Informational Rules Loaded When priority: notice #1884

Closed
mike-stewart opened this issue Feb 1, 2022 · 1 comment · Fixed by #1885
mike-stewart commented Feb 1, 2022

Describe the bug

On falco 0.31.0 I am seeing Informational rules being loaded when the priority in the config is set to only load Notice and above.

How to reproduce it

I'm running falco.yaml with:

```yaml
priority: notice
```

with no overrides for info-level rules. However, informational rules are still being loaded, and are alerting at the Notice level.

Expected behaviour

It is expected that when priority: notice, only Notice, Warning, Error, Critical, Alert, and Emergency rules will be loaded and fired.

Screenshots
[Screenshot: Screen Shot 2022-02-01 at 5 57 39 PM]

Note that this rule is supposed to be INFO level:

falco/rules/falco_rules.yaml

Lines 1886 to 1894 in f86423d

```yaml
- rule: Launch Privileged Container
  desc: Detect the initial process started in a privileged container. Exceptions are made for known trusted images.
  condition: >
    container_started and container
    and container.privileged=true
    and not falco_privileged_containers
    and not user_privileged_containers
  output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag)
  priority: INFO
```

Environment

  • Falco version: 0.31.0
  • System info:
  • Cloud provider or hardware configuration:
  • OS:
  • Kernel:
  • Installation method: Kubernetes

Additional context

I'm wondering if this code may be the problem:

```lua
priorities = {
  Emergency=0, Alert=1, Critical=2, Error=3, Warning=4, Notice=5, Informational=5, Debug=7,
  emergency=0, alert=1, critical=2, error=3, warning=4, notice=5, informational=5, debug=7,
  EMERGENCY=0, ALERT=1, CRITICAL=2, ERROR=3, WARNING=4, NOTICE=5, INFORMATIONAL=5, DEBUG=7,
  INFO=5, info=5
}
```

Note that Notice and Informational are both set to level 5.

I can open a PR from master...mike-stewart:patch-2 if that would be helpful.
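The effect of the shared level 5 on rule loading, as an added Python model that is not Falco's own Lua code: it applies the "load a rule when its level is at least as severe as the configured minimum" filter with the priority table quoted above and with an assumed corrected table in which Informational gets its own level 6. The rule names other than the one quoted in the issue are constructed.

```python
# Added example, not Falco's own code: models the rule priority filter
# described in this issue with the buggy table versus a corrected one.

# Levels as quoted in the issue (case-normalised to lower case here):
# notice, informational and info all map to 5, so an INFO rule compares
# as equal to the configured minimum of "notice" and passes the filter.
BUGGY_PRIORITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 5, "debug": 7, "info": 5,
}

# Assumed corrected table: syslog ordering, with informational/info at 6
# sitting between notice (5) and debug (7).
FIXED_PRIORITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 6, "debug": 7, "info": 6,
}


def should_load(rule_priority, configured_min, table):
    """A rule is loaded when its level is at least as severe as the
    configured minimum, i.e. its number is <= the configured number."""
    return table[rule_priority.lower()] <= table[configured_min.lower()]


def loaded_rules(rules, configured_min, table):
    """Names of the rules that pass the filter, in file order."""
    return [name for name, prio in rules
            if should_load(prio, configured_min, table)]


# Constructed rule list; the INFO rule is the one quoted in the issue.
SAMPLE_RULES = [
    ("Launch Privileged Container", "INFO"),
    ("Example Notice Rule", "NOTICE"),
    ("Example Warning Rule", "WARNING"),
    ("Example Debug Rule", "DEBUG"),
]

if __name__ == "__main__":
    for label, table in (("buggy", BUGGY_PRIORITIES), ("fixed", FIXED_PRIORITIES)):
        print(label, loaded_rules(SAMPLE_RULES, "notice", table))
```

With the buggy table the INFO rule is loaded under priority: notice; with the corrected table it is not, while NOTICE and WARNING rules load in both cases.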

mike-stewart added a commit to mike-stewart/falco that referenced this issue Feb 1, 2022
@jasondellaluce (Contributor) commented:

Great catch @mike-stewart! Thank you for noticing; would you mind opening a PR?

mike-stewart added a commit to mike-stewart/falco that referenced this issue Feb 2, 2022
Signed-off-by: Mike Stewart <mike.stewart@introhive.com>
poiana pushed a commit that referenced this issue Feb 4, 2022
Signed-off-by: Mike Stewart <mike.stewart@introhive.com>