
Falco still load "enabled: false" rule when using "-t" #2631

Closed
duongmn89 opened this issue Jun 12, 2023 · 12 comments

@duongmn89

Describe the bug

  • We are running falco 0.35.0 with the default rule file and load only network rules (with the flag -t network)
  • There are some rules in the default rule file that are already disabled, for example: "Unexpected inbound connection source", "Unexpected outbound connection destination", "Unexpected UDP Traffic"
  • But when falco is running, there are a lot of alerts coming from those rules
  • I already tried disabling those rules in falco_local_rules.yaml but it didn't help

How to reproduce it

  • Running falco with the flag -t network

Expected behaviour

  • No alerts related to "enabled: false" rules


Environment

  • Falco version: 0.35.0

  • System info:
    Mon Jun 12 03:39:02 2023: Falco version: 0.35.0 (x86_64)
    Mon Jun 12 03:39:02 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
    Mon Jun 12 03:39:02 2023: Loading rules from file /etc/falco/falco_rules.yaml
    Mon Jun 12 03:39:02 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
    {
    "machine": "x86_64",
    "nodename": "falco-syscall-wk8vn",
    "release": "5.10.0-0.deb10.16-amd64",
    "sysname": "Linux",
    "version": "Digwatch compiler #1 SMP Debian 5.10.127-2~bpo10+1 (2022-07-28)"
    }

  • OS: Debian 10

  • Kernel: 4.19.98-1

  • Installation method: kubernetes daemonset

@duongmn89 duongmn89 changed the title Falco ignore "enabled" rule filed when using "-t" Falco still load "enabled: false" rule when using "-t" Jun 12, 2023
@jasondellaluce
Contributor

/milestone 0.36.0

Thanks! Will need further investigation.

@poiana poiana added this to the 0.36.0 milestone Jun 12, 2023
@jasondellaluce
Contributor

I can confirm that tag-based enabling/disabling overrides the enabled field of each rule. The same goes for rules disabled with -D. I was assuming this to be intended behavior. Did this change for you from previous Falco versions?

@duongmn89
Author

> I can confirm that tag-based enabling/disabling overrides the enabled field of each rule. The same goes for rules disabled with -D. I was assuming this to be intended behavior. Did this change for you from previous Falco versions?

I just used -t with 0.35.0, not previous versions. But I think they have the same behavior.
If it's intended behavior, I think it would be better if we could use both "-t or -D" with the "enabled" field.
For example:

  • I just want to use network-related rules => I use -t network
  • But I also want to disable some noisy rule, for example: "Unexpected inbound connection source"
    For now, I can't do this.

@jasondellaluce
Contributor

I tend to agree with you, but since this is a UX change we may need the opinion of others too.

cc @falcosecurity/falco-maintainers @falcosecurity/core-maintainers

@incertum
Contributor

Update: It's on the roadmap for Falco 0.36 alongside exposing tags based filtering through falco.yaml as we are introducing a new rules maturity framework.

@poiana

poiana commented Jan 15, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Member

leogr commented Jan 16, 2024

/remove-lifecycle stale

@Andreagit97
Member

Still to address, I will move it to 0.38.0.

@Andreagit97 Andreagit97 modified the milestones: 0.37.0, 0.38.0 Jan 16, 2024
@poiana

poiana commented Apr 15, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@LucaGuerra
Contributor

/remove-lifecycle stale

@LucaGuerra
Contributor

/assign

@LucaGuerra
Contributor

> I just want to use network-related rules => I use -t network
> But I also want to disable some noisy rule, for example: "Unexpected inbound connection source"
> For now, I can't do this.

The new rule selection configuration option coming in Falco 0.38.0 (scheduled for end of month) addresses this kind of use case and has been designed with that in mind ( #3178 ). I would close this specific issue, but if, after release, more use cases are identified that we want to add, we can always open more issues.

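An added example, not Falco's own code, that models the two selection behaviours discussed in this thread side by side: the 0.35 `-t` semantics that jasondellaluce confirms (a tag match loads the rule whatever its `enabled:` field says), and an ordered list of enable/disable operations of the kind duongmn89 asks for and LucaGuerra says the 0.38 rule selection option provides. The rule set is constructed (the names are the ones quoted in the issue, the tags and `enabled` values are illustrative, not copied from falco_rules.yaml), and the `{"enable": {...}}` / `{"disable": {...}}` operation shape with name wildcards is an assumption made for this example, not a statement of the exact 0.38 configuration syntax.

```python
"""Model of Falco rule selection, written for this thread (not Falco code).

select_by_tag():  the 0.35 `-t` behaviour reported above; a rule is loaded
                  iff it carries a requested tag, ignoring its `enabled:` field.
select_ordered(): an ordered list of enable/disable operations keyed by rule
                  name (wildcards allowed) or tag; later operations win, so
                  "enable everything tagged network, then disable one noisy
                  rule" is expressible. Operation shape is assumed here.
"""
from fnmatch import fnmatchcase

# Constructed stand-in for a ruleset. Three network rules ship disabled,
# one ships enabled, and one non-network rule is there as a control.
RULES = [
    {"rule": "Unexpected inbound connection source",
     "tags": ["network"], "enabled": False},
    {"rule": "Unexpected outbound connection destination",
     "tags": ["network"], "enabled": False},
    {"rule": "Unexpected UDP Traffic",
     "tags": ["network"], "enabled": False},
    {"rule": "Outbound Connection to C2 Servers",
     "tags": ["network"], "enabled": True},
    {"rule": "Terminal shell in container",
     "tags": ["container", "shell"], "enabled": True},
]


def select_by_tag(rules, enabled_tags):
    """Legacy `-t` semantics: tag membership alone decides. The per-rule
    `enabled:` field is never consulted, which is why the three disabled
    network rules in the issue still fire under `-t network`."""
    wanted = set(enabled_tags)
    return sorted(r["rule"] for r in rules if wanted & set(r["tags"]))


def _matches(rule, selector):
    """A selector is {"rule": <glob pattern>} or {"tag": <tag name>}."""
    if "rule" in selector:
        return fnmatchcase(rule["rule"], selector["rule"])
    if "tag" in selector:
        return selector["tag"] in rule["tags"]
    raise ValueError(f"selector needs 'rule' or 'tag': {selector!r}")


def select_ordered(rules, operations):
    """Ordered selection: start from each rule's own `enabled:` value, then
    apply operations in sequence; each is {"enable": sel} or {"disable": sel}.
    Returns the sorted names of the rules that end up enabled."""
    state = {r["rule"]: bool(r.get("enabled", True)) for r in rules}
    for op in operations:
        if len(op) != 1 or next(iter(op)) not in ("enable", "disable"):
            raise ValueError(f"operation must be enable/disable: {op!r}")
        action, selector = next(iter(op.items()))
        for r in rules:
            if _matches(r, selector):
                state[r["rule"]] = action == "enable"
    return sorted(name for name, on in state.items() if on)


# The use case from the thread: only network rules, minus one noisy one.
NETWORK_MINUS_NOISY = [
    {"disable": {"rule": "*"}},
    {"enable": {"tag": "network"}},
    {"disable": {"rule": "Unexpected inbound connection source"}},
]

if __name__ == "__main__":
    print("-t network (0.35 semantics):", select_by_tag(RULES, ["network"]))
    print("ordered selection          :", select_ordered(RULES, NETWORK_MINUS_NOISY))
    print("no operations (enabled: as shipped):", select_ordered(RULES, []))
```

Running it shows the gap the issue describes: `select_by_tag` returns all four network rules, including the three that ship with `enabled: false`, and nothing the user puts in a local override can change that because the field is never read. With ordered operations the same intent is one extra `disable` entry after the tag enable, and the non-network "Terminal shell in container" rule stays off because the leading `rule: "*"` disable cleared it.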