Conversation

@irozzo-1A (Contributor) commented Oct 6, 2025

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind release

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area tests

/area proposals

/area CI

What this PR does / why we need it:

Emit a warning when a rule with a condition using the "evt.dir" field is encountered.
The direction has been deprecated in the scope of the enter event suppression initiative.

ref: falcosecurity/libs#2588

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Example output:

Wed Oct 08 08:50:51 2025: rules/falco-deprecated_rules.yaml: Ok, with warnings
4 Warnings:
In rules content: (rules/falco-deprecated_rules.yaml:0:0)
    rule 'Disallowed SSH Connection': (rules/falco-deprecated_rules.yaml:82:2)
    rule condition: (rules/falco-deprecated_rules.yaml:88:13)
------
  condition: >
             ^
------
LOAD_DEPRECATED_ITEM (Used deprecated item: field 'evt.dir' is deprecated): due to the drop of enter events, 'evt.dir = <' always evaluates to true, and 'evt.dir = >' always evaluates to false. The rule expression can be simplified by removing the condition on 'evt.dir'
In rules content: (rules/falco-deprecated_rules.yaml:0:0)
    rule 'Unexpected outbound connection destination': (rules/falco-deprecated_rules.yaml:115:2)
    rule condition: (rules/falco-deprecated_rules.yaml:121:13)
------
  condition: >
             ^
------
LOAD_DEPRECATED_ITEM (Used deprecated item: field 'evt.dir' is deprecated): due to the drop of enter events, 'evt.dir = <' always evaluates to true, and 'evt.dir = >' always evaluates to false. The rule expression can be simplified by removing the condition on 'evt.dir'
In rules content: (rules/falco-deprecated_rules.yaml:0:0)
    rule 'Outbound or Inbound Traffic not to Authorized Server Process and Port': (rules/falco-deprecated_rules.yaml:155:2)
    rule condition: (rules/falco-deprecated_rules.yaml:163:13)
------
  condition: >
             ^
------
LOAD_DEPRECATED_ITEM (Used deprecated item: field 'evt.dir' is deprecated): due to the drop of enter events, 'evt.dir = <' always evaluates to true, and 'evt.dir = >' always evaluates to false. The rule expression can be simplified by removing the condition on 'evt.dir'
In rules content: (rules/falco-deprecated_rules.yaml:0:0)
    rule 'Outbound Connection to C2 Servers': (rules/falco-deprecated_rules.yaml:180:2)
    rule condition: (rules/falco-deprecated_rules.yaml:187:13)
------
  condition: >
             ^
------
LOAD_DEPRECATED_ITEM (Used deprecated item: field 'evt.dir' is deprecated): due to the drop of enter events, 'evt.dir = <' always evaluates to true, and 'evt.dir = >' always evaluates to false. The rule expression can be simplified by removing the condition on 'evt.dir'

Does this PR introduce a user-facing change?:

feat(engine): emit warning when a rule containing a condition on the deprecated `evt.dir` field is encountered
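
As an added example (not code from this PR or from the Falco project), the checker below applies the same reasoning to rule conditions offline: with enter events dropped, every event the engine evaluates is an exit event, so `evt.dir = <` is a constant true and `evt.dir = >` a constant false. It reports each use, drops always-true conjuncts, flags a rule whose top-level conjunction contains an always-false term as one that can never fire, and leaves nested uses (under `or`, `not` or inside a macro body) for manual review. The rule names and condition strings are constructed for the example, and treating `!=` as the inverse of `=` is an assumption made here, not something the PR states.

```python
"""Lint Falco rule conditions for the deprecated evt.dir field.

Added example, not Falco's own engine code. Assumption: after the enter
event drop, evt.dir is always '<', so any comparison on it is a constant.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One comparison on evt.dir, with or without spaces ("evt.dir=<", "evt.dir != >").
EVT_DIR_TERM = re.compile(r"evt\.dir\s*(!=|=)\s*([<>])")

# Constructed sample conditions; names echo the PR's output, bodies are invented.
SAMPLE_CONDITIONS = {
    "Disallowed SSH Connection":
        "inbound_outbound and ssh_port and evt.dir=< and not allowed_ssh_hosts",
    "Unexpected outbound connection destination":
        "evt.type = connect and evt.dir = < and not allowed_dest",
    "Outbound Connection to C2 Servers":
        "evt.type = connect and evt.dir = > and c2_ip",
    "Nested direction check":
        "evt.type in (connect, accept) and (evt.dir = < or fd.net = 10.0.0.0/8)",
    "No direction check":
        "evt.type = execve and proc.name = bash",
}


@dataclass
class LintResult:
    rule: str
    warnings: List[str] = field(default_factory=list)
    simplified: Optional[str] = None   # rewritten condition; None if the rule is dead
    never_fires: bool = False          # an always-false term sits in the top-level 'and'
    needs_review: bool = False         # evt.dir used under 'or'/'not'; left untouched


def term_verdict(op: str, value: str) -> bool:
    """Constant value of "evt.dir <op> <value>" when evt.dir is always '<'."""
    is_exit = value == "<"
    return is_exit if op == "=" else not is_exit


def split_top_level(cond: str, keyword: str = "and") -> List[str]:
    """Split on the boolean keyword only at parenthesis depth 0."""
    sep = re.compile(rf"\s+{keyword}\s+")
    parts, depth, start, i = [], 0, 0, 0
    while i < len(cond):
        c = cond[i]
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif depth == 0 and c.isspace():
            m = sep.match(cond, i)
            if m:
                parts.append(cond[start:i].strip())
                start = i = m.end()
                continue
        i += 1
    parts.append(cond[start:].strip())
    return parts


def strip_outer_parens(s: str) -> str:
    """Remove parentheses that wrap the whole expression, e.g. "(evt.dir=<)"."""
    s = s.strip()
    while s.startswith("(") and s.endswith(")"):
        depth = 0
        for i, c in enumerate(s):
            depth += (c == "(") - (c == ")")
            if depth == 0 and i != len(s) - 1:
                return s  # the first '(' closes early, so it is not a wrapping pair
        s = s[1:-1].strip()
    return s


def lint_condition(rule: str, cond: str) -> LintResult:
    res = LintResult(rule=rule, simplified=cond)
    for op, val in EVT_DIR_TERM.findall(cond):
        res.warnings.append(
            f"field 'evt.dir' is deprecated: 'evt.dir {op} {val}' always evaluates "
            f"to {str(term_verdict(op, val)).lower()}")
    if not res.warnings:
        return res
    kept = []
    for conjunct in split_top_level(cond, "and"):
        inner = strip_outer_parens(conjunct)
        m = EVT_DIR_TERM.fullmatch(inner)
        if m:
            if term_verdict(*m.groups()):
                continue               # always true: drop the conjunct
            res.never_fires = True     # always false: the rule can never match
            res.simplified = None
            return res
        if EVT_DIR_TERM.search(inner):
            res.needs_review = True    # nested use: keep it and ask a human
        kept.append(conjunct)
    res.simplified = " and ".join(kept)
    return res


def lint_all(conditions: Dict[str, str]) -> Dict[str, LintResult]:
    return {rule: lint_condition(rule, cond) for rule, cond in conditions.items()}


if __name__ == "__main__":
    for r in lint_all(SAMPLE_CONDITIONS).values():
        for w in r.warnings:
            print(f"rule '{r.rule}': LOAD_DEPRECATED_ITEM ({w})")
        if r.never_fires:
            print(f"rule '{r.rule}': never fires; remove or fix it")
        elif r.needs_review:
            print(f"rule '{r.rule}': nested evt.dir use, review by hand")
        elif r.warnings:
            print(f"rule '{r.rule}': simplified to: {r.simplified}")
```

The point the engine warning cannot make on its own is the dead-rule case: a condition that still carries `evt.dir = >` at top level silently stops matching anything, so a detection such as "Outbound Connection to C2 Servers" would keep loading "Ok, with warnings" while never firing. Run the checker over the condition strings of your own rules (and of the macros they expand, since macros like `inbound`/`outbound` are where `evt.dir` usually hides), and use the engine's own load-time warning, as in the PR's example output, as the authoritative check.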

@github-actions bot commented Oct 6, 2025

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

@leogr (Member) commented Oct 6, 2025

/milestone 0.42.0

Emit a warning when a rule with a condition using the "evt.dir" field is
encountered.
The direction has been deprecated in the scope of the enter event
suppression initiative.

Signed-off-by: Iacopo Rozzo <[email protected]>
@irozzo-1A irozzo-1A force-pushed the feat/emit-warning-when-dir-used branch from 06f5d98 to f1542d3 Compare October 6, 2025 15:43
@mstemm (Contributor) previously approved these changes Oct 6, 2025 and left a comment

I'd suggest making the error a bit more generic, but I can live with it as written.

@poiana (Contributor) commented Oct 6, 2025

LGTM label has been added.

Git tree hash: 7ef95de6bea5d29dc3d232471325e195ad89b27d

@poiana poiana requested a review from mstemm October 8, 2025 08:53
@poiana poiana added size/XL and removed size/M labels Oct 8, 2025
@irozzo-1A irozzo-1A force-pushed the feat/emit-warning-when-dir-used branch from 98a77f9 to 4f1ff8a Compare October 8, 2025 15:22
@irozzo-1A irozzo-1A marked this pull request as ready for review October 8, 2025 15:23
@poiana poiana requested a review from jasondellaluce October 8, 2025 15:23
@poiana poiana added the lgtm label Oct 9, 2025
@poiana (Contributor) commented Oct 9, 2025

LGTM label has been added.

Git tree hash: a408e32011e828ef6e5a8b29b9bcaed7ae1f0577

@leogr (Member) commented Oct 9, 2025

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

false positive
/remove-hold

@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap Oct 9, 2025
@leogr (Member) commented Oct 9, 2025

/approve

@poiana (Contributor) commented Oct 9, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irozzo-1A, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana added the approved label Oct 9, 2025
@poiana poiana merged commit 8c4e5aa into falcosecurity:master Oct 9, 2025
34 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap Oct 9, 2025