Cannot disable rule with append and enabled

[jemag]

Describe the bug
Cannot disable rule using documented way, e.g:

- rule: Change thread namespace
  append: true
  enabled: false

logs:

DKMS: install completed.
* falco module installed in dkms, trying to insmod
* Success: falco module found and loaded in dkms
Mon Dec 14 20:19:49 2020: Falco version 0.26.2 (driver version 2aa88dcf6243982697811df4c1b484bcbe9488a2)
Mon Dec 14 20:19:49 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Mon Dec 14 20:19:49 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Mon Dec 14 20:19:50 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Mon Dec 14 20:19:51 2020: Loading rules from file /etc/falco/rules.d/custom.local.yaml:
Mon Dec 14 20:19:51 2020: Runtime error: Rule must have property condition
---
- rule: Change thread namespace
  append: true
  enabled: false
---. Exiting.

where the custom rules are located in custom.local.yaml and are properly loaded after the falco_rules.yaml file.

It will however work if using the following:

- rule: Change thread namespace
  append: true
  condition: and (never_true)

suggesting that the appending is probably working properly and file is loaded in proper order.

How to reproduce it
Deploy falco using falco chart with the following values

customRules:
  custom.local.yaml: |-
    - rule: Change thread namespace
      append: true     
      enabled: false

Expected behaviour

Disables the falco rule

Environment

• Falco version:
  0.26.2
• System info:

Mon Dec 14 20:38:02 2020: Falco version 0.26.2 (driver version 2aa88dcf6243982697811df4c1b484bcbe9488a2)
Mon Dec 14 20:38:02 2020: Falco initialized with configuration file /etc/falco/falco.yaml
Mon Dec 14 20:38:02 2020: Loading rules from file /etc/falco/falco_rules.yaml:
Mon Dec 14 20:38:03 2020: Loading rules from file /etc/falco/falco_rules.local.yaml:
Mon Dec 14 20:38:04 2020: Loading rules from file /etc/falco/rules.d/custom.local.yaml:
{
  "machine": "x86_64",
  "nodename": "falco-swwzp",
  "release": "5.4.0-1032-azure",
  "sysname": "Linux",
  "version": "#33~18.04.1-Ubuntu SMP Tue Nov 17 11:40:52 UTC 2020"
}

• Cloud provider or hardware configuration:
  Azure AKS

[leogr]

/help

[poiana]

@leogr:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[poiana]

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

[poiana]

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jemag]

/remove-lifecycle rotten

[jemag]

/reopen

[poiana]

@jemag: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/cc @mstemm

[leogr]

/remove-lifecycle stale

[jasondellaluce]

This is most likely related to the same bug as #1537. This is currently not necessary, as currently Change thread namespace should be disabled by default. However, I recently opened a PR trying to address this 👉🏼 #1775