Hi,
While using Tracee, I noticed that enabling filters on containers and/or pods implicitly disables events that are not container-related.
For example, consider the following policy:
```yaml
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  annotations:
    description: process execution tracking
  name: process-exec
spec:
  rules:
    - event: sched_process_exec
      filters:
        - podNamespace!=kube-system
  scope:
    - global
```
This policy automatically filters out all events originating from the host. As a result, I receive events only from pods that are not in the kube-system namespace, but I do not receive any events occurring outside of containers.
To capture host events, I am forced to create an additional policy to compensate for this behavior:
```yaml
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  annotations:
    description: process execution tracking
  name: process-exec
spec:
  rules:
    - event: sched_process_exec
  scope:
    - not-container
```
Is this the intended behavior? I believe users should be able to apply container-related filters without implicitly restricting the policy to container-only events.
I suspect this behavior originates from this line of code.
What do you think?
Thanks
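The semantic question behind this issue is how a filter on a container-only attribute (such as `podNamespace`) should be evaluated for events that have no such attribute at all, i.e. host processes. The following is an added toy model written for this discussion; it is not Tracee's code and does not reproduce Tracee's filter engine. It assumes a hypothetical `Event` record with optional `container_id` and `pod_namespace` fields and compares two policies for a missing field: a strict one, where a missing field fails the filter (which silently narrows the policy to container events, the behavior reported above), and a lenient one, where a `!=` filter holds vacuously for events without the field, so host events keep flowing.

```python
# Added illustration, not Tracee's code: a toy model of evaluating a policy filter
# such as "podNamespace!=kube-system" against events that may lack the field.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    """Hypothetical event record; container_id=None means a host process."""
    name: str
    comm: str
    container_id: Optional[str] = None
    pod_namespace: Optional[str] = None


# Constructed sample events: two host processes, one kube-system pod, one app pod.
SAMPLE_EVENTS = [
    Event("sched_process_exec", "sshd"),
    Event("sched_process_exec", "cron"),
    Event("sched_process_exec", "kube-proxy", container_id="c1", pod_namespace="kube-system"),
    Event("sched_process_exec", "nginx", container_id="c2", pod_namespace="web"),
]

# Map policy filter field names to attributes of the toy Event record.
FIELD_MAP = {"podNamespace": "pod_namespace", "containerId": "container_id"}


def parse_filter(expr: str):
    """Split 'field!=value' or 'field=value' into (field, negate, value)."""
    if "!=" in expr:
        field, value = expr.split("!=", 1)
        return field.strip(), True, value.strip()
    field, value = expr.split("=", 1)
    return field.strip(), False, value.strip()


def matches(event: Event, expr: str, strict_missing: bool) -> bool:
    """Evaluate one filter expression against one event.

    strict_missing=True:  an event without the field never matches, so a
                          container-only field turns the policy container-only.
    strict_missing=False: '!=' holds vacuously for events without the field,
                          while '=' cannot hold; host events survive '!=' filters.
    """
    field, negate, value = parse_filter(expr)
    actual = getattr(event, FIELD_MAP[field])
    if actual is None:
        return (not strict_missing) and negate
    return (actual != value) if negate else (actual == value)


def apply_policy(events: List[Event], expr: str, strict_missing: bool) -> List[str]:
    """Return the comm names of the events a single-filter policy would emit."""
    return [e.comm for e in events if matches(e, expr, strict_missing)]


if __name__ == "__main__":
    expr = "podNamespace!=kube-system"
    print("strict :", apply_policy(SAMPLE_EVENTS, expr, strict_missing=True))
    print("lenient:", apply_policy(SAMPLE_EVENTS, expr, strict_missing=False))
```

Under the strict rule only `nginx` is emitted, which is exactly the host-event blind spot described above; under the lenient rule `sshd`, `cron` and `nginx` are all emitted and only the kube-system pod is excluded, which is what a user writing `podNamespace!=kube-system` with a `global` scope most likely intends. Whichever semantics a tool picks, the practical check is the same: run a known host-only process while the policy is active and confirm the event appears.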