From e0ed18b83a148990b0cc32d025bca5d6ef2a5887 Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Fri, 20 Sep 2024 17:36:44 +0200
Subject: [PATCH 1/2] update(events): disable JavaProcessClassFileDownload

Since it is not in the stable ruleset: https://github.com/falcosecurity/rules/blob/b6ad37371923b28d4db399cf11bd4817f923c286/rules/falco-sandbox_rules.yaml#L1676-L1686

Signed-off-by: Leonardo Grasso
---
 events/syscall/java_process_class_file_download.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/events/syscall/java_process_class_file_download.go b/events/syscall/java_process_class_file_download.go
index 8d286fff..8b01c6ff 100644
--- a/events/syscall/java_process_class_file_download.go
+++ b/events/syscall/java_process_class_file_download.go
@@ -18,7 +18,10 @@ import (
 "github.com/falcosecurity/event-generator/events"
 )

-var _ = events.Register(JavaProcessClassFileDownload)
+var _ = events.Register(
+ JavaProcessClassFileDownload,
+ events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
+)

 func JavaProcessClassFileDownload(h events.Helper) error {
 return h.SpawnAs("java", "helper.CombinedServerClient")
From 58fcb704dc16261a22b3dc1e78b0746bb9eed27a Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Fri, 20 Sep 2024 17:38:41 +0200
Subject: [PATCH 2/2] update(events): disable PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse

Since it is not in the stable ruleset: https://github.com/falcosecurity/rules/blob/b6ad37371923b28d4db399cf11bd4817f923c286/rules/falco-incubating_rules.yaml#L1263-L1276

Signed-off-by: Leonardo Grasso
---
 ..._privilege_escalation_via_environment_variables_misuse.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/events/syscall/potential_local_privilege_escalation_via_environment_variables_misuse.go b/events/syscall/potential_local_privilege_escalation_via_environment_variables_misuse.go
index e7d43781..9577acf4 100644
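Review bot: The comment added next to `events.WithDisabled()` reads "this rules is not included" and names only the file the rule is missing from, not the ruleset it actually lives in; the identical comment is added in potential_local_privilege_escalation_via_environment_variables_misuse.go. Naming the ruleset linked in each commit message tells a maintainer when the option can be removed again, for example `events.WithDisabled(), // this rule is in falco-sandbox_rules.yaml, not the stable falco_rules.yaml, so disable the action` here, and the same with `falco-incubating_rules.yaml` in the second file. Since these two actions presumably no longer run unless explicitly enabled, anyone using the generator to validate detections from the sandbox or incubating rulesets loses that coverage silently, which deserves a line in the description or changelog.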
--- a/events/syscall/potential_local_privilege_escalation_via_environment_variables_misuse.go
+++ b/events/syscall/potential_local_privilege_escalation_via_environment_variables_misuse.go
@@ -26,7 +26,10 @@ import (
 "github.com/falcosecurity/event-generator/events"
 )

-var _ = events.Register(PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse)
+var _ = events.Register(
+ PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse,
+ events.WithDisabled(), // this rules is not included in falco_rules.yaml (stable rules), so disable the action
+)

 func PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse(h events.Helper) error {
 // Set the GLIBC_TUNABLES environment variable