
Wrong usage of `evt.arg.*` / `evt.rawarg.*` when more than one event is involved

Open Andreagit97 opened this issue 1 year ago • 7 comments

In some rules like `Set Setuid or Setgid bit` we use some filter checks like `fd=%evt.arg.fd`. These filter checks are event-specific, so using them with a condition like `evt.type in (chmod, fchmod, fchmodat)` means that `chmod` and `fchmodat` don't have it and will always return an `<NA>`, while `fchmod` has it.

I'm not sure this is what we want; returning `<NA>` by default doesn't seem the right choice. IMO we should limit the usage of `evt.arg.*` / `evt.rawarg.*` to when only one event is involved in the condition and a precise direction is set (e.g. `evt.type=open and evt.dir=<`). The direction is necessary because enter and exit events have different parameters!

Andreagit97, Jan 05 '24 13:01
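To make the failure mode concrete, here is an added rule fragment in Falco rule syntax (not the issue author's text and not the repository's actual `Set Setuid or Setgid bit` rule). The first rule shows an event-specific field used across three event types; the two that follow show the per-event, per-direction shape the issue proposes. Rule names and the `S_ISUID`/`S_ISGID` mode check are hypothetical, and the per-event parameter names (`fd` on `fchmod`, `filename` on `chmod`) are assumed from the exit-event definitions.

```yaml
# Added example, not the project's own rule. Rule names are hypothetical.

# Problematic: evt.arg.fd is defined only for fchmod. For chmod and fchmodat
# the output field renders as <NA>, so the alert silently loses its context.
- rule: Example Setuid Bit Via Any Chmod
  desc: Event-specific field referenced across several event types
  condition: >
    evt.type in (chmod, fchmod, fchmodat) and evt.dir=<
    and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
  output: >
    setuid/setgid bit set (fd=%evt.arg.fd mode=%evt.arg.mode
    user=%user.name proc=%proc.name)
  priority: WARNING

# Proposed shape: exactly one event type and one direction per rule, so every
# evt.arg.* field used in condition and output exists for that event.
- rule: Example Setuid Bit Via fchmod
  desc: fchmod exit event carries fd and mode (assumed parameter names)
  condition: >
    evt.type=fchmod and evt.dir=<
    and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
  output: >
    setuid/setgid bit set via fchmod (fd=%evt.arg.fd mode=%evt.arg.mode
    user=%user.name proc=%proc.name)
  priority: WARNING

- rule: Example Setuid Bit Via chmod
  desc: chmod exit event carries filename and mode, not fd (assumed parameter names)
  condition: >
    evt.type=chmod and evt.dir=<
    and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
  output: >
    setuid/setgid bit set via chmod (filename=%evt.arg.filename
    mode=%evt.arg.mode user=%user.name proc=%proc.name)
  priority: WARNING
```

Keeping `evt.dir` explicit matters as much as the single `evt.type`: the enter and exit events of the same syscall expose different parameters, so a rule without a direction can still reference a field that is undefined for half of the events it matches.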