Proposal: Falcoctl config to patch falco.yaml with additional rules files or plugins beyond what is defined from the rules artifact

Question

Proposal: Falcoctl config to patch falco.yaml with additional rules files or plugins beyond what is defined from the rules artifact

Opened this issue a year ago · 9 comments

What would you like to be added:

Context: Falcoctl can retrieve the rules files from OCI when doing falcoctl artifact install. However when the artifacts are all installed, I also have some custom rules I want to apply that are not packaged up, and contain only some overrides/extensions that are specific to our local environments, for rules and macros defined in the artifacts. I want to be able to apply these overrides with Falcoctl so that they apply any time new rules are downloaded.

Proposal: It’d be great if falcoctl artifact install also could have a small config file for itself included in the OCI artifact. This could be used, for example, to directly append a new rules file to the rules_file field in falco.yaml, or a new plugin to the plugins field.

example config.yaml:

rules_files_append:
  - userDefinedRules.yaml
plugins_append:
  - name userDefinedPlugin
    library_path: libUserDefinedPlugin.so
    init_config: {}
    open_params: ""

If falcoctl could read this in from the extracted tarball path (from the OCI registry artifact) and take action to append the values defined, it’d be really useful.

Answer 1 · 2023-11-27T15:46:44.000Z

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Answer 2 · 2023-11-27T16:41:00.000Z

Not stale. Made some clarifications to the title and description

Answer 3 · 2023-12-27T21:47:34.000Z

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

Answer 4 · 2023-12-28T02:32:28.000Z

/remove-lifecycle rotten
/remove-lifecycle stale

Answer 5 · 2024-03-27T03:50:07.000Z

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Answer 6 · 2024-03-27T16:35:06.000Z

/remove-lifecycle stale

Answer 7 · 2024-06-25T21:54:07.000Z

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Answer 8 · 2024-06-25T22:02:06.000Z

/remove-lifecycle stale

Answer 9 · 2024-09-23T22:10:55.000Z

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale