[Feature Request] Falcoctl notification of rule changes on apply #568
Comments
|
@jasondellaluce you have a real cool new automation to check on the diff in a PR, what is the delta to support this in |
|
/milestone 0.37.0 @LucaGuerra and @jasondellaluce this aligns with the revamped rules maturity and adoption framework and there seem to be more capabilities we need for |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Thanks @Andreagit97 |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
This should be addressed in falcoctl. So, moving this to its own repo. cc @falcosecurity/falcoctl-maintainers |
|
I missed the later updates, apologies! |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
Motivation
When rules are updated by falcoctl, I don't get any notification of what changed. I need visibility into this in order to aid in debugging issues.
Feature
Part of the output from falcoctl should report on which rules changed (possibly additionally showing a diff if provided a flag for it)
Alternatives
Only manually trying to diff them, which is highly error-prone.
Additional context
This could tie into Falco as well fairly easily so that falco emits a Notice or Info level message about the rules changing.
Create a rule to have falco watch for falcoctl to modify the rules. I started trying to craft one but have not tested it:
condition: (fd.directory=/etc/falco and fd.name endswith falco_rules.yaml) and evt.dir=< and open_write and proc_name_exists and proc.name=falcoctlThe text was updated successfully, but these errors were encountered: