[Feature Request] Falcoctl notification of rule changes on apply

[tspearconquest]

Motivation

When rules are updated by falcoctl, I don't get any notification of what changed. I need visibility into this in order to aid in debugging issues.

Feature

Part of the output from falcoctl should report on which rules changed (possibly additionally showing a diff if provided a flag for it)

Alternatives

Only manually trying to diff them, which is highly error-prone.

Additional context

This could tie into Falco as well fairly easily so that falco emits a Notice or Info level message about the rules changing.

Create a rule to have falco watch for falcoctl to modify the rules. I started trying to craft one but have not tested it: condition: (fd.directory=/etc/falco and fd.name endswith falco_rules.yaml) and evt.dir=< and open_write and proc_name_exists and proc.name=falcoctl

[incertum]

@jasondellaluce you have a real cool new automation to check on the diff in a PR, what is the delta to support this in falcoctl, thanks!

[incertum]

/milestone 0.37.0

@LucaGuerra and @jasondellaluce this aligns with the revamped rules maturity and adoption framework and there seem to be more capabilities we need for falcoctl as a result of a new approach to track the maturity of rules, therefore I am assigning a more conservative Falco 0.37 for now.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[tspearconquest]

Thanks @Andreagit97

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[leogr]

This should be addressed in falcoctl. So, moving this to its own repo.

cc @falcosecurity/falcoctl-maintainers

[tspearconquest]

I missed the later updates, apologies!

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale