Motivation
When rules are updated by falcoctl, I don't get any notification of what changed. I need visibility into this in order to aid in debugging issues.
Feature
Part of the output from falcoctl should report on which rules changed (possibly additionally showing a diff if provided a flag for it)
Alternatives
Only manually trying to diff them, which is highly error-prone.
Additional context
This could tie into Falco as well fairly easily so that falco emits a Notice or Info level message about the rules changing.
Create a rule to have falco watch for falcoctl to modify the rules. I started trying to craft one but have not tested it:
condition: (fd.directory=/etc/falco and fd.name endswith falco_rules.yaml) and evt.dir=< and open_write and proc_name_exists and proc.name=falcoctl
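As an added example (not part of this issue and not falcoctl's own code), the following Python script shows the kind of report the feature request asks for: it takes the rules file as it was before and after an update, splits it into top-level items (rule, macro, list), and reports which items were added, removed or modified, with a unified diff for each modified item. The two rules-file versions are constructed sample input; the item splitter only understands the top-level list shape of a Falco rules file and is not a general YAML parser.

```python
import difflib
import re
from typing import Dict, List, Tuple

# Constructed sample: a rules file before and after an update. The macro
# names follow Falco's default ruleset, but the content is illustrative only.
OLD_RULES = """\
- macro: open_write
  condition: evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f'

- rule: Write below etc
  desc: an attempt to write to any file below /etc
  condition: open_write and fd.directory startswith /etc
  output: "File below /etc opened for writing (file=%fd.name)"
  priority: ERROR
  tags: [filesystem]

- rule: Read sensitive file
  desc: an attempt to read a sensitive file
  condition: open_read and fd.name in (/etc/shadow)
  output: "Sensitive file opened (file=%fd.name)"
  priority: WARNING
"""

NEW_RULES = """\
- macro: open_write
  condition: evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f'

- rule: Write below etc
  desc: an attempt to write to any file below /etc
  condition: open_write and fd.directory startswith /etc and not proc.name=falcoctl
  output: "File below /etc opened for writing (file=%fd.name proc=%proc.name)"
  priority: ERROR
  tags: [filesystem]

- rule: Falcoctl modified rules
  desc: falcoctl wrote a rules file
  condition: open_write and fd.directory=/etc/falco and proc.name=falcoctl
  output: "Rules file updated by falcoctl (file=%fd.name)"
  priority: NOTICE
"""

# A top-level item starts with "- rule:", "- macro:" or "- list:" followed by its name.
ITEM_RE = re.compile(r"^- (rule|macro|list): (.+?)\s*$")


def split_items(text: str) -> Dict[str, str]:
    """Split a rules file into top-level items keyed by "<kind>: <name>".

    The value is the item's full text (trailing blank lines stripped), which is
    what gets compared to decide whether an item changed.
    """
    items: Dict[str, str] = {}
    key = None
    buf: List[str] = []
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            if key is not None:
                items[key] = "\n".join(buf).rstrip()
            key = f"{m.group(1)}: {m.group(2)}"
            buf = [line]
        elif key is not None:
            buf.append(line)
    if key is not None:
        items[key] = "\n".join(buf).rstrip()
    return items


def diff_rules(old: str, new: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (summary, diffs): which items were added/removed/modified,
    plus a unified diff for every modified item."""
    a, b = split_items(old), split_items(new)
    summary = {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "modified": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }
    diffs = {
        k: "\n".join(difflib.unified_diff(a[k].splitlines(), b[k].splitlines(),
                                          fromfile=f"old/{k}", tofile=f"new/{k}",
                                          lineterm=""))
        for k in summary["modified"]
    }
    return summary, diffs


if __name__ == "__main__":
    summary, diffs = diff_rules(OLD_RULES, NEW_RULES)
    for change, names in summary.items():
        for name in names:
            print(f"{change}: {name}")
    for name, text in diffs.items():
        print(text)
```

Keying the comparison on item names rather than on raw file lines is what makes the report useful for debugging: a reordered file produces no noise, while a changed condition on a single rule is reported by rule name with the exact lines that changed.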