Proposal: Falcoctl config to patch falco.yaml with additional rules files or plugins beyond what is defined from the rules artifact

[tspearconquest]

What would you like to be added:

Context: Falcoctl can retrieve the rules files from OCI when doing falcoctl artifact install. However when the artifacts are all installed, I also have some custom rules I want to apply that are not packaged up, and contain only some overrides/extensions that are specific to our local environments, for rules and macros defined in the artifacts. I want to be able to apply these overrides with Falcoctl so that they apply any time new rules are downloaded.

Proposal: It’d be great if falcoctl artifact install also could have a small config file for itself included in the OCI artifact. This could be used, for example, to directly append a new rules file to the rules_file field in falco.yaml, or a new plugin to the plugins field.

example config.yaml:

rules_files_append:
  - userDefinedRules.yaml
plugins_append:
  - name userDefinedPlugin
    library_path: libUserDefinedPlugin.so
    init_config: {}
    open_params: ""

If falcoctl could read this in from the extracted tarball path (from the OCI registry artifact) and take action to append the values defined, it’d be really useful.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[tspearconquest]

Not stale. Made some clarifications to the title and description

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[tspearconquest]

/remove-lifecycle rotten
/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[tspearconquest]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[tspearconquest]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten