What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area engine

What this PR does / why we need it:

This is a rather straightforward implementation of #3174 (comment) . Essentially, it introduces two new ways of enabling/disabling rules without changing the rule files. Following the example:

rules:
  - disable:
      rule: *
  - enable:
      tag: network
  - enable:
      rule: Directory traversal monitored file
  - enable:
      rule: k8s_*
  - disable:
      rule: k8s_noisy_rule

This means: disable everything, enable all rules tagged networking, also enable the rule called Directory traversal monitored file, then enable any rule matching the wildcard pattern k8s_* and disable k8s_noisy_rule.

You can achieve the same via the CLI

falco -o "rules[].disable.rule=*" -o "rules[].enable.tag=network" -o "rules[].enable.rule=Directory traversal monitored file
" -o "rules[].enable.rule=k8s_*" -o "rules[].disable.rule=k8s_noisy_rule"

The new syntax [] allows to append a new element at the end of sequences, which is how the CLI works in this case.

At this point, rule names support wildcard while tag names do not. I am a bit unsure about what to do with tag names. On one side, what you want to do is enable and disable them one by one so wildcards seem a bit too much there. On the other hand we currently allow to "intersect" the tags we want, such as only networking AND exec, which is not supported here. Perhaps we could add a tags option for that?

Which issue(s) this PR fixes:

Fixes #3174

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new(falco): allow selecting which rules to load from the configuration file or command line