New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Falco still load "enabled: false" rule when using "-t" #2631
Comments
/milestone 0.36.0 Thanks! Will need further investigation. |
I can confirm that tag-based enabling-disabling overrides the |
I just use -t with 0.35.0, not previous versions. But I think they have same behavior.
|
I tend to agree with you, but since this is a UX change we may need the opinion of others too. cc @falcosecurity/falco-maintainers @falcosecurity/core-maintainers |
Update: It's on the roadmap for Falco 0.36 alongside exposing tags based filtering through |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale |
still, to address, I will move it to 0.38.0 |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale |
/assign |
The new rule selection configuration option coming in Falco 0.38.0 (scheduled for end of month) address this kind of use case and has been designed with that in mind ( #3178 ). I would close this specific issue, but if after release more use cases are identified that we want to add we can always open more issues. |
Describe the bug
How to reproduce it
Expected behaviour
Screenshots
Environment
Falco version: 0.35.0
System info:
Mon Jun 12 03:39:02 2023: Falco version: 0.35.0 (x86_64)
Mon Jun 12 03:39:02 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Mon Jun 12 03:39:02 2023: Loading rules from file /etc/falco/falco_rules.yaml
Mon Jun 12 03:39:02 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
{
"machine": "x86_64",
"nodename": "falco-syscall-wk8vn",
"release": "5.10.0-0.deb10.16-amd64",
"sysname": "Linux",
"version": "Digwatch compiler #1 SMP Debian 5.10.127-2~bpo10+1 (2022-07-28)"
}
OS: Debian 10
Kernel:4.19.98-1
Installation method: kubernetes daemonset
The text was updated successfully, but these errors were encountered: