rules icon indicating copy to clipboard operation
rules copied to clipboard

Published 20 hours ago verified publisher icon falcosecurity

Duplicated entries across various `falco` rules files

Open leogr opened this issue 1 year ago • 11 comments

Motivation

See https://github.com/falcosecurity/rules/pull/149#issuecomment-1705527047

The common use case is when a list or a macro is first defined in the stable rules file, but it is also needed (as-is or extended) by other rules files.

Feature

Likely, the simplest way to address this is to define a standard way to express list and macro dependencies requirements.

This would force the user to load another rules file with the missing list or macro definition, without the need of duplicating the whole list or macro.

However, the design of this feature is still TBD

@falcosecurity/core-maintainers

Alternatives

Keep duplicate entries, as it is now. In this way, duplicated items are just silently overwritten. The only con is that the loading order affects the end results when the duplicate item is not identical (for example, if it has been modified in one file but not in the other).

Additional context

See https://github.com/falcosecurity/rules/pull/149#issuecomment-1705527047

leogr avatar Sep 04 '23 16:09 leogr