Falcoctl - HackMD

# Falcoctl ## falcoctl artifact Even if it's clear for a dev what artifacts are, it's not a term commonly used by SRE/SecOps, and it's confusing to list all types with same command (even if we can filter with an arg). To avoid confusion, I propose to replace `falcoctl artifacts` by `falcoctl plugin` and `falcoctl driver`. For plugins: * `falcoctl plugin list`: list all official plugins * `falcoctl plugin search`: search a plugin * `falcoctl plugin install`: install a plugin * `falcoctl plugin remove`: uninstall a plugin For rules: * `falcoctl rule list`: list all official rules * `falcoctl rule search`: search a rule * `falcoctl rule install`: install a rule * `falcoctl rule remove`: uninstall a rule For drivers: * `falcoctl driver list`: list all official drivers (`--type` to filter between kmod and ebpf) * `falcoctl driver search`: search a driver (`--type` to filter between kmod and ebpf) * `falcoctl driver install`: install a driver (it replaces the loading function from this [script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader)) * `falcoctl driver remove`: uninstall a driver ### falcoctl driver In the last months, we added in test-infra the creation of .json listing the drivers: * https://download.falco.org/driver/site/index.json * https://download.falco.org/driver/site/3.0.1%2Bdriver.json (example for 1 driver version) These files could be used for the `list` and `search` subcommands. #### falcoctl driver search The most common issue the adopters have with the installation of Falco is to check the compatibility of the drivers with their systems. A command `falcoctl driver search --current` could check if some precompiled drivers are available for the locale system. ### falcoctl rule list The API endpoint is not available in the gRPC contract but we can imagine having a way to list the enabled rules in Falco could be useful `falcoctl rule list --enabled`. ### falcoctl rule enable/disable If the gRPC allows it, it gives to the user the possibility to enable/disable rules on the fly. ## More functions ### falcoctl check `checks` if we can install falco with precompiled drivers in the locale or remote system (k8s, vm). It replaces check functions from https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader ### falcoctl connect It connect to a falco through gRPC to get the livestream of events