From 11c30708bf02b08c3bed830bfbec31e1e3c139ba Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Tue, 23 Apr 2024 16:42:16 +0000
Subject: [PATCH] new(engine): add 'rules' section description to falco.yaml

Signed-off-by: Luca Guerra
---
 falco.yaml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/falco.yaml b/falco.yaml
index 93aefe03978..5064ca55ff0 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -177,6 +177,39 @@ rules_files:
 - /etc/falco/falco_rules.local.yaml
 - /etc/falco/rules.d
 
+# [Experimental] `rules`
+#
+# --- [Description]
+#
+# Falco rules can be enabled or disabled by name (with wildcards *) and/or by tag.
+#
+# This configuration is applied after all rules files have been loaded, including
+# their overrides, and will take precedence over the enabled/disabled configuration
+# specified or overridden in the rules files.
+#
+# The ordering matters and selections are evaluated in order. For instance, if you
+# need to only enable a rule you would first disable all of them and then only
+# enable what you need, regardless of the enabled status in the files.
+#
+# --- [Examples]
+#
+# Only enable two rules:
+#
+# rules:
+# - disable:
+# rule: "*"
+# - enable:
+# rule: Netcat Remote Code Execution in Container
+# - enable:
+# rule: Delete or rename shell history
+#
+# Disable all rules with a specific tag:
+#
+# rules:
+# - disable:
+# tag: network
+#
+
 ################
 # Falco engine #
 ################
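Review bot: The added description does not say what happens when a `rule:` pattern or a `tag:` value matches no loaded rule, and that matters most in the "Only enable two rules" example. After `disable: rule: "*"`, a misspelled name in a later `enable` entry would leave that detection switched off, and because this section takes precedence over the rules files, nothing there would turn it back on. Whether the engine warns about an unmatched selector is not visible in this patch, so the comment should state the behaviour either way. Under [Description] I would add a line such as `# After disabling with "*", only rules matched by a later enable entry stay active; verify the resulting rule set after editing this section.`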