new(falco): add append_output configuration option with fields and format

[LucaGuerra]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area engine

What this PR does / why we need it:

This addresses the need for a configuration option that allows to specify:

1. Additional output at the end of the regular message
2. Additional output fields, only visible in the json message, which can contain any custom message including formatted fields. Supports outputting strings with format and environment variables.

This is how it works

append_output:
  - source: syscall
    tag: persistence
    rule: some rule name
    format: "gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4]"

  - source: k8s_audit
    fields: 
      - ka.verb
      - home_directory: "${HOME}"
      - my_field: "this is event number %evt.num"
    format: "with response code %ka.response.code"

Which issue(s) this PR fixes:

Fixes #3235

Special notes for your reviewer:

As a bonus, this gets rid of JsonCpp in Falco.

Does this PR introduce a user-facing change?:

new(falco): introduce append_output configuration

[github-actions]

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

[LucaGuerra]

/milestone 0.39.0

[LucaGuerra]

The structure and functionality is there and can be reviewed, I need to figure out how to properly add this to the json schema, make sure integration tests pass and add an explanation to falco.yaml

[FedeDP]

/cc @incertum

[LucaGuerra]

I have updated the PR:

• Fields specified like - ka.verb (i.e. single Falco field) are now supported. They will show up with their original type instead of being cast to string
• The json schema should be updated to reflect these changes
• There is an explanation in falco.yaml about how to use this feature

[LucaGuerra]

This fixes the falcosecurity/testing failure: falcosecurity/testing#61

[LucaGuerra]

Addressed @FedeDP 's comment, updated the json schema and also added a test for CLI options since the -o PR was merged in the meantime

[FedeDP]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [FedeDP,LucaGuerra]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[poiana]

LGTM label has been added.

Git tree hash: 04ed804283cb84988ae80420bf2bd60f16d1f84b

[leogr]

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

false positive
/unhold

[leogr]

nits

[leogr]

Suggested change

	# `format`: add output to the Falco message
	# `format`: format the given string and append it to the Falco output message