From 772d4f951527ec8e4aada1ffa745c7006b64d7c1 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Tue, 30 Apr 2019 12:46:25 -0700 Subject: [PATCH] Update engine fields checksum for fd.dev.* (#589) * Update engine fields checksum for fd.dev.* New fields fd.dev.*, so updating the fields checksum. * Print a message why the trace file can't be read. At debug level only, but better than nothing. * Adjust tests to match new container_started macro Now that the container_started macro works either on the container event or the first process being spawned in a container, we need to adjust the counts for some rules to handle both cases.
---
 test/falco_traces.yaml.in | 4 ++-- userspace/engine/falco_engine_version.h | 2 +- userspace/falco/falco.cpp | 1 + 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/test/falco_traces.yaml.in b/test/falco_traces.yaml.in
index ef949bf4..fb43a8fd 100644
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -34,14 +34,14 @@ traces: !mux
 detect: True
 detect_level: INFO
 detect_counts:
- - "Launch Privileged Container": 2
+ - "Launch Privileged Container": 3
 container-sensitive-mount:
 trace_file: traces-positive/container-sensitive-mount.scap
 detect: True
 detect_level: INFO
 detect_counts:
- - "Launch Sensitive Mount Container": 2
+ - "Launch Sensitive Mount Container": 3
 create-files-below-dev:
 trace_file: traces-positive/create-files-below-dev.scap
diff --git a/userspace/engine/falco_engine_version.h b/userspace/engine/falco_engine_version.h
index c7745f72..7dc9b169 100644
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
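Review bot: In test/falco_traces.yaml.in the expected counts for "Launch Privileged Container" and "Launch Sensitive Mount Container" move from 2 to 3 with nothing in the fixture saying which events in each trace produce the hits. The commit description says the container_started macro now matches either the container event or the first process spawned in a container, which suggests a single launch can alert more than once. A one-line YAML comment above each count, for example `# counts both the container event and the first process spawned in the container`, would record why the number is 3. It is also worth confirming that the extra alert is intended for consumers of these two rules, since it changes their alert volume.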
@@ -24,4 +24,4 @@ limitations under the License.
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used
 // at build time to detect a changed set of fields.
-#define FALCO_FIELDS_CHECKSUM "b1bf297373fd08c91ffc978dbff5b349ec9338e25b54f70f23e40a609d47924b"
+#define FALCO_FIELDS_CHECKSUM "fb82780f268b91fb888876e6ac1142b5acca08e05b3a82c4b1b524ca88fa83d9"
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index 31f32e71..361dfadd 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -916,6 +916,7 @@ int falco_init(int argc, char **argv)
 }
 catch(sinsp_exception &e)
 {
+ falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + trace_filename + "\": " + string(e.what()));
 trace_is_scap=false;
 }
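Review bot: The added `falco_logger::log(LOG_DEBUG, ...)` call in the `catch(sinsp_exception &e)` block of userspace/falco/falco.cpp builds its message with no terminating newline. Whether falco_logger::log appends one itself is not visible in this hunk; if it does not, the entry will run into whatever is logged next, so the call could end `+ string(e.what()) + "\n");`. The trace file name and the exception text are also concatenated into the message unescaped, so any control characters in the name would reach the log sink verbatim; where these logs are forwarded to syslog or a SIEM, consider sanitising or quoting the name before logging it. falco_init starts and ends outside the hunk.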