Update engine fields checksum for fd.dev.* (#589)

* Update engine fields checksum for fd.dev.*

New fields fd.dev.*, so updating the fields checksum.

* Print a message explaining why the trace file can't be read.

At debug level only, but better than nothing.

* Adjust tests to match new container_started macro

Now that the container_started macro works either on the container event
or the first process being spawned in a container, we need to adjust the
counts for some rules to handle both cases.
Mark Stemm 2019-04-30 12:46:25 -07:00 committed by GitHub
parent 0e1c436d14
commit 772d4f9515
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 3 deletions


@ -34,14 +34,14 @@ traces: !mux
detect: True
detect_level: INFO
detect_counts:
- "Launch Privileged Container": 2
- "Launch Privileged Container": 3
container-sensitive-mount:
trace_file: traces-positive/container-sensitive-mount.scap
detect: True
detect_level: INFO
detect_counts:
- "Launch Sensitive Mount Container": 2
- "Launch Sensitive Mount Container": 3
create-files-below-dev:
trace_file: traces-positive/create-files-below-dev.scap

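Review bot: the expected counts move from 2 to 3 rather than from 2 to 4, which suggests the reworked container_started macro now fires twice for only one of the container starts in each of these traces; a one-line comment beside the new count (for example, which container start in the .scap yields both the container event and the first-process event) would let the next person who edits these numbers see why 3 is right instead of re-deriving it from the capture files. It is also worth confirming that two hits for the same container start are the intended behaviour and not a duplicate alert the rule should suppress.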

@ -24,4 +24,4 @@ limitations under the License.
// This is the result of running "falco --list -N | sha256sum" and
// represents the fields supported by this version of falco. It's used
// at build time to detect a changed set of fields.
#define FALCO_FIELDS_CHECKSUM "b1bf297373fd08c91ffc978dbff5b349ec9338e25b54f70f23e40a609d47924b"
#define FALCO_FIELDS_CHECKSUM "fb82780f268b91fb888876e6ac1142b5acca08e05b3a82c4b1b524ca88fa83d9"
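Review bot: the new hex literal cannot be checked from the diff alone, because the field list it hashes comes from whatever libsinsp Falco was built against when "falco --list -N | sha256sum" was run; please record, in the commit message or in the comment above the #define, the sysdig revision that introduced fd.dev.* and against which this value was generated, so the checksum can be reproduced rather than trusted.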


@ -916,6 +916,7 @@ int falco_init(int argc, char **argv)
}
catch(sinsp_exception &e)
{
falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + trace_filename + "\": " + string(e.what()));
trace_is_scap=false;
}
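Review bot: LOG_DEBUG is too quiet for this catch, because the very next line sets trace_is_scap=false and the file is then treated as something other than a scap capture; a user who passes a corrupt or truncated capture gets no hint that it was rejected unless they run with debug logging. Suggest LOG_WARNING (or at least LOG_INFO) for the "Could not read trace file" message, and consider whether the silent fallback is appropriate at all when the filename clearly names a .scap file.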