executable hashing integration in falco.yaml.

Signed-off-by: Loris Degioanni <loris@sysdig.com>

falco.yaml

@@ -63,6 +63,16 @@ plugins:
 # load_plugins: [cloudtrail, json]
 load_plugins: []
 
+#
+# Enabling hashing instructs Falco to generate checksums of executable files,
+# which is used by malware detection rules.
+# Hashing can require substantial resources when many different files are executed, so
+# keep this disabled if performance is an issue.
+#
+hash_executables: false
+#hashing_checksum_files:
+#  - /etc/falco/malware_signatures.txt
+
 # Watch config file and rules files for modification.
 # When a file is modified, Falco will propagate new config,
 # by reloading itself.

userspace/engine/falco_engine_version.h

@@ -21,4 +21,4 @@ limitations under the License.
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of Falco. It's used
 // at build time to detect a changed set of fields.
-#define FALCO_FIELDS_CHECKSUM "674c6cf2bc1c105038c8676f018fa3d1431d86597df428453441f5d859cad284"
+#define FALCO_FIELDS_CHECKSUM "7295abed12ed0f2fba58b10a383fbefb67741ef24d493233e056296350f1f288"

userspace/falco/app_actions/init_inspectors.cpp

@@ -51,6 +51,11 @@ void application::init_syscall_inspector(
 		configure_interesting_sets();
 	}
 
+	if(m_state->config->m_hash_executables)
+	{
+		inspector->set_exec_hashing(true, m_state->config->m_hashing_checksum_files);
+	}
+
 	inspector->set_hostname_and_port_resolution_mode(false);
 }
 

userspace/falco/configuration.cpp

@@ -57,6 +57,7 @@ falco_configuration::falco_configuration():
 	m_metadata_download_chunk_wait_us(1000),
 	m_metadata_download_watch_freq_sec(1),
 	m_syscall_buf_size_preset(4),
+	m_hash_executables(false),
 	m_config(NULL)
 {
 }
@@ -338,6 +339,19 @@ void falco_configuration::init(const string& conf_filename, const vector<string>
 	}
 
 	m_watch_config_files = m_config->get_scalar<bool>("watch_config_files", true);
+
+	m_hash_executables = m_config->get_scalar<bool>("hash_executables", false);
+	m_config->get_sequence<vector<string>>(m_hashing_checksum_files, string("hashing_checksum_files"));
+	for(auto fname : m_hashing_checksum_files)
+	{
+		ifstream fs(fname);
+		if(!fs.good())
+		{
+			throw invalid_argument("Error reading config file(" + m_config_file + "): hashing file " + fname + " doesn not exist");
+		}
+		fs.close();
+	}
+
 }
 
 void falco_configuration::read_rules_file_directory(const string &path, list<string> &rules_filenames, list<string> &rules_folders)

userspace/falco/configuration.h

@@ -274,6 +274,9 @@ public:
 
 	std::vector<plugin_config> m_plugins;
 
+	bool m_hash_executables;
+	std::vector<string> m_hashing_checksum_files;
+
 private:
 	void init_cmdline_options(const std::vector<std::string>& cmdline_options);