Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Auditbeat/FIM/fsnotify]: remove time window where a child file operation of a directory can be lost #39133

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,9 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
*Auditbeat*
- Set field types to correctly match ECS in sessionmd processor {issue}38955[38955] {pull}38994[38994]

- Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133]


*Filebeat*

- [Gcs Input] - Added missing locks for safe concurrency {pull}34914[34914]
Expand Down
7 changes: 6 additions & 1 deletion auditbeat/module/file_integrity/monitor/monitor_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,11 @@ func TestRecursiveSubdirPermissions(t *testing.T) {
t.Skip("Skipping permissions test on Windows")
}

if os.Getuid() == 0 {
t.Skip("skipping as root can access every file and thus this unittest will fail")
return
}

// Create dir to be watched

dir, err := os.MkdirTemp("", "monitor")
Expand Down Expand Up @@ -202,7 +207,7 @@ func TestRecursiveSubdirPermissions(t *testing.T) {
for {
// No event is received
ev, err := readTimeout(t, watcher)
if err == errReadTimeout {
if errors.Is(err, errReadTimeout) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to spend more time learning go-isms.

break
}
assertNoError(t, err)
Expand Down
54 changes: 40 additions & 14 deletions auditbeat/module/file_integrity/monitor/recursive.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,37 +84,63 @@ func (watcher *recursiveWatcher) ErrorChannel() <-chan error {
return watcher.inner.Errors
}

func (watcher *recursiveWatcher) watchFile(path string, info os.FileInfo) error {
var err error
if info == nil {
info, err = os.Lstat(path)
if err != nil {
return err
}
}

if info.IsDir() {
if err = watcher.tree.AddDir(path); err != nil {
return err
}

if err = watcher.inner.Add(path); err != nil {
return err
}

return nil
}

return watcher.tree.AddFile(path)
}

func (watcher *recursiveWatcher) addRecursive(path string) error {
if watcher.isExcludedPath(path) {
return nil
}

if err := watcher.watchFile(path, nil); err != nil {
return fmt.Errorf("failed adding watcher to '%s': %w", path, err)
}

var errs multierror.Errors
err := filepath.Walk(path, func(path string, info os.FileInfo, fnErr error) error {
if watcher.isExcludedPath(path) {
err := filepath.Walk(path, func(walkPath string, info os.FileInfo, fnErr error) error {
if walkPath == path {
return nil
}

if watcher.isExcludedPath(walkPath) {
return nil
}

if fnErr != nil {
errs = append(errs, fmt.Errorf("error walking path '%s': %w", path, fnErr))
errs = append(errs, fmt.Errorf("error walking path '%s': %w", walkPath, fnErr))
// If FileInfo is not nil, the directory entry can be processed
// even if there was some error
if info == nil {
return nil
}
}
var err error
if info.IsDir() {
if err = watcher.tree.AddDir(path); err == nil {
if err = watcher.inner.Add(path); err != nil {
errs = append(errs, fmt.Errorf("failed adding watcher to '%s': %w", path, err))
return nil
}
}
} else {
err = watcher.tree.AddFile(path)

if err := watcher.watchFile(walkPath, info); err != nil {
errs = append(errs, fmt.Errorf("failed adding watcher to '%s': %w", walkPath, err))
}
return err

return nil
})
watcher.log.Debugw("Added recursive watch", "path", path)

Expand Down
Loading