Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[7.17](backport #39133) [Auditbeat/FIM/fsnotify]: remove time window where a child file operation of a directory can be lost #39231

Merged
merged 2 commits into from Apr 30, 2024
Merged

[7.17](backport #39133) [Auditbeat/FIM/fsnotify]: remove time window where a child file operation of a directory can be lost #39231

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
18459e0
[Auditbeat/FIM/fsnotify]: remove time window where a child file opera…
pkoutsovasilis Apr 26, 2024
f13b10b
fix: resolve conflicts
pkoutsovasilis Apr 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 3 additions & 0 deletions CHANGELOG.next.asciidoc
View file
Open in desktop
Expand Up @@ -35,6 +35,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
*Auditbeat*


- Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133]


*Filebeat*

- Fix handling of un-parsed JSON in O365 module. {issue}37800[37800] {pull}38709[38709]
Expand Down
7 changes: 6 additions & 1 deletion auditbeat/module/file_integrity/monitor/monitor_test.go
View file
Open in desktop
Expand Up @@ -22,7 +22,7 @@

import (
"errors"
"io/ioutil"

Check failure on line 25 in auditbeat/module/file_integrity/monitor/monitor_test.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

SA1019: "io/ioutil" has been deprecated since Go 1.19: As of Go 1.16, the same functionality is now provided by package [io] or package [os], and those implementations should be preferred in new code. See the specific function documentation for details.  (staticcheck)
"os"
"path/filepath"
"runtime"
Expand Down Expand Up @@ -59,7 +59,7 @@
testDirOps(t, dir, watcher)

subdir := filepath.Join(dir, "subdir")
os.Mkdir(subdir, 0750)

Check failure on line 62 in auditbeat/module/file_integrity/monitor/monitor_test.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

Error return value of `os.Mkdir` is not checked (errcheck)

ev, err := readTimeout(t, watcher)
assertNoError(t, err)
Expand Down Expand Up @@ -107,7 +107,7 @@
testDirOps(t, dir, watcher)

subdir := filepath.Join(dir, "subdir")
os.Mkdir(subdir, 0750)

Check failure on line 110 in auditbeat/module/file_integrity/monitor/monitor_test.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

Error return value of `os.Mkdir` is not checked (errcheck)

ev, err := readTimeout(t, watcher)
assertNoError(t, err)
Expand Down Expand Up @@ -177,6 +177,11 @@
t.Skip("Skipping permissions test on Windows")
}

if os.Getuid() == 0 {
t.Skip("skipping as root can access every file and thus this unittest will fail")
return
}

// Create dir to be watched

dir, err := ioutil.TempDir("", "monitor")
Expand Down Expand Up @@ -227,7 +232,7 @@

ev, err := readTimeout(t, watcher)
assert.Equal(t, errReadTimeout, err)
if err != errReadTimeout {

Check failure on line 235 in auditbeat/module/file_integrity/monitor/monitor_test.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

comparing with != will fail on wrapped errors. Use errors.Is to check for a specific error (errorlint)
t.Fatalf("Expected timeout, got event %+v", ev)
}

Expand All @@ -242,7 +247,7 @@
for {
// No event is received
ev, err := readTimeout(t, watcher)
if err == errReadTimeout {
if errors.Is(err, errReadTimeout) {
break
}
assertNoError(t, err)
Expand Down Expand Up @@ -326,7 +331,7 @@

ev, err := readTimeout(t, watcher)
assert.Equal(t, errReadTimeout, err)
if err != errReadTimeout {

Check failure on line 334 in auditbeat/module/file_integrity/monitor/monitor_test.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

comparing with != will fail on wrapped errors. Use errors.Is to check for a specific error (errorlint)
t.Fatalf("Expected timeout, got event %+v", ev)
}

Expand All @@ -341,7 +346,7 @@
for {
// No event is received
ev, err := readTimeout(t, watcher)
if err == errReadTimeout {

Check failure on line 349 in auditbeat/module/file_integrity/monitor/monitor_test.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

comparing with == will fail on wrapped errors. Use errors.Is to check for a specific error (errorlint)
break
}
assertNoError(t, err)
Expand Down Expand Up @@ -384,12 +389,12 @@
for i := 0; i < 3; i++ {
f, err := os.OpenFile(fpath, os.O_RDWR|os.O_APPEND, 0640)
assertNoError(t, err)
f.WriteString(" world\n")

Check failure on line 392 in auditbeat/module/file_integrity/monitor/monitor_test.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

Error return value of `f.WriteString` is not checked (errcheck)
f.Sync()

Check failure on line 393 in auditbeat/module/file_integrity/monitor/monitor_test.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

Error return value of `f.Sync` is not checked (errcheck)
f.Close()

ev, err = readTimeout(t, watcher)
if err == nil || err != errReadTimeout {

Check failure on line 397 in auditbeat/module/file_integrity/monitor/monitor_test.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

comparing with != will fail on wrapped errors. Use errors.Is to check for a specific error (errorlint)
break
}
}
Expand Down
55 changes: 41 additions & 14 deletions auditbeat/module/file_integrity/monitor/recursive.go
View file
Open in desktop
Expand Up @@ -18,12 +18,13 @@
package monitor

import (
"fmt"
"os"
"path/filepath"

"github.com/fsnotify/fsnotify"
"github.com/joeshaw/multierror"
"github.com/pkg/errors"

Check failure on line 27 in auditbeat/module/file_integrity/monitor/recursive.go

View workflow job for this annotation

GitHub Actions / lint (darwin) 

import of package `github.com/pkg/errors` is blocked because the module is in the blocked modules list. `errors` and `fmt` are recommended modules. This package is deprecated, use `fmt.Errorf` with `%!w(MISSING)` instead. (gomodguard)

"github.com/elastic/beats/v7/libbeat/logp"
)
Expand Down Expand Up @@ -84,37 +85,63 @@
return watcher.inner.Errors
}

func (watcher *recursiveWatcher) watchFile(path string, info os.FileInfo) error {
var err error
if info == nil {
info, err = os.Lstat(path)
if err != nil {
return err
}
}

if info.IsDir() {
if err = watcher.tree.AddDir(path); err != nil {
return err
}

if err = watcher.inner.Add(path); err != nil {
return err
}

return nil
}

return watcher.tree.AddFile(path)
}

func (watcher *recursiveWatcher) addRecursive(path string) error {
if watcher.isExcludedPath(path) {
return nil
}

if err := watcher.watchFile(path, nil); err != nil {
return fmt.Errorf("failed adding watcher to '%s': %w", path, err)
}

var errs multierror.Errors
err := filepath.Walk(path, func(path string, info os.FileInfo, fnErr error) error {
if watcher.isExcludedPath(path) {
err := filepath.Walk(path, func(walkPath string, info os.FileInfo, fnErr error) error {
if walkPath == path {
return nil
}

if watcher.isExcludedPath(walkPath) {
return nil
}

if fnErr != nil {
errs = append(errs, errors.Wrapf(fnErr, "error walking path '%s'", path))
errs = append(errs, fmt.Errorf("error walking path '%s': %w", walkPath, fnErr))
// If FileInfo is not nil, the directory entry can be processed
// even if there was some error
if info == nil {
return nil
}
}
var err error
if info.IsDir() {
if err = watcher.tree.AddDir(path); err == nil {
if err = watcher.inner.Add(path); err != nil {
errs = append(errs, errors.Wrapf(err, "failed adding watcher to '%s'", path))
return nil
}
}
} else {
err = watcher.tree.AddFile(path)

if err := watcher.watchFile(walkPath, info); err != nil {
errs = append(errs, fmt.Errorf("failed adding watcher to '%s': %w", walkPath, err))
}
return err

return nil
})
watcher.log.Debugw("Added recursive watch", "path", path)

Expand Down