Skip to content

[auditbeat][fim] Update Auditbeat file_integrity module to default to auto backend with intelligent fallback #47498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[auditbeat][fim] Update Auditbeat file_integrity module to default to auto backend with intelligent fallback #47498

wants to merge 3 commits into from

Conversation

@marc-gr
Copy link
Contributor

@marc-gr marc-gr commented Nov 6, 2025

Proposed commit message

The auto backend option now tries the backends in order until the best available option is found

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@marc-gr marc-gr requested review from a team as code owners November 6, 2025 09:22
@marc-gr marc-gr added enhancement docs Auditbeat backport-skip Skip notification from the automated backport with mergify Team:Security-Linux Platform Linux Platform Team in Security Solution labels Nov 6, 2025
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 6, 2025
@elasticmachine
Copy link
Collaborator

elasticmachine commented Nov 6, 2025

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Nov 6, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify mergify bot assigned marc-gr Nov 6, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2025
edited
Loading

🔍 Preview links for changed docs

@marc-gr marc-gr marked this pull request as draft November 6, 2025 09:45
@marc-gr marc-gr marked this pull request as ready for review November 6, 2025 11:10
nicholasberlin
nicholasberlin reviewed Nov 6, 2025
View reviewed changes
auditbeat/module/file_integrity/ebpfreader_supported.go
func newEBPFReader(c Config, l *logp.Logger) (EventProducer, error) {
// Test if eBPF is available by trying to get the watcher
// This validates early that eBPF can actually be used, allowing fallback to work
_, err := ebpf.GetWatcher()
Copy link
Contributor

@nicholasberlin nicholasberlin Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that newFSNotifyReader and newKProbesReader, get watchers and then close them.
The ebpf watcher doesn't need to be closed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicholasberlin nicholasberlin nicholasberlin left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@marc-gr marc-gr

Labels

Auditbeat backport-skip Skip notification from the automated backport with mergify docs enhancement Team:Security-Linux Platform Linux Platform Team in Security Solution

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[auditbeat][fim] Improve handling of backend choice

3 participants

@marc-gr @elasticmachine @nicholasberlin