[Auditbeat/fim/fsnotify]: tiny time window that loses file events

[pkoutsovasilis]

So if my analysis is correct the following can happen in audibeat file_integrity module with fsnotify backend with recursive mode enabled.

The code of interest is here.

So we got an event that a path was created and we invoke the addRecursive to essentially walk the new file and if it is a dir also walk its contents.

However, there is a scenario here that we may end up losing events; So the path is the dir and there is a tiny time window where if a child file get's created right after the internal dir contents snapshot of filepath.Walk and before we add the path to the fsnotify watcher, this file is now off the radar.

@andrewkroh does the above make sense to you?

cc @dliappis

For confirmed bugs, please report:

• Version: all versions
• Operating System: Ubuntu 22.04.4 LTS
• Steps to Reproduce: Related buildkite failed runs due to the above 1, 2, 3

[elasticmachine]

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

[andrewkroh]

Unfortunately your analysis makes perfect sense.

[dliappis]

Thanks @pkoutsovasilis for the quick fix via #39133 !