elastic
diff --git a/‎.github/workflows/check-audtibeat.yml‎ ‎.github/workflows/check-auditbeat.yml‎.github/workflows/check-audtibeat.yml renamed to .github/workflows/check-auditbeat.yml b/‎.github/workflows/check-audtibeat.yml‎ ‎.github/workflows/check-auditbeat.yml‎.github/workflows/check-audtibeat.yml renamed to .github/workflows/check-auditbeat.yml
diff --git a/‎CHANGELOG.next.asciidoc‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.next.asciidoc‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎NOTICE.txt‎
Lines changed: 2 additions & 2 deletions b/‎NOTICE.txt‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎auditbeat/.gitignore‎
Lines changed: 0 additions & 1 deletion b/‎auditbeat/.gitignore‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎auditbeat/auditbeat.reference.yml‎
Lines changed: 5 additions & 0 deletions b/‎auditbeat/auditbeat.reference.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎auditbeat/docker-compose.yml‎
Lines changed: 4 additions & 0 deletions b/‎auditbeat/docker-compose.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎auditbeat/docs/modules/file_integrity.asciidoc‎
Lines changed: 9 additions & 1 deletion b/‎auditbeat/docs/modules/file_integrity.asciidoc‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎auditbeat/module/file_integrity/_meta/config.yml.tmpl‎
Lines changed: 8 additions & 0 deletions b/‎auditbeat/module/file_integrity/_meta/config.yml.tmpl‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎auditbeat/module/file_integrity/_meta/docs.asciidoc‎
Lines changed: 9 additions & 1 deletion b/‎auditbeat/module/file_integrity/_meta/docs.asciidoc‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎auditbeat/module/file_integrity/config.go‎
Lines changed: 27 additions & 0 deletions b/‎auditbeat/module/file_integrity/config.go‎
Lines changed: 27 additions & 0 deletions
@@ -130,6 +130,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 *Auditbeat*
 
 - Add linux capabilities to processes in the system/process. {pull}37453[37453]
+- Add opt-in eBPF backend for file_integrity module. {pull}37223[37223]
 
 *Filebeat*
 
 
@@ -12257,11 +12257,11 @@ SOFTWARE.
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/ebpfevents
-Version: v0.3.2
+Version: v0.4.0
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/ebpfevents@v0.3.2/LICENSE.txt:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/ebpfevents@v0.4.0/LICENSE.txt:
 
 The https://github.com/elastic/ebpfevents repository contains source code under
 various licenses:
 
@@ -6,4 +6,3 @@ module/*/_meta/config.yml
 /auditbeat
 /auditbeat.test
 /docs/html_docs
-
@@ -92,6 +92,11 @@ auditbeat.modules:
   # Auditbeat will ignore files unless they match a pattern.
   #include_files:
   #- '/\.ssh($|/)'
+  # Select the backend which will be used to source events.
+  # "fsnotify" doesn't have the ability to associate user data to file events.
+  # Valid values: auto, fsnotify, kprobes, ebpf.
+  # Default: fsnotify.
+  backend: fsnotify
 
   # Scan over the configured file paths at startup and send events for new or
   # modified files since the last time Auditbeat was running.
 
@@ -14,11 +14,15 @@ services:
       - KIBANA_PORT=5601
     volumes:
       - ${PWD}/..:/go/src/github.com/elastic/beats/
+      - /sys:/sys
     command: make
     privileged: true
     pid: host
     cap_add:
       - AUDIT_CONTROL
+      - BPF
+      - PERFMON
+      - SYS_RESOURCE
 
   # This is a proxy used to block beats until all services are healthy.
   # See: https://github.com/docker/compose/issues/4369
 
@@ -28,8 +28,13 @@ to only send events for new or modified files.
 
 The operating system features that power this feature are as follows.
 
-* Linux - `inotify` is used, and therefore the kernel must have inotify support.
+* Linux - Multiple backends are supported: `auto`, `fsnotify`, `kprobes`, `ebpf`.
+By default, `fsnotify` is used, and therefore the kernel must have inotify support.
 Inotify was initially merged into the 2.6.13 Linux kernel.
+The eBPF backend uses modern eBPF features and supports 5.10.16+ kernels.
+FSNotify doesn't have the ability to associate user data to file events.
+The preferred backend can be selected by specifying the `backend` config option.
+Since eBPF and Kprobes are in technical preview, `auto` will default to `fsnotify`.
 * macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API
 coalesces multiple changes to a file into a single event. {beatname_uc} translates
 this coalesced changes into a meaningful sequence of actions. However,
@@ -144,6 +149,9 @@ of this directories are watched. If `recursive` is set to `true`, the
 `file_integrity` module will watch for changes on this directories and all
 their subdirectories.
 
+*`backend`*:: (*Linux only*) Select the backend which will be used to
+source events. Valid values: `auto`, `fsnotify`, `kprobes`, `ebpf`. Default: `fsnotify`.
+
 include::{docdir}/auditbeat-options.asciidoc[]
 
 
 
@@ -55,6 +55,14 @@
   #- '/\.ssh($|/)'
   {{- end }}
 
+  {{- if eq .GOOS "linux" }}
+  # Select the backend which will be used to source events.
+  # "fsnotify" doesn't have the ability to associate user data to file events.
+  # Valid values: auto, fsnotify, kprobes, ebpf.
+  # Default: fsnotify.
+  backend: fsnotify
+  {{- end }}
+
   # Scan over the configured file paths at startup and send events for new or
   # modified files since the last time Auditbeat was running.
   scan_at_start: true
 
@@ -21,8 +21,13 @@ to only send events for new or modified files.
 
 The operating system features that power this feature are as follows.
 
-* Linux - `inotify` is used, and therefore the kernel must have inotify support.
+* Linux - Multiple backends are supported: `auto`, `fsnotify`, `kprobes`, `ebpf`.
+By default, `fsnotify` is used, and therefore the kernel must have inotify support.
 Inotify was initially merged into the 2.6.13 Linux kernel.
+The eBPF backend uses modern eBPF features and supports 5.10.16+ kernels.
+FSNotify doesn't have the ability to associate user data to file events.
+The preferred backend can be selected by specifying the `backend` config option.
+Since eBPF and Kprobes are in technical preview, `auto` will default to `fsnotify`.
 * macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API
 coalesces multiple changes to a file into a single event. {beatname_uc} translates
 this coalesced changes into a meaningful sequence of actions. However,
@@ -137,4 +142,7 @@ of this directories are watched. If `recursive` is set to `true`, the
 `file_integrity` module will watch for changes on this directories and all
 their subdirectories.
 
+*`backend`*:: (*Linux only*) Select the backend which will be used to
+source events. Valid values: `auto`, `fsnotify`, `kprobes`, `ebpf`. Default: `fsnotify`.
+
 include::{docdir}/auditbeat-options.asciidoc[]
@@ -18,10 +18,12 @@
 package file_integrity
 
 import (
+	"errors"
 	"fmt"
 	"math"
 	"path/filepath"
 	"regexp"
+	"runtime"
 	"sort"
 	"strings"
 
@@ -72,6 +74,25 @@ const (
 	XXH64       HashType = "xxh64"
 )
 
+type Backend string
+
+const (
+	BackendFSNotify Backend = "fsnotify"
+	BackendKprobes  Backend = "kprobes"
+	BackendEBPF     Backend = "ebpf"
+	BackendAuto     Backend = "auto"
+)
+
+func (b *Backend) Unpack(v string) error {
+	*b = Backend(v)
+	switch *b {
+	case BackendFSNotify, BackendKprobes, BackendEBPF, BackendAuto:
+		return nil
+	default:
+		return fmt.Errorf("invalid backend: %q", v)
+	}
+}
+
 // Config contains the configuration parameters for the file integrity
 // metricset.
 type Config struct {
@@ -86,6 +107,7 @@ type Config struct {
 	Recursive           bool            `config:"recursive"` // Recursive enables recursive monitoring of directories.
 	ExcludeFiles        []match.Matcher `config:"exclude_files"`
 	IncludeFiles        []match.Matcher `config:"include_files"`
+	Backend             Backend         `config:"backend"`
 }
 
 // Validate validates the config data and return an error explaining all the
@@ -160,6 +182,11 @@ nextHash:
 	if err != nil {
 		errs = append(errs, fmt.Errorf("invalid scan_rate_per_sec value: %w", err))
 	}
+
+	if c.Backend != "" && c.Backend != BackendAuto && runtime.GOOS != "linux" {
+		errs = append(errs, errors.New("backend can only be specified on linux"))
+	}
+
 	return errs.Err()
 }