in auditbeat/module/file_integrity/event.go [506:569]
func diffEvents(old, new *Event) (Action, bool) {
if old == new {
return None, false
}
if old == nil && new != nil {
return Created, true
}
if old != nil && new == nil {
return Deleted, true
}
if old.Path != new.Path {
return Moved, true
}
result := None
// Test if new.Hashes is a subset of old.Hashes.
hasAllHashes := true
for hashType, newValue := range new.Hashes {
oldValue, found := old.Hashes[hashType]
if !found {
hasAllHashes = false
continue
}
// The Updated action takes precedence over a new hash type being configured.
if !bytes.Equal(oldValue, newValue) {
result |= Updated
break
}
}
if old.TargetPath != new.TargetPath ||
(old.Info == nil && new.Info != nil) ||
(old.Info != nil && new.Info == nil) {
result |= AttributesModified
}
// Test if metadata has changed.
if o, n := old.Info, new.Info; o != nil && n != nil {
// The owner and group names are ignored (they aren't persisted).
if o.Inode != n.Inode || o.UID != n.UID || o.GID != n.GID || o.SID != n.SID ||
o.Mode != n.Mode || o.Type != n.Type || o.SetUID != n.SetUID || o.SetGID != n.SetGID ||
o.SELinux != n.SELinux || !bytes.Equal(o.POSIXACLAccess, n.POSIXACLAccess) {
result |= AttributesModified
}
// For files consider mtime and size.
if n.Type == FileType && (!o.MTime.Equal(n.MTime) || o.Size != n.Size) {
result |= AttributesModified
}
}
// The old event didn't have all the requested hash types.
if !hasAllHashes {
result |= ConfigChange
}
return result, result != None
}