From 5ec5811b0bf2310d6857c997a0355d34684c0301 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Thu, 2 Sep 2021 14:46:17 -0500
Subject: [PATCH 1/2] [Auditbeat] scanner honor include_files
- If included_path is set and file is not an included path then it is skipped
- directories are included even if they don't match included path because the contents might
Closes #27273
---
 CHANGELOG.next.asciidoc | 1 +
 auditbeat/module/file_integrity/metricset_test.go | 2 +-
 auditbeat/module/file_integrity/scanner.go | 5 +++++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 72d8a6a4c60f..e208fe74a0c6 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -213,6 +213,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - system/package: Fix an error that can occur while trying to persist package metadata. {issue}18536[18536] {pull}18887[18887]
 - system/socket: Fix dataset using 100% CPU and becoming unresponsive in some scenarios. {pull}19033[19033] {pull}19764[19764]
 - system/socket: Fixed tracking of long-running connections. {pull}19033[19033]
+- file_integrity: honor include_files when doing initial scan. {issue}27273[27273] {pull}27722[27722]
 *Filebeat*
diff --git a/auditbeat/module/file_integrity/metricset_test.go b/auditbeat/module/file_integrity/metricset_test.go
index aad49679c490..1d1dc5300516 100644
--- a/auditbeat/module/file_integrity/metricset_test.go
+++ b/auditbeat/module/file_integrity/metricset_test.go
@@ -258,7 +258,7 @@ func TestIncludedExcludedFiles(t *testing.T) {
 }
 config := getConfig(dir)
- config["include_files"] = []string{`\.ssh/`}
+ config["include_files"] = []string{`\.ssh\/`}
 config["recursive"] = true
 ms := mbtest.NewPushMetricSetV2(t, config)
diff --git a/auditbeat/module/file_integrity/scanner.go b/auditbeat/module/file_integrity/scanner.go
index 6a960065d1c3..a4bf72776334 100644
--- a/auditbeat/module/file_integrity/scanner.go
+++ b/auditbeat/module/file_integrity/scanner.go
@@ -140,6 +140,11 @@ func (s *scanner) walkDir(dir string, action Action) error {
 }
 return nil
 }
+
+ if !info.IsDir() && !s.config.IsIncludedPath(path) {
+ return nil
+ }
+
 defer func() { startTime = time.Now() }()
 event := s.newScanEvent(path, info, err, action)
From 90ee7d3cc1e3128a92d45b4d849833ec67be8d54 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Thu, 2 Sep 2021 21:12:54 -0500
Subject: [PATCH 2/2] change test regex to work on linux, mac and windows
---
 auditbeat/module/file_integrity/metricset_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auditbeat/module/file_integrity/metricset_test.go b/auditbeat/module/file_integrity/metricset_test.go
index 1d1dc5300516..14522bcd6271 100644
--- a/auditbeat/module/file_integrity/metricset_test.go
+++ b/auditbeat/module/file_integrity/metricset_test.go
@@ -258,7 +258,7 @@ func TestIncludedExcludedFiles(t *testing.T) {
 }
 config := getConfig(dir)
- config["include_files"] = []string{`\.ssh\/`}
+ config["include_files"] = []string{`\.ssh`}
 config["recursive"] = true
 ms := mbtest.NewPushMetricSetV2(t, config)
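Review bot: In `walkDir` (scanner.go) the new guard `if !info.IsDir() && !s.config.IsIncludedPath(path)` lets every directory through to `s.newScanEvent`, so the initial scan still emits events for directories that `include_files` does not match, and nothing in the code says why. The reason is given only in the commit message; put it next to the guard, e.g. `// Directories are never filtered here: files beneath them may still match include_files.` The walk callback begins and ends outside this hunk, so it is not visible whether returning nil for a directory would stop descent; if it would not, confirm that reporting non-matching directories is intended rather than a side effect. For a file-integrity baseline it would also help to have a test asserting that a non-matching file is absent from the scan output, since the test hunks in this series only change the pattern.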
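Review bot: The final pattern `\.ssh` in `TestIncludedExcludedFiles` (PATCH 2/2) no longer requires a path separator, so, assuming `include_files` patterns are matched unanchored as the original `\.ssh/` implies, it also accepts any path that merely contains `.ssh` (a constructed example: `.sshrc`). That weakens what the test proves about include filtering. The intermediate `\.ssh\/` from PATCH 1/2 matched the same strings as `\.ssh/`, because an escaped slash is a literal slash in Go's regexp syntax, so it could not have changed the Windows result. A pattern that keeps the separator on Linux, macOS and Windows is `\.ssh[/\\]`. The test function continues outside the hunk.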