File monitoring in NeuVector versions 5.4.1, 5.4.2, 5.4.3, 5.4.8 and 5.4.9 doesn't work

I did some research on newer NeuVector versions, in which file monitoring is limited to 3 files in my case (/etc/host, /etc/resolv.conf and /etc/shadow); the rest of the default and custom locations aren’t reported, so basically file monitoring isn’t working.
The last version where all of the files were monitored was 5.4.2. The best version was, IMO, 5.4.1, where file changes were reported faster, but they are sometimes skipped, as in version 5.4.2 (if you make changes to multiple files using e.g. touch, not all changes were reported).

In version 5.4.3 there is a different method of finding changes to files compared to the previous one. I guess it’s scanning the file system once?
https://github.com/neuvector/neuvector/blob/v5.4.2/share/fsmon/monitor.go
https://github.com/neuvector/neuvector/blob/v5.4.3/share/fsmon/monitor.go

Also, there is little change between 5.4.3 and 5.4.8, so it’s still working the same.

https://github.com/neuvector/neuvector/blob/v5.4.8/share/fsmon/monitor.go

In the enforcer I found some errors related to the above files, but monitoring for them is working, though only on containers:

2026-02-19T16:35:05.833|INFO|AGT|fsmon.(*FaNotify).MonitorFileEvents: FMON: start
2026-02-19T16:35:21.026|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/2527/root/etc/resolv.conf
2026-02-19T16:35:21.083|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1420/root/etc/resolv.conf
2026-02-19T16:38:36.035|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/2096/root/etc/resolv.conf
2026-02-19T16:38:36.085|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1411/root/etc/resolv.conf
2026-02-19T16:38:36.182|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1418/root/etc/resolv.conf
2026-02-19T16:38:36.205|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1650/root/etc/hosts
2026-02-19T16:38:36.205|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1650/root/etc/resolv.conf
2026-02-19T16:38:36.228|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1150800/root/etc/resolv.conf
2026-02-19T16:38:36.267|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/2527/root/etc/resolv.conf
2026-02-19T16:38:36.289|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1826/root/etc/hosts
2026-02-19T16:38:36.289|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1826/root/etc/resolv.conf
2026-02-19T16:39:01.013|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1150800/root/etc/resolv.conf

Setup

I set the appropriate runtimePath for the helm values.yaml file,
I added the label “pod-security.kubernetes.io/enforce=privileged” to the namespace,
my nodes utilize AppArmor, but in their logs there is no DENY entry; also, unknown process execution is working fine.
I’m running this on OpenStack, Kubernetes 1.34.3 and Ubuntu 22.04.5 LTS and all of the

My values file, also used with 5.4.2, 5.4.3, 5.4.8 and 5.4.9 - none of these versions properly monitored file changes:

tag: 5.4.1
controller:
  replicas: 1
  enabled: true
  resources:
    limits:
      cpu: 1250m
      memory: 2500Mi
    requests:
      cpu: 750m
      memory: 1500Mi
  federation:
    mastersvc:
      type: LoadBalancer 
      loadBalancerIP: x.x.x.x
      annotations:
        loadbalancer.openstack.org/keep-floatingip: "true"
        loadbalancer.openstack.org/load-balancer-address: "x.x.x.x"
  certificate:
    secret: https-cert
    keyFile: neuvector.key
    pemFile: neuvector.crt
  apisvc:
    type: LoadBalancer     
    ctrlServerPort: 10443  
  pvc:
    enabled: true
    storageClass: cinder-gp-ssd-retain
    capacity: 5Gi
  configmap:
    enabled: true
    data:
      sysinitcfg.yaml: |
        always_reload: true
        Cluster_Name: dbmi-neuvector-manager
        Scanner_Autoscale:
          Strategy: immediate
          Min_Pods: 1
          Max_Pods: 2
autoGenerateCert: false
enforcer:
  enabled: true
  resources:
    limits:
      cpu: 1500m
      memory: 3000Mi
    requests:
      cpu: 1000m
      memory: 2000Mi
  securityContext:
    privileged: true

manager:
  enabled: true
  resources:
    limits:
      cpu: 250m
      memory: 1000Mi
    requests:
      cpu: 250m
      memory: 250Mi
  certificate:
    secret: https-cert
    keyFile: dbmi-neuvector.key
    pemFile: dbmi-neuvector.crt
  svc: 
    type: LoadBalancer 
    loadBalancerIP: y.y.y.y
    annotations:
      loadbalancer.openstack.org/keep-floatingip: "true"
      loadbalancer.openstack.org/load-balancer-address: "y.y.y.y"
cve:
  updater:
    enabled: true
    resources:
      limits:
        cpu: 250m
        memory: 1000Mi
      requests:
        cpu: 250m
        memory: 750Mi
  scanner:
    enabled: true
    strategy:
      type: Recreate
      rollingUpdate: null
    replicas: 3
    resources:
      limits:
        cpu: 1500m
        memory: 3000Mi
      requests:
        cpu: 500m
        memory: 1500Mi
runtimePath: /var/run/containerd/containerd.sock

Additionally, here is a showcase of how file monitoring in the newest NeuVector 5.4.9 version isn’t working, except for those 3 locations mentioned above:
https://youtu.be/cDGCp5TlWeg
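
A small triage helper for the enforcer log excerpt in the post above, as an added example that is not part of the original post or of NeuVector's own code. It groups the `ContainerCleanup` errors by in-container file and PID and flags PID/file pairs that fail more than once; the field layout is inferred from the quoted log lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the enforcer log lines quoted in the post above.
SAMPLE_LOG = """\
2026-02-19T16:35:05.833|INFO|AGT|fsmon.(*FaNotify).MonitorFileEvents: FMON: start
2026-02-19T16:35:21.026|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/2527/root/etc/resolv.conf
2026-02-19T16:38:36.205|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1650/root/etc/hosts
2026-02-19T16:38:36.205|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/1650/root/etc/resolv.conf
2026-02-19T16:38:36.267|ERRO|AGT|fsmon.(*Inotify).ContainerCleanup: - err=invalid argument path=/proc/2527/root/etc/resolv.conf
"""

# Assumed layout: timestamp|LEVEL|component|function: message
LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<level>[A-Z]+)\|(?P<comp>[^|]+)\|(?P<func>[^:]+): (?P<msg>.*)$"
)
# Message tail as seen in the excerpt: err=<text> path=<path>
ERR_RE = re.compile(r"err=(?P<err>.+?) path=(?P<path>\S+)$")
# /proc/<pid>/root/<path inside the container's mount namespace>
PROC_RE = re.compile(r"^/proc/(?P<pid>\d+)/root(?P<inner>/.*)$")


def parse_cleanup_errors(log_text):
    """Return one dict per ERRO line emitted by ContainerCleanup."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["level"] != "ERRO" or not m["func"].endswith("ContainerCleanup"):
            continue
        e = ERR_RE.search(m["msg"])
        if not e:
            continue
        p = PROC_RE.match(e["path"])
        events.append({
            "ts": m["ts"],
            "err": e["err"],
            "pid": int(p["pid"]) if p else 0,  # 0 = path not under /proc/<pid>/root
            "file": p["inner"] if p else e["path"],
        })
    return events


def summarize(events):
    """Map each file to the PIDs it failed for, plus (pid, file) pairs seen more than once."""
    by_file, hits = defaultdict(set), defaultdict(int)
    for ev in events:
        by_file[ev["file"]].add(ev["pid"])
        hits[(ev["pid"], ev["file"])] += 1
    repeated = sorted(k for k, n in hits.items() if n > 1)
    return {f: sorted(pids) for f, pids in by_file.items()}, repeated
```

Feeding it the full enforcer log instead of `SAMPLE_LOG` shows whether the errors are confined to a few long-lived container PIDs or spread across every container on the node.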