Add write

author: We-unite <3205135446@qq.com> 2024-07-29 14:25:06 +0800
committer: We-unite <3205135446@qq.com> 2024-07-29 14:25:06 +0800
commit: 0deb0b10c28f72f08c330f183ef64d90405b1358 (patch)
tree: 257cecc63c0de65d04493ef09e5719747ae89975
parent: a345258c3082903702c81c6c830ff1fd35758861 (diff)
download: godo-0deb0b10c28f72f08c330f183ef64d90405b1358.tar.gz
godo-0deb0b10c28f72f08c330f183ef64d90405b1358.zip
2 files changed, 36 insertions, 0 deletions
diff --git a/src/deal.go b/src/deal.go
index d3b5da0..56f6d1d 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -65,6 +65,8 @@ func deal() {
                        go deletePid(cooked)
                case FILEOPEN:
                        fileOpen(cooked)
+                case FILEWRITE:
+                        fileWrite(cooked)
                case FILECLOSE:
                        fileClose(cooked)
                }
@@ -234,3 +236,23 @@ func fileClose(cooked Event) {
                "close_timestamp": bson.M{"$exists": false},
        }, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}})
 }
+func fileWrite(cooked Event) {
+        // 直接看文件表有无记录
+        res, err := fdCol.Finddoc(bson.M{
+                "pid":             cooked.pid,
+                "fd":              cooked.syscallParam[0],
+                "close_timestamp": bson.M{"$exists": false},
+        })
+        if err != nil {
+                fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
+        }
+        if len(res) == 0 {
+                return
+        }
+        fdCol.UpdateOne(bson.M{
+                "pid":             cooked.pid,
+                "fd":              cooked.syscallParam[0],
+                "close_timestamp": bson.M{"$exists": false},
+        }, bson.M{"$push": bson.M{"written": cooked.timestamp}})
+}
diff --git a/src/organize.go b/src/organize.go
index 1b064c1..f5c9992 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -160,6 +160,20 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                        syscallParam: a,
                        pathName:     "",
                })
+        case "write":
+                eventTable.Store(eventId, &Event{
+                        tag:          FILEWRITE,
+                        timestamp:    event.timestamp,
+                        syscall:      event.syscall,
+                        exit_code:    uint64(exit),
+                        ppid:         event.ppid,
+                        pid:          event.pid,
+                        argc:         0,
+                        argv:         make([]string, 0),
+                        cwd:          "",
+                        syscallParam: a,
+                        // pathName:     "",
+                })
        case "close":
                // 文件关闭
                eventTable.Store(eventId, &Event{
author	We-unite <3205135446@qq.com>	2024-07-29 14:25:06 +0800
committer	We-unite <3205135446@qq.com>	2024-07-29 14:25:06 +0800
commit	0deb0b10c28f72f08c330f183ef64d90405b1358 (patch)
tree	257cecc63c0de65d04493ef09e5719747ae89975
parent	a345258c3082903702c81c6c830ff1fd35758861 (diff)
download	godo-0deb0b10c28f72f08c330f183ef64d90405b1358.tar.gz godo-0deb0b10c28f72f08c330f183ef64d90405b1358.zip

diff --git a/src/deal.go b/src/deal.go index d3b5da0..56f6d1d 100644 --- a/src/deal.go +++ b/src/deal.go
@@ -65,6 +65,8 @@ func deal() {
65	go deletePid(cooked)	65	go deletePid(cooked)
66	case FILEOPEN:	66	case FILEOPEN:
67	fileOpen(cooked)	67	fileOpen(cooked)
		68	case FILEWRITE:
		69	fileWrite(cooked)
68	case FILECLOSE:	70	case FILECLOSE:
69	fileClose(cooked)	71	fileClose(cooked)
70	}	72	}
@@ -234,3 +236,23 @@ func fileClose(cooked Event) {
234	"close_timestamp": bson.M{"$exists": false},	236	"close_timestamp": bson.M{"$exists": false},
235	}, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}})	237	}, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}})
236	}	238	}
		239
		240	func fileWrite(cooked Event) {
		241	// 直接看文件表有无记录
		242	res, err := fdCol.Finddoc(bson.M{
		243	"pid": cooked.pid,
		244	"fd": cooked.syscallParam[0],
		245	"close_timestamp": bson.M{"$exists": false},
		246	})
		247	if err != nil {
		248	fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
		249	}
		250	if len(res) == 0 {
		251	return
		252	}
		253	fdCol.UpdateOne(bson.M{
		254	"pid": cooked.pid,
		255	"fd": cooked.syscallParam[0],
		256	"close_timestamp": bson.M{"$exists": false},
		257	}, bson.M{"$push": bson.M{"written": cooked.timestamp}})
		258	}


diff --git a/src/organize.go b/src/organize.go index 1b064c1..f5c9992 100644 --- a/src/organize.go +++ b/src/organize.go
@@ -160,6 +160,20 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
160	syscallParam: a,	160	syscallParam: a,
161	pathName: "",	161	pathName: "",
162	})	162	})
		163	case "write":
		164	eventTable.Store(eventId, &Event{
		165	tag: FILEWRITE,
		166	timestamp: event.timestamp,
		167	syscall: event.syscall,
		168	exit_code: uint64(exit),
		169	ppid: event.ppid,
		170	pid: event.pid,
		171	argc: 0,
		172	argv: make([]string, 0),
		173	cwd: "",
		174	syscallParam: a,
		175	// pathName: "",
		176	})
163	case "close":	177	case "close":
164	// 文件关闭	178	// 文件关闭
165	eventTable.Store(eventId, &Event{	179	eventTable.Store(eventId, &Event{