summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWe-unite <3205135446@qq.com>2024-07-22 11:41:59 +0800
committerWe-unite <3205135446@qq.com>2024-07-22 19:36:34 +0800
commitcf5618ff2e2a183c5bdf6444787dccdcbf26ce76 (patch)
tree6cc173b9bffe2c1414887a338b6dc2bdbd594fd1
parent7cf8e470471d30fc821a8be350dcb97dc64e5add (diff)
downloadgodo-cf5618ff2e2a183c5bdf6444787dccdcbf26ce76.tar.gz
godo-cf5618ff2e2a183c5bdf6444787dccdcbf26ce76.zip
Use mongodb, insert process info into it
I failed to print the process tree out. While I'm printing the tree, the tree itself gets changed, maybe deleted. What's more, the output show that there are 4 lines with the same ppid and pid, how an absurd result! It may be caused by multi-thread. So, use database instead. Mongodb uses bson(binary json) to store data but not relational database like mysql, which means it's more easy to use.(?) Beside inserting, I've also solved a question that "fork" is called once but returns twice. For instance, pid 1 forked pid 2, in the audit log it's not an event "syscall=clone,ppid=1,pid=2", but actually two events "syscall=clone,exit=0,ppid=0,pid=1" and "syscall=clone,exit= 2,ppid=0,pid=1", which is just what we see in sys_fork in kernel source. To deal with this, when syscall is clone and exit is 0 we just drop it. Left question: To find out the exit code when a process exit/exit_group, and finish the code to record it in the database.
Diffstat
-rw-r--r--.gitignore8
-rw-r--r--src/deal.go165
-rw-r--r--src/global.go23
-rw-r--r--src/go.mod16
-rw-r--r--src/go.sum43
-rw-r--r--src/godo.go18
-rw-r--r--src/organize.go54
7 files changed, 216 insertions, 111 deletions
diff --git a/.gitignore b/.gitignore
index 8a2ac54..9fe8ea9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,8 @@ godo
3 3
4old/* 4old/*
5!old/*.* 5!old/*.*
6old/*.log 6old/go.*
7old/*.json 7
8old/go.* \ No newline at end of file 8*/*.log
9*/*.json
10!logs/*.log
diff --git a/src/deal.go b/src/deal.go
index fd9f788..118d914 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -1,97 +1,134 @@
1package main 1package main
2 2
3import ( 3import (
4 "context"
4 "fmt" 5 "fmt"
5 "time" 6 "time"
7
8 "go.mongodb.org/mongo-driver/bson"
9 "go.mongodb.org/mongo-driver/mongo"
10 "go.mongodb.org/mongo-driver/mongo/options"
11)
12
13const (
14 dbName string = "test"
15 colName string = "pids"
6) 16)
7 17
8func deal() { 18func deal() {
9 defer wg.Done() 19 defer wg.Done()
10 var cooked Event 20 var cooked Event
11 var ok bool 21 var ok bool
22
23 var err error
24 var mongo *mongo.Client
25 var res []bson.M
26
27 mongo, err = connect()
28 if err != nil {
29 fmt.Printf("Err connecting the mongodb: %v\n", err)
30 }
31 pidCol := mongo.Database(dbName).Collection(colName)
32
33 err = pidCol.Drop(context.Background())
34 if err != nil {
35 fmt.Printf("Err drop: %v\n", err)
36 }
37
38 _, err = pidCol.InsertOne(context.Background(), bson.M{
39 "ppid": 1,
40 "pid": containerdPid,
41 "cwd": "/",
42 })
43 if err != nil {
44 fmt.Printf("Err containerd: %v", err)
45 return
46 }
47
48 fmt.Printf("Containerd: %d\n", containerdPid)
49
12 for { 50 for {
13 cooked, ok = <-cookedChan 51 cooked, ok = <-cookedChan
14 if !ok { 52 if !ok {
15 break 53 break
16 } 54 }
17 // type Event struct { 55
18 // timestamp time.Time
19 // pid, ppid int
20 // syscall int
21 // argc int
22 // args []string
23 // cwd string
24 // }
25 // type process struct {
26 // timestamp time.Time
27 // pid, ppid int
28 // argv []string
29 // cwd string
30 // rootfs string
31 // children []int
32 // }
33 switch syscallTable[cooked.syscall] { 56 switch syscallTable[cooked.syscall] {
34 case "fork", "vfork", "clone": 57 case "fork", "vfork", "clone":
35 ppid := cooked.ppid 58 // 有无父进程在观察中
36 pid := cooked.pid 59 res, err = findDocuments(mongo, "test", "pids", bson.M{"pid": cooked.ppid})
37 parent, ok := pids.Load(ppid) 60 if err != nil || len(res) != 1 {
38 if !ok {
39 break 61 break
40 } 62 }
41 parent.(*process).children = append(parent.(*process).children, pid) 63
42 pids.Store(pid, &process{ 64 // 自身是否已经记录
43 timestamp: cooked.timestamp, 65 res, err = findDocuments(mongo, "test", "pids", bson.M{"pid": cooked.pid})
44 pid: cooked.pid, 66 if err != nil {
45 ppid: cooked.ppid, 67 fmt.Printf("Err finding: %v\n", err)
46 argv: cooked.argv, 68 break
47 cwd: cooked.cwd, 69 } else if len(res) != 0 {
48 children: make([]int, 0), 70 fmt.Printf("Err inserting pid %v: already in db: %v\n", cooked.pid, res)
71 break
72 }
73
74 doc := []bson.A{}
75 for _, str := range cooked.argv {
76 doc = append(doc, bson.A{str})
77 }
78 _, err := pidCol.InsertOne(context.Background(), bson.M{
79 "timestamp": cooked.timestamp,
80 "ppid": cooked.ppid,
81 "pid": cooked.pid,
82 "cwd": cooked.cwd,
83 "args": doc,
84 "children": []bson.M{},
49 }) 85 })
50 fmt.Printf("%v syscall=%d, ppid=%d, pid=%d, cwd=\"%s\", argc=%d, ", cooked.timestamp, cooked.syscall, cooked.ppid, cooked.pid, cooked.cwd, cooked.argc) 86 if err != nil {
51 for i := 0; i < cooked.argc; i++ { 87 fmt.Printf("Err insert: %v\n", err)
52 fmt.Printf("arg[%d]=\"%s\", ", i, cooked.argv[i])
53 } 88 }
54 fmt.Printf("\n") 89
55 case "exit", "exit_group": 90 _, err = pidCol.UpdateOne(context.Background(), bson.M{"pid": cooked.pid}, bson.M{
56 _, ok := pids.Load(cooked.pid) 91 "$push": bson.M{
57 if !ok { 92 "children": cooked.pid,
58 break 93 },
94 })
95 if err != nil {
96 fmt.Printf("Err insert: %v\n", err)
59 } 97 }
60 go deletePid(cooked) 98 case "exit", "exit_group":
99 // TODO: 记得补全退出逻辑
100 // 上哪找exit code呢?
61 } 101 }
62 } 102 }
63} 103}
64 104
65func deletePid(cooked Event) { 105func connect() (*mongo.Client, error) {
66 time.Sleep(1 * time.Second) 106 client, err := mongo.NewClient(options.Client().ApplyURI("mongodb://localhost:27017"))
67 Process, ok := pids.Load(cooked.pid) 107
68 if !ok { 108 if err != nil {
69 return 109 return nil, err
70 } 110 }
71 pProcess := Process.(*process) 111
72 112 ctx, _ := context.WithTimeout(context.Background(), 10*time.Second)
73 // 先从爹那里注销户籍 113 err = client.Connect(ctx)
74 parent, ok := pids.Load(pProcess.ppid) 114
75 if ok { 115 if err != nil {
76 pParent := parent.(*process) 116 return nil, err
77 for i, child := range pParent.children {
78 if child == pProcess.pid {
79 pParent.children = append(pParent.children[:i], pParent.children[i+1:]...)
80 break
81 }
82 }
83 } 117 }
84 118
85 // 子进程需要收容 119 return client, nil
86 for i := 0; i < len(pProcess.children); i++ { 120}
87 child, ok := pids.Load(pProcess.children[i]) 121
88 if ok { 122func findDocuments(client *mongo.Client, dbName, colName string, filter bson.M) ([]bson.M, error) {
89 child.(*process).ppid = 1 123 collection := client.Database(dbName).Collection(colName)
90 } 124
125 cur, err := collection.Find(context.Background(), filter)
126 if err != nil {
127 return nil, err
91 } 128 }
92 129
93 // 可以去死了 130 var results []bson.M
94 pids.Delete(cooked.pid) 131 err = cur.All(context.Background(), &results)
95 _, ok = pids.Load(cooked.pid) 132
96 fmt.Printf("%v Goodbye, %d! ok = %v\n", time.Now(), cooked.pid, ok) 133 return results, err
97} 134}
diff --git a/src/global.go b/src/global.go
index 4e08866..0439df6 100644
--- a/src/global.go
+++ b/src/global.go
@@ -1,6 +1,27 @@
1package main 1package main
2 2
3import "sync" 3import (
4 "sync"
5 "time"
6)
7
8type Event struct {
9 timestamp time.Time
10 pid, ppid int
11 syscall int
12 argc int
13 argv []string
14 cwd string
15}
16
17type process struct {
18 timestamp time.Time
19 pid, ppid int
20 argv []string
21 cwd string
22 rootfs string
23 children []int
24}
4 25
5var pids sync.Map // 古希腊掌管进程的神,int->*process 26var pids sync.Map // 古希腊掌管进程的神,int->*process
6var wg sync.WaitGroup // 掌管协程 27var wg sync.WaitGroup // 掌管协程
diff --git a/src/go.mod b/src/go.mod
index 2969b32..ed40331 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -5,12 +5,22 @@ go 1.21.5
5require ( 5require (
6 github.com/elastic/go-libaudit/v2 v2.5.0 6 github.com/elastic/go-libaudit/v2 v2.5.0
7 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 7 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
8 gopkg.in/yaml.v3 v3.0.1 8 go.mongodb.org/mongo-driver v1.16.0
9) 9)
10 10
11require ( 11require (
12 github.com/golang/snappy v0.0.4 // indirect
13 github.com/klauspost/compress v1.13.6 // indirect
14 github.com/montanaflynn/stats v0.7.1 // indirect
15 github.com/xdg-go/pbkdf2 v1.0.0 // indirect
16 github.com/xdg-go/scram v1.1.2 // indirect
17 github.com/xdg-go/stringprep v1.0.4 // indirect
18 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
12 go.uber.org/atomic v1.7.0 // indirect 19 go.uber.org/atomic v1.7.0 // indirect
13 go.uber.org/multierr v1.7.0 // indirect 20 go.uber.org/multierr v1.7.0 // indirect
14 golang.org/x/sys v0.11.0 // indirect 21 golang.org/x/crypto v0.22.0 // indirect
15 gopkg.in/yaml.v2 v2.4.0 // indirect 22 golang.org/x/sync v0.7.0 // indirect
23 golang.org/x/sys v0.19.0 // indirect
24 golang.org/x/text v0.14.0 // indirect
25 gopkg.in/yaml.v3 v3.0.1 // indirect
16) 26)
diff --git a/src/go.sum b/src/go.sum
index 7ce498a..9164cd3 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -5,53 +5,90 @@ github.com/elastic/go-libaudit/v2 v2.5.0 h1:5OK919QRnGtcjVBz3n/cs5F42im1mPlVTA9T
5github.com/elastic/go-libaudit/v2 v2.5.0/go.mod h1:AjlnhinP+kKQuUJoXLVrqxBM8uyhQmkzoV6jjsCFP4Q= 5github.com/elastic/go-libaudit/v2 v2.5.0/go.mod h1:AjlnhinP+kKQuUJoXLVrqxBM8uyhQmkzoV6jjsCFP4Q=
6github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4= 6github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4=
7github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU= 7github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU=
8github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
9github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
10github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
11github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
8github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= 12github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
9github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= 13github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
14github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc=
15github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
10github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= 16github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=
11github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= 17github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
18github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
19github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
12github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 20github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
13github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 21github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
14github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 22github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
15github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 23github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
16github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= 24github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
17github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 25github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
26github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
27github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
28github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
29github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
30github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
31github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
32github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d h1:splanxYIlg+5LfHAM6xpdFEAYOk8iySO56hMFq6uLyA=
33github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
18github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= 34github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
35github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
36go.mongodb.org/mongo-driver v1.16.0 h1:tpRsfBJMROVHKpdGyc1BBEzzjDUWjItxbVSZ8Ls4BQ4=
37go.mongodb.org/mongo-driver v1.16.0/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw=
19go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= 38go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
20go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= 39go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
21go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec= 40go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec=
22go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= 41go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
23golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 42golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
24golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 43golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
44golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
45golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
46golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
25golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= 47golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
26golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= 48golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
27golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 49golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
28golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= 50golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
51golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
29golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 52golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
30golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 53golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
54golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
31golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 55golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
56golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
32golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 57golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
33golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 58golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
59golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
60golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
61golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
34golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 62golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
35golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 63golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
36golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 64golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
37golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 65golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
66golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
38golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 67golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
39golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 68golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
40golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= 69golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
70golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
41golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 71golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
72golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
73golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
42golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 74golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
75golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
43golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 76golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
77golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
44golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 78golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
79golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
80golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
81golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
82golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
45golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 83golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
46golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 84golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
47golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= 85golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
48golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= 86golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
87golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
49golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 88golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
50golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 89golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
51golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 90golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
52gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
53gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 91gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
54gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
55gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 92gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
56gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 93gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
57gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 94gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/src/godo.go b/src/godo.go
index 6f73893..72f68c0 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -20,24 +20,6 @@ var (
20 receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+") 20 receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
21) 21)
22 22
23type Event struct {
24 timestamp time.Time
25 pid, ppid int
26 syscall int
27 argc int
28 argv []string
29 cwd string
30}
31
32type process struct {
33 timestamp time.Time
34 pid, ppid int
35 argv []string
36 cwd string
37 rootfs string
38 children []int
39}
40
41func main() { 23func main() {
42 // 检查用户身份,并添加auditd规则,监听所有syscall 24 // 检查用户身份,并添加auditd规则,监听所有syscall
43 if os.Geteuid() != 0 { 25 if os.Geteuid() != 0 {
diff --git a/src/organize.go b/src/organize.go
index 025d8c0..bb6736a 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -23,7 +23,7 @@ func orgnaze() {
23 // 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的 23 // 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的
24 eventTable := make(map[int]*Event) 24 eventTable := make(map[int]*Event)
25 // 要用的正则匹配列表 25 // 要用的正则匹配列表
26 syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?ppid=(\d+) pid=(\d+).*?$`) 26 syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?(exit=([-+]?\d+).*?)?ppid=(\d+) pid=(\d+).*?$`)
27 execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) 27 execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
28 argsRegex := regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) 28 argsRegex := regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
29 cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) 29 cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`)
@@ -36,14 +36,6 @@ func orgnaze() {
36 } 36 }
37 rawEvent = raw.(libaudit.RawAuditMessage) 37 rawEvent = raw.(libaudit.RawAuditMessage)
38 38
39 // type Event struct {
40 // timestamp time.Time
41 // pid, ppid int
42 // syscall int
43 // argc int
44 // args []string
45 // cwd string
46 // }
47 switch rawEvent.Type { 39 switch rawEvent.Type {
48 case auparse.AUDIT_SYSCALL: 40 case auparse.AUDIT_SYSCALL:
49 if syscallRegex.Match(rawEvent.Data) { 41 if syscallRegex.Match(rawEvent.Data) {
@@ -51,16 +43,40 @@ func orgnaze() {
51 event.timestamp, err[0] = getTimeFromStr(string(match[1])) 43 event.timestamp, err[0] = getTimeFromStr(string(match[1]))
52 eventId, err[1] = strconv.Atoi(string(match[2])) 44 eventId, err[1] = strconv.Atoi(string(match[2]))
53 event.syscall, err[2] = strconv.Atoi(string(match[3])) 45 event.syscall, err[2] = strconv.Atoi(string(match[3]))
54 event.ppid, err[3] = strconv.Atoi(string(match[4])) 46 var exit int
55 event.pid, err[4] = strconv.Atoi(string(match[5])) 47 // exit, err[3] = strconv.Atoi(string(match[4]))
56 eventTable[eventId] = &Event{ 48 if string(match[5]) == "" {
57 timestamp: event.timestamp, 49 // exit没捕获到
58 syscall: event.syscall, 50 exit = 0
59 ppid: event.ppid, 51 } else {
60 pid: event.pid, 52 exit, err[3] = strconv.Atoi(string(match[5]))
61 argc: 0, 53 }
62 argv: make([]string, 0), 54 event.ppid, err[4] = strconv.Atoi(string(match[5]))
63 cwd: "", 55 event.pid, err[5] = strconv.Atoi(string(match[6]))
56 if syscallTable[event.syscall] == "clone" {
57 if exit == 0 {
58 break
59 } else {
60 eventTable[eventId] = &Event{
61 timestamp: event.timestamp,
62 syscall: event.syscall,
63 ppid: event.pid,
64 pid: exit,
65 argc: 0,
66 argv: make([]string, 0),
67 cwd: "",
68 }
69 }
70 } else {
71 eventTable[eventId] = &Event{
72 timestamp: event.timestamp,
73 syscall: event.syscall,
74 ppid: event.ppid,
75 pid: event.pid,
76 argc: 0,
77 argv: make([]string, 0),
78 cwd: "",
79 }
64 } 80 }
65 } 81 }
66 case auparse.AUDIT_EXECVE: 82 case auparse.AUDIT_EXECVE:
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-01-07 17:09:50 +0800