The fds problem may comes from slow consumption

There are some possible reasons that have been thought: - auditd lost. Each time I use `auditctl -b xxx` or `auditctl --reset-lost`, there are always a big number of losts. at first i thought it means how many auditd info was lost throw the net, or how many was thrown because of the audit info queue in the kernel was full. However, form the src code of kernel, it actually means how much is thrown away as there's no listener of auditd info. In other words, audit is a userspace-kernel function, but not two independent parts. - audit backlog size. As the above. But when i only listen to the syscall "open", i can almost always hear the info in the docker. So I think this may be because the audit info production is flooding, while in this program i check this and that, causes too much time, the consumption is far slower. Next step, I will use the MVC, all recvd info will be push into the database, and add a new independent part to make database clean and clear. The key problem is, a process can open file1 as fd 3, write, close, and open file2 as fd 3, write, close: which means i must figure out which file to write when "write" event comes. Now i check the pid/fd/close_time in database to choose which is written, but find and check doc also use lots of time. Maybe, use two collections, one is fds that records files not closed, the other records closed files? Besides, as clone/fork/pthread_create all uses syscall clone, but their flags are different. Maybe i can also use `pid/tgid` pair to distinguish between process and thread. Good idea. Be quick, your internship has passed a half. What kinds of answer will you hand in?
author: We-unite <3205135446@qq.com> 2024-08-05 14:56:57 +0800
committer: We-unite <3205135446@qq.com> 2024-08-05 14:56:57 +0800
commit: 2c2975d032b1c26fd0094c8d3aa568251b5c9c6a (patch)
tree: fca1b95df9caadd6608a4572685ef9c78cca82b8
parent: f29dff60ef36ef9903df4f767393bcba2ac3ce83 (diff)
download: godo-2c2975d032b1c26fd0094c8d3aa568251b5c9c6a.tar.gz
godo-2c2975d032b1c26fd0094c8d3aa568251b5c9c6a.zip
3 files changed, 9 insertions, 16 deletions
diff --git a/src/deal.go b/src/deal.go
index ae69003..871b7ff 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -191,18 +191,8 @@ func dealExecve(cooked Event) {
 }
 func fileOpen(cooked Event) {
-        fmt.Printf("Open: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
+        // fmt.Printf("Open: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
-        // 查看是否记录了该进程
-        res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
-        if err != nil {
-                fmt.Printf("Error finding pid %d: %v\n", cooked.pid, err)
-        }
-        if len(res) == 0 {
-                // 没找着，滚
-                return
-        }
-        // 确有该进程
        // 权限检查过了，不必再查
        fdCol.InsertOne(bson.M{
                "timestamp": cooked.timestamp,
@@ -223,7 +213,7 @@ func fileOpen(cooked Event) {
 }
 func fileClose(cooked Event) {
-        fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
+        // fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
        // 直接看文件表有无记录
        res, err := fdCol.Finddoc(bson.M{
                "pid":             cooked.pid,
@@ -244,7 +234,7 @@ func fileClose(cooked Event) {
 }
 func fileWrite(cooked Event) {
-        fmt.Printf("Write: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
+        // fmt.Printf("Write: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
        // 直接看文件表有无记录
        res, err := fdCol.Finddoc(bson.M{
                "pid":             cooked.pid,
diff --git a/src/godo.go b/src/godo.go
index cbd9e0a..2ba32d6 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -37,9 +37,11 @@ func main() {
                fmt.Printf("Error figuring out syscall numbers: %v\n", err)
        }
+        exec.Command("auditctl", "-D").Run()
+        exec.Command("auditctl", "-b", "1000000000").Run()
+        exec.Command("auditctl", "--reset-lost").Run()
        var auditCmd *exec.Cmd
-        auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
-        auditCmd.Run()
        pidSyscall := []string{"execve"}
        // pidSyscall := []string{"fork", "vfork", "clone", "execve", "exit", "exit_group"}
@@ -50,7 +52,7 @@ func main() {
        }
        // 监听文件的消息
-        fileSyscall := []string{"open", "write", "close"}
+        fileSyscall := []string{"open"}
        // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"}
        for i := 0; i < len(fileSyscall); i++ {
                auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i])
diff --git a/src/organize.go b/src/organize.go
index 238509f..8deba53 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -47,6 +47,7 @@ func orgnaze() {
                        break
                }
                rawEvent = raw.(libaudit.RawAuditMessage)
+                // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
                switch rawEvent.Type {
                case auparse.AUDIT_SYSCALL:
author	We-unite <3205135446@qq.com>	2024-08-05 14:56:57 +0800
committer	We-unite <3205135446@qq.com>	2024-08-05 14:56:57 +0800
commit	2c2975d032b1c26fd0094c8d3aa568251b5c9c6a (patch)
tree	fca1b95df9caadd6608a4572685ef9c78cca82b8
parent	f29dff60ef36ef9903df4f767393bcba2ac3ce83 (diff)
download	godo-2c2975d032b1c26fd0094c8d3aa568251b5c9c6a.tar.gz godo-2c2975d032b1c26fd0094c8d3aa568251b5c9c6a.zip