authorWe-unite <3205135446@qq.com>2024-08-14 17:28:28 +0800
committerWe-unite <3205135446@qq.com>2024-08-14 17:28:28 +0800
commit61809e72c524294cb07535d0e31c80a283495f80 (patch)
treef3f8c6b4584d9071b58e8866b747399b3797c22c /listener/godo.go
parentdfdb18f83f7a957f99196369d97827d6209eeb9a (diff)
Filter mainly finished, fix sth in lintener
This commit makes the following changes: - The filter is mostly finished. - Build one aggregate node per tgid, and use the tgid nodes to build the tree we need by BFS. - Filter the relevant files, and for files that were never closed, add a close timestamp based on the exit time of their pids. - Put all the results into the database. Besides, I enlarged the buffer size of the netlink connector and of the channels in the listener. TODO: - The pivot_root syscall is used only by the initial shell (`docker start` creates a shell); other processes of that shell change their root by switching namespace (mnt ns?) via the setns syscall. Fix this. - It's time to fix the netlink connector socket.
Diffstat (limited to 'listener/godo.go')
-rw-r--r--listener/godo.go11
1 files changed, 7 insertions, 4 deletions
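--- a/listener/godo.go
+++ b/listener/godo.go
@@ -24,6 +24,8 @@ var (
 	receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
 )
 
+const bufferPages = 100
+
 func main() {
 	// 检查用户身份,并添加auditd规则,监听所有syscall
 	if os.Geteuid() != 0 {
@@ -44,7 +46,7 @@ func main() {
 	var auditCmd *exec.Cmd
 
 	pidSyscall := []string{"execve", "pivot_root"}
-	// // 设置监听规则
+	// 设置监听规则
 	for i := 0; i < len(pidSyscall); i++ {
 		auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i])
 		auditCmd.Run()
@@ -77,8 +79,9 @@ func main() {
 
 func coroutine(client *libaudit.AuditClient) {
 	// 各协程至此开始
-	rawChan = make(chan interface{}, 65536)
-	cookedChan = make(chan Event, 65536)
+	bufferSize := bufferPages * syscall.Getpagesize()
+	rawChan = make(chan interface{}, bufferSize)
+	cookedChan = make(chan Event, bufferSize)
 
 	wg.Add(1)
 	go procWatch()
@@ -102,7 +105,7 @@ func procWatch() error {
 	}
 	defer ns.Close()
 	for {
-		res, err := ns.Receive(20)
+		res, err := ns.Receive(bufferPages)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Error recv: %v\n", err)
 			continue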
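Review bot: The channel capacity in coroutine (new lines 82-84) mixes units: the second argument to make is an element count, so multiplying `bufferPages` by `syscall.Getpagesize()` yields 409,600 slots per channel on a 4 KiB-page host and about 6.5 million on a 64 KiB-page arm64 kernel, and the backing array of both channels is allocated eagerly at that size (the per-slot cost of `chan Event` depends on the size of Event, which is not visible here). If the intent is simply a deeper queue, express it as an element count, e.g. `const chanCapacity = 1 << 18` with `rawChan = make(chan interface{}, chanCapacity)` and `cookedChan = make(chan Event, chanCapacity)`, and keep `bufferPages` only for the `ns.Receive` call, where a page count presumably is the right unit. A larger channel only postpones loss when the consumer is slower than the audit/connector feed; since the commit message already names the netlink socket as the real fix, a `// TODO: events dropped here are a monitoring gap, not just a performance issue` next to the make calls would keep that visible to the next reader. The body of coroutine continues past the end of the hunk.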