author | We-unite <3205135446@qq.com> | 2024-08-14 17:28:28 +0800 |
---|---|---|
committer | We-unite <3205135446@qq.com> | 2024-08-14 17:28:28 +0800 |
commit | 61809e72c524294cb07535d0e31c80a283495f80 (patch) | |
tree | f3f8c6b4584d9071b58e8866b747399b3797c22c /listener | |
parent | dfdb18f83f7a957f99196369d97827d6209eeb9a (diff) | |
Filter mainly finished, fix sth in lintener
This commit I make some changes:
- The filter got mainly finished.
- Build a big node from processes sharing the same tgid, and use the tgid node to
build the tree we need by BFS.
- Filt relative files, and for the files not closed, add close
time stamp according to the exit time of their pids.
- Put all the results into database.
Besides, I enlarge the buffer size of netlink connector and channels
in lintener.
TODO:
- the pivot_root syscall is used only by the initial shell(`docker
start` makes a shell), other processes of shell change their root
by changing namespace(mnt ns?), using setns syscall. So fix it.
- It's time to fix the netlink connector socket.
Diffstat (limited to '')
-rw-r--r-- | listener/godo.go | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/listener/godo.go b/listener/godo.go index efe9585..87e9446 100644 --- a/listener/godo.go +++ b/listener/godo.go | |||
@@ -24,6 +24,8 @@ var ( | |||
24 | receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+") | 24 | receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+") |
25 | ) | 25 | ) |
26 | 26 | ||
27 | const bufferPages = 100 | ||
28 | |||
27 | func main() { | 29 | func main() { |
28 | // 检查用户身份,并添加auditd规则,监听所有syscall | 30 | // 检查用户身份,并添加auditd规则,监听所有syscall |
29 | if os.Geteuid() != 0 { | 31 | if os.Geteuid() != 0 { |
@@ -44,7 +46,7 @@ func main() { | |||
44 | var auditCmd *exec.Cmd | 46 | var auditCmd *exec.Cmd |
45 | 47 | ||
46 | pidSyscall := []string{"execve", "pivot_root"} | 48 | pidSyscall := []string{"execve", "pivot_root"} |
47 | // // 设置监听规则 | 49 | // 设置监听规则 |
48 | for i := 0; i < len(pidSyscall); i++ { | 50 | for i := 0; i < len(pidSyscall); i++ { |
49 | auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) | 51 | auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) |
50 | auditCmd.Run() | 52 | auditCmd.Run() |
@@ -77,8 +79,9 @@ func main() { | |||
77 | 79 | ||
78 | func coroutine(client *libaudit.AuditClient) { | 80 | func coroutine(client *libaudit.AuditClient) { |
79 | // 各协程至此开始 | 81 | // 各协程至此开始 |
80 | rawChan = make(chan interface{}, 65536) | 82 | bufferSize := bufferPages * syscall.Getpagesize() |
81 | cookedChan = make(chan Event, 65536) | 83 | rawChan = make(chan interface{}, bufferSize) |
84 | cookedChan = make(chan Event, bufferSize) | ||
82 | 85 | ||
83 | wg.Add(1) | 86 | wg.Add(1) |
84 | go procWatch() | 87 | go procWatch() |
@@ -102,7 +105,7 @@ func procWatch() error { | |||
102 | } | 105 | } |
103 | defer ns.Close() | 106 | defer ns.Close() |
104 | for { | 107 | for { |
105 | res, err := ns.Receive(20) | 108 | res, err := ns.Receive(bufferPages) |
106 | if err != nil { | 109 | if err != nil { |
107 | fmt.Fprintf(os.Stderr, "Error recv: %v\n", err) | 110 | fmt.Fprintf(os.Stderr, "Error recv: %v\n", err) |
108 | continue | 111 | continue |
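Review bot: `bufferSize := bufferPages * syscall.Getpagesize()` in the coroutine hunk derives a channel capacity, which is a count of elements, from the page size, so rawChan and cookedChan each get 100 × page-size entries (409600 on a 4 KiB-page system) and the memory they can pin grows with the size of Event rather than staying within any page budget. If a fixed element count is what is wanted, a named constant such as `const chanCapacity = 409600` makes the unit explicit; if a byte budget is intended, the count should be divided by the element size instead. The same bufferPages constant is also passed to ns.Receive in the last hunk in place of 20, and nothing visible here shows whether that parameter is a page count, so a comment on the declaration recording its meaning would keep the two uses from drifting, e.g. `// bufferPages sizes the netlink receive call and, scaled by page size, the event channels — confirm ns.Receive's unit.` This also assumes the syscall package is already imported by godo.go, which the hunks do not show; coroutine's body continues past its hunk.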