aboutsummaryrefslogtreecommitdiffstats
path: root/src/deal.go
diff options
context:
space:
mode:
authorWe-unite <3205135446@qq.com>2024-07-31 11:46:01 +0800
committerWe-unite <3205135446@qq.com>2024-08-01 15:10:36 +0800
commit3efeef969ebc344c993ce0fc46f557c7d8560525 (patch)
treef0f917080c64c8def6922c365465f1ee5371c464 /src/deal.go
parentd6c6e13796435f9e1e59fec891aa53680748a2d7 (diff)
downloadgodo-3efeef969ebc344c993ce0fc46f557c7d8560525.tar.gz
godo-3efeef969ebc344c993ce0fc46f557c7d8560525.zip
Use netlink connector to recv pid info, fix exec
For some reasons, kernel-connector can catch exec event, but it doesn't tell me about what the process exec and what're its args. So we should use audit to collect these infomations, and complete in the database. However, there's different delays between connector and audit, although they both use netlink socket, as a result of which, exec may comes before fork. we deal with it the same way. But, there's also exec event lost, may because of the check for ppid in exec event, but it's necessary, and if is deleted, too much irrelavent infomation would flood into database, i've tried. So make it there, just go forward. Besides, what's newly discovered is that pthread_create also use clone syscall, but if pid 1 has a thread 2, the exec info will say that pid 2 execs. So i shouldn't ignore connector msg that childPid ne childTgid. This is my first attempt to use git-submodule function in my own pro- ject, also golang local package. Congratulations! Now, fight to fix about file operations. Hope that there wouldn't be too many fucking bugs.
Diffstat (limited to '')
-rw-r--r--src/deal.go30
1 files changed, 17 insertions, 13 deletions
diff --git a/src/deal.go b/src/deal.go
index 717344c..3119fff 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -98,12 +98,15 @@ func deletePid(cooked Event) {
98 "$set": bson.M{ 98 "$set": bson.M{
99 "exit_timestamp": cooked.timestamp, 99 "exit_timestamp": cooked.timestamp,
100 "exit_code": cooked.exit_code, 100 "exit_code": cooked.exit_code,
101 "exit_signal": cooked.exit_signal,
101 }, 102 },
102 }) 103 })
103 mongoMutex.Unlock() 104 mongoMutex.Unlock()
105 fmt.Printf("Exit: %v\t%6d\t%6d\n", cooked.timestamp, cooked.pid, cooked.exit_code)
104} 106}
105 107
106func dealNewPid(cooked Event) { 108func dealNewPid(cooked Event) {
109 fmt.Printf("Fork: %v\t%6d\t%6d\n", cooked.timestamp, cooked.ppid, cooked.pid)
107 // 有无父进程在观察中 110 // 有无父进程在观察中
108 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) 111 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
109 if err != nil || len(docRes) != 1 { 112 if err != nil || len(docRes) != 1 {
@@ -153,6 +156,7 @@ func dealNewPid(cooked Event) {
153} 156}
154 157
155func dealExecve(cooked Event) { 158func dealExecve(cooked Event) {
159 fmt.Printf("EXEC: %6d\t%6d\n", cooked.ppid, cooked.pid)
156 // 父进程在不在?不在扔 160 // 父进程在不在?不在扔
157 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) 161 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
158 if err != nil || len(docRes) != 1 { 162 if err != nil || len(docRes) != 1 {
@@ -175,19 +179,19 @@ func dealExecve(cooked Event) {
175 }, 179 },
176 }, 180 },
177 }) 181 })
178 // } else { 182 } else {
179 // // 先fork抵达,插入 183 // 先fork抵达,插入
180 // pidCol.InsertOne(bson.M{ 184 pidCol.InsertOne(bson.M{
181 // "ppid": cooked.ppid, 185 "ppid": cooked.ppid,
182 // "pid": cooked.pid, 186 "pid": cooked.pid,
183 // "children": []bson.M{}, 187 "children": []bson.M{},
184 // "execve": []bson.M{ 188 "execve": []bson.M{
185 // { 189 {
186 // "timestamp": cooked.timestamp, 190 "timestamp": cooked.timestamp,
187 // "execArgs": cooked.argv, 191 "execArgs": cooked.argv,
188 // }, 192 },
189 // }, 193 },
190 // }) 194 })
191 } 195 }
192 mongoMutex.Unlock() 196 mongoMutex.Unlock()
193} 197}