Hear file Open and close, especially O_TRUNC

this commit i successfully catch open/close syscall, and insert them as an independent collection in mongodb otherwise along with pids. and now I've record those open flag "O_TRUNC" as written.
author: We-unite <3205135446@qq.com> 2024-07-29 11:46:02 +0800
committer: We-unite <3205135446@qq.com> 2024-07-29 11:46:02 +0800
commit: a345258c3082903702c81c6c830ff1fd35758861 (patch)
tree: a8521e954630b299c85adc10182ee3470a982415 /src/deal.go
parent: ec260a31927ef77295eaa07ba370b58b416f47f5 (diff)
download: godo-a345258c3082903702c81c6c830ff1fd35758861.tar.gz
godo-a345258c3082903702c81c6c830ff1fd35758861.zip
1 files changed, 77 insertions, 24 deletions
diff --git a/src/deal.go b/src/deal.go
index a9861a5..d3b5da0 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -3,6 +3,7 @@ package main
 import (
        "fmt"
        "sync"
+        "syscall"
        "time"
        "go.mongodb.org/mongo-driver/bson"
@@ -11,10 +12,11 @@ import (
 const (
        dbName     string = "test"
        pidColName string = "pids"
+        fdColName  string = "fds"
 )
 var mongoMutex sync.Mutex
-var pidCol mongoClient
+var pidCol, fdCol mongoClient
 var docRes []bson.M
 var err error
@@ -24,11 +26,29 @@ func deal() {
        var cooked Event
        var ok bool
-        if err = initMongo(); err != nil {
+        if err = pidCol.init(dbName, pidColName); err != nil {
                fmt.Printf("Error while initing the mongodb: %v\n", err)
                return
        }
+        err = pidCol.InsertOne(bson.M{
+                "ppid":     1,
+                "pid":      containerdPid,
+                "cwd":      "/",
+                "children": []bson.M{},
+        })
+        if err != nil {
+                fmt.Printf("Error while initing the mongodb: %v\n", err)
+                return
+        }
+        if err = fdCol.init(dbName, fdColName); err != nil {
+                fmt.Printf("Error while initing the mongodb: %v\n", err)
+                return
+        }
+        fmt.Printf("Containerd: %d\n", containerdPid)
        defer pidCol.Disconnect()
+        defer fdCol.Disconnect()
        for {
                cooked, ok = <-cookedChan
@@ -43,6 +63,10 @@ func deal() {
                        dealExecve(cooked)
                case PIDEXIT:
                        go deletePid(cooked)
+                case FILEOPEN:
+                        fileOpen(cooked)
+                case FILECLOSE:
+                        fileClose(cooked)
                }
        }
 }
@@ -71,28 +95,6 @@ func deletePid(cooked Event) {
        mongoMutex.Unlock()
 }
-func initMongo() error {
-        var err error
-        if err = pidCol.Connect(dbName, pidColName); err != nil {
-                return err
-        }
-        if err = pidCol.Drop(); err != nil {
-                return err
-        }
-        err = pidCol.InsertOne(bson.M{
-                "ppid":     1,
-                "pid":      containerdPid,
-                "cwd":      "/",
-                "children": bson.M{},
-        })
-        if err != nil {
-                return err
-        }
-        fmt.Printf("Containerd: %d\n", containerdPid)
-        return nil
-}
 func dealNewPid(cooked Event) {
        // 有无父进程在观察中
        docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
@@ -181,3 +183,54 @@ func dealExecve(cooked Event) {
        }
        mongoMutex.Unlock()
 }
+func fileOpen(cooked Event) {
+        // 查看是否记录了该进程
+        res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
+        if err != nil {
+                fmt.Printf("Error finding pid %d: %v\n", cooked.pid, err)
+        }
+        if len(res) == 0 {
+                // 没找着，滚
+                return
+        }
+        // 确有该进程
+        // 权限检查过了，不必再查
+        fdCol.InsertOne(bson.M{
+                "timestamp": cooked.timestamp,
+                "fileName":  cooked.pathName,
+                "pid":       cooked.pid,
+                "fd":        cooked.exit_code,
+                "flags":     cooked.syscallParam,
+                "written":   []bson.M{},
+        })
+        if cooked.syscallParam[1]&syscall.O_TRUNC != 0 {
+                fdCol.UpdateOne(bson.M{"pid": cooked.pid, "fd": cooked.exit_code}, bson.M{
+                        "$push": bson.M{
+                                "written": cooked.timestamp,
+                        },
+                })
+        }
+}
+func fileClose(cooked Event) {
+        // 直接看文件表有无记录
+        res, err := fdCol.Finddoc(bson.M{
+                "pid":             cooked.pid,
+                "fd":              cooked.syscallParam[0],
+                "close_timestamp": bson.M{"$exists": false},
+        })
+        if err != nil {
+                fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
+        }
+        if len(res) == 0 {
+                return
+        }
+        fdCol.UpdateOne(bson.M{
+                "pid":             cooked.pid,
+                "fd":              cooked.syscallParam[0],
+                "close_timestamp": bson.M{"$exists": false},
+        }, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}})
+}
author	We-unite <3205135446@qq.com>	2024-07-29 11:46:02 +0800
committer	We-unite <3205135446@qq.com>	2024-07-29 11:46:02 +0800
commit	a345258c3082903702c81c6c830ff1fd35758861 (patch)
tree	a8521e954630b299c85adc10182ee3470a982415 /src/deal.go
parent	ec260a31927ef77295eaa07ba370b58b416f47f5 (diff)
download	godo-a345258c3082903702c81c6c830ff1fd35758861.tar.gz godo-a345258c3082903702c81c6c830ff1fd35758861.zip

diff --git a/src/deal.go b/src/deal.go index a9861a5..d3b5da0 100644 --- a/src/deal.go +++ b/src/deal.go
@@ -3,6 +3,7 @@ package main
3	import (	3	import (
4	"fmt"	4	"fmt"
5	"sync"	5	"sync"
		6	"syscall"
6	"time"	7	"time"
7		8
8	"go.mongodb.org/mongo-driver/bson"	9	"go.mongodb.org/mongo-driver/bson"
@@ -11,10 +12,11 @@ import (
11	const (	12	const (
12	dbName string = "test"	13	dbName string = "test"
13	pidColName string = "pids"	14	pidColName string = "pids"
		15	fdColName string = "fds"
14	)	16	)
15		17
16	var mongoMutex sync.Mutex	18	var mongoMutex sync.Mutex
17	var pidCol mongoClient	19	var pidCol, fdCol mongoClient
18		20
19	var docRes []bson.M	21	var docRes []bson.M
20	var err error	22	var err error
@@ -24,11 +26,29 @@ func deal() {
24	var cooked Event	26	var cooked Event
25	var ok bool	27	var ok bool
26		28
27	if err = initMongo(); err != nil {	29	if err = pidCol.init(dbName, pidColName); err != nil {
28	fmt.Printf("Error while initing the mongodb: %v\n", err)	30	fmt.Printf("Error while initing the mongodb: %v\n", err)
29	return	31	return
30	}	32	}
		33	err = pidCol.InsertOne(bson.M{
		34	"ppid": 1,
		35	"pid": containerdPid,
		36	"cwd": "/",
		37	"children": []bson.M{},
		38	})
		39	if err != nil {
		40	fmt.Printf("Error while initing the mongodb: %v\n", err)
		41	return
		42	}
		43
		44	if err = fdCol.init(dbName, fdColName); err != nil {
		45	fmt.Printf("Error while initing the mongodb: %v\n", err)
		46	return
		47	}
		48
		49	fmt.Printf("Containerd: %d\n", containerdPid)
31	defer pidCol.Disconnect()	50	defer pidCol.Disconnect()
		51	defer fdCol.Disconnect()
32		52
33	for {	53	for {
34	cooked, ok = <-cookedChan	54	cooked, ok = <-cookedChan
@@ -43,6 +63,10 @@ func deal() {
43	dealExecve(cooked)	63	dealExecve(cooked)
44	case PIDEXIT:	64	case PIDEXIT:
45	go deletePid(cooked)	65	go deletePid(cooked)
		66	case FILEOPEN:
		67	fileOpen(cooked)
		68	case FILECLOSE:
		69	fileClose(cooked)
46	}	70	}
47	}	71	}
48	}	72	}
@@ -71,28 +95,6 @@ func deletePid(cooked Event) {
71	mongoMutex.Unlock()	95	mongoMutex.Unlock()
72	}	96	}
73		97
74	func initMongo() error {
75	var err error
76	if err = pidCol.Connect(dbName, pidColName); err != nil {
77	return err
78	}
79	if err = pidCol.Drop(); err != nil {
80	return err
81	}
82
83	err = pidCol.InsertOne(bson.M{
84	"ppid": 1,
85	"pid": containerdPid,
86	"cwd": "/",
87	"children": bson.M{},
88	})
89	if err != nil {
90	return err
91	}
92	fmt.Printf("Containerd: %d\n", containerdPid)
93	return nil
94	}
95
96	func dealNewPid(cooked Event) {	98	func dealNewPid(cooked Event) {
97	// 有无父进程在观察中	99	// 有无父进程在观察中
98	docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})	100	docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
@@ -181,3 +183,54 @@ func dealExecve(cooked Event) {
181	}	183	}
182	mongoMutex.Unlock()	184	mongoMutex.Unlock()
183	}	185	}
		186
		187	func fileOpen(cooked Event) {
		188	// 查看是否记录了该进程
		189	res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
		190	if err != nil {
		191	fmt.Printf("Error finding pid %d: %v\n", cooked.pid, err)
		192	}
		193	if len(res) == 0 {
		194	// 没找着，滚
		195	return
		196	}
		197
		198	// 确有该进程
		199	// 权限检查过了，不必再查
		200	fdCol.InsertOne(bson.M{
		201	"timestamp": cooked.timestamp,
		202	"fileName": cooked.pathName,
		203	"pid": cooked.pid,
		204	"fd": cooked.exit_code,
		205	"flags": cooked.syscallParam,
		206	"written": []bson.M{},
		207	})
		208
		209	if cooked.syscallParam[1]&syscall.O_TRUNC != 0 {
		210	fdCol.UpdateOne(bson.M{"pid": cooked.pid, "fd": cooked.exit_code}, bson.M{
		211	"$push": bson.M{
		212	"written": cooked.timestamp,
		213	},
		214	})
		215	}
		216	}
		217
		218	func fileClose(cooked Event) {
		219	// 直接看文件表有无记录
		220	res, err := fdCol.Finddoc(bson.M{
		221	"pid": cooked.pid,
		222	"fd": cooked.syscallParam[0],
		223	"close_timestamp": bson.M{"$exists": false},
		224	})
		225	if err != nil {
		226	fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
		227	}
		228	if len(res) == 0 {
		229	return
		230	}
		231	fdCol.UpdateOne(bson.M{
		232	"pid": cooked.pid,
		233	"fd": cooked.syscallParam[0],
		234	"close_timestamp": bson.M{"$exists": false},
		235	}, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}})
		236	}