author | We-unite <3205135446@qq.com> | 2024-07-22 11:41:59 +0800 |
---|---|---|
committer | We-unite <3205135446@qq.com> | 2024-07-22 19:36:34 +0800 |
commit | cf5618ff2e2a183c5bdf6444787dccdcbf26ce76 (patch) | |
tree | 6cc173b9bffe2c1414887a338b6dc2bdbd594fd1 /src/godo.go | |
parent | 7cf8e470471d30fc821a8be350dcb97dc64e5add (diff) | |
download | godo-cf5618ff2e2a183c5bdf6444787dccdcbf26ce76.tar.gz godo-cf5618ff2e2a183c5bdf6444787dccdcbf26ce76.zip |
Use mongodb, insert process info into it
I failed to print the process tree out. While I'm printing the tree,
the tree itself gets changed, maybe deleted. What's more, the output
shows that there are 4 lines with the same ppid and pid, what an absurd
result! It may be caused by multi-threading. So, use a database instead.
MongoDB uses BSON (binary JSON) to store data rather than being a relational
database like MySQL, which means it's easier to use.(?)
Beside inserting, I've also solved a question that "fork" is called
once but returns twice. For instance, pid 1 forked pid 2, in the
audit log it's not an event "syscall=clone,ppid=1,pid=2", but actually
two events "syscall=clone,exit=0,ppid=0,pid=1" and "syscall=clone,exit=
2,ppid=0,pid=1", which is just what we see in sys_fork in kernel source.
To deal with this, when syscall is clone and exit is 0 we just drop it.
Left question: To find out the exit code when a process exit/exit_group,
and finish the code to record it in the database.
Diffstat (limited to '')
-rw-r--r-- | src/godo.go | 18 |
1 files changed, 0 insertions, 18 deletions
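--- a/src/godo.go
+++ b/src/godo.go
@@ -20,24 +20,6 @@ var (
 	receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
 )
 
-type Event struct {
-	timestamp time.Time
-	pid, ppid int
-	syscall int
-	argc int
-	argv []string
-	cwd string
-}
-
-type process struct {
-	timestamp time.Time
-	pid, ppid int
-	argv []string
-	cwd string
-	rootfs string
-	children []int
-}
-
 func main() {
 	// 检查用户身份,并添加auditd规则,监听所有syscall
 	if os.Geteuid() != 0 {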