Depart the whole program into several files.

Put all the src code in only one file is to ugly, so devide it!
and mv them into src dir to keep the whole repo clear.

1 files changed, 116 insertions, 0 deletions

diff --git a/src/godo.go b/src/godo.go
new file mode 100644
index 0000000..6f73893
--- /dev/null
+++ b/src/godo.go
@@ -0,0 +1,116 @@
+package main
+
+import (
+        "flag"
+        "fmt"
+        "log"
+        "os"
+        "os/exec"
+        "time"
+
+        "github.com/elastic/go-libaudit/v2"
+)
+
+var (
+        fs          = flag.NewFlagSet("audit", flag.ExitOnError)
+        diag        = fs.String("diag", "", "dump raw information from kernel to file")
+        rate        = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
+        backlog     = fs.Uint("backlog", 8192, "backlog limit")
+        immutable   = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
+        receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
+)
+
+type Event struct {
+        timestamp time.Time
+        pid, ppid int
+        syscall   int
+        argc      int
+        argv      []string
+        cwd       string
+}
+
+type process struct {
+        timestamp time.Time
+        pid, ppid int
+        argv      []string
+        cwd       string
+        rootfs    string
+        children  []int
+}
+
+func main() {
+        // 检查用户身份，并添加auditd规则，监听所有syscall
+        if os.Geteuid() != 0 {
+                fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid())
+                return
+        }
+
+        // 所有的系统调用号与名称的关系
+        err := figureOutSyscalls()
+        if err != nil {
+                fmt.Printf("Error figuring out syscall numbers: %v\n", err)
+        }
+
+        syscall := [6]string{"fork", "vfork", "clone", "execve", "exit", "exit_group"}
+        var auditCmd *exec.Cmd
+        auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
+        auditCmd.Run()
+        // 设置监听规则
+        for i := 0; i < len(syscall); i++ {
+                auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall[i])
+                auditCmd.Run()
+        }
+
+        // 查找pid
+        containerdPid, err = getPid()
+        if err != nil {
+                fmt.Printf("Error finding containerd: %v\n", err)
+                return
+        }
+
+        // 创世之神，1号进程
+        // pids[1] = &process{rootfs: "/", children: make([]int, 0)}
+        // pids[1].children = append(pids[1].children, containerdPid)
+        // 1号进程还是不要在进程树上直接出现了，不然它的小儿子们都会出现
+
+        // /usr/bin/containerd，也就是我们最关注的进程
+        // pids[containerdPid] = &process{rootfs: "/", children: make([]int, 0)}
+        pids.Store(containerdPid, &process{
+                ppid:     1,
+                pid:      containerdPid,
+                argv:     make([]string, 0),
+                cwd:      "/",
+                rootfs:   "/",
+                children: make([]int, 0),
+        })
+        p, ok := pids.Load(containerdPid)
+        if !ok {
+                fmt.Printf("???\n")
+                return
+        }
+        p.(*process).argv = append(p.(*process).argv, "/usr/bin/containerd")
+
+        // 开始运行，解析命令行参数后监听
+        if err := fs.Parse(os.Args[1:]); err != nil {
+                log.Fatal(err)
+        }
+
+        if err := read(); err != nil {
+                log.Fatalf("error: %v", err)
+        }
+}
+
+func coroutine(client *libaudit.AuditClient) {
+        // 各协程至此开始
+        rawChan = make(chan interface{})
+        cookedChan = make(chan Event)
+        wg.Add(1)
+        go receive(client)
+        wg.Add(1)
+        go orgnaze()
+        wg.Add(1)
+        go deal()
+
+        wg.Wait()
+        time.Sleep(2 * time.Second)
+}