authorWe-unite <3205135446@qq.com>2024-08-07 19:08:59 +0800
committerWe-unite <3205135446@qq.com>2024-08-07 19:08:59 +0800
commitea32e017e579f168d87732893335c38d539ac2f1 (patch)
tree96a893ae0ffd4c5186e1c87f2fd7c60a125e970a /src/organize.go
parent2104c8ac26f320eacc3fa04d608843c3bf0fdc57 (diff)
Print err in stderr, Find out docker rootfs.collector
When I use godo, error information comes along with other output, so I changed all error reports to stderr. I also listen to the `pivot_root` syscall to find out the root file system of Docker containers. However, I'm afraid of causing too much delay, so I don't check the rootfs of the ppid and record it in the pid. Besides, the method used to deal with pivot_root is hardcoded, which may cause a crash. Shall I listen to the chdir syscall to find out the exact cwd? Maybe it's useful for pivot_root? Next step: find an appropriate data structure, and add more file operations to be watched. This task must be completed this week.
Diffstat (limited to '')
-rw-r--r--src/organize.go81
1 files changed, 49 insertions, 32 deletions
diff --git a/src/organize.go b/src/organize.go
index 12119ad..293371b 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -2,6 +2,7 @@ package main
2 2
3import ( 3import (
4 "fmt" 4 "fmt"
5 "os"
5 "regexp" 6 "regexp"
6 "strconv" 7 "strconv"
7 "strings" 8 "strings"
@@ -21,14 +22,15 @@ var ok bool
21var event Event 22var event Event
22var pEvent *Event 23var pEvent *Event
23var eventId, argc int 24var eventId, argc int
24var errs [6]error 25
26// var errs [6]error
25 27
26// 要用的正则匹配列表 28// 要用的正则匹配列表
27var ( 29var (
28 syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`) 30 syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`)
29 execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) 31 execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
30 argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) 32 argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
31 pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.*?name="(.*?)"`) 33 pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`)
32 cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) 34 cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`)
33 proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) 35 proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`)
34 eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) 36 eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)
@@ -47,22 +49,22 @@ func orgnaze() {
47 break 49 break
48 } 50 }
49 rawEvent = raw.(libaudit.RawAuditMessage) 51 rawEvent = raw.(libaudit.RawAuditMessage)
52 // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
50 53
51 switch rawEvent.Type { 54 switch rawEvent.Type {
52 case auparse.AUDIT_SYSCALL: 55 case auparse.AUDIT_SYSCALL:
53 go syscallRaw(rawEvent) 56 syscallRaw(rawEvent)
54 case auparse.AUDIT_EXECVE: 57 case auparse.AUDIT_EXECVE:
55 go execve(rawEvent) 58 execve(rawEvent)
56 case auparse.AUDIT_CWD: 59 case auparse.AUDIT_CWD:
57 go cwd(rawEvent) 60 cwd(rawEvent)
58 case auparse.AUDIT_PATH: 61 case auparse.AUDIT_PATH:
59 go path(rawEvent) 62 path(rawEvent)
60 case auparse.AUDIT_PROCTITLE: 63 case auparse.AUDIT_PROCTITLE:
61 go proctitle(rawEvent) 64 proctitle(rawEvent)
62 case auparse.AUDIT_EOE: 65 case auparse.AUDIT_EOE:
63 go eoe(rawEvent) 66 eoe(rawEvent)
64 default: 67 default:
65 // ATTENTION: 这里也需要做防护
66 } 68 }
67 } 69 }
68} 70}
@@ -74,28 +76,34 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
74 76
75 var exit int 77 var exit int
76 var a [4]uint64 78 var a [4]uint64
79 var subj [4]string
77 // 捕获基础信息 80 // 捕获基础信息
78 match := syscallRegex.FindSubmatch(rawEvent.Data) 81 match := syscallRegex.FindSubmatch(rawEvent.Data)
79 event.timestamp, errs[0] = getTimeFromStr(string(match[1])) 82 event.timestamp, _ = getTimeFromStr(string(match[1]))
80 eventId, errs[1] = strconv.Atoi(string(match[2])) 83 eventId, _ = strconv.Atoi(string(match[2]))
81 event.syscall, errs[2] = strconv.Atoi(string(match[3])) 84 event.syscall, _ = strconv.Atoi(string(match[3]))
82 if string(match[4]) == "" { 85 if string(match[4]) == "" {
83 // exit没捕获到 86 // exit没捕获到
84 exit = 0 87 exit = 0
85 } else { 88 } else {
86 exit, errs[3] = strconv.Atoi(string(match[4])) 89 exit, _ = strconv.Atoi(string(match[4]))
90 }
91 event.ppid, _ = strconv.Atoi(string(match[5]))
92 event.pid, _ = strconv.Atoi(string(match[6]))
93
94 // 几个subj,说不定会有用
95 for i := 0; i < 4; i++ {
96 subj[i] = string(match[7+i])
87 } 97 }
88 event.ppid, errs[4] = strconv.Atoi(string(match[5]))
89 event.pid, errs[5] = strconv.Atoi(string(match[6]))
90 98
91 // 捕获参数 99 // 捕获参数
92 if !argsRegex.Match(rawEvent.Data) { 100 if !argsRegex.Match(rawEvent.Data) {
93 fmt.Printf("Error: don't get args in syscall event!\n") 101 fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n")
94 return 102 return
95 } 103 }
96 argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) 104 argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
97 for i := 0; i < 4; i++ { 105 for i := 0; i < 4; i++ {
98 a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) 106 a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)
99 } 107 }
100 108
101 switch syscallTable[event.syscall] { 109 switch syscallTable[event.syscall] {
@@ -128,7 +136,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
128 argv: make([]string, 0), 136 argv: make([]string, 0),
129 cwd: "", 137 cwd: "",
130 syscallParam: a, 138 syscallParam: a,
131 pathName: "", 139 srcPath: "",
132 }) 140 })
133 case "write": 141 case "write":
134 eventTable.Store(eventId, &Event{ 142 eventTable.Store(eventId, &Event{
@@ -142,7 +150,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
142 argv: make([]string, 0), 150 argv: make([]string, 0),
143 cwd: "", 151 cwd: "",
144 syscallParam: a, 152 syscallParam: a,
145 // pathName: "",
146 }) 153 })
147 case "close": 154 case "close":
148 // 文件关闭 155 // 文件关闭
@@ -157,8 +164,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
157 argv: make([]string, 0), 164 argv: make([]string, 0),
158 cwd: "", 165 cwd: "",
159 syscallParam: a, 166 syscallParam: a,
160 // pathName: "",
161 }) 167 })
168 case "pivot_root":
169 if subj[2] == "container_runtime_t" {
170 eventTable.Store(eventId, &Event{
171 tag: PIVOTROOT,
172 timestamp: event.timestamp,
173 syscall: event.syscall,
174 ppid: event.ppid,
175 pid: event.pid,
176 syscallParam: a,
177 })
178 }
162 } 179 }
163} 180}
164 181
@@ -168,14 +185,14 @@ func execve(rawEvent libaudit.RawAuditMessage) {
168 } 185 }
169 186
170 match := execveRegex.FindSubmatch(rawEvent.Data) 187 match := execveRegex.FindSubmatch(rawEvent.Data)
171 eventId, errs[0] = strconv.Atoi(string(match[1])) 188 eventId, _ = strconv.Atoi(string(match[1]))
172 argc, errs[1] = strconv.Atoi(string(match[2])) 189 argc, _ = strconv.Atoi(string(match[2]))
173 tmp, ok = eventTable.Load(eventId) 190 tmp, ok = eventTable.Load(eventId)
174 if !ok { 191 if !ok {
175 return 192 return
176 } 193 }
177 pEvent = tmp.(*Event) 194 pEvent = tmp.(*Event)
178 if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) { 195 if argsRegex.Match(rawEvent.Data) {
179 match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) 196 match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
180 for i := 0; i < argc; i++ { 197 for i := 0; i < argc; i++ {
181 if len(match[i][2]) == 0 { 198 if len(match[i][2]) == 0 {
@@ -196,7 +213,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) {
196 } 213 }
197 214
198 match := cwdRegex.FindSubmatch(rawEvent.Data) 215 match := cwdRegex.FindSubmatch(rawEvent.Data)
199 eventId, errs[0] = strconv.Atoi(string(match[1])) 216 eventId, _ = strconv.Atoi(string(match[1]))
200 tmp, ok = eventTable.Load(eventId) 217 tmp, ok = eventTable.Load(eventId)
201 if !ok { 218 if !ok {
202 return 219 return
@@ -211,7 +228,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) {
211 228
212 var cmdline string 229 var cmdline string
213 match := proctitleRegex.FindSubmatch(rawEvent.Data) 230 match := proctitleRegex.FindSubmatch(rawEvent.Data)
214 eventId, errs[0] = strconv.Atoi(string(match[1])) 231 eventId, _ = strconv.Atoi(string(match[1]))
215 tmp, ok = eventTable.Load(eventId) 232 tmp, ok = eventTable.Load(eventId)
216 if !ok { 233 if !ok {
217 return 234 return
@@ -236,14 +253,13 @@ func eoe(rawEvent libaudit.RawAuditMessage) {
236 } 253 }
237 254
238 match := eoeRegex.FindSubmatch(rawEvent.Data) 255 match := eoeRegex.FindSubmatch(rawEvent.Data)
239 eventId, errs[0] = strconv.Atoi(string(match[1])) 256 eventId, _ = strconv.Atoi(string(match[1]))
240 tmp, ok = eventTable.Load(eventId) 257 tmp, ok = eventTable.Load(eventId)
241 if !ok { 258 if !ok {
242 return 259 return
243 } 260 }
244 cooked := *(tmp.(*Event)) 261 cooked := *(tmp.(*Event))
245 cookedChan <- cooked 262 cookedChan <- cooked
246 // fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
247 eventTable.Delete(eventId) // 死人别占地 263 eventTable.Delete(eventId) // 死人别占地
248} 264}
249 265
@@ -252,8 +268,9 @@ func path(rawEvent libaudit.RawAuditMessage) {
252 return 268 return
253 } 269 }
254 match := pathRegex.FindSubmatch(rawEvent.Data) 270 match := pathRegex.FindSubmatch(rawEvent.Data)
255 eventId, errs[0] = strconv.Atoi(string(match[1])) 271 eventId, _ = strconv.Atoi(string(match[1]))
256 name := string(match[2]) 272 // item, _ := strconv.Atoi(string(match[2]))
273 name := string(match[3])
257 274
258 tmp, ok = eventTable.Load(eventId) 275 tmp, ok = eventTable.Load(eventId)
259 if !ok { 276 if !ok {
@@ -267,8 +284,8 @@ func path(rawEvent libaudit.RawAuditMessage) {
267 } 284 }
268 285
269 if name[0] == '/' { 286 if name[0] == '/' {
270 pEvent.pathName = name 287 pEvent.srcPath = name
271 } else { 288 } else {
272 pEvent.pathName += "/" + name 289 pEvent.srcPath += "/" + name
273 } 290 }
274} 291}
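Review bot: In the `@@ -74,28 +76,34 @@` hunk of syscallRaw, `match` returned by `syscallRegex.FindSubmatch` (new line 81) is still indexed without a nil check, and the new pattern is stricter than the old one: it now requires a `subj=` value containing at least three colons, so a SYSCALL record whose label has another shape (a `subj=unconfined` record on a host without SELinux typically has no colons at all) yields `match == nil`, and `match[1]` on the next line panics, which as an unrecovered panic terminates the whole collector. A guard before the first use, `if match == nil { fmt.Fprintf(os.Stderr, "Error: unparsable syscall record: %q\n", rawEvent.Data); return }`, keeps one unexpected record from stopping audit collection. The `subj[2] == "container_runtime_t"` comparison at new line 169 likewise assumes the SELinux `user:role:type:level` layout, so a comment such as `// subj is assumed to be an SELinux context; pivot_root detection does nothing on other LSMs` would make that explicit. The pivot_root Event at lines 170-177 also omits the `argv: make([]string, 0)` and `cwd: ""` initialisers the other cases set, so consumers that range over argv get a nil slice for this tag. syscallRaw's body begins before this hunk.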