Add db structure, fix filePath, start filtering

This commit I made several changes:

- Use structure instead of simple bson.M(interface{}). bson.M has
  some shortcomings: 1) It makes the database in chaos and hard to
  read, but this's not important; 2) Some entrys may has more or
  less content than others, which makes it hard to decode and filt.
  So I design new data structure to encode and decode. Hopes that
  there's no bugs.
- Fix the way to calculate file path. The original method is to add
  all the PATH entries together, that's totally wrong! PATH entry
  has several types, as it shows in "objtype". I can't find it in
  the kernel src code, so what i know is just "PARENT" means the dir
  the file is in, while the filename itself has the path, so we
  whould ignore all "PARENT"s. When the src code is found, we should
  check it again.
- Fix bugs in updating. The update function of mongodb is set to
  required to has a '$' such as 'set'/'push', so when we update a
  whole doc, we should use replace but not update function. And,
  we should never ignore the error infomation it gives us.

Hope that there's no more bugs for this Big Change.

Now its' time to write filter as well as viewer. Best wishes with
NO BUGS!

1 files changed, 16 insertions, 16 deletions

diff --git a/src/organize.go b/listener/organize.go
index 293371b..0c05eb4 100644
--- a/src/organize.go
+++ b/listener/organize.go
@@ -23,14 +23,12 @@ var event Event
 var pEvent *Event
 var eventId, argc int
 
-// var errs [6]error
-
 // 要用的正则匹配列表
 var (
         syscallRegex   = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`)
         execveRegex    = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
         argsRegex      = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
-        pathRegex      = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`)
+        pathRegex      = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)" .*objtype=([A-Z]+) `)
         cwdRegex       = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):  cwd="(.*?)"`)
         proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`)
         eoeRegex       = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)
@@ -112,12 +110,12 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                         tag:       EXECVE,
                         timestamp: event.timestamp,
                         syscall:   event.syscall,
-                        exit_code: a[0],
-                        ppid:      event.ppid,
-                        pid:       event.pid,
-                        argc:      0,
-                        argv:      make([]string, 0),
-                        cwd:       "",
+                        // exit_code: a[0], // 为啥这么写？
+                        ppid: event.ppid,
+                        pid:  event.pid,
+                        argc: 0,
+                        argv: make([]string, 0),
+                        cwd:  "",
                 })
         case "open":
                 // 检查打开的权限
@@ -129,7 +127,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                         tag:          FILEOPEN,
                         timestamp:    event.timestamp,
                         syscall:      event.syscall,
-                        exit_code:    uint64(exit),
+                        exit_code:    exit,
                         ppid:         event.ppid,
                         pid:          event.pid,
                         argc:         0,
@@ -143,7 +141,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                         tag:          FILEWRITE,
                         timestamp:    event.timestamp,
                         syscall:      event.syscall,
-                        exit_code:    uint64(exit),
+                        exit_code:    exit,
                         ppid:         event.ppid,
                         pid:          event.pid,
                         argc:         0,
@@ -157,7 +155,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                         tag:          FILECLOSE,
                         timestamp:    event.timestamp,
                         syscall:      event.syscall,
-                        exit_code:    uint64(exit),
+                        exit_code:    exit,
                         ppid:         event.ppid,
                         pid:          event.pid,
                         argc:         0,
@@ -271,6 +269,7 @@ func path(rawEvent libaudit.RawAuditMessage) {
         eventId, _ = strconv.Atoi(string(match[1]))
         // item, _ := strconv.Atoi(string(match[2]))
         name := string(match[3])
+        objtype := string(match[4])
 
         tmp, ok = eventTable.Load(eventId)
         if !ok {
@@ -278,14 +277,15 @@ func path(rawEvent libaudit.RawAuditMessage) {
         }
         pEvent = tmp.(*Event)
 
-        // 先看看是不是文件操作
-        if pEvent.tag != FILEOPEN {
+        // 先看看是不是文件操作，再看是不是所在目录
+        if pEvent.tag != FILEOPEN || objtype == "PARENT" {
                 return
         }
 
-        if name[0] == '/' {
+        if pEvent.cwd == "/" || name[0] == '/' {
                 pEvent.srcPath = name
         } else {
-                pEvent.srcPath += "/" + name
+                pEvent.srcPath = pEvent.cwd + "/" + name
         }
+        // ATTENTION: 这里需要做路径简化，留给过滤清洗流程吧
 }