diff options
| author |   We-unite <3205135446@qq.com> | 2024-07-31 11:46:01 +0800 |
|---|---|---|
| committer | We-unite <3205135446@qq.com> | 2024-08-01 15:10:36 +0800 |
| commit | 3efeef969ebc344c993ce0fc46f557c7d8560525 (patch) | |
| tree | f0f917080c64c8def6922c365465f1ee5371c464 /src/organize.go | |
| parent | d6c6e13796435f9e1e59fec891aa53680748a2d7 (diff) | |
| download | godo-3efeef969ebc344c993ce0fc46f557c7d8560525.tar.gz godo-3efeef969ebc344c993ce0fc46f557c7d8560525.zip | |
Use netlink connector to recv pid info, fix exec
For some reasons, kernel-connector can catch exec event, but it
doesn't tell me about what the process exec and what're its args.
So we should use audit to collect these infomations, and complete
in the database.
However, there's different delays between connector and audit,
although they both use netlink socket, as a result of which, exec
may comes before fork. we deal with it the same way. But, there's
also exec event lost, may because of the check for ppid in exec
event, but it's necessary, and if is deleted, too much irrelavent
infomation would flood into database, i've tried. So make it there,
just go forward.
Besides, what's newly discovered is that pthread_create also use
clone syscall, but if pid 1 has a thread 2, the exec info will say
that pid 2 execs. So i shouldn't ignore connector msg that childPid
ne childTgid.
This is my first attempt to use git-submodule function in my own pro-
ject, also golang local package. Congratulations!
Now, fight to fix about file operations. Hope that there wouldn't
be too many fucking bugs.
Diffstat (limited to 'src/organize.go')
| -rw-r--r-- | src/organize.go | 31 |
1 files changed, 0 insertions, 31 deletions
diff --git a/src/organize.go b/src/organize.go index d7a1df1..238509f 100644 --- a/src/organize.go +++ b/src/organize.go | |||
| @@ -47,7 +47,6 @@ func orgnaze() { | |||
| 47 | break | 47 | break |
| 48 | } | 48 | } |
| 49 | rawEvent = raw.(libaudit.RawAuditMessage) | 49 | rawEvent = raw.(libaudit.RawAuditMessage) |
| 50 | fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data) | ||
| 51 | 50 | ||
| 52 | switch rawEvent.Type { | 51 | switch rawEvent.Type { |
| 53 | case auparse.AUDIT_SYSCALL: | 52 | case auparse.AUDIT_SYSCALL: |
| @@ -100,24 +99,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 100 | } | 99 | } |
| 101 | 100 | ||
| 102 | switch syscallTable[event.syscall] { | 101 | switch syscallTable[event.syscall] { |
| 103 | case "clone": | ||
| 104 | if exit == 0 || event.pid > exit { | ||
| 105 | // exit=0是给新进程的返回,没用 | ||
| 106 | // pid>exit,证明有问题,抛弃 | ||
| 107 | break | ||
| 108 | } else { | ||
| 109 | eventTable.Store(eventId, &Event{ | ||
| 110 | tag: NEWPID, | ||
| 111 | timestamp: event.timestamp, | ||
| 112 | syscall: event.syscall, | ||
| 113 | exit_code: 0, | ||
| 114 | ppid: event.pid, | ||
| 115 | pid: exit, | ||
| 116 | argc: 0, | ||
| 117 | argv: make([]string, 0), | ||
| 118 | cwd: "", | ||
| 119 | }) | ||
| 120 | } | ||
| 121 | case "execve": | 102 | case "execve": |
| 122 | eventTable.Store(eventId, &Event{ | 103 | eventTable.Store(eventId, &Event{ |
| 123 | tag: EXECVE, | 104 | tag: EXECVE, |
| @@ -130,18 +111,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 130 | argv: make([]string, 0), | 111 | argv: make([]string, 0), |
| 131 | cwd: "", | 112 | cwd: "", |
| 132 | }) | 113 | }) |
| 133 | case "exit", "exit_group": | ||
| 134 | eventTable.Store(eventId, &Event{ | ||
| 135 | tag: PIDEXIT, | ||
| 136 | timestamp: event.timestamp, | ||
| 137 | syscall: event.syscall, | ||
| 138 | exit_code: a[0], | ||
| 139 | ppid: event.ppid, | ||
| 140 | pid: event.pid, | ||
| 141 | argc: 0, | ||
| 142 | argv: make([]string, 0), | ||
| 143 | cwd: "", | ||
| 144 | }) | ||
| 145 | case "open": | 114 | case "open": |
| 146 | // 检查打开的权限 | 115 | // 检查打开的权限 |
| 147 | if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 { | 116 | if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 { |