Depart the whole program into several files.

Put all the src code in only one file is to ugly, so devide it! and mv them into src dir to keep the whole repo clear.
author: We-unite <3205135446@qq.com> 2024-07-19 17:02:11 +0800
committer: We-unite <3205135446@qq.com> 2024-07-19 17:05:29 +0800
commit: 7cf8e470471d30fc821a8be350dcb97dc64e5add (patch)
tree: e747afbc698bba079047f17674eef260a4c6733d /src/organize.go
parent: 2e37dcf708be08dff963ee08cb7a9557f32e690d (diff)
download: godo-7cf8e470471d30fc821a8be350dcb97dc64e5add.tar.gz
godo-7cf8e470471d30fc821a8be350dcb97dc64e5add.zip
1 files changed, 124 insertions, 0 deletions
diff --git a/src/organize.go b/src/organize.go
new file mode 100644
index 0000000..025d8c0
--- /dev/null
+++ b/src/organize.go
@@ -0,0 +1,124 @@
+package main
+import (
+        "regexp"
+        "strconv"
+        "strings"
+        "github.com/elastic/go-libaudit/v2"
+        "github.com/elastic/go-libaudit/v2/auparse"
+)
+func orgnaze() {
+        defer wg.Done()
+        defer close(cookedChan)
+        // 接收信息
+        var raw interface{}
+        var ok bool
+        var rawEvent libaudit.RawAuditMessage
+        // 事件信息
+        var eventId, argc int
+        var err [6]error
+        var event, cooked Event
+        // 为每个事务id存储其信息，事务id在操作系统运行期间是唯一的
+        eventTable := make(map[int]*Event)
+        // 要用的正则匹配列表
+        syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?ppid=(\d+) pid=(\d+).*?$`)
+        execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
+        argsRegex := regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
+        cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):  cwd="(.*?)"`)
+        proctitleRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`)
+        eoeRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)
+        for {
+                raw, ok = <-rawChan
+                if !ok {
+                        break
+                }
+                rawEvent = raw.(libaudit.RawAuditMessage)
+                // type Event struct {
+                //      timestamp time.Time
+                //      pid, ppid int
+                //      syscall   int
+                //      argc      int
+                //      args      []string
+                //      cwd       string
+                // }
+                switch rawEvent.Type {
+                case auparse.AUDIT_SYSCALL:
+                        if syscallRegex.Match(rawEvent.Data) {
+                                match := syscallRegex.FindSubmatch(rawEvent.Data)
+                                event.timestamp, err[0] = getTimeFromStr(string(match[1]))
+                                eventId, err[1] = strconv.Atoi(string(match[2]))
+                                event.syscall, err[2] = strconv.Atoi(string(match[3]))
+                                event.ppid, err[3] = strconv.Atoi(string(match[4]))
+                                event.pid, err[4] = strconv.Atoi(string(match[5]))
+                                eventTable[eventId] = &Event{
+                                        timestamp: event.timestamp,
+                                        syscall:   event.syscall,
+                                        ppid:      event.ppid,
+                                        pid:       event.pid,
+                                        argc:      0,
+                                        argv:      make([]string, 0),
+                                        cwd:       "",
+                                }
+                        }
+                case auparse.AUDIT_EXECVE:
+                        if execveRegex.Match(rawEvent.Data) {
+                                match := execveRegex.FindSubmatch(rawEvent.Data)
+                                eventId, err[0] = strconv.Atoi(string(match[1]))
+                                argc, err[1] = strconv.Atoi(string(match[2]))
+                                if err[0] == nil && err[1] == nil && argsRegex.Match(rawEvent.Data) {
+                                        match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
+                                        for i := 0; i < argc; i++ {
+                                                if len(match[i][2]) == 0 {
+                                                        // 代表着匹配到的是十六进制数
+                                                        str := hexToAscii(string(match[i][3]))
+                                                        eventTable[eventId].argv = append(eventTable[eventId].argv, str)
+                                                } else {
+                                                        eventTable[eventId].argv = append(eventTable[eventId].argv, string(match[i][2]))
+                                                }
+                                        }
+                                        eventTable[eventId].argc = argc
+                                }
+                        }
+                // case auparse.AUDIT_PATH:
+                case auparse.AUDIT_CWD:
+                        if cwdRegex.Match(rawEvent.Data) {
+                                match := cwdRegex.FindSubmatch(rawEvent.Data)
+                                eventId, err[0] = strconv.Atoi(string(match[1]))
+                                eventTable[eventId].cwd = string(match[2])
+                        }
+                case auparse.AUDIT_PROCTITLE:
+                        if proctitleRegex.Match(rawEvent.Data) {
+                                var cmdline string
+                                var pEvent *Event
+                                match := proctitleRegex.FindSubmatch(rawEvent.Data)
+                                eventId, err[0] = strconv.Atoi(string(match[1]))
+                                pEvent = eventTable[eventId]
+                                if pEvent.argc == 0 {
+                                        // 只有等于0，才证明没经过EXECVE提取参数，才允许使用PROCTITLE提取参数
+                                        if match[3] == nil {
+                                                // PROCTITLE写的是十六进制，转换为字符串
+                                                cmdline = hexToAscii(string(match[4]))
+                                        } else {
+                                                cmdline = string(match[3])
+                                        }
+                                        pEvent.argv = strings.Split(cmdline, " ")
+                                        pEvent.argc = len(eventTable[eventId].argv)
+                                }
+                        }
+                case auparse.AUDIT_EOE:
+                        if eoeRegex.Match(rawEvent.Data) {
+                                match := eoeRegex.FindSubmatch(rawEvent.Data)
+                                eventId, err[0] = strconv.Atoi(string(match[1]))
+                                // ATTENTION: 事件整理完毕，即刻发出，是否合理呢？
+                                cooked = *eventTable[eventId] // 应当采用深拷贝吗？有待实验
+                                cookedChan <- cooked
+                                delete(eventTable, eventId) //发出之后就从信息表扔掉，死人别占地
+                        }
+                default:
+                        // ATTENTION: 这里也需要做防护
+                }
+        }
+}
author	We-unite <3205135446@qq.com>	2024-07-19 17:02:11 +0800
committer	We-unite <3205135446@qq.com>	2024-07-19 17:05:29 +0800
commit	7cf8e470471d30fc821a8be350dcb97dc64e5add (patch)
tree	e747afbc698bba079047f17674eef260a4c6733d /src/organize.go
parent	2e37dcf708be08dff963ee08cb7a9557f32e690d (diff)
download	godo-7cf8e470471d30fc821a8be350dcb97dc64e5add.tar.gz godo-7cf8e470471d30fc821a8be350dcb97dc64e5add.zip

diff --git a/src/organize.go b/src/organize.go new file mode 100644 index 0000000..025d8c0 --- /dev/null +++ b/src/organize.go
@@ -0,0 +1,124 @@
	1	package main
	2
	3	import (
	4	"regexp"
	5	"strconv"
	6	"strings"
	7
	8	"github.com/elastic/go-libaudit/v2"
	9	"github.com/elastic/go-libaudit/v2/auparse"
	10	)
	11
	12	func orgnaze() {
	13	defer wg.Done()
	14	defer close(cookedChan)
	15	// 接收信息
	16	var raw interface{}
	17	var ok bool
	18	var rawEvent libaudit.RawAuditMessage
	19	// 事件信息
	20	var eventId, argc int
	21	var err [6]error
	22	var event, cooked Event
	23	// 为每个事务id存储其信息，事务id在操作系统运行期间是唯一的
	24	eventTable := make(map[int]*Event)
	25	// 要用的正则匹配列表
	26	syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).?syscall=(\d+).?ppid=(\d+) pid=(\d+).*?$`)
	27	execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
	28	argsRegex := regexp.MustCompile(`a\d+=("(.*?)"\|([0-9a-fA-F]+))`)
	29	cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`)
	30	proctitleRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"\|([0-9a-fA-F]+))$`)
	31	eoeRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)
	32	for {
	33	raw, ok = <-rawChan
	34	if !ok {
	35	break
	36	}
	37	rawEvent = raw.(libaudit.RawAuditMessage)
	38
	39	// type Event struct {
	40	// timestamp time.Time
	41	// pid, ppid int
	42	// syscall int
	43	// argc int
	44	// args []string
	45	// cwd string
	46	// }
	47	switch rawEvent.Type {
	48	case auparse.AUDIT_SYSCALL:
	49	if syscallRegex.Match(rawEvent.Data) {
	50	match := syscallRegex.FindSubmatch(rawEvent.Data)
	51	event.timestamp, err[0] = getTimeFromStr(string(match[1]))
	52	eventId, err[1] = strconv.Atoi(string(match[2]))
	53	event.syscall, err[2] = strconv.Atoi(string(match[3]))
	54	event.ppid, err[3] = strconv.Atoi(string(match[4]))
	55	event.pid, err[4] = strconv.Atoi(string(match[5]))
	56	eventTable[eventId] = &Event{
	57	timestamp: event.timestamp,
	58	syscall: event.syscall,
	59	ppid: event.ppid,
	60	pid: event.pid,
	61	argc: 0,
	62	argv: make([]string, 0),
	63	cwd: "",
	64	}
	65	}
	66	case auparse.AUDIT_EXECVE:
	67	if execveRegex.Match(rawEvent.Data) {
	68	match := execveRegex.FindSubmatch(rawEvent.Data)
	69	eventId, err[0] = strconv.Atoi(string(match[1]))
	70	argc, err[1] = strconv.Atoi(string(match[2]))
	71	if err[0] == nil && err[1] == nil && argsRegex.Match(rawEvent.Data) {
	72	match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
	73	for i := 0; i < argc; i++ {
	74	if len(match[i][2]) == 0 {
	75	// 代表着匹配到的是十六进制数
	76	str := hexToAscii(string(match[i][3]))
	77	eventTable[eventId].argv = append(eventTable[eventId].argv, str)
	78	} else {
	79	eventTable[eventId].argv = append(eventTable[eventId].argv, string(match[i][2]))
	80	}
	81	}
	82	eventTable[eventId].argc = argc
	83	}
	84	}
	85	// case auparse.AUDIT_PATH:
	86	case auparse.AUDIT_CWD:
	87	if cwdRegex.Match(rawEvent.Data) {
	88	match := cwdRegex.FindSubmatch(rawEvent.Data)
	89	eventId, err[0] = strconv.Atoi(string(match[1]))
	90	eventTable[eventId].cwd = string(match[2])
	91	}
	92	case auparse.AUDIT_PROCTITLE:
	93	if proctitleRegex.Match(rawEvent.Data) {
	94	var cmdline string
	95	var pEvent *Event
	96	match := proctitleRegex.FindSubmatch(rawEvent.Data)
	97	eventId, err[0] = strconv.Atoi(string(match[1]))
	98	pEvent = eventTable[eventId]
	99	if pEvent.argc == 0 {
	100	// 只有等于0，才证明没经过EXECVE提取参数，才允许使用PROCTITLE提取参数
	101	if match[3] == nil {
	102	// PROCTITLE写的是十六进制，转换为字符串
	103	cmdline = hexToAscii(string(match[4]))
	104	} else {
	105	cmdline = string(match[3])
	106	}
	107	pEvent.argv = strings.Split(cmdline, " ")
	108	pEvent.argc = len(eventTable[eventId].argv)
	109	}
	110	}
	111	case auparse.AUDIT_EOE:
	112	if eoeRegex.Match(rawEvent.Data) {
	113	match := eoeRegex.FindSubmatch(rawEvent.Data)
	114	eventId, err[0] = strconv.Atoi(string(match[1]))
	115	// ATTENTION: 事件整理完毕，即刻发出，是否合理呢？
	116	cooked = *eventTable[eventId] // 应当采用深拷贝吗？有待实验
	117	cookedChan <- cooked
	118	delete(eventTable, eventId) //发出之后就从信息表扔掉，死人别占地
	119	}
	120	default:
	121	// ATTENTION: 这里也需要做防护
	122	}
	123	}
	124	}