diff options
| author |   We-unite <3205135446@qq.com> | 2024-07-22 11:41:59 +0800 |
|---|---|---|
| committer | We-unite <3205135446@qq.com> | 2024-07-22 19:36:34 +0800 |
| commit | cf5618ff2e2a183c5bdf6444787dccdcbf26ce76 (patch) | |
| tree | 6cc173b9bffe2c1414887a338b6dc2bdbd594fd1 /src/organize.go | |
| parent | 7cf8e470471d30fc821a8be350dcb97dc64e5add (diff) | |
| download | godo-cf5618ff2e2a183c5bdf6444787dccdcbf26ce76.tar.gz godo-cf5618ff2e2a183c5bdf6444787dccdcbf26ce76.zip | |
Use mongodb, insert process info into it
I failed to print the process tree out. While I'm printing the tree,
the tree itself gets changed, maybe deleted. What's more, the output
show that there are 4 lines with the same ppid and pid, how an absurd
result! It may be caused by multi-thread. So, use database instead.
Mongodb uses bson(binary json) to store data but not relational
database like mysql, which means it's more easy to use.(?)
Beside inserting, I've also solved a question that "fork" is called
once but returns twice. For instance, pid 1 forked pid 2, in the
audit log it's not an event "syscall=clone,ppid=1,pid=2", but actually
two events "syscall=clone,exit=0,ppid=0,pid=1" and "syscall=clone,exit=
2,ppid=0,pid=1", which is just what we see in sys_fork in kernel source.
To deal with this, when syscall is clone and exit is 0 we just drop it.
Left question: To find out the exit code when a process exit/exit_group,
and finish the code to record it in the database.
Diffstat (limited to 'src/organize.go')
| -rw-r--r-- | src/organize.go | 54 |
1 files changed, 35 insertions, 19 deletions
diff --git a/src/organize.go b/src/organize.go index 025d8c0..bb6736a 100644 --- a/src/organize.go +++ b/src/organize.go | |||
| @@ -23,7 +23,7 @@ func orgnaze() { | |||
| 23 | // 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的 | 23 | // 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的 |
| 24 | eventTable := make(map[int]*Event) | 24 | eventTable := make(map[int]*Event) |
| 25 | // 要用的正则匹配列表 | 25 | // 要用的正则匹配列表 |
| 26 | syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?ppid=(\d+) pid=(\d+).*?$`) | 26 | syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?(exit=([-+]?\d+).*?)?ppid=(\d+) pid=(\d+).*?$`) |
| 27 | execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) | 27 | execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) |
| 28 | argsRegex := regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) | 28 | argsRegex := regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) |
| 29 | cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) | 29 | cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) |
| @@ -36,14 +36,6 @@ func orgnaze() { | |||
| 36 | } | 36 | } |
| 37 | rawEvent = raw.(libaudit.RawAuditMessage) | 37 | rawEvent = raw.(libaudit.RawAuditMessage) |
| 38 | 38 | ||
| 39 | // type Event struct { | ||
| 40 | // timestamp time.Time | ||
| 41 | // pid, ppid int | ||
| 42 | // syscall int | ||
| 43 | // argc int | ||
| 44 | // args []string | ||
| 45 | // cwd string | ||
| 46 | // } | ||
| 47 | switch rawEvent.Type { | 39 | switch rawEvent.Type { |
| 48 | case auparse.AUDIT_SYSCALL: | 40 | case auparse.AUDIT_SYSCALL: |
| 49 | if syscallRegex.Match(rawEvent.Data) { | 41 | if syscallRegex.Match(rawEvent.Data) { |
| @@ -51,16 +43,40 @@ func orgnaze() { | |||
| 51 | event.timestamp, err[0] = getTimeFromStr(string(match[1])) | 43 | event.timestamp, err[0] = getTimeFromStr(string(match[1])) |
| 52 | eventId, err[1] = strconv.Atoi(string(match[2])) | 44 | eventId, err[1] = strconv.Atoi(string(match[2])) |
| 53 | event.syscall, err[2] = strconv.Atoi(string(match[3])) | 45 | event.syscall, err[2] = strconv.Atoi(string(match[3])) |
| 54 | event.ppid, err[3] = strconv.Atoi(string(match[4])) | 46 | var exit int |
| 55 | event.pid, err[4] = strconv.Atoi(string(match[5])) | 47 | // exit, err[3] = strconv.Atoi(string(match[4])) |
| 56 | eventTable[eventId] = &Event{ | 48 | if string(match[5]) == "" { |
| 57 | timestamp: event.timestamp, | 49 | // exit没捕获到 |
| 58 | syscall: event.syscall, | 50 | exit = 0 |
| 59 | ppid: event.ppid, | 51 | } else { |
| 60 | pid: event.pid, | 52 | exit, err[3] = strconv.Atoi(string(match[5])) |
| 61 | argc: 0, | 53 | } |
| 62 | argv: make([]string, 0), | 54 | event.ppid, err[4] = strconv.Atoi(string(match[5])) |
| 63 | cwd: "", | 55 | event.pid, err[5] = strconv.Atoi(string(match[6])) |
| 56 | if syscallTable[event.syscall] == "clone" { | ||
| 57 | if exit == 0 { | ||
| 58 | break | ||
| 59 | } else { | ||
| 60 | eventTable[eventId] = &Event{ | ||
| 61 | timestamp: event.timestamp, | ||
| 62 | syscall: event.syscall, | ||
| 63 | ppid: event.pid, | ||
| 64 | pid: exit, | ||
| 65 | argc: 0, | ||
| 66 | argv: make([]string, 0), | ||
| 67 | cwd: "", | ||
| 68 | } | ||
| 69 | } | ||
| 70 | } else { | ||
| 71 | eventTable[eventId] = &Event{ | ||
| 72 | timestamp: event.timestamp, | ||
| 73 | syscall: event.syscall, | ||
| 74 | ppid: event.ppid, | ||
| 75 | pid: event.pid, | ||
| 76 | argc: 0, | ||
| 77 | argv: make([]string, 0), | ||
| 78 | cwd: "", | ||
| 79 | } | ||
| 64 | } | 80 | } |
| 65 | } | 81 | } |
| 66 | case auparse.AUDIT_EXECVE: | 82 | case auparse.AUDIT_EXECVE: |