aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/deal.go51
-rw-r--r--src/global.go6
-rw-r--r--src/godo.go24
-rw-r--r--src/organize.go81
4 files changed, 103 insertions, 59 deletions
diff --git a/src/deal.go b/src/deal.go
index f2b7d4b..e553174 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -2,6 +2,7 @@ package main
2 2
3import ( 3import (
4 "fmt" 4 "fmt"
5 "os"
5 "syscall" 6 "syscall"
6 7
7 "go.mongodb.org/mongo-driver/bson" 8 "go.mongodb.org/mongo-driver/bson"
@@ -26,7 +27,7 @@ func deal() {
26 var ok bool 27 var ok bool
27 28
28 if err = pidCol.init(dbName, pidColName); err != nil { 29 if err = pidCol.init(dbName, pidColName); err != nil {
29 fmt.Printf("Error while initing the mongodb: %v\n", err) 30 fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err)
30 return 31 return
31 } 32 }
32 err = pidCol.InsertOne(bson.M{ 33 err = pidCol.InsertOne(bson.M{
@@ -37,16 +38,16 @@ func deal() {
37 "daemon": true, 38 "daemon": true,
38 }) 39 })
39 if err != nil { 40 if err != nil {
40 fmt.Printf("Error while initing the mongodb: %v\n", err) 41 fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err)
41 return 42 return
42 } 43 }
43 44
44 if err = fdCol.init(dbName, fdColName); err != nil { 45 if err = fdCol.init(dbName, fdColName); err != nil {
45 fmt.Printf("Error while initing the mongodb: %v\n", err) 46 fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err)
46 return 47 return
47 } 48 }
48 if err = fileCol.init(dbName, fileColName); err != nil { 49 if err = fileCol.init(dbName, fileColName); err != nil {
49 fmt.Printf("Error while initing the mongodb: %v\n", err) 50 fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err)
50 } 51 }
51 52
52 fmt.Printf("Containerd: %d\n", containerdPid) 53 fmt.Printf("Containerd: %d\n", containerdPid)
@@ -73,6 +74,8 @@ func deal() {
73 go fileWrite(cooked) 74 go fileWrite(cooked)
74 case FILECLOSE: 75 case FILECLOSE:
75 go fileClose(cooked) 76 go fileClose(cooked)
77 case PIVOTROOT:
78 go pivotRoot(cooked)
76 } 79 }
77 } 80 }
78} 81}
@@ -85,9 +88,6 @@ func deletePid(cooked Event) {
85 }, 88 },
86 }) 89 })
87 90
88 // 孩子们需要收容
89 // 不必到children里一个个找,直接看ppid即可
90 // pidCol.UpdateMany(bson.M{"ppid": cooked.pid}, bson.M{"ppid": 1})
91 // 在这套逻辑里,孩子是不需要收容的,因为我们根本就不看ppid来工作 91 // 在这套逻辑里,孩子是不需要收容的,因为我们根本就不看ppid来工作
92 92
93 // 可以去死了 93 // 可以去死了
@@ -98,13 +98,15 @@ func deletePid(cooked Event) {
98 "exit_signal": cooked.exit_signal, 98 "exit_signal": cooked.exit_signal,
99 }, 99 },
100 }) 100 })
101
102 // 理论上这里需要关闭所有文件描述符,但为了处理效率,留给后续流程
101} 103}
102 104
103func dealNewPid(cooked Event) { 105func dealNewPid(cooked Event) {
104 // 自身是否已经记录 106 // 自身是否已经记录
105 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) 107 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
106 if err != nil { 108 if err != nil {
107 fmt.Printf("Err finding: %v\n", err) 109 fmt.Fprintf(os.Stderr, "Err finding: %v\n", err)
108 return 110 return
109 } 111 }
110 112
@@ -189,7 +191,7 @@ func fileOpen(cooked Event) {
189 // 权限检查过了,不必再查 191 // 权限检查过了,不必再查
190 fdCol.InsertOne(bson.M{ 192 fdCol.InsertOne(bson.M{
191 "timestamp": cooked.timestamp, 193 "timestamp": cooked.timestamp,
192 "fileName": cooked.pathName, 194 "fileName": cooked.srcPath,
193 "pid": cooked.pid, 195 "pid": cooked.pid,
194 "fd": cooked.exit_code, 196 "fd": cooked.exit_code,
195 "flags": cooked.syscallParam, 197 "flags": cooked.syscallParam,
@@ -212,7 +214,7 @@ func fileClose(cooked Event) {
212 } 214 }
213 res["close_timestamp"] = cooked.timestamp 215 res["close_timestamp"] = cooked.timestamp
214 if err := fileCol.InsertOne(res); err != nil { 216 if err := fileCol.InsertOne(res); err != nil {
215 fmt.Printf("Err inserting files: %v\n", err) 217 fmt.Fprintf(os.Stderr, "Err inserting files: %v\n", err)
216 } 218 }
217} 219}
218 220
@@ -223,7 +225,7 @@ func fileWrite(cooked Event) {
223 "close_timestamp": bson.M{"$exists": false}, 225 "close_timestamp": bson.M{"$exists": false},
224 }) 226 })
225 if err != nil { 227 if err != nil {
226 fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err) 228 fmt.Fprintf(os.Stderr, "Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
227 } 229 }
228 if len(res) == 0 { 230 if len(res) == 0 {
229 return 231 return
@@ -234,3 +236,30 @@ func fileWrite(cooked Event) {
234 "close_timestamp": bson.M{"$exists": false}, 236 "close_timestamp": bson.M{"$exists": false},
235 }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) 237 }, bson.M{"$push": bson.M{"written": cooked.timestamp}})
236} 238}
239
240func pivotRoot(cooked Event) {
241 // docker的根目录信息,记录
242 docRes, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
243 if err != nil {
244 fmt.Fprintf(os.Stderr, "Err finding: %v\n", err)
245 return
246 }
247
248 if len(docRes) == 0 {
249 // fork还没到,等一下
250 pidCol.InsertOne(bson.M{
251 "start_timestamp": cooked.timestamp,
252 "ppid": cooked.ppid,
253 "pid": cooked.pid,
254 "rootfs": "cwd",
255 })
256 } else {
257 // 读取已有的工作目录
258 cwd := docRes[0]["cwd"]
259 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
260 "$set": bson.M{
261 "rootfs": cwd,
262 },
263 })
264 }
265}
diff --git a/src/global.go b/src/global.go
index b6635c9..349ba6c 100644
--- a/src/global.go
+++ b/src/global.go
@@ -14,11 +14,12 @@ const (
14 FILEOPEN 14 FILEOPEN
15 FILECLOSE 15 FILECLOSE
16 FILEWRITE 16 FILEWRITE
17 PIVOTROOT
17 TYPENUM 18 TYPENUM
18) 19)
19 20
20func (et eventType) String() string { 21func (et eventType) String() string {
21 names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "TYPENUM"} 22 names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "PIVOTROOT", "TYPENUM"}
22 if et < NEWPID || et > TYPENUM { 23 if et < NEWPID || et > TYPENUM {
23 return "Unknown" 24 return "Unknown"
24 } 25 }
@@ -32,12 +33,13 @@ type Event struct {
32 ppid, parentTgid int 33 ppid, parentTgid int
33 syscall int 34 syscall int
34 syscallParam [4]uint64 35 syscallParam [4]uint64
35 pathName string
36 argc int 36 argc int
37 argv []string 37 argv []string
38 cwd string 38 cwd string
39 exit_code uint64 39 exit_code uint64
40 exit_signal int 40 exit_signal int
41 srcPath string
42 destPath string
41} 43}
42 44
43var wg sync.WaitGroup // 掌管协程 45var wg sync.WaitGroup // 掌管协程
diff --git a/src/godo.go b/src/godo.go
index 923ef85..a30aa88 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -27,14 +27,14 @@ var (
27func main() { 27func main() {
28 // 检查用户身份,并添加auditd规则,监听所有syscall 28 // 检查用户身份,并添加auditd规则,监听所有syscall
29 if os.Geteuid() != 0 { 29 if os.Geteuid() != 0 {
30 fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid()) 30 fmt.Fprintf(os.Stderr, "Err: Please run me as root, %d!\n", os.Getegid())
31 return 31 return
32 } 32 }
33 33
34 // 所有的系统调用号与名称的关系 34 // 所有的系统调用号与名称的关系
35 err := figureOutSyscalls() 35 err := figureOutSyscalls()
36 if err != nil { 36 if err != nil {
37 fmt.Printf("Error figuring out syscall numbers: %v\n", err) 37 fmt.Fprintf(os.Stderr, "Error figuring out syscall numbers: %v\n", err)
38 } 38 }
39 39
40 exec.Command("auditctl", "-D").Run() 40 exec.Command("auditctl", "-D").Run()
@@ -43,7 +43,7 @@ func main() {
43 43
44 var auditCmd *exec.Cmd 44 var auditCmd *exec.Cmd
45 45
46 pidSyscall := []string{"execve"} 46 pidSyscall := []string{"execve", "pivot_root"}
47 // // 设置监听规则 47 // // 设置监听规则
48 for i := 0; i < len(pidSyscall); i++ { 48 for i := 0; i < len(pidSyscall); i++ {
49 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) 49 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i])
@@ -61,14 +61,10 @@ func main() {
61 // 查找pid 61 // 查找pid
62 containerdPid, err = getPid() 62 containerdPid, err = getPid()
63 if err != nil { 63 if err != nil {
64 fmt.Printf("Error finding containerd: %v\n", err) 64 fmt.Fprintf(os.Stderr, "Error finding containerd: %v\n", err)
65 return 65 return
66 } 66 }
67 67
68 // 创世之神,1号进程
69 // 1号进程还是不要在进程树上直接出现了,不然它的小儿子们都会出现
70 // /usr/bin/containerd,也就是我们最关注的进程
71
72 // 开始运行,解析命令行参数后监听 68 // 开始运行,解析命令行参数后监听
73 if err := fs.Parse(os.Args[1:]); err != nil { 69 if err := fs.Parse(os.Args[1:]); err != nil {
74 log.Fatal(err) 70 log.Fatal(err)
@@ -81,8 +77,8 @@ func main() {
81 77
82func coroutine(client *libaudit.AuditClient) { 78func coroutine(client *libaudit.AuditClient) {
83 // 各协程至此开始 79 // 各协程至此开始
84 rawChan = make(chan interface{}) 80 rawChan = make(chan interface{}, 65536)
85 cookedChan = make(chan Event) 81 cookedChan = make(chan Event, 65536)
86 82
87 wg.Add(1) 83 wg.Add(1)
88 go procWatch() 84 go procWatch()
@@ -101,14 +97,14 @@ func coroutine(client *libaudit.AuditClient) {
101func procWatch() error { 97func procWatch() error {
102 ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345) 98 ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345)
103 if err != nil { 99 if err != nil {
104 fmt.Printf("Error creating socket: %v\n", err) 100 fmt.Fprintf(os.Stderr, "Error creating socket: %v\n", err)
105 return err 101 return err
106 } 102 }
107 defer ns.Close() 103 defer ns.Close()
108 for { 104 for {
109 res, err := ns.Receive(20) 105 res, err := ns.Receive(20)
110 if err != nil { 106 if err != nil {
111 fmt.Printf("Error recv: %v\n", err) 107 fmt.Fprintf(os.Stderr, "Error recv: %v\n", err)
112 continue 108 continue
113 } 109 }
114 for i := 0; i < len(res); i++ { 110 for i := 0; i < len(res); i++ {
@@ -146,7 +142,7 @@ func checkProc(pCooked *Event) {
146 fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid) 142 fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid)
147 fd, err := os.Open(fileName) 143 fd, err := os.Open(fileName)
148 if err != nil { 144 if err != nil {
149 fmt.Printf("Err: %v\n", err) 145 fmt.Fprintf(os.Stderr, "Err: %v\n", err)
150 return 146 return
151 } 147 }
152 148
@@ -162,7 +158,7 @@ func checkProc(pCooked *Event) {
162 fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid) 158 fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid)
163 pCooked.cwd, err = os.Readlink(fileName) 159 pCooked.cwd, err = os.Readlink(fileName)
164 if err != nil { 160 if err != nil {
165 fmt.Printf("Err readlink %s: %v\n", fileName, err) 161 fmt.Fprintf(os.Stderr, "Err: %v\n", err)
166 pCooked.cwd = "" 162 pCooked.cwd = ""
167 } 163 }
168} 164}
diff --git a/src/organize.go b/src/organize.go
index 12119ad..293371b 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -2,6 +2,7 @@ package main
2 2
3import ( 3import (
4 "fmt" 4 "fmt"
5 "os"
5 "regexp" 6 "regexp"
6 "strconv" 7 "strconv"
7 "strings" 8 "strings"
@@ -21,14 +22,15 @@ var ok bool
21var event Event 22var event Event
22var pEvent *Event 23var pEvent *Event
23var eventId, argc int 24var eventId, argc int
24var errs [6]error 25
26// var errs [6]error
25 27
26// 要用的正则匹配列表 28// 要用的正则匹配列表
27var ( 29var (
28 syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`) 30 syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`)
29 execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) 31 execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
30 argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) 32 argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
31 pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.*?name="(.*?)"`) 33 pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`)
32 cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) 34 cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`)
33 proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) 35 proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`)
34 eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) 36 eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)
@@ -47,22 +49,22 @@ func orgnaze() {
47 break 49 break
48 } 50 }
49 rawEvent = raw.(libaudit.RawAuditMessage) 51 rawEvent = raw.(libaudit.RawAuditMessage)
52 // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
50 53
51 switch rawEvent.Type { 54 switch rawEvent.Type {
52 case auparse.AUDIT_SYSCALL: 55 case auparse.AUDIT_SYSCALL:
53 go syscallRaw(rawEvent) 56 syscallRaw(rawEvent)
54 case auparse.AUDIT_EXECVE: 57 case auparse.AUDIT_EXECVE:
55 go execve(rawEvent) 58 execve(rawEvent)
56 case auparse.AUDIT_CWD: 59 case auparse.AUDIT_CWD:
57 go cwd(rawEvent) 60 cwd(rawEvent)
58 case auparse.AUDIT_PATH: 61 case auparse.AUDIT_PATH:
59 go path(rawEvent) 62 path(rawEvent)
60 case auparse.AUDIT_PROCTITLE: 63 case auparse.AUDIT_PROCTITLE:
61 go proctitle(rawEvent) 64 proctitle(rawEvent)
62 case auparse.AUDIT_EOE: 65 case auparse.AUDIT_EOE:
63 go eoe(rawEvent) 66 eoe(rawEvent)
64 default: 67 default:
65 // ATTENTION: 这里也需要做防护
66 } 68 }
67 } 69 }
68} 70}
@@ -74,28 +76,34 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
74 76
75 var exit int 77 var exit int
76 var a [4]uint64 78 var a [4]uint64
79 var subj [4]string
77 // 捕获基础信息 80 // 捕获基础信息
78 match := syscallRegex.FindSubmatch(rawEvent.Data) 81 match := syscallRegex.FindSubmatch(rawEvent.Data)
79 event.timestamp, errs[0] = getTimeFromStr(string(match[1])) 82 event.timestamp, _ = getTimeFromStr(string(match[1]))
80 eventId, errs[1] = strconv.Atoi(string(match[2])) 83 eventId, _ = strconv.Atoi(string(match[2]))
81 event.syscall, errs[2] = strconv.Atoi(string(match[3])) 84 event.syscall, _ = strconv.Atoi(string(match[3]))
82 if string(match[4]) == "" { 85 if string(match[4]) == "" {
83 // exit没捕获到 86 // exit没捕获到
84 exit = 0 87 exit = 0
85 } else { 88 } else {
86 exit, errs[3] = strconv.Atoi(string(match[4])) 89 exit, _ = strconv.Atoi(string(match[4]))
90 }
91 event.ppid, _ = strconv.Atoi(string(match[5]))
92 event.pid, _ = strconv.Atoi(string(match[6]))
93
94 // 几个subj,说不定会有用
95 for i := 0; i < 4; i++ {
96 subj[i] = string(match[7+i])
87 } 97 }
88 event.ppid, errs[4] = strconv.Atoi(string(match[5]))
89 event.pid, errs[5] = strconv.Atoi(string(match[6]))
90 98
91 // 捕获参数 99 // 捕获参数
92 if !argsRegex.Match(rawEvent.Data) { 100 if !argsRegex.Match(rawEvent.Data) {
93 fmt.Printf("Error: don't get args in syscall event!\n") 101 fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n")
94 return 102 return
95 } 103 }
96 argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) 104 argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
97 for i := 0; i < 4; i++ { 105 for i := 0; i < 4; i++ {
98 a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) 106 a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)
99 } 107 }
100 108
101 switch syscallTable[event.syscall] { 109 switch syscallTable[event.syscall] {
@@ -128,7 +136,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
128 argv: make([]string, 0), 136 argv: make([]string, 0),
129 cwd: "", 137 cwd: "",
130 syscallParam: a, 138 syscallParam: a,
131 pathName: "", 139 srcPath: "",
132 }) 140 })
133 case "write": 141 case "write":
134 eventTable.Store(eventId, &Event{ 142 eventTable.Store(eventId, &Event{
@@ -142,7 +150,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
142 argv: make([]string, 0), 150 argv: make([]string, 0),
143 cwd: "", 151 cwd: "",
144 syscallParam: a, 152 syscallParam: a,
145 // pathName: "",
146 }) 153 })
147 case "close": 154 case "close":
148 // 文件关闭 155 // 文件关闭
@@ -157,8 +164,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
157 argv: make([]string, 0), 164 argv: make([]string, 0),
158 cwd: "", 165 cwd: "",
159 syscallParam: a, 166 syscallParam: a,
160 // pathName: "",
161 }) 167 })
168 case "pivot_root":
169 if subj[2] == "container_runtime_t" {
170 eventTable.Store(eventId, &Event{
171 tag: PIVOTROOT,
172 timestamp: event.timestamp,
173 syscall: event.syscall,
174 ppid: event.ppid,
175 pid: event.pid,
176 syscallParam: a,
177 })
178 }
162 } 179 }
163} 180}
164 181
@@ -168,14 +185,14 @@ func execve(rawEvent libaudit.RawAuditMessage) {
168 } 185 }
169 186
170 match := execveRegex.FindSubmatch(rawEvent.Data) 187 match := execveRegex.FindSubmatch(rawEvent.Data)
171 eventId, errs[0] = strconv.Atoi(string(match[1])) 188 eventId, _ = strconv.Atoi(string(match[1]))
172 argc, errs[1] = strconv.Atoi(string(match[2])) 189 argc, _ = strconv.Atoi(string(match[2]))
173 tmp, ok = eventTable.Load(eventId) 190 tmp, ok = eventTable.Load(eventId)
174 if !ok { 191 if !ok {
175 return 192 return
176 } 193 }
177 pEvent = tmp.(*Event) 194 pEvent = tmp.(*Event)
178 if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) { 195 if argsRegex.Match(rawEvent.Data) {
179 match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) 196 match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
180 for i := 0; i < argc; i++ { 197 for i := 0; i < argc; i++ {
181 if len(match[i][2]) == 0 { 198 if len(match[i][2]) == 0 {
@@ -196,7 +213,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) {
196 } 213 }
197 214
198 match := cwdRegex.FindSubmatch(rawEvent.Data) 215 match := cwdRegex.FindSubmatch(rawEvent.Data)
199 eventId, errs[0] = strconv.Atoi(string(match[1])) 216 eventId, _ = strconv.Atoi(string(match[1]))
200 tmp, ok = eventTable.Load(eventId) 217 tmp, ok = eventTable.Load(eventId)
201 if !ok { 218 if !ok {
202 return 219 return
@@ -211,7 +228,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) {
211 228
212 var cmdline string 229 var cmdline string
213 match := proctitleRegex.FindSubmatch(rawEvent.Data) 230 match := proctitleRegex.FindSubmatch(rawEvent.Data)
214 eventId, errs[0] = strconv.Atoi(string(match[1])) 231 eventId, _ = strconv.Atoi(string(match[1]))
215 tmp, ok = eventTable.Load(eventId) 232 tmp, ok = eventTable.Load(eventId)
216 if !ok { 233 if !ok {
217 return 234 return
@@ -236,14 +253,13 @@ func eoe(rawEvent libaudit.RawAuditMessage) {
236 } 253 }
237 254
238 match := eoeRegex.FindSubmatch(rawEvent.Data) 255 match := eoeRegex.FindSubmatch(rawEvent.Data)
239 eventId, errs[0] = strconv.Atoi(string(match[1])) 256 eventId, _ = strconv.Atoi(string(match[1]))
240 tmp, ok = eventTable.Load(eventId) 257 tmp, ok = eventTable.Load(eventId)
241 if !ok { 258 if !ok {
242 return 259 return
243 } 260 }
244 cooked := *(tmp.(*Event)) 261 cooked := *(tmp.(*Event))
245 cookedChan <- cooked 262 cookedChan <- cooked
246 // fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
247 eventTable.Delete(eventId) // 死人别占地 263 eventTable.Delete(eventId) // 死人别占地
248} 264}
249 265
@@ -252,8 +268,9 @@ func path(rawEvent libaudit.RawAuditMessage) {
252 return 268 return
253 } 269 }
254 match := pathRegex.FindSubmatch(rawEvent.Data) 270 match := pathRegex.FindSubmatch(rawEvent.Data)
255 eventId, errs[0] = strconv.Atoi(string(match[1])) 271 eventId, _ = strconv.Atoi(string(match[1]))
256 name := string(match[2]) 272 // item, _ := strconv.Atoi(string(match[2]))
273 name := string(match[3])
257 274
258 tmp, ok = eventTable.Load(eventId) 275 tmp, ok = eventTable.Load(eventId)
259 if !ok { 276 if !ok {
@@ -267,8 +284,8 @@ func path(rawEvent libaudit.RawAuditMessage) {
267 } 284 }
268 285
269 if name[0] == '/' { 286 if name[0] == '/' {
270 pEvent.pathName = name 287 pEvent.srcPath = name
271 } else { 288 } else {
272 pEvent.pathName += "/" + name 289 pEvent.srcPath += "/" + name
273 } 290 }
274} 291}