summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/deal.go16
-rw-r--r--src/godo.go8
-rw-r--r--src/organize.go1
3 files changed, 9 insertions, 16 deletions
diff --git a/src/deal.go b/src/deal.go
index ae69003..871b7ff 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -191,18 +191,8 @@ func dealExecve(cooked Event) {
191} 191}
192 192
193func fileOpen(cooked Event) { 193func fileOpen(cooked Event) {
194 fmt.Printf("Open: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName) 194 // fmt.Printf("Open: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
195 // 查看是否记录了该进程
196 res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
197 if err != nil {
198 fmt.Printf("Error finding pid %d: %v\n", cooked.pid, err)
199 }
200 if len(res) == 0 {
201 // 没找着,滚
202 return
203 }
204 195
205 // 确有该进程
206 // 权限检查过了,不必再查 196 // 权限检查过了,不必再查
207 fdCol.InsertOne(bson.M{ 197 fdCol.InsertOne(bson.M{
208 "timestamp": cooked.timestamp, 198 "timestamp": cooked.timestamp,
@@ -223,7 +213,7 @@ func fileOpen(cooked Event) {
223} 213}
224 214
225func fileClose(cooked Event) { 215func fileClose(cooked Event) {
226 fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName) 216 // fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
227 // 直接看文件表有无记录 217 // 直接看文件表有无记录
228 res, err := fdCol.Finddoc(bson.M{ 218 res, err := fdCol.Finddoc(bson.M{
229 "pid": cooked.pid, 219 "pid": cooked.pid,
@@ -244,7 +234,7 @@ func fileClose(cooked Event) {
244} 234}
245 235
246func fileWrite(cooked Event) { 236func fileWrite(cooked Event) {
247 fmt.Printf("Write: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName) 237 // fmt.Printf("Write: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
248 // 直接看文件表有无记录 238 // 直接看文件表有无记录
249 res, err := fdCol.Finddoc(bson.M{ 239 res, err := fdCol.Finddoc(bson.M{
250 "pid": cooked.pid, 240 "pid": cooked.pid,
diff --git a/src/godo.go b/src/godo.go
index cbd9e0a..2ba32d6 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -37,9 +37,11 @@ func main() {
37 fmt.Printf("Error figuring out syscall numbers: %v\n", err) 37 fmt.Printf("Error figuring out syscall numbers: %v\n", err)
38 } 38 }
39 39
40 exec.Command("auditctl", "-D").Run()
41 exec.Command("auditctl", "-b", "1000000000").Run()
42 exec.Command("auditctl", "--reset-lost").Run()
43
40 var auditCmd *exec.Cmd 44 var auditCmd *exec.Cmd
41 auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
42 auditCmd.Run()
43 45
44 pidSyscall := []string{"execve"} 46 pidSyscall := []string{"execve"}
45 // pidSyscall := []string{"fork", "vfork", "clone", "execve", "exit", "exit_group"} 47 // pidSyscall := []string{"fork", "vfork", "clone", "execve", "exit", "exit_group"}
@@ -50,7 +52,7 @@ func main() {
50 } 52 }
51 53
52 // 监听文件的消息 54 // 监听文件的消息
53 fileSyscall := []string{"open", "write", "close"} 55 fileSyscall := []string{"open"}
54 // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"} 56 // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"}
55 for i := 0; i < len(fileSyscall); i++ { 57 for i := 0; i < len(fileSyscall); i++ {
56 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i]) 58 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i])
diff --git a/src/organize.go b/src/organize.go
index 238509f..8deba53 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -47,6 +47,7 @@ func orgnaze() {
47 break 47 break
48 } 48 }
49 rawEvent = raw.(libaudit.RawAuditMessage) 49 rawEvent = raw.(libaudit.RawAuditMessage)
50 // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
50 51
51 switch rawEvent.Type { 52 switch rawEvent.Type {
52 case auparse.AUDIT_SYSCALL: 53 case auparse.AUDIT_SYSCALL:
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-01-08 18:06:09 +0800