Diffstat (limited to '')
-rw-r--r--README.md549
1 files changed, 549 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..bd0dbf8
--- /dev/null
+++ b/README.md
@@ -0,0 +1,549 @@
1# 项目背景
2
3随着 k8s/云原生等技术日渐普及,docker 容器在生产中的应用愈加广泛。由于 docker 并不是一个完整的操作系统,使用的内核依然是宿主机内核,则在 docker 实际使用过程中,可能会遭受攻击或产生泄露,从而威胁其他 docker 或宿主机。因而我们需要对 docker 内部的进程行为、文件修改等进行监视,在出现问题后便于回溯。
4
5# 设计思路
6
7## 整体设计
8
9项目整体采用 MVC 的设计方式,设计思路如下图所示:
10
11<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="550px" height="450px" viewBox="-0.5 -0.5 789 561" content="&lt;mxfile&gt;&lt;diagram id=&quot;I_XTTxZs5cPDDl4HmgJE&quot; name=&quot;第 1 页&quot;&gt;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&lt;/diagram&gt;&lt;/mxfile&gt;">
12 <defs />
13 <g>
14 <rect x="40" y="450" width="640" height="110" rx="16.5" ry="16.5" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all" />
15 <g transform="translate(-0.5 -0.5)">
16 <switch>
17 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
18 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 638px; height: 1px; padding-top: 505px; margin-left: 41px;">
19 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
20 <div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
21 <font style="font-size: 18px;" face="Comic Sans MS">
22 Linux kernel
23 </font>
24 </div>
25 </div>
26 </div>
27 </foreignObject>
28 <text x="360" y="509" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">
29 Linux kernel
30 </text>
31 </switch>
32 </g>
33 <rect x="40" y="190" width="160" height="180" rx="24" ry="24" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all" />
34 <g transform="translate(-0.5 -0.5)">
35 <switch>
36 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
37 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 280px; margin-left: 41px;">
38 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
39 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
40 listener
41 <br />
42 (godo)
43 </div>
44 </div>
45 </div>
46 </foreignObject>
47 <text x="120" y="285" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
48 listener...
49 </text>
50 </switch>
51 </g>
52 <path d="M 40 450 L 40 376.37" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
53 <path d="M 40 371.12 L 43.5 378.12 L 40 376.37 L 36.5 378.12 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
54 <g transform="translate(-0.5 -0.5)">
55 <switch>
56 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
57 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 411px; margin-left: 41px;">
58 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
59 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
60 connector
61 </div>
62 </div>
63 </div>
64 </foreignObject>
65 <text x="41" y="416" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
66 connector
67 </text>
68 </switch>
69 </g>
70 <path d="M 200 450 L 200 376.37" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
71 <path d="M 200 371.12 L 203.5 378.12 L 200 376.37 L 196.5 378.12 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
72 <g transform="translate(-0.5 -0.5)">
73 <switch>
74 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
75 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 411px; margin-left: 201px;">
76 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
77 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
78 audit log
79 </div>
80 </div>
81 </div>
82 </foreignObject>
83 <text x="201" y="416" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
84 audit log
85 </text>
86 </switch>
87 </g>
88 <path d="M 120 190 L 294.7 73.53" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
89 <path d="M 299.07 70.62 L 295.19 77.42 L 294.7 73.53 L 291.3 71.59 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
90 <g transform="translate(-0.5 -0.5)">
91 <switch>
92 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
93 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 131px; margin-left: 210px;">
94 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
95 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
96 infos
97 </div>
98 </div>
99 </div>
100 </foreignObject>
101 <text x="210" y="136" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
102 infos
103 </text>
104 </switch>
105 </g>
106 <rect x="280" y="190" width="160" height="180" rx="24" ry="24" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all" />
107 <g transform="translate(-0.5 -0.5)">
108 <switch>
109 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
110 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 158px; height: 1px; padding-top: 280px; margin-left: 281px;">
111 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
112 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
113 filter
114 </div>
115 </div>
116 </div>
117 </foreignObject>
118 <text x="360" y="285" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
119 filter
120 </text>
121 </switch>
122 </g>
123 <path d="M 360 183.63 L 360 146.37" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
124 <path d="M 360 188.88 L 356.5 181.88 L 360 183.63 L 363.5 181.88 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
125 <path d="M 360 141.12 L 363.5 148.12 L 360 146.37 L 356.5 148.12 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
126 <rect x="550" y="190" width="130" height="180" rx="19.5" ry="19.5" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all" />
127 <g transform="translate(-0.5 -0.5)">
128 <switch>
129 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
130 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 128px; height: 1px; padding-top: 280px; margin-left: 551px;">
131 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
132 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
133 Viewer
134 </div>
135 </div>
136 </div>
137 </foreignObject>
138 <text x="615" y="285" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
139 Viewer
140 </text>
141 </switch>
142 </g>
143 <path d="M 420 70 L 609.58 186.66" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
144 <path d="M 614.05 189.41 L 606.25 188.73 L 609.58 186.66 L 609.92 182.76 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
145 <path d="M 300 18 C 300 -6 420 -6 420 18 L 420 122 C 420 146 300 146 300 122 Z" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
146 <path d="M 300 18 C 300 36 420 36 420 18 M 300 27 C 300 45 420 45 420 27 M 300 36 C 300 54 420 54 420 36" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
147 <g transform="translate(-0.5 -0.5)">
148 <switch>
149 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
150 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 92px; margin-left: 301px;">
151 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
152 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
153 mongoDB
154 </div>
155 </div>
156 </div>
157 </foreignObject>
158 <text x="360" y="97" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
159 mongoDB
160 </text>
161 </switch>
162 </g>
163 <path d="M 727 325 C 727 291 727 274 757 274 C 737 274 737 240 757 240 C 777 240 777 274 757 274 C 787 274 787 291 787 325 Z" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
164 </g>
165</svg>
166
167项目主要分为信息采集、信息过滤、数据库、信息展示四个模块,其工作方式如下:
168
169- 信息采集模块,在各宿主机上安装、并**以 root 权限启动**,负责监听由 Linux 内核发出的 netlink connector 消息、audit 审计消息,将其整理为有关进程的、有关文件的数据,送入数据库中。
170- 在使用时,用信息过滤模块连接数据库,该模块将从数据库中取出所有的消息并过滤无关内容,得到以 docker 守护进程为根的进程树;并在此树的基础上,对数据库中关于文件的记录进行过滤与整理。完成后,将过滤得到的数据送入数据库。
171- 信息展示模块,简要地展示过滤得到的、有关 docker 的数据。
172
173## 信息采集
174
175<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="900px" height="250px" viewBox="-0.5 -0.5 1161 321" content="&lt;mxfile&gt;&lt;diagram id=&quot;bYij1YhiqdmEnY_ocicr&quot; name=&quot;第 1 页&quot;&gt;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&lt;/diagram&gt;&lt;/mxfile&gt;">
176 <defs />
177 <g>
178 <path d="M 1040 40 C 1040 -13.33 1160 -13.33 1160 40 L 1160 280 C 1160 333.33 1040 333.33 1040 280 Z" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
179 <path d="M 1040 40 C 1040 80 1160 80 1160 40 M 1040 60 C 1040 100 1160 100 1160 60 M 1040 80 C 1040 120 1160 120 1160 80" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
180 <g transform="translate(-0.5 -0.5)">
181 <switch>
182 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
183 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 118px; height: 1px; padding-top: 210px; margin-left: 1041px;">
184 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
185 <div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
186 <font face="Comic Sans MS" style="font-size: 18px;">
187 mongodb
188 </font>
189 </div>
190 </div>
191 </div>
192 </foreignObject>
193 <text x="1100" y="214" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">
194 mongodb
195 </text>
196 </switch>
197 </g>
198 <rect x="225" y="30" width="160" height="90" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all" />
199 <path d="M 241 30 L 241 120 M 369 30 L 369 120" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
200 <g transform="translate(-0.5 -0.5)">
201 <switch>
202 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
203 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 126px; height: 1px; padding-top: 75px; margin-left: 241px;">
204 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
205 <div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
206 <font face="Comic Sans MS" style="font-size: 18px;">
207 1. listen to the audit,
208 <br />
209 pass msg down
210 </font>
211 </div>
212 </div>
213 </div>
214 </foreignObject>
215 <text x="304" y="79" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">
216 1. listen to the audi...
217 </text>
218 </switch>
219 </g>
220 <rect x="450" y="30" width="210" height="90" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all" />
221 <path d="M 471 30 L 471 120 M 639 30 L 639 120" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
222 <g transform="translate(-0.5 -0.5)">
223 <switch>
224 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
225 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 166px; height: 1px; padding-top: 75px; margin-left: 473px;">
226 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
227 <div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
228 <font style="font-size: 18px;" face="Comic Sans MS">
229 2. Organize recvd msg into events by transection number
230 </font>
231 </div>
232 </div>
233 </div>
234 </foreignObject>
235 <text x="556" y="79" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">
236 2. Organize recvd msg into e...
237 </text>
238 </switch>
239 </g>
240 <rect x="385" y="210" width="275" height="90" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all" />
241 <path d="M 413 210 L 413 300 M 632 210 L 632 300" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
242 <g transform="translate(-0.5 -0.5)">
243 <switch>
244 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
245 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 218px; height: 1px; padding-top: 255px; margin-left: 414px;">
246 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
247 <div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
248 <font style="font-size: 18px;" face="Comic Sans MS">
249 3. Listen to the kernel connector, gets fork/exit events, pass them down
250 </font>
251 </div>
252 </div>
253 </div>
254 </foreignObject>
255 <text x="523" y="259" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">
256 3. Listen to the kernel connector, g...
257 </text>
258 </switch>
259 </g>
260 <rect x="760" y="30" width="150" height="270" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all" />
261 <path d="M 775 30 L 775 300 M 895 30 L 895 300" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
262 <g transform="translate(-0.5 -0.5)">
263 <switch>
264 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
265 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 117px; height: 1px; padding-top: 165px; margin-left: 776px;">
266 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
267 <div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
268 <font face="Comic Sans MS" style="font-size: 18px;">
269 4. Deal with events recvd, push pid/file info into db
270 </font>
271 </div>
272 </div>
273 </div>
274 </foreignObject>
275 <text x="835" y="169" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">
276 4. Deal with events...
277 </text>
278 </switch>
279 </g>
280 <rect x="0" y="30" width="100" height="270" rx="15" ry="15" fill="rgb(255, 255, 255)" stroke="rgb(0, 0, 0)" pointer-events="all" />
281 <g transform="translate(-0.5 -0.5)">
282 <switch>
283 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
284 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 98px; height: 1px; padding-top: 165px; margin-left: 1px;">
285 <div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
286 <div style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; white-space: normal; overflow-wrap: normal;">
287 <font style="font-size: 18px;" face="Comic Sans MS">
288 Linux kernel
289 </font>
290 </div>
291 </div>
292 </div>
293 </foreignObject>
294 <text x="50" y="169" fill="rgb(0, 0, 0)" font-family="Helvetica" font-size="12px" text-anchor="middle">
295 Linux kernel
296 </text>
297 </switch>
298 </g>
299 <path d="M 100 97.5 L 218.63 97.5" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
300 <path d="M 223.88 97.5 L 216.88 101 L 218.63 97.5 L 216.88 94 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
301 <g transform="translate(-0.5 -0.5)">
302 <switch>
303 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
304 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 98px; margin-left: 164px;">
305 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
306 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
307 audit log
308 </div>
309 </div>
310 </div>
311 </foreignObject>
312 <text x="164" y="104" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
313 audit log
314 </text>
315 </switch>
316 </g>
317 <g transform="translate(-0.5 -0.5)">
318 <switch>
319 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
320 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-start; width: 1px; height: 1px; padding-top: 96px; margin-left: 102px;">
321 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: left;">
322 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
323 audit
324 </div>
325 </div>
326 </div>
327 </foreignObject>
328 <text x="102" y="96" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px">
329 audit
330 </text>
331 </switch>
332 </g>
333 <path d="M 100 232.5 L 378.63 232.5" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
334 <path d="M 383.88 232.5 L 376.88 236 L 378.63 232.5 L 376.88 229 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
335 <g transform="translate(-0.5 -0.5)">
336 <switch>
337 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
338 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 233px; margin-left: 244px;">
339 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
340 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
341 process
342 </div>
343 </div>
344 </div>
345 </foreignObject>
346 <text x="244" y="239" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
347 process
348 </text>
349 </switch>
350 </g>
351 <g transform="translate(-0.5 -0.5)">
352 <switch>
353 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
354 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-start; width: 1px; height: 1px; padding-top: 231px; margin-left: 102px;">
355 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: left;">
356 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
357 netlink
358 <br />
359 connector
360 </div>
361 </div>
362 </div>
363 </foreignObject>
364 <text x="102" y="231" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px">
365 netlink...
366 </text>
367 </switch>
368 </g>
369 <path d="M 385 75 L 443.63 75" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
370 <path d="M 448.88 75 L 441.88 78.5 L 443.63 75 L 441.88 71.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
371 <path d="M 660 232.5 L 753.63 232.5" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
372 <path d="M 758.88 232.5 L 751.88 236 L 753.63 232.5 L 751.88 229 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
373 <g transform="translate(-0.5 -0.5)">
374 <switch>
375 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
376 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 233px; margin-left: 712px;">
377 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
378 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
379 Events
380 </div>
381 </div>
382 </div>
383 </foreignObject>
384 <text x="712" y="239" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
385 Events
386 </text>
387 </switch>
388 </g>
389 <path d="M 660 97.5 L 753.63 97.5" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
390 <path d="M 758.88 97.5 L 751.88 101 L 753.63 97.5 L 751.88 94 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
391 <g transform="translate(-0.5 -0.5)">
392 <switch>
393 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
394 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 98px; margin-left: 712px;">
395 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
396 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
397 Events
398 </div>
399 </div>
400 </div>
401 </foreignObject>
402 <text x="712" y="104" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
403 Events
404 </text>
405 </switch>
406 </g>
407 <path d="M 100 300 L 378.63 300" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
408 <path d="M 383.88 300 L 376.88 303.5 L 378.63 300 L 376.88 296.5 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
409 <g transform="translate(-0.5 -0.5)">
410 <switch>
411 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
412 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 301px; margin-left: 244px;">
413 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
414 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
415 process info
416 </div>
417 </div>
418 </div>
419 </foreignObject>
420 <text x="244" y="306" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
421 process info
422 </text>
423 </switch>
424 </g>
425 <g transform="translate(-0.5 -0.5)">
426 <switch>
427 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
428 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe flex-end; justify-content: unsafe flex-start; width: 1px; height: 1px; padding-top: 299px; margin-left: 102px;">
429 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: left;">
430 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
431 /proc fs
432 </div>
433 </div>
434 </div>
435 </foreignObject>
436 <text x="102" y="299" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px">
437 /proc fs
438 </text>
439 </switch>
440 </g>
441 <path d="M 910 97.5 L 1039.99 96.68" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
442 <path d="M 1045.24 96.65 L 1038.26 100.19 L 1039.99 96.68 L 1038.22 93.19 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
443 <g transform="translate(-0.5 -0.5)">
444 <switch>
445 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
446 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 98px; margin-left: 978px;">
447 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
448 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
449 pid info
450 </div>
451 </div>
452 </div>
453 </foreignObject>
454 <text x="978" y="103" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
455 pid info
456 </text>
457 </switch>
458 </g>
459 <path d="M 910 232.5 L 1041.67 232.63" fill="none" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="stroke" />
460 <path d="M 1046.92 232.64 L 1039.92 236.13 L 1041.67 232.63 L 1039.93 229.13 Z" fill="rgb(0, 0, 0)" stroke="rgb(0, 0, 0)" stroke-miterlimit="10" pointer-events="all" />
461 <g transform="translate(-0.5 -0.5)">
462 <switch>
463 <foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;">
464 <div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 1px; height: 1px; padding-top: 233px; margin-left: 980px;">
465 <div data-drawio-colors="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); " style="box-sizing: border-box; font-size: 0px; text-align: center;">
466 <div style="display: inline-block; font-size: 18px; font-family: &quot;Comic Sans MS&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; background-color: rgb(255, 255, 255); white-space: nowrap;">
467 file change
468 <br />
469 info
470 </div>
471 </div>
472 </div>
473 </foreignObject>
474 <text x="980" y="239" fill="rgb(0, 0, 0)" font-family="Comic Sans MS" font-size="18px" text-anchor="middle">
475 file change...
476 </text>
477 </switch>
478 </g>
479 </g>
480 <switch>
481 <g requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" />
482 <a transform="translate(0,-5)" xlink:href="https://www.diagrams.net/doc/faq/svg-export-text-problems" target="_blank">
483 <text text-anchor="middle" font-size="10px" x="50%" y="100%">
484 Text is not SVG - cannot display
485 </text>
486 </a>
487 </switch>
488</svg>
489
490信息采集模块对应本项目下的 listener 目录,主要负责收集 Linux-kernel 发出的 audit 系统审计消息、netlink connector 进程消息。分为四个协程,各自功能如下:
491
492- 1 号协程,**接收来自内核的 audit 审计消息**,传递给 2 号协程
493- 2 号,拿到 1 号发来的消息。对于 audit 审计消息而言,一个事件会被拆分为多条消息发送,但使用相同的时间戳、事务号。因而 2 号将收到的**消息使用正则表达式进行简单解析,并用哈希表按照事务号存储**,直到收到 eoe(本事件到此结束),**将 hash 表中整理得到的 Event 事件发送给 4 号协程**。
494- 3 号,接收来自内核的 connector 消息,获取其中的进程事件(fork/exit)及进程号(ppid/parentTgid/pid/tgid),并通过/proc 文件系统查询 pid 对应的命令行参数 args、当前运行目录 cwd、根文件系统 rootfs、docker id(从 cgroup 查看),**整理为 Event 事件,发送给 4 号协程**
495- 4 号,**接收 Event 事件,判断其类型,分别处理**。代码中事件类型主要有进程复制、进程退出、进程执行文件(execve)、文件打开、文件关闭、写文件、切换根系统(pivot_root)等几种。
496
497## 信息过滤
498
499### 进程过滤与优化
500
501首先,由于 listener 模块在插入时采用了多线程,可能出现同一个进程的两条消息被并行处理、数据库中出现两条记录,因而第一步,是**将相同 pid 的多条记录合并为一条**。
502
503现在开始考虑清洗数据的问题。Docker 是一个 C/S 架构的服务,因而我们真正关心的 docker 有关进程一定是 docker 守护进程的后代(虽然可能作为孤儿进程被 systemd 收养)。**过滤进程数据,只需要构建以守护进程为根的进程树**。在信息收集过程中,我们对 docker 守护进程(`/usr/bin/dockerd`)进行了特殊记录,标记了该 pid 的`star=true`。在过滤过程中,主要工作即围绕该 pid 展开。
504
505- 我们记录的条目以 pid 区分,而这里的 pid 实质上指的是 task id、可能是线程,tgid 才是 task group id 应当理解为进程。因而,为了构建进程树,最简单的办法是将各个 pid 按照 tgid 区分,成为一个新的结构;这些结构代表着进程、是进程树的节点,因而称为 tgidNode。在此过程中,我们也可以整理得到每个 tgid 的所有子代 tgid 编号。
506- 整理出来若干 tgidNode,从标记了 star 的 tgidNode 开始,采用广度优先遍历,得到整个进程树上的所有 tgidNode
507
508接着,进行**数据优化**:
509
510- 同一个 docker id 使用相同的 rootfs。在记录中,同一个 docker id 只有一个进程进行过 pivot_root,因而需要加以处理。
511- 同一个进程(tgid)的不同线程(pid)可能 ppid/parentTgid 不一样。原因为,在进程(pid==tgid)创建的时候,父进程一定还在;但过一会创建线程的时候,原父进程可能已死、该进程已经被 systemd 收容,所以记录的 ppid/parentTgid 不对。为解决该问题,需要检查每个 pid,如果存在该问题则进行修正,防止在按 pid 溯源时出错。
512- 部分 pid 可能并未收到对应的退出消息。为了部分地解决该问题,我们将进程退出时间(也就是 pid==tgid 的 pid 的退出时间)记录为没有 exit timestamp 的 pid 的退出时间。这样的补全是为了接下来在处理文件时使用。
513
514### 文件过滤
515
516众所周知,Linux 环境下,进程操作文件使用的是系统调用+文件描述符。
517
518在记录的时候,由于 Linux 下进程是通过 open 系统调用,传入文件名和权限,得到文件描述符,使用、关闭时都是操作文件描述符而非文件名,所以记录时应当把已经关闭的和尚未关闭的区分开来。写文件时,在已经打开但尚未关闭的文件里按照 pid+fd 查找,记录写入时间;关闭时,将记录从 fd 表删除,加上关闭时间后存储到关闭的文件里。
519
520但在整理时,二者都有写入记录,应该等同视之。将两张表的所有记录提取出来进行筛选,只保留 pid 在进程树上的那些文件记录;而后,对于尚未关闭的文件,查询 pid 退出时间,如有记录,则认为该文件在 pid 退出时才关闭。
521
522最后,将处理得到的 tgidNode 构成的进程树、筛选之后的文件,全部记录到数据库里。
523
524## 信息展示
525
526现在已经获取了进程树和文件修改的详细记录,展示即可。本项目目前是在过滤完成之后,直接由过滤模块将进程树、进程详细信息、文件修改记录全部打印到标准输出。
527
528# 编译与运行
529
530本项目的编译运行较为简单。
531
532在将本项目克隆下来后:
533
534```bash
535git submodule --init
536cd listener
537go build -o godo
538cd ../filter
539go build -o filter
540```
541
542编译完成后,将 godo 放置在宿主机上运行,**godo 必须以 root 权限运行**。有若干命令行参数,可以通过`sudo ./godo -h`查看。注意:
543
544- 指定参数使用等号,如`-diag`参数表示将内核原始 audit 消息输出到指定文件,使用时即`sudo ./godo -diag=1.txt`
545- 默认的数据库是本机的 mongodb,端口 27017;如要连接别的数据库,需要使用`-mongo`参数指定其链接,格式为`ip:port`。本处并未设置 mongodb 的用户名、密码,而是放开了权限直接登录。使用的数据库名为"test"。
546- backlog 大小默认为 1GB,最好只大不小。以字节为单位。
547- filter 放置在数据库所在的机器上,连接数据库。使用的数据库为 test,写入的数据库为 cooked。
548
549而filter程序则直接放置在**数据库所在机器上**,在需要回溯的时候,直接运行filter程序(数据库没有账号密码控制),会输出进程树、每个进程的参数,及最终受改变的文件列表。 \ No newline at end of file
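Review bot: the deployment notes at the end of the hunk ("本处并未设置 mongodb 的用户名、密码,而是放开了权限直接登录" and "数据库没有账号密码控制") leave the audit record, which is the forensic evidence this project exists to keep, writable by anyone who can reach port 27017, so the trace can be altered or wiped before `filter` ever reads it back; the README should require MongoDB authentication, have `godo` and `filter` take credentials from the environment rather than only the `-mongo=ip:port` flag, and state that the listener account should be write-only for `test` while only `filter` writes `cooked`. Three smaller problems in the same hunk: the build step `git submodule --init` is not a valid git command and should read `git submodule update --init`; the first filtering step "将相同 pid 的多条记录合并为一条" merges purely by pid, but the kernel recycles pids, so on a long trace two unrelated processes will be folded together unless the merge key also includes the fork timestamp (or the audit serial) that the listener already records; and rooting the tree only at `/usr/bin/dockerd` (the `star=true` mark) will miss container processes on a containerd-based Docker install, where the container init is spawned by containerd-shim under containerd rather than under dockerd, so the daemon path should be configurable and containerd should be markable as an additional root.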