1 files changed, 213 insertions, 0 deletions
diff --git a/godo.go b/godo.go
new file mode 100644
index 0000000..6b6f48f
--- /dev/null
+++ b/godo.go
@@ -0,0 +1,213 @@
+package main
+import (
+        "bufio"
+        "flag"
+        "fmt"
+        "io"
+        "log"
+        "os"
+        "os/exec"
+        "path/filepath"
+        "strconv"
+        "strings"
+        "sync"
+        "github.com/elastic/go-libaudit/v2"
+        "github.com/elastic/go-libaudit/v2/auparse"
+)
+var (
+        fs          = flag.NewFlagSet("audit", flag.ExitOnError)
+        diag        = fs.String("diag", "", "dump raw information from kernel to file")
+        rate        = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
+        backlog     = fs.Uint("backlog", 8192, "backlog limit")
+        immutable   = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
+        receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
+)
+type process struct {
+        cmdline  string
+        rootfs   string
+        children []int
+}
+var pids map[int]*process     //古希腊掌管进程的神
+var containers map[string]int // 古希腊掌管容器的神
+var wg sync.WaitGroup         // 掌管协程
+func main() {
+        // 检查用户身份，并添加auditd规则，监听所有syscall
+        if os.Geteuid() != 0 {
+                fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid())
+                return
+        }
+        syscall := [5]string{"fork", "vfork", "execve", "exit", "exit_group"}
+        var auditCmd *exec.Cmd
+        auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
+        auditCmd.Run()
+        // 设置监听规则
+        for i := 0; i < 5; i++ {
+                auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall[i])
+                auditCmd.Run()
+        }
+        // 查找pid
+        containerdPid, err := getPid()
+        if err != nil {
+                fmt.Printf("Error finding containerd: %v\n", err)
+                return
+        }
+        pids = make(map[int]*process)
+        containers = make(map[string]int)
+        pids[containerdPid] = &process{cmdline: "/usr/bin/cmdline", rootfs: "/", children: make([]int, 0)}
+        // 开始运行，解析命令行参数后监听
+        if err := fs.Parse(os.Args[1:]); err != nil {
+                log.Fatal(err)
+        }
+        if err := read(); err != nil {
+                log.Fatalf("error: %v", err)
+        }
+}
+func getPid() (int, error) {
+        // 指定要搜索的关键词
+        keyword := "/usr/bin/containerd"
+        // 获取/proc目录下的所有子目录
+        procDir, err := filepath.Glob("/proc/*")
+        if err != nil {
+                return 0, err
+        }
+        // 遍历子目录，查找包含关键词的进程
+        for _, dir := range procDir {
+                pid, err := strconv.Atoi(filepath.Base(dir))
+                if err != nil {
+                        continue // 跳过非PID的目录
+                }
+                // 检查进程是否包含关键词
+                if containsKeyword(pid, keyword) {
+                        return pid, nil
+                }
+        }
+        err = fmt.Errorf("Error: no containerd process found.\n")
+        return 0, err
+}
+func containsKeyword(pid int, keyword string) bool {
+        // 构造完整的进程命令路径
+        cmdPath := fmt.Sprintf("/proc/%d/cmdline", pid)
+        // 打开文件
+        file, err := os.Open(cmdPath)
+        if err != nil {
+                return false
+        }
+        defer file.Close()
+        // 读取文件内容
+        scanner := bufio.NewScanner(file)
+        scanner.Split(bufio.ScanLines)
+        for scanner.Scan() {
+                line := scanner.Text()
+                if strings.Contains(line, keyword) {
+                        return true
+                }
+        }
+        return false
+}
+func read() error {
+        // Write netlink response to a file for further analysis or for writing
+        // tests cases.
+        var diagWriter io.Writer
+        if *diag != "" {
+                f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+                if err != nil {
+                        return err
+                }
+                defer f.Close()
+                diagWriter = f
+        }
+        log.Println("starting netlink client")
+        var err error
+        var client *libaudit.AuditClient
+        if *receiveOnly {
+                client, err = libaudit.NewMulticastAuditClient(diagWriter)
+                if err != nil {
+                        return fmt.Errorf("failed to create receive-only audit client: %w", err)
+                }
+                defer client.Close()
+        } else {
+                client, err = libaudit.NewAuditClient(diagWriter)
+                if err != nil {
+                        return fmt.Errorf("failed to create audit client: %w", err)
+                }
+                defer client.Close()
+                status, err := client.GetStatus()
+                if err != nil {
+                        return fmt.Errorf("failed to get audit status: %w", err)
+                }
+                log.Printf("received audit status=%+v", status)
+                if status.Enabled == 0 {
+                        log.Println("enabling auditing in the kernel")
+                        if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
+                                return fmt.Errorf("failed to set enabled=true: %w", err)
+                        }
+                }
+                if status.RateLimit != uint32(*rate) {
+                        log.Printf("setting rate limit in kernel to %v", *rate)
+                        if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
+                                return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
+                        }
+                }
+                if status.BacklogLimit != uint32(*backlog) {
+                        log.Printf("setting backlog limit in kernel to %v", *backlog)
+                        if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
+                                return fmt.Errorf("failed to set backlog limit: %w", err)
+                        }
+                }
+                if status.Enabled != 2 && *immutable {
+                        log.Printf("setting kernel settings as immutable")
+                        if err = client.SetImmutable(libaudit.NoWait); err != nil {
+                                return fmt.Errorf("failed to set kernel as immutable: %w", err)
+                        }
+                }
+                log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
+                if err = client.SetPID(libaudit.NoWait); err != nil {
+                        return fmt.Errorf("failed to set audit PID: %w", err)
+                }
+        }
+        return receive(client)
+}
+func receive(r *libaudit.AuditClient) error {
+        for {
+                rawEvent, err := r.Receive(false)
+                if err != nil {
+                        return fmt.Errorf("receive failed: %w", err)
+                }
+                // Messages from 1300-2999 are valid audit messages.
+                if rawEvent.Type < auparse.AUDIT_USER_AUTH ||
+                        rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
+                        continue
+                }
+                fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
+        }
+}

diff --git a/godo.go b/godo.go new file mode 100644 index 0000000..6b6f48f --- /dev/null +++ b/godo.go
@@ -0,0 +1,213 @@
	1	package main
	2
	3	import (
	4	"bufio"
	5	"flag"
	6	"fmt"
	7	"io"
	8	"log"
	9	"os"
	10	"os/exec"
	11	"path/filepath"
	12	"strconv"
	13	"strings"
	14	"sync"
	15
	16	"github.com/elastic/go-libaudit/v2"
	17	"github.com/elastic/go-libaudit/v2/auparse"
	18	)
	19
	20	var (
	21	fs = flag.NewFlagSet("audit", flag.ExitOnError)
	22	diag = fs.String("diag", "", "dump raw information from kernel to file")
	23	rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
	24	backlog = fs.Uint("backlog", 8192, "backlog limit")
	25	immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
	26	receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
	27	)
	28
	29	type process struct {
	30	cmdline string
	31	rootfs string
	32	children []int
	33	}
	34
	35	var pids map[int]*process //古希腊掌管进程的神
	36	var containers map[string]int // 古希腊掌管容器的神
	37	var wg sync.WaitGroup // 掌管协程
	38
	39	func main() {
	40	// 检查用户身份，并添加auditd规则，监听所有syscall
	41	if os.Geteuid() != 0 {
	42	fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid())
	43	return
	44	}
	45	syscall := [5]string{"fork", "vfork", "execve", "exit", "exit_group"}
	46	var auditCmd *exec.Cmd
	47	auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
	48	auditCmd.Run()
	49	// 设置监听规则
	50	for i := 0; i < 5; i++ {
	51	auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall[i])
	52	auditCmd.Run()
	53	}
	54
	55	// 查找pid
	56	containerdPid, err := getPid()
	57	if err != nil {
	58	fmt.Printf("Error finding containerd: %v\n", err)
	59	return
	60	}
	61
	62	pids = make(map[int]*process)
	63	containers = make(map[string]int)
	64	pids[containerdPid] = &process{cmdline: "/usr/bin/cmdline", rootfs: "/", children: make([]int, 0)}
	65
	66	// 开始运行，解析命令行参数后监听
	67	if err := fs.Parse(os.Args[1:]); err != nil {
	68	log.Fatal(err)
	69	}
	70
	71	if err := read(); err != nil {
	72	log.Fatalf("error: %v", err)
	73	}
	74	}
	75
	76	func getPid() (int, error) {
	77	// 指定要搜索的关键词
	78	keyword := "/usr/bin/containerd"
	79
	80	// 获取/proc目录下的所有子目录
	81	procDir, err := filepath.Glob("/proc/*")
	82	if err != nil {
	83	return 0, err
	84	}
	85
	86	// 遍历子目录，查找包含关键词的进程
	87	for _, dir := range procDir {
	88	pid, err := strconv.Atoi(filepath.Base(dir))
	89	if err != nil {
	90	continue // 跳过非PID的目录
	91	}
	92
	93	// 检查进程是否包含关键词
	94	if containsKeyword(pid, keyword) {
	95	return pid, nil
	96	}
	97	}
	98	err = fmt.Errorf("Error: no containerd process found.\n")
	99	return 0, err
	100	}
	101
	102	func containsKeyword(pid int, keyword string) bool {
	103	// 构造完整的进程命令路径
	104	cmdPath := fmt.Sprintf("/proc/%d/cmdline", pid)
	105
	106	// 打开文件
	107	file, err := os.Open(cmdPath)
	108	if err != nil {
	109	return false
	110	}
	111	defer file.Close()
	112
	113	// 读取文件内容
	114	scanner := bufio.NewScanner(file)
	115	scanner.Split(bufio.ScanLines)
	116	for scanner.Scan() {
	117	line := scanner.Text()
	118	if strings.Contains(line, keyword) {
	119	return true
	120	}
	121	}
	122	return false
	123	}
	124
	125	func read() error {
	126	// Write netlink response to a file for further analysis or for writing
	127	// tests cases.
	128	var diagWriter io.Writer
	129	if *diag != "" {
	130	f, err := os.OpenFile(*diag, os.O_CREATE\|os.O_RDWR\|os.O_TRUNC, 0o600)
	131	if err != nil {
	132	return err
	133	}
	134	defer f.Close()
	135	diagWriter = f
	136	}
	137
	138	log.Println("starting netlink client")
	139
	140	var err error
	141	var client *libaudit.AuditClient
	142	if *receiveOnly {
	143	client, err = libaudit.NewMulticastAuditClient(diagWriter)
	144	if err != nil {
	145	return fmt.Errorf("failed to create receive-only audit client: %w", err)
	146	}
	147	defer client.Close()
	148	} else {
	149	client, err = libaudit.NewAuditClient(diagWriter)
	150	if err != nil {
	151	return fmt.Errorf("failed to create audit client: %w", err)
	152	}
	153	defer client.Close()
	154
	155	status, err := client.GetStatus()
	156	if err != nil {
	157	return fmt.Errorf("failed to get audit status: %w", err)
	158	}
	159	log.Printf("received audit status=%+v", status)
	160
	161	if status.Enabled == 0 {
	162	log.Println("enabling auditing in the kernel")
	163	if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
	164	return fmt.Errorf("failed to set enabled=true: %w", err)
	165	}
	166	}
	167
	168	if status.RateLimit != uint32(*rate) {
	169	log.Printf("setting rate limit in kernel to %v", *rate)
	170	if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
	171	return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
	172	}
	173	}
	174
	175	if status.BacklogLimit != uint32(*backlog) {
	176	log.Printf("setting backlog limit in kernel to %v", *backlog)
	177	if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
	178	return fmt.Errorf("failed to set backlog limit: %w", err)
	179	}
	180	}
	181
	182	if status.Enabled != 2 && *immutable {
	183	log.Printf("setting kernel settings as immutable")
	184	if err = client.SetImmutable(libaudit.NoWait); err != nil {
	185	return fmt.Errorf("failed to set kernel as immutable: %w", err)
	186	}
	187	}
	188
	189	log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
	190	if err = client.SetPID(libaudit.NoWait); err != nil {
	191	return fmt.Errorf("failed to set audit PID: %w", err)
	192	}
	193	}
	194
	195	return receive(client)
	196	}
	197
	198	func receive(r *libaudit.AuditClient) error {
	199	for {
	200	rawEvent, err := r.Receive(false)
	201	if err != nil {
	202	return fmt.Errorf("receive failed: %w", err)
	203	}
	204
	205	// Messages from 1300-2999 are valid audit messages.
	206	if rawEvent.Type < auparse.AUDIT_USER_AUTH \|\|
	207	rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
	208	continue
	209	}
	210
	211	fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
	212	}
	213	}