aboutsummaryrefslogtreecommitdiffstats
path: root/listener
diff options
context:
space:
mode:
Diffstat (limited to 'listener')
-rw-r--r--listener/godo.go11
1 files changed, 7 insertions, 4 deletions
diff --git a/listener/godo.go b/listener/godo.go
index efe9585..87e9446 100644
--- a/listener/godo.go
+++ b/listener/godo.go
@@ -24,6 +24,8 @@ var (
24 receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+") 24 receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
25) 25)
26 26
27const bufferPages = 100
28
27func main() { 29func main() {
28 // 检查用户身份,并添加auditd规则,监听所有syscall 30 // 检查用户身份,并添加auditd规则,监听所有syscall
29 if os.Geteuid() != 0 { 31 if os.Geteuid() != 0 {
@@ -44,7 +46,7 @@ func main() {
44 var auditCmd *exec.Cmd 46 var auditCmd *exec.Cmd
45 47
46 pidSyscall := []string{"execve", "pivot_root"} 48 pidSyscall := []string{"execve", "pivot_root"}
47 // // 设置监听规则 49 // 设置监听规则
48 for i := 0; i < len(pidSyscall); i++ { 50 for i := 0; i < len(pidSyscall); i++ {
49 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) 51 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i])
50 auditCmd.Run() 52 auditCmd.Run()
@@ -77,8 +79,9 @@ func main() {
77 79
78func coroutine(client *libaudit.AuditClient) { 80func coroutine(client *libaudit.AuditClient) {
79 // 各协程至此开始 81 // 各协程至此开始
80 rawChan = make(chan interface{}, 65536) 82 bufferSize := bufferPages * syscall.Getpagesize()
81 cookedChan = make(chan Event, 65536) 83 rawChan = make(chan interface{}, bufferSize)
84 cookedChan = make(chan Event, bufferSize)
82 85
83 wg.Add(1) 86 wg.Add(1)
84 go procWatch() 87 go procWatch()
@@ -102,7 +105,7 @@ func procWatch() error {
102 } 105 }
103 defer ns.Close() 106 defer ns.Close()
104 for { 107 for {
105 res, err := ns.Receive(20) 108 res, err := ns.Receive(bufferPages)
106 if err != nil { 109 if err != nil {
107 fmt.Fprintf(os.Stderr, "Error recv: %v\n", err) 110 fmt.Fprintf(os.Stderr, "Error recv: %v\n", err)
108 continue 111 continue