diff options
Diffstat (limited to 'src/godo.go')
| -rw-r--r-- | src/godo.go | 21 |
1 files changed, 9 insertions, 12 deletions
diff --git a/src/godo.go b/src/godo.go index 2ba32d6..77e677c 100644 --- a/src/godo.go +++ b/src/godo.go | |||
| @@ -44,7 +44,6 @@ func main() { | |||
| 44 | var auditCmd *exec.Cmd | 44 | var auditCmd *exec.Cmd |
| 45 | 45 | ||
| 46 | pidSyscall := []string{"execve"} | 46 | pidSyscall := []string{"execve"} |
| 47 | // pidSyscall := []string{"fork", "vfork", "clone", "execve", "exit", "exit_group"} | ||
| 48 | // 设置监听规则 | 47 | // 设置监听规则 |
| 49 | for i := 0; i < len(pidSyscall); i++ { | 48 | for i := 0; i < len(pidSyscall); i++ { |
| 50 | auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) | 49 | auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) |
| @@ -52,7 +51,7 @@ func main() { | |||
| 52 | } | 51 | } |
| 53 | 52 | ||
| 54 | // 监听文件的消息 | 53 | // 监听文件的消息 |
| 55 | fileSyscall := []string{"open"} | 54 | fileSyscall := []string{"open", "write", "close"} |
| 56 | // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"} | 55 | // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"} |
| 57 | for i := 0; i < len(fileSyscall); i++ { | 56 | for i := 0; i < len(fileSyscall); i++ { |
| 58 | auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i]) | 57 | auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i]) |
| @@ -118,16 +117,14 @@ func procWatch() error { | |||
| 118 | case netlink.PROC_EVENT_FORK: | 117 | case netlink.PROC_EVENT_FORK: |
| 119 | data := procEvent.Data.(netlink.ProcEventFork) | 118 | data := procEvent.Data.(netlink.ProcEventFork) |
| 120 | cooked := Event{ | 119 | cooked := Event{ |
| 121 | tag: NEWPID, | 120 | tag: NEWPID, |
| 122 | ppid: int(data.ParentTgid), | 121 | timestamp: time.Now(), |
| 123 | pid: int(data.ChildPid), | 122 | pid: int(data.ChildPid), |
| 124 | timestamp: time.Now(), | 123 | tgid: int(data.ChildTgid), |
| 124 | ppid: int(data.ParentPid), | ||
| 125 | parentTgid: int(data.ParentTgid), | ||
| 125 | } | 126 | } |
| 126 | checkProc(&cooked) | 127 | checkProc(&cooked) |
| 127 | if data.ChildPid != data.ChildTgid { | ||
| 128 | cooked.ppid = int(data.ChildTgid) | ||
| 129 | cooked.pid = int(data.ChildPid) | ||
| 130 | } | ||
| 131 | cookedChan <- cooked | 128 | cookedChan <- cooked |
| 132 | case netlink.PROC_EVENT_EXIT: | 129 | case netlink.PROC_EVENT_EXIT: |
| 133 | data := procEvent.Data.(netlink.ProcEventExit) | 130 | data := procEvent.Data.(netlink.ProcEventExit) |
| @@ -146,7 +143,7 @@ func procWatch() error { | |||
| 146 | } | 143 | } |
| 147 | 144 | ||
| 148 | func checkProc(pCooked *Event) { | 145 | func checkProc(pCooked *Event) { |
| 149 | fileName := fmt.Sprintf("/proc/%d/cmdline", pCooked.pid) | 146 | fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid) |
| 150 | fd, err := os.Open(fileName) | 147 | fd, err := os.Open(fileName) |
| 151 | if err != nil { | 148 | if err != nil { |
| 152 | fmt.Printf("Err: %v\n", err) | 149 | fmt.Printf("Err: %v\n", err) |
| @@ -162,7 +159,7 @@ func checkProc(pCooked *Event) { | |||
| 162 | pCooked.argc = len(pCooked.argv) | 159 | pCooked.argc = len(pCooked.argv) |
| 163 | fd.Close() | 160 | fd.Close() |
| 164 | 161 | ||
| 165 | fileName = fmt.Sprintf("/proc/%d/cwd", pCooked.pid) | 162 | fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid) |
| 166 | pCooked.cwd, err = os.Readlink(fileName) | 163 | pCooked.cwd, err = os.Readlink(fileName) |
| 167 | if err != nil { | 164 | if err != nil { |
| 168 | fmt.Printf("Err readlink %s: %v\n", fileName, err) | 165 | fmt.Printf("Err readlink %s: %v\n", fileName, err) |