diff options
Diffstat (limited to '')
| -rw-r--r-- | listener/organize.go (renamed from src/organize.go) | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/src/organize.go b/listener/organize.go index 293371b..0c05eb4 100644 --- a/src/organize.go +++ b/listener/organize.go | |||
| @@ -23,14 +23,12 @@ var event Event | |||
| 23 | var pEvent *Event | 23 | var pEvent *Event |
| 24 | var eventId, argc int | 24 | var eventId, argc int |
| 25 | 25 | ||
| 26 | // var errs [6]error | ||
| 27 | |||
| 28 | // 要用的正则匹配列表 | 26 | // 要用的正则匹配列表 |
| 29 | var ( | 27 | var ( |
| 30 | syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`) | 28 | syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`) |
| 31 | execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) | 29 | execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) |
| 32 | argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) | 30 | argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) |
| 33 | pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`) | 31 | pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)" .*objtype=([A-Z]+) `) |
| 34 | cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) | 32 | cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) |
| 35 | proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) | 33 | proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) |
| 36 | eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) | 34 | eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) |
| @@ -112,12 +110,12 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 112 | tag: EXECVE, | 110 | tag: EXECVE, |
| 113 | timestamp: event.timestamp, | 111 | timestamp: event.timestamp, |
| 114 | syscall: event.syscall, | 112 | syscall: event.syscall, |
| 115 | exit_code: a[0], | 113 | // exit_code: a[0], // 为啥这么写? |
| 116 | ppid: event.ppid, | 114 | ppid: event.ppid, |
| 117 | pid: event.pid, | 115 | pid: event.pid, |
| 118 | argc: 0, | 116 | argc: 0, |
| 119 | argv: make([]string, 0), | 117 | argv: make([]string, 0), |
| 120 | cwd: "", | 118 | cwd: "", |
| 121 | }) | 119 | }) |
| 122 | case "open": | 120 | case "open": |
| 123 | // 检查打开的权限 | 121 | // 检查打开的权限 |
| @@ -129,7 +127,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 129 | tag: FILEOPEN, | 127 | tag: FILEOPEN, |
| 130 | timestamp: event.timestamp, | 128 | timestamp: event.timestamp, |
| 131 | syscall: event.syscall, | 129 | syscall: event.syscall, |
| 132 | exit_code: uint64(exit), | 130 | exit_code: exit, |
| 133 | ppid: event.ppid, | 131 | ppid: event.ppid, |
| 134 | pid: event.pid, | 132 | pid: event.pid, |
| 135 | argc: 0, | 133 | argc: 0, |
| @@ -143,7 +141,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 143 | tag: FILEWRITE, | 141 | tag: FILEWRITE, |
| 144 | timestamp: event.timestamp, | 142 | timestamp: event.timestamp, |
| 145 | syscall: event.syscall, | 143 | syscall: event.syscall, |
| 146 | exit_code: uint64(exit), | 144 | exit_code: exit, |
| 147 | ppid: event.ppid, | 145 | ppid: event.ppid, |
| 148 | pid: event.pid, | 146 | pid: event.pid, |
| 149 | argc: 0, | 147 | argc: 0, |
| @@ -157,7 +155,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
| 157 | tag: FILECLOSE, | 155 | tag: FILECLOSE, |
| 158 | timestamp: event.timestamp, | 156 | timestamp: event.timestamp, |
| 159 | syscall: event.syscall, | 157 | syscall: event.syscall, |
| 160 | exit_code: uint64(exit), | 158 | exit_code: exit, |
| 161 | ppid: event.ppid, | 159 | ppid: event.ppid, |
| 162 | pid: event.pid, | 160 | pid: event.pid, |
| 163 | argc: 0, | 161 | argc: 0, |
| @@ -271,6 +269,7 @@ func path(rawEvent libaudit.RawAuditMessage) { | |||
| 271 | eventId, _ = strconv.Atoi(string(match[1])) | 269 | eventId, _ = strconv.Atoi(string(match[1])) |
| 272 | // item, _ := strconv.Atoi(string(match[2])) | 270 | // item, _ := strconv.Atoi(string(match[2])) |
| 273 | name := string(match[3]) | 271 | name := string(match[3]) |
| 272 | objtype := string(match[4]) | ||
| 274 | 273 | ||
| 275 | tmp, ok = eventTable.Load(eventId) | 274 | tmp, ok = eventTable.Load(eventId) |
| 276 | if !ok { | 275 | if !ok { |
| @@ -278,14 +277,15 @@ func path(rawEvent libaudit.RawAuditMessage) { | |||
| 278 | } | 277 | } |
| 279 | pEvent = tmp.(*Event) | 278 | pEvent = tmp.(*Event) |
| 280 | 279 | ||
| 281 | // 先看看是不是文件操作 | 280 | // 先看看是不是文件操作,再看是不是所在目录 |
| 282 | if pEvent.tag != FILEOPEN { | 281 | if pEvent.tag != FILEOPEN || objtype == "PARENT" { |
| 283 | return | 282 | return |
| 284 | } | 283 | } |
| 285 | 284 | ||
| 286 | if name[0] == '/' { | 285 | if pEvent.cwd == "/" || name[0] == '/' { |
| 287 | pEvent.srcPath = name | 286 | pEvent.srcPath = name |
| 288 | } else { | 287 | } else { |
| 289 | pEvent.srcPath += "/" + name | 288 | pEvent.srcPath = pEvent.cwd + "/" + name |
| 290 | } | 289 | } |
| 290 | // ATTENTION: 这里需要做路径简化,留给过滤清洗流程吧 | ||
| 291 | } | 291 | } |