path: root/src/organize.go
Diffstat (limited to 'src/organize.go')
-rw-r--r--src/organize.go31
1 files changed, 0 insertions, 31 deletions
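--- a/src/organize.go
+++ b/src/organize.go
@@ -47,7 +47,6 @@ func orgnaze() {
 			break
 		}
 		rawEvent = raw.(libaudit.RawAuditMessage)
-		fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
 
 		switch rawEvent.Type {
 		case auparse.AUDIT_SYSCALL:
@@ -100,24 +99,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
 	}
 
 	switch syscallTable[event.syscall] {
-	case "clone":
-		if exit == 0 || event.pid > exit {
-			// exit=0是给新进程的返回,没用
-			// pid>exit,证明有问题,抛弃
-			break
-		} else {
-			eventTable.Store(eventId, &Event{
-				tag: NEWPID,
-				timestamp: event.timestamp,
-				syscall: event.syscall,
-				exit_code: 0,
-				ppid: event.pid,
-				pid: exit,
-				argc: 0,
-				argv: make([]string, 0),
-				cwd: "",
-			})
-		}
 	case "execve":
 		eventTable.Store(eventId, &Event{
 			tag: EXECVE,
@@ -130,18 +111,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
 			argv: make([]string, 0),
 			cwd: "",
 		})
-	case "exit", "exit_group":
-		eventTable.Store(eventId, &Event{
-			tag: PIDEXIT,
-			timestamp: event.timestamp,
-			syscall: event.syscall,
-			exit_code: a[0],
-			ppid: event.ppid,
-			pid: event.pid,
-			argc: 0,
-			argv: make([]string, 0),
-			cwd: "",
-		})
 	case "open":
 		// 检查打开的权限
 		if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 {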