Diffstat (limited to 'src/organize.go')
-rw-r--r--src/organize.go59
1 files changed, 37 insertions, 22 deletions
diff --git a/src/organize.go b/src/organize.go
index 2489961..1b064c1 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -95,7 +95,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
95 } 95 }
96 argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) 96 argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
97 for i := 0; i < 4; i++ { 97 for i := 0; i < 4; i++ {
98 a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][2]), 16, 64) 98 a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)
99 } 99 }
100 100
101 switch syscallTable[event.syscall] { 101 switch syscallTable[event.syscall] {
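Review bot: The loop at line 97 indexes `argsMatch[i]` for i in 0..3 without checking how many matches the regex actually produced, so an audit record with fewer than four argument fields (or one the regex does not match) panics the collector with an index out of range; the change from `[2]` to `[3]` also presumes the regex now has at least three capture groups, which is not visible in this hunk. A guard such as `if len(argsMatch) < 4 { return }` before the loop keeps one malformed record from taking the whole monitor down. The parse error is also written to the same `errs[0]` slot on every iteration, so only the last argument's error survives, and nothing in the hunk checks it. `syscallRaw`'s body starts and ends outside this hunk.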
@@ -117,25 +117,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
117 cwd: "", 117 cwd: "",
118 }) 118 })
119 } 119 }
120 case "open":
121 // 检查打开的权限
122 if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 {
123 break
124 }
125 // TRUNC应该被直接标记为改变,而不是打开
126 eventTable.Store(eventId, &Event{
127 tag: FILEOPEN,
128 timestamp: event.timestamp,
129 syscall: event.syscall,
130 exit_code: uint64(exit),
131 ppid: event.ppid,
132 pid: event.pid,
133 argc: 0,
134 argv: make([]string, 0),
135 cwd: "",
136 syscallParam: a,
137 pathName: "",
138 })
139 case "execve": 120 case "execve":
140 eventTable.Store(eventId, &Event{ 121 eventTable.Store(eventId, &Event{
141 tag: EXECVE, 122 tag: EXECVE,
@@ -160,6 +141,40 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
160 argv: make([]string, 0), 141 argv: make([]string, 0),
161 cwd: "", 142 cwd: "",
162 }) 143 })
144 case "open":
145 // 检查打开的权限
146 if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 {
147 break
148 }
149 // TRUNC应该被直接标记为改变,而不是打开
150 eventTable.Store(eventId, &Event{
151 tag: FILEOPEN,
152 timestamp: event.timestamp,
153 syscall: event.syscall,
154 exit_code: uint64(exit),
155 ppid: event.ppid,
156 pid: event.pid,
157 argc: 0,
158 argv: make([]string, 0),
159 cwd: "",
160 syscallParam: a,
161 pathName: "",
162 })
163 case "close":
164 // 文件关闭
165 eventTable.Store(eventId, &Event{
166 tag: FILECLOSE,
167 timestamp: event.timestamp,
168 syscall: event.syscall,
169 exit_code: uint64(exit),
170 ppid: event.ppid,
171 pid: event.pid,
172 argc: 0,
173 argv: make([]string, 0),
174 cwd: "",
175 syscallParam: a,
176 // pathName: "",
177 })
163 } 178 }
164} 179}
165 180
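Review bot: The `open` case at line 144 keys only on the `open` syscall, so opens that reach the kernel as `openat` (which is how current glibc implements `open()`), `openat2` or `creat` are never tagged FILEOPEN, and a monitor meant to catch file writes would miss most of them; for `openat` the flags sit in `a[2]`, not `a[1]`. The mask at line 146 also omits `syscall.O_CREAT`, so `O_RDONLY|O_CREAT`, which still creates the file, is dropped by the `break`. Neither new case looks at `exit`, so a failed open (presumably a negative errno, wrapped by `uint64(exit)`) is stored exactly like a successful one, and `close` is recorded for every descriptor, including sockets and pipes, not only files this table saw opened. The Chinese comments should be in English, and the one at line 149 is an open TODO rather than a description of the code, e.g. `// TODO: O_TRUNC should be tagged as a modification, not an open`. `syscallRaw`'s body starts and ends outside this hunk.
```go
	case "open", "openat":
		// openat(dirfd, path, flags, mode) carries the flags one argument later than open().
		flags := a[1]
		if syscallTable[event.syscall] == "openat" {
			flags = a[2]
		}
		// O_CREAT is included because O_RDONLY|O_CREAT still creates the file.
		if flags&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC|syscall.O_CREAT) == 0 {
			break
		}
		// … unchanged: eventTable.Store(eventId, &Event{tag: FILEOPEN, …}) …
```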
@@ -244,7 +259,7 @@ func eoe(rawEvent libaudit.RawAuditMessage) {
244 } 259 }
245 cooked := *(tmp.(*Event)) 260 cooked := *(tmp.(*Event))
246 cookedChan <- cooked 261 cookedChan <- cooked
247 fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid) 262 // fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
248 eventTable.Delete(eventId) // 死人别占地 263 eventTable.Delete(eventId) // 死人别占地
249} 264}
250 265
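Review bot: Line 262 leaves the trace as commented-out code instead of removing it; if the output is still wanted during development, gate it behind a debug flag or a log level, e.g. `if debug { log.Printf("Send: %10d\t%v\t%7d\t%7d", eventId, cooked.tag, cooked.ppid, cooked.pid) }`, so it is not toggled by editing comments in later commits. The Chinese comment on the `Delete` at line 263 should also be English and say what it guards against: `// drop the finished event so eventTable does not grow without bound`. `eoe`'s body starts outside this hunk.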
@@ -267,7 +282,7 @@ func path(rawEvent libaudit.RawAuditMessage) {
267 return 282 return
268 } 283 }
269 284
270 if pEvent.pathName == "" { 285 if name[0] == '/' {
271 pEvent.pathName = name 286 pEvent.pathName = name
272 } else { 287 } else {
273 pEvent.pathName += "/" + name 288 pEvent.pathName += "/" + name
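Review bot: The new condition at line 285 reads `name[0]` without checking that `name` is non-empty, so a PATH record with an empty name panics the collector with an index out of range, a hazard the old `pathName == ""` test did not have. The replacement also changes what relative names produce: while `pathName` is still empty the else branch yields `"/" + name`, so a relative name is recorded as an absolute path under `/`. Joining with `filepath.Join` keeps a relative name relative and also collapses `..` and doubled separators, which matters if `pathName` is later matched against rules, since an `a/../b` spelling would otherwise slip past an exact match; this needs `path/filepath` imported. `path`'s body starts outside this hunk.
```go
	if name == "" {
		return // nothing usable in this PATH record
	}
	if name[0] == '/' {
		pEvent.pathName = name
	} else {
		// Join keeps a relative name relative when pathName is still empty and cleans ".." segments.
		pEvent.pathName = filepath.Join(pEvent.pathName, name)
	}
```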