diff options
Diffstat (limited to 'src/organize.go')
| -rw-r--r-- | src/organize.go | 54 |
1 files changed, 35 insertions, 19 deletions
diff --git a/src/organize.go b/src/organize.go index 025d8c0..bb6736a 100644 --- a/src/organize.go +++ b/src/organize.go | |||
| @@ -23,7 +23,7 @@ func orgnaze() { | |||
| 23 | // 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的 | 23 | // 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的 |
| 24 | eventTable := make(map[int]*Event) | 24 | eventTable := make(map[int]*Event) |
| 25 | // 要用的正则匹配列表 | 25 | // 要用的正则匹配列表 |
| 26 | syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?ppid=(\d+) pid=(\d+).*?$`) | 26 | syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?(exit=([-+]?\d+).*?)?ppid=(\d+) pid=(\d+).*?$`) |
| 27 | execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) | 27 | execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) |
| 28 | argsRegex := regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) | 28 | argsRegex := regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) |
| 29 | cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) | 29 | cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) |
| @@ -36,14 +36,6 @@ func orgnaze() { | |||
| 36 | } | 36 | } |
| 37 | rawEvent = raw.(libaudit.RawAuditMessage) | 37 | rawEvent = raw.(libaudit.RawAuditMessage) |
| 38 | 38 | ||
| 39 | // type Event struct { | ||
| 40 | // timestamp time.Time | ||
| 41 | // pid, ppid int | ||
| 42 | // syscall int | ||
| 43 | // argc int | ||
| 44 | // args []string | ||
| 45 | // cwd string | ||
| 46 | // } | ||
| 47 | switch rawEvent.Type { | 39 | switch rawEvent.Type { |
| 48 | case auparse.AUDIT_SYSCALL: | 40 | case auparse.AUDIT_SYSCALL: |
| 49 | if syscallRegex.Match(rawEvent.Data) { | 41 | if syscallRegex.Match(rawEvent.Data) { |
| @@ -51,16 +43,40 @@ func orgnaze() { | |||
| 51 | event.timestamp, err[0] = getTimeFromStr(string(match[1])) | 43 | event.timestamp, err[0] = getTimeFromStr(string(match[1])) |
| 52 | eventId, err[1] = strconv.Atoi(string(match[2])) | 44 | eventId, err[1] = strconv.Atoi(string(match[2])) |
| 53 | event.syscall, err[2] = strconv.Atoi(string(match[3])) | 45 | event.syscall, err[2] = strconv.Atoi(string(match[3])) |
| 54 | event.ppid, err[3] = strconv.Atoi(string(match[4])) | 46 | var exit int |
| 55 | event.pid, err[4] = strconv.Atoi(string(match[5])) | 47 | // exit, err[3] = strconv.Atoi(string(match[4])) |
| 56 | eventTable[eventId] = &Event{ | 48 | if string(match[5]) == "" { |
| 57 | timestamp: event.timestamp, | 49 | // exit没捕获到 |
| 58 | syscall: event.syscall, | 50 | exit = 0 |
| 59 | ppid: event.ppid, | 51 | } else { |
| 60 | pid: event.pid, | 52 | exit, err[3] = strconv.Atoi(string(match[5])) |
| 61 | argc: 0, | 53 | } |
| 62 | argv: make([]string, 0), | 54 | event.ppid, err[4] = strconv.Atoi(string(match[5])) |
| 63 | cwd: "", | 55 | event.pid, err[5] = strconv.Atoi(string(match[6])) |
| 56 | if syscallTable[event.syscall] == "clone" { | ||
| 57 | if exit == 0 { | ||
| 58 | break | ||
| 59 | } else { | ||
| 60 | eventTable[eventId] = &Event{ | ||
| 61 | timestamp: event.timestamp, | ||
| 62 | syscall: event.syscall, | ||
| 63 | ppid: event.pid, | ||
| 64 | pid: exit, | ||
| 65 | argc: 0, | ||
| 66 | argv: make([]string, 0), | ||
| 67 | cwd: "", | ||
| 68 | } | ||
| 69 | } | ||
| 70 | } else { | ||
| 71 | eventTable[eventId] = &Event{ | ||
| 72 | timestamp: event.timestamp, | ||
| 73 | syscall: event.syscall, | ||
| 74 | ppid: event.ppid, | ||
| 75 | pid: event.pid, | ||
| 76 | argc: 0, | ||
| 77 | argv: make([]string, 0), | ||
| 78 | cwd: "", | ||
| 79 | } | ||
| 64 | } | 80 | } |
| 65 | } | 81 | } |
| 66 | case auparse.AUDIT_EXECVE: | 82 | case auparse.AUDIT_EXECVE: |