1 files changed, 49 insertions, 32 deletions
diff --git a/src/organize.go b/src/organize.go
index 12119ad..293371b 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -2,6 +2,7 @@ package main
 import (
        "fmt"
+        "os"
        "regexp"
        "strconv"
        "strings"
@@ -21,14 +22,15 @@ var ok bool
 var event Event
 var pEvent *Event
 var eventId, argc int
-var errs [6]error
+// var errs [6]error
 // 要用的正则匹配列表
 var (
-        syscallRegex   = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`)
+        syscallRegex   = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`)
        execveRegex    = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
        argsRegex      = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
-        pathRegex      = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.*?name="(.*?)"`)
+        pathRegex      = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`)
        cwdRegex       = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):  cwd="(.*?)"`)
        proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`)
        eoeRegex       = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)
@@ -47,22 +49,22 @@ func orgnaze() {
                        break
                }
                rawEvent = raw.(libaudit.RawAuditMessage)
+                // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
                switch rawEvent.Type {
                case auparse.AUDIT_SYSCALL:
-                        go syscallRaw(rawEvent)
+                        syscallRaw(rawEvent)
                case auparse.AUDIT_EXECVE:
-                        go execve(rawEvent)
+                        execve(rawEvent)
                case auparse.AUDIT_CWD:
-                        go cwd(rawEvent)
+                        cwd(rawEvent)
                case auparse.AUDIT_PATH:
-                        go path(rawEvent)
+                        path(rawEvent)
                case auparse.AUDIT_PROCTITLE:
-                        go proctitle(rawEvent)
+                        proctitle(rawEvent)
                case auparse.AUDIT_EOE:
-                        go eoe(rawEvent)
+                        eoe(rawEvent)
                default:
-                        // ATTENTION: 这里也需要做防护
                }
        }
 }
@@ -74,28 +76,34 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
        var exit int
        var a [4]uint64
+        var subj [4]string
        // 捕获基础信息
        match := syscallRegex.FindSubmatch(rawEvent.Data)
-        event.timestamp, errs[0] = getTimeFromStr(string(match[1]))
+        event.timestamp, _ = getTimeFromStr(string(match[1]))
-        eventId, errs[1] = strconv.Atoi(string(match[2]))
+        eventId, _ = strconv.Atoi(string(match[2]))
-        event.syscall, errs[2] = strconv.Atoi(string(match[3]))
+        event.syscall, _ = strconv.Atoi(string(match[3]))
        if string(match[4]) == "" {
                // exit没捕获到
                exit = 0
        } else {
-                exit, errs[3] = strconv.Atoi(string(match[4]))
+                exit, _ = strconv.Atoi(string(match[4]))
+        }
+        event.ppid, _ = strconv.Atoi(string(match[5]))
+        event.pid, _ = strconv.Atoi(string(match[6]))
+        // 几个subj，说不定会有用
+        for i := 0; i < 4; i++ {
+                subj[i] = string(match[7+i])
        }
-        event.ppid, errs[4] = strconv.Atoi(string(match[5]))
-        event.pid, errs[5] = strconv.Atoi(string(match[6]))
        // 捕获参数
        if !argsRegex.Match(rawEvent.Data) {
-                fmt.Printf("Error: don't get args in syscall event!\n")
+                fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n")
                return
        }
        argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
        for i := 0; i < 4; i++ {
-                a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)
+                a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)
        }
        switch syscallTable[event.syscall] {
@@ -128,7 +136,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                        argv:         make([]string, 0),
                        cwd:          "",
                        syscallParam: a,
-                        pathName:     "",
+                        srcPath:      "",
                })
        case "write":
                eventTable.Store(eventId, &Event{
@@ -142,7 +150,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                        argv:         make([]string, 0),
                        cwd:          "",
                        syscallParam: a,
-                        // pathName:     "",
                })
        case "close":
                // 文件关闭
@@ -157,8 +164,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                        argv:         make([]string, 0),
                        cwd:          "",
                        syscallParam: a,
-                        // pathName:     "",
                })
+        case "pivot_root":
+                if subj[2] == "container_runtime_t" {
+                        eventTable.Store(eventId, &Event{
+                                tag:          PIVOTROOT,
+                                timestamp:    event.timestamp,
+                                syscall:      event.syscall,
+                                ppid:         event.ppid,
+                                pid:          event.pid,
+                                syscallParam: a,
+                        })
+                }
        }
 }
@@ -168,14 +185,14 @@ func execve(rawEvent libaudit.RawAuditMessage) {
        }
        match := execveRegex.FindSubmatch(rawEvent.Data)
-        eventId, errs[0] = strconv.Atoi(string(match[1]))
+        eventId, _ = strconv.Atoi(string(match[1]))
-        argc, errs[1] = strconv.Atoi(string(match[2]))
+        argc, _ = strconv.Atoi(string(match[2]))
        tmp, ok = eventTable.Load(eventId)
        if !ok {
                return
        }
        pEvent = tmp.(*Event)
-        if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) {
+        if argsRegex.Match(rawEvent.Data) {
                match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
                for i := 0; i < argc; i++ {
                        if len(match[i][2]) == 0 {
@@ -196,7 +213,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) {
        }
        match := cwdRegex.FindSubmatch(rawEvent.Data)
-        eventId, errs[0] = strconv.Atoi(string(match[1]))
+        eventId, _ = strconv.Atoi(string(match[1]))
        tmp, ok = eventTable.Load(eventId)
        if !ok {
                return
@@ -211,7 +228,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) {
        var cmdline string
        match := proctitleRegex.FindSubmatch(rawEvent.Data)
-        eventId, errs[0] = strconv.Atoi(string(match[1]))
+        eventId, _ = strconv.Atoi(string(match[1]))
        tmp, ok = eventTable.Load(eventId)
        if !ok {
                return
@@ -236,14 +253,13 @@ func eoe(rawEvent libaudit.RawAuditMessage) {
        }
        match := eoeRegex.FindSubmatch(rawEvent.Data)
-        eventId, errs[0] = strconv.Atoi(string(match[1]))
+        eventId, _ = strconv.Atoi(string(match[1]))
        tmp, ok = eventTable.Load(eventId)
        if !ok {
                return
        }
        cooked := *(tmp.(*Event))
        cookedChan <- cooked
-        // fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
        eventTable.Delete(eventId) // 死人别占地
 }
@@ -252,8 +268,9 @@ func path(rawEvent libaudit.RawAuditMessage) {
                return
        }
        match := pathRegex.FindSubmatch(rawEvent.Data)
-        eventId, errs[0] = strconv.Atoi(string(match[1]))
+        eventId, _ = strconv.Atoi(string(match[1]))
-        name := string(match[2])
+        // item, _ := strconv.Atoi(string(match[2]))
+        name := string(match[3])
        tmp, ok = eventTable.Load(eventId)
        if !ok {
@@ -267,8 +284,8 @@ func path(rawEvent libaudit.RawAuditMessage) {
        }
        if name[0] == '/' {
-                pEvent.pathName = name
+                pEvent.srcPath = name
        } else {
-                pEvent.pathName += "/" + name
+                pEvent.srcPath += "/" + name
        }
 }

diff --git a/src/organize.go b/src/organize.go index 12119ad..293371b 100644 --- a/src/organize.go +++ b/src/organize.go
@@ -2,6 +2,7 @@ package main
2		2
3	import (	3	import (
4	"fmt"	4	"fmt"
		5	"os"
5	"regexp"	6	"regexp"
6	"strconv"	7	"strconv"
7	"strings"	8	"strings"
@@ -21,14 +22,15 @@ var ok bool
21	var event Event	22	var event Event
22	var pEvent *Event	23	var pEvent *Event
23	var eventId, argc int	24	var eventId, argc int
24	var errs [6]error	25
		26	// var errs [6]error
25		27
26	// 要用的正则匹配列表	28	// 要用的正则匹配列表
27	var (	29	var (
28	syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).?syscall=(\d+)(?:.?exit=([-+]?\d+))?.?ppid=(\d+) pid=(\d+).?$`)	30	syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).?syscall=(\d+)(?:.?exit=([-+]?\d+))?.?ppid=(\d+) pid=(\d+).?subj=(.?):(.?):(.?):(.?) .*?$`)
29	execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)	31	execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
30	argsRegex = regexp.MustCompile(`a\d+=("(.*?)"\|([0-9a-fA-F]+))`)	32	argsRegex = regexp.MustCompile(`a\d+=("(.*?)"\|([0-9a-fA-F]+))`)
31	pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.?name="(.?)"`)	33	pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`)
32	cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`)	34	cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`)
33	proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"\|([0-9a-fA-F]+))$`)	35	proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"\|([0-9a-fA-F]+))$`)
34	eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)	36	eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)
@@ -47,22 +49,22 @@ func orgnaze() {
47	break	49	break
48	}	50	}
49	rawEvent = raw.(libaudit.RawAuditMessage)	51	rawEvent = raw.(libaudit.RawAuditMessage)
		52	// fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
50		53
51	switch rawEvent.Type {	54	switch rawEvent.Type {
52	case auparse.AUDIT_SYSCALL:	55	case auparse.AUDIT_SYSCALL:
53	go syscallRaw(rawEvent)	56	syscallRaw(rawEvent)
54	case auparse.AUDIT_EXECVE:	57	case auparse.AUDIT_EXECVE:
55	go execve(rawEvent)	58	execve(rawEvent)
56	case auparse.AUDIT_CWD:	59	case auparse.AUDIT_CWD:
57	go cwd(rawEvent)	60	cwd(rawEvent)
58	case auparse.AUDIT_PATH:	61	case auparse.AUDIT_PATH:
59	go path(rawEvent)	62	path(rawEvent)
60	case auparse.AUDIT_PROCTITLE:	63	case auparse.AUDIT_PROCTITLE:
61	go proctitle(rawEvent)	64	proctitle(rawEvent)
62	case auparse.AUDIT_EOE:	65	case auparse.AUDIT_EOE:
63	go eoe(rawEvent)	66	eoe(rawEvent)
64	default:	67	default:
65	// ATTENTION: 这里也需要做防护
66	}	68	}
67	}	69	}
68	}	70	}
@@ -74,28 +76,34 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
74		76
75	var exit int	77	var exit int
76	var a [4]uint64	78	var a [4]uint64
		79	var subj [4]string
77	// 捕获基础信息	80	// 捕获基础信息
78	match := syscallRegex.FindSubmatch(rawEvent.Data)	81	match := syscallRegex.FindSubmatch(rawEvent.Data)
79	event.timestamp, errs[0] = getTimeFromStr(string(match[1]))	82	event.timestamp, _ = getTimeFromStr(string(match[1]))
80	eventId, errs[1] = strconv.Atoi(string(match[2]))	83	eventId, _ = strconv.Atoi(string(match[2]))
81	event.syscall, errs[2] = strconv.Atoi(string(match[3]))	84	event.syscall, _ = strconv.Atoi(string(match[3]))
82	if string(match[4]) == "" {	85	if string(match[4]) == "" {
83	// exit没捕获到	86	// exit没捕获到
84	exit = 0	87	exit = 0
85	} else {	88	} else {
86	exit, errs[3] = strconv.Atoi(string(match[4]))	89	exit, _ = strconv.Atoi(string(match[4]))
		90	}
		91	event.ppid, _ = strconv.Atoi(string(match[5]))
		92	event.pid, _ = strconv.Atoi(string(match[6]))
		93
		94	// 几个subj，说不定会有用
		95	for i := 0; i < 4; i++ {
		96	subj[i] = string(match[7+i])
87	}	97	}
88	event.ppid, errs[4] = strconv.Atoi(string(match[5]))
89	event.pid, errs[5] = strconv.Atoi(string(match[6]))
90		98
91	// 捕获参数	99	// 捕获参数
92	if !argsRegex.Match(rawEvent.Data) {	100	if !argsRegex.Match(rawEvent.Data) {
93	fmt.Printf("Error: don't get args in syscall event!\n")	101	fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n")
94	return	102	return
95	}	103	}
96	argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)	104	argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
97	for i := 0; i < 4; i++ {	105	for i := 0; i < 4; i++ {
98	a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)	106	a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)
99	}	107	}
100		108
101	switch syscallTable[event.syscall] {	109	switch syscallTable[event.syscall] {
@@ -128,7 +136,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
128	argv: make([]string, 0),	136	argv: make([]string, 0),
129	cwd: "",	137	cwd: "",
130	syscallParam: a,	138	syscallParam: a,
131	pathName: "",	139	srcPath: "",
132	})	140	})
133	case "write":	141	case "write":
134	eventTable.Store(eventId, &Event{	142	eventTable.Store(eventId, &Event{
@@ -142,7 +150,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
142	argv: make([]string, 0),	150	argv: make([]string, 0),
143	cwd: "",	151	cwd: "",
144	syscallParam: a,	152	syscallParam: a,
145	// pathName: "",
146	})	153	})
147	case "close":	154	case "close":
148	// 文件关闭	155	// 文件关闭
@@ -157,8 +164,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
157	argv: make([]string, 0),	164	argv: make([]string, 0),
158	cwd: "",	165	cwd: "",
159	syscallParam: a,	166	syscallParam: a,
160	// pathName: "",
161	})	167	})
		168	case "pivot_root":
		169	if subj[2] == "container_runtime_t" {
		170	eventTable.Store(eventId, &Event{
		171	tag: PIVOTROOT,
		172	timestamp: event.timestamp,
		173	syscall: event.syscall,
		174	ppid: event.ppid,
		175	pid: event.pid,
		176	syscallParam: a,
		177	})
		178	}
162	}	179	}
163	}	180	}
164		181
@@ -168,14 +185,14 @@ func execve(rawEvent libaudit.RawAuditMessage) {
168	}	185	}
169		186
170	match := execveRegex.FindSubmatch(rawEvent.Data)	187	match := execveRegex.FindSubmatch(rawEvent.Data)
171	eventId, errs[0] = strconv.Atoi(string(match[1]))	188	eventId, _ = strconv.Atoi(string(match[1]))
172	argc, errs[1] = strconv.Atoi(string(match[2]))	189	argc, _ = strconv.Atoi(string(match[2]))
173	tmp, ok = eventTable.Load(eventId)	190	tmp, ok = eventTable.Load(eventId)
174	if !ok {	191	if !ok {
175	return	192	return
176	}	193	}
177	pEvent = tmp.(*Event)	194	pEvent = tmp.(*Event)
178	if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) {	195	if argsRegex.Match(rawEvent.Data) {
179	match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)	196	match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
180	for i := 0; i < argc; i++ {	197	for i := 0; i < argc; i++ {
181	if len(match[i][2]) == 0 {	198	if len(match[i][2]) == 0 {
@@ -196,7 +213,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) {
196	}	213	}
197		214
198	match := cwdRegex.FindSubmatch(rawEvent.Data)	215	match := cwdRegex.FindSubmatch(rawEvent.Data)
199	eventId, errs[0] = strconv.Atoi(string(match[1]))	216	eventId, _ = strconv.Atoi(string(match[1]))
200	tmp, ok = eventTable.Load(eventId)	217	tmp, ok = eventTable.Load(eventId)
201	if !ok {	218	if !ok {
202	return	219	return
@@ -211,7 +228,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) {
211		228
212	var cmdline string	229	var cmdline string
213	match := proctitleRegex.FindSubmatch(rawEvent.Data)	230	match := proctitleRegex.FindSubmatch(rawEvent.Data)
214	eventId, errs[0] = strconv.Atoi(string(match[1]))	231	eventId, _ = strconv.Atoi(string(match[1]))
215	tmp, ok = eventTable.Load(eventId)	232	tmp, ok = eventTable.Load(eventId)
216	if !ok {	233	if !ok {
217	return	234	return
@@ -236,14 +253,13 @@ func eoe(rawEvent libaudit.RawAuditMessage) {
236	}	253	}
237		254
238	match := eoeRegex.FindSubmatch(rawEvent.Data)	255	match := eoeRegex.FindSubmatch(rawEvent.Data)
239	eventId, errs[0] = strconv.Atoi(string(match[1]))	256	eventId, _ = strconv.Atoi(string(match[1]))
240	tmp, ok = eventTable.Load(eventId)	257	tmp, ok = eventTable.Load(eventId)
241	if !ok {	258	if !ok {
242	return	259	return
243	}	260	}
244	cooked := (tmp.(Event))	261	cooked := (tmp.(Event))
245	cookedChan <- cooked	262	cookedChan <- cooked
246	// fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
247	eventTable.Delete(eventId) // 死人别占地	263	eventTable.Delete(eventId) // 死人别占地
248	}	264	}
249		265
@@ -252,8 +268,9 @@ func path(rawEvent libaudit.RawAuditMessage) {
252	return	268	return
253	}	269	}
254	match := pathRegex.FindSubmatch(rawEvent.Data)	270	match := pathRegex.FindSubmatch(rawEvent.Data)
255	eventId, errs[0] = strconv.Atoi(string(match[1]))	271	eventId, _ = strconv.Atoi(string(match[1]))
256	name := string(match[2])	272	// item, _ := strconv.Atoi(string(match[2]))
		273	name := string(match[3])
257		274
258	tmp, ok = eventTable.Load(eventId)	275	tmp, ok = eventTable.Load(eventId)
259	if !ok {	276	if !ok {
@@ -267,8 +284,8 @@ func path(rawEvent libaudit.RawAuditMessage) {
267	}	284	}
268		285
269	if name[0] == '/' {	286	if name[0] == '/' {
270	pEvent.pathName = name	287	pEvent.srcPath = name
271	} else {	288	} else {
272	pEvent.pathName += "/" + name	289	pEvent.srcPath += "/" + name
273	}	290	}
274	}	291	}