diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/deal.go | 51 | ||||
-rw-r--r-- | src/global.go | 6 | ||||
-rw-r--r-- | src/godo.go | 24 | ||||
-rw-r--r-- | src/organize.go | 81 |
4 files changed, 103 insertions, 59 deletions
diff --git a/src/deal.go b/src/deal.go index f2b7d4b..e553174 100644 --- a/src/deal.go +++ b/src/deal.go | |||
@@ -2,6 +2,7 @@ package main | |||
2 | 2 | ||
3 | import ( | 3 | import ( |
4 | "fmt" | 4 | "fmt" |
5 | "os" | ||
5 | "syscall" | 6 | "syscall" |
6 | 7 | ||
7 | "go.mongodb.org/mongo-driver/bson" | 8 | "go.mongodb.org/mongo-driver/bson" |
@@ -26,7 +27,7 @@ func deal() { | |||
26 | var ok bool | 27 | var ok bool |
27 | 28 | ||
28 | if err = pidCol.init(dbName, pidColName); err != nil { | 29 | if err = pidCol.init(dbName, pidColName); err != nil { |
29 | fmt.Printf("Error while initing the mongodb: %v\n", err) | 30 | fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) |
30 | return | 31 | return |
31 | } | 32 | } |
32 | err = pidCol.InsertOne(bson.M{ | 33 | err = pidCol.InsertOne(bson.M{ |
@@ -37,16 +38,16 @@ func deal() { | |||
37 | "daemon": true, | 38 | "daemon": true, |
38 | }) | 39 | }) |
39 | if err != nil { | 40 | if err != nil { |
40 | fmt.Printf("Error while initing the mongodb: %v\n", err) | 41 | fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) |
41 | return | 42 | return |
42 | } | 43 | } |
43 | 44 | ||
44 | if err = fdCol.init(dbName, fdColName); err != nil { | 45 | if err = fdCol.init(dbName, fdColName); err != nil { |
45 | fmt.Printf("Error while initing the mongodb: %v\n", err) | 46 | fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) |
46 | return | 47 | return |
47 | } | 48 | } |
48 | if err = fileCol.init(dbName, fileColName); err != nil { | 49 | if err = fileCol.init(dbName, fileColName); err != nil { |
49 | fmt.Printf("Error while initing the mongodb: %v\n", err) | 50 | fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) |
50 | } | 51 | } |
51 | 52 | ||
52 | fmt.Printf("Containerd: %d\n", containerdPid) | 53 | fmt.Printf("Containerd: %d\n", containerdPid) |
@@ -73,6 +74,8 @@ func deal() { | |||
73 | go fileWrite(cooked) | 74 | go fileWrite(cooked) |
74 | case FILECLOSE: | 75 | case FILECLOSE: |
75 | go fileClose(cooked) | 76 | go fileClose(cooked) |
77 | case PIVOTROOT: | ||
78 | go pivotRoot(cooked) | ||
76 | } | 79 | } |
77 | } | 80 | } |
78 | } | 81 | } |
@@ -85,9 +88,6 @@ func deletePid(cooked Event) { | |||
85 | }, | 88 | }, |
86 | }) | 89 | }) |
87 | 90 | ||
88 | // 孩子们需要收容 | ||
89 | // 不必到children里一个个找,直接看ppid即可 | ||
90 | // pidCol.UpdateMany(bson.M{"ppid": cooked.pid}, bson.M{"ppid": 1}) | ||
91 | // 在这套逻辑里,孩子是不需要收容的,因为我们根本就不看ppid来工作 | 91 | // 在这套逻辑里,孩子是不需要收容的,因为我们根本就不看ppid来工作 |
92 | 92 | ||
93 | // 可以去死了 | 93 | // 可以去死了 |
@@ -98,13 +98,15 @@ func deletePid(cooked Event) { | |||
98 | "exit_signal": cooked.exit_signal, | 98 | "exit_signal": cooked.exit_signal, |
99 | }, | 99 | }, |
100 | }) | 100 | }) |
101 | |||
102 | // 理论上这里需要关闭所有文件描述符,但为了处理效率,留给后续流程 | ||
101 | } | 103 | } |
102 | 104 | ||
103 | func dealNewPid(cooked Event) { | 105 | func dealNewPid(cooked Event) { |
104 | // 自身是否已经记录 | 106 | // 自身是否已经记录 |
105 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) | 107 | docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) |
106 | if err != nil { | 108 | if err != nil { |
107 | fmt.Printf("Err finding: %v\n", err) | 109 | fmt.Fprintf(os.Stderr, "Err finding: %v\n", err) |
108 | return | 110 | return |
109 | } | 111 | } |
110 | 112 | ||
@@ -189,7 +191,7 @@ func fileOpen(cooked Event) { | |||
189 | // 权限检查过了,不必再查 | 191 | // 权限检查过了,不必再查 |
190 | fdCol.InsertOne(bson.M{ | 192 | fdCol.InsertOne(bson.M{ |
191 | "timestamp": cooked.timestamp, | 193 | "timestamp": cooked.timestamp, |
192 | "fileName": cooked.pathName, | 194 | "fileName": cooked.srcPath, |
193 | "pid": cooked.pid, | 195 | "pid": cooked.pid, |
194 | "fd": cooked.exit_code, | 196 | "fd": cooked.exit_code, |
195 | "flags": cooked.syscallParam, | 197 | "flags": cooked.syscallParam, |
@@ -212,7 +214,7 @@ func fileClose(cooked Event) { | |||
212 | } | 214 | } |
213 | res["close_timestamp"] = cooked.timestamp | 215 | res["close_timestamp"] = cooked.timestamp |
214 | if err := fileCol.InsertOne(res); err != nil { | 216 | if err := fileCol.InsertOne(res); err != nil { |
215 | fmt.Printf("Err inserting files: %v\n", err) | 217 | fmt.Fprintf(os.Stderr, "Err inserting files: %v\n", err) |
216 | } | 218 | } |
217 | } | 219 | } |
218 | 220 | ||
@@ -223,7 +225,7 @@ func fileWrite(cooked Event) { | |||
223 | "close_timestamp": bson.M{"$exists": false}, | 225 | "close_timestamp": bson.M{"$exists": false}, |
224 | }) | 226 | }) |
225 | if err != nil { | 227 | if err != nil { |
226 | fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err) | 228 | fmt.Fprintf(os.Stderr, "Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err) |
227 | } | 229 | } |
228 | if len(res) == 0 { | 230 | if len(res) == 0 { |
229 | return | 231 | return |
@@ -234,3 +236,30 @@ func fileWrite(cooked Event) { | |||
234 | "close_timestamp": bson.M{"$exists": false}, | 236 | "close_timestamp": bson.M{"$exists": false}, |
235 | }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) | 237 | }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) |
236 | } | 238 | } |
239 | |||
240 | func pivotRoot(cooked Event) { | ||
241 | // docker的根目录信息,记录 | ||
242 | docRes, err := pidCol.Finddoc(bson.M{"pid": cooked.pid}) | ||
243 | if err != nil { | ||
244 | fmt.Fprintf(os.Stderr, "Err finding: %v\n", err) | ||
245 | return | ||
246 | } | ||
247 | |||
248 | if len(docRes) == 0 { | ||
249 | // fork还没到,等一下 | ||
250 | pidCol.InsertOne(bson.M{ | ||
251 | "start_timestamp": cooked.timestamp, | ||
252 | "ppid": cooked.ppid, | ||
253 | "pid": cooked.pid, | ||
254 | "rootfs": "cwd", | ||
255 | }) | ||
256 | } else { | ||
257 | // 读取已有的工作目录 | ||
258 | cwd := docRes[0]["cwd"] | ||
259 | pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ | ||
260 | "$set": bson.M{ | ||
261 | "rootfs": cwd, | ||
262 | }, | ||
263 | }) | ||
264 | } | ||
265 | } | ||
diff --git a/src/global.go b/src/global.go index b6635c9..349ba6c 100644 --- a/src/global.go +++ b/src/global.go | |||
@@ -14,11 +14,12 @@ const ( | |||
14 | FILEOPEN | 14 | FILEOPEN |
15 | FILECLOSE | 15 | FILECLOSE |
16 | FILEWRITE | 16 | FILEWRITE |
17 | PIVOTROOT | ||
17 | TYPENUM | 18 | TYPENUM |
18 | ) | 19 | ) |
19 | 20 | ||
20 | func (et eventType) String() string { | 21 | func (et eventType) String() string { |
21 | names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "TYPENUM"} | 22 | names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "PIVOTROOT", "TYPENUM"} |
22 | if et < NEWPID || et > TYPENUM { | 23 | if et < NEWPID || et > TYPENUM { |
23 | return "Unknown" | 24 | return "Unknown" |
24 | } | 25 | } |
@@ -32,12 +33,13 @@ type Event struct { | |||
32 | ppid, parentTgid int | 33 | ppid, parentTgid int |
33 | syscall int | 34 | syscall int |
34 | syscallParam [4]uint64 | 35 | syscallParam [4]uint64 |
35 | pathName string | ||
36 | argc int | 36 | argc int |
37 | argv []string | 37 | argv []string |
38 | cwd string | 38 | cwd string |
39 | exit_code uint64 | 39 | exit_code uint64 |
40 | exit_signal int | 40 | exit_signal int |
41 | srcPath string | ||
42 | destPath string | ||
41 | } | 43 | } |
42 | 44 | ||
43 | var wg sync.WaitGroup // 掌管协程 | 45 | var wg sync.WaitGroup // 掌管协程 |
diff --git a/src/godo.go b/src/godo.go index 923ef85..a30aa88 100644 --- a/src/godo.go +++ b/src/godo.go | |||
@@ -27,14 +27,14 @@ var ( | |||
27 | func main() { | 27 | func main() { |
28 | // 检查用户身份,并添加auditd规则,监听所有syscall | 28 | // 检查用户身份,并添加auditd规则,监听所有syscall |
29 | if os.Geteuid() != 0 { | 29 | if os.Geteuid() != 0 { |
30 | fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid()) | 30 | fmt.Fprintf(os.Stderr, "Err: Please run me as root, %d!\n", os.Getegid()) |
31 | return | 31 | return |
32 | } | 32 | } |
33 | 33 | ||
34 | // 所有的系统调用号与名称的关系 | 34 | // 所有的系统调用号与名称的关系 |
35 | err := figureOutSyscalls() | 35 | err := figureOutSyscalls() |
36 | if err != nil { | 36 | if err != nil { |
37 | fmt.Printf("Error figuring out syscall numbers: %v\n", err) | 37 | fmt.Fprintf(os.Stderr, "Error figuring out syscall numbers: %v\n", err) |
38 | } | 38 | } |
39 | 39 | ||
40 | exec.Command("auditctl", "-D").Run() | 40 | exec.Command("auditctl", "-D").Run() |
@@ -43,7 +43,7 @@ func main() { | |||
43 | 43 | ||
44 | var auditCmd *exec.Cmd | 44 | var auditCmd *exec.Cmd |
45 | 45 | ||
46 | pidSyscall := []string{"execve"} | 46 | pidSyscall := []string{"execve", "pivot_root"} |
47 | // // 设置监听规则 | 47 | // // 设置监听规则 |
48 | for i := 0; i < len(pidSyscall); i++ { | 48 | for i := 0; i < len(pidSyscall); i++ { |
49 | auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) | 49 | auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) |
@@ -61,14 +61,10 @@ func main() { | |||
61 | // 查找pid | 61 | // 查找pid |
62 | containerdPid, err = getPid() | 62 | containerdPid, err = getPid() |
63 | if err != nil { | 63 | if err != nil { |
64 | fmt.Printf("Error finding containerd: %v\n", err) | 64 | fmt.Fprintf(os.Stderr, "Error finding containerd: %v\n", err) |
65 | return | 65 | return |
66 | } | 66 | } |
67 | 67 | ||
68 | // 创世之神,1号进程 | ||
69 | // 1号进程还是不要在进程树上直接出现了,不然它的小儿子们都会出现 | ||
70 | // /usr/bin/containerd,也就是我们最关注的进程 | ||
71 | |||
72 | // 开始运行,解析命令行参数后监听 | 68 | // 开始运行,解析命令行参数后监听 |
73 | if err := fs.Parse(os.Args[1:]); err != nil { | 69 | if err := fs.Parse(os.Args[1:]); err != nil { |
74 | log.Fatal(err) | 70 | log.Fatal(err) |
@@ -81,8 +77,8 @@ func main() { | |||
81 | 77 | ||
82 | func coroutine(client *libaudit.AuditClient) { | 78 | func coroutine(client *libaudit.AuditClient) { |
83 | // 各协程至此开始 | 79 | // 各协程至此开始 |
84 | rawChan = make(chan interface{}) | 80 | rawChan = make(chan interface{}, 65536) |
85 | cookedChan = make(chan Event) | 81 | cookedChan = make(chan Event, 65536) |
86 | 82 | ||
87 | wg.Add(1) | 83 | wg.Add(1) |
88 | go procWatch() | 84 | go procWatch() |
@@ -101,14 +97,14 @@ func coroutine(client *libaudit.AuditClient) { | |||
101 | func procWatch() error { | 97 | func procWatch() error { |
102 | ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345) | 98 | ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345) |
103 | if err != nil { | 99 | if err != nil { |
104 | fmt.Printf("Error creating socket: %v\n", err) | 100 | fmt.Fprintf(os.Stderr, "Error creating socket: %v\n", err) |
105 | return err | 101 | return err |
106 | } | 102 | } |
107 | defer ns.Close() | 103 | defer ns.Close() |
108 | for { | 104 | for { |
109 | res, err := ns.Receive(20) | 105 | res, err := ns.Receive(20) |
110 | if err != nil { | 106 | if err != nil { |
111 | fmt.Printf("Error recv: %v\n", err) | 107 | fmt.Fprintf(os.Stderr, "Error recv: %v\n", err) |
112 | continue | 108 | continue |
113 | } | 109 | } |
114 | for i := 0; i < len(res); i++ { | 110 | for i := 0; i < len(res); i++ { |
@@ -146,7 +142,7 @@ func checkProc(pCooked *Event) { | |||
146 | fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid) | 142 | fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid) |
147 | fd, err := os.Open(fileName) | 143 | fd, err := os.Open(fileName) |
148 | if err != nil { | 144 | if err != nil { |
149 | fmt.Printf("Err: %v\n", err) | 145 | fmt.Fprintf(os.Stderr, "Err: %v\n", err) |
150 | return | 146 | return |
151 | } | 147 | } |
152 | 148 | ||
@@ -162,7 +158,7 @@ func checkProc(pCooked *Event) { | |||
162 | fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid) | 158 | fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid) |
163 | pCooked.cwd, err = os.Readlink(fileName) | 159 | pCooked.cwd, err = os.Readlink(fileName) |
164 | if err != nil { | 160 | if err != nil { |
165 | fmt.Printf("Err readlink %s: %v\n", fileName, err) | 161 | fmt.Fprintf(os.Stderr, "Err: %v\n", err) |
166 | pCooked.cwd = "" | 162 | pCooked.cwd = "" |
167 | } | 163 | } |
168 | } | 164 | } |
diff --git a/src/organize.go b/src/organize.go index 12119ad..293371b 100644 --- a/src/organize.go +++ b/src/organize.go | |||
@@ -2,6 +2,7 @@ package main | |||
2 | 2 | ||
3 | import ( | 3 | import ( |
4 | "fmt" | 4 | "fmt" |
5 | "os" | ||
5 | "regexp" | 6 | "regexp" |
6 | "strconv" | 7 | "strconv" |
7 | "strings" | 8 | "strings" |
@@ -21,14 +22,15 @@ var ok bool | |||
21 | var event Event | 22 | var event Event |
22 | var pEvent *Event | 23 | var pEvent *Event |
23 | var eventId, argc int | 24 | var eventId, argc int |
24 | var errs [6]error | 25 | |
26 | // var errs [6]error | ||
25 | 27 | ||
26 | // 要用的正则匹配列表 | 28 | // 要用的正则匹配列表 |
27 | var ( | 29 | var ( |
28 | syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`) | 30 | syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`) |
29 | execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) | 31 | execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) |
30 | argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) | 32 | argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) |
31 | pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.*?name="(.*?)"`) | 33 | pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`) |
32 | cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) | 34 | cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) |
33 | proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) | 35 | proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) |
34 | eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) | 36 | eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) |
@@ -47,22 +49,22 @@ func orgnaze() { | |||
47 | break | 49 | break |
48 | } | 50 | } |
49 | rawEvent = raw.(libaudit.RawAuditMessage) | 51 | rawEvent = raw.(libaudit.RawAuditMessage) |
52 | // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data) | ||
50 | 53 | ||
51 | switch rawEvent.Type { | 54 | switch rawEvent.Type { |
52 | case auparse.AUDIT_SYSCALL: | 55 | case auparse.AUDIT_SYSCALL: |
53 | go syscallRaw(rawEvent) | 56 | syscallRaw(rawEvent) |
54 | case auparse.AUDIT_EXECVE: | 57 | case auparse.AUDIT_EXECVE: |
55 | go execve(rawEvent) | 58 | execve(rawEvent) |
56 | case auparse.AUDIT_CWD: | 59 | case auparse.AUDIT_CWD: |
57 | go cwd(rawEvent) | 60 | cwd(rawEvent) |
58 | case auparse.AUDIT_PATH: | 61 | case auparse.AUDIT_PATH: |
59 | go path(rawEvent) | 62 | path(rawEvent) |
60 | case auparse.AUDIT_PROCTITLE: | 63 | case auparse.AUDIT_PROCTITLE: |
61 | go proctitle(rawEvent) | 64 | proctitle(rawEvent) |
62 | case auparse.AUDIT_EOE: | 65 | case auparse.AUDIT_EOE: |
63 | go eoe(rawEvent) | 66 | eoe(rawEvent) |
64 | default: | 67 | default: |
65 | // ATTENTION: 这里也需要做防护 | ||
66 | } | 68 | } |
67 | } | 69 | } |
68 | } | 70 | } |
@@ -74,28 +76,34 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
74 | 76 | ||
75 | var exit int | 77 | var exit int |
76 | var a [4]uint64 | 78 | var a [4]uint64 |
79 | var subj [4]string | ||
77 | // 捕获基础信息 | 80 | // 捕获基础信息 |
78 | match := syscallRegex.FindSubmatch(rawEvent.Data) | 81 | match := syscallRegex.FindSubmatch(rawEvent.Data) |
79 | event.timestamp, errs[0] = getTimeFromStr(string(match[1])) | 82 | event.timestamp, _ = getTimeFromStr(string(match[1])) |
80 | eventId, errs[1] = strconv.Atoi(string(match[2])) | 83 | eventId, _ = strconv.Atoi(string(match[2])) |
81 | event.syscall, errs[2] = strconv.Atoi(string(match[3])) | 84 | event.syscall, _ = strconv.Atoi(string(match[3])) |
82 | if string(match[4]) == "" { | 85 | if string(match[4]) == "" { |
83 | // exit没捕获到 | 86 | // exit没捕获到 |
84 | exit = 0 | 87 | exit = 0 |
85 | } else { | 88 | } else { |
86 | exit, errs[3] = strconv.Atoi(string(match[4])) | 89 | exit, _ = strconv.Atoi(string(match[4])) |
90 | } | ||
91 | event.ppid, _ = strconv.Atoi(string(match[5])) | ||
92 | event.pid, _ = strconv.Atoi(string(match[6])) | ||
93 | |||
94 | // 几个subj,说不定会有用 | ||
95 | for i := 0; i < 4; i++ { | ||
96 | subj[i] = string(match[7+i]) | ||
87 | } | 97 | } |
88 | event.ppid, errs[4] = strconv.Atoi(string(match[5])) | ||
89 | event.pid, errs[5] = strconv.Atoi(string(match[6])) | ||
90 | 98 | ||
91 | // 捕获参数 | 99 | // 捕获参数 |
92 | if !argsRegex.Match(rawEvent.Data) { | 100 | if !argsRegex.Match(rawEvent.Data) { |
93 | fmt.Printf("Error: don't get args in syscall event!\n") | 101 | fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n") |
94 | return | 102 | return |
95 | } | 103 | } |
96 | argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) | 104 | argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) |
97 | for i := 0; i < 4; i++ { | 105 | for i := 0; i < 4; i++ { |
98 | a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) | 106 | a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) |
99 | } | 107 | } |
100 | 108 | ||
101 | switch syscallTable[event.syscall] { | 109 | switch syscallTable[event.syscall] { |
@@ -128,7 +136,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
128 | argv: make([]string, 0), | 136 | argv: make([]string, 0), |
129 | cwd: "", | 137 | cwd: "", |
130 | syscallParam: a, | 138 | syscallParam: a, |
131 | pathName: "", | 139 | srcPath: "", |
132 | }) | 140 | }) |
133 | case "write": | 141 | case "write": |
134 | eventTable.Store(eventId, &Event{ | 142 | eventTable.Store(eventId, &Event{ |
@@ -142,7 +150,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
142 | argv: make([]string, 0), | 150 | argv: make([]string, 0), |
143 | cwd: "", | 151 | cwd: "", |
144 | syscallParam: a, | 152 | syscallParam: a, |
145 | // pathName: "", | ||
146 | }) | 153 | }) |
147 | case "close": | 154 | case "close": |
148 | // 文件关闭 | 155 | // 文件关闭 |
@@ -157,8 +164,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { | |||
157 | argv: make([]string, 0), | 164 | argv: make([]string, 0), |
158 | cwd: "", | 165 | cwd: "", |
159 | syscallParam: a, | 166 | syscallParam: a, |
160 | // pathName: "", | ||
161 | }) | 167 | }) |
168 | case "pivot_root": | ||
169 | if subj[2] == "container_runtime_t" { | ||
170 | eventTable.Store(eventId, &Event{ | ||
171 | tag: PIVOTROOT, | ||
172 | timestamp: event.timestamp, | ||
173 | syscall: event.syscall, | ||
174 | ppid: event.ppid, | ||
175 | pid: event.pid, | ||
176 | syscallParam: a, | ||
177 | }) | ||
178 | } | ||
162 | } | 179 | } |
163 | } | 180 | } |
164 | 181 | ||
@@ -168,14 +185,14 @@ func execve(rawEvent libaudit.RawAuditMessage) { | |||
168 | } | 185 | } |
169 | 186 | ||
170 | match := execveRegex.FindSubmatch(rawEvent.Data) | 187 | match := execveRegex.FindSubmatch(rawEvent.Data) |
171 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 188 | eventId, _ = strconv.Atoi(string(match[1])) |
172 | argc, errs[1] = strconv.Atoi(string(match[2])) | 189 | argc, _ = strconv.Atoi(string(match[2])) |
173 | tmp, ok = eventTable.Load(eventId) | 190 | tmp, ok = eventTable.Load(eventId) |
174 | if !ok { | 191 | if !ok { |
175 | return | 192 | return |
176 | } | 193 | } |
177 | pEvent = tmp.(*Event) | 194 | pEvent = tmp.(*Event) |
178 | if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) { | 195 | if argsRegex.Match(rawEvent.Data) { |
179 | match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) | 196 | match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) |
180 | for i := 0; i < argc; i++ { | 197 | for i := 0; i < argc; i++ { |
181 | if len(match[i][2]) == 0 { | 198 | if len(match[i][2]) == 0 { |
@@ -196,7 +213,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) { | |||
196 | } | 213 | } |
197 | 214 | ||
198 | match := cwdRegex.FindSubmatch(rawEvent.Data) | 215 | match := cwdRegex.FindSubmatch(rawEvent.Data) |
199 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 216 | eventId, _ = strconv.Atoi(string(match[1])) |
200 | tmp, ok = eventTable.Load(eventId) | 217 | tmp, ok = eventTable.Load(eventId) |
201 | if !ok { | 218 | if !ok { |
202 | return | 219 | return |
@@ -211,7 +228,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) { | |||
211 | 228 | ||
212 | var cmdline string | 229 | var cmdline string |
213 | match := proctitleRegex.FindSubmatch(rawEvent.Data) | 230 | match := proctitleRegex.FindSubmatch(rawEvent.Data) |
214 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 231 | eventId, _ = strconv.Atoi(string(match[1])) |
215 | tmp, ok = eventTable.Load(eventId) | 232 | tmp, ok = eventTable.Load(eventId) |
216 | if !ok { | 233 | if !ok { |
217 | return | 234 | return |
@@ -236,14 +253,13 @@ func eoe(rawEvent libaudit.RawAuditMessage) { | |||
236 | } | 253 | } |
237 | 254 | ||
238 | match := eoeRegex.FindSubmatch(rawEvent.Data) | 255 | match := eoeRegex.FindSubmatch(rawEvent.Data) |
239 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 256 | eventId, _ = strconv.Atoi(string(match[1])) |
240 | tmp, ok = eventTable.Load(eventId) | 257 | tmp, ok = eventTable.Load(eventId) |
241 | if !ok { | 258 | if !ok { |
242 | return | 259 | return |
243 | } | 260 | } |
244 | cooked := *(tmp.(*Event)) | 261 | cooked := *(tmp.(*Event)) |
245 | cookedChan <- cooked | 262 | cookedChan <- cooked |
246 | // fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid) | ||
247 | eventTable.Delete(eventId) // 死人别占地 | 263 | eventTable.Delete(eventId) // 死人别占地 |
248 | } | 264 | } |
249 | 265 | ||
@@ -252,8 +268,9 @@ func path(rawEvent libaudit.RawAuditMessage) { | |||
252 | return | 268 | return |
253 | } | 269 | } |
254 | match := pathRegex.FindSubmatch(rawEvent.Data) | 270 | match := pathRegex.FindSubmatch(rawEvent.Data) |
255 | eventId, errs[0] = strconv.Atoi(string(match[1])) | 271 | eventId, _ = strconv.Atoi(string(match[1])) |
256 | name := string(match[2]) | 272 | // item, _ := strconv.Atoi(string(match[2])) |
273 | name := string(match[3]) | ||
257 | 274 | ||
258 | tmp, ok = eventTable.Load(eventId) | 275 | tmp, ok = eventTable.Load(eventId) |
259 | if !ok { | 276 | if !ok { |
@@ -267,8 +284,8 @@ func path(rawEvent libaudit.RawAuditMessage) { | |||
267 | } | 284 | } |
268 | 285 | ||
269 | if name[0] == '/' { | 286 | if name[0] == '/' { |
270 | pEvent.pathName = name | 287 | pEvent.srcPath = name |
271 | } else { | 288 | } else { |
272 | pEvent.pathName += "/" + name | 289 | pEvent.srcPath += "/" + name |
273 | } | 290 | } |
274 | } | 291 | } |