aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/deal.go20
-rw-r--r--src/mongo.go16
-rw-r--r--src/organize.go1
3 files changed, 1 insertions, 36 deletions
diff --git a/src/deal.go b/src/deal.go
index 1dd309c..f2b7d4b 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -34,6 +34,7 @@ func deal() {
34 "pid": containerdPid, 34 "pid": containerdPid,
35 "cwd": "/", 35 "cwd": "/",
36 "children": []bson.M{}, 36 "children": []bson.M{},
37 "daemon": true,
37 }) 38 })
38 if err != nil { 39 if err != nil {
39 fmt.Printf("Error while initing the mongodb: %v\n", err) 40 fmt.Printf("Error while initing the mongodb: %v\n", err)
@@ -77,9 +78,6 @@ func deal() {
77} 78}
78 79
79func deletePid(cooked Event) { 80func deletePid(cooked Event) {
80 if !pidCol.GetLock() {
81 return
82 }
83 // 先从老爹那里销户 81 // 先从老爹那里销户
84 pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{ 82 pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{
85 "$pull": bson.M{ 83 "$pull": bson.M{
@@ -100,17 +98,9 @@ func deletePid(cooked Event) {
100 "exit_signal": cooked.exit_signal, 98 "exit_signal": cooked.exit_signal,
101 }, 99 },
102 }) 100 })
103 pidCol.Mutex.Unlock()
104} 101}
105 102
106func dealNewPid(cooked Event) { 103func dealNewPid(cooked Event) {
107 fmt.Printf("Fork\t%6d\t%6d\t%6d\t%6d\n", cooked.ppid, cooked.parentTgid, cooked.pid, cooked.tgid)
108 // 有无父进程在观察中
109 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.parentTgid})
110 if err != nil || len(docRes) != 1 {
111 return
112 }
113
114 // 自身是否已经记录 104 // 自身是否已经记录
115 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) 105 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
116 if err != nil { 106 if err != nil {
@@ -118,9 +108,6 @@ func dealNewPid(cooked Event) {
118 return 108 return
119 } 109 }
120 110
121 if !pidCol.GetLock() {
122 return
123 }
124 if len(docRes) != 0 { 111 if len(docRes) != 0 {
125 // 进程原本就存在,换言之别的消息先到了 112 // 进程原本就存在,换言之别的消息先到了
126 // 所有先行抵达的消息必须保留execve/children字段 113 // 所有先行抵达的消息必须保留execve/children字段
@@ -157,7 +144,6 @@ func dealNewPid(cooked Event) {
157 "children": cooked.pid, 144 "children": cooked.pid,
158 }, 145 },
159 }) 146 })
160 pidCol.Mutex.Unlock()
161} 147}
162 148
163func dealExecve(cooked Event) { 149func dealExecve(cooked Event) {
@@ -173,9 +159,6 @@ func dealExecve(cooked Event) {
173 return 159 return
174 } 160 }
175 161
176 if !pidCol.GetLock() {
177 return
178 }
179 if len(docRes) == 1 { 162 if len(docRes) == 1 {
180 // 自身已在,直接记录 163 // 自身已在,直接记录
181 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ 164 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
@@ -200,7 +183,6 @@ func dealExecve(cooked Event) {
200 }, 183 },
201 }) 184 })
202 } 185 }
203 pidCol.Mutex.Unlock()
204} 186}
205 187
206func fileOpen(cooked Event) { 188func fileOpen(cooked Event) {
diff --git a/src/mongo.go b/src/mongo.go
index 764f877..1d9f74f 100644
--- a/src/mongo.go
+++ b/src/mongo.go
@@ -2,8 +2,6 @@ package main
2 2
3import ( 3import (
4 "context" 4 "context"
5 "fmt"
6 "sync"
7 "time" 5 "time"
8 6
9 "go.mongodb.org/mongo-driver/bson" 7 "go.mongodb.org/mongo-driver/bson"
@@ -15,8 +13,6 @@ type mongoClient struct {
15 dbName, colName string 13 dbName, colName string
16 client *mongo.Client 14 client *mongo.Client
17 col *mongo.Collection 15 col *mongo.Collection
18 Mutex sync.Mutex
19 // Attention: 这把锁是否有必要?
20} 16}
21 17
22func (mc *mongoClient) init(dbName, colName string) error { 18func (mc *mongoClient) init(dbName, colName string) error {
@@ -100,15 +96,3 @@ func (mc *mongoClient) Disconnect() error {
100 mc.colName = "" 96 mc.colName = ""
101 return nil 97 return nil
102} 98}
103
104func (mc *mongoClient) GetLock() bool {
105 for i := 0; i < 200000; {
106 if !mc.Mutex.TryLock() {
107 i++
108 } else {
109 return true
110 }
111 }
112 fmt.Printf("Die...\n")
113 return false
114}
diff --git a/src/organize.go b/src/organize.go
index 5268a90..12119ad 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -47,7 +47,6 @@ func orgnaze() {
47 break 47 break
48 } 48 }
49 rawEvent = raw.(libaudit.RawAuditMessage) 49 rawEvent = raw.(libaudit.RawAuditMessage)
50 fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
51 50
52 switch rawEvent.Type { 51 switch rawEvent.Type {
53 case auparse.AUDIT_SYSCALL: 52 case auparse.AUDIT_SYSCALL: