From 0deb0b10c28f72f08c330f183ef64d90405b1358 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Mon, 29 Jul 2024 14:25:06 +0800
Subject: Add write

---
 src/deal.go | 22 ++++++++++++++++++++++
 src/organize.go | 14 ++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/src/deal.go b/src/deal.go
index d3b5da0..56f6d1d 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -65,6 +65,8 @@ func deal() {
 go deletePid(cooked)
 case FILEOPEN:
 fileOpen(cooked)
+ case FILEWRITE:
+ fileWrite(cooked)
 case FILECLOSE:
 fileClose(cooked)
 }
@@ -234,3 +236,23 @@ func fileClose(cooked Event) {
 "close_timestamp": bson.M{"$exists": false},
 }, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}})
 }
+
+func fileWrite(cooked Event) {
+ // 直接看文件表有无记录
+ res, err := fdCol.Finddoc(bson.M{
+ "pid": cooked.pid,
+ "fd": cooked.syscallParam[0],
+ "close_timestamp": bson.M{"$exists": false},
+ })
+ if err != nil {
+ fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
+ }
+ if len(res) == 0 {
+ return
+ }
+ fdCol.UpdateOne(bson.M{
+ "pid": cooked.pid,
+ "fd": cooked.syscallParam[0],
+ "close_timestamp": bson.M{"$exists": false},
+ }, bson.M{"$push": bson.M{"written": cooked.timestamp}})
+}
diff --git a/src/organize.go b/src/organize.go
index 1b064c1..f5c9992 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -160,6 +160,20 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
 syscallParam: a,
 pathName: "",
 })
+ case "write":
+ eventTable.Store(eventId, &Event{
+ tag: FILEWRITE,
+ timestamp: event.timestamp,
+ syscall: event.syscall,
+ exit_code: uint64(exit),
+ ppid: event.ppid,
+ pid: event.pid,
+ argc: 0,
+ argv: make([]string, 0),
+ cwd: "",
+ syscallParam: a,
+ // pathName: "",
+ })
 case "close": // 文件关闭
 eventTable.Store(eventId, &Event{
-- 
cgit v1.2.3-70-g09d2
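Review bot: The error branch in the new fileWrite logs a message copied from fileClose (`Err closing fd ...`) and then falls through to the `len(res)` check instead of returning, so a failed lookup is reported as a close failure and the function keeps going on whatever `res` holds after an error; change it to `fmt.Printf("Err finding fd %d of pid %d for write: %v\n", cooked.syscallParam[0], cooked.pid, err)` followed by `return`. The result of `fdCol.UpdateOne` is discarded as well — if the wrapper returns an error like the driver does, it should be checked, and because the update uses exactly the filter of the preceding Finddoc, one UpdateOne whose matched count is inspected would drop the extra round trip and the window between the two calls. `$push` onto `written` appends one timestamp per write syscall with no bound, so a process issuing many writes to a single fd inflates that fd document (and the collection) without limit; capping the array with `$each`/`$slice` or keeping a counter instead of a list would keep the document size predictable. `cooked.syscallParam[0]` is indexed without a length check; fileClose does the same, so the guarantee presumably comes from the producer, but it is worth confirming.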
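Review bot: The new `write` case in syscallRaw leaves a commented-out `// pathName: "",` inside the struct literal while the sibling `open` case directly above sets `pathName: ""` explicitly; either set it the same way for consistency or delete the line, since the zero value is already `""`. The literal otherwise repeats the `open`/`close` literals field for field with only `tag` differing, so a small constructor taking the tag would keep the three cases in step when a field is added later. Note also that `write` fires far more often than `open`/`close`: if every stored write event is dispatched to the per-event database lookup added in deal.go, a process doing many small writes drives proportional load on the collector, which suggests a cap or sampling on stored write events — this is inferred from the dispatch, not visible in this hunk. syscallRaw begins before and continues after the hunk.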