From 2c2975d032b1c26fd0094c8d3aa568251b5c9c6a Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Mon, 5 Aug 2024 14:56:57 +0800
Subject: The fds problem may comes from slow consumption

There are some possible reasons that have been thought of:

- auditd lost. Each time I use `auditctl -b xxx` or `auditctl --reset-lost`, there is always a big number of lost records. At first I thought it meant how much auditd info was lost through the net, or how much was thrown away because the audit info queue in the kernel was full. However, from the src code of the kernel, it actually means how much is thrown away as there's no listener of auditd info. In other words, audit is a userspace-kernel function, not two independent parts.
- audit backlog size. Same as the above.

But when I only listen to the syscall "open", I can almost always hear the info in the docker. So I think this may be because the audit info production is flooding, while in this program I check this and that, which costs too much time, so the consumption is far slower.

Next step, I will use the MVC: all recvd info will be pushed into the database, and a new independent part will be added to make the database clean and clear.

The key problem is, a process can open file1 as fd 3, write, close, and open file2 as fd 3, write, close: which means I must figure out which file is written when a "write" event comes. Now I check the pid/fd/close_time in the database to choose which is written, but finding and checking the doc also uses lots of time. Maybe use two collections, one is fds that records files not closed, the other records closed files?

Besides, clone/fork/pthread_create all use the syscall clone, but their flags are different. Maybe I can also use the `pid/tgid` pair to distinguish between process and thread. Good idea.

Be quick, your internship has passed a half. What kinds of answer will you hand in?
---
 src/deal.go | 16 +++-------------
 src/godo.go | 8 +++++---
 src/organize.go | 1 +
 3 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/src/deal.go b/src/deal.go
index ae69003..871b7ff 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -191,18 +191,8 @@ func dealExecve(cooked Event) {
 }
 
 func fileOpen(cooked Event) {
- fmt.Printf("Open: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
- // 查看是否记录了该进程
- res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
- if err != nil {
- fmt.Printf("Error finding pid %d: %v\n", cooked.pid, err)
- }
- if len(res) == 0 {
- // 没找着,滚
- return
- }
+ // fmt.Printf("Open: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
 
- // 确有该进程
 // 权限检查过了,不必再查
 fdCol.InsertOne(bson.M{
 "timestamp": cooked.timestamp,
@@ -223,7 +213,7 @@ func fileOpen(cooked Event) {
 }
 
 func fileClose(cooked Event) {
- fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
+ // fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
 // 直接看文件表有无记录
 res, err := fdCol.Finddoc(bson.M{
 "pid": cooked.pid,
@@ -244,7 +234,7 @@ func fileClose(cooked Event) {
 }
 
 func fileWrite(cooked Event) {
- fmt.Printf("Write: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
+ // fmt.Printf("Write: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName)
 // 直接看文件表有无记录
 res, err := fdCol.Finddoc(bson.M{
 "pid": cooked.pid,
diff --git a/src/godo.go b/src/godo.go
index cbd9e0a..2ba32d6 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -37,9 +37,11 @@ func main() {
 fmt.Printf("Error figuring out syscall numbers: %v\n", err)
 }
 
+ exec.Command("auditctl", "-D").Run()
+ exec.Command("auditctl", "-b", "1000000000").Run()
+ exec.Command("auditctl", "--reset-lost").Run()
+
 var auditCmd *exec.Cmd
- auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
- auditCmd.Run()
 
 pidSyscall := []string{"execve"}
 // pidSyscall := []string{"fork", "vfork", "clone", "execve", "exit", "exit_group"}
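Review bot: fileOpen now inserts a record for every open event the audit socket delivers, because the pidCol lookup that restricted it to processes already seen via execve is gone, yet the surviving comment `// 权限检查过了,不必再查` still says that check was done. If the filtering is meant to move elsewhere (the commit message suggests a separate cleanup stage), say so where the check used to be, e.g. `// no pid filter here: every open is stored, filtering happens later`; otherwise the filter should come back, since unfiltered inserts are exactly the consumer load the message is trying to reduce. The context line `fdCol.InsertOne(bson.M{` also discards whatever InsertOne returns, so a failing insert is indistinguishable from a lost audit record — presumably it returns an error that should at least be logged. fileOpen's body continues past the end of the hunk.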
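Review bot: The `fmt.Printf("Close: ...")` line is kept as commented-out code rather than removed or gated; the same pattern appears in the fileWrite hunk below and in the organize.go hunk. Commented-out prints silently drift from the fields they reference, so either delete them or gate them on one package-level switch, e.g. `if verbose { fmt.Printf("Close: %6d\t%6d\t%s\n", cooked.ppid, cooked.pid, cooked.pathName) }`. fileClose's body continues past the end of the hunk.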
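Review bot: The three `exec.Command("auditctl", ...).Run()` calls discard their errors, so when auditctl is absent, the process lacks the privilege to change audit rules, or the audit configuration is locked, main carries on with no rules loaded and simply never receives events — the very symptom the commit message is chasing. `-b 1000000000` also raises the kernel backlog limit by orders of magnitude; the kernel keeps records queued until the userspace listener drains them, so with a slow consumer this in effect converts dropped records into unbounded kernel memory use, and a value sized to what the consumer can actually absorb is safer. `-D` removes every audit rule on the host, not just this program's, which deserves a comment if other tooling on the machine also installs rules. The rewrite below reports each failure in the file's existing `fmt.Printf("Error ...")` style; main's body starts and ends outside the hunk.
```go
// … unchanged: syscall number lookup …
for _, args := range [][]string{{"-D"}, {"-b", "1000000000"}, {"--reset-lost"}} {
	if out, err := exec.Command("auditctl", args...).CombinedOutput(); err != nil {
		fmt.Printf("Error running auditctl %v: %v\n%s", args, err, out)
	}
}

var auditCmd *exec.Cmd
// … unchanged: rule installation …
```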
@@ -50,7 +52,7 @@ func main() {
 }
 
 // 监听文件的消息
- fileSyscall := []string{"open", "write", "close"}
+ fileSyscall := []string{"open"}
 // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"}
 for i := 0; i < len(fileSyscall); i++ {
 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i])
diff --git a/src/organize.go b/src/organize.go
index 238509f..8deba53 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -47,6 +47,7 @@ func orgnaze() {
 break
 }
 rawEvent = raw.(libaudit.RawAuditMessage)
+ // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
 
 switch rawEvent.Type {
 case auparse.AUDIT_SYSCALL:
-- 
cgit v1.2.3-70-g09d2
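Review bot: With `fileSyscall` cut down to `"open"`, the rule the loop below installs covers only the legacy open(2) syscall; on x86_64 current glibc issues openat(2) for open()/fopen(), so most opens from modern binaries will produce no event at all and the quieter stream may be an artefact of the filter rather than of consumption speed — worth confirming by adding `"openat"` and comparing counts. Dropping `"write"` and `"close"` also means fileClose and fileWrite in deal.go never run, so no close time is ever recorded and the fd-reuse disambiguation the commit message describes has nothing to work with. If this is a deliberate experiment, a comment on the line saying so, e.g. `// experiment: only "open" — write/close flood the consumer`, keeps it from being shipped as the final rule set. main's body continues outside the hunk.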