From 3e49a044d22635157916651f0acb5a062397b34b Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Fri, 9 Aug 2024 13:56:37 +0800 Subject: Add db structure, fix filePath, start filtering This commit I made several changes: - Use structure instead of simple bson.M(interface{}). bson.M has some shortcomings: 1) It makes the database in chaos and hard to read, but this's not important; 2) Some entrys may has more or less content than others, which makes it hard to decode and filt. So I design new data structure to encode and decode. Hopes that there's no bugs. - Fix the way to calculate file path. The original method is to add all the PATH entries together, that's totally wrong! PATH entry has several types, as it shows in "objtype". I can't find it in the kernel src code, so what i know is just "PARENT" means the dir the file is in, while the filename itself has the path, so we whould ignore all "PARENT"s. When the src code is found, we should check it again. - Fix bugs in updating. The update function of mongodb is set to required to has a '$' such as 'set'/'push', so when we update a whole doc, we should use replace but not update function. And, we should never ignore the error infomation it gives us. Hope that there's no more bugs for this Big Change. Now its' time to write filter as well as viewer. Best wishes with NO BUGS! --- .gitignore | 1 + .gitmodules | 2 +- filter/filter.go | 118 +++++++++++++++++++++ filter/go.mod | 18 ++++ filter/go.sum | 50 +++++++++ listener/audit.go | 84 +++++++++++++++ listener/basefunc.go | 129 +++++++++++++++++++++++ listener/deal.go | 269 +++++++++++++++++++++++++++++++++++++++++++++++ listener/global.go | 84 +++++++++++++++ listener/go.mod | 26 +++++ listener/go.sum | 96 +++++++++++++++++ listener/go.work | 6 ++ listener/go.work.sum | 4 + listener/godo.go | 176 +++++++++++++++++++++++++++++++ listener/mongo.go | 122 +++++++++++++++++++++ listener/netlink | 1 + listener/organize.go | 291 +++++++++++++++++++++++++++++++++++++++++++++++++++ listener/receive.go | 29 +++++ src/audit.go | 84 --------------- src/basefunc.go | 129 ----------------------- src/deal.go | 265 ---------------------------------------------- src/global.go | 49 --------- src/go.mod | 26 ----- src/go.sum | 96 ----------------- src/go.work | 6 -- src/go.work.sum | 4 - src/godo.go | 164 ----------------------------- src/mongo.go | 98 ----------------- src/netlink | 1 - src/organize.go | 291 --------------------------------------------------- src/receive.go | 29 ----- 31 files changed, 1505 insertions(+), 1243 deletions(-) create mode 100644 filter/filter.go create mode 100644 filter/go.mod create mode 100644 filter/go.sum create mode 100644 listener/audit.go create mode 100644 listener/basefunc.go create mode 100644 listener/deal.go create mode 100644 listener/global.go create mode 100644 listener/go.mod create mode 100644 listener/go.sum create mode 100644 listener/go.work create mode 100644 listener/go.work.sum create mode 100644 listener/godo.go create mode 100644 listener/mongo.go create mode 160000 listener/netlink create mode 100644 listener/organize.go create mode 100644 listener/receive.go delete mode 100644 src/audit.go delete mode 100644 src/basefunc.go delete mode 100644 src/deal.go delete mode 100644 src/global.go delete mode 100644 src/go.mod delete mode 100644 src/go.sum delete mode 100644 src/go.work delete mode 100644 src/go.work.sum delete mode 100644 src/godo.go delete mode 100644 src/mongo.go delete mode 160000 src/netlink delete mode 100644 src/organize.go delete mode 100644 src/receive.go diff --git a/.gitignore b/.gitignore index b9f0a38..336d320 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ .vscode/* */godo */hello +*/filter old/* !old/*.* diff --git a/.gitmodules b/.gitmodules index 6a63c7b..16e998b 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,3 @@ [submodule "src/netlink"] - path = src/netlink + path = listener/netlink url = https://github.com/We-unite/netlink diff --git a/filter/filter.go b/filter/filter.go new file mode 100644 index 0000000..c83fb13 --- /dev/null +++ b/filter/filter.go @@ -0,0 +1,118 @@ +package main + +import ( + "context" + "fmt" + "log" + "os" + "time" + + "go.mongodb.org/mongo-driver/bson" + "go.mongodb.org/mongo-driver/mongo" + "go.mongodb.org/mongo-driver/mongo/options" + "go.mongodb.org/mongo-driver/mongo/readpref" +) + +type Exec struct { + timestamp time.Time `bson:"timestamp"` + execArgs []string `bson:"execArgs"` +} + +type Process struct { + timestamp time.Time `bson:"start_timestamp"` + ppid int `bson:"ppid"` + parentTgid int `bson:"parentTgid"` + pid int `bson:"pid"` + tgid int `bson:"tgid"` + args []string `bson:"args"` + comm string `bson:"comm"` + cwd string `bson:"cwd"` + execve []Exec `bson:"execve"` + exit_code int `bson:"exit_code"` + exit_signal int `bson:"exit_signal"` + exit_timestamp time.Time `bson:"exit_timestamp"` +} + +func (p Process) String() string { + var res string + res = "" + res += fmt.Sprintf("timestamp\t%v\n", p.timestamp) + res += fmt.Sprintf("ppid\t%d\nparentTgid\t%d\n", p.ppid, p.parentTgid) + res += fmt.Sprintf("pid\t%d\ntgid\t%d\nargs: ", p.pid, p.tgid) + for i := 0; i < len(p.args); i++ { + res += fmt.Sprintf("%s ", p.args[i]) + } + res += fmt.Sprintf("\ncomm\t%s\ncwd\t%s\n", p.comm, p.cwd) + return res +} + +// type Process struct { +// StartTimestamp time.Time `bson:"start_timestamp"` +// Ppid *int `bson:"ppid"` +// ParentTgid *int `bson:"parentTgid"` +// Pid int `bson:"pid"` +// Tgid int `bson:"tgid"` +// Args []string `bson:"args"` +// Comm *string `bson:"comm"` +// Cwd *string `bson:"cwd"` +// Execve []Exec `bson:"execve"` +// ExitCode *int `bson:"exit_code"` +// ExitSignal *int `bson:"exit_signal"` +// ExitTimestamp *time.Time `bson:"exit_timestamp"` +// } + +// func (p Process) String() string { +// var res string +// res = "" +// res += fmt.Sprintf("timestamp\t%v\n", p.StartTimestamp) +// if p.Ppid != nil && p.ParentTgid != nil { +// res += fmt.Sprintf("ppid\t%d\nparentTgid\t%d\n", *(p.Ppid), *(p.ParentTgid)) +// } +// res += fmt.Sprintf("pid\t%d\ntgid\t%d\nargs: ", p.Pid, p.Tgid) +// for i := 0; i < len(p.Args); i++ { +// res += fmt.Sprintf("%s ", p.Args[i]) +// } +// if p.Comm != nil && p.Cwd != nil { +// res += fmt.Sprintf("\ncomm\t%s\ncwd\t%s\n", *(p.Comm), *(p.Cwd)) +// } +// return res +// } + +func main() { + client, err := mongo.Connect(context.TODO(), options.Client().ApplyURI("mongodb://localhost:27017")) + if err != nil { + fmt.Fprintf(os.Stderr, "Err connecting mongodb: %v\n", err) + } + defer client.Disconnect(context.TODO()) + + // 检查连接 + err = client.Ping(context.TODO(), readpref.Primary()) + if err != nil { + log.Fatal(err) + } + + pidCol := client.Database("test").Collection("pids") + cur, err := pidCol.Find(context.TODO(), bson.M{}) // 查询所有文档 + if err != nil { + log.Fatal(err) + } + defer cur.Close(context.TODO()) // 确保游标被关闭 + + var res []Process + for cur.Next(context.TODO()) { + var tmp Process + // 解码到Process结构体 + if err := cur.Decode(&tmp); err != nil { + log.Fatal(err) + } + res = append(res, tmp) + } + + if err := cur.Err(); err != nil { + log.Fatal(err) + } + + for i := 0; i < len(res); i++ { + fmt.Printf("------\n%v\n", res[i]) + } +} diff --git a/filter/go.mod b/filter/go.mod new file mode 100644 index 0000000..4e9c553 --- /dev/null +++ b/filter/go.mod @@ -0,0 +1,18 @@ +module filter + +go 1.21.5 + +require go.mongodb.org/mongo-driver v1.16.1 + +require ( + github.com/golang/snappy v0.0.4 // indirect + github.com/klauspost/compress v1.13.6 // indirect + github.com/montanaflynn/stats v0.7.1 // indirect + github.com/xdg-go/pbkdf2 v1.0.0 // indirect + github.com/xdg-go/scram v1.1.2 // indirect + github.com/xdg-go/stringprep v1.0.4 // indirect + github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/text v0.14.0 // indirect +) diff --git a/filter/go.sum b/filter/go.sum new file mode 100644 index 0000000..3bc8cc9 --- /dev/null +++ b/filter/go.sum @@ -0,0 +1,50 @@ +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE= +github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= +github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c= +github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= +github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY= +github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= +github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8= +github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d h1:splanxYIlg+5LfHAM6xpdFEAYOk8iySO56hMFq6uLyA= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4l8= +go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/listener/audit.go b/listener/audit.go new file mode 100644 index 0000000..ed48691 --- /dev/null +++ b/listener/audit.go @@ -0,0 +1,84 @@ +package main + +import ( + "fmt" + "io" + "log" + "os" + + "github.com/elastic/go-libaudit/v2" +) + +func read() error { + // Write netlink response to a file for further analysis or for writing + // tests cases. + var diagWriter io.Writer + if *diag != "" { + f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600) + if err != nil { + return err + } + defer f.Close() + diagWriter = f + } + + log.Println("starting netlink client") + + var err error + var client *libaudit.AuditClient + if *receiveOnly { + client, err = libaudit.NewMulticastAuditClient(diagWriter) + if err != nil { + return fmt.Errorf("failed to create receive-only audit client: %w", err) + } + defer client.Close() + } else { + client, err = libaudit.NewAuditClient(diagWriter) + if err != nil { + return fmt.Errorf("failed to create audit client: %w", err) + } + defer client.Close() + + status, err := client.GetStatus() + if err != nil { + return fmt.Errorf("failed to get audit status: %w", err) + } + log.Printf("received audit status=%+v", status) + + if status.Enabled == 0 { + log.Println("enabling auditing in the kernel") + if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil { + return fmt.Errorf("failed to set enabled=true: %w", err) + } + } + + if status.RateLimit != uint32(*rate) { + log.Printf("setting rate limit in kernel to %v", *rate) + if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil { + return fmt.Errorf("failed to set rate limit to unlimited: %w", err) + } + } + + if status.BacklogLimit != uint32(*backlog) { + log.Printf("setting backlog limit in kernel to %v", *backlog) + if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil { + return fmt.Errorf("failed to set backlog limit: %w", err) + } + } + + if status.Enabled != 2 && *immutable { + log.Printf("setting kernel settings as immutable") + if err = client.SetImmutable(libaudit.NoWait); err != nil { + return fmt.Errorf("failed to set kernel as immutable: %w", err) + } + } + + log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid()) + if err = client.SetPID(libaudit.NoWait); err != nil { + return fmt.Errorf("failed to set audit PID: %w", err) + } + } + + coroutine(client) + return nil +} diff --git a/listener/basefunc.go b/listener/basefunc.go new file mode 100644 index 0000000..2f39507 --- /dev/null +++ b/listener/basefunc.go @@ -0,0 +1,129 @@ +package main + +import ( + "bufio" + "fmt" + "os" + "os/exec" + "path/filepath" + "strconv" + "strings" + "time" +) + +func figureOutSyscalls() error { + cmd := exec.Command("ausyscall", "--dump") + stdout, err := cmd.StdoutPipe() + if err != nil { + return err + } + + if err := cmd.Start(); err != nil { + return err + } + + scanner := bufio.NewScanner(stdout) + for i := 0; scanner.Scan(); i++ { + if i == 0 { + continue + } + line := scanner.Text() + parts := strings.Split(line, "\t") + if len(parts) != 2 { + return fmt.Errorf("invalid ausyscall format") + } + num, err := strconv.Atoi(parts[0]) + if err != nil { + return err + } + syscallTable[num] = parts[1] + } + + if err := scanner.Err(); err != nil { + return err + } + if err := cmd.Wait(); err != nil { + return err + } + return nil +} + +func getPid() (int, error) { + // 指定要搜索的关键词 + keyword := "/usr/bin/containerd" + + // 获取/proc目录下的所有子目录 + procDir, err := filepath.Glob("/proc/*") + if err != nil { + return 0, err + } + + // 遍历子目录,查找包含关键词的进程 + for _, dir := range procDir { + pid, err := strconv.Atoi(filepath.Base(dir)) + if err != nil { + continue // 跳过非PID的目录 + } + + // 检查进程是否包含关键词 + if containsKeyword(pid, keyword) { + return pid, nil + } + } + err = fmt.Errorf("Error: no containerd process found.") + return 0, err +} + +func containsKeyword(pid int, keyword string) bool { + // 构造完整的进程命令路径 + cmdPath := fmt.Sprintf("/proc/%d/cmdline", pid) + + // 打开文件 + file, err := os.Open(cmdPath) + if err != nil { + return false + } + defer file.Close() + + // 读取文件内容 + scanner := bufio.NewScanner(file) + scanner.Split(bufio.ScanLines) + for scanner.Scan() { + line := scanner.Text() + if strings.Contains(line, keyword) { + return true + } + } + return false +} + +func getTimeFromStr(timeStr string) (time.Time, error) { + timestampFloat, err := strconv.ParseFloat(timeStr, 64) + if err != nil { + return time.Unix(0, 0), err + } + secs := int64(timestampFloat) + nsecs := int64((timestampFloat - float64(secs)) * 1e9) + + // 只精确到毫秒就够了 + t := time.Unix(secs, nsecs).Truncate(time.Millisecond) + return t, nil +} + +func hexToAscii(hexString string) string { + bytes := []byte{} + for i := 0; i < len(hexString); i += 2 { + hexPair := hexString[i : i+2] + // 将十六进制数转换为十进制数 + decimal, err := strconv.ParseInt(hexPair, 16, 8) + if err != nil { + return "Invalid hex string" + } + char := byte(decimal) + bytes = append(bytes, char) + } + + asciiString := strings.ReplaceAll(string(bytes), "\000", " ") + + return asciiString +} diff --git a/listener/deal.go b/listener/deal.go new file mode 100644 index 0000000..8f77431 --- /dev/null +++ b/listener/deal.go @@ -0,0 +1,269 @@ +package main + +import ( + "fmt" + "os" + "syscall" + "time" + + "go.mongodb.org/mongo-driver/bson" +) + +const ( + dbName string = "test" + pidColName string = "pids" + fdColName string = "fds" + fileColName string = "files" +) + +var pidCol, fdCol, fileCol mongoClient +var err error + +func deal() { + defer wg.Done() + var cooked Event + var ok bool + + if err = pidCol.init(dbName, pidColName); err != nil { + fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) + return + } + err = pidCol.InsertOne(Process{ + Ppid: 1, + Pid: containerdPid, + Cwd: "/", + Children: make([]int, 0), + Star: true, + }) + if err != nil { + fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) + return + } + + if err = fdCol.init(dbName, fdColName); err != nil { + fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) + return + } + if err = fileCol.init(dbName, fileColName); err != nil { + fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) + } + + defer pidCol.Disconnect() + defer fdCol.Disconnect() + defer fileCol.Disconnect() + + for { + cooked, ok = <-cookedChan + if !ok { + break + } + + switch cooked.tag { + case NEWPID: + go dealNewPid(cooked) + case EXECVE: + go dealExecve(cooked) + case PIDEXIT: + go deletePid(cooked) + case FILEOPEN: + go fileOpen(cooked) + case FILEWRITE: + go fileWrite(cooked) + case FILECLOSE: + go fileClose(cooked) + case PIVOTROOT: + go pivotRoot(cooked) + } + } +} + +func deletePid(cooked Event) { + // 在这套逻辑里,孩子是不需要收容的,因为我们根本就不看ppid来工作 + // 父节点那里也不需要销户 + // 理论上这里需要关闭所有文件描述符,但为了处理效率,留给后续流程 + err := pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ + "$set": bson.M{ + "exit_timestamp": cooked.timestamp, + "exit_code": cooked.exit_code, + "exit_signal": cooked.exit_signal, + }, + }) + if err != nil { + fmt.Fprintf(os.Stderr, "Err updating: %v\n", err) + } +} + +func dealNewPid(cooked Event) { + // 自身是否已经记录 + var docRes []Process + err = pidCol.Finddoc(bson.M{"pid": cooked.pid}, &docRes) + if err != nil { + fmt.Fprintf(os.Stderr, "Err finding: %v\n", err) + return + } + + if len(docRes) != 0 { + // 进程原本就存在,换言之别的消息先到了 + // 所有先行抵达的消息必须保留execve/children字段 + docRes[0].Ppid = cooked.ppid + docRes[0].ParentTgid = cooked.parentTgid + docRes[0].Pid = cooked.pid + docRes[0].Tgid = cooked.tgid + docRes[0].Cwd = cooked.cwd + docRes[0].Comm = cooked.comm + docRes[0].Args = cooked.argv + + err := pidCol.ReplaceOne(bson.M{"pid": cooked.pid}, docRes[0]) + if err != nil { + fmt.Fprintf(os.Stderr, "Err replaceing: %v\n", err) + } + } else { + // 这进程本是新修的 + err := pidCol.InsertOne(Process{ + StartTimestamp: cooked.timestamp, + Ppid: cooked.ppid, + ParentTgid: cooked.parentTgid, + Pid: cooked.pid, + Tgid: cooked.tgid, + Args: cooked.argv, + Comm: cooked.comm, + Cwd: cooked.cwd, + Execve: make([]Exec, 0), + Children: make([]int, 0), + }) + if err != nil { + fmt.Fprintf(os.Stderr, "Err inserting: %v\n", err) + } + } + + err := pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{ + "$push": bson.M{ + "children": cooked.pid, + }, + }) + if err != nil { + fmt.Fprintf(os.Stderr, "Err updating: %v\n", err) + } +} + +func dealExecve(cooked Event) { + var docRes []Process + // 首先检查进程是否存在,如不存在则为之创建 + err = pidCol.Finddoc(bson.M{"pid": cooked.pid}, &docRes) + if err != nil { + return + } + + if len(docRes) == 1 { + // 自身已在,直接记录 + docRes[0].Execve = append(docRes[0].Execve, Exec{ + Timestamp: cooked.timestamp, + ExecArgs: cooked.argv, + }) + + err := pidCol.ReplaceOne(bson.M{"pid": cooked.pid}, docRes[0]) + if err != nil { + fmt.Fprintf(os.Stderr, "Err replacing: %v\n", err) + } + } else { + // 先fork抵达,插入 + process := Process{ + Ppid: cooked.ppid, + Pid: cooked.pid, + Execve: make([]Exec, 0), + Children: make([]int, 0), + } + process.Execve = append(process.Execve, Exec{ + Timestamp: cooked.timestamp, + ExecArgs: cooked.argv, + }) + + err := pidCol.InsertOne(process) + if err != nil { + fmt.Fprintf(os.Stderr, "Err inserting: %v\n", err) + } + } +} + +func fileOpen(cooked Event) { + // 权限检查过了,不必再查 + file := File{ + OpenTimestamp: cooked.timestamp, + FileName: cooked.srcPath, + Pid: cooked.pid, + Fd: cooked.exit_code, + Flags: cooked.syscallParam, + Written: make([]time.Time, 0), + } + if cooked.syscallParam[1]&syscall.O_TRUNC != 0 { + // 文件以清空方式打开 + file.Written = append(file.Written, cooked.timestamp) + } + + err := fdCol.InsertOne(file) + if err != nil { + fmt.Fprintf(os.Stderr, "Err inserting: %v\n", err) + } +} + +func fileClose(cooked Event) { + res, err := fdCol.FindOneAndDelete(bson.M{"pid": cooked.pid, "fd": cooked.syscallParam[0]}) + if err != nil { + return + } + res["close_timestamp"] = cooked.timestamp + + err = fileCol.InsertOne(res) + if err != nil { + fmt.Fprintf(os.Stderr, "Err inserting files: %v\n", err) + } +} + +func fileWrite(cooked Event) { + var res []File + err := fdCol.Finddoc(bson.M{ + "pid": cooked.pid, + "fd": cooked.syscallParam[0], + }, &res) + if err != nil { + fmt.Fprintf(os.Stderr, "Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err) + } + if len(res) == 0 { + return + } + + err = fdCol.UpdateOne(bson.M{ + "pid": cooked.pid, + "fd": cooked.syscallParam[0], + }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) + if err != nil { + fmt.Fprintf(os.Stderr, "Err updating: %v\n", err) + } +} + +func pivotRoot(cooked Event) { + var docRes []Process + // docker的根目录信息,记录 + err := pidCol.Finddoc(bson.M{"pid": cooked.pid}, &docRes) + if err != nil { + fmt.Fprintf(os.Stderr, "Err finding: %v\n", err) + return + } + + if len(docRes) == 0 { + // fork还没到,等一下 + pidCol.InsertOne(bson.M{ + "start_timestamp": cooked.timestamp, + "ppid": cooked.ppid, + "pid": cooked.pid, + "rootfs": "cwd", + }) + } else { + // 读取已有的工作目录 + pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ + "$set": bson.M{ + "rootfs": docRes[0].Cwd, + }, + }) + } +} diff --git a/listener/global.go b/listener/global.go new file mode 100644 index 0000000..11b18bf --- /dev/null +++ b/listener/global.go @@ -0,0 +1,84 @@ +package main + +import ( + "sync" + "time" +) + +type eventType int + +const ( + NEWPID eventType = iota + PIDEXIT + EXECVE + FILEOPEN + FILECLOSE + FILEWRITE + PIVOTROOT + TYPENUM +) + +func (et eventType) String() string { + names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "PIVOTROOT", "TYPENUM"} + if et < NEWPID || et > TYPENUM { + return "Unknown" + } + return names[et] +} + +type Event struct { + tag eventType + timestamp time.Time + pid, tgid int + ppid, parentTgid int + syscall int + syscallParam [4]uint64 + argc int + argv []string + comm string + cwd string + exit_code int + exit_signal int + srcPath string + destPath string +} + +var wg sync.WaitGroup // 掌管协程 +var rawChan chan interface{} // 从接收到整理的管道 +var cookedChan chan Event // 整理好的信息的管道 +var syscallTable [500]string //记录一下系统调用 +var containerdPid int + +// 插入到数据库的结构 +type Exec struct { + Timestamp time.Time `bson:"timestamp"` + ExecArgs []string `bson:"execArgs"` +} + +type Process struct { + Star bool `bson:"star"` + StartTimestamp time.Time `bson:"start_timestamp"` + Ppid int `bson:"ppid"` + ParentTgid int `bson:"parentTgid"` + Pid int `bson:"pid"` + Tgid int `bson:"tgid"` + Args []string `bson:"args"` + Comm string `bson:"comm"` + RootFS string `bson:"rootfs"` + Cwd string `bson:"cwd"` + Children []int `bson:"children"` + Execve []Exec `bson:"execve"` + ExitCode int `bson:"exit_code"` + ExitSignal int `bson:"exit_signal"` + ExitTimestamp time.Time `bson:"exit_timestamp"` +} + +type File struct { + OpenTimestamp time.Time `bson:"timestamp"` + FileName string `bson:"fileName"` + Pid int `bson:"pid"` + Fd int `bson:"fd"` + Flags [4]uint64 `bson:"flags"` + Written []time.Time `bson:"written"` + CloseTimestamp time.Time `bson:"close_timestamp"` +} diff --git a/listener/go.mod b/listener/go.mod new file mode 100644 index 0000000..ed40331 --- /dev/null +++ b/listener/go.mod @@ -0,0 +1,26 @@ +module godo + +go 1.21.5 + +require ( + github.com/elastic/go-libaudit/v2 v2.5.0 + github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 + go.mongodb.org/mongo-driver v1.16.0 +) + +require ( + github.com/golang/snappy v0.0.4 // indirect + github.com/klauspost/compress v1.13.6 // indirect + github.com/montanaflynn/stats v0.7.1 // indirect + github.com/xdg-go/pbkdf2 v1.0.0 // indirect + github.com/xdg-go/scram v1.1.2 // indirect + github.com/xdg-go/stringprep v1.0.4 // indirect + github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect + go.uber.org/atomic v1.7.0 // indirect + go.uber.org/multierr v1.7.0 // indirect + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/sys v0.19.0 // indirect + golang.org/x/text v0.14.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect +) diff --git a/listener/go.sum b/listener/go.sum new file mode 100644 index 0000000..9164cd3 --- /dev/null +++ b/listener/go.sum @@ -0,0 +1,96 @@ +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/elastic/go-libaudit/v2 v2.5.0 h1:5OK919QRnGtcjVBz3n/cs5F42im1mPlVTA9TyIn2K54= +github.com/elastic/go-libaudit/v2 v2.5.0/go.mod h1:AjlnhinP+kKQuUJoXLVrqxBM8uyhQmkzoV6jjsCFP4Q= +github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4= +github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= +github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= +github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= +github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= +github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE= +github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c= +github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= +github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY= +github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= +github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8= +github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d h1:splanxYIlg+5LfHAM6xpdFEAYOk8iySO56hMFq6uLyA= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= +github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.mongodb.org/mongo-driver v1.16.0 h1:tpRsfBJMROVHKpdGyc1BBEzzjDUWjItxbVSZ8Ls4BQ4= +go.mongodb.org/mongo-driver v1.16.0/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw= +go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec= +go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/listener/go.work b/listener/go.work new file mode 100644 index 0000000..5b6c957 --- /dev/null +++ b/listener/go.work @@ -0,0 +1,6 @@ +go 1.21.5 + +use ( + ./netlink + ./ +) \ No newline at end of file diff --git a/listener/go.work.sum b/listener/go.work.sum new file mode 100644 index 0000000..8201e39 --- /dev/null +++ b/listener/go.work.sum @@ -0,0 +1,4 @@ +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= diff --git a/listener/godo.go b/listener/godo.go new file mode 100644 index 0000000..efe9585 --- /dev/null +++ b/listener/godo.go @@ -0,0 +1,176 @@ +package main + +import ( + "bufio" + "flag" + "fmt" + "log" + "netlink" + "os" + "os/exec" + "strings" + "syscall" + "time" + + "github.com/elastic/go-libaudit/v2" +) + +var ( + fs = flag.NewFlagSet("audit", flag.ExitOnError) + diag = fs.String("diag", "", "dump raw information from kernel to file") + rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)") + backlog = fs.Uint("backlog", 8192, "backlog limit") + immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)") + receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+") +) + +func main() { + // 检查用户身份,并添加auditd规则,监听所有syscall + if os.Geteuid() != 0 { + fmt.Fprintf(os.Stderr, "Err: Please run me as root, %d!\n", os.Getegid()) + return + } + + // 所有的系统调用号与名称的关系 + err := figureOutSyscalls() + if err != nil { + fmt.Fprintf(os.Stderr, "Error figuring out syscall numbers: %v\n", err) + } + + exec.Command("auditctl", "-D").Run() + exec.Command("auditctl", "-b", "1000000000").Run() + exec.Command("auditctl", "--reset-lost").Run() + + var auditCmd *exec.Cmd + + pidSyscall := []string{"execve", "pivot_root"} + // // 设置监听规则 + for i := 0; i < len(pidSyscall); i++ { + auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) + auditCmd.Run() + } + + // 监听文件的消息 + fileSyscall := []string{"open", "close", "write"} + // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"} + for i := 0; i < len(fileSyscall); i++ { + auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i]) + auditCmd.Run() + } + + // 查找pid + containerdPid, err = getPid() + if err != nil { + fmt.Fprintf(os.Stderr, "Error finding containerd: %v\n", err) + return + } + + // 开始运行,解析命令行参数后监听 + if err := fs.Parse(os.Args[1:]); err != nil { + log.Fatal(err) + } + + if err := read(); err != nil { + log.Fatalf("error: %v", err) + } +} + +func coroutine(client *libaudit.AuditClient) { + // 各协程至此开始 + rawChan = make(chan interface{}, 65536) + cookedChan = make(chan Event, 65536) + + wg.Add(1) + go procWatch() + + wg.Add(1) + go receive(client) + wg.Add(1) + go orgnaze() + wg.Add(1) + go deal() + + wg.Wait() + time.Sleep(2 * time.Second) +} + +func procWatch() error { + ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345) + if err != nil { + fmt.Fprintf(os.Stderr, "Error creating socket: %v\n", err) + return err + } + defer ns.Close() + for { + res, err := ns.Receive(20) + if err != nil { + fmt.Fprintf(os.Stderr, "Error recv: %v\n", err) + continue + } + for i := 0; i < len(res); i++ { + procEvent := netlink.ParseProcEvent(res[i].Data) + switch procEvent.What { + case netlink.PROC_EVENT_FORK: + data := procEvent.Data.(netlink.ProcEventFork) + cooked := Event{ + tag: NEWPID, + timestamp: time.Now(), + pid: int(data.ChildPid), + tgid: int(data.ChildTgid), + ppid: int(data.ParentPid), + parentTgid: int(data.ParentTgid), + } + checkProc(&cooked) + cookedChan <- cooked + case netlink.PROC_EVENT_EXIT: + data := procEvent.Data.(netlink.ProcEventExit) + cooked := Event{ + tag: PIDEXIT, + timestamp: time.Now(), + pid: int(data.ProcessPid), + exit_code: int(data.ExitCode), + exit_signal: int(data.ExitSignal), + } + cookedChan <- cooked + default: + } + } + } +} + +func checkProc(pCooked *Event) { + fileName := fmt.Sprintf("/proc/%d/task/%d/", pCooked.tgid, pCooked.pid) + fd, err := os.Open(fileName + "cmdline") + if err != nil { + fmt.Fprintf(os.Stderr, "Err: %v\n", err) + return + } + + scanner := bufio.NewScanner(fd) + scanner.Split(bufio.ScanLines) + for scanner.Scan() { + line := scanner.Text() + pCooked.argv = append(pCooked.argv, strings.Split(line, "\x00")...) + } + pCooked.argc = len(pCooked.argv) + fd.Close() + + fd, err = os.Open(fileName + "comm") + if err != nil { + fmt.Fprintf(os.Stderr, "Err: %v\n", err) + return + } + scanner = bufio.NewScanner(fd) + scanner.Split(bufio.ScanLines) + for scanner.Scan() { + line := scanner.Text() + pCooked.comm = line + } + fd.Close() + + pCooked.cwd, err = os.Readlink(fileName + "cwd") + if err != nil { + fmt.Fprintf(os.Stderr, "Err: %v\n", err) + pCooked.cwd = "" + } +} diff --git a/listener/mongo.go b/listener/mongo.go new file mode 100644 index 0000000..a51350e --- /dev/null +++ b/listener/mongo.go @@ -0,0 +1,122 @@ +package main + +import ( + "context" + "fmt" + "reflect" + "time" + + "go.mongodb.org/mongo-driver/bson" + "go.mongodb.org/mongo-driver/mongo" + "go.mongodb.org/mongo-driver/mongo/options" +) + +type mongoClient struct { + dbName, colName string + client *mongo.Client + col *mongo.Collection +} + +func (mc *mongoClient) init(dbName, colName string) error { + var err error + if err = mc.Connect(dbName, colName); err != nil { + return err + } + if err = mc.Drop(); err != nil { + return err + } + + return nil +} + +func (mc *mongoClient) Connect(dbName, colName string) error { + var err error + mc.client, err = mongo.NewClient(options.Client().ApplyURI("mongodb://localhost:27017")) + + if err != nil { + return err + } + + ctx, _ := context.WithTimeout(context.Background(), 10*time.Second) + err = mc.client.Connect(ctx) + if err != nil { + return err + } + + mc.col = mc.client.Database(dbName).Collection(colName) + mc.dbName = dbName + mc.colName = colName + return nil +} + +func (mc *mongoClient) InsertOne(document interface{}) error { + _, err := mc.col.InsertOne(context.Background(), document) + return err +} + +func (mc *mongoClient) UpdateOne(filter, update interface{}) error { + _, err := mc.col.UpdateOne(context.Background(), filter, update) + return err +} + +func (mc *mongoClient) UpdateMany(filter, update interface{}) error { + _, err := mc.col.UpdateMany(context.Background(), filter, update) + return err +} + +func (mc *mongoClient) ReplaceOne(filter, new interface{}) error { + _, err := mc.col.ReplaceOne(context.Background(), filter, new) + return err +} + +func (mc *mongoClient) Finddoc(filter bson.M, results interface{}) error { + sliceValue := reflect.ValueOf(results) + + if sliceValue.Kind() != reflect.Ptr || sliceValue.Elem().Kind() != reflect.Slice { + return fmt.Errorf("Error: result argument must be pointer to slice") + } + cur, err := mc.col.Find(context.TODO(), filter) + if err != nil { + return err + } + defer cur.Close(context.TODO()) + + elemType := sliceValue.Elem().Type().Elem() + + sliceValue = sliceValue.Elem() + + for cur.Next(context.TODO()) { + elem := reflect.New(elemType).Interface() + err := cur.Decode(elem) + if err != nil { + return err + } + sliceValue = reflect.Append(sliceValue, reflect.ValueOf(elem).Elem()) + } + + reflect.ValueOf(results).Elem().Set(sliceValue) + return nil +} + +func (mc *mongoClient) FindOneAndDelete(filter bson.M) (bson.M, error) { + res := mc.col.FindOneAndDelete(context.Background(), filter) + var result bson.M + err := res.Decode(&result) + return result, err +} + +func (mc *mongoClient) Drop() error { + return mc.col.Drop(context.Background()) +} + +func (mc *mongoClient) Disconnect() error { + err := mc.client.Disconnect(context.Background()) + if err != nil { + return err + } + mc.col = nil + mc.client = nil + mc.dbName = "" + mc.colName = "" + return nil +} diff --git a/listener/netlink b/listener/netlink new file mode 160000 index 0000000..e53c272 --- /dev/null +++ b/listener/netlink @@ -0,0 +1 @@ +Subproject commit e53c2724725c5991cdd9ea088c26832c5c9fcf0d diff --git a/listener/organize.go b/listener/organize.go new file mode 100644 index 0000000..0c05eb4 --- /dev/null +++ b/listener/organize.go @@ -0,0 +1,291 @@ +package main + +import ( + "fmt" + "os" + "regexp" + "strconv" + "strings" + "sync" + "syscall" + + "github.com/elastic/go-libaudit/v2" + "github.com/elastic/go-libaudit/v2/auparse" +) + +// 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的 +var eventTable sync.Map + +// 事件信息 +var tmp any +var ok bool +var event Event +var pEvent *Event +var eventId, argc int + +// 要用的正则匹配列表 +var ( + syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`) + execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) + argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) + pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)" .*objtype=([A-Z]+) `) + cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) + proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) + eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) +) + +func orgnaze() { + defer wg.Done() + defer close(cookedChan) + // 接收信息 + var raw interface{} + var rawEvent libaudit.RawAuditMessage + + for { + raw, ok = <-rawChan + if !ok { + break + } + rawEvent = raw.(libaudit.RawAuditMessage) + // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data) + + switch rawEvent.Type { + case auparse.AUDIT_SYSCALL: + syscallRaw(rawEvent) + case auparse.AUDIT_EXECVE: + execve(rawEvent) + case auparse.AUDIT_CWD: + cwd(rawEvent) + case auparse.AUDIT_PATH: + path(rawEvent) + case auparse.AUDIT_PROCTITLE: + proctitle(rawEvent) + case auparse.AUDIT_EOE: + eoe(rawEvent) + default: + } + } +} + +func syscallRaw(rawEvent libaudit.RawAuditMessage) { + if !syscallRegex.Match(rawEvent.Data) { + return + } + + var exit int + var a [4]uint64 + var subj [4]string + // 捕获基础信息 + match := syscallRegex.FindSubmatch(rawEvent.Data) + event.timestamp, _ = getTimeFromStr(string(match[1])) + eventId, _ = strconv.Atoi(string(match[2])) + event.syscall, _ = strconv.Atoi(string(match[3])) + if string(match[4]) == "" { + // exit没捕获到 + exit = 0 + } else { + exit, _ = strconv.Atoi(string(match[4])) + } + event.ppid, _ = strconv.Atoi(string(match[5])) + event.pid, _ = strconv.Atoi(string(match[6])) + + // 几个subj,说不定会有用 + for i := 0; i < 4; i++ { + subj[i] = string(match[7+i]) + } + + // 捕获参数 + if !argsRegex.Match(rawEvent.Data) { + fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n") + return + } + argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) + for i := 0; i < 4; i++ { + a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) + } + + switch syscallTable[event.syscall] { + case "execve": + eventTable.Store(eventId, &Event{ + tag: EXECVE, + timestamp: event.timestamp, + syscall: event.syscall, + // exit_code: a[0], // 为啥这么写? + ppid: event.ppid, + pid: event.pid, + argc: 0, + argv: make([]string, 0), + cwd: "", + }) + case "open": + // 检查打开的权限 + if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 { + break + } + // TRUNC应该被直接标记为改变,而不是打开 + eventTable.Store(eventId, &Event{ + tag: FILEOPEN, + timestamp: event.timestamp, + syscall: event.syscall, + exit_code: exit, + ppid: event.ppid, + pid: event.pid, + argc: 0, + argv: make([]string, 0), + cwd: "", + syscallParam: a, + srcPath: "", + }) + case "write": + eventTable.Store(eventId, &Event{ + tag: FILEWRITE, + timestamp: event.timestamp, + syscall: event.syscall, + exit_code: exit, + ppid: event.ppid, + pid: event.pid, + argc: 0, + argv: make([]string, 0), + cwd: "", + syscallParam: a, + }) + case "close": + // 文件关闭 + eventTable.Store(eventId, &Event{ + tag: FILECLOSE, + timestamp: event.timestamp, + syscall: event.syscall, + exit_code: exit, + ppid: event.ppid, + pid: event.pid, + argc: 0, + argv: make([]string, 0), + cwd: "", + syscallParam: a, + }) + case "pivot_root": + if subj[2] == "container_runtime_t" { + eventTable.Store(eventId, &Event{ + tag: PIVOTROOT, + timestamp: event.timestamp, + syscall: event.syscall, + ppid: event.ppid, + pid: event.pid, + syscallParam: a, + }) + } + } +} + +func execve(rawEvent libaudit.RawAuditMessage) { + if !execveRegex.Match(rawEvent.Data) { + return + } + + match := execveRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + argc, _ = strconv.Atoi(string(match[2])) + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + pEvent = tmp.(*Event) + if argsRegex.Match(rawEvent.Data) { + match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) + for i := 0; i < argc; i++ { + if len(match[i][2]) == 0 { + // 代表着匹配到的是十六进制数 + str := hexToAscii(string(match[i][3])) + pEvent.argv = append(pEvent.argv, str) + } else { + pEvent.argv = append(pEvent.argv, string(match[i][2])) + } + } + pEvent.argc = argc + } +} + +func cwd(rawEvent libaudit.RawAuditMessage) { + if !cwdRegex.Match(rawEvent.Data) { + return + } + + match := cwdRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + tmp.(*Event).cwd = string(match[2]) +} + +func proctitle(rawEvent libaudit.RawAuditMessage) { + if !proctitleRegex.Match(rawEvent.Data) { + return + } + + var cmdline string + match := proctitleRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + pEvent = tmp.(*Event) + if pEvent.argc == 0 { + // 只有等于0,才证明没经过EXECVE提取参数,才允许使用PROCTITLE提取参数 + if match[3] == nil { + // PROCTITLE写的是十六进制,转换为字符串 + cmdline = hexToAscii(string(match[4])) + } else { + cmdline = string(match[3]) + } + pEvent.argv = strings.Split(cmdline, " ") + pEvent.argc = len(pEvent.argv) + } +} + +func eoe(rawEvent libaudit.RawAuditMessage) { + if !eoeRegex.Match(rawEvent.Data) { + return + } + + match := eoeRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + cooked := *(tmp.(*Event)) + cookedChan <- cooked + eventTable.Delete(eventId) // 死人别占地 +} + +func path(rawEvent libaudit.RawAuditMessage) { + if !pathRegex.Match(rawEvent.Data) { + return + } + match := pathRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + // item, _ := strconv.Atoi(string(match[2])) + name := string(match[3]) + objtype := string(match[4]) + + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + pEvent = tmp.(*Event) + + // 先看看是不是文件操作,再看是不是所在目录 + if pEvent.tag != FILEOPEN || objtype == "PARENT" { + return + } + + if pEvent.cwd == "/" || name[0] == '/' { + pEvent.srcPath = name + } else { + pEvent.srcPath = pEvent.cwd + "/" + name + } + // ATTENTION: 这里需要做路径简化,留给过滤清洗流程吧 +} diff --git a/listener/receive.go b/listener/receive.go new file mode 100644 index 0000000..c0dea00 --- /dev/null +++ b/listener/receive.go @@ -0,0 +1,29 @@ +package main + +import ( + "fmt" + + "github.com/elastic/go-libaudit/v2" + "github.com/elastic/go-libaudit/v2/auparse" + "github.com/mohae/deepcopy" +) + +func receive(r *libaudit.AuditClient) error { + defer wg.Done() + defer close(rawChan) + for { + rawEvent, err := r.Receive(false) + if err != nil { + return fmt.Errorf("receive failed: %w", err) + } + + // Messages from 1300-2999 are valid audit messages. + if rawEvent.Type < auparse.AUDIT_USER_AUTH || + rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 { + continue + } + + rawEventMessage := deepcopy.Copy(*rawEvent) + rawChan <- rawEventMessage + } +} diff --git a/src/audit.go b/src/audit.go deleted file mode 100644 index ed48691..0000000 --- a/src/audit.go +++ /dev/null @@ -1,84 +0,0 @@ -package main - -import ( - "fmt" - "io" - "log" - "os" - - "github.com/elastic/go-libaudit/v2" -) - -func read() error { - // Write netlink response to a file for further analysis or for writing - // tests cases. - var diagWriter io.Writer - if *diag != "" { - f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600) - if err != nil { - return err - } - defer f.Close() - diagWriter = f - } - - log.Println("starting netlink client") - - var err error - var client *libaudit.AuditClient - if *receiveOnly { - client, err = libaudit.NewMulticastAuditClient(diagWriter) - if err != nil { - return fmt.Errorf("failed to create receive-only audit client: %w", err) - } - defer client.Close() - } else { - client, err = libaudit.NewAuditClient(diagWriter) - if err != nil { - return fmt.Errorf("failed to create audit client: %w", err) - } - defer client.Close() - - status, err := client.GetStatus() - if err != nil { - return fmt.Errorf("failed to get audit status: %w", err) - } - log.Printf("received audit status=%+v", status) - - if status.Enabled == 0 { - log.Println("enabling auditing in the kernel") - if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil { - return fmt.Errorf("failed to set enabled=true: %w", err) - } - } - - if status.RateLimit != uint32(*rate) { - log.Printf("setting rate limit in kernel to %v", *rate) - if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil { - return fmt.Errorf("failed to set rate limit to unlimited: %w", err) - } - } - - if status.BacklogLimit != uint32(*backlog) { - log.Printf("setting backlog limit in kernel to %v", *backlog) - if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil { - return fmt.Errorf("failed to set backlog limit: %w", err) - } - } - - if status.Enabled != 2 && *immutable { - log.Printf("setting kernel settings as immutable") - if err = client.SetImmutable(libaudit.NoWait); err != nil { - return fmt.Errorf("failed to set kernel as immutable: %w", err) - } - } - - log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid()) - if err = client.SetPID(libaudit.NoWait); err != nil { - return fmt.Errorf("failed to set audit PID: %w", err) - } - } - - coroutine(client) - return nil -} diff --git a/src/basefunc.go b/src/basefunc.go deleted file mode 100644 index 2f39507..0000000 --- a/src/basefunc.go +++ /dev/null @@ -1,129 +0,0 @@ -package main - -import ( - "bufio" - "fmt" - "os" - "os/exec" - "path/filepath" - "strconv" - "strings" - "time" -) - -func figureOutSyscalls() error { - cmd := exec.Command("ausyscall", "--dump") - stdout, err := cmd.StdoutPipe() - if err != nil { - return err - } - - if err := cmd.Start(); err != nil { - return err - } - - scanner := bufio.NewScanner(stdout) - for i := 0; scanner.Scan(); i++ { - if i == 0 { - continue - } - line := scanner.Text() - parts := strings.Split(line, "\t") - if len(parts) != 2 { - return fmt.Errorf("invalid ausyscall format") - } - num, err := strconv.Atoi(parts[0]) - if err != nil { - return err - } - syscallTable[num] = parts[1] - } - - if err := scanner.Err(); err != nil { - return err - } - if err := cmd.Wait(); err != nil { - return err - } - return nil -} - -func getPid() (int, error) { - // 指定要搜索的关键词 - keyword := "/usr/bin/containerd" - - // 获取/proc目录下的所有子目录 - procDir, err := filepath.Glob("/proc/*") - if err != nil { - return 0, err - } - - // 遍历子目录,查找包含关键词的进程 - for _, dir := range procDir { - pid, err := strconv.Atoi(filepath.Base(dir)) - if err != nil { - continue // 跳过非PID的目录 - } - - // 检查进程是否包含关键词 - if containsKeyword(pid, keyword) { - return pid, nil - } - } - err = fmt.Errorf("Error: no containerd process found.") - return 0, err -} - -func containsKeyword(pid int, keyword string) bool { - // 构造完整的进程命令路径 - cmdPath := fmt.Sprintf("/proc/%d/cmdline", pid) - - // 打开文件 - file, err := os.Open(cmdPath) - if err != nil { - return false - } - defer file.Close() - - // 读取文件内容 - scanner := bufio.NewScanner(file) - scanner.Split(bufio.ScanLines) - for scanner.Scan() { - line := scanner.Text() - if strings.Contains(line, keyword) { - return true - } - } - return false -} - -func getTimeFromStr(timeStr string) (time.Time, error) { - timestampFloat, err := strconv.ParseFloat(timeStr, 64) - if err != nil { - return time.Unix(0, 0), err - } - secs := int64(timestampFloat) - nsecs := int64((timestampFloat - float64(secs)) * 1e9) - - // 只精确到毫秒就够了 - t := time.Unix(secs, nsecs).Truncate(time.Millisecond) - return t, nil -} - -func hexToAscii(hexString string) string { - bytes := []byte{} - for i := 0; i < len(hexString); i += 2 { - hexPair := hexString[i : i+2] - // 将十六进制数转换为十进制数 - decimal, err := strconv.ParseInt(hexPair, 16, 8) - if err != nil { - return "Invalid hex string" - } - char := byte(decimal) - bytes = append(bytes, char) - } - - asciiString := strings.ReplaceAll(string(bytes), "\000", " ") - - return asciiString -} diff --git a/src/deal.go b/src/deal.go deleted file mode 100644 index e553174..0000000 --- a/src/deal.go +++ /dev/null @@ -1,265 +0,0 @@ -package main - -import ( - "fmt" - "os" - "syscall" - - "go.mongodb.org/mongo-driver/bson" -) - -const ( - dbName string = "test" - pidColName string = "pids" - fdColName string = "fds" - fileColName string = "files" -) - -// var mongoMutex sync.Mutex -var pidCol, fdCol, fileCol mongoClient - -var docRes []bson.M -var err error - -func deal() { - defer wg.Done() - var cooked Event - var ok bool - - if err = pidCol.init(dbName, pidColName); err != nil { - fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) - return - } - err = pidCol.InsertOne(bson.M{ - "ppid": 1, - "pid": containerdPid, - "cwd": "/", - "children": []bson.M{}, - "daemon": true, - }) - if err != nil { - fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) - return - } - - if err = fdCol.init(dbName, fdColName); err != nil { - fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) - return - } - if err = fileCol.init(dbName, fileColName); err != nil { - fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err) - } - - fmt.Printf("Containerd: %d\n", containerdPid) - defer pidCol.Disconnect() - defer fdCol.Disconnect() - defer fileCol.Disconnect() - - for { - cooked, ok = <-cookedChan - if !ok { - break - } - - switch cooked.tag { - case NEWPID: - go dealNewPid(cooked) - case EXECVE: - go dealExecve(cooked) - case PIDEXIT: - go deletePid(cooked) - case FILEOPEN: - go fileOpen(cooked) - case FILEWRITE: - go fileWrite(cooked) - case FILECLOSE: - go fileClose(cooked) - case PIVOTROOT: - go pivotRoot(cooked) - } - } -} - -func deletePid(cooked Event) { - // 先从老爹那里销户 - pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{ - "$pull": bson.M{ - "children": cooked.pid, - }, - }) - - // 在这套逻辑里,孩子是不需要收容的,因为我们根本就不看ppid来工作 - - // 可以去死了 - pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ - "$set": bson.M{ - "exit_timestamp": cooked.timestamp, - "exit_code": cooked.exit_code, - "exit_signal": cooked.exit_signal, - }, - }) - - // 理论上这里需要关闭所有文件描述符,但为了处理效率,留给后续流程 -} - -func dealNewPid(cooked Event) { - // 自身是否已经记录 - docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) - if err != nil { - fmt.Fprintf(os.Stderr, "Err finding: %v\n", err) - return - } - - if len(docRes) != 0 { - // 进程原本就存在,换言之别的消息先到了 - // 所有先行抵达的消息必须保留execve/children字段 - // 此处不再更新 - // 以防把原有信息更没了 - pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ - "start_timestamp": cooked.timestamp, - "ppid": cooked.ppid, - "parentTgid": cooked.parentTgid, - "pid": cooked.pid, - "tgid": cooked.tgid, - "cwd": cooked.cwd, - // "execve": []bson.M{}, - "args": cooked.argv, - // "children": []bson.M{}, - }) - } else { - // 这进程本是新修的 - pidCol.InsertOne(bson.M{ - "start_timestamp": cooked.timestamp, - "ppid": cooked.ppid, - "parentTgid": cooked.parentTgid, - "pid": cooked.pid, - "tgid": cooked.tgid, - "cwd": cooked.cwd, - "execve": []bson.M{}, - "args": cooked.argv, - "children": []bson.M{}, - }) - } - - pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{ - "$push": bson.M{ - "children": cooked.pid, - }, - }) -} - -func dealExecve(cooked Event) { - // 父进程在不在?不在扔 - docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) - if err != nil || len(docRes) != 1 { - return - } - - // 首先检查进程是否存在,如不存在则为之创建 - docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) - if err != nil { - return - } - - if len(docRes) == 1 { - // 自身已在,直接记录 - pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ - "$push": bson.M{ - "execve": bson.M{ - "timestamp": cooked.timestamp, - "execArgs": cooked.argv, - }, - }, - }) - } else { - // 先fork抵达,插入 - pidCol.InsertOne(bson.M{ - "ppid": cooked.ppid, - "pid": cooked.pid, - "children": []bson.M{}, - "execve": []bson.M{ - { - "timestamp": cooked.timestamp, - "execArgs": cooked.argv, - }, - }, - }) - } -} - -func fileOpen(cooked Event) { - // 权限检查过了,不必再查 - fdCol.InsertOne(bson.M{ - "timestamp": cooked.timestamp, - "fileName": cooked.srcPath, - "pid": cooked.pid, - "fd": cooked.exit_code, - "flags": cooked.syscallParam, - "written": []bson.M{}, - }) - - if cooked.syscallParam[1]&syscall.O_TRUNC != 0 { - fdCol.UpdateOne(bson.M{"pid": cooked.pid, "fd": cooked.exit_code}, bson.M{ - "$push": bson.M{ - "written": cooked.timestamp, - }, - }) - } -} - -func fileClose(cooked Event) { - res, err := fdCol.FindOneAndDelete(bson.M{"pid": cooked.pid, "fd": cooked.syscallParam[0]}) - if err != nil { - return - } - res["close_timestamp"] = cooked.timestamp - if err := fileCol.InsertOne(res); err != nil { - fmt.Fprintf(os.Stderr, "Err inserting files: %v\n", err) - } -} - -func fileWrite(cooked Event) { - res, err := fdCol.Finddoc(bson.M{ - "pid": cooked.pid, - "fd": cooked.syscallParam[0], - "close_timestamp": bson.M{"$exists": false}, - }) - if err != nil { - fmt.Fprintf(os.Stderr, "Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err) - } - if len(res) == 0 { - return - } - fdCol.UpdateOne(bson.M{ - "pid": cooked.pid, - "fd": cooked.syscallParam[0], - "close_timestamp": bson.M{"$exists": false}, - }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) -} - -func pivotRoot(cooked Event) { - // docker的根目录信息,记录 - docRes, err := pidCol.Finddoc(bson.M{"pid": cooked.pid}) - if err != nil { - fmt.Fprintf(os.Stderr, "Err finding: %v\n", err) - return - } - - if len(docRes) == 0 { - // fork还没到,等一下 - pidCol.InsertOne(bson.M{ - "start_timestamp": cooked.timestamp, - "ppid": cooked.ppid, - "pid": cooked.pid, - "rootfs": "cwd", - }) - } else { - // 读取已有的工作目录 - cwd := docRes[0]["cwd"] - pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{ - "$set": bson.M{ - "rootfs": cwd, - }, - }) - } -} diff --git a/src/global.go b/src/global.go deleted file mode 100644 index 349ba6c..0000000 --- a/src/global.go +++ /dev/null @@ -1,49 +0,0 @@ -package main - -import ( - "sync" - "time" -) - -type eventType int - -const ( - NEWPID eventType = iota - PIDEXIT - EXECVE - FILEOPEN - FILECLOSE - FILEWRITE - PIVOTROOT - TYPENUM -) - -func (et eventType) String() string { - names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "PIVOTROOT", "TYPENUM"} - if et < NEWPID || et > TYPENUM { - return "Unknown" - } - return names[et] -} - -type Event struct { - tag eventType - timestamp time.Time - pid, tgid int - ppid, parentTgid int - syscall int - syscallParam [4]uint64 - argc int - argv []string - cwd string - exit_code uint64 - exit_signal int - srcPath string - destPath string -} - -var wg sync.WaitGroup // 掌管协程 -var rawChan chan interface{} // 从接收到整理的管道 -var cookedChan chan Event // 整理好的信息的管道 -var syscallTable [500]string //记录一下系统调用 -var containerdPid int diff --git a/src/go.mod b/src/go.mod deleted file mode 100644 index ed40331..0000000 --- a/src/go.mod +++ /dev/null @@ -1,26 +0,0 @@ -module godo - -go 1.21.5 - -require ( - github.com/elastic/go-libaudit/v2 v2.5.0 - github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 - go.mongodb.org/mongo-driver v1.16.0 -) - -require ( - github.com/golang/snappy v0.0.4 // indirect - github.com/klauspost/compress v1.13.6 // indirect - github.com/montanaflynn/stats v0.7.1 // indirect - github.com/xdg-go/pbkdf2 v1.0.0 // indirect - github.com/xdg-go/scram v1.1.2 // indirect - github.com/xdg-go/stringprep v1.0.4 // indirect - github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect - go.uber.org/atomic v1.7.0 // indirect - go.uber.org/multierr v1.7.0 // indirect - golang.org/x/crypto v0.22.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.19.0 // indirect - golang.org/x/text v0.14.0 // indirect - gopkg.in/yaml.v3 v3.0.1 // indirect -) diff --git a/src/go.sum b/src/go.sum deleted file mode 100644 index 9164cd3..0000000 --- a/src/go.sum +++ /dev/null @@ -1,96 +0,0 @@ -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/elastic/go-libaudit/v2 v2.5.0 h1:5OK919QRnGtcjVBz3n/cs5F42im1mPlVTA9TyIn2K54= -github.com/elastic/go-libaudit/v2 v2.5.0/go.mod h1:AjlnhinP+kKQuUJoXLVrqxBM8uyhQmkzoV6jjsCFP4Q= -github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4= -github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU= -github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= -github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= -github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= -github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= -github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= -github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= -github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= -github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= -github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE= -github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c= -github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= -github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY= -github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= -github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8= -github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= -github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d h1:splanxYIlg+5LfHAM6xpdFEAYOk8iySO56hMFq6uLyA= -github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= -github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -go.mongodb.org/mongo-driver v1.16.0 h1:tpRsfBJMROVHKpdGyc1BBEzzjDUWjItxbVSZ8Ls4BQ4= -go.mongodb.org/mongo-driver v1.16.0/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw= -go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec= -go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= -golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/src/go.work b/src/go.work deleted file mode 100644 index 5b6c957..0000000 --- a/src/go.work +++ /dev/null @@ -1,6 +0,0 @@ -go 1.21.5 - -use ( - ./netlink - ./ -) \ No newline at end of file diff --git a/src/go.work.sum b/src/go.work.sum deleted file mode 100644 index 8201e39..0000000 --- a/src/go.work.sum +++ /dev/null @@ -1,4 +0,0 @@ -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= -golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= -golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= diff --git a/src/godo.go b/src/godo.go deleted file mode 100644 index a30aa88..0000000 --- a/src/godo.go +++ /dev/null @@ -1,164 +0,0 @@ -package main - -import ( - "bufio" - "flag" - "fmt" - "log" - "netlink" - "os" - "os/exec" - "strings" - "syscall" - "time" - - "github.com/elastic/go-libaudit/v2" -) - -var ( - fs = flag.NewFlagSet("audit", flag.ExitOnError) - diag = fs.String("diag", "", "dump raw information from kernel to file") - rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)") - backlog = fs.Uint("backlog", 8192, "backlog limit") - immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)") - receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+") -) - -func main() { - // 检查用户身份,并添加auditd规则,监听所有syscall - if os.Geteuid() != 0 { - fmt.Fprintf(os.Stderr, "Err: Please run me as root, %d!\n", os.Getegid()) - return - } - - // 所有的系统调用号与名称的关系 - err := figureOutSyscalls() - if err != nil { - fmt.Fprintf(os.Stderr, "Error figuring out syscall numbers: %v\n", err) - } - - exec.Command("auditctl", "-D").Run() - exec.Command("auditctl", "-b", "1000000000").Run() - exec.Command("auditctl", "--reset-lost").Run() - - var auditCmd *exec.Cmd - - pidSyscall := []string{"execve", "pivot_root"} - // // 设置监听规则 - for i := 0; i < len(pidSyscall); i++ { - auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) - auditCmd.Run() - } - - // 监听文件的消息 - fileSyscall := []string{"open", "close", "write"} - // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"} - for i := 0; i < len(fileSyscall); i++ { - auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i]) - auditCmd.Run() - } - - // 查找pid - containerdPid, err = getPid() - if err != nil { - fmt.Fprintf(os.Stderr, "Error finding containerd: %v\n", err) - return - } - - // 开始运行,解析命令行参数后监听 - if err := fs.Parse(os.Args[1:]); err != nil { - log.Fatal(err) - } - - if err := read(); err != nil { - log.Fatalf("error: %v", err) - } -} - -func coroutine(client *libaudit.AuditClient) { - // 各协程至此开始 - rawChan = make(chan interface{}, 65536) - cookedChan = make(chan Event, 65536) - - wg.Add(1) - go procWatch() - - wg.Add(1) - go receive(client) - wg.Add(1) - go orgnaze() - wg.Add(1) - go deal() - - wg.Wait() - time.Sleep(2 * time.Second) -} - -func procWatch() error { - ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345) - if err != nil { - fmt.Fprintf(os.Stderr, "Error creating socket: %v\n", err) - return err - } - defer ns.Close() - for { - res, err := ns.Receive(20) - if err != nil { - fmt.Fprintf(os.Stderr, "Error recv: %v\n", err) - continue - } - for i := 0; i < len(res); i++ { - procEvent := netlink.ParseProcEvent(res[i].Data) - switch procEvent.What { - case netlink.PROC_EVENT_FORK: - data := procEvent.Data.(netlink.ProcEventFork) - cooked := Event{ - tag: NEWPID, - timestamp: time.Now(), - pid: int(data.ChildPid), - tgid: int(data.ChildTgid), - ppid: int(data.ParentPid), - parentTgid: int(data.ParentTgid), - } - checkProc(&cooked) - cookedChan <- cooked - case netlink.PROC_EVENT_EXIT: - data := procEvent.Data.(netlink.ProcEventExit) - cooked := Event{ - tag: PIDEXIT, - timestamp: time.Now(), - pid: int(data.ProcessPid), - exit_code: uint64(data.ExitCode), - exit_signal: int(data.ExitSignal), - } - cookedChan <- cooked - default: - } - } - } -} - -func checkProc(pCooked *Event) { - fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid) - fd, err := os.Open(fileName) - if err != nil { - fmt.Fprintf(os.Stderr, "Err: %v\n", err) - return - } - - scanner := bufio.NewScanner(fd) - scanner.Split(bufio.ScanLines) - for scanner.Scan() { - line := scanner.Text() - pCooked.argv = append(pCooked.argv, strings.Split(line, "\x00")...) - } - pCooked.argc = len(pCooked.argv) - fd.Close() - - fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid) - pCooked.cwd, err = os.Readlink(fileName) - if err != nil { - fmt.Fprintf(os.Stderr, "Err: %v\n", err) - pCooked.cwd = "" - } -} diff --git a/src/mongo.go b/src/mongo.go deleted file mode 100644 index 1d9f74f..0000000 --- a/src/mongo.go +++ /dev/null @@ -1,98 +0,0 @@ -package main - -import ( - "context" - "time" - - "go.mongodb.org/mongo-driver/bson" - "go.mongodb.org/mongo-driver/mongo" - "go.mongodb.org/mongo-driver/mongo/options" -) - -type mongoClient struct { - dbName, colName string - client *mongo.Client - col *mongo.Collection -} - -func (mc *mongoClient) init(dbName, colName string) error { - var err error - if err = mc.Connect(dbName, colName); err != nil { - return err - } - if err = mc.Drop(); err != nil { - return err - } - - return nil -} - -func (mc *mongoClient) Connect(dbName, colName string) error { - var err error - mc.client, err = mongo.NewClient(options.Client().ApplyURI("mongodb://localhost:27017")) - - if err != nil { - return err - } - - ctx, _ := context.WithTimeout(context.Background(), 10*time.Second) - err = mc.client.Connect(ctx) - if err != nil { - return err - } - - mc.col = mc.client.Database(dbName).Collection(colName) - mc.dbName = dbName - mc.colName = colName - return nil -} - -func (mc *mongoClient) InsertOne(document interface{}) error { - _, err := mc.col.InsertOne(context.Background(), document) - return err -} - -func (mc *mongoClient) UpdateOne(filter, update interface{}) error { - _, err := mc.col.UpdateOne(context.Background(), filter, update) - return err -} - -func (mc *mongoClient) UpdateMany(filter, update interface{}) error { - _, err := mc.col.UpdateMany(context.Background(), filter, update) - return err -} - -func (mc *mongoClient) Finddoc(filter bson.M) ([]bson.M, error) { - cur, err := mc.col.Find(context.Background(), filter) - if err != nil { - return nil, err - } - - var results []bson.M - err = cur.All(context.Background(), &results) - - return results, err -} - -func (mc *mongoClient) FindOneAndDelete(filter bson.M) (bson.M, error) { - res := mc.col.FindOneAndDelete(context.Background(), filter) - var result bson.M - err := res.Decode(&result) - return result, err -} - -func (mc *mongoClient) Drop() error { - return mc.col.Drop(context.Background()) -} - -func (mc *mongoClient) Disconnect() error { - err := mc.client.Disconnect(context.Background()) - if err != nil { - return err - } - mc.col = nil - mc.client = nil - mc.dbName = "" - mc.colName = "" - return nil -} diff --git a/src/netlink b/src/netlink deleted file mode 160000 index e53c272..0000000 --- a/src/netlink +++ /dev/null @@ -1 +0,0 @@ -Subproject commit e53c2724725c5991cdd9ea088c26832c5c9fcf0d diff --git a/src/organize.go b/src/organize.go deleted file mode 100644 index 293371b..0000000 --- a/src/organize.go +++ /dev/null @@ -1,291 +0,0 @@ -package main - -import ( - "fmt" - "os" - "regexp" - "strconv" - "strings" - "sync" - "syscall" - - "github.com/elastic/go-libaudit/v2" - "github.com/elastic/go-libaudit/v2/auparse" -) - -// 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的 -var eventTable sync.Map - -// 事件信息 -var tmp any -var ok bool -var event Event -var pEvent *Event -var eventId, argc int - -// var errs [6]error - -// 要用的正则匹配列表 -var ( - syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`) - execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) - argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) - pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`) - cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) - proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) - eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) -) - -func orgnaze() { - defer wg.Done() - defer close(cookedChan) - // 接收信息 - var raw interface{} - var rawEvent libaudit.RawAuditMessage - - for { - raw, ok = <-rawChan - if !ok { - break - } - rawEvent = raw.(libaudit.RawAuditMessage) - // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data) - - switch rawEvent.Type { - case auparse.AUDIT_SYSCALL: - syscallRaw(rawEvent) - case auparse.AUDIT_EXECVE: - execve(rawEvent) - case auparse.AUDIT_CWD: - cwd(rawEvent) - case auparse.AUDIT_PATH: - path(rawEvent) - case auparse.AUDIT_PROCTITLE: - proctitle(rawEvent) - case auparse.AUDIT_EOE: - eoe(rawEvent) - default: - } - } -} - -func syscallRaw(rawEvent libaudit.RawAuditMessage) { - if !syscallRegex.Match(rawEvent.Data) { - return - } - - var exit int - var a [4]uint64 - var subj [4]string - // 捕获基础信息 - match := syscallRegex.FindSubmatch(rawEvent.Data) - event.timestamp, _ = getTimeFromStr(string(match[1])) - eventId, _ = strconv.Atoi(string(match[2])) - event.syscall, _ = strconv.Atoi(string(match[3])) - if string(match[4]) == "" { - // exit没捕获到 - exit = 0 - } else { - exit, _ = strconv.Atoi(string(match[4])) - } - event.ppid, _ = strconv.Atoi(string(match[5])) - event.pid, _ = strconv.Atoi(string(match[6])) - - // 几个subj,说不定会有用 - for i := 0; i < 4; i++ { - subj[i] = string(match[7+i]) - } - - // 捕获参数 - if !argsRegex.Match(rawEvent.Data) { - fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n") - return - } - argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) - for i := 0; i < 4; i++ { - a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) - } - - switch syscallTable[event.syscall] { - case "execve": - eventTable.Store(eventId, &Event{ - tag: EXECVE, - timestamp: event.timestamp, - syscall: event.syscall, - exit_code: a[0], - ppid: event.ppid, - pid: event.pid, - argc: 0, - argv: make([]string, 0), - cwd: "", - }) - case "open": - // 检查打开的权限 - if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 { - break - } - // TRUNC应该被直接标记为改变,而不是打开 - eventTable.Store(eventId, &Event{ - tag: FILEOPEN, - timestamp: event.timestamp, - syscall: event.syscall, - exit_code: uint64(exit), - ppid: event.ppid, - pid: event.pid, - argc: 0, - argv: make([]string, 0), - cwd: "", - syscallParam: a, - srcPath: "", - }) - case "write": - eventTable.Store(eventId, &Event{ - tag: FILEWRITE, - timestamp: event.timestamp, - syscall: event.syscall, - exit_code: uint64(exit), - ppid: event.ppid, - pid: event.pid, - argc: 0, - argv: make([]string, 0), - cwd: "", - syscallParam: a, - }) - case "close": - // 文件关闭 - eventTable.Store(eventId, &Event{ - tag: FILECLOSE, - timestamp: event.timestamp, - syscall: event.syscall, - exit_code: uint64(exit), - ppid: event.ppid, - pid: event.pid, - argc: 0, - argv: make([]string, 0), - cwd: "", - syscallParam: a, - }) - case "pivot_root": - if subj[2] == "container_runtime_t" { - eventTable.Store(eventId, &Event{ - tag: PIVOTROOT, - timestamp: event.timestamp, - syscall: event.syscall, - ppid: event.ppid, - pid: event.pid, - syscallParam: a, - }) - } - } -} - -func execve(rawEvent libaudit.RawAuditMessage) { - if !execveRegex.Match(rawEvent.Data) { - return - } - - match := execveRegex.FindSubmatch(rawEvent.Data) - eventId, _ = strconv.Atoi(string(match[1])) - argc, _ = strconv.Atoi(string(match[2])) - tmp, ok = eventTable.Load(eventId) - if !ok { - return - } - pEvent = tmp.(*Event) - if argsRegex.Match(rawEvent.Data) { - match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) - for i := 0; i < argc; i++ { - if len(match[i][2]) == 0 { - // 代表着匹配到的是十六进制数 - str := hexToAscii(string(match[i][3])) - pEvent.argv = append(pEvent.argv, str) - } else { - pEvent.argv = append(pEvent.argv, string(match[i][2])) - } - } - pEvent.argc = argc - } -} - -func cwd(rawEvent libaudit.RawAuditMessage) { - if !cwdRegex.Match(rawEvent.Data) { - return - } - - match := cwdRegex.FindSubmatch(rawEvent.Data) - eventId, _ = strconv.Atoi(string(match[1])) - tmp, ok = eventTable.Load(eventId) - if !ok { - return - } - tmp.(*Event).cwd = string(match[2]) -} - -func proctitle(rawEvent libaudit.RawAuditMessage) { - if !proctitleRegex.Match(rawEvent.Data) { - return - } - - var cmdline string - match := proctitleRegex.FindSubmatch(rawEvent.Data) - eventId, _ = strconv.Atoi(string(match[1])) - tmp, ok = eventTable.Load(eventId) - if !ok { - return - } - pEvent = tmp.(*Event) - if pEvent.argc == 0 { - // 只有等于0,才证明没经过EXECVE提取参数,才允许使用PROCTITLE提取参数 - if match[3] == nil { - // PROCTITLE写的是十六进制,转换为字符串 - cmdline = hexToAscii(string(match[4])) - } else { - cmdline = string(match[3]) - } - pEvent.argv = strings.Split(cmdline, " ") - pEvent.argc = len(pEvent.argv) - } -} - -func eoe(rawEvent libaudit.RawAuditMessage) { - if !eoeRegex.Match(rawEvent.Data) { - return - } - - match := eoeRegex.FindSubmatch(rawEvent.Data) - eventId, _ = strconv.Atoi(string(match[1])) - tmp, ok = eventTable.Load(eventId) - if !ok { - return - } - cooked := *(tmp.(*Event)) - cookedChan <- cooked - eventTable.Delete(eventId) // 死人别占地 -} - -func path(rawEvent libaudit.RawAuditMessage) { - if !pathRegex.Match(rawEvent.Data) { - return - } - match := pathRegex.FindSubmatch(rawEvent.Data) - eventId, _ = strconv.Atoi(string(match[1])) - // item, _ := strconv.Atoi(string(match[2])) - name := string(match[3]) - - tmp, ok = eventTable.Load(eventId) - if !ok { - return - } - pEvent = tmp.(*Event) - - // 先看看是不是文件操作 - if pEvent.tag != FILEOPEN { - return - } - - if name[0] == '/' { - pEvent.srcPath = name - } else { - pEvent.srcPath += "/" + name - } -} diff --git a/src/receive.go b/src/receive.go deleted file mode 100644 index c0dea00..0000000 --- a/src/receive.go +++ /dev/null @@ -1,29 +0,0 @@ -package main - -import ( - "fmt" - - "github.com/elastic/go-libaudit/v2" - "github.com/elastic/go-libaudit/v2/auparse" - "github.com/mohae/deepcopy" -) - -func receive(r *libaudit.AuditClient) error { - defer wg.Done() - defer close(rawChan) - for { - rawEvent, err := r.Receive(false) - if err != nil { - return fmt.Errorf("receive failed: %w", err) - } - - // Messages from 1300-2999 are valid audit messages. - if rawEvent.Type < auparse.AUDIT_USER_AUTH || - rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 { - continue - } - - rawEventMessage := deepcopy.Copy(*rawEvent) - rawChan <- rawEventMessage - } -} -- cgit v1.2.3-70-g09d2