From cf5618ff2e2a183c5bdf6444787dccdcbf26ce76 Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Mon, 22 Jul 2024 11:41:59 +0800 Subject: Use mongodb, insert process info into it I failed to print the process tree out. While I'm printing the tree, the tree itself gets changed, maybe deleted. What's more, the output show that there are 4 lines with the same ppid and pid, how an absurd result! It may be caused by multi-thread. So, use database instead. Mongodb uses bson(binary json) to store data but not relational database like mysql, which means it's more easy to use.(?) Beside inserting, I've also solved a question that "fork" is called once but returns twice. For instance, pid 1 forked pid 2, in the audit log it's not an event "syscall=clone,ppid=1,pid=2", but actually two events "syscall=clone,exit=0,ppid=0,pid=1" and "syscall=clone,exit= 2,ppid=0,pid=1", which is just what we see in sys_fork in kernel source. To deal with this, when syscall is clone and exit is 0 we just drop it. Left question: To find out the exit code when a process exit/exit_group, and finish the code to record it in the database. --- .gitignore | 8 +-- src/deal.go | 165 ++++++++++++++++++++++++++++++++++---------------------- src/global.go | 23 +++++++- src/go.mod | 16 ++++-- src/go.sum | 43 +++++++++++++-- src/godo.go | 18 ------- src/organize.go | 54 ++++++++++++------- 7 files changed, 216 insertions(+), 111 deletions(-) diff --git a/.gitignore b/.gitignore index 8a2ac54..9fe8ea9 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,8 @@ godo old/* !old/*.* -old/*.log -old/*.json -old/go.* \ No newline at end of file +old/go.* + +*/*.log +*/*.json +!logs/*.log diff --git a/src/deal.go b/src/deal.go index fd9f788..118d914 100644 --- a/src/deal.go +++ b/src/deal.go 
@@ -1,97 +1,134 @@ package main import ( + "context" "fmt" "time" + + "go.mongodb.org/mongo-driver/bson" + "go.mongodb.org/mongo-driver/mongo" + "go.mongodb.org/mongo-driver/mongo/options" +) + +const ( + dbName string = "test" + colName string = "pids" ) func deal() { defer wg.Done() var cooked Event var ok bool + + var err error + var mongo *mongo.Client + var res []bson.M + + mongo, err = connect() + if err != nil { + fmt.Printf("Err connecting the mongodb: %v\n", err) + } + pidCol := mongo.Database(dbName).Collection(colName) + + err = pidCol.Drop(context.Background()) + if err != nil { + fmt.Printf("Err drop: %v\n", err) + } + + _, err = pidCol.InsertOne(context.Background(), bson.M{ + "ppid": 1, + "pid": containerdPid, + "cwd": "/", + }) + if err != nil { + fmt.Printf("Err containerd: %v", err) + return + } + + fmt.Printf("Containerd: %d\n", containerdPid) + for { cooked, ok = <-cookedChan if !ok { break } - // type Event struct { - // timestamp time.Time - // pid, ppid int - // syscall int - // argc int - // args []string - // cwd string - // } - // type process struct { - // timestamp time.Time - // pid, ppid int - // argv []string - // cwd string - // rootfs string - // children []int - // } + switch syscallTable[cooked.syscall] { case "fork", "vfork", "clone": - ppid := cooked.ppid - pid := cooked.pid - parent, ok := pids.Load(ppid) - if !ok { + // 有无父进程在观察中 + res, err = findDocuments(mongo, "test", "pids", bson.M{"pid": cooked.ppid}) + if err != nil || len(res) != 1 { break } - parent.(*process).children = append(parent.(*process).children, pid) - pids.Store(pid, &process{ - timestamp: cooked.timestamp, - pid: cooked.pid, - ppid: cooked.ppid, - argv: cooked.argv, - cwd: cooked.cwd, - children: make([]int, 0), + + // 自身是否已经记录 + res, err = findDocuments(mongo, "test", "pids", bson.M{"pid": cooked.pid}) + if err != nil { + fmt.Printf("Err finding: %v\n", err) + break + } else if len(res) != 0 { + fmt.Printf("Err inserting pid %v: already in db: %v\n", 
cooked.pid, res) + break + } + + doc := []bson.A{} + for _, str := range cooked.argv { + doc = append(doc, bson.A{str}) + } + _, err := pidCol.InsertOne(context.Background(), bson.M{ + "timestamp": cooked.timestamp, + "ppid": cooked.ppid, + "pid": cooked.pid, + "cwd": cooked.cwd, + "args": doc, + "children": []bson.M{}, }) - fmt.Printf("%v syscall=%d, ppid=%d, pid=%d, cwd=\"%s\", argc=%d, ", cooked.timestamp, cooked.syscall, cooked.ppid, cooked.pid, cooked.cwd, cooked.argc) - for i := 0; i < cooked.argc; i++ { - fmt.Printf("arg[%d]=\"%s\", ", i, cooked.argv[i]) + if err != nil { + fmt.Printf("Err insert: %v\n", err) } - fmt.Printf("\n") - case "exit", "exit_group": - _, ok := pids.Load(cooked.pid) - if !ok { - break + + _, err = pidCol.UpdateOne(context.Background(), bson.M{"pid": cooked.pid}, bson.M{ + "$push": bson.M{ + "children": cooked.pid, + }, + }) + if err != nil { + fmt.Printf("Err insert: %v\n", err) } - go deletePid(cooked) + case "exit", "exit_group": + // TODO: 记得补全退出逻辑 + // 上哪找exit code呢? } } } -func deletePid(cooked Event) { - time.Sleep(1 * time.Second) - Process, ok := pids.Load(cooked.pid) - if !ok { - return +func connect() (*mongo.Client, error) { + client, err := mongo.NewClient(options.Client().ApplyURI("mongodb://localhost:27017")) + + if err != nil { + return nil, err } - pProcess := Process.(*process) - - // 先从爹那里注销户籍 - parent, ok := pids.Load(pProcess.ppid) - if ok { - pParent := parent.(*process) - for i, child := range pParent.children { - if child == pProcess.pid { - pParent.children = append(pParent.children[:i], pParent.children[i+1:]...) 
- break - } - } + + ctx, _ := context.WithTimeout(context.Background(), 10*time.Second) + err = client.Connect(ctx) + + if err != nil { + return nil, err } - // 子进程需要收容 - for i := 0; i < len(pProcess.children); i++ { - child, ok := pids.Load(pProcess.children[i]) - if ok { - child.(*process).ppid = 1 - } + return client, nil +} + +func findDocuments(client *mongo.Client, dbName, colName string, filter bson.M) ([]bson.M, error) { + collection := client.Database(dbName).Collection(colName) + + cur, err := collection.Find(context.Background(), filter) + if err != nil { + return nil, err } - // 可以去死了 - pids.Delete(cooked.pid) - _, ok = pids.Load(cooked.pid) - fmt.Printf("%v Goodbye, %d! ok = %v\n", time.Now(), cooked.pid, ok) + var results []bson.M + err = cur.All(context.Background(), &results) + + return results, err } diff --git a/src/global.go b/src/global.go index 4e08866..0439df6 100644 --- a/src/global.go +++ b/src/global.go @@ -1,6 +1,27 @@ package main -import "sync" +import ( + "sync" + "time" +) + +type Event struct { + timestamp time.Time + pid, ppid int + syscall int + argc int + argv []string + cwd string +} + +type process struct { + timestamp time.Time + pid, ppid int + argv []string + cwd string + rootfs string + children []int +} var pids sync.Map // 古希腊掌管进程的神,int->*process var wg sync.WaitGroup // 掌管协程 diff --git a/src/go.mod b/src/go.mod index 2969b32..ed40331 100644 --- a/src/go.mod +++ b/src/go.mod 
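Review bot: The `$push` in the fork/vfork/clone case filters on the child, `bson.M{"pid": cooked.pid}`, so it appends the child's pid to its own freshly inserted (empty) `children` array; the removed code appended to the parent, so the filter should be `bson.M{"pid": cooked.ppid}`. Earlier in `deal()`, a failed `connect()` is only printed and execution continues into `mongo.Database(dbName)` on a nil client, which will panic; add `return` after that Printf. In `connect()`, `ctx, _ := context.WithTimeout(...)` discards the cancel function (go vet's lostcancel check), so use `ctx, cancel := context.WithTimeout(...)` followed by `defer cancel()`. The local `var mongo *mongo.Client` shadows the driver package for the rest of `deal()`, and `findDocuments(mongo, "test", "pids", ...)` repeats the literals that the new `dbName`/`colName` constants exist to replace. `connect()` also hard-codes an unauthenticated `mongodb://localhost:27017`; taking the URI from a flag or environment variable would keep credentials out of source once authentication is enabled on that instance.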
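Review bot: With `deletePid` removed and `deal()` no longer calling `pids.Load`/`pids.Store`, the `process` type moved here and the `var pids sync.Map` context line below it appear to have no remaining users in this diff; if nothing else in the package references them, drop them instead of relocating them, since go vet does not flag unused package-level declarations. It is also worth checking that godo.go still uses its `time` import after these structs left it, as that hunk only removes lines and an "imported and not used" build error is possible if `time.Time` was the only use there.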
@@ -5,12 +5,22 @@ go 1.21.5 require ( github.com/elastic/go-libaudit/v2 v2.5.0 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 - gopkg.in/yaml.v3 v3.0.1 + go.mongodb.org/mongo-driver v1.16.0 ) require ( + github.com/golang/snappy v0.0.4 // indirect + github.com/klauspost/compress v1.13.6 // indirect + github.com/montanaflynn/stats v0.7.1 // indirect + github.com/xdg-go/pbkdf2 v1.0.0 // indirect + github.com/xdg-go/scram v1.1.2 // indirect + github.com/xdg-go/stringprep v1.0.4 // indirect + github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect go.uber.org/atomic v1.7.0 // indirect go.uber.org/multierr v1.7.0 // indirect - golang.org/x/sys v0.11.0 // indirect - gopkg.in/yaml.v2 v2.4.0 // indirect + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/sync v0.7.0 // indirect + golang.org/x/sys v0.19.0 // indirect + golang.org/x/text v0.14.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/src/go.sum b/src/go.sum index 7ce498a..9164cd3 100644 --- a/src/go.sum +++ b/src/go.sum 
@@ -5,53 +5,90 @@ github.com/elastic/go-libaudit/v2 v2.5.0 h1:5OK919QRnGtcjVBz3n/cs5F42im1mPlVTA9T github.com/elastic/go-libaudit/v2 v2.5.0/go.mod h1:AjlnhinP+kKQuUJoXLVrqxBM8uyhQmkzoV6jjsCFP4Q= github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4= github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= +github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= +github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE= +github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= 
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c= +github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= +github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY= +github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= +github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8= +github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d h1:splanxYIlg+5LfHAM6xpdFEAYOk8iySO56hMFq6uLyA= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.mongodb.org/mongo-driver v1.16.0 h1:tpRsfBJMROVHKpdGyc1BBEzzjDUWjItxbVSZ8Ls4BQ4= +go.mongodb.org/mongo-driver v1.16.0/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/multierr v1.7.0 h1:zaiO/rmgFjbmCXdSYJWQcdvOCsthmdaHfr3Gm2Kx4Ec= go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= 
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= +golang.org/x/tools 
v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/src/godo.go b/src/godo.go index 6f73893..72f68c0 100644 --- a/src/godo.go +++ b/src/godo.go @@ -20,24 +20,6 @@ var ( receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+") ) -type Event struct { - timestamp time.Time - pid, ppid int - syscall int - argc int - argv []string - cwd string -} - -type process struct { - timestamp time.Time - pid, ppid int - argv []string - cwd string - rootfs string - children []int -} - func main() { // 检查用户身份,并添加auditd规则,监听所有syscall if os.Geteuid() != 0 { diff --git a/src/organize.go b/src/organize.go index 025d8c0..bb6736a 100644 --- a/src/organize.go +++ b/src/organize.go 
@@ -23,7 +23,7 @@ func orgnaze() { // 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的 eventTable := make(map[int]*Event) // 要用的正则匹配列表 - syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?ppid=(\d+) pid=(\d+).*?$`) + syscallRegex := regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+).*?(exit=([-+]?\d+).*?)?ppid=(\d+) pid=(\d+).*?$`) execveRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) argsRegex := regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) cwdRegex := regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) @@ -36,14 +36,6 @@ func orgnaze() { } rawEvent = raw.(libaudit.RawAuditMessage) - // type Event struct { - // timestamp time.Time - // pid, ppid int - // syscall int - // argc int - // args []string - // cwd string - // } switch rawEvent.Type { case auparse.AUDIT_SYSCALL: if syscallRegex.Match(rawEvent.Data) { 
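Review bot: Inserting the optional `(exit=([-+]?\d+).*?)?` group renumbers every later capture (ppid becomes group 6, pid group 7), and the consumer in the second organize.go hunk (`@@ -51,16 +43,40 @@`) was only partly adjusted; named groups such as `(?P<exit>[-+]?\d+)`, `(?P<ppid>\d+)` and `(?P<pid>\d+)` read via `syscallRegex.SubexpIndex("ppid")` would make the indices robust to further regex edits. The outer group exists only to make `exit=` optional, so `(?:exit=([-+]?\d+).*?)?` keeps it from occupying a capture slot at all.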
@@ -51,16 +43,40 @@ func orgnaze() { event.timestamp, err[0] = getTimeFromStr(string(match[1])) eventId, err[1] = strconv.Atoi(string(match[2])) event.syscall, err[2] = strconv.Atoi(string(match[3])) - event.ppid, err[3] = strconv.Atoi(string(match[4])) - event.pid, err[4] = strconv.Atoi(string(match[5])) - eventTable[eventId] = &Event{ - timestamp: event.timestamp, - syscall: event.syscall, - ppid: event.ppid, - pid: event.pid, - argc: 0, - argv: make([]string, 0), - cwd: "", + var exit int + // exit, err[3] = strconv.Atoi(string(match[4])) + if string(match[5]) == "" { + // exit没捕获到 + exit = 0 + } else { + exit, err[3] = strconv.Atoi(string(match[5])) + } + event.ppid, err[4] = strconv.Atoi(string(match[5])) + event.pid, err[5] = strconv.Atoi(string(match[6])) + if syscallTable[event.syscall] == "clone" { + if exit == 0 { + break + } else { + eventTable[eventId] = &Event{ + timestamp: event.timestamp, + syscall: event.syscall, + ppid: event.pid, + pid: exit, + argc: 0, + argv: make([]string, 0), + cwd: "", + } + } + } else { + eventTable[eventId] = &Event{ + timestamp: event.timestamp, + syscall: event.syscall, + ppid: event.ppid, + pid: event.pid, + argc: 0, + argv: make([]string, 0), + cwd: "", + } } } case auparse.AUDIT_EXECVE: -- cgit v1.2.3-70-g09d2
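Review bot: After the regex change, `event.ppid, err[4] = strconv.Atoi(string(match[5]))` reads the exit capture (group 5) as ppid and `event.pid, err[5] = strconv.Atoi(string(match[6]))` reads ppid as pid; ppid is group 6 and pid group 7, so these should be `match[6]` and `match[7]`. The clone branch treats any non-zero exit as a child pid, but the regex deliberately admits a sign and a failed clone reports a negative errno in `exit=`, so the guard should be `if exit <= 0 { break }` rather than `== 0` unless failures are meant to be recorded separately. The new `err[5]` index assumes `err` has at least six slots; that declaration is outside the hunk, so confirm its size was raised too. The commented-out `// exit, err[3] = strconv.Atoi(string(match[4]))` is dead and can be removed. `orgnaze()` continues outside the hunk.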