From 3e49a044d22635157916651f0acb5a062397b34b Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Fri, 9 Aug 2024 13:56:37 +0800 Subject: Add db structure, fix filePath, start filtering This commit I made several changes: - Use structure instead of simple bson.M(interface{}). bson.M has some shortcomings: 1) It makes the database in chaos and hard to read, but this's not important; 2) Some entrys may has more or less content than others, which makes it hard to decode and filt. So I design new data structure to encode and decode. Hopes that there's no bugs. - Fix the way to calculate file path. The original method is to add all the PATH entries together, that's totally wrong! PATH entry has several types, as it shows in "objtype". I can't find it in the kernel src code, so what i know is just "PARENT" means the dir the file is in, while the filename itself has the path, so we whould ignore all "PARENT"s. When the src code is found, we should check it again. - Fix bugs in updating. The update function of mongodb is set to required to has a '$' such as 'set'/'push', so when we update a whole doc, we should use replace but not update function. And, we should never ignore the error infomation it gives us. Hope that there's no more bugs for this Big Change. Now its' time to write filter as well as viewer. Best wishes with NO BUGS! --- listener/godo.go | 176 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 176 insertions(+) create mode 100644 listener/godo.go (limited to 'listener/godo.go') diff --git a/listener/godo.go b/listener/godo.go new file mode 100644 index 0000000..efe9585 --- /dev/null +++ b/listener/godo.go @@ -0,0 +1,176 @@ +package main + +import ( + "bufio" + "flag" + "fmt" + "log" + "netlink" + "os" + "os/exec" + "strings" + "syscall" + "time" + + "github.com/elastic/go-libaudit/v2" +) + +var ( + fs = flag.NewFlagSet("audit", flag.ExitOnError) + diag = fs.String("diag", "", "dump raw information from kernel to file") + rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)") + backlog = fs.Uint("backlog", 8192, "backlog limit") + immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)") + receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+") +) + +func main() { + // 检查用户身份,并添加auditd规则,监听所有syscall + if os.Geteuid() != 0 { + fmt.Fprintf(os.Stderr, "Err: Please run me as root, %d!\n", os.Getegid()) + return + } + + // 所有的系统调用号与名称的关系 + err := figureOutSyscalls() + if err != nil { + fmt.Fprintf(os.Stderr, "Error figuring out syscall numbers: %v\n", err) + } + + exec.Command("auditctl", "-D").Run() + exec.Command("auditctl", "-b", "1000000000").Run() + exec.Command("auditctl", "--reset-lost").Run() + + var auditCmd *exec.Cmd + + pidSyscall := []string{"execve", "pivot_root"} + // // 设置监听规则 + for i := 0; i < len(pidSyscall); i++ { + auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) + auditCmd.Run() + } + + // 监听文件的消息 + fileSyscall := []string{"open", "close", "write"} + // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"} + for i := 0; i < len(fileSyscall); i++ { + auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i]) + auditCmd.Run() + } + + // 查找pid + containerdPid, err = getPid() + if err != nil { + fmt.Fprintf(os.Stderr, "Error finding containerd: %v\n", err) + return + } + + // 开始运行,解析命令行参数后监听 + if err := fs.Parse(os.Args[1:]); err != nil { + log.Fatal(err) + } + + if err := read(); err != nil { + log.Fatalf("error: %v", err) + } +} + +func coroutine(client *libaudit.AuditClient) { + // 各协程至此开始 + rawChan = make(chan interface{}, 65536) + cookedChan = make(chan Event, 65536) + + wg.Add(1) + go procWatch() + + wg.Add(1) + go receive(client) + wg.Add(1) + go orgnaze() + wg.Add(1) + go deal() + + wg.Wait() + time.Sleep(2 * time.Second) +} + +func procWatch() error { + ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345) + if err != nil { + fmt.Fprintf(os.Stderr, "Error creating socket: %v\n", err) + return err + } + defer ns.Close() + for { + res, err := ns.Receive(20) + if err != nil { + fmt.Fprintf(os.Stderr, "Error recv: %v\n", err) + continue + } + for i := 0; i < len(res); i++ { + procEvent := netlink.ParseProcEvent(res[i].Data) + switch procEvent.What { + case netlink.PROC_EVENT_FORK: + data := procEvent.Data.(netlink.ProcEventFork) + cooked := Event{ + tag: NEWPID, + timestamp: time.Now(), + pid: int(data.ChildPid), + tgid: int(data.ChildTgid), + ppid: int(data.ParentPid), + parentTgid: int(data.ParentTgid), + } + checkProc(&cooked) + cookedChan <- cooked + case netlink.PROC_EVENT_EXIT: + data := procEvent.Data.(netlink.ProcEventExit) + cooked := Event{ + tag: PIDEXIT, + timestamp: time.Now(), + pid: int(data.ProcessPid), + exit_code: int(data.ExitCode), + exit_signal: int(data.ExitSignal), + } + cookedChan <- cooked + default: + } + } + } +} + +func checkProc(pCooked *Event) { + fileName := fmt.Sprintf("/proc/%d/task/%d/", pCooked.tgid, pCooked.pid) + fd, err := os.Open(fileName + "cmdline") + if err != nil { + fmt.Fprintf(os.Stderr, "Err: %v\n", err) + return + } + + scanner := bufio.NewScanner(fd) + scanner.Split(bufio.ScanLines) + for scanner.Scan() { + line := scanner.Text() + pCooked.argv = append(pCooked.argv, strings.Split(line, "\x00")...) + } + pCooked.argc = len(pCooked.argv) + fd.Close() + + fd, err = os.Open(fileName + "comm") + if err != nil { + fmt.Fprintf(os.Stderr, "Err: %v\n", err) + return + } + scanner = bufio.NewScanner(fd) + scanner.Split(bufio.ScanLines) + for scanner.Scan() { + line := scanner.Text() + pCooked.comm = line + } + fd.Close() + + pCooked.cwd, err = os.Readlink(fileName + "cwd") + if err != nil { + fmt.Fprintf(os.Stderr, "Err: %v\n", err) + pCooked.cwd = "" + } +} -- cgit v1.2.3-70-g09d2