From 3e49a044d22635157916651f0acb5a062397b34b Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Fri, 9 Aug 2024 13:56:37 +0800 Subject: Add db structure, fix filePath, start filtering This commit I made several changes: - Use structure instead of simple bson.M(interface{}). bson.M has some shortcomings: 1) It makes the database in chaos and hard to read, but this's not important; 2) Some entrys may has more or less content than others, which makes it hard to decode and filt. So I design new data structure to encode and decode. Hopes that there's no bugs. - Fix the way to calculate file path. The original method is to add all the PATH entries together, that's totally wrong! PATH entry has several types, as it shows in "objtype". I can't find it in the kernel src code, so what i know is just "PARENT" means the dir the file is in, while the filename itself has the path, so we whould ignore all "PARENT"s. When the src code is found, we should check it again. - Fix bugs in updating. The update function of mongodb is set to required to has a '$' such as 'set'/'push', so when we update a whole doc, we should use replace but not update function. And, we should never ignore the error infomation it gives us. Hope that there's no more bugs for this Big Change. Now its' time to write filter as well as viewer. Best wishes with NO BUGS! --- listener/organize.go | 291 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 291 insertions(+) create mode 100644 listener/organize.go (limited to 'listener/organize.go') diff --git a/listener/organize.go b/listener/organize.go new file mode 100644 index 0000000..0c05eb4 --- /dev/null +++ b/listener/organize.go @@ -0,0 +1,291 @@ +package main + +import ( + "fmt" + "os" + "regexp" + "strconv" + "strings" + "sync" + "syscall" + + "github.com/elastic/go-libaudit/v2" + "github.com/elastic/go-libaudit/v2/auparse" +) + +// 为每个事务id存储其信息,事务id在操作系统运行期间是唯一的 +var eventTable sync.Map + +// 事件信息 +var tmp any +var ok bool +var event Event +var pEvent *Event +var eventId, argc int + +// 要用的正则匹配列表 +var ( + syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`) + execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) + argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) + pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)" .*objtype=([A-Z]+) `) + cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) + proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) + eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) +) + +func orgnaze() { + defer wg.Done() + defer close(cookedChan) + // 接收信息 + var raw interface{} + var rawEvent libaudit.RawAuditMessage + + for { + raw, ok = <-rawChan + if !ok { + break + } + rawEvent = raw.(libaudit.RawAuditMessage) + // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data) + + switch rawEvent.Type { + case auparse.AUDIT_SYSCALL: + syscallRaw(rawEvent) + case auparse.AUDIT_EXECVE: + execve(rawEvent) + case auparse.AUDIT_CWD: + cwd(rawEvent) + case auparse.AUDIT_PATH: + path(rawEvent) + case auparse.AUDIT_PROCTITLE: + proctitle(rawEvent) + case auparse.AUDIT_EOE: + eoe(rawEvent) + default: + } + } +} + +func syscallRaw(rawEvent libaudit.RawAuditMessage) { + if !syscallRegex.Match(rawEvent.Data) { + return + } + + var exit int + var a [4]uint64 + var subj [4]string + // 捕获基础信息 + match := syscallRegex.FindSubmatch(rawEvent.Data) + event.timestamp, _ = getTimeFromStr(string(match[1])) + eventId, _ = strconv.Atoi(string(match[2])) + event.syscall, _ = strconv.Atoi(string(match[3])) + if string(match[4]) == "" { + // exit没捕获到 + exit = 0 + } else { + exit, _ = strconv.Atoi(string(match[4])) + } + event.ppid, _ = strconv.Atoi(string(match[5])) + event.pid, _ = strconv.Atoi(string(match[6])) + + // 几个subj,说不定会有用 + for i := 0; i < 4; i++ { + subj[i] = string(match[7+i]) + } + + // 捕获参数 + if !argsRegex.Match(rawEvent.Data) { + fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n") + return + } + argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) + for i := 0; i < 4; i++ { + a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) + } + + switch syscallTable[event.syscall] { + case "execve": + eventTable.Store(eventId, &Event{ + tag: EXECVE, + timestamp: event.timestamp, + syscall: event.syscall, + // exit_code: a[0], // 为啥这么写? + ppid: event.ppid, + pid: event.pid, + argc: 0, + argv: make([]string, 0), + cwd: "", + }) + case "open": + // 检查打开的权限 + if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 { + break + } + // TRUNC应该被直接标记为改变,而不是打开 + eventTable.Store(eventId, &Event{ + tag: FILEOPEN, + timestamp: event.timestamp, + syscall: event.syscall, + exit_code: exit, + ppid: event.ppid, + pid: event.pid, + argc: 0, + argv: make([]string, 0), + cwd: "", + syscallParam: a, + srcPath: "", + }) + case "write": + eventTable.Store(eventId, &Event{ + tag: FILEWRITE, + timestamp: event.timestamp, + syscall: event.syscall, + exit_code: exit, + ppid: event.ppid, + pid: event.pid, + argc: 0, + argv: make([]string, 0), + cwd: "", + syscallParam: a, + }) + case "close": + // 文件关闭 + eventTable.Store(eventId, &Event{ + tag: FILECLOSE, + timestamp: event.timestamp, + syscall: event.syscall, + exit_code: exit, + ppid: event.ppid, + pid: event.pid, + argc: 0, + argv: make([]string, 0), + cwd: "", + syscallParam: a, + }) + case "pivot_root": + if subj[2] == "container_runtime_t" { + eventTable.Store(eventId, &Event{ + tag: PIVOTROOT, + timestamp: event.timestamp, + syscall: event.syscall, + ppid: event.ppid, + pid: event.pid, + syscallParam: a, + }) + } + } +} + +func execve(rawEvent libaudit.RawAuditMessage) { + if !execveRegex.Match(rawEvent.Data) { + return + } + + match := execveRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + argc, _ = strconv.Atoi(string(match[2])) + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + pEvent = tmp.(*Event) + if argsRegex.Match(rawEvent.Data) { + match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) + for i := 0; i < argc; i++ { + if len(match[i][2]) == 0 { + // 代表着匹配到的是十六进制数 + str := hexToAscii(string(match[i][3])) + pEvent.argv = append(pEvent.argv, str) + } else { + pEvent.argv = append(pEvent.argv, string(match[i][2])) + } + } + pEvent.argc = argc + } +} + +func cwd(rawEvent libaudit.RawAuditMessage) { + if !cwdRegex.Match(rawEvent.Data) { + return + } + + match := cwdRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + tmp.(*Event).cwd = string(match[2]) +} + +func proctitle(rawEvent libaudit.RawAuditMessage) { + if !proctitleRegex.Match(rawEvent.Data) { + return + } + + var cmdline string + match := proctitleRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + pEvent = tmp.(*Event) + if pEvent.argc == 0 { + // 只有等于0,才证明没经过EXECVE提取参数,才允许使用PROCTITLE提取参数 + if match[3] == nil { + // PROCTITLE写的是十六进制,转换为字符串 + cmdline = hexToAscii(string(match[4])) + } else { + cmdline = string(match[3]) + } + pEvent.argv = strings.Split(cmdline, " ") + pEvent.argc = len(pEvent.argv) + } +} + +func eoe(rawEvent libaudit.RawAuditMessage) { + if !eoeRegex.Match(rawEvent.Data) { + return + } + + match := eoeRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + cooked := *(tmp.(*Event)) + cookedChan <- cooked + eventTable.Delete(eventId) // 死人别占地 +} + +func path(rawEvent libaudit.RawAuditMessage) { + if !pathRegex.Match(rawEvent.Data) { + return + } + match := pathRegex.FindSubmatch(rawEvent.Data) + eventId, _ = strconv.Atoi(string(match[1])) + // item, _ := strconv.Atoi(string(match[2])) + name := string(match[3]) + objtype := string(match[4]) + + tmp, ok = eventTable.Load(eventId) + if !ok { + return + } + pEvent = tmp.(*Event) + + // 先看看是不是文件操作,再看是不是所在目录 + if pEvent.tag != FILEOPEN || objtype == "PARENT" { + return + } + + if pEvent.cwd == "/" || name[0] == '/' { + pEvent.srcPath = name + } else { + pEvent.srcPath = pEvent.cwd + "/" + name + } + // ATTENTION: 这里需要做路径简化,留给过滤清洗流程吧 +} -- cgit v1.2.3-70-g09d2