From 61809e72c524294cb07535d0e31c80a283495f80 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Wed, 14 Aug 2024 17:28:28 +0800
Subject: Filter mainly finished, fix sth in lintener

This commit I make some changes:
- The filter got mainly finished.
- Build a big node by the same tgid, and use the tgid node to build th tree we need by bfs.
- Filt relative files, and for the files not closed, add close time stamp according to the exit time of their pids.
- Put all the results into database.
Besides, I enlarge the buffer size of netlink connector and channels in lintener.

TODO:
- the pivot_root syscall is used only by the initial shell(`docker start` makes a shell), other processes of shell change their root by changing namespace(mnt ns?), using setns syscall. So fix it.
- It's time to fix the netlink connector socket.
---
 listener/godo.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'listener')

diff --git a/listener/godo.go b/listener/godo.go
index efe9585..87e9446 100644
--- a/listener/godo.go
+++ b/listener/godo.go
@@ -24,6 +24,8 @@ var (
 	receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
 )
 
+const bufferPages = 100
+
 func main() {
 	// 检查用户身份,并添加auditd规则,监听所有syscall
 	if os.Geteuid() != 0 {
@@ -44,7 +46,7 @@ func main() {
 	var auditCmd *exec.Cmd
 	pidSyscall := []string{"execve", "pivot_root"}
 
-	// // 设置监听规则
+	// 设置监听规则
 	for i := 0; i < len(pidSyscall); i++ {
 		auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i])
 		auditCmd.Run()
@@ -77,8 +79,9 @@ func main() {
 
 func coroutine(client *libaudit.AuditClient) {
 	// 各协程至此开始
-	rawChan = make(chan interface{}, 65536)
-	cookedChan = make(chan Event, 65536)
+	bufferSize := bufferPages * syscall.Getpagesize()
+	rawChan = make(chan interface{}, bufferSize)
+	cookedChan = make(chan Event, bufferSize)
 
 	wg.Add(1)
 	go procWatch()
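Review bot: In the `coroutine` hunk, `bufferSize := bufferPages * syscall.Getpagesize()` sizes the two channels in elements while the constant is expressed in memory pages, so on a 4 KiB-page system each channel gets 409,600 slots and Go allocates that backing array up front (roughly 6 MiB for `chan interface{}` alone, plus 409,600 copies of `Event`), a number with no relation to the audit event rate it is meant to absorb. The same constant is reused as the `ns.Receive(bufferPages)` argument in the `procWatch` hunk, where it presumably means receive-buffer pages, so one value now carries two unrelated units and cannot be tuned for either. I would keep separate, documented constants, e.g. `const chanCapacity = 65536 // audit events queued between procWatch and the parser` for the channels, and leave `bufferPages` to the netlink receive path only. A channel this deep also hides back-pressure: when the consumer falls behind, events accumulate silently in memory instead of surfacing as a measurable drop, which matters for a root-privileged audit listener. `coroutine` continues past the hunk, and `syscall` must already be imported in this file for the new line to compile.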
@@ -102,7 +105,7 @@ func procWatch() error {
 	}
 	defer ns.Close()
 	for {
-		res, err := ns.Receive(20)
+		res, err := ns.Receive(bufferPages)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Error recv: %v\n", err)
 			continue
-- 
cgit v1.2.3-70-g09d2