From a345258c3082903702c81c6c830ff1fd35758861 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Mon, 29 Jul 2024 11:46:02 +0800
Subject: Hear file Open and close, especially O_TRUNC

this commit i successfully catch open/close syscall, and insert them as an independent collection in mongodb otherwise along with pids. and now I've record those open flag "O_TRUNC" as written.
---
 src/deal.go | 101 +++++++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 77 insertions(+), 24 deletions(-)

(limited to 'src/deal.go')

diff --git a/src/deal.go b/src/deal.go
index a9861a5..d3b5da0 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 	"sync"
+	"syscall"
 	"time"
 
 	"go.mongodb.org/mongo-driver/bson"
@@ -11,10 +12,11 @@ import (
 const (
 	dbName string = "test"
 	pidColName string = "pids"
+	fdColName string = "fds"
 )
 
 var mongoMutex sync.Mutex
-var pidCol mongoClient
+var pidCol, fdCol mongoClient
 var docRes []bson.M
 var err error
 
@@ -24,11 +26,29 @@ func deal() {
 	var cooked Event
 	var ok bool
 
-	if err = initMongo(); err != nil {
+	if err = pidCol.init(dbName, pidColName); err != nil {
 		fmt.Printf("Error while initing the mongodb: %v\n", err)
 		return
 	}
+	err = pidCol.InsertOne(bson.M{
+		"ppid": 1,
+		"pid": containerdPid,
+		"cwd": "/",
+		"children": []bson.M{},
+	})
+	if err != nil {
+		fmt.Printf("Error while initing the mongodb: %v\n", err)
+		return
+	}
+
+	if err = fdCol.init(dbName, fdColName); err != nil {
+		fmt.Printf("Error while initing the mongodb: %v\n", err)
+		return
+	}
+
+	fmt.Printf("Containerd: %d\n", containerdPid)
 	defer pidCol.Disconnect()
+	defer fdCol.Disconnect()
 
 	for {
 		cooked, ok = <-cookedChan
@@ -43,6 +63,10 @@ func deal() {
 			dealExecve(cooked)
 		case PIDEXIT:
 			go deletePid(cooked)
+		case FILEOPEN:
+			fileOpen(cooked)
+		case FILECLOSE:
+			fileClose(cooked)
 		}
 	}
 }
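Review bot: In the rewritten setup of deal(), `defer pidCol.Disconnect()` is only reached after the InsertOne and fdCol.init checks, so a failure in either of those returns with the pid connection still open; move the defer to directly after the `pidCol.init` check, and likewise place `defer fdCol.Disconnect()` directly after the `fdCol.init` check. The three failure paths also print the identical "Error while initing the mongodb" message, so a log line cannot tell whether pidCol.init, the containerd seed insert or fdCol.init failed — name the step in each message. The removed initMongo dropped the pids collection before seeding the containerd root document; if `pidCol.init` (not visible here) does not do the same for both collections, stale pid and fd records from a previous run survive and a second containerd root document is inserted on every start — worth confirming. deal()'s body continues outside the hunk.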
@@ -71,28 +95,6 @@ func deletePid(cooked Event) {
 	mongoMutex.Unlock()
 }
 
-func initMongo() error {
-	var err error
-	if err = pidCol.Connect(dbName, pidColName); err != nil {
-		return err
-	}
-	if err = pidCol.Drop(); err != nil {
-		return err
-	}
-
-	err = pidCol.InsertOne(bson.M{
-		"ppid": 1,
-		"pid": containerdPid,
-		"cwd": "/",
-		"children": bson.M{},
-	})
-	if err != nil {
-		return err
-	}
-	fmt.Printf("Containerd: %d\n", containerdPid)
-	return nil
-}
-
 func dealNewPid(cooked Event) {
 	// 有无父进程在观察中
 	docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
@@ -181,3 +183,54 @@ func dealExecve(cooked Event) {
 	}
 	mongoMutex.Unlock()
 }
+
+func fileOpen(cooked Event) {
+	// 查看是否记录了该进程
+	res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
+	if err != nil {
+		fmt.Printf("Error finding pid %d: %v\n", cooked.pid, err)
+	}
+	if len(res) == 0 {
+		// 没找着,滚
+		return
+	}
+
+	// 确有该进程
+	// 权限检查过了,不必再查
+	fdCol.InsertOne(bson.M{
+		"timestamp": cooked.timestamp,
+		"fileName": cooked.pathName,
+		"pid": cooked.pid,
+		"fd": cooked.exit_code,
+		"flags": cooked.syscallParam,
+		"written": []bson.M{},
+	})
+
+	if cooked.syscallParam[1]&syscall.O_TRUNC != 0 {
+		fdCol.UpdateOne(bson.M{"pid": cooked.pid, "fd": cooked.exit_code}, bson.M{
+			"$push": bson.M{
+				"written": cooked.timestamp,
+			},
+		})
+	}
+}
+
+func fileClose(cooked Event) {
+	// 直接看文件表有无记录
+	res, err := fdCol.Finddoc(bson.M{
+		"pid": cooked.pid,
+		"fd": cooked.syscallParam[0],
+		"close_timestamp": bson.M{"$exists": false},
+	})
+	if err != nil {
+		fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
+	}
+	if len(res) == 0 {
+		return
+	}
+	fdCol.UpdateOne(bson.M{
+		"pid": cooked.pid,
+		"fd": cooked.syscallParam[0],
+		"close_timestamp": bson.M{"$exists": false},
+	}, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}})
+}
-- 
cgit v1.2.3-70-g09d2
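Review bot: fileOpen records an fd document for every open event regardless of outcome: `"fd": cooked.exit_code` stores the raw syscall return, and for a failed open that is a negative -errno, so failures show up as fds, and a failed `open(..., O_TRUNC)` even receives a "written" timestamp although nothing was truncated — return early when `cooked.exit_code < 0` (assuming the field is signed, as its name suggests). The O_TRUNC bookkeeping is then a second UpdateOne keyed only on (pid, fd); fd numbers are reused within a process, so with no `close_timestamp` filter the update can land on an earlier record for the same pair rather than the document just inserted, and the initial `written` entry belongs in the insert itself. Both InsertOne and UpdateOne here drop their error return, and `written` is declared as `[]bson.M{}` while the value pushed into it is a timestamp. The flags are read from `syscallParam[1]`, which is right for open(2) but not for openat(2)/openat2(2), where flags are the third argument — if FILEOPEN also covers those, truncations through them are never marked as writes; confirm which syscalls feed this event. The fence rewrites fileOpen after the pid lookup; fileClose has the same Finddoc-then-UpdateOne shape and could rely on the update's matched count instead of a preceding query.
```go
func fileOpen(cooked Event) {
	// … unchanged: pidCol lookup and early return when the pid is not tracked …

	// A negative return is -errno: the open failed and no fd exists, so
	// recording it (or counting an O_TRUNC on it as a write) would be wrong.
	if cooked.exit_code < 0 {
		return
	}

	// O_TRUNC empties the file at open time, so it counts as a write at the
	// open timestamp. Seed it in the insert rather than a second round-trip
	// keyed on (pid, fd), which fd reuse could steer to an older record.
	written := bson.A{}
	if cooked.syscallParam[1]&syscall.O_TRUNC != 0 {
		written = append(written, cooked.timestamp)
	}
	if err := fdCol.InsertOne(bson.M{
		"timestamp": cooked.timestamp,
		"fileName":  cooked.pathName,
		"pid":       cooked.pid,
		"fd":        cooked.exit_code,
		"flags":     cooked.syscallParam,
		"written":   written,
	}); err != nil {
		fmt.Printf("Error recording open of %s by pid %d: %v\n", cooked.pathName, cooked.pid, err)
	}
}
```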