From cf5618ff2e2a183c5bdf6444787dccdcbf26ce76 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Mon, 22 Jul 2024 11:41:59 +0800
Subject: Use mongodb, insert process info into it

I failed to print the process tree out. While I'm printing the tree, the tree itself gets changed, maybe deleted. What's more, the output show that there are 4 lines with the same ppid and pid, how an absurd result! It may be caused by multi-thread. So, use database instead. Mongodb uses bson(binary json) to store data but not relational database like mysql, which means it's more easy to use.(?) Beside inserting, I've also solved a question that "fork" is called once but returns twice. For instance, pid 1 forked pid 2, in the audit log it's not an event "syscall=clone,ppid=1,pid=2", but actually two events "syscall=clone,exit=0,ppid=0,pid=1" and "syscall=clone,exit= 2,ppid=0,pid=1", which is just what we see in sys_fork in kernel source. To deal with this, when syscall is clone and exit is 0 we just drop it. Left question: To find out the exit code when a process exit/exit_group, and finish the code to record it in the database.
---
 src/go.mod | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

(limited to 'src/go.mod')

diff --git a/src/go.mod b/src/go.mod
index 2969b32..ed40331 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -5,12 +5,22 @@ go 1.21.5
 require (
 	github.com/elastic/go-libaudit/v2 v2.5.0
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
-	gopkg.in/yaml.v3 v3.0.1
+	go.mongodb.org/mongo-driver v1.16.0
 )
 
 require (
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/montanaflynn/stats v0.7.1 // indirect
+	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+	github.com/xdg-go/scram v1.1.2 // indirect
+	github.com/xdg-go/stringprep v1.0.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
-- cgit v1.2.3-70-g09d2
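Review bot: The go.sum entries for go.mongodb.org/mongo-driver v1.16.0 and the new indirect modules (github.com/golang/snappy through github.com/youmark/pkcs8, plus the golang.org/x bumps) are not visible here because the page is limited to src/go.mod; if go.sum was not updated in the same commit, the default `-mod=readonly` build fails with missing go.sum entries, and a `-mod=mod` build would resolve those modules at build time instead of against hashes committed with this change. Demoting gopkg.in/yaml.v3 from a direct requirement to `// indirect` means no package in this module imports it anymore, which looks like a `go mod tidy` result; it is worth confirming the yaml-based configuration path was removed on purpose, since the commit message does not mention it. github.com/youmark/pkcs8 lands as an untagged 2018 pseudo-version, which is what the driver itself requires, so nothing to change in this hunk, but it is the kind of pin that dependency scanning should keep an eye on.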