From a345258c3082903702c81c6c830ff1fd35758861 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Mon, 29 Jul 2024 11:46:02 +0800
Subject: Hear file Open and close, especially O_TRUNC

this commit i successfully catch open/close syscall, and insert them as an independent collection in mongodb otherwise along with pids. and now I've record those open flag "O_TRUNC" as written.
---
 src/godo.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'src/godo.go')

diff --git a/src/godo.go b/src/godo.go
index 2a00dad..0edcc9f 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -44,12 +44,13 @@ func main() {
 auditCmd.Run()
 }
 
- // // 监听文件的消息
+ // 监听文件的消息
+ fileSyscall := []string{"open", "write", "close"}
 // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"}
- // for i := 0; i < len(fileSyscall); i++ {
- // auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i])
- // auditCmd.Run()
- // }
+ for i := 0; i < len(fileSyscall); i++ {
+ auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", fileSyscall[i])
+ auditCmd.Run()
+ }
 
 // 查找pid
 containerdPid, err = getPid()
-- 
cgit v1.2.3-70-g09d2
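Review bot: `auditCmd.Run()` inside the new loop discards its error, so when `auditctl` fails (not running as root, audit subsystem unavailable, rule already present) the file rules are silently missing and the monitor continues with no open/write/close coverage at all. Check the result, e.g. `if err := auditCmd.Run(); err != nil { log.Printf("adding audit rule for %s: %v", fileSyscall[i], err) }` — this assumes `log` is imported, which the hunk does not show. The list `{"open", "write", "close"}` also leaves a detection gap: on x86_64 modern libc implements open(2) via the `openat` syscall, so most opens will not match an `-S open` rule, and `arch=b64` alone does not cover callers using the 32-bit ABI; consider adding `openat` (and `openat2`) and a comment stating why only the 64-bit arch is audited. Stylistically the index loop reads better as `for _, sc := range fileSyscall`. The enclosing `main` continues beyond the hunk.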