From cf5618ff2e2a183c5bdf6444787dccdcbf26ce76 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Mon, 22 Jul 2024 11:41:59 +0800
Subject: Use mongodb, insert process info into it

I failed to print the process tree out. While I'm printing the tree, the tree itself gets changed, maybe deleted. What's more, the output show that there are 4 lines with the same ppid and pid, how an absurd result! It may be caused by multi-thread. So, use database instead. Mongodb uses bson(binary json) to store data but not relational database like mysql, which means it's more easy to use.(?) Beside inserting, I've also solved a question that "fork" is called once but returns twice. For instance, pid 1 forked pid 2, in the audit log it's not an event "syscall=clone,ppid=1,pid=2", but actually two events "syscall=clone,exit=0,ppid=0,pid=1" and "syscall=clone,exit= 2,ppid=0,pid=1", which is just what we see in sys_fork in kernel source. To deal with this, when syscall is clone and exit is 0 we just drop it. Left question: To find out the exit code when a process exit/exit_group, and finish the code to record it in the database.
---
src/godo.go | 18 ------------------
1 file changed, 18 deletions(-)
(limited to 'src/godo.go')

diff --git a/src/godo.go b/src/godo.go
index 6f73893..72f68c0 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -20,24 +20,6 @@ var (
 receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
 )
 
-type Event struct {
- timestamp time.Time
- pid, ppid int
- syscall int
- argc int
- argv []string
- cwd string
-}
-
-type process struct {
- timestamp time.Time
- pid, ppid int
- argv []string
- cwd string
- rootfs string
- children []int
-}
-
 func main() {
 // 检查用户身份,并添加auditd规则,监听所有syscall
 if os.Geteuid() != 0 {
--
cgit v1.2.3-70-g09d2