From a345258c3082903702c81c6c830ff1fd35758861 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Mon, 29 Jul 2024 11:46:02 +0800
Subject: Hear file Open and close, especially O_TRUNC
this commit i successfully catch open/close syscall, and insert them as an independent collection in mongodb otherwise along with pids. and now I've record those open flag "O_TRUNC" as written.
---
src/organize.go | 59 ++++++++++++++++++++++++++++++++++++---------------------
1 file changed, 37 insertions(+), 22 deletions(-)
(limited to 'src/organize.go')
diff --git a/src/organize.go b/src/organize.go
index 2489961..1b064c1 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -95,7 +95,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
 }
 argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
 for i := 0; i < 4; i++ {
- a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][2]), 16, 64)
+ a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)
 }
 switch syscallTable[event.syscall] {
@@ -117,25 +117,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
 cwd: "",
 })
 }
- case "open":
- // 检查打开的权限
- if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 {
- break
- }
- // TRUNC应该被直接标记为改变,而不是打开
- eventTable.Store(eventId, &Event{
- tag: FILEOPEN,
- timestamp: event.timestamp,
- syscall: event.syscall,
- exit_code: uint64(exit),
- ppid: event.ppid,
- pid: event.pid,
- argc: 0,
- argv: make([]string, 0),
- cwd: "",
- syscallParam: a,
- pathName: "",
- })
 case "execve":
 eventTable.Store(eventId, &Event{
 tag: EXECVE,
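Review bot: The loop around `a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)` indexes `argsMatch[i]` for i < 4 without checking how many matches `argsRegex.FindAllSubmatch` actually returned, so a SYSCALL record with fewer than four `aN=` fields (or one the regex does not match) panics with an index-out-of-range and, unless something upstream recovers, takes the audit consumer down — for a monitor fed by records whose content is attacker-influenced, a guard such as `if len(argsMatch) < 4 { return }` before the loop is warranted. The same statement overwrites `errs[0]` on every iteration, so a parse failure on a0..a2 is silently lost whenever a3 parses cleanly; check the error inside the loop or store into `errs[i]`. Whether submatch group 3 is the right capture cannot be confirmed from the hunk because `argsRegex` is defined elsewhere. `syscallRaw` begins and ends outside this hunk.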
@@ -160,6 +141,40 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
 argv: make([]string, 0),
 cwd: "",
 })
+ case "open":
+ // 检查打开的权限
+ if a[1]&(syscall.O_APPEND|syscall.O_WRONLY|syscall.O_RDWR|syscall.O_TRUNC) == 0 {
+ break
+ }
+ // TRUNC应该被直接标记为改变,而不是打开
+ eventTable.Store(eventId, &Event{
+ tag: FILEOPEN,
+ timestamp: event.timestamp,
+ syscall: event.syscall,
+ exit_code: uint64(exit),
+ ppid: event.ppid,
+ pid: event.pid,
+ argc: 0,
+ argv: make([]string, 0),
+ cwd: "",
+ syscallParam: a,
+ pathName: "",
+ })
+ case "close":
+ // 文件关闭
+ eventTable.Store(eventId, &Event{
+ tag: FILECLOSE,
+ timestamp: event.timestamp,
+ syscall: event.syscall,
+ exit_code: uint64(exit),
+ ppid: event.ppid,
+ pid: event.pid,
+ argc: 0,
+ argv: make([]string, 0),
+ cwd: "",
+ syscallParam: a,
+ // pathName: "",
+ })
 }
 }
@@ -244,7 +259,7 @@ func eoe(rawEvent libaudit.RawAuditMessage) {
 }
 cooked := *(tmp.(*Event))
 cookedChan <- cooked
- fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
+ // fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
 eventTable.Delete(eventId) // 死人别占地
 }
@@ -267,7 +282,7 @@ func path(rawEvent libaudit.RawAuditMessage) {
 return
 }
- if pEvent.pathName == "" {
+ if name[0] == '/' {
 pEvent.pathName = name
 } else {
 pEvent.pathName += "/" + name
-- cgit v1.2.3-70-g09d2
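Review bot: The new `case "open"` only fires for whatever `syscallTable` maps to the string "open" and reads the flags from `a[1]`, yet on current x86-64 glibc open(2) is issued as `openat` (flags in `a[2]`, path relative to the dirfd in `a[0]`) and `creat` carries an implicit O_WRONLY|O_CREAT|O_TRUNC, so unless those numbers are mapped elsewhere the monitor will miss most write-opens and truncations — worth checking against `syscallTable`, which is outside the hunk. The comment `// TRUNC应该被直接标记为改变,而不是打开` says an O_TRUNC open should be tagged as a modification rather than an open, but every flag combination is still stored with `tag: FILEOPEN`; either branch on `a[1]&syscall.O_TRUNC != 0` to assign a distinct tag or reword the comment. Failed opens (negative `exit`) are recorded identically to successful ones, so a denied write attempt is indistinguishable from a real write in the stored event; consider gating on the exit value or recording it explicitly. The comments in this hunk are in Chinese while the rest of the file's identifiers are English; keeping comments in one language helps reviewers. `syscallRaw` begins outside this hunk.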
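Review bot: `if name[0] == '/' {` panics with an index-out-of-range when `name` is empty, and since `name` comes straight from an audit PATH record (which can carry empty or placeholder names), a single such record can crash the collector; `if strings.HasPrefix(name, "/") {` is the safe spelling (confirm `strings` is already imported). The new condition also changes behaviour beyond the crash: a relative `name` arriving while `pEvent.pathName` is still empty now falls into `pEvent.pathName += "/" + name` and yields a bogus absolute path `/name`, whereas before it became the bare name — the fallback presumably wants the event's cwd rather than "/". Path components are not canonicalised here, so `..` segments survive into the stored path; running `filepath.Clean` on the assembled path would help if anything downstream matches on it. `path`'s body begins outside this hunk.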