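package main

import (
	"sync"
	"time"
)

// eventType identifies the kind of event carried by an Event.
type eventType int

// Event kinds. TYPENUM is a count sentinel and must remain the last
// constant in this block.
const (
	NEWPID eventType = iota
	PIDEXIT
	EXECVE
	FILEOPEN
	FILECLOSE
	FILEWRITE
	PIVOTROOT
	TYPENUM
)

// eventTypeNames maps each eventType to its symbolic name. It must be
// kept in the same order as the const block above.
var eventTypeNames = [...]string{
	"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN",
	"FILECLOSE", "FILEWRITE", "PIVOTROOT", "TYPENUM",
}

// String returns the symbolic name of et, or "Unknown" for values
// outside the known range.
//
// The upper bound is len(eventTypeNames) rather than TYPENUM: if a new
// constant is ever added without extending the table, the result is
// "Unknown" instead of an index-out-of-range panic.
func (et eventType) String() string {
	if et < 0 || int(et) >= len(eventTypeNames) {
		return "Unknown"
	}
	return eventTypeNames[et]
}

// Event is the processed record sent on cookedChan. Which fields are
// meaningful presumably depends on tag — confirm against the producer,
// which is not part of this file.
type Event struct {
	tag       eventType
	timestamp time.Time
	pid, tgid int
	ppid, parentTgid int
	// syscall is a raw syscall number; any use of it as an index into
	// syscallTable must be range-checked first (see syscallTable below).
	syscall      int
	syscallParam [4]uint64
	argc         int
	argv         []string
	comm         string
	cwd          string
	cgroup       string
	exit_code    int
	exit_signal  int
	srcPath      string
	destPath     string
}

// Structures inserted into the database.

// Exec is one execve record persisted as part of a Process.
type Exec struct {
	Timestamp time.Time `bson:"timestamp"`
	// ExecArgs is the full argument vector. NOTE(review): command lines
	// can carry credentials or tokens; consider redaction before persisting.
	ExecArgs []string `bson:"execArgs"`
}

// Process is the per-process document stored in pidCol.
type Process struct {
	Star           bool      `bson:"star"`
	StartTimestamp time.Time `bson:"start_timestamp"`
	Ppid           int       `bson:"ppid"`
	ParentTgid     int       `bson:"parentTgid"`
	Pid            int       `bson:"pid"`
	Tgid           int       `bson:"tgid"`
	Args           []string  `bson:"args"`
	Comm           string    `bson:"comm"`
	RootFS         string    `bson:"rootfs"`
	Cwd            string    `bson:"cwd"`
	Children       []int     `bson:"children"`
	DockerId       string    `bson:"docker_id"`
	Execve         []Exec    `bson:"execve"`
	ExitCode       int       `bson:"exit_code"`
	ExitSignal     int       `bson:"exit_signal"`
	ExitTimestamp  time.Time `bson:"exit_timestamp"`
}

// File is the per-open-file document stored in fileCol. Written holds
// one timestamp per observed write; Flags mirrors the [4]uint64 shape of
// Event.syscallParam — presumably the open() arguments, confirm at the
// producer.
type File struct {
	OpenTimestamp  time.Time   `bson:"timestamp"`
	FileName       string      `bson:"fileName"`
	Pid            int         `bson:"pid"`
	Fd             int         `bson:"fd"`
	Flags          [4]uint64   `bson:"flags"`
	Written        []time.Time `bson:"written"`
	CloseTimestamp time.Time   `bson:"close_timestamp"`
}

// Database and collection names.
// NOTE(review): dbName is hard-coded to "test"; consider sourcing it from
// configuration so a deployment cannot silently write to a scratch database.
const (
	dbName      string = "test"
	pidColName  string = "pids"
	fdColName   string = "fds"
	fileColName string = "files"
)

// wg tracks the worker goroutines so they can be waited on at shutdown.
var wg sync.WaitGroup

// rawChan carries received, not-yet-processed messages. It is untyped;
// consumers should use a checked type assertion (v, ok := x.(T)) rather
// than assuming the dynamic type.
var rawChan chan interface{}

// cookedChan carries fully processed events.
var cookedChan chan Event

// syscallTable maps a syscall number to its name. Only numbers in
// [0, len(syscallTable)) are valid indices; a number taken from an event
// must be range-checked before indexing, otherwise an unexpected value
// panics the process.
var syscallTable [500]string

// containerdPid is the process id of the container daemon.
var containerdPid int

// pidCol, fdCol and fileCol are the database collections for processes,
// file descriptors and files respectively.
var pidCol, fdCol, fileCol mongoClient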