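package main

import (
	"fmt"
	"strings"
	"sync"
	"time"

	"go.mongodb.org/mongo-driver/bson/primitive"
)

// eventType classifies the records produced by the tracer.
type eventType int

const (
	NEWPID eventType = iota
	PIDEXIT
	EXECVE
	FILEOPEN
	FILECLOSE
	FILEWRITE
	TYPENUM // sentinel: one past the real event types; String still names it
)

// eventTypeNames is indexed by eventType. It lives at package level so that
// String does not rebuild the table on every call.
var eventTypeNames = [...]string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "TYPENUM"}

// String returns the symbolic name of et, or "Unknown" for any value
// outside [NEWPID, TYPENUM].
func (et eventType) String() string {
	if et < NEWPID || et > TYPENUM {
		return "Unknown"
	}
	return eventTypeNames[et]
}

// Event is one cooked tracer record: which process did what, with which
// syscall arguments. Field names are kept as-is because other files in the
// package reference them (exit_code/exit_signal would otherwise be MixedCaps).
type Event struct {
	tag          eventType
	timestamp    time.Time
	pid, ppid    int
	syscall      int // syscall number; used as an index into syscallTable
	syscallParam [4]uint64
	pathName     string // path supplied by the traced process
	argc         int
	argv         []string // argument vector supplied by the traced process
	cwd          string
	exit_code    uint64
	exit_signal  int
}

// syscallName resolves nr through syscallTable. The number comes from the
// traced process, not from this program, so the lookup is bounds-checked:
// an out-of-range or unpopulated entry prints as "unknown(nr)" instead of
// panicking inside String.
func syscallName(nr int) string {
	if nr < 0 || nr >= len(syscallTable) || syscallTable[nr] == "" {
		return fmt.Sprintf("unknown(%d)", nr)
	}
	return syscallTable[nr]
}

// String renders the event as a multi-line, human-readable record.
//
// argv entries and pathName originate from the traced process, so they are
// printed with %q: a newline or control character embedded in an argument is
// escaped rather than being able to forge additional lines in the output.
// For plain strings %q produces exactly the quoted form the previous
// %s-based format did.
func (event Event) String() string {
	var b strings.Builder
	fmt.Fprintf(&b, "tag: %v\ntimestamp: %v\nppid: %d\npid: %d\n",
		event.tag, event.timestamp.Local(), event.ppid, event.pid)
	fmt.Fprintf(&b, "syscall: %s\nexit_code: %d\nargs: \n",
		syscallName(event.syscall), event.exit_code)
	for _, arg := range event.argv {
		fmt.Fprintf(&b, "\t%q\n", arg)
	}
	b.WriteString("syscallParam: ")
	for _, p := range event.syscallParam {
		fmt.Fprintf(&b, "\t\"%d\"\n", p)
	}
	fmt.Fprintf(&b, "pathName: %q\n------\n", event.pathName)
	return b.String()
}

// pidExec records one execve performed by a tracked process.
type pidExec struct {
	timestamp time.Time `bson:"timestamp"`
	execArgs  []string  `bson:"execArgs"`
}

// pid is the per-process document stored in MongoDB.
//
// NOTE(review): apart from ID, every field below is unexported, and the
// mongo-driver bson codec only serialises exported struct fields, so these
// tags have no effect if the struct is encoded directly — confirm against the
// code that inserts these documents (not visible here) before relying on them.
type pid struct {
	// The tag previously read "ometempty", which the tag parser does not
	// recognise; a zero ObjectID was therefore written as a literal _id
	// instead of being omitted so the server can generate one.
	ID              primitive.ObjectID `bson:"_id,omitempty"`
	start_timestamp time.Time          `bson:"start_timestamp"`
	ppid            int                `bson:"ppid"`
	pid             int                `bson:"pid"`
	cwd             string             `bson:"cwd"`
	args            []string           `bson:"args"`
	execve          []pidExec          `bson:"execve"`
	children        []int              `bson:"children"`
	exit_timestamp  time.Time          `bson:"exit_timestamp"`
	exit_code       uint64             `bson:"exit_code"`
}

var (
	wg            sync.WaitGroup   // tracks the worker goroutines
	rawChan       chan interface{} // raw records from the receiver to the reshaping stage
	cookedChan    chan Event       // reshaped events ready for consumption
	syscallTable  [500]string      // syscall number -> name; entries left empty print as unknown(n)
	containerdPid int
)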