# Project background
As k8s and other cloud-native technologies spread, docker containers are used ever more widely in production. Docker is not a complete operating system: the kernel in use is still the host kernel, so in real use a container may be attacked or leak, and thereby threaten other containers or the host. We therefore need to monitor process behaviour and file modifications inside containers, so that events can be traced back after a problem occurs.
# Design
## Overall design
The project follows an MVC layout; the design is shown in the figure below:
[Figure: overall design. The listener (godo) receives netlink connector and audit log messages from the Linux kernel and sends the collected infos to mongoDB; the filter reads from and writes back to mongoDB; the Viewer reads the filtered data from mongoDB.]
The project consists of four modules: information collection, information filtering, the database, and information display. They work as follows:
- The collection module is installed on every host and **started with root privileges**. It listens for the netlink connector messages and audit messages emitted by the Linux kernel, organizes them into process-related and file-related data, and writes them to the database.
- At analysis time, the filter module connects to the database, fetches all messages and discards irrelevant content to obtain the process tree rooted at the docker daemon; on the basis of that tree it then filters and organizes the file records held in the database. When done, the filtered data is written back to the database.
- The display module gives a brief view of the filtered docker-related data.
## Information collection
[Figure: collection flow. The Linux kernel feeds the listener over two channels. Audit: (1) listen to the audit, pass msg down; (2) organize received msgs into events by transaction number; then Events. Netlink connector: (3) listen to the kernel connector, get fork/exit events, look up process info in the /proc fs, pass them down; then Events. Both Event streams reach (4) deal with events received, push pid/file info into db, which writes pid info and file change info to mongodb.]
The collection module corresponds to the listener directory of this project. It collects the audit messages and the netlink connector process messages emitted by the Linux kernel. It is split into four goroutines:
- Goroutine 1 **receives audit messages from the kernel** and passes them to goroutine 2.
- Goroutine 2 takes the messages from goroutine 1. One audit event is split across several messages that share the same timestamp and serial (transaction) number. Goroutine 2 therefore **parses each message with simple regular expressions and stores it in a hash table keyed by serial number** until the EOE record (end of this event) arrives, at which point it **sends the Event assembled from the hash table to goroutine 4**.
- Goroutine 3 receives connector messages from the kernel, extracts the process event (fork/exit) and the ids (ppid/parentTgid/pid/tgid), and looks up through the /proc file system the command-line args, current working directory cwd, root file system rootfs and docker id (read from cgroup) of the pid; it **packs these into an Event and sends it to goroutine 4**.
- Goroutine 4 **receives Events, determines their type and handles each accordingly**. The event types in the code are process fork, process exit, process execve, file open, file close, file write and root switch (pivot_root).
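As an added illustration of what goroutine 2 does (this is example code written for this page, not the listener's own source; the type names, the regular expressions and the sample lines are assumptions), the following Go program parses audit lines of the form `type=… msg=audit(ts:serial): key=value …`, keeps them in a hash table keyed by serial number, and releases the assembled event when the matching EOE record arrives, even when two events are interleaved:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuditRecord is one raw audit line after parsing (an assumed shape, not the
// project's own type); AuditEvent is the set of records sharing one serial.
type AuditRecord struct {
	Type   string            // SYSCALL, CWD, PATH, EOE, ...
	TS     string            // timestamp from msg=audit(TS:SERIAL)
	Serial string            // serial (transaction) number shared by one event
	Fields map[string]string // key=value pairs after the header
}
type AuditEvent struct {
	Serial  string
	TS      string
	Records []AuditRecord
}

// Header of every line: type=<T> msg=audit(<ts>:<serial>): <fields>
var headerRe = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$`)

// key=value or key="quoted value"
var kvRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)

// ParseAuditLine splits one line into its header and key=value fields.
func ParseAuditLine(line string) (AuditRecord, bool) {
	m := headerRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return AuditRecord{}, false
	}
	rec := AuditRecord{Type: m[1], TS: m[2], Serial: m[3], Fields: map[string]string{}}
	for _, kv := range kvRe.FindAllStringSubmatch(m[4], -1) {
		rec.Fields[kv[1]] = strings.Trim(kv[2], `"`)
	}
	return rec, true
}

// Assembler plays the role of goroutine 2: records wait in a hash table keyed
// by serial number until the EOE record for that serial arrives.
type Assembler struct {
	pending map[string]*AuditEvent
}

func NewAssembler() *Assembler { return &Assembler{pending: map[string]*AuditEvent{}} }

// Feed consumes one raw line. It returns (event, true) exactly when the line
// is the EOE that completes an event; lines that are not audit records are dropped.
func (a *Assembler) Feed(line string) (*AuditEvent, bool) {
	rec, ok := ParseAuditLine(line)
	if !ok {
		return nil, false
	}
	if rec.Type == "EOE" {
		ev, found := a.pending[rec.Serial]
		delete(a.pending, rec.Serial)
		return ev, found
	}
	ev := a.pending[rec.Serial]
	if ev == nil {
		ev = &AuditEvent{Serial: rec.Serial, TS: rec.TS}
		a.pending[rec.Serial] = ev
	}
	ev.Records = append(ev.Records, rec)
	return nil, false
}

// Pending reports how many events are still waiting for their EOE.
func (a *Assembler) Pending() int { return len(a.pending) }

// SampleAuditLines is constructed input: two interleaved events (serials 42
// and 43) in auditd's text format, plus one line that is not a record.
var SampleAuditLines = []string{
	`type=SYSCALL msg=audit(1700000000.101:42): arch=c000003e syscall=257 success=yes exit=3 pid=1234 ppid=1200 comm="sh" exe="/bin/busybox"`,
	`type=SYSCALL msg=audit(1700000000.102:43): arch=c000003e syscall=257 success=yes exit=4 pid=1235 ppid=1200 comm="cat" exe="/bin/busybox"`,
	`type=CWD msg=audit(1700000000.101:42): cwd="/"`,
	`type=PATH msg=audit(1700000000.102:43): item=0 name="/tmp/out" inode=99 mode=0100644`,
	`type=EOE msg=audit(1700000000.102:43): `,
	`type=PATH msg=audit(1700000000.101:42): item=0 name="/etc/passwd" inode=17 mode=0100644`,
	`type=EOE msg=audit(1700000000.101:42): `,
	`not an audit record at all`,
}

func main() {
	a := NewAssembler()
	for _, line := range SampleAuditLines {
		if ev, done := a.Feed(line); done {
			fmt.Printf("event %s (%s): %d records\n", ev.Serial, ev.TS, len(ev.Records))
			for _, r := range ev.Records {
				fmt.Printf("  %-8s %v\n", r.Type, r.Fields)
			}
		}
	}
	fmt.Println("still pending:", a.Pending())
}
```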
## Information filtering
### Process filtering and optimization
First, because the listener module inserts from several threads, two messages about the same process may be handled in parallel and produce two records in the database, so the first step is to **merge multiple records with the same pid into one**.
Now to data cleaning. Docker is a client/server service, so the docker-related processes we actually care about must be descendants of the docker daemon (even though some may have been orphaned and adopted by systemd). **To filter the process data it is enough to build the process tree rooted at the daemon.** During collection the docker daemon (`/usr/bin/dockerd`) is recorded specially: its pid is marked `star=true`. Filtering mainly revolves around that pid.
- Our records are keyed by pid, but that pid is really the task id and may be a thread; tgid, the task group id, is what should be understood as the process. To build the process tree, the simplest approach is therefore to group the pids by tgid into a new structure; these structures represent processes and are the nodes of the tree, hence named tgidNode. In the same pass we can also collect the tgids of all children of each tgid.
- With the tgidNodes built, start from the tgidNode marked star and do a breadth-first traversal to obtain every tgidNode on the process tree.
Next comes **data optimization**:
- All processes with the same docker id share one rootfs, but in the records only one process per docker id has performed pivot_root, so this must be propagated.
- Different threads (pids) of the same process (tgid) may carry different ppid/parentTgid values. When the process (pid==tgid) was created its parent was still alive, but by the time a thread was created later the original parent may have died and the process may have been adopted by systemd, so the recorded ppid/parentTgid is wrong. To resolve this, every pid is checked and corrected where the problem exists, so that tracing back by pid does not fail.
- Some pids may never receive a corresponding exit message. To partially address this, the exit time of the process (that is, of the pid with pid==tgid) is recorded as the exit time of any of its pids lacking an exit timestamp. This completion is for use in the file processing that follows.
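The process steps above (merge duplicate pid rows, group by tgid into tgidNodes, repair the parent of re-parented threads, fill missing exit times from the main thread, then walk breadth-first from the starred node) as one added Go example; this is illustration code written for this page, not the filter's own source, and the row layout, the names `PidRecord`/`TgidNode` and the sample rows are assumptions:

```go
package main

import "fmt"

// PidRecord is one task row as the listener stores it (assumed shape, not the
// project's own type); TgidNode is one process, a node of the process tree.
type PidRecord struct {
	Pid, Tgid, ParentTgid int
	Star                  bool  // marked on the dockerd task at collection time
	Exit                  int64 // exit timestamp, 0 if no exit message arrived
}
type TgidNode struct {
	Tgid, ParentTgid int
	Pids             []*PidRecord
	Children         []int
	Exit             int64
}

// BuildTgidNodes merges duplicate pid rows, groups pids by tgid, repairs the
// parentTgid of threads recorded after re-parenting, and fills in missing
// exit timestamps from the main thread (pid == tgid).
func BuildTgidNodes(recs []PidRecord) map[int]*TgidNode {
	nodes, tgids, byPid := map[int]*TgidNode{}, []int{}, map[int]*PidRecord{}
	for i := range recs {
		r := recs[i] // copy, so the caller's rows are left untouched
		if prev, dup := byPid[r.Pid]; dup { // second row from a parallel insert
			if prev.Exit == 0 {
				prev.Exit = r.Exit
			}
			continue
		}
		byPid[r.Pid] = &r
		n := nodes[r.Tgid]
		if n == nil {
			n = &TgidNode{Tgid: r.Tgid, ParentTgid: r.ParentTgid}
			nodes[r.Tgid], tgids = n, append(tgids, r.Tgid)
		}
		n.Pids = append(n.Pids, &r)
	}
	for _, t := range tgids { // input order keeps Children deterministic
		n := nodes[t]
		if m := byPid[t]; m != nil { // main thread: parent and exit time are authoritative
			n.ParentTgid, n.Exit = m.ParentTgid, m.Exit
		}
		for _, r := range n.Pids {
			r.ParentTgid = n.ParentTgid // thread that saw systemd as parent: repair
			if r.Exit == 0 {
				r.Exit = n.Exit // no exit message: assume the process's exit
			}
		}
		if p := nodes[n.ParentTgid]; p != nil {
			p.Children = append(p.Children, t)
		}
	}
	return nodes
}

// DockerTree walks breadth-first from the starred (dockerd) node; every tgid
// has one parent, so no visited set is needed.
func DockerTree(nodes map[int]*TgidNode) (tree []int) {
	var queue []int
	for _, n := range nodes {
		for _, r := range n.Pids {
			if r.Star {
				queue = []int{n.Tgid}
			}
		}
	}
	for len(queue) > 0 {
		t := queue[0]
		queue, tree = append(queue[1:], nodes[t].Children...), append(tree, t)
	}
	return tree
}

// Constructed sample: dockerd (100, thread 101) -> containerd-shim (200) -> shell
// (300, inserted twice; thread 301 re-parented to 1) plus host daemon 900 and child 901.
var SamplePids = []PidRecord{
	{Pid: 100, Tgid: 100, ParentTgid: 1, Star: true},
	{Pid: 101, Tgid: 100, ParentTgid: 1},
	{Pid: 200, Tgid: 200, ParentTgid: 100},
	{Pid: 300, Tgid: 300, ParentTgid: 200},
	{Pid: 300, Tgid: 300, ParentTgid: 200, Exit: 5000},
	{Pid: 301, Tgid: 300, ParentTgid: 1},
	{Pid: 900, Tgid: 900, ParentTgid: 1},
	{Pid: 901, Tgid: 901, ParentTgid: 900},
}

func main() {
	nodes := BuildTgidNodes(SamplePids)
	for _, t := range DockerTree(nodes) {
		n := nodes[t]
		fmt.Printf("tgid=%d parent=%d children=%v exit=%d\n", t, n.ParentTgid, n.Children, n.Exit)
		for _, r := range n.Pids {
			fmt.Printf("  pid=%d parentTgid=%d exit=%d\n", r.Pid, r.ParentTgid, r.Exit)
		}
	}
}
```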
### File filtering
As is well known, on Linux a process operates on files through system calls and file descriptors.
During recording, since a Linux process obtains a file descriptor from the open system call given a file name and permissions, and both use and close operate on the descriptor rather than the name, closed files and still-open files must be recorded separately. On a write, the record is looked up by pid+fd among the opened-but-not-yet-closed files and the write time is noted; on close, the record is removed from the fd table, the close time is added, and it is stored with the closed files.
When organizing the data, however, both tables contain write records and should be treated alike. All records from both tables are extracted and filtered, keeping only those whose pid is on the process tree; then, for files not yet closed, the exit time of the pid is looked up and, if recorded, the file is considered closed when the pid exited.
Finally, the process tree of tgidNodes and the filtered files are all written to the database.
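The recording side (open/write/close tracked by pid+fd across an open table and a closed table) and the filtering side (keep rows on the tree, close still-open rows at the pid's exit time) as one added Go example; this is illustration code written for this page, not the listener's or filter's own source, and the names `FileTables`/`FilterFiles`, the row layout and the replayed event sequence are assumptions. The tree pids and their exit times are supplied as a constructed map, as the process step would produce them:

```go
package main

import (
	"fmt"
	"sort"
)

// FileRecord is one row of the open or the closed file table (assumed shape,
// not the project's own type).
type FileRecord struct {
	Pid, Fd     int
	Path        string
	OpenTS      int64
	LastWriteTS int64 // 0 if the descriptor was never written
	CloseTS     int64 // 0 while the row is still in the open table
}

type fdKey struct{ Pid, Fd int }

// FileTables mirrors the listener's two tables: descriptors still open, found
// by pid+fd, and files already closed.
type FileTables struct {
	Open   map[fdKey]*FileRecord
	Closed []FileRecord
}

func NewFileTables() *FileTables { return &FileTables{Open: map[fdKey]*FileRecord{}} }

// OnOpen records a successful open; from now on pid+fd identifies the file.
func (t *FileTables) OnOpen(pid, fd int, path string, ts int64) {
	t.Open[fdKey{pid, fd}] = &FileRecord{Pid: pid, Fd: fd, Path: path, OpenTS: ts}
}

// OnWrite notes the write time on an open descriptor; an fd never seen opened is ignored.
func (t *FileTables) OnWrite(pid, fd int, ts int64) bool {
	r, ok := t.Open[fdKey{pid, fd}]
	if ok {
		r.LastWriteTS = ts
	}
	return ok
}

// OnClose moves the row from the open table to the closed table.
func (t *FileTables) OnClose(pid, fd int, ts int64) bool {
	k := fdKey{pid, fd}
	r, ok := t.Open[k]
	if ok {
		r.CloseTS = ts
		t.Closed = append(t.Closed, *r)
		delete(t.Open, k)
	}
	return ok
}

// FilterFiles merges both tables and keeps only rows whose pid is on the tree;
// exitOf maps tree pids to exit time (0 = still running), used to close open rows.
func FilterFiles(t *FileTables, exitOf map[int]int64) []FileRecord {
	open := make([]FileRecord, 0, len(t.Open))
	for _, r := range t.Open {
		open = append(open, *r)
	}
	sort.Slice(open, func(i, j int) bool { return open[i].OpenTS < open[j].OpenTS })
	var out []FileRecord
	for _, f := range append(append([]FileRecord{}, t.Closed...), open...) {
		exit, onTree := exitOf[f.Pid]
		if !onTree {
			continue // process outside the dockerd tree: discard
		}
		if f.CloseTS == 0 && exit != 0 {
			f.CloseTS = exit // never closed: treat as closed when the pid exited
		}
		out = append(out, f)
	}
	return out
}

// SampleTables replays a constructed event sequence: pids 200, 300 and 301
// belong to a container (300/301 exit at 5000, 200 keeps running), 901 does not.
func SampleTables() *FileTables {
	t := NewFileTables()
	t.OnOpen(300, 3, "/etc/passwd", 4000)
	t.OnWrite(300, 3, 4100)
	t.OnClose(300, 3, 4200)
	t.OnOpen(901, 3, "/var/log/auth.log", 4050)
	t.OnWrite(901, 3, 4150)
	t.OnClose(901, 3, 4300)
	t.OnOpen(301, 4, "/tmp/notes.txt", 4500)
	t.OnWrite(301, 4, 4600) // never closed: its pid exits at 5000
	t.OnOpen(200, 5, "/run/containerd/shim.sock", 4700)
	t.OnWrite(200, 7, 4800) // fd 7 was never seen opened: ignored
	return t
}

var SampleExitOf = map[int]int64{200: 0, 300: 5000, 301: 5000}

func main() {
	for _, f := range FilterFiles(SampleTables(), SampleExitOf) {
		fmt.Printf("pid=%d fd=%d %-26s written=%d closed=%d\n", f.Pid, f.Fd, f.Path, f.LastWriteTS, f.CloseTS)
	}
}
```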
## Information display
With the process tree and the detailed file-modification records now available, they only need to be shown. At present, once filtering completes, the filter module prints the process tree, the process details and the file-modification records directly to standard output.
# Building and running
Building and running the project is straightforward.
After cloning the project:
```bash
git submodule update --init   # fetch the vendored submodules
cd listener
go build -o godo              # the collection module
cd ../filter
go build -o filter            # the filtering module
```
Once built, place godo on the host and run it; **godo must run as root**. It takes several command-line flags, which `sudo ./godo -h` lists. Note:
- Flags are given with an equals sign; for example the `-diag` flag writes the raw kernel audit messages to the named file, used as `sudo ./godo -diag=1.txt`.
- The default database is a local mongodb on port 27017; to connect to another database, pass its address with the `-mongo` flag in the form `ip:port`. No mongodb username or password is configured here; access is simply left open. The database name used is "test".
- The backlog size defaults to 1GB and is given in bytes; it is better to err on the larger side.
- filter is placed on the machine hosting the database and connects to it. It reads the database test and writes the database cooked.
The filter program is placed directly on the **machine hosting the database**; when a trace-back is needed, simply run filter (the database has no account/password control) and it prints the process tree, the arguments of each process, and the final list of changed files.