package main
import (
	"fmt"
	"strings"
	"sync"
	"time"

	"go.mongodb.org/mongo-driver/bson/primitive"
)
// eventType tags the kind of traced event carried by an Event.
type eventType int

// The event kinds. TYPENUM is the last declared value and is still
// accepted by String, so the valid range is [NEWPID, TYPENUM].
const (
	NEWPID eventType = iota
	PIDEXIT
	EXECVE
	FILEOPEN
	FILECLOSE
	FILEWRITE
	TYPENUM
)

// String returns the symbolic name of the event type, or "Unknown" for
// any value outside [NEWPID, TYPENUM].
func (et eventType) String() string {
	switch et {
	case NEWPID:
		return "NEWPID"
	case PIDEXIT:
		return "PIDEXIT"
	case EXECVE:
		return "EXECVE"
	case FILEOPEN:
		return "FILEOPEN"
	case FILECLOSE:
		return "FILECLOSE"
	case FILEWRITE:
		return "FILEWRITE"
	case TYPENUM:
		return "TYPENUM"
	default:
		return "Unknown"
	}
}
// Event is one traced kernel event after it has been decoded from the
// raw channel. Its String method renders every field below.
type Event struct {
	tag       eventType // kind of event (see eventType)
	timestamp time.Time // when the event occurred; printed in local time by String
	pid, ppid int       // process and parent process ids of the subject
	syscall   int       // syscall number; used as an index into syscallTable by String
	exit_code uint64    // exit/return code reported with the event
	argc      int       // presumably len(argv) as seen by the kernel — not used by String; verify against the producer
	argv      []string  // argument vector of the process; printed verbatim by String
	cwd       string    // working directory of the process; not used by String
	syscallParam [4]uint64 // first four raw syscall parameters
	pathName  string    // path associated with the event (file events)
}
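// String renders the event as a multi-line dump in the same layout as
// before: tag, timestamp (local time), ppid, pid, syscall name, exit code,
// one quoted argv entry per line, the four raw syscall parameters, and the
// path name, terminated by a "------" separator.
//
// Two details are deliberate. The syscall number comes from the traced
// kernel events and is not trusted to be in range, so it is bounds-checked
// against syscallTable instead of indexing the array directly (an
// out-of-range number previously panicked the reader). argv entries and
// the path are written with %q, so a process whose arguments contain
// newlines or quotes cannot forge extra lines in the dump; for plain
// printable strings the output is byte-identical to the old "\"%s\"" form.
func (event Event) String() string {
	var b strings.Builder

	fmt.Fprintf(&b, "tag: %v\ntimestamp: %v\nppid: %d\npid: %d\n",
		event.tag, event.timestamp.Local(), event.ppid, event.pid)

	// Resolve the syscall name defensively; unknown numbers are still shown.
	var name string
	if nr := event.syscall; nr >= 0 && nr < len(syscallTable) {
		name = syscallTable[nr]
	} else {
		name = fmt.Sprintf("unknown(%d)", event.syscall)
	}
	fmt.Fprintf(&b, "syscall: %s\nexit_code: %d\nargs: \n", name, event.exit_code)

	for _, arg := range event.argv {
		fmt.Fprintf(&b, "\t%q\n", arg)
	}

	b.WriteString("syscallParam: ")
	for _, p := range event.syscallParam {
		fmt.Fprintf(&b, "\t\"%d\"\n", p)
	}

	fmt.Fprintf(&b, "pathName: %q\n------\n", event.pathName)
	return b.String()
}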
// pidExec records one execve observed for a process: when it happened and
// the argument vector it was invoked with.
//
// NOTE(review): both fields are unexported. BSON struct tags only take
// effect on exported fields with the driver's default struct codec, so
// these look like they would not be persisted — confirm against the code
// that writes pidExec values to Mongo.
type pidExec struct {
	timestamp time.Time `bson:"timestamp"` // time of the execve
	execArgs  []string  `bson:"execArgs"`  // argv passed to execve
}
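// pid is the per-process record persisted to Mongo: identity, lineage,
// initial arguments and working directory, every execve observed, the
// child pids spawned, and the exit status once the process is gone.
//
// The ID tag option was previously misspelled "ometempty", which the BSON
// codec would not recognise; with "omitempty" a zero ObjectID is left out
// on insert so the server can assign one instead of storing the all-zero id.
//
// NOTE(review): every field except ID is unexported. BSON struct tags only
// take effect on exported fields with the driver's default struct codec, so
// as written only _id would be stored — confirm against the code that
// inserts pid values. Exporting the fields is an interface change for the
// rest of this file, so it is not done here.
type pid struct {
	ID              primitive.ObjectID `bson:"_id,omitempty"`   // Mongo document id; omitted when zero
	start_timestamp time.Time          `bson:"start_timestamp"` // time the process was first seen
	ppid            int                `bson:"ppid"`            // parent process id
	pid             int                `bson:"pid"`             // process id
	cwd             string             `bson:"cwd"`             // working directory at start
	args            []string           `bson:"args"`            // initial argument vector
	execve          []pidExec          `bson:"execve"`          // execve calls observed, in order
	children        []int              `bson:"children"`        // pids of spawned children
	exit_timestamp  time.Time          `bson:"exit_timestamp"`  // time the process exited
	exit_code       uint64             `bson:"exit_code"`       // exit status reported at exit
}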
// Package-level plumbing shared by the collector goroutines.
var (
	// wg tracks the worker goroutines so the program can wait for them.
	wg sync.WaitGroup

	// rawChan carries events from the receiving stage to the decoding stage.
	rawChan chan interface{}

	// cookedChan carries fully decoded Events out of the decoding stage.
	cookedChan chan Event

	// syscallTable maps a syscall number to its name; Event.String indexes it.
	syscallTable [500]string

	// containerdPid is the pid of the containerd process being tracked.
	containerdPid int
)