package main

import (
	"fmt"
	"sync"
	"time"

	"go.mongodb.org/mongo-driver/bson/primitive"
)

// eventType classifies an Event. The constants below are contiguous from 0,
// and TYPENUM is the last one, so it doubles as an upper bound for range checks.
type eventType int

const (
	NEWPID eventType = iota
	PIDEXIT
	EXECVE
	FILEOPEN
	FILECLOSE
	FILEWRITE
	TYPENUM // sentinel; String still prints it by name
)

// String returns the constant's name. Any value outside [NEWPID, TYPENUM]
// (including negative ones) prints as "Unknown" rather than panicking.
func (et eventType) String() string {
	switch et {
	case NEWPID:
		return "NEWPID"
	case PIDEXIT:
		return "PIDEXIT"
	case EXECVE:
		return "EXECVE"
	case FILEOPEN:
		return "FILEOPEN"
	case FILECLOSE:
		return "FILECLOSE"
	case FILEWRITE:
		return "FILEWRITE"
	case TYPENUM:
		return "TYPENUM"
	default:
		return "Unknown"
	}
}

// Event is one parsed record passed through cookedChan; String renders it
// for logs. Which fields are meaningful depends on tag (e.g. argv/cwd for an
// exec, exit_code/exit_signal for an exit) — NOTE(review): inferred from the
// field names, confirm against the producer.
type Event struct {
	tag          eventType // kind of event; see the eventType constants
	timestamp    time.Time // when the event was observed; String prints it in local time
	pid, ppid    int       // process and parent-process ids
	syscall      int       // syscall number; String resolves it through syscallTable
	syscallParam [4]uint64 // four raw syscall arguments — TODO confirm which ones the producer fills
	pathName     string    // path involved in the event, if any; untrusted (comes from the observed process)
	argc         int       // number of exec arguments — presumably len(argv); confirm
	argv         []string  // exec arguments; untrusted (attacker-controlled content)
	cwd          string    // working directory of the process, if recorded
	exit_code    uint64    // exit status; printed by String
	exit_signal  int       // signal that terminated the process, if any — confirm semantics
}

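// String renders the event as a multi-line, human-readable dump for logs:
// one "key: value" line per field, each argv and syscallParam entry on its own
// indented line, and a "------" trailer.
//
// argv and pathName originate from the observed (untrusted) process, so they
// are printed with %q: an embedded newline or quote is escaped and cannot forge
// extra log lines. For ordinary values the output is identical to plain quoting.
// The syscall number is bounds-checked before indexing syscallTable, so an
// unexpected or malformed number yields "unknown(N)" instead of a panic.
func (event Event) String() string {
	// Resolve the syscall name defensively: syscallTable is a fixed-size array
	// and the number is filled in by the producer, not validated here.
	syscallName := fmt.Sprintf("unknown(%d)", event.syscall)
	if event.syscall >= 0 && event.syscall < len(syscallTable) && syscallTable[event.syscall] != "" {
		syscallName = syscallTable[event.syscall]
	}

	res := fmt.Sprintf("tag: %v\ntimestamp: %v\nppid: %d\npid: %d\n",
		event.tag, event.timestamp.Local(), event.ppid, event.pid)
	res += fmt.Sprintf("syscall: %s\nexit_code: %d\nargs: \n", syscallName, event.exit_code)
	for _, arg := range event.argv {
		res += fmt.Sprintf("\t%q\n", arg)
	}
	res += "syscallParam: "
	for _, param := range event.syscallParam {
		res += fmt.Sprintf("\t\"%d\"\n", param)
	}
	res += fmt.Sprintf("pathName: %q\n------\n", event.pathName)
	return res
}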

// pidExec records one execve performed by a tracked process, stored as a
// sub-document of pid.execve (see the bson tags).
// NOTE(review): both fields are unexported; the mongo-driver's default struct
// codec only encodes exported fields, so these tags are likely inert and the
// sub-document would be written empty — verify against the driver version in
// go.mod and export the fields (keeping the bson names) if so.
type pidExec struct {
	timestamp time.Time `bson:"timestamp"`
	execArgs  []string  `bson:"execArgs"`
}

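// pid is the MongoDB document kept for one tracked process: its lineage,
// initial arguments, every execve it performed, its children and its exit.
//
// ID carries the Mongo _id. The option is "omitempty" so a zero ObjectID is
// left out and the driver can generate one on insert; the tag was previously
// misspelled "ometempty", which the tag parser presumably ignored, so every
// insert would have written the all-zero _id.
//
// NOTE(review): every other field is unexported; the mongo-driver's default
// struct codec skips unexported fields, so as written only _id would reach the
// database — verify, and export the fields (keeping the bson names) if so.
type pid struct {
	ID              primitive.ObjectID `bson:"_id,omitempty"`
	start_timestamp time.Time          `bson:"start_timestamp"` // first seen
	ppid            int                `bson:"ppid"`
	pid             int                `bson:"pid"`
	cwd             string             `bson:"cwd"`
	args            []string           `bson:"args"`   // arguments at start
	execve          []pidExec          `bson:"execve"` // subsequent execve calls
	children        []int              `bson:"children"`
	exit_timestamp  time.Time          `bson:"exit_timestamp"`
	exit_code       uint64             `bson:"exit_code"`
}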

// Package-level state shared by the collector pipeline; it is initialised and
// wired up elsewhere (presumably in main).
// NOTE(review): mutable package state — if any of these is written by more than
// one goroutine it needs synchronisation; confirm in the producers/consumers.
var (
	// wg tracks the worker goroutines so the caller can wait for them.
	wg sync.WaitGroup
	// rawChan carries raw, not-yet-parsed input from the receiver to the
	// stage that turns it into Events.
	rawChan chan interface{}
	// cookedChan carries fully parsed Events to their consumer.
	cookedChan chan Event
	// syscallTable maps a syscall number to its name; Event.String looks
	// entries up by event.syscall.
	syscallTable [500]string
	// containerdPid is the pid of the containerd process being watched
	// (NOTE(review): inferred from the name — confirm).
	containerdPid int
)