package main

import (
	"flag"
	"fmt"
	"log"
	"os"
	"os/exec"
	"time"

	"github.com/elastic/go-libaudit/v2"
)

// fs is the collector's own FlagSet. It is parsed explicitly in main
// (fs.Parse(os.Args[1:])) rather than via the global flag set, so the
// usage text is printed under the name "audit" and a bad flag exits
// the process (flag.ExitOnError).
var fs = flag.NewFlagSet("audit", flag.ExitOnError)

// Flag values; all are pointers that only become meaningful after fs.Parse.
var (
	// diag: file to dump the raw kernel messages to ("" = no dump).
	diag = fs.String("diag", "", "dump raw information from kernel to file")
	// rate: kernel-side rate limit; 0 means unlimited.
	rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
	// backlog: kernel audit backlog limit.
	backlog = fs.Uint("backlog", 8192, "backlog limit")
	// immutable: lock the kernel audit configuration; only a reboot undoes it.
	immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
	// receiveOnly: listen on the multicast group instead of owning the socket.
	receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
)

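// main installs kernel audit rules for the process-lifecycle syscalls,
// seeds the process table with containerd, parses the command line and
// then blocks in read() consuming audit events.
//
// It must run as root: auditctl and the audit netlink socket require it.
// figureOutSyscalls, getPid, read, pids, process and containerdPid are
// defined elsewhere in the package.
func main() {
	// Report the effective uid, which is what the check tests; the
	// original printed the gid here, which is misleading in the message.
	if os.Geteuid() != 0 {
		fmt.Printf("Err: Please run me as root, %d!\n", os.Geteuid())
		return
	}

	// Parse flags before touching kernel state, so -h or a bad flag
	// (flag.ExitOnError) exits without first wiping the host's audit rules.
	if err := fs.Parse(os.Args[1:]); err != nil {
		log.Fatal(err)
	}

	// Build the syscall number -> name table. As before, a failure is
	// reported but not fatal; events may then carry only numbers.
	if err := figureOutSyscalls(); err != nil {
		fmt.Printf("Error figuring out syscall numbers: %v\n", err)
	}

	// Without rules there is nothing to monitor, so a failure is fatal
	// instead of silently running blind.
	if err := installAuditRules(); err != nil {
		fmt.Printf("Error installing audit rules: %v\n", err)
		return
	}

	// Locate containerd, the root of the process tree we track.
	var err error
	containerdPid, err = getPid()
	if err != nil {
		fmt.Printf("Error finding containerd: %v\n", err)
		return
	}

	// PID 1 is deliberately kept out of the tree: adding it would drag in
	// every other child of init. containerd is seeded as the root instead,
	// with its argv set directly rather than appended after a Load.
	pids.Store(containerdPid, &process{
		ppid:     1,
		pid:      containerdPid,
		argv:     []string{"/usr/bin/containerd"},
		cwd:      "/",
		rootfs:   "/",
		children: make([]int, 0),
	})

	if err := read(); err != nil {
		log.Fatalf("error: %v", err)
	}
}

// installAuditRules replaces the kernel audit rule set with one
// "exit,always" rule per process-lifecycle syscall (fork, vfork, clone,
// execve, exit, exit_group). It returns an error if any rule could not
// be added; auditctl's own output is included in the message.
func installAuditRules() error {
	// "auditctl -D" drops every existing rule on the host, not just ours.
	// A failure here (e.g. the rule set was locked) is reported but not
	// fatal; the "-a" calls below fail loudly if rules cannot be changed.
	if out, err := exec.Command("auditctl", "-D").CombinedOutput(); err != nil {
		fmt.Printf("Warning: auditctl -D failed: %v: %s\n", err, out)
	}

	syscalls := [...]string{"fork", "vfork", "clone", "execve", "exit", "exit_group"}
	for _, sc := range syscalls {
		// Only the 64-bit ABI is filtered (arch=b64); callers using the
		// 32-bit compat ABI would not be recorded by these rules.
		cmd := exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", sc)
		if out, err := cmd.CombinedOutput(); err != nil {
			return fmt.Errorf("auditctl -S %s: %w: %s", sc, err, out)
		}
	}
	return nil
}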

// coroutine creates the two pipeline channels, starts the three stages
// (receive, orgnaze, deal) as goroutines and blocks until all of them
// have called wg.Done. rawChan, cookedChan, wg, Event and the three stage
// functions are package-level names defined elsewhere in this file.
//
// NOTE(review): nothing here stops the stages; the function returns only
// once they exit on their own.
func coroutine(client *libaudit.AuditClient) {
	rawChan = make(chan interface{})
	cookedChan = make(chan Event)

	// Register all three stages up front, before any of them can finish.
	wg.Add(3)
	go receive(client)
	go orgnaze()
	go deal()

	wg.Wait()
	// Grace period after the stages return — presumably to let buffered
	// output drain; TODO confirm why this is needed.
	time.Sleep(2 * time.Second)
}