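// EventCallback is the audit event handler registered by Atrace. It decodes
// the syscall fields of one auditd record, maintains the traced-process table
// for exit and clone-family syscalls, and prints the resolved call to stdout.
//
// ae is the parsed audit record; ce is the error channel supplied by the audit
// library and is not used by this handler; args[0] must be the *Atrace that
// registered the callback. Records whose tracer argument is missing or whose
// syscall number cannot be resolved are skipped instead of crashing the
// consumer.
func EventCallback(ae *audit.AuditEvent, ce chan error, args ...interface{}) {
	// The tracer state arrives through the variadic args; a missing or
	// mistyped argument must not take the whole audit consumer down with a
	// panic on args[0] or on a nil *Atrace.
	if len(args) == 0 {
		return
	}
	at, ok := args[0].(*Atrace)
	if !ok || at == nil {
		return
	}

	// auditd SYSCALL records carry pid/syscall/exit in decimal and the
	// argument registers in hex. The second return of GetValueInt is not
	// checked: a missing field parses to zero. NOTE(review): for "pid" and
	// "syscall" that silently attributes the record to pid 0 / syscall 0 —
	// confirm this is acceptable or reject such records.
	pid, _ := ae.GetValueInt("pid", 10)
	syscallid, _ := ae.GetValueInt("syscall", 10)
	a0, _ := ae.GetValueInt("a0", 16)
	a1, _ := ae.GetValueInt("a1", 16)
	a2, _ := ae.GetValueInt("a2", 16)
	a3, _ := ae.GetValueInt("a3", 16)
	a4, _ := ae.GetValueInt("a4", 16)
	a5, _ := ae.GetValueInt("a5", 16)
	exit, _ := ae.GetValueInt("exit", 10)

	// Snapshot the process record under the lock; the switch below reads it
	// without holding l_processes.
	at.l_processes.Lock()
	process := at.processes[pid]
	at.l_processes.Unlock()

	// TODO: Review "task" auditd messages.
	switch syscallid {
	case syscall.SYS_EXIT:
		at.l_processes.Lock()
		delete(at.processes, pid)
		at.l_processes.Unlock()
	case syscall.SYS_CLONE, syscall.SYS_FORK, syscall.SYS_VFORK:
		// Follow children only when the traced process asked for it. The
		// exit value of a clone-family call is its return value, which is
		// handed to AddProcess (presumably as the child pid — verify).
		if process.recursive {
			at.AddProcess(exit, process.syscalls, process.recursive)
		}
	}

	// Resolve the number to a named syscall for display; an unknown number
	// or an unbuildable call description is not worth printing.
	scRes := syscallinfo.NewResolver(linux_amd64.SyscallTable)
	sc, err := scRes.SyscallN(syscallid)
	if err != nil {
		return
	}
	scc, err := syscallinfo.NewSyscallCall(sc, exit, a0, a1, a2, a3, a4, a5)
	if err != nil {
		return
	}
	fmt.Printf("[%d] %s\n", pid, scc)
	os.Stdout.Sync()
}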
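// EventCallback is the audit event handler registered by Atrace. It decodes
// the syscall fields of one auditd record, resolves them into a syscall call
// description, appends that description to the traced process's sccList,
// registers children of clone-family calls, and prints the call to stdout.
//
// ae is the parsed audit record; ce is the error channel supplied by the audit
// library and is not used by this handler; args[0] must be the *Atrace that
// registered the callback. Records whose tracer argument is missing, whose
// syscall number is unknown, or whose call description cannot be built are
// skipped instead of crashing the consumer.
func EventCallback(ae *audit.AuditEvent, ce chan error, args ...interface{}) {
	// The tracer state arrives through the variadic args; a missing or
	// mistyped argument must not take the whole audit consumer down with a
	// panic on args[0] or on a nil *Atrace.
	if len(args) == 0 {
		return
	}
	at, ok := args[0].(*Atrace)
	if !ok || at == nil {
		return
	}

	// auditd SYSCALL records carry pid/syscall/exit in decimal and the
	// argument registers in hex. The second return of GetValueInt is not
	// checked: a missing field parses to zero. NOTE(review): for "pid" and
	// "syscall" that silently attributes the record to pid 0 / syscall 0 —
	// confirm this is acceptable or reject such records.
	pid, _ := ae.GetValueInt("pid", 10)
	scNR, _ := ae.GetValueInt("syscall", 10)
	a0, _ := ae.GetValueInt("a0", 16)
	a1, _ := ae.GetValueInt("a1", 16)
	a2, _ := ae.GetValueInt("a2", 16)
	a3, _ := ae.GetValueInt("a3", 16)
	a4, _ := ae.GetValueInt("a4", 16)
	a5, _ := ae.GetValueInt("a5", 16)
	exit, _ := ae.GetValueInt("exit", 10)

	// Resolve the number to a named syscall and build the call description;
	// an unknown number or an unbuildable description ends processing here.
	r := syscallinfo.NewResolver(linux_amd64.SyscallTable)
	sc, err := r.SyscallN(scNR)
	if err != nil {
		return
	}
	scc, err := syscallinfo.NewSyscallCall(sc, uint64(exit), uint64(a0), uint64(a1), uint64(a2), uint64(a3), uint64(a4), uint64(a5))
	if err != nil {
		return
	}

	// Record the call against the traced process. The record is written
	// back so the append is not lost if processes stores values rather than
	// pointers; an untracked pid leaves the table untouched.
	at.l_processes.Lock()
	process, tracked := at.processes[pid]
	if tracked {
		process.sccList = append(process.sccList, scc)
		at.processes[pid] = process
	}
	at.l_processes.Unlock()

	switch scNR {
	case syscall.SYS_EXIT:
		// delete(at.processes, pid) is disabled here, so records survive
		// process exit and the table only ever grows; re-enable the removal
		// if retaining finished processes is not intended.
	case syscall.SYS_CLONE, syscall.SYS_FORK, syscall.SYS_VFORK:
		// The process.recursive guard is disabled: every clone-family call
		// registers its return value (presumably the child pid — verify)
		// with AddProcess.
		at.AddProcess(exit, process.scList, process.recursive)
	}

	fmt.Printf("[%v] %v\n", pid, scc)
	os.Stdout.Sync()
}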