2 Star 1 Fork 0

李玮 / trireme-lib

加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
linux.go 6.26 KB
一键复制 编辑 原始数据 按行查看 历史
李玮 提交于 2020-02-05 19:51 . add getinfo params
package extractors
import (
"crypto/md5"
"debug/elf"
"fmt"
"io"
"net"
"os"
"os/user"
"strconv"
"strings"
"time"
"git.cloud.top/DSec/trireme-lib/common"
"git.cloud.top/DSec/trireme-lib/controller/constants"
"git.cloud.top/DSec/trireme-lib/policy"
"git.cloud.top/DSec/trireme-lib/utils/cgnetcls"
portspec "git.cloud.top/DSec/trireme-lib/utils/portspec"
"github.com/shirou/gopsutil/process"
)
// LinuxMetadataExtractorType is a type of Linux metadata extractors
type LinuxMetadataExtractorType func(event *common.EventInfo) (*policy.PURuntime, error)
// DefaultHostMetadataExtractor is a host specific metadata extractor
func DefaultHostMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error) {
runtimeTags := policy.NewTagStore()
for _, tag := range event.Tags {
parts := strings.SplitN(tag, "=", 2)
if len(parts) != 2 {
return nil, fmt.Errorf("invalid tag: %s", tag)
}
runtimeTags.AppendKeyValue("@usr:"+parts[0], parts[1])
}
options := &policy.OptionsType{
CgroupName: event.PUID,
CgroupMark: strconv.FormatUint(cgnetcls.MarkVal(), 10),
Services: event.Services,
Getinfo: event.Getinfo,
}
runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}
return policy.NewPURuntime(event.Name, int(event.PID), "", runtimeTags, runtimeIps, event.PUType, options), nil
}
// SystemdEventMetadataExtractor is a systemd based metadata extractor
// TODO: Remove OLDTAGS
func SystemdEventMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error) {
runtimeTags := policy.NewTagStore()
for _, tag := range event.Tags {
parts := strings.SplitN(tag, "=", 2)
if len(parts) != 2 {
return nil, fmt.Errorf("invalid tag: %s", tag)
}
key, value := parts[0], parts[1]
if strings.HasPrefix(key, "@app:linux:") {
runtimeTags.AppendKeyValue(key, value)
continue
}
runtimeTags.AppendKeyValue("@usr:"+key, value)
}
userdata := ProcessInfo(event.PID)
for _, u := range userdata {
runtimeTags.AppendKeyValue("@sys:"+u, "true")
runtimeTags.AppendKeyValue("@app:linux:"+u, "true")
}
runtimeTags.AppendKeyValue("@sys:hostname", findFQDN(time.Second))
runtimeTags.AppendKeyValue("@os:hostname", findFQDN(time.Second))
options := policy.OptionsType{}
for index, s := range event.Services {
if s.Port != 0 && s.Ports == nil {
if pspec, err := portspec.NewPortSpec(s.Port, s.Port, nil); err == nil {
event.Services[index].Ports = pspec
event.Services[index].Port = 0
} else {
return nil, fmt.Errorf("Invalid Port Spec %s", err)
}
}
}
options.Services = event.Services
options.UserID, _ = runtimeTags.Get("@usr:originaluser")
options.CgroupMark = strconv.FormatUint(cgnetcls.MarkVal(), 10)
options.AutoPort = event.AutoPort
runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}
return policy.NewPURuntime(event.Name, int(event.PID), "", runtimeTags, runtimeIps, event.PUType, &options), nil
}
// ProcessInfo returns all metadata captured by a process
func ProcessInfo(pid int32) []string {
userdata := []string{}
p, err := process.NewProcess(pid)
if err != nil {
return userdata
}
uids, err := p.Uids()
if err != nil {
return userdata
}
groups, err := p.Gids()
if err != nil {
return userdata
}
username, err := p.Username()
if err != nil {
return userdata
}
for _, uid := range uids {
userdata = append(userdata, "uid:"+strconv.Itoa(int(uid)))
}
for _, gid := range groups {
userdata = append(userdata, "gid:"+strconv.Itoa(int(gid)))
}
userdata = append(userdata, "username:"+username)
userid, err := user.Lookup(username)
if err != nil {
return userdata
}
gids, err := userid.GroupIds()
if err != nil {
return userdata
}
for i := 0; i < len(gids); i++ {
userdata = append(userdata, "gids:"+gids[i])
group, err := user.LookupGroupId(gids[i])
if err != nil {
continue
}
userdata = append(userdata, "groups:"+group.Name)
}
return userdata
}
// ComputeFileMd5 computes the Md5 of a file
func ComputeFileMd5(filePath string) ([]byte, error) {
var result []byte
file, err := os.Open(filePath)
if err != nil {
return result, err
}
defer file.Close() //nolint : errcheck
hash := md5.New()
if _, err := io.Copy(hash, file); err != nil {
return result, err
}
return hash.Sum(result), nil
}
func findFQDN(expiration time.Duration) string {
hostname, err := os.Hostname()
if err != nil {
return "unknown"
}
// Try to find FQDN
globalHostname := make(chan string, 1)
go func() {
addrs, err := net.LookupIP(hostname)
if err != nil {
globalHostname <- hostname
return
}
for _, addr := range addrs {
ip, err := addr.MarshalText()
if err != nil {
globalHostname <- hostname
return
}
hosts, err := net.LookupAddr(string(ip))
if err != nil || len(hosts) == 0 {
globalHostname <- hostname
return
}
fqdn := hosts[0]
globalHostname <- strings.TrimSuffix(fqdn, ".") // return fqdn without trailing dot
}
}()
// Use OS hostname if we dont hear back in a second
select {
case <-time.After(expiration):
return hostname
case name := <-globalHostname:
return name
}
}
// Libs returns the list of dynamic library dependencies of an executable
func Libs(binpath string) []string {
f, err := elf.Open(binpath)
if err != nil {
return []string{}
}
libraries, _ := f.ImportedLibraries()
return libraries
}
// policyExtensions retrieves policy extensions. Moving this function from extractor package.
func policyExtensions(runtime policy.RuntimeReader) (extensions policy.ExtendedMap) {
if runtime == nil {
return nil
}
if runtime.Options().PolicyExtensions == nil {
return nil
}
if extensions, ok := runtime.Options().PolicyExtensions.(policy.ExtendedMap); ok {
return extensions
}
return nil
}
// IsHostmodePU returns true if puType stored by policy extensions is hostmode PU
func IsHostmodePU(runtime policy.RuntimeReader, mode constants.ModeType) bool {
if runtime == nil {
return false
}
if mode != constants.LocalServer {
return false
}
return runtime.PUType() == common.HostPU || runtime.PUType() == common.HostNetworkPU
}
// IsHostPU returns true if puType stored by policy extensions is host PU
func IsHostPU(runtime policy.RuntimeReader, mode constants.ModeType) bool {
if runtime == nil {
return false
}
if mode != constants.LocalServer {
return false
}
return runtime.PUType() == common.HostPU
}
1
https://gitee.com/emmoblin/trireme-lib.git
git@gitee.com:emmoblin/trireme-lib.git
emmoblin
trireme-lib
trireme-lib
7726874a2b9a

搜索帮助

14c37bed 8189591 565d56ea 8189591