cmd/safe/safe.go

@@ -7,7 +7,6 @@ import (
 	"path/filepath"
 	"strings"
 	"sysmonitord/internal/config"
-	"sysmonitord/internal/scanner/process"
 	"sysmonitord/internal/storage"
 	"sysmonitord/pkg/logger"
 	"time"
@@ -57,7 +56,7 @@ func readKeyWithESC() (string, error) {
 func interactiveSafe(cfg *config.Config) {
 	dataDir := cfg.Storage.DataDir
 
-	dubiousFiles, err := readDubiousFileList(filepath.Join(dataDir, cfg.Storage.DubiousFileListFile))
+	dubiousFiles, err := readDubiousList(filepath.Join(dataDir, cfg.Storage.DubiousFileListFile))
 	if err != nil {
 		fmt.Printf("无法读取可疑文件列表: %v\n", err)
 		return
@@ -67,16 +66,6 @@ func interactiveSafe(cfg *config.Config) {
 		return
 	}
 
-	dubiousProcesses, err := storage.LoadDubiousProcesses(dataDir, cfg.Storage.DubiousProcessListFile)
-	if err != nil {
-		fmt.Printf("无法读取可疑进程列表: %v\n", err)
-		return
-	}
-	if len(dubiousProcesses) == 0 {
-		fmt.Println("没有可疑进程需要处理。")
-		return
-	}
-
 	fmt.Println("\n╔══════════════════════════════════════════════╗")
 	fmt.Println("║           可疑文件清单 (" + fmt.Sprintf("%d", len(dubiousFiles)) + "个)                 ║")
 	fmt.Println("╠══════════════════════════════════════════════╣")
@@ -86,18 +75,8 @@ func interactiveSafe(cfg *config.Config) {
 	}
 	fmt.Println("╚══════════════════════════════════════════════╝")
 
-	fmt.Println("\n╔══════════════════════════════════════════════╗")
-	fmt.Println("║           可疑进程清单 (" + fmt.Sprintf("%d", len(dubiousProcesses)) + "个)                 ║")
-	fmt.Println("╠══════════════════════════════════════════════╣")
-	for _, proc := range dubiousProcesses {
-		fmt.Printf("║ %-45s║\n", fmt.Sprintf("%s (%s)", proc.Name, proc.Path))
-	}
-	fmt.Println("╚══════════════════════════════════════════════╝")
-
 	fmt.Println("\n请选择操作:")
 	fmt.Println("[1] 将以上可疑文件全部确认为安全 (移至白名单)")
-	fmt.Println("[2] 将以上可疑进程全部确认为安全 (移至白名单)")
-	fmt.Println("[3] 全部确认安全 (文件和进程)")
 	// Todo: 支持逐个确认
 	fmt.Println("[ESC] 退出不处理")
 	fmt.Print("请输入选项: ")
@@ -116,34 +95,14 @@ func interactiveSafe(cfg *config.Config) {
 		} else {
 			fmt.Println("已将可疑文件移入白名单。")
 		}
-	case "2":
-		fmt.Println("正在处理...")
-		if err := confirmProcessesAsSafe(cfg, dubiousProcesses); err != nil {
-			fmt.Printf("处理失败: %v\n", err)
-		} else {
-			fmt.Println("已将可疑进程移入白名单。")
-		}
-	case "3":
-		fmt.Println("正在处理...")
-		if err := confirmFilesAsSafe(cfg, dubiousFiles); err != nil {
-			fmt.Printf("处理失败: %v\n", err)
-		} else {
-			fmt.Println("已将可疑文件移入白名单。")
-		}
-		if err := confirmProcessesAsSafe(cfg, dubiousProcesses); err != nil {
-			fmt.Printf("处理失败: %v\n", err)
-		} else {
-			fmt.Println("已将可疑进程移入白名单。")
-		}
 	case "ESC":
 		fmt.Println("已取消操作。")
 	default:
 		fmt.Println("无效选项，已退出。")
 	}
-
 }
 
-func readDubiousFileList(filePath string) ([]storage.DubiousFileInfo, error) {
+func readDubiousList(filePath string) ([]storage.DubiousFileInfo, error) {
 	file, err := os.Open(filePath)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -172,41 +131,6 @@ func readDubiousFileList(filePath string) ([]storage.DubiousFileInfo, error) {
 	return list, scanner.Err()
 }
 
-func confirmProcessesAsSafe(cfg *config.Config, processes []storage.DubiousProcessInfo) error {
-	dataDir := cfg.Storage.DataDir
-	whiteListPath := filepath.Join(dataDir, cfg.Storage.ProcessSystemFile)
-	// dubiousFile := filepath.Join(dataDir, cfg.Storage.DubiousProcessListFile)
-
-	f, err := os.OpenFile(whiteListPath, os.O_APPEND|os.O_WRONLY, 0644)
-	if err != nil {
-		return fmt.Errorf("无法打开白名单文件: %v", err)
-	}
-	defer f.Close()
-
-	var toWhitelist []process.ProcessInfo
-	for _, proc := range processes {
-		toWhitelist = append(toWhitelist, process.ProcessInfo{
-			Name:     proc.Name,
-			Path:     proc.Path,
-			FileHash: proc.FileHash,
-		})
-	}
-
-	if err := storage.AppendProcessToWhitelist(toWhitelist, dataDir, cfg.Storage.ProcessSystemFile); err != nil {
-		return fmt.Errorf("更新白名单失败: %v", err)
-	}
-
-	logger.Log.Debug("已将可疑进程移入白名单", zap.Int("count", len(toWhitelist)))
-
-	// Todo: 逐个删除条目
-	if err := storage.RemoveDubiousProcesses(dataDir, cfg.Storage.DubiousProcessListFile, []storage.DubiousProcessInfo{}); err != nil {
-		return fmt.Errorf("删除可疑进程列表失败: %v", err)
-	}
-
-	return nil
-
-}
-
 func confirmFilesAsSafe(cfg *config.Config, files []storage.DubiousFileInfo) error {
 	dataDir := cfg.Storage.DataDir
 	whiteListPath := filepath.Join(dataDir, cfg.Storage.FileSystemFile)
@@ -225,7 +149,7 @@ func confirmFilesAsSafe(cfg *config.Config, files []storage.DubiousFileInfo) err
 		if _, err := writer.WriteString(line); err != nil {
 			return fmt.Errorf("写入白名单失败: %v", err)
 		}
-		logger.Log.Debug("已将可疑文件移入白名单", zap.String("path", file.Path), zap.String("hash", file.Hash))
+		logger.Log.Info("已将可疑文件移入白名单", zap.String("path", file.Path), zap.String("hash", file.Hash))
 	}
 	if err := writer.Flush(); err != nil {
 		return fmt.Errorf("刷新写入缓冲区失败: %v", err)

config.yaml.example

@@ -30,18 +30,17 @@ scanner:
     interval: 300 # seconds
 
 storage:
-  data_dir: "/var/lib/sysmonitord"
+  data_dir: "./data"
   process_system_file: "process_system.data"
   file_system_file: "file_system.data"
   dubious_file_list_file: "dubious_files.data"
   dubious_process_list_file: "dubious_processes.data"
 
 notification:
-  interval: 5 # minutes
   email:
     enabled: true
     recipients:
-      -
+      - admin@wuko.top
     smtp:
       server:
       port: 465

internal/config/config.go

@@ -9,8 +9,7 @@ type Config struct {
 }
 
 type NotificationConfig struct {
-	Email    EmailConfig `yaml:"email"`
+	Email EmailConfig `yaml:"email"`
-	Interval int         `yaml:"interval"`
 }
 
 type EmailConfig struct {

internal/monitor/watcher/watcher.go

@@ -78,11 +78,6 @@ func (w *Watcher) eventLoop() {
 				return
 			}
 
-			// 忽略不需要监控的路径
-			if w.shouldIgnore(event.Name) {
-				continue
-			}
-
 			// 添加新创建的目录到监听列表
 			if event.Op&fsnotify.Create == fsnotify.Create {
 				info, err := os.Stat(event.Name)
@@ -137,35 +132,3 @@ func (w *Watcher) addPath(path string) {
 func (w *Watcher) Errors() <-chan error {
 	return w.fsnWatcher.Errors
 }
-
-func (w *Watcher) shouldIgnore(path string) bool {
-	dataDir := w.cfg.Storage.DataDir
-
-	absDataDir, err := filepath.Abs(dataDir)
-	if err != nil {
-		absDataDir = dataDir
-	}
-
-	absPath, err := filepath.Abs(path)
-	if err != nil {
-		absPath = path
-	}
-
-	if strings.HasPrefix(absPath, absDataDir) {
-		// 忽略数据目录下的指定文件
-		fileSystemName := w.cfg.Storage.FileSystemFile
-		processListName := w.cfg.Storage.ProcessSystemFile
-		dubiousFileName := w.cfg.Storage.DubiousFileListFile
-		dubiousProcessName := w.cfg.Storage.DubiousProcessListFile
-
-		if strings.HasSuffix(absPath, fileSystemName) ||
-			strings.HasSuffix(absPath, processListName) ||
-			strings.HasSuffix(absPath, dubiousFileName) ||
-			strings.HasSuffix(absPath, dubiousProcessName) {
-			logger.Log.Debug("[monitor] 忽略数据目录下的文件", zap.String("path", absPath))
-			return true
-		}
-	}
-
-	return false
-}

internal/notifier/alert_manager.go

@@ -34,7 +34,7 @@ func NewAlerter(cfg config.NotificationConfig) *Alerter {
 		mailer:    mail.NewMailer(cfg.Email),
 		eventChan: make(chan AlertEvent, 100),
 		buffer:    make([]AlertEvent, 0),
-		interval:  time.Duration(cfg.Interval) * time.Minute,
+		interval:  30 * time.Second, // Todo: 可配置化
 	}
 }
 

internal/storage/storage.go

@@ -124,8 +124,7 @@ func SaveDubiousProcesses(proc DubiousProcessInfo, dataDir string, dubiousProces
 
 	writer := bufio.NewWriter(f)
 
-	line := fmt.Sprintf("%s:%s:%s\n",
+	line := fmt.Sprintf("%d:%s:%s:%s:%s\n", proc.PID, proc.Name, proc.Path, proc.Cmdline, proc.DiscoveredAt)
-		proc.Name, proc.Path, proc.FileHash)
 	if _, err := writer.WriteString(line); err != nil {
 		return err
 	}
@@ -133,77 +132,6 @@ func SaveDubiousProcesses(proc DubiousProcessInfo, dataDir string, dubiousProces
 	return writer.Flush()
 }
 
-func LoadDubiousProcesses(dataDir string, dubiousProcessFile string) ([]DubiousProcessInfo, error) {
-	filePath := filepath.Join(dataDir, dubiousProcessFile)
-	f, err := os.Open(filePath)
-	if err != nil {
-		return nil, fmt.Errorf("[storage]无法打开可疑进程记录文件%s: %w", filePath, err)
-	}
-	defer f.Close()
-
-	var processes []DubiousProcessInfo
-	scanner := bufio.NewScanner(f)
-	for scanner.Scan() {
-		line := scanner.Text()
-		if line == "" || strings.HasPrefix(line, "#") {
-			continue
-		}
-		parts := strings.Split(line, ":")
-		if len(parts) >= 3 {
-			processes = append(processes, DubiousProcessInfo{
-				Name:     parts[0],
-				Path:     parts[1],
-				FileHash: parts[2],
-			})
-		}
-	}
-	return processes, scanner.Err()
-}
-
-func AppendProcessToWhitelist(procs []process.ProcessInfo, dataDir string, processSystemFile string) error {
-	filePath := filepath.Join(dataDir, processSystemFile)
-	f, err := os.OpenFile(filePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
-	if err != nil {
-		return fmt.Errorf("[storage]无法创建或打开进程白名单文件%s: %w", filePath, err)
-	}
-	defer f.Close()
-
-	writer := bufio.NewWriter(f)
-
-	for _, p := range procs {
-		line := p.String() + "\n"
-		if _, err := writer.WriteString(line); err != nil {
-			return err
-		}
-	}
-
-	return writer.Flush()
-}
-
-func RemoveDubiousProcesses(dataDir string, dubiousProcessFile string, toKeep []DubiousProcessInfo) error {
-	filePath := filepath.Join(dataDir, dubiousProcessFile)
-	if len(toKeep) == 0 {
-		return os.Remove(filePath)
-	}
-
-	f, err := os.Create(filePath)
-	if err != nil {
-		return fmt.Errorf("[storage]无法创建可疑进程记录文件%s: %w", filePath, err)
-	}
-	defer f.Close()
-
-	writer := bufio.NewWriter(f)
-
-	for _, proc := range toKeep {
-		line := fmt.Sprintf("%s:%s:%s\n", proc.Name, proc.Path, proc.FileHash)
-		if _, err := writer.WriteString(line); err != nil {
-			return err
-		}
-	}
-
-	return writer.Flush()
-}
-
 func SaveDubiousFiles(files DubiousFileInfo, dataDir string, dubiousFileName string) error {
 	filePath := filepath.Join(dataDir, dubiousFileName)