wk233/sysmonitord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: wk233:9970e93665ebc68a331615bd9b112ee16a5fff1a
Branches Tags
wk233:main
..
compare: wk233:99eb6c2aed1d50abf72f0eec8c708fd0d76370a3
Branches Tags
wk233:main

No commits in common. "9970e93665ebc68a331615bd9b112ee16a5fff1a" and "99eb6c2aed1d50abf72f0eec8c708fd0d76370a3" have entirely different histories.
9970e93665 ... 99eb6c2aed

8 changed files with 9 additions and 171 deletions
Show Stats Expand all files Collapse all files

9
cmd/start/start.go
View File

@ -95,13 +95,6 @@ var StartCmd = &cobra.Command{
mon.Start() mon.Start()
// ====== 初始化文件检测器 ======
fileDetector, err := detector.NewFileDetector(cfg)
if err != nil {
logger.Log.Error("初始化文件检测器失败", zap.Error(err))
os.Exit(1)
}
// ====== 启动进程检测定时任务 ====== // ====== 启动进程检测定时任务 ======
procDetector := detector.NewProcessDetector(cfg) procDetector := detector.NewProcessDetector(cfg)
procScheduler := timer.NewScheduler(time.Duration(cfg.Scanner.Process.Interval)*time.Second, procDetector) procScheduler := timer.NewScheduler(time.Duration(cfg.Scanner.Process.Interval)*time.Second, procDetector)
@ -122,8 +115,8 @@ var StartCmd = &cobra.Command{
) )
if event.FileInfo != nil { if event.FileInfo != nil {
// Todo: 处理文件系统事件,例如更新白名单、触发告警等
logger.Log.Debug("文件详情", zap.Int64("size", event.FileInfo.Size())) logger.Log.Debug("文件详情", zap.Int64("size", event.FileInfo.Size()))
fileDetector.HandleEvent(event.Path, event.Op.String())
} }
case err := <-mon.Errors(): case err := <-mon.Errors():

1
config.yaml
View File

@ -33,4 +33,3 @@ storage:
data_dir: "./data" data_dir: "./data"
process_system_file: "process_system.data" process_system_file: "process_system.data"
file_system_file: "file_system.data" file_system_file: "file_system.data"
dubious_file_list_file: "dubious_files.data"

1
internal/config/config.go
View File

@ -36,7 +36,6 @@ type StorageConfig struct {
DataDir string `yaml:"data_dir"` DataDir string `yaml:"data_dir"`
ProcessSystemFile string `yaml:"process_system_file"` ProcessSystemFile string `yaml:"process_system_file"`
FileSystemFile string `yaml:"file_system_file"` FileSystemFile string `yaml:"file_system_file"`
DubiousFileListFile string `yaml:"dubious_file_list_file"`
} }
type FileScannerConfig struct { type FileScannerConfig struct {

0
internal/monitor/detector/process_detector.go → internal/monitor/detector/detector.go
View File

98
internal/monitor/detector/file_detector.go
View File

@ -1,98 +0,0 @@
package detector
import (
"sync"
"sysmonitord/internal/config"
"sysmonitord/internal/scanner/hash"
"sysmonitord/internal/storage"
"sysmonitord/pkg/logger"
"time"
"go.uber.org/zap"
)
type FileDetector struct {
cfg *config.Config
whiteList map[string]string
storageDir string
mu sync.RWMutex
}
func NewFileDetector(cfg *config.Config) (*FileDetector, error) {
d := &FileDetector{
cfg: cfg,
storageDir: cfg.Storage.DataDir,
}
if err := d.loadWhiteList(); err != nil {
return nil, err
}
return d, nil
}
func (d *FileDetector) loadWhiteList() error {
whiteMap, err := storage.LoadFileSystemWhitelist(d.cfg.Storage.DataDir, d.cfg.Storage.FileSystemFile)
if err != nil {
logger.Log.Warn("[monitor] 加载文件白名单失败, 使用空白名单...", zap.Error((err)))
d.whiteList = make(map[string]string)
return nil
}
d.whiteList = whiteMap
logger.Log.Info("[monitor] 文件白名单加载成功", zap.Int("count", len(d.whiteList)))
return nil
}
func (d *FileDetector) HandleEvent(eventPath string, opStr string) {
// Todo: 忽略临时文件等
info, err := storage.GetFileInfo(eventPath)
if err != nil {
logger.Log.Warn("[monitor] 获取文件信息失败", zap.String("path", eventPath), zap.Error(err))
return
}
if info.IsDir() {
return
}
hashCfg, err := d.cfg.GetHashConfig()
if err != nil {
logger.Log.Warn("[monitor] 获取哈希配置失败", zap.Error(err))
return
}
curHash, err := hash.Calculate(eventPath, info.Size(), hashCfg)
if err != nil {
logger.Log.Warn("[monitor] 计算文件哈希失败", zap.String("path", eventPath), zap.Error(err))
return
}
d.mu.RLock()
whiteHash, exist := d.whiteList[eventPath]
d.mu.RUnlock()
isSuspicious := false
reason := ""
if !exist {
// 新文件
isSuspicious = true
reason = "新文件"
} else if whiteHash != curHash {
// 文件被修改
isSuspicious = true
reason = "文件被修改"
}
if isSuspicious {
logger.Log.Warn("[monitor] 可疑文件事件", zap.String("path", eventPath), zap.String("reason", reason), zap.String("hash", curHash))
dubiousInfo := storage.DubiousFileInfo{
Path: eventPath,
Hash: curHash,
DiscoveredAt: time.Now().Format("2006-01-02 15:04:05"),
}
if err := storage.SaveDubiousFiles(dubiousInfo, d.storageDir, d.cfg.Storage.DubiousFileListFile); err != nil {
logger.Log.Error("[monitor] 保存可疑文件信息失败", zap.String("path", eventPath), zap.Error(err))
}
}
}

6
internal/monitor/watcher/watcher.go
View File

@ -42,7 +42,7 @@ func (w *Watcher) Start() {
for _, path := range paths { for _, path := range paths {
if _, err := os.Stat(path); os.IsNotExist(err) { if _, err := os.Stat(path); os.IsNotExist(err) {
logger.Log.Warn("[monitor] 路径不存在", zap.String("path", path)) fmt.Printf("[monitor] 路径不存在: %s\n", path)
continue continue
} }
@ -72,7 +72,7 @@ func (w *Watcher) eventLoop() {
if !ok { if !ok {
return return
} }
logger.Log.Error("[monitor] 监听错误", zap.Error(err)) fmt.Printf("[monitor] 监听错误: %v\n", err)
case event, ok := <-w.fsnWatcher.Events: case event, ok := <-w.fsnWatcher.Events:
if !ok { if !ok {
return return
@ -121,7 +121,7 @@ func (w *Watcher) addPath(path string) {
} }
if err := w.fsnWatcher.Add(subPath); err != nil { if err := w.fsnWatcher.Add(subPath); err != nil {
logger.Log.Error("[monitor] 添加监听失败", zap.String("path", subPath), zap.Error(err)) fmt.Printf("[monitor] 添加监听失败: %s, 错误: %v\n", subPath, err)
} }
} }

2
internal/scanner/file/scanner.go
View File

@ -63,7 +63,7 @@ func (s *Scanner) Scan() ([]FileInfo, error) {
progressbar.OptionShowIts(), progressbar.OptionShowIts(),
progressbar.OptionSetItsString("files"), progressbar.OptionSetItsString("files"),
progressbar.OptionOnCompletion(func() { progressbar.OptionOnCompletion(func() {
logger.Log.Info("[scan]文件哈希计算完成") fmt.Fprintln(os.Stderr, "\n[scan]文件哈希计算完成")
}), }),
) )

55
internal/storage/storage.go
View File

@ -5,7 +5,6 @@ import (
"fmt" "fmt"
"os" "os"
"path/filepath" "path/filepath"
"strings"
"sysmonitord/internal/scanner/file" "sysmonitord/internal/scanner/file"
"sysmonitord/internal/scanner/process" "sysmonitord/internal/scanner/process"
"sysmonitord/pkg/logger" "sysmonitord/pkg/logger"
@ -97,57 +96,3 @@ func SaveFileSystem(files []file.FileInfo, dataDir string, fileSystemFile string
return nil return nil
} }
type DubiousFileInfo struct {
Path string
Hash string
DiscoveredAt string
}
func SaveDubiousFiles(files DubiousFileInfo, dataDir string, dubiousFileName string) error {
filePath := filepath.Join(dataDir, dubiousFileName)
f, err := os.OpenFile(filePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
if err != nil {
return fmt.Errorf("[storage]无法创建或打开可疑文件记录文件%s: %w", filePath, err)
}
defer f.Close()
writer := bufio.NewWriter(f)
line := fmt.Sprintf("%s:%s:%s\n", files.Path, files.Hash, files.DiscoveredAt)
if _, err := writer.WriteString(line); err != nil {
return err
}
return writer.Flush()
}
func LoadFileSystemWhitelist(dataDir string, fileSystemFile string) (map[string]string, error) {
filePath := filepath.Join(dataDir, fileSystemFile)
f, err := os.Open(filePath)
if err != nil {
return nil, fmt.Errorf("[storage]无法打开文件系统白名单文件%s: %w", filePath, err)
}
defer f.Close()
whitelist := make(map[string]string)
scanner := bufio.NewScanner(f)
for scanner.Scan() {
line := scanner.Text()
if strings.HasPrefix(line, "#") || line == "" {
continue
}
parts := strings.SplitN(line, ":", 2)
if len(parts) >= 2 {
whitelist[parts[0]] = parts[1]
}
}
return whitelist, nil
}
func GetFileInfo(path string) (os.FileInfo, error) {
return os.Stat(path)
}