Use Go Modules && Add Logger/Global Cache for UserSpace Agent(Golang)

.gitignore

@@ -44,7 +44,6 @@
 *.pdb
 
 # Kernel Module Compile Results
-*.mod*
 *.cmd
 .tmp_versions/
 modules.order
@@ -65,4 +64,4 @@ Cargo.lock
 
 .DS_Store
 .idea/
-.vscode/
+.vscode/

agent_golang/src/common/cache.go

@@ -1 +1,47 @@
 package common
+
+import (
+	"github.com/allegro/bigcache"
+	"time"
+)
+
+func NewCache(ttl int, MaxEntrySize int, HardMaxCacheSize int) (*bigcache.BigCache, error) {
+	config := bigcache.Config{
+		// number of shards (must be a power of 2)
+		Shards: 1024,
+		// time after which entry can be evicted
+		LifeWindow:  time.Duration(ttl) * time.Second,
+		CleanWindow: 15 * time.Second,
+		// rps * lifeWindow, used only in initial memory allocation
+		MaxEntriesInWindow: 1000 * 10 * 60,
+		// max entry size in bytes, used only in initial memory allocation
+		MaxEntrySize: MaxEntrySize,
+		// prints information about additional memory allocation
+		Verbose: false,
+		// cache will not allocate more memory than this limit, value in MB
+		// if value is reached then the oldest entries can be overridden for the new ones
+		// 0 value means no size limit
+		HardMaxCacheSize: HardMaxCacheSize,
+		// callback fired when the oldest entry is removed because of its expiration time or no space left
+		// for the new entry, or because delete was called. A bitmask representing the reason will be returned.
+		// Default value is nil which means no callback and it prevents from unwrapping the oldest entry.
+		OnRemove: nil,
+		// OnRemoveWithReason is a callback fired when the oldest entry is removed because of its expiration time or no space left
+		// for the new entry, or because delete was called. A constant representing the reason will be passed through.
+		// Default value is nil which means no callback and it prevents from unwrapping the oldest entry.
+		// Ignored if OnRemove is specified.
+		OnRemoveWithReason: nil,
+	}
+
+	cache, initErr := bigcache.NewBigCache(config)
+	return cache, initErr
+}
+
+func GetGlobalCache() *bigcache.BigCache {
+	c, err := NewCache(120, 2048, 64)
+	if err != nil {
+		return nil
+	}
+
+	return c
+}

agent_golang/src/common/logger.go

@@ -1 +1,12 @@
 package common
+
+import (
+	"github.com/rs/zerolog"
+	"os"
+)
+
+func LogInit() zerolog.Logger {
+	logFile, _ := os.OpenFile("/var/log/smith_hids.log", os.O_RDWR|os.O_CREATE|os.O_APPEND, 0644)
+	log := zerolog.New(logFile).With().Caller().Timestamp().Logger()
+	return log
+}

agent_golang/src/go.mod

@@ -0,0 +1,9 @@
+module agent_golang
+
+go 1.13
+
+require (
+	github.com/allegro/bigcache v1.2.1
+	github.com/rs/zerolog v1.15.0
+	github.com/stretchr/testify v1.4.0 // indirect
+)

agent_golang/src/go.sum

@@ -0,0 +1,25 @@
+github.com/allegro/bigcache v1.2.1 h1:hg1sY1raCwic3Vnsvje6TT7/pnZba83LeFck5NrFKSc=
+github.com/allegro/bigcache v1.2.1/go.mod h1:Cb/ax3seSYIx7SuZdm2G2xzfwmv3TPSk2ucNfQESPXM=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
+github.com/rs/zerolog v1.15.0 h1:uPRuwkWF4J6fGsJ2R0Gn2jB1EQiav9k3S6CSdygQJXY=
+github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

agent_golang/src/main.go

@@ -8,11 +8,22 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"os"
+	"./common"
 )
 
+var GlobalCache = common.GetGlobalCache()
+var Logger = common.LogInit()
+
 func AgentInit() {
 	C.init()
 	C.shm_init()
+	if GlobalCache == nil {
+		AgentClose()
+		Logger.Error().Msg("Global Cache Init Error")
+		os.Exit(1)
+	}
+	Logger.Info().Msg("AgentSmith-HIDS Start")
 }
 
 func AgentClose() {
@@ -27,6 +38,68 @@ func GetMsgFromKernel(c chan string) {
 	}
 }
 
+func GetUserNameByUid(uid string) (string, error) {
+	uidTmp, err := strconv.Atoi(uid)
+	if err != nil {
+		return "", err
+	}
+
+	return C.GoString(C.get_user(C.uid_t(uidTmp))), nil
+}
+
+func ParserMsg(msgChan chan string) {
+	for {
+		res := ""
+		userNmae := ""
+
+		msg := <-msgChan
+		msgList := strings.Split(msg, "\n")
+
+		msgType := msgList[1]
+		uidStr := msgList[0]
+
+		cacheRes, err := GlobalCache.Get(uidStr)
+
+		if err != nil {
+			Logger.Error().Err(err)
+		} else if cacheRes == nil {
+			userNmae, err = GetUserNameByUid(uidStr)
+			if err != nil {
+				Logger.Error().Err(err)
+			}
+
+			err = GlobalCache.Set(uidStr, []byte(userNmae))
+			if err != nil {
+				Logger.Error().Err(err)
+			}
+		} else {
+			userNmae = string(cacheRes)
+		}
+
+		msgList = append(msgList, userNmae)
+
+		switch msgType {
+		case "59":
+			res = ParserExecveMsg(msgList)
+		case "42":
+			res = ParserConnectMsg(msgList)
+		case "175":
+			res = ParserInitMsg(msgList)
+		case "313":
+			res = ParserFinitMsg(msgList)
+		case "43":
+			res = ParserAcceptMsg(msgList)
+		case "101":
+			res = ParserPtraceMsg(msgList)
+		case "601":
+			res = ParserDNSMsg(msgList)
+		case "602":
+			res = ParserCreateFileMsg(msgList)
+		}
+		fmt.Println(res)
+	}
+}
+
 func ParserExecveMsg(msg []string) string {
 	jsonStr := "{\"uid\":\"" + msg[0] + "\",\"syscall\":\"" + msg[1] + "\",\"run_path\":\"" + msg[2] + "\",\"elf\":\"" + msg[3] + "\",\"argv\":\"" + msg[4] + "\",\"pid\":\"" + msg[5] + "\",\"ppid\":\"" + msg[6] + "\",\"pgid\":\"" + msg[7] + "\",\"tgid\":\"" + msg[8] + "\",\"comm\":\"" + msg[9] + "\",\"nodename\":\"" + msg[10] + "\",\"stdin\":\"" + msg[11] + "\",\"stdout\":\"" + msg[12] + "\",\"pid_rootkit_check\":\"" + msg[13] + "\",\"file_rootkit_check\":\"" + msg[14] + "\",\"time\":\"" + msg[15] + "\",\"user\":\"" + msg[16] + "\"}"
 	return jsonStr
@@ -67,42 +140,6 @@ func ParserCreateFileMsg(msg []string) string {
 	return jsonStr
 }
 
-func ParserMsg(msgChan chan string) {
-	for {
-		res := ""
-		msg := <-msgChan
-		msgList := strings.Split(msg, "\n")
-		msgType := msgList[1]
-		uidTmp, err := strconv.Atoi(msgList[0])
-		if err != nil {
-			continue
-		}
-
-		uid := C.uid_t(uidTmp)
-		userNmae := C.GoString(C.get_user(uid))
-		msgList = append(msgList, userNmae)
-		switch msgType {
-		case "59":
-			res = ParserExecveMsg(msgList)
-		case "42":
-			res = ParserConnectMsg(msgList)
-		case "175":
-			res = ParserInitMsg(msgList)
-		case "313":
-			res = ParserFinitMsg(msgList)
-		case "43":
-			res = ParserAcceptMsg(msgList)
-		case "101":
-			res = ParserPtraceMsg(msgList)
-		case "601":
-			res = ParserDNSMsg(msgList)
-		case "602":
-			res = ParserCreateFileMsg(msgList)
-		}
-		fmt.Println(res)
-	}
-}
-
 func main() {
 	msgChan := make(chan string, 1000)
 	AgentInit()