@taziden
Created January 3, 2017 15:44
Tracking malware creation using a custom Sysdig chisel
--[[
Copyright (C) 2014 Draios inc.
Copyright (C) 2016 Sysnove
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
--]]
-- Chisel description
-- Chisel metadata (global by design: sysdig reads these names, so no `local`).
description = "This chisel intercepts all writes to a set a files defined by a filter."
short_description = "This chisel intercepts all writes to a set a files defined by a filter."
category = "I/O"

-- Argument list: this chisel takes no arguments; its filter is fixed in on_init().
args = {}
-- Imports and globals
require "common"
-- Initialization callback
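-- Initialization callback: requests the fields on_event() reads, selects the
-- output format and installs the capture filter.
-- Returns true so sysdig keeps the chisel loaded.
function on_init()
  -- Field handles are intentionally global: on_event() reads them.
  -- fbuf, fisw and ftid are requested but not read by on_event(); they are
  -- kept so the set of requested fields is unchanged.
  fbuf = chisel.request_field("evt.buffer")
  fdata = chisel.request_field("evt.arg.data")
  ffdname = chisel.request_field("fd.name")
  fisw = chisel.request_field("evt.is_io_write")
  fpid = chisel.request_field("proc.pid")
  fpname = chisel.request_field("proc.name")
  fres = chisel.request_field("evt.rawarg.res")
  ftid = chisel.request_field("thread.tid")
  fts = chisel.request_field("evt.time")

  -- Render buffers as ascii.
  sysdig.set_output_format("ascii")

  --[[ The filter is the part to adapt to your needs. As written it keeps:
    - write events (evt.is_io_write=true) on regular files (fd.type=file),
    - only the exit side of the call (evt.dir=<) that succeeded (evt.failed=false),
    - excluding pseudo-terminals and ttys (/dev/pt*, /dev/tty*),
    - for processes whose group.name is client1,
    - whose file name contains ".php" anywhere. This is a substring test,
      not an extension test: "index.php.bak" matches too, while a name such
      as "shell.phtml" does not. Tighten or widen the last clause accordingly.
  --]]
  local clauses = {
    "(not fd.name contains /dev/pt and not fd.name contains /dev/tty)",
    "evt.is_io_write=true",
    "fd.type=file and evt.dir=< and evt.failed=false and group.name=client1",
    "fd.filename contains .php",
  }
  chisel.set_filter(table.concat(clauses, " and "))
  return true
end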
-- Event parsing callback
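-- Event callback: prints one line per event that passed the filter, using the
-- field handles on_init() stored in globals.
-- Returns true so sysdig keeps delivering events.
function on_event()
  local data = evt.field(fdata)
  local fdname = evt.field(ffdname)
  local pid = evt.field(fpid)
  local pname = evt.field(fpname)
  local res = evt.field(fres)
  local ts = evt.field(fts)

  -- The format has six placeholders but the original passed only five values,
  -- so string.format raised on the very first event. The written payload
  -- (evt.arg.data, already extracted above but never printed) fills the last
  -- slot. tostring() keeps a missing field from raising under Lua 5.1 /
  -- LuaJIT, where %s does not accept nil.
  -- NOTE(review): `data` is the monitored process's own write buffer, as
  -- rendered under the "ascii" output format chosen in on_init(); presumably
  -- non-printable bytes are sanitised by sysdig there — confirm before piping
  -- this output into another tool.
  print(string.format("%s %s(%s) %s %s %s",
    tostring(ts), tostring(pname), tostring(pid),
    format_bytes(res), tostring(fdname), tostring(data)))
  return true
end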