diff --git a/eventhandler.go b/eventhandler.go
index f534717..99db53d 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -49,6 +49,14 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 writeDone()
 }
+ if strings.Contains(event.FileName, "daemon.json") {
+ WriteAnnotation(fmt.Sprintf("[File OverWritten] OverWrite for %s detected", dockerDaemonConfigPath))
+ }
+
+ if strings.Contains(event.FileName, "resolved.conf") {
+ WriteAnnotation(fmt.Sprintf("[File OverWritten] OverWrite for %s detected", resolvedConfigPath))
+ }
+
 // Uncomment to log file writes (only uncomment in INT env)
 // WriteLog(fmt.Sprintf("file write %s, syscall %s", event.FileName, event.Syscall))
diff --git a/procmon_linux.go b/procmon_linux.go
index 44dabb1..587c81c 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
@@ -6,14 +6,15 @@ package main
 import (
 "fmt"
+ "io/ioutil"
+ "os"
+ "strings"
+
 "github.com/elastic/go-libaudit/v2"
 "github.com/elastic/go-libaudit/v2/auparse"
 "github.com/elastic/go-libaudit/v2/rule"
 "github.com/elastic/go-libaudit/v2/rule/flags"
 "github.com/pkg/errors"
- "io/ioutil"
- "os"
- "strings"
 )
 func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
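Review bot: The two new checks match on a substring of event.FileName, so a write to any path that merely contains "daemon.json" or "resolved.conf" (a copy under another directory, a backup such as daemon.json.bak) raises a "[File OverWritten]" annotation naming dockerDaemonConfigPath or resolvedConfigPath, a file that may not have been touched. Since the audit watches added in procmon_linux.go are placed on those exact paths, the handler can compare against them instead: `if event.FileName == dockerDaemonConfigPath {` and `if event.FileName == resolvedConfigPath {`; if event.FileName is filled from the audit record's name field it may be a basename or a relative path, so confirm its form before switching to an exact compare. The annotation text also says "OverWrite" for anything the `-p w` watch reports, which includes an open for write that changes nothing, so wording it as a write would match what was observed. handleFileEvent's body begins before this hunk.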
@@ -69,6 +70,26 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 WriteLog("Agent file monitor added")
+ r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", dockerDaemonConfigPath, fileMonitorTag))
+ actualBytes, _ = rule.Build(r)
+
+ if err = client.AddRule(actualBytes); err != nil {
+ WriteLog(fmt.Sprintf("failed to add audit rule %v", err))
+ errc <- errors.Wrap(err, "failed to add audit rule")
+ }
+
+ WriteLog("Docker's daemon.json file monitor added")
+
+ r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", resolvedConfigPath, fileMonitorTag))
+ actualBytes, _ = rule.Build(r)
+
+ if err = client.AddRule(actualBytes); err != nil {
+ WriteLog(fmt.Sprintf("failed to add audit rule %v", err))
+ errc <- errors.Wrap(err, "failed to add audit rule")
+ }
+
+ WriteLog("Systemd's resolved.conf file monitor added")
+
 // syscall connect
 r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S connect -k %s", netMonitorTag))