diff --git a/agent.go b/agent.go
index a4ddaab..73498db 100644
--- a/agent.go
+++ b/agent.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "net/http"
 "os"
+ "strings"
 "time"
 "github.com/florianl/go-nflog/v2"
@@ -12,6 +13,7 @@ import (
 const (
 StepSecurityLogCorrelationPrefix = "Step Security Job Correlation ID:"
+ StepSecurityAnnotationPrefix = "StepSecurity Harden Runner:"
 EgressPolicyAudit = "audit"
 EgressPolicyBlock = "block"
 )
@@ -109,6 +111,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 ipAddress, err := dnsProxy.getIPByDomain(domainName)
 if err != nil {
 WriteLog(fmt.Sprintf("Error resolving allowed domain %v", err))
+ WriteAnnotation(fmt.Sprintf("%s Reverting agent since allowed endpoint %s could not be resolved", StepSecurityAnnotationPrefix, strings.Trim(domainName, ".")))
 RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 return err
 }
diff --git a/eventhandler.go b/eventhandler.go
index f534717..a2a52e8 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -49,6 +49,14 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 writeDone()
 }
+ if strings.Contains(event.FileName, "daemon.json") {
+ WriteAnnotation(fmt.Sprintf("%s Overwrite detected for %s", StepSecurityAnnotationPrefix, dockerDaemonConfigPath))
+ }
+
+ if strings.Contains(event.FileName, "resolved.conf") {
+ WriteAnnotation(fmt.Sprintf("%s Overwrite detected for %s", StepSecurityAnnotationPrefix, resolvedConfigPath))
+ }
+
 // Uncomment to log file writes (only uncomment in INT env)
 // WriteLog(fmt.Sprintf("file write %s, syscall %s", event.FileName, event.Syscall))
diff --git a/main.go b/main.go
index 04f27f7..999c56a 100644
--- a/main.go
+++ b/main.go
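Review bot: `strings.Trim(domainName, ".")` strips dots from both ends, whereas the only dot a resolver name carries that should be hidden is the trailing FQDN root; `strings.TrimSuffix(domainName, ".")` states that intent and leaves a malformed leading-dot entry visible in the annotation so the user can spot it in the config. The annotation interpolates domainName, a value taken from the agent's config rather than from the agent itself; if WriteAnnotation emits a GitHub workflow command, CR/LF should be stripped from the value before interpolation so a crafted entry cannot terminate the command and start another (WriteAnnotation is not visible here — confirm). Run's body starts and ends outside the hunk.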
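Review bot: `strings.Contains(event.FileName, "daemon.json")` is a substring test, so any path containing that fragment (a backup copy, a same-named file in another directory) is reported as an overwrite of `dockerDaemonConfigPath`, while the audit rule added in procmon_linux.go watches that exact path; the `resolved.conf` branch has the same mismatch. Comparing against the constants the rule was built from — `if event.FileName == dockerDaemonConfigPath {` — keeps the annotation aligned with what was actually watched, assuming event.FileName carries the absolute path from the audit record (not visible here). The annotation is also raised for every write open (the rule is `-p w`), not only overwrites, and agent.go's RevertChanges touches both files itself, so the agent's own restore would be reported as tampering unless the handler already filters out its own pid, which this hunk does not show. handleFileEvent's body starts and continues outside the hunk.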
@@ -17,9 +17,7 @@ func main() {
 ctx, cancel := context.WithCancel(ctx)
 signalChan := make(chan os.Signal, 1)
- signal.Notify(signalChan, os.Kill, syscall.SIGHUP)
-
- c := &config{}
+ signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
 defer func() {
 signal.Stop(signalChan)
@@ -29,15 +27,8 @@ func main() {
 go func() {
 for {
 select {
- case s := <-signalChan:
- switch s {
- case syscall.SIGHUP:
- c.init(agentConfigFilePath)
- case os.Interrupt:
- WriteLog("got os.kill")
- cancel()
- os.Exit(1)
- }
+ case <-signalChan:
+ WriteAnnotation(fmt.Sprintf("%s Received SIGTERM signal", StepSecurityAnnotationPrefix))
 case <-ctx.Done():
 WriteLog("called ctx.Done()")
 os.Exit(1)
diff --git a/procmon_linux.go b/procmon_linux.go
index 44dabb1..5f2be85 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
@@ -6,14 +6,15 @@ package main
 import (
 "fmt"
+ "io/ioutil"
+ "os"
+ "strings"
+
 "github.com/elastic/go-libaudit/v2"
 "github.com/elastic/go-libaudit/v2/auparse"
 "github.com/elastic/go-libaudit/v2/rule"
 "github.com/elastic/go-libaudit/v2/rule/flags"
 "github.com/pkg/errors"
- "io/ioutil"
- "os"
- "strings"
 )
 func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
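Review bot: After `case <-signalChan:` the handler now only writes an annotation and loops back into the select, so SIGINT/SIGTERM are caught (Notify suppresses the default terminate action) and then discarded: neither `cancel()` nor an exit follows, and the removed lines in this hunk were the only path that did either. If keeping the agent alive through a termination request is intended, that deserves a comment such as `// Deliberately swallow SIGINT/SIGTERM so the job cannot stop the agent; only SIGKILL ends it` — otherwise add `cancel()` after the annotation. The message hardcodes "SIGTERM" although the first hunk registers SIGINT as well; `case s := <-signalChan:` with `fmt.Sprintf("%s Received %s signal", StepSecurityAnnotationPrefix, s)` reports the signal actually received. The first hunk also drops the SIGHUP-driven `c.init(agentConfigFilePath)` reload without replacement, which is fine if nothing still sends SIGHUP to reload config but is worth stating in the commit message. main's body continues outside both hunks.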
@@ -69,6 +70,26 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 WriteLog("Agent file monitor added")
+ r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", dockerDaemonConfigPath, fileMonitorTag))
+ actualBytes, _ = rule.Build(r)
+
+ if err = client.AddRule(actualBytes); err != nil {
+ WriteLog(fmt.Sprintf("failed to add audit rule for dockerDaemonConfigPath %v", err))
+ errc <- errors.Wrap(err, "failed to add audit rule")
+ }
+
+ WriteLog("Docker's daemon.json file monitor added")
+
+ r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", resolvedConfigPath, fileMonitorTag))
+ actualBytes, _ = rule.Build(r)
+
+ if err = client.AddRule(actualBytes); err != nil {
+ WriteLog(fmt.Sprintf("failed to add audit rule for resolvedConfigPath %v", err))
+ errc <- errors.Wrap(err, "failed to add audit rule")
+ }
+
+ WriteLog("Systemd's resolved.conf file monitor added")
+
 // syscall connect
 r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S connect -k %s", netMonitorTag))
diff --git a/release-monitor.yml b/release-monitor.yml
index b71acd2..2c12eff 100644
--- a/release-monitor.yml
+++ b/release-monitor.yml
@@ -7,7 +7,7 @@ release-process:
 - artifact: agent_{{.Version}}_linux_amd64.tar.gz
 binary: agent
 build-command: go build -trimpath -ldflags="-s -w -X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123"
- go-version: 1.17.12
+ go-version: 1.17.13
 pipeline:
 github-action:
 repo: step-security/agent
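Review bot: `WriteLog("Docker's daemon.json file monitor added")` runs even when `client.AddRule` failed, because the error branch sends on errc and falls through; the resolved.conf block has the same shape, so the log can claim a tamper watch exists that was never installed. The `flags.Parse` and `rule.Build` errors are also discarded with `_`, so a malformed rule string would install nothing and log nothing. Since the two blocks differ only in the path, a helper that checks all three errors and returns whether the watch was installed removes the duplication and puts the success log on the success path (client's concrete type is not visible in the hunk; `*libaudit.AuditClient` is assumed below). Whether a rename onto the watched path, i.e. an atomic replace, produces an event under this `-p w` watch is worth confirming, since that is a common way such config files get rewritten. MonitorProcesses continues outside the hunk.
```go
// addWriteWatch installs an audit watch for write opens on path under tag
// and reports whether the rule was accepted; failures are sent on errc.
func addWriteWatch(client *libaudit.AuditClient, path, tag string, errc chan error) bool {
	r, err := flags.Parse(fmt.Sprintf("-w %s -p w -k %s", path, tag))
	if err != nil {
		errc <- errors.Wrapf(err, "failed to parse audit rule for %s", path)
		return false
	}
	actualBytes, err := rule.Build(r)
	if err != nil {
		errc <- errors.Wrapf(err, "failed to build audit rule for %s", path)
		return false
	}
	if err := client.AddRule(actualBytes); err != nil {
		WriteLog(fmt.Sprintf("failed to add audit rule for %s %v", path, err))
		errc <- errors.Wrap(err, "failed to add audit rule")
		return false
	}
	return true
}

// … in MonitorProcesses, replacing the two added blocks after "Agent file monitor added" …
	if addWriteWatch(client, dockerDaemonConfigPath, fileMonitorTag, errc) {
		WriteLog("Docker's daemon.json file monitor added")
	}
	if addWriteWatch(client, resolvedConfigPath, fileMonitorTag, errc) {
		WriteLog("Systemd's resolved.conf file monitor added")
	}
	// … unchanged: syscall connect rule …
```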