From 935a7198f0432419eda6321c1ba4f6f87bcb1b0e Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Fri, 12 Aug 2022 12:14:28 -0700 Subject: [PATCH 01/12] Update release-monitor.yml --- release-monitor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-monitor.yml b/release-monitor.yml index b71acd2..2c12eff 100644 --- a/release-monitor.yml +++ b/release-monitor.yml @@ -7,7 +7,7 @@ release-process: - artifact: agent_{{.Version}}_linux_amd64.tar.gz binary: agent build-command: go build -trimpath -ldflags="-s -w -X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123" - go-version: 1.17.12 + go-version: 1.17.13 pipeline: github-action: repo: step-security/agent From 50020a4ac3bd1723a64ad65553b6c353f2b2a0eb Mon Sep 17 00:00:00 2001 From: h0x0er Date: Mon, 5 Sep 2022 16:05:03 +0530 Subject: [PATCH 02/12] monitor dns config files --- procmon_linux.go | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/procmon_linux.go b/procmon_linux.go index 44dabb1..8b56030 100644 --- a/procmon_linux.go +++ b/procmon_linux.go @@ -6,14 +6,15 @@ package main import ( "fmt" + "io/ioutil" + "os" + "strings" + "github.com/elastic/go-libaudit/v2" "github.com/elastic/go-libaudit/v2/auparse" "github.com/elastic/go-libaudit/v2/rule" "github.com/elastic/go-libaudit/v2/rule/flags" "github.com/pkg/errors" - "io/ioutil" - "os" - "strings" ) func (p *ProcessMonitor) MonitorProcesses(errc chan error) { 
@@ -69,6 +70,26 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) { WriteLog("Agent file monitor added") + r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", "/etc/docker/daemon.json", fileMonitorTag)) + actualBytes, _ = rule.Build(r) + + if err = client.AddRule(actualBytes); err != nil { + WriteLog(fmt.Sprintf("failed to add audit rule %v", err)) + errc <- errors.Wrap(err, "failed to add audit rule") + } + + WriteLog("Docker's daemon.json file monitor added") + + r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", "/etc/systemd/resolved.conf", fileMonitorTag)) + actualBytes, _ = rule.Build(r) + + if err = client.AddRule(actualBytes); err != nil { + WriteLog(fmt.Sprintf("failed to add audit rule %v", err)) + errc <- errors.Wrap(err, "failed to add audit rule") + } + + WriteLog("Systemd's resolved.conf file monitor added") + // syscall connect r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S connect -k %s", netMonitorTag)) From 806464285c9c72837fcaa533c0b3100b7d279540 Mon Sep 17 00:00:00 2001 From: h0x0er Date: Mon, 5 Sep 2022 16:10:52 +0530 Subject: [PATCH 03/12] adding annotation if agent reverts --- dnsproxy.go | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsproxy.go b/dnsproxy.go index c8bf3c7..868ea48 100644 --- a/dnsproxy.go +++ b/dnsproxy.go @@ -195,6 +195,7 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) { answer, err := proxy.ResolveDomain(domain) if err != nil { go WriteLog(fmt.Sprintf("unable to resolve domain: %s", domain)) + go WriteAnnotation(fmt.Sprintf("[AgentFailed] unable to resolve domain: %v", domain)) return "", fmt.Errorf("error in response from dns.google %v", err) } From d2bb915a7c6f5f67941663f34d955482d200499f Mon Sep 17 00:00:00 2001 From: h0x0er Date: Wed, 14 Sep 2022 14:14:25 +0530 Subject: [PATCH 04/12] changed the location of annotation logging --- agent.go | 2 ++ dnsproxy.go | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/agent.go b/agent.go index a4ddaab..2bdb1fa 100644 
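Review bot: The errors from `flags.Parse` and `rule.Build` for the two new watches are discarded with `_`, so a malformed rule string would reach `client.AddRule` with an empty or partial rule and the tamper detection for daemon.json and resolved.conf would silently not be installed, which is exactly the case a file-integrity watch should report loudly. Check both results, e.g. `if r, err = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", "/etc/docker/daemon.json", fileMonitorTag)); err != nil { errc <- errors.Wrap(err, "failed to parse audit rule") }` and the same for `rule.Build`. The three near-identical parse/build/add sequences in this function would also read better as one `addWatch(path string) error` helper. The pre-existing `r, _ =` lines above the hunk follow the same pattern; MonitorProcesses begins and continues outside the hunk.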
--- a/agent.go +++ b/agent.go @@ -12,6 +12,7 @@ import ( const ( StepSecurityLogCorrelationPrefix = "Step Security Job Correlation ID:" + StepSecurityAnnotationPrefix = "StepSecurity Harden Runner:" EgressPolicyAudit = "audit" EgressPolicyBlock = "block" ) @@ -109,6 +110,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer, ipAddress, err := dnsProxy.getIPByDomain(domainName) if err != nil { WriteLog(fmt.Sprintf("Error resolving allowed domain %v", err)) + WriteAnnotation(fmt.Sprintf("%s Reverting agent since allowed endpoint %s could not be resolved",StepSecurityAnnotationPrefix, domainName)) RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig) return err } diff --git a/dnsproxy.go b/dnsproxy.go index 868ea48..c8bf3c7 100644 --- a/dnsproxy.go +++ b/dnsproxy.go @@ -195,7 +195,6 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) { answer, err := proxy.ResolveDomain(domain) if err != nil { go WriteLog(fmt.Sprintf("unable to resolve domain: %s", domain)) - go WriteAnnotation(fmt.Sprintf("[AgentFailed] unable to resolve domain: %v", domain)) return "", fmt.Errorf("error in response from dns.google %v", err) } From 1a4c45f5aae7f57c049f851f6996ff011e1de8cb Mon Sep 17 00:00:00 2001 From: h0x0er Date: Wed, 14 Sep 2022 14:57:21 +0530 Subject: [PATCH 05/12] changed fileNames to constants --- procmon_linux.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/procmon_linux.go b/procmon_linux.go index 8b56030..587c81c 100644 --- a/procmon_linux.go +++ b/procmon_linux.go @@ -70,7 +70,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) { WriteLog("Agent file monitor added") - r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", "/etc/docker/daemon.json", fileMonitorTag)) + r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", dockerDaemonConfigPath, fileMonitorTag)) actualBytes, _ = rule.Build(r) if err = client.AddRule(actualBytes); err != nil { 
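Review bot: The new annotation interpolates `domainName`, which comes from the user-supplied allowed-endpoint configuration, without any sanitization; if WriteAnnotation emits a GitHub workflow command (its body is not in the patch), a value containing a newline or `::` sequence would break out of the message, so the value should be escaped centrally inside WriteAnnotation — worth confirming against its implementation. The annotation also drops the resolver error that the preceding WriteLog records, so the job-level message says what was reverted but not why; consider `WriteAnnotation(fmt.Sprintf("%s Reverting agent since allowed endpoint %s could not be resolved: %v", StepSecurityAnnotationPrefix, domainName, err))`. Run's body starts and ends outside the hunk.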
@@ -80,7 +80,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) { WriteLog("Docker's daemon.json file monitor added") - r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", "/etc/systemd/resolved.conf", fileMonitorTag)) + r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", resolvedConfigPath, fileMonitorTag)) actualBytes, _ = rule.Build(r) if err = client.AddRule(actualBytes); err != nil { From 7776012622e7fdef112aa3f28153c359ead54880 Mon Sep 17 00:00:00 2001 From: h0x0er Date: Wed, 14 Sep 2022 14:58:01 +0530 Subject: [PATCH 06/12] writing annotation if files get overwritten --- eventhandler.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/eventhandler.go b/eventhandler.go index f534717..99db53d 100644 --- a/eventhandler.go +++ b/eventhandler.go @@ -49,6 +49,14 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) { writeDone() } + if strings.Contains(event.FileName, "daemon.json") { + WriteAnnotation(fmt.Sprintf("[File OverWritten] OverWrite for %s detected", dockerDaemonConfigPath)) + } + + if strings.Contains(event.FileName, "resolved.conf") { + WriteAnnotation(fmt.Sprintf("[File OverWritten] OverWrite for %s detected", resolvedConfigPath)) + } + // Uncomment to log file writes (only uncomment in INT env) // WriteLog(fmt.Sprintf("file write %s, syscall %s", event.FileName, event.Syscall)) From e55b9a7830f01fe59c167f0826152848e53702a9 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Sat, 24 Sep 2022 21:25:58 -0700 Subject: [PATCH 07/12] Update agent.go --- agent.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent.go b/agent.go index 2bdb1fa..4e6a6fb 100644 --- a/agent.go +++ b/agent.go 
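Review bot: `strings.Contains(event.FileName, "daemon.json")` is a substring match, so a write to any file whose path merely contains that basename (or `resolved.conf`) raises a tamper annotation, while the audit watches only cover the two configured paths; comparing the full path, `if event.FileName == dockerDaemonConfigPath {`, ties the alert to the file the agent actually protects. Every write event also produces its own annotation with no de-duplication, and GitHub surfaces only a limited number of annotations per step, so repeated writes could push later alerts out of view; a once-per-file flag on the EventHandler would preserve the signal. This hunk spells the constant `resolvedConfigPath` while the RevertChanges call in agent.go passes `resolvdConfigPath` — presumably two names for the same file, worth confirming. handleFileEvent starts before and continues after the hunk.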
@@ -110,7 +110,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer, ipAddress, err := dnsProxy.getIPByDomain(domainName) if err != nil { WriteLog(fmt.Sprintf("Error resolving allowed domain %v", err)) - WriteAnnotation(fmt.Sprintf("%s Reverting agent since allowed endpoint %s could not be resolved",StepSecurityAnnotationPrefix, domainName)) + WriteAnnotation(fmt.Sprintf("%s Reverting agent since allowed endpoint %s could not be resolved", StepSecurityAnnotationPrefix, domainName)) RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig) return err } From df32ca306386566588db635107f4f9409a001f5c Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Sat, 24 Sep 2022 21:37:05 -0700 Subject: [PATCH 08/12] Update agent.go --- agent.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/agent.go b/agent.go index 4e6a6fb..73498db 100644 --- a/agent.go +++ b/agent.go @@ -5,6 +5,7 @@ import ( "fmt" "net/http" "os" + "strings" "time" "github.com/florianl/go-nflog/v2" @@ -110,7 +111,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer, ipAddress, err := dnsProxy.getIPByDomain(domainName) if err != nil { WriteLog(fmt.Sprintf("Error resolving allowed domain %v", err)) - WriteAnnotation(fmt.Sprintf("%s Reverting agent since allowed endpoint %s could not be resolved", StepSecurityAnnotationPrefix, domainName)) + WriteAnnotation(fmt.Sprintf("%s Reverting agent since allowed endpoint %s could not be resolved", StepSecurityAnnotationPrefix, strings.Trim(domainName, "."))) RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig) return err } From 231d32cd4c310bf8818f6c5437d72b40cd942761 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Sat, 24 Sep 2022 21:53:06 -0700 Subject: [PATCH 09/12] Update messages --- eventhandler.go | 4 ++-- procmon_linux.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
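Review bot: `strings.Trim(domainName, ".")` removes dots from both ends, whereas the intent is to strip the FQDN's trailing root dot; `strings.TrimSuffix(domainName, ".")` states that precisely and cannot eat a leading dot on an odd config value. Trimming once into a local before the WriteLog/WriteAnnotation pair, `name := strings.TrimSuffix(domainName, ".")`, would also let the log line use the same display name as the annotation. Run's body starts and ends outside the hunk.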
diff --git a/eventhandler.go b/eventhandler.go index 99db53d..a2a52e8 100644 --- a/eventhandler.go +++ b/eventhandler.go @@ -50,11 +50,11 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) { } if strings.Contains(event.FileName, "daemon.json") { - WriteAnnotation(fmt.Sprintf("[File OverWritten] OverWrite for %s detected", dockerDaemonConfigPath)) + WriteAnnotation(fmt.Sprintf("%s Overwrite detected for %s", StepSecurityAnnotationPrefix, dockerDaemonConfigPath)) } if strings.Contains(event.FileName, "resolved.conf") { - WriteAnnotation(fmt.Sprintf("[File OverWritten] OverWrite for %s detected", resolvedConfigPath)) + WriteAnnotation(fmt.Sprintf("%s Overwrite detected for %s", StepSecurityAnnotationPrefix, resolvedConfigPath)) } // Uncomment to log file writes (only uncomment in INT env) diff --git a/procmon_linux.go b/procmon_linux.go index 587c81c..5f2be85 100644 --- a/procmon_linux.go +++ b/procmon_linux.go @@ -74,7 +74,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) { actualBytes, _ = rule.Build(r) if err = client.AddRule(actualBytes); err != nil { - WriteLog(fmt.Sprintf("failed to add audit rule %v", err)) + WriteLog(fmt.Sprintf("failed to add audit rule for dockerDaemonConfigPath %v", err)) errc <- errors.Wrap(err, "failed to add audit rule") } @@ -84,7 +84,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) { actualBytes, _ = rule.Build(r) if err = client.AddRule(actualBytes); err != nil { - WriteLog(fmt.Sprintf("failed to add audit rule %v", err)) + WriteLog(fmt.Sprintf("failed to add audit rule for resolvedConfigPath %v", err)) errc <- errors.Wrap(err, "failed to add audit rule") } From 9cb5d2d989dfce055f7b9b2372177c6d69c1bfc9 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Sun, 25 Sep 2022 07:22:31 -0700 Subject: [PATCH 10/12] Update main.go --- main.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/main.go b/main.go index 04f27f7..0decce7 100644 --- a/main.go +++ b/main.go 
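Review bot: The new log lines embed the Go identifier names `dockerDaemonConfigPath` and `resolvedConfigPath` as literal text rather than their values, so the operator reads a variable name instead of the path that failed, in both procmon_linux.go hunks of this patch. Use the value, `WriteLog(fmt.Sprintf("failed to add audit rule for %s: %v", dockerDaemonConfigPath, err))`, and give the error sent on errc the same context, `errc <- errors.Wrapf(err, "failed to add audit rule for %s", dockerDaemonConfigPath)`, since that generic message is still identical across the three rules. MonitorProcesses starts and ends outside both hunks.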
@@ -17,7 +17,7 @@ func main() { ctx, cancel := context.WithCancel(ctx) signalChan := make(chan os.Signal, 1) - signal.Notify(signalChan, os.Kill, syscall.SIGHUP) + signal.Notify(signalChan, syscall.SIGTERM, syscall.SIGHUP) c := &config{} @@ -33,10 +33,10 @@ func main() { switch s { case syscall.SIGHUP: c.init(agentConfigFilePath) - case os.Interrupt: - WriteLog("got os.kill") - cancel() - os.Exit(1) + case syscall.SIGTERM: + WriteAnnotation(fmt.Sprintf("%s Received SIGTERM signal", StepSecurityAnnotationPrefix)) + //cancel() + //os.Exit(1) } case <-ctx.Done(): WriteLog("called ctx.Done()") From bd960154a4efe24367f6a25b4418a164267c4ca8 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Sun, 25 Sep 2022 07:32:48 -0700 Subject: [PATCH 11/12] Update main.go --- main.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/main.go b/main.go index 0decce7..09ab47a 100644 --- a/main.go +++ b/main.go @@ -17,9 +17,9 @@ func main() { ctx, cancel := context.WithCancel(ctx) signalChan := make(chan os.Signal, 1) - signal.Notify(signalChan, syscall.SIGTERM, syscall.SIGHUP) + signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM) - c := &config{} + //c := &config{} defer func() { signal.Stop(signalChan) @@ -29,15 +29,16 @@ func main() { go func() { for { select { - case s := <-signalChan: - switch s { + case <-signalChan: + WriteAnnotation(fmt.Sprintf("%s Received SIGTERM signal", StepSecurityAnnotationPrefix)) + /*switch s { case syscall.SIGHUP: c.init(agentConfigFilePath) case syscall.SIGTERM: WriteAnnotation(fmt.Sprintf("%s Received SIGTERM signal", StepSecurityAnnotationPrefix)) //cancel() //os.Exit(1) - } + }*/ case <-ctx.Done(): WriteLog("called ctx.Done()") os.Exit(1) From c35ba5be7a6f2bd029edd52eec007dcb1c939ca4 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Sun, 25 Sep 2022 07:45:04 -0700 Subject: [PATCH 12/12] Update main.go --- main.go | 10 ---------- 1 file changed, 10 deletions(-) 
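Review bot: With `cancel()` and `os.Exit(1)` commented out in the SIGTERM case, a termination request now only writes an annotation and the agent keeps running; because signal.Notify suppresses the default action, the process no longer exits on SIGTERM at all and lingers until ctx is cancelled somewhere else, and the same holds for the combined SIGINT/SIGTERM branch in the two main.go patches that follow in this series. If the goal is to record that the runner tried to stop the agent, keep the annotation and follow it with `cancel()` so the existing `ctx.Done()` branch performs the exit. main starts and ends outside the hunk.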
diff --git a/main.go b/main.go index 09ab47a..999c56a 100644 --- a/main.go +++ b/main.go @@ -19,8 +19,6 @@ func main() { signalChan := make(chan os.Signal, 1) signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM) - //c := &config{} - defer func() { signal.Stop(signalChan) cancel() @@ -31,14 +29,6 @@ func main() { select { case <-signalChan: WriteAnnotation(fmt.Sprintf("%s Received SIGTERM signal", StepSecurityAnnotationPrefix)) - /*switch s { - case syscall.SIGHUP: - c.init(agentConfigFilePath) - case syscall.SIGTERM: - WriteAnnotation(fmt.Sprintf("%s Received SIGTERM signal", StepSecurityAnnotationPrefix)) - //cancel() - //os.Exit(1) - }*/ case <-ctx.Done(): WriteLog("called ctx.Done()") os.Exit(1)
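Review bot: The annotation text hardcodes "Received SIGTERM signal" although the channel is registered for both SIGINT and SIGTERM, so an interrupt is reported as a SIGTERM; bind the received value and print it, `case s := <-signalChan:` followed by `WriteAnnotation(fmt.Sprintf("%s Received %v signal", StepSecurityAnnotationPrefix, s))`. The SIGHUP-driven `c.init(agentConfigFilePath)` reload that existed before this three-patch sequence is gone with no mention in the commit messages; if that is intended, a short comment above signal.Notify saying which signals are handled and why would document it. main starts and ends outside the hunk.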