Documentation ¶
Overview ¶
Copyright © 2020 GUILLAUME FOURNIER
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
- Constants
- Variables
- func GetBinaryPathKey(cookie uint32, path string) (unsafe.Pointer, error)
- func GetInodeSelector(inode uint64, cookie uint32, accessRight uint8) (unsafe.Pointer, error)
- func GetSyscallName(id uint32) string
- type AccessRight
- type Action
- type ActionKey
- type BinaryPath
- type BinaryPathKey
- type Category
- type FIM
- type FilePolicy
- type InodeSelector
- type KillRequest
- type MFASelector
- type Notification
- type OTPRequest
- type Profile
- type Profiles
- type Resolver
- type Syscall
Constants ¶
const (
	// UsernameMaxLength is the maximum length allowed for a user name.
	UsernameMaxLength = 32
	// PathMax is the maximum path length for the binary paths handled by the project.
	// Since binary paths are watched automatically (and modification to them is denied by default), we do not need
	// to worry about inodes for processes. Although the theoretical PATH_MAX is 4096, we assume that 255 is enough.
	// NOTE(review): a binary living at a path longer than PathMax cannot be represented in this key space — confirm
	// whether such paths are rejected at profile load time or silently truncated.
	PathMax = 255
	// OTPRequestSize is the maximum size of an OTP request string.
	OTPRequestSize = 75
	// MaxOTPFailures is the maximum number of failed OTP requests that are authorized before ssh-probe kills the session.
	MaxOTPFailures = 5
	// UnknownUserNameCookie is the profile cookie used for unknown users.
	UnknownUserNameCookie = 42
	// MaxOTPTimeout is the maximum OTP timeout that can be requested.
	MaxOTPTimeout = 10 * time.Minute
)
Variables ¶
// AllCategories lists all the available categories.
var AllCategories = []Category{
	CategoryFim,
	CategoryProcessMonitoring,
	CategoryUnknownBinary,
	CategorySocketCreation,
	CategoryDeletionsAndMoves,
	CategoryPrivilegeElevation,
	CategoryOSLevelProtections,
	CategoryProcessLevelProtections,
	CategoryPerformanceMonitoring,
	CategoryKill,
	CategoryGlobal,
	CategoryFailedMFA,
	CategoryUnknownFile,
}
// ErrNotEnoughData is returned when the buffer is too small to unmarshal the event.
// Callers decoding kernel events should treat it as a malformed/truncated record, not as an empty one.
var ErrNotEnoughData = errors.New("not enough data")
// UnknownUserProfile is the default profile applied to users that have no profile of their own.
// Only User is set; every Action field is left at its zero value (""). How an empty Action is
// interpreted on the kernel side is not visible here — NOTE(review): confirm it is fail-closed.
var UnknownUserProfile = Profile{
	User: "unknown_user",
}
Functions ¶
func GetBinaryPathKey ¶
GetBinaryPathKey returns an unsafe pointer to a BinaryPathKey instance built from the profile cookie and the binary path (the key of the allowed_binaries map); check the returned error before using the pointer.
func GetInodeSelector ¶
GetInodeSelector returns an unsafe pointer to an InodeSelector instance built from the inode, the profile cookie and the access right; check the returned error before using the pointer.
func GetSyscallName ¶
GetSyscallName returns the syscall name for the given syscall id.
Types ¶
type AccessRight ¶
// AccessRight is the file access a FilePolicy applies to, as spelled in the YAML profile.
// Sanitize rejects values outside the constants below; KernelValues maps a right to its kernel encoding.
type AccessRight string

const (
	// Read matches read accesses only.
	Read AccessRight = "read"
	// Write matches write accesses only.
	Write AccessRight = "write"
	// Any matches both read and write accesses.
	Any AccessRight = "any"
)
func (AccessRight) KernelValues ¶
func (ar AccessRight) KernelValues() []uint8
KernelValues returns the kernel values that encode an AccessRight.
func (AccessRight) Sanitize ¶
func (ar AccessRight) Sanitize() error
Sanitize checks if the provided access right is valid
type Action ¶
// Action is the decision attached to a monitored event in a profile, as spelled in the YAML file.
// ActionFromKernelValue and KernelValue convert between this string form and the kernel encoding.
type Action string
func ActionFromKernelValue ¶
ActionFromKernelValue returns an action from its kernel value
func (Action) KernelValue ¶
KernelValue returns the kernel value of an action
type BinaryPath ¶
func (*BinaryPath) String ¶
func (bp *BinaryPath) String() string
func (*BinaryPath) UnmarshalBinary ¶
func (bp *BinaryPath) UnmarshalBinary(data []byte) (int, error)
type BinaryPathKey ¶
BinaryPathKey is the key structure of the allowed_binaries map
type Category ¶
// Category is used to group actions in the kernel.
// The numeric values are exchanged with kernel space; presumably they must match the
// definitions on the eBPF side — NOTE(review): keep both lists in sync when adding a category.
type Category uint8

const (
	CategoryFim                     Category = 1
	CategoryProcessMonitoring       Category = 2
	CategoryUnknownBinary           Category = 3
	CategorySocketCreation          Category = 4
	CategoryDeletionsAndMoves       Category = 5
	CategoryPrivilegeElevation      Category = 6
	CategoryOSLevelProtections      Category = 7
	CategoryProcessLevelProtections Category = 8
	CategoryPerformanceMonitoring   Category = 9
	CategoryKill                    Category = 10
	CategoryGlobal                  Category = 11
	CategoryFailedMFA               Category = 12
	CategoryUnknownFile             Category = 13
)
func GetCategory ¶
GetCategory parses a string into its category if it exists
func (Category) MarshalJSON ¶
MarshalJSON encodes the category using its string representation
type FilePolicy ¶
// FilePolicy is one file integrity monitoring rule of a Profile: which files (Pattern),
// which kind of access (AccessRight) and what to do about it (Action).
type FilePolicy struct {
	// Pattern is the file path pattern from the YAML profile; see ExpandPattern.
	Pattern string `yaml:"pattern"`
	// AccessRight is the access the rule applies to (Read, Write or Any).
	AccessRight AccessRight `yaml:"access_right"`
	// Action is the decision taken when the rule matches.
	Action Action `yaml:"action"`
	// Inodes is never read from YAML (`yaml:"-"`); it is filled at runtime, presumably by
	// ExpandPattern resolving Pattern into inode numbers keyed to their resolved path — TODO confirm.
	// NOTE(review): inode-keyed rules track the file object, not the path; a file recreated under the
	// same path (new inode) may fall outside the rule until the pattern is expanded again — confirm.
	Inodes map[uint64]string `yaml:"-"`
}
func (*FilePolicy) ExpandPattern ¶
func (p *FilePolicy) ExpandPattern() error
func (*FilePolicy) Sanitize ¶
func (p *FilePolicy) Sanitize() error
type InodeSelector ¶
type KillRequest ¶
// KillRequest describes a request to terminate an SSH session; instances are decoded from raw
// bytes by UnmarshalBinary.
type KillRequest struct {
	// Timestamp is the time of the request.
	Timestamp time.Time
	// SessionLoginTimestamp is the login time of the session to kill.
	SessionLoginTimestamp time.Time
	// ProfileCookie identifies the profile the session runs under.
	ProfileCookie uint32
	// SessionCookie identifies the session.
	SessionCookie uint32
	// SessionInitPid is the pid of the process that started the session.
	SessionInitPid uint32
}
func (*KillRequest) UnmarshalBinary ¶
type MFASelector ¶
func (MFASelector) GetMFASelectorKey ¶
func (mfa MFASelector) GetMFASelectorKey() (unsafe.Pointer, error)
GetMFASelectorKey returns a kernel ready representation of an MFASelector instance
type Notification ¶
// Notification is a monitoring event, decoded from raw bytes by UnmarshalBinary and serialised
// as JSON with the tags below. Exactly which of the optional payloads (Syscall, BinaryPath, FIM,
// OTPRequest) is set presumably depends on Category — TODO confirm.
type Notification struct {
	Timestamp             time.Time `json:"timestamp"`
	SessionLoginTimestamp time.Time `json:"session_login_timestamp"`
	// User is the profile user the session was matched to.
	User          string   `json:"profile_user"`
	ProfileCookie uint32   `json:"profile_cookie"`
	SessionCookie uint32   `json:"session_cookie"`
	Category      Category `json:"category"`
	Action        Action   `json:"action"`
	Pid           uint32   `json:"pid"`
	Tid           uint32   `json:"tid"`
	// Comm is the task name as reported by the kernel. A process can set its own comm, so it is
	// informational only; prefer BinaryPath when identifying the program in an investigation.
	Comm       string      `json:"comm"`
	Syscall    *Syscall    `json:"syscall,omitempty"`
	BinaryPath *BinaryPath `json:"binary_path,omitempty"`
	FIM        *FIM        `json:"fim,omitempty"`
	OTPRequest *OTPRequest `json:"otp,omitempty"`
}
func (*Notification) String ¶
func (n *Notification) String() string
func (*Notification) UnmarshalBinary ¶
type OTPRequest ¶
// OTPRequest represents an OTP request sent by ssh-probe-auth. UnmarshalBinary fills the raw
// fields from kernel bytes; ParseOTPRequest then extracts OTPTimeout and OTPToken from OTPRequest.
// Only OTPTimeout and OTPScope are exported to JSON: the token itself is tagged `json:"-"` and
// therefore never ends up in serialised notifications.
type OTPRequest struct {
	Timestamp             time.Time `json:"-"`
	SessionLoginTimestamp time.Time `json:"-"`
	ProfileCookie         uint32    `json:"-"`
	SessionCookie         uint32    `json:"-"`
	SessionInitPid        uint32    `json:"-"`
	// RequestPid is the pid of the process that issued the request.
	RequestPid uint32 `json:"-"`
	// OTPRequest is the request string as text; OTPRequestRaw is the fixed-size buffer it came from.
	OTPRequest    string              `json:"-"`
	OTPRequestRaw [OTPRequestSize]byte `json:"-"`
	// OTPTimeout is the validity window requested; presumably bounded by MaxOTPTimeout when parsed — TODO confirm.
	OTPTimeout time.Duration `json:"timeout"`
	// OTPToken is the one-time password; deliberately excluded from JSON.
	OTPToken string `json:"-"`
	// OTPScope is the category the OTP is requested for.
	OTPScope Category `json:"scope"`
}
OTPRequest represents an OTP request sent by ssh-probe-auth.
func (*OTPRequest) ParseOTPRequest ¶
func (or *OTPRequest) ParseOTPRequest() error
ParseOTPRequest parses the raw OTP request string to extract the requested timeout and the one-time password.
func (*OTPRequest) UnmarshalBinary ¶
UnmarshalBinary parses raw bytes into an OTPRequest instance
type Profile ¶
// Profile is the per-user security policy loaded from YAML. Fields tagged `yaml:"-"` are
// runtime state and cannot be set from the profile file.
type Profile struct {
	// KernelCookie is the profile cookie shared with kernel space (ProfileCookie in events).
	KernelCookie uint32 `yaml:"-"`
	// OTPConfig holds the OTP configuration used to verify tokens; presumably includes the
	// shared secret, so it must stay out of the YAML profile and out of logs — TODO confirm.
	OTPConfig *dgoogauth.OTPConfig `yaml:"-"`
	// OTPFailedRequests counts failed OTP attempts; presumably compared against MaxOTPFailures — TODO confirm.
	OTPFailedRequests int `yaml:"-"`
	// User is the user name this profile applies to.
	User string `yaml:"user"`
	// Process monitoring: per-binary actions, and the action for binaries not listed.
	Binaries             map[string]Action `yaml:"binaries"`
	UnknownBinaryDefault Action            `yaml:"unknown_binary_default"`
	// File Integrity Monitoring: file rules, plus the actions for deletions/moves and for files no rule covers.
	FIM               []*FilePolicy `yaml:"fim"`
	DeletionsAndMoves Action        `yaml:"deletions_and_moves"`
	UnknownFile       Action        `yaml:"unknown_file_default"`
	// Socket creation
	SocketCreation Action `yaml:"socket_creation"`
	// Privilege elevation
	PrivilegeElevation Action `yaml:"privilege_elevation"`
	// OS level protections
	OSLevelProtections Action `yaml:"os_level_protections"`
	// Process level protections
	ProcessLevelProtections Action `yaml:"process_level_protections"`
	// Performance monitoring
	PerformanceMonitoring Action `yaml:"performance_monitoring"`
	// Kill
	Kill Action `yaml:"kill"`
}
func (*Profile) GetUserKey ¶
GetUserKey returns an unsafe pointer to a byte representation of the user name