Documentation ¶
Index ¶
- Constants
- Variables
- func GenID() float64
- func GenerateLoaderKey() string
- func GenerateLoaderPrefix() string
- func ProcessLog(logctx Logging, l Log) (stop bool, err error)
- func RandAPIKeyString(length int) string
- func ValidateLoaderKey(key string) error
- func ValidateLoaderPrefix(prefix string) error
- func ValidateLoaderPrefixAndKey(pk string) error
- type ACL
- type Action
- func (a Action) IndentedString() (string, error)
- func (a Action) PrintCounters()
- func (a Action) Sign(keyid string, secring io.Reader) (sig string, err error)
- func (a Action) String() (str string, err error)
- func (a Action) ToTempFile() (filename string, err error)
- func (a Action) Validate() (err error)
- func (a Action) VerifyACL(acl ACL, keyring io.Reader, onlyVerifyPubKey bool) (err error)
- func (a Action) VerifySignatures(keyring io.Reader) (err error)
- type ActionCounters
- type Agent
- type AgentEnv
- type AgentEnvAWS
- type AgentsStats
- type AgentsVersionsSum
- type BundleDictionaryEntry
- type Command
- type Description
- type Investigator
- type InvestigatorAPIAuthHelper
- type InvestigatorPerms
- func (ip *InvestigatorPerms) AdminSet()
- func (ip *InvestigatorPerms) DefaultSet()
- func (ip *InvestigatorPerms) FromMask(mask int64)
- func (ip *InvestigatorPerms) FromSetList(sl []string) error
- func (ip *InvestigatorPerms) LoaderSet()
- func (ip *InvestigatorPerms) ManifestSet()
- func (ip *InvestigatorPerms) ToDescriptive() string
- func (ip *InvestigatorPerms) ToMask() (ret int64)
- type LoaderAuthDetails
- type LoaderEntry
- type Log
- type Logging
- type ManifestEntry
- type ManifestFetchResponse
- type ManifestParameters
- type ManifestRecord
- func (m *ManifestRecord) ContentFromFile(path string) (err error)
- func (m *ManifestRecord) FileFromContent(path string) (err error)
- func (m *ManifestRecord) ManifestObject(obj string) ([]byte, error)
- func (m *ManifestRecord) ManifestResponse() (ManifestResponse, error)
- func (m *ManifestRecord) Sign(keyid string, secring io.Reader) (sig string, err error)
- func (m *ManifestRecord) Validate() (err error)
- type ManifestResponse
- type Operation
- type RunnerResult
- type Threat
Constants ¶
const (
	AgtStatusOnline    string = "online"
	AgtStatusDestroyed string = "destroyed"
	AgtStatusOffline   string = "offline"
	AgtStatusIdle      string = "idle"
)
Various agent status values
const (
	StatusSent      string = "sent"
	StatusSuccess   string = "success"
	StatusCancelled string = "cancelled"
	StatusExpired   string = "expired"
	StatusFailed    string = "failed"
	StatusTimeout   string = "timeout"
)
Various command status values
const (
	ExchangeToAgents     = "toagents"
	ExchangeToSchedulers = "toschedulers"
	QueueAgentHeartbeat  = "mig.agt.heartbeats"
	QueueAgentResults    = "mig.agt.results"
)
Various constants that indicate exchange and queue names used in RabbitMQ
const (
	PermSearch = 1 << iota
	PermAction
	PermActionCreate
	PermCommand
	PermAgent
	PermDashboard
	PermLoader
	PermLoaderStatus
	PermLoaderExpect
	PermLoaderKey
	PermLoaderNew
	PermManifest
	PermManifestSign
	PermManifestNew
	PermManifestStatus
	PermManifestLoaders
	PermInvestigator
	PermInvestigatorCreate
	PermInvestigatorUpdate
)
Permissions that can be assigned to investigators
const (
	StatusActiveInvestigator   string = "active"
	StatusDisabledInvestigator string = "disabled"
)
Possible status values for an investigator
const ActionVersion uint16 = 2
ActionVersion is the version of the syntax that is expected
const LoaderHashedKeyLength = 32
LoaderHashedKeyLength is the length of the hashed loader key in the database
const LoaderKeyLength = 32
LoaderKeyLength is the length of the loader key
const LoaderPrefixAndKeyLength = 40
LoaderPrefixAndKeyLength is the key length for a loader key including the prefix
const LoaderPrefixLength = 8
LoaderPrefixLength is the length of the loader prefix
const LoaderSaltLength = 16
LoaderSaltLength is the length of the salt applied to loader keys
Variables ¶
var BundleDictionary = map[string][]BundleDictionaryEntry{
"linux": bundleEntryLinux,
"darwin": bundleEntryDarwin,
"windows": bundleEntryWindows,
}
BundleDictionary maps GOOS platform names to specific bundle entry values
var PermSets = []string{"PermManifest", "PermLoader", "PermAdmin"}
PermSets describes the permission sets that can be applied; note that the default set is omitted, as it is currently always applied
var Version = ""
Version can be set at compile time to indicate the version of MIG components. You'd typically want to set this during install using flags such as -ldflags "-X mig.ninja/mig.Version=20170913-0.06824ce0.dev" when calling the go build tools.
Functions ¶
func GenID ¶
func GenID() float64
GenID returns a float64 ID number that is unique to this process. The ID is initialized at the number of seconds since MIG's creation date, shifted 16 bits to the right, and is incremented by one every time a new ID is requested. The resulting value must fit in the 53 bits of precision provided by the float64 type.
func GenerateLoaderKey ¶
func GenerateLoaderKey() string
GenerateLoaderKey will generate a new loader key value
func GenerateLoaderPrefix ¶
func GenerateLoaderPrefix() string
GenerateLoaderPrefix will generate a new loader prefix value
func ProcessLog ¶
func ProcessLog(logctx Logging, l Log) (stop bool, err error)
ProcessLog receives events and performs logging and evaluation of the log severity level; in the event of an emergency-level entry, stop will be true
func RandAPIKeyString ¶
func RandAPIKeyString(length int) string
RandAPIKeyString is used for prefix and key generation, and simply returns a random string of alphanumeric characters that is length characters long
func ValidateLoaderKey ¶
func ValidateLoaderKey(key string) error
ValidateLoaderKey validates a loader key and returns nil if it is valid
func ValidateLoaderPrefix ¶
func ValidateLoaderPrefix(prefix string) error
ValidateLoaderPrefix validates a loader prefix value and returns nil if it is valid
func ValidateLoaderPrefixAndKey ¶
func ValidateLoaderPrefixAndKey(pk string) error
ValidateLoaderPrefixAndKey validates a loader key that includes the prefix
Types ¶
type ACL ¶
type ACL map[string]struct {
	MinimumWeight int
	Investigators map[string]struct {
		Fingerprint string
		Weight      int
	}
}
ACL defines an access control list used by the agent to determine what investigators can call a given module. The key in this map is the module name, and can be "default" in which case this element will be used if no key for a given module exists.
The value includes a minimum weight required to authorize the request, and a map of investigators whose key is the name of the investigator and whose value stores the PGP fingerprint of the investigator's key and the weight that investigator has.
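The authorization rule described above, as an added illustration that is not the project's own VerifyACL: the module's entry is looked up with a fallback to "default", the weights of the recognised signers are summed, and the sum is compared with MinimumWeight. The named helper types, the authorizeModule function, the sample ACL and its placeholder fingerprints are all constructed here; the signers argument is assumed to hold fingerprints whose signatures were already verified against the keyring.

```go
package main

import "fmt"

// aclInvestigator, aclEntry and ACL have the same shape as the ACL type
// documented above; the anonymous structs are named here only so that the
// literals below stay readable.
type aclInvestigator struct {
	Fingerprint string
	Weight      int
}

type aclEntry struct {
	MinimumWeight int
	Investigators map[string]aclInvestigator
}

type ACL map[string]aclEntry

// authorizeModule is an illustrative evaluation of the documented rule (not
// the project's code). It returns the accumulated weight alongside the
// decision so that a denial can be explained in a log line.
func authorizeModule(acl ACL, module string, signers []string) (weight int, ok bool, err error) {
	entry, found := acl[module]
	if !found {
		if entry, found = acl["default"]; !found {
			return 0, false, fmt.Errorf("no ACL entry for module %q and no default entry", module)
		}
	}
	// A non-positive minimum would authorize an action with no valid signer
	// at all; this guard (added here) treats that as a misconfiguration.
	if entry.MinimumWeight <= 0 {
		return 0, false, fmt.Errorf("ACL entry used for %q has minimum weight %d", module, entry.MinimumWeight)
	}
	// Each fingerprint contributes once: two signatures from the same key
	// must not be counted as two investigators.
	seen := make(map[string]bool, len(signers))
	for _, fp := range signers {
		if seen[fp] {
			continue
		}
		seen[fp] = true
		for _, inv := range entry.Investigators {
			if inv.Fingerprint == fp {
				weight += inv.Weight
				break
			}
		}
	}
	return weight, weight >= entry.MinimumWeight, nil
}

// sampleACL is constructed for this example; the fingerprints are placeholders.
func sampleACL() ACL {
	return ACL{
		"default": {MinimumWeight: 1, Investigators: map[string]aclInvestigator{
			"alice": {Fingerprint: "AAAA0000AAAA0000", Weight: 1},
		}},
		// The file module requires two distinct investigators.
		"file": {MinimumWeight: 2, Investigators: map[string]aclInvestigator{
			"alice": {Fingerprint: "AAAA0000AAAA0000", Weight: 1},
			"bob":   {Fingerprint: "BBBB0000BBBB0000", Weight: 1},
		}},
	}
}

func main() {
	acl := sampleACL()
	cases := []struct{ module string; signers []string }{
		{"file", []string{"AAAA0000AAAA0000"}},
		{"file", []string{"AAAA0000AAAA0000", "AAAA0000AAAA0000"}}, // same key twice
		{"file", []string{"AAAA0000AAAA0000", "BBBB0000BBBB0000"}},
		{"netstat", []string{"BBBB0000BBBB0000"}}, // no entry, falls back to "default"
	}
	for _, c := range cases {
		w, ok, err := authorizeModule(acl, c.module, c.signers)
		fmt.Printf("module=%s weight=%d authorized=%t err=%v\n", c.module, w, ok, err)
	}
}
```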
type Action ¶
type Action struct {
	ID             float64        `json:"id"`
	Name           string         `json:"name"`
	Target         string         `json:"target"`
	Description    Description    `json:"description,omitempty"`
	Threat         Threat         `json:"threat,omitempty"`
	ValidFrom      time.Time      `json:"validfrom"`
	ExpireAfter    time.Time      `json:"expireafter"`
	Operations     []Operation    `json:"operations"`
	PGPSignatures  []string       `json:"pgpsignatures"`
	Investigators  []Investigator `json:"investigators,omitempty"`
	Status         string         `json:"status,omitempty"`
	StartTime      time.Time      `json:"starttime,omitempty"`
	FinishTime     time.Time      `json:"finishtime,omitempty"`
	LastUpdateTime time.Time      `json:"lastupdatetime,omitempty"`
	Counters       ActionCounters `json:"counters,omitempty"`
	SyntaxVersion  uint16         `json:"syntaxversion,omitempty"`
}
Action is the json object that is created by an investigator and provided to the MIG platform. It must be PGP signed.
func ActionFromFile ¶
ActionFromFile reads an action from a local file on the file system and returns a mig.Action structure
func (Action) IndentedString ¶
func (a Action) IndentedString() (string, error)
IndentedString returns an indented JSON string representing the action, suitable for display
func (Action) PrintCounters ¶
func (a Action) PrintCounters()
PrintCounters prints the counters of an action to stderr
func (Action) Sign ¶
func (a Action) Sign(keyid string, secring io.Reader) (sig string, err error)
Sign computes and returns the GPG signature of a MIG action in its stringified form
func (Action) ToTempFile ¶
func (a Action) ToTempFile() (filename string, err error)
ToTempFile writes an action into a generated temporary file and returns its filename
func (Action) Validate ¶
func (a Action) Validate() (err error)
Validate verifies that the received Action contains all the necessary fields, and returns an error when it does not.
type ActionCounters ¶
type ActionCounters struct {
	Sent      int `json:"sent,omitempty"`
	Done      int `json:"done,omitempty"`
	InFlight  int `json:"inflight,omitempty"`
	Success   int `json:"success,omitempty"`
	Cancelled int `json:"cancelled,omitempty"`
	Expired   int `json:"expired,omitempty"`
	Failed    int `json:"failed,omitempty"`
	TimeOut   int `json:"timeout,omitempty"`
}
ActionCounters are counters used to track the completion of an action
type Agent ¶
type Agent struct {
	ID              float64           `json:"id,omitempty"`
	Name            string            `json:"name"`
	QueueLoc        string            `json:"queueloc"`
	Mode            string            `json:"mode"`
	Version         string            `json:"version,omitempty"`
	PID             int               `json:"pid,omitempty"`
	LoaderName      string            `json:"loadername,omitempty"`
	StartTime       time.Time         `json:"starttime,omitempty"`
	DestructionTime time.Time         `json:"destructiontime,omitempty"`
	HeartBeatTS     time.Time         `json:"heartbeatts,omitempty"`
	RefreshTS       time.Time         `json:"refreshts,omitempty"`
	Status          string            `json:"status,omitempty"`
	Authorized      bool              `json:"authorized,omitempty"`
	Env             AgentEnv          `json:"environment,omitempty"`
	Tags            map[string]string `json:"tags,omitempty"`
}
Agent stores the description of an agent and serves as a canvas for heartbeat messages
type AgentEnv ¶
type AgentEnv struct {
	Init      string      `json:"init,omitempty"`
	Ident     string      `json:"ident,omitempty"`
	OS        string      `json:"os,omitempty"`
	Arch      string      `json:"arch,omitempty"`
	IsProxied bool        `json:"isproxied"`
	Proxy     string      `json:"proxy,omitempty"`
	Addresses []string    `json:"addresses,omitempty"`
	PublicIP  string      `json:"publicip,omitempty"`
	AWS       AgentEnvAWS `json:"aws,omitempty"`
	Modules   []string    `json:"modules,omitempty"`
}
AgentEnv stores basic information of the endpoint
type AgentEnvAWS ¶
type AgentEnvAWS struct {
	InstanceID   string `json:"instanceid,omitempty"`
	LocalIPV4    string `json:"localipv4,omitempty"`
	AMIID        string `json:"amiid,omitempty"`
	InstanceType string `json:"instancetype,omitempty"`
}
AgentEnvAWS stores AWS specific agent environment values
type AgentsStats ¶
type AgentsStats struct {
	Timestamp             time.Time           `json:"timestamp"`
	OnlineAgents          float64             `json:"onlineagents"`
	OnlineAgentsByVersion []AgentsVersionsSum `json:"onlineagentsbyversion"`
	OnlineEndpoints       float64             `json:"onlineendpoints"`
	IdleAgents            float64             `json:"idleagents"`
	IdleAgentsByVersion   []AgentsVersionsSum `json:"idleagentsbyversion"`
	IdleEndpoints         float64             `json:"idleendpoints"`
	NewEndpoints          float64             `json:"newendpoints"`
	MultiAgentsEndpoints  float64             `json:"multiagentsendpoints"`
	DisappearedEndpoints  float64             `json:"disappearedendpoints"`
	FlappingEndpoints     float64             `json:"flappingendpoints"`
}
AgentsStats stores information about the global MIG environment, primarily used in command line tools and the API/scheduler
type AgentsVersionsSum ¶
AgentsVersionsSum stores information on the count of agents at a specific version level, primarily used in command line tools and the API/scheduler
type BundleDictionaryEntry ¶
BundleDictionaryEntry is used to map tokens within the loader manifest to objects on the file system. We don't allow specification of an exact path for interrogation or manipulation in the manifest. This results in some restrictions but hardens the loader against making unauthorized changes to the file system.
func GetHostBundle ¶
func GetHostBundle() ([]BundleDictionaryEntry, error)
GetHostBundle returns the correct BundleDictionaryEntry given the platform the code is executing on
func HashBundle ¶
func HashBundle(b []BundleDictionaryEntry) ([]BundleDictionaryEntry, error)
HashBundle populates a slice of BundleDictionaryEntry values, adding the SHA256 checksums computed from the file system
type Command ¶
type Command struct {
	ID     float64 `json:"id"`
	Action Action  `json:"action"`
	Agent  Agent   `json:"agent"`

	// Status can be one of:
	// sent: the command has been sent by the scheduler to the agent
	// success: the command has successfully ran on the agent and been returned to the scheduler
	// cancelled: the command has been cancelled by the investigator
	// expired: the command has been expired by the scheduler
	// failed: the command has failed on the agent and been returned to the scheduler
	// timeout: module execution has timed out, and the agent returned the command to the scheduler
	Status     string           `json:"status"`
	Results    []modules.Result `json:"results"`
	StartTime  time.Time        `json:"starttime"`
	FinishTime time.Time        `json:"finishtime"`
}
Command describes an action as applied to a single agent, and will include results
func CmdFromFile ¶
CmdFromFile reads a command from a local file on the file system and returns the mig.Command structure
type Description ¶
type Description struct {
	Author   string  `json:"author,omitempty"`
	Email    string  `json:"email,omitempty"`
	URL      string  `json:"url,omitempty"`
	Revision float64 `json:"revision,omitempty"`
}
Description is a simple object that contains details about the action's author and its revision.
type Investigator ¶
type Investigator struct {
	ID             float64           `json:"id,omitempty"`
	Name           string            `json:"name"`
	PGPFingerprint string            `json:"pgpfingerprint"`
	PublicKey      []byte            `json:"publickey,omitempty"`
	PrivateKey     []byte            `json:"privatekey,omitempty"`
	Status         string            `json:"status"`
	CreatedAt      time.Time         `json:"createdat"`
	LastModified   time.Time         `json:"lastmodified"`
	APIKey         string            `json:"apikey,omitempty"`
	Permissions    InvestigatorPerms `json:"permissions"`
}
Investigator describes a single MIG investigator
func (*Investigator) CheckPermission ¶
func (i *Investigator) CheckPermission(pv int64) bool
CheckPermission reports whether the investigator has been granted the permission pv
type InvestigatorAPIAuthHelper ¶
type InvestigatorAPIAuthHelper struct {
	ID     float64 // Investigator ID
	APIKey []byte  // Key hash
	Salt   []byte  // Key salt
}
InvestigatorAPIAuthHelper is a small struct used to pass information between the database and the API, and is used primarily for authorizing requests using API keys.
type InvestigatorPerms ¶
type InvestigatorPerms struct {
	Search             bool `json:"search"`
	Action             bool `json:"action"`
	ActionCreate       bool `json:"action_create"`
	Command            bool `json:"command"`
	Agent              bool `json:"agent"`
	Dashboard          bool `json:"dashboard"`
	Loader             bool `json:"loader"`
	LoaderStatus       bool `json:"loader_status"`
	LoaderExpect       bool `json:"loader_expect"`
	LoaderKey          bool `json:"loader_key"`
	LoaderNew          bool `json:"loader_new"`
	Manifest           bool `json:"manifest"`
	ManifestSign       bool `json:"manifest_sign"`
	ManifestStatus     bool `json:"manifest_status"`
	ManifestNew        bool `json:"manifest_new"`
	ManifestLoaders    bool `json:"manifest_loaders"`
	Investigator       bool `json:"investigator"`
	InvestigatorCreate bool `json:"investigator_create"`
	InvestigatorUpdate bool `json:"investigator_update"`
}
InvestigatorPerms describes permissions assigned to an investigator
func (*InvestigatorPerms) AdminSet ¶
func (ip *InvestigatorPerms) AdminSet()
AdminSet sets administrative permissions on the investigator
func (*InvestigatorPerms) DefaultSet ¶
func (ip *InvestigatorPerms) DefaultSet()
DefaultSet sets a default set of permissions on the investigator
func (*InvestigatorPerms) FromMask ¶
func (ip *InvestigatorPerms) FromMask(mask int64)
FromMask converts a permission bit mask into a boolean permission set
func (*InvestigatorPerms) FromSetList ¶
func (ip *InvestigatorPerms) FromSetList(sl []string) error
FromSetList applies permission sets in slice sl to the investigator
func (*InvestigatorPerms) LoaderSet ¶
func (ip *InvestigatorPerms) LoaderSet()
LoaderSet sets loader related permissions on the investigator
func (*InvestigatorPerms) ManifestSet ¶
func (ip *InvestigatorPerms) ManifestSet()
ManifestSet sets manifest related permissions on the investigator
func (*InvestigatorPerms) ToDescriptive ¶
func (ip *InvestigatorPerms) ToDescriptive() string
ToDescriptive converts an existing boolean permission set to a descriptive string, used primarily in mig-console for summarizing permissions assigned to an investigator
func (*InvestigatorPerms) ToMask ¶
func (ip *InvestigatorPerms) ToMask() (ret int64)
ToMask converts a boolean permission set to a permission bit mask
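The mask/boolean conversion described by ToMask, FromMask and CheckPermission, as an added illustration rather than the library's implementation. The constants are the ones listed on this page; the explicit bit-to-field table, the HasPermission helper and the handling of undefined bits are constructed here, and the struct drops the JSON tags.

```go
package main

// Permission bits, as declared in the constants on this page.
const (
	PermSearch = 1 << iota
	PermAction
	PermActionCreate
	PermCommand
	PermAgent
	PermDashboard
	PermLoader
	PermLoaderStatus
	PermLoaderExpect
	PermLoaderKey
	PermLoaderNew
	PermManifest
	PermManifestSign
	PermManifestNew
	PermManifestStatus
	PermManifestLoaders
	PermInvestigator
	PermInvestigatorCreate
	PermInvestigatorUpdate
)

// InvestigatorPerms mirrors the documented boolean permission set (JSON tags omitted).
type InvestigatorPerms struct {
	Search, Action, ActionCreate, Command, Agent, Dashboard              bool
	Loader, LoaderStatus, LoaderExpect, LoaderKey, LoaderNew             bool
	Manifest, ManifestSign, ManifestStatus, ManifestNew, ManifestLoaders bool
	Investigator, InvestigatorCreate, InvestigatorUpdate                 bool
}

// permBit pairs one mask bit with the boolean field it controls. The table is
// written out explicitly rather than derived from struct field order, because
// ManifestNew and ManifestStatus are ordered differently in the struct and in
// the constants; deriving bits from field order would silently swap them.
type permBit struct {
	bit   int64
	field *bool
}

func (ip *InvestigatorPerms) table() []permBit {
	return []permBit{
		{PermSearch, &ip.Search}, {PermAction, &ip.Action},
		{PermActionCreate, &ip.ActionCreate}, {PermCommand, &ip.Command},
		{PermAgent, &ip.Agent}, {PermDashboard, &ip.Dashboard},
		{PermLoader, &ip.Loader}, {PermLoaderStatus, &ip.LoaderStatus},
		{PermLoaderExpect, &ip.LoaderExpect}, {PermLoaderKey, &ip.LoaderKey},
		{PermLoaderNew, &ip.LoaderNew}, {PermManifest, &ip.Manifest},
		{PermManifestSign, &ip.ManifestSign}, {PermManifestNew, &ip.ManifestNew},
		{PermManifestStatus, &ip.ManifestStatus}, {PermManifestLoaders, &ip.ManifestLoaders},
		{PermInvestigator, &ip.Investigator}, {PermInvestigatorCreate, &ip.InvestigatorCreate},
		{PermInvestigatorUpdate, &ip.InvestigatorUpdate},
	}
}

// ToMask folds the boolean set into a bit mask (illustrative, not the library's code).
func (ip *InvestigatorPerms) ToMask() (ret int64) {
	for _, p := range ip.table() {
		if *p.field {
			ret |= p.bit
		}
	}
	return ret
}

// FromMask sets every field from the mask. Bits that map to no defined
// permission are dropped, so a stray high bit in a stored mask grants nothing.
func (ip *InvestigatorPerms) FromMask(mask int64) {
	for _, p := range ip.table() {
		*p.field = mask&p.bit != 0
	}
}

// HasPermission reports whether every bit of pv is set in the mask; for a
// single permission constant this matches the documented CheckPermission.
func (ip *InvestigatorPerms) HasPermission(pv int64) bool {
	return ip.ToMask()&pv == pv
}
```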
type LoaderAuthDetails ¶
LoaderAuthDetails is a small helper type used primarily during the loader authentication process between the API and database code; it temporarily stores authentication information
func (*LoaderAuthDetails) Validate ¶
func (lad *LoaderAuthDetails) Validate() error
Validate validates a LoaderAuthDetails type
type LoaderEntry ¶
type LoaderEntry struct {
	ID        float64   `json:"id"`        // Loader ID
	Name      string    `json:"name"`      // Loader name
	Prefix    string    `json:"prefix"`    // Loader key prefix
	Key       string    `json:"key"`       // Loader key (only populated during creation)
	AgentName string    `json:"agentname"` // Loader environment, agent name
	LastSeen  time.Time `json:"lastseen"`  // Last time loader was used
	Enabled   bool      `json:"enabled"`   // Loader entry is active
	ExpectEnv string    `json:"expectenv"` // Expected environment
}
LoaderEntry describes a loader entry stored in the database
func (*LoaderEntry) Validate ¶
func (le *LoaderEntry) Validate() (err error)
Validate validates a loader entry
type Logging ¶
type Logging struct {
	// configuration
	Mode, Level, File, Host, Protocol, Facility string
	Port                                        int
	MaxFileSize                                 int64
	// contains filtered or unexported fields
}
Logging stores the attributes needed to perform the logging
func InitLogger ¶
InitLogger prepares the context for logging based on the configuration in Logging
type ManifestEntry ¶
type ManifestEntry struct {
	Name   string `json:"name"`   // Corresponds to a bundle name
	SHA256 string `json:"sha256"` // SHA256 of entry
}
ManifestEntry describes an individual file element within a manifest
type ManifestFetchResponse ¶
type ManifestFetchResponse struct {
Data []byte `json:"data"`
}
ManifestFetchResponse is the response to a manifest object fetch
type ManifestParameters ¶
type ManifestParameters struct {
	AgentIdentifier Agent  `json:"agent"`  // Agent context information
	Object          string `json:"object"` // Object being requested
}
ManifestParameters are sent from the loader to the API as part of a manifest request.
func (*ManifestParameters) Validate ¶
func (m *ManifestParameters) Validate() error
Validate validates a ManifestParameters type for correct formatting
func (*ManifestParameters) ValidateFetch ¶
func (m *ManifestParameters) ValidateFetch() error
ValidateFetch validates the parameters included in a manifest request with an object fetch component
type ManifestRecord ¶
type ManifestRecord struct {
	ID         float64   `json:"id"`                // Manifest record ID
	Name       string    `json:"name"`              // The name of the manifest record
	Content    string    `json:"content,omitempty"` // Full data contents of record
	Timestamp  time.Time `json:"timestamp"`         // Record timestamp
	Status     string    `json:"status"`            // Record status
	Target     string    `json:"target"`            // Targeting parameters for record
	Signatures []string  `json:"signatures"`        // Signatures applied to the record
}
ManifestRecord describes a manifest record stored within the MIG database
func (*ManifestRecord) ContentFromFile ¶
func (m *ManifestRecord) ContentFromFile(path string) (err error)
ContentFromFile loads manifest content from a file on the file system (a gzipped tar file); it is primarily used by mig-console during manifest creation operations
func (*ManifestRecord) FileFromContent ¶
func (m *ManifestRecord) FileFromContent(path string) (err error)
FileFromContent writes manifest content to a file on the file system
func (*ManifestRecord) ManifestObject ¶
func (m *ManifestRecord) ManifestObject(obj string) ([]byte, error)
ManifestObject returns the requested file object as a gzip compressed byte slice from the manifest record
func (*ManifestRecord) ManifestResponse ¶
func (m *ManifestRecord) ManifestResponse() (ManifestResponse, error)
ManifestResponse converts a manifest record into a manifest response
func (*ManifestRecord) Validate ¶
func (m *ManifestRecord) Validate() (err error)
Validate validates an existing manifest record
type ManifestResponse ¶
type ManifestResponse struct {
	LoaderName string          `json:"loader_name"`
	Entries    []ManifestEntry `json:"entries"`
	Signatures []string        `json:"signatures"`
}
ManifestResponse is the response to a standard manifest request
func (*ManifestResponse) Validate ¶
func (m *ManifestResponse) Validate() error
Validate validates a ManifestResponse type ensuring required content is present
func (*ManifestResponse) VerifySignatures ¶
func (m *ManifestResponse) VerifySignatures(keyring io.Reader) (validcnt int, err error)
VerifySignatures verifies the signatures present in a manifest response against the keys present in keyring. It returns the number of valid unique signatures identified in the ManifestResponse.
type Operation ¶
type Operation struct {
	Module     string      `json:"module"`
	Parameters interface{} `json:"parameters"`

	// If WantCompressed is set in the operation, the parameters
	// will be compressed in PostAction() when the client sends the
	// action to the API. This will also result in IsCompressed being
	// marked as true, so the receiving agent knows it must decompress
	// the parameter data.
	IsCompressed   bool `json:"is_compressed,omitempty"`
	WantCompressed bool `json:"want_compressed,omitempty"`
}
Operation is an object that maps to an agent module. The parameters of the operation are passed to the module as an argument, and thus their format depends on the module itself.
func (*Operation) CompressOperationParam ¶
CompressOperationParam compresses the parameters stored within an operation
func (*Operation) DecompressOperationParam ¶
DecompressOperationParam decompresses the parameters stored within an operation
Source Files ¶
Directories ¶
Path | Synopsis
---|---
mig | mig is the command line tool that investigators can use to launch actions for execution by agents to retrieve/display the results of the actions.
mig-action-generator | This Source Code Form is subject to the terms of the Mozilla Public License, v.
mig-action-verifier | This Source Code Form is subject to the terms of the Mozilla Public License, v.
mig-console | This Source Code Form is subject to the terms of the Mozilla Public License, v.
 | This Source Code Form is subject to the terms of the Mozilla Public License, v.
agentcontext | The agentcontext package provides functionality to obtain information about the system a given agent or loader is running on.
 | This Source Code Form is subject to the terms of the Mozilla Public License, v.
 | The MIG loader is a simple bootstrapping tool for MIG.
 | This Source Code Form is subject to the terms of the Mozilla Public License, v.
 | This Source Code Form is subject to the terms of the Mozilla Public License, v.
 | This package implements interfaces to write modules for MIG.
audit | Package audit implements a persistent module which can read and parse the operating system audit trail.
dispatch | Package dispatch implements alert dispatching for the agent as a module.
example | This is an example module.
file | Package file provides functions to scan a file system as an agent module.
netstat | netstat is a module that retrieves network information about the endpoint, such as MAC addresses, local and connected IPs, listening TCP and UDP sockets and peers
scribe | scribe module implementation for MIG.
sshkey | Package sshkey implements the sshkey module in the agent
 | The PGP package is a helper around Golang's OpenPGP implementation
gpgagent | Package gpgagent interacts with the local GPG Agent.
pinentry | Package pinentry interfaces with the pinentry(1) command to securely prompt the user for a password using whichever user interface the user is currently using.
runner-plugins |
runner-compliance | This Source Code Form is subject to the terms of the Mozilla Public License, v.
runner-scribe | runner-scribe is a mig-runner plugin that processes results coming from automated actions and forwards the results as vulnerability events to MozDef
 | Package service provides a simple way to create a system service.