|
|
|
|
@ -1,8 +1,11 @@ |
|
|
|
|
package main |
|
|
|
|
|
|
|
|
|
import ( |
|
|
|
|
"bytes" |
|
|
|
|
"context" |
|
|
|
|
"bufio" |
|
|
|
|
"sync" |
|
|
|
|
"encoding/binary"
|
|
|
|
|
"encoding/base64" |
|
|
|
|
"crypto/rand" |
|
|
|
|
"crypto/sha256" |
|
|
|
|
@ -27,10 +30,13 @@ import ( |
|
|
|
|
"github.com/yang3yen/xxtea-go/xxtea" |
|
|
|
|
) |
|
|
|
|
|
|
|
|
|
const sizeofFanotifyEventMetadata = int(unsafe.Sizeof(unix.FanotifyEventMetadata{})) |
|
|
|
|
|
|
|
|
|
const ( |
|
|
|
|
configFile = "/etc/execguard/config.json" |
|
|
|
|
dbFile = "/etc/execguard/allowed.db" |
|
|
|
|
logFile = "/var/log/execguard.log" |
|
|
|
|
mailPath = "/usr/bin/mail" |
|
|
|
|
) |
|
|
|
|
|
|
|
|
|
type Config struct { |
|
|
|
|
@ -50,6 +56,7 @@ var migrateMode bool |
|
|
|
|
var newKey bool |
|
|
|
|
var config *Config |
|
|
|
|
var dbMutex sync.Mutex |
|
|
|
|
var alertCache sync.Map |
|
|
|
|
|
|
|
|
|
func main() { |
|
|
|
|
flag.BoolVar(&initMode, "init", false, "initialize and populate allowed executable database") |
|
|
|
|
@ -361,7 +368,13 @@ func periodicScan(dirs []string, db *sql.DB) { |
|
|
|
|
} else if !isAllowed(db, absPath) { |
|
|
|
|
log.Printf("Found unauthorized executable: %s", absPath) |
|
|
|
|
os.Chmod(absPath, info.Mode()&^0111) |
|
|
|
|
go sendAlert(fmt.Sprintf("Unauthorized executable found and blocked: %s", absPath)) |
|
|
|
|
|
|
|
|
|
if _, seen := alertCache.LoadOrStore(absPath, struct{}{}); !seen { |
|
|
|
|
go sendAlert(fmt.Sprintf("Unauthorized execution attempt blocked: %s", absPath), db) |
|
|
|
|
time.AfterFunc(10*time.Minute, func() { |
|
|
|
|
alertCache.Delete(absPath) |
|
|
|
|
}) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
return nil |
|
|
|
|
@ -374,31 +387,48 @@ func periodicScan(dirs []string, db *sql.DB) { |
|
|
|
|
func monitorExecutions(db *sql.DB) error { |
|
|
|
|
fd, err := unix.FanotifyInit(unix.FAN_CLOEXEC|unix.FAN_CLASS_CONTENT, unix.O_RDONLY|unix.O_LARGEFILE) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
return fmt.Errorf("fanotify init failed: %w", err) |
|
|
|
|
} |
|
|
|
|
defer unix.Close(fd) |
|
|
|
|
|
|
|
|
|
success := false |
|
|
|
|
for _, dir := range config.ProtectedDirs { |
|
|
|
|
if err := unix.FanotifyMark(fd, unix.FAN_MARK_ADD|unix.FAN_MARK_MOUNT, |
|
|
|
|
unix.FAN_OPEN_EXEC_PERM, unix.AT_FDCWD, dir); err != nil { |
|
|
|
|
if err := unix.FanotifyMark(fd, unix.FAN_MARK_ADD|unix.FAN_MARK_MOUNT, unix.FAN_OPEN_EXEC_PERM, unix.AT_FDCWD, dir); err != nil { |
|
|
|
|
log.Printf("Failed to mark %s: %v", dir, err) |
|
|
|
|
} else { |
|
|
|
|
success = true |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
if !success { |
|
|
|
|
return fmt.Errorf("failed to mark any protected directories") |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
buf := make([]byte, 4096) |
|
|
|
|
|
|
|
|
|
defer func() { |
|
|
|
|
if r := recover(); r != nil { |
|
|
|
|
log.Printf("Recovered from panic in monitorExecutions: %v", r) |
|
|
|
|
} |
|
|
|
|
}() |
|
|
|
|
|
|
|
|
|
for { |
|
|
|
|
n, err := unix.Read(fd, buf) |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
return fmt.Errorf("fanotify read failed: %w", err) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
for offset := 0; offset < n; { |
|
|
|
|
if n-offset < sizeofFanotifyEventMetadata { |
|
|
|
|
break |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
meta := (*unix.FanotifyEventMetadata)(unsafe.Pointer(&buf[offset])) |
|
|
|
|
if meta.Event_len == 0 { |
|
|
|
|
break |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
resp := unix.FanotifyResponse{Fd: meta.Fd, Response: unix.FAN_ALLOW} |
|
|
|
|
defer unix.Close(int(meta.Fd)) |
|
|
|
|
shouldClose := true |
|
|
|
|
|
|
|
|
|
if meta.Mask&unix.FAN_OPEN_EXEC_PERM != 0 { |
|
|
|
|
fdpath := fmt.Sprintf("/proc/self/fd/%d", meta.Fd) |
|
|
|
|
@ -406,41 +436,75 @@ func monitorExecutions(db *sql.DB) error { |
|
|
|
|
if err == nil { |
|
|
|
|
absPath, _ := filepath.Abs(path) |
|
|
|
|
absPath, _ = filepath.EvalSymlinks(absPath) |
|
|
|
|
info, statErr := os.Stat(absPath) |
|
|
|
|
if statErr == nil && info.Mode().IsRegular() && (info.Mode().Perm()&0111 != 0) { |
|
|
|
|
if info, statErr := os.Stat(absPath); statErr == nil && |
|
|
|
|
info.Mode().IsRegular() && (info.Mode().Perm()&0111 != 0) { |
|
|
|
|
|
|
|
|
|
if initMode { |
|
|
|
|
addToAllowed(db, absPath) |
|
|
|
|
} else if !isAllowed(db, absPath) { |
|
|
|
|
go func(p string, fd int) { |
|
|
|
|
addToAllowed(db, p) |
|
|
|
|
unix.Close(fd) |
|
|
|
|
}(absPath, int(meta.Fd)) |
|
|
|
|
shouldClose = false |
|
|
|
|
} else { |
|
|
|
|
if !isAllowed(db, absPath) { |
|
|
|
|
log.Printf("Blocked execution attempt: %s", absPath) |
|
|
|
|
// To avoid locking up the Whole System...use go function on sendAlert!!!
|
|
|
|
|
go sendAlert(fmt.Sprintf("Unauthorized execution attempt blocked: %s", absPath)) |
|
|
|
|
|
|
|
|
|
if _, seen := alertCache.LoadOrStore(absPath, struct{}{}); !seen { |
|
|
|
|
go sendAlert(fmt.Sprintf("Unauthorized execution attempt blocked: %s", absPath), db) |
|
|
|
|
time.AfterFunc(10*time.Minute, func() { |
|
|
|
|
alertCache.Delete(absPath) |
|
|
|
|
}) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
resp.Response = unix.FAN_DENY |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
b := (*[unsafe.Sizeof(resp)]byte)(unsafe.Pointer(&resp))[:] |
|
|
|
|
if _, err := unix.Write(fd, b); err != nil { |
|
|
|
|
var respBuf bytes.Buffer |
|
|
|
|
if err := binary.Write(&respBuf, binary.LittleEndian, resp); err != nil { |
|
|
|
|
log.Printf("Failed to encode fanotify response: %v", err) |
|
|
|
|
} else if _, err := unix.Write(fd, respBuf.Bytes()); err != nil { |
|
|
|
|
log.Printf("Fanotify response write error: %v", err) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if shouldClose { |
|
|
|
|
unix.Close(int(meta.Fd)) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
offset += int(meta.Event_len) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
func sendAlert(message string) { |
|
|
|
|
func sendAlert(message string, db *sql.DB) { |
|
|
|
|
if config.AlertEmail == "" { |
|
|
|
|
return |
|
|
|
|
} |
|
|
|
|
if _, err := exec.LookPath("mail"); err != nil { |
|
|
|
|
if !isAllowed(db, mailPath) { |
|
|
|
|
log.Printf("%s not allowed...blocked email, sorry.", mailPath) |
|
|
|
|
return // Prevent system crash!
|
|
|
|
|
} |
|
|
|
|
if _, err := os.Stat(mailPath); err != nil { |
|
|
|
|
log.Printf("Mail command not found: %v", err) |
|
|
|
|
return |
|
|
|
|
} |
|
|
|
|
cmd := exec.Command("mail", "-s", "ExecGuard Alert", config.AlertEmail) |
|
|
|
|
time.Sleep(time.Duration(300) * time.Millisecond) // Must give time for Block to get over with...
|
|
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second) |
|
|
|
|
defer cancel() // Ensure the context is canceled to avoid leaks
|
|
|
|
|
|
|
|
|
|
cmd := exec.CommandContext(ctx, mailPath, "-s", "ExecGuard Alert", config.AlertEmail) |
|
|
|
|
cmd.Env = []string{"PATH=/usr/bin:/bin"} // Set a minimal PATH
|
|
|
|
|
cmd.Stdin = strings.NewReader(message) |
|
|
|
|
if err := cmd.Run(); err != nil { |
|
|
|
|
log.Printf("Failed to send alert: %v", err) |
|
|
|
|
|
|
|
|
|
output, err := cmd.CombinedOutput() |
|
|
|
|
if ctx.Err() == context.DeadlineExceeded { |
|
|
|
|
log.Printf("sendAlert timeout after 15s for message: %q", message) |
|
|
|
|
} |
|
|
|
|
if err != nil { |
|
|
|
|
log.Printf("Failed to send alert: %v, output: %s", err, output) |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
Robert
7 months ago