model

package

Documentation

Overview

Copyright © 2020 GUILLAUME FOURNIER

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

const (
	// UsernameMaxLength is the maximum length allowed for a user name
	UsernameMaxLength = 32
	// PathMax is the maximum path length for the binary paths handled by the project.
	// Since binary paths are watched automatically (and modification to them is denied by default), we do not need
	// to worry about inodes for processes. Although the theoretical PATH_MAX is 4096, we assume that 255 is enough.
	// NOTE(review): how a path longer than PathMax is handled is not visible here — confirm it is rejected rather
	// than silently truncated, since a truncated key could match a different binary than the one configured.
	PathMax = 255
	// OTPRequestSize is the maximum size of an OTP request string
	OTPRequestSize = 75
	// MaxOTPFailures is the maximum number of failed OTP requests that are authorized before ssh-probe kills the session
	MaxOTPFailures = 5
	// UnknownUserNameCookie is the profile cookie used for unknown users
	// NOTE(review): fixed value — confirm a configured profile can never be assigned the same KernelCookie.
	UnknownUserNameCookie = 42
	// MaxOTPTimeout is the maximum OTP timeout that can be requested
	MaxOTPTimeout = 10 * time.Minute
)

Variables

AllCategories lists all the available categories

// ErrNotEnoughData is returned when the buffer is too small to unmarshal the event.
var ErrNotEnoughData = errors.New("not enough data")

ErrNotEnoughData is returned when the buffer is too small to unmarshal the event

// UnknownUserProfile is the default profile for unknown users. Only User is set;
// every other field (actions, binaries, FIM policies, OTP config) keeps its zero value.
var UnknownUserProfile = Profile{
	User: "unknown_user",
}

UnknownUserProfile is the default unknown user profile

Functions

func GetBinaryPathKey

// GetBinaryPathKey returns an unsafe pointer to a BinaryPathKey instance built from cookie and path.
// NOTE(review): BinaryPathKey.Path is a fixed [PathMax]byte array — confirm a path longer than
// PathMax produces an error rather than a truncated key.
func GetBinaryPathKey(cookie uint32, path string) (unsafe.Pointer, error)

GetBinaryPathKey returns an unsafe pointer to a BinaryPathKey instance

func GetInodeSelector

// GetInodeSelector returns an unsafe pointer to an InodeSelector instance built from inode, cookie
// and accessRight (the kernel value of an AccessRight, see AccessRight.KernelValues).
func GetInodeSelector(inode uint64, cookie uint32, accessRight uint8) (unsafe.Pointer, error)

GetInodeSelector returns an unsafe pointer to an InodeSelector instance

func GetSyscallName

// GetSyscallName returns a syscall name from its id.
func GetSyscallName(id uint32) string

GetSyscallName returns a syscall name from its id

Types

type AccessRight

// AccessRight is the access mode matched by a FilePolicy: Read, Write or Any.
type AccessRight string
const (
	Read  AccessRight = "read"
	Write AccessRight = "write"
	Any   AccessRight = "any"
)

func (AccessRight) KernelValues

// KernelValues returns the kernel values of an AccessRight.
// It returns a slice, presumably because Any expands to both the read and the write value — confirm.
func (ar AccessRight) KernelValues() []uint8

KernelValues returns the kernel values of an AccessRight

func (AccessRight) Sanitize

// Sanitize checks if the provided access right is valid.
func (ar AccessRight) Sanitize() error

Sanitize checks if the provided access right is valid

type Action

// Action is the response applied when a policy matches: Allow, Block, MFA or Kill.
type Action string
const (
	Allow Action = "allow"
	Block Action = "block"
	MFA   Action = "mfa"
	Kill  Action = "kill"
)

func ActionFromKernelValue

// ActionFromKernelValue returns an action from its kernel value (the inverse of Action.KernelValue).
func ActionFromKernelValue(action uint8) Action

ActionFromKernelValue returns an action from its kernel value

func (Action) KernelValue

// KernelValue returns the kernel value of an action.
func (a Action) KernelValue() uint8

KernelValue returns the kernel value of an action

func (Action) Sanitize

// Sanitize checks if the provided action is valid.
func (a Action) Sanitize() error

Sanitize checks if the provided action is valid

type ActionKey

// ActionKey pairs a profile cookie with a Category; GetActionKey turns it into a kernel map key.
// ProfileCookie presumably matches Profile.KernelCookie — confirm.
type ActionKey struct {
	ProfileCookie uint32
	Category      Category
}

func (ActionKey) GetActionKey

// GetActionKey returns a kernel ready representation of an ActionKey instance.
func (ak ActionKey) GetActionKey() (unsafe.Pointer, error)

GetActionKey returns a kernel ready representation of an ActionKey instance

type BinaryPath

// BinaryPath is the binary-path payload carried by a Notification.
// ProfileCookie is tagged `json:"-"` and therefore never appears in JSON output.
type BinaryPath struct {
	ProfileCookie uint32 `json:"-"`
	BinaryPath    string `json:"binary_path"`
}

func (*BinaryPath) String

// String implements fmt.Stringer for BinaryPath.
func (bp *BinaryPath) String() string

func (*BinaryPath) UnmarshalBinary

// UnmarshalBinary decodes data into bp. The returned int is presumably the number of bytes
// consumed, and ErrNotEnoughData the error for a too-short buffer — confirm against the implementation.
func (bp *BinaryPath) UnmarshalBinary(data []byte) (int, error)

type BinaryPathKey

// BinaryPathKey is the key structure of the allowed_binaries map.
// Path is a fixed-size array of PathMax bytes, not a Go string, so it can be handed to the kernel as-is.
type BinaryPathKey struct {
	Cookie uint32
	Path   [PathMax]byte
}

BinaryPathKey is the key structure of the allowed_binaries map

type Category

// Category is used to regroup actions in the kernel.
type Category uint8

Category is used to regroup actions in the kernel

// Known Category values. GetCategory parses their string form and Category.Sanitize
// checks that a value is one of them.
const (
	CategoryFim                     Category = 1
	CategoryProcessMonitoring       Category = 2
	CategoryUnknownBinary           Category = 3
	CategorySocketCreation          Category = 4
	CategoryDeletionsAndMoves       Category = 5
	CategoryPrivilegeElevation      Category = 6
	CategoryOSLevelProtections      Category = 7
	CategoryProcessLevelProtections Category = 8
	CategoryPerformanceMonitoring   Category = 9
	CategoryKill                    Category = 10
	CategoryGlobal                  Category = 11
	CategoryFailedMFA               Category = 12
	CategoryUnknownFile             Category = 13
)

func GetCategory

// GetCategory parses a string into its category if it exists.
func GetCategory(val string) (Category, error)

GetCategory parses a string into its category if it exists

func (Category) MarshalJSON

// MarshalJSON encodes the category using its string representation.
func (c Category) MarshalJSON() ([]byte, error)

MarshalJSON encodes the category using its string representation

func (Category) Sanitize

// Sanitize checks if the current category exists.
func (c Category) Sanitize() error

Sanitize checks if the current category exists

func (Category) String

// String implements fmt.Stringer for Category.
func (c Category) String() string

type FIM

// FIM is the file-integrity payload carried by a Notification: the accessed inode and its path.
// Path is presumably resolved from Inode through the Resolver passed to UnmarshalBinary — confirm.
type FIM struct {
	Inode uint64 `json:"inode"`
	Path  string `json:"path"`
}

func (*FIM) String

// String implements fmt.Stringer for FIM.
func (f *FIM) String() string

func (*FIM) UnmarshalBinary

// UnmarshalBinary decodes data into f, using resolver to map the inode to a path.
// The returned int is presumably the number of bytes consumed — confirm.
func (f *FIM) UnmarshalBinary(data []byte, resolver Resolver) (int, error)

type FilePolicy

// FilePolicy is one file-integrity rule of a Profile: a path Pattern, the AccessRight it
// covers and the Action to apply. Inodes is not read from YAML; it is presumably filled by
// ExpandPattern with the inodes matching Pattern — confirm.
type FilePolicy struct {
	Pattern     string            `yaml:"pattern"`
	AccessRight AccessRight       `yaml:"access_right"`
	Action      Action            `yaml:"action"`
	Inodes      map[uint64]string `yaml:"-"`
}

func (*FilePolicy) ExpandPattern

// ExpandPattern expands p.Pattern; presumably it resolves the matching files into p.Inodes — confirm.
func (p *FilePolicy) ExpandPattern() error

func (*FilePolicy) Sanitize

// Sanitize checks that the policy is valid (its AccessRight and Action each have their own Sanitize).
func (p *FilePolicy) Sanitize() error

type InodeSelector

// InodeSelector is the kernel key combining an inode, a profile cookie and an access right
// (AccessRight holds the kernel value, see AccessRight.KernelValues). Built by GetInodeSelector.
type InodeSelector struct {
	Inode         uint64
	ProfileCookie uint32
	AccessRight   uint8
}

type KillRequest

// KillRequest is the event emitted when a session is to be killed, identifying the
// profile, the session and the session's initial pid.
type KillRequest struct {
	Timestamp             time.Time
	SessionLoginTimestamp time.Time
	ProfileCookie         uint32
	SessionCookie         uint32
	SessionInitPid        uint32
}

func (*KillRequest) UnmarshalBinary

// UnmarshalBinary decodes data into kr. bootTime is presumably the reference used to turn
// kernel monotonic timestamps into time.Time values — confirm.
func (kr *KillRequest) UnmarshalBinary(data []byte, bootTime time.Time) (int, error)

type MFASelector

// MFASelector identifies an MFA grant by profile, session and the Category it applies to;
// GetMFASelectorKey turns it into a kernel map key.
type MFASelector struct {
	ProfileCookie uint32
	SessionCookie uint32
	Scope         Category
}

func (MFASelector) GetMFASelectorKey

// GetMFASelectorKey returns a kernel ready representation of an MFASelector instance.
func (mfa MFASelector) GetMFASelectorKey() (unsafe.Pointer, error)

GetMFASelectorKey returns a kernel ready representation of an MFASelector instance

type Notification

// Notification is an event reported by ssh-probe: who (profile/session/pid), what Category
// it fell in and which Action was taken. Exactly which of the optional payloads (Syscall,
// BinaryPath, FIM, OTPRequest) is set presumably depends on Category — confirm.
type Notification struct {
	Timestamp             time.Time `json:"timestamp"`
	SessionLoginTimestamp time.Time `json:"session_login_timestamp"`
	User                  string    `json:"profile_user"`
	ProfileCookie         uint32    `json:"profile_cookie"`
	SessionCookie         uint32    `json:"session_cookie"`
	Category              Category  `json:"category"`
	Action                Action    `json:"action"`
	Pid                   uint32    `json:"pid"`
	Tid                   uint32    `json:"tid"`
	Comm                  string    `json:"comm"`

	// Optional payloads; each is omitted from JSON when nil.
	Syscall    *Syscall    `json:"syscall,omitempty"`
	BinaryPath *BinaryPath `json:"binary_path,omitempty"`
	FIM        *FIM        `json:"fim,omitempty"`
	OTPRequest *OTPRequest `json:"otp,omitempty"`
}

func (*Notification) String

// String implements fmt.Stringer for Notification.
func (n *Notification) String() string

func (*Notification) UnmarshalBinary

// UnmarshalBinary decodes data into n; bootTime is presumably the reference for kernel
// timestamps and resolver maps inodes to paths for the FIM payload — confirm.
func (n *Notification) UnmarshalBinary(data []byte, bootTime time.Time, resolver Resolver) (int, error)

type OTPRequest

// OTPRequest is used to represent an OTP request from the ssh-probe-auth.
// Only OTPTimeout and OTPScope are serialized to JSON; the raw request and the OTPToken are
// tagged `json:"-"` so the one time password is never written out.
type OTPRequest struct {
	Timestamp             time.Time            `json:"-"`
	SessionLoginTimestamp time.Time            `json:"-"`
	ProfileCookie         uint32               `json:"-"`
	SessionCookie         uint32               `json:"-"`
	SessionInitPid        uint32               `json:"-"`
	RequestPid            uint32               `json:"-"`
	OTPRequest            string               `json:"-"`
	OTPRequestRaw         [OTPRequestSize]byte `json:"-"`

	// NOTE(review): MaxOTPTimeout is the documented upper bound — confirm ParseOTPRequest caps OTPTimeout to it.
	OTPTimeout time.Duration `json:"timeout"`
	OTPToken   string        `json:"-"`
	OTPScope   Category      `json:"scope"`
}

OTPRequest is used to represent an OTP request from the ssh-probe-auth

func (*OTPRequest) ParseOTPRequest

// ParseOTPRequest parses an OTP request to extract the timeout and the one time password.
// NOTE(review): confirm the extracted timeout is rejected or clamped when it exceeds MaxOTPTimeout.
func (or *OTPRequest) ParseOTPRequest() error

ParseOTPRequest parses an OTP request to extract the timeout and the one time password

func (*OTPRequest) UnmarshalBinary

// UnmarshalBinary parses raw bytes into an OTPRequest instance; bootTime is presumably the
// reference for kernel timestamps — confirm.
func (or *OTPRequest) UnmarshalBinary(data []byte, bootTime time.Time) (int, error)

UnmarshalBinary parses raw bytes into an OTPRequest instance

type Profile

// Profile is the per-user policy loaded from YAML: which binaries may run, the file-integrity
// rules and the Action for each monitored Category. KernelCookie, OTPConfig and
// OTPFailedRequests are runtime state and are not read from YAML.
type Profile struct {
	KernelCookie      uint32               `yaml:"-"`
	OTPConfig         *dgoogauth.OTPConfig `yaml:"-"`
	// OTPFailedRequests is presumably compared against MaxOTPFailures — confirm.
	OTPFailedRequests int                  `yaml:"-"`

	User string `yaml:"user"`

	// Process monitoring
	Binaries             map[string]Action `yaml:"binaries"`
	UnknownBinaryDefault Action            `yaml:"unknown_binary_default"`

	// File Integrity Monitoring
	FIM               []*FilePolicy `yaml:"fim"`
	DeletionsAndMoves Action        `yaml:"deletions_and_moves"`
	UnknownFile       Action        `yaml:"unknown_file_default"`

	// Socket creation
	SocketCreation Action `yaml:"socket_creation"`

	// Privilege elevation
	PrivilegeElevation Action `yaml:"privilege_elevation"`

	// OS level protections
	OSLevelProtections Action `yaml:"os_level_protections"`

	// Process level protections
	ProcessLevelProtections Action `yaml:"process_level_protections"`

	// Performance monitoring
	PerformanceMonitoring Action `yaml:"performance_monitoring"`

	// Kill
	Kill Action `yaml:"kill"`
}

func (*Profile) GetUserKey

// GetUserKey returns an unsafe pointer to a byte representation of the user name.
// NOTE(review): UsernameMaxLength bounds the user name — confirm Sanitize enforces it before this key is built.
func (p *Profile) GetUserKey() unsafe.Pointer

GetUserKey returns an unsafe pointer to a byte representation of the user name

func (*Profile) Sanitize

// Sanitize checks that the profile is valid; the Action, AccessRight and FilePolicy types each
// provide their own Sanitize.
func (p *Profile) Sanitize() error

type Profiles

// Profiles is the top-level YAML document: the Action for users without a profile and the
// list of per-user profiles.
type Profiles struct {
	UnknownUserDefault Action     `yaml:"unknown_user_default"`
	UserProfiles       []*Profile `yaml:"user_profiles"`
}

func (*Profiles) Sanitize

// Sanitize checks that the profile set is valid (each Profile has its own Sanitize).
func (p *Profiles) Sanitize() error

type Resolver

// Resolver maps between file paths and inode numbers for FIM events.
// NOTE(review): inode numbers can be reused once a file is deleted; how a stale cache entry is
// handled is not visible here — confirm.
type Resolver interface {
	// CacheInode records path and returns its inode number.
	CacheInode(path string) (uint64, error)
	// ResolveInode returns the path known for ino and whether one was found.
	ResolveInode(ino uint64) (string, bool)
}

type Syscall

// Syscall is the syscall payload carried by a Notification; Name presumably comes from
// GetSyscallName(ID) — confirm.
type Syscall struct {
	ID   uint32 `json:"id"`
	Name string `json:"name"`
}

func (*Syscall) String

// String implements fmt.Stringer for Syscall.
func (sn *Syscall) String() string

func (*Syscall) UnmarshalBinary

// UnmarshalBinary decodes data into sn. The returned int is presumably the number of bytes
// consumed, and ErrNotEnoughData the error for a too-short buffer — confirm.
func (sn *Syscall) UnmarshalBinary(data []byte) (int, error)
