import "github.com/mozilla/mig"
acl.go action.go agent.go command.go constants.go investigator.go loader.go logging_posix.go manifest.go misc.go runner.go version.go
const (
AgtStatusOnline string = "online"
AgtStatusDestroyed string = "destroyed"
AgtStatusOffline string = "offline"
AgtStatusIdle string = "idle"
)Various agent status values
const (
StatusSent string = "sent"
StatusSuccess string = "success"
StatusCancelled string = "cancelled"
StatusExpired string = "expired"
StatusFailed string = "failed"
StatusTimeout string = "timeout"
)Various command status values
const (
ExchangeToAgents = "toagents"
ExchangeToSchedulers = "toschedulers"
QueueAgentHeartbeat = "mig.agt.heartbeats"
QueueAgentResults = "mig.agt.results"
)Various constants that indicate exchange and queue names used in RabbitMQ
const (
PermSearch = 1 << iota
PermAction
PermActionCreate
PermCommand
PermAgent
PermDashboard
PermLoader
PermLoaderStatus
PermLoaderExpect
PermLoaderKey
PermLoaderNew
PermManifest
PermManifestSign
PermManifestNew
PermManifestStatus
PermManifestLoaders
PermInvestigator
PermInvestigatorCreate
PermInvestigatorUpdate
)Permissions that can be assigned to investigators
const (
StatusActiveInvestigator string = "active"
StatusDisabledInvestigator string = "disabled"
)Possible status values for an investigator
ActionVersion is the version of the syntax that is expected
const LoaderHashedKeyLength = 32LoaderHashedKeyLength is the length of the hashed loader key in the database
const LoaderKeyLength = 32LoaderKeyLength is the length of the loader key
const LoaderPrefixAndKeyLength = 40LoaderPrefixAndKeyLength is the key length for a loader key including the prefix
const LoaderPrefixLength = 8LoaderPrefixLength is the length of the loader prefix
const LoaderSaltLength = 16LoaderSaltLength is the length of the salt applied to loader keys
var BundleDictionary = map[string][]BundleDictionaryEntry{ "linux": bundleEntryLinux, "darwin": bundleEntryDarwin, "windows": bundleEntryWindows, }
BundleDictionary maps GOOS platform names to specific bundle entry values
PermSets describes permission sets that can be applied; note default is omitted as this is currently always applied
var Version = ""Version can be set at compile time to indicate the version of MIG components. You'd typically want to set this during install using flags such as -ldflags "-X github.com/mozilla/mig.Version=20170913-0.06824ce0.dev" when calling the go build tools.
GenID returns a float64 ID number that is unique to this process. The ID is initialized at the number of seconds since MIG's creation date, shifted 16 bits to the right and incremented by one every time a new ID is requested. The resulting value must fit in 53 bits of precision provided by the float64 type.
GenerateLoaderKey will generate a new loader key value
GenerateLoaderPrefix will generate a new loader prefix value
ProcessLog receives events and performs logging and evaluation of the log severity level, in the event of an emergency level entry stop will be true
RandAPIKeyString is used for prefix and key generation, and just returns a random string consisting of alphanumeric characters of length characters long
ValidateLoaderKey validates a loader key, returns nil if it is valid
ValidateLoaderPrefix validates a loader prefix value, returns nil if it is valid
ValidateLoaderPrefixAndKey validates a loader key that includes the prefix
type ACL map[string]struct { MinimumWeight int Investigators map[string]struct { Fingerprint string Weight int } }
ACL defines an access control list used by the agent to determine what investigators can call a given module. The key in this map is the module name, and can be "default" in which case this element will be used if no key for a given module exists.
The value includes a minimum weight to authorize the request, and a map of investigators with the key of the map being the name of the investigator, and the value storing the PGP fingerprint of the investigators key and the weight that investigator has.
type Action struct {
ID float64 `json:"id"`
Name string `json:"name"`
Target string `json:"target"`
Description Description `json:"description,omitempty"`
Threat Threat `json:"threat,omitempty"`
ValidFrom time.Time `json:"validfrom"`
ExpireAfter time.Time `json:"expireafter"`
Operations []Operation `json:"operations"`
PGPSignatures []string `json:"pgpsignatures"`
Investigators []Investigator `json:"investigators,omitempty"`
Status string `json:"status,omitempty"`
StartTime time.Time `json:"starttime,omitempty"`
FinishTime time.Time `json:"finishtime,omitempty"`
LastUpdateTime time.Time `json:"lastupdatetime,omitempty"`
Counters ActionCounters `json:"counters,omitempty"`
SyntaxVersion uint16 `json:"syntaxversion,omitempty"`
}Action is the json object that is created by an investigator and provided to the MIG platform. It must be PGP signed.
ActionFromFile reads an action from a local file on the file system and returns a mig.Action structure
IndentedString returns an indented JSON string representing the action suitable for display
PrintCounters prints the counters of an action to stderr
Sign computes and returns the GPG signature of a MIG action in its stringified form
concatenates Action components into a string
ToTempFile writes an action into a generated temporary file and returns its filename
Validate verifies that the Action received contained all the necessary fields, and returns an error when it doesn't.
VerifyACL validates that an action has been issued by investigators that have adequate permissions to execute the action. It takes a look at each operation included in the action and verifies the signatures in the action against the agents ACL.
VerifySignatures verifies that the Action contains valid signatures from known investigators. It does not verify permissions.
type ActionCounters struct {
Sent int `json:"sent,omitempty"`
Done int `json:"done,omitempty"`
InFlight int `json:"inflight,omitempty"`
Success int `json:"success,omitempty"`
Cancelled int `json:"cancelled,omitempty"`
Expired int `json:"expired,omitempty"`
Failed int `json:"failed,omitempty"`
TimeOut int `json:"timeout,omitempty"`
}ActionCounters are counters used to track the completion of an action
type Agent struct {
ID float64 `json:"id,omitempty"`
Name string `json:"name"`
QueueLoc string `json:"queueloc"`
Mode string `json:"mode"`
Version string `json:"version,omitempty"`
PID int `json:"pid,omitempty"`
LoaderName string `json:"loadername,omitempty"`
StartTime time.Time `json:"starttime,omitempty"`
DestructionTime time.Time `json:"destructiontime,omitempty"`
HeartBeatTS time.Time `json:"heartbeatts,omitempty"`
RefreshTS time.Time `json:"refreshts,omitempty"`
Status string `json:"status,omitempty"`
Authorized bool `json:"authorized,omitempty"`
Env AgentEnv `json:"environment,omitempty"`
Tags map[string]string `json:"tags,omitempty"`
}Agent stores the description of an agent and serves as a canvas for heartbeat messages
type AgentEnv struct {
Init string `json:"init,omitempty"`
Ident string `json:"ident,omitempty"`
OS string `json:"os,omitempty"`
Arch string `json:"arch,omitempty"`
IsProxied bool `json:"isproxied"`
Proxy string `json:"proxy,omitempty"`
Addresses []string `json:"addresses,omitempty"`
PublicIP string `json:"publicip,omitempty"`
AWS AgentEnvAWS `json:"aws,omitempty"`
Modules []string `json:"modules,omitempty"`
}AgentEnv stores basic information of the endpoint
type AgentEnvAWS struct {
InstanceID string `json:"instanceid,omitempty"`
LocalIPV4 string `json:"localipv4,omitempty"`
AMIID string `json:"amiid,omitempty"`
InstanceType string `json:"instancetype,omitempty"`
}AgentEnvAWS stores AWS specific agent environment values
type AgentsStats struct {
Timestamp time.Time `json:"timestamp"`
OnlineAgents float64 `json:"onlineagents"`
OnlineAgentsByVersion []AgentsVersionsSum `json:"onlineagentsbyversion"`
OnlineEndpoints float64 `json:"onlineendpoints"`
IdleAgents float64 `json:"idleagents"`
IdleAgentsByVersion []AgentsVersionsSum `json:"idleagentsbyversion"`
IdleEndpoints float64 `json:"idleendpoints"`
NewEndpoints float64 `json:"newendpoints"`
MultiAgentsEndpoints float64 `json:"multiagentsendpoints"`
DisappearedEndpoints float64 `json:"disappearedendpoints"`
FlappingEndpoints float64 `json:"flappingendpoints"`
}AgentsStats stores information about the global MIG environment, primarily used in command line tools and the API/scheduler
AgentsVersionsSum stores information on the count of agents at a specific version level, primarily used in command line tools and the API/scheduler
BundleDictionaryEntry is used to map tokens within the loader manifest to objects on the file system. We don't allow specification of an exact path for interrogation or manipulation in the manifest. This results in some restrictions but hardens the loader against making unauthorized changes to the file system.
func GetHostBundle() ([]BundleDictionaryEntry, error)
GetHostBundle returns the correct BundleDictionaryEntry given the platform the code is executing on
func HashBundle(b []BundleDictionaryEntry) ([]BundleDictionaryEntry, error)
HashBundle populates a slice of BundleDictionaryEntrys, adding the SHA256 checksums from the file system
type Command struct {
ID float64 `json:"id"`
Action Action `json:"action"`
Agent Agent `json:"agent"`
// Status can be one of:
// sent: the command has been sent by the scheduler to the agent
// success: the command has successfully ran on the agent and been returned to the scheduler
// cancelled: the command has been cancelled by the investigator
// expired: the command has been expired by the scheduler
// failed: the command has failed on the agent and been returned to the scheduler
// timeout: module execution has timed out, and the agent returned the command to the scheduler
Status string `json:"status"`
Results []modules.Result `json:"results"`
StartTime time.Time `json:"starttime"`
FinishTime time.Time `json:"finishtime"`
}Command describes an action as applied to a single agent, and will include results
CmdFromFile reads a command from a local file on the file system and return the mig.Command structure
type Description struct {
Author string `json:"author,omitempty"`
Email string `json:"email,omitempty"`
URL string `json:"url,omitempty"`
Revision float64 `json:"revision,omitempty"`
}Description is a simple object that contains detail about the action's author, and it's revision.
type Investigator struct {
ID float64 `json:"id,omitempty"`
Name string `json:"name"`
PGPFingerprint string `json:"pgpfingerprint"`
PublicKey []byte `json:"publickey,omitempty"`
PrivateKey []byte `json:"privatekey,omitempty"`
Status string `json:"status"`
CreatedAt time.Time `json:"createdat"`
LastModified time.Time `json:"lastmodified"`
APIKey string `json:"apikey,omitempty"`
Permissions InvestigatorPerms `json:"permissions"`
}Investigator describes a single MIG investigator
func (i *Investigator) CheckPermission(pv int64) bool
CheckPermission validates if an investigator has given permission pv
type InvestigatorAPIAuthHelper struct {
ID float64 // Investigator ID
APIKey []byte // Key hash
Salt []byte // Key salt
}InvestigatorAPIAuthHelper is a small struct used to pass information between the database and the API, and is used primarily for authorizing requests using API keys.
type InvestigatorPerms struct {
Search bool `json:"search"`
Action bool `json:"action"`
ActionCreate bool `json:"action_create"`
Command bool `json:"command"`
Agent bool `json:"agent"`
Dashboard bool `json:"dashboard"`
Loader bool `json:"loader"`
LoaderStatus bool `json:"loader_status"`
LoaderExpect bool `json:"loader_expect"`
LoaderKey bool `json:"loader_key"`
LoaderNew bool `json:"loader_new"`
Manifest bool `json:"manifest"`
ManifestSign bool `json:"manifest_sign"`
ManifestStatus bool `json:"manifest_status"`
ManifestNew bool `json:"manifest_new"`
ManifestLoaders bool `json:"manifest_loaders"`
Investigator bool `json:"investigator"`
InvestigatorCreate bool `json:"investigator_create"`
InvestigatorUpdate bool `json:"investigator_update"`
}InvestigatorPerms describes permissions assigned to an investigator
func (ip *InvestigatorPerms) AdminSet()
AdminSet sets administrative permissions on the investigator
func (ip *InvestigatorPerms) DefaultSet()
DefaultSet sets a default set of permissions on the investigator
func (ip *InvestigatorPerms) FromMask(mask int64)
FromMask converts a permission bit mask into a boolean permission set
func (ip *InvestigatorPerms) FromSetList(sl []string) error
FromSetList applies permission sets in slice sl to the investigator
func (ip *InvestigatorPerms) LoaderSet()
LoaderSet sets loader related permissions on the investigator
func (ip *InvestigatorPerms) ManifestSet()
ManifestSet sets manifest related permissions on the investigator
func (ip *InvestigatorPerms) ToDescriptive() string
ToDescriptive converts an existing boolean permission set to a descriptive string, used primarily in mig-console for summarizing permissions assigned to an investigator
func (ip *InvestigatorPerms) ToMask() (ret int64)
ToMask converts a boolean permission set to a permission bit mask
LoaderAuthDetails is a small helper type used primarily during the loader authentication process between the API and database code, temporarily stores authentication information
func (lad *LoaderAuthDetails) Validate() error
Validate validates a LoaderAuthDetails type
type LoaderEntry struct {
ID float64 `json:"id"` // Loader ID
Name string `json:"name"` // Loader name
Prefix string `json:"prefix"` // Loader key prefix
Key string `json:"key"` // Loader key (only populated during creation)
AgentName string `json:"agentname"` // Loader environment, agent name
LastSeen time.Time `json:"lastseen"` // Last time loader was used
Enabled bool `json:"enabled"` // Loader entry is active
ExpectEnv string `json:"expectenv"` // Expected environment
}LoaderEntry describes a loader entry stored in the database
func (le *LoaderEntry) Validate() (err error)
Validate validates a loader entry
Log defines a log entry
Alert sets Log entry level to alert
Crit sets Log entry level to critical
Debug sets log entry level to debug
Emerg sets Log entry level to emergency
Err sets Log entry level to error
Info sets Log entry level to info
Notice sets Log entry level to notice
Warning sets Log entry level to warning
type Logging struct {
// configuration
Mode, Level, File, Host, Protocol, Facility string
Port int
MaxFileSize int64
// contains filtered or unexported fields
}Logging stores the attributes needed to perform the logging
InitLogger prepares the context for logging based on the configuration in Logging
Destroy can be used to indicate no further logging with the given logging context will take place
type ManifestEntry struct {
Name string `json:"name"` // Corresponds to a bundle name
SHA256 string `json:"sha256"` // SHA256 of entry
}ManifestEntry describes an individual file element within a manifest
ManifestFetchResponse is the response to a manifest object fetch
type ManifestParameters struct {
AgentIdentifier Agent `json:"agent"` // Agent context information
Object string `json:"object"` // Object being requested
}ManifestParameters are sent from the loader to the API as part of a manifest request.
func (m *ManifestParameters) Validate() error
Validate validetes a ManifestParameters type for correct formatting
func (m *ManifestParameters) ValidateFetch() error
ValidateFetch validates the parameters included in a manifest request with an object fetch component
type ManifestRecord struct {
ID float64 `json:"id"` // Manifest record ID
Name string `json:"name"` // The name of the manifest record
Content string `json:"content,omitempty"` // Full data contents of record
Timestamp time.Time `json:"timestamp"` // Record timestamp
Status string `json:"status"` // Record status
Target string `json:"target"` // Targetting parameters for record
Signatures []string `json:"signatures"` // Signatures applied to the record
}ManifestRecord describes a manifest record stored within the MIG database
func (m *ManifestRecord) ContentFromFile(path string) (err error)
ContentFromFile loads manifest content from a file on the file system (a gzip'd tar file), primarily utilized by mig-console during manifest creation operations
func (m *ManifestRecord) FileFromContent(path string) (err error)
FileFromContent writes manifest content to a file on the file system
func (m *ManifestRecord) ManifestObject(obj string) ([]byte, error)
ManifestObject returns the requested file object as a gzip compressed byte slice from the manifest record
func (m *ManifestRecord) ManifestResponse() (ManifestResponse, error)
ManifestResponse converts a manifest record into a manifest response
Sign will sign a manifest record using the indicated key ID
func (m *ManifestRecord) Validate() (err error)
Validate validates an existing manifest record
type ManifestResponse struct {
LoaderName string `json:"loader_name"`
Entries []ManifestEntry `json:"entries"`
Signatures []string `json:"signatures"`
}ManifestResponse is the response to a standard manifest request
func (m *ManifestResponse) Validate() error
Validate validates a ManifestResponse type ensuring required content is present
VerifySignatures verifies the signatures present in a manifest response against the keys present in keyring. It returns the number of valid unique signatures identified in the ManifestResponse.
type Operation struct {
Module string `json:"module"`
Parameters interface{} `json:"parameters"`
// If WantCompressed is set in the operation, the parameters
// will be compressed in PostAction() when the client sends the
// action to the API. This will also result in IsCompressed being
// marked as true, so the receiving agent knows it must decompress
// the parameter data.
IsCompressed bool `json:"is_compressed,omitempty"`
WantCompressed bool `json:"want_compressed,omitempty"`
}Operation is an object that maps to an agent module. The parameters of the operation are passed to the module as an argument, and thus their format depends on the module itself.
CompressOperationParam compresses the parameters stored within an operation
DecompressOperationParam decompresses the parameters stored within an operation
type RunnerResult struct {
Action Action `json:"action"`
Commands []Command `json:"commands"`
EntityName string `json:"name"`
UsePlugin string `json:"plugin"`
}RunnerResult describes results that are produced by mig-runner. This data would be consumed by mig-runner plugins.
type Threat struct {
Ref string `json:"ref,omitempty"`
Level string `json:"level,omitempty"`
Family string `json:"family,omitempty"`
Type string `json:"type,omitempty"`
}Threat provides the investigator with details on a threat indicator if included in an action
| Path | Synopsis |
|---|---|
| client | |
| client/mig | mig is the command line tool that investigators can use to launch actions for execution by agents to retrieve/display the results of the actions. |
| client/mig-action-generator | This Source Code Form is subject to the terms of the Mozilla Public License, v. |
| client/mig-action-verifier | This Source Code Form is subject to the terms of the Mozilla Public License, v. |
| client/mig-agent-search | |
| client/mig-console | This Source Code Form is subject to the terms of the Mozilla Public License, v. |
| database | |
| database/search | |
| mig-agent | This Source Code Form is subject to the terms of the Mozilla Public License, v. |
| mig-agent/agentcontext | The agentcontext package provides functionality to obtain information about the system a given agent or loader is running on. |
| mig-api | This Source Code Form is subject to the terms of the Mozilla Public License, v. |
| mig-api/agents | |
| mig-loader | The MIG loader is a simple bootstrapping tool for MIG. |
| mig-runner | This Source Code Form is subject to the terms of the Mozilla Public License, v. |
| mig-scheduler | This Source Code Form is subject to the terms of the Mozilla Public License, v. |
| modulepack | |
| modules | This package implements interfaces to write modules for MIG. |
| modules/agentdestroy | agentdestroy is a module used in the upgrade protocol to kill an agent that has been upgraded. |
| modules/audit | Package audit implements a persistent module which can read and parse the operating system audit trail. |
| modules/dispatch | Package dispatch implements alert dispatching for the agent as a module. |
| modules/example | This is an example module. |
| modules/examplepersist | |
| modules/file | Package file provides functions to scan a file system as an agent module. |
| modules/fswatch | |
| modules/memory | The memory module implements scanning of the memory of processes using the Masche memory scanning package. |
| modules/netstat | netstat is a module that retrieves network information about the endpoint, such as mac addresses, local and connected IPs, listening TCP and UDP sockets and peers |
| modules/ping | The Ping module implements icmp, tcp and udp pings/ Usage doc is online at http://mig.mozilla.org/doc/module_ping.html |
| modules/pkg | |
| modules/scribe | scribe module implementation for MIG. |
| modules/sshkey | Package sshkey implements the sshkey module in the agent |
| modules/timedrift | The timedrift module evaluate the local time of a target against network time retrieved using NTP. |
| modules/yara | |
| pgp | The PGP package is a helper around Golang's OpenPGP implementation |
| pgp/gpgagent | Package gpgagent interacts with the local GPG Agent. |
| pgp/pinentry | Package pinentry interfaces with the pinentry(1) command to securely prompt the user for a password using whichever user interface the user is currently using. |
| runner-plugins/runner-compliance | This Source Code Form is subject to the terms of the Mozilla Public License, v. |
| runner-plugins/runner-scribe | runner-scribe is a mig-runner plugin that processes results coming from automated actions and forwards the results as vulnerability events to MozDef |
| service | Package service provides a simple way to create a system service. |
| testutil | |
| tools |
Package mig imports 23 packages (graph) and is imported by 20 packages. Updated 2019-01-16. Refresh now. Tools for package owners.