mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 16:44:46 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/procmon/monitor/init.go

137 lines
3.5 KiB
Go
Raw Normal View History

Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
package monitor
import (
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
"context"
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
"github.com/evilsocket/opensnitch/daemon/log"
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
netlinkProcmon "github.com/evilsocket/opensnitch/daemon/netlink/procmon"
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
"github.com/evilsocket/opensnitch/daemon/procmon"
"github.com/evilsocket/opensnitch/daemon/procmon/audit"
"github.com/evilsocket/opensnitch/daemon/procmon/ebpf"
)
var (
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
cacheMonitorsRunning = false
netlinkProcmonRunning = false
ctx, cancelTasks = context.WithCancel(context.Background())
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
)
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
// List of errors that this package may return.
const (
NoError = iota
ProcFsErr
AuditdErr
EbpfErr
EbpfEventsErr
)
// Error wraps the type of error with its message
type Error struct {
What int
Msg error
}
func startProcMonitors() {
if netlinkProcmonRunning == false {
ctx, cancelTasks = context.WithCancel(context.Background())
for i := 0; i < 4; i++ {
go procmon.MonitorProcEvents(ctx.Done())
}
go netlinkProcmon.ProcEventsMonitor(ctx.Done())
netlinkProcmonRunning = true
}
}
func stopProcMonitors() {
if netlinkProcmonRunning {
cancelTasks()
netlinkProcmonRunning = false
}
}
improved process monitor method (re)configuring - Fixed reloading process monitor method if the configuration changes on disk. This can occur in two situations: 1) if it's changed from the UI, 2) if the user changes it manually. - Ensure that we don't crash if there's an error changing the method and ebpf is active. - When changing monitor method to ebpf and it fails to start, stop it anyway. It helps cleaning up kprobes and avoiding the error "cannot write...: file exists".
2021-09-04 21:18:22 +02:00
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
// ReconfigureMonitorMethod configures a new method for parsing connections.
allow to configure ebpf modules path Now it's possible to configure eBPF modules path from the default-config.json file: "Ebpf": { "ModulesPath": "..." } If the option is not provided, or if it's empty, we'll keep loading from the default directories: - /usr/local/lib/opensnitchd/ebpf - /usr/lib/opensnitchd/ebpf - /etc/opensnitchd/ebpf (deprecated, will be removed in the future). Closes #928
2023-12-22 23:27:18 +01:00
func ReconfigureMonitorMethod(newMonitorMethod, ebpfModulesPath string) *Error {
improved process monitor method (re)configuring - Fixed reloading process monitor method if the configuration changes on disk. This can occur in two situations: 1) if it's changed from the UI, 2) if the user changes it manually. - Ensure that we don't crash if there's an error changing the method and ebpf is active. - When changing monitor method to ebpf and it fails to start, stop it anyway. It helps cleaning up kprobes and avoiding the error "cannot write...: file exists".
2021-09-04 21:18:22 +02:00
if procmon.GetMonitorMethod() == newMonitorMethod {
return nil
}
oldMethod := procmon.GetMonitorMethod()
fixed monitor methods initialization When using proc as monitor method, the ProcsEventsMonitor was not being initialized.
2023-09-30 20:49:42 +02:00
if oldMethod == "" {
oldMethod = procmon.MethodProc
}
improved process monitor method (re)configuring - Fixed reloading process monitor method if the configuration changes on disk. This can occur in two situations: 1) if it's changed from the UI, 2) if the user changes it manually. - Ensure that we don't crash if there's an error changing the method and ebpf is active. - When changing monitor method to ebpf and it fails to start, stop it anyway. It helps cleaning up kprobes and avoiding the error "cannot write...: file exists".
2021-09-04 21:18:22 +02:00
End()
procmon.SetMonitorMethod(newMonitorMethod)
// if the new monitor method fails to start, rollback the change and exit
// without saving the configuration. Otherwise we can end up with the wrong
// monitor method configured and saved to file.
allow to configure ebpf modules path Now it's possible to configure eBPF modules path from the default-config.json file: "Ebpf": { "ModulesPath": "..." } If the option is not provided, or if it's empty, we'll keep loading from the default directories: - /usr/local/lib/opensnitchd/ebpf - /usr/lib/opensnitchd/ebpf - /etc/opensnitchd/ebpf (deprecated, will be removed in the future). Closes #928
2023-12-22 23:27:18 +01:00
err := Init(ebpfModulesPath)
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
if err.What > NoError {
log.Error("Reconf() -> Init() error: %v", err)
improved process monitor method (re)configuring - Fixed reloading process monitor method if the configuration changes on disk. This can occur in two situations: 1) if it's changed from the UI, 2) if the user changes it manually. - Ensure that we don't crash if there's an error changing the method and ebpf is active. - When changing monitor method to ebpf and it fails to start, stop it anyway. It helps cleaning up kprobes and avoiding the error "cannot write...: file exists".
2021-09-04 21:18:22 +02:00
procmon.SetMonitorMethod(oldMethod)
return err
}
return nil
}
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
// End stops the way of parsing new connections.
func End() {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
stopProcMonitors()
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
if procmon.MethodIsAudit() {
audit.Stop()
} else if procmon.MethodIsEbpf() {
ebpf.Stop()
}
}
// Init starts parsing connections using the method specified.
allow to configure ebpf modules path Now it's possible to configure eBPF modules path from the default-config.json file: "Ebpf": { "ModulesPath": "..." } If the option is not provided, or if it's empty, we'll keep loading from the default directories: - /usr/local/lib/opensnitchd/ebpf - /usr/lib/opensnitchd/ebpf - /etc/opensnitchd/ebpf (deprecated, will be removed in the future). Closes #928
2023-12-22 23:27:18 +01:00
func Init(ebpfModulesPath string) (errm *Error) {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
errm = &Error{}
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
if cacheMonitorsRunning == false {
go procmon.CacheCleanerTask()
cacheMonitorsRunning = true
}
if procmon.MethodIsEbpf() {
allow to configure ebpf modules path Now it's possible to configure eBPF modules path from the default-config.json file: "Ebpf": { "ModulesPath": "..." } If the option is not provided, or if it's empty, we'll keep loading from the default directories: - /usr/local/lib/opensnitchd/ebpf - /usr/lib/opensnitchd/ebpf - /etc/opensnitchd/ebpf (deprecated, will be removed in the future). Closes #928
2023-12-22 23:27:18 +01:00
err := ebpf.Start(ebpfModulesPath)
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
if err == nil {
log.Info("Process monitor method ebpf")
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
return errm
}
// ebpf main module loaded, we can use ebpf
// XXX: this will have to be rewritten when we'll have more events (bind, listen, etc)
if err.What == ebpf.EventsNotAvailable {
log.Info("Process monitor method ebpf")
log.Warning("opensnitch-procs.o not available: %s", err.Msg)
startProcMonitors()
return errm
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
}
improved process monitor method (re)configuring - Fixed reloading process monitor method if the configuration changes on disk. This can occur in two situations: 1) if it's changed from the UI, 2) if the user changes it manually. - Ensure that we don't crash if there's an error changing the method and ebpf is active. - When changing monitor method to ebpf and it fails to start, stop it anyway. It helps cleaning up kprobes and avoiding the error "cannot write...: file exists".
2021-09-04 21:18:22 +02:00
// we need to stop this method even if it has failed to start, in order to clean up the kprobes
// It helps with the error "cannot write...kprobe_events: file exists".
ebpf.Stop()
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
errm.What = err.What
errm.Msg = err.Msg
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
log.Warning("error starting ebpf monitor method: %v", err)
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
} else if procmon.MethodIsAudit() {
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
auditConn, err := audit.Start()
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
if err == nil {
log.Info("Process monitor method audit")
go audit.Reader(auditConn, (chan<- audit.Event)(audit.EventChan))
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
return &Error{AuditdErr, err}
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
errm.What = AuditdErr
errm.Msg = err
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
log.Warning("error starting audit monitor method: %v", err)
}
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
startProcMonitors()
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
// if any of the above methods have failed, fallback to proc
log.Info("Process monitor method /proc")
improved process monitor method (re)configuring - Fixed reloading process monitor method if the configuration changes on disk. This can occur in two situations: 1) if it's changed from the UI, 2) if the user changes it manually. - Ensure that we don't crash if there's an error changing the method and ebpf is active. - When changing monitor method to ebpf and it fails to start, stop it anyway. It helps cleaning up kprobes and avoiding the error "cannot write...: file exists".
2021-09-04 21:18:22 +02:00
procmon.SetMonitorMethod(procmon.MethodProc)
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
return errm
Use ebpf program to find PID of new connections. (#397) * Use ebpf program to find PID of new connections. before running the branch you have to compile ebpf_prog/opensnitch.c opensnitch.c is an eBPF program. Compilation requires getting kernel source. cd opensnitch wget https://github.com/torvalds/linux/archive/v5.8.tar.gz tar -xf v5.8.tar.gz patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min) cd samples/bpf && make objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect llvm-strip -g opensnitch.o #remove debug info sudo cp opensnitch.o /etc/opensnitchd cd ../../../daemon --opensnitchd expects to find opensnitch.o in /etc/opensnitchd/ --start opensnitchd with: opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf Co-authored-by: themighty1 <you@example.com> Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
2021-04-05 09:28:16 +00:00
}
Reference in a new issue Copy permalink