Improved process detection by monitoring new process executions.
It allows us to know the path of a process before a socket is opened.
Closes #617
Other improvements:
- If we fail to retrieve the path of a process, then we'll use the comm
name of the connection/process.
- Better kernel connections detection.
- If debugfs is not loaded, we'll try to mount it, to allow using the
eBPF monitor method.
Future work (help wanted):
- Extract command line arguments from the kernel (sys_execve, or mm
struct).
- Monitor other functions (execveat, clone*, fork, etc).
- Send these events to the server (GUI), and display all the commands
an application has executed.
When loading and setting the configured query limit, an unwanted combobox
event was fired, resulting in a DB query without limits, which in turn,
with a lot of events, caused slowdowns when displaying the events window.
We were using insert() and append() to add rules to the list of rules.
However, these methods are only available on protobuf >= 3.8.0.
In order to have a better user experience, we'll use extend() instead of
append(). If insert() is available, then we'll use it. This way the
users won't have to manually install a newer protobuf version.
Note: using extend() instead of insert() means that the rule won't be
added on top of all the rules of that chain. If a user with an older
protobuf version (<= 3.8.0) adds a rule, it'll be added to the bottom of
the list, and maybe there are other rules that take precedence.
In order to display icons on the GUI, we use the Icon Naming
Specification defined by freedesktop [0].
However, these icons are not always available, for several reasons.
In this situation, until now we have relied on Qt's built-in
icons [1].
It has worked fine until Fedora 36/Gnome 4x, where even some built-in Qt
icons are missing (SP_VistaShield in particular).
Since Gnome uses symbolic icons [2], falling back to these icons when
the original one doesn't load helps to display the missing icon.
These icons have the same name as the ones defined by freedesktop, but
with "-symbolic" as a suffix.
Tested on u16, u18, pop22.04, tumbleweed 15.3, f36, devuan/debian 11
(lxqt, unity, gnome3/4, kde).
If you think that there's a better way of handling this situation,
please, open an issue or submit a PR with a fix.
[0] https://specifications.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html
[1] https://doc.qt.io/qtforpython-5/PySide2/QtWidgets/QStyle.html#PySide2.QtWidgets.PySide2.QtWidgets.QStyle.StandardPixmap
[2] https://wiki.ubuntu.com/SymbolicIcons
Under heavy network traffic load, writing to a remote syslog fails with
a timeout. In this situation the connection didn't recover from that
state, blocking other connections.
To ensure that we continue working normally, as well as keep sending
events to syslog:
- Set a max timeout when writing to a remote syslog.
- Restart the connection with the server if there are more than 10
errors.
With these fixes, along with a few other changes, writing to remote syslog
is more reliable and works as expected.
We need to find the root cause of this behavior and test it further
(#638).
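A sketch of the write-deadline plus reconnect-after-N-errors logic described in this commit, added here as an illustration and not the project's own code. The dialer is injected so the writer can be exercised offline with net.Pipe, and the error count is assumed to mean consecutive failures, reset by a successful write.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// RemoteSyslog writes events to a remote syslog server. Each write carries a
// deadline so a stalled link cannot block the caller, and after more than
// maxErrors consecutive failures the connection is closed and re-dialed.
type RemoteSyslog struct {
	dial      func() (net.Conn, error) // injected so tests can use net.Pipe
	conn      net.Conn
	timeout   time.Duration
	maxErrors int
	errCount  int
	Redials   int // reconnections performed so far
}

func NewRemoteSyslog(dial func() (net.Conn, error), timeout time.Duration, maxErrors int) (*RemoteSyslog, error) {
	c, err := dial()
	if err != nil {
		return nil, err
	}
	return &RemoteSyslog{dial: dial, conn: c, timeout: timeout, maxErrors: maxErrors}, nil
}

// Write sends one event. A failed write counts toward the threshold; a
// successful one resets the counter (assumption: consecutive errors).
// Crossing the threshold drops the connection so the next call re-dials
// instead of retrying a dead socket forever.
func (r *RemoteSyslog) Write(msg string) error {
	if r.conn == nil {
		c, err := r.dial()
		if err != nil {
			return fmt.Errorf("syslog reconnect: %w", err)
		}
		r.conn, r.Redials = c, r.Redials+1
	}
	_ = r.conn.SetWriteDeadline(time.Now().Add(r.timeout))
	if _, err := r.conn.Write([]byte(msg)); err != nil {
		r.errCount++
		if r.errCount > r.maxErrors {
			r.conn.Close()
			r.conn, r.errCount = nil, 0
		}
		return fmt.Errorf("syslog write: %w", err)
	}
	r.errCount = 0
	return nil
}
```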
Now you can send events to syslog, local or remote.
This feature was requested here: #638
This feature allows you to integrate opensnitch with your SIEM. Take a
look at the above discussion to see examples with
syslog-ng+promtail+loki+grafana.
There's only one logger implemented (syslog), but it should be easily
expandable to add more types of loggers (elastic, etc).
The event format can be CSV or RFC5424. It should also be easy to add
more formats.
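An added example of what emitting an event in RFC 5424 form involves (PRI computation, NILVALUE for empty header fields, escaping inside structured data). This is not the project's formatter: the Event fields and the SD-ID are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is a connection event as the daemon might log it. Constructed for
// this example; the field names are assumptions, not the project's types.
type Event struct {
	Time                       time.Time
	Host, Process, Action, Dst string
	Pid, Port                  int
}

// RFC 5424 section 6.2.1: PRI = facility*8 + severity. Facility user-level
// (1) and severity informational (6) give <14>.
const (
	facilityUser = 1
	severityInfo = 6
)

// nilOrValue returns the RFC 5424 NILVALUE "-" for an empty header field.
func nilOrValue(s string) string {
	if s == "" {
		return "-"
	}
	return s
}

// FormatRFC5424 renders the event as a single RFC 5424 message, carrying the
// connection details as structured data. 32473 is the enterprise number
// reserved for documentation, so "conn@32473" is an example SD-ID.
func FormatRFC5424(e Event) string {
	pri := facilityUser*8 + severityInfo
	ts := e.Time.UTC().Format(time.RFC3339)
	procid := "-"
	if e.Pid > 0 {
		procid = fmt.Sprint(e.Pid)
	}
	// PARAM-VALUE must escape '"', '\' and ']' (RFC 5424 section 6.3.3).
	esc := strings.NewReplacer(`\`, `\\`, `"`, `\"`, `]`, `\]`)
	sd := fmt.Sprintf(`[conn@32473 action="%s" dst="%s" port="%d"]`,
		esc.Replace(e.Action), esc.Replace(e.Dst), e.Port)
	// HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
	return fmt.Sprintf("<%d>1 %s %s %s %s conn %s opensnitch connection event",
		pri, ts, nilOrValue(e.Host), nilOrValue(e.Process), procid, sd)
}
```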
- Allow configuring stats workers. They were hardcoded to 4.
- Added ability to add a description to the rules.
- Display the description field on the Rules view, and remove the internal
fields (operator, operator_data, etc).
- Added DB migrations.
- Improved rules' executable path field tooltip (#661).
Closes #652, #466
- Bump nftables version to depend on the latest version with fixes.
- Include opensnitch-dns.o eBPF object when creating the deb package.
- Replaced Suggests with Recommends, to install additional but not
essential packages (like python3-pyasnc, and others).
- Added python3-grpcio, python3-protobuf and python3-slugify as
dependencies.
For systems without these packages, we'll use the old debian/ dir.
* Allow to configure firewall rules from the GUI (WIP)
New features:
- Configure and list system firewall rules from the GUI (nftables).
- Configure chains' policies.
- Add simple rules to allow incoming ports.
- Add simple rules to exclude apps (ports) from being intercepted.
This feature is only available for nftables. iptables is still supported:
you can add rules to the configuration file and they'll be loaded, but
you can't configure them from the GUI.
More information: #592
On light themes, the systray icon was barely visible. With the new
icons:
- on dark themes they should be pretty similar to what we already had.
- on light themes they are much more distinguishable now.
Closes: #643, #339
The eBPF cache is meant mainly for certain applications that
establish 2-4 new connections in under 1-2 seconds. Thus, a cache of 1
minute per item was too much; 10-20 seconds is enough.
Also, check old items every minute to keep the number of items low.
- Improved user experience by remembering row selection when going
back from a detail view. Fixes #620.
- Fixed Users' view query (it didn't list users' connections
correctly and it wasn't efficient).
We were not deleting our rules correctly on exit if another fw tool had
added rules to the nftables tables. This problem caused us to detect that
our rules were not added, so we added them again.
Restore rules' columns properly after:
- double clicking on the Rules column of the main tab -> and then
clicking on the back button.
- clicking on the Temporary/Permanent items of the Rules tab.
- clicking on a Rule and going back again to the list of rules.
Misc:
- Disallow double-clicks when entering into a detail view from the
Events tab.
- Removed extra/repeated columns adjusting.
Closes #619
When using DoT or DoH, opensnitch cannot intercept the DNS packets.
Therefore the UI always shows IP addresses instead of hostnames. To fix
this issue, an eBPF (uprobe) filter was created to hook getaddrinfo and
gethostbyname calls.
In order to be independent of libbcc, an additional module was added to
ebpf_prog. Without libbcc the libc function offsets must be resolved
manually. In order to find the loaded glibc version, some cgo code was
added.