Some people has asked where they can change the daemon configuration.
As we can't change it from the GUI yet, and we're providing deb
packages, we need to distribute a default config.
That way the users will see it and will be able to customize it.
auditd events provides the parent pid of a process which has created
a connection. If we don't find the socket inode under the pid of the
process, use the ppid.
This is normally the case when systemd-* spawns a new process which
creates a new connection.
mozilla/libaudit-go does not support i386/arm/etc, and we were using it
only for parsing audit messages.
So do not use it and parse raw messages directly. WIP.
Use auditd events to keep a list of PIDs which open sockets, reading
them from the audisp af_unix plugin.
- Install auditd and audisp-plugins
- Enable the af_unix plugin (/etc/audisp-plugin/af_unix, active = yes)
- Start opensnitch with -process-monitor-method audit.
If the choosen method is audit but it's not active or not installed,
it'll fallback to /proc anyway.
If it's properly configured, a debug trace will be written to the logs:
"PID found via audit events ..."
Until now OpenSnitch used ftrace(debugfs) to search for running
processes (PIDs) and obtain the process path.
On some systems, this filesystem is not mounted or available, so we have
to rely on /proc.
After several weeks of use, I think that it's faster and more accurate
the 2nd method, search pids/cmdlines in /proc. So we offer the user to
choose which one to use.
If we can't communicate with the server (UI), apply the default
configured action. For example, if the UI is doing too much work and it
reaches the timeout, or if there's a programming error (python exception
for instance).
Sometimes the INPUT rule for to queue DNS responses was not deleted.
The code has also been reorganized.
And a minor tweak to make an if{} more idiomatic.
man sock_diag:
"If the nlmsg_flags field of the struct nlmsghdr header has the
NLM_F_DUMP flag set, it means that a list of sockets is being
requested; otherwise it is a query about an individual socket."
If for some reason a Regex type rule can not be parsed, opensnitchd
panics and exit. We drop regex.MustCompile() in favor of
regex.Compile(), and in case of failure we just drop the packet.
In either case, the daemon should not panic but it should not received
an invalid rule either, specially from the UI.
Closes#4
Processes with active connections are the most likely to be the latest
modified ones in /proc, thus sort cache pids by time speeds up pids cache
searching. From several ms to us.
When parsing /proc/<pid>/fd/ looking for sockets, latest
modified/created descriptors are the most likely to have
generated connections.
This way we decrease the parsing time, system load and speed up process name
retrieval.
Added 30s, 5m, 15m, 30m and 1h timeout options to deny or allow
connections.
It helps to avoid repetitive new connection dialogs, while at the same
time it allows you to deny/allow a connection for a short period of time,
and apply the default for the rest.
