Up until now some error and warning messages were only logged out to the
system, not allowing the user know what was happening under the hood.
Now the following events are notified:
- eBPF related errors.
- netfilter queue errors.
- configuration errors.
WIP, we'll keep improving it and build new features on top of this one.
Added more options to match connections against packets metainformation:
skuid, skgid, l4proto, protocol
Fixed setting mark on packets via meta (although it results in an error
-> [invalid type]).
If the table family where we're adding a daddr/saddr is inet, we need to
specify the protocol of the IP being added.
Otherwise, listing the rules they appear as:
@nh,128,32 3232235777 accept
instead of: daddr 192.168.1.111 accept
seen here: #704
- Get cmdline arguments from kernel along with the absolute path to the
binary.
If the cmdline has more than 20 arguments, or one of the arguments is
longer than 256 bytes, get it from ProcFS.
- Improved stopping ebpf monitor method.
Improved process detections by monitoring new processes execution.
It allow us to know the path of a process before a socket is opened.
Closes#617
Other improvements:
- If we fail to retrieve the path of a process, then we'll use the comm
name of the connection/process.
- Better kernel connections detection.
- If debugfs is not loaded, we'll try to mount it, to allow to use
eBPF monitor method.
Future work (help wanted):
- Extract command line arguments from the kernel (sys_execve, or mm
struct).
- Monitor other functions (execveat, clone*, fork, etc).
- Send these events to the server (GUI), and display all the commands
an application has executed.
Under heavy network traffic load, writing to a remote syslog fails with
a timeout. Under this situation the connection didn't recover from that
state, blocking other connections.
To ensure that we continue working normally, as well as keep sending
events to syslog:
- Set a max timeout when writing to a remote syslog.
- Restart the connection with the server, if there're more than 10
errors.
With these fixes along with few other changes, writing to remote syslog
is more reliable, it works as expected.
We need to find the root cause of this behavior, and further test it
(#638).
Now you can send events to syslog, local or remote.
This feature was requested here #638
This feature allows you to integrate opensnitch with your SIEM. Take a
look at the above discussion to see examples with
syslog-ng+promtail+loki+grafana.
There's only one logger implemented (syslog), but it should be easily
expandable to add more type of loggers (elastic, etc).
The event format can be CSV or RFC5424. It sould also be easy to add
more formats.
- Allow to configure stats workers. They were hardcoded to 4.
- Added ability to add a description to the rules.
- Display the description field on the Rules view, and remove the internal
fields (operator, operator_data, etc).
- Added DB migrations.
- Improved rules' executable path field tooltip (#661).
Closes#652#466
- Bump nftable version to depend on latest version with fixes.
- Include opensnitch-dns.o eBPF object when creating the deb package.
- Replaced Suggests by Recommends, to install addtional but not
essential packages (like python3-pyasnc, and others).
- Added python3-grpcio, python3-protobuf and python3-slugify as
dependencies.
For systems without these packages, we'll use the old debian/ dir.
* Allow to configure firewall rules from the GUI (WIP)
New features:
- Configure and list system firewall rules from the GUI (nftables).
- Configure chains' policies.
- Add simple rules to allow incoming ports.
- Add simple rules to exclude apps (ports) from being intercepted.
This feature is only available for nftables. iptables is still supported,
you can add rules to the configuration file and they'll be loaded, but
you can't configure them from the GUI.
More information: #592
The eBPF cache is meant mainly for certain applications that
establish 2-4 new connections in under 1-2 seconds. Thus, a cache of 1
minute per item was too much, 10-20 seconds is enough.
Also, check old items every minute to keep the number of items low.
We were not deleting our rules correctly on exit if another fw tool had
added rules to the nftables tables. This problem caused to detect that
our rules were not added, so we added them again.
When using DoT or DoH opensnitch cannot intercept the dns packets.
Therefore the UI always shows IP addresses instead of hostnames. To fix
this issue an ebpf (uprobe) filter was created to hook getaddrinfo and
gethostbyname calls.
In order to be independent of libbcc an additional module was added to
ebpf_prog. Without libbcc the libc function offsets must be resolved
manually. In order to find the loaded glibc version some cgo code was
added.
There are two issues when connecting to the GUI via TCP on localhost:
- Sometimes when the daemon is launched with the GUI already running, the
notifications channel is not established.
* Give 10 seconds to connect, if it timeouts, disconnect everything
and try to reconnect again.
- After some time the notifications channel is closed from the server
side (i.e., the GUI), and it is not restablished.
* Forcefully disconnect everything, and let it reconnect again.
Both issues should be investigated further to find the root problem.
