From e00c57fa7d0d38eceb339174be5367427fe5d13f Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Wed, 27 Apr 2022 21:57:40 -0700
Subject: [PATCH 01/14] Update procmon_linux.go
---
 procmon_linux.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/procmon_linux.go b/procmon_linux.go
index 4d5a1bc..e6f4a7e 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
@@ -48,7 +48,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 WriteLog("Rules deleted")
 // files modified in working directory
- r, _ := flags.Parse(fmt.Sprintf("-w %s -p wa -k %s", "/home/runner", fileMonitorTag))
+ r, _ := flags.Parse(fmt.Sprintf("-w %s -p w -k %s", "/home/runner", fileMonitorTag))
 actualBytes, _ := rule.Build(r)
@@ -59,7 +59,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 WriteLog("File monitor added")
- r, _ = flags.Parse(fmt.Sprintf("-w %s -p wa -k %s", "/home/agent", fileMonitorTag))
+ r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", "/home/agent", fileMonitorTag))
 actualBytes, _ = rule.Build(r)
 if err = client.AddRule(actualBytes); err != nil {
From ef0ce19efe5d36e1eeedabeea076103b9d08ec56 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Thu, 28 Apr 2022 07:05:53 -0700
Subject: [PATCH 02/14] Modify write rule
---
 eventhandler.go | 2 ++
 procmon_linux.go | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/eventhandler.go b/eventhandler.go
index 470e30d..fed9550 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -48,6 +48,8 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 writeDone()
 }
+ WriteLog(fmt.Sprintf("file write %s, syscall %s", event.FileName, event.Syscall))
+
 _, found := eventHandler.ProcessFileMap[event.Pid]
 fileType := ""
 if !found {
diff --git a/procmon_linux.go b/procmon_linux.go
index e6f4a7e..24ab263 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
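Review bot: The rewritten rule line still discards the parse result with `r, _ := flags.Parse(...)`, and `actualBytes, _ := rule.Build(r)` just below does the same, so a rule string the parser rejects would leave /home/runner without its watch while nothing is logged and the runner carries on as if monitoring were in place. Please check both errors and handle them the way the `client.AddRule` error is handled a few lines further down in the /home/agent hunk, e.g. `r, err := flags.Parse(...)` followed by `if err != nil { ... }`. The same discarded results are carried through the /home/agent hunk in this patch and the /home/runner rule rewrites in patches 02, 03 and 04. MonitorProcesses starts and ends outside the hunk.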
@@ -48,7 +48,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 WriteLog("Rules deleted")
 // files modified in working directory
- r, _ := flags.Parse(fmt.Sprintf("-w %s -p w -k %s", "/home/runner", fileMonitorTag))
+ r, _ := flags.Parse(fmt.Sprintf("-a exit,always -F path=%s -F perm=wa -S openat -S rename -S renameat -k %s", "/home/runner", fileMonitorTag))
 actualBytes, _ := rule.Build(r)
From fb80dbcf69819bb7740a7e9100dbe1051efd943b Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Thu, 28 Apr 2022 07:14:42 -0700
Subject: [PATCH 03/14] Update procmon_linux.go
---
 procmon_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/procmon_linux.go b/procmon_linux.go
index 24ab263..faac54a 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
@@ -48,7 +48,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 WriteLog("Rules deleted")
 // files modified in working directory
- r, _ := flags.Parse(fmt.Sprintf("-a exit,always -F path=%s -F perm=wa -S openat -S rename -S renameat -k %s", "/home/runner", fileMonitorTag))
+ r, _ := flags.Parse(fmt.Sprintf("-a exit,always -F dir=%s -F perm=wa -k %s", "/home/runner", fileMonitorTag))
 actualBytes, _ := rule.Build(r)
From 9a45efba64057772c610edbc3043e02fe03a3d84 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Thu, 28 Apr 2022 07:40:21 -0700
Subject: [PATCH 04/14] Update procmon_linux.go
---
 procmon_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/procmon_linux.go b/procmon_linux.go
index faac54a..fdbcefd 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
@@ -48,7 +48,7 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 WriteLog("Rules deleted")
 // files modified in working directory
- r, _ := flags.Parse(fmt.Sprintf("-a exit,always -F dir=%s -F perm=wa -k %s", "/home/runner", fileMonitorTag))
+ r, _ := flags.Parse(fmt.Sprintf("-a exit,always -F dir=%s -F perm=wa -S open -S openat -S rename -S renameat -k %s", "/home/runner", fileMonitorTag))
 actualBytes, _ := rule.Build(r)
From ca0fbd96a3af72c2dd1685eb0dbc59576a6c3506 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Thu, 28 Apr 2022 09:51:17 -0700
Subject: [PATCH 05/14] Update eventhandler.go
---
 eventhandler.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/eventhandler.go b/eventhandler.go
index fed9550..6c954bf 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -48,7 +48,8 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 writeDone()
 }
- WriteLog(fmt.Sprintf("file write %s, syscall %s", event.FileName, event.Syscall))
+ // Uncomment to log file writes (only uncomment in INT env)
+ // WriteLog(fmt.Sprintf("file write %s, syscall %s", event.FileName, event.Syscall))
 _, found := eventHandler.ProcessFileMap[event.Pid]
 fileType := ""
@@ -68,7 +69,7 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 }
 }
- if isSourceCodeFile(event.FileName) && !isSyscallExcluded(event.Syscall) {
+ if isSourceCodeFile(event.FileName) {
 _, found = eventHandler.SourceCodeMap[event.FileName]
 if !found {
 eventHandler.SourceCodeMap[event.FileName] = append(eventHandler.SourceCodeMap[event.FileName], event)
From 5fcb95c6e6d4b9c90a265979285aed9500142052 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Thu, 28 Apr 2022 10:00:33 -0700
Subject: [PATCH 06/14] Update eventhandler.go
---
 eventhandler.go | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/eventhandler.go b/eventhandler.go
index 6c954bf..389ec7e 100644
--- a/eventhandler.go
+++ b/eventhandler.go
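Review bot: The new rule line narrows /home/runner to the four syscalls in the `-S` list while the /home/agent rule from patch 01 is still a plain `-w ... -p w` watch, so the two directories are now recorded under different semantics and nothing in the code says why. If the list is there to cut event volume, a comment on this line such as `// syscall list limited to keep event volume down; /home/agent keeps the broader watch` would stop the next reader from treating the difference as an oversight. Whether every name in the `-S` list resolves depends on the syscall table of the host architecture, and because the parse result is discarded on this same line a name that does not resolve would fail silently — I cannot tell from the hunk how flags.Parse reports that. MonitorProcesses starts and ends outside the hunk.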
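Review bot: The two added lines leave disabled code in the source (`// Uncomment to log file writes (only uncomment in INT env)`), which drifts out of step with the real WriteLog signature as soon as it changes. A guard on a package-level boolean set once at startup from the environment, e.g. `if verboseFileEvents { WriteLog(fmt.Sprintf("file write %s, syscall %s", event.FileName, event.Syscall)) }`, keeps the diagnostic compiled and usable in the INT environment without editing the file. handleFileEvent starts and ends outside the hunk.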
@@ -94,14 +94,6 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 eventHandler.fileMutex.Unlock()
 }
-func isSyscallExcluded(syscall string) bool {
- if syscall == "chmod" || syscall == "unlink" || syscall == "unlinkat" {
- return true
- }
-
- return false
-}
-
 func isSourceCodeFile(fileName string) bool {
 ext := path.Ext(fileName)
 // https://docs.github.com/en/get-started/learning-about-github/github-language-support
From 2001d36b82285e96d18d4ca8a65cb52bdc3aca64 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 1 May 2022 08:17:25 -0700
Subject: [PATCH 07/14] Update eventhandler.go
---
 eventhandler.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/eventhandler.go b/eventhandler.go
index 389ec7e..7323e59 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -85,7 +85,12 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 if isFromDifferentProcess {
 eventHandler.SourceCodeMap[event.FileName] = append(eventHandler.SourceCodeMap[event.FileName], event)
 if !strings.Contains(event.FileName, "node_modules/") { // node_modules folder has overwrites by design, even has .cs files in some cases. Need a better way to handle that
- WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s", event.FileName, event.Syscall, event.Exe))
+ checksum, err := getProgramChecksum(event.Exe)
+ if err != nil {
+ WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s", event.FileName, event.Syscall, event.Exe))
+ } else {
+ WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s [%s]", event.FileName, event.Syscall, event.Exe, checksum))
+ }
 }
 }
 }
From cfa29584818222d30fb771281be037e619b0d3e9 Mon Sep 17 00:00:00 2001
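Review bot: `getProgramChecksum(event.Exe)` hashes whatever is at `event.Exe` when the event is handled, not the image that performed the write, so the annotation can carry the checksum of a file that has since been replaced or is no longer there, and for interpreted programs it identifies the interpreter rather than the script that ran; the annotation text should not imply more than that. A comment on the call, such as `// checksum is taken at annotation time and may not match the image that wrote the file`, would make the limit explicit for whoever triages the annotation. The error on the `if err != nil` branch is also dropped without a trace, so a `WriteLog` of `err` there would explain why a checksum is missing from a given annotation. handleFileEvent starts and ends outside the hunk.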
From: Varun Sharma
Date: Sun, 1 May 2022 08:41:33 -0700
Subject: [PATCH 08/14] Update eventhandler.go
---
 eventhandler.go | 38 ++++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/eventhandler.go b/eventhandler.go
index 7323e59..477e947 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -18,17 +18,18 @@ import (
 )
 type EventHandler struct {
- CorrelationId string
- Repo string
- ApiClient *ApiClient
- DNSProxy *DNSProxy
- ProcessConnectionMap map[string]bool
- ProcessFileMap map[string]bool
- ProcessMap map[string]*Process
- SourceCodeMap map[string][]*Event
- netMutex sync.RWMutex
- fileMutex sync.RWMutex
- procMutex sync.RWMutex
+ CorrelationId string
+ Repo string
+ ApiClient *ApiClient
+ DNSProxy *DNSProxy
+ ProcessConnectionMap map[string]bool
+ ProcessFileMap map[string]bool
+ ProcessMap map[string]*Process
+ SourceCodeMap map[string][]*Event
+ FileOverwriteCounterMap map[string]int // to count file overwrites by an exe
+ netMutex sync.RWMutex
+ fileMutex sync.RWMutex
+ procMutex sync.RWMutex
 }
 var classAPrivateSubnet, classBPrivateSubnet, classCPrivateSubnet, loopBackSubnet, ipv6LinkLocalSubnet, ipv6LocalSubnet *net.IPNet
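Review bot: The comment on the new `FileOverwriteCounterMap` field says it counts file overwrites, but the handleFileEvent hunk in this same patch increments it only when an annotation is written and reads it to stop annotating after three per exe, so the comment understates what the field controls. Suggest `// annotations already written per exe path; handleFileEvent stops annotating an exe's overwrites after three`. As a map it must be made before the `++` in handleFileEvent runs (writing to a nil map panics); this patch does not initialise it, patch 09 does so in receive(), and any other place an EventHandler is built would need the same.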
@@ -85,11 +86,16 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 if isFromDifferentProcess {
 eventHandler.SourceCodeMap[event.FileName] = append(eventHandler.SourceCodeMap[event.FileName], event)
 if !strings.Contains(event.FileName, "node_modules/") { // node_modules folder has overwrites by design, even has .cs files in some cases. Need a better way to handle that
- checksum, err := getProgramChecksum(event.Exe)
- if err != nil {
- WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s", event.FileName, event.Syscall, event.Exe))
- } else {
- WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s [%s]", event.FileName, event.Syscall, event.Exe, checksum))
+ counter, found := eventHandler.FileOverwriteCounterMap[event.Exe]
+ if found && counter < 3 {
+ checksum, err := getProgramChecksum(event.Exe)
+ if err != nil {
+ WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s", event.FileName, event.Syscall, event.Exe))
+ } else {
+ WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s [%s]", event.FileName, event.Syscall, event.Exe, checksum))
+ }
+
+ eventHandler.FileOverwriteCounterMap[event.Exe]++
 }
 }
 }
From bcf08b9a73d8ba0d6ae15314b46e7df55da1afb5 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 1 May 2022 08:49:09 -0700
Subject: [PATCH 09/14] Update procmon_linux.go
---
 procmon_linux.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/procmon_linux.go b/procmon_linux.go
index fdbcefd..44dabb1 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
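Review bot: Once the counter for an exe reaches 3 the whole `if found && counter < 3 {` block is skipped, so later overwrites by that exe — of any file, not just the ones already reported — still land in SourceCodeMap but produce no annotation, and nothing tells the reader of the run that output was suppressed. Consider writing one closing annotation when the cap is hit, e.g. `if counter == 3 { WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: further source code overwrites by exe: %s not annotated", event.Exe)); eventHandler.FileOverwriteCounterMap[event.Exe]++ }`, so the truncation itself is visible. The literal `3` is repeated in patch 10; a named package constant would keep the two in step. handleFileEvent starts and ends outside the hunk.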
@@ -118,6 +118,7 @@ func (p *ProcessMonitor) receive(r *libaudit.AuditClient) error {
 eventHandler.ProcessFileMap = make(map[string]bool)
 eventHandler.SourceCodeMap = make(map[string][]*Event)
 eventHandler.ProcessMap = make(map[string]*Process)
+ eventHandler.FileOverwriteCounterMap = make(map[string]int)
 for {
 rawEvent, err := r.Receive(false)
From 3927b6d10872fb7ed4ac405adb720c9a83d1e2c5 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 1 May 2022 08:53:54 -0700
Subject: [PATCH 10/14] Update eventhandler.go
---
 eventhandler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eventhandler.go b/eventhandler.go
index 477e947..b21535e 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -87,7 +87,7 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 eventHandler.SourceCodeMap[event.FileName] = append(eventHandler.SourceCodeMap[event.FileName], event)
 if !strings.Contains(event.FileName, "node_modules/") { // node_modules folder has overwrites by design, even has .cs files in some cases. Need a better way to handle that
 counter, found := eventHandler.FileOverwriteCounterMap[event.Exe]
- if found && counter < 3 {
+ if !found || counter < 3 {
 checksum, err := getProgramChecksum(event.Exe)
 if err != nil {
 WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s", event.FileName, event.Syscall, event.Exe))
From 2e6558a20862113e53080fdb8c4ed63eb7107cb5 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 1 May 2022 11:11:55 -0700
Subject: [PATCH 11/14] Update eventhandler.go
---
 eventhandler.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eventhandler.go b/eventhandler.go
index b21535e..49ec5d1 100644
--- a/eventhandler.go
+++ b/eventhandler.go
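Review bot: `if !found || counter < 3 {` in the patch 10 hunk reduces to `if counter < 3 {`, because the map read on the line above yields `counter == 0` when the key is absent, and the `found` result is then unused. With a package constant the two lines collapse to `if eventHandler.FileOverwriteCounterMap[event.Exe] < maxOverwriteAnnotationsPerExe {`, which states the intent and removes the bare `3`. handleFileEvent starts and ends outside the hunk.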
@@ -90,9 +90,9 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 if !found || counter < 3 {
 checksum, err := getProgramChecksum(event.Exe)
 if err != nil {
- WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s", event.FileName, event.Syscall, event.Exe))
+ WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by exe: %s", event.FileName, event.Syscall, event.Exe))
 } else {
- WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by %s [%s]", event.FileName, event.Syscall, event.Exe, checksum))
+ WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by exe: %s [%s]", event.FileName, event.Syscall, event.Exe, checksum))
 }
 eventHandler.FileOverwriteCounterMap[event.Exe]++
From bd8bab1f129686666e98ad16739420e2aa018bdc Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 1 May 2022 11:20:06 -0700
Subject: [PATCH 12/14] Update eventhandler.go
---
 eventhandler.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/eventhandler.go b/eventhandler.go
index 49ec5d1..44ee4d3 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -90,9 +90,9 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 if !found || counter < 3 {
 checksum, err := getProgramChecksum(event.Exe)
 if err != nil {
- WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by exe: %s", event.FileName, event.Syscall, event.Exe))
+ WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten file: %s syscall: %s by exe: %s", event.FileName, event.Syscall, event.Exe))
 } else {
- WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten %s syscall: %s by exe: %s [%s]", event.FileName, event.Syscall, event.Exe, checksum))
+ WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten file: %s syscall: %s by exe: %s [%s]", event.FileName, event.Syscall, event.Exe, checksum))
 }
 eventHandler.FileOverwriteCounterMap[event.Exe]++
From b2310b8992f10d5e3fecd3f132ce8a1d04ee99e6 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 1 May 2022 15:48:43 -0700
Subject: [PATCH 13/14] Update eventhandler.go
---
 eventhandler.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/eventhandler.go b/eventhandler.go
index 44ee4d3..5ae18c9 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -92,6 +92,7 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 if err != nil {
 WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten file: %s syscall: %s by exe: %s", event.FileName, event.Syscall, event.Exe))
 } else {
+ WriteLog(fmt.Sprintf("[Source code overwritten] file: %s syscall: %s by exe: %s [%s] Timestamp: %s", event.FileName, event.Syscall, event.Exe, checksum, event.Timestamp))
 WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten file: %s syscall: %s by exe: %s [%s]", event.FileName, event.Syscall, event.Exe, checksum))
 }
From b6d5904150b57a3b886dc7026a42579228cd60fd Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 1 May 2022 16:06:49 -0700
Subject: [PATCH 14/14] Update eventhandler.go
---
 eventhandler.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/eventhandler.go b/eventhandler.go
index 5ae18c9..4a6fada 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -89,11 +89,9 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 counter, found := eventHandler.FileOverwriteCounterMap[event.Exe]
 if !found || counter < 3 {
 checksum, err := getProgramChecksum(event.Exe)
- if err != nil {
+ if err == nil {
+ WriteLog(fmt.Sprintf("[Source code overwritten] file: %s syscall: %s by exe: %s [%s] Timestamp: %s", event.FileName, event.Syscall, event.Exe, checksum, event.Timestamp.Format("2006-01-02T15:04:05.999999999Z")))
 WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten file: %s syscall: %s by exe: %s", event.FileName, event.Syscall, event.Exe))
- } else {
- WriteLog(fmt.Sprintf("[Source code overwritten] file: %s syscall: %s by exe: %s [%s] Timestamp: %s", event.FileName, event.Syscall, event.Exe, checksum, event.Timestamp))
- WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten file: %s syscall: %s by exe: %s [%s]", event.FileName, event.Syscall, event.Exe, checksum))
 }
 eventHandler.FileOverwriteCounterMap[event.Exe]++
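Review bot: With the condition flipped to `if err == nil {` and the `else` branch removed, an overwrite whose exe cannot be hashed now produces neither the annotation nor the log line, yet `eventHandler.FileOverwriteCounterMap[event.Exe]++` still runs, so the per-exe quota is spent on events nobody sees — and an exe that is gone or unreadable by the time the event is handled is precisely the case a reviewer of the run would want surfaced. Keep the annotation on the error path and record the error in the log, as below. Separately, `Format("2006-01-02T15:04:05.999999999Z")` prints a literal `Z` regardless of the zone `event.Timestamp` carries; `event.Timestamp.UTC().Format(...)` makes the suffix truthful with no new import. handleFileEvent starts and ends outside the hunk.
```go
checksum, err := getProgramChecksum(event.Exe)
if err != nil {
	// still surface the overwrite; the log explains why no checksum is attached
	WriteLog(fmt.Sprintf("[Source code overwritten] file: %s syscall: %s by exe: %s checksum unavailable: %v", event.FileName, event.Syscall, event.Exe, err))
	WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten file: %s syscall: %s by exe: %s", event.FileName, event.Syscall, event.Exe))
} else {
	WriteLog(fmt.Sprintf("[Source code overwritten] file: %s syscall: %s by exe: %s [%s] Timestamp: %s", event.FileName, event.Syscall, event.Exe, checksum, event.Timestamp.UTC().Format("2006-01-02T15:04:05.999999999Z")))
	WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Source code overwritten file: %s syscall: %s by exe: %s", event.FileName, event.Syscall, event.Exe))
}
// … unchanged: counter increment …
```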