Merged with latest commits to master.

7 years ago · 32983deba4
parent 35e7b07e43
commit 32983deba4
7 changed files with 63 additions and 17 deletions
--- a/README.md
+++ b/README.md
@ -20,6 +20,30 @@ _Application firewalls_ cannot prevent all malicious code from connecting to the
 Sophisticated malicious code can subvert the _allowed_ connections to bypass the firewall.
 However, the firewall may alert the user of connection attempts by less sophisticated malicious code.

+The configuration settings for Subgraph Firewall are stored in /etc/sgfw.
+
+From /etc/sgfw/sgfw.conf:
+
+Log level specifies the level of verbosity of logging:
+
+		LogLevel = "NOTICE"
+
+Log redaction this tells SGFW to write destination hostnames to system logs, or not:
+
+		LogRedact = true / false
+
+PromptExpanded controls the level of detail in the prompt:
+
+		PromptExpanded = true / false
+
+PromptExpert enables or disables "export mode":
+
+		PromptExpert = true / false
+
+Specifies the default rule action:
+
+		DefaultAction = "SESSION"
+
 Read more in the [Subgraph OS Handbook](https://subgraph.com/sgos-handbook/sgos_handbook.shtml#monitoring-outgoing-connections-with-subgraph-firewall).


--- a/sgfw/dns.go
+++ b/sgfw/dns.go
@ -69,7 +69,9 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
 			pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)

 			if pinfo == nil {
-				log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
+				if !FirewallConfig.LogRedact {
+					log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
+				}
 				return
 			}
 		}
@ -77,7 +79,11 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
 		dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
 		return
 	}
-	log.Infof("Unhandled DNS message: %v", dns)
+	if !FirewallConfig.LogRedact {
+		log.Infof("Unhandled DNS message: %v", dns)
+	} else {
+		log.Infof("Unhandled DNS message [redacted]")
+	}

 }

@ -118,7 +124,11 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
 		case *dnsRR_CNAME:
 			// Not that exotic; just ignore it
 		default:
-			log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
+			if !FirewallConfig.LogRedact {
+				log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
+			} else {
+				log.Warningf("Unexpected RR type in answer section of A response: [redacted]")
+			}
 		}

 		if aBytes == nil {
@ -134,7 +144,8 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
 		if pid < 0 {
 			pid = 0
 		}
-		log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
+
+//		log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)

 		_, ok := dc.ipMap[pid]
 		if !ok {
@ -169,8 +180,10 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
 				// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
 				return entry.name
 			} else {
-				log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
+				if !FirewallConfig.LogRedact {
+					log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
 					pid, ip.String(), entry.name, entry.exp, entry.ttl)
+				}
 			}
 		}
 	}
@ -182,8 +195,10 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
 			str = entry.name
 			// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
 		} else {
-			log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
+			if !FirewallConfig.LogRedact {
+				log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
 				ip.String(), entry.name, entry.exp, entry.ttl)
+			}
 		}
 	}

--- a/sgfw/ipc.go
+++ b/sgfw/ipc.go
@ -5,10 +5,10 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"sync"
 	"os"
 	"strconv"
 	"strings"
-	"sync"

 	"github.com/subgraph/oz/ipc"
 )
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@ -298,7 +298,6 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, timestamp time.Time, pinf
 	}*/

 	name := p.fw.dns.Lookup(dstip, pinfo.Pid)
-	log.Infof("Lookup(%s): %s", dstip.String(), name)

 	if !FirewallConfig.LogRedact {
 		log.Infof("Lookup(%s): %s", dstip.String(), name)
@ -475,8 +474,12 @@ func (p *Policy) filterPending(rule *Rule) {
 				pc.acceptTLSOnly()
 			} else {
 				srcs := pc.src().String() + ":" + strconv.Itoa(int(pc.srcPort()))
-				log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d (user prompt) %v",
-					pc.procInfo().ExePath, pc.proto(), srcs, pc.dst(), pc.dstPort, rule.rtype)
+				dests := STR_REDACTED
+				if !FirewallConfig.LogRedact {
+					dests = fmt.Sprintf("%s%d",pc.dst(), pc.dstPort)
+				}
+				log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s (user prompt) %v",
+					pc.procInfo().ExePath, pc.proto(), srcs, dests, rule.rtype)
 				pc.drop()
 			}
 		} else {
--- a/sgfw/prompt.go
+++ b/sgfw/prompt.go
@ -328,7 +328,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 		r.mode = RULE_MODE_PERMANENT
 		policy.fw.saveRules()
 	}
-	log.Warningf("Prompt returning rule: %v", tempRule)
+	//log.Warningf("Prompt returning rule: %v", tempRule)
 	dbusp.alertRule("sgfw prompt added new rule")
 }

@ -434,7 +434,7 @@ func (p *prompter) nextConnection() (pendingConnection, bool) {
 						r.mode = RULE_MODE_PERMANENT
 						policy.fw.saveRules()
 					}
-					log.Warningf("Prompt returning rule: %v", tempRule)
+					//log.Warningf("Prompt returning rule: %v", tempRule)
 					dbusp.alertRule("sgfw prompt added new rule")
 				}

--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
@ -445,16 +445,20 @@ func (c *socksChainSession) handleConnect(tls bool) {
 func (c *socksChainSession) forwardTraffic(tls bool) {
 	if tls == true {
 		err := TLSGuard(c.clientConn, c.upstreamConn, c.req.Addr.addrStr)
+		dest := STR_REDACTED
+	        if !FirewallConfig.LogRedact {
+			dest = c.req.Addr.addrStr
+		}

 		if err != nil {
 			if c.pinfo.Sandbox != "" {
-				log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, c.req.Addr.addrStr, err)
+				log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, dest, err)
 			} else {
-				log.Errorf("TLSGuard violation: Dropping traffic from %s (un-sandboxed) to %s: %v", c.pinfo.ExePath, c.req.Addr.addrStr, err)
+				log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %v", c.pinfo.ExePath, dest, err)
 			}
 			return
 		} else {
-			log.Notice("TLSGuard approved certificate presented for connection to: ", c.req.Addr.addrStr)
+			log.Notice("TLSGuard approved certificate presented for connection to: ", dest)
 		}
 	}

--- a/vendor/github.com/subgraph/go-procsnitch/socket.go
+++ b/vendor/github.com/subgraph/go-procsnitch/socket.go
@ -125,7 +125,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
 				*/

 				if (ss.local.port == srcPort) && addrMatchesAny(ss.local.ip) && addrMatchesAny(ss.remote.ip) {
-					fmt.Printf("Loose match for UDP socket bound to *:%d\n", ss.local.port)
+					// fmt.Printf("Loose match for UDP socket bound to *:%d\n", ss.local.port)
 					return true
 				} else if ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort && ss.local.ip.Equal(srcAddr) {
 					return true
@ -157,7 +157,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
 							}

 							if ss.local.ip.Equal(ifip) {
-								fmt.Printf("Matched on UDP socket bound to %v:%d\n", ifip, srcPort)
+								// fmt.Printf("Matched on UDP socket bound to %v:%d\n", ifip, srcPort)
 								return true
 							}