From 32983deba4a4064cda76c2b097bdcf3b9558046d Mon Sep 17 00:00:00 2001
From: Stephen Watt
Date: Mon, 2 Oct 2017 16:11:36 -0400
Subject: [PATCH] Merged with latest commits to master.

---
 README.md | 24 +++++++++++++++++
 sgfw/dns.go | 27 ++++++++++++++-----
 sgfw/ipc.go | 2 +-
 sgfw/policy.go | 9 ++++---
 sgfw/prompt.go | 4 +--
 sgfw/socks_server_chain.go | 10 ++++---
 .../subgraph/go-procsnitch/socket.go | 4 +-
 7 files changed, 63 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index ce62ff0..f88f994 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,30 @@ _Application firewalls_ cannot prevent all malicious code from connecting to the
 Sophisticated malicious code can subvert the _allowed_ connections to bypass the firewall.
 However, the firewall may alert the user of connection attempts by less sophisticated malicious code.
+The configuration settings for Subgraph Firewall are stored in /etc/sgfw.
+
+From /etc/sgfw/sgfw.conf:
+
+Log level specifies the level of verbosity of logging:
+
+ LogLevel = "NOTICE"
+
+Log redaction this tells SGFW to write destination hostnames to system logs, or not:
+
+ LogRedact = true / false
+
+PromptExpanded controls the level of detail in the prompt:
+
+ PromptExpanded = true / false
+
+PromptExpert enables or disables "export mode":
+
+ PromptExpert = true / false
+
+Specifies the default rule action:
+
+ DefaultAction = "SESSION"
+
 Read more in the [Subgraph OS Handbook](https://subgraph.com/sgos-handbook/sgos_handbook.shtml#monitoring-outgoing-connections-with-subgraph-firewall).
diff --git a/sgfw/dns.go b/sgfw/dns.go
index 05df439..974ed22 100644
--- a/sgfw/dns.go
+++ b/sgfw/dns.go
@@ -69,7 +69,9 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
 pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)
 if pinfo == nil {
- log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
+ if !FirewallConfig.LogRedact {
+ log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
+ }
 return
 }
 }
@@ -77,7 +79,11 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
 dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
 return
 }
- log.Infof("Unhandled DNS message: %v", dns)
+ if !FirewallConfig.LogRedact {
+ log.Infof("Unhandled DNS message: %v", dns)
+ } else {
+ log.Infof("Unhandled DNS message [redacted]")
+ }
 }
@@ -118,7 +124,11 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
 case *dnsRR_CNAME:
 // Not that exotic; just ignore it
 default:
- log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
+ if !FirewallConfig.LogRedact {
+ log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
+ } else {
+ log.Warningf("Unexpected RR type in answer section of A response: [redacted]")
+ }
 }
 if aBytes == nil {
@@ -134,7 +144,8 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
 if pid < 0 {
 pid = 0
 }
- log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
+
+// log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
 _, ok := dc.ipMap[pid]
 if !ok {
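Review bot: With LogRedact enabled the warning in the first hunk is dropped entirely rather than logged with the hostname removed, so the operator loses the signal that a DNS answer arrived for a process that could not be matched; the next hunk keeps the event and logs `[redacted]`, and this one should do the same, e.g. `} else { log.Warningf("Skipping attempted DNS cache entry for process that can't be found: [redacted]") }`. The two Lookup hunks (expired per-pid and global cache entries) have the same shape: the whole Warningf disappears under redaction although the pid, expiry and TTL carry no hostname and could still be logged. A small helper that returns either the value or the redaction marker would let the six call sites in this file share one gate instead of repeating `if !FirewallConfig.LogRedact`. processDNS and Lookup both start and continue outside these hunks.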
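Review bot: The last hunk of this file replaces the Noticef with an empty line plus a comment at column 0 (`+// log.Noticef(...)`), which is dead code left in the source; if the message is no longer wanted it should be deleted, since the history keeps it. If it is meant to stay for debugging, gating it like the other call sites in this file, `if !FirewallConfig.LogRedact { log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid) }`, would be consistent, because `name` and `ip` are exactly the values the redaction setting exists to keep out of the logs. processRecordAddress continues outside the hunk.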
@@ -169,8 +180,10 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
 // log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
 return entry.name
 } else {
- log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
+ if !FirewallConfig.LogRedact {
+ log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
 pid, ip.String(), entry.name, entry.exp, entry.ttl)
+ }
 }
 }
 }
@@ -182,8 +195,10 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
 str = entry.name
 // log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
 } else {
- log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
+ if !FirewallConfig.LogRedact {
+ log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
 ip.String(), entry.name, entry.exp, entry.ttl)
+ }
 }
 }
diff --git a/sgfw/ipc.go b/sgfw/ipc.go
index 06f599c..18c5441 100644
--- a/sgfw/ipc.go
+++ b/sgfw/ipc.go
@@ -5,10 +5,10 @@ import (
 "errors"
 "fmt"
 "net"
+ "sync"
 "os"
 "strconv"
 "strings"
- "sync"
 "github.com/subgraph/oz/ipc"
 )
diff --git a/sgfw/policy.go b/sgfw/policy.go
index 7d642f0..4f144c4 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -298,7 +298,6 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, timestamp time.Time, pinf
 }*/
 name := p.fw.dns.Lookup(dstip, pinfo.Pid)
- log.Infof("Lookup(%s): %s", dstip.String(), name)
 if !FirewallConfig.LogRedact {
 log.Infof("Lookup(%s): %s", dstip.String(), name)
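Review bot: The ipc.go hunk moves `"sync"` between `"net"` and `"os"`, which breaks the alphabetical order of the stdlib import group; gofmt sorts consecutive import lines, so the next formatting pass will move it back and this hunk will only produce churn. The removed line after `"strings"` was already the correct placement, so the hunk can be dropped from the patch.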
@@ -475,8 +474,12 @@ func (p *Policy) filterPending(rule *Rule) {
 pc.acceptTLSOnly()
 } else {
 srcs := pc.src().String() + ":" + strconv.Itoa(int(pc.srcPort()))
- log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d (user prompt) %v",
- pc.procInfo().ExePath, pc.proto(), srcs, pc.dst(), pc.dstPort, rule.rtype)
+ dests := STR_REDACTED
+ if !FirewallConfig.LogRedact {
+ dests = fmt.Sprintf("%s%d",pc.dst(), pc.dstPort)
+ }
+ log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s (user prompt) %v",
+ pc.procInfo().ExePath, pc.proto(), srcs, dests, rule.rtype)
 pc.drop()
 }
 } else {
diff --git a/sgfw/prompt.go b/sgfw/prompt.go
index d3efd09..55c378c 100644
--- a/sgfw/prompt.go
+++ b/sgfw/prompt.go
@@ -328,7 +328,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 r.mode = RULE_MODE_PERMANENT
 policy.fw.saveRules()
 }
- log.Warningf("Prompt returning rule: %v", tempRule)
+ //log.Warningf("Prompt returning rule: %v", tempRule)
 dbusp.alertRule("sgfw prompt added new rule")
 }
@@ -434,7 +434,7 @@ func (p *prompter) nextConnection() (pendingConnection, bool) {
 r.mode = RULE_MODE_PERMANENT
 policy.fw.saveRules()
 }
- log.Warningf("Prompt returning rule: %v", tempRule)
+ //log.Warningf("Prompt returning rule: %v", tempRule)
 dbusp.alertRule("sgfw prompt added new rule")
 }
diff --git a/sgfw/socks_server_chain.go b/sgfw/socks_server_chain.go
index ad597dc..5c1483f 100644
--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
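Review bot: The unredacted destination in the policy.go hunk is built with `fmt.Sprintf("%s%d",pc.dst(), pc.dstPort)`, which drops the `:` separator the removed format string had, so the DENIED line will render host and port fused (a constructed example: `10.0.0.1443` instead of `10.0.0.1:443`) and an analyst cannot split them reliably. It should read `dests = fmt.Sprintf("%s:%d", pc.dst(), pc.dstPort)` (the space after the comma is also what gofmt emits). The hunk does not show policy.go's import block, so please confirm `fmt` is already imported there. filterPending's body continues outside the hunk.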
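Review bot: Both prompt.go hunks comment out `log.Warningf("Prompt returning rule: %v", tempRule)` instead of deleting it or applying the `FirewallConfig.LogRedact` gate used everywhere else in this change, and the commented line gives no hint why it was disabled. If the concern is that a rule's `%v` rendering exposes destination hostnames, `if !FirewallConfig.LogRedact { log.Warningf("Prompt returning rule: %v", tempRule) }` keeps the audit trail for deployments that have not enabled redaction; otherwise remove the line outright. The same applies to the second hunk in nextConnection. Both enclosing functions start and end outside their hunks.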
@@ -445,16 +445,20 @@ func (c *socksChainSession) handleConnect(tls bool) {
 func (c *socksChainSession) forwardTraffic(tls bool) {
 if tls == true {
 err := TLSGuard(c.clientConn, c.upstreamConn, c.req.Addr.addrStr)
+ dest := STR_REDACTED
+ if !FirewallConfig.LogRedact {
+ dest = c.req.Addr.addrStr
+ }
 if err != nil {
 if c.pinfo.Sandbox != "" {
- log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, c.req.Addr.addrStr, err)
+ log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, dest, err)
 } else {
- log.Errorf("TLSGuard violation: Dropping traffic from %s (un-sandboxed) to %s: %v", c.pinfo.ExePath, c.req.Addr.addrStr, err)
+ log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %v", c.pinfo.ExePath, dest, err)
 }
 return
 } else {
- log.Notice("TLSGuard approved certificate presented for connection to: ", c.req.Addr.addrStr)
+ log.Notice("TLSGuard approved certificate presented for connection to: ", dest)
 }
 }
diff --git a/vendor/github.com/subgraph/go-procsnitch/socket.go b/vendor/github.com/subgraph/go-procsnitch/socket.go
index a5d838f..102b5b7 100644
--- a/vendor/github.com/subgraph/go-procsnitch/socket.go
+++ b/vendor/github.com/subgraph/go-procsnitch/socket.go
@@ -125,7 +125,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
 */
 if (ss.local.port == srcPort) && addrMatchesAny(ss.local.ip) && addrMatchesAny(ss.remote.ip) {
- fmt.Printf("Loose match for UDP socket bound to *:%d\n", ss.local.port)
+ // fmt.Printf("Loose match for UDP socket bound to *:%d\n", ss.local.port)
 return true
 } else if ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort && ss.local.ip.Equal(srcAddr) {
 return true
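Review bot: `dest` is redacted before it reaches the three log calls in the socks_server_chain.go hunk, but `err` from TLSGuard is still formatted with `%v` on both Errorf lines; if TLSGuard passes through stdlib `x509` verification errors, a `HostnameError` message embeds the host name being checked, so the redaction would be incomplete. TLSGuard is outside this hunk, so please confirm what it returns; if it can carry the name, substitute the error text under redaction, e.g. `errStr := err.Error(); if FirewallConfig.LogRedact { errStr = STR_REDACTED }` and log `errStr` in place of `err`. forwardTraffic continues outside the hunk.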
@@ -157,7 +157,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
 }
 if ss.local.ip.Equal(ifip) {
- fmt.Printf("Matched on UDP socket bound to %v:%d\n", ifip, srcPort)
+ // fmt.Printf("Matched on UDP socket bound to %v:%d\n", ifip, srcPort)
 return true
 }