Merged with latest commits to master.

shw_dev
Stephen Watt 7 years ago
parent 35e7b07e43
commit 32983deba4

@ -20,6 +20,30 @@ _Application firewalls_ cannot prevent all malicious code from connecting to the
Sophisticated malicious code can subvert the _allowed_ connections to bypass the firewall.
However, the firewall may alert the user of connection attempts by less sophisticated malicious code.
The configuration settings for Subgraph Firewall are stored in /etc/sgfw.
From /etc/sgfw/sgfw.conf:
Log level specifies the level of verbosity of logging:
LogLevel = "NOTICE"
Log redaction this tells SGFW to write destination hostnames to system logs, or not:
LogRedact = true / false
PromptExpanded controls the level of detail in the prompt:
PromptExpanded = true / false
PromptExpert enables or disables "export mode":
PromptExpert = true / false
Specifies the default rule action:
DefaultAction = "SESSION"
Read more in the [Subgraph OS Handbook](https://subgraph.com/sgos-handbook/sgos_handbook.shtml#monitoring-outgoing-connections-with-subgraph-firewall).

@ -69,7 +69,9 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)
if pinfo == nil {
if !FirewallConfig.LogRedact {
log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
}
return
}
}
@ -77,7 +79,11 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
return
}
if !FirewallConfig.LogRedact {
log.Infof("Unhandled DNS message: %v", dns)
} else {
log.Infof("Unhandled DNS message [redacted]")
}
}
@ -118,7 +124,11 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
case *dnsRR_CNAME:
// Not that exotic; just ignore it
default:
if !FirewallConfig.LogRedact {
log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
} else {
log.Warningf("Unexpected RR type in answer section of A response: [redacted]")
}
}
if aBytes == nil {
@ -134,7 +144,8 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
if pid < 0 {
pid = 0
}
log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
// log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
_, ok := dc.ipMap[pid]
if !ok {
@ -169,11 +180,13 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
return entry.name
} else {
if !FirewallConfig.LogRedact {
log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
pid, ip.String(), entry.name, entry.exp, entry.ttl)
}
}
}
}
str := ""
entry, ok := dc.ipMap[0][ip.String()]
@ -182,10 +195,12 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
str = entry.name
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
} else {
if !FirewallConfig.LogRedact {
log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
ip.String(), entry.name, entry.exp, entry.ttl)
}
}
}
//log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v\n", ip.String(), str)
return str

@ -5,10 +5,10 @@ import (
"errors"
"fmt"
"net"
"sync"
"os"
"strconv"
"strings"
"sync"
"github.com/subgraph/oz/ipc"
)

@ -298,7 +298,6 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, timestamp time.Time, pinf
}*/
name := p.fw.dns.Lookup(dstip, pinfo.Pid)
log.Infof("Lookup(%s): %s", dstip.String(), name)
if !FirewallConfig.LogRedact {
log.Infof("Lookup(%s): %s", dstip.String(), name)
@ -475,8 +474,12 @@ func (p *Policy) filterPending(rule *Rule) {
pc.acceptTLSOnly()
} else {
srcs := pc.src().String() + ":" + strconv.Itoa(int(pc.srcPort()))
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d (user prompt) %v",
pc.procInfo().ExePath, pc.proto(), srcs, pc.dst(), pc.dstPort, rule.rtype)
dests := STR_REDACTED
if !FirewallConfig.LogRedact {
dests = fmt.Sprintf("%s%d",pc.dst(), pc.dstPort)
}
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s (user prompt) %v",
pc.procInfo().ExePath, pc.proto(), srcs, dests, rule.rtype)
pc.drop()
}
} else {

@ -328,7 +328,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
r.mode = RULE_MODE_PERMANENT
policy.fw.saveRules()
}
log.Warningf("Prompt returning rule: %v", tempRule)
//log.Warningf("Prompt returning rule: %v", tempRule)
dbusp.alertRule("sgfw prompt added new rule")
}
@ -434,7 +434,7 @@ func (p *prompter) nextConnection() (pendingConnection, bool) {
r.mode = RULE_MODE_PERMANENT
policy.fw.saveRules()
}
log.Warningf("Prompt returning rule: %v", tempRule)
//log.Warningf("Prompt returning rule: %v", tempRule)
dbusp.alertRule("sgfw prompt added new rule")
}

@ -445,16 +445,20 @@ func (c *socksChainSession) handleConnect(tls bool) {
func (c *socksChainSession) forwardTraffic(tls bool) {
if tls == true {
err := TLSGuard(c.clientConn, c.upstreamConn, c.req.Addr.addrStr)
dest := STR_REDACTED
if !FirewallConfig.LogRedact {
dest = c.req.Addr.addrStr
}
if err != nil {
if c.pinfo.Sandbox != "" {
log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, c.req.Addr.addrStr, err)
log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, dest, err)
} else {
log.Errorf("TLSGuard violation: Dropping traffic from %s (un-sandboxed) to %s: %v", c.pinfo.ExePath, c.req.Addr.addrStr, err)
log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %v", c.pinfo.ExePath, dest, err)
}
return
} else {
log.Notice("TLSGuard approved certificate presented for connection to: ", c.req.Addr.addrStr)
log.Notice("TLSGuard approved certificate presented for connection to: ", dest)
}
}

@ -125,7 +125,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
*/
if (ss.local.port == srcPort) && addrMatchesAny(ss.local.ip) && addrMatchesAny(ss.remote.ip) {
fmt.Printf("Loose match for UDP socket bound to *:%d\n", ss.local.port)
// fmt.Printf("Loose match for UDP socket bound to *:%d\n", ss.local.port)
return true
} else if ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort && ss.local.ip.Equal(srcAddr) {
return true
@ -157,7 +157,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
}
if ss.local.ip.Equal(ifip) {
fmt.Printf("Matched on UDP socket bound to %v:%d\n", ifip, srcPort)
// fmt.Printf("Matched on UDP socket bound to %v:%d\n", ifip, srcPort)
return true
}

Loading…
Cancel
Save