shw-merge
xSmurf 7 years ago
commit c61a85800f

@ -20,6 +20,30 @@ _Application firewalls_ cannot prevent all malicious code from connecting to the
Sophisticated malicious code can subvert the _allowed_ connections to bypass the firewall.
However, the firewall may alert the user of connection attempts by less sophisticated malicious code.
The configuration settings for Subgraph Firewall are stored in /etc/sgfw.
From /etc/sgfw/sgfw.conf:
Log level specifies the level of verbosity of logging:
LogLevel = "NOTICE"
Log redaction this tells SGFW to write destination hostnames to system logs, or not:
LogRedact = true / false
PromptExpanded controls the level of detail in the prompt:
PromptExpanded = true / false
PromptExpert enables or disables "export mode":
PromptExpert = true / false
Specifies the default rule action:
DefaultAction = "SESSION"
Read more in the [Subgraph OS Handbook](https://subgraph.com/sgos-handbook/sgos_handbook.shtml#monitoring-outgoing-connections-with-subgraph-firewall).

@ -5,13 +5,8 @@ fw-daemon:
fw-prompt:
scope returned by new rules is bad (always set to process)
more nesting for similar prompts (by application, pid, target host, etc)
Each duplicate prompt needs to be expandable into individual items
gnome-shell:
Start using new async DBus methods

@ -69,7 +69,9 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)
if pinfo == nil {
if !FirewallConfig.LogRedact {
log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
}
return
}
}
@ -77,7 +79,11 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
return
}
if !FirewallConfig.LogRedact {
log.Infof("Unhandled DNS message: %v", dns)
} else {
log.Infof("Unhandled DNS message [redacted]")
}
}
@ -118,7 +124,11 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
case *dnsRR_CNAME:
// Not that exotic; just ignore it
default:
if !FirewallConfig.LogRedact {
log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
} else {
log.Warningf("Unexpected RR type in answer section of A response: [redacted]")
}
}
if aBytes == nil {
@ -134,7 +144,8 @@ func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int)
if pid < 0 {
pid = 0
}
log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
// log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
_, ok := dc.ipMap[pid]
if !ok {
@ -169,11 +180,13 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
return entry.name
} else {
if !FirewallConfig.LogRedact {
log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
pid, ip.String(), entry.name, entry.exp, entry.ttl)
}
}
}
}
str := ""
entry, ok := dc.ipMap[0][ip.String()]
@ -182,10 +195,12 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
str = entry.name
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
} else {
if !FirewallConfig.LogRedact {
log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
ip.String(), entry.name, entry.exp, entry.ttl)
}
}
}
//log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v\n", ip.String(), str)
return str

@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"net"
"sync"
"os"
"strconv"
"strings"

@ -298,7 +298,6 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, timestamp time.Time, pinf
}*/
name := p.fw.dns.Lookup(dstip, pinfo.Pid)
log.Infof("Lookup(%s): %s", dstip.String(), name)
if !FirewallConfig.LogRedact {
log.Infof("Lookup(%s): %s", dstip.String(), name)
@ -475,8 +474,12 @@ func (p *Policy) filterPending(rule *Rule) {
pc.acceptTLSOnly()
} else {
srcs := pc.src().String() + ":" + strconv.Itoa(int(pc.srcPort()))
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d (user prompt) %v",
pc.procInfo().ExePath, pc.proto(), srcs, pc.dst(), pc.dstPort, rule.rtype)
dests := STR_REDACTED
if !FirewallConfig.LogRedact {
dests = fmt.Sprintf("%s%d",pc.dst(), pc.dstPort)
}
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s (user prompt) %v",
pc.procInfo().ExePath, pc.proto(), srcs, dests, rule.rtype)
pc.drop()
}
} else {

@ -328,7 +328,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
r.mode = RULE_MODE_PERMANENT
policy.fw.saveRules()
}
log.Warningf("Prompt returning rule: %v", tempRule)
//log.Warningf("Prompt returning rule: %v", tempRule)
dbusp.alertRule("sgfw prompt added new rule")
}
@ -434,7 +434,7 @@ func (p *prompter) nextConnection() (pendingConnection, bool) {
r.mode = RULE_MODE_PERMANENT
policy.fw.saveRules()
}
log.Warningf("Prompt returning rule: %v", tempRule)
//log.Warningf("Prompt returning rule: %v", tempRule)
dbusp.alertRule("sgfw prompt added new rule")
}

@ -445,16 +445,20 @@ func (c *socksChainSession) handleConnect(tls bool) {
func (c *socksChainSession) forwardTraffic(tls bool) {
if tls == true {
err := TLSGuard(c.clientConn, c.upstreamConn, c.req.Addr.addrStr)
dest := STR_REDACTED
if !FirewallConfig.LogRedact {
dest = c.req.Addr.addrStr
}
if err != nil {
if c.pinfo.Sandbox != "" {
log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, c.req.Addr.addrStr, err)
log.Errorf("TLSGuard violation: Dropping traffic from %s (sandbox: %s) to %s: %v", c.pinfo.ExePath, c.pinfo.Sandbox, dest, err)
} else {
log.Errorf("TLSGuard violation: Dropping traffic from %s (un-sandboxed) to %s: %v", c.pinfo.ExePath, c.req.Addr.addrStr, err)
log.Errorf("TLSGuard violation: Dropping traffic from %s (unsandboxed) to %s: %v", c.pinfo.ExePath, dest, err)
}
return
} else {
log.Notice("TLSGuard approved certificate presented for connection to: ", c.req.Addr.addrStr)
log.Notice("TLSGuard approved certificate presented for connection to: ", dest)
}
}

@ -125,7 +125,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
*/
if (ss.local.port == srcPort) && addrMatchesAny(ss.local.ip) && addrMatchesAny(ss.remote.ip) {
fmt.Printf("Loose match for UDP socket bound to *:%d\n", ss.local.port)
// fmt.Printf("Loose match for UDP socket bound to *:%d\n", ss.local.port)
return true
} else if ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort && ss.local.ip.Equal(srcAddr) {
return true
@ -157,7 +157,7 @@ func findUDPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
}
if ss.local.ip.Equal(ifip) {
fmt.Printf("Matched on UDP socket bound to %v:%d\n", ifip, srcPort)
// fmt.Printf("Matched on UDP socket bound to %v:%d\n", ifip, srcPort)
return true
}

Loading…
Cancel
Save