Merge pull request #302 from step-security/rc-2

varunsh-coder · web-flow · commit d6a2170828bf · 2022-09-25T09:40:44.000-07:00
Add annotation if allowed endpoint cannot be resolved
diff --git a/agent.go b/agent.go
@@ -5,13 +5,15 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/florianl/go-nflog/v2"
 )
 
 const (
 	StepSecurityLogCorrelationPrefix = "Step Security Job Correlation ID:"
+	StepSecurityAnnotationPrefix     = "StepSecurity Harden Runner:"
 	EgressPolicyAudit                = "audit"
 	EgressPolicyBlock                = "block"
 )
@@ -109,6 +111,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 			ipAddress, err := dnsProxy.getIPByDomain(domainName)
 			if err != nil {
 				WriteLog(fmt.Sprintf("Error resolving allowed domain %v", err))
+				WriteAnnotation(fmt.Sprintf("%s Reverting agent since allowed endpoint %s could not be resolved", StepSecurityAnnotationPrefix, strings.Trim(domainName, ".")))
 				RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
 				return err
 			}
diff --git a/eventhandler.go b/eventhandler.go
@@ -49,6 +49,14 @@ func (eventHandler *EventHandler) handleFileEvent(event *Event) {
 		writeDone()
 	}
 
+	if strings.Contains(event.FileName, "daemon.json") {
+		WriteAnnotation(fmt.Sprintf("%s Overwrite detected for %s", StepSecurityAnnotationPrefix, dockerDaemonConfigPath))
+	}
+
+	if strings.Contains(event.FileName, "resolved.conf") {
+		WriteAnnotation(fmt.Sprintf("%s Overwrite detected for %s", StepSecurityAnnotationPrefix, resolvedConfigPath))
+	}
+
 	// Uncomment to log file writes (only uncomment in INT env)
 	// WriteLog(fmt.Sprintf("file write %s, syscall %s", event.FileName, event.Syscall))
 
diff --git a/main.go b/main.go
@@ -17,9 +17,7 @@ func main() {
 	ctx, cancel := context.WithCancel(ctx)
 
 	signalChan := make(chan os.Signal, 1)
-	signal.Notify(signalChan, os.Kill, syscall.SIGHUP)
-
-	c := &config{}
+	signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
 
 	defer func() {
 		signal.Stop(signalChan)
@@ -29,15 +27,8 @@ func main() {
 	go func() {
 		for {
 			select {
-			case s := <-signalChan:
-				switch s {
-				case syscall.SIGHUP:
-					c.init(agentConfigFilePath)
-				case os.Interrupt:
-					WriteLog("got os.kill")
-					cancel()
-					os.Exit(1)
-				}
+			case <-signalChan:
+				WriteAnnotation(fmt.Sprintf("%s Received SIGTERM signal", StepSecurityAnnotationPrefix))
 			case <-ctx.Done():
 				WriteLog("called ctx.Done()")
 				os.Exit(1)
diff --git a/procmon_linux.go b/procmon_linux.go
@@ -6,14 +6,15 @@ package main
 import (
 	"fmt"
 
+	"io/ioutil"
+	"os"
+	"strings"
+
 	"github.com/elastic/go-libaudit/v2"
 	"github.com/elastic/go-libaudit/v2/auparse"
 	"github.com/elastic/go-libaudit/v2/rule"
 	"github.com/elastic/go-libaudit/v2/rule/flags"
 	"github.com/pkg/errors"
-	"io/ioutil"
-	"os"
-	"strings"
 )
 
 func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
@@ -69,6 +70,26 @@ func (p *ProcessMonitor) MonitorProcesses(errc chan error) {
 
 	WriteLog("Agent file monitor added")
 
+	r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", dockerDaemonConfigPath, fileMonitorTag))
+	actualBytes, _ = rule.Build(r)
+
+	if err = client.AddRule(actualBytes); err != nil {
+		WriteLog(fmt.Sprintf("failed to add audit rule for dockerDaemonConfigPath %v", err))
+		errc <- errors.Wrap(err, "failed to add audit rule")
+	}
+
+	WriteLog("Docker's daemon.json file monitor added")
+
+	r, _ = flags.Parse(fmt.Sprintf("-w %s -p w -k %s", resolvedConfigPath, fileMonitorTag))
+	actualBytes, _ = rule.Build(r)
+
+	if err = client.AddRule(actualBytes); err != nil {
+		WriteLog(fmt.Sprintf("failed to add audit rule for resolvedConfigPath %v", err))
+		errc <- errors.Wrap(err, "failed to add audit rule")
+	}
+
+	WriteLog("Systemd's resolved.conf file monitor added")
+
 	// syscall connect
 	r, _ = flags.Parse(fmt.Sprintf("-a exit,always -S connect -k %s", netMonitorTag))
 
diff --git a/release-monitor.yml b/release-monitor.yml
@@ -7,7 +7,7 @@ release-process:
     - artifact: agent_{{.Version}}_linux_amd64.tar.gz
       binary: agent
       build-command: go build -trimpath -ldflags="-s -w -X main.version={{.Version}} -X main.commit={{.FullCommit}} -X main.date=123"
-      go-version: 1.17.12      
+      go-version: 1.17.13      
   pipeline:
     github-action:
       repo: step-security/agent
