Merge pull request #90 from step-security/int

Add logging

Author: varunsh-coder

agent.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"sync"
 	"time"
 
 	"github.com/florianl/go-nflog/v2"
@@ -46,6 +47,8 @@ type IPTables interface {
 	ClearChain(table, chain string) error
 }
 
+var fileMutex sync.Mutex
+
 // Run the agent
 // TODO: move all inputs into a struct
 func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
@@ -90,6 +93,23 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 
 	dnsConfig := DnsConfig{}
 
+	var ipAddressEndpoints []ipAddressEndpoint
+	if config.EgressPolicy == EgressPolicyBlock {
+		endpoints := addImplicitEndpoints(config.Endpoints)
+		for _, endpoint := range endpoints {
+			// this will cause domain, IP mapping to be cached
+			ipAddress, err := dnsProxy.getIPByDomain(endpoint.domainName)
+			if err != nil {
+				writeLog(fmt.Sprintf("Error resolving allowed domain %v", err))
+				RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
+				return err
+			}
+
+			// create list of ip address to be added to firewall
+			ipAddressEndpoints = append(ipAddressEndpoints, ipAddressEndpoint{ipAddress: ipAddress, port: fmt.Sprintf("%d", endpoint.port)})
+		}
+	}
+
 	// Change DNS config on host, causes processes to use agent's DNS proxy
 	if err := dnsConfig.SetDNSServer(cmd, resolvdConfigPath, tempDir); err != nil {
 		writeLog(fmt.Sprintf("Error setting DNS server %v", err))
@@ -130,7 +150,6 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 
 		writeLog("added audit rules")
 	} else if config.EgressPolicy == EgressPolicyBlock {
-		var ipAddressEndpoints []ipAddressEndpoint
 
 		writeLog(fmt.Sprintf("Allowed domains:%v", config.Endpoints))
 
@@ -143,19 +162,6 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 
 		// Start network monitor
 		go netMonitor.MonitorNetwork(nflog, errc) // listens for NFLOG messages
-		endpoints := addImplicitEndpoints(config.Endpoints)
-		for _, endpoint := range endpoints {
-			// this will cause domain, IP mapping to be cached
-			ipAddress, err := dnsProxy.getIPByDomain(endpoint.domainName)
-			if err != nil {
-				writeLog(fmt.Sprintf("Error resolving allowed domain %v", err))
-				RevertChanges(iptables, nflog, cmd, resolvdConfigPath, dockerDaemonConfigPath, dnsConfig)
-				return err
-			}
-
-			// create list of ip address to be added to firewall
-			ipAddressEndpoints = append(ipAddressEndpoints, ipAddressEndpoint{ipAddress: ipAddress, port: fmt.Sprintf("%d", endpoint.port)})
-		}
 
 		if err := addBlockRulesForGitHubHostedRunner(ipAddressEndpoints); err != nil {
 			writeLog(fmt.Sprintf("Error setting firewall for allowed domains %v", err))
@@ -212,6 +218,9 @@ func RevertChanges(iptables *Firewall, nflog AgentNflogger,
 }
 
 func writeLog(message string) {
+	fileMutex.Lock()
+	defer fileMutex.Unlock()
+
 	f, _ := os.OpenFile("/home/agent/agent.log",
 		os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
 

dnsproxy.go

@@ -108,6 +108,8 @@ func (proxy *DNSProxy) getIPByDomain(domain string) (string, error) {
 		if answer.Type == 1 {
 			proxy.Cache.Set(domain, answer.Data)
 
+			go writeLog(fmt.Sprintf("domain resolved: %s, ip address: %s", domain, answer.Data))
+
 			go proxy.ApiClient.sendDNSRecord(proxy.CorrelationId, proxy.Repo, domain, answer.Data)
 
 			return answer.Data, nil

netmon.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"fmt"
 	"sync"
 	"time"
 
@@ -94,6 +95,10 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) {
 			if isSYN {
 				netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo,
 					ipv4.DstIP.String(), port, netMonitor.Status, timestamp, Tool{Name: Unknown, SHA256: Unknown})
+
+				if netMonitor.Status == "Dropped" {
+					go writeLog(fmt.Sprintf("ip address dropped: %s", ipv4.DstIP.String()))
+				}
 			}
 		}
 		netMonitor.netMutex.Unlock()