Documentation
Functions ¶
func ProcessBlockedEvents ¶
func ProcessBlockedEvents(rd *ringbuf.Reader, configMgr *config.Manager, notificationTracker *NotificationTracker, auditLogger *AuditLogger, fw FirewallUpdater, logger *slog.Logger)
ProcessBlockedEvents consumes events from the BPF ring buffer rd (presumably decoded as BpfBlockedEvent, which mirrors the C struct) and fans each one out to notificationTracker (one notification per unique destination), auditLogger (one audit-log line) and, when lazy reverse DNS shows the blocked IP belongs to an allowed hostname, fw.AddIP (see FirewallUpdater). How it behaves when rd is closed, and what it does with a record that fails to decode, is not visible from this page.
Types ¶
type AuditEvent ¶
type AuditEvent struct {
	// Timestamp is when the event was recorded; encoding/json emits it in RFC 3339 form.
	Timestamp time.Time `json:"timestamp"`
	// EventType is one of the Event* constants and discriminates the record kind.
	EventType AuditEventType `json:"event_type"`
	// SrcIP / DstIP are the connection endpoints in string form (omitted when empty).
	SrcIP string `json:"src_ip,omitempty"`
	DstIP string `json:"dst_ip,omitempty"`
	// DstHostname is the name associated with DstIP. It may come from reverse DNS
	// (see FirewallUpdater); a PTR name is chosen by whoever controls the reverse
	// zone, so do not treat it as authoritative — TODO confirm how it is resolved.
	DstHostname string `json:"dst_hostname,omitempty"`
	// DstPort carries omitempty, so a port of 0 is omitted rather than written as 0.
	DstPort uint16 `json:"dst_port,omitempty"`
	// Protocol is populated by LogProtocolBlocked.
	Protocol string `json:"protocol,omitempty"`
	// Process and PID identify the local process the event was attributed to.
	// PID carries omitempty, so a PID of 0 is omitted rather than written as 0.
	Process string `json:"process,omitempty"`
	PID uint32 `json:"pid,omitempty"`
	// MatchedRule is populated by LogExistingConnection.
	MatchedRule string `json:"matched_rule,omitempty"`
	// AutoAllowedType is populated by LogConnectionAllowed and LogExistingConnection.
	AutoAllowedType string `json:"auto_allowed_type,omitempty"`
	// WouldDeny and Blocked are always emitted (no omitempty) so a consumer can
	// tell an audit-mode record from an enforce-mode one without inspecting the
	// logger's mode: in audit mode the connection was observed but NOT stopped.
	WouldDeny bool `json:"would_deny"` // true in audit mode (would have been denied)
	Blocked bool `json:"blocked"` // true in enforce mode (actually blocked)
}
AuditEvent is one record of the audit log, written as a single JSON line by AuditLogger.LogEvent. WouldDeny and Blocked distinguish audit mode (the connection was logged but not stopped) from enforce mode (it was actually blocked). Most other fields carry omitempty, so a zero DstPort or PID is omitted from the JSON rather than emitted as 0.
type AuditEventType ¶
type AuditEventType string
AuditEventType is the discriminator written to AuditEvent.EventType; its valid values are the Event* constants below, and the string values are the on-disk format that log consumers see.
// Event types written to AuditEvent.EventType. The string values are the
// on-disk JSON representation; renaming one changes the log format consumers parse.
const (
	EventConnectionBlocked AuditEventType = "connection_blocked"   // LogConnectionBlocked
	EventConnectionAllowed AuditEventType = "connection_allowed"   // LogConnectionAllowed
	EventProtocolBlocked AuditEventType = "protocol_blocked"       // LogProtocolBlocked
	EventDNSBlocked AuditEventType = "dns_blocked"                 // LogDNSBlocked
	EventExistingConnection AuditEventType = "existing_connection" // LogExistingConnection (connections found at startup)
)
type AuditLogger ¶
// AuditLogger writes AuditEvent records as newline-delimited JSON to the file
// given to NewAuditLogger. Its audit-mode flag (IsAuditMode / SetAuditMode)
// governs whether records are marked WouldDeny (audit mode) or Blocked
// (enforce mode). Close flushes pending writes; call it before exit or the
// tail of the log may be lost.
type AuditLogger struct {
	// contains filtered or unexported fields
}
AuditLogger writes AuditEvent records to a file as newline-delimited JSON (one object per line). Writes may be buffered: Close flushes them, so it must be called before the process exits or the tail of the log can be lost.
func NewAuditLogger ¶
func NewAuditLogger(path string, auditMode bool) (*AuditLogger, error)
NewAuditLogger creates an audit logger that appends to the file at path, marking records as WouldDeny when auditMode is true and Blocked otherwise. The log records process names, PIDs and destinations, so it is itself sensitive; the file mode and directory it is created with are not described here — confirm it is created with a restrictive mode in a directory that unprivileged users cannot write to, so the audit trail can neither be read casually nor truncated or replaced by a symlink.
func (*AuditLogger) Close ¶
func (a *AuditLogger) Close() error
Close flushes pending writes and closes the audit log file
func (*AuditLogger) IsAuditMode ¶
func (a *AuditLogger) IsAuditMode() bool
IsAuditMode returns true if running in audit mode, i.e. connections that match a deny rule are recorded with WouldDeny=true but are not actually stopped; in enforce mode they are recorded with Blocked=true.
func (*AuditLogger) LogConnectionAllowed ¶
func (a *AuditLogger) LogConnectionAllowed(srcIP, dstIP, hostname string, dstPort uint16, process string, pid uint32, autoAllowedType string) error
LogConnectionAllowed logs an allowed TCP connection event
func (*AuditLogger) LogConnectionBlocked ¶
func (a *AuditLogger) LogConnectionBlocked(srcIP, dstIP, hostname string, dstPort uint16, process string, pid uint32) error
LogConnectionBlocked logs a blocked connection event
func (*AuditLogger) LogDNSBlocked ¶
func (a *AuditLogger) LogDNSBlocked(domain string) error
LogDNSBlocked logs a blocked DNS query
func (*AuditLogger) LogEvent ¶
func (a *AuditLogger) LogEvent(event AuditEvent) error
LogEvent writes an audit event to the log file
func (*AuditLogger) LogExistingConnection ¶
func (a *AuditLogger) LogExistingConnection(ip, hostname, matchedRule string, allowed bool, autoAllowedType string) error
LogExistingConnection logs a pre-existing connection that was found at startup
func (*AuditLogger) LogProtocolBlocked ¶
func (a *AuditLogger) LogProtocolBlocked(srcIP, dstIP, hostname, protocol, process string, pid uint32) error
LogProtocolBlocked logs a blocked protocol event
func (*AuditLogger) SetAuditMode ¶
func (a *AuditLogger) SetAuditMode(auditMode bool)
SetAuditMode updates the audit mode flag at runtime, switching later records between WouldDeny (audit) and Blocked (enforce). Whether it is safe to call concurrently with the Log* methods is not visible from this page; confirm the flag is guarded or atomic before calling it from another goroutine. Note that the flag only changes how events are labelled here — whether the firewall itself switches between observing and enforcing is decided elsewhere.
type BpfBlockedEvent ¶
// Layout must stay byte-for-byte identical to the C struct in tcbpf.c; the
// explicit Pad1/Pad2 fields ensure Go introduces no implicit padding and the
// record is exactly 64 bytes (Timestamp lands at the 8-aligned offset 48).
// Reorder or resize a field here without mirroring tcbpf.c and every event
// will be decoded into the wrong fields without any error.
type BpfBlockedEvent struct {
	IpVersion uint8 // 4 or 6; selects the SrcIp/DstIp or SrcIp6/DstIp6 pair below
	Allowed uint8   // set by the BPF program; exact meaning — TODO confirm in tcbpf.c
	Pad1 [2]uint8   // explicit padding to match the C layout
	SrcIp uint32 // IPv4 (used when IpVersion == 4)
	DstIp uint32 // IPv4 (used when IpVersion == 4)
	// Byte order of the ports and addresses (network vs host) is fixed by tcbpf.c — confirm before formatting.
	SrcPort uint16
	DstPort uint16
	SrcIp6 [16]byte // IPv6 (used when IpVersion == 6)
	DstIp6 [16]byte // IPv6 (used when IpVersion == 6)
	Timestamp uint64 // units/clock not visible here (presumably BPF monotonic ns) — confirm in tcbpf.c
	Pid uint32       // PID as seen by the BPF program; the process may already have exited by the time it is resolved in userspace
	Pad2 uint32      // explicit padding to match the C layout
}
BpfBlockedEvent mirrors, field for field, the event struct emitted by the BPF program in tcbpf.c; the explicit Pad1/Pad2 fields make the Go layout (64 bytes, Timestamp 8-aligned) identical to the C layout so records can be decoded straight from the ring buffer. Any change to the C struct must be mirrored here, otherwise events are silently decoded into the wrong fields.
type FirewallUpdater ¶
type FirewallUpdater interface {
	// AddIP adds ip to the firewall with the given action, restricted to ports.
	// The bool result's meaning is not documented here (presumably whether the
	// IP was newly added rather than already present) — TODO confirm.
	// Callers reach this via reverse DNS of a blocked IP; a PTR record is
	// controlled by the owner of the reverse zone, so the hostname should be
	// forward-confirmed before it is allowed to widen the allow list.
	AddIP(ip net.IP, action config.Action, ports []config.Port) (bool, error)
}
FirewallUpdater allows the event processor to dynamically add IPs to the firewall when lazy reverse DNS reveals a blocked IP belongs to an allowed hostname. Security caveat: a PTR record is set by whoever controls the reverse zone for that IP, so a reverse lookup alone can be made to return any allowed hostname; the page does not show whether the result is forward-confirmed (re-resolving the returned name and checking it yields the same IP) before AddIP is called — confirm this before relying on the auto-allow.
type NotificationTracker ¶
// NotificationTracker de-duplicates block notifications so that a given
// destination is reported once rather than on every retried connection.
// Delivery goes through the StateMachineClient passed to NewNotificationTracker.
// What constitutes a "destination" (presumably the hostname/ip/port passed to
// SendNotification) and whether the seen set ever expires is not visible here.
type NotificationTracker struct {
	// contains filtered or unexported fields
}
NotificationTracker ensures only one notification is sent per unique destination (presumably keyed on the hostname, ip and port passed to SendNotification), so a client retrying a blocked connection does not flood the user. Whether the set of seen destinations is ever expired or bounded is not visible from this page.
func NewNotificationTracker ¶
func NewNotificationTracker(smClient StateMachineClient, logger *slog.Logger) *NotificationTracker
NewNotificationTracker creates a new notification tracker
func (*NotificationTracker) SendNotification ¶
func (n *NotificationTracker) SendNotification(hostname, ip string, port uint16)
SendNotification sends a block notification the first time a given destination (hostname, ip, port) is seen and suppresses repeats for the same destination. It returns nothing, so delivery failures are not surfaced to the caller.