README

MIG: Mozilla InvestiGator

MIG is Mozilla's platform for investigative surgery of remote endpoints.

⚠️ Deprecation Notice ⚠️

Mozilla is no longer maintaining the Mozilla InvestiGator (MIG) project.

Mozilla is also no longer making use of this code internally.

You are welcome to use this code as is with no warranty. Please fork it to continue development.

Quick Start w/ Docker

You can spin up a local-only MIG setup using docker. The container is not suitable for production use but lets you experiment with MIG quickly, providing a single container environment that has most of the MIG components available.

To pull from Docker Hub:

$ docker pull mozilla/mig
$ docker run -it mozilla/mig

Or, if you have the source checked out in your GOPATH you can build your own image:

$ cd $GOPATH/src/github.com/mozilla/mig
$ docker build -t mozilla/mig:latest .
$ docker run -it mozilla/mig

Once inside the container, you can use the MIG tools to query a local agent, as such:

mig@5345268590c8:~$ /go/bin/mig file -t all -path /usr/bin -sha2 5c1956eba492b2c3fffd8d3e43324b5c477c22727385be226119f7ffc24aad3f
1 agents will be targeted. ctrl+c to cancel. launching in 5 4 3 2 1 GO
Following action ID 7978299359234.
 1 / 1 [=========================================================] 100.00% 0/s4s
100.0% done in 3.029105958s
1 sent, 1 done, 1 succeeded
ed11f485244a /usr/bin/wget [lastmodified:2016-07-05 15:32:42 +0000 UTC, mode:-rwxr-xr-x, size:419080] in search 's1'
1 agent has found results

To explore the capabilities of MIG, take a look at the CheatSheet.

What is this?

MIG is composed of agents installed on all systems of an infrastructure that are be queried in real-time to investigate the file-systems, network state, memory or configuration of endpoints.

Capability Linux MacOS Windows
file inspection check check check
network inspection check check (partial)
memory inspection check check check
vuln management check (planned) (planned)
log analysis (planned) (planned) (planned)
system auditing check (planned) (planned)

Imagine it is 7am on a saturday morning, and someone just released a critical vulnerability for your favorite PHP application. The vuln is already exploited and security groups are releasing indicators of compromise (IOCs). Your weekend isn't starting great, and the thought of manually inspecting thousands of systems isn't making it any better.

MIG can help. The signature of the vulnerable PHP app (the md5 of a file, a regex, or just a filename) can be searched for across all your systems using the file module. Similarly, IOCs such as specific log entries, backdoor files with md5 and sha1/2/3 hashes, IP addresses from botnets or byte strings in processes memories can be investigated using MIG. Suddenly, your weekend is looking a lot better. And with just a few commands, thousands of systems will be remotely investigated to verify that you're not at risk.

MIG command line demo

MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as our keys are safe on your investigator's laptop, no one will break into the agents.

MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a Postgresql database and on disk cache, such that the reliability of the platform doesn't depend on long-running processes.

Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.

Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.

Technology

MIG is built in Go and uses a REST API that receives signed JSON messages distributed to agents via RabbitMQ and stored in a Postgres database.

It is:

  • Massively Distributed means Fast.
  • Simple to deploy and Cross-Platform.
  • Secured using OpenPGP.
  • Respectful of privacy by never retrieving raw data from endpoints.

Check out this 10 minutes video for a more general presentation and a demo of the console interface.

MIG youtube video

MIG was recently presented at the SANS DFIR Summit in Austin, Tx. You can watch the recording below:

Discussion

Join #mig on irc.mozilla.org (use a web client such as mibbit).

Documentation

All documentation is available in the 'doc' directory and on http://mig.mozilla.org .

Expand ▾ Collapse ▴

Documentation

Index

Constants

View Source
const (
	AgtStatusOnline    string = "online"
	AgtStatusDestroyed string = "destroyed"
	AgtStatusOffline   string = "offline"
	AgtStatusIdle      string = "idle"
)

    Various agent status values

    View Source
    const (
    	StatusSent      string = "sent"
    	StatusSuccess   string = "success"
    	StatusCancelled string = "cancelled"
    	StatusExpired   string = "expired"
    	StatusFailed    string = "failed"
    	StatusTimeout   string = "timeout"
    )

      Various command status values

      View Source
      const (
      	ExchangeToAgents     = "toagents"
      	ExchangeToSchedulers = "toschedulers"
      	QueueAgentHeartbeat  = "mig.agt.heartbeats"
      	QueueAgentResults    = "mig.agt.results"
      )

        Various constants that indicate exchange and queue names used in RabbitMQ

        View Source
        const (
        	PermSearch = 1 << iota
        	PermAction
        	PermActionCreate
        	PermCommand
        	PermAgent
        	PermDashboard
        	PermLoader
        	PermLoaderStatus
        	PermLoaderExpect
        	PermLoaderKey
        	PermLoaderNew
        	PermManifest
        	PermManifestSign
        	PermManifestNew
        	PermManifestStatus
        	PermManifestLoaders
        	PermInvestigator
        	PermInvestigatorCreate
        	PermInvestigatorUpdate
        )

          Permissions that can be assigned to investigators

          View Source
          const (
          	StatusActiveInvestigator   string = "active"
          	StatusDisabledInvestigator string = "disabled"
          )

            Possible status values for an investigator

            View Source
            const ActionVersion uint16 = 2

              ActionVersion is the version of the syntax that is expected

              View Source
              const LoaderHashedKeyLength = 32

                LoaderHashedKeyLength is the length of the hashed loader key in the database

                View Source
                const LoaderKeyLength = 32

                  LoaderKeyLength is the length of the loader key

                  View Source
                  const LoaderPrefixAndKeyLength = 40

                    LoaderPrefixAndKeyLength is the key length for a loader key including the prefix

                    View Source
                    const LoaderPrefixLength = 8

                      LoaderPrefixLength is the length of the loader prefix

                      View Source
                      const LoaderSaltLength = 16

                        LoaderSaltLength is the length of the salt applied to loader keys

                        Variables

                        View Source
                        var BundleDictionary = map[string][]BundleDictionaryEntry{
                        	"linux":   bundleEntryLinux,
                        	"darwin":  bundleEntryDarwin,
                        	"windows": bundleEntryWindows,
                        }

                          BundleDictionary maps GOOS platform names to specific bundle entry values

                          View Source
                          var PermSets = []string{"PermManifest", "PermLoader", "PermAdmin"}

                            PermSets describes permission sets that can be applied; note default is omitted as this is currently always applied

                            View Source
                            var Version = ""

                              Version can be set at compile time to indicate the version of MIG components. You'd typically want to set this during install using flags such as -ldflags "-X github.com/mozilla/mig.Version=20170913-0.06824ce0.dev" when calling the go build tools.

                              Functions

                              func GenID

                              func GenID() float64

                                GenID returns a float64 ID number that is unique to this process. The ID is initialized at the number of seconds since MIG's creation date, shifted 16 bits to the right and incremented by one every time a new ID is requested. The resulting value must fit in 53 bits of precision provided by the float64 type.

                                func GenerateLoaderKey

                                func GenerateLoaderKey() string

                                  GenerateLoaderKey will generate a new loader key value

                                  func GenerateLoaderPrefix

                                  func GenerateLoaderPrefix() string

                                    GenerateLoaderPrefix will generate a new loader prefix value

                                    func ProcessLog

                                    func ProcessLog(logctx Logging, l Log) (stop bool, err error)

                                      ProcessLog receives events and performs logging and evaluation of the log severity level, in the event of an emergency level entry stop will be true

                                      func RandAPIKeyString

                                      func RandAPIKeyString(length int) string

                                        RandAPIKeyString is used for prefix and key generation, and just returns a random string consisting of alphanumeric characters of length characters long

                                        func ValidateLoaderKey

                                        func ValidateLoaderKey(key string) error

                                          ValidateLoaderKey validates a loader key, returns nil if it is valid

                                          func ValidateLoaderPrefix

                                          func ValidateLoaderPrefix(prefix string) error

                                            ValidateLoaderPrefix validates a loader prefix value, returns nil if it is valid

                                            func ValidateLoaderPrefixAndKey

                                            func ValidateLoaderPrefixAndKey(pk string) error

                                              ValidateLoaderPrefixAndKey validates a loader key that includes the prefix

                                              Types

                                              type ACL

                                              type ACL map[string]struct {
                                              	MinimumWeight int
                                              	Investigators map[string]struct {
                                              		Fingerprint string
                                              		Weight      int
                                              	}
                                              }

                                                ACL defines an access control list used by the agent to determine what investigators can call a given module. The key in this map is the module name, and can be "default" in which case this element will be used if no key for a given module exists.

                                                The value includes a minimum weight to authorize the request, and a map of investigators with the key of the map being the name of the investigator, and the value storing the PGP fingerprint of the investigators key and the weight that investigator has.

                                                type Action

                                                type Action struct {
                                                	ID             float64        `json:"id"`
                                                	Name           string         `json:"name"`
                                                	Target         string         `json:"target"`
                                                	Description    Description    `json:"description,omitempty"`
                                                	Threat         Threat         `json:"threat,omitempty"`
                                                	ValidFrom      time.Time      `json:"validfrom"`
                                                	ExpireAfter    time.Time      `json:"expireafter"`
                                                	Operations     []Operation    `json:"operations"`
                                                	PGPSignatures  []string       `json:"pgpsignatures"`
                                                	Investigators  []Investigator `json:"investigators,omitempty"`
                                                	Status         string         `json:"status,omitempty"`
                                                	StartTime      time.Time      `json:"starttime,omitempty"`
                                                	FinishTime     time.Time      `json:"finishtime,omitempty"`
                                                	LastUpdateTime time.Time      `json:"lastupdatetime,omitempty"`
                                                	Counters       ActionCounters `json:"counters,omitempty"`
                                                	SyntaxVersion  uint16         `json:"syntaxversion,omitempty"`
                                                }

                                                  Action is the json object that is created by an investigator and provided to the MIG platform. It must be PGP signed.

                                                  func ActionFromFile

                                                  func ActionFromFile(path string) (Action, error)

                                                    ActionFromFile reads an action from a local file on the file system and returns a mig.Action structure

                                                    func (Action) IndentedString

                                                    func (a Action) IndentedString() (string, error)

                                                      IndentedString returns an indented JSON string representing the action suitable for display

                                                      func (Action) PrintCounters

                                                      func (a Action) PrintCounters()

                                                        PrintCounters prints the counters of an action to stderr

                                                        func (Action) Sign

                                                        func (a Action) Sign(keyid string, secring io.Reader) (sig string, err error)

                                                          Sign computes and returns the GPG signature of a MIG action in its stringified form

                                                          func (Action) String

                                                          func (a Action) String() (str string, err error)

                                                            concatenates Action components into a string

                                                            func (Action) ToTempFile

                                                            func (a Action) ToTempFile() (filename string, err error)

                                                              ToTempFile writes an action into a generated temporary file and returns its filename

                                                              func (Action) Validate

                                                              func (a Action) Validate() (err error)

                                                                Validate verifies that the Action received contained all the necessary fields, and returns an error when it doesn't.

                                                                func (Action) VerifyACL

                                                                func (a Action) VerifyACL(acl ACL, keyring io.Reader, onlyVerifyPubKey bool) (err error)

                                                                  VerifyACL validates that an action has been issued by investigators that have adequate permissions to execute the action. It takes a look at each operation included in the action and verifies the signatures in the action against the agents ACL.

                                                                  func (Action) VerifySignatures

                                                                  func (a Action) VerifySignatures(keyring io.Reader) (err error)

                                                                    VerifySignatures verifies that the Action contains valid signatures from known investigators. It does not verify permissions.

                                                                    type ActionCounters

                                                                    type ActionCounters struct {
                                                                    	Sent      int `json:"sent,omitempty"`
                                                                    	Done      int `json:"done,omitempty"`
                                                                    	InFlight  int `json:"inflight,omitempty"`
                                                                    	Success   int `json:"success,omitempty"`
                                                                    	Cancelled int `json:"cancelled,omitempty"`
                                                                    	Expired   int `json:"expired,omitempty"`
                                                                    	Failed    int `json:"failed,omitempty"`
                                                                    	TimeOut   int `json:"timeout,omitempty"`
                                                                    }

                                                                      ActionCounters are counters used to track the completion of an action

                                                                      type Agent

                                                                      type Agent struct {
                                                                      	ID              float64           `json:"id,omitempty"`
                                                                      	Name            string            `json:"name"`
                                                                      	QueueLoc        string            `json:"queueloc"`
                                                                      	Mode            string            `json:"mode"`
                                                                      	Version         string            `json:"version,omitempty"`
                                                                      	PID             int               `json:"pid,omitempty"`
                                                                      	LoaderName      string            `json:"loadername,omitempty"`
                                                                      	StartTime       time.Time         `json:"starttime,omitempty"`
                                                                      	DestructionTime time.Time         `json:"destructiontime,omitempty"`
                                                                      	HeartBeatTS     time.Time         `json:"heartbeatts,omitempty"`
                                                                      	RefreshTS       time.Time         `json:"refreshts,omitempty"`
                                                                      	Status          string            `json:"status,omitempty"`
                                                                      	Authorized      bool              `json:"authorized,omitempty"`
                                                                      	Env             AgentEnv          `json:"environment,omitempty"`
                                                                      	Tags            map[string]string `json:"tags,omitempty"`
                                                                      }

                                                                        Agent stores the description of an agent and serves as a canvas for heartbeat messages

                                                                        type AgentEnv

                                                                        type AgentEnv struct {
                                                                        	Init      string      `json:"init,omitempty"`
                                                                        	Ident     string      `json:"ident,omitempty"`
                                                                        	OS        string      `json:"os,omitempty"`
                                                                        	Arch      string      `json:"arch,omitempty"`
                                                                        	IsProxied bool        `json:"isproxied"`
                                                                        	Proxy     string      `json:"proxy,omitempty"`
                                                                        	Addresses []string    `json:"addresses,omitempty"`
                                                                        	PublicIP  string      `json:"publicip,omitempty"`
                                                                        	AWS       AgentEnvAWS `json:"aws,omitempty"`
                                                                        	Modules   []string    `json:"modules,omitempty"`
                                                                        }

                                                                          AgentEnv stores basic information of the endpoint

                                                                          type AgentEnvAWS

                                                                          type AgentEnvAWS struct {
                                                                          	InstanceID   string `json:"instanceid,omitempty"`
                                                                          	LocalIPV4    string `json:"localipv4,omitempty"`
                                                                          	AMIID        string `json:"amiid,omitempty"`
                                                                          	InstanceType string `json:"instancetype,omitempty"`
                                                                          }

                                                                            AgentEnvAWS stores AWS specific agent environment values

                                                                            type AgentsStats

                                                                            type AgentsStats struct {
                                                                            	Timestamp             time.Time           `json:"timestamp"`
                                                                            	OnlineAgents          float64             `json:"onlineagents"`
                                                                            	OnlineAgentsByVersion []AgentsVersionsSum `json:"onlineagentsbyversion"`
                                                                            	OnlineEndpoints       float64             `json:"onlineendpoints"`
                                                                            	IdleAgents            float64             `json:"idleagents"`
                                                                            	IdleAgentsByVersion   []AgentsVersionsSum `json:"idleagentsbyversion"`
                                                                            	IdleEndpoints         float64             `json:"idleendpoints"`
                                                                            	NewEndpoints          float64             `json:"newendpoints"`
                                                                            	MultiAgentsEndpoints  float64             `json:"multiagentsendpoints"`
                                                                            	DisappearedEndpoints  float64             `json:"disappearedendpoints"`
                                                                            	FlappingEndpoints     float64             `json:"flappingendpoints"`
                                                                            }

                                                                              AgentsStats stores information about the global MIG environment, primarily used in command line tools and the API/scheduler

                                                                              type AgentsVersionsSum

                                                                              type AgentsVersionsSum struct {
                                                                              	Version string  `json:"version"`
                                                                              	Count   float64 `json:"count"`
                                                                              }

                                                                                AgentsVersionsSum stores information on the count of agents at a specific version level, primarily used in command line tools and the API/scheduler

                                                                                type BundleDictionaryEntry

                                                                                type BundleDictionaryEntry struct {
                                                                                	Name   string
                                                                                	Path   string
                                                                                	SHA256 string
                                                                                	Perm   os.FileMode
                                                                                }

                                                                                  BundleDictionaryEntry is used to map tokens within the loader manifest to objects on the file system. We don't allow specification of an exact path for interrogation or manipulation in the manifest. This results in some restrictions but hardens the loader against making unauthorized changes to the file system.

                                                                                  func GetHostBundle

                                                                                  func GetHostBundle() ([]BundleDictionaryEntry, error)

                                                                                    GetHostBundle returns the correct BundleDictionaryEntry given the platform the code is executing on

                                                                                    func HashBundle

                                                                                      HashBundle populates a slice of BundleDictionaryEntrys, adding the SHA256 checksums from the file system

                                                                                      type Command

                                                                                      type Command struct {
                                                                                      	ID     float64 `json:"id"`
                                                                                      	Action Action  `json:"action"`
                                                                                      	Agent  Agent   `json:"agent"`
                                                                                      
                                                                                      	// Status can be one of:
                                                                                      	// sent: the command has been sent by the scheduler to the agent
                                                                                      	// success: the command has successfully ran on the agent and been returned to the scheduler
                                                                                      	// cancelled: the command has been cancelled by the investigator
                                                                                      	// expired: the command has been expired by the scheduler
                                                                                      	// failed: the command has failed on the agent and been returned to the scheduler
                                                                                      	// timeout: module execution has timed out, and the agent returned the command to the scheduler
                                                                                      	Status string `json:"status"`
                                                                                      
                                                                                      	Results    []modules.Result `json:"results"`
                                                                                      	StartTime  time.Time        `json:"starttime"`
                                                                                      	FinishTime time.Time        `json:"finishtime"`
                                                                                      }

                                                                                        Command describes an action as applied to a single agent, and will include results

                                                                                        func CmdFromFile

                                                                                        func CmdFromFile(path string) (cmd Command, err error)

                                                                                          CmdFromFile reads a command from a local file on the file system and return the mig.Command structure

                                                                                          type Description

                                                                                          type Description struct {
                                                                                          	Author   string  `json:"author,omitempty"`
                                                                                          	Email    string  `json:"email,omitempty"`
                                                                                          	URL      string  `json:"url,omitempty"`
                                                                                          	Revision float64 `json:"revision,omitempty"`
                                                                                          }

                                                                                            Description is a simple object that contains detail about the action's author, and it's revision.

                                                                                            type Investigator

                                                                                            type Investigator struct {
                                                                                            	ID             float64   `json:"id,omitempty"`
                                                                                            	Name           string    `json:"name"`
                                                                                            	PGPFingerprint string    `json:"pgpfingerprint"`
                                                                                            	PublicKey      []byte    `json:"publickey,omitempty"`
                                                                                            	PrivateKey     []byte    `json:"privatekey,omitempty"`
                                                                                            	Status         string    `json:"status"`
                                                                                            	CreatedAt      time.Time `json:"createdat"`
                                                                                            	LastModified   time.Time `json:"lastmodified"`
                                                                                            	APIKey         string    `json:"apikey,omitempty"`
                                                                                            
                                                                                            	Permissions InvestigatorPerms `json:"permissions"`
                                                                                            }

                                                                                              Investigator describes a single MIG investigator

                                                                                              func (*Investigator) CheckPermission

                                                                                              func (i *Investigator) CheckPermission(pv int64) bool

                                                                                                CheckPermission validates if an investigator has given permission pv

                                                                                                type InvestigatorAPIAuthHelper

                                                                                                type InvestigatorAPIAuthHelper struct {
                                                                                                	ID     float64 // Investigator ID
                                                                                                	APIKey []byte  // Key hash
                                                                                                	Salt   []byte  // Key salt
                                                                                                }

                                                                                                  InvestigatorAPIAuthHelper is a small struct used to pass information between the database and the API, and is used primarily for authorizing requests using API keys.

                                                                                                  type InvestigatorPerms

                                                                                                  type InvestigatorPerms struct {
                                                                                                  	Search             bool `json:"search"`
                                                                                                  	Action             bool `json:"action"`
                                                                                                  	ActionCreate       bool `json:"action_create"`
                                                                                                  	Command            bool `json:"command"`
                                                                                                  	Agent              bool `json:"agent"`
                                                                                                  	Dashboard          bool `json:"dashboard"`
                                                                                                  	Loader             bool `json:"loader"`
                                                                                                  	LoaderStatus       bool `json:"loader_status"`
                                                                                                  	LoaderExpect       bool `json:"loader_expect"`
                                                                                                  	LoaderKey          bool `json:"loader_key"`
                                                                                                  	LoaderNew          bool `json:"loader_new"`
                                                                                                  	Manifest           bool `json:"manifest"`
                                                                                                  	ManifestSign       bool `json:"manifest_sign"`
                                                                                                  	ManifestStatus     bool `json:"manifest_status"`
                                                                                                  	ManifestNew        bool `json:"manifest_new"`
                                                                                                  	ManifestLoaders    bool `json:"manifest_loaders"`
                                                                                                  	Investigator       bool `json:"investigator"`
                                                                                                  	InvestigatorCreate bool `json:"investigator_create"`
                                                                                                  	InvestigatorUpdate bool `json:"investigator_update"`
                                                                                                  }

                                                                                                    InvestigatorPerms describes permissions assigned to an investigator

                                                                                                    func (*InvestigatorPerms) AdminSet

                                                                                                    func (ip *InvestigatorPerms) AdminSet()

                                                                                                      AdminSet sets administrative permissions on the investigator

                                                                                                      func (*InvestigatorPerms) DefaultSet

                                                                                                      func (ip *InvestigatorPerms) DefaultSet()

                                                                                                        DefaultSet sets a default set of permissions on the investigator

                                                                                                        func (*InvestigatorPerms) FromMask

                                                                                                        func (ip *InvestigatorPerms) FromMask(mask int64)

                                                                                                          FromMask converts a permission bit mask into a boolean permission set

                                                                                                          func (*InvestigatorPerms) FromSetList

                                                                                                          func (ip *InvestigatorPerms) FromSetList(sl []string) error

                                                                                                            FromSetList applies permission sets in slice sl to the investigator

                                                                                                            func (*InvestigatorPerms) LoaderSet

                                                                                                            func (ip *InvestigatorPerms) LoaderSet()

                                                                                                              LoaderSet sets loader related permissions on the investigator

                                                                                                              func (*InvestigatorPerms) ManifestSet

                                                                                                              func (ip *InvestigatorPerms) ManifestSet()

                                                                                                                ManifestSet sets manifest related permissions on the investigator

                                                                                                                func (*InvestigatorPerms) ToDescriptive

                                                                                                                func (ip *InvestigatorPerms) ToDescriptive() string

                                                                                                                  ToDescriptive converts an existing boolean permission set to a descriptive string, used primarily in mig-console for summarizing permissions assigned to an investigator

                                                                                                                  func (*InvestigatorPerms) ToMask

                                                                                                                  func (ip *InvestigatorPerms) ToMask() (ret int64)

                                                                                                                    ToMask converts a boolean permission set to a permission bit mask

                                                                                                                    type LoaderAuthDetails

                                                                                                                    type LoaderAuthDetails struct {
                                                                                                                    	ID   float64
                                                                                                                    	Hash []byte
                                                                                                                    	Salt []byte
                                                                                                                    }

                                                                                                                      LoaderAuthDetails is a small helper type used primarily during the loader authentication process between the API and database code, temporarily stores authentication information

                                                                                                                      func (*LoaderAuthDetails) Validate

                                                                                                                      func (lad *LoaderAuthDetails) Validate() error

                                                                                                                        Validate validates a LoaderAuthDetails type

                                                                                                                        type LoaderEntry

                                                                                                                        type LoaderEntry struct {
                                                                                                                        	ID        float64   `json:"id"`        // Loader ID
                                                                                                                        	Name      string    `json:"name"`      // Loader name
                                                                                                                        	Prefix    string    `json:"prefix"`    // Loader key prefix
                                                                                                                        	Key       string    `json:"key"`       // Loader key (only populated during creation)
                                                                                                                        	AgentName string    `json:"agentname"` // Loader environment, agent name
                                                                                                                        	LastSeen  time.Time `json:"lastseen"`  // Last time loader was used
                                                                                                                        	Enabled   bool      `json:"enabled"`   // Loader entry is active
                                                                                                                        	ExpectEnv string    `json:"expectenv"` // Expected environment
                                                                                                                        }

                                                                                                                          LoaderEntry describes a loader entry stored in the database

                                                                                                                          func (*LoaderEntry) Validate

                                                                                                                          func (le *LoaderEntry) Validate() (err error)

                                                                                                                            Validate validates a loader entry

                                                                                                                            type Log

                                                                                                                            type Log struct {
                                                                                                                            	OpID, ActionID, CommandID float64
                                                                                                                            	Sev, Desc                 string
                                                                                                                            	Priority                  syslog.Priority
                                                                                                                            }

                                                                                                                              Log defines a log entry

                                                                                                                              func (Log) Alert

                                                                                                                              func (l Log) Alert() (mlog Log)

                                                                                                                                Alert sets Log entry level to alert

                                                                                                                                func (Log) Crit

                                                                                                                                func (l Log) Crit() (mlog Log)

                                                                                                                                  Crit sets Log entry level to critical

                                                                                                                                  func (Log) Debug

                                                                                                                                  func (l Log) Debug() (mlog Log)

                                                                                                                                    Debug sets log entry level to debug

                                                                                                                                    func (Log) Emerg

                                                                                                                                    func (l Log) Emerg() (mlog Log)

                                                                                                                                      Emerg sets Log entry level to emergency

                                                                                                                                      func (Log) Err

                                                                                                                                      func (l Log) Err() (mlog Log)

                                                                                                                                        Err sets Log entry level to error

                                                                                                                                        func (Log) Info

                                                                                                                                        func (l Log) Info() (mlog Log)

                                                                                                                                          Info sets Log entry level to info

                                                                                                                                          func (Log) Notice

                                                                                                                                          func (l Log) Notice() (mlog Log)

                                                                                                                                            Notice sets Log entry level to notice

                                                                                                                                            func (Log) Warning

                                                                                                                                            func (l Log) Warning() (mlog Log)

                                                                                                                                              Warning sets Log entry level to warning

                                                                                                                                              type Logging

                                                                                                                                              type Logging struct {
                                                                                                                                              	// configuration
                                                                                                                                              	Mode, Level, File, Host, Protocol, Facility string
                                                                                                                                              	Port                                        int
                                                                                                                                              	MaxFileSize                                 int64
                                                                                                                                              	// contains filtered or unexported fields
                                                                                                                                              }

                                                                                                                                                Logging stores the attributes needed to perform the logging

                                                                                                                                                func InitLogger

                                                                                                                                                func InitLogger(origLogctx Logging, progname string) (logctx Logging, err error)

                                                                                                                                                  InitLogger prepares the context for logging based on the configuration in Logging

                                                                                                                                                  func (Logging) Destroy

                                                                                                                                                  func (logctx Logging) Destroy()

                                                                                                                                                    Destroy can be used to indicate no further logging with the given logging context will take place

                                                                                                                                                    type ManifestEntry

                                                                                                                                                    type ManifestEntry struct {
                                                                                                                                                    	Name   string `json:"name"`   // Corresponds to a bundle name
                                                                                                                                                    	SHA256 string `json:"sha256"` // SHA256 of entry
                                                                                                                                                    }

                                                                                                                                                      ManifestEntry describes an individual file element within a manifest

                                                                                                                                                      type ManifestFetchResponse

                                                                                                                                                      type ManifestFetchResponse struct {
                                                                                                                                                      	Data []byte `json:"data"`
                                                                                                                                                      }

                                                                                                                                                        ManifestFetchResponse is the response to a manifest object fetch

                                                                                                                                                        type ManifestParameters

                                                                                                                                                        type ManifestParameters struct {
                                                                                                                                                        	AgentIdentifier Agent  `json:"agent"`  // Agent context information
                                                                                                                                                        	Object          string `json:"object"` // Object being requested
                                                                                                                                                        }

                                                                                                                                                          ManifestParameters are sent from the loader to the API as part of a manifest request.

                                                                                                                                                          func (*ManifestParameters) Validate

                                                                                                                                                          func (m *ManifestParameters) Validate() error

                                                                                                                                                            Validate validetes a ManifestParameters type for correct formatting

                                                                                                                                                            func (*ManifestParameters) ValidateFetch

                                                                                                                                                            func (m *ManifestParameters) ValidateFetch() error

                                                                                                                                                              ValidateFetch validates the parameters included in a manifest request with an object fetch component

                                                                                                                                                              type ManifestRecord

                                                                                                                                                              type ManifestRecord struct {
                                                                                                                                                              	ID         float64   `json:"id"`                // Manifest record ID
                                                                                                                                                              	Name       string    `json:"name"`              // The name of the manifest record
                                                                                                                                                              	Content    string    `json:"content,omitempty"` // Full data contents of record
                                                                                                                                                              	Timestamp  time.Time `json:"timestamp"`         // Record timestamp
                                                                                                                                                              	Status     string    `json:"status"`            // Record status
                                                                                                                                                              	Target     string    `json:"target"`            // Targetting parameters for record
                                                                                                                                                              	Signatures []string  `json:"signatures"`        // Signatures applied to the record
                                                                                                                                                              }

                                                                                                                                                                ManifestRecord describes a manifest record stored within the MIG database

                                                                                                                                                                func (*ManifestRecord) ContentFromFile

                                                                                                                                                                func (m *ManifestRecord) ContentFromFile(path string) (err error)

                                                                                                                                                                  ContentFromFile loads manifest content from a file on the file system (a gzip'd tar file), primarily utilized by mig-console during manifest creation operations

                                                                                                                                                                  func (*ManifestRecord) FileFromContent

                                                                                                                                                                  func (m *ManifestRecord) FileFromContent(path string) (err error)

                                                                                                                                                                    FileFromContent writes manifest content to a file on the file system

                                                                                                                                                                    func (*ManifestRecord) ManifestObject

                                                                                                                                                                    func (m *ManifestRecord) ManifestObject(obj string) ([]byte, error)

                                                                                                                                                                      ManifestObject returns the requested file object as a gzip compressed byte slice from the manifest record

                                                                                                                                                                      func (*ManifestRecord) ManifestResponse

                                                                                                                                                                      func (m *ManifestRecord) ManifestResponse() (ManifestResponse, error)

                                                                                                                                                                        ManifestResponse converts a manifest record into a manifest response

                                                                                                                                                                        func (*ManifestRecord) Sign

                                                                                                                                                                        func (m *ManifestRecord) Sign(keyid string, secring io.Reader) (sig string, err error)

                                                                                                                                                                          Sign will sign a manifest record using the indicated key ID

                                                                                                                                                                          func (*ManifestRecord) Validate

                                                                                                                                                                          func (m *ManifestRecord) Validate() (err error)

                                                                                                                                                                            Validate validates an existing manifest record

                                                                                                                                                                            type ManifestResponse

                                                                                                                                                                            type ManifestResponse struct {
                                                                                                                                                                            	LoaderName string          `json:"loader_name"`
                                                                                                                                                                            	Entries    []ManifestEntry `json:"entries"`
                                                                                                                                                                            	Signatures []string        `json:"signatures"`
                                                                                                                                                                            }

                                                                                                                                                                              ManifestResponse is the response to a standard manifest request

                                                                                                                                                                              func (*ManifestResponse) Validate

                                                                                                                                                                              func (m *ManifestResponse) Validate() error

                                                                                                                                                                                Validate validates a ManifestResponse type ensuring required content is present

                                                                                                                                                                                func (*ManifestResponse) VerifySignatures

                                                                                                                                                                                func (m *ManifestResponse) VerifySignatures(keyring io.Reader) (validcnt int, err error)

                                                                                                                                                                                  VerifySignatures verifies the signatures present in a manifest response against the keys present in keyring. It returns the number of valid unique signatures identified in the ManifestResponse.

                                                                                                                                                                                  type Operation

                                                                                                                                                                                  type Operation struct {
                                                                                                                                                                                  	Module     string      `json:"module"`
                                                                                                                                                                                  	Parameters interface{} `json:"parameters"`
                                                                                                                                                                                  
                                                                                                                                                                                  	// If WantCompressed is set in the operation, the parameters
                                                                                                                                                                                  	// will be compressed in PostAction() when the client sends the
                                                                                                                                                                                  	// action to the API. This will also result in IsCompressed being
                                                                                                                                                                                  	// marked as true, so the receiving agent knows it must decompress
                                                                                                                                                                                  	// the parameter data.
                                                                                                                                                                                  	IsCompressed   bool `json:"is_compressed,omitempty"`
                                                                                                                                                                                  	WantCompressed bool `json:"want_compressed,omitempty"`
                                                                                                                                                                                  }

                                                                                                                                                                                    Operation is an object that maps to an agent module. The parameters of the operation are passed to the module as an argument, and thus their format depends on the module itself.

                                                                                                                                                                                    func (*Operation) CompressOperationParam

                                                                                                                                                                                    func (op *Operation) CompressOperationParam() (err error)

                                                                                                                                                                                      CompressOperationParam compresses the parameters stored within an operation

                                                                                                                                                                                      func (*Operation) DecompressOperationParam

                                                                                                                                                                                      func (op *Operation) DecompressOperationParam() (err error)

                                                                                                                                                                                        DecompressOperationParam decompresses the parameters stored within an operation

                                                                                                                                                                                        type RunnerResult

                                                                                                                                                                                        type RunnerResult struct {
                                                                                                                                                                                        	Action     Action    `json:"action"`
                                                                                                                                                                                        	Commands   []Command `json:"commands"`
                                                                                                                                                                                        	EntityName string    `json:"name"`
                                                                                                                                                                                        	UsePlugin  string    `json:"plugin"`
                                                                                                                                                                                        }

                                                                                                                                                                                          RunnerResult describes results that are produced by mig-runner. This data would be consumed by mig-runner plugins.

                                                                                                                                                                                          type Threat

                                                                                                                                                                                          type Threat struct {
                                                                                                                                                                                          	Ref    string `json:"ref,omitempty"`
                                                                                                                                                                                          	Level  string `json:"level,omitempty"`
                                                                                                                                                                                          	Family string `json:"family,omitempty"`
                                                                                                                                                                                          	Type   string `json:"type,omitempty"`
                                                                                                                                                                                          }

                                                                                                                                                                                            Threat provides the investigator with details on a threat indicator if included in an action

                                                                                                                                                                                            Directories

                                                                                                                                                                                            Path Synopsis
                                                                                                                                                                                            mig
                                                                                                                                                                                            mig is the command line tool that investigators can use to launch actions for execution by agents to retrieve/display the results of the actions.
                                                                                                                                                                                            mig is the command line tool that investigators can use to launch actions for execution by agents to retrieve/display the results of the actions.
                                                                                                                                                                                            mig-action-generator
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            mig-action-verifier
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            mig-console
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            agentcontext
                                                                                                                                                                                            The agentcontext package provides functionality to obtain information about the system a given agent or loader is running on.
                                                                                                                                                                                            The agentcontext package provides functionality to obtain information about the system a given agent or loader is running on.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            The MIG loader is a simple bootstrapping tool for MIG.
                                                                                                                                                                                            The MIG loader is a simple bootstrapping tool for MIG.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This package implements interfaces to write modules for MIG.
                                                                                                                                                                                            This package implements interfaces to write modules for MIG.
                                                                                                                                                                                            agentdestroy
                                                                                                                                                                                            agentdestroy is a module used in the upgrade protocol to kill an agent that has been upgraded.
                                                                                                                                                                                            agentdestroy is a module used in the upgrade protocol to kill an agent that has been upgraded.
                                                                                                                                                                                            audit
                                                                                                                                                                                            Package audit implements a persistent module which can read and parse the operating system audit trail.
                                                                                                                                                                                            Package audit implements a persistent module which can read and parse the operating system audit trail.
                                                                                                                                                                                            dispatch
                                                                                                                                                                                            Package dispatch implements alert dispatching for the agent as a module.
                                                                                                                                                                                            Package dispatch implements alert dispatching for the agent as a module.
                                                                                                                                                                                            example
                                                                                                                                                                                            This is an example module.
                                                                                                                                                                                            This is an example module.
                                                                                                                                                                                            file
                                                                                                                                                                                            Package file provides functions to scan a file system as an agent module.
                                                                                                                                                                                            Package file provides functions to scan a file system as an agent module.
                                                                                                                                                                                            memory
                                                                                                                                                                                            The memory module implements scanning of the memory of processes using the Masche memory scanning package.
                                                                                                                                                                                            The memory module implements scanning of the memory of processes using the Masche memory scanning package.
                                                                                                                                                                                            netstat
                                                                                                                                                                                            netstat is a module that retrieves network information about the endpoint, such as mac addresses, local and connected IPs, listening TCP and UDP sockets and peers This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            netstat is a module that retrieves network information about the endpoint, such as mac addresses, local and connected IPs, listening TCP and UDP sockets and peers This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            ping
                                                                                                                                                                                            The Ping module implements icmp, tcp and udp pings/ Usage doc is online at http://mig.mozilla.org/doc/module_ping.html
                                                                                                                                                                                            The Ping module implements icmp, tcp and udp pings/ Usage doc is online at http://mig.mozilla.org/doc/module_ping.html
                                                                                                                                                                                            pkg
                                                                                                                                                                                            scribe
                                                                                                                                                                                            scribe module implementation for MIG.
                                                                                                                                                                                            scribe module implementation for MIG.
                                                                                                                                                                                            sshkey
                                                                                                                                                                                            Package sshkey implements the sshkey module in the agent
                                                                                                                                                                                            Package sshkey implements the sshkey module in the agent
                                                                                                                                                                                            timedrift
                                                                                                                                                                                            The timedrift module evaluate the local time of a target against network time retrieved using NTP.
                                                                                                                                                                                            The timedrift module evaluate the local time of a target against network time retrieved using NTP.
                                                                                                                                                                                            pgp
                                                                                                                                                                                            The PGP package is a helper around Golang's OpenPGP implementation
                                                                                                                                                                                            The PGP package is a helper around Golang's OpenPGP implementation
                                                                                                                                                                                            gpgagent
                                                                                                                                                                                            Package gpgagent interacts with the local GPG Agent.
                                                                                                                                                                                            Package gpgagent interacts with the local GPG Agent.
                                                                                                                                                                                            pinentry
                                                                                                                                                                                            Package pinentry interfaces with the pinentry(1) command to securely prompt the user for a password using whichever user interface the user is currently using.
                                                                                                                                                                                            Package pinentry interfaces with the pinentry(1) command to securely prompt the user for a password using whichever user interface the user is currently using.
                                                                                                                                                                                            runner-plugins
                                                                                                                                                                                            runner-compliance
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            This Source Code Form is subject to the terms of the Mozilla Public License, v.
                                                                                                                                                                                            runner-scribe
                                                                                                                                                                                            runner-scribe is a mig-runner plugin that processes results coming from automated actions and forwards the results as vulnerability events to MozDef
                                                                                                                                                                                            runner-scribe is a mig-runner plugin that processes results coming from automated actions and forwards the results as vulnerability events to MozDef
                                                                                                                                                                                            Package service provides a simple way to create a system service.
                                                                                                                                                                                            Package service provides a simple way to create a system service.