anvilsecure / dawgmon
Licence: BSD-3-Clause License
dawg the hallway monitor - monitor operating system changes and analyze introduced attack surface when installing software
Stars: ✭ 52
Labels
Projects that are alternatives of or similar to dawgmon
I3 Gaps Deb
Tool to create and install Debian (or Ubuntu) packages of i3-gaps.
Stars: ✭ 236 (+353.85%)
Mutual labels: debian, ubuntu
ExDeMon
A general purpose metrics monitor implemented with Apache Spark. Kafka source, Elastic sink, aggregate metrics, different analysis, notifications, actions, live configuration update, missing metrics, ...
Stars: ✭ 19 (-63.46%)
Mutual labels: monitoring-application, monitoring-tool
Kvm Install Vm
Bash script to build local virtual machines using KVM/libvirt and cloud-init.
Stars: ✭ 248 (+376.92%)
Mutual labels: debian, ubuntu
Mindforger Repository
MindForger documentation repository.
Stars: ✭ 221 (+325%)
Mutual labels: debian, ubuntu
InstallOS
Network reinstallation of the Linux system.
Stars: ✭ 34 (-34.62%)
Mutual labels: debian, ubuntu
Deb Simple
A lightweight, bare-bones apt repository server
Stars: ✭ 222 (+326.92%)
Mutual labels: debian, ubuntu
ansible-dnsmasq
Ansible role to set up Dnsmasq in Debian-like systems
Stars: ✭ 18 (-65.38%)
Mutual labels: debian, ubuntu
Packer Build
Packer Automated VM Image and Vagrant Box Builds
Stars: ✭ 199 (+282.69%)
Mutual labels: debian, ubuntu
sublime-patcher
Bash script for patching/cracking Sublime Text on Linux
Stars: ✭ 20 (-61.54%)
Mutual labels: debian, ubuntu
assimilation-official
This is the official main repository for the Assimilation project
Stars: ✭ 47 (-9.62%)
Mutual labels: monitoring-application, monitoring-tool
Mtprotoproxyinstaller
One-click script to install MTProto Proxy server on CentOS, Ubuntu and Debian
Stars: ✭ 216 (+315.38%)
Mutual labels: debian, ubuntu
intellij-idea-ultimate
Unofficial .deb packages of IntelliJ IDEA Ultimate Edition. This is a mirror of https://gitlab.com/mmk2410/intellij-idea-ultimate
Stars: ✭ 16 (-69.23%)
Mutual labels: debian, ubuntu
Howdy
🛡️ Windows Hello™ style facial authentication for Linux
Stars: ✭ 3,237 (+6125%)
Mutual labels: debian, ubuntu
Termite Style
Simple script to change color-schemes and fonts for Termite.
Stars: ✭ 224 (+330.77%)
Mutual labels: debian, ubuntu
Lamp
Install LAMP(Linux + Apache + MySQL/MariaDB + PHP ) for CentOS/Debian/Ubuntu
Stars: ✭ 2,456 (+4623.08%)
Mutual labels: debian, ubuntu
Iptables Boilerplate
rock solid default firewall-rules for webhosts
Stars: ✭ 249 (+378.85%)
Mutual labels: debian, ubuntu
Rpi Pxe Server
setup a Raspberry Pi as an PXE-Server
Stars: ✭ 197 (+278.85%)
Mutual labels: debian, ubuntu
gochanges
**[ARCHIVED]** website changes tracker 🔍
Stars: ✭ 12 (-76.92%)
Mutual labels: monitoring-application, monitoring-tool
pi-encrypted-boot-ssh
🔑 Raspberry Pi Encrypted Boot with Remote SSH
Stars: ✭ 96 (+84.62%)
Mutual labels: ubuntu, secure
dawgmon - Dawg the Hallway Monitor SUMMARY The name of this tool is based upon an episode (season 10, episode 10) of South Park in which Cartman is Dawg the Hallway Monitor patrolling the hallways of his school. It's a tool which helps one to monitor changes which have taken place on a Linux-based system since the previous time the tool was ran. One way to use it is to use something like the included sample cronjob to run dawgmon on a regular interval and email the results to the system administrator. This can help with identifying machines upon which nefarious things are happening and monitor who's installing what and where. Please note that any serious kernel backdoor will easily be able to hide itself from this tool and as such it's just one added tool in one's toolkit but it should not relied upon for full security monitoring of Linux machines. It's just one extra option in one's toolbox. The other way it's useful is by generating a baseline before installing a piece of software. Then after installing this piece of software one will run the tool again and then it's easy to see which changes were made on the system. An example after establishing a baseline and then installing virtualbox on a machine might yield something like this: # ./dawgmon -gfA 1 change detected (0 warnings) + systemd property NNames changed from 259 to 261 # apt install virtualbox-5.1 [...] # ./dawgmon -gfA 33 changes detected (0 warnings) + size of file /etc/group changed from 937 to 954 + file /etc/group got modified on 2017-09-14 19:29:51.804811 +0200 + size of file /etc/group- changed from 934 to 937 + file /etc/group- got modified on 2017-09-14 19:29:14.000000 +0200 + file /etc/gshadow got modified on 2017-09-14 19:29:51.812811 +0200 + size of file /etc/gshadow- changed from 777 to 794 + size of file /etc/mailcap changed from 40777 to 41063 + file /etc/mailcap got modified on 2017-09-14 19:29:51.632812 +0200 + file /etc/systemd/system/multi-user.target.wants/vboxautostart-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=49) + file /etc/systemd/system/multi-user.target.wants/vboxballoonctrl-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=51) + file /etc/systemd/system/multi-user.target.wants/vboxdrv.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=35) + file /etc/systemd/system/multi-user.target.wants/vboxweb-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=43) + file /etc/udev/rules.d/60-vboxdrv.rules got created (owner=root, group=root, perm=-rw-r--r--, size=747) + group vboxusers added + package virtualbox-5.1 is to be installed + suid binary /usr/lib/virtualbox/VBoxHeadless got created (owner=root, group=root, perm=-r-s--x--x, size=158304) + suid binary /usr/lib/virtualbox/VBoxNetAdpCtl got created (owner=root, group=root, perm=-r-s--x--x, size=23144) + suid binary /usr/lib/virtualbox/VBoxNetDHCP got created (owner=root, group=root, perm=-r-s--x--x, size=158304) + suid binary /usr/lib/virtualbox/VBoxNetNAT got created (owner=root, group=root, perm=-r-s--x--x, size=158304) + suid binary /usr/lib/virtualbox/VBoxSDL got created (owner=root, group=root, perm=-r-s--x--x, size=158296) + suid binary /usr/lib/virtualbox/VBoxVolInfo got created (owner=root, group=root, perm=-r-s--x--x, size=10472) + suid binary /usr/lib/virtualbox/VirtualBox got created (owner=root, group=root, perm=-r-s--x--x, size=158304) + i-node for listening UNIX socket /run/systemd/private changed from 3428734 to 3452848 + systemd property NInstalledJobs changed from 8392199 to 3238035463 + systemd property NNames changed from 261 to 263 + systemd unit file vboxautostart-service.service added + systemd unit file vboxballoonctrl-service.service added + systemd unit file vboxdrv.service added + systemd unit file vboxweb-service.service added + systemd unit 'vboxautostart-service.service' added + systemd unit 'vboxballoonctrl-service.service' added + systemd unit 'vboxdrv.service' added + systemd unit 'vboxweb-service.service' added The above helps with now doing a thorough security review of virtualbox. The installed suid binaries are obvious points of entry and the run services are interesting. Another example run which correctly detects TCP ports opening and closing: # ./dawgmon -gfA 0 changes detected (0 warnings) # nc -l -p 4455 & [1] 12489 # ./dawgmon -gfA 1 change detected (0 warnings) + port 4455 tcp opened # fg nc -l -p 4455 ^C # ./dawgmon -gfA 1 change detected (0 warnings) + port 4455 tcp closed # The tool is not meant for complete accuracy. There are very serious recommendations normally to not rely on the output of GNU core-utils such as ls for tool input. In other words; one should rarely build tools to parse and rely on this type of output as it can change all the time. Realistically the output of these tools is relatively stable as a lot of people and automatic tools already rely on their outputs for all kinds of purposes. However the tradeoff for dawgmon is the following; we would need to implement a lot of logic to do file system monitoring ourselves, build complex binaries that include libraries to do the parsing and monitoring of block devices, the network interfaces and what not more. This will also make the tool way more complex and less maintainable. On projects right now one can add a new command including change detection in very little time as the main dawgmon tool already takes care of caching, executing the command and then supplying the previous and current output when running a comparision to a command implementation. This means that on time-constrained projects one can very quickly add a new command and run analysises including those new commands. A command can be added by simply inheriting from the Command class. This class is defined in commands/__init__.py. That file contains also the master list of commands (and the order in which they're executed when doing a full analysis). Then the properties like 'name', 'shell', 'command' and 'desc' will have to be set and two methods 'parse()' and 'compare()' will have to be implemented. Enough commands are included to get a good idea on how to implement and add new ones. USAGE For best results run the tool as root. For help type -h/--help and for version information type -v/--version. A main action will always have to be specified. These actions are: -A: analyze the system -C: compare cache entries -E: list available commands -L: list cache entries # runs an analysis dawgmon -A # runs an analysis but only with a few commands dawgmon -A -e list_suids -e list_tcpudp_ports # shows the list of available commands dawgmon -E # shows available cache entries for comparison dawgmon -L # compare old cache entry 3 with new cache entry 5 dawgmon -C 3 5 Further options to help with the analysis are: -d: show debug output -e: execute a specific command (can be used multiple times) -f: force a run without warning about running as root -g: colorize the output -l: location of the database cache to use -m: maximum amount of cache entries to allow in cache (if cache has more entries than this amount it will truncate the database) -t: do not output timestamp information per detected anomaly. For more usage information run the tool with -h. LIMITATIONS The tool parses output of commandline tools and relies on GNU core-utils specific options for some of it. There's no specific reason why this tool and the command implementations cannot be quickly ported to other operating systems such as the BSD's but right now no Operating System detection is taking place nor is there a classification of commands based on Operating System support being done. That would have to be implemented first. Regarding the finding of pipes, UNIX sockets, files in /boot, /etc and more one should note that the usage of -xdev passed to 'find' means that not all filesystems mounted under the start directory will be traversed. This means that for example /boot will be properly scanned but /boot/efi might not be. Some smarter approach will have to be used here in the future. The timestamps when doing a current analysis might be a bit confusing. By default a timestamp for a warning, normal or debug anomaly message will be the timestamp of its generation time (as can be seen in commands/__init__.py). The anomalies are generated after a full commandline scan has been done. So the output upon which this detection works was generated earlier and subsequently the timestamps for individual anomalies show a time after the time of the scan. When comparing cache entries the timestamp of the scan is being used to output the time at which the detection happend as that makes logically simply more sense. ABOUT All rights reserved. Copyright (C) 2017-2019 by Anvil Ventures Inc. For licensing information see LICENSE. For more information contact Vincent Berg <[email protected]> To find updated source code or to contribute patches go to the following URL: https://github.com/anvilventures/dawgmon/
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].