The purpose of this action is to audit DNS traffic from a GitHub Action workflow. The action achieves this by launching TCPDump and capturing DNS traffic. Traffic is captured in SLL2 packet format and then parsed for UDP packets. Once the packers have been captured the action can be called again with the output-file
parameter to output the data to a file on JSON format with additional metadata around the GitHub Action. From there it can be processed by sending it to a log analytics workspace or other SIEM, or uploaded as an artifact.
If the action is not called twice, the data will be output to the console as part of the post action step. Should you want to avoid that you can set the SUPRESS_DNS_AUDIT_OUTPUT
environment variable to true
in your workflow.
Name | Description | Required | Default |
---|---|---|---|
file-path | The path to the file to write the PCAP data to | true | /tmp/dns.pcap |
output-file | The path to the file to write the JSON data to | false | |
start-tcpdump | Whether or not to start tcpdump | true | true |
ex:
- name: Capture DNS traffic
uses:cds-snc/dns-audit-action@main
Then just review the Post Capture DNS Traffic
step in the logs to see the DNS traffic.
ex:
- name: Capture DNS traffic
uses:cds-snc/dns-audit-action@main
# Do other things here
- name: Write DNS traffic to file
uses: cds-snc/dns-audit-action@main
with:
output-file: dns_traffic.json
- name: Report deployment to Sentinel
uses: cds-snc/sentinel-forward-data-action@main
with:
file_name: dns_traffic.json
log_type: GitHubMetadata_CI_DNS_Queries
log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
MIT License (MIT)