ebwi11 / agentsmith-hids
An open-source host-based intrusion detection system (HIDS) built on kprobe technology, from E_Bwill.
License: GNU General Public License v2.0
You can refer to the following project:
https://github.com/slackhq/go-audit
The patching approach easily causes system instability; isn't the auditd that ships natively with the system more stable? go-audit can also obtain the information above through netlink.
dmesg output:
[38272942.059519] smith: loading out-of-tree module taints kernel.
[38272942.065264] smith: module verification failed: signature and/or required key missing - tainting kernel
[38272942.066388] smith: Unknown symbol __check_object_size (err 0)
[38273001.870752] smith: Unknown symbol __check_object_size (err 0)
[38273178.720850] smith: Unknown symbol __check_object_size (err 0)
[38273997.969412] smith: Unknown symbol __check_object_size (err 0)
AgentSmith-HIDS is positioned as a lightweight, high-performance intelligence collection tool. First, it can detect blind spots of NIDS such as reverse shells, execution of suspicious commands, downloads of malicious programs, some rootkits, and so on. Second, it can be linked with NIDS/CMDB to correlate: PID + PPID + nodename + cmdline + cwd + user + exe + TCP/UDP 5-tuple + raw data of some protocols + business-related information + FW_RULE + NIDS/HIDS rule ID + threat intelligence.
Had a preliminary look at the code:
https://github.com/DianrongSecurity/AgentSmith-HIDS/blob/master/agent/src/main.rs#L84
Currently the agent's rough logic is to parse syscalls and send them directly to Kafka.
Elastic already has a similar project called Auditbeat, which achieves a similar effect:
https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-installation.html
Related suggestions
Reference links
(This issue was opened by the AgentSmith-HIDS author, with the aim of keeping in touch with everyone and hearing feedback; it stays open indefinitely.)
Finally, personally I think that reading the whole README before asking questions is the minimum respect for other people's time, don't you agree?
The project involves C and Rust with no comments at all; it is far too hard to read.
A small fintech startup team urgently needs a security framework.
kretprobe is for tracing; does it have a blocking capability? Can that be implemented via the return value?
1. The hook approach's compatibility and stability are too weak; even switching to the ftrace approach would be better.
2. The agent needs to take compatibility into account. If you use Golang, Golang itself requires interfaces such as epoll, so you would have to give up some system platforms. I suggest doing this part in C.
The AgentSmith kernel module is currently being refactored to use kprobe, replacing the previous syscall hooking functionality.
The code is located at: https://github.com/EBWi11/AgentSmith-HIDS/tree/master/syshook/kprobe
Expected to be compatible with Linux kernel >= 2.6.32.
The driver seems to be incompatible with Ubuntu; make fails to compile.
Version info:
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018
Since what is hooked are system calls, and wrk is a web benchmark tool, I personally don't think it reflects the actual impact on the system well.
In our tests, since audit filters system calls, the impact depends on the number of system calls the application makes; at 20 system calls per second there is a 5% latency increase.
Test method
Read 500 bytes from /dev/zero and write them to /dev/null, repeated 100 million times (i.e. 100M):
dd if=/dev/zero of=/dev/null bs=500 count=100M
This produces roughly 200 million system calls (100 million read, 100 million write).
Test target | Total time (s) | Latency impact | Average time per syscall (μs)
---|---|---|---
No event listening | 42.3224 | (baseline) | 0.2116
auditd | 47.6929 | +12.68% | 0.2385
Also, how do you do resource control for the agent, to avoid affecting the business running on the machine?
For the specific approach, you can refer to the following articles.
AgentSmith-HIDS's HeartBeat scheme has the HeartBeat thread exit under unknown circumstances; it is hard to reproduce reliably, and we are investigating it at full effort.