diff --git a/agent.go b/agent.go index 5c26893..acee4eb 100644 --- a/agent.go +++ b/agent.go @@ -80,6 +80,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer, InitGlobalFeatureFlags(config.APIURL, apiclient) WriteLog("initialized global feature flags") WriteLog("\n") + globalFlags := GetGlobalFeatureFlags() globalBlocklistResponse, err := apiclient.getGlobalBlocklist() globalBlocklist := NewGlobalBlocklist(globalBlocklistResponse) @@ -253,6 +254,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer, Pids: getPidsOfInterest(), Files: []string{}, EnforceReadBlock: false, + EnforceKillBlock: !globalFlags.DisableKillEnforcement, ApiConf: &armour.ApiConf{ APIURL: config.APIURL, Repo: config.Repo, diff --git a/global_feature_flags.go b/global_feature_flags.go index f760a73..81201aa 100644 --- a/global_feature_flags.go +++ b/global_feature_flags.go @@ -14,6 +14,7 @@ type GlobalFeatureFlags struct { AgentType string `json:"agent_type"` EnableArmour bool `json:"enable_armour"` EnableCustomDetectionRules bool `json:"enable_custom_detection_rules"` + DisableKillEnforcement bool `json:"disable_kill_enforcement,omitempty"` } // GlobalFeatureFlagManager manages fetching and caching of global feature flags. diff --git a/netmon.go b/netmon.go index 6188a90..44edcee 100644 --- a/netmon.go +++ b/netmon.go @@ -104,11 +104,18 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) { cacheKey := fmt.Sprintf("%s:%s:%s", ipv4Address, port, status) _, found := ipAddresses[cacheKey] - if !found { - ipAddresses[cacheKey] = true + if found { + netMonitor.netMutex.Unlock() + return + } + ipAddresses[cacheKey] = true + netMonitor.netMutex.Unlock() + + if isSYN || isUDP { + if status == "Dropped" { + + if ipv4Address != StepSecuritySinkHoleIPAddress { // Sinkhole IP address will be covered by DNS block - if isSYN || isUDP { - if status == "Dropped" { netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo, ipv4Address, port, "", status, matchedPolicy, reason, timestamp, Tool{Name: Unknown, SHA256: Unknown}) @@ -116,15 +123,13 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) { if reason != "" { logMessage = fmt.Sprintf("%s, reason: %s", logMessage, reason) } + go WriteLog(logMessage) - if ipv4Address != StepSecuritySinkHoleIPAddress { // Sinkhole IP address will be covered by DNS block - go WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Traffic to IP Address %s was blocked", ipv4Address)) - } + go WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Traffic to IP Address %s was blocked", ipv4Address)) } } } - netMonitor.netMutex.Unlock() } }