From 032d21de14b29499f64a1d9100062c68131f2390 Mon Sep 17 00:00:00 2001 From: Jatin <84621253+h0x0er@users.noreply.github.com> Date: Fri, 3 Jul 2026 15:41:06 +0530 Subject: [PATCH 1/2] don't net-conn event for sinkhole-ip as this was causing issue in generation of dummyNetworkEvent incase a domain was blocked. enabled setting to protect agent from getting killed --- agent.go | 7 +++++++ global_feature_flags.go | 1 + netmon.go | 19 +++++++++++-------- 3 files changed, 19 insertions(+), 8 deletions(-) diff --git a/agent.go b/agent.go index 5c26893..07c1d4a 100644 --- a/agent.go +++ b/agent.go @@ -80,6 +80,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer, InitGlobalFeatureFlags(config.APIURL, apiclient) WriteLog("initialized global feature flags") WriteLog("\n") + globalFlags := GetGlobalFeatureFlags() globalBlocklistResponse, err := apiclient.getGlobalBlocklist() globalBlocklist := NewGlobalBlocklist(globalBlocklistResponse) @@ -253,6 +254,12 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer, Pids: getPidsOfInterest(), Files: []string{}, EnforceReadBlock: false, + EnforceKillBlock: func() bool { + if globalFlags.DisableKillEnforcement { + return false + } + return true + }(), ApiConf: &armour.ApiConf{ APIURL: config.APIURL, Repo: config.Repo, diff --git a/global_feature_flags.go b/global_feature_flags.go index f760a73..81201aa 100644 --- a/global_feature_flags.go +++ b/global_feature_flags.go @@ -14,6 +14,7 @@ type GlobalFeatureFlags struct { AgentType string `json:"agent_type"` EnableArmour bool `json:"enable_armour"` EnableCustomDetectionRules bool `json:"enable_custom_detection_rules"` + DisableKillEnforcement bool `json:"disable_kill_enforcement,omitempty"` } // GlobalFeatureFlagManager manages fetching and caching of global feature flags. diff --git a/netmon.go b/netmon.go index 6188a90..b0be672 100644 --- a/netmon.go +++ b/netmon.go @@ -109,16 +109,19 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) { if isSYN || isUDP { if status == "Dropped" { - netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo, - ipv4Address, port, "", status, matchedPolicy, reason, timestamp, Tool{Name: Unknown, SHA256: Unknown}) - - logMessage := fmt.Sprintf("ip address dropped: %s", ipv4Address) - if reason != "" { - logMessage = fmt.Sprintf("%s, reason: %s", logMessage, reason) - } - go WriteLog(logMessage) if ipv4Address != StepSecuritySinkHoleIPAddress { // Sinkhole IP address will be covered by DNS block + + netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo, + ipv4Address, port, "", status, matchedPolicy, reason, timestamp, Tool{Name: Unknown, SHA256: Unknown}) + + logMessage := fmt.Sprintf("ip address dropped: %s", ipv4Address) + if reason != "" { + logMessage = fmt.Sprintf("%s, reason: %s", logMessage, reason) + } + + go WriteLog(logMessage) + go WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Traffic to IP Address %s was blocked", ipv4Address)) } } From 1cfaccb13a680215b4d0a7fa8c8af6b02dca53bf Mon Sep 17 00:00:00 2001 From: Jatin <84621253+h0x0er@users.noreply.github.com> Date: Fri, 3 Jul 2026 16:08:09 +0530 Subject: [PATCH 2/2] resovled comments --- agent.go | 7 +------ netmon.go | 32 +++++++++++++++++--------------- 2 files changed, 18 insertions(+), 21 deletions(-) diff --git a/agent.go b/agent.go index 07c1d4a..acee4eb 100644 --- a/agent.go +++ b/agent.go @@ -254,12 +254,7 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer, Pids: getPidsOfInterest(), Files: []string{}, EnforceReadBlock: false, - EnforceKillBlock: func() bool { - if globalFlags.DisableKillEnforcement { - return false - } - return true - }(), + EnforceKillBlock: !globalFlags.DisableKillEnforcement, ApiConf: &armour.ApiConf{ APIURL: config.APIURL, Repo: config.Repo, diff --git a/netmon.go b/netmon.go index b0be672..44edcee 100644 --- a/netmon.go +++ b/netmon.go @@ -104,30 +104,32 @@ func (netMonitor *NetworkMonitor) handlePacket(attrs nflog.Attribute) { cacheKey := fmt.Sprintf("%s:%s:%s", ipv4Address, port, status) _, found := ipAddresses[cacheKey] - if !found { - ipAddresses[cacheKey] = true + if found { + netMonitor.netMutex.Unlock() + return + } + ipAddresses[cacheKey] = true + netMonitor.netMutex.Unlock() - if isSYN || isUDP { - if status == "Dropped" { + if isSYN || isUDP { + if status == "Dropped" { - if ipv4Address != StepSecuritySinkHoleIPAddress { // Sinkhole IP address will be covered by DNS block + if ipv4Address != StepSecuritySinkHoleIPAddress { // Sinkhole IP address will be covered by DNS block - netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo, - ipv4Address, port, "", status, matchedPolicy, reason, timestamp, Tool{Name: Unknown, SHA256: Unknown}) + netMonitor.ApiClient.sendNetConnection(netMonitor.CorrelationId, netMonitor.Repo, + ipv4Address, port, "", status, matchedPolicy, reason, timestamp, Tool{Name: Unknown, SHA256: Unknown}) - logMessage := fmt.Sprintf("ip address dropped: %s", ipv4Address) - if reason != "" { - logMessage = fmt.Sprintf("%s, reason: %s", logMessage, reason) - } + logMessage := fmt.Sprintf("ip address dropped: %s", ipv4Address) + if reason != "" { + logMessage = fmt.Sprintf("%s, reason: %s", logMessage, reason) + } - go WriteLog(logMessage) + go WriteLog(logMessage) - go WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Traffic to IP Address %s was blocked", ipv4Address)) - } + go WriteAnnotation(fmt.Sprintf("StepSecurity Harden Runner: Traffic to IP Address %s was blocked", ipv4Address)) } } } - netMonitor.netMutex.Unlock() } }