Descriptions/doc and log when https starts

4b0da779 · Jose Carlos Luna Duran · 68f0a923 · 4b0da779 · 4b0da779 · 4b0da779
Commit 4b0da779 authored 11 months ago by Jose Carlos Luna Duran
--- a/README.md
+++ b/README.md
@@ -64,6 +64,11 @@ Gocanary is a single binary that accepts command line options. Gocanary also rea
 It is intended to be run as `root` (to be able to bind to default DNS and WEB ports) and will drop privileges to `nobody` and sandbox file access using landlock (https://docs.kernel.org/userspace-api/landlock.html)
 Alternatively can be run as nonroot and changing the different ports, and then using iptables/nftables to redirect traffic to it.

+For generating a self-signed certificate:
+```bash
+openssl req -new -newkey rsa:4096 -days 3650 -nodes -keyout cert.key -out cert.pem  -x509 -subj "/C=CH/ST=GE/L=Geneva/O=CERN/CN=localhost.cern.ch"
+```
+


 ```

--- a/alert/alert.go
+++ b/alert/alert.go
@@ -56,8 +56,8 @@ func Initialize(slackhook string, silenceSeconds uint16) {
 	syslogger = sysl
 }

+// Send a slack message
 func PostSlackHook(message string) {
-
 	if time.Since(lastNotifTime).Seconds() < float64(config.silenceSeconds) {
 		lastNotifTime = time.Now()
 		return
@@ -97,6 +97,7 @@ func PostSlackHook(message string) {
 	log.Printf("Slack Response StatusCode: %d", resp.StatusCode)
 }

+// Handler for HTTP canary alerts
 func HTTPAlert(canaryinfo HTTPCanary, alertType string) {
 	if alertType == "log" || alertType == "all" {
 		slog.Info("token-alert",
@@ -123,6 +124,7 @@ func HTTPAlert(canaryinfo HTTPCanary, alertType string) {
 	}
 }

+// Handler for DNS canary alerts
 func DNSAlert(canaryinfo DNSCanary, alertType string) {
 	if alertType == "log" || alertType == "all" {
 		slog.Info("token-alert",

--- a/main.go
+++ b/main.go
@@ -55,6 +55,7 @@ func runCanary(cmd *cobra.Command, args []string) {

 	//Drop to nobody and LandLock
 	harden.DropPrivs()
+	slog.Debug("LandLocking")
 	harden.LandLock(binPath)

 	// Block forever if any server is running

--- a/server/dns/dns.go
+++ b/server/dns/dns.go
@@ -49,6 +49,7 @@ func checkAndAlert(q dns.Question, w dns.ResponseWriter, r *dns.Msg) {

 // Builds the A record, can be NXDOMAIN or a fixed answer from config
 func buildAnswer(q dns.Question, m *dns.Msg) {
+	log.Printf("hello3	")
 	//Fixed answer
 	if serverConfig.AnswerWith != "" {
 		rr, err := dns.NewRR(fmt.Sprintf("%s A %s", q.Name, serverConfig.AnswerWith))
@@ -66,6 +67,7 @@ func buildAnswer(q dns.Question, m *dns.Msg) {
 	}
 }

+// Handle all DNS queries
 func handleDNS(w dns.ResponseWriter, r *dns.Msg) {
 	m := new(dns.Msg)
 	m.SetReply(r)
@@ -87,7 +89,7 @@ func handleDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 }

-// bind and port num
+// DNS server proto udp
 func StartUDPListener(bindAddr string) {
 	server := &dns.Server{Addr: bindAddr, Net: "udp"}
 	log.Printf("Starting UDP DNS server on %s", bindAddr)
@@ -98,6 +100,7 @@ func StartUDPListener(bindAddr string) {
 	}()
 }

+// DNS server proto tcp
 func StartTCPListener(bindAddr string) {
 	serverTCP := &dns.Server{Addr: bindAddr, Net: "tcp"}
 	log.Printf("Starting TCP DNS server on %s", bindAddr)
@@ -108,7 +111,7 @@ func StartTCPListener(bindAddr string) {
 	}()
 }

-// bind ip and port num
+// Start the two types of DNS server
 func Start(runConfig DNSServerConfig) {
 	serverConfig = runConfig
 	dns.HandleFunc(".", handleDNS)

--- a/server/http/http.go
+++ b/server/http/http.go
@@ -132,7 +132,7 @@ func StartHTTPS(config HTTPSServerConfig) {

 	// Start HTTPS server
 	go func() {
-
+		log.Printf("Starting HTTPS server on %s", config.BindAddr)
 		if err := http.ListenAndServeTLS(config.BindAddr, config.CertFile, config.CertKeyFile, mux); err != nil {
 			log.Fatalf("HTTPS server failed: %s", err)
 		}

--- a/server/utils.go
+++ b/server/utils.go
@@ -8,6 +8,7 @@ import (
 	"net"
 )

+// Returns the public IP by creating a socket to a well known ip
 func getOutboundIPv4() net.IP {
 	conn, err := net.Dial("udp", "8.8.8.8:80")
 	if err != nil {
@@ -20,6 +21,7 @@ func getOutboundIPv4() net.IP {
 	return localAddr.IP
 }

+// Returns a bind string based on the public IP and the port given as a parameter
 func GetBindAddr(bindAddr string, port uint16) string {
 	if bindAddr != "" {
 		return fmt.Sprintf("%s:%d", bindAddr, port)

--- a/utils/harden/harden.go
+++ b/utils/harden/harden.go
@@ -12,6 +12,7 @@ import (

 var switchToUser = "nobody"

+// Show current capabilities of the running process
 func ShowCaps() {
 	caps, err := capability.NewPid(0)
 	if err != nil {
@@ -25,6 +26,7 @@ func ShowCaps() {

 }

+// As soon as possible drop root capabilities only to be able to bind and change user/group
 func MinCapabilities() {
 	// Keep the ability to bind to lower ports and drop privs
 	// NewPid(0) means current process
@@ -44,6 +46,7 @@ func MinCapabilities() {
 	log.Printf("now: %+v", caps)
 }

+// Drop to another user/group and clean supplementary groups
 func DropRoot() {
 	userInfo, err := user.Lookup(switchToUser)
 	if err != nil {
@@ -77,6 +80,7 @@ func DropRoot() {
 	}
 }

+// Locks this process to be able to read/write on certain file/paths
 func LandLock(extraPath string) {
 	err := landlock.V4.BestEffort().RestrictPaths(
 		landlock.RODirs("/etc"),
@@ -90,6 +94,7 @@ func LandLock(extraPath string) {
 	}
 }

+// If root drop privs to another user
 func DropPrivs() {
 	if syscall.Geteuid() == 0 {
 		DropRoot()