fix 0xrawsec#123

hids/actions.go → agent/actions.go

@@ -1,4 +1,4 @@
-package hids
+package agent
 
 import (
 	"bytes"
@@ -62,14 +62,14 @@ var (
 
 type ActionHandler struct {
 	ctx                    context.Context
-	hids                   *HIDS
+	hids                   *Agent
 	queue                  *datastructs.Fifo
 	compressionQueue       *datastructs.Fifo
 	compressionLoopRunning bool
 	semJobs                semaphore.Semaphore
 }
 
-func NewActionHandler(h *HIDS) *ActionHandler {
+func NewActionHandler(h *Agent) *ActionHandler {
 	return &ActionHandler{
 		ctx:              h.ctx,
 		hids:             h,

hids/hids.go → agent/agent.go

@@ -1,4 +1,4 @@
-package hids
+package agent
 
 import (
 	"bytes"
@@ -26,9 +26,11 @@ import (
 	"github.com/0xrawsec/golang-utils/fsutil"
 	"github.com/0xrawsec/golang-utils/fsutil/fswalker"
 	"github.com/0xrawsec/golang-utils/log"
-	"github.com/0xrawsec/whids/api"
+	"github.com/0xrawsec/whids/agent/config"
+	"github.com/0xrawsec/whids/agent/sysinfo"
+	"github.com/0xrawsec/whids/api/client"
+	"github.com/0xrawsec/whids/api/server"
 	"github.com/0xrawsec/whids/event"
-	"github.com/0xrawsec/whids/hids/sysinfo"
 	"github.com/0xrawsec/whids/los"
 	"github.com/0xrawsec/whids/sysmon"
 	"github.com/0xrawsec/whids/tools"
@@ -52,8 +54,6 @@ var (
 
 	/** Private vars **/
 
-	emptyForwarderConfig = api.ForwarderConfig{}
-
 	// extensions of files to upload to manager
 	uploadExts = datastructs.NewInitSyncedSet(".gz", ".sha256")
 
@@ -62,8 +62,8 @@ var (
 	toolsDir = utils.RelativePath("Tools")
 )
 
-// HIDS structure
-type HIDS struct {
+// Agent structure
+type Agent struct {
 	sync.RWMutex // Mutex to lock the IDS when updating rules
 	ctx          context.Context
 	cancel       context.CancelFunc
@@ -75,10 +75,10 @@ type HIDS struct {
 	stats           *EventStats
 	preHooks        *HookManager
 	postHooks       *HookManager
-	forwarder       *api.Forwarder
+	forwarder       *client.Forwarder
 	channels        *datastructs.SyncedSet // Windows log channels to listen to
 	channelsSignals chan bool
-	config          *Config
+	config          *config.Agent
 	waitGroup       sync.WaitGroup
 
 	flagProcTermEn bool
@@ -101,30 +101,30 @@ type HIDS struct {
 	PrintAll bool
 }
 
-func newActionnableEngine(c *Config) (e *engine.Engine) {
+func newActionnableEngine(c *config.Agent) (e *engine.Engine) {
 	e = engine.NewEngine()
 	e.ShowActions = true
 	if c.Actions.Low != nil {
-		e.SetDefaultActions(actionLowLow, actionLowHigh, c.Actions.Low)
+		e.SetDefaultActions(config.ActionLowLow, config.ActionLowHigh, c.Actions.Low)
 	}
 	if c.Actions.Medium != nil {
-		e.SetDefaultActions(actionMediumLow, actionMediumHigh, c.Actions.Medium)
+		e.SetDefaultActions(config.ActionMediumLow, config.ActionMediumHigh, c.Actions.Medium)
 	}
 	if c.Actions.High != nil {
-		e.SetDefaultActions(actionHighLow, actionHighHigh, c.Actions.High)
+		e.SetDefaultActions(config.ActionHighLow, config.ActionHighHigh, c.Actions.High)
 	}
 	if c.Actions.Critical != nil {
-		e.SetDefaultActions(actionCriticalLow, actionCriticalHigh, c.Actions.Critical)
+		e.SetDefaultActions(config.ActionCriticalLow, config.ActionCriticalHigh, c.Actions.Critical)
 	}
 	return
 }
 
-// NewHIDS creates a new HIDS object from configuration
-func NewHIDS(c *Config) (h *HIDS, err error) {
+// NewAgent creates a new Agent object from configuration
+func NewAgent(c *config.Agent) (h *Agent, err error) {
 
 	ctx, cancel := context.WithCancel(context.Background())
 
-	h = &HIDS{
+	h = &Agent{
 		ctx:             ctx,
 		cancel:          cancel,
 		scheduler:       crony.NewWithContext(ctx),
@@ -167,7 +167,7 @@ func NewHIDS(c *Config) (h *HIDS, err error) {
 	}
 
 	// loading forwarder config
-	if h.forwarder, err = api.NewForwarder(h.ctx, h.config.FwdConfig); err != nil {
+	if h.forwarder, err = client.NewForwarder(h.ctx, h.config.FwdConfig); err != nil {
 		return
 	}
 
@@ -193,11 +193,11 @@ func NewHIDS(c *Config) (h *HIDS, err error) {
 
 /** Private Methods **/
 
-func (h *HIDS) initEnvVariables() {
+func (h *Agent) initEnvVariables() {
 	os.Setenv(los.PathEnvVar, los.BuildPathEnv(los.GetPathEnv(), toolsDir))
 }
 
-func (h *HIDS) initDB() (err error) {
+func (h *Agent) initDB() (err error) {
 
 	if err = h.db.Create(&tools.Tool{}, sod.DefaultSchema); err != nil {
 		return
@@ -206,7 +206,7 @@ func (h *HIDS) initDB() (err error) {
 	return
 }
 
-func (h *HIDS) initEventProvider() {
+func (h *Agent) initEventProvider() {
 
 	// parses the providers and init filters
 	for _, sprov := range h.config.EtwConfig.UnifiedProviders() {
@@ -226,7 +226,7 @@ func (h *HIDS) initEventProvider() {
 
 }
 
-func (h *HIDS) initHooks(advanced bool) {
+func (h *Agent) initHooks(advanced bool) {
 	// We enable those hooks anyway since it is needed to skip
 	// events generated by WHIDS process. These ar very light hooks
 	h.preHooks.Hook(hookSelfGUID, fltProcessCreate)
@@ -253,7 +253,7 @@ func (h *HIDS) initHooks(advanced bool) {
 	}
 }
 
-func (h *HIDS) update(force bool) (last error) {
+func (h *Agent) update(force bool) (last error) {
 	var reloadRules, reloadContainers bool
 
 	// check that we are connected to any manager
@@ -347,7 +347,7 @@ func (h *HIDS) update(force bool) (last error) {
 }
 
 // rules needs to be updated with the new ones available in manager
-func (h *HIDS) needsRulesUpdate() bool {
+func (h *Agent) needsRulesUpdate() bool {
 	var err error
 	var oldSha256, sha256 string
 	_, rulesSha256Path := h.config.RulesConfig.RulesPaths()
@@ -373,15 +373,15 @@ func (h *HIDS) needsRulesUpdate() bool {
 }
 
 // returns true if a container needs to be updated
-func (h *HIDS) needsIoCsUpdate() bool {
+func (h *Agent) needsIoCsUpdate() bool {
 	var localSha256, remoteSha256 string
 
 	// Don't need update if not connected to a manager
 	if !h.config.IsForwardingEnabled() {
 		return false
 	}
 
-	container := api.IoCContainerName
+	container := server.IoCContainerName
 	_, locContSha256Path := h.containerPaths(container)
 
 	// means that remoteCont is also a local container
@@ -396,7 +396,7 @@ func (h *HIDS) needsIoCsUpdate() bool {
 	return localSha256 != remoteSha256
 }
 
-func (h *HIDS) fetchRulesFromManager() (err error) {
+func (h *Agent) fetchRulesFromManager() (err error) {
 	var rules, sha256 string
 
 	rulePath, sha256Path := h.config.RulesConfig.RulesPaths()
@@ -424,13 +424,13 @@ func (h *HIDS) fetchRulesFromManager() (err error) {
 }
 
 // containerPaths returns the path to the container and the path to its sha256 file
-func (h *HIDS) containerPaths(container string) (path, sha256Path string) {
+func (h *Agent) containerPaths(container string) (path, sha256Path string) {
 	path = filepath.Join(h.config.RulesConfig.ContainersDB, fmt.Sprintf("%s%s", container, containerExt))
 	sha256Path = fmt.Sprintf("%s.sha256", path)
 	return
 }
 
-func (h *HIDS) fetchIoCsFromManager() (err error) {
+func (h *Agent) fetchIoCsFromManager() (err error) {
 	var iocs []string
 	cl := h.forwarder.Client
 
@@ -449,11 +449,11 @@ func (h *HIDS) fetchIoCsFromManager() (err error) {
 	if sha256, err := cl.GetIoCsSha256(); err != nil {
 		return fmt.Errorf("failed to get IoCs sha256: %s", err)
 	} else if compSha256 != sha256 {
-		return fmt.Errorf("failed to verify container \"%s\" integrity", api.IoCContainerName)
+		return fmt.Errorf("failed to verify container \"%s\" integrity", server.IoCContainerName)
 	}
 
 	// we dump the container
-	contPath, contSha256Path := h.containerPaths(api.IoCContainerName)
+	contPath, contSha256Path := h.containerPaths(server.IoCContainerName)
 	fd, err := utils.HidsCreateFile(contPath)
 	if err != nil {
 		return err
@@ -483,7 +483,7 @@ func (h *HIDS) fetchIoCsFromManager() (err error) {
 }
 
 // loads containers found in container database directory
-func (h *HIDS) loadContainers(engine *engine.Engine) (lastErr error) {
+func (h *Agent) loadContainers(engine *engine.Engine) (lastErr error) {
 	for wi := range fswalker.Walk(h.config.RulesConfig.ContainersDB) {
 		for _, fi := range wi.Files {
 			path := filepath.Join(wi.Dirpath, fi.Name())
@@ -515,7 +515,7 @@ func (h *HIDS) loadContainers(engine *engine.Engine) (lastErr error) {
 	return
 }
 
-func (h *HIDS) updateSystemInfo() (err error) {
+func (h *Agent) updateSystemInfo() (err error) {
 	var hnew, hold string
 
 	new := sysinfo.NewSystemInfo()
@@ -543,7 +543,7 @@ need to update because Sysmon.exe (32 bit version) contains both the
 32 and 64 bit version of the tool. When Sysmon gets installed only one
 of the two versions is installed.
 */
-func (h *HIDS) updateSysmon() (err error) {
+func (h *Agent) updateSysmon() (err error) {
 	var version string
 	var si *sysmon.Info
 
@@ -589,7 +589,7 @@ func (h *HIDS) updateSysmon() (err error) {
 	return
 }
 
-func (h *HIDS) updateSysmonConfig() (err error) {
+func (h *Agent) updateSysmonConfig() (err error) {
 	var remoteSha256 string
 	var xml []byte
 	var cfg *sysmon.Config
@@ -614,7 +614,7 @@ func (h *HIDS) updateSysmonConfig() (err error) {
 			return
 		}
 
-	case api.ErrNoSysmonConfig:
+	case client.ErrNoSysmonConfig:
 		// no configuration available on the manager
 
 		log.Info("No Sysmon config found on manager, trying to use default config")
@@ -649,7 +649,7 @@ func (h *HIDS) updateSysmonConfig() (err error) {
 	return
 }
 
-func (h *HIDS) cleanup() {
+func (h *Agent) cleanup() {
 	// Cleaning up empty dump directories if needed
 	fis, _ := ioutil.ReadDir(h.config.Dump.Dir)
 	for _, fi := range fis {
@@ -665,7 +665,7 @@ func (h *HIDS) cleanup() {
 /** Public Methods **/
 
 // IsHIDSEvent returns true if the event is generated by IDS activity
-func (h *HIDS) IsHIDSEvent(e *event.EdrEvent) bool {
+func (h *Agent) IsHIDSEvent(e *event.EdrEvent) bool {
 	if pguid, ok := e.GetString(pathSysmonParentProcessGUID); ok {
 		if pguid == h.guid {
 			return true
@@ -699,7 +699,7 @@ func (h *HIDS) IsHIDSEvent(e *event.EdrEvent) bool {
 
 // Report generate a forensic ready report (meant to be dumped)
 // this method is blocking as it runs commands and wait after those
-func (h *HIDS) Report(light bool) (r Report) {
+func (h *Agent) Report(light bool) (r Report) {
 	r.StartTime = time.Now()
 
 	// generate a report for running processes or those terminated still having one child or more
@@ -726,7 +726,7 @@ func (h *HIDS) Report(light bool) (r Report) {
 }
 
 // Run starts the WHIDS engine and waits channel listening is stopped
-func (h *HIDS) Run() {
+func (h *Agent) Run() {
 
 	// start task scheduler
 	h.scheduler.Start()
@@ -843,7 +843,7 @@ func (h *HIDS) Run() {
 }
 
 // LogStats logs whids statistics
-func (h *HIDS) LogStats() {
+func (h *Agent) LogStats() {
 	log.Infof("Time Running: %s", h.stats.SinceStart())
 	log.Infof("Count Event Scanned: %.0f", h.stats.Events())
 	log.Infof("Average Event Rate: %.2f EPS", h.stats.EPS())
@@ -852,7 +852,7 @@ func (h *HIDS) LogStats() {
 }
 
 // Stop stops the IDS
-func (h *HIDS) Stop() {
+func (h *Agent) Stop() {
 	log.Infof("Stopping HIDS")
 	// cancelling parent context
 	h.cancel()
@@ -876,7 +876,7 @@ func (h *HIDS) Stop() {
 
 	// updating autologger configuration
 	log.Infof("Updating autologger configuration")
-	if err := Autologger.Delete(); err != nil {
+	if err := config.Autologger.Delete(); err != nil {
 		log.Errorf("Failed to delete autologger: %s", err)
 	}
 
@@ -888,12 +888,12 @@ func (h *HIDS) Stop() {
 }
 
 // Wait waits the IDS to finish
-func (h *HIDS) Wait() {
+func (h *Agent) Wait() {
 	h.waitGroup.Wait()
 }
 
 // WaitWithTimeout waits the IDS to finish
-func (h *HIDS) WaitWithTimeout(timeout time.Duration) {
+func (h *Agent) WaitWithTimeout(timeout time.Duration) {
 	t := time.NewTimer(timeout)
 	go func() {
 		h.waitGroup.Wait()

hids/commands.go → agent/commands.go

@@ -1,4 +1,4 @@
-package hids
+package agent
 
 import (
 	"crypto/md5"
@@ -105,7 +105,7 @@ func (wi *WalkItem) FromWalkerWalkItem(o fswalker.WalkItem) {
 		wi.Err = o.Err.Error()
 	}
 }
-  
+
 func cmdHash(path string) (nfi FileInfo, err error) {
 	var fi fs.FileInfo
 

hids/commands_test.go → agent/commands_test.go

@@ -1,4 +1,4 @@
-package hids
+package agent
 
 import (
 	"fmt"