feat(veinmind-trace): complete code

chaitin · Jul 23, 2023 · 8b45a1c · 8b45a1c
1 parent b2a777d
commit 8b45a1c
Show file tree

Hide file tree

Showing 19 changed files with 361 additions and 185 deletions.
diff --git a/.github/workflows/veinmind-build.yml b/.github/workflows/veinmind-build.yml
@@ -22,6 +22,7 @@ jobs:
           veinmind-weakpass,
           veinmind-webshell,
           veinmind-minio,
+          veinmind-trace
         ]
         path: [ ./plugins/go/ ]
         include:

diff --git a/.github/workflows/veinmind-package.yml b/.github/workflows/veinmind-package.yml
@@ -91,6 +91,10 @@ jobs:
         with:
           name: veinmind-backdoor-amd64
           path: ./
+      - uses: actions/download-artifact@v3
+        with:
+          name: veinmind-trace-amd64
+          path: ./
       - uses: actions/download-artifact@v3
         with:
           name: veinmind-minio-amd64
@@ -113,10 +117,11 @@ jobs:
           mv veinmind-escape_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-escape  
           mv veinmind-privilege-escalation_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-privilege-escalation 
           mv veinmind-minio_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-minio  
+          mv veinmind-trace_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-trace  
           mv ./plugins/python/veinmind-history ./veinmind-history
           rm -rf ./veinmind-runner && mv veinmind-runner_${{env.CI_GOOS}}_${{env.CI_GOARCH}} veinmind-runner
           chmod +x veinmind-runner veinmind-malicious veinmind-vuln veinmind-webshell veinmind-backdoor veinmind-unsafe-mount veinmind-log4j2 veinmind-weakpass veinmind-iac veinmind-sensitive  veinmind-basic veinmind-escape veinmind-privilege-escalation
-          tar cvzf veinmind-runner.tar.gz veinmind-runner veinmind-malicious veinmind-vuln veinmind-webshell veinmind-minio veinmind-backdoor \
+          tar cvzf veinmind-runner.tar.gz veinmind-runner veinmind-malicious veinmind-vuln veinmind-webshell veinmind-minio veinmind-backdoor veinmind-trace \
           veinmind-unsafe-mount veinmind-log4j2 veinmind-weakpass veinmind-iac veinmind-sensitive  veinmind-basic veinmind-escape veinmind-privilege-escalation \
           ./veinmind-history
       - uses: actions/upload-artifact@v3

diff --git a/.github/workflows/veinmind-push.yml b/.github/workflows/veinmind-push.yml
@@ -58,6 +58,7 @@ jobs:
           veinmind-weakpass,
           veinmind-webshell,
           veinmind-minio,
+          veinmind-trace
         ]
         path: [ ./plugins/go/ ]
     name: ${{ matrix.plugin }}

diff --git a/plugins/go/veinmind-trace/Dockerfile b/plugins/go/veinmind-trace/Dockerfile
@@ -1,4 +1,4 @@
-FROM veinmind/go1.18:1.9.21-bullseye as builder
+FROM veinmind/go1.18:1.9.42-bullseye as builder
 WORKDIR /build
 COPY .. .
 RUN make build
@@ -8,7 +8,7 @@ WORKDIR /build
 COPY --from=builder /build/veinmind-trace .
 RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories && apk add upx && upx -9 veinmind-trace
 
-FROM veinmind/base:1.9.21-bullseye as release
+FROM veinmind/base:1.9.42-bullseye as release
 WORKDIR /tool
 COPY --from=compresser /build/veinmind-trace .
 RUN echo "#!/bin/bash\n\n./veinmind-trace \$*" > /tool/entrypoint.sh && chmod +x /tool/entrypoint.sh && chmod +x /tool/veinmind-trace

diff --git a/plugins/go/veinmind-trace/README.en.md b/plugins/go/veinmind-trace/README.en.md
diff --git a/plugins/go/veinmind-trace/README.md b/plugins/go/veinmind-trace/README.md
@@ -5,16 +5,80 @@ veinmind-trace 是由长亭科技自研的一款容器安全检测工具
 </p>
 
 ## 功能特性
+
 + 快速扫描容器中的异常进程:
-  1. 隐藏进程(mount -o bind方式)
-  2. 反弹shell的进程
-  3. 带有挖矿、黑客工具、可疑进程名的进程
-  4. 包含 Ptrace 的进程
-+ 快速扫描容器中的异常文件系统: 
-  1. 敏感目录权限异常
-  2. cdk 工具利用痕迹检测
-+ 快速扫描容器中的异常用户: 
-  1. uid=0 的非root账户
-  2. gid=0 的非root账户
-  3. uid相同的用户
-+ 支持`containerd`/`dockerd`容器运行时
+    1. 隐藏进程(mount -o bind方式)
+    2. 反弹shell的进程
+    3. 带有挖矿、黑客工具、可疑进程名的进程
+    4. 包含 Ptrace 的进程
++ 快速扫描容器中的异常文件系统:
+    1. 敏感目录权限异常
+    2. cdk 工具利用痕迹检测
++ 快速扫描容器中的异常用户:
+    1. uid=0 的非root账户
+    2. uid相同的用户
++ 支持`containerd`/`dockerd`容器运行时
+
+## 兼容性
+
+- linux/amd64
+- linux/386
+- linux/arm64
+
+## 使用方式
+
+### 基于可执行文件
+
+请先安装`libveinmind`，安装方法可以参考[官方文档](https://github.com/chaitin/libveinmind)
+
+#### Makefile 一键命令
+
+```
+make run ARG="scan xxx"
+```
+
+#### 自行编译可执行文件进行扫描
+
+编译可执行文件
+
+```
+make build
+```
+
+运行可执行文件进行扫描
+
+```
+chmod +x veinmind-trace && ./veinmind-trace scan xxx 
+```
+
+### 基于平行容器模式
+
+确保机器上安装了`docker`以及`docker-compose`
+
+#### Makefile 一键命令
+
+```
+make run.docker ARG="scan xxxx"
+```
+
+#### 自行构建镜像进行扫描
+
+构建`veinmind-trace`镜像
+
+```
+make build.docker
+```
+
+运行容器进行扫描
+
+```
+docker run --rm -it --mount 'type=bind,source=/,target=/host,readonly,bind-propagation=rslave' veinmind-trace scan xxx
+```
+
+## 使用
+
+1. 扫描本地所有镜像
+
+```
+./veinmind-trace scan container
+```
diff --git a/plugins/go/veinmind-trace/cmd/cli.go b/plugins/go/veinmind-trace/cmd/cli.go
@@ -2,12 +2,16 @@ package main
 
 import (
 	"os"
+	"time"
 
 	api "github.com/chaitin/libveinmind/go"
 	"github.com/chaitin/libveinmind/go/cmd"
 	"github.com/chaitin/libveinmind/go/plugin"
 	"github.com/chaitin/libveinmind/go/plugin/log"
 	"github.com/chaitin/veinmind-common-go/service/report"
+	"github.com/chaitin/veinmind-common-go/service/report/event"
+
+	"github.com/chaitin/veinmind-tools/plugins/go/veinmind-trace/pkg/analyzer"
 )
 
 var reportService = &report.Service{}
@@ -32,30 +36,33 @@ func scanContainer(c *cmd.Command, container api.Container) error {
 			log.Error(err)
 		}
 	}()
-	// 1
 
-	// 2. check process
-	//analyzer.ScanProcesses(container)
+	result := make([]*event.TraceEvent, 0)
+	for _, a := range analyzer.Group {
+		a.Scan(container)
+		result = append(result, a.Result()...)
+	}
 
-	// if you want display at runner report, you should send your result to report event
-	//reportEvent := &event.Event{
-	//	BasicInfo: &event.BasicInfo{
-	//		ID:         container.ID(), // container id info
-	//		Object:     event.NewObject(container),
-	//		Time:       time.Now(),           // report time, usually use time.Now
-	//		Level:      event.None,           // report event level
-	//		DetectType: event.Container,      // report scan object type
-	//		AlertType:  event.BasicContainer, // report alert type, we provide some clearly types of security events,
-	//		EventType:  event.Info,           // report event type: Risk/Invasion/Info
-	//	},
-	//	DetailInfo: &event.DetailInfo{
-	//		//  add report detail data in there
-	//	},
-	//}
-	//err = reportService.Client.Report(reportEvent)
-	//if err != nil {
-	//	return err
-	//}
+	for _, e := range result {
+		reportEvent := &event.Event{
+			BasicInfo: &event.BasicInfo{
+				ID:         container.ID(), // container id info
+				Object:     event.NewObject(container),
+				Time:       time.Now(),      // report time, usually use time.Now
+				Level:      e.Level,         // report event level
+				DetectType: event.Container, // report scan object type
+				AlertType:  event.TraceRisk, // report alert type, we provide some clearly types of security events,
+				EventType:  event.Risk,      // report event type: Risk/Invasion/Info
+			},
+			DetailInfo: &event.DetailInfo{
+				AlertDetail: e,
+			},
+		}
+		err := reportService.Client.Report(reportEvent)
+		if err != nil {
+			log.Error(err)
+		}
+	}
 
 	return nil
 }

diff --git a/plugins/go/veinmind-trace/go.mod b/plugins/go/veinmind-trace/go.mod
@@ -4,5 +4,6 @@ go 1.16
 
 require (
 	github.com/chaitin/libveinmind v1.5.6
-	github.com/chaitin/veinmind-common-go v1.4.4
+	github.com/chaitin/veinmind-common-go v1.4.6
+	github.com/stretchr/testify v1.7.4
 )
diff --git a/plugins/go/veinmind-trace/go.sum b/plugins/go/veinmind-trace/go.sum
@@ -167,8 +167,8 @@ github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/chaitin/libveinmind v1.5.2/go.mod h1:TXLYL6GeSAQ7pQ5IxPG4Tp0DuB1QvPPFhqdOjyiWxVU=
 github.com/chaitin/libveinmind v1.5.6 h1:fyNq142a+uOfYZ68GTzElFXVB0dtEXvs+ffwk24+Vfg=
 github.com/chaitin/libveinmind v1.5.6/go.mod h1:TXLYL6GeSAQ7pQ5IxPG4Tp0DuB1QvPPFhqdOjyiWxVU=
-github.com/chaitin/veinmind-common-go v1.4.4 h1:3oAXapZCH2nbNHjBuxX5zNChK4v4r+/SrbxCCTyCkL0=
-github.com/chaitin/veinmind-common-go v1.4.4/go.mod h1:+dshrlmHiBtRV7ATyObBIg3SZoffpNCr1PdahT1LUQo=
+github.com/chaitin/veinmind-common-go v1.4.6 h1:MJI05QVs89WB3TwXA4T//f4FX5olLQrG5+Ycqb9POSI=
+github.com/chaitin/veinmind-common-go v1.4.6/go.mod h1:+dshrlmHiBtRV7ATyObBIg3SZoffpNCr1PdahT1LUQo=
 github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw=
 github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
 github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=

diff --git a/plugins/go/veinmind-trace/pkg/analyzer/analyzer.go b/plugins/go/veinmind-trace/pkg/analyzer/analyzer.go
@@ -1,5 +1,13 @@
 package analyzer
 
+import (
+	api "github.com/chaitin/libveinmind/go"
+	"github.com/chaitin/veinmind-common-go/service/report/event"
+)
+
+var Group = make([]Analyzer, 0)
+
 type Analyzer interface {
-	Scan()
+	Scan(container api.Container)
+	Result() []*event.TraceEvent
 }