Skip to content

Linux Endpoint which tracks and logs all incoming and outgoing TCP and UDP connections along with the name of the process and who owns the process

License

Notifications You must be signed in to change notification settings

alisle/ZeroTrust-Track

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ZeroTrust-Track

Build Status License

Linux Agent which tracks and logs all incoming and outgoing TCP and UDP connections along with the name of the process and who owns the process. ZeroTrust-Track is a userspace tool and doesn't require the installation of any propriety kernel modules. It leverages the iptables ip_conntrack module.

Currently it supports output to TCP and UDP Syslog, ElasticSearch and output to the ZeroTrust Server.

Installation

Deb

To install download the deb package and run:

dpkg -i zerotrust*.deb

Configuration

By default the configuration is kept in /etc/zerotrust/config.yaml

The settings are

  • name Defines the human readable name you want to give the agent, if you don't provide one, a girls name will be given to the agent.
  • uuid Defines the UUID for this agent, if you don't provide one a random UUID will be generated.
  • directory Defines the data directory which the agent will use, typically this is set to /usr/share/zerotrust
  • outputs Defines where the output should be sent.
    • syslog For syslog output
      • Localhost To output straight to the local syslog
      • TCP For TCP Syslog output
      • UDP For UDP Syslog output
    • elasticsearch For ES output, you have to provide the ES URL Plus the index, for instance: "http://my.elasticserch.node.zerotrust.com:9200/my_index"
    • zerotrust_endpoint To pipe to the zerotrust Server, provide the URL for your zerotrust Server.
  • filters Defines the connections which zerotrust-Track should not report on.
    • non_process_connections - By setting this to false, you will catch all connections, including multicast. This can be noisy and not particularly useful.

    • dns_requests - By setting this to false, you will get all DNS look ups on 53 and 5353, this can be very noisy.

    • zerotrust_track_connections - By setting this to false we will report on connections which the zerotrust-Track daemon makes, if you have an output defined which is network based (i.e. ES, TCP, UDP Syslog) this can create a infinite loop of reporting =)

Example of Output

Open Connection - When a connection is opened the following output is given, the hash is derived by the properties of the connection and can be matched to the corresponding close.

{
  "uuid":"b2f0281d-da73-4116-8639-8a1c693511b0",
  "agent":"b15da2a9-67dd-446c-82ce-9512174bc16f",
  "hash" : 950265093776986234,
  "timestamp" : "2018-10-22T10:40:34.763563458+00:00",
  "protocol" : "TCP",
  "source" : "172.16.144.102",
  "destination" : "104.197.3.80",
  "source_port" : 59325,
  "destination_port" : 80,
  "username" : "root",
  "uid" : 0,
  "program_details" : {
    "inode" : 631905,
    "pid" : 656,
    "process_name" : "NetworkManager",
    "command_line" : [
      "/usr/sbin/NetworkManager",
      "--no-daemon"
    ]
  }
}

Close Connection

{
  "uuid":"b2f0281d-da73-4116-8639-8a1c693511b0",
  "agent":"b15da2a9-67dd-446c-82ce-9512174bc16f",
  "hash" : 1334410269481100237,
  "timestamp" : "2018-10-22T10:07:36.651838320+00:00",
  "protocol" : "TCP",
  "source" : "172.16.144.102",
  "destination" : "104.198.143.177",
  "source_port" : 50351,
  "destination_port" : 80
}

Notes

In order for ZeroTrust-Track to work, it requires the ip_conntrack module to be loaded. This is added by default.

As ZeroTrust-Track does NOT run as root by default, it requires the following capabilities to run: cap_sys_ptrace, cap_net_admin, cap_dac_read_search

These can be set by using

setcap 'cap_sys_ptrace,cap_net_admin,cap_dac_read_search=+ep' /usr/sbin/zerotrust-track

Again this is done by default during the install.

Issues

Please be aware this is a early version of a new project, please keep this in mind while deploying.

On ubuntu 18.xx conntrack will not work without first using iptables, in order to enable conntrack you will need to add a iptables rule. For instance:

 sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

And this should fix the issue.

About

Linux Endpoint which tracks and logs all incoming and outgoing TCP and UDP connections along with the name of the process and who owns the process

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published