added big brother event auditor
		
							parent
							
								
									bb87bc192e
								
							
						
					
					
						commit
						47e69bab99
					
				
					 5 changed files with 107 additions and 8 deletions
				
			
		|  | @ -1,12 +1,12 @@ | ||||||
| #!/usr/bin/env python3 | #!/usr/bin/env python3 | ||||||
| ''' | """ | ||||||
|     Onionr - Private P2P Communication |     Onionr - Private P2P Communication | ||||||
| 
 | 
 | ||||||
|     This file initializes Onionr when ran to be a daemon or with commands |     This file initializes Onionr when ran to be a daemon or with commands | ||||||
| 
 | 
 | ||||||
|     Run with 'help' for usage. |     Run with 'help' for usage. | ||||||
| ''' | """ | ||||||
| ''' | """ | ||||||
|     This program is free software: you can redistribute it and/or modify |     This program is free software: you can redistribute it and/or modify | ||||||
|     it under the terms of the GNU General Public License as published by |     it under the terms of the GNU General Public License as published by | ||||||
|     the Free Software Foundation, either version 3 of the License, or |     the Free Software Foundation, either version 3 of the License, or | ||||||
|  | @ -19,7 +19,7 @@ | ||||||
| 
 | 
 | ||||||
|     You should have received a copy of the GNU General Public License |     You should have received a copy of the GNU General Public License | ||||||
|     along with this program.  If not, see <https://www.gnu.org/licenses/>. |     along with this program.  If not, see <https://www.gnu.org/licenses/>. | ||||||
| ''' | """ | ||||||
| 
 | 
 | ||||||
| # Set the user's locale for encoding reasons | # Set the user's locale for encoding reasons | ||||||
| import locale # noqa | import locale # noqa | ||||||
|  | @ -37,8 +37,12 @@ except ModuleNotFoundError as e: | ||||||
|     print('Onionr needs ' + str(e) + ' installed') |     print('Onionr needs ' + str(e) + ' installed') | ||||||
| 
 | 
 | ||||||
| # Onionr imports | # Onionr imports | ||||||
| from etc import onionrvalues # For different Onionr related constants such as versions | 
 | ||||||
| import onionrsetup as setup | # For different Onionr related constants such as versions | ||||||
|  | from etc import onionrvalues # noqa | ||||||
|  | 
 | ||||||
|  | import onionrexceptions # noqa | ||||||
|  | import onionrsetup as setup # noqa | ||||||
| 
 | 
 | ||||||
| min_ver = onionrvalues.MIN_PY_VERSION | min_ver = onionrvalues.MIN_PY_VERSION | ||||||
| 
 | 
 | ||||||
|  | @ -51,10 +55,20 @@ if sys.version_info[0] == 2 or sys.version_info[1] < min_ver: | ||||||
| from utils import createdirs | from utils import createdirs | ||||||
| createdirs.create_dirs() | createdirs.create_dirs() | ||||||
| 
 | 
 | ||||||
| from onionrcommands import parser | import bigbrother # noqa | ||||||
| from onionrplugins import onionrevents as events | from onionrcommands import parser # noqa | ||||||
|  | from onionrplugins import onionrevents as events # noqa | ||||||
| 
 | 
 | ||||||
| setup.setup_config() | setup.setup_config() | ||||||
|  | 
 | ||||||
|  | import config # noqa | ||||||
|  | 
 | ||||||
|  | if config.get('advanced.security_auditing', True): | ||||||
|  |     try: | ||||||
|  |         bigbrother.enable_ministries() | ||||||
|  |     except onionrexceptions.PythonVersion: | ||||||
|  |         pass | ||||||
|  | 
 | ||||||
| setup.setup_default_plugins() | setup.setup_default_plugins() | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
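Review bot: The `except onionrexceptions.PythonVersion: pass` around `bigbrother.enable_ministries()` silently leaves the socket-leak auditor off on interpreters without audit hooks, so a user who has `advanced.security_auditing` enabled gets no sign that the protection is inactive. Replace the `pass` with a warning through whatever logging this module has in scope (none is visible in the hunk), for example a message such as `'Security auditing is not supported on this Python version; socket leak detection is disabled'`. The hook is also registered only after `createdirs.create_dirs()` and `setup.setup_config()` have run, so anything those calls or the earlier imports do is not audited; a comment stating that this ordering is intentional would help.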
							
								
								
									
										43
									
								
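--- /dev/null
+++ b/src/bigbrother/__init__.py
@@ -0,0 +1,43 @@
+"""
+    Onionr - Private P2P Communication
+
+    Processes interpreter hook events to detect security leaks
+"""
+import sys
+from typing import Iterable
+
+from onionrexceptions import PythonVersion
+from . import ministry
+"""
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+"""
+
+
+def _auditing_supported():
+    try:
+        sys.audit
+        sys.addaudithook
+    except AttributeError:
+        raise PythonVersion('Auditing not supported interpreter')
+
+
+def sys_hook_entrypoint(event, info):
+    if event == 'socket.connect':
+        ministry.ofcommunication.detect_socket_leaks(info)
+
+
+def enable_ministries(disable_hooks: Iterable = []):
+    """Enable auditors"""
+    _auditing_supported()  # raises PythonVersion exception if <3.8
+    sys.addaudithook(sys_hook_entrypoint)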
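Review bot: `enable_ministries(disable_hooks: Iterable = [])` takes a mutable default that the body never reads, so a caller passing `disable_hooks` would believe an auditor was switched off when nothing changes. Either drop the parameter until it is implemented or declare it as `disable_hooks: Iterable = ()` and have `sys_hook_entrypoint` consult it. Audit hooks registered with `sys.addaudithook` cannot be removed, so a second call to `enable_ministries` would register the entrypoint twice; a module-level flag that makes the call idempotent would prevent that. `sys_hook_entrypoint` also needs a docstring saying that it runs for every audit event and that an exception raised by a ministry propagates to the code that triggered the event, which is how the connection gets aborted.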
							
								
								
									
										1
									
								
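--- /dev/null
+++ b/src/bigbrother/ministry/__init__.py
@@ -0,0 +1 @@
+from . import ofcommunication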
							
								
								
									
										38
									
								
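--- /dev/null
+++ b/src/bigbrother/ministry/ofcommunication.py
@@ -0,0 +1,38 @@
+"""
+    Onionr - Private P2P Communication
+
+    Ensure sockets don't get made to non localhost
+"""
+import ipaddress
+
+import logger
+"""
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+"""
+
+
+def detect_socket_leaks(socket_event):
+    """is called by the big brother broker whenever
+    a socket connection happens.
+    raises exception & logs if not to loopback
+    """
+    ip_address = socket_event[1][0]
+
+    # validate is valid ip address (no hostname, etc)
+    # raises valueerror if not
+    ipaddress.ip_address(ip_address)
+
+    if not ip_address.startswith('127'):
+        logger.warn(f'Conn made to {ip_address} outside of Tor/similar')
+        raise ValueError('Conn to non loopback IP, this is a privacy concern!')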
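Review bot: The loopback decision in `detect_socket_leaks` is a string-prefix test, `ip_address.startswith('127')`, and the object returned by `ipaddress.ip_address(ip_address)` is discarded. The prefix test rejects the IPv6 loopback `::1` and accepts any valid IPv6 literal whose text happens to begin with `127`, which is not a loopback address. Keep the parsed object and test it instead: `addr = ipaddress.ip_address(ip_address)` followed by `if not addr.is_loopback:`. Separately, `socket_event[1][0]` assumes the address is a `(host, port)` tuple. For an `AF_UNIX` socket the address is a path string, so `[0]` yields a single character and the validation raises `ValueError`, aborting local connects if Onionr or its dependencies use such sockets. The docstring should state which address families are expected.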
|  | @ -104,3 +104,6 @@ class MissingAddress(Exception): | ||||||
| 
 | 
 | ||||||
| class ContactDeleted(Exception): | class ContactDeleted(Exception): | ||||||
|     pass |     pass | ||||||
|  | 
 | ||||||
|  | class PythonVersion(Exception): | ||||||
|  |     pass | ||||||
|  |  | ||||||