Auditing probe for webservers
This tool is based on IoVisor/bcc and need a Linux 4.6+ kernel, headers.
The probe runs on webservers and sends events to a collector daemon ( hindsight <https://github.com/mozilla-services/hindsight>) or hekad <https://github.com/mozilla-services/heka> for example).
- Linux 4.6+
- Kernels image and headers (
linux-image-andlinux-headers-) - Libbcc and python-bcc from https://github.com/iovisor/bcc
- Python 3.4
The probes listens events from uid > 1000 (normal users):
- file write operations :
__sys_open - TCP connect (80, 443, 25) :
__tcp_v4_connect - UDP packets sent (Dos) :
- Server socket listen:
__inet_listen - Command execution :
__sys_execve
- timestamp : nanosecond
- event : FILE_WRITE, FILE_READ, TCP_CONN, UDP_PKT, SOCK_LISTEN, EXEC
- host : hostname
- uid
- gid
- pid
- namespace
- process_name
- cwd : current working directory of the process
- fields :
- src_addr / dst_addr / src_port / dst_port
- filename, filepath
- ...
Install for the current user:
$ python setup.py install --user
Run the application:
$ python -m wgap --help
Run the test suite:
$ py.test test/
Build documentation:
$ cd doc && make html
Deploy the application in a self-contained Virtualenv environment:
$ python deploy.py /path/to/apps $ cd /path/to/apps/ && wgap/bin/cli --help