Syslog source (#500)

* Add syslog source * only load cert/key with tls * Cleanup * Linting Co-authored-by: Bill Rich <bill.rich@trufflesec.com>
trufflesecurity · May 4, 2022 · c78120e · c78120e
1 parent 62bb3c5
commit c78120e
Show file tree

Hide file tree

Showing 12 changed files with 1,048 additions and 182 deletions.
diff --git a/README.md b/README.md
@@ -96,6 +96,7 @@ TruffleHog has a sub-command for each source of data that you may want to scan:
 - gitlab
 - S3
 - filesystem
+- syslog
 - file and stdin (coming soon)
 
 Each subcommand can have options that you can see with the `-h` flag provided to the sub command:

diff --git a/go.mod b/go.mod
@@ -13,8 +13,10 @@ require (
 	github.com/aws/aws-sdk-go v1.44.4
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.16.4
+  github.com/bill-rich/go-syslog v0.0.0-20220413021637-49edb52a574c
 	github.com/bitfinexcom/bitfinex-api-go v0.0.0-20210608095005-9e0b26f200fb
 	github.com/bradleyfalzon/ghinstallation/v2 v2.0.4
+	github.com/crewjam/rfc5424 v0.1.0
 	github.com/envoyproxy/protoc-gen-validate v0.6.7
 	github.com/fatih/color v1.13.0
 	github.com/felixge/fgprof v0.9.2

diff --git a/go.sum b/go.sum
@@ -116,6 +116,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.16.4/go.mod h1:lfSYenAXtavyX2A1LsVig
 github.com/aws/smithy-go v1.11.2 h1:eG/N+CcUMAvsdffgMvjMKwfyDzIkjM6pfxMJ8Mzc6mE=
 github.com/aws/smithy-go v1.11.2/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/bill-rich/go-syslog v0.0.0-20220413021637-49edb52a574c h1:tSME5FDS02qQll3JYodI6RZR/g4EKOHApGv1wMZT+Z0=
+github.com/bill-rich/go-syslog v0.0.0-20220413021637-49edb52a574c/go.mod h1:+sCc6hztur+oZCLOsNk6wCCy+GLrnSNHSRmTnnL+8iQ=
 github.com/bitfinexcom/bitfinex-api-go v0.0.0-20210608095005-9e0b26f200fb h1:9v7Bzlg+1EBYi2IYcUmOwHReBEfqBbYIj3ZCi9cIe1Q=
 github.com/bitfinexcom/bitfinex-api-go v0.0.0-20210608095005-9e0b26f200fb/go.mod h1:EkOqCuelvo7DY8vCOoZ09p7pHvAK9B1PHI9GeM4Rdxc=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
@@ -141,6 +143,8 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/crewjam/rfc5424 v0.1.0 h1:MSeXJm22oKovLzWj44AHwaItjIMUMugYGkEzfa831H8=
+github.com/crewjam/rfc5424 v0.1.0/go.mod h1:RCi9M3xHVOeerf6ULZzqv2xOGRO/zYaVUeRyPnBW3gQ=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

diff --git a/main.go b/main.go
@@ -81,6 +81,13 @@ var (
 	s3ScanSecret   = s3Scan.Flag("secret", "S3 secret used to authenticate.").String()
 	s3ScanCloudEnv = s3Scan.Flag("cloud-environment", "Use IAM credentials in cloud environment.").Bool()
 	s3ScanBuckets  = s3Scan.Flag("bucket", "Name of S3 bucket to scan. You can repeat this flag.").Strings()
+
+	syslogScan     = cli.Command("syslog", "Scan syslog")
+	syslogAddress  = syslogScan.Flag("address", "Address and port to listen on for syslog. Example: 127.0.0.1:514").String()
+	syslogProtocol = syslogScan.Flag("protocol", "Protocol to listen on. udp or tcp").String()
+	syslogTLSCert  = syslogScan.Flag("cert", "Path to TLS cert.").String()
+	syslogTLSKey   = syslogScan.Flag("key", "Path to TLS key.").String()
+	syslogFormat   = syslogScan.Flag("format", "Log format. Can be rfc3164 or rfc5424").String()
 )
 
 func init() {
@@ -204,6 +211,11 @@ func run(state overseer.State) {
 		if err != nil {
 			logrus.WithError(err).Fatal("Failed to scan S3.")
 		}
+	case syslogScan.FullCommand():
+		err := e.ScanSyslog(ctx, *syslogAddress, *syslogProtocol, *syslogTLSCert, *syslogTLSKey, *syslogFormat, *concurrency)
+		if err != nil {
+			logrus.WithError(err).Fatal("Failed to scan syslog.")
+		}
 	}
 
 	if !*jsonLegacy && !*jsonOut {

diff --git a/pkg/engine/syslog.go b/pkg/engine/syslog.go
@@ -0,0 +1,57 @@
+package engine
+
+import (
+	"context"
+	"github.com/go-errors/errors"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/anypb"
+	"os"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/sourcespb"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/sources/syslog"
+)
+
+func (e *Engine) ScanSyslog(ctx context.Context, address, protocol, certPath, keyPath, format string, concurrency int) error {
+	connection := &sourcespb.Syslog{
+		Protocol:      protocol,
+		ListenAddress: address,
+		Format:        format,
+	}
+
+	if certPath != "" && keyPath != "" {
+		cert, err := os.ReadFile(certPath)
+		if err != nil {
+			return errors.WrapPrefix(err, "could not open TLS cert file", 0)
+		}
+		connection.TlsCert = string(cert)
+
+		key, err := os.ReadFile(keyPath)
+		if err != nil {
+			return errors.WrapPrefix(err, "could not open TLS key file", 0)
+		}
+		connection.TlsKey = string(key)
+	}
+
+	var conn anypb.Any
+	err := anypb.MarshalFrom(&conn, connection, proto.MarshalOptions{})
+	if err != nil {
+		return errors.WrapPrefix(err, "error unmarshalling connection", 0)
+	}
+	source := syslog.Source{}
+	err = source.Init(ctx, "trufflehog - syslog", 0, 0, false, &conn, concurrency)
+	source.InjectConnection(connection)
+	if err != nil {
+		logrus.WithError(err).Error("failed to initialize syslog source")
+		return err
+	}
+
+	go func() {
+		err := source.Chunks(ctx, e.ChunksChan())
+		if err != nil {
+			logrus.WithError(err).Fatal("could not scan syslog")
+		}
+		close(e.ChunksChan())
+	}()
+	return nil
+}