- cross-posted to:
- linux@lemmy.ml
I wrote a dead simple file canary tool that will install an eBPF program that drops all outgoing packets if a canary is touched. I wrote this in response to the current trend of supply chain attacks that try to harvest credentials.
This is really cool. I appreciate you sharing it. I’m currently building out my homelab to try out various software and scenarios, and one of the things I’m worried about is malicious software sneaking in and compromising my LAN.
In the case that something does, this essentially provides a tripwire which leaves all the evidence intact while stopping the bleed (unless it has a VM escape, but that’s another story).
In any case, this is very useful and I’m really glad you made it. Thanks!
Yes, you can `-send-sigstop` to SIGSTOP the process and then do whatever you’d like on your `-on-touched-exe`, such as attach via ptrace, dump all memory, etc. My current one will send a notification and dump the memory of the offending process.

Definitely pay attention to the warning about running this on a server. With a KVM attached in a home lab you should be able to easily recover I guess. I think you could also set yourself up a little UDP service to SIGUSR1 the daemon since incoming packets are not dropped, but I haven’t tested that.
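Added example, not the tool from the thread: the same tripwire idea (canary touched, stop the bleed, leave evidence on disk) built in Python on Linux inotify through ctypes instead of eBPF. On a hit it drops all outgoing packets with an nftables output chain, and a SIGUSR1 handler lifts the block again, matching the recovery idea in the reply above. Unlike the eBPF tool, inotify does not report which process touched the file, so the `-send-sigstop` / memory-dump response is not reproduced here. Assumptions: Linux, root, `nft` installed; `SAMPLE_BUFFER` is a constructed byte string for exercising the parser, not a real capture.

```python
"""Added example, not the tool from the thread: a file-canary tripwire on
Linux inotify (via ctypes) whose response is an nftables egress drop."""
import ctypes
import ctypes.util
import os
import signal
import struct
import subprocess
import sys

# inotify event bits, values as defined in <sys/inotify.h>
IN_ACCESS = 0x00000001
IN_MODIFY = 0x00000002
IN_ATTRIB = 0x00000004
IN_OPEN = 0x00000020
IN_CREATE = 0x00000100
IN_DELETE_SELF = 0x00000400
# Anything in this mask counts as "the canary was touched".
CANARY_MASK = IN_ACCESS | IN_MODIFY | IN_ATTRIB | IN_OPEN | IN_DELETE_SELF

# struct inotify_event { int wd; uint32_t mask; uint32_t cookie; uint32_t len; char name[]; }
_EVENT_HDR = struct.Struct("iIII")


def parse_inotify_events(buf: bytes):
    """Split one read() buffer from an inotify fd into (wd, mask, name) tuples."""
    events, offset = [], 0
    while offset + _EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, name_len = _EVENT_HDR.unpack_from(buf, offset)
        offset += _EVENT_HDR.size
        # name is NUL-padded to name_len bytes; it is empty for a watch on the file itself
        name = buf[offset:offset + name_len].split(b"\0", 1)[0].decode(errors="replace")
        offset += name_len
        events.append((wd, mask, name))
    return events


def should_trip(mask: int) -> bool:
    return bool(mask & CANARY_MASK)


def describe(mask: int) -> str:
    """Verb for the log line; 'ignored' for events outside CANARY_MASK."""
    if mask & IN_DELETE_SELF:
        return "deleted"
    if mask & IN_MODIFY:
        return "modified"
    if mask & (IN_ACCESS | IN_OPEN):
        return "read"
    if mask & IN_ATTRIB:
        return "metadata-changed"
    return "ignored"


# Constructed sample (not a real capture): a directory watch (wd 1) seeing
# "secrets.txt" opened, then a file watch (wd 2) seeing a modify+attrib event.
SAMPLE_BUFFER = (
    _EVENT_HDR.pack(1, IN_OPEN, 0, 16) + b"secrets.txt".ljust(16, b"\0")
    + _EVENT_HDR.pack(2, IN_MODIFY | IN_ATTRIB, 0, 0)
)


def block_egress(path: str, verb: str) -> None:
    """Response hook: drop every outgoing packet via an nftables output chain (the
    'stop the bleed' effect of the thread's eBPF drop). Assumes root and nft.
    Nothing on disk is touched, so evidence stays intact for later forensics."""
    print(f"[canary] {path} was {verb}: dropping all egress", file=sys.stderr)
    subprocess.run(["nft", "add", "table", "inet", "canary"], check=True)
    subprocess.run(["nft", "add", "chain", "inet", "canary", "out",
                    "{ type filter hook output priority 0; policy drop; }"], check=True)


def unblock_egress(*_args) -> None:
    """SIGUSR1 handler: remove the drop again once you are back at the console."""
    subprocess.run(["nft", "delete", "table", "inet", "canary"], check=False)


def watch(canary_paths, on_trip=block_egress) -> None:
    """Block on inotify and call on_trip(path, verb) the first time a canary is touched.
    inotify gives no pid, so this cannot SIGSTOP the offender; it only cuts egress."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    fd = libc.inotify_init1(os.O_CLOEXEC)
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1 failed")
    wd_to_path = {}
    for path in canary_paths:
        wd = libc.inotify_add_watch(fd, path.encode(), CANARY_MASK)
        if wd < 0:
            raise OSError(ctypes.get_errno(), f"cannot watch {path}")
        wd_to_path[wd] = path
    # Incoming traffic still works, so a small UDP helper could send this signal.
    signal.signal(signal.SIGUSR1, unblock_egress)
    while True:
        for wd, mask, _name in parse_inotify_events(os.read(fd, 4096)):
            if should_trip(mask):
                on_trip(wd_to_path.get(wd, "?"), describe(mask))
                signal.pause()  # stay alive until SIGUSR1 lifts the block
                return


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} CANARY_FILE [CANARY_FILE ...]")
    watch(sys.argv[1:])
```

Run it as root with one or more decoy credential files as arguments; the parser and classifier are separated from the kernel-facing code so the decision logic can be exercised on constructed buffers without a live watch.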