# noawareness
`noawareness` is a lightweight process and network activity logger for
Linux designed for incident response, threat hunting, and postmortem
analysis.
It monitors and logs:
- Process creation and destruction
- UID/GID changes
- `ptrace` activity
- DNS queries
- TCP session activity
It can also block executions that match user-defined signatures, using
fanotify's FAN_OPEN_EXEC_PERM feature (see "rules" for basic examples of
rule definitions).
All output is formatted with JSON making it easy to ingest into tools
like Splunk, Elasticsearch, or your own log processors.
Warning: This project is under active development and was designed for
usage at CTFs--not production use. It's crude, incomplete, and
buggy. You've been warned.
## Building
To build, run:
```
make
```
This produces a binary named `noawareness` that can be dropped onto most
Linux systems and run as-is.
## Usage
Run `./noawareness` with appropriate flags. Example:
```sh
sudo ./noawareness -xi eth0
```
For a list of command line flags, use the `-h` option:
```
./noawareness -h
```
```
usage: ./noawareness [-h?]
-h/-? - Print this menu and exit.
-d - Daemonize. Default: no
-i <iface> - Interface to sniff
-x - Toggle promiscuous mode. Default: false
-m <bytes> - Max size of file to hash. Default: 104857600
-o <file> - Outfile for JSON output, Default: /var/log/noawareness.json.log
-O - Toggle local JSON logging. Default: false
-P <path> - Path to PID file. Default: /var/run/noawareness.pid
-r - Toggle remote logging. Default: true
-R <path> - Path to AV rule definitions. Default: rules
-s <IP> - Remote log server. Default: 127.0.0.1
-S - Toggle syslog. Default: true
-p <port> - Port of remote server. Default: 55555
-q - Toggle quiet mode. Default: false
```
## Logging
noawareness can send logs over UDP to a remote server for further
processing and ingestion into a log search engine such as Splunk or
Elasticsearch. UDP was chosen for simplicity. More robust and reliable
logging over TCP is on the roadmap of upcoming features.
## musl
You can statically compile `noawareness` with `musl` to run it on a wide
range of systems, including older or stripped-down Linux installs:
- Symlink Linux headers if your system uses multiarch paths (some
setups require this).
```
sudo ln -s /usr/include/linux /usr/include/x86_64-linux-musl/
sudo ln -s /usr/include/asm-generic /usr/include/x86_64-linux-musl/
sudo ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/x86_64-linux-musl/
```
Optionally, sanitized kernel headers such as the ones provided by
Sabotage Linux may be used if desired (this is untested):
https://github.com/sabotage-linux/kernel-headers
See here for more detail:
https://groups.google.com/g/linux.debian.bugs.dist/c/Q2KVBy8QXYM
- Set CC to musl-gcc or whichever cross-compiler you are using:
```
CC=musl-gcc make
```
## Why?
I needed a lightweight, easy-to-deploy, and portable tool to track
activity on Linux boxes at CTFs. Many similar tools require excessive
dependencies or configuration, or are paywalled.
## Credits
- base64 implementation by Jouni Malinen
- The SHA256 implementation by Brad Conte: https://github.com/B-Con/crypto-algorithms
- The MD5 implementation used in this project was originally written
by RSA Data Security, Inc.