Skip to content

Latest commit

 

History

History
76 lines (49 loc) · 2.96 KB

README.md

File metadata and controls

76 lines (49 loc) · 2.96 KB

EndpointSecurityAgent

Dependencies

You must install clamav-devel in order to run this project.

Project scope

1. Agent Architecture:

  • Core Service: This is the main process that runs in the background, monitoring system activity.
  • Configuration Module: Manages the configuration settings for the agent (e.g., policies, monitoring intervals).
  • Communication Module: Handles communication with a central server, if any, for updates, logging, and alerts.
  • Plugins/Modules: Modular components that monitor specific aspects of the system (e.g., file system, network activity).

2. Features:

File Integrity Monitoring:

Monitor specific directories or files for changes using file hashing. Trigger alerts on unauthorized changes. Go libraries to consider: crypto/sha256 for hashing, os for file operations.

Process Monitoring:

Continuously monitor running processes.
Detect and alert on suspicious or unauthorized processes.
Go libraries to consider: os/exec for process listings.

Network Monitoring:

Monitor outgoing and incoming network connections.
Detect connections to known malicious IPs or unusual traffic patterns.
Go libraries to consider: net for network operations.

Log Monitoring:

Monitor system logs for suspicious entries.
Go libraries to consider: native file reading capabilities or third-party log parsing libraries.

System Health Check:

Monitor CPU, memory, disk space, and other system metrics.
Alert if metrics cross certain thresholds.
Go libraries to consider: runtime for basic metrics, or third-party libraries for detailed system monitoring.

3. Alerting:

Generate alerts for detected anomalies or policy violations. Send alerts to a central server, log them locally, or even send them via email or other communication methods.

4. Updates:

The agent should be able to receive updates for configurations, threat intelligence, or even binary updates. Implement a secure mechanism for updates to ensure the agent isn't compromised via this vector.

5. Security:

Ensure the agent itself is secure. Consider encrypting sensitive data. Regularly audit the code and consider penetration testing. Use Go's native capabilities for secure communications (e.g., crypto/tls).

6. Deployment & Management:

The agent should be easy to deploy across multiple machines. Consider a command & control (C2) server for centralized management, configuration, and updates.

7. Cross-Platform Support:

One of the challenges with endpoint agents is supporting multiple OSes. Design your agent to be modular to support different OS-specific monitoring modules.

Challenges:

Performance: The agent should have minimal impact on system performance.
Stealth: Malicious actors may attempt to detect or disable the agent.
False Positives: Ensure the agent doesn't generate excessive false alerts, which can lead to alert fatigue.