├── .gitignore
├── LICENSE
├── Makefile
├── README.md
├── base32.c
├── base32.h
└── canaryfy.c


/.gitignore:
--------------------------------------------------------------------------------
1 | canaryfy
2 | tags
3 | .*.swp
4 | 
5 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2015, Thinkst Applied Research
 2 | All rights reserved.
 3 | 
 4 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 5 | 
 6 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
 7 | 
 8 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
 9 | 
10 | 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
11 | 
12 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
13 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | CC = gcc
2 | CFLAGS = 
3 | LIBS = -lm 
4 | #DEFINES="-DLOWPID"
5 | #DEFINES="-DDEBUG"
6 | 
7 | all: 
8 | 	$(CC) $(CFLAGS) $(DEFINES) -o canaryfy canaryfy.c base32.c $(LIBS)
9 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | Canaryfy
 2 | =============
 3 | by Thinkst Applied Research
 4 | 
 5 | Overview
 6 | --------
 7 | Canaryfy is an example Linux file read monitor. It watches individual files or files in directories, and triggers a [Canarytoken](http://canarytokens.org/) when a read occurs. It relies on the inotify(7) API for firing on file reads.
 8 | 
 9 | Building
10 | ------------
11 | Run `make` which will compile to a `canaryfy` binary.
12 | 
13 | To get the version which searches for a low PID, uncomment the DEFINES line with `-DLOWPID` in the Makefile.
14 | 
15 | 
16 | Installation
17 | ------------
18 | Move the binary to an unexpected location (e.g. `/var/lib/mailmain/bin/bouncer`).
19 | 
20 | Execution
21 | ---------
22 | ```canaryfy <process_name> <dns_canarytoken> <path> [ <path> ,]```
23 | where 
24 | * `process_name` is what will appear in the `ps` listing. e.g. '[kswapd1]'
25 | * `dns_canarytoken` is a new token from [Canarytoken](http://canarytokens.org).
26 | * `path` is a full path to a file or directory
27 | 
28 | 


--------------------------------------------------------------------------------
/base32.c:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
  3 |  * Mostly rewritten 2009 J.A.Bezemer@opensourcepartners.nl
  4 |  *
  5 |  * Permission to use, copy, modify, and distribute this software for any
  6 |  * purpose with or without fee is hereby granted, provided that the above
  7 |  * copyright notice and this permission notice appear in all copies.
  8 |  *
  9 |  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 10 |  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 11 |  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 12 |  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 13 |  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 14 |  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 15 |  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 16 |  */
 17 | 
 18 | #include <stdio.h>
 19 | #include <stdlib.h>
 20 | #include <string.h>
 21 | 
 22 | //#include "base32.h"
 23 | 
 24 | static const char cb32[] = 
 25 | 	"abcdefghijklmnopqrstuvwxyz234567";
 26 | static const char cb32_ucase[] = 
 27 | 	"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
 28 | static unsigned char rev32[256];
 29 | static int reverse_init = 0;
 30 | 
 31 | int base32_encode(char *buf, size_t *buflen, const void *data, size_t size)
 32 | /*
 33 |  * Fills *buf with max. *buflen characters, encoding size bytes of *data.
 34 |  *
 35 |  * NOTE: *buf space should be at least 1 byte _more_ than *buflen
 36 |  * to hold the trailing '\0'.
 37 |  *
 38 |  * return value    : #bytes filled in buf   (excluding \0)
 39 |  * sets *buflen to : #bytes encoded from data
 40 |  */
 41 | {
 42 | 	unsigned char *udata = (unsigned char *) data;
 43 | 	int iout = 0;	/* to-be-filled output char */
 44 | 	int iin = 0;	/* one more than last input byte that can be
 45 | 			   successfully decoded */
 46 | 
 47 | 	/* Note: Don't bother to optimize manually. GCC optimizes
 48 | 	   better(!) when using simplistic array indexing. */
 49 | 
 50 | 	while (1) {
 51 | 		if (iout >= *buflen || iin >= size)
 52 | 			break;
 53 | 		buf[iout] = cb32[((udata[iin] & 0xf8) >> 3)];
 54 | 		iout++;
 55 | 
 56 | 		if (iout >= *buflen || iin >= size) {
 57 | 			iout--; 	/* previous char is useless */
 58 | 			break;
 59 | 		}
 60 | 		buf[iout] = cb32[((udata[iin] & 0x07) << 2) |
 61 | 				  ((iin + 1 < size) ?
 62 | 				   ((udata[iin + 1] & 0xc0) >> 6) : 0)];
 63 | 		iin++;			/* 0 complete, iin=1 */
 64 | 		iout++;
 65 | 
 66 | 		if (iout >= *buflen || iin >= size)
 67 | 			break;
 68 | 		buf[iout] = cb32[((udata[iin] & 0x3e) >> 1)];
 69 | 		iout++;
 70 | 
 71 | 		if (iout >= *buflen || iin >= size) {
 72 | 			iout--;		/* previous char is useless */
 73 | 			break;
 74 | 		}
 75 | 		buf[iout] = cb32[((udata[iin] & 0x01) << 4) |
 76 | 				  ((iin + 1 < size) ?
 77 | 				   ((udata[iin + 1] & 0xf0) >> 4) : 0)];
 78 | 		iin++;			/* 1 complete, iin=2 */
 79 | 		iout++;
 80 | 
 81 | 		if (iout >= *buflen || iin >= size)
 82 | 			break;
 83 | 		buf[iout] = cb32[((udata[iin] & 0x0f) << 1) |
 84 | 				  ((iin + 1 < size) ?
 85 | 				   ((udata[iin + 1] & 0x80) >> 7) : 0)];
 86 | 		iin++;			/* 2 complete, iin=3 */
 87 | 		iout++;
 88 | 
 89 | 		if (iout >= *buflen || iin >= size)
 90 | 			break;
 91 | 		buf[iout] = cb32[((udata[iin] & 0x7c) >> 2)];
 92 | 		iout++;
 93 | 
 94 | 		if (iout >= *buflen || iin >= size) {
 95 | 			iout--;		/* previous char is useless */
 96 | 			break;
 97 | 		}
 98 | 		buf[iout] = cb32[((udata[iin] & 0x03) << 3) |
 99 | 				  ((iin + 1 < size) ?
100 | 				   ((udata[iin + 1] & 0xe0) >> 5) : 0)];
101 | 		iin++;			/* 3 complete, iin=4 */
102 | 		iout++;
103 | 
104 | 		if (iout >= *buflen || iin >= size)
105 | 			break;
106 | 		buf[iout] = cb32[((udata[iin] & 0x1f))];
107 | 		iin++;			/* 4 complete, iin=5 */
108 | 		iout++;
109 | 	}
110 | 
111 | 	buf[iout] = '\0';
112 | 
113 | 	/* store number of bytes from data that was used */
114 | 	*buflen = iin;
115 | 
116 | 	return iout;
117 | }
118 | 
119 | 
120 | 


--------------------------------------------------------------------------------
/base32.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright (c) 2006-2009 Bjorn Andersson <flex@kryo.se>, Erik Ekman <yarrick@kryo.se>
 3 |  *
 4 |  * Permission to use, copy, modify, and distribute this software for any
 5 |  * purpose with or without fee is hereby granted, provided that the above
 6 |  * copyright notice and this permission notice appear in all copies.
 7 |  *
 8 |  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 9 |  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 |  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 |  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 |  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 |  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 |  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 |  */
16 | 
17 | #ifndef __BASE32_H__
18 | #define __BASE32_H__
19 | 
20 | int base32_encode(char *, size_t *, const void *, size_t);
21 | 
22 | #endif
23 | 


--------------------------------------------------------------------------------
/canaryfy.c:
--------------------------------------------------------------------------------
  1 | /* Canaryfy inotifier
  2 | 
  3 |    Thinksts Applied Research
  4 | 
  5 | 
  6 |    SOooooooo hacky. GNU libc specific. Could blow up.
  7 | 
  8 |    Compile with:
  9 |    gcc  -o canaryfy canaryfy.c base32.c -lm -g
 10 | 
 11 |    Run with:
 12 | 
 13 |    ./canaryfy <new_psname> <dns_canarytoken> <path1> <path2> ... <pathN>
 14 | 
 15 |     <pathX> -- either a file or a directory. If a directory, it triggers on any file read in that dir (but not subdirs).
 16 | 
 17 | */
 18 | #include <stdio.h>
 19 | #include <stdlib.h>
 20 | #include <unistd.h>
 21 | #include <string.h>
 22 | #include <limits.h>
 23 | #include <sys/types.h>
 24 | #include <sys/inotify.h>
 25 | #include <math.h>
 26 | #include <netdb.h>
 27 | #include <assert.h>
 28 | #include <time.h>
 29 | 
 30 | #include "base32.h"
 31 | 
 32 | #define MAX_DNS_LEN 254
 33 | #define MAX_LABEL_LEN 62
 34 | #define PORT "80"
 35 | 
 36 | #define BASE32_SIZE(x) ((int)(ceil(ceil(8.0 * (x) / 5) / 8) * 8))
 37 | #define BUF_LEN (10 * (sizeof(struct inotify_event) + NAME_MAX + 1))
 38 | 
 39 | #ifdef DEBUG
 40 | #define dprintf(...) printf (__VA_ARGS__)
 41 | #else
 42 | #define dprintf(...) {}
 43 | #endif
 44 | 
 45 | char *files[256];
 46 | 
 47 | static void request_hostname(char *hostname) {
 48 |     struct addrinfo hints, *resp;
 49 |     memset(&hints, 0, sizeof(hints));
 50 |     int r = getaddrinfo(hostname, PORT, &hints, &resp);
 51 |     if (r != 0) 
 52 |         dprintf("%s\n", gai_strerror(r));
 53 |         
 54 |     dprintf("Lookup done\n");
 55 | }
 56 | 
 57 | static void build_base32_hostname(char *buf, size_t buf_size, char *file_name) {
 58 |     unsigned int plain_size, label_count;
 59 |     char *local_buf = malloc(buf_size); char *tmp = local_buf;
 60 | 
 61 |     assert(local_buf);
 62 | 
 63 |     dprintf("Buf_size = %d\n", (int) buf_size);
 64 | 
 65 |     //buffer can take buf_size hostname. how much filename fits in there after base32 conversion?
 66 |     plain_size = ceil( ((double)buf_size - 1) / 8) * 5 ;
 67 |     dprintf("base32 should take %d bytes\n", plain_size);
 68 | 
 69 |     //include space for DNS label separators '.'
 70 |     plain_size -= plain_size / MAX_LABEL_LEN; 
 71 |     dprintf("Number of dots: %d\n", plain_size / MAX_LABEL_LEN);
 72 | 
 73 |     //shrink the filename until it fits into the free space
 74 |     while (strlen(file_name) > plain_size)
 75 |         file_name++;
 76 | 
 77 |     base32_encode(local_buf, &buf_size, file_name, strlen(file_name));
 78 |     dprintf("Expected %d bytes from base32 and dot insertion. Filename length is %d back\n", plain_size, (int) strlen(file_name));
 79 | 
 80 |     label_count = 0;
 81 |     while (tmp < local_buf + strlen(local_buf) && buf < buf+buf_size){
 82 |         *buf = *tmp;
 83 |         if (++label_count > MAX_LABEL_LEN) {
 84 |            buf++;
 85 |            *buf = '.';
 86 |            label_count = 0;
 87 |         }
 88 |         buf++;
 89 |         tmp++;
 90 |     }
 91 | 
 92 |     free(local_buf);
 93 | }
 94 | 
 95 | static void process_event(struct inotify_event *i, char *token, unsigned int token_size)
 96 | {
 97 |     char *fn, *fn_shrink;
 98 |     unsigned int size;
 99 |     size_t free_space = MAX_DNS_LEN - (token_size + 1 + 3 + 1); // + 1 + 3 + 1 is for the '.L??.' in front
100 |     char hostname[MAX_DNS_LEN+1];
101 |     memset(hostname, 0, sizeof(hostname));
102 | 
103 |     srand(time(NULL));
104 | 
105 |     if (i->len > 0) {
106 |         dprintf("file read on dir = %s/%s\n", files[i->wd-1], i->name);
107 | 
108 |         size = asprintf(&fn, "%s/%s", files[i->wd-1], i->name);
109 |         if (size == -1)
110 |              return;
111 |     } else {
112 |         dprintf("file read = %s\n", files[i->wd-1]);
113 |         size = asprintf(&fn, "%s", files[i->wd-1]);
114 |         if (size == -1)
115 |              return;
116 |     }
117 |     
118 |     dprintf("Free space is %d\n", (unsigned int) free_space);
119 | 
120 |     dprintf("filename is %s\n", fn);
121 | 
122 |     build_base32_hostname(hostname, free_space, fn);
123 | 
124 |     dprintf("base32 filename: %s (%d bytes)\n", hostname, (unsigned int) strlen(hostname));
125 | 
126 |     snprintf(hostname+strlen(hostname), sizeof(hostname)-(strlen(hostname)+1),".L%02.f.%s", ((float)rand())/RAND_MAX*99, token);
127 |     dprintf("Requesting: %s (%d bytes)\n", hostname, (unsigned int) strlen(hostname));
128 | 
129 |     request_hostname(hostname);
130 | 
131 |     free(fn);
132 | }
133 | 
134 | 
135 | int main(int argc, char *argv[])
136 | {
137 |     int inotify_fd, path, res, i;
138 |     char buf[BUF_LEN] __attribute__ ((aligned(8)));
139 |     ssize_t read_count;
140 |     char *p, ps_name[256], token[256];
141 |     struct inotify_event *event;
142 |     pid_t parent;
143 | 
144 |     if (argc < 4 || argc > 258) {
145 |         dprintf("simple_inotify name token path [ path, ... ] \n");
146 |         exit(1);
147 |     }
148 | 
149 |     strncpy(ps_name, argv[1], sizeof(ps_name) - 1);
150 |     strncpy(token,   argv[2], sizeof(token) - 1);
151 | 
152 | 
153 |     inotify_fd = inotify_init();
154 |     if (inotify_fd == -1){
155 |         dprintf("inotify_init\n");
156 |         exit(2);
157 |     }
158 | 
159 |     for (path = 3; path < argc; path++) {
160 |         int name_length = strlen(argv[path])+1;
161 |         res = inotify_add_watch(inotify_fd, argv[path], IN_ACCESS);
162 |         files[path-3] = malloc(name_length);
163 |         strncpy(files[path-3], argv[path], name_length);
164 |         memset(argv[path], '\0', name_length);
165 |         if (res == -1) {
166 |             dprintf("inotify_add_watch\n");
167 |         exit(3);
168 |         }
169 |     }
170 | 
171 |     //clear out ps listing info
172 |     for (i = 2; i >= 0; i--) 
173 |         memset(argv[i], '\0', strlen(argv[i])+1);
174 |     //wut!?!?
175 |     strcpy(argv[0], ps_name);
176 | 
177 | #ifndef DEBUG
178 |     //daemonize and search for the lowest open PID
179 |     parent = getpid();
180 |     while (1) {
181 |         if (fork())
182 |            exit(5);
183 |     setsid();
184 | 
185 | #ifdef LOWPID
186 |     if (getpid() < parent)
187 | #endif
188 |     break;
189 |     }
190 | #endif
191 | 
192 |     //launch inotify watches 
193 |     while (1){
194 |         read_count = read(inotify_fd, buf, BUF_LEN);
195 |         if (read_count == 0) {
196 |             dprintf("read() from inotify fd returned 0!\n");
197 |             exit(4);
198 |         }
199 | 
200 |         if (read_count == -1) {
201 |             dprintf("read()\n");
202 |             exit(4);
203 |         }
204 | 
205 |         for (p = buf; p < buf + read_count; ) {
206 |             event = (struct inotify_event *) p;
207 |             process_event(event, token, strlen(token));
208 |             p += sizeof(struct inotify_event) + event->len;
209 |         }
210 |     }
211 | 
212 |     exit(0);
213 | }
214 | 


--------------------------------------------------------------------------------