{"id":13510857,"url":"https://github.com/anvilsecure/dawgmon","last_synced_at":"2025-07-09T23:32:12.443Z","repository":{"id":62566967,"uuid":"102987513","full_name":"anvilsecure/dawgmon","owner":"anvilsecure","description":"dawg the hallway monitor - monitor operating system changes and analyze introduced attack surface when installing software","archived":false,"fork":false,"pushed_at":"2019-11-14T14:43:26.000Z","size":74,"stargazers_count":55,"open_issues_count":0,"forks_count":8,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-06-30T21:48:04.451Z","etag":null,"topics":["analyzer","attack","debian","linux","monitoring-application","monitoring-tool","python","python3","secure","security-scanner","security-tools","surface","ubuntu"],"latest_commit_sha":null,"homepage":"https://anvilsecure.com","language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anvilsecure.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-09-09T22:01:35.000Z","updated_at":"2025-03-22T10:31:03.000Z","dependencies_parsed_at":"2022-11-03T16:30:31.163Z","dependency_job_id":null,"html_url":"https://github.com/anvilsecure/dawgmon","commit_stats":null,"previous_names":["anvilventures/dawgmon"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/anvilsecure/dawgmon","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fdawgmon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fdawgmon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fdawgmon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fdawgmon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anvilsecure","download_url":"https://codeload.github.com/anvilsecure/dawgmon/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fdawgmon/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264505254,"owners_count":23618909,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analyzer","attack","debian","linux","monitoring-application","monitoring-tool","python","python3","secure","security-scanner","security-tools","surface","ubuntu"],"created_at":"2024-08-01T02:01:56.762Z","updated_at":"2025-07-09T23:32:12.150Z","avatar_url":"https://github.com/anvilsecure.png","language":"Python","readme":"dawgmon - Dawg the Hallway Monitor\n\nSUMMARY\n\nThe name of this tool is based upon an episode (season 10, episode 10) of South\nPark in which Cartman is Dawg the Hallway Monitor patrolling the hallways of\nhis school.  It's a tool which helps one to monitor changes which have taken\nplace on a Linux-based system since the previous time the tool was ran. \n\nOne way to use it is to use something like the included sample cronjob to run\ndawgmon on a regular interval and email the results to the system\nadministrator. This can help with identifying machines upon which nefarious\nthings are happening and monitor who's installing what and where. Please note\nthat any serious kernel backdoor will easily be able to hide itself from this\ntool and as such it's just one added tool in one's toolkit but it should not\nrelied upon for full security monitoring of Linux machines. It's just one extra\noption in one's toolbox.\n\nThe other way it's useful is by generating a baseline before installing a piece\nof software. Then after installing this piece of software one will run the tool\nagain and then it's easy to see which changes were made on the system. An\nexample after establishing a baseline and then installing virtualbox on a\nmachine might yield something like this:\n\n# ./dawgmon -gfA\n1 change detected (0 warnings)            \n+ systemd property NNames changed from 259 to 261\n# apt install virtualbox-5.1\n[...]\n# ./dawgmon -gfA\n33 changes detected (0 warnings)          \n+ size of file /etc/group changed from 937 to 954\n+ file /etc/group got modified on 2017-09-14 19:29:51.804811 +0200\n+ size of file /etc/group- changed from 934 to 937\n+ file /etc/group- got modified on 2017-09-14 19:29:14.000000 +0200\n+ file /etc/gshadow got modified on 2017-09-14 19:29:51.812811 +0200\n+ size of file /etc/gshadow- changed from 777 to 794\n+ size of file /etc/mailcap changed from 40777 to 41063\n+ file /etc/mailcap got modified on 2017-09-14 19:29:51.632812 +0200\n+ file /etc/systemd/system/multi-user.target.wants/vboxautostart-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=49)\n+ file /etc/systemd/system/multi-user.target.wants/vboxballoonctrl-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=51)\n+ file /etc/systemd/system/multi-user.target.wants/vboxdrv.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=35)\n+ file /etc/systemd/system/multi-user.target.wants/vboxweb-service.service got created (owner=root, group=root, perm=lrwxrwxrwx, size=43)\n+ file /etc/udev/rules.d/60-vboxdrv.rules got created (owner=root, group=root, perm=-rw-r--r--, size=747)\n+ group vboxusers added\n+ package virtualbox-5.1 is to be installed\n+ suid binary /usr/lib/virtualbox/VBoxHeadless got created (owner=root, group=root, perm=-r-s--x--x, size=158304)\n+ suid binary /usr/lib/virtualbox/VBoxNetAdpCtl got created (owner=root, group=root, perm=-r-s--x--x, size=23144)\n+ suid binary /usr/lib/virtualbox/VBoxNetDHCP got created (owner=root, group=root, perm=-r-s--x--x, size=158304)\n+ suid binary /usr/lib/virtualbox/VBoxNetNAT got created (owner=root, group=root, perm=-r-s--x--x, size=158304)\n+ suid binary /usr/lib/virtualbox/VBoxSDL got created (owner=root, group=root, perm=-r-s--x--x, size=158296)\n+ suid binary /usr/lib/virtualbox/VBoxVolInfo got created (owner=root, group=root, perm=-r-s--x--x, size=10472)\n+ suid binary /usr/lib/virtualbox/VirtualBox got created (owner=root, group=root, perm=-r-s--x--x, size=158304)\n+ i-node for listening UNIX socket /run/systemd/private changed from 3428734 to 3452848\n+ systemd property NInstalledJobs changed from 8392199 to 3238035463\n+ systemd property NNames changed from 261 to 263\n+ systemd unit file vboxautostart-service.service added\n+ systemd unit file vboxballoonctrl-service.service added\n+ systemd unit file vboxdrv.service added\n+ systemd unit file vboxweb-service.service added\n+ systemd unit 'vboxautostart-service.service' added\n+ systemd unit 'vboxballoonctrl-service.service' added\n+ systemd unit 'vboxdrv.service' added\n+ systemd unit 'vboxweb-service.service' added\n\nThe above helps with now doing a thorough security review of virtualbox. The\ninstalled suid binaries are obvious points of entry and the run services are\ninteresting.\n\nAnother example run which correctly detects TCP ports opening and closing:\n\n# ./dawgmon -gfA\n0 changes detected (0 warnings)           \n# nc -l -p 4455 \u0026\n[1] 12489\n# ./dawgmon -gfA\n1 change detected (0 warnings)            \n+ port 4455 tcp opened\n# fg\nnc -l -p 4455\n^C\n# ./dawgmon -gfA\n1 change detected (0 warnings)            \n+ port 4455 tcp closed\n# \n\nThe tool is not meant for complete accuracy. There are very serious\nrecommendations normally to not rely on the output of GNU core-utils such as ls\nfor tool input. In other words; one should rarely build tools to parse and rely\non this type of output as it can change all the time. Realistically the output\nof these tools is relatively stable as a lot of people and automatic tools\nalready rely on their outputs for all kinds of purposes.\n\nHowever the tradeoff for dawgmon is the following; we would need to implement a\nlot of logic to do file system monitoring ourselves, build complex binaries\nthat include libraries to do the parsing and monitoring of block devices, the\nnetwork interfaces and what not more. This will also make the tool way more\ncomplex and less maintainable. On projects right now one can add a new command\nincluding change detection in very little time as the main dawgmon tool already\ntakes care of caching, executing the command and then supplying the previous\nand current output when running a comparision to a command implementation. This\nmeans that on time-constrained projects one can very quickly add a new command\nand run analysises including those new commands.\n\nA command can be added by simply inheriting from the Command class. This class\nis defined in commands/__init__.py. That file contains also the master list of\ncommands (and the order in which they're executed when doing a full analysis).\nThen the properties like 'name', 'shell', 'command' and 'desc' will have to be\nset and two methods 'parse()' and 'compare()' will have to be implemented.\nEnough commands are included to get a good idea on how to implement and add new\nones. \n\n\nUSAGE\n\nFor best results run the tool as root. For help type -h/--help and for version\ninformation type -v/--version.\n\nA main action will always have to be specified. These actions are:\n-A: analyze the system\n-C: compare cache entries\n-E: list available commands\n-L: list cache entries\n\n# runs an analysis\ndawgmon -A\n\n# runs an analysis but only with a few commands\ndawgmon -A -e list_suids -e list_tcpudp_ports\n\n# shows the list of available commands\ndawgmon -E\n\n# shows available cache entries for comparison\ndawgmon -L\n\n# compare old cache entry 3 with new cache entry 5\ndawgmon -C 3 5\n\nFurther options to help with the analysis are:\n\n-d: show debug output\n-e: execute a specific command (can be used multiple times)\n-f: force a run without warning about running as root\n-g: colorize the output\n-l: location of the database cache to use\n-m: maximum amount of cache entries to allow in cache (if cache has more\nentries than this amount it will truncate the database) \n-t: do not output timestamp information per detected anomaly.\n\nFor more usage information run the tool with -h.\n\n\nLIMITATIONS\n\nThe tool parses output of commandline tools and relies on GNU core-utils\nspecific options for some of it.  There's no specific reason why this tool and\nthe command implementations cannot be quickly ported to other operating systems\nsuch as the BSD's but right now no Operating System detection is taking place\nnor is there a classification of commands based on Operating System support\nbeing done. That would have to be implemented first.\n\nRegarding the finding of pipes, UNIX sockets, files in /boot, /etc and more one\nshould note that the usage of -xdev passed to 'find' means that not all\nfilesystems mounted under the start directory will be traversed. This means\nthat for example /boot will be properly scanned but /boot/efi might not be.\nSome smarter approach will have to be used here in the future.\n\nThe timestamps when doing a current analysis might be a bit confusing. By\ndefault a timestamp for a warning, normal or debug anomaly message will be the\ntimestamp of its generation time (as can be seen in commands/__init__.py). The\nanomalies are generated after a full commandline scan has been done. So the\noutput upon which this detection works was generated earlier and subsequently\nthe timestamps for individual anomalies show a time after the time of the scan.\nWhen comparing cache entries the timestamp of the scan is being used to output\nthe time at which the detection happend as that makes logically simply more\nsense.\n\n\nABOUT\n\nAll rights reserved. Copyright (C) 2017-2019 by Anvil Ventures Inc.\nFor licensing information see LICENSE.\nFor more information contact Vincent Berg \u003cgvb@anvilventures.com\u003e\n\nTo find updated source code or to contribute patches go to the following URL:\nhttps://github.com/anvilventures/dawgmon/\n","funding_links":[],"categories":["Python","ubuntu"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanvilsecure%2Fdawgmon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanvilsecure%2Fdawgmon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanvilsecure%2Fdawgmon/lists"}