{"id":27088956,"url":"https://github.com/devops-works/egress-auditor","last_synced_at":"2025-04-06T06:36:46.055Z","repository":{"id":55067240,"uuid":"457103363","full_name":"devops-works/egress-auditor","owner":"devops-works","description":"Audit your egress connections and finally populate this OUTPUT chain !","archived":false,"fork":false,"pushed_at":"2025-03-20T15:31:06.000Z","size":123,"stargazers_count":9,"open_issues_count":0,"forks_count":1,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-20T16:31:59.644Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devops-works.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-08T21:04:56.000Z","updated_at":"2025-03-20T15:31:08.000Z","dependencies_parsed_at":"2024-06-19T17:54:32.252Z","dependency_job_id":null,"html_url":"https://github.com/devops-works/egress-auditor","commit_stats":{"total_commits":27,"total_committers":1,"mean_commits":27.0,"dds":0.0,"last_synced_commit":"ae3b09c50bf342e7ab2388883db62bd6a521e2aa"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-works%2Fegress-auditor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-works%2Fegress-auditor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-works%2Fegress-auditor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/devops-works%2Fegress-auditor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devops-works","download_url":"https://codeload.github.com/devops-works/egress-auditor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247445686,"owners_count":20939953,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-04-06T06:36:45.536Z","updated_at":"2025-04-06T06:36:46.031Z","avatar_url":"https://github.com/devops-works.png","language":"Go","readme":"# egress-auditor\n\negress-auditor will monitor new outbound connections and generate appropriate\niptables rules (or logs, or ... depending on the [output plugin](#outputs)).\n\nConnections can be detected using several [methods](#inputs).\n\nThe goal is to audit what connections your system needs to establish outside,\nand this tool can help in several scenarios:\n\n- audit egress connections and automatically display the iptables rules required to\n  allow these connections;\n\n- when rules are in place, log all egress connections just before they are\n  dropped by the chain (explicitly or by the default policy) and send alerts\n  based on Loki queries, for instance;\n\n- only let connections be established if they are initiated by specific\n  processes (TBD, requires nfqueue).\n\nThis is early alpha stuff.\n\n## Quick start\n\n```bash\n# add an iptables rule on OUTPUT to send new connections to NFLOG\nsudo iptables -I OUTPUT -m state --state NEW -p tcp -j NFLOG --nflog-group 100\ngo build . 
\n# start egress-auditor using the nflog input and the same group id used in iptables\nsudo ./egress-auditor -i nflog -I nflog:group:100 -o iptables -O iptables:verbose:2\negress-auditor is running... press ctrl-c to stop\nnew TCP connection 192.168.1.229:60166 -\u003e 146.148.13.123:443(https) by curl\n^C # \u003c- Ctrl+C pressed here\n# [nflog] Line generated for curl running as ubuntu with command \"curl https://www.devops.works\"\n# [nflog] Parent of this process was bash running as ubuntu\niptables -I OUTPUT -d 146.148.13.123 -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment \"curl\"\n```\n\nIf you use `nftables`, you can set up the nflog target like so:\n\n```bash\nnft insert rule filter output ct state new log group 100 accept\nnft insert rule ip6 filter output ct state new log group 100 accept\n```\n\n## Usage\n\nSee `-h` for help, and `-l` for the list of input/output plugins.\n\nIn a nutshell, inputs are added using `-i`, outputs using `-o`.\n\nIf a plugin needs options, they are passed using `-I` for inputs and `-O` for\noutputs. For those options, the required format is\n`pluginname:optionname:optionvalue`.\n\nFor instance, to set verbosity to 2 for the iptables output plugin, the proper\ninvocation is:\n\n```\n... -O iptables:verbose:2\n```\n\nOf course, this implies the iptables output module has been loaded using `-o\niptables` in the same CLI.\n\nThe `-R` option can be used to hide `egress-auditor` and its arguments from\n`ps` output. This allows for more sneaky auditing, preventing someone from spotting\nthe program too easily and killing it.\n\nFor instance, when running:\n\n```\nsudo ./egress-auditor -R '[loop25]' ...\n```\n\na call to `ps auwx | grep egress | grep -v grep` won't return any results,\nsince the process has been renamed to `[loop25]` (and hangs out with its other\nloop kernel-thread friends). 
\n\n## Building\n\n```\ngo build .\n```\n\nIf you're lazy and do not want to type `sudo` when running `egress-auditor`,\nyou can give it some capabilities:\n\n```\nsudo setcap 'cap_net_admin=+ep' ./egress-auditor \n```\n\n## Loki stack\n\nIf you want to play with captured egress logs in Loki, you can start a\ndocker-compose stack in the _misc directory, then point egress-auditor at Loki.\n\n```\ncd _misc\ndocker-compose up -d\ncd ..\nsudo iptables -I OUTPUT -m state --state NEW -p tcp -j NFLOG --nflog-group 100\nsudo ./egress-auditor -i nflog -I nflog:group:100 -o loki -O loki:url:http://127.0.0.1:3100 -O loki:labels:test=true,lokirules=yes,fizz=buzz\n```\n\nThen:\n\n- [login](http://localhost:3333/) with `admin:admin`,\n- create a [datasource](http://localhost:3333/datasources) with type 'Loki' and\n  URL `http://loki:3100`\n- click save and test, and go to the Explore panel to start playing, using\n  this query for instance: `sum by (process) (rate({destport=\"443\"} [1m]))`\n\n![Grafana Explore](_misc/grafana.png \"Grafana Explore\")\n\nPlease note that logging to a remote Loki server might generate log lines for\nLoki itself. 
You might want to prevent this traffic from being matched by the NFLOG\nrule.\n\n## Available modules\n\nRun `egress-auditor -l` to get an up-to-date list of modules and their options.\n\n### Inputs\n\n- [x] nflog: captures using the nflog iptables target\n- [x] nfqueue (+ auto-allow using process filters)\n- [ ] pcap (device + file, no proc info for the latter)\n- [ ] ebpf\n\n### Outputs\n\n- [x] iptables\n- [x] loki\n- [ ] json (file + stdout)\n\n## Caveats\n\n- supports only TCP for now\n- use `-I nflog:allow-loopback:true` to consider loopback-directed traffic\n- when using nflog, the originating process might not be found for really\n  short-lived connections\n\n## TODO\n\n- UDP\n- PTR lookups on destination?\n- pass down a logger to prevent logging mess\n- `-C`: how many cnx to capture before bailing out\n- `-t`: duration to capture before exiting\n- `-debug`\n\n## Licence\n\nMIT\n\nContributions welcome.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevops-works%2Fegress-auditor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevops-works%2Fegress-auditor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevops-works%2Fegress-auditor/lists"}