path: root/cmd/silentct-mon
diff options
Diffstat (limited to 'cmd/silentct-mon')
4 files changed, 264 insertions, 0 deletions
diff --git a/cmd/silentct-mon/examples.help2man b/cmd/silentct-mon/examples.help2man
new file mode 100644
index 0000000..7a1e8fc
--- /dev/null
+++ b/cmd/silentct-mon/examples.help2man
@@ -0,0 +1,38 @@
+A basic configuration is shown below.
+ {
+ "monitor": [
+ {
+ "bootstrap_at": "2024-05-16T00:00:00Z",
+ "wildcard": "example.org",
+ "excludes": [
+ "test"
+ ]
+ }
+ ],
+ "nodes": [
+ {
+ "name": "example.org",
+ "secret": "sikritpassword",
+ "url": "https://www.example.org/silent-ct/allowlist",
+ "issues": [
+ "example.org",
+ "www.example.org"
+ ]
+ }
+ ]
+ }
+Bootstrap a new monitor in a non-existent directory:
+.B $ silentct-mon -b -d ~/.local/lib/silent-ct -f ~/.config/silent-ct/config.json
+Run the monitor continuously:
+.B $ silentct-mon -d ~/.local/lib/silent-ct -f ~/.config/silent-ct/config.json
+.B -v DEBUG
+to see what's happening underneath the hood.
diff --git a/cmd/silentct-mon/main.go b/cmd/silentct-mon/main.go
new file mode 100644
index 0000000..2d070fb
--- /dev/null
+++ b/cmd/silentct-mon/main.go
@@ -0,0 +1,222 @@
+package main
+import (
+ "context"
+ "errors"
+ "flag"
+ "fmt"
+ "log"
+ "os"
+ "os/signal"
+ "strings"
+ "sync"
+ "syscall"
+ "time"
+ "rgdd.se/silent-ct/internal/feedback"
+ "rgdd.se/silent-ct/internal/flagopt"
+ "rgdd.se/silent-ct/internal/ioutil"
+ "rgdd.se/silent-ct/internal/logger"
+ "rgdd.se/silent-ct/internal/manager"
+ "rgdd.se/silent-ct/internal/monitor"
+ "rgdd.se/silent-ct/pkg/policy"
+const usage = `
+silentct-mon is a tool that monitors Certificate Transparency logs. The tool
+can operate silently, which means there need not be any output unless a
+certificate is possibly mis-issued. This requires use of the silentct-mac
+utility on the trusted systems that legitimately request certificates.
+The same list of Certificate Transparency logs as Google Chrome is used. This
+list can be overridden in the silentct-mon configuration file.
+Usage: silentct-mon [Options] -d DIRECTORY -f POLICY-FILE
+ -b, --bootstrap Initializes a new state directory (Default: false)
+ -c, --contact A string that helps log operators know who you are (Default: "")
+ -d, --directory Path to a directory where all state will be stored
+ -w, --num-workers Number of parallel workers to fetch each log with (Default: 1)
+ -o, --output-file File that all output will be written to (Default: stdout)
+ -e, --please-exit Toggle to only run until up-to-date (Default: false)
+ -f, --policy-file Path to the monitor's policy file in JSON format
+ -p, --pull-interval How often nodes are pulled for certificates (Default: 15m)
+ -v, --verbosity Leveled logging output (default: NOTICE)
+type config struct {
+ // Options
+ verbosity string
+ bootstrap bool
+ contact string
+ directory string
+ pleaseExit bool
+ policyFile string
+ outputFile string
+ pullInterval time.Duration
+ numWorkers uint
+ // Extracted
+ log *logger.Logger
+ policy policy.Policy
+func configure(cmd string, args []string) (cfg config, err error) {
+ fs := flag.NewFlagSet(cmd, flag.ContinueOnError)
+ fs.Usage = func() {}
+ flagopt.BoolOpt(fs, &cfg.bootstrap, "bootstrap", "b", false)
+ flagopt.StringOpt(fs, &cfg.contact, "contact", "c", "")
+ flagopt.StringOpt(fs, &cfg.directory, "directory", "d", "")
+ flagopt.UintOpt(fs, &cfg.numWorkers, "num-workers", "w", 1)
+ flagopt.StringOpt(fs, &cfg.outputFile, "output-file", "o", "")
+ flagopt.BoolOpt(fs, &cfg.pleaseExit, "please-exit", "e", false)
+ flagopt.StringOpt(fs, &cfg.policyFile, "policy-file", "f", "")
+ flagopt.DurationOpt(fs, &cfg.pullInterval, "pull-interval", "p", 15*time.Minute)
+ flagopt.StringOpt(fs, &cfg.verbosity, "verbosity", "v", logger.LevelNotice.String())
+ if err = fs.Parse(args); err != nil {
+ return cfg, err
+ }
+ // Options
+ if cfg.directory == "" {
+ return cfg, fmt.Errorf("directory is a required option")
+ }
+ if cfg.numWorkers == 0 || cfg.numWorkers >= 4 {
+ return cfg, fmt.Errorf("number of workers must be in [1, 4)")
+ }
+ output := os.Stdout
+ if cfg.outputFile != "" {
+ if output, err = os.OpenFile(cfg.outputFile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644); err != nil {
+ return cfg, fmt.Errorf("failed to open output file: %v", err)
+ }
+ }
+ if cfg.policyFile == "" {
+ return cfg, fmt.Errorf("policy file is a required option")
+ }
+ if err := ioutil.ReadJSON(cfg.policyFile, &cfg.policy); err != nil {
+ return cfg, err
+ }
+ if len(cfg.policy.Monitor) == 0 {
+ return cfg, fmt.Errorf("policy: need at least one wildcard to monitor")
+ }
+ lv, err := logger.NewLevel(cfg.verbosity)
+ if err != nil {
+ return cfg, fmt.Errorf("invalid verbosity: %v", err)
+ }
+ cfg.log = logger.New(logger.Config{Level: lv, File: output})
+ // Arguments
+ if len(fs.Args()) != 0 {
+ return cfg, fmt.Errorf("trailing arguments are not permitted")
+ }
+ return cfg, nil
+func main() {
+ cfg, err := configure(os.Args[0], os.Args[1:])
+ if err != nil {
+ if errors.Is(err, flag.ErrHelp) {
+ fmt.Fprintf(os.Stdout, "%s", usage[1:])
+ os.Exit(0)
+ }
+ if !strings.Contains(err.Error(), "flag provided but not defined") {
+ fmt.Fprintf(os.Stdout, "%v\n", err)
+ }
+ os.Exit(1)
+ }
+ feventCh := make(chan []feedback.Event)
+ defer close(feventCh)
+ mconfigCh := make(chan monitor.MonitoredLog)
+ defer close(mconfigCh)
+ meventCh := make(chan monitor.Event)
+ defer close(meventCh)
+ errorCh := make(chan error)
+ defer close(errorCh)
+ mgr, err := manager.New(manager.Config{
+ Policy: cfg.policy,
+ Bootstrap: cfg.bootstrap,
+ Directory: cfg.directory,
+ Logger: cfg.log,
+ AlertDelay: cfg.pullInterval * 3 / 2,
+ }, feventCh, meventCh, mconfigCh, errorCh)
+ if err != nil {
+ cfg.log.Dief("manager: %v\n", err)
+ }
+ mon, err := monitor.New(monitor.Config{
+ Matcher: &cfg.policy.Monitor,
+ Logger: cfg.log,
+ Contact: cfg.contact,
+ NumWorkers: cfg.numWorkers,
+ }, meventCh, mconfigCh, errorCh)
+ if err != nil {
+ cfg.log.Dief("monitor: %v\n", err)
+ }
+ fb, err := feedback.New(feedback.Config{
+ Policy: cfg.policy,
+ Logger: cfg.log,
+ PullInterval: cfg.pullInterval,
+ }, feventCh)
+ if err != nil {
+ cfg.log.Dief("feedback: %v\n", err)
+ }
+ if cfg.bootstrap {
+ os.Exit(0)
+ }
+ if cfg.pleaseExit {
+ cfg.log.Dief("the --please-exit option is not supported yet\n")
+ }
+ var wg sync.WaitGroup
+ ctx, cancel := context.WithCancel(context.Background())
+ wg.Add(1)
+ go func() {
+ defer wg.Done()
+ defer cancel()
+ await(ctx)
+ }()
+ wg.Add(1)
+ go func() {
+ defer wg.Done()
+ defer cancel()
+ mon.RunForever(ctx)
+ }()
+ wg.Add(1)
+ go func() {
+ defer wg.Done()
+ defer cancel()
+ fb.RunForever(ctx)
+ }()
+ os.Exit(func() int {
+ defer wg.Wait()
+ defer cancel()
+ if err := mgr.Run(ctx); err != nil {
+ log.Fatalf("manager: %v\n", err)
+ return 1
+ }
+ return 0
+ }())
+func await(ctx context.Context) {
+ sigs := make(chan os.Signal, 1)
+ defer close(sigs)
+ signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+ select {
+ case <-sigs:
+ case <-ctx.Done():
+ }
diff --git a/cmd/silentct-mon/name.help2man b/cmd/silentct-mon/name.help2man
new file mode 100644
index 0000000..a4edcc1
--- /dev/null
+++ b/cmd/silentct-mon/name.help2man
@@ -0,0 +1,2 @@
+silentct-mon - monitor Certificate Transparency logs
diff --git a/cmd/silentct-mon/see-also.help2man b/cmd/silentct-mon/see-also.help2man
new file mode 100644
index 0000000..d4b9782
--- /dev/null
+++ b/cmd/silentct-mon/see-also.help2man
@@ -0,0 +1,2 @@
+.BR silentct-mac (1)