Prelude probe recipe

Security probes are lightweight processes that know how to run tests.

1. Configure the process

The first few lines of a probe set environment variables that control how the probe behaves.

  • PRELUDE_DIR is an ephemeral directory that stores tests before they run.
  • PRELUDE_SLEEP is the number of seconds to sleep after running a series of tests.
  • PRELUDE_CA is the host from which probes expect tests to be served.
#!/bin/bash

# Ephemeral working directory for downloaded tests
PRELUDE_DIR=".vst"
# Seconds to sleep after a series of tests (overridable from the environment)
PRELUDE_SLEEP=${PRELUDE_SLEEP:=14440}
# Only tests served from this host are executed
PRELUDE_CA="prelude-account-prod-us-west-1.s3.amazonaws.com"

api="https://api.preludesecurity.com"
# "dos" header: platform and architecture, e.g. Linux-x86_64
dos=$(uname -s)-$(uname -m)

while :
do
    # Randomly named file that will hold the next test
    exe=$PRELUDE_DIR/$(openssl rand -hex 5)
    # Ask the API for a test; follow redirects and record the final URL
    location=$(curl -sfL -w %{url_effective} --create-dirs -o $exe -H "token: ${PRELUDE_TOKEN}" -H "dos: ${dos}" -H "dat: ${dat}" -H "version: 1.0" $api)
    # A UUID in the final URL means a test was returned
    test=$(echo $location | grep -o '[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}' | head -n 1)
    
    if [ $test ];then
        # Host portion of the final URL
        ca=$(echo $location | sed -e 's|^[^/]*//||' -e 's|/.*$||')

        # Safety check: only run tests served from PRELUDE_CA
        if [ "$PRELUDE_CA" == "$ca" ];then
            echo "[P] Running $test [$exe]"
            chmod +x $exe && $exe
            code=$?
            # dat = "<test uuid>:<exit code>", or 127 if the test file is gone
            dat="${test}:$([[ -f $exe ]] && echo $code || echo 127)"
        fi
    elif [[ "$location" == *"upgrade"* ]];then
        # Exit so the supervisor restarts the probe with the latest version
        echo "[P] Upgrade required" && exit 1
    else
        # No more tests: clean up, reset the dat and sleep until the next cycle
        rm -r $PRELUDE_DIR
        unset dat
        sleep $PRELUDE_SLEEP
    fi
done

2. Download the tests

Probes start by creating a randomly named file in PRELUDE_DIR. An API request is then made, and the returned security test is written into that file (-o). The request carries a dos header, the platform and architecture of the endpoint combined, which the API uses to locate a test built specifically for this type of endpoint.

Relevant lines of the probe script from step 1:

    exe=$PRELUDE_DIR/$(openssl rand -hex 5)
    location=$(curl -sfL -w %{url_effective} --create-dirs -o $exe -H "token: ${PRELUDE_TOKEN}" -H "dos: ${dos}" -H "dat: ${dat}" -H "version: 1.0" $api)

3. Is there a test?

When a probe downloads a test, the response URL is evaluated: if a valid UUID appears in the URL, the probe knows it has a test.

Relevant lines of the probe script from step 1:

    test=$(echo $location | grep -o '[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}' | head -n 1)

    if [ $test ];then

4. Safety check

The host of the response URL is then compared with PRELUDE_CA. The probe only executes tests that come from this verified location.

Relevant lines of the probe script from step 1:

        ca=$(echo $location | sed -e 's|^[^/]*//||' -e 's|/.*$||')

        if [ "$PRELUDE_CA" == "$ca" ];then

5. Run the test

The probe marks the test file as executable, runs it and captures the exit code. It then constructs a dat, the "data" that is sent back to the API. The dat contains only the test UUID and the exit code; no other telemetry leaves the endpoint.

Relevant lines of the probe script from step 1:

            echo "[P] Running $test [$exe]"
            chmod +x $exe && $exe
            code=$?
            dat="${test}:$([[ -f $exe ]] && echo $code || echo 127)"

6. Automatic upgrades

If the response URL contains the word "upgrade", the probe stops itself. Probe installers act as process supervisors, so the probe is restarted automatically, pulling down the latest version of the probe by default.

Relevant lines of the probe script from step 1:

    elif [[ "$location" == *"upgrade"* ]];then
        echo "[P] Upgrade required" && exit 1

7. Wrapping up

Probes run tests in a loop as they are returned from the API. Once all tests are complete, the probe removes PRELUDE_DIR, resets the dat and goes to sleep. When it wakes up, it starts the loop all over again.

Relevant lines of the probe script from step 1:

    else
        rm -r $PRELUDE_DIR
        unset dat
        sleep $PRELUDE_SLEEP
    fi
done
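The probe's decision path from steps 3 through 7 (UUID check, host check, dat construction, upgrade and sleep branches), as an added example that is not part of Prelude's probe: the logic is lifted into shell functions that take the effective URL as an argument, so each branch can be exercised without a live API call. The CA hostname and UUID pattern are the ones from the recipe; the URLs and exit codes fed to the functions are constructed.

```shell
#!/bin/bash
# Added example, not Prelude's probe code: the probe's decision logic
# from steps 3-7 pulled into functions that take a constructed effective
# URL instead of calling curl, so each branch can be exercised offline.
PRELUDE_CA="prelude-account-prod-us-west-1.s3.amazonaws.com"

# First UUID found in the effective URL (same pattern the probe greps for).
extract_test_id() {
    printf '%s\n' "$1" |
        grep -o '[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}' |
        head -n 1
}

# Host part of the URL: drop "scheme://" and everything from the first "/".
extract_host() {
    printf '%s\n' "$1" | sed -e 's|^[^/]*//||' -e 's|/.*$||'
}

# What the probe would do with a given effective URL:
#   run     - a UUID is present and the host is PRELUDE_CA
#   reject  - a UUID is present but the host is not PRELUDE_CA (never executed)
#   upgrade - no test, the API asked for a newer probe
#   sleep   - no test, end of the cycle
classify_location() {
    loc_id=$(extract_test_id "$1")
    if [ -n "$loc_id" ]; then
        if [ "$(extract_host "$1")" = "$PRELUDE_CA" ]; then
            echo run
        else
            echo reject
        fi
    else
        case "$1" in
            *upgrade*) echo upgrade ;;
            *)         echo sleep ;;
        esac
    fi
}

# The dat reported back: "<uuid>:<exit code>", or 127 (the shell's
# "command not found" code) when the test file no longer exists after the run.
# Arguments: test UUID, path of the test file, exit code of the run.
build_dat() {
    if [ -f "$2" ]; then
        echo "$1:$3"
    else
        echo "$1:127"
    fi
}
```

In the recipe itself the test body is already written to disk by curl -o before the host comparison runs; the check gates execution, not the download.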