You must install clamav-devel in order to run this project.
- Core Service: This is the main process that runs in the background, monitoring system activity.
- Configuration Module: Manages the configuration settings for the agent (e.g., policies, monitoring intervals).
- Communication Module: Handles communication with a central server, if any, for updates, logging, and alerts.
- Plugins/Modules: Modular components that monitor specific aspects of the system (e.g., file system, network activity).
File Integrity Monitoring:
Monitor specific directories or files for changes using file hashing. Trigger alerts on unauthorized changes. Go libraries to consider: crypto/sha256 for hashing, os for file operations.
Continuously monitor running processes.
Detect and alert on suspicious or unauthorized processes.
Go libraries to consider: os/exec for process listings.
Monitor outgoing and incoming network connections.
Detect connections to known malicious IPs or unusual traffic patterns.
Go libraries to consider: net for network operations.
Monitor system logs for suspicious entries.
Go libraries to consider: native file reading capabilities or third-party log parsing libraries.
Monitor CPU, memory, disk space, and other system metrics.
Alert if metrics cross certain thresholds.
Go libraries to consider: runtime for basic metrics, or third-party libraries for detailed system monitoring.
Generate alerts for detected anomalies or policy violations. Send alerts to a central server, log them locally, or even send them via email or other communication methods.
The agent should be able to receive updates for configurations, threat intelligence, or even binary updates. Implement a secure mechanism for updates to ensure the agent isn't compromised via this vector.
Ensure the agent itself is secure. Consider encrypting sensitive data. Regularly audit the code and consider penetration testing. Use Go's native capabilities for secure communications (e.g., crypto/tls).
The agent should be easy to deploy across multiple machines. Consider a command & control (C2) server for centralized management, configuration, and updates.
One of the challenges with endpoint agents is supporting multiple OSes. Design your agent to be modular to support different OS-specific monitoring modules.
Performance: The agent should have minimal impact on system performance.
Stealth: Malicious actors may attempt to detect or disable the agent.
False Positives: Ensure the agent doesn't generate excessive false alerts, which can lead to alert fatigue.