facebookincubator / TTPForge

The TTPForge is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).
MIT License

💡 [REQUEST] - When SIGTERM is received, perform all required clean up steps before exiting #476

Closed inesusvet closed 8 months ago

inesusvet commented 10 months ago

Implementation PR

No response

Reference Issues

No response

Summary

In case of a long-running TTP, the operator might want to stop the process in the middle. This might be done by sending a SIGTERM signal to the ttpforge process. It might be beneficial to perform the cleanup procedures for all the steps executed successfully.

Basic Example

Consider the following TTP file

name: Create a secret file and sleep for a day
description: |
  Emulates a TTP which might run for a long time
steps:
  - name: Setup
    inline: |
      echo "cakeisalie!" > secret
    cleanup:
      inline: |
        rm secret
  - name: Sleep
    inline: |
      sleep 86400

When the ttpforge process is stopped via SIGINT or SIGTERM, the cleanup for the first step is not performed, which leaves an artifact.

Drawbacks

The cleanup procedures might be faulty or take significant time to run. This might prevent ttpforge from exiting in corner cases.

Unresolved questions

Another option is to run cleanup procedures even for the currently running step. This might be helpful in the case where a new process is started on a remote host and ttpforge waits for some message from it. In case of shutting down, the remote process might be killed by the cleanup procedure for this step.
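A sketch of the requested behaviour, added here as an example and not code from TTPForge: a step runner whose context is cancelled by SIGINT/SIGTERM through signal.NotifyContext, which then runs the cleanup of every completed step in reverse order and bounds each cleanup with a timeout so the faulty-cleanup case from the Drawbacks section cannot keep the process alive. The Step type, RunTTP and the file/sleep steps that mirror the TTP above are assumptions made for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/signal"
	"syscall"
	"time"
)

type Step struct { // hypothetical stand-in for a TTP step: an action plus an optional cleanup
	Name    string
	Run     func(ctx context.Context) error
	Cleanup func() error
}
// RunTTP runs steps in order, stopping at the first error (including the ctx cancellation a
// SIGTERM produces), then runs each completed step's cleanup in reverse order, bounded by cleanupTimeout.
func RunTTP(ctx context.Context, steps []Step, cleanupTimeout time.Duration) (cleaned []string, err error) {
	n := 0 // number of steps that completed successfully
	for ; n < len(steps); n++ {
		if err = steps[n].Run(ctx); err != nil {
			break
		}
	}
	for i := n - 1; i >= 0; i-- {
		if s := steps[i]; s.Cleanup != nil {
			errc := make(chan error, 1)
			go func() { errc <- s.Cleanup() }()
			select {
			case cerr := <-errc:
				cleaned = append(cleaned, s.Name)
				err = errors.Join(err, cerr)
			case <-time.After(cleanupTimeout): // a faulty or slow cleanup must not block exit
				err = errors.Join(err, fmt.Errorf("cleanup for step %q timed out", s.Name))
			}
		}
	}
	return cleaned, err
}

func main() {
	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
	defer stop()
	fmt.Println(RunTTP(ctx, []Step{ // the issue's TTP: Setup with a cleanup, then a day-long Sleep
		{Name: "Setup", Run: func(context.Context) error { return os.WriteFile("secret", []byte("cakeisalie!\n"), 0o600) },
			Cleanup: func() error { return os.Remove("secret") }},
		{Name: "Sleep", Run: func(ctx context.Context) error { <-ctx.Done(); return ctx.Err() }}, // stands in for sleep 86400
	}, 5*time.Second)) // after SIGTERM prints: [Setup] context canceled
}
```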

d3sch41n commented 10 months ago

Thanks so much for writing up this issue! Gonna pick this up when I get back from leave in early February :)