github.com/cowsecurity/custom-rce-agent
Category: module, package
Version: 0.0.0-20250118205019-0e7d113cfe82
Repository: https://github.com/cowsecurity/custom-rce-agent.git
Documentation: pkg.go.dev

# README

RCE Agent


rce-agent is a gRPC-based Remote Command Execution (RCE) client and server. The server (or "agent") runs on a remote host and executes a whitelist of shell commands specified in a file. The client calls the agent to execute whitelisted commands. TLS is used to secure and authenticate both client and server.

rce-agent replaces SSH and other methods of remote code execution. There are no passwords—only TLS certificates—and commands are limited to a whitelist. This eliminates the need for SSH keys, passwords, or forwarding.

[Figure: RCE Agent diagram]

This package is meant to be integrated into your code. The rce.Client and rce.Server objects do all the heavy lifting so your client and agent code can focus on their domain-specific logic. See example/ for example code.

RCE Agent is also meant to be used with your private certificate authority (CA) for TLS-encrypted communication and mutual authentication of client and agent. (Setting up a private CA is beyond the scope of this project, but we highly suggest you use one!) Normally, only the client verifies the server's TLS certificate (cert). For additional security, your code should use rce.TLSFiles to create a Go tls.Config that makes the server (agent) verify the client's cert, too.
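
The mutual-authentication setup described above, as an added example that is not code from this project: it uses only the Go standard library and does not call rce.TLSFiles. The helper names `issue` and `handshake`, the host names, and the in-memory certificates are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue makes a constructed in-memory certificate; a nil ca yields a self-signed private CA.
func issue(cn string, ca *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{cn},
		Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	parent, signer := t, any(key)
	if ca != nil {
		parent, signer = ca.Leaf, ca.PrivateKey
	} else {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS handshake over an in-memory pipe and returns the agent's verdict.
func handshake(ca *x509.Certificate, agentCert tls.Certificate, clientCerts ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	agent := &tls.Config{Certificates: []tls.Certificate{agentCert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // agent rejects callers without a CA-signed cert
	client := &tls.Config{RootCAs: pool, ServerName: "agent.internal", Certificates: clientCerts}
	a, b := net.Pipe()
	defer a.Close()
	go io.Copy(io.Discard, tls.Client(b, client)) // handshakes on first Read, then drains
	return tls.Server(a, agent).Handshake()
}

func main() {
	ca := issue("ca.internal", nil)
	agent, client := issue("agent.internal", &ca), issue("client.internal", &ca)
	fmt.Println("with cert:", handshake(ca.Leaf, agent, client), "| without:", handshake(ca.Leaf, agent))
}
```

Without the `ClientAuth` setting the second handshake would also succeed, which is the "only the client verifies the server" default the paragraph warns about.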

# Packages

Package cmd provides command file specs and structures used by an rce.Server.
No description provided by the author
Package rce is a generated protocol buffer package.

# Functions

NewClient makes a new Client.
NewServer makes a new Server that listens on laddr and runs the whitelist of commands.
No description provided by the author

# Constants

No description provided by the author

# Variables

ConnectBackoffMaxDelay configures the dialer to use the provided maximum delay when backing off after failed connection attempts.
ConnectTimeout describes the total timeout for establishing a client connection to the rceagent server.
ErrCommandNotAllowed is a safeguard error returned by the internal gRPC server when ServerConfig.AllowedCommands is nil and ServerConfig.AllowAnyCommand is false.
ErrInvalidServerConfigAllowAnyCommand is returned by Server.StartServer() when ServerConfig.AllowAnyCommand is true but ServerConfig.AllowedCommands is non-nil.
ErrInvalidServerConfigDisableSecurity is returned by Server.StartServer() when ServerConfig.AllowAnyCommand is true and ServerConfig.TLS is nil but ServerConfig.DisableSecurity is false.
KeepaliveTime is the interval at which the client sends keepalive probes to the server.
KeepaliveTimeout is the amount of time the client waits to receive a response from the server after a keepalive probe.

# Structs

ServerConfig configures a Server.
TLSFiles represents the TLS files necessary to create a tls.Config.

# Interfaces

A Client calls a remote agent (server) to execute commands.
A Server executes a whitelist of commands when called by clients.

# Type aliases

New type for command interception.