Hi @drzraf, I agree, allowing interpreters unconditionally can be dangerous. Instead, what I do is allow interpreters by path and cmdline (and maybe dest port) if I have a script that is running periodically or if I execute it on a regular basis. Apart from that, I don't allow language interpreters by default. Regarding the notifications, we will need a new feature to alert when a rule matches. It could show a desktop notification, invoke a webhook, send an email, etc. There are some things already implemented (like displaying notifications when there are kernel errors, etc.), but we need to add it to the rules part. Something like:
I have found myself a couple of times in a situation where I grant a program access to a specific domain (let's say a language interpreter and GitHub), but I'd like to keep being notified when such accesses happen (like the audit rule in AppArmor).
The reason is related to the relationship between package manager, language interpreter and software/package repository.
Granting access to GitHub unconditionally isn't good, nor is granting it to Python, PHP, node, ...
But when composer (node, ...) runs, that's what opensnitch asks for: the underlying language interpreter. Moreover, GitHub or pypi may host malware too, given the importance of the domain.
While I can grant the interpreter the access, I'd feel safer if I kept being notified about future accesses that happen when I'm not expecting them. (Granted, malware exploiting the PHP->gist.github.com rule will get the job done, but at least I could know about it sooner, or it could catch my attention.)
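The reply's approach of allowing an interpreter only for a given path, command line and destination port can be modelled as follows. This is an added example, not code from the thread or from OpenSnitch itself: the evaluator is a simplified stand-in for rule matching, and the rule name, PHP path, composer path, host and events are constructed assumptions.

```python
import re

# Constructed rule shaped like an OpenSnitch "list" operator: every
# sub-condition must match. Paths, host and port are assumptions.
RULE = {
    "name": "allow-composer-github",
    "action": "allow",
    "operator": {
        "type": "list",
        "list": [
            {"type": "simple", "operand": "process.path", "data": "/usr/bin/php8.2"},
            {"type": "regexp", "operand": "process.command",
             "data": r"^/usr/bin/php8\.2 /usr/local/bin/composer( |$)"},
            {"type": "simple", "operand": "dest.host", "data": "api.github.com"},
            {"type": "simple", "operand": "dest.port", "data": "443"},
        ],
    },
}

def matches(op, conn):
    """Evaluate one operator against a connection described as a dict."""
    if op["type"] == "list":
        return all(matches(sub, conn) for sub in op["list"])
    value = str(conn.get(op["operand"], ""))
    if op["type"] == "simple":
        return value == op["data"]
    if op["type"] == "regexp":
        return re.search(op["data"], value) is not None
    raise ValueError(f"unsupported operator type: {op['type']}")

def verdict(rule, conn):
    """Return the rule's action if it matches, else 'ask' (prompt the user)."""
    return rule["action"] if matches(rule["operator"], conn) else "ask"

# Constructed events: the expected composer run, the same interpreter running
# another script, and composer reaching a host the rule does not name.
PHP, COMPOSER = "/usr/bin/php8.2", "/usr/bin/php8.2 /usr/local/bin/composer install"
EVENTS = [
    {"process.path": PHP, "process.command": COMPOSER,
     "dest.host": "api.github.com", "dest.port": 443},
    {"process.path": PHP, "process.command": "/usr/bin/php8.2 /tmp/x.php",
     "dest.host": "api.github.com", "dest.port": 443},
    {"process.path": PHP, "process.command": COMPOSER,
     "dest.host": "gist.github.com", "dest.port": 443},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(verdict(RULE, ev), ev["process.command"], "->", ev["dest.host"])
```

Only the first event is covered by the rule; the other two fall through to a prompt, which is how a narrow rule keeps unexpected interpreter traffic visible.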