
Self-Healing System — The Agent Cannot Die

A layered system that keeps the agent alive even when it is attacked, deleted, or the server is restarted.

The RawonGuard agent is designed around the principle of zero single point of failure. Each resilience mechanism stands on its own — if one layer fails, the next layer takes over automatically without operator intervention.

Recovery Time Targets

| Metric | Target |
|--------|--------|
| Module crash recovery | <5 seconds (goroutine supervisor) |
| Binary restore from backup | <30 seconds (inotify + RestoreFromBackup) |
| Service restart by recovery watchdog | <60 seconds |
| Cron traces | 0 (no suspicious entries) |

Layers Overview

Layer 1–7 — Stealth

  • Process name masquerade
  • /proc PID hiding (mount bind)
  • File hiding (LD_PRELOAD)
  • systemd-sysconf camouflage
  • Anti-forensic shell
  • Zero-trace installer
  • Goroutine crash recovery

Layer 8–9 — Self-Heal

  • Stealthy binary backup + chattr +i
  • Auto-restore if the binary is deleted
  • Watchdog SHA-256 integrity check
  • Real-time anti-tamper via inotify
  • Recovery service (no cron)
  • Federated watchdog coverage

Layer 10 — Persist

  • systemctl enable (auto-start)
  • systemd-conf-recover.service
  • OpenRC (Alpine/Gentoo)
  • SysVinit init.d + update-rc.d
  • rc.local universal fallback
  • All idempotent & auto-detect

Attack Scenarios

Scenario 1 — Kill Process

Attack: kill -9 <pid> / systemctl stop

  1. Automatic systemd restart (<3s): Restart=always RestartSec=3 in the unit file — the service comes back up
  2. If systemd is also disabled: recovery service loop (60s): systemd-conf-recover.service detects the service is down → systemctl start

Scenario 2 — Delete Binary

Attack: rm -rf /path/svc-daemon

  1. inotify detects IN_DELETE (<1s): antitamper.go triggers RestoreFromBackup()
  2. If inotify is too late: watchdog SHA-256 check (30s) — empty hash → automatic restore from backup

Scenario 3 — Delete Backup

Attack: rm -rf /var/lib/systemd/coredump/.XXXX

  1. chattr +i → Operation not permitted — the backup file is immutable, so rm fails even as root
  2. If chattr is bypassed: InitBackup() re-creates the backup within 10 minutes — the backup loop recreates it at the next alternative location

Scenario 4 — Server Restart

Attack: reboot / shutdown -r

  1. systemd auto-start after boot: WantedBy=multi-user.target — the agent starts before the login prompt
  2. Non-systemd servers: OpenRC / init.d / rc.local — the init system is auto-detected at install time

Recovery Timeline

| Time | Event | Detail |
|------|-------|--------|
| T+0s | Attack occurs | Threat actor kills the process, deletes the binary, or stops the service |
| T+0s–1s | inotify trigger | antitamper.go receives IN_DELETE → RestoreFromBackup() |
| T+3s | systemd Restart=always | If the process died from a kill, systemd restarts it within RestartSec=3 |
| T+5s | Goroutine supervisor | Module crash → runModule() recovers + restarts in-process |
| T+30s | Watchdog integrity check | checkBinaryIntegrity() — empty hash → restore from backup |
| T+60s | Recovery service loop | systemd-conf-recover.service checks the primary service |
| T+max 60s | Agent fully alive again | All modules active: heartbeat, watcher, terminal, tunnel |

Source Map

| File | Function | Mechanism |
|------|----------|-----------|
| guard/backup.go | InitBackup(), RestoreFromBackup() | Stealthy binary backup + chattr +i immutable |
| guard/resurrect.go | StartResurrect(), ensureRecoveryService() | systemd-conf-recover.service watchdog, no cron |
| guard/persist.go | EnsurePersistence() | OpenRC / init.d / rc.local for non-systemd |
| guard/antitamper.go | handleTamper() | inotify IN_DELETE → real-time binary restore |
| guard/watchdog.go | checkBinaryIntegrity() | SHA-256 hash check every 30s, restore if missing |
| main.go | runModule() | Goroutine supervisor, recover() + restart after 5s |
| agent/install.sh | systemctl enable | Registers all persistence layers at install time |