@panguard-ai/panguard-guard 0.1.0

package/dist/response/process-killer.js

@@ -0,0 +1,230 @@
+/**
+ * Process Killer - Terminate processes with child cleanup and safety checks
+ * 程序終止器 - 終止程序（含子程序清理與安全檢查）
+ *
+ * Features:
+ * - Kill process and all child processes (process tree)
+ * - Protected process list (never kill system-critical processes)
+ * - SIGTERM first, SIGKILL after timeout
+ * - Cross-platform support
+ *
+ * @module @panguard-ai/panguard-guard/response/process-killer
+ */
+import { execFile } from 'node:child_process';
+import { platform } from 'node:os';
+import { createLogger } from '@panguard-ai/core';
+const logger = createLogger('panguard-guard:process-killer');
+/** Protected system processes that must never be killed / 不可終止的系統程序 */
+const PROTECTED_PROCESSES = new Set([
+    // Unix/Linux
+    'init',
+    'systemd',
+    'launchd',
+    'sshd',
+    'cron',
+    'atd',
+    'journald',
+    'udevd',
+    'dbus-daemon',
+    'NetworkManager',
+    'login',
+    'getty',
+    // macOS
+    'loginwindow',
+    'WindowServer',
+    'kernel_task',
+    'mds',
+    'mds_stores',
+    'coreaudiod',
+    'diskarbitrationd',
+    'configd',
+    // Windows
+    'explorer.exe',
+    'svchost.exe',
+    'csrss.exe',
+    'lsass.exe',
+    'services.exe',
+    'winlogon.exe',
+    'wininit.exe',
+    'smss.exe',
+    'System',
+    'dwm.exe',
+    // Self
+    'panguard-guard',
+    'node',
+]);
+/** Protected PIDs / 受保護的 PID */
+const PROTECTED_PIDS = new Set([0, 1]);
+/**
+ * Process Killer with safety checks and tree killing
+ * 程序終止器（含安全檢查與程序樹終止）
+ */
+export class ProcessKiller {
+    additionalProtected;
+    constructor(additionalProtectedProcesses = []) {
+        this.additionalProtected = new Set(additionalProtectedProcesses);
+    }
+    /** Check if process name is protected / 檢查程序名稱是否受保護 */
+    isProtected(nameOrPid) {
+        if (typeof nameOrPid === 'number') {
+            return PROTECTED_PIDS.has(nameOrPid) || nameOrPid === process.pid;
+        }
+        return PROTECTED_PROCESSES.has(nameOrPid) || this.additionalProtected.has(nameOrPid);
+    }
+    /**
+     * Kill a process and optionally its children
+     * 終止程序（可選終止子程序）
+     */
+    async kill(pid, options = {}) {
+        const { processName, killChildren = true, gracePeriodMs = 3000 } = options;
+        // Safety: protected PID check
+        if (PROTECTED_PIDS.has(pid) || pid === process.pid) {
+            return {
+                pid,
+                processName,
+                success: false,
+                message: `PID ${pid} is protected and cannot be killed`,
+                childrenKilled: 0,
+            };
+        }
+        // Safety: protected process name check
+        if (processName &&
+            (PROTECTED_PROCESSES.has(processName) || this.additionalProtected.has(processName))) {
+            return {
+                pid,
+                processName,
+                success: false,
+                message: `Process "${processName}" is protected`,
+                childrenKilled: 0,
+            };
+        }
+        let childrenKilled = 0;
+        // Kill children first if requested
+        if (killChildren) {
+            try {
+                const children = await this.getChildPIDs(pid);
+                for (const childPid of children) {
+                    try {
+                        process.kill(childPid, 'SIGTERM');
+                        childrenKilled++;
+                    }
+                    catch {
+                        // Child may have already exited
+                    }
+                }
+            }
+            catch {
+                // Failed to get children, continue with parent
+            }
+        }
+        // SIGTERM first (graceful)
+        try {
+            process.kill(pid, 'SIGTERM');
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (err.code === 'ESRCH') {
+                return {
+                    pid,
+                    processName,
+                    success: true,
+                    message: 'Process already exited',
+                    childrenKilled,
+                };
+            }
+            return {
+                pid,
+                processName,
+                success: false,
+                message: `SIGTERM failed: ${msg}`,
+                childrenKilled,
+            };
+        }
+        // Wait for graceful exit, then SIGKILL if still alive
+        const isAlive = await this.waitForExit(pid, gracePeriodMs);
+        if (isAlive) {
+            try {
+                process.kill(pid, 'SIGKILL');
+                logger.info(`SIGKILL sent to PID ${pid} after grace period`);
+            }
+            catch {
+                // Process may have exited between check and kill
+            }
+        }
+        logger.info(`Killed process PID ${pid}${processName ? ` (${processName})` : ''}, ${childrenKilled} children terminated`);
+        return {
+            pid,
+            processName,
+            success: true,
+            message: `Process PID ${pid} terminated (${childrenKilled} children also killed)`,
+            childrenKilled,
+        };
+    }
+    /**
+     * Get child PIDs of a process / 取得程序的子 PID
+     */
+    async getChildPIDs(parentPid) {
+        const os = platform();
+        try {
+            if (os === 'win32') {
+                const stdout = await execFilePromise('wmic', [
+                    'process',
+                    'where',
+                    `(ParentProcessId=${parentPid})`,
+                    'get',
+                    'ProcessId',
+                ]);
+                return stdout
+                    .split('\n')
+                    .map((line) => parseInt(line.trim(), 10))
+                    .filter((pid) => !isNaN(pid) && pid !== parentPid);
+            }
+            else {
+                // Unix/macOS: use pgrep
+                const stdout = await execFilePromise('/usr/bin/pgrep', ['-P', String(parentPid)]);
+                return stdout
+                    .split('\n')
+                    .map((line) => parseInt(line.trim(), 10))
+                    .filter((pid) => !isNaN(pid));
+            }
+        }
+        catch {
+            return []; // No children or pgrep not available
+        }
+    }
+    /**
+     * Wait for process to exit, return true if still alive
+     * 等待程序退出，如果仍存活則回傳 true
+     */
+    waitForExit(pid, timeoutMs) {
+        return new Promise((resolve) => {
+            const start = Date.now();
+            const check = () => {
+                try {
+                    process.kill(pid, 0); // Signal 0 checks existence
+                    if (Date.now() - start >= timeoutMs) {
+                        resolve(true); // Still alive after timeout
+                    }
+                    else {
+                        setTimeout(check, 200);
+                    }
+                }
+                catch {
+                    resolve(false); // Process exited
+                }
+            };
+            check();
+        });
+    }
+}
+function execFilePromise(command, args) {
+    return new Promise((resolve, reject) => {
+        execFile(command, args, { timeout: 5000 }, (error, stdout) => {
+            if (error)
+                reject(error);
+            else
+                resolve(stdout);
+        });
+    });
+}
+//# sourceMappingURL=process-killer.js.map

package/dist/response/process-killer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"process-killer.js","sourceRoot":"","sources":["../../src/response/process-killer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,MAAM,MAAM,GAAG,YAAY,CAAC,+BAA+B,CAAC,CAAC;AAW7D,uEAAuE;AACvE,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,aAAa;IACb,MAAM;IACN,SAAS;IACT,SAAS;IACT,MAAM;IACN,MAAM;IACN,KAAK;IACL,UAAU;IACV,OAAO;IACP,aAAa;IACb,gBAAgB;IAChB,OAAO;IACP,OAAO;IACP,QAAQ;IACR,aAAa;IACb,cAAc;IACd,aAAa;IACb,KAAK;IACL,YAAY;IACZ,YAAY;IACZ,kBAAkB;IAClB,SAAS;IACT,UAAU;IACV,cAAc;IACd,aAAa;IACb,WAAW;IACX,WAAW;IACX,cAAc;IACd,cAAc;IACd,aAAa;IACb,UAAU;IACV,QAAQ;IACR,SAAS;IACT,OAAO;IACP,gBAAgB;IAChB,MAAM;CACP,CAAC,CAAC;AAEH,gCAAgC;AAChC,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAEvC;;;GAGG;AACH,MAAM,OAAO,aAAa;IACP,mBAAmB,CAAc;IAElD,YAAY,+BAAyC,EAAE;QACrD,IAAI,CAAC,mBAAmB,GAAG,IAAI,GAAG,CAAC,4BAA4B,CAAC,CAAC;IACnE,CAAC;IAED,uDAAuD;IACvD,WAAW,CAAC,SAA0B;QACpC,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;YAClC,OAAO,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,SAAS,KAAK,OAAO,CAAC,GAAG,CAAC;QACpE,CAAC;QACD,OAAO,mBAAmB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACvF,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CACR,GAAW,EACX,UAAoF,EAAE;QAEtF,MAAM,EAAE,WAAW,EAAE,YAAY,GAAG,IAAI,EAAE,aAAa,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;QAE3E,8BAA8B;QAC9B,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;YACnD,OAAO;gBACL,GAAG;gBACH,WAAW;gBACX,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,OAAO,GAAG,oCAAoC;gBACvD,cAAc,EAAE,CAAC;aAClB,CAAC;QACJ,CAAC;QAED,uCAAuC;QACvC,IACE,WAAW;YACX,CAAC,mBAAmB,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,EACnF,CAAC;YACD,OAAO;gBACL,GAAG;gBACH,WAAW;gBACX,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,YAAY,WAAW,gBAAgB;gBAChD,cAAc,EAAE,CAAC;aAClB,CAAC;QACJ,CAAC;QAED,IAAI,cAAc,GAAG,CAAC,CAAC;QAEvB,mCAAmC;QACnC,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBAC9C,KAAK,MAAM,QAAQ,IAAI,QAAQ,EAAE,CAAC;oBAChC,IAAI,CAAC;wBACH,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;wBAClC,cAAc,EAAE,CAAC;oBACnB,CAAC;oBAAC,MAAM,CAAC;wBACP,gCAAgC;oBAClC,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,+CAA+C;YACjD,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC/B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,IAAK,GAA6B,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBACpD,OAAO;oBACL,GAAG;oBACH,WAAW;oBACX,OAAO,EAAE,IAAI;oBACb,OAAO,EAAE,wBAAwB;oBACjC,cAAc;iBACf,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,GAAG;gBACH,WAAW;gBACX,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,mBAAmB,GAAG,EAAE;gBACjC,cAAc;aACf,CAAC;QACJ,CAAC;QAED,sDAAsD;QACtD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QAC3D,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;gBAC7B,MAAM,CAAC,IAAI,CAAC,uBAAuB,GAAG,qBAAqB,CAAC,CAAC;YAC/D,CAAC;YAAC,MAAM,CAAC;gBACP,iDAAiD;YACnD,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CACT,sBAAsB,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,WAAW,GAAG,CAAC,CAAC,CAAC,EAAE,KAAK,cAAc,sBAAsB,CAC5G,CAAC;QACF,OAAO;YACL,GAAG;YACH,WAAW;YACX,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,eAAe,GAAG,gBAAgB,cAAc,wBAAwB;YACjF,cAAc;SACf,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY,CAAC,SAAiB;QAC1C,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;gBACnB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE;oBAC3C,SAAS;oBACT,OAAO;oBACP,oBAAoB,SAAS,GAAG;oBAChC,KAAK;oBACL,WAAW;iBACZ,CAAC,CAAC;gBACH,OAAO,MAAM;qBACV,KAAK,CAAC,IAAI,CAAC;qBACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;qBACxC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,SAAS,CAAC,CAAC;YACvD,CAAC;iBAAM,CAAC;gBACN,wBAAwB;gBACxB,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,gBAAgB,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;gBAClF,OAAO,MAAM;qBACV,KAAK,CAAC,IAAI,CAAC;qBACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;qBACxC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,qCAAqC;QAClD,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,WAAW,CAAC,GAAW,EAAE,SAAiB;QAChD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,GAAG,EAAE;gBACjB,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,4BAA4B;oBAClD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,IAAI,SAAS,EAAE,CAAC;wBACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,4BAA4B;oBAC7C,CAAC;yBAAM,CAAC;wBACN,UAAU,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBACzB,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,iBAAiB;gBACnC,CAAC;YACH,CAAC,CAAC;YACF,KAAK,EAAE,CAAC;QACV,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,eAAe,CAAC,OAAe,EAAE,IAAc;IACtD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,QAAQ,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YAC3D,IAAI,KAAK;gBAAE,MAAM,CAAC,KAAK,CAAC,CAAC;;gBACpB,OAAO,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/rules/builtin-rules.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Built-in Sigma detection rules shipped with Guard
+ * 內建 Sigma 偵測規則
+ *
+ * These rules provide baseline detection capability out of the box.
+ * Additional rules can be loaded from disk or fetched from Threat Cloud.
+ *
+ * @module @panguard-ai/panguard-guard/rules/builtin-rules
+ */
+import type { SigmaRule } from '@panguard-ai/core';
+export declare const BUILTIN_RULES: SigmaRule[];
+//# sourceMappingURL=builtin-rules.d.ts.map

package/dist/rules/builtin-rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"builtin-rules.d.ts","sourceRoot":"","sources":["../../src/rules/builtin-rules.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAEnD,eAAO,MAAM,aAAa,EAAE,SAAS,EAqdpC,CAAC"}