Digital code signatures for process, file and dll events #733
Conversation
|
In order to review this, I'd like to see some data examples from the Mac and Windows platforms. I tried viewing some on both, and I'd like to confirm how they map with what you're proposing here. Perhaps I'm way off track, please correct me if that's the case :-) Mac OSchecking the code signature for Safari.app: In this case, the best candidate I see for Not sure about Windowschecking the code signature for the IE executable:
And: In the Windows case, I don't see a signer name. Unless that would be "Copyright" (doesn't sound right to me)?
|
|
re: trusted/status -- those don't exist in the file, but have to be evaluated by the client. for example, the Elastic Endpoint calls several Windows APIs to verify that a signature is cryptographically correct, and then there are additional steps to validate the trust level of the certificate. we get a message as a result "trusted", "noSignature", "untrustedRoot", "badDigest", etc depending on the error message. we typically check for trusted or noSignature and signer. having |
|
For the PowerShell command there should be a lot more fields that aren't being shown. That screenshot is actually PE data, not signer information. You'd have to click on the "Digital Signatures" tab. That would show this: Sigcheck is the most analogous tool to codesign for windows. That output looks like this, which also mixes in some PE metadata: Here's its output with a broken signature: |
|
Thanks for the pointers. Pretty awesome, how I skipped right over the "Digital Signatures" tab, there 😂 🤦♂ @elasticmachine, run elasticsearch-ci/docs |
|
I just realized that Python interprets the YAML Can you remove the examples for now? This is the only place in ECS where we give examples for boolean fields. So props for being thorough here, but we'll fix that small issue separately :-) |
|
@elasticmachine, run elasticsearch-ci/docs |
There was a problem hiding this comment.
Thanks for adjusting the boolean examples. Looks better now.
I have a few adjustments I think are needed, and a potential can of worms again 😬
Unless we address the can of worms, this is pretty close to being ready, though :-) On top of each comment below as todo's
- don't forget to merge master to get rid of the conflict on the CSV file
Thanks Ross!
schemas/code_signature.yml
Outdated
| expected: | ||
| - file | ||
| - process | ||
| # - dll |
There was a problem hiding this comment.
Let's merge this PR before DLL as well, and add this reuse of code_signature via the DLL PR (#679) as well.
schemas/code_signature.yml
Outdated
| description: > | ||
| Boolean to capture if a signature is present. | ||
|
|
||
| This should only populated if the signature was checked. |
There was a problem hiding this comment.
This should only populated if the signature was checked.
Why? Isn't this overloading the definition of code_signature.exists? Whether a signature exists is orthogonal to whether its validity has been assessed, IMO.
The ternary approach would make more sense on code_signature.valid, though:
- haven't checked validity:
code_signature.validis absent - checked validity, good:
code_signature.valid=true - checked validity, bad:
code_signature.valid=false
Or am I missing something?
If you agree, we should adjust the definitions of valid and exists accordingly.
| - name: code_signature | ||
| title: Code Signature | ||
| group: 2 | ||
| description: These fields contain information about binary code signatures. |
There was a problem hiding this comment.
What about a shorter short definition, and a more fleshed out full definition?
| description: These fields contain information about binary code signatures. | |
| description: These fields contain information about code signatures for various forms of executable code, such as executables, libraries or scripts. | |
| short: Information about binary code signatures. |
And the above begs the question: will we be wanting to track signatures other than code signatures? If so, do we want to discuss whether this field set should be named signature instead? Happy to close that can of worms immediately, if you think it's an unlikely hypothetical ;-)
There was a problem hiding this comment.
i thought about that, and the big downside I came up with is that the word "signature" is often used like "rule", so I didn't want to potentially clobber up a namespace that may be used.
I definitely want something shorter than code_signature, because process.code_signature.valid is lengthy
There was a problem hiding this comment.
I think we should stick with code_signature, then. Are you good with that?
schemas/code_signature.yml
Outdated
| description: > | ||
| Boolean to capture if a signature is present. | ||
|
|
||
| This should only populated if the signature was checked. |
There was a problem hiding this comment.
| This should only populated if the signature was checked. | |
| This should only be populated if the signature was checked. |
|
I spotted two more small details, which should be fixed. Once fixed, and if you're good with sticking with the name |
|
I had another thought... Would it make sense to just include this within |
|
@rw-access Well PE is named really Windows-specific. And code signatures are expected on Mac OS as well. So I'd rather keep them separate. |
rw-access
changed the title
Co-Authored-By: Mathieu Martin <mathieu.martin@elastic.co>
- code_signature (elastic#733) - second entry for elastic#739 in the schema section, mentioning the addition of `process.parent.hash` Also adjusted the wording of elastic#731 and elastic#747.
Closes #681
I'm not 100% sold on anything yet. I think there may be room to break out this x.509 information into a separate field set. Ideally in a way that's still intuitive enough in naming. This information is pretty sparsely populated by most endpoint solutions. It's typically just signature status -- valid y/n, trusted y/n, etc. as well as the name of the signer (subject name).