Merge branch '4.3'
vikman90 committed May 3, 2022
2 parents bcf1274 + bc8e0d2 commit 8b613b4
Showing 10 changed files with 64 additions and 15 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -235,6 +235,7 @@ All notable changes to this project will be documented in this file.
- Added `POST /security/user/authenticate/run_as` endpoint to API bruteforce blocking system. ([#12085](https://github.com/wazuh/wazuh/pull/12085))
- Added new API endpoint to obtain summaries of agent vulnerabilities' inventory items. ([#12638](https://github.com/wazuh/wazuh/pull/12638))
- Added fields external_references, condition, title, published and updated to GET /vulnerability/{agent_id} API endpoint. ([#12727](https://github.com/wazuh/wazuh/pull/12727))
- Added the possibility to include strings in brackets in values of the `q` parameter. ([#13262](https://github.com/wazuh/wazuh/pull/13262]))

#### Changed

Expand Down Expand Up @@ -356,6 +357,7 @@ All notable changes to this project will be documented in this file.
- Updated SCA policy for CentOS 8. ([#8751](https://github.com/wazuh/wazuh/pull/8751))
- Updated SonicWall rules decoder. ([#11263](https://github.com/wazuh/wazuh/pull/11263))
- Updated SSHD ruleset. ([#11388](https://github.com/wazuh/wazuh/pull/11388))
- From file 0580-win-security_rules.xml, rules with id 60198 and 60199 are moved to file 0585-win-application_rules.xml, with rule ids 61071 and 61072 respectively. ([#8552](https://github.com/wazuh/wazuh/pull/8552))

#### Fixed

9 changes: 9 additions & 0 deletions framework/wazuh/tests/data/schema_cve_test.sql
Expand Up @@ -78,5 +78,14 @@ VALUES ('Smokedetector', '-', 'x86', 'CVE-2019-1020011', 'PACKAGE', 'PENDING', '
'SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority.',
'2019-07-29', '2021-07-21');

INSERT INTO vuln_cves (name, version, architecture, cve, type, status, detection_time, severity, cvss2_score,
cvss3_score, reference, external_references, condition, title, published, updated)
VALUES ('Mozilla Firefox 53.0 (x64 en-US)', '53.0', 'x64', 'CVE-2021-38503', 'PACKAGE', 'OBSOLETE', '1623656949', 'High', 7.5, 10,
'ab712fb636baccbb7484f7b3daf5b4c0ce485960',
'["https://www.mozilla.org/security/advisories/mfsa2021-48/","https://bugzilla.mozilla.org/show_bug.cgi?id=1729517","https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html"]',
'Package unfixed',
'The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.',
'2021-08-12', '2022-03-16');

INSERT INTO vuln_metadata (LAST_PARTIAL_SCAN, LAST_FULL_SCAN)
VALUES (1623656949, 1623656751);
29 changes: 17 additions & 12 deletions framework/wazuh/tests/test_vulnerability.py
Expand Up @@ -39,17 +39,20 @@ def send_msg_to_wdb(msg, raw=False):


@pytest.mark.parametrize('params, field_name, expected_items', [
({}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2019-1020018', 'CVE-2019-1020019', 'CVE-2019-1020011']),
({}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2019-1020018', 'CVE-2019-1020019', 'CVE-2021-38503',
'CVE-2019-1020011']),
({'limit': 2}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014']),
({'offset': 4, 'limit': 1}, 'cve', ['CVE-2019-1020011']),
({'offset': 5, 'limit': 1}, 'cve', ['CVE-2019-1020011']),
({'sort': parse_api_param('+name', 'sort')}, 'name', ['Ash-aio', 'Credential Helpers', 'Discourse',
'Invenio-previewer', 'Smokedetector']),
({'sort': parse_api_param('-name', 'sort')}, 'name', ['Smokedetector', 'Invenio-previewer', 'Discourse',
'Credential Helpers', 'Ash-aio']),
'Invenio-previewer', 'Mozilla Firefox 53.0 (x64 en-US)',
'Smokedetector']),
({'sort': parse_api_param('-name', 'sort')}, 'name', ['Smokedetector', 'Mozilla Firefox 53.0 (x64 en-US)',
'Invenio-previewer', 'Discourse', 'Credential Helpers',
'Ash-aio']),
({'sort': parse_api_param('+cve', 'sort')}, 'cve', ['CVE-2019-1020011', 'CVE-2019-1020014', 'CVE-2019-1020016',
'CVE-2019-1020018', 'CVE-2019-1020019']),
({'sort': parse_api_param('-cve', 'sort')}, 'cve', ['CVE-2019-1020019', 'CVE-2019-1020018', 'CVE-2019-1020016',
'CVE-2019-1020014', 'CVE-2019-1020011']),
'CVE-2019-1020018', 'CVE-2019-1020019', 'CVE-2021-38503']),
({'sort': parse_api_param('-cve', 'sort')}, 'cve', ['CVE-2021-38503', 'CVE-2019-1020019', 'CVE-2019-1020018',
'CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2019-1020011']),
({'search': parse_api_param('PowerPC', 'search')}, 'cve', ['CVE-2019-1020018']),
({'search': parse_api_param('x86', 'search')}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2019-1020011']),
({'search': parse_api_param('-x86', 'search')}, 'cve', ['CVE-2019-1020018', 'CVE-2019-1020019']),
Expand All @@ -60,11 +63,11 @@ def send_msg_to_wdb(msg, raw=False):
({'filters': {'version': '0.1.0', 'architecture': 'ARM'}}, 'cve', ['CVE-2019-1020019']),
({'filters': {'cve': 'CVE-2019-1020016'}}, 'cve', ['CVE-2019-1020016']),
({'filters': {'cve': 'CVE-2019-1020016', 'architecture': 'ARM'}}, 'cve', []),
({'filters': {'status': 'OBSOLETE'}}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014']),
({'filters': {'status': 'OBSOLETE'}}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020014', 'CVE-2021-38503']),
({'filters': {'status': 'VALID'}}, 'cve', ['CVE-2019-1020018', 'CVE-2019-1020019']),
({'filters': {'status': 'PENDING'}}, 'cve', ['CVE-2019-1020011']),
({'filters': {'type': 'OS'}}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020018', 'CVE-2019-1020019']),
({'filters': {'type': 'PACKAGE'}}, 'cve', ['CVE-2019-1020014', 'CVE-2019-1020011']),
({'filters': {'type': 'PACKAGE'}}, 'cve', ['CVE-2019-1020014', 'CVE-2021-38503', 'CVE-2019-1020011']),
({'q': 'name=Ash-aio;version>1.5'}, 'cve', ['CVE-2019-1020016']),
({'q': 'name=Ash-aio;version>2.5'}, 'cve', []),
({'q': 'architecture=ARM,architecture=PowerPC'}, 'cve', ['CVE-2019-1020018', 'CVE-2019-1020019']),
Expand All @@ -73,7 +76,9 @@ def send_msg_to_wdb(msg, raw=False):
({'q': 'condition!=Package unfixed'}, 'cve', []),
({'q': 'published>2019-07-28;updated<2019-08-31'}, 'cve', ['CVE-2019-1020016', 'CVE-2019-1020019']),
({'q': 'title~docker-credential-helpers before 0.6.3'}, 'cve', ['CVE-2019-1020014']),
({'select': ['architecture'], 'distinct': False}, 'architecture', ['x86', 'x86', 'PowerPC', 'ARM', 'x86']),
({'q': 'name=Mozilla Firefox 53.0 (x64 en-US)'}, 'cve', ['CVE-2021-38503']),
({'q': '(name=Mozilla Firefox 53.0 (x64 en-US),version!=53.0);architecture=x64'}, 'cve', ['CVE-2021-38503']),
({'select': ['architecture'], 'distinct': False}, 'architecture', ['x86', 'x86', 'PowerPC', 'ARM', 'x64', 'x86']),
({'select': ['architecture'], 'distinct': True}, 'architecture', ['x86', 'PowerPC', 'ARM']),
])
@patch('wazuh.core.utils.path.exists', return_value=True)
Expand Down Expand Up @@ -132,5 +137,5 @@ def test_vulnerability_get_inventory_summary(socket_mock, send_mock, exists_mock

# Check that result is sorted by count values
result = get_inventory_summary(agent_list=[agent_id], field=field, limit=limit)
assert result['data'][field] == {'High': 2}, f'Expected "High" to be the severity with the most entries based on ' \
assert result['data'][field] == {'High': 3}, f'Expected "High" to be the severity with the most entries based on ' \
'our testing database'
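Review bot: The unchanged `distinct: True` expectation `({'select': ['architecture'], 'distinct': True}, 'architecture', ['x86', 'PowerPC', 'ARM'])` does not include `'x64'`, although the fixture row this commit adds in schema_cve_test.sql has architecture `x64` and the non-distinct case two lines above it now lists `'x64'`. If the test compares the full result list, that expectation looks stale and would become `['x86', 'PowerPC', 'ARM', 'x64']`; if the assertion only checks membership or a prefix, a short comment on that line saying so would stop the next reader from asking the same question. The parametrize list and the test function it decorates both start above the hunk.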
6 changes: 6 additions & 0 deletions ruleset/rules/0085-pam_rules.xml
Expand Up @@ -34,6 +34,9 @@
<if_sid>5500</if_sid>
<match>authentication failure; logname=</match>
<description>PAM: User login failed.</description>
<mitre>
<id>T1110.001</id>
</mitre>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Expand Down Expand Up @@ -110,6 +113,9 @@
<if_sid>5556</if_sid>
<match>password check failed </match>
<description>unix_chkpwd: Password check failed.</description>
<mitre>
<id>T1110.001</id>
</mitre>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_4.3,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

8 changes: 7 additions & 1 deletion ruleset/rules/0095-sshd_rules.xml
Expand Up @@ -91,7 +91,9 @@
<match>illegal user|invalid user</match>
<description>sshd: Attempt to login using a non-existent user</description>
<mitre>
<id>T1110</id>
<id>T1110.001</id>
<id>T1021.004</id>
<id>T1078</id>
</mitre>
<group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
Expand Down Expand Up @@ -455,6 +457,10 @@
<if_sid>5700,5716</if_sid>
<match>Failed password|Failed keyboard|authentication error</match>
<description>sshd: authentication failed.</description>
<mitre>
<id>T1110.001</id>
<id>T1021.004</id>
</mitre>
<group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

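Review bot: `<id>T1078</id>` on the rule described as "sshd: Attempt to login using a non-existent user" looks like a mapping mismatch: T1078 (Valid Accounts) covers use of legitimate, existing credentials, while a non-existent-user attempt is the guessing case already covered by the `<id>T1110.001</id>` line added just above it. Unless the mapping is intentional, dropping `<id>T1078</id>` from this rule keeps the MITRE metadata accurate for analysts who pivot on it; the second hunk's tags (`T1110.001`, `T1021.004`) read consistently with its "authentication failed" description. Both rule elements start above their hunks.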
4 changes: 4 additions & 0 deletions ruleset/rules/0580-win-security_rules.xml
Expand Up @@ -238,6 +238,10 @@
<field name="win.system.eventID">^529$|^4625$</field>
<options>no_full_log</options>
<description>Logon failure - Unknown user or bad password.</description>
<mitre>
<id>T1078</id>
<id>T1531</id>
</mitre>
<group>authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

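Review bot: `<id>T1531</id>` on the rule described as "Logon failure - Unknown user or bad password" looks questionable: T1531 (Account Access Removal) describes an adversary locking or deleting accounts, whereas the matched event IDs `^529$|^4625$` record a failed logon, which the pam and sshd rule files in this same commit tag as `T1110.001`. Unless lockout-inducing failures were the intent, `<id>T1110.001</id>` seems the closer fit than `T1531`; the `T1078` tag also presumes the account exists, which the "Unknown user" branch of this rule does not guarantee. The rule element starts above the hunk.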
5 changes: 4 additions & 1 deletion src/client-agent/buffer.c
Expand Up @@ -235,7 +235,10 @@ void *dispatch_buffer(__attribute__((unused)) void * arg){

gettime(&ts1);
time_sub(&ts1, &ts0);
delay(&ts1);

if (ts1.tv_sec >= 0) {
delay(&ts1);
}
}
}

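Review bot: The new guard around `delay(&ts1)` tests only `tv_sec`, so whether a result with `tv_sec == 0` and a negative `tv_nsec` can reach `delay` depends on how `time_sub` normalises its result, which is outside this hunk; if it can leave a negative nanosecond field, the check should cover it too, e.g. `if (ts1.tv_sec > 0 || (ts1.tv_sec == 0 && ts1.tv_nsec >= 0))`. A one-line comment on the guard stating why the difference can be negative would also help, e.g. `/* skip the sleep when the previous dispatch already overran the interval */` — presumably that is the case being handled, but the sign convention of `time_sub` and the origin of `ts0` are not visible here. dispatch_buffer starts above the hunk.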
2 changes: 1 addition & 1 deletion src/error_messages/error_messages.h
Expand Up @@ -450,7 +450,7 @@
#define FIM_ERROR_WHODATA_AUDIT_SUPPORT "(6620): Audit support not built. Whodata is not available."
#define FIM_ERROR_WHODATA_EVENTCHANNEL "(6621): Event Channel subscription could not be made. Whodata scan is disabled."
#define FIM_ERROR_WHODATA_RESTORE_POLICIES "(6622): There is no backup of audit policies. Policies will not be restored."

#define FIM_ERROR_WHODATA_UNINITIALIZED "(6623): Trying to monitor '%s' in who-data mode, but who-data is not initialized."

#define FIM_ERROR_WHODATA_NOTFIND_DIRPOS "(6625): The '%s' file does not have an associated directory."
#define FIM_ERROR_WHODATA_HANDLER_REMOVE "(6626): The handler '%s' could not be removed from the whodata hash table."
9 changes: 9 additions & 0 deletions src/syscheckd/main.c
Expand Up @@ -294,6 +294,15 @@ int main(int argc, char **argv)
dir_it->options |= REALTIME_ACTIVE;
}
}

OSList_foreach(node_it, syscheck.wildcards) {
dir_it = node_it->data;
if (dir_it->options & WHODATA_ACTIVE) {
dir_it->options &= ~WHODATA_ACTIVE;
dir_it->options |= REALTIME_ACTIVE;
}
}

w_mutex_lock(&syscheck.fim_realtime_mutex);
if (syscheck.realtime == NULL) {
realtime_start();
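Review bot: The added `OSList_foreach(node_it, syscheck.wildcards)` loop repeats, statement for statement, the body of the loop that ends just above it at the top of the hunk (that loop's header is outside the hunk), so the whodata-to-realtime downgrade now lives in two places that must be kept in sync. A small `static` helper taking the `OSList *` and applied to both lists would remove the duplication; the call site here would shrink to `whodata_to_realtime(syscheck.wildcards);` with the same helper replacing the earlier loop. A one-line comment stating why both lists are downgraded at this point would also help, since the enclosing condition is not visible in the hunk. main continues outside the hunk.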
5 changes: 5 additions & 0 deletions src/syscheckd/whodata/audit_rule_handling.c
Expand Up @@ -32,6 +32,11 @@ static void _add_whodata_directory(const char *path) {
OSListNode *node;
whodata_directory_t *directory;

if (whodata_directories == NULL) {
merror(FIM_ERROR_WHODATA_UNINITIALIZED, path);
return;
}

// Search for duplicates
for (node = OSList_GetFirstNode(whodata_directories); node != NULL;
node = OSList_GetNextNode(whodata_directories)) {
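Review bot: The new guard logs `FIM_ERROR_WHODATA_UNINITIALIZED` and returns, so callers of `_add_whodata_directory` get no indication that `path` was not registered; the function is `static void`, so surfacing that would need a return value, which is outside this hunk. A short comment on the guard would make the contract explicit, e.g. `/* whodata_directories is created during whodata start-up; a NULL here means a directory was added before that, so refuse rather than dereference */` — hedged, since the initialisation site is not visible here. The body of `_add_whodata_directory` continues below the hunk.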