Remove added security audit policies

wazuh · Jun 15, 2018 · e763f6b · e763f6b
1 parent fe655be
commit e763f6b
Show file tree

Hide file tree

Showing 7 changed files with 86 additions and 26 deletions.
diff --git a/src/config/syscheck-config.c b/src/config/syscheck-config.c
@@ -43,6 +43,10 @@ int dump_syscheck_entry(syscheck_config *syscheck, const char *entry, int vals,
             syscheck->dir[pl + 1] = NULL;
             os_strdup(entry, syscheck->dir[pl]);
 
+#ifdef WIN32
+            os_calloc(2, sizeof(int), syscheck->wdata.ignore);
+            memset(syscheck->wdata.ignore + pl, -1, 2 * sizeof(int));
+#endif
             os_calloc(2, sizeof(int), syscheck->opts);
             syscheck->opts[pl + 1] = 0;
             syscheck->opts[pl] = vals;
@@ -59,6 +63,11 @@ int dump_syscheck_entry(syscheck_config *syscheck, const char *entry, int vals,
             syscheck->dir[pl + 1] = NULL;
             os_strdup(entry, syscheck->dir[pl]);
 
+#ifdef WIN32
+            os_realloc(syscheck->wdata.ignore, (pl + 2) * sizeof(int),
+                       syscheck->wdata.ignore);
+            memset(syscheck->wdata.ignore + pl, -1, 2 * sizeof(int));
+#endif
             os_realloc(syscheck->opts, (pl + 2) * sizeof(int),
                        syscheck->opts);
             syscheck->opts[pl + 1] = 0;

diff --git a/src/config/syscheck-config.h b/src/config/syscheck-config.h
@@ -62,6 +62,11 @@ typedef struct whodata_evt {
 
 #ifdef WIN32
 
+typedef struct whodata {
+    OSHash *fd;        // Open file descriptors
+    int *ignore;       // List of directories whose SACL will not be restored
+} whodata;
+
 typedef struct registry {
     char *entry;
     int arch;
@@ -111,14 +116,13 @@ typedef struct _config {
     registry *registry;                         /* array of registry entries to be scanned */
     FILE *reg_fp;
     int max_fd_win_rt;
+    whodata wdata;
 #endif
 
     OSHash *fp;
 
     rtfim *realtime;
 
-    OSHash *wd_table;
-
     char *prefilter_cmd;
 
 } syscheck_config;

diff --git a/src/syscheckd/config.c b/src/syscheckd/config.c
@@ -20,7 +20,6 @@ static registry REGISTRY_EMPTY[] = { { NULL, 0 } };
 int Read_Syscheck_Config(const char *cfgfile)
 {
     int modules = 0;
-
     modules |= CSYSCHECK;
 
     syscheck.rootcheck      = 0;
@@ -38,6 +37,7 @@ int Read_Syscheck_Config(const char *cfgfile)
     syscheck.opts           = NULL;
     syscheck.realtime       = NULL;
 #ifdef WIN32
+    syscheck.wdata.fd      = NULL;
     syscheck.registry       = NULL;
     syscheck.reg_fp         = NULL;
     syscheck.max_fd_win_rt  = 0;

diff --git a/src/syscheckd/create_db.c b/src/syscheckd/create_db.c
@@ -440,7 +440,7 @@ int create_db()
         }
 
         if (syscheck.opts[i] & CHECK_WHODATA) {
-            realtime_adddir(syscheck.dir[i], 1);
+            realtime_adddir(syscheck.dir[i], i + 1);
             if (!enable_who_scan) {
                 enable_who_scan = 1;
             }

diff --git a/src/syscheckd/run_check.c b/src/syscheckd/run_check.c
@@ -90,7 +90,6 @@ void start_daemon()
     time_t prev_time_sk = 0;
     char curr_hour[12];
     struct tm *p;
-
 #ifdef INOTIFY_ENABLED
     /* To be used by select */
     struct timeval selecttime;

diff --git a/src/syscheckd/run_realtime.c b/src/syscheckd/run_realtime.c
@@ -43,9 +43,11 @@
 /* Prototypes */
 int realtime_checksumfile(const char *file_name, whodata_evt *evt) __attribute__((nonnull(1)));
 #ifdef WIN32
-int set_winsacl(const char *dir);
+void restore_sacls();
+int set_winsacl(const char *dir, int position);
 int set_privilege(HANDLE hdle, LPCTSTR privilege, int enable);
 int whodata_audit_start();
+int is_valid_sacl(PACL sacl);
 unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *_void, EVT_HANDLE event);
 #endif
 
@@ -394,17 +396,18 @@ int realtime_win32read(win32rtfim *rtlocald)
     return (0);
 }
 
+// In Windows the whodata parameter contains the directory position + 1 to be able to reference it
 int realtime_adddir(const char *dir, int whodata)
 {
     char wdchar[260 + 1];
     win32rtfim *rtlocald;
 
     if (whodata) {
-        if (!syscheck.wdata && whodata_audit_start()) {
+        if (!syscheck.wdata.fd && whodata_audit_start()) {
             return -1;
         }
 
-        if (set_winsacl(dir)) {
+        if (set_winsacl(dir, whodata - 1)) {
             merror("Unable to add directory to whodata monitoring: '%s'.", dir);
             return 0;
         }
@@ -459,15 +462,15 @@ int realtime_adddir(const char *dir, int whodata)
     return (1);
 }
 
-int set_winsacl(const char *dir) {
+int set_winsacl(const char *dir, int position) {
     static LPCTSTR priv = "SeSecurityPrivilege";
+    static char *trustee = "Everyone";
 	DWORD result = 0;
 	PACL old_sacl = NULL, new_sacl = NULL;
 	PSECURITY_DESCRIPTOR security_descriptor = NULL;
 	EXPLICIT_ACCESS entry_access;
 	HANDLE hdle;
-
-    // Code for expand the obj dir
+    int retval = 1;
 
 	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hdle)) {
 		merror("OpenProcessToken() failed. Error '%lu'.", GetLastError());
@@ -481,46 +484,87 @@ int set_winsacl(const char *dir) {
 
 	if (result = GetNamedSecurityInfo(dir, SE_FILE_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, &old_sacl, &security_descriptor), result != ERROR_SUCCESS) {
 		merror("GetNamedSecurityInfo() failed. Error '%ld'", result);
-        goto error;
+        goto end;
 	}
 
+    // Check if the sacl has what the whodata scanner needs
+    if (is_valid_sacl(old_sacl)) {
+        syscheck.wdata.ignore[position] = 1;
+        mdebug2("It is not necessary to configure the SACL of '%s'.", dir);
+        retval = 0;
+        goto end;
+    }
+
 	// Configure the new ACE
 	SecureZeroMemory(&entry_access, sizeof(EXPLICIT_ACCESS));
-	entry_access.grfAccessPermissions = GENERIC_WRITE;
+	entry_access.grfAccessPermissions = FILE_WRITE_DATA;
 	entry_access.grfAccessMode = SET_AUDIT_SUCCESS;
 	entry_access.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
 	entry_access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
-	entry_access.Trustee.ptstrName = "Everyone";
+	entry_access.Trustee.ptstrName = trustee;
 
 	// Create a new ACL with the ACE
 	if (result = SetEntriesInAcl(1, &entry_access, old_sacl, &new_sacl), result != ERROR_SUCCESS) {
 		merror("SetEntriesInAcl() failed. Error: '%lu'", result);
-        goto error;
+        goto end;
 	}
 
 	// Set the SACL
 	if (result = SetNamedSecurityInfo((char *) dir, SE_FILE_OBJECT, SACL_SECURITY_INFORMATION, NULL, NULL, NULL, new_sacl), result != ERROR_SUCCESS) {
 		merror("SetNamedSecurityInfo() failed. Error: '%lu'", result);
-		goto error;
+        goto end;
 	}
 
 	// Disable the privilege
 	if (set_privilege(hdle, priv, 0)) {
 		merror("Failed to disable the privilege. Error '%lu'.", GetLastError());
-		return 1;
+        goto end;
 	}
 
 	CloseHandle(hdle);
-	return 0;
-error:
+	retval = 0;
+end:
     if (security_descriptor) {
         LocalFree((HLOCAL)security_descriptor);
     }
 
+    if (old_sacl) {
+        LocalFree((HLOCAL)old_sacl);
+    }
+
     if (new_sacl) {
         LocalFree((HLOCAL)new_sacl);
     }
-    return 1;
+    return retval;
+}
+
+int is_valid_sacl(PACL sacl) {
+    int i;
+    ACCESS_ALLOWED_ACE *ace;
+    static PSID everyone_sid = NULL;
+    SID_IDENTIFIER_AUTHORITY world_auth = SECURITY_WORLD_SID_AUTHORITY;
+    static unsigned short inherit_flag = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE; //SUB_CONTAINERS_AND_OBJECTS_INHERIT
+
+    if (!everyone_sid) {
+        if (!AllocateAndInitializeSid(&world_auth, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyone_sid)) {
+            merror("Could not obtain the sid of Everyone. Error '%lu'.", GetLastError());
+            return 0;
+        }
+    }
+
+    for (i = 0; i < sacl->AceCount; i++) {
+        if (!GetAce(sacl, i, (LPVOID*)&ace)) {
+            merror("Could not extract the ACE information. Error: '%lu'.", GetLastError());
+            return 0;
+        }
+        if ((ace->Header.AceFlags & inherit_flag) && // Check folder and subfolders
+            (ace->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) && // Check successful attemp
+            (ace->Mask & FILE_WRITE_DATA) && // Check write permission
+            (EqualSid((PSID)&ace->SidStart, everyone_sid))) { // Check everyone user
+            return 1;
+        }
+    }
+    return 0;
 }
 
 int set_privilege(HANDLE hdle, LPCTSTR privilege, int enable) {
@@ -558,13 +602,19 @@ int set_privilege(HANDLE hdle, LPCTSTR privilege, int enable) {
 }
 
 int run_whodata_scan() {
+    atexit(restore_sacls);
     if (!EvtSubscribe(NULL, NULL, L"Security", L"Event[(System/EventID = 4656 or System/EventID = 4663 or System/EventID = 4658)]", NULL, NULL, (EVT_SUBSCRIBE_CALLBACK)whodata_callback, EvtSubscribeToFutureEvents)) {
         merror("Event Channel subscription could not be made. Whodata scan is disabled.");
         return 1;
     }
     return 0;
 }
 
+/* Removes added security audit policies */
+void restore_sacls() {
+
+}
+
 unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *_void, EVT_HANDLE event) {
     unsigned int retval;
     int result;
@@ -663,7 +713,7 @@ unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *
                     path = NULL;
                     process_name = NULL;
 
-                    if (result = OSHash_Add(syscheck->wd_table, hash_id, w_evt), result != 2) {
+                    if (result = OSHash_Add(syscheck.wdata.fd, hash_id, w_evt), result != 2) {
                         if (!result) {
                             merror("The event could not be added to the whodata hash table.");
                         } else if (result == 1) {
@@ -678,7 +728,7 @@ unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *
             case 4663:
                 // Check if the mask is relevant
                 if (mask) {
-                    if (w_evt = OSHash_Get(syscheck->wd_table, hash_id), w_evt) {
+                    if (w_evt = OSHash_Get(syscheck.wdata.fd, hash_id), w_evt) {
                         w_evt->mask |= mask;
                     } else {
                         // The file was opened before Wazuh started Syscheck.
@@ -687,7 +737,7 @@ unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *
             break;
             // Close fd
             case 4658:
-                if (w_evt = OSHash_Delete(syscheck->wd_table, hash_id), w_evt) {
+                if (w_evt = OSHash_Delete(syscheck.wdata.fd, hash_id), w_evt) {
                     if (w_evt->mask) {
                         unsigned int mask = w_evt->mask;
                         // Valid for a file
@@ -726,8 +776,7 @@ unsigned long WINAPI whodata_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, void *
 }
 
 int whodata_audit_start() {
-    os_calloc(1, sizeof(whodata), syscheck.wdata);
-    if (syscheck->wd_table = OSHash_Create(), !syscheck->wd_table) {
+    if (syscheck.wdata.fd = OSHash_Create(), !syscheck.wdata.fd) {
         return 1;
     }
     return 0;

diff --git a/src/syscheckd/syscheck.c b/src/syscheckd/syscheck.c
@@ -70,7 +70,6 @@ int Start_win32_Syscheck()
     int debug_level = 0;
     int r = 0;
     char *cfg = DEFAULTCPATH;
-
     /* Read internal options */
     read_internal(debug_level);