FIM - filenames are not correctly represented if they are not UTF-8 characters #13896

Open
CamiRomero opened this issue Jun 16, 2022 · 0 comments
Labels
module/fim File Integrity Monitoring reporter/qa QA Team: Reporting possible bug type/bug Something isn't working

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.3.4 | FIM | Manager | Packages/Sources | CentOS-8 |
| 4.3.4 | FIM | Agent | Packages/Sources | Windows |

Description

When a filename to monitor contains a non-UTF-8 character, the log generated by FIM represents the character by Unicode.

Evidence

2022/06/15 12:21:03 wazuh-agent[3964] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"c:\\users\\vagrant\\desktop\\testing\\t鳴ing.txt","version":2,"mode":"realtime","type":"added","timestamp":1655320863,"attributes":{"type":"file","size":7,"perm":{"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-32-544":{"name":"Administrators","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-21-2235609361-411536120-1667373876-1000":{"name":"vagrant","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]}},"uid":"S-1-5-21-2235609361-411536120-1667373876-1000","user_name":"vagrant","inode":0,"mtime":1655320863,"hash_md5":"21114e455446eff85f6f428d821d1500","hash_sha1":"253ae0e08d38051b52507dd3eaea4800172dc321","hash_sha256":"0bc25dea8bbd7550b8295308081fbd197e8798358fd939934e43c5f1ce4cefbe","attributes":"ARCHIVE","checksum":"c4adb71836f1703a56d0a55364b7e82be5bb32fe"}}}

And the alert in manager shows:

** Alert 1655395869.1367930: - ossec,syscheck,syscheck_entry_added,syscheck_file,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,hipaa_164.312.c.1,hipaa_164.312.c.2,nist_800_53_SI.7,tsc_PI1.4,tsc_PI1.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2022 Jun 16 16:11:09 (WIN-JLGVA4CR4VI) any->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
File 'c:\users\vagrant\desktop\testing\t�sting.txt' added
Mode: realtime

Attributes:
 - Size: 7
 - Permissions: SYSTEM (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, Administrators (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES, vagrant (allowed): DELETE|READ_CONTROL|WRITE_DAC|WRITE_OWNER|SYNCHRONIZE|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|EXECUTE|READ_ATTRIBUTES|WRITE_ATTRIBUTES
 - Date: Wed Jun 15 19:21:03 2022
 - Inode: 0
 - User: vagrant (S-1-5-21-2235609361-411536120-1667373876-1000)
 - MD5: 21114e455446eff85f6f428d821d1500
 - SHA1: 253ae0e08d38051b52507dd3eaea4800172dc321
 - SHA256: 0bc25dea8bbd7550b8295308081fbd197e8798358fd939934e43c5f1ce4cefbe
 - File attributes: ARCHIVE

Steps to reproduce

  1. Modify C:\Program Files (x86)\ossec-agent\local_internal_options.conf:
     syscheck.debug=2
  2. Edit C:\Program Files (x86)\ossec-agent\ossec.conf adding:
     <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
  3. Create the directory to monitor:
     mkdir DIRECTORY_TO_MONITOR
  4. Restart the agent in order to apply the changes
  5. Create a file with a name that does not contain UTF-8 characters in the folder under scanning.
     Example name: tésting.txt

Current Result: filenames are not correctly represented if they are not UTF-8 characters

Expected Result: filenames should be correctly represented if they are not UTF-8 characters
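
Both renderings in the evidence above (`t鳴ing.txt` in the agent debug log, `t�sting.txt` in the manager alert) can be reproduced offline from one byte string. This is an added example, not Wazuh code and not part of the original report; it assumes the name reached FIM in the Windows-1252 ANSI code page (é as the single byte 0xE9), and `decode_lenient` and `to_utf8_name` are hypothetical helpers.

```python
# Added illustration. The code page is an assumption; nothing here is Wazuh source.
NAME = "tésting.txt"
RAW = NAME.encode("cp1252")  # constructed sample: b"t\xe9sting.txt"


def is_valid_utf8(data: bytes) -> bool:
    """Check a monitoring agent can run before embedding a path in JSON."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def decode_replace(data: bytes) -> str:
    """Strict UTF-8 decoder that substitutes U+FFFD for each invalid byte."""
    return data.decode("utf-8", errors="replace")


def decode_lenient(data: bytes) -> str:
    """Decoder that trusts the lead byte and never checks that the bytes
    after it are 10xxxxxx continuation bytes, so it swallows ASCII."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif b >> 5 == 0b110:
            n, cp = 2, b & 0x1F
        elif b >> 4 == 0b1110:
            n, cp = 3, b & 0x0F
        elif b >> 3 == 0b11110:
            n, cp = 4, b & 0x07
        else:
            n, cp = 1, 0xFFFD  # stray continuation or invalid lead byte
        for c in data[i + 1:i + n]:
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp if cp <= 0x10FFFF else 0xFFFD))
        i += n
    return "".join(out)


def to_utf8_name(data: bytes, fallback: str = "cp1252") -> str:
    """Normalise a filename: keep valid UTF-8, else decode from the
    assumed local code page instead of emitting raw bytes."""
    if is_valid_utf8(data):
        return data.decode("utf-8")
    return data.decode(fallback, errors="replace")
```

With the lenient decoder, 0xE9 is read as a three-byte lead and absorbs the following `s` and `t`, which yields U+9CF4 (鳴); the replacing decoder yields U+FFFD and keeps `sting`.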
