
Add tags for FIM directories and registries #1096

Merged
merged 8 commits into from
Aug 20, 2018

Conversation

chemamartinez
Contributor

@chemamartinez chemamartinez commented Aug 13, 2018

This PR adds a new attribute called tags for monitored directories and registries as follows:

<!-- Directories -->
<directories check_all="yes" whodata="yes" tags="whodata-folder, test_tag">/root/whodata-syscheck</directories>

<!-- Windows registry -->
<windows_registry tags="services-registry">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

These tags are separated by commas, and they are included in the alert fields:

Plain alert

** Alert 1534149464.85834: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,
2018 Aug 13 10:37:44 ubuntu18->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/root/whodata-syscheck/file'
Size changed from '0' to '5'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : 'd8e8fca2dc0f896fd7cb4cb0031ba249'
Old sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'
New sha1sum is : '4e1243bd22c66e76c2ba9eddc1f91394e57f9f83'
Old sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
New sha256sum is : 'f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2'
(Audit) User: 'root (0)'
(Audit) Login user: 'root (0)'
(Audit) Effective user: 'root (0)'
(Audit) Group: 'root (0)'
(Audit) Process id: '1881'
(Audit) Process name: '/bin/bash'

Attributes:
 - Size: 5
 - Permissions: 100644
 - Date: Mon Aug 13 10:37:43 2018
 - Inode: 1180095
 - User: root (0)
 - Group: root (0)
 - MD5: d8e8fca2dc0f896fd7cb4cb0031ba249
 - SHA1: 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83
 - SHA256: f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2

Tags:
 - whodata-folder
 - test_tag

JSON alert

...
"syscheck": {
    "path": "/root/whodata-syscheck/file",
    "size_before": "0",
    "size_after": "5",
    "perm_after": "100644",
    "uid_after": "0",
    "gid_after": "0",
    "md5_before": "d41d8cd98f00b204e9800998ecf8427e",
    "md5_after": "d8e8fca2dc0f896fd7cb4cb0031ba249",
    "sha1_before": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha1_after": "4e1243bd22c66e76c2ba9eddc1f91394e57f9f83",
    "sha256_before": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sha256_after": "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2",
    "uname_after": "root",
    "gname_after": "root",
    "mtime_before": "2018-08-10T16:02:27",
    "mtime_after": "2018-08-13T10:37:43",
    "inode_after": 1180095,
    "tags": [
      "whodata-folder",
      "test_tag"
    ],
    "event": "modified",
    "audit": {
      "user": {
        "id": "0",
        "name": "root"
      },
      "group": {
        "id": "0",
        "name": "root"
      },
      "proccess": {
        "id": "1881",
        "name": "/bin/bash",
        "ppid": "1808"
      }
...

It is necessary to include the new attribute in the Syscheck reference before merging this PR.

@chemamartinez chemamartinez added type/enhancement New feature or request module/fim File Integrity Monitoring needs documentation labels Aug 13, 2018
chemamartinez added a commit that referenced this pull request Aug 13, 2018
@vikman90 vikman90 changed the base branch from 3.5 to 3.6 August 17, 2018 05:42
Member

@vikman90 vikman90 left a comment


A file like this would break the tag chain: my file<!other tag,

CHANGELOG.md Outdated
@@ -1,6 +1,12 @@
# Change Log
All notable changes to this project will be documented in this file.

## [v3.5.1]
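Review bot: the new changelog section in this hunk is headed `## [v3.5.1]`, but the PR's base branch was moved from 3.5 to 3.6 before review; the entry for this feature belongs under a `## [v3.6.0]` heading so the changelog version matches the branch it merges into.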

Change version to 3.6.0


/* Every syscheck message must be in the following format:
* checksum filename
* checksum filename<!optional_tag>

We should put the tags after the checksum.
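As an added example (not code from this PR or from Wazuh), the following Python models the two syscheck message layouts discussed in the review: the `checksum filename<!optional_tag>` layout from the code comment above, and a tag-after-checksum layout as the reviewer suggests. It also splits the comma-separated `tags` attribute from the PR description. Using the reviewer's own counterexample filename it shows why the first layout cannot be parsed reliably (the filename is attacker- or user-controlled and may itself contain `<!`), while the second is unambiguous because the checksum field never contains the separators. The checksum value, the exact `checksum<!tag> filename` form of the second layout, and all function names are assumptions for illustration; the tag field is treated as an opaque string.

```python
# Added example (not Wazuh's code): models the two syscheck message layouts discussed
# in this review and shows why placing the tag after the filename is ambiguous.
from typing import List, Optional, Tuple

TAG_OPEN = "<!"   # tag delimiter named in the code comment under review
TAG_CLOSE = ">"

Parsed = Tuple[str, str, Optional[str]]  # (checksum, filename, tag)


def parse_tags_attribute(value: str) -> List[str]:
    """Split the comma-separated tags="..." attribute, trimming whitespace and empties."""
    return [t.strip() for t in value.split(",") if t.strip()]


def _strip_close(tag: str) -> str:
    return tag[:-len(TAG_CLOSE)] if tag.endswith(TAG_CLOSE) else tag


def _check_checksum(checksum: str) -> None:
    # The checksum field is the one part the sender controls: it never contains separators.
    if " " in checksum or TAG_OPEN in checksum:
        raise ValueError("checksum must not contain ' ' or '<!'")


def build_tag_after_filename(checksum: str, filename: str, tag: Optional[str] = None) -> str:
    """Layout 'checksum filename<!tag>' (the form in the code comment)."""
    _check_checksum(checksum)
    suffix = f"{TAG_OPEN}{tag}{TAG_CLOSE}" if tag else ""
    return f"{checksum} {filename}{suffix}"


def parse_tag_after_filename(msg: str) -> Parsed:
    """The tag can only be found by scanning the tail for '<!', but the tail is the
    filename, whose content the agent does not control."""
    checksum, _, rest = msg.partition(" ")
    idx = rest.find(TAG_OPEN)
    if idx == -1:
        return checksum, rest, None
    return checksum, rest[:idx], _strip_close(rest[idx + len(TAG_OPEN):])


def build_tag_after_checksum(checksum: str, filename: str, tag: Optional[str] = None) -> str:
    """Layout 'checksum<!tag> filename' (assumed form of the reviewer's suggestion)."""
    _check_checksum(checksum)
    suffix = f"{TAG_OPEN}{tag}{TAG_CLOSE}" if tag else ""
    return f"{checksum}{suffix} {filename}"


def parse_tag_after_checksum(msg: str) -> Parsed:
    """The head (up to the first space) has a known alphabet, so '<!' there is always the
    delimiter; everything after the first space is the filename, verbatim."""
    head, _, filename = msg.partition(" ")
    checksum, sep, tag = head.partition(TAG_OPEN)
    return checksum, filename, (_strip_close(tag) if sep else None)


def roundtrips(build, parse, checksum: str, filename: str, tag: Optional[str]) -> bool:
    """True when parsing the built message recovers exactly what went in."""
    return parse(build(checksum, filename, tag)) == (checksum, filename, tag)


# Constructed sample values (not taken from the PR); the filename is the reviewer's counterexample.
CHECKSUM = "5:100644:0:0:d8e8fca2dc0f896fd7cb4cb0031ba249"
TRICKY_NAME = "my file<!other tag,"

if __name__ == "__main__":
    print(parse_tags_attribute("whodata-folder, test_tag"))
    layouts = (("tag after filename", build_tag_after_filename, parse_tag_after_filename),
               ("tag after checksum", build_tag_after_checksum, parse_tag_after_checksum))
    for name, build, parse in layouts:
        for tag in (None, "whodata-folder"):
            ok = roundtrips(build, parse, CHECKSUM, TRICKY_NAME, tag)
            print(f"{name:18} tag={tag!r:17} round-trips: {ok}")
```

Running it shows the tag-after-filename layout mis-parsing the counterexample both with and without a tag (the filename is truncated to `my file` and the remainder is taken as the tag), while the tag-after-checksum layout round-trips every case; the same holds for any filename containing spaces, `<!` or `>`.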

@vikman90 vikman90 assigned albertomn86 and unassigned vikman90 Aug 20, 2018
@albertomn86 albertomn86 merged commit b5f936f into 3.6 Aug 20, 2018
albertomn86 pushed a commit that referenced this pull request Aug 20, 2018
@albertomn86 albertomn86 deleted the dev-fim-tags branch August 20, 2018 11:30