
Wildcard support in Windows registers #15852

Merged: 17 commits merged into 4.6.0 from 14321_wildcard_windows_registers on Jul 18, 2023

Conversation


@GabrielEValenzuela GabrielEValenzuela commented Jan 9, 2023

Related issue
Closes #14321

This PR aims to add a new feature within the Syscheck module: the possibility to use wildcards (also called metacharacters) to specify many Windows registers at once. The asterisk * is replaced by any number of characters in a registry name, and the question mark ? is replaced by any single character.

Description of the new feature

When parsing the path composition provided in the ossec.conf file, the different parts of the path are split using the two wildcard options * or ? as delimiters.
Subsequently, the Windows API is used, where the records of a root key and a (possibly null) subkey are listed and the complete new paths are assembled, which will then be monitored by FIM. It is important to clarify that this solution is **case sensitive**.

Important note
According to this code section:

```c
/* Verify valid root tree */
if (strncmp(full_key, "HKEY_LOCAL_MACHINE", 18) == 0) {
    *root_key_handle = HKEY_LOCAL_MACHINE;
    root_key_length = 18;
} else if (strncmp(full_key, "HKEY_CLASSES_ROOT", 17) == 0) {
    *root_key_handle = HKEY_CLASSES_ROOT;
    root_key_length = 17;
} else if (strncmp(full_key, "HKEY_CURRENT_CONFIG", 19) == 0) {
    *root_key_handle = HKEY_CURRENT_CONFIG;
    root_key_length = 19;
} else if (strncmp(full_key, "HKEY_USERS", 10) == 0) {
    *root_key_handle = HKEY_USERS;
    root_key_length = 10;
} else {
    *root_key_handle = NULL;
    return -1;
}
```

Only the root keys HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG and HKEY_USERS are valid root keys for monitoring and will work well with the current feature.

Example of configuration and tests

🟢 Combine three possible cases

Configuration

```xml
<syscheck>

  <disabled>no</disabled>

  <!-- Frequency that syscheck is executed default every 12 hours -->
  <frequency>43200</frequency>

  <!-- Testing registers. Win10x64. -->
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\*\D????????</windows_registry>
  <windows_registry arch="both">HKEY_CURRENT_CONFIG\S?????\*</windows_registry>
  <windows_registry arch="both">HKEY_CURRENT_USER\Software\*</windows_registry>
  <windows_registry arch="both">HKEY_CURRENT_CONFIG\S?????</windows_registry>
  <windows_registry arch="both">HKEY_CURRENT_USER\Con??</windows_registry> <!-- Invalid register. No match-->
  <windows_registry arch="both">HKEY_CURRENT_USER\Environment\*</windows_registry> <!-- Invalid register. No match-->
  <windows_registry arch="both">HKEY\*</windows_registry> <!-- Invalid register. Wrong HKEY -->
</syscheck>
```
🟢 Start agent with new feature

```text
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:627 at read_reg(): DEBUG: (6372): Starting configuration for Windows registry wildcards.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:629 at read_reg(): DEBUG: (6373): Expanding entry 'HKEY_LOCAL_MACHINE\*\D????????' to 'HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP' to monitor FIM events.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:641 at read_reg(): DEBUG: (6374): Wildcard configuration successfully completed.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:627 at read_reg(): DEBUG: (6372): Starting configuration for Windows registry wildcards.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:629 at read_reg(): DEBUG: (6373): Expanding entry 'HKEY_CURRENT_CONFIG\S?????\*' to 'HKEY_CURRENT_CONFIG\System\CurrentControlSet' to monitor FIM events.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:641 at read_reg(): DEBUG: (6374): Wildcard configuration successfully completed.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:627 at read_reg(): DEBUG: (6372): Starting configuration for Windows registry wildcards.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:629 at read_reg(): DEBUG: (6373): Expanding entry 'HKEY_CURRENT_USER\Software\*' to 'HKEY_CURRENT_USER\Software\Classes' to monitor FIM events.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:629 at read_reg(): DEBUG: (6373): Expanding entry 'HKEY_CURRENT_USER\Software\*' to 'HKEY_CURRENT_USER\Software\Microsoft' to monitor FIM events.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:629 at read_reg(): DEBUG: (6373): Expanding entry 'HKEY_CURRENT_USER\Software\*' to 'HKEY_CURRENT_USER\Software\Policies' to monitor FIM events.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:641 at read_reg(): DEBUG: (6374): Wildcard configuration successfully completed.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:627 at read_reg(): DEBUG: (6372): Starting configuration for Windows registry wildcards.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:629 at read_reg(): DEBUG: (6373): Expanding entry 'HKEY_CURRENT_CONFIG\S?????' to 'HKEY_CURRENT_CONFIG\System' to monitor FIM events.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck-config.c:641 at read_reg(): DEBUG: (6374): Wildcard configuration successfully completed.
2023/06/16 07:29:18 wazuh-agent[6060] syscheck_op.c:1197 at w_switch_root_key(): DEBUG: Invalid value of root Handle to Registry Key.
```
🟢 Add new registry

```text
2023/01/09 14:47:46 wazuh-agent[9580] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"HKEY_CURRENT_CONFIG\\Software\\NEW_KEY","version":2,"mode":"scheduled","type":"added","arch":"[x64]","timestamp":1673297266,"attributes":{"type":"registry_key","perm":{"S-1-5-32-545":{"name":"Usuarios","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-5-32-544":{"name":"Administradores","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-3-0":{"name":"CREATOR OWNER","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-15-2-1":{"name":"ALL APPLICATION PACKAGES","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681":{"allowed":["read_control","read_data","read_ea","write_ea"]}},"uid":"S-1-5-32-544","user_name":"Administradores","gid":"S-1-5-21-2535345508-762786813-1329944505-513","group_name":"Ninguno","mtime":1673297255,"checksum":"a2bdd12a4d134836bd767f83345275399ce2bc2c"}}}
2023/01/09 14:47:46 wazuh-agent[9580] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"HKEY_CURRENT_CONFIG\\Software\\NEW_KEY","version":2,"mode":"scheduled","type":"added","arch":"[x64]","value_name":"NEW_VALUE","timestamp":1673297266,"attributes":{"type":"registry_value","value_type":"REG_BINARY","size":0,"hash_md5":"d41d8cd98f00b204e9800998ecf8427e","hash_sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","hash_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","checksum":"38fdd1d295687fa298dbda6732232ee58c309cb4"}}}
2023/01/09 14:47:48 wazuh-agent[9580] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"HKEY_CURRENT_CONFIG\\Software\\NEW_KEY","version":2,"mode":"scheduled","type":"added","arch":"[x32]","timestamp":1673297268,"attributes":{"type":"registry_key","perm":{"S-1-5-32-545":{"name":"Usuarios","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-5-32-544":{"name":"Administradores","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-3-0":{"name":"CREATOR OWNER","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-15-2-1":{"name":"ALL APPLICATION PACKAGES","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681":{"allowed":["read_control","read_data","read_ea","write_ea"]}},"uid":"S-1-5-32-544","user_name":"Administradores","gid":"S-1-5-21-2535345508-762786813-1329944505-513","group_name":"Ninguno","mtime":1673297255,"checksum":"a2bdd12a4d134836bd767f83345275399ce2bc2c"}}}
2023/01/09 14:47:48 wazuh-agent[9580] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"HKEY_CURRENT_CONFIG\\Software\\NEW_KEY","version":2,"mode":"scheduled","type":"added","arch":"[x32]","value_name":"NEW_VALUE","timestamp":1673297268,"attributes":{"type":"registry_value","value_type":"REG_BINARY","size":0,"hash_md5":"d41d8cd98f00b204e9800998ecf8427e","hash_sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","hash_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","checksum":"38fdd1d295687fa298dbda6732232ee58c309cb4"}}}
```
🟢 Modify an existing value

```text
2023/01/09 14:50:07 wazuh-agent[9580] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"HKEY_CURRENT_CONFIG\\Software\\NEW_KEY","version":2,"mode":"scheduled","type":"modified","arch":"[x64]","timestamp":1673297407,"attributes":{"type":"registry_key","perm":{"S-1-5-32-545":{"name":"Usuarios","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-5-32-544":{"name":"Administradores","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-3-0":{"name":"CREATOR OWNER","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-15-2-1":{"name":"ALL APPLICATION PACKAGES","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681":{"allowed":["read_control","read_data","read_ea","write_ea"]}},"uid":"S-1-5-32-544","user_name":"Administradores","gid":"S-1-5-21-2535345508-762786813-1329944505-513","group_name":"Ninguno","mtime":1673297340,"checksum":"14c2865a3d456c0896fc0bffbacecd18d25ce710"},"changed_attributes":["mtime"],"old_attributes":{"type":"registry_key","perm":{"S-1-5-32-545":{"name":"Usuarios","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-5-32-544":{"name":"Administradores","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-3-0":{"name":"CREATOR OWNER","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-15-2-1":{"name":"ALL APPLICATION PACKAGES","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681":{"allowed":["read_control","read_data","read_ea","write_ea"]}},"uid":"S-1-5-32-544","user_name":"Administradores","gid":"S-1-5-21-2535345508-762786813-1329944505-513","group_name":"Ninguno","mtime":1673297255,"checksum":"a2bdd12a4d134836bd767f83345275399ce2bc2c"}}}
2023/01/09 14:50:07 wazuh-agent[9580] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"HKEY_CURRENT_CONFIG\\Software\\NEW_KEY","version":2,"mode":"scheduled","type":"modified","arch":"[x64]","value_name":"NEW_VALUE","timestamp":1673297407,"attributes":{"type":"registry_value","value_type":"REG_BINARY","size":1,"hash_md5":"d3d9446802a44259755d38e6d163e820","hash_sha1":"b1d5781111d84f7b3fe45a0852e59758cd7a87e5","hash_sha256":"4a44dc15364204a80fe80e9039455cc1608281820fe2b24f1e5233ade6af1dd5","checksum":"a6905d73e33bd3c3e46fed5750448838df05a2aa"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"registry_value","value_type":"REG_BINARY","size":0,"hash_md5":"d41d8cd98f00b204e9800998ecf8427e","hash_sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","hash_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","checksum":"38fdd1d295687fa298dbda6732232ee58c309cb4"}}}
2023/01/09 14:50:07 wazuh-agent[9580] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"HKEY_CURRENT_CONFIG\\Software\\NEW_KEY","version":2,"mode":"scheduled","type":"modified","arch":"[x32]","timestamp":1673297407,"attributes":{"type":"registry_key","perm":{"S-1-5-32-545":{"name":"Usuarios","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-5-32-544":{"name":"Administradores","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-3-0":{"name":"CREATOR OWNER","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-15-2-1":{"name":"ALL APPLICATION PACKAGES","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681":{"allowed":["read_control","read_data","read_ea","write_ea"]}},"uid":"S-1-5-32-544","user_name":"Administradores","gid":"S-1-5-21-2535345508-762786813-1329944505-513","group_name":"Ninguno","mtime":1673297340,"checksum":"14c2865a3d456c0896fc0bffbacecd18d25ce710"},"changed_attributes":["mtime"],"old_attributes":{"type":"registry_key","perm":{"S-1-5-32-545":{"name":"Usuarios","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-5-32-544":{"name":"Administradores","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-3-0":{"name":"CREATOR OWNER","allowed":["delete","read_control","write_dac","write_owner","read_data","write_data","append_data","read_ea","write_ea","execute"]},"S-1-15-2-1":{"name":"ALL APPLICATION PACKAGES","allowed":["read_control","read_data","read_ea","write_ea"]},"S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681":{"allowed":["read_control","read_data","read_ea","write_ea"]}},"uid":"S-1-5-32-544","user_name":"Administradores","gid":"S-1-5-21-2535345508-762786813-1329944505-513","group_name":"Ninguno","mtime":1673297255,"checksum":"a2bdd12a4d134836bd767f83345275399ce2bc2c"}}}
2023/01/09 14:50:07 wazuh-agent[9580] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"HKEY_CURRENT_CONFIG\\Software\\NEW_KEY","version":2,"mode":"scheduled","type":"modified","arch":"[x32]","value_name":"NEW_VALUE","timestamp":1673297407,"attributes":{"type":"registry_value","value_type":"REG_BINARY","size":1,"hash_md5":"d3d9446802a44259755d38e6d163e820","hash_sha1":"b1d5781111d84f7b3fe45a0852e59758cd7a87e5","hash_sha256":"4a44dc15364204a80fe80e9039455cc1608281820fe2b24f1e5233ade6af1dd5","checksum":"a6905d73e33bd3c3e46fed5750448838df05a2aa"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"registry_value","value_type":"REG_BINARY","size":0,"hash_md5":"d41d8cd98f00b204e9800998ecf8427e","hash_sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","hash_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","checksum":"38fdd1d295687fa298dbda6732232ee58c309cb4"}}}
```

Software Design Document

SDD Report

Introduction

Wildcards provide a shorthand for specifying sets of files with similar names.
An asterisk * is replaced by any number of characters in a filename. For example, ae* would match aegis, aerie, aeon, etc. if those files were in the same directory.
And a question mark ? is replaced by any single character (so h?p matches hop and hip, but not help).

This support was already implemented for directories but not for Windows registers. This solution has been
designed in an effort to create a necessary feature for FIM that is open for extensions; this document describes the implementation of this one.
Not only does this document describe the software already created, it is also intended to enforce compatibility of future modifications or add-ons.

Algorithm Overview

The algorithm consists of the input of a path provided by the ossec.conf file, which is checked to see if it has a wildcard or not.
Subsequently, a copy of this path is created so as not to alter the original and three cases are analyzed:

  • Combination case: Both wildcards are present in the path, expanding first the asterisks and then the question marks.

  • Asterisk case: All possible records are analyzed.

  • Question mark case: All possible records matching the original path are analyzed.

Once the copy of the original path is created, it is divided into two parts taking the wildcard as the inflection point. The first part extracts the root key and possible sub key. The second part is concatenated with the result of the query that uses the Windows API to obtain all possible values.
For the case of the question mark, the Windows API is also used which has support for finding the matches of two paths.

This can be summarized in the following sequence diagram:
[sequence diagram]

And a deterministic finite state machine (FSM) diagram:

S0 -> Enter expansion function
S1 -> Check if there is a wildcard
S2 -> There is a wildcard and it is a *
S3 -> There is a wildcard and it is a ?
S4 -> There is no wildcard, return result
S5 -> Extract the rootkey and the subkey needed to fetch the remaining keys
S6 -> Reassemble the path and add to the result those that meet the wildcard
S7 -> Extracts the rootkey and the subkey needed to fetch the remaining keys
S8 -> Reassemble the path and add to the result those keys that comply with the wildcard
[FSM diagram]

Conclusion

The proposed solution is based on the use of API functions previously used in the project, testing with 90% code coverage and analyzing with CLANG with positive results.
It is available for future improvements, fixes and/or comments from the management team and the community.


  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for Linux
    • Scan-build report
    • Coverity
  Analysis Summary:
    New defects found: 28
    Defects eliminated: 109

Fixed bugs from previous Coverity run: #15852 (review) - fda2d26

  • Retrocompatibility with older Wazuh versions
  • Working on cluster environments
  • Configuration on demand reports new parameters
  • The data flow works as expected (agent-manager-api-app)
  • Added unit tests (for new features)
  • Stress test for affected components
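The expansion described in the Algorithm Overview, as an added C example that is not the project's code: one `<windows_registry>` entry is matched segment by segment against a constructed in-memory key list instead of the Windows API, the root-key whitelist from the snippet above is applied first, and the three cases (asterisk, question mark, combination) are generalized into a single glob match per path segment. The mock key list, the stricter root-name boundary check and all helper names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L /* strdup */
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the registry: every key the mock machine has,
 * intermediate keys included, as the enumeration step would list them. */
static const char *MOCK_KEYS[] = {
    "HKEY_LOCAL_MACHINE\\HARDWARE", "HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP",
    "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION", "HKEY_LOCAL_MACHINE\\SOFTWARE",
    "HKEY_CURRENT_CONFIG\\System", "HKEY_CURRENT_CONFIG\\System\\CurrentControlSet",
    "HKEY_CURRENT_USER\\Software\\Classes", NULL};
/* Case-sensitive glob over one key-name segment: '*' any run, '?' one char. */
static int glob_match(const char *pat, const char *s) {
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {                        /* try every split point for '*' */
        for (;; s++) {
            if (glob_match(pat + 1, s)) return 1;
            if (*s == '\0') return 0;
        }
    }
    return *s != '\0' && (*pat == '?' || *pat == *s) && glob_match(pat + 1, s + 1);
}
/* Root-key whitelist from the PR snippet (HKEY_CURRENT_USER is not in it), with a
 * hypothetical hardening: the root name must be followed by '\\' or the end. */
static int valid_root(const char *key) {
    static const char *roots[] = {"HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT",
                                  "HKEY_CURRENT_CONFIG", "HKEY_USERS", NULL};
    for (int i = 0; roots[i]; i++) {
        size_t n = strlen(roots[i]);
        if (!strncmp(key, roots[i], n) && (key[n] == '\\' || !key[n])) return 1;
    }
    return 0;
}
/* Match pattern against a key path one '\\'-separated segment at a time, so a
 * '*' never spans a separator and both sides must end on the same segment. */
static int path_match(const char *pat, const char *key) {
    for (;;) {
        const char *pe = strchr(pat, '\\'), *ke = strchr(key, '\\');
        size_t pl = pe ? (size_t)(pe - pat) : strlen(pat), kl = ke ? (size_t)(ke - key) : strlen(key);
        char pseg[256], kseg[256];
        if (pl >= sizeof pseg || kl >= sizeof kseg) return 0;
        memcpy(pseg, pat, pl); pseg[pl] = '\0';
        memcpy(kseg, key, kl); kseg[kl] = '\0';
        if (!glob_match(pseg, kseg)) return 0;
        if (!pe || !ke) return pe == NULL && ke == NULL;
        pat = pe + 1; key = ke + 1;
    }
}
/* Expand one entry into a NULL-terminated array of matching key paths (release
 * with free_strarray). NULL means the root key was rejected, as in the
 * "Invalid value of root Handle" log line above. */
char **expand_registry_wildcards(const char *pattern) {
    if (!valid_root(pattern)) return NULL;
    size_t cap = 4, n = 0;
    char **out = malloc(cap * sizeof *out);
    for (int i = 0; MOCK_KEYS[i]; i++) {
        if (!path_match(pattern, MOCK_KEYS[i])) continue;
        if (n + 1 >= cap) out = realloc(out, (cap *= 2) * sizeof *out);
        out[n++] = strdup(MOCK_KEYS[i]);
    }
    out[n] = NULL;
    return out;
}
/* Walk the array with a cursor but release memory through the start pointer. */
void free_strarray(char **arr) {
    if (!arr) return;
    for (char **p = arr; *p; p++) free(*p);
    free(arr);
}
/* How many keys an entry expands to; 0 when the root key was rejected. */
size_t count_matches(const char *pattern) {
    char **m = expand_registry_wildcards(pattern);
    size_t n = 0;
    while (m && m[n]) n++;
    free_strarray(m);
    return n;
}
```

With the mock tree above, `HKEY_LOCAL_MACHINE\*\D????????` expands only to `HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP`, matching the agent log shown earlier, while every `HKEY_CURRENT_USER` entry is rejected before any matching happens.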

@GabrielEValenzuela GabrielEValenzuela force-pushed the 14321_wildcard_windows_registers branch 2 times, most recently from cf065cc to 3c8db66 Compare March 17, 2023 18:00
@MarcelKemp MarcelKemp left a comment


After the changes, please also check the UTs.

@GabrielEValenzuela GabrielEValenzuela marked this pull request as draft June 15, 2023 14:40
@GabrielEValenzuela GabrielEValenzuela marked this pull request as ready for review June 16, 2023 10:02
MarcelKemp
MarcelKemp previously approved these changes Jun 19, 2023

@MarcelKemp MarcelKemp left a comment


LGTM!


@vikman90 vikman90 left a comment


@GabrielEValenzuela @MarcelKemp I've found the following defect in the code:

```text
** CID 321729:    (RESOURCE_LEAK)
/config/syscheck-config.c: 639 in read_reg()
/config/syscheck-config.c: 653 in read_reg()


________________________________________________________________________________________________________
*** CID 321729:    (RESOURCE_LEAK)
/config/syscheck-config.c: 639 in read_reg()
633                         dump_syscheck_registry(syscheck, *paths_wildcard, opts, restrict_key, restrict_value, recursion_level, tag, ARCH_32BIT, tmp_diff_size);
634                     } else {
635                         dump_syscheck_registry(syscheck, *paths_wildcard, opts, restrict_key, restrict_value, recursion_level, tag, arch, tmp_diff_size);
636                     }
637                     paths_wildcard++;
638                 }
>>>     CID 321729:    (RESOURCE_LEAK)
>>>     Overwriting "paths_wildcard" in "paths_wildcard = start_vector" leaks the storage that "paths_wildcard" points to.
639                 paths_wildcard = start_vector;
640                 free_strarray(paths_wildcard);
641                 mdebug1(FIM_WILDCARDS_REGISTERS_FINALIZE);
642             } else {
643                 /* Add new entry */
644                 if (arch == ARCH_BOTH) {
/config/syscheck-config.c: 653 in read_reg()
647                 } else {
648                     dump_syscheck_registry(syscheck, tmp_entry, opts, restrict_key, restrict_value, recursion_level, tag, arch, tmp_diff_size);
649                 }
650             }
651             /* Next entry */
652             free(entry[i]);
>>>     CID 321729:    (RESOURCE_LEAK)
>>>     Variable "paths_wildcard" going out of scope leaks the storage it points to.
653         }
654         free(entry);
655     
656         retval = 1;
657     clean_reg:
658         os_free(tag);
```

Please review it and fix that if applicable.
Cheers!

@vikman90 vikman90 merged commit dc640e9 into 4.6.0 Jul 18, 2023
59 checks passed
@vikman90 vikman90 deleted the 14321_wildcard_windows_registers branch July 18, 2023 08:55
Labels
module/fim/registry File Integrity Monitoring registries platform/windows
Successfully merging this pull request may close these issues.

Wildcard (*) usage on Windows Registry Paths for FIM
4 participants