FIM realtime support for macOS and BSD #16316

Open
wants to merge 7 commits into base: master
Conversation

mjcr99
Member

@mjcr99 mjcr99 commented Mar 2, 2023

Related issue
#16229

Description

This pull request aims to integrate the libinotify-kqueue library into the Makefile of the Wazuh project, in order to enable this library's functionality to provide realtime FIM on BSD-based systems and macOS systems.

The new dependency is covered if uname -s shows Darwin, OpenBSD, FreeBSD or NetBSD; in the rest of the cases the dependency is not installed, since it is only used on these systems.

It's still necessary to apply some changes in order to download this dependency from Wazuh's packages warehouse, so to test this PR it is mandatory to download the library and place it manually in the src/external/ folder. Just decompress the library and copy the folder into the mentioned one.

In order to test this new feature completely, a testing DEPS_VERSION has been created, to check that the needed dependency is properly set to be downloaded and compiled while building the external dependencies. To run the tests in this PR it's mandatory to set DEPS_VERSION = 20-16226

Library dependency

The following file contains the library, previously cleaned of unnecessary files in order to make it lighter.
libinotify-kqueue.zip

Alerts/Logs

Here we have tried a simple test, creating a folder called realtime on a macOS 12 machine. In this folder a file prueba was created using touch, then modified using nano and finally removed with rm. The configuration of ossec.conf was changed by adding this line: <directories check_all="yes" realtime="yes">/Users/vagrant/realtime/ </directories>.

The expected alerts are triggered properly as soon as the mentioned changes to the file prueba take place.

File creation
{
  "syscheck": {
    "uname_after": "root",
    "mtime_after": "2023-03-03T13:26:50",
    "size_after": "0",
    "gid_after": "20",
    "mode": "realtime",
    "path": "/Users/vagrant/realtime/prueba",
    "sha1_after": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "gname_after": "staff",
    "uid_after": "0",
    "perm_after": "rw-r--r--",
    "event": "added",
    "md5_after": "d41d8cd98f00b204e9800998ecf8427e",
    "sha256_after": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "inode_after": 694421
  },
  "agent": {
    "ip": "10.0.2.15",
    "name": "macos12",
    "id": "007"
  },
  "manager": {
    "name": "wazuh-server"
  },
  "rule": {
    "firedtimes": 1,
    "mail": false,
    "level": 5,
    "pci_dss": [
      "11.5"
    ],
    "hipaa": [
      "164.312.c.1",
      "164.312.c.2"
    ],
    "tsc": [
      "PI1.4",
      "PI1.5",
      "CC6.1",
      "CC6.8",
      "CC7.2",
      "CC7.3"
    ],
    "description": "File added to the system.",
    "groups": [
      "ossec",
      "syscheck",
      "syscheck_entry_added",
      "syscheck_file"
    ],
    "id": "554",
    "nist_800_53": [
      "SI.7"
    ],
    "gpg13": [
      "4.11"
    ],
    "gdpr": [
      "II_5.1.f"
    ]
  },
  "decoder": {
    "name": "syscheck_new_entry"
  },
  "full_log": "File '/Users/vagrant/realtime/prueba' added\nMode: realtime\n",
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-03-03T13:26:50.597Z",
  "location": "syscheck",
  "id": "1677850010.1065452",
  "timestamp": "2023-03-03T13:26:50.597+0000",
  "_id": "d66np4YBVBwdaGB_iVXv"
}

Ossec.log

File modification
{
  "syscheck": {
    "size_before": "0",
    "uname_after": "root",
    "mtime_after": "2023-03-03T13:26:55",
    "size_after": "2",
    "gid_after": "20",
    "md5_before": "d41d8cd98f00b204e9800998ecf8427e",
    "sha256_before": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "mtime_before": "2023-03-03T13:26:50",
    "mode": "realtime",
    "path": "/Users/vagrant/realtime/prueba",
    "sha1_after": "a9fcd54b25e7e863d72cd47c08af46e61b74b561",
    "changed_attributes": [
      "size",
      "mtime",
      "md5",
      "sha1",
      "sha256"
    ],
    "gname_after": "staff",
    "uid_after": "0",
    "perm_after": "rw-r--r--",
    "event": "modified",
    "md5_after": "9a8ad92c50cae39aa2c5604fd0ab6d8c",
    "sha1_before": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256_after": "092fcfbbcfca3b5be7ae1b5e58538e92c35ab273ae13664fed0d67484c8e78a6",
    "inode_after": 694421
  },
  "agent": {
    "ip": "10.0.2.15",
    "name": "macos12",
    "id": "007"
  },
  "manager": {
    "name": "wazuh-server"
  },
  "rule": {
    "mail": false,
    "level": 7,
    "pci_dss": [
      "11.5"
    ],
    "hipaa": [
      "164.312.c.1",
      "164.312.c.2"
    ],
    "tsc": [
      "PI1.4",
      "PI1.5",
      "CC6.1",
      "CC6.8",
      "CC7.2",
      "CC7.3"
    ],
    "description": "Integrity checksum changed.",
    "groups": [
      "ossec",
      "syscheck",
      "syscheck_entry_modified",
      "syscheck_file"
    ],
    "nist_800_53": [
      "SI.7"
    ],
    "gdpr": [
      "II_5.1.f"
    ],
    "firedtimes": 1,
    "mitre": {
      "technique": [
        "Stored Data Manipulation"
      ],
      "id": [
        "T1565.001"
      ],
      "tactic": [
        "Impact"
      ]
    },
    "id": "550",
    "gpg13": [
      "4.11"
    ]
  },
  "decoder": {
    "name": "syscheck_integrity_changed"
  },
  "full_log": "File '/Users/vagrant/realtime/prueba' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '2'\nOld modification time was: '1677850010', now it is '1677850015'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : '9a8ad92c50cae39aa2c5604fd0ab6d8c'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : 'a9fcd54b25e7e863d72cd47c08af46e61b74b561'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : '092fcfbbcfca3b5be7ae1b5e58538e92c35ab273ae13664fed0d67484c8e78a6'\n",
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-03-03T13:26:55.187Z",
  "location": "syscheck",
  "id": "1677850015.1066148",
  "timestamp": "2023-03-03T13:26:55.187+0000",
  "_id": "eK6np4YBVBwdaGB_iVXv"
}
File deletion
{
  "syscheck": {
    "uname_after": "root",
    "mtime_after": "2023-03-03T13:26:55",
    "size_after": "2",
    "gid_after": "20",
    "mode": "realtime",
    "path": "/Users/vagrant/realtime/prueba",
    "sha1_after": "a9fcd54b25e7e863d72cd47c08af46e61b74b561",
    "gname_after": "staff",
    "uid_after": "0",
    "perm_after": "rw-r--r--",
    "event": "deleted",
    "md5_after": "9a8ad92c50cae39aa2c5604fd0ab6d8c",
    "sha256_after": "092fcfbbcfca3b5be7ae1b5e58538e92c35ab273ae13664fed0d67484c8e78a6",
    "inode_after": 694421
  },
  "agent": {
    "ip": "10.0.2.15",
    "name": "macos12",
    "id": "007"
  },
  "manager": {
    "name": "wazuh-server"
  },
  "rule": {
    "mail": false,
    "level": 7,
    "pci_dss": [
      "11.5"
    ],
    "hipaa": [
      "164.312.c.1",
      "164.312.c.2"
    ],
    "tsc": [
      "PI1.4",
      "PI1.5",
      "CC6.1",
      "CC6.8",
      "CC7.2",
      "CC7.3"
    ],
    "description": "File deleted.",
    "groups": [
      "ossec",
      "syscheck",
      "syscheck_entry_deleted",
      "syscheck_file"
    ],
    "nist_800_53": [
      "SI.7"
    ],
    "gdpr": [
      "II_5.1.f"
    ],
    "firedtimes": 1,
    "mitre": {
      "technique": [
        "File Deletion",
        "Data Destruction"
      ],
      "id": [
        "T1070.004",
        "T1485"
      ],
      "tactic": [
        "Defense Evasion",
        "Impact"
      ]
    },
    "id": "553",
    "gpg13": [
      "4.11"
    ]
  },
  "decoder": {
    "name": "syscheck_deleted"
  },
  "full_log": "File '/Users/vagrant/realtime/prueba' deleted\nMode: realtime\n",
  "input": {
    "type": "log"
  },
  "@timestamp": "2023-03-03T13:26:58.313Z",
  "location": "syscheck",
  "id": "1677850018.1067386",
  "timestamp": "2023-03-03T13:26:58.313+0000",
  "_id": "ea6np4YBVBwdaGB_iVXv"
}

General Tests

  • Compilation without warnings in every supported platform
    • Linux
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for macOS
    • Scan-build report
    • Leaks
    • AddressSanitizer
  • Retrocompatibility with older Wazuh versions
  • Working on cluster environments
  • Configuration on demand reports new parameters
  • The data flow works as expected (agent-manager-api-app)
  • Decoder/Rule tests
    • Added unit testing files ".ini"
    • runtests.py executed without errors
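The three alerts above form a chain for one path: the modification's *_before digests are the creation's *_after digests, and the deletion reports the last state seen by the modification. As an added example, not code from this PR or from the Wazuh project, the following Python checker replays the alerts as a per-file event chain and verifies that continuity, flags a creation event whose digests are those of a zero-length file (what touch produces), and reports an inode change as a replace-rather-than-edit. The event list is a constructed, trimmed copy of the alert payloads posted above; a break in the chain is how a consumer would notice a lost realtime event or an altered alert stream.

```python
"""Replay Wazuh syscheck (FIM) alerts as a per-file event chain and check
hash continuity between consecutive events.

Added example, not code from this PR or from the Wazuh project. The event
list is a constructed, trimmed copy of the three alert payloads posted in
the PR description; paths, timestamps and digests are as they appear there.
"""
import hashlib
from collections import defaultdict

HASHES = ("md5", "sha1", "sha256")

# Digests of zero-length input. An "added" alert carrying exactly these
# values means FIM hashed an empty file, which is what `touch` creates.
EMPTY_DIGESTS = {h: hashlib.new(h, b"").hexdigest() for h in HASHES}

# Constructed input: the 'syscheck' objects of the three alerts above,
# reduced to the fields the checker reads, plus each alert's timestamp.
SAMPLE_EVENTS = [
    {"timestamp": "2023-03-03T13:26:50.597+0000", "rule_id": "554",
     "path": "/Users/vagrant/realtime/prueba", "event": "added", "mode": "realtime",
     "inode_after": 694421, "size_after": "0",
     "md5_after": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1_after": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256_after": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"timestamp": "2023-03-03T13:26:55.187+0000", "rule_id": "550",
     "path": "/Users/vagrant/realtime/prueba", "event": "modified", "mode": "realtime",
     "inode_after": 694421, "size_before": "0", "size_after": "2",
     "md5_before": "d41d8cd98f00b204e9800998ecf8427e",
     "md5_after": "9a8ad92c50cae39aa2c5604fd0ab6d8c",
     "sha1_before": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha1_after": "a9fcd54b25e7e863d72cd47c08af46e61b74b561",
     "sha256_before": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "sha256_after": "092fcfbbcfca3b5be7ae1b5e58538e92c35ab273ae13664fed0d67484c8e78a6",
     "changed_attributes": ["size", "mtime", "md5", "sha1", "sha256"]},
    {"timestamp": "2023-03-03T13:26:58.313+0000", "rule_id": "553",
     "path": "/Users/vagrant/realtime/prueba", "event": "deleted", "mode": "realtime",
     "inode_after": 694421, "size_after": "2",
     "md5_after": "9a8ad92c50cae39aa2c5604fd0ab6d8c",
     "sha1_after": "a9fcd54b25e7e863d72cd47c08af46e61b74b561",
     "sha256_after": "092fcfbbcfca3b5be7ae1b5e58538e92c35ab273ae13664fed0d67484c8e78a6"},
]


def build_chains(events):
    """Group events by path and order each group by alert timestamp."""
    chains = defaultdict(list)
    for ev in events:
        chains[ev["path"]].append(ev)
    return {p: sorted(evs, key=lambda e: e["timestamp"]) for p, evs in chains.items()}


def is_empty_file(ev):
    """True when every *_after digest is the digest of zero bytes."""
    return all(ev.get(f"{h}_after") == EMPTY_DIGESTS[h] for h in HASHES)


def check_continuity(chain):
    """Return findings for one path's chain (an empty list means consistent).

    A 'modified' event must carry *_before digests equal to the previous
    event's *_after digests; a 'deleted' event reports the last known
    state, so its *_after digests must equal the previous *_after. A break
    means the agent missed an event (lost watch, queue overflow) or the
    alert stream is incomplete or altered.
    """
    findings = []
    if not chain or chain[0]["event"] != "added":
        findings.append("chain does not start with an 'added' event")
    for prev, cur in zip(chain, chain[1:]):
        when = cur["timestamp"]
        if cur["event"] == "modified":
            for h in HASHES:
                if cur.get(f"{h}_before") != prev.get(f"{h}_after"):
                    findings.append(f"{when}: {h}_before does not match previous state")
            if cur.get("size_before") != prev.get("size_after"):
                findings.append(f"{when}: size_before does not match previous state")
            # changed_attributes must agree with the before/after pairs it names
            for attr in cur.get("changed_attributes", []):
                if attr in HASHES and cur.get(f"{attr}_before") == cur.get(f"{attr}_after"):
                    findings.append(f"{when}: {attr} listed as changed but digests are equal")
            if cur.get("inode_after") != prev.get("inode_after"):
                findings.append(f"{when}: inode changed, file was replaced rather than edited in place")
        elif cur["event"] == "deleted":
            for h in HASHES:
                if cur.get(f"{h}_after") != prev.get(f"{h}_after"):
                    findings.append(f"{when}: deletion reports a {h} never seen in an earlier event")
        elif cur["event"] == "added" and prev["event"] != "deleted":
            findings.append(f"{when}: 'added' without a preceding deletion")
    return findings


if __name__ == "__main__":
    for path, chain in build_chains(SAMPLE_EVENTS).items():
        print(path, "->", " > ".join(e["event"] for e in chain))
        print("  empty at creation:", is_empty_file(chain[0]))
        for finding in check_continuity(chain) or ["chain is consistent"]:
            print("  ", finding)
```

The checks rely only on fields the syscheck decoder already emits, so the same logic can run on the manager's alerts.json; an inode check is the part that distinguishes an in-place edit from an atomic replace (write to a temp file, then rename), which realtime on kqueue reports through the parent directory rather than the watched file.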

@mjcr99 mjcr99 added module/fim File Integrity Monitoring platform/macos platform/bsd module/fim/realtime File Integrity Monitoring realtime engine labels Mar 2, 2023
@mjcr99 mjcr99 force-pushed the 16226-fim-realtime-support-for-macos-and-bsd branch from 6a04f82 to 2c84e29 on March 2, 2023 21:50
@mjcr99 mjcr99 changed the title 16226 fim realtime support for macos and bsd FIM realtime support for macos and bsd Mar 3, 2023
@mjcr99 mjcr99 changed the base branch from 4.5 to master March 3, 2023 08:58
@mjcr99 mjcr99 linked an issue Mar 3, 2023 that may be closed by this pull request
@mjcr99 mjcr99 changed the title FIM realtime support for macos and bsd FIM realtime support for macOS and bsd Mar 3, 2023
@mjcr99 mjcr99 changed the title FIM realtime support for macOS and bsd FIM realtime support for macOS and BSD Mar 3, 2023
@chemamartinez chemamartinez self-requested a review March 8, 2023 14:44
@mjcr99 mjcr99 marked this pull request as ready for review March 14, 2023 09:36
chemamartinez
chemamartinez previously approved these changes Mar 17, 2023
Contributor

@chemamartinez chemamartinez left a comment

LGTM

@jotacarma90 jotacarma90 force-pushed the 16226-fim-realtime-support-for-macos-and-bsd branch from fc6c1bb to 0804898 on April 19, 2023 08:01
@jotacarma90 jotacarma90 force-pushed the 16226-fim-realtime-support-for-macos-and-bsd branch from 0804898 to aa08d1e on May 16, 2023 13:11
@jotacarma90 jotacarma90 force-pushed the 16226-fim-realtime-support-for-macos-and-bsd branch from aa08d1e to 2c29c9b on June 1, 2023 09:26
@jotacarma90 jotacarma90 force-pushed the 16226-fim-realtime-support-for-macos-and-bsd branch from 2c29c9b to dd0b2e4 on July 5, 2023 15:15