
Add additional check on XML parsing #20448

Merged · 2 commits · Apr 30, 2024

Conversation

@LucioDonda (Member) commented Nov 27, 2023

Related issue
#16386

Description

After merging this PR it was found that some of the Windows events were not correctly handled. That turned into a revert of some changes in that merge.
This PR tries to solve some of those issues without affecting any other process that makes use of the XML parser.

The easiest and cleanest approach we found was simply checking whether the XML starts with '<' (skipping all spaces and line breaks before it).

Configuration options

Default configuration.

Logs/Alerts example

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
  • Source installation
  • Package installation
  • Memory tests for Linux
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
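A minimal C sketch of the pre-check the description above talks about: skip leading spaces, tabs and line breaks, then require that the first meaningful byte is '<'. This is an added illustration, not the PR's actual os_xml.c change; the function names and result codes are my own, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the cheap pre-check run before the real XML parser. */
enum xml_precheck {
    XML_PRECHECK_OK = 0,       /* first non-blank byte is '<' */
    XML_PRECHECK_EMPTY = 1,    /* NULL, empty, or only spaces/line breaks */
    XML_PRECHECK_NOT_XML = 2   /* first non-blank byte is something else */
};

static int is_blank(char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Skip leading spaces, tabs and line breaks and report whether the first
 * meaningful byte opens a tag. *offset (if given) receives the index of
 * that byte so a caller can mention it in an error message. */
enum xml_precheck xml_precheck(const char *buf, size_t len, size_t *offset)
{
    size_t i = 0;

    if (buf == NULL) {
        if (offset) *offset = 0;
        return XML_PRECHECK_EMPTY;
    }
    while (i < len && is_blank(buf[i])) {
        i++;
    }
    if (offset) *offset = i;
    if (i == len || buf[i] == '\0') {
        return XML_PRECHECK_EMPTY;
    }
    return buf[i] == '<' ? XML_PRECHECK_OK : XML_PRECHECK_NOT_XML;
}

/* Same check for a NUL-terminated string. */
enum xml_precheck xml_precheck_str(const char *s, size_t *offset)
{
    return xml_precheck(s, s ? strlen(s) : 0, offset);
}

/* Index of the first non-blank byte (handy when only the offset matters). */
size_t xml_first_nonblank(const char *s)
{
    size_t off = 0;
    (void)xml_precheck_str(s, &off);
    return off;
}

int main(void)
{
    /* Constructed samples: a config fragment with leading blank lines,
     * a whitespace-only buffer, and a plain log line that is not XML. */
    const char *samples[] = {
        "\n\n  <ossec_config>\n</ossec_config>\n",
        "   \r\n",
        "Apr 29 11:46:52 kinetic env[14713]: Started wazuh-analysisd...",
    };
    size_t n;

    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        size_t off;
        enum xml_precheck r = xml_precheck_str(samples[n], &off);
        printf("sample %zu: result=%d, first non-blank byte at %zu\n",
               n, (int)r, off);
    }
    return 0;
}
```

The check only rejects input that cannot be XML at all; a buffer that passes it can still be malformed, so the parser's own error handling stays in place behind it.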

@LucioDonda LucioDonda self-assigned this Nov 27, 2023
@vikman90 vikman90 linked an issue Nov 29, 2023 that may be closed by this pull request
@cborla cborla changed the base branch from 4.8.0 to 4.8.1 November 29, 2023 20:45
@LucioDonda LucioDonda marked this pull request as ready for review November 29, 2023 20:46
@nbertoldo (Member) previously approved these changes Nov 30, 2023 and left a comment:


LGTM!

@LucioDonda (Member, Author) commented:

Additional test:

Fixed version running on Ubuntu 20 as manager and Windows 10 as agent.
In both cases the installation and the start of the service didn't generate any warning or error. That didn't happen on the enrollment process either.

Example of alert after login:

** Alert 1702306968.257562: - windows,windows_security,authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
2023 Dec 11 15:02:48 (vm-win10) any->EventChannel
Rule: 60122 (level 5) -> 'Logon failure - Unknown user or bad password.'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4625","version":"0","level":"0","task":"12544","opcode":"0","keywords":"0x8010000000000000","systemTime":"2023-12-11T15:02:47.9920973Z","eventRecordID":"17301","processID":"708","threadID":"7876","channel":"Security","computer":"vm-win10","severityValue":"AUDIT_FAILURE","message":"\"An account failed to log on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tVM-WIN10$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3E7\r\n\r\nLogon Type:\t\t\t2\r\n\r\nAccount For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tvagrant\r\n\tAccount Domain:\t\tVM-WIN10\r\n\r\nFailure Information:\r\n\tFailure Reason:\t\tUnknown user name or bad password.\r\n\tStatus:\t\t\t0xC000006D\r\n\tSub Status:\t\t0xC000006A\r\n\r\nProcess Information:\r\n\tCaller Process ID:\t0x2dc\r\n\tCaller Process Name:\tC:\\Windows\\System32\\svchost.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tVM-WIN10\r\n\tSource Network Address:\t127.0.0.1\r\n\tSource Port:\t\t0\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tUser32 \r\n\tAuthentication Package:\tNegotiate\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\r\n\r\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe Process Information fields indicate which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"VM-WIN10$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","targetUserSid":"S-1-0-0","targetUserName":"vagrant","targetDomainName":"VM-WIN10","status":"0xc000006d","failureReason":"%%2313","subStatus":"0xc000006a","logonType":"2","logonProcessName":"User32","authenticationPackageName":"Negotiate","workstationName":"VM-WIN10","keyLength":"0","processId":"0x2dc","processName":"C:\\Windows\\System32\\svchost.exe","ipAddress":"127.0.0.1","ipPort":"0"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d}
win.system.eventID: 4625
win.system.version: 0
win.system.level: 0
win.system.task: 12544
win.system.opcode: 0
win.system.keywords: 0x8010000000000000
win.system.systemTime: 2023-12-11T15:02:47.9920973Z
win.system.eventRecordID: 17301
win.system.processID: 708
win.system.threadID: 7876
win.system.channel: Security
win.system.computer: vm-win10
win.system.severityValue: AUDIT_FAILURE
win.system.message: "An account failed to log on.

Subject:
	Security ID:		S-1-5-18
	Account Name:		VM-WIN10$
	Account Domain:		WORKGROUP
	Logon ID:		0x3E7

Logon Type:			2

Account For Which Logon Failed:
	Security ID:		S-1-0-0
	Account Name:		vagrant
	Account Domain:		VM-WIN10

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xC000006D
	Sub Status:		0xC000006A

Process Information:
	Caller Process ID:	0x2dc
	Caller Process Name:	C:\Windows\System32\svchost.exe

Network Information:
	Workstation Name:	VM-WIN10
	Source Network Address:	127.0.0.1
	Source Port:		0

Detailed Authentication Information:
	Logon Process:		User32 
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
win.eventdata.subjectUserSid: S-1-5-18
win.eventdata.subjectUserName: VM-WIN10$
win.eventdata.subjectDomainName: WORKGROUP
win.eventdata.subjectLogonId: 0x3e7
win.eventdata.targetUserSid: S-1-0-0
win.eventdata.targetUserName: vagrant
win.eventdata.targetDomainName: VM-WIN10
win.eventdata.status: 0xc000006d
win.eventdata.failureReason: %%2313
win.eventdata.subStatus: 0xc000006a
win.eventdata.logonType: 2
win.eventdata.logonProcessName: User32
win.eventdata.authenticationPackageName: Negotiate
win.eventdata.workstationName: VM-WIN10
win.eventdata.keyLength: 0
win.eventdata.processId: 0x2dc
win.eventdata.processName: C:\Windows\System32\svchost.exe
win.eventdata.ipAddress: 127.0.0.1
win.eventdata.ipPort: 0

This proves that these alerts are being triggered by processing the XML events without any problem, and that both ossec.conf files are being read and used for a simple execution without problems.

@cborla (Member) previously approved these changes Jan 5, 2024 and left a comment:


LGTM!

Three review threads on src/os_xml/os_xml.c (outdated, resolved)
@LucioDonda LucioDonda dismissed stale reviews from cborla and nbertoldo via 63813ed January 8, 2024 15:11
@nmkoremblum (Contributor) previously approved these changes Jan 8, 2024 and left a comment:


LGTM

@LucioDonda LucioDonda force-pushed the 16386-additional-xml-validation branch from 63813ed to a7bfade Compare January 9, 2024 11:56
@vikman90 vikman90 changed the base branch from 4.8.1 to 4.9.0 April 4, 2024 09:29
@LucioDonda LucioDonda force-pushed the 16386-additional-xml-validation branch from 682b9aa to b4fd843 Compare April 25, 2024 13:20
@cborla cborla force-pushed the 16386-additional-xml-validation branch 5 times, most recently from 60cd79b to fb07206 Compare April 26, 2024 20:53
@vikman90 (Member) commented:

Failing checks

Scan build / scan-build-macos-agent

Testing DLL search order to prevent hijack / check_dll_on_windows

Ignoring it, it's a flaky test.

@vikman90 vikman90 force-pushed the 16386-additional-xml-validation branch from fb07206 to cfd1cab Compare April 29, 2024 09:40
@cborla (Member) left a comment:


LGTM

@LucioDonda (Member, Author) commented Apr 29, 2024

Testing

Bearing in mind that we have modified the XML parser, by running the manager and the agent we are using the parser on both of them to read the `ossec.conf` file and start the services with the required values. In the next examples some alerts can also be seen. This means that the parser has been successfully used to match events with decoders and rules (both of which use the parser). Although this is a simple test, in upcoming pre-release stages we will be able to check specific alerts like in the E2E Emotet test (where we originally found this parsing problem).

Manager 🟢


Info

root@kinetic:/var/ossec/bin# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
root@kinetic:/var/ossec/bin# ./wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40900"
WAZUH_TYPE="server"

Wazuh Status

root@kinetic:/var/ossec/bin# systemctl status wazuh-manager.service 
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/etc/systemd/system/wazuh-manager.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-04-29 11:46:57 -03; 4h 14min ago
      Tasks: 201 (limit: 11783)
     Memory: 748.3M
        CPU: 1min 15.444s
     CGroup: /system.slice/wazuh-manager.service
             ├─14769 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─14808 /var/ossec/bin/wazuh-authd
             ├─14821 /var/ossec/bin/wazuh-db
             ├─14843 /var/ossec/bin/wazuh-execd
             ├─14854 /var/ossec/bin/wazuh-analysisd
             ├─14863 /var/ossec/bin/wazuh-syscheckd
             ├─14876 /var/ossec/bin/wazuh-remoted
             ├─14996 /var/ossec/bin/wazuh-logcollector
             ├─15012 /var/ossec/bin/wazuh-monitord
             ├─15015 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─15018 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             ├─15021 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
             └─15033 /var/ossec/bin/wazuh-modulesd

Apr 29 11:46:52 kinetic env[14713]: Started wazuh-analysisd...
Apr 29 11:46:52 kinetic env[14713]: Started wazuh-syscheckd...
Apr 29 11:46:53 kinetic env[14713]: Started wazuh-remoted...
Apr 29 11:46:53 kinetic env[14713]: Started wazuh-logcollector...
root@kinetic:/var/ossec/bin# ./wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Enrollment Status

root@kinetic:/var/ossec/bin# ./manage_agents -l

Available agents: 
   ID: 001, Name: jammy, IP: any

Linux Agent 🟢


Info

root@jammy:/home/vagrant#  cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@jammy:/var/ossec/bin# ./wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40900"
WAZUH_TYPE="agent"

Status

root@jammy:/var/ossec/bin# systemctl status wazuh-agent.service 
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; disabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-04-29 17:50:30 UTC; 1h 22min ago
    Process: 59800 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 38 (limit: 11792)
     Memory: 605.6M
        CPU: 22.772s
     CGroup: /system.slice/wazuh-agent.service
             ├─60463 /var/ossec/bin/wazuh-execd
             ├─60474 /var/ossec/bin/wazuh-agentd
             ├─60488 /var/ossec/bin/wazuh-syscheckd
             ├─60501 /var/ossec/bin/wazuh-logcollector
             └─60515 /var/ossec/bin/wazuh-modulesd

Apr 29 17:50:20 jammy systemd[1]: Starting Wazuh agent...
Apr 29 17:50:20 jammy env[59800]: Starting Wazuh v4.9.0...
Apr 29 17:50:20 jammy env[59800]: Started wazuh-execd...
Apr 29 17:50:23 jammy env[59800]: Started wazuh-agentd...
Apr 29 17:50:24 jammy env[59800]: Started wazuh-syscheckd...
Apr 29 17:50:27 jammy env[59800]: Started wazuh-logcollector...
Apr 29 17:50:28 jammy env[59800]: Started wazuh-modulesd...
Apr 29 17:50:30 jammy env[59800]: Completed.
Apr 29 17:50:30 jammy systemd[1]: Started Wazuh agent.
root@jammy:/var/ossec/bin# ./wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@jammy:/var/ossec/bin# cat /var/ossec/logs/ossec.log | grep "Valid key received" -C 5
2024/04/29 17:50:20 wazuh-agentd: INFO: Started (pid: 59830).
2024/04/29 17:50:20 wazuh-agentd: INFO: Requesting a key from server: 192.168.56.129
2024/04/29 17:50:20 wazuh-agentd: INFO: No authentication password provided
2024/04/29 17:50:20 wazuh-agentd: INFO: Using agent name as: jammy
2024/04/29 17:50:20 wazuh-agentd: INFO: Waiting for server reply
2024/04/29 17:50:20 wazuh-agentd: INFO: Valid key received
2024/04/29 17:50:20 wazuh-agentd: INFO: Waiting 20 seconds before server connection
2024/04/29 17:50:23 wazuh-syscheckd: INFO: Started (pid: 59843).
2024/04/29 17:50:23 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/04/29 17:50:23 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/04/29 17:50:23 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

Alerts on the manager

root@kinetic:/var/ossec/bin# cat /var/ossec/logs/alerts/alerts.log | grep "(jammy)" | wc -l
195

Alerts Examples:

** Alert 1714413085.54804: - ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,
2024 Apr 29 14:51:25 (jammy) any->wazuh-agent
Rule: 501 (level 3) -> 'New wazuh agent connected.'
ossec: Agent started: 'jammy->any'.

** Alert 1714413085.55069: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2024 Apr 29 14:51:25 (jammy) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
title: Trojaned version of file detected.
file: /bin/diff

** Alert 1714413085.55448: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2024 Apr 29 14:51:25 (jammy) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
title: Trojaned version of file detected.
file: /usr/bin/diff

** Alert 1714413087.55835: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
2024 Apr 29 14:51:27 (jammy) any->sca
Rule: 19007 (level 7) -> 'CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.: Ensure /tmp is a separate partition.'
{"type":"check","id":1782925229,"policy":"CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.","policy_id":"cis_ubuntu22-04","check":{"id":28500,"title":"Ensure /tmp is a separate partition.","description":"The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.","remediation":"First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs.","compliance":{"cis":"1.1.2.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.3,AC.L2-3.1.5,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","iso_27001-2013":"A.9.1.1","mitre_mitigations":"M1022","mitre_tactics":"TA0005","mitre_techniques":"T1499,T1499.001","nist_sp_800-53":"AC-5,AC-6","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4.0":"1.3.1,7.1","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /tmp -> r:\\s*/tmp\\s","c:systemctl is-enabled tmp.mount -> r:generated|enabled"],"condition":"all","references":"https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/,https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html","command":"findmnt --kernel /tmp","result":"failed"}}
sca.type: check
sca.scan_id: 1782925229
sca.policy: CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.
sca.check.id: 28500
sca.check.title: Ensure /tmp is a separate partition.
sca.check.description: The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.
sca.check.rationale: Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.
sca.check.remediation: First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs.
sca.check.compliance.cis: 1.1.2.1
sca.check.compliance.cis_csc_v8: 3.3
sca.check.compliance.cis_csc_v7: 14.6
sca.check.compliance.cmmc_v2.0: AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.3,AC.L2-3.1.5,MP.L2-3.8.2
sca.check.compliance.hipaa: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)
sca.check.compliance.iso_27001-2013: A.9.1.1
sca.check.compliance.mitre_mitigations: M1022
sca.check.compliance.mitre_tactics: TA0005
sca.check.compliance.mitre_techniques: T1499,T1499.001
sca.check.compliance.nist_sp_800-53: AC-5,AC-6
sca.check.compliance.pci_dss_v3.2.1: 7.1,7.1.1,7.1.2,7.1.3
sca.check.compliance.pci_dss_v4.0: 1.3.1,7.1
sca.check.compliance.soc_2: CC5.2,CC6.1
sca.check.references: https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/,https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
sca.check.command: ["findmnt --kernel /tmp"]
sca.check.result: failed

Windows Agent 🟢


Info

[screenshot of the Windows agent info, not reproduced]

Status

[screenshot of the Windows agent status, not reproduced]

Alerts

root@kinetic:/var/ossec/bin# cat /var/ossec/logs/alerts/alerts.log | grep "(WIN-PJCK32G1EDD)" | wc -l
373
root@kinetic:/var/ossec/bin# cat /var/ossec/logs/alerts/alerts.log | grep "(WIN-PJCK32G1EDD)" | grep EventChannel | wc -l
5
** Alert 1714426488.2130124: - windows,windows_application,
2024 Apr 29 18:34:48 (WIN-PJCK32G1EDD) any->EventChannel
Rule: 60642 (level 3) -> 'Software protection service scheduled successfully.'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-SPP","providerGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","eventSourceName":"Software Protection Platform Service","eventID":"16384","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2024-04-30T11:51:22.7802386Z","eventRecordID":"1191","processID":"0","threadID":"0","channel":"Application","computer":"WIN-PJCK32G1EDD","severityValue":"INFORMATION","message":"\"Successfully scheduled Software Protection service for re-start at 2024-07-26T11:42:22Z. Reason: RulesEngine.\""},"eventdata":{"data":"2024-07-26T11:42:22Z, RulesEngine"}}}
win.system.providerName: Microsoft-Windows-Security-SPP
win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
win.system.eventSourceName: Software Protection Platform Service
win.system.eventID: 16384
win.system.version: 0
win.system.level: 4
win.system.task: 0
win.system.opcode: 0
win.system.keywords: 0x80000000000000
win.system.systemTime: 2024-04-30T11:51:22.7802386Z
win.system.eventRecordID: 1191
win.system.processID: 0
win.system.threadID: 0
win.system.channel: Application
win.system.computer: WIN-PJCK32G1EDD
win.system.severityValue: INFORMATION
win.system.message: "Successfully scheduled Software Protection service for re-start at 2024-07-26T11:42:22Z. Reason: RulesEngine."
win.eventdata.data: 2024-07-26T11:42:22Z, RulesEngine

@vikman90 vikman90 merged commit 1d8ed30 into 4.9.0 Apr 30, 2024
62 checks passed
@vikman90 vikman90 deleted the 16386-additional-xml-validation branch April 30, 2024 08:01
Successfully merging this pull request may close these issues.

Configuration validation accepting invalid format
5 participants