Add additional check on XML parsing #20448
Conversation
LGTM!
Additional test: Fixed version running on Ubuntu 20 as manager and Windows 10 as agent. Example of alert after login:
This proves that these alerts are being triggered by processing the XML events without any problem and that both
LGTM!
LGTM
63813ed to a7bfade
682b9aa to b4fd843
60cd79b to fb07206
Failing checks:
Scan build / scan-build-macos-agent
Testing DLL search order to prevent hijack / check_dll_on_windows
Ignoring it, it's a flaky test.
fb07206 to cfd1cab
LGTM
Testing
Bearing in mind that we have modified the XML parser, by running the manager and the agent we are using the parser on both of them to read the `ossec.conf` file and start the services with the required values. Some alerts can also be seen in the next examples. This means that the parser has been successfully used to match events with decoders and rules (both of which use the parser). Although this is a simple test, in upcoming pre-release stages we will be able to check specific alerts like in the E2E Emotet test (where we originally found this parsing problem).
Manager 🟢
Details
Info
root@kinetic:/var/ossec/bin# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
root@kinetic:/var/ossec/bin# ./wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40900"
WAZUH_TYPE="server"
Wazuh Status
Enrollment Status
root@kinetic:/var/ossec/bin# ./manage_agents -l
Available agents:
ID: 001, Name: jammy, IP: any
Linux Agent 🟢
Details
Info
root@jammy:/home/vagrant# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@jammy:/var/ossec/bin# ./wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40900"
WAZUH_TYPE="agent"
Status
root@jammy:/var/ossec/bin# systemctl status wazuh-agent.service
● wazuh-agent.service - Wazuh agent
Loaded: loaded (/lib/systemd/system/wazuh-agent.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2024-04-29 17:50:30 UTC; 1h 22min ago
Process: 59800 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
Tasks: 38 (limit: 11792)
Memory: 605.6M
CPU: 22.772s
CGroup: /system.slice/wazuh-agent.service
├─60463 /var/ossec/bin/wazuh-execd
├─60474 /var/ossec/bin/wazuh-agentd
├─60488 /var/ossec/bin/wazuh-syscheckd
├─60501 /var/ossec/bin/wazuh-logcollector
└─60515 /var/ossec/bin/wazuh-modulesd
Apr 29 17:50:20 jammy systemd[1]: Starting Wazuh agent...
Apr 29 17:50:20 jammy env[59800]: Starting Wazuh v4.9.0...
Apr 29 17:50:20 jammy env[59800]: Started wazuh-execd...
Apr 29 17:50:23 jammy env[59800]: Started wazuh-agentd...
Apr 29 17:50:24 jammy env[59800]: Started wazuh-syscheckd...
Apr 29 17:50:27 jammy env[59800]: Started wazuh-logcollector...
Apr 29 17:50:28 jammy env[59800]: Started wazuh-modulesd...
Apr 29 17:50:30 jammy env[59800]: Completed.
Apr 29 17:50:30 jammy systemd[1]: Started Wazuh agent.
root@jammy:/var/ossec/bin# ./wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
root@jammy:/var/ossec/bin# cat /var/ossec/logs/ossec.log | grep "Valid key received" -C 5
2024/04/29 17:50:20 wazuh-agentd: INFO: Started (pid: 59830).
2024/04/29 17:50:20 wazuh-agentd: INFO: Requesting a key from server: 192.168.56.129
2024/04/29 17:50:20 wazuh-agentd: INFO: No authentication password provided
2024/04/29 17:50:20 wazuh-agentd: INFO: Using agent name as: jammy
2024/04/29 17:50:20 wazuh-agentd: INFO: Waiting for server reply
2024/04/29 17:50:20 wazuh-agentd: INFO: Valid key received
2024/04/29 17:50:20 wazuh-agentd: INFO: Waiting 20 seconds before server connection
2024/04/29 17:50:23 wazuh-syscheckd: INFO: Started (pid: 59843).
2024/04/29 17:50:23 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/04/29 17:50:23 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2024/04/29 17:50:23 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
Alerts on the manager
root@kinetic:/var/ossec/bin# cat /var/ossec/logs/alerts/alerts.log | grep "(jammy)" | wc -l
195
Alerts Examples:
** Alert 1714413085.54804: - ossec,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,
2024 Apr 29 14:51:25 (jammy) any->wazuh-agent
Rule: 501 (level 3) -> 'New wazuh agent connected.'
ossec: Agent started: 'jammy->any'.
** Alert 1714413085.55069: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2024 Apr 29 14:51:25 (jammy) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
title: Trojaned version of file detected.
file: /bin/diff
** Alert 1714413085.55448: - ossec,rootcheck,pci_dss_10.6.1,gdpr_IV_35.7.d,
2024 Apr 29 14:51:25 (jammy) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
title: Trojaned version of file detected.
file: /usr/bin/diff
** Alert 1714413087.55835: - sca,gdpr_IV_35.7.d,pci_dss_2.2,nist_800_53_CM.1,tsc_CC7.1,tsc_CC7.2,
2024 Apr 29 14:51:27 (jammy) any->sca
Rule: 19007 (level 7) -> 'CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.: Ensure /tmp is a separate partition.'
{"type":"check","id":1782925229,"policy":"CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.","policy_id":"cis_ubuntu22-04","check":{"id":28500,"title":"Ensure /tmp is a separate partition.","description":"The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.","rationale":"Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.","remediation":"First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs.","compliance":{"cis":"1.1.2.1","cis_csc_v8":"3.3","cis_csc_v7":"14.6","cmmc_v2.0":"AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.3,AC.L2-3.1.5,MP.L2-3.8.2","hipaa":"164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)","iso_27001-2013":"A.9.1.1","mitre_mitigations":"M1022","mitre_tactics":"TA0005","mitre_techniques":"T1499,T1499.001","nist_sp_800-53":"AC-5,AC-6","pci_dss_v3.2.1":"7.1,7.1.1,7.1.2,7.1.3","pci_dss_v4.0":"1.3.1,7.1","soc_2":"CC5.2,CC6.1"},"rules":["c:findmnt --kernel /tmp -> r:\\s*/tmp\\s","c:systemctl is-enabled tmp.mount -> r:generated|enabled"],"condition":"all","references":"https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/,https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html","command":"findmnt --kernel /tmp","result":"failed"}}
sca.type: check
sca.scan_id: 1782925229
sca.policy: CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0.
sca.check.id: 28500
sca.check.title: Ensure /tmp is a separate partition.
sca.check.description: The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.
sca.check.rationale: Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.
sca.check.remediation: First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab or tmp.mount. Example of /etc/fstab configured tmpfs file system with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Example of tmp.mount configured tmpfs file system with specific mount options: [Unit] Description=Temporary Directory /tmp ConditionPathIsSymbolicLink=!/tmp DefaultDependencies=no Conflicts=umount.target Before=local-fs.target umount.target After=swap.target [Mount] What=tmpfs Where=/tmp Type=tmpfs.
sca.check.compliance.cis: 1.1.2.1
sca.check.compliance.cis_csc_v8: 3.3
sca.check.compliance.cis_csc_v7: 14.6
sca.check.compliance.cmmc_v2.0: AC.L1-3.1.1,AC.L1-3.1.2,AC.L2-3.1.3,AC.L2-3.1.5,MP.L2-3.8.2
sca.check.compliance.hipaa: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.312(a)(1)
sca.check.compliance.iso_27001-2013: A.9.1.1
sca.check.compliance.mitre_mitigations: M1022
sca.check.compliance.mitre_tactics: TA0005
sca.check.compliance.mitre_techniques: T1499,T1499.001
sca.check.compliance.nist_sp_800-53: AC-5,AC-6
sca.check.compliance.pci_dss_v3.2.1: 7.1,7.1.1,7.1.2,7.1.3
sca.check.compliance.pci_dss_v4.0: 1.3.1,7.1
sca.check.compliance.soc_2: CC5.2,CC6.1
sca.check.references: https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/,https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
sca.check.command: ["findmnt --kernel /tmp"]
sca.check.result: failed
Windows Agent 🟢
Details
Info
Status
Alerts
root@kinetic:/var/ossec/bin# cat /var/ossec/logs/alerts/alerts.log | grep "(WIN-PJCK32G1EDD)" | wc -l
373
root@kinetic:/var/ossec/bin# cat /var/ossec/logs/alerts/alerts.log | grep "(WIN-PJCK32G1EDD)" | grep EventChannel | wc -l
5
** Alert 1714426488.2130124: - windows,windows_application,
2024 Apr 29 18:34:48 (WIN-PJCK32G1EDD) any->EventChannel
Rule: 60642 (level 3) -> 'Software protection service scheduled successfully.'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-SPP","providerGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","eventSourceName":"Software Protection Platform Service","eventID":"16384","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x80000000000000","systemTime":"2024-04-30T11:51:22.7802386Z","eventRecordID":"1191","processID":"0","threadID":"0","channel":"Application","computer":"WIN-PJCK32G1EDD","severityValue":"INFORMATION","message":"\"Successfully scheduled Software Protection service for re-start at 2024-07-26T11:42:22Z. Reason: RulesEngine.\""},"eventdata":{"data":"2024-07-26T11:42:22Z, RulesEngine"}}}
win.system.providerName: Microsoft-Windows-Security-SPP
win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
win.system.eventSourceName: Software Protection Platform Service
win.system.eventID: 16384
win.system.version: 0
win.system.level: 4
win.system.task: 0
win.system.opcode: 0
win.system.keywords: 0x80000000000000
win.system.systemTime: 2024-04-30T11:51:22.7802386Z
win.system.eventRecordID: 1191
win.system.processID: 0
win.system.threadID: 0
win.system.channel: Application
win.system.computer: WIN-PJCK32G1EDD
win.system.severityValue: INFORMATION
win.system.message: "Successfully scheduled Software Protection service for re-start at 2024-07-26T11:42:22Z. Reason: RulesEngine."
win.eventdata.data: 2024-07-26T11:42:22Z, RulesEngine
Description
After merging this PR it was found that some of the Windows events were not correctly handled. That turned into a revert of some changes in that merge.
This PR tries to solve some of those issues without affecting any other process that makes use of the XML parser.
The easiest and cleanest approach we found was simply checking whether the XML starts with '<' (skipping all spaces and line breaks before it).
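The pre-check the description outlines, written out as an added example in C; this is not Wazuh's own parser code, and the helper names (`xml_skip_to_root`, `looks_like_xml`) and the sample buffers (a Windows event fragment with leading line breaks, whitespace only, a plain log line) are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper modelled on the check described in the PR: skip any
 * leading whitespace (spaces, tabs, CR/LF) and require the first significant
 * byte to be '<'. Returns a pointer to that '<', or NULL when the buffer
 * cannot be an XML document. The buffer must be NUL-terminated. */
const char *xml_skip_to_root(const char *buf)
{
    if (buf == NULL) {
        return NULL;
    }
    while (*buf != '\0' && isspace((unsigned char)*buf)) {
        buf++;
    }
    return (*buf == '<') ? buf : NULL;
}

/* Convenience wrapper: true only if the buffer passes the pre-check. */
bool looks_like_xml(const char *buf)
{
    return xml_skip_to_root(buf) != NULL;
}

int main(void)
{
    /* Constructed samples: an event fragment preceded by CRLF and spaces,
     * a whitespace-only buffer, a plain-text log line, and an empty string.
     * Only the first one should be handed to the XML parser. */
    const char *samples[] = {
        "\r\n  <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System/></Event>",
        "   \n\t",
        "Apr 29 17:50:20 jammy env[59800]: Started wazuh-agentd...",
        "",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("sample %zu: %s\n", i, looks_like_xml(samples[i]) ? "XML" : "rejected");
    }
    return 0;
}
```

The check only rejects input that cannot be XML at all; anything it lets through still relies on the parser's own error handling for malformed content.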
Configuration options
Default configuration.
Logs/Alerts example
Tests