
Added the ignores of type 'os_regex' in the request of the configurat… #3617

Merged
merged 4 commits into from Jul 4, 2019

Conversation

@bah07 (Contributor) commented Jul 3, 2019

Related issue
#3611

Description

Added the ignores of type 'os_regex' in the request of the configuration on demand of Rootcheck and Syscheck modules.

Configuration options

## Syscheck
    <!-- File types to ignore -->
    <ignore type="sregex">^/proc</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
    <ignore type="sregex">^/sys</ignore>
    <ignore type="sregex">.jpg$|.swf$|.mp4</ignore>

...

## Rootcheck
    <ignore>/etc/group</ignore>
    <ignore>/etc/shadow</ignore>
    <ignore type="sregex">^/etc</ignore>
    <ignore type="sregex">$.conf</ignore>
    <ignore type="sregex">$.log|^/usr/sbin</ignore>


Checked with an empty configuration.

Logs/Alerts example

The JSON output on the Windows and Linux agents. The Windows agent includes os_regex-type ignores in registry entries:

Linux

...

         "ignore": [
            "/etc/mtab",
            "/etc/hosts.deny",
            "/etc/mail/statistics",
            "/etc/random-seed",
            "/etc/random.seed",
            "/etc/adjtime",
            "/etc/httpd/logs",
            "/etc/utmpx",
            "/etc/wtmpx",
            "/etc/cups/certs",
            "/etc/dumpdates",
            "/etc/svc/volatile",
            "/sys/kernel/security",
            "/sys/kernel/debug",
            "/dev/core"
         ],
         "ignore_regex": [
            "^/proc",
            ".log$|.swp$",
            "^/sys",
            ".jpg$|.swf$|.mp4"
         ],
         "whodata": {
            "restart_audit": "yes",
            "startup_healthcheck": "yes"
         }
      }
   }
}


Windows agent

...

            {
               "entry": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx",
               "arch": "32bit"
            },
            {
               "entry": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\ADOVMPPackage\\Final",
               "arch": "32bit"
            }
         ],
         "registry_ignore_regex": [
            {
               "entry": "\\Enum$",
               "arch": "32bit"
            }
         ]
      }
   }
}

Rootcheck

         "ignore": [
            "/etc/group",
            "/etc/shadow"
         ],
         "ignore_sregex": [
            "^/etc",
            "$.conf",
            "$.log|^/usr/sbin"
         ]

Tests

Valgrind Report

==1728== 
==1728== LEAK SUMMARY:
==1728==    definitely lost: 0 bytes in 0 blocks
==1728==    indirectly lost: 0 bytes in 0 blocks
==1728==      possibly lost: 544 bytes in 2 blocks
==1728==    still reachable: 2,103,548 bytes in 44,661 blocks
==1728==         suppressed: 0 bytes in 0 blocks
==1728== 
==1728== For counts of detected and suppressed errors, rerun with: -v
==1728== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Memory tests
    • Valgrind report for affected components
    • CPU impact
    • RAM usage impact
  • Retrocompatibility with older Wazuh versions
  • Working on cluster environments
  • Configuration on demand reports new parameters
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities

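The mapping the PR describes (config `<ignore type="sregex">` entries split out from plain ignores and reported under separate keys by the configuration-on-demand request), as an added example for verifying the "Configuration on demand reports new parameters" item; this is not Wazuh's own code. It assumes the key names shown in the PR's JSON output, an `ossec_config` wrapper element, and an `arch` default of `32bit` for registry entries.

```python
import xml.etree.ElementTree as ET
# Constructed ossec.conf fragment modelled on the PR's snippets (not a real agent's configuration).
SAMPLE_CONF = r"""<ossec_config>
  <syscheck>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">^/proc</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
    <registry_ignore arch="32bit">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore type="sregex" arch="32bit">\Enum$</registry_ignore>
  </syscheck>
  <rootcheck>
    <ignore>/etc/group</ignore>
    <ignore type="sregex">^/etc</ignore>
  </rootcheck>
</ossec_config>"""

def _split(section, tag):
    """Split <tag> children into (plain, sregex) on the type="sregex" attribute."""
    plain, sregex = [], []
    for node in section.findall(tag):
        (sregex if node.get("type") == "sregex" else plain).append(node)
    return plain, sregex

def _registry(nodes):
    # arch defaults to "32bit" here, an assumption matching the values in the PR output
    return [{"entry": n.text, "arch": n.get("arch", "32bit")} for n in nodes]

def on_demand_config(conf_xml):
    """Ignore section of the configuration-on-demand reply, with the key names used in the
    PR's JSON: syscheck ignore/ignore_regex and registry_ignore/registry_ignore_regex,
    rootcheck ignore/ignore_sregex."""
    root, out = ET.fromstring(conf_xml), {}
    sc = root.find("syscheck")
    if sc is not None:
        plain, sregex = _split(sc, "ignore")
        rplain, rsregex = _split(sc, "registry_ignore")
        out["syscheck"] = {"ignore": [n.text for n in plain], "ignore_regex": [n.text for n in sregex],
                           "registry_ignore": _registry(rplain), "registry_ignore_regex": _registry(rsregex)}
    rc = root.find("rootcheck")
    if rc is not None:
        plain, sregex = _split(rc, "ignore")
        out["rootcheck"] = {"ignore": [n.text for n in plain], "ignore_sregex": [n.text for n in sregex]}
    return out

def missing_sregex_ignores(conf_xml, reported):
    """QA check: configured sregex ignores that the agent's reply does not list."""
    expected = on_demand_config(conf_xml)
    return [(mod, pat) for mod, key in (("syscheck", "ignore_regex"), ("rootcheck", "ignore_sregex"))
            for pat in expected.get(mod, {}).get(key, []) if pat not in reported.get(mod, {}).get(key, [])]
```

Feed `missing_sregex_ignores` the parsed JSON reply from the agent to see which configured patterns did not make it into the report. ElementTree is adequate for your own ossec.conf; parse XML received from other hosts with defusedxml instead.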
@bah07 bah07 requested review from snaow and vikman90 July 3, 2019 17:30
@bah07 bah07 changed the base branch from master to 3.9 July 3, 2019 17:31
@vikman90 (Member) left a comment

LGTM!

@bah07 bah07 requested a review from vikman90 July 4, 2019 16:24
@bah07 bah07 merged commit 7464a4e into 3.9 Jul 4, 2019
@bah07 bah07 deleted the fix-3611-conf-ondemand branch July 4, 2019 16:28