Include who-data in Syscheck for file integrity monitoring #756

Closed
33 of 36 tasks
vikman90 opened this issue Jun 8, 2018 · 2 comments
Labels: module/fim (File Integrity Monitoring), type/enhancement (New feature or request)

vikman90 commented Jun 8, 2018

Let's make the agent capable of collecting who-data for FIM events.

This feature should add this data:

  • ID and name of the calling process.
  • ID and name of the user running the process.
  • ID and name of the group running the process (Linux only).
  • Domain name (Windows only).
  • ID and name of the effective user of the process (Linux only).
  • ID and name of the audit user (Linux only).

Linux - Integration with Audit

  • Check Auditd and configure the event socket.
  • Generate and load audit rules from syscheck configuration.
  • Read and parse generated events.
  • Group events to get the full path.
  • Use thread to execute realtime scan with Audit.
  • Keep compatibility with Inotify.
  • Detect Audit rules manipulation. 92e4eaf
  • Change to Inotify when Audit fails during execution.
  • Set up Audit configuration on installation: 6f55626

Windows

Use SACL and EventChannel to get who-data in Windows systems.

  • Render event from XML.
  • Implement triggering procedure to replace real-time.
  • Enable implicit real-time mode for directories with who-data enabled.
  • Warn that it is not supported when trying to use it on Windows XP or older.
  • Limit hash table size. 91b64c9
  • Queue and hash table to control deletion order. 003e55c
  • Restore SACLs on exit. e763f6b
  • Do not modify the SACL entry if it's not necessary. Check the Everyone user, write permission, successful attempt and inheritance.
  • Remove deleted files from the Syscheck hash table.
  • Protect the syscheck hash table from multiple simultaneous accesses.
  • Mark directories whose SACL was modified by the user; they should not be restored. If there is any problem monitoring who-data, fall back to the classic real-time mode. ac5caa3
  • Allow directories.
  • Allow file definitions.
  • Limit monitored events to reduce noise. Evaluate the possibility of including in the XPATH query all the parent directories whose events we want to subscribe to.
  • Detect System user modifications. If there is any problem monitoring who-data, fall back to the classic real-time mode.
  • Add user and process ID. 10b8712
  • Add user and process name.
  • Check successful events only. f53c84f
  • Deleted files alert. bf5d3fb
  • Check that the Windows audit is turned on and, if it is not, enable it. b953775
  • Avoid restoring security policies that have been modified by the user.
  • Add support for 32-bit systems. a52f44d
  • Add hash table to ignore files that have been discarded because they are not children of monitored directories. 70b79dc
  • Avoid flooding of the default logcollector configuration. 2dbc0d0
  • Notify file cleaning. 28cb794
  • Alert for files whose folders have been renamed.
  • Add language independent auto-configuration of policies.
@vikman90 vikman90 added type/enhancement New feature or request module/fim File Integrity Monitoring labels Jun 8, 2018
@vikman90 vikman90 added this to To do in Wazuh TBD via automation Jun 8, 2018
@vikman90 vikman90 moved this from To do to In progress in Wazuh TBD Jun 8, 2018
@vikman90 vikman90 assigned crolopez and unassigned vikman90 Jun 9, 2018
@vikman90 vikman90 self-assigned this Jun 18, 2018
@vikman90 vikman90 added this to To do in Wazuh 3.4 via automation Jun 19, 2018
@vikman90 vikman90 removed this from In progress in Wazuh TBD Jun 19, 2018
@vikman90 vikman90 moved this from To do to In progress in Wazuh 3.4 Jun 19, 2018
vikman90 commented Jun 25, 2018

Related issues:

  • Remove Audit rules on Linux when the agent gets stopped. 6f32911
  • Discard Audit events with success=no (Linux). 1a1388a
  • Join Audit messages by message ID (the socket may send events in chunks). 552b4e1
  • Group Audit fields relating to the path: always build the full file path. 62b0be6
  • Start Audit listener thread only if who-data is enabled in Linux. d2288e3
  • Make Syscheck restart Auditd if the plugin configuration changed. a95c2ee
  • Discard Audit events for open if the mode is read. 6d141c1
  • Fix false who-data if the event is file deletion (who-data came from the previous event). b38fb79
  • Compatibility with event attributes (process ID) on 32-bit and 64-bit.
  • Make Syscheck restart Auditd if the plugin configuration exists but the input socket is missing. c38a280
  • Install a symbolic link for the Audit plugin configuration in the Audisp folder. 52a1e80
  • Avoid adding forward slashes in the Windows path. 735f7b2
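The Linux side of the two lists above (join Audit records by message ID because the socket may deliver an event in chunks, discard success=no, discard open calls in read mode, rebuild the full path from CWD and PATH records, and pull the process/user/group/effective-user/audit-user IDs out of the SYSCALL record) is illustrated by the following example. It is added here and is not code from this issue or from the Wazuh agent; the audit records are constructed in auditd's key=value style, and the syscall-number table assumes an x86_64 host (arch=c000003e), where open() carries its flags in a1 and openat() in a2. User and group names are left to a passwd/group lookup that the example does not perform.

```python
import os
import re

# One key=value record as auditd/audisp emit it, e.g.
#   type=SYSCALL msg=audit(1530000000.100:101): arch=c000003e syscall=257 ...
RECORD_RE = re.compile(r'type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: records come from an x86_64 host (arch=c000003e), where open() keeps
# its flags in a1 and openat() in a2. Other architectures need their own table.
OPEN_FLAG_ARG = {"2": "a1", "257": "a2"}
O_WRONLY, O_RDWR = 0o1, 0o2


def parse_record(line):
    """Split one audit record into (serial, record type, {field: value})."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    rtype, _timestamp, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return serial, rtype, fields


def group_records(lines):
    """Join records by audit serial (the socket may interleave or chunk events);
    an event is complete when its EOE record arrives."""
    pending = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, rtype, fields = parsed
        if rtype == "EOE":
            if serial in pending:
                yield pending.pop(serial)
            continue
        pending.setdefault(serial, []).append((rtype, fields))
    for records in pending.values():   # events that never received an EOE
        yield records


def full_path(cwd, path_records):
    """Rebuild the absolute target: the non-PARENT PATH item, joined with CWD when relative."""
    target = None
    for fields in path_records:
        if fields.get("nametype") != "PARENT":
            target = fields
    if target is None:
        target = path_records[-1] if path_records else None
    if target is None:
        return None
    name = target.get("name", "")
    if not name.startswith("/"):
        name = os.path.join(cwd or "/", name)
    return os.path.normpath(name)


def whodata_from_event(records):
    """Return who-data for a modification event, or None when the event is discarded."""
    syscall = next((f for t, f in records if t == "SYSCALL"), None)
    if syscall is None or syscall.get("success") != "yes":
        return None                                  # no SYSCALL record, or success=no
    flag_arg = OPEN_FLAG_ARG.get(syscall.get("syscall"))
    if flag_arg is not None:
        flags = int(syscall.get(flag_arg, "0"), 16)  # audit prints arguments in hex
        if not flags & (O_WRONLY | O_RDWR):
            return None                              # opened for reading only: no change
    cwd = next((f.get("cwd") for t, f in records if t == "CWD"), None)
    paths = [f for t, f in records if t == "PATH"]
    return {
        "path": full_path(cwd, paths),
        "pid": syscall.get("pid"),
        "process": syscall.get("exe") or syscall.get("comm"),
        "uid": syscall.get("uid"),
        "gid": syscall.get("gid"),
        "euid": syscall.get("euid"),
        "auid": syscall.get("auid"),
    }


def extract_whodata(lines):
    """Who-data for every event in the stream that survives the filters above."""
    return [w for w in map(whodata_from_event, group_records(lines)) if w is not None]


# Constructed sample: three interleaved events from one x86_64 host.
# 101: vim creates notes/todo.txt (kept); 102: cat opens /etc/passwd read-only (dropped);
# 103: rm fails to unlink /etc/shadow, success=no (dropped).
SAMPLE = """\
type=SYSCALL msg=audit(1530000000.100:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a1c a2=241 a3=1b6 ppid=900 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="wazuh_fim"
type=CWD msg=audit(1530000000.100:101): cwd="/home/alice"
type=PATH msg=audit(1530000000.100:101): item=0 name="notes/" inode=5 nametype=PARENT
type=SYSCALL msg=audit(1530000000.100:102): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd2b00 a2=0 a3=0 ppid=900 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="wazuh_fim"
type=PATH msg=audit(1530000000.100:101): item=1 name="notes/todo.txt" inode=6 nametype=CREATE
type=EOE msg=audit(1530000000.100:101):
type=CWD msg=audit(1530000000.100:102): cwd="/home/alice"
type=PATH msg=audit(1530000000.100:102): item=0 name="/etc/passwd" inode=7 nametype=NORMAL
type=EOE msg=audit(1530000000.100:102):
type=SYSCALL msg=audit(1530000000.100:103): arch=c000003e syscall=87 success=no exit=-13 a0=55d1 a1=0 a2=0 a3=0 ppid=900 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 comm="rm" exe="/usr/bin/rm" key="wazuh_fim"
type=CWD msg=audit(1530000000.100:103): cwd="/home/alice"
type=PATH msg=audit(1530000000.100:103): item=0 name="/etc/shadow" inode=8 nametype=DELETE
type=EOE msg=audit(1530000000.100:103):
"""

if __name__ == "__main__":
    for event in extract_whodata(SAMPLE.splitlines()):
        print(event)
```

Grouping by serial rather than by arrival order is what makes the interleaved sample work: event 102's SYSCALL record arrives before event 101 is complete, and each event is only emitted on its own EOE. The auid field is the one worth alerting on, since it survives su/sudo and identifies the user who originally logged in.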

Wazuh 3.4 automation moved this from In progress to Done Jul 17, 2018
vikman90 commented Jul 18, 2018

We should add exceptions for these events in the default configuration:

  • AUDIT_SUCCESS(4907): Auditing settings on object were changed.
  • AUDIT_SUCCESS(4703): A token right was adjusted.
  • AUDIT_SUCCESS(4670): Permissions on an object were changed.
  • AUDIT_SUCCESS(4670): An attempt was made to duplicate a handle to an object.
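How the Windows-side filtering described in this issue fits together (exclude the event IDs listed above, keep successful audit events only, drop events for files that are not children of a monitored directory and remember them in a hash table so they are not re-evaluated, and never let forward slashes into the Windows path) is shown by the following example. It is added here and is not code from this issue or from the Wazuh agent. It works on events already reduced to a dictionary of fields, as the agent would have after rendering the EventChannel XML; the sample events are constructed, and 4663 ("An attempt was made to access an object") is a real Windows Security event ID that the comments on this page do not mention.

```python
import ntpath

# The event IDs the comment above proposes to exclude from the default configuration.
EXCLUDED_EVENT_IDS = {4907, 4703, 4670}
AUDIT_SUCCESS = "Audit Success"   # Keywords value of a successful audit event


def normalize_path(path):
    """Canonical Windows form: backslashes only, normalized, case-folded, no trailing separator."""
    p = ntpath.normpath(path.replace("/", "\\"))
    return p.rstrip("\\").lower()


def is_child_of(path, directory):
    """True when path equals directory or lies below it (Windows paths are case-insensitive)."""
    p, d = normalize_path(path), normalize_path(directory)
    return p == d or p.startswith(d + "\\")


class WhoDataFilter:
    """Keeps successful object-access events under monitored directories and remembers
    discarded paths so repeated events for them are dropped without re-checking."""

    def __init__(self, monitored_dirs):
        self.monitored_dirs = list(monitored_dirs)
        self.ignored = set()   # hash table of paths already found not to be monitored

    def process(self, event):
        """Return who-data for a kept event, or None if it is filtered out."""
        if event.get("EventID") in EXCLUDED_EVENT_IDS:
            return None                      # noise listed in the default exceptions
        if event.get("Keywords") != AUDIT_SUCCESS:
            return None                      # successful attempts only
        path = event.get("ObjectName")
        if not path:
            return None
        key = normalize_path(path)
        if key in self.ignored:
            return None
        if not any(is_child_of(path, d) for d in self.monitored_dirs):
            self.ignored.add(key)
            return None
        return {
            "path": ntpath.normpath(path.replace("/", "\\")),   # no forward slashes
            "event_id": event["EventID"],
            "process_id": event.get("ProcessId"),
            "process_name": event.get("ProcessName"),
            "user": event.get("SubjectUserName"),
            "domain": event.get("SubjectDomainName"),
            "user_id": event.get("SubjectUserSid"),
        }


def make_event(event_id, keywords, object_name):
    """Constructed sample event with the EventData fields a 4663 record carries."""
    return {"EventID": event_id, "Keywords": keywords, "ObjectName": object_name,
            "ProcessId": "0x1a2c", "ProcessName": "C:\\Windows\\System32\\notepad.exe",
            "SubjectUserName": "alice", "SubjectDomainName": "CORP",
            "SubjectUserSid": "S-1-5-21-0-0-0-1001"}   # constructed SID


# Constructed sample: only the first and last events should produce who-data.
SAMPLE_EVENTS = [
    make_event(4663, "Audit Success", "C:\\Monitored\\report.docx"),   # kept
    make_event(4670, "Audit Success", "C:\\Monitored\\report.docx"),   # excluded ID
    make_event(4663, "Audit Failure", "C:\\Monitored\\secret.txt"),    # failed attempt
    make_event(4663, "Audit Success", "C:\\Other\\file.txt"),          # not monitored
    make_event(4663, "Audit Success", "c:/monitored/sub/notes.txt"),   # kept after normalizing
]


def run_sample():
    """Filter the sample through a watcher on C:\\Monitored; returns (kept events, filter)."""
    fim = WhoDataFilter(["C:\\Monitored"])
    kept = [w for w in map(fim.process, SAMPLE_EVENTS) if w is not None]
    return kept, fim


if __name__ == "__main__":
    for who in run_sample()[0]:
        print(who)
```

The prefix check compares against `directory + "\\"` rather than the bare directory string, so a sibling such as `C:\Monitored2` is not mistaken for a child of `C:\Monitored`.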
