
Adapt registry synchronization mechanism #8143

Merged
merged 5 commits into from Apr 16, 2021

Conversation

antoniomanuelfr

@antoniomanuelfr antoniomanuelfr commented Apr 7, 2021

Related issue
#7836

This PR aims to fix the sync mechanism between the Windows agent and the manager when the values contained in a key start with `:`. Now when a key or value contains a `:`, it's escaped, and when the synchronization is performed, these values are unescaped again.

Closes #7836

Configuration options

  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>2</frequency>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\random_key</windows_registry>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>1m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

Logs/Alerts example

The synchronization messages now are correctly decoded:

2021/04/07 13:44:22 wazuh-agent[848] run_check.c:82 at fim_send_sync_msg(): DEBUG: (6317): Sending integrity control message: {"component":"fim_registry","type":"state","data":{"path":"HKEY_LOCAL_MACHINE\\Software\\random_key","arch":"[x64]","timestamp":1617799462,"attributes":{"type":"registry_key","perm":"Usuarios (allowed): read_control|read_data|read_ea|write_ea, Usuarios (allowed): generic_read, Administradores (allowed): delete|read_control|write_dac|write_owner|read_data|write_data|append_data|read_ea|write_ea|execute, Administradores (allowed): generic_all, SYSTEM (allowed): delete|read_control|write_dac|write_owner|read_data|write_data|append_data|read_ea|write_ea|execute, SYSTEM (allowed): generic_all, CREATOR OWNER (allowed): generic_all","uid":"S-1-5-32-544","user_name":"Administradores","gid":"S-1-5-21-3527455827-79240758-596275861-513","group_name":"","mtime":1617722229,"checksum":"b31b92d3ab7006c014dd562b228f5859932c1027"},"version":"2.0"}}
2021/04/07 13:44:22 wazuh-agent[848] run_check.c:82 at fim_send_sync_msg(): DEBUG: (6317): Sending integrity control message: {"component":"fim_registry","type":"state","data":{"timestamp":1617799462,"path":"HKEY_LOCAL_MACHINE\\Software\\random_key","arch":"[x64]","value_name":":thisisatest","attributes":{"type":"registry_value","value_type":"REG_SZ","size":1,"hash_md5":"d41d8cd98f00b204e9800998ecf8427e","hash_sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","hash_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","checksum":"4ca7b88b201728c31afb691707c41d35a984317d"},"version":"2.0"}}
2021/04/07 13:44:22 wazuh-agent[848] run_check.c:82 at fim_send_sync_msg(): DEBUG: (6317): Sending integrity control message: {"component":"fim_registry","type":"state","data":{"path":"HKEY_LOCAL_MACHINE\\Software\\random_key\\:newkey:","arch":"[x64]","timestamp":1617799462,"attributes":{"type":"registry_key","perm":"Usuarios (allowed): read_control|read_data|read_ea|write_ea, Usuarios (allowed): generic_read, Administradores (allowed): delete|read_control|write_dac|write_owner|read_data|write_data|append_data|read_ea|write_ea|execute, Administradores (allowed): generic_all, SYSTEM (allowed): delete|read_control|write_dac|write_owner|read_data|write_data|append_data|read_ea|write_ea|execute, SYSTEM (allowed): generic_all, CREATOR OWNER (allowed): generic_all","uid":"S-1-5-32-544","user_name":"Administradores","gid":"S-1-5-21-3527455827-79240758-596275861-513","group_name":"","mtime":1617797960,"checksum":"99db959b54481ab4ec2f0b5906edb703254c6958"},"version":"2.0"}}
2021/04/07 13:44:22 wazuh-agent[848] run_check.c:82 at fim_send_sync_msg(): DEBUG: (6317): Sending integrity control message: {"component":"fim_registry","type":"state","data":{"timestamp":1617799462,"path":"HKEY_LOCAL_MACHINE\\Software\\random_key\\:newkey:","arch":"[x64]","value_name":":sdaf","attributes":{"type":"registry_value","value_type":"REG_SZ","size":12,"hash_md5":"c31e41940cd12cf9b24b0e528ab955bc","hash_sha1":"2b487009fe43ee00158ba4c05b201d2702f30881","hash_sha256":"b897e454e5dac59345d6b879207383d6e196d01df9d09cb711671f7680a8b8c9","checksum":"85c2868e366cdd87bbb67daa95ad10f75a6f7e19"},"version":"2.0"}}
2021/04/07 13:44:22 wazuh-agent[848] run_check.c:82 at fim_send_sync_msg(): DEBUG: (6317): Sending integrity control message: {"component":"fim_registry","type":"state","data":{"timestamp":1617799462,"path":"HKEY_LOCAL_MACHINE\\Software\\random_key\\:newkey:","arch":"[x64]","value_name":"asdfasdfads","attributes":{"type":"registry_value","value_type":"REG_SZ","size":1,"hash_md5":"d41d8cd98f00b204e9800998ecf8427e","hash_sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","hash_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","checksum":"4ca7b88b201728c31afb691707c41d35a984317d"},"version":"2.0"}}
2021/04/07 13:44:25 wazuh-agent[848] create_db.c:128 at fim_scan(): INFO: (6008): File integrity monitoring scan started.

And the manager database is updated correctly:

root@ubuntumanager:/var/ossec/queue/db# sqlite3 015.db "select full_path from fim_entry"
[x64] HKEY_LOCAL_MACHINE\Software\random_key:
[x64] HKEY_LOCAL_MACHINE\Software\random_key:\:thisisatest
[x64] HKEY_LOCAL_MACHINE\Software\random_key\\:newkey\::
[x64] HKEY_LOCAL_MACHINE\Software\random_key\\:newkey\::\:sdaf
[x64] HKEY_LOCAL_MACHINE\Software\random_key\\:newkey\::asdfasdfads
root@ubuntumanager:/var/ossec/queue/db# 

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
  • Source installation
  • Source upgrade
  • Memory tests for Linux
    • Scan-build report
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
    • Dr. Memory
    • AddressSanitizer
  • Memory tests for Windows
    • Scan-build report
    • Coverity
    • Dr. Memory

@antoniomanuelfr antoniomanuelfr added module/fim File Integrity Monitoring module/fim/registry File Integrity Monitoring registries labels Apr 7, 2021
@antoniomanuelfr antoniomanuelfr self-assigned this Apr 7, 2021
@antoniomanuelfr antoniomanuelfr linked an issue Apr 7, 2021 that may be closed by this pull request
- This commit also adds missing version fields in JSON events.
@antoniomanuelfr

antoniomanuelfr commented Apr 13, 2021

These are the results of the integration tests executed in Jenkins:

agent_windows_html_report_test_integration_B1607_20210413085941.zip
agent_ubuntu_html_report_test_integration_B1607_20210413085941.zip
agent_centos_html_report_test_integration_B1607_20210413085941.zip
agent_macos_html_report_test_integration_B1611_20210413153605.zip
agent_solaris_html_report_test_integration_B1611_20210413153605.zip

There are two failures in Windows, but they are not related to the changes introduced in this PR.

  • test_max_eps_on_start failed because FIM couldn't remove the DB file.
  • test_file_size_default failed because of a timeout in the fixture wait_for_fim_start and did not collect any log.

I have executed both tests locally with success.

@antoniomanuelfr antoniomanuelfr marked this pull request as draft April 16, 2021 07:24
@antoniomanuelfr antoniomanuelfr force-pushed the 7836-fix-registry-sync branch 2 times, most recently from d373c01 to 14368c2 Compare April 16, 2021 09:58
@antoniomanuelfr antoniomanuelfr marked this pull request as ready for review April 16, 2021 10:00
Review comments (outdated, resolved) on: src/wazuh_db/wdb_fim.c, src/shared/integrity_op.c
- This commit also changes the type of the version attribute from string to number.
@vikman90 vikman90 merged commit 4ea260e into 4.2 Apr 16, 2021
@vikman90 vikman90 deleted the 7836-fix-registry-sync branch April 16, 2021 15:40
Successfully merging this pull request may close these issues.

The agent on Windows has crashed