Improve Windows permissions compare in FIM #9765
LGTM!
Refactors functions related to retrieving permissions in Windows in order to simplify usage and remove duplicated code.
Added some more UTs for changes associated with Windows permissions being in JSON format
Fix NULL dereferences in decode_ace_json and perm_json_to_old_format. Fix a memory leak in fim_registry_get_key_data. Silenced a false positive NULL dereference on lf->fields reported by scan-build.
Added the required code for wazuh_db to properly save file/registry permissions when they are formatted as JSON. Added unit tests for the new code.
Makes comparison of Windows permissions independent of the user name associated with a given ACE.
If AD fails to solve a SID to a user name, prevent FIM from triggering alerts.
* Try to load FIM perm field as JSON
* Update core/syscheck unit tests
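The comparison the commits above (and the PR description below) describe, as an added Python example that is not Wazuh code. It assumes an illustrative JSON layout keyed by SID, each entry carrying a resolved "name" plus "allowed"/"denied" lists of right names; that schema, the SIDs and the right names are constructed for the example and are not claimed to match Wazuh's actual format. The comparison keys on the SID and the right sets only, so a failed SID-to-name lookup or a reordering of rights does not register as a change, while a real change in rights does.

```python
"""Compare two Windows ACLs stored as JSON, ignoring resolved account names.

Added example, not Wazuh code. The JSON layout (object keyed by SID, with
"name", "allowed" and "denied" per ACE) is an assumption for illustration.
"""
import json
from typing import Dict, FrozenSet, List, Tuple

Ace = Tuple[FrozenSet[str], FrozenSet[str]]  # (allowed rights, denied rights)


def parse_acl(perm_json: str) -> Dict[str, Ace]:
    """Normalise a JSON-formatted ACL into {sid: (allowed, denied)}.

    The per-ACE "name" is dropped deliberately: it is the result of a SID
    lookup that may fail or change, while the SID and the rights are the
    actual access-control content. Rights lists become frozensets, so an
    ordering difference in the stored JSON does not count as a change either.
    """
    acl = json.loads(perm_json)
    if not isinstance(acl, dict):
        raise ValueError("expected a JSON object keyed by SID")
    normalized: Dict[str, Ace] = {}
    for sid, ace in acl.items():
        if not isinstance(ace, dict):
            raise ValueError(f"ACE for {sid} must be a JSON object")
        allowed = frozenset(ace.get("allowed", []))
        denied = frozenset(ace.get("denied", []))
        normalized[sid] = (allowed, denied)
    return normalized


def acl_changed(old_perm_json: str, new_perm_json: str) -> bool:
    """True only if the effective ACL content (SIDs and rights) differs."""
    return parse_acl(old_perm_json) != parse_acl(new_perm_json)


def acl_diff(old_perm_json: str, new_perm_json: str) -> List[str]:
    """Human-readable list of ACE-level differences, sorted by SID."""
    old = parse_acl(old_perm_json)
    new = parse_acl(new_perm_json)
    report: List[str] = []
    for sid in sorted(set(old) | set(new)):
        if sid not in old:
            report.append(f"{sid}: ACE added")
            continue
        if sid not in new:
            report.append(f"{sid}: ACE removed")
            continue
        for label, before, after in (("allowed", old[sid][0], new[sid][0]),
                                     ("denied", old[sid][1], new[sid][1])):
            added = sorted(after - before)
            removed = sorted(before - after)
            if added:
                report.append(f"{sid}: {label} +{','.join(added)}")
            if removed:
                report.append(f"{sid}: {label} -{','.join(removed)}")
    return report


# Constructed sample ACLs (illustrative SIDs and right names, not real data).
BASELINE = json.dumps({
    "S-1-5-32-544": {"name": "BUILTIN\\Administrators",
                     "allowed": ["read_data", "write_data", "delete"]},
    "S-1-5-21-1000-2000-3000-1001": {"name": "CORP\\alice",
                                     "allowed": ["read_data"]},
})

# Same ACL after a failed SID lookup: names are empty, keys and rights reordered.
LOOKUP_FAILED = json.dumps({
    "S-1-5-21-1000-2000-3000-1001": {"name": "", "allowed": ["read_data"]},
    "S-1-5-32-544": {"name": "", "allowed": ["delete", "write_data", "read_data"]},
})

# A real change: alice gains write access and an explicit deny is added.
REAL_CHANGE = json.dumps({
    "S-1-5-32-544": {"name": "BUILTIN\\Administrators",
                     "allowed": ["read_data", "write_data", "delete"]},
    "S-1-5-21-1000-2000-3000-1001": {"name": "CORP\\alice",
                                     "allowed": ["read_data", "write_data"],
                                     "denied": ["delete"]},
})

if __name__ == "__main__":
    print("lookup failure changed ACL?", acl_changed(BASELINE, LOOKUP_FAILED))
    print("real change changed ACL?   ", acl_changed(BASELINE, REAL_CHANGE))
    for line in acl_diff(BASELINE, REAL_CHANGE):
        print("  ", line)
```

A plain string comparison of the old format would have flagged the LOOKUP_FAILED case because the rendered names differ; keying on SID and right sets reports nothing there, and acl_diff gives the per-ACE difference an alert could carry for the REAL_CHANGE case instead of a whole-field mismatch.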
Found several memory issues reported by test_analysisd_syscheck
test_syscheck_op Conditional jumps
Memory leaks
Apart from the ones appearing in the master branch, which are already solved at #9099, the ones above are newly added, so they have to be fixed before merging this pull request. Update: fixed at b77bafe.
Description
This PR closes the epic issue in which we solve a false positive related to how FIM compares Windows ACL permissions.
The problem occurs when a lookup operation on a SID fails: FIM then reports a change in the file.
Finally, the solution has been to change the format in which we stored the Windows permissions, from a string to JSON. We have also improved the way they are compared, to avoid false positives, so that changes to the file are only reported when the content of the ACL changes (and not when only the username has changed).
This PR unifies multiple issues and PRs:
Tests