Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve Windows permissions compare in FIM #9765

Merged
merged 15 commits into from Nov 12, 2021
Merged

Improve Windows permissions compare in FIM #9765

merged 15 commits into from Nov 12, 2021

Conversation

jotacarma90
Copy link
Member

@jotacarma90 jotacarma90 commented Aug 19, 2021
edited

Related issue
#8575

Description

This PR closes the epic issue in which we solve a false positive related to how FIM compares Windows ACL permissions.
The problem occurs when a lookup operation on a SID fails, then FIM reports a change in the file.
Finally, the solution has been to change the format in which we stored the Windows permissions, from a string to a JSON. We have also improved the way they were compared, to avoid false positives, so that changes to the file are only reported when the content of ACL changes (and not when only the username has been changed)

This PR unifies multiple issues and PRs:

Issue PR
Load FIM inventory permissions as JSON -
Adapt syscheck event validator on permission format change wazuh/wazuh-qa#1541
Improve FIM Windows permissions check #9249
Refactor FIM message to hold Windows permissions as JSON #9162
Format Windows permissions in FIM inventory -

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
  • Source installation
  • Review logs syntax and correct language
  • Memory tests for Linux
    • Scan-build report
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
    • AddressSanitizer
    • threadSanitizer
  • Memory tests for Windows
    • Scan-build report
    • Coverity

@jotacarma90 jotacarma90 linked an issue Aug 19, 2021 that may be closed by this pull request
FIM alerts of owner change when LookupAccountSid fails #8575
Closed
JoseAntonioMHerrera
JoseAntonioMHerrera previously approved these changes Aug 23, 2021
View reviewed changes
Copy link
Contributor

@JoseAntonioMHerrera JoseAntonioMHerrera left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jotacarma90 jotacarma90 marked this pull request as ready for review August 24, 2021 08:18
@CPAlejandro CPAlejandro mentioned this pull request Sep 8, 2021
Closed
@antoniomanuelfr antoniomanuelfr dismissed stale reviews from JoseAntonioMHerrera and themself via 52637f6 September 16, 2021 08:39
@jotacarma90 jotacarma90 force-pushed the 8575-fim-win-perms-improvement branch from 37ad10b to 59a0375 Compare October 5, 2021 10:21
jotacarma90 and others added 12 commits October 6, 2021 16:22
@jotacarma90
Change how to Windows agent process permissions of a file, from char …
63d90c0 
…to cJSON
@jotacarma90
Changes in fim_fetch_attributes_state to maintain compatibility with …
a10c2da 
…old agents
@jotacarma90
Changed format for registry permissions from string to json
95521a2
@Molter73 @jotacarma90
Refactor Windows permission functions
a983431 
Refactors functions related to retrieving permissions in Windows in order to simplify usage and remove duplicated code.
@Molter73 @jotacarma90
Fix UTs broken by Windows permission refactor
3f662c0
@Molter73 @jotacarma90
Added UTs for decode_win_acl_json
d53c50c
@Molter73 @jotacarma90
Refactored perm_json_to_old_format
0b3b2a5 
Added some more UTs for changes associated with Windows permissions being in JSON format
@Molter73 @jotacarma90
Fix problems with new JSON Windows permissions
093290a 
Fix NULL derreferences in decode_ace_json and perm_json_to_old_format.
Fix a memory leak in fim_registry_get_key_data.
Silenced a false positive NULL derreference on lf->fields reported by scan-build.
@Molter73 @jotacarma90
Save JSON permissions into agent DB
a69c3c4 
Added the required code for wazuh_db to properly save a file/registry permissions when it is formatted as JSON.
Added unit tests for the new code.
@Molter73 @jotacarma90
Improve Windows permission comparison
62eff12 
Makes comparison of Windows permissions independent of the user name associated with a given ACE.
@Molter73 @jotacarma90
Stop events on user name change when AD fails
d288190 
If AD fails to solve a SID to a user name, prevent FIM from triggering alerts.
@jotacarma90
Load FIM perm field as JSON (#10158)
f4c5219 
* Try to load FIM perm field as JSON

* Update core/syscheck unit tests
@CamiRomero CamiRomero mentioned this pull request Oct 6, 2021
Merged
6 tasks
@jotacarma90 jotacarma90 force-pushed the 8575-fim-win-perms-improvement branch from 59a0375 to f4c5219 Compare October 6, 2021 14:51
@chemamartinez
Copy link
Contributor

chemamartinez commented Nov 10, 2021
edited

Found several memory issues reported by valgrind while running the added unit tests:

test_analysisd_syscheck

==22754== 400 (96 direct, 304 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 10
==22754==    at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==22754==    by 0x3721DB: OSHash_Create (hash_op.c:28)
==22754==    by 0x1E88A4: fim_init (syscheck.c:141)
==22754==    by 0x1AAF86: setup_fim_data_win_perms (test_analysisd_syscheck.c:394)
==22754==    by 0x50E5422: cmocka_run_one_test_or_fixture (in /usr/local/lib/libcmocka.so.0.7.0)
==22754==    by 0x50E6335: _cmocka_run_group_tests (in /usr/local/lib/libcmocka.so.0.7.0)
==22754==    by 0x1C38BD: main (test_analysisd_syscheck.c:3796)

test_syscheck_op

Conditional jumps

==22809== Conditional jump or move depends on uninitialised value(s)
==22809==    at 0x496A4E3: cJSON_CreateNumber (in /var/ossec/lib/libwazuhext.so)
==22809==    by 0x1B9BE5: test_decode_win_acl_json_multiple_aces (test_syscheck_op.c:2449)
==22809==    by 0x50E5322: cmocka_run_one_test_or_fixture (in /usr/local/lib/libcmocka.so.0.7.0)
==22809==    by 0x50E6366: _cmocka_run_group_tests (in /usr/local/lib/libcmocka.so.0.7.0)
==22809==    by 0x1BFE4A: main (test_syscheck_op.c:4486)
==22809==  Uninitialised value was created by a stack allocation
==22809==    at 0x1B9970: test_decode_win_acl_json_multiple_aces (test_syscheck_op.c:2414)

Memory leaks

==22809== 64 bytes in 1 blocks are definitely lost in loss record 1 of 2
==22809==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==22809==    by 0x4968B7D: cJSON_New_Item.isra.2 (in /var/ossec/lib/libwazuhext.so)
==22809==    by 0x496A82F: cJSON_CreateObject (in /var/ossec/lib/libwazuhext.so)
==22809==    by 0x1B96B1: test_decode_win_acl_json_empty_acl (test_syscheck_op.c:2380)
==22809==    by 0x50E5322: cmocka_run_one_test_or_fixture (in /usr/local/lib/libcmocka.so.0.7.0)
==22809==    by 0x50E6366: _cmocka_run_group_tests (in /usr/local/lib/libcmocka.so.0.7.0)
==22809==    by 0x1BFE4A: main (test_syscheck_op.c:4486)
==22809==
==22809== 64 bytes in 1 blocks are definitely lost in loss record 2 of 2
==22809==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==22809==    by 0x4968B7D: cJSON_New_Item.isra.2 (in /var/ossec/lib/libwazuhext.so)
==22809==    by 0x496A82F: cJSON_CreateObject (in /var/ossec/lib/libwazuhext.so)
==22809==    by 0x1B9A10: test_decode_win_acl_json_multiple_aces (test_syscheck_op.c:2430)
==22809==    by 0x50E5322: cmocka_run_one_test_or_fixture (in /usr/local/lib/libcmocka.so.0.7.0)
==22809==    by 0x50E6366: _cmocka_run_group_tests (in /usr/local/lib/libcmocka.so.0.7.0)
==22809==    by 0x1BFE4A: main (test_syscheck_op.c:4486)

Apart from the ones appearing in the master branch which are already solved at #9099. The ones above are newly added so they have to be fixed before merging this pull request.

Update

Fixed at b77bafe

chemamartinez
chemamartinez previously approved these changes Nov 10, 2021
View reviewed changes
@chemamartinez chemamartinez merged commit 3f505e8 into master Nov 12, 2021
@chemamartinez chemamartinez deleted the 8575-fim-win-perms-improvement branch November 12, 2021 08:27
@alromeros alromeros mentioned this pull request Nov 30, 2021
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chemamartinez chemamartinez chemamartinez approved these changes

@antoniomanuelfr antoniomanuelfr antoniomanuelfr left review comments

@JoseAntonioMHerrera JoseAntonioMHerrera JoseAntonioMHerrera left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

FIM alerts of owner change when LookupAccountSid fails
5 participants
@jotacarma90 @chemamartinez @antoniomanuelfr @JoseAntonioMHerrera @Molter73