Skip to content

Add the check condition to SCA stored data#3631

Merged
chemamartinez merged 15 commits into3.11from
issue-3598
Sep 25, 2019
Merged

Add the check condition to SCA stored data#3631
chemamartinez merged 15 commits into3.11from
issue-3598

Conversation

@carlocas
Copy link

@carlocas carlocas commented Jul 8, 2019
edited
Loading

Related issue
3598

Description

The purpose of this PR is that the field condition of the module sca, should be stored in the database.

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Source upgrade
  • Memory tests
    • Valgrind report for affected components
      • wazuh-modulesd
==12099== HEAP SUMMARY:
==12099==     in use at exit: 3,277 bytes in 39 blocks
==12099==   total heap usage: 3,290 allocs, 3,251 frees, 1,134,512 bytes allocated
==12099== 
==12099== LEAK SUMMARY:
==12099==    definitely lost: 0 bytes in 0 blocks
==12099==    indirectly lost: 0 bytes in 0 blocks
==12099==      possibly lost: 0 bytes in 0 blocks
==12099==    still reachable: 3,277 bytes in 39 blocks
==12099==         suppressed: 0 bytes in 0 blocks
==12099== Reachable blocks (those to which a pointer was found) are not shown.
==12099== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==12099== 
==12099== For counts of detected and suppressed errors, rerun with: -v
==12099== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
  • wazuh-analysisd
==16672== LEAK SUMMARY:
==16672==    definitely lost: 100 bytes in 9 blocks
==16672==    indirectly lost: 0 bytes in 0 blocks
==16672==      possibly lost: 0 bytes in 0 blocks
==16672==    still reachable: 12,296 bytes in 295 blocks
==16672==         suppressed: 0 bytes in 0 blocks
==16672== Reachable blocks (those to which a pointer was found) are not shown.
==16672== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==16672== 
==16672== For counts of detected and suppressed errors, rerun with: -v
==16672== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
  • wazuh-db
==11115== HEAP SUMMARY:
==11115==     in use at exit: 8,344 bytes in 2 blocks
==11115==   total heap usage: 32 allocs, 30 frees, 64,140 bytes allocated
==11115== 
==11115== LEAK SUMMARY:
==11115==    definitely lost: 0 bytes in 0 blocks
==11115==    indirectly lost: 0 bytes in 0 blocks
==11115==      possibly lost: 0 bytes in 0 blocks
==11115==    still reachable: 8,344 bytes in 2 blocks
==11115==         suppressed: 0 bytes in 0 blocks
==11115== Reachable blocks (those to which a pointer was found) are not shown.
==11115== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==11115== 
==11115== For counts of detected and suppressed errors, rerun with: -v
==11115== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

  • No error found with scan-build

  • No error found with address-sanitizer

  • Custom tests

    • Check if the field condition is show in the database
      Now, in the database show the following message:
CREATE TABLE sca_check (   scan_id INTEGER REFERENCES sca_scan_info (id),   id INTEGER PRIMARY KEY,   policy_id TEXT REFERENCES sca_policy (id),   title TEXT,   description TEXT,   rationale TEXT,   remediation TEXT,   file TEXT,   process TEXT,   directory TEXT,   registry TEXT,   command TEXT,   `references` TEXT,   result TEXT,   `status` TEXT,   reason TEXT, condition TEXT);
CREATE INDEX policy_id_index ON sca_check (policy_id);

"timestamp": "2019-07-15T10:40:01.218+0200",
  "rule": {
    "level": 3,
    "description": "System audit for web-related vulnerabilities: Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise",
    "id": "19009",
    "firedtimes": 5,
    "mail": false,
    "groups": [
      "sca"
    ],
    "gdpr": [
      "IV_35.7.d"
    ]
  },
  "agent": {
    "id": "000",
    "name": "host"
  },
  "manager": {
    "name": "host"
  },
  "id": "1563180001.8174",
  "decoder": {
    "name": "sca"
  },
  "data": {
    "sca": {
      "type": "check",
      "scan_id": "1237957229",
      "policy": "System audit for web-related vulnerabilities",
      "check": {
        "id": "1004",
        "title": "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise",
        "compliance": {
          "pci_dss": "6.5, 6.6, 11.4"
        },
        "condition": "any",
        "directory": [
          "/var/www",
          "/var/htdocs",
          "/home/httpd",
          "/usr/local/apache",
          "/usr/local/apache2",
          "/usr/local/www"
        ],
        "status": "Not applicable",
        "reason": "Could not open '/var/www': No such file or directory"
      }
    }
  },
  "location": "sca"
  • Check if the field condition is shown when we upgrade the manager and the agent.
    First, we obtain a message output from the database of version 3.9.
928022162|5041|cis_debian|Ensure root is the only UID 0 account|Any account with UID 0 has superuser privileges on the system.|This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted.|Remove any users other than root with UID 0 or assign them a new UID if appropriate.|/etc/passwd||||||passed|

Upgrade the manager and check the message. We can see that the field condition is now visible.

928022162|5041|cis_debian|Ensure root is the only UID 0 account|Any account with UID 0 has superuser privileges on the system.|This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted.|Remove any users other than root with UID 0 or assign them a new UID if appropriate.|/etc/passwd||||||passed|||any

Connect an agent with the version 3.9 and, check if the field ´condition´ is shown.

1510267933|6574|cis_rhel7|Disable standard boot services - NetFS Enabled||||||/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d||||passed|||

The space to the field is empty, now upgrade the agent, and check if the database has been updated.

1585019112|6574|cis_rhel7|Disable standard boot services - NetFS Enabled||||||/etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d||||passed|||any

@carlocas carlocas self-assigned this Jul 12, 2019
@carlocas carlocas changed the title the field condition is show in the event Add the check condition to SCA stored data Jul 15, 2019
@chemamartinez chemamartinez self-requested a review July 17, 2019 13:58
chemamartinez
chemamartinez suggested changes Jul 18, 2019
View reviewed changes
extensions/elasticsearch/6.x/wazuh-template.json Outdated
"check.rationale": {
"type": "text"
},
"check.condition": {
Copy link
Contributor

@chemamartinez chemamartinez Jul 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This field is inside the oscap block, it has no relation to SCA but the integration with OpenSCAP.

extensions/elasticsearch/7.x/wazuh-template.json Outdated
"check.rationale": {
"type": "text"
},
"check.condition": {
Copy link
Contributor

@chemamartinez chemamartinez Jul 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This field is inside the oscap block, it has no relation to SCA but the integration with OpenSCAP.

chemamartinez
chemamartinez suggested changes Jul 18, 2019
View reviewed changes
@JuantAldea JuantAldea self-requested a review September 9, 2019 11:13
@JuantAldea JuantAldea added module/sca Security Configuration Assessment module and removed module/sca Security Configuration Assessment module labels Sep 9, 2019
JuantAldea
JuantAldea suggested changes Sep 9, 2019
View reviewed changes
JuantAldea
JuantAldea suggested changes Sep 10, 2019
View reviewed changes
JuantAldea
JuantAldea suggested changes Sep 10, 2019
View reviewed changes
JuantAldea
JuantAldea suggested changes Sep 11, 2019
View reviewed changes
Copy link
Contributor

@JuantAldea JuantAldea left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revert the commits in which the whole code is reformatted file an apply the format changes only to he lines that were affected by this PR, as it was requested. Whole file changes are dangerous as they are likely to produce unncesary conflicts.

image

@JuantAldea JuantAldea changed the base branch from 3.11 to 3.10 September 11, 2019 12:53
@JuantAldea JuantAldea changed the base branch from 3.10 to 3.11 September 11, 2019 12:53
@carlocas carlocas requested a review from JuantAldea September 12, 2019 11:53
@JuantAldea JuantAldea changed the base branch from 3.11 to 3.10 September 13, 2019 12:19
@JuantAldea JuantAldea changed the base branch from 3.10 to 3.11 September 13, 2019 12:22
JuantAldea
JuantAldea suggested changes Sep 13, 2019
View reviewed changes
Copy link
Contributor

@JuantAldea JuantAldea left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review previously requested changes. Review the current diff as well; it performs unwated changes. Always review the differences before adding files to a commit.

@carlocas carlocas requested a review from JuantAldea September 17, 2019 11:39
JuantAldea
JuantAldea suggested changes Sep 18, 2019
View reviewed changes
Copy link
Contributor

@JuantAldea JuantAldea left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The addition of the condition field to the message was removed in [1]. Please fix & test.

[1] 0380f0e#diff-2165ce07f2be8171c9b24ef5042646a0L2587

chemamartinez
chemamartinez suggested changes Sep 24, 2019
View reviewed changes
extensions/elasticsearch/7.x/wazuh-template.json Outdated
"remediation": {
"type": "keyword"
},
"condition": {
Copy link
Contributor

@chemamartinez chemamartinez Sep 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this field from the template as well.

extensions/elasticsearch/6.x/wazuh-template.json Outdated
}
}
},
"condition": {
Copy link
Contributor

@chemamartinez chemamartinez Sep 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this field from the template, the condition field won't be shown as an alert field, same as rule.

src/analysisd/decoders/security_configuration_assessment.c
cJSON **policy_id, cJSON **command, cJSON **rules);
static int CheckPoliciesJSON(cJSON *event, cJSON **policies);
static int CheckDumpJSON(cJSON *event, cJSON **elements_sent, cJSON **policy_id, cJSON **scan_id);
static void FillCheckEventInfo(Eventinfo *lf, cJSON *scan_id, cJSON *id, cJSON *name, cJSON *title, cJSON *description,
Copy link
Contributor

@chemamartinez chemamartinez Sep 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't add condition to the alert. So, it is not needed to pass it to this function.

src/analysisd/decoders/security_configuration_assessment.c
if (result){
if(strcmp(wdb_response,result->valuestring)) {
FillCheckEventInfo(lf,scan_id,id,name,title,description,rationale,remediation,compliance,reference,file,directory,process,registry,result,status,reason,wdb_response,command);
FillCheckEventInfo(lf, scan_id, id,name, title, description, rationale, remediation,
Copy link
Contributor

@chemamartinez chemamartinez Sep 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, remove condition from this call.

src/analysisd/decoders/security_configuration_assessment.c
} else if (status && status->valuestring) {
if(strcmp(wdb_response, status->valuestring)) {
FillCheckEventInfo(lf,scan_id,id,name,title,description,rationale,remediation,compliance,reference,file,directory,process,registry,result,status,reason,wdb_response,command);
FillCheckEventInfo(lf, scan_id, id,name, title, description, rationale, remediation,
Copy link
Contributor

@chemamartinez chemamartinez Sep 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, remove condition from this call.

src/analysisd/decoders/security_configuration_assessment.c
if (result) {
if(strcmp(wdb_response,result->valuestring)) {
FillCheckEventInfo(lf,scan_id,id,name,title,description,rationale,remediation,compliance,reference,file,directory,process,registry,result,status,reason,NULL,command);
FillCheckEventInfo(lf, scan_id, id, name, title, description, rationale, remediation,
Copy link
Contributor

@chemamartinez chemamartinez Sep 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, remove condition from this call.

src/analysisd/decoders/security_configuration_assessment.c
} else if (status && status->valuestring) {
if(strcmp(wdb_response, status->valuestring)) {
FillCheckEventInfo(lf,scan_id,id,name,title,description,rationale,remediation,compliance,reference,file,directory,process,registry,result,status,reason,NULL,command);
FillCheckEventInfo(lf, scan_id, id, name, title, description, rationale,
Copy link
Contributor

@chemamartinez chemamartinez Sep 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, remove condition from this call.

src/analysisd/decoders/security_configuration_assessment.c
}

static void FillCheckEventInfo(Eventinfo *lf,cJSON *scan_id,cJSON *id,cJSON *name,cJSON *title,cJSON *description,cJSON *rationale,cJSON *remediation,cJSON *compliance,cJSON *reference,cJSON *file,cJSON *directory,cJSON *process,cJSON *registry,cJSON *result,cJSON *status,cJSON *reason,char *old_result,cJSON *command) {
static void FillCheckEventInfo(Eventinfo *lf, cJSON *scan_id, cJSON *id, cJSON *name, cJSON *title, cJSON *description,
Copy link
Contributor

@chemamartinez chemamartinez Sep 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, remove condition from this call.

src/analysisd/decoders/security_configuration_assessment.c Outdated
}

if (condition){
fillData(lf, "sca.check.condition", condition->valuestring);
Copy link
Contributor

@chemamartinez chemamartinez Sep 24, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't call fillData() for condition. It only has to be added to the DB.

@chemamartinez chemamartinez merged commit be303c9 into 3.11 Sep 25, 2019
@chemamartinez chemamartinez deleted the issue-3598 branch September 25, 2019 10:22
@chemamartinez chemamartinez mentioned this pull request Sep 25, 2019
Closed
@chemamartinez chemamartinez mentioned this pull request Oct 22, 2019
Closed
@pablotr9 pablotr9 mentioned this pull request Oct 24, 2019
Open
chemamartinez added a commit that referenced this pull request Nov 15, 2019
@chemamartinez
Add changelog #3631
b859e84
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@JuantAldea JuantAldea JuantAldea approved these changes

@chemamartinez chemamartinez chemamartinez approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@carlocas carlocas

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@carlocas @JuantAldea @chemamartinez