
Improve XML validation with custom XML entities#4783

Merged
crd1985 merged 4 commits into 3.12 from dev-improve-xml-validator, Mar 30, 2020

Conversation

@vicferpoy
Contributor

Hello team, this closes #4767 .

We found that our XML validator was failing with directories such as:

<directories>c:\</directories>

This was due to the function that replaces XML entities before trying to validate the file, replacing every \< with <, resulting in << for the case above.

The solution was to add the character \ as a new XML entity. In addition to that, I refactored the code to include more custom XML entities in the future (if needed) using a simple Python dict.

Before the fix

root@0b8daa62b61d:/# curl -u foo:bar -k -X POST -H 'Content-type: application/xml' -d @copy.conf "https://127.0.0.1:55000/manager/files?path=etc/ossec.conf&pretty&overwrite=true"
{
   "error": 1113,
   "message": "XML syntax error"
}

After the fix

root@0b8daa62b61d:/# curl -u foo:bar -k -X POST -H 'Content-type: application/xml' -d @copy.conf "https://127.0.0.1:55000/manager/files?path=etc/ossec.conf&pretty&overwrite=true"
{
   "error": 0,
   "data": "File updated successfully"
}

Regards.

@vicferpoy vicferpoy requested a review from crd1985 March 25, 2020 12:51
@vicferpoy vicferpoy self-assigned this Mar 25, 2020
@wazuhci
Contributor

wazuhci commented Mar 30, 2020

The stress test has been launched. The charts will be posted when they are ready.
I will use the following configuration:

General

Stress test parameters:

  • Manager system: centos
  • Launch CentOS agent: true
  • Launch Ubuntu agent: true
  • Launch Windows agent: true
  • Test duration: 60
  • Scan frequency: 10
  • Modules to test:
    • logcollector: true
    • syscheck: true
    • rootcheck: true
    • sca: true
    • osquery: true
    • syscollector: true
    • active-response: true
    • azure-logs: true
    • cis-cat: true
    • docker-listener: true
    • open-scap: true
    • vulnerability-detector: false
  • FIM special test: None
  • FIM sleep: 300
  • FIM max files: 25000
  • SCA sleep: 30
  • SCA max registers: 5000
  • Docker image name: hello-world
  • Docker sleep: 5
  • Docker jobs: 10
  • Logcollector special test: None
  • Logcollector max files: 50000
  • Logcollector creation sleep: 300
  • Logcollector write files: 1000
  • Logcollector write sleep: 10
  • Vuln sleep: 60
  • Authd port: 1515
  • Syscollector package: imagemagick.app
  • Syscollector package version: 7.0.8.48

Regards!

@wazuhci
Contributor

wazuhci commented Mar 30, 2020

Analysis_dynamic_valgrind logcollector analysis:

Commit: 32706c2a733134ab5e0437dd3a32cd95f13931db
Parameters: track-origins=yes leak-check=full keep-stacktraces=alloc-and-free track-fds=yes num-callers=20 show-leak-kinds=definite,indirect
Agent config: ossec.conf
Agent logs: ossec.log
Coverage:

Lines executed: 31.40% of 1860

Coverage report detail: coverage-report-summary
Valgrind result: Analysis_dynamic_valgrind-v3.12.0-B907.log

@wazuhci
Contributor

wazuhci commented Mar 30, 2020

Analysis_dynamic_valgrind syscheckd analysis:

Commit: 32706c2a733134ab5e0437dd3a32cd95f13931db
Parameters: track-origins=yes leak-check=full keep-stacktraces=alloc-and-free track-fds=yes num-callers=20 show-leak-kinds=definite,indirect
Agent config: ossec.conf
Agent logs: ossec.log
Coverage:

Lines executed: 26.50% of 2996

Coverage report detail: coverage-report-summary
Valgrind result: Analysis_dynamic_valgrind-v3.12.0-B908.log

@vicferpoy vicferpoy force-pushed the dev-improve-xml-validator branch from 32706c2 to 7c9da98 March 30, 2020 09:41
@wazuhci
Contributor

wazuhci commented Mar 30, 2020

The stress test has been launched. The charts will be posted when they are ready.
I will use the following configuration:

General

Stress test parameters:

  • Manager system: centos
  • Launch CentOS agent: true
  • Launch Ubuntu agent: true
  • Launch Windows agent: true
  • Test duration: 60
  • Scan frequency: 10
  • Modules to test:
    • logcollector: true
    • syscheck: true
    • rootcheck: true
    • sca: true
    • osquery: true
    • syscollector: true
    • active-response: true
    • azure-logs: true
    • cis-cat: true
    • docker-listener: true
    • open-scap: true
    • vulnerability-detector: false
  • FIM special test: None
  • FIM sleep: 300
  • FIM max files: 25000
  • SCA sleep: 30
  • SCA max registers: 5000
  • Docker image name: hello-world
  • Docker sleep: 5
  • Docker jobs: 10
  • Logcollector special test: None
  • Logcollector max files: 50000
  • Logcollector creation sleep: 300
  • Logcollector write files: 1000
  • Logcollector write sleep: 10
  • Vuln sleep: 60
  • Authd port: 1515
  • Syscollector package: imagemagick.app
  • Syscollector package version: 7.0.8.48

Regards!

@wazuhci
Contributor

wazuhci commented Mar 30, 2020

Analysis_dynamic_valgrind logcollector analysis:

Commit: 7c9da98
Parameters: track-origins=yes leak-check=full keep-stacktraces=alloc-and-free track-fds=yes num-callers=20 show-leak-kinds=definite,indirect
Agent config: ossec.conf
Agent logs: ossec.log
Coverage:

Lines executed: 31.40% of 1860

Coverage report detail: coverage-report-summary
Valgrind result: Analysis_dynamic_valgrind-v3.12.0-B915.log

@wazuhci
Contributor

wazuhci commented Mar 30, 2020

Analysis_dynamic_valgrind syscheckd analysis:

Commit: 7c9da98
Parameters: track-origins=yes leak-check=full keep-stacktraces=alloc-and-free track-fds=yes num-callers=20 show-leak-kinds=definite,indirect
Agent config: ossec.conf
Agent logs: ossec.log
Coverage:

Lines executed: 26.50% of 2996

Coverage report detail: coverage-report-summary
Valgrind result: Analysis_dynamic_valgrind-v3.12.0-B916.log

@crd1985 crd1985 merged commit b72473f into 3.12 Mar 30, 2020
@crd1985 crd1985 deleted the dev-improve-xml-validator branch March 30, 2020 10:37
@wazuhci
Contributor

wazuhci commented Mar 30, 2020

The stress test has been launched. The charts will be posted when they are ready.
I will use the following configuration:

General

Stress test parameters:

  • Manager system: centos
  • Launch CentOS agent: true
  • Launch Ubuntu agent: true
  • Launch Windows agent: true
  • Test duration: 60
  • Scan frequency: 10
  • Modules to test:
    • logcollector: true
    • syscheck: true
    • rootcheck: true
    • sca: true
    • osquery: true
    • syscollector: true
    • active-response: true
    • azure-logs: true
    • cis-cat: true
    • docker-listener: true
    • open-scap: true
    • vulnerability-detector: false
  • FIM special test: None
  • FIM sleep: 300
  • FIM max files: 25000
  • SCA sleep: 30
  • SCA max registers: 5000
  • Docker image name: hello-world
  • Docker sleep: 5
  • Docker jobs: 10
  • Logcollector special test: None
  • Logcollector max files: 50000
  • Logcollector creation sleep: 300
  • Logcollector write files: 1000
  • Logcollector write sleep: 10
  • Vuln sleep: 60
  • Authd port: 1515
  • Syscollector package: imagemagick.app
  • Syscollector package version: 7.0.8.48

Regards!
