
Fixed Audit bug with recursive directories deleted #4831

Merged
bah07 merged 9 commits into 3.13 from 4729-fix-audit-bug on Apr 30, 2020

Conversation

@jotacarma90 (Member)

Related issue
#4729

Description

A bug in audit caused the displayed path to be incorrect when a directory was deleted recursively (it belonged to the current working directory instead of to the deleted file).
It has been fixed by using the inode that audit gives us, making a call to the database and looking up the path we are looking for.

Logs/Alerts example

As we can see, a wrong path is given in the audit log:

type=SYSCALL msg=audit(1585323592.674:11135): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=55d6c3d0ba88 a2=0 a3=7fc68f355ca0 items=2 ppid=2129 pid=15222 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="wazuh_fim"
type=CWD msg=audit(1585323592.674:11135): cwd="/home/vagrant"
type=PATH msg=audit(1585323592.674:11135): item=0 name="/home/vagrant" inode=786437 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1585323592.674:11135): item=1 name="hola" inode=786439 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1585323592.674:11135): proctitle=726D002D7266002F746573746469722F646972312F646972322F646972332F

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for Linux
    • Scan-build report
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
    • Dr. Memory
    • AddressSanitizer
  • Memory tests for Windows
    • Scan-build report
    • Coverity
    • Dr. Memory
  • Memory tests for macOS
    • Scan-build report
    • Leaks
    • AddressSanitizer
  • Retrocompatibility with older Wazuh versions
  • Working on cluster environments
  • Configuration on demand reports new parameters
  • The data flow works as expected (agent-manager-api-app)
  • Added unit tests (for new features)
  • Stress test for affected components

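The resolution strategy described above, as an added example that is not Wazuh's own code: parse the audit event quoted in the description, show the path the buggy PARENT+name join produces, then resolve the deleted entry through a (dev, inode) lookup in a stand-in for the FIM database. The FIM_DB table (including the inode 786439 -> /testdir/dir1/dir2/dir3/hola mapping), the function names and the x86_64 syscall-number filter are assumptions for this example, not data or code from the pull request.

```python
"""Resolve the real path of a file deleted by a recursive rm from Linux audit
records by keying on (dev, inode) instead of trusting the PATH/CWD records.
Added example; not Wazuh code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the audit event quoted in the pull request description.
SAMPLE_EVENT = """\
type=SYSCALL msg=audit(1585323592.674:11135): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=55d6c3d0ba88 a2=0 a3=7fc68f355ca0 items=2 ppid=2129 pid=15222 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="wazuh_fim"
type=CWD msg=audit(1585323592.674:11135): cwd="/home/vagrant"
type=PATH msg=audit(1585323592.674:11135): item=0 name="/home/vagrant" inode=786437 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1585323592.674:11135): item=1 name="hola" inode=786439 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1585323592.674:11135): proctitle=726D002D7266002F746573746469722F646972312F646972322F646972332F
"""

# Constructed stand-in for the FIM database: (dev, inode) -> path as the last
# scan recorded it.  The 786439 -> /testdir/dir1/dir2/dir3/hola entry is an
# assumption consistent with the proctitle, not data taken from the page.
FIM_DB: Dict[Tuple[str, int], str] = {
    ("fd:00", 786437): "/home/vagrant",
    ("fd:00", 786439): "/testdir/dir1/dir2/dir3/hola",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
UNLINK_SYSCALLS_X86_64 = {"87", "263"}  # unlink, unlinkat (arch=c000003e only)


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key=value fields, unquoting values."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        elif key == "name" and HEX_RE.match(value):
            # auditd hex-encodes names that contain spaces or non-printables.
            value = bytes.fromhex(value).decode("utf-8", "replace")
        fields[key] = value
    return fields


def parse_event(text: str) -> List[Dict[str, str]]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def decode_proctitle(hexstr: str) -> List[str]:
    """PROCTITLE is the hex-encoded argv, NUL-separated."""
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(hexstr).split(b"\x00") if a]


def _path_items(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if r.get("type") == "PATH"]


def naive_path(records: List[Dict[str, str]]) -> str:
    """The join the bug report describes: PARENT item + DELETE name.
    For a recursive rm the PARENT item here is the cwd, so this yields
    /home/vagrant/hola rather than the file that was actually removed."""
    items = _path_items(records)
    parent = next((r["name"] for r in items if r.get("nametype") == "PARENT"), None)
    deleted = next(r["name"] for r in items if r.get("nametype") == "DELETE")
    if deleted.startswith("/") or parent is None:
        return deleted
    return parent.rstrip("/") + "/" + deleted


def resolve_deleted_path(records: List[Dict[str, str]],
                         db: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Prefer the path the database holds for (dev, inode); fall back to the
    PARENT+name join only when the inode is unknown to the database."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if syscall is None or syscall.get("success") != "yes":
        return None
    if syscall.get("arch") == "c000003e" and syscall.get("syscall") not in UNLINK_SYSCALLS_X86_64:
        return None
    deleted = next((r for r in _path_items(records) if r.get("nametype") == "DELETE"), None)
    if deleted is None:
        return None
    key = (deleted["dev"], int(deleted["inode"]))
    return db.get(key) or naive_path(records)


if __name__ == "__main__":
    recs = parse_event(SAMPLE_EVENT)
    print("argv:        ", decode_proctitle(recs[-1]["proctitle"]))
    print("naive path:  ", naive_path(recs))
    print("by inode:    ", resolve_deleted_path(recs, FIM_DB))
```

One caveat a practitioner should keep in mind: the lookup must run before the database row for that inode is removed or overwritten, since the kernel may hand the same inode number to a file created afterwards, and a stale or reused inode would then map to the wrong path.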
@jotacarma90 added the type/bug and core/fim/audit labels Apr 2, 2020
@jotacarma90 requested a review from bah07 April 2, 2020 14:54
@jotacarma90 self-assigned this Apr 2, 2020
@jotacarma90 linked an issue Apr 2, 2020 that may be closed by this pull request
@wazuhci (Contributor) commented Apr 2, 2020

The stress test has been launched. The charts will be posted when they are ready.
I will use the following configuration:

General

Stress test parameters:

  • Manager system: centos
  • Launch CentOS agent: true
  • Launch Ubuntu agent: true
  • Launch Windows agent: true
  • Test duration: 60
  • Scan frequency: 10
  • Modules to test:
    • logcollector: true
    • syscheck: true
    • rootcheck: true
    • sca: true
    • osquery: true
    • syscollector: true
    • active-response: true
    • azure-logs: true
    • cis-cat: true
    • docker-listener: true
    • open-scap: true
    • vulnerability-detector: false
  • FIM special test: None
  • FIM sleep: 300
  • FIM max files: 25000
  • SCA sleep: 30
  • SCA max registers: 5000
  • Docker image name: hello-world
  • Docker sleep: 5
  • Docker jobs: 10
  • Logcollector special test: None
  • Logcollector max files: 50000
  • Logcollector creation sleep: 300
  • Logcollector write files: 1000
  • Logcollector write sleep: 10
  • Vuln sleep: 60
  • Authd port: 1515
  • Syscollector package: imagemagick.app
  • Syscollector package version: 7.0.8.48

Regards!

@wazuhci (Contributor) commented Apr 2, 2020

Analysis_dynamic_valgrind logcollector analysis:

Commit: 4448563
Parameters: track-origins=yes leak-check=full keep-stacktraces=alloc-and-free track-fds=yes num-callers=20 show-leak-kinds=definite,indirect
Agent config: ossec.conf
Agent logs: ossec.log
Coverage:

Lines executed: 31.41% of 1859

Coverage report detail: coverage-report-summary
Valgrind result: Analysis_dynamic_valgrind-v3.12.1-B1051.log

@wazuhci (Contributor) commented Apr 2, 2020

Analysis_dynamic_valgrind syscheckd analysis:

Commit: 4448563
Parameters: track-origins=yes leak-check=full keep-stacktraces=alloc-and-free track-fds=yes num-callers=20 show-leak-kinds=definite,indirect
Agent config: ossec.conf
Agent logs: ossec.log
Coverage:

Lines executed: 26.43% of 3004

Coverage report detail: coverage-report-summary
Valgrind result: Analysis_dynamic_valgrind-v3.12.1-B1052.log

@wazuhci (Contributor) commented Apr 2, 2020

Stress/Leaks test results

Windows Agent ID0

CentOS Manager ID0

CentOS Agent ID1

Ubuntu Agent ID0

@Molter73 self-requested a review April 8, 2020 11:05
@bah07 added the FIM label Apr 15, 2020
@jotacarma90 changed the base branch from 3.12 to dev-fim-sprint110 April 17, 2020 08:26
@jotacarma90 changed the base branch from dev-fim-sprint110 to 3.12 April 17, 2020 11:45
@jotacarma90 changed the base branch from 3.12 to dev-fim-sprint110 April 17, 2020 11:46
@jotacarma90 removed the FIM and type/bug labels Apr 20, 2020
@Lopuiz changed the base branch from dev-fim-sprint110 to 3.12 April 24, 2020 06:45
@bah07 changed the base branch from 3.12 to 3.13 April 29, 2020 13:01
@bah07 (Contributor) left a comment

LGTM!

@bah07 merged commit 3c85014 into 3.13 Apr 30, 2020
@bah07 deleted the 4729-fix-audit-bug branch April 30, 2020 12:02


Development

Successfully merging this pull request may close these issues.

FIM: incorrect audit path in alerts

4 participants