FIM System tests: 0203 - Whodata #528

Closed
jm404 opened this issue Feb 24, 2020 · 4 comments
jm404 (Contributor) commented Feb 24, 2020

Objective

This issue's aim is to implement scenario 203 - Whodata as specified in #493.

Configuration

Tests

Automated tests

Manual tests

Conclusions

The alerts were not properly generated in Linux agents, even when using different creation methods.

The alerts were properly generated, modified and deleted in Windows agents. Removing the root folder or removing files with shift+del generates fewer alerts than expected.

Regards,
Jose M

@jm404 jm404 added this to the Sprint 107 - DevOps milestone Feb 24, 2020
@jm404 jm404 self-assigned this Feb 24, 2020
jm404 (Contributor, Author) commented Feb 24, 2020

Configurations

  • File generation configuration (root_folder is C:\fim_testing for Windows)
{
    "root_folder": "/opt/fim_testing",
    "recursion_level": 3,
    "folder_length": 5,
    "file_length": 5,
    "file_size_specifications": [
        { "size": 10240, "amount": 4000 },
        { "size": 524288, "amount": 500 },
        { "size": 1048576, "amount": 500 },
        { "size": 10485760, "amount": 10 }
    ]
}
  • Linux Agents (Centos 7 in this test)
.
.
.
  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>
    <directories check_all="yes" whodata="yes">/opt/fim_testing</directories>
.
.
.
  • Windows Agents
.
.
.
  <!-- File integrity monitoring -->
  <syscheck>

    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="320" check_all="yes" whodata="yes">C:\fim_testing</directories>
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

.
.
.

jm404 (Contributor, Author) commented Feb 24, 2020

Test create files on Centos 7 Agent

Auditctl configuration

[root@serv-test-centos-1 vagrant]# auditctl -l
-w /opt/fim_testing -p wa -k wazuh_fim

Files generated and related audit logs:

[root@serv-test-centos-1 vagrant]# find /opt/fim_testing/ -type f | wc -l
5010
[root@serv-test-centos-1 vagrant]# cat /var/log/audit/audit.log | grep /opt/fim_testing/ | wc -l
5104

Wazuh test audit using automated scripts

[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep /opt/fim_testing/isjbv | grep added | wc -l
5010
[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep /opt/fim_testing/isjbv | grep added | grep audit | wc -l
166

Manual tests

[root@serv-test-centos-1 vagrant]# for i in {1..1000}; do touch /opt/fim_testing/file_${i} ; done
[root@serv-test-centos-1 vagrant]# ls /opt/fim_testing/ | grep file_ | wc -l
1000
[root@serv-test-centos-1 vagrant]# cat /var/log/audit/audit.log | grep /opt/fim_testing/file_ | wc -l
1000

The manager shows fewer alerts than it should (1000):

[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep /opt/fim_testing/file_ | grep added | grep audit | wc -l
148

Adding files with content

[root@serv-test-centos-1 vagrant]# for i in {1..1000}; do echo "testing" > /opt/fim_testing/file_with_content_${i} ; done
[root@serv-test-centos-1 vagrant]# cat /var/log/audit/audit.log | grep /opt/fim_testing/file_with_content_ | wc -l
1000

Alerts on Manager:

[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep /opt/fim_testing/file_with_content | grep added | grep audit | wc -l
136

jm404 (Contributor, Author) commented Feb 24, 2020

Test Whodata in Windows

  • Alerts generated:

[image: screenshot of the alerts generated for the Windows agent]

  • Created Alerts on Manager:
[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep wkygq | grep audit | grep added | wc -l
5010
  • Example of alert
{"timestamp":"2020-02-24T20:08:05.649+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":5224,"mail":false,"groups":["ossec","syscheck"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"]},"agent":{"id":"001","name":"Windows","ip":"10.0.2.15"},"manager":{"name":"serv-test-manager-centos-1"},"id":"1582574885.68127132","full_log":"File 'c:\\fim_testing\\wkygq\\wabwb\\zxpqu\\vxueowip' added\nMode: whodata\n","syscheck":{"path":"c:\\fim_testing\\wkygq\\wabwb\\zxpqu\\vxueowip","size_after":"10272","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]}],"uid_after":"S-1-5-32-544","md5_after":"a853207451718635f109f84cffc0c5e3","sha1_after":"8da2359c997eba2b4993ced4982ed9356c155420","sha256_after":"21bc89a84fab5565c4f8109f0ab76fe7b18948d071f28ca192d4bd6828b6a35e","attrs_after":["ARCHIVE"],"uname_after":"Administrators","mtime_after":"2020-02-24T20:07:06","event":"added","audit":{"user":{"id":"S-1-5-21-2360412278-3489539771-3166891753-500","name":"Administrator"},"process":{"id":"1248","name":"C:\\Python38\\python.exe"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}

Deleting root folder:

  • Deletion of root folder with shift+del
[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep wkygq | grep audit | grep deleted | wc -l
239
  • Deletion of root folder with del
[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep metsn | grep audit | grep deleted | wc -l
132

Deleting files

  • Deleting with del:
[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep aauzscep | grep audit | grep added | wc -l
1
[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep aauzscep | grep audit | grep deleted | wc -l
1
  • Deleting with shift+del:
[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep aarpfpaw | grep audit | grep added | wc -l
1
[root@serv-test-manager-centos-1 vagrant]# cat /var/ossec/logs/alerts/alerts.json | grep aarpfpaw | grep audit | grep deleted | wc -l
0
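
The `grep ... | wc -l` pipelines in this comment and in the Centos 7 comment above all answer the same question: how many of the files the test created produced an alert, and how many of those alerts carry whodata attribution. The script below is an added example (it is not from the issue, from wazuh-qa or from Wazuh itself) that performs that count on parsed alerts.json lines rather than on substrings, so that `audit` is only matched as the `syscheck.audit` object and a path such as `/etc/audit/...` cannot inflate the count. It assumes the alert layout visible in the example alert above (`syscheck.path`, `syscheck.event`, `syscheck.audit`); the sample lines, file names and process names are constructed for the demo, and the helper names are hypothetical.

```python
"""Count Wazuh FIM alerts under a monitored root, split by whodata attribution.

Added example for the whodata test issue; not Wazuh or wazuh-qa code.
Input is alerts.json as the manager writes it: one JSON object per line.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List


def _constructed_alerts() -> List[str]:
    """Constructed alerts.json lines for the demo (not real manager output)."""
    alerts = [
        {"rule": {"id": "554"}, "syscheck": {"path": "/opt/fim_testing/file_1", "event": "added",
         "audit": {"user": {"name": "root"}, "process": {"name": "/usr/bin/touch"}}}},
        # two 'added' alerts with no audit block: picked up by the scan, not by whodata
        {"rule": {"id": "554"}, "syscheck": {"path": "/opt/fim_testing/file_2", "event": "added"}},
        {"rule": {"id": "554"}, "syscheck": {"path": "/opt/fim_testing/file_3", "event": "added"}},
        {"rule": {"id": "553"}, "syscheck": {"path": "/opt/fim_testing/file_1", "event": "deleted",
         "audit": {"user": {"name": "root"}, "process": {"name": "/usr/bin/rm"}}}},
        # Windows agent: lower-cased path with backslashes, as in the example alert
        {"rule": {"id": "554"}, "syscheck": {"path": "c:\\fim_testing\\wkygq\\aauzscep", "event": "added",
         "audit": {"user": {"name": "Administrator"}, "process": {"name": "C:\\Python38\\python.exe"}}}},
        # a non-FIM alert that must be ignored
        {"rule": {"id": "5501"}, "full_log": "pam_unix(sshd:session): session opened for user root"},
    ]
    # last line truncated mid-write, as happens when reading a file that is still being appended to
    return [json.dumps(a) for a in alerts] + ['{"rule": {"id": "554"}, "syscheck": {"path": "/opt/fim_tes']


SAMPLE_LINES = _constructed_alerts()


def _norm(path: str) -> str:
    """Normalise separators; Windows paths are compared case-insensitively (NTFS)."""
    p = path.replace("\\", "/")
    return p.lower() if len(p) > 1 and p[1] == ":" else p


def iter_fim_alerts(lines: Iterable[str]) -> Iterable[dict]:
    """Yield the syscheck object of each parseable FIM alert, skipping everything else."""
    for line in lines:
        try:
            alert = json.loads(line)
        except ValueError:
            continue  # corrupt or truncated line: count nothing, keep going
        sc = alert.get("syscheck") if isinstance(alert, dict) else None
        if isinstance(sc, dict) and "path" in sc and "event" in sc:
            yield sc


def count_fim_events(lines: Iterable[str], root: str) -> Counter:
    """Count (event, mode) pairs for paths below root.

    mode is "whodata" when the alert carries syscheck.audit (the user and
    process that touched the file) and "scan" otherwise: the distinction the
    issue draws with `grep audit`, applied to the parsed field instead.
    """
    prefix = _norm(root).rstrip("/") + "/"
    counts: Counter = Counter()
    for sc in iter_fim_alerts(lines):
        if not _norm(sc["path"]).startswith(prefix):
            continue
        mode = "whodata" if isinstance(sc.get("audit"), dict) else "scan"
        counts[(sc["event"], mode)] += 1
    return counts


def reconcile(counts: Counter, event: str, expected: int) -> Dict[str, int]:
    """Compare the alerts seen for one event type against the number of files touched."""
    whodata = counts[(event, "whodata")]
    total = whodata + counts[(event, "scan")]
    return {"expected": expected, "alerted": total, "attributed": whodata,
            "unattributed": total - whodata, "missing": expected - total}


if __name__ == "__main__":
    import sys
    # usage: python3 fim_reconcile.py ALERTS_JSON ROOT EXPECTED_ADDED  (no args: demo data)
    if len(sys.argv) >= 4:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            counts = count_fim_events(fh, sys.argv[2])
        print(reconcile(counts, "added", int(sys.argv[3])))
    else:
        counts = count_fim_events(SAMPLE_LINES, "/opt/fim_testing")
        print(reconcile(counts, "added", expected=3))
```

On the manager the same call over the real file is `python3 fim_reconcile.py /var/ossec/logs/alerts/alerts.json /opt/fim_testing 1000`; `attributed` then corresponds to the `grep audit | wc -l` figure in the comments above and `missing` is the gap the conclusions describe.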

jm404 (Contributor, Author) commented Feb 25, 2020

Done in #537

@jm404 jm404 closed this as completed Feb 25, 2020