
Release 4.3.6 - Release Candidate 1 - E2E UX tests - File Integrity Monitoring #14266

Closed
1 task done
mcarmona99 opened this issue Jul 15, 2022 · 6 comments
Assignees
Labels
module/fim File Integrity Monitoring release test/4.3.6 Issues related to testing for 4.3.6 type/test/manual

Comments


mcarmona99 commented Jul 15, 2022

The following issue aims to run the specified test for the current release candidate, report the results, and open new issues for any encountered errors.

Test information

Test name File Integrity Monitoring
Category File Integrity Monitoring
Deployment option Installation guide
Main release issue #14187
E2E UX tests issue #14260
Release candidate # v4.3.6 RC1

Installation procedure

  • Wazuh indexer

  • Wazuh server

  • Wazuh dashboard

  • Wazuh agent (3 agents)

    • Installation: Wazuh WUI one-liner deploy
    • OS: Windows, Ubuntu 22.04, and macOS

Test description

Test report procedure

All test results must have one of the following statuses:

Status Description
🟢 All checks passed.
🔴 There is at least one failed result.
🟡 There is at least one expected failure or skipped test and no failures.

Any failing test must be appropriately addressed with a new issue, detailing the error and the possible cause.

An extended test results report must be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. The auditors can use this report to dig deeper into any possible failures and details.

Conclusions

All tests have been executed and the results can be found in the issue updates.

Status Test Failure type Notes
🟢 Installing the Wazuh manager, dashboard, and indexer - -
🟢 Test different FIM use cases for Windows, Linux, and macOS - -
🟢 Proof of concept test - -
🟡 Blog post References Already reported in wazuh/wazuh-documentation#5013

Auditors validation

The definition of done for this one is the validation of the conclusions and the test results from all auditors.

All checks from below must be accepted in order to close this issue.

@mcarmona99 mcarmona99 added type/test/manual release test/4.3.6 Issues related to testing for 4.3.6 labels Jul 15, 2022
@mcarmona99 mcarmona99 self-assigned this Jul 15, 2022
@mcarmona99 mcarmona99 added the module/fim File Integrity Monitoring label Jul 15, 2022
mcarmona99 (Contributor, Author) commented:

Installing the Wazuh manager, dashboard, and indexer 🟢

Hardware and operating system

Talking about the installation process, and following the Quickstart documentation section, the three components (manager, indexer, and dashboard) will be installed in the same Ubuntu 22.04 instance.

Instance: Canonical, Ubuntu, 22.04 LTS, amd64 jammy image build on 2022-06-09

Following the Quickstart guide, the requirements for this test case are 4 vCPU, 8 GiB RAM, and 50 GB of storage.

Instance type: c5.xlarge - 4 vCPU, 8 GiB

# hostnamectl
 Static hostname: ip-xxx-xx-xx-xxx
       Icon name: computer-vm
         Chassis: vm
	     ...: ...
  Virtualization: amazon
Operating System: Ubuntu 22.04 LTS                
          Kernel: Linux 5.15.0-1011-aws
    Architecture: x86-64
 Hardware Vendor: Amazon EC2
  Hardware Model: c5.xlarge

Installation

Download and run the Wazuh installation assistant.

curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Note that in this case, as we want to install 4.3.6 and it is a pre-release version, we have to use the pre-release repository. To do that, I need to edit the wazuh-install.sh script given for the current version. This is the part of the script used to install Wazuh 4.3.6 + indexer + dashboard (the rest is the same as the 4.3.5 one):

wazuh-install.sh new variables
...

readonly repogpg="https://packages.wazuh.com/key/GPG-KEY-WAZUH"
readonly repobaseurl="https://packages-dev.wazuh.com/pre-release"
readonly reporelease="stable"
readonly filebeat_wazuh_module="${repobaseurl}/filebeat/wazuh-filebeat-0.2.tar.gz"
readonly bucket="packages-dev.wazuh.com"
readonly repository="pre-release"

readonly wazuh_major="4.3"
readonly wazuh_version="4.3.6"
...

Installation, error found:

# sudo bash ./wazuh-install.sh -a
18/07/2022 08:00:33 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.6
18/07/2022 08:00:33 INFO: Verbose logging redirected to /var/log/wazuh-install.log
18/07/2022 08:00:39 INFO: Wazuh repository added.
18/07/2022 08:00:39 INFO: --- Configuration files ---
18/07/2022 08:00:39 INFO: Generating configuration files.
18/07/2022 08:00:40 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
18/07/2022 08:00:40 INFO: --- Wazuh indexer ---
18/07/2022 08:00:40 INFO: Starting Wazuh indexer installation.
18/07/2022 08:00:41 ERROR: Wazuh indexer installation failed.
18/07/2022 08:00:41 INFO: --- Removing existing Wazuh installation ---
18/07/2022 08:00:41 INFO: Installation cleaned. Check the /var/log/wazuh-install.log file to learn more about the issue.

Checking /var/log/wazuh-install.log:

18/07/2022 08:00:40 INFO: --- Wazuh indexer ---
18/07/2022 08:00:40 INFO: Starting Wazuh indexer installation.
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package wazuh-indexer
18/07/2022 08:00:41 ERROR: Wazuh indexer installation failed.
18/07/2022 08:00:41 INFO: --- Removing existing Wazuh installation ---
18/07/2022 08:00:41 INFO: Installation cleaned. Check the /var/log/wazuh-install.log file to learn more about the issue.

The error is due to the reporelease variable. It must be unstable:

...
readonly repogpg="https://packages.wazuh.com/key/GPG-KEY-WAZUH"
readonly repobaseurl="https://packages-dev.wazuh.com/pre-release"
readonly reporelease="unstable"
readonly filebeat_wazuh_module="${repobaseurl}/filebeat/wazuh-filebeat-0.2.tar.gz"
readonly bucket="packages-dev.wazuh.com"
readonly repository="pre-release"

readonly wazuh_major="4.3"
readonly wazuh_version="4.3.6"
...

After the change and installation:

...
18/07/2022 08:40:34 INFO: Initializing Wazuh dashboard web application.
18/07/2022 08:40:35 INFO: Wazuh dashboard web application initialized.
18/07/2022 08:40:35 INFO: --- Summary ---
18/07/2022 08:40:35 INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: aiLhz.ipD**Q.UE?IBKiWc0BakGPfakb
18/07/2022 08:40:35 INFO: Installation finished.
# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...

Dashboard healthcheck:

image


mcarmona99 commented Jul 18, 2022

Agents deployment 🟢

Using the WUI one-liner deployment.

Ubuntu 22.04 🟢

curl -so wazuh-agent-4.3.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.6-1_amd64.deb && sudo WAZUH_MANAGER='x.x.x.x' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.6.deb

This is the command provided by the Wazuh UI. It won't work as the repository must be https://packages-dev/(...)/pre-release/(...)

# curl -so wazuh-agent-4.3.6.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.6-1_amd64.deb && sudo WAZUH_MANAGER='x.x.x.x' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.6.deb
dpkg-deb: error: './wazuh-agent-4.3.6.deb' is not a Debian format archive
dpkg: error processing archive ./wazuh-agent-4.3.6.deb (--install):
 dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
 ./wazuh-agent-4.3.6.deb

After changing to the proper repo:

# curl -so wazuh-agent-4.3.6.deb https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.6-1_amd64.deb && sudo WAZUH_MANAGER='x.x.x.x' WAZUH_AGENT_GROUP='default' dpkg -i ./wazuh-agent-4.3.6.deb
Selecting previously unselected package wazuh-agent.
(Reading database ... 63612 files and directories currently installed.)
Preparing to unpack ./wazuh-agent-4.3.6.deb ...
Unpacking wazuh-agent (4.3.6-1) ...
Setting up wazuh-agent (4.3.6-1) ...

Agent properly installed:

image


mcarmona99 commented Jul 18, 2022

Windows 7 🟢

One-liner:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.6-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.6.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.6.msi /q WAZUH_MANAGER='x.x.x.x' WAZUH_REGISTRATION_SERVER='x.x.x.x' WAZUH_AGENT_GROUP='default'

As in the other cases, the URL needs to be changed:

Invoke-WebRequest -Uri https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.6-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.6.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.6.msi /q WAZUH_MANAGER='x.x.x.x' WAZUH_REGISTRATION_SERVER='x.x.x.x' WAZUH_AGENT_GROUP='default'

Error found. I cannot install with the one-liner because I am using Windows 7, which ships PowerShell v1.0, while v3.0 or greater is needed.

image

image

Therefore, I will use the Windows installer: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-windows.html

Again, the documentation page includes a link to the 4.3.5 package. I will use the pre-release repository.

https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-4.3.6-1.msi

.\wazuh-agent-4.3.6-1.msi /q WAZUH_MANAGER="10.0.0.2"
NET START WazuhSvc

image

image

MacOS 10.14 🟢

One-liner:

curl -so wazuh-agent-4.3.6.pkg https://packages-dev.wazuh.com/pre-release/macos/wazuh-agent-4.3.6-1.pkg && sudo launchctl setenv WAZUH_MANAGER 'x.x.x.x' WAZUH_AGENT_GROUP 'default' && sudo installer -pkg ./wazuh-agent-4.3.6.pkg -target /

This time, I updated the URL before trying to deploy the agent to use the pre-release package.

Starting the agent:

sudo /Library/Ossec/bin/wazuh-control start

image

Agents review:

image
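The two manual fixes in this thread (the reporelease variable in wazuh-install.sh that had to become "unstable" for the pre-release repository, and the agent one-liners whose package host had to change from packages.wazuh.com/4.x to packages-dev.wazuh.com/pre-release) are the kind of thing worth checking before a deploy rather than after a failed install. The following is an added example, not code from the issue and not Wazuh's own installer: it extracts the readonly variables from a wazuh-install.sh and flags a repobaseurl/reporelease mismatch, and it rebuilds the agent package URLs seen in the one-liners so a pasted command can be compared against the intended channel. The apt source-line shape "deb <repobaseurl>/apt/ <reporelease> main" used in the message is an assumption about how the installer consumes those variables; the channel URLs and package paths are taken from the thread.

```python
"""Check wazuh-install.sh repo variables and agent one-liner URLs against a channel.

Added example (not part of the issue, not Wazuh code). The channel table and
package paths come from the URLs in the thread; the apt source-line layout in
the diagnostic message is an assumption about the installer.
"""
import re

# Channel table built from the URLs that appear in the thread.
CHANNELS = {
    "release": {"repobaseurl": "https://packages.wazuh.com/4.x", "reporelease": "stable"},
    "pre-release": {"repobaseurl": "https://packages-dev.wazuh.com/pre-release", "reporelease": "unstable"},
}

# Relative agent package paths as used by the deb, msi and pkg one-liners.
PACKAGE_PATHS = {
    "deb": "apt/pool/main/w/wazuh-agent/wazuh-agent_{ver}-{rev}_amd64.deb",
    "msi": "windows/wazuh-agent-{ver}-{rev}.msi",
    "pkg": "macos/wazuh-agent-{ver}-{rev}.pkg",
}

_READONLY = re.compile(r'^\s*readonly\s+(\w+)="([^"]*)"', re.M)
_URL = re.compile(r"https?://\S+")


def parse_readonly_vars(script_text: str) -> dict:
    """Extract readonly NAME="value" assignments from wazuh-install.sh text."""
    return dict(_READONLY.findall(script_text))


def check_installer_vars(script_text: str) -> list:
    """Return a list of problems; an empty list means the repo variables are consistent."""
    v = parse_readonly_vars(script_text)
    problems = []
    base = v.get("repobaseurl", "")
    channel = next((name for name, c in CHANNELS.items() if c["repobaseurl"] == base), None)
    if channel is None:
        return [f"unknown repobaseurl {base!r}"]
    expected = CHANNELS[channel]["reporelease"]
    if v.get("reporelease") != expected:
        # Assumed installer behaviour: the suite in the apt line is reporelease.
        problems.append(
            f"reporelease is {v.get('reporelease')!r} but the {channel} repo needs {expected!r}; "
            f"apt would be pointed at 'deb {base}/apt/ {v.get('reporelease')} main' "
            f"and report 'Unable to locate package wazuh-indexer'"
        )
    major = v.get("wazuh_major", "")
    if not v.get("wazuh_version", "").startswith(major + "."):
        problems.append(f"wazuh_version {v.get('wazuh_version')!r} is not a {major!r} release")
    return problems


def agent_package_url(channel: str, kind: str, version: str, revision: str = "1") -> str:
    """Build the agent package URL for a channel ('release'/'pre-release') and kind ('deb'/'msi'/'pkg')."""
    base = CHANNELS[channel]["repobaseurl"]
    return f"{base}/{PACKAGE_PATHS[kind].format(ver=version, rev=revision)}"


def check_one_liner(command: str, channel: str, version: str) -> list:
    """Report package URLs in a deploy one-liner that do not match the expected channel and version."""
    problems = []
    for url in _URL.findall(command):
        kind = url.rsplit(".", 1)[-1]
        if kind not in PACKAGE_PATHS:
            continue
        expected = agent_package_url(channel, kind, version)
        if url != expected:
            problems.append(f"{url} should be {expected}")
    return problems


if __name__ == "__main__":
    # Constructed excerpt reproducing the first (failing) edit from the thread.
    script = (
        'readonly repobaseurl="https://packages-dev.wazuh.com/pre-release"\n'
        'readonly reporelease="stable"\n'
        'readonly wazuh_major="4.3"\n'
        'readonly wazuh_version="4.3.6"\n'
    )
    for p in check_installer_vars(script):
        print("installer:", p)
    cmd = ("curl -so wazuh-agent-4.3.6.deb "
           "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.6-1_amd64.deb "
           "&& sudo dpkg -i ./wazuh-agent-4.3.6.deb")
    for p in check_one_liner(cmd, "pre-release", "4.3.6"):
        print("one-liner:", p)
```

Run it against a copied wazuh-install.sh and the command pasted from the WUI before installing; both checks return an empty list when the channel, suite and package URLs agree.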


mcarmona99 commented Jul 20, 2022

Test different FIM use cases for Windows, Linux, and macOS

1. MacOS X 🟢

1.1. whodata ⚪

whodata is not supported for macOS agents

1.2. report_changes 🟢

Added the following line to the syscheck configuration and changed the syscheck frequency to 10:

<directories report_changes="yes">/test_fim</directories>

Add /test_fim/test_fim_report.txt, alert generated:

{"timestamp":"2022-07-20T09:20:45.763+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":18,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"macos1014","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658308845.269012","full_log":"File '/test_fim/test_fim_report.txt' added\nMode: scheduled\n","syscheck":{"path":"/test_fim/test_fim_report.txt","mode":"scheduled","size_after":"0","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uname_after":"root","gname_after":"wheel","mtime_after":"2022-07-20T09:20:40","inode_after":533696,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}

Modify /test_fim/test_fim_report.txt, alert generated (changes properly reported):

{"timestamp":"2022-07-20T09:21:38.200+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":3,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"macos1014","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658308898.269708","full_log":"File '/test_fim/test_fim_report.txt' modified\nMode: scheduled\nChanged attributes: size,mtime,inode,md5,sha1,sha256\nSize changed from '0' to '24'\nOld modification time was: '1658308840', now it is '1658308883'\nOld inode was: '533696', now it is '534152'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : '96fe445f0f6dea9395b874ef3243298d'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : 'a1d649d9a80deba385b5e21cf6b17687e24a4ff7'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : '57d19ae7363cb8ffcdf251a2e99904dc7cd89fc6139770770a8a315a7454116a'\n","syscheck":{"path":"/test_fim/test_fim_report.txt","mode":"scheduled","size_before":"0","size_after":"24","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"d41d8cd98f00b204e9800998ecf8427e","md5_after":"96fe445f0f6dea9395b874ef3243298d","sha1_before":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha1_after":"a1d649d9a80deba385b5e21cf6b17687e24a4ff7","sha256_before":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha256_after":"57d19ae7363cb8ffcdf251a2e99904dc7cd89fc6139770770a8a315a7454116a","uname_after":"root","gname_after":"wheel","mtime_before":"2022-07-20T09:20:40","mtime_after":"2022-07-20T09:21:23","inode_before":533696,"inode_after":534152,"diff":"0a1\n> Testing report changes!\n","changed_attributes":["size","mtime","inode","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}

image

Remove /test_fim/test_fim_report.txt, alert generated:

{"timestamp":"2022-07-20T09:22:11.479+0000","rule":{"level":7,"description":"File deleted.","id":"553","mitre":{"id":["T1070.004","T1485"],"tactic":["Defense Evasion","Impact"],"technique":["File Deletion","Data Destruction"]},"firedtimes":7,"mail":false,"groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"macos1014","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658308931.271044","full_log":"File '/test_fim/test_fim_report.txt' deleted\nMode: scheduled\n","syscheck":{"path":"/test_fim/test_fim_report.txt","mode":"scheduled","size_after":"24","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"96fe445f0f6dea9395b874ef3243298d","sha1_after":"a1d649d9a80deba385b5e21cf6b17687e24a4ff7","sha256_after":"57d19ae7363cb8ffcdf251a2e99904dc7cd89fc6139770770a8a315a7454116a","uname_after":"root","gname_after":"wheel","mtime_after":"2022-07-20T09:21:23","inode_after":534152,"event":"deleted"},"decoder":{"name":"syscheck_deleted"},"location":"syscheck"}

WUI:

image

1.3. Inventory of files 🟢

image

2. Ubuntu 🟢

Added the following configuration to test whodata and report_changes:

<directories whodata="yes">/test_fim</directories>
<directories report_changes="yes" realtime="yes">/test_fim_report</directories>

Agent restarted.

2.1. whodata 🟢

The audit information was properly added to the alerts.

Add /test_fim/test_fim_whodata.txt, alert generated:

{"timestamp":"2022-07-20T09:41:13.913+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":19,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-83-150","ip":"172.31.83.150"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310073.291868","full_log":"File '/test_fim/test_fim_whodata.txt' added\nMode: whodata\n","syscheck":{"path":"/test_fim/test_fim_whodata.txt","mode":"whodata","size_after":"8","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"ddce269a1e3d054cae349621c198dd52","sha1_after":"7893883873a705aec69e2942901f20d7b1e28dec","sha256_after":"13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de","uname_after":"root","gname_after":"root","mtime_after":"2022-07-20T09:41:13","inode_after":774148,"event":"added","audit":{"user":{"id":"0","name":"root"},"process":{"id":"18573","name":"/usr/bin/vim.basic","cwd":"/home/ubuntu","parent_name":"/usr/bin/bash","parent_cwd":"/home/ubuntu","ppid":"13228"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"ubuntu"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}

Modify /test_fim/test_fim_whodata.txt, alert generated:

{"timestamp":"2022-07-20T09:42:57.832+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":9,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-83-150","ip":"172.31.83.150"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310177.317724","full_log":"File '/test_fim/test_fim_whodata.txt' modified\nMode: whodata\nChanged attributes: size,mtime,inode,md5,sha1,sha256\nSize changed from '10' to '23'\nOld modification time was: '1658310154', now it is '1658310176'\nOld inode was: '774149', now it is '774148'\nOld md5sum was: 'e014eec264bf3fe62ed76e03eec9ed4f'\nNew md5sum is : '36b12c2575a3f9fdd633615b1c62430e'\nOld sha1sum was: '8b08c91a23f15386d4af2b8139f9bbd77106e3e5'\nNew sha1sum is : 'e75296c39cecbde158e1ec6f6ea6ea3e8f02d9c2'\nOld sha256sum was: '4aa70a3106d3d12bbfab684460a21fa3b781ba8c72ea078599490dcb2a42b7a3'\nNew sha256sum is : 'dad4dba748cd3d653c1de9cb6102a36ff4aae1e7ccdb3e59cc4ad2b266fff00b'\n","syscheck":{"path":"/test_fim/test_fim_whodata.txt","mode":"whodata","size_before":"10","size_after":"23","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"e014eec264bf3fe62ed76e03eec9ed4f","md5_after":"36b12c2575a3f9fdd633615b1c62430e","sha1_before":"8b08c91a23f15386d4af2b8139f9bbd77106e3e5","sha1_after":"e75296c39cecbde158e1ec6f6ea6ea3e8f02d9c2","sha256_before":"4aa70a3106d3d12bbfab684460a21fa3b781ba8c72ea078599490dcb2a42b7a3","sha256_after":"dad4dba748cd3d653c1de9cb6102a36ff4aae1e7ccdb3e59cc4ad2b266fff00b","uname_after":"root","gname_after":"root","mtime_before":"2022-07-20T09:42:34","mtime_after":"2022-07-20T09:42:56","inode_before":774149,"inode_after":774148,"changed_attributes":["size","mtime","inode","md5","sha1","sha256"],"event":"modified","audit":{"user":{"id":"0","name":"root"},"process":{"id":"18586","name":"/usr/bin/vim.basic","cwd":"/home/ubuntu","parent_name":"/usr/bin/bash","parent_cwd":"/home/ubuntu","ppid":"13228"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"ubuntu"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}

Remove /test_fim/test_fim_whodata.txt, alert generated:

{"timestamp":"2022-07-20T09:43:19.837+0000","rule":{"level":7,"description":"File deleted.","id":"553","mitre":{"id":["T1070.004","T1485"],"tactic":["Defense Evasion","Impact"],"technique":["File Deletion","Data Destruction"]},"firedtimes":8,"mail":false,"groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-83-150","ip":"172.31.83.150"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310199.330648","full_log":"File '/test_fim/test_fim_whodata.txt' deleted\nMode: whodata\n","syscheck":{"path":"/test_fim/test_fim_whodata.txt","mode":"whodata","size_after":"23","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"36b12c2575a3f9fdd633615b1c62430e","sha1_after":"e75296c39cecbde158e1ec6f6ea6ea3e8f02d9c2","sha256_after":"dad4dba748cd3d653c1de9cb6102a36ff4aae1e7ccdb3e59cc4ad2b266fff00b","uname_after":"root","gname_after":"root","mtime_after":"2022-07-20T09:42:56","inode_after":774148,"event":"deleted","audit":{"user":{"id":"0","name":"root"},"process":{"id":"18589","name":"/usr/bin/rm","cwd":"/home/ubuntu","parent_name":"/usr/bin/bash","parent_cwd":"/home/ubuntu","ppid":"13228"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"ubuntu"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_deleted"},"location":"syscheck"}

2.2. report_changes 🟢

Add /test_fim_report/test_fim_report.txt, alert generated:

{"timestamp":"2022-07-20T09:44:05.419+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":20,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-83-150","ip":"172.31.83.150"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310245.331688","full_log":"File '/test_fim_report/test_fim_report.txt' added\nMode: realtime\n","syscheck":{"path":"/test_fim_report/test_fim_report.txt","mode":"realtime","size_after":"4","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"9cd599a3523898e6a12e13ec787da50a","sha1_after":"389cc6b7ae5a659383eab5dfc253764eccf84732","sha256_after":"7aa7a5359173d05b63cfd682e3c38487f3cb4f7f1d60659fe59fab1505977d4c","uname_after":"root","gname_after":"root","mtime_after":"2022-07-20T09:44:05","inode_after":774148,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}

Modify /test_fim_report/test_fim_report.txt, alert generated (changes properly reported):

{"timestamp":"2022-07-20T09:44:25.277+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":12,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-83-150","ip":"172.31.83.150"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310265.343771","full_log":"File '/test_fim_report/test_fim_report.txt' modified\nMode: realtime\nChanged attributes: size,mtime,inode,md5,sha1,sha256\nSize changed from '4' to '23'\nOld modification time was: '1658310245', now it is '1658310265'\nOld inode was: '774148', now it is '774149'\nOld md5sum was: '9cd599a3523898e6a12e13ec787da50a'\nNew md5sum is : '95c428a28d5634e485e63c6e38c86ead'\nOld sha1sum was: '389cc6b7ae5a659383eab5dfc253764eccf84732'\nNew sha1sum is : '0a4e72679ce2bbf5907d91c2b713d99f2c8a9f0e'\nOld sha256sum was: '7aa7a5359173d05b63cfd682e3c38487f3cb4f7f1d60659fe59fab1505977d4c'\nNew sha256sum is : '5a93405a9e5b232f16a8bac6c38ab5a88084183db0a498d0bc0b5fc9de2dd494'\n","syscheck":{"path":"/test_fim_report/test_fim_report.txt","mode":"realtime","size_before":"4","size_after":"23","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"9cd599a3523898e6a12e13ec787da50a","md5_after":"95c428a28d5634e485e63c6e38c86ead","sha1_before":"389cc6b7ae5a659383eab5dfc253764eccf84732","sha1_after":"0a4e72679ce2bbf5907d91c2b713d99f2c8a9f0e","sha256_before":"7aa7a5359173d05b63cfd682e3c38487f3cb4f7f1d60659fe59fab1505977d4c","sha256_after":"5a93405a9e5b232f16a8bac6c38ab5a88084183db0a498d0bc0b5fc9de2dd494","uname_after":"root","gname_after":"root","mtime_before":"2022-07-20T09:44:05","mtime_after":"2022-07-20T09:44:25","inode_before":774148,"inode_after":774149,"diff":"1c1\n< new\n---\n> testing report_changes\n","changed_attributes":["size","mtime","inode","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}

Remove /test_fim_report/test_fim_report.txt, alert generated:

{"timestamp":"2022-07-20T09:44:54.206+0000","rule":{"level":7,"description":"File deleted.","id":"553","mitre":{"id":["T1070.004","T1485"],"tactic":["Defense Evasion","Impact"],"technique":["File Deletion","Data Destruction"]},"firedtimes":9,"mail":false,"groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"ip-172-31-83-150","ip":"172.31.83.150"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310294.357065","full_log":"File '/test_fim_report/test_fim_report.txt' deleted\nMode: realtime\n","syscheck":{"path":"/test_fim_report/test_fim_report.txt","mode":"realtime","size_after":"23","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"95c428a28d5634e485e63c6e38c86ead","sha1_after":"0a4e72679ce2bbf5907d91c2b713d99f2c8a9f0e","sha256_after":"5a93405a9e5b232f16a8bac6c38ab5a88084183db0a498d0bc0b5fc9de2dd494","uname_after":"root","gname_after":"root","mtime_after":"2022-07-20T09:44:25","inode_after":774149,"event":"deleted"},"decoder":{"name":"syscheck_deleted"},"location":"syscheck"}

WUI:

image

2.3. Inventory of files 🟢

image

3. Windows 🟢

Added the following configuration to test whodata and report_changes:

<directories whodata="yes">C:\Windows\testfim</directories>
<directories report_changes="yes" realtime="yes">C:\Windows\testfimreport</directories>

Agent restarted.

3.1. whodata 🟢

The audit information was properly added to the alerts.

Add /testfim/testfimwhodata.txt, alert generated:

{"timestamp":"2022-07-20T09:52:29.977+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":23,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"IE8WIN7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310749.383688","full_log":"File 'c:\\windows\\testfim\\testfimwhodata.txt' added\nMode: whodata\n","syscheck":{"path":"c:\\windows\\testfim\\testfimwhodata.txt","mode":"whodata","size_after":"7","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]}],"uid_after":"S-1-5-32-544","md5_after":"08986fb9059ed98b356daa00a6ba618b","sha1_after":"26e3c6510938577e33e1ad5d29fd403ac38be60e","sha256_after":"5f5d43a37cd2fcecc8e9f07901c26074af4afdff0d42e271aa7254c86654f817","attrs_after":["ARCHIVE"],"uname_after":"Administrators","mtime_after":"2022-07-20T09:52:24","event":"added","audit":{"user":{"id":"S-1-5-21-1716914095-909560446-1177810406-1000","name":"IEUser"},"process":{"id":"3432","name":"C:\\Windows\\System32\\dllhost.exe"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}

Modify /testfim/testfimwhodata.txt, alert generated:

{"timestamp":"2022-07-20T09:53:31.983+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":16,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"IE8WIN7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310811.384936","full_log":"File 'c:\\windows\\testfim\\testfimwhodata.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '7' to '19'\nOld modification time was: '1658310744', now it is '1658310800'\nOld md5sum was: '08986fb9059ed98b356daa00a6ba618b'\nNew md5sum is : '383fe686dd5afb8712cd9f78a89c6214'\nOld sha1sum was: '26e3c6510938577e33e1ad5d29fd403ac38be60e'\nNew sha1sum is : '53c7f9771e3683fcf371ad06c6443c1f4d433dd1'\nOld sha256sum was: '5f5d43a37cd2fcecc8e9f07901c26074af4afdff0d42e271aa7254c86654f817'\nNew sha256sum is : 'f5443b9d7d06bd94109766e988a7a0d0bf3d7cb09494d967a2de4a2b42c652c9'\n","syscheck":{"path":"c:\\windows\\testfim\\testfimwhodata.txt","mode":"whodata","size_before":"7","size_after":"19","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]}],"uid_after":"S-1-5-32-544","md5_before":"08986fb9059ed98b356daa00a6ba618b","md5_after":"383fe686dd5afb8712cd9f78a89c6214","sha1_before":"26e3c6510938577e33e1ad5d29fd403ac38be60e","sha1_after":"53c7f9771e3683fcf371ad06c6443c1f4d433dd1","sha256_before":"5f5d43a37cd2fcecc8e9f07901c26074af4afdff0d42e271aa7254c86654f817","sha256_after":"f5443b9d7d06bd94109766e988a7a0d0bf3d7cb09494d967a2de4a2b42c652c9","attrs_after":["ARCHIVE"],"uname_after":"Administrators","mtime_before":"2022-07-20T09:52:24","mtime_after":"2022-07-20T09:53:20","changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified","audit":{"user":{"id":"S-1-5-21-1716914095-909560446-1177810406-1000","name":"IEUser"},"process":{"id":"3696","name":"C:\\Windows\\System32\\dllhost.exe"}}},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}

Remove /testfim/testfimwhodata.txt, alert generated:

{"timestamp":"2022-07-20T09:54:03.969+0000","rule":{"level":7,"description":"File deleted.","id":"553","mitre":{"id":["T1070.004","T1485"],"tactic":["Defense Evasion","Impact"],"technique":["File Deletion","Data Destruction"]},"firedtimes":10,"mail":false,"groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"IE8WIN7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310843.386728","full_log":"File 'c:\\windows\\testfim\\testfimwhodata.txt' deleted\nMode: whodata\n","syscheck":{"path":"c:\\windows\\testfim\\testfimwhodata.txt","mode":"whodata","size_after":"19","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]}],"uid_after":"S-1-5-32-544","md5_after":"383fe686dd5afb8712cd9f78a89c6214","sha1_after":"53c7f9771e3683fcf371ad06c6443c1f4d433dd1","sha256_after":"f5443b9d7d06bd94109766e988a7a0d0bf3d7cb09494d967a2de4a2b42c652c9","attrs_after":["ARCHIVE"],"uname_after":"Administrators","mtime_after":"2022-07-20T09:53:20","event":"deleted","audit":{"user":{"id":"S-1-5-21-1716914095-909560446-1177810406-1000","name":"IEUser"},"process":{"id":"2372","name":"C:\\Windows\\System32\\dllhost.exe"}}},"decoder":{"name":"syscheck_deleted"},"location":"syscheck"}

3.2. report_changes 🟢

Add /testfimreport/testfimreport.txt, alert generated:

{"timestamp":"2022-07-20T09:55:10.405+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":25,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"IE8WIN7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310910.389218","full_log":"File 'c:\\windows\\testfimreport\\testfimreport.txt' added\nMode: realtime\n","syscheck":{"path":"c:\\windows\\testfimreport\\testfimreport.txt","mode":"realtime","size_after":"19","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]}],"uid_after":"S-1-5-32-544","md5_after":"383fe686dd5afb8712cd9f78a89c6214","sha1_after":"53c7f9771e3683fcf371ad06c6443c1f4d433dd1","sha256_after":"f5443b9d7d06bd94109766e988a7a0d0bf3d7cb09494d967a2de4a2b42c652c9","attrs_after":["ARCHIVE"],"uname_after":"Administrators","mtime_after":"2022-07-20T09:55:03","event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}

Modify /testfimreport/testfimreport.txt, alert generated (changes properly reported):

{"timestamp":"2022-07-20T09:56:02.859+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":17,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"IE8WIN7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310962.390359","full_log":"File 'c:\\windows\\testfimreport\\testfimreport.txt' modified\nMode: realtime\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '19' to '25'\nOld modification time was: '1658310903', now it is '1658310956'\nOld md5sum was: '383fe686dd5afb8712cd9f78a89c6214'\nNew md5sum is : 'a2e160ae1ad7e954cafe33ef06c96497'\nOld sha1sum was: '53c7f9771e3683fcf371ad06c6443c1f4d433dd1'\nNew sha1sum is : '0ffade3ee84f916c71e16d9e95aceaa1b3dd6cb9'\nOld sha256sum was: 'f5443b9d7d06bd94109766e988a7a0d0bf3d7cb09494d967a2de4a2b42c652c9'\nNew sha256sum is : '5621738a24045f4492637cac7b2c54955441f61af86e295ea873193a82420b7d'\n","syscheck":{"path":"c:\\windows\\testfimreport\\testfimreport.txt","mode":"realtime","size_before":"19","size_after":"25","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]}],"uid_after":"S-1-5-32-544","md5_before":"383fe686dd5afb8712cd9f78a89c6214","md5_after":"a2e160ae1ad7e954cafe33ef06c96497","sha1_before":"53c7f9771e3683fcf371ad06c6443c1f4d433dd1","sha1_after":"0ffade3ee84f916c71e16d9e95aceaa1b3dd6cb9","sha256_before":"f5443b9d7d06bd94109766e988a7a0d0bf3d7cb09494d967a2de4a2b42c652c9","sha256_after":"5621738a24045f4492637cac7b2c54955441f61af86e295ea873193a82420b7d","attrs_after":["ARCHIVE"],"uname_after":"Administrators","mtime_before":"2022-07-20T09:55:03","mtime_after":"2022-07-20T09:55:56","diff":"< \n< modified\n---\n> \n> report changes\n","changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}

Remove /test_fim_report/test_fim_report.txt, alert generated:

{"timestamp":"2022-07-20T09:56:25.227+0000","rule":{"level":7,"description":"File deleted.","id":"553","mitre":{"id":["T1070.004","T1485"],"tactic":["Defense Evasion","Impact"],"technique":["File Deletion","Data Destruction"]},"firedtimes":11,"mail":false,"groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"IE8WIN7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658310985.392098","full_log":"File 'c:\\windows\\testfimreport\\testfimreport.txt' deleted\nMode: realtime\n","syscheck":{"path":"c:\\windows\\testfimreport\\testfimreport.txt","mode":"realtime","size_after":"25","win_perm_after":[{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]}],"uid_after":"S-1-5-32-544","md5_after":"a2e160ae1ad7e954cafe33ef06c96497","sha1_after":"0ffade3ee84f916c71e16d9e95aceaa1b3dd6cb9","sha256_after":"5621738a24045f4492637cac7b2c54955441f61af86e295ea873193a82420b7d","attrs_after":["ARCHIVE"],"uname_after":"Administrators","mtime_after":"2022-07-20T09:55:56","event":"deleted"},"decoder":{"name":"syscheck_deleted"},"location":"syscheck"}

WUI:

image

3.3. Inventory of files 🟢

image

@mcarmona99
Contributor Author

Proof of concept test 🟢

Check that these use cases still work for the current release under test:
https://documentation.wazuh.com/current/proof-of-concept-guide/poc-file-integrity-monitoring.html

Configuration 🟢

Added configurations to the Ubuntu agent and Windows agent.

Agents restarted properly.

Query the alerts 🟢

Steps to generate the alerts: Create, remove, or modify a file in the monitored directories.

UBUNTU: files created, removed, and modified in

  • /usr/bin
  • /etc/cron*
  • /home (recursion_level="2")

whodata working (/usr/bin) ✔️

image

image

tags working (/etc/cron.d) ✔️
report_changes working (/etc/cron.d) ✔️
wildcard working (/etc/cron.d) ✔️

image

image

image

recursion_level working (/home/ubuntu/example_home) ✔️

image

image

WINDOWS: file created, removed, and modified in

  • C:\Wazuh

Alerts (JSON):

{"timestamp":"2022-07-20T10:19:34.995+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":7,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"IE8WIN7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658312374.618753","full_log":"File 'c:\\wazuh\\example.txt' added\nMode: whodata\n","syscheck":{"path":"c:\\wazuh\\example.txt","mode":"whodata","size_after":"2","win_perm_after":[{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]},{"name":"Authenticated Users","allowed":["DELETE","READ_CONTROL","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]}],"uid_after":"S-1-5-21-1716914095-909560446-1177810406-1000","md5_after":"154e9119b643212869c49c863b92ee0e","sha1_after":"b5fad4dc567bd3a1f97ec8cf207d7ff327378f8f","sha256_after":"d0dce0f3710349b4195cd769073b782839b73d828bfd0827777fe0e9e13e3d6f","attrs_after":["ARCHIVE"],"uname_after":"IEUser","mtime_after":"2022-07-20T10:19:34","event":"added","audit":{"user":{"id":"S-1-5-21-1716914095-909560446-1177810406-1000","name":"IEUser"},"process":{"id":"3536","name":"C:\\Windows\\System32\\notepad.exe"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}


{"timestamp":"2022-07-20T10:19:55.026+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":7,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"IE8WIN7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658312395.620164","full_log":"File 'c:\\wazuh\\example.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '2' to '7'\nOld modification time was: '1658312374', now it is '1658312394'\nOld md5sum was: '154e9119b643212869c49c863b92ee0e'\nNew md5sum is : 'ae2b1fca515949e5d54fb22b8ed95575'\nOld sha1sum was: 'b5fad4dc567bd3a1f97ec8cf207d7ff327378f8f'\nNew sha1sum is : 'dc724af18fbdd4e59189f5fe768a5f8311527050'\nOld sha256sum was: 'd0dce0f3710349b4195cd769073b782839b73d828bfd0827777fe0e9e13e3d6f'\nNew sha256sum is : 'cf80cd8aed482d5d1527d7dc72fceff84e6326592848447d2dc0b0e87dfc9a90'\n","syscheck":{"path":"c:\\wazuh\\example.txt","mode":"whodata","size_before":"2","size_after":"7","win_perm_after":[{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]},{"name":"Authenticated Users","allowed":["DELETE","READ_CONTROL","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]}],"uid_after":"S-1-5-21-1716914095-909560446-1177810406-1000","md5_before":"154e9119b643212869c49c863b92ee0e","md5_after":"ae2b1fca515949e5d54fb22b8ed95575","sha1_before":"b5fad4dc567bd3a1f97ec8cf207d7ff327378f8f","sha1_after":"dc724af18fbdd4e59189f5fe768a5f8311527050","sha256_before":"d0dce0f3710349b4195cd769073b782839b73d828bfd0827777fe0e9e13e3d6f","sha256_after":"cf80cd8aed482d5d1527d7dc72fceff84e6326592848447d2dc0b0e87dfc9a90","attrs_after":["ARCHIVE"],"uname_after":"IEUser","mtime_before":"2022-07-20T10:19:34","mtime_after":"2022-07-20T10:19:54","diff":"< hI\n---\n> testing\n","changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified","audit":{"user":{"id":"S-1-5-21-1716914095-909560446-1177810406-1000","name":"IEUser"},"process":{"id":"3104","name":"C:\\Windows\\System32\\notepad.exe"}}},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}


{"timestamp":"2022-07-20T10:20:36.970+0000","rule":{"level":7,"description":"File deleted.","id":"553","mitre":{"id":["T1070.004","T1485"],"tactic":["Defense Evasion","Impact"],"technique":["File Deletion","Data Destruction"]},"firedtimes":6,"mail":false,"groups":["ossec","syscheck","syscheck_entry_deleted","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"002","name":"IE8WIN7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-89-174"},"id":"1658312436.622152","full_log":"File 'c:\\wazuh\\example.txt' deleted\nMode: whodata\n","syscheck":{"path":"c:\\wazuh\\example.txt","mode":"whodata","size_after":"7","win_perm_after":[{"name":"Administrators","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"SYSTEM","allowed":["DELETE","READ_CONTROL","WRITE_DAC","WRITE_OWNER","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]},{"name":"Users","allowed":["READ_CONTROL","SYNCHRONIZE","READ_DATA","READ_EA","EXECUTE","READ_ATTRIBUTES"]},{"name":"Authenticated Users","allowed":["DELETE","READ_CONTROL","SYNCHRONIZE","READ_DATA","WRITE_DATA","APPEND_DATA","READ_EA","WRITE_EA","EXECUTE","READ_ATTRIBUTES","WRITE_ATTRIBUTES"]}],"uid_after":"S-1-5-21-1716914095-909560446-1177810406-1000","md5_after":"ae2b1fca515949e5d54fb22b8ed95575","sha1_after":"dc724af18fbdd4e59189f5fe768a5f8311527050","sha256_after":"cf80cd8aed482d5d1527d7dc72fceff84e6326592848447d2dc0b0e87dfc9a90","attrs_after":["ARCHIVE"],"uname_after":"IEUser","mtime_after":"2022-07-20T10:19:54","event":"deleted","audit":{"user":{"id":"S-1-5-21-1716914095-909560446-1177810406-1000","name":"IEUser"},"process":{"id":"2104","name":"C:\\Windows\\explorer.exe"}}},"decoder":{"name":"syscheck_deleted"},"location":"syscheck"}
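The alerts pasted in sections 3.1, 3.2 and in this proof-of-concept check are reviewed by eye: does the rule id match the event, do the before/after hashes agree with changed_attributes, does the report_changes diff show the edit, and does whodata name the user and process. The following script automates that review. It is an added example, not Wazuh's code; the alert it parses is a constructed record with the same field layout as the ones above and placeholder hash values, and the event-to-rule mapping (added 554, modified 550, deleted 553) is taken from the alerts on this page.

```python
"""Summarize Wazuh syscheck (FIM) alerts of the kind pasted in this report.

Added example, not Wazuh's own code. It reads one alerts.json record and
extracts what a reviewer checks by hand: event type vs. rule id, the
before/after hashes vs. changed_attributes, the report_changes diff and the
whodata user/process. SAMPLE_ALERT_JSON is constructed to mirror the page's
records; its hash values are placeholders, not real digests.
"""
import json

# Rule ids observed for each syscheck event in the alerts above.
RULE_FOR_EVENT = {"added": "554", "modified": "550", "deleted": "553"}
HASHES = ("md5", "sha1", "sha256")

# Constructed sample: same shape as the page's alerts, placeholder values.
SAMPLE_ALERT_JSON = json.dumps({
    "timestamp": "2022-07-20T09:56:02.859+0000",
    "rule": {"level": 7, "description": "Integrity checksum changed.", "id": "550"},
    "agent": {"id": "002", "name": "IE8WIN7"},
    "syscheck": {
        "path": "c:\\windows\\testfimreport\\testfimreport.txt",
        "mode": "whodata",
        "size_before": "19", "size_after": "25",
        "md5_before": "md5-old", "md5_after": "md5-new",
        "sha1_before": "sha1-old", "sha1_after": "sha1-new",
        "sha256_before": "sha256-old", "sha256_after": "sha256-new",
        "diff": "< \n< modified\n---\n> \n> report changes\n",
        "changed_attributes": ["size", "mtime", "md5", "sha1", "sha256"],
        "event": "modified",
        "audit": {"user": {"name": "IEUser"},
                  "process": {"id": "3696", "name": "C:\\Windows\\System32\\dllhost.exe"}},
    },
    "decoder": {"name": "syscheck_integrity_changed"},
    "location": "syscheck",
})


def parse_diff(diff_text):
    """Split the report_changes 'diff' field into (old_lines, new_lines).

    The field is plain diff(1) output: '< ' prefixes old content, '> ' new
    content and '---' separates the two; other lines carry no file content.
    """
    old, new = [], []
    for line in diff_text.splitlines():
        if line.startswith("< "):
            old.append(line[2:])
        elif line.startswith("> "):
            new.append(line[2:])
    return old, new


def hashes_consistent(syscheck):
    """True when each hash named in changed_attributes really differs between
    *_before and *_after, and each hash not named is unchanged. Added and
    deleted events carry only *_after values and are trivially consistent."""
    changed = set(syscheck.get("changed_attributes", []))
    for algo in HASHES:
        before = syscheck.get(f"{algo}_before")
        if before is None:
            continue
        if (before != syscheck.get(f"{algo}_after")) != (algo in changed):
            return False
    return True


def summarize_alert(raw_json):
    """Reduce one alerts.json record to the fields a FIM reviewer compares."""
    alert = json.loads(raw_json)
    sc = alert["syscheck"]
    audit = sc.get("audit", {})                 # present only in whodata mode
    old, new = parse_diff(sc.get("diff", ""))   # present only with report_changes
    return {
        "agent": alert["agent"]["name"],
        "event": sc["event"],
        "rule_id": alert["rule"]["id"],
        "rule_matches_event": RULE_FOR_EVENT.get(sc["event"]) == alert["rule"]["id"],
        "path": sc["path"],
        "mode": sc["mode"],
        "changed": list(sc.get("changed_attributes", [])),
        "hashes_consistent": hashes_consistent(sc),
        "whodata_user": audit.get("user", {}).get("name"),
        "whodata_process": audit.get("process", {}).get("name"),
        "diff_old": old,
        "diff_new": new,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_alert(SAMPLE_ALERT_JSON), indent=2))
```

Feeding it a line from the manager's alerts.json in place of SAMPLE_ALERT_JSON gives the same summary for a real record; a False in rule_matches_event or hashes_consistent is the kind of discrepancy that would turn one of the green results above red.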

Alerts (WUI):

image

@mcarmona99
Contributor Author

Blogpost 🟡

I have used the Ubuntu agent to replicate the use case.

Check that this blog post is still valid for the current release under test (suggest changes otherwise):
https://wazuh.com/blog/preventing-and-detecting-ransomware-with-wazuh/

Step 1: Prepare the test environment 🟢

/home/vagrant/test directory created.

Agent configuration:

<syscheck>
<directories check_all="yes" whodata="yes">/home/vagrant/test</directories>
</syscheck>

Agent restarted and ransomware file downloaded:

# service wazuh-agent restart
# wget https://wazuh.com/resources/blog/detect-ransomware-with-wazuh/wazuh-ransomware-poc.py
...
Saving to: ‘wazuh-ransomware-poc.py’

wazuh-ransomware-poc.py            100%[================================================================>]   3.48K  --.-KB/s    in 0s      

2022-07-20 10:26:43 (66.0 MB/s) - ‘wazuh-ransomware-poc.py’ saved [3559/3559]

The files have been downloaded:

# ls -lRh /home/vagrant/test/ | wc -l
242

And the alerts generated:

image

Step 2: Simulating the attack 🟢

# python3 wazuh-ransomware-poc.py attack

Wazuh successfully detected the events that are generated during the attack in this simulation.

image

File deleted alert example:

image

Monitoring Wazuh alerts and setting up triggers 🟡

The blog post uses Open Distro references instead of OpenSearch. Already reported in wazuh/wazuh-documentation#5013. Apart from the already reported issue, the link https://opendistro.github.io/for-elasticsearch/features/alerting.html shown in the blog post shows an empty page.

Apart from these issues, the monitor can be set up easily in the OpenSearch Plugins > Alerting section of the WUI.

Added events monitor preview:

image

Monitor created and working (events added):

image

Monitor created and working (events deleted):

image

Monitors:

image
