Skip to content

Commit

Permalink
Endpoint configuration implemented in admin API
Browse files Browse the repository at this point in the history
  • Loading branch information
qjerome committed Jul 27, 2022
1 parent 2305403 commit 684e11c
Show file tree
Hide file tree
Showing 20 changed files with 2,682 additions and 2,057 deletions.
166 changes: 85 additions & 81 deletions .github/coverage/coverage.txt

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion agent/agent.go
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,7 @@ func NewAgent(c *config.Agent) (h *Agent, err error) {
}

// loading forwarder config
if h.forwarder, err = client.NewForwarder(h.ctx, h.config.FwdConfig); err != nil {
if h.forwarder, err = client.NewForwarder(h.ctx, &h.config.FwdConfig); err != nil {
return
}

Expand Down
20 changes: 10 additions & 10 deletions agent/config/canary.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,19 +6,19 @@ import (

// Canary configuration
type Canary struct {
HideFiles bool `toml:"hide-files" comment:"Flag to set to hide files"`
HideDirectories bool `toml:"hide-dirs" comment:"Flag to set to hide directories"`
SetAuditACL bool `toml:"set-audit-acl" comment:"Set Audit ACL to the canary directories, sub-directories and files to generate File System audit events\n https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"`
Directories []string `toml:"directories" comment:"Directories where canary files will be created"`
Files []string `toml:"files" comment:"Canary files to monitor. Files will be created if not existing"`
Delete bool `toml:"delete" comment:"Whether to delete or not the canary files when service stops"`
HideFiles bool `json:"hide-files" toml:"hide-files" comment:"Flag to set to hide files"`
HideDirectories bool `json:"hide-dirs" toml:"hide-dirs" comment:"Flag to set to hide directories"`
SetAuditACL bool `json:"set-audit-acl" toml:"set-audit-acl" comment:"Set Audit ACL to the canary directories, sub-directories and files to generate File System audit events\n https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"`
Directories []string `json:"directories" toml:"directories" comment:"Directories where canary files will be created"`
Files []string `json:"files" toml:"files" comment:"Canary files to monitor. Files will be created if not existing"`
Delete bool `json:"delete" toml:"delete" comment:"Whether to delete or not the canary files when service stops"`
createdDir *datastructs.SyncedSet
}

// Canaries structure holding canary configuration
type Canaries struct {
Enable bool `toml:"enable" comment:"Enable canary files management"`
Actions []string `toml:"actions" comment:"Actions to apply when a canary file is touched"`
Whitelist []string `toml:"whitelist" comment:"Process images being allowed to touch the canaries"`
Canaries []*Canary `toml:"group" comment:"Canary files to create at every run"`
Enable bool `json:"enable" toml:"enable" comment:"Enable canary files management"`
Actions []string `json:"actions" toml:"actions" comment:"Actions to apply when a canary file is touched"`
Whitelist []string `json:"whitelist" toml:"whitelist" comment:"Process images being allowed to touch the canaries"`
Canaries []*Canary `json:"group" toml:"group" comment:"Canary files to create at every run"`
}
71 changes: 35 additions & 36 deletions agent/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,33 +27,33 @@ var (
)

type Actions struct {
AvailableActions []string `toml:"available-actions" commented:"true" comment:"List of available actions (here as a memo for easier configuration, but it is not used in any way by the engine)"`
Low []string `toml:"low" comment:"Default actions to be taken when event criticality is in [1; 4]"`
Medium []string `toml:"medium" comment:"Default actions to be taken when event criticality is in [5; 7]"`
High []string `toml:"high" comment:"Default actions to be taken when event criticality is in [8; 9]"`
Critical []string `toml:"critical" comment:"Default actions to be taken when event criticality is 10"`
AvailableActions []string `json:"available-actions" toml:"available-actions" commented:"true" comment:"List of available actions (here as a memo for easier configuration, but it is not used in any way by the engine)"`
Low []string `json:"low" toml:"low" comment:"Default actions to be taken when event criticality is in [1; 4]"`
Medium []string `json:"medium" toml:"medium" comment:"Default actions to be taken when event criticality is in [5; 7]"`
High []string `json:"high" toml:"high" comment:"Default actions to be taken when event criticality is in [8; 9]"`
Critical []string `json:"critical" toml:"critical" comment:"Default actions to be taken when event criticality is 10"`
}

// Dump structure definition
type Dump struct {
Dir string `toml:"dir" comment:"Directory used to store dumps"`
MaxDumps int `toml:"max-dumps" comment:"Maximum number of dumps per process"` // maximum number of dump per GUID
Compression bool `toml:"compression" comment:"Enable dumps compression"`
DumpUntracked bool `toml:"dump-untracked" comment:"Dumps untracked process. Untracked processes are missing\n enrichment information and may generate unwanted dumps"` // whether or not we should dump untracked processes, if true it would create many FPs
Dir string `json:"dir" toml:"dir" comment:"Directory used to store dumps"`
MaxDumps int `json:"max-dumps" toml:"max-dumps" comment:"Maximum number of dumps per process"` // maximum number of dump per GUID
Compression bool `json:"compression" toml:"compression" comment:"Enable dumps compression"`
DumpUntracked bool `json:"dump-untracked" toml:"dump-untracked" comment:"Dumps untracked process. Untracked processes are missing\n enrichment information and may generate unwanted dumps"` // whether or not we should dump untracked processes, if true it would create many FPs
}

// Sysmon holds Sysmon related configuration
type Sysmon struct {
Bin string `toml:"bin" comment:"Path to Sysmon binary"`
ArchiveDirectory string `toml:"archive-directory" comment:"Path to Sysmon Archive directory"`
CleanArchived bool `toml:"clean-archived" comment:"Delete files older than 5min archived by Sysmon"`
Bin string `json:"bin" toml:"bin" comment:"Path to Sysmon binary"`
ArchiveDirectory string `json:"archive-directory" toml:"archive-directory" comment:"Path to Sysmon Archive directory"`
CleanArchived bool `json:"clean-archived" toml:"clean-archived" comment:"Delete files older than 5min archived by Sysmon"`
}

// Rules holds rules configuration
type Rules struct {
RulesDB string `toml:"rules-db" comment:"Path to Gene rules database"`
ContainersDB string `toml:"containers-db" comment:"Path to Gene rules containers\n (c.f. Gene documentation)"`
UpdateInterval time.Duration `toml:"update-interval" comment:"Update interval at which rules should be pulled from manager\n NB: only applies if a manager server is configured"`
RulesDB string `json:"rules-db" toml:"rules-db" comment:"Path to Gene rules database"`
ContainersDB string `json:"containers-db" toml:"containers-db" comment:"Path to Gene rules containers\n (c.f. Gene documentation)"`
UpdateInterval time.Duration `json:"update-interval" toml:"update-interval" comment:"Update interval at which rules should be pulled from manager\n NB: only applies if a manager server is configured"`
}

func (c *Rules) RulesPaths() (path, sha256Path string) {
Expand All @@ -64,9 +64,9 @@ func (c *Rules) RulesPaths() (path, sha256Path string) {

// Audit holds Windows audit configuration
type Audit struct {
Enable bool `toml:"enable" comment:"Enable following Audit Policies or not"`
AuditPolicies []string `toml:"audit-policies" comment:"Audit Policies to enable (c.f. auditpol /get /category:* /r)"`
AuditDirs []string `toml:"audit-dirs" comment:"Set Audit ACL to directories, sub-directories and files to generate File System audit events\n https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system)"`
Enable bool `json:"enable" toml:"enable" comment:"Enable following Audit Policies or not"`
AuditPolicies []string `json:"audit-policies" toml:"audit-policies" comment:"Audit Policies to enable (c.f. auditpol /get /category:* /r)"`
AuditDirs []string `json:"audit-dirs" toml:"audit-dirs" comment:"Set Audit ACL to directories, sub-directories and files to generate File System audit events\n https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system)"`
}

// Configure configures the desired audit policies
Expand Down Expand Up @@ -111,23 +111,22 @@ func (c *Audit) Restore() {

// Agent structure
type Agent struct {
//Channels []string `toml:"channels" comment:"Windows log channels to listen to. Either channel names\n can be used (i.e. Microsoft-Windows-Sysmon/Operational) or aliases"`
DatabasePath string `toml:"db-path" comment:"Path to local database root directory"`
CritTresh int `toml:"criticality-treshold" comment:"Dumps/forward only events above criticality threshold\n or filtered events (i.e. Gene filtering rules)"`
EnableHooks bool `toml:"en-hooks" comment:"Enable enrichment hooks and dump hooks"`
EnableFiltering bool `toml:"en-filters" comment:"Enable event filtering (log filtered events, not only alerts)\n See documentation: https://github.com/0xrawsec/gene"`
Logfile string `toml:"logfile" comment:"Logfile used to log messages generated by the engine"` // for WHIDS log messages (not alerts)
LogAll bool `toml:"log-all" comment:"Log any incoming event passing through the engine"` // log all events to logfile (used for debugging)
Endpoint bool `toml:"endpoint" comment:"True if current host is the endpoint on which logs are generated\n Example: turn this off if running on a WEC"`
EtwConfig *Etw `toml:"etw" comment:"ETW configuration"`
FwdConfig *config.Forwarder `toml:"forwarder" comment:"Forwarder configuration"`
Sysmon *Sysmon `toml:"sysmon" comment:"Sysmon related settings"`
Actions *Actions `toml:"actions" comment:"Default actions to apply to events, depending on their criticality"`
Dump *Dump `toml:"dump" comment:"Dump related settings"`
Report *Report `toml:"reporting" comment:"Reporting related settings"`
RulesConfig *Rules `toml:"rules" comment:"Gene rules related settings\n Gene repo: https://github.com/0xrawsec/gene\n Gene rules repo: https://github.com/0xrawsec/gene-rules"`
AuditConfig *Audit `toml:"audit" comment:"Windows auditing configuration"`
CanariesConfig *Canaries `toml:"canaries" comment:"Canary files configuration"`
DatabasePath string `json:"db-path" toml:"db-path" comment:"Path to local database root directory"`
CritTresh int `json:"criticality-treshold" toml:"criticality-treshold" comment:"Dumps/forward only events above criticality threshold\n or filtered events (i.e. Gene filtering rules)" `
EnableHooks bool `json:"en-hooks" toml:"en-hooks" comment:"Enable enrichment hooks and dump hooks"`
EnableFiltering bool `json:"en-filters" toml:"en-filters" comment:"Enable event filtering (log filtered events, not only alerts)\n See documentation: https://github.com/0xrawsec/gene" `
Logfile string `json:"logfile" toml:"logfile" comment:"Logfile used to log messages generated by the engine"` // for WHIDS log messages (not alerts)
LogAll bool `json:"log-all" toml:"log-all" comment:"Log any incoming event passing through the engine" ` // log all events to logfile (used for debugging)
Endpoint bool `json:"endpoint" toml:"endpoint" comment:"True if current host is the endpoint on which logs are generated\n Example: turn this off if running on a WEC"`
EtwConfig Etw `json:"etw" toml:"etw" comment:"ETW configuration"`
FwdConfig config.Forwarder `json:"forwarder" toml:"forwarder" comment:"Forwarder configuration"`
Sysmon Sysmon `json:"sysmon" toml:"sysmon" comment:"Sysmon related settings"`
Actions Actions `json:"actions" toml:"actions" comment:"Default actions to apply to events, depending on their criticality"`
Dump Dump `json:"dump" toml:"dump" comment:"Dump related settings"`
Report Report `json:"report" toml:"reporting" comment:"Reporting related settings"`
RulesConfig Rules `json:"rules" toml:"rules" comment:"Gene rules related settings\n Gene repo: https://github.com/0xrawsec/gene\n Gene rules repo: https://github.com/0xrawsec/gene-rules"`
AuditConfig Audit `json:"audit" toml:"audit" comment:"Windows auditing configuration"`
CanariesConfig Canaries `json:"canaries" toml:"canaries" comment:"Canary files configuration"`
}

// LoadsHIDSConfig loads a HIDS configuration from a file
Expand All @@ -144,7 +143,7 @@ func LoadsHIDSConfig(path string) (c Agent, err error) {

// IsForwardingEnabled returns true if a forwarder is actually configured to forward logs
func (c *Agent) IsForwardingEnabled() bool {
return *c.FwdConfig != emptyForwarderConfig && !c.FwdConfig.Local
return c.FwdConfig != emptyForwarderConfig && !c.FwdConfig.Local
}

// Prepare creates directory used in the config if not existing
Expand Down
6 changes: 3 additions & 3 deletions agent/config/etw.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ package config

type Etw struct {
// set as private not to support it officially as Microsoft-Windows-Kernel-File generates too many events
enTraceFile bool `toml:"trace-files" comment:"Enable file read/write events via an optimized Microsoft-Windows-Kernel-File provider"`
Providers []string `toml:"providers" comment:"ETW providers to enable in the EDR autologger setting"`
Traces []string `toml:"traces" comment:"Additional ETW traces to retrieve events"`
enTraceFile bool `json:"trace-files" toml:"trace-files" comment:"Enable file read/write events via an optimized Microsoft-Windows-Kernel-File provider"`
Providers []string `json:"providers" toml:"providers" comment:"ETW providers to enable in the EDR autologger setting"`
Traces []string `json:"traces" toml:"traces" comment:"Additional ETW traces to retrieve events"`
}
10 changes: 5 additions & 5 deletions agent/config/reports.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ var (

// OSQuery holds configuration about OSQuery tool
type OSQuery struct {
Tables []string `toml:"tables" comment:"OSQuery tables to add to the report"`
Tables []string `json:"tables" toml:"tables" comment:"OSQuery tables to add to the report"`
}

// PrepareCommands builds up osquery commands
Expand All @@ -84,10 +84,10 @@ func (c *OSQuery) PrepareCommands() (cmds []ReportCommand) {

// Report holds report configuration
type Report struct {
EnableReporting bool `toml:"en-reporting" comment:"Enables IR reporting"`
OSQuery OSQuery `toml:"osquery" comment:"OSQuery configuration"`
Commands []ReportCommand `toml:"commands" comment:"Commands to execute in addition to the OSQuery ones" commented:"true"`
CommandTimeout time.Duration `toml:"timeout" comment:"Timeout after which every command expires (to prevent too long commands)"`
EnableReporting bool `json:"en-reporting" toml:"en-reporting" comment:"Enables IR reporting"`
OSQuery OSQuery `json:"osquery" toml:"osquery" comment:"OSQuery configuration"`
Commands []ReportCommand `json:"commands" toml:"commands" comment:"Commands to execute in addition to the OSQuery ones" commented:"true"`
CommandTimeout time.Duration `json:"timeout" toml:"timeout" comment:"Timeout after which every command expires (to prevent too long commands)"`
}

// PrepareCommands builds up all commands to run
Expand Down
18 changes: 9 additions & 9 deletions agent/defaults.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,13 @@ func BuildDefaultConfig(root string) *config.Agent {
logDir := filepath.Join(root, "Logs")

return &config.Agent{
RulesConfig: &config.Rules{
RulesConfig: config.Rules{
RulesDB: filepath.Join(root, "Database", "Rules"),
ContainersDB: filepath.Join(root, "Database", "Containers"),
UpdateInterval: 60 * time.Second,
},

FwdConfig: &clientConfig.Forwarder{
FwdConfig: clientConfig.Forwarder{
Local: true,
Client: clientConfig.Client{
MaxUploadSize: api.DefaultMaxUploadSize,
Expand All @@ -30,7 +30,7 @@ func BuildDefaultConfig(root string) *config.Agent {
RotationInterval: time.Hour * 5,
},
},
EtwConfig: &config.Etw{
EtwConfig: config.Etw{
Providers: []string{
"Microsoft-Windows-Sysmon",
"Microsoft-Windows-Windows Defender",
Expand All @@ -39,25 +39,25 @@ func BuildDefaultConfig(root string) *config.Agent {
},
Traces: []string{"Eventlog-Security"},
},
Sysmon: &config.Sysmon{
Sysmon: config.Sysmon{
Bin: "C:\\Windows\\Sysmon64.exe",
ArchiveDirectory: "C:\\Sysmon\\",
CleanArchived: true,
},
Actions: &config.Actions{
Actions: config.Actions{
AvailableActions: AvailableActions,
Low: []string{},
Medium: []string{"brief", "filedump", "regdump"},
High: []string{"report", "filedump", "regdump"},
Critical: []string{"report", "filedump", "regdump", "memdump"},
},
Dump: &config.Dump{
Dump: config.Dump{
Dir: filepath.Join(root, "Dumps"),
Compression: true,
MaxDumps: 4,
DumpUntracked: false,
},
Report: &config.Report{
Report: config.Report{
EnableReporting: false,
OSQuery: config.OSQuery{
Tables: []string{"processes", "services", "scheduled_tasks", "drivers", "startup_items", "process_open_sockets"}},
Expand All @@ -69,10 +69,10 @@ func BuildDefaultConfig(root string) *config.Agent {
}},
CommandTimeout: 60 * time.Second,
},
AuditConfig: &config.Audit{
AuditConfig: config.Audit{
AuditPolicies: []string{"File System"},
},
CanariesConfig: &config.Canaries{
CanariesConfig: config.Canaries{
Enable: false,
Canaries: []*config.Canary{
{
Expand Down
2 changes: 1 addition & 1 deletion agent/hook_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,7 @@ func TestHooks(t *testing.T) {
defer os.RemoveAll(tmp)

c := BuildDefaultConfig(tmp)
c.Actions = &config.Actions{
c.Actions = config.Actions{
AvailableActions: AvailableActions,
Low: []string{},
Medium: []string{},
Expand Down
Loading

0 comments on commit 684e11c

Please sign in to comment.