Audit key options #1882

Merged
albertomn86 merged 9 commits into 3.7 from dev-audit-keys on Nov 16, 2018

Conversation

@bah07
Contributor

@bah07 bah07 commented Nov 14, 2018

Related issues:

Added two new options to manage audit events:

  • This is the key with which the rules generated by FIM will be created. Field deleted

<audit_key>wazuh_fim</audit_key>

  • With this option, you can add the keys of other rules generated manually or by other methods. This way you can monitor directories with Audit that have other associated rules. FIM will filter the audit events looking for these keys.

<audit_extra_key></audit_extra_key>

The way these keys are displayed in the audit log varies depending on the characters entered. If you enter the character ' ' (whitespace) or '"' (double quote), the key will be generated in hexadecimal. It will also do so when the decimal value of the character is greater than 126 (extended ASCII).

Tests:

Audit allows inserting spaces inside the keys, so the spaces inserted inside the field <audit_extra_key> will be part of the key.

  • Generate a key for FIM with a string containing spaces, double quotes or a character above 126 and check that FIM monitors its directories correctly.
  • Generate keys with those characters by means of auditctl -w and introduce those strings in the option <audit_extra_key></audit_extra_key>. Check that alerts for these directories appear. Check that the event generated in audit.log was generated with the key created by auditctl and not with key=wazuh_fim.
  • Check that there are no Whodata alerts for directories that are being monitored only by frequency and that have associated audit rules.

@bah07
Contributor Author

bah07 commented Nov 15, 2018

The included fields have been redesigned to add external audit keys.

A tag has been created for the Whodata options, and the rest of the options, among them audit_extra_key, will be added within it.

Finally, the configuration will be the following:

<!-- Audit keys -->
<syscheck>
...
  <whodata>
    <audit_extra_key>auditkey1,auditkey2</audit_extra_key>
  </whodata>
...
</syscheck>
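An added example, not code from this PR or from Wazuh, that ties the two comments together: it reproduces the key rendering described above (double-quoted when printable, upper-case hex with no quotes when the key contains whitespace, a double quote, or a byte above 126), parses the `<whodata><audit_extra_key>` setting in the shape shown in the second comment, and filters constructed audit.log lines by the resulting key set. The sample configuration and log lines are constructed for the example; the function names are mine; the 0x21/0x7e/`"` rule and the `\x01` separator for rules carrying several keys describe how the kernel logs untrusted strings, which is an assumption about the environment rather than anything stated on this page.

```python
"""Decode audit.log key fields and match them against FIM's configured keys.

Added example, not Wazuh code. The sample configuration and audit.log lines
below are constructed; the encoding rule mirrors the kernel's handling of
untrusted strings in audit records (assumption, not taken from the PR).
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

FIM_KEY = "wazuh_fim"   # key FIM puts on the rules it creates (from the PR)
KEY_SEP = "\x01"        # kernel separator when one rule carries several keys (assumption)
KEY_RE = re.compile(r"\bkey=(\S+)")


def audit_key_encode(key: str) -> str:
    """Render a key the way it appears after key= in audit.log.

    The string is written double-quoted if every byte is printable ASCII
    other than '"'; otherwise (whitespace, '"', any byte > 0x7e such as a
    UTF-8 character) it is written as upper-case hex with no quotes.
    """
    raw = key.encode("utf-8")
    if any(b < 0x21 or b > 0x7E or b == 0x22 for b in raw):
        return raw.hex().upper()
    return f'"{key}"'


def audit_key_decode(field: str) -> List[str]:
    """Inverse of audit_key_encode: the list of keys carried by one key= field."""
    if field == "(null)":          # event matched a rule that has no key
        return []
    if len(field) >= 2 and field.startswith('"') and field.endswith('"'):
        text = field[1:-1]
    else:
        try:
            text = bytes.fromhex(field).decode("utf-8", errors="replace")
        except ValueError:         # neither quoted nor hex; keep it literally
            text = field
    return text.split(KEY_SEP)


def configured_keys(syscheck_xml: str) -> Set[str]:
    """FIM's own key plus every comma-separated <audit_extra_key> entry.

    Whitespace is deliberately not stripped: audit allows spaces inside a
    key, so a space written in the option is part of the key.
    """
    keys = {FIM_KEY}
    for node in ET.fromstring(syscheck_xml).iter("audit_extra_key"):
        keys.update(k for k in (node.text or "").split(",") if k)
    return keys


def matching_events(lines: List[str], keys: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, matched keys) for events whose key= field hits a configured key."""
    hits = []
    for line in lines:
        m = KEY_RE.search(line)
        if not m:
            continue
        matched = [k for k in audit_key_decode(m.group(1)) if k in keys]
        if matched:
            hits.append((line, matched))
    return hits


# Constructed configuration in the shape the PR settles on.
SAMPLE_CONF = """<syscheck>
  <whodata>
    <audit_extra_key>my key,quo"te,plain_key</audit_extra_key>
  </whodata>
</syscheck>"""

# Constructed audit.log excerpts (fields trimmed to what matters here).
_PREFIX = "type=SYSCALL msg=audit(1542300000.123:{}): arch=c000003e syscall=257 success=yes "
SAMPLE_LOG = [
    _PREFIX.format(1) + 'comm="touch" key="wazuh_fim"',
    _PREFIX.format(2) + 'comm="touch" key=6D79206B6579',           # "my key", hex because of the space
    _PREFIX.format(3) + 'comm="vim" key="unrelated"',              # rule nobody configured
    _PREFIX.format(4) + 'comm="cat" key=(null)',                   # rule without a key
    _PREFIX.format(5) + 'comm="rm" key='
    + audit_key_encode("plain_key" + KEY_SEP + FIM_KEY),           # two keys on one rule
]

if __name__ == "__main__":
    for line, matched in matching_events(SAMPLE_LOG, configured_keys(SAMPLE_CONF)):
        print(matched, "<-", line.split("key=")[1])
```

Run stand-alone it prints three hits: the plain `wazuh_fim` event, the hex-encoded `my key` event, and the two-key event; the `unrelated` and `(null)` lines are dropped, which is the filtering behaviour the tests in the first comment ask to verify.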

@albertomn86 albertomn86 merged commit 1b18146 into 3.7 Nov 16, 2018
@albertomn86 albertomn86 deleted the dev-audit-keys branch November 16, 2018 18:32

Labels

module/fim File Integrity Monitoring
