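/// <summary>
        /// Resolves the machine hardware name by running <c>uname -m</c> and caches it in <see cref="UnameMachine"/>.
        /// </summary>
        /// <returns>The output of <c>uname -m</c> with the trailing newline removed; the same value is stored in <see cref="UnameMachine"/>.</returns>
        /// <exception cref="CommandExecutionFailedException">Rethrown when the command fails; the failure is logged first.</exception>
        public string GetUnameMachine()
        {
            try
            {
                // uname prints a trailing newline; strip only that so the cached value compares cleanly.
                this.UnameMachine = _processUtil.ExecuteBashShellCommand("uname -m").TrimEnd('\n');
            }
            catch (CommandExecutionFailedException ex)
            {
                // Fix: the original message opened '[' without closing it, which made the log line look truncated.
                SimpleLogger.Error($"Couldn't resolve OS architecture, error=[{ex.Error}]");
                throw;
            }

            return this.UnameMachine;
        }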
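        /// <summary>
        /// Runs the baseline scanner through the given shell command and converts its JSON report into payloads.
        /// Only findings that need attention are kept: results with <c>Pass</c> or <c>Skip</c> status are dropped.
        /// </summary>
        /// <param name="command">
        /// Shell command line that runs the baseline scanner. It is handed verbatim to a bash shell, so it must be
        /// assembled from trusted, code-owned parts only — never from user, file or network supplied input.
        /// </param>
        /// <returns>A materialized list with one payload per non-passing, non-skipped result.</returns>
        /// <exception cref="ApplicationException">
        /// Thrown when the scanner produced no output, the output deserialized to null, the report carries an
        /// error message, or the report has no results collection.
        /// </exception>
        protected IEnumerable <BaselinePayload> ExecuteBaseline(string command)
        {
            string output = _processUtil.ExecuteBashShellCommand(command);

            if (string.IsNullOrWhiteSpace(output))
            {
                throw new ApplicationException("attempt to run baseline scan failed");
            }

            BaselineScanOutput deserializedOutput = JsonConvert.DeserializeObject <BaselineScanOutput>(output);

            // DeserializeObject returns null for the JSON literal "null"; the original dereferenced it unchecked.
            if (deserializedOutput == null)
            {
                throw new ApplicationException("baseline scan output could not be parsed");
            }

            if (!string.IsNullOrWhiteSpace(deserializedOutput.Error))
            {
                throw new ApplicationException($"baseline scan failed with error: {deserializedOutput.Error}");
            }

            if (deserializedOutput.Results == null)
            {
                throw new ApplicationException("baseline results are null");
            }

            deserializedOutput.Results.RemoveAll(result => result.Result == BaselineResult.ResultType.Pass || result.Result == BaselineResult.ResultType.Skip);

            // Materialize once: the original returned a deferred query that was enumerated here for the count
            // and again by the caller, running GetPayloadFromResult twice per result.
            List <BaselinePayload> payloads = deserializedOutput.Results.Select(GetPayloadFromResult).ToList();

            SimpleLogger.Debug($"BaselineEventGenerator returns {payloads.Count} payloads");

            return payloads;
        }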
        /// <summary>
        /// Builds the Linux firewall configuration snapshot from the filter table of the <c>iptables-save</c> output.
        /// </summary>
        /// <returns>
        /// A list holding a single <see cref="FirewallConfiguration"/> event, or an empty list when iptables was
        /// not detected at construction time.
        /// </returns>
        protected override List <IEvent> GetEventsImpl()
        {
            var events = new List <IEvent>();

            if (_isIptablesExist)
            {
                string saveOutput = _processUtil.ExecuteBashShellCommand(IpTablesSaveCommand) ?? string.Empty;
                string[] filterSection = GetIptablesTableSection(saveOutput, FilterTableName) ?? new string[] {};

                var chains = IptablesChain.GetChainsFromTable(filterSection);
                var rules = chains.SelectMany(ParseChainFromTable).ToArray();

                // A machine with no rules still reports the default tables.
                if (rules.Length == 0)
                {
                    rules = GetDefaultTableRules();
                }

                events.Add(new FirewallConfiguration(Priority, rules));
            }
            else
            {
                SimpleLogger.Error($"{GetType().Name}: Could not collect iptables rules");
            }

            return events;
        }
        /// <summary>
        /// Creates the generator and probes once whether iptables is available on this host.
        /// </summary>
        /// <param name="processUtil">Shell command runner used for the probe and for later snapshots.</param>
        /// <remarks>
        /// The probe runs <see cref="IpTablesExistCommand"/> in the constructor; null or empty output is taken as
        /// "iptables missing". NOTE(review): a <see cref="CommandExecutionFailedException"/> raised by the probe is
        /// not caught here, so construction itself would fail — confirm that is what callers expect.
        /// </remarks>
        public FirewallConfigurationSnapshotGenerator(IProcessUtil processUtil)
        {
            _processUtil = processUtil;

            string probeOutput = _processUtil.ExecuteBashShellCommand(IpTablesExistCommand);
            bool iptablesFound = !string.IsNullOrEmpty(probeOutput);

            _isIptablesExist = iptablesFound;
        }
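        /// <summary>
        /// Runs the bundled baseline scanner and wraps its findings in a single <see cref="OSBaseline"/> event.
        /// Only findings that need attention are kept: results with <c>Pass</c> or <c>Skip</c> status are dropped.
        /// </summary>
        /// <returns>A list holding exactly one baseline event.</returns>
        /// <exception cref="ApplicationException">
        /// Thrown when the agent directory cannot be determined, the scanner produced no output, the output
        /// deserialized to null, the report carries an error message, or the report has no results collection.
        /// </exception>
        protected override List <IEvent> GetEventsImpl()
        {
            string agentDirectory = Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location);

            // Assembly.Location is empty for single-file deployments; fail early with a clear message rather
            // than formatting a scanner command around an empty path.
            if (string.IsNullOrEmpty(agentDirectory))
            {
                throw new ApplicationException("could not determine the agent directory for the baseline scanner");
            }

            // NOTE(review): Arm64 is mapped to the "x64" scanner build; confirm that is intended for ARM hosts.
            bool is64Bit = RuntimeInformation.OSArchitecture == Architecture.Arm64 || RuntimeInformation.OSArchitecture == Architecture.X64;
            string bitnessSuffix = is64Bit ? "x64" : "x86";
            string output = _processUtil.ExecuteBashShellCommand(string.Format(BaselineExecCommandTemplate, agentDirectory, bitnessSuffix));

            if (string.IsNullOrWhiteSpace(output))
            {
                throw new ApplicationException("attempt to run baseline scan failed");
            }

            BaselineScanOutput deserializedOutput = JsonConvert.DeserializeObject <BaselineScanOutput>(output);

            // DeserializeObject returns null for the JSON literal "null"; the original dereferenced it unchecked.
            if (deserializedOutput == null)
            {
                throw new ApplicationException("baseline scan output could not be parsed");
            }

            if (!string.IsNullOrWhiteSpace(deserializedOutput.Error))
            {
                throw new ApplicationException($"baseline scan failed with error: {deserializedOutput.Error}");
            }

            if (deserializedOutput.Results == null)
            {
                throw new ApplicationException("baseline results are null");
            }

            deserializedOutput.Results.RemoveAll(result => result.Result == BaselineResult.ResultType.Pass || result.Result == BaselineResult.ResultType.Skip);

            // Materialize once: the original query was enumerated for the count and again for ToArray(),
            // running GetPayloadFromResult twice per result.
            BaselinePayload[] payloads = deserializedOutput.Results.Select(GetPayloadFromResult).ToArray();

            SimpleLogger.Debug($"BaselineEventGenerator returns {payloads.Length} payloads");

            var ev = new OSBaseline(Priority, payloads);

            return new List <IEvent> { ev };
        }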
        /// <summary>
        /// Base constructor for audit event generators. Installs every rule in
        /// <see cref="AuditRulesPrerequisites"/> through <c>auditctl</c>, then establishes the ausearch checkpoint.
        /// </summary>
        /// <param name="processUtil">Shell command runner used for auditctl and ausearch.</param>
        /// <remarks>
        /// Each rule is interpolated into the shell command <c>sudo auditctl {rule}</c>, so the rule list must stay
        /// a fixed, code-owned set and never be derived from external input. A rule that auditctl reports as
        /// already defined is logged and skipped; any other auditctl failure aborts construction.
        /// </remarks>
        protected AuditEventGeneratorBase(IProcessUtil processUtil)
        {
            _processUtil = processUtil;

            foreach (string rule in AuditRulesPrerequisites)
            {
                InstallRule($"sudo auditctl {rule}");
            }

            //establish checkpoint
            ExecuteAusearchWithFallback();

            void InstallRule(string command)
            {
                try
                {
                    _processUtil.ExecuteBashShellCommand(command);
                }
                catch (CommandExecutionFailedException ex) when (ex.Error == AuditctlRuleAlreadyDefinedText)
                {
                    SimpleLogger.Debug("rule already defined: " + command);
                }
            }
        }
        /// <summary>
        /// Builds the Linux firewall configuration snapshot from the filter table of the <c>iptables-save</c> output.
        /// </summary>
        /// <returns>
        /// A list holding a single <see cref="FirewallConfiguration"/> event. When iptables is missing or its
        /// output cannot be read, the event is created without rules and a warning is logged.
        /// </returns>
        protected override List <IEvent> GetEventsImpl()
        {
            FirewallConfiguration configuration;

            if (!_isIptablesExist)
            {
                SimpleLogger.Warning($"{GetType().Name}: Iptables does not exist on this device");
                configuration = new FirewallConfiguration(Priority);
            }
            else
            {
                string saveOutput = _processUtil.ExecuteBashShellCommand(IpTablesSaveCommand);

                if (string.IsNullOrEmpty(saveOutput))
                {
                    // Empty output usually means the command ran without the privileges needed to read the tables.
                    SimpleLogger.Warning(
                        $"{GetType().Name}: Can't get Iptables data, check permission or iptables is not configured on this machine");
                    configuration = new FirewallConfiguration(Priority);
                }
                else
                {
                    string[] filterSection = GetIptablesTableSection(saveOutput, FilterTableName) ?? new string[] {};
                    var rules = IptablesChain.GetChainsFromTable(filterSection).SelectMany(ParseChainFromTable).ToArray();
                    configuration = new FirewallConfiguration(Priority, rules);
                }
            }

            return new List <IEvent> { configuration };
        }
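        /// <summary>
        /// Generates a LocalUsers snapshot.
        /// The event payload is an array of OS registered users; each user has its own payload entry
        /// holding the username, user id, group ids and group names.
        /// </summary>
        /// <returns>List of local users snapshot event; the list contains exactly one element.</returns>
        protected override List <IEvent> GetEventsImpl()
        {
            string groupsFileContent = _processUtil.ExecuteBashShellCommand(GetGroupListCommand);
            string passwdFileContent = _processUtil.ExecuteBashShellCommand(GetUsersListCommand);

            var users = LocalUsersParser.ListAllLocalUsersFromContent(groupsFileContent, passwdFileContent);
            var localUsersPayloads = GeneratePayloadsFromLocalUsers(users);

            // Fix: the message named BaselineEventGenerator (copy-paste); log the real generator so the
            // line can be attributed when reviewing agent logs.
            SimpleLogger.Debug($"{GetType().Name} returns {localUsersPayloads.Count()} payloads");

            return new List <IEvent>
            {
                new LocalUsers(
                    priority: Priority,
                    payloads: localUsersPayloads)
            };
        }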
        /// <summary>
        /// Runs ausearch from the saved checkpoint; when the checkpoint itself is unusable, retries once in
        /// fallback mode.
        /// </summary>
        /// <returns>The raw ausearch output of whichever run succeeded.</returns>
        /// <exception cref="CommandExecutionFailedException">
        /// Propagated for any exit code other than the three checkpoint-related ones, and for any failure of
        /// the fallback run itself.
        /// </exception>
        private string ExecuteAusearchWithFallback()
        {
            try
            {
                return _processUtil.ExecuteBashShellCommand(GetAusearchCommand(isFallBack: false), AusearchErrorHandler);
            }
            catch (CommandExecutionFailedException ex) when (ex.ExitCode == AusearchInvalidCheckpointData ||
                                                             ex.ExitCode == AusearchCheckpointProcessingError ||
                                                             ex.ExitCode == AusearchCheckpointEventNotFoundInLog)
            {
                // The checkpoint is corrupt or refers to an event no longer in the log: rerun without it.
                return _processUtil.ExecuteBashShellCommand(GetAusearchCommand(isFallBack: true), AusearchErrorHandler);
            }
        }
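        /// <summary>
        /// Creates the generator and pre-populates the executable hash cache from the audit log: every
        /// integrity-rule record already present is parsed and fed to <see cref="updateExecutablesDictonary"/>.
        /// </summary>
        /// <param name="processUtil">Shell command runner, also forwarded to the base constructor.</param>
        public ProcessCreationEventGenerator(IProcessUtil processUtil) : base(processUtil)
        {
            executableHash = new Dictionary <string, string>();

            // Other generators in this agent treat a null command result as "no output"; a null here would
            // throw a NullReferenceException from Split while the object is half-constructed.
            string searchResultsString = processUtil.ExecuteBashShellCommand(searchIntegrityRuleCommand) ?? string.Empty;

            // Records are split on the "----" separator line between ausearch entries.
            IEnumerable <string> searchResults = searchResultsString.Split("----", StringSplitOptions.RemoveEmptyEntries);
            IEnumerable <AuditEvent> auditEvents = searchResults.Select(AuditEvent.ParseFromAusearchLine);

            foreach (AuditEvent auditEvent in auditEvents)
            {
                updateExecutablesDictonary(auditEvent);
            }
        }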
        /// <summary>
        /// Reads the netstat output and creates an event containing all open ports in state LISTEN (UDP and TCP).
        /// </summary>
        /// <returns>List holding a single open-ports event.</returns>
        protected override List <IEvent> GetEventsImpl()
        {
            // -l: listening sockets only; -n: numeric addresses, so no name lookups happen while collecting.
            const string netstatCommand = "netstat -ln";

            string netstatOutput = _processUtil.ExecuteBashShellCommand(netstatCommand);
            List <ListeningPortsPayload> listeners = NetstatUtils.ParseNetstatListeners(netstatOutput, LocalAddressColumnNumber, RemoteAddressColumnNumber);

            SimpleLogger.Debug($"NetstatEventGenerator returns {listeners.Count} payloads");

            IEvent openPorts = new ListeningPorts(Priority, listeners.ToArray());

            var result = new List <IEvent>();
            result.Add(openPorts);
            return result;
        }