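/// <summary>
/// Resolves the machine hardware name by running <c>uname -m</c> through the shell
/// and caches the trimmed result in <see cref="UnameMachine"/>.
/// </summary>
/// <returns>The <c>uname -m</c> output without its trailing newline; the same value is stored in <see cref="UnameMachine"/>.</returns>
/// <exception cref="CommandExecutionFailedException">Rethrown when the shell command fails; the failure is logged first.</exception>
public string GetUnameMachine()
{
    try
    {
        // The shell helper returns raw stdout, which ends with a newline.
        this.UnameMachine = _processUtil.ExecuteBashShellCommand("uname -m").TrimEnd('\n');
    }
    catch (CommandExecutionFailedException ex)
    {
        // The original message lacked the closing bracket, leaving "error=[..." unbalanced in the log.
        SimpleLogger.Error($"Couldn't resolve OS architecture, error=[{ex.Error}]");
        throw;
    }

    return this.UnameMachine;
}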
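/// <summary>
/// Runs a baseline scan command through the shell, deserializes its JSON output and
/// converts every result that is neither Pass nor Skip into a <see cref="BaselinePayload"/>.
/// </summary>
/// <param name="command">
/// The complete shell command line that runs the baseline scanner. It is handed to the shell
/// verbatim, so callers must build it only from fixed, code-owned values, never from external input.
/// </param>
/// <returns>A materialized list of payloads, one per non-Pass/Skip result; empty when every check passed.</returns>
/// <exception cref="ApplicationException">
/// Thrown when the command produced no output, the output could not be deserialized,
/// the scanner reported an error, or the result list is missing.
/// </exception>
protected IEnumerable<BaselinePayload> ExecuteBaseline(string command)
{
    string output = _processUtil.ExecuteBashShellCommand(command);
    if (string.IsNullOrWhiteSpace(output))
    {
        throw new ApplicationException("attempt to run baseline scan failed");
    }

    // DeserializeObject yields null for the JSON literal "null"; the original would then throw a NullReferenceException.
    BaselineScanOutput deserializedOutput = JsonConvert.DeserializeObject<BaselineScanOutput>(output);
    if (deserializedOutput == null)
    {
        throw new ApplicationException("baseline scan output could not be deserialized");
    }

    if (!string.IsNullOrWhiteSpace(deserializedOutput.Error))
    {
        throw new ApplicationException($"baseline scan failed with error: {deserializedOutput.Error}");
    }

    if (deserializedOutput.Results == null)
    {
        throw new ApplicationException("baseline results are null");
    }

    // Only findings are forwarded; Pass and Skip results are dropped.
    deserializedOutput.Results.RemoveAll(result =>
        result.Result == BaselineResult.ResultType.Pass ||
        result.Result == BaselineResult.ResultType.Skip);

    // Materialize once so the count below and the caller's enumeration do not each re-run GetPayloadFromResult.
    List<BaselinePayload> payloads = deserializedOutput.Results.Select(GetPayloadFromResult).ToList();
    SimpleLogger.Debug($"BaselineEventGenerator returns {payloads.Count} payloads");
    return payloads;
}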
/// <summary>
/// Builds a snapshot of the Linux firewall configuration from the iptables "filter" table.
/// </summary>
/// <returns>
/// A list holding a single <see cref="FirewallConfiguration"/> event; when iptables is not available
/// an error is logged and the list is returned empty.
/// </returns>
protected override List<IEvent> GetEventsImpl()
{
    var events = new List<IEvent>();

    if (!_isIptablesExist)
    {
        SimpleLogger.Error($"{GetType().Name}: Could not collect iptables rules");
        return events;
    }

    // The shell helper may return null when the command produces no output; normalize to "".
    string saveOutput = _processUtil.ExecuteBashShellCommand(IpTablesSaveCommand) ?? string.Empty;
    string[] filterSection = GetIptablesTableSection(saveOutput, FilterTableName) ?? new string[] {};

    var chains = IptablesChain.GetChainsFromTable(filterSection);
    var rules = chains.SelectMany(ParseChainFromTable).ToArray();

    // No rules defined on this machine: report the default table rules instead.
    if (rules.Length == 0)
    {
        rules = GetDefaultTableRules();
    }

    events.Add(new FirewallConfiguration(Priority, rules));
    return events;
}
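/// <summary>
/// Creates the generator and probes once, through the shell, whether iptables is present on the host.
/// </summary>
/// <param name="processUtil">Shell execution helper used for the probe and for later snapshots.</param>
/// <exception cref="ArgumentNullException"><paramref name="processUtil"/> is null.</exception>
public FirewallConfigurationSnapshotGenerator(IProcessUtil processUtil)
{
    if (processUtil == null)
    {
        throw new ArgumentNullException(nameof(processUtil));
    }

    _processUtil = processUtil;

    // Any non-empty output from IpTablesExistCommand is taken as "iptables is installed".
    // NOTE(review): a CommandExecutionFailedException from the probe propagates out of the constructor - confirm that is intended.
    string probeOutput = _processUtil.ExecuteBashShellCommand(IpTablesExistCommand);
    _isIptablesExist = !string.IsNullOrEmpty(probeOutput);
}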
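/// <summary>
/// Runs the baseline scanner that ships next to the agent assembly and wraps its findings
/// in one <see cref="OSBaseline"/> event.
/// </summary>
/// <returns>A list holding a single <see cref="OSBaseline"/> event with one payload per non-Pass/Skip result.</returns>
/// <exception cref="ApplicationException">
/// Thrown when the agent directory cannot be resolved, the scan produced no output, the output
/// could not be deserialized, the scanner reported an error, or the result list is missing.
/// </exception>
protected override List<IEvent> GetEventsImpl()
{
    // Path.GetDirectoryName returns null for a root path and for an empty assembly Location.
    string agentDirectory = Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location);
    if (string.IsNullOrEmpty(agentDirectory))
    {
        throw new ApplicationException("could not resolve the agent directory for the baseline scan");
    }

    // Both X64 and Arm64 select the "x64" scanner build; every other architecture falls back to "x86".
    string bitnessSuffix =
        RuntimeInformation.OSArchitecture == Architecture.Arm64 || RuntimeInformation.OSArchitecture == Architecture.X64
            ? "x64"
            : "x86";

    // NOTE(review): agentDirectory is spliced into a shell command line; the template should quote it so an
    // install path containing spaces or shell metacharacters cannot break the command - confirm against the template.
    string command = string.Format(BaselineExecCommandTemplate, agentDirectory, bitnessSuffix);
    string output = _processUtil.ExecuteBashShellCommand(command);
    if (string.IsNullOrWhiteSpace(output))
    {
        throw new ApplicationException("attempt to run baseline scan failed");
    }

    // DeserializeObject yields null for the JSON literal "null"; the original would then throw a NullReferenceException.
    BaselineScanOutput deserializedOutput = JsonConvert.DeserializeObject<BaselineScanOutput>(output);
    if (deserializedOutput == null)
    {
        throw new ApplicationException("baseline scan output could not be deserialized");
    }

    if (!string.IsNullOrWhiteSpace(deserializedOutput.Error))
    {
        throw new ApplicationException($"baseline scan failed with error: {deserializedOutput.Error}");
    }

    if (deserializedOutput.Results == null)
    {
        throw new ApplicationException("baseline results are null");
    }

    // Only findings are forwarded; Pass and Skip results are dropped.
    deserializedOutput.Results.RemoveAll(result =>
        result.Result == BaselineResult.ResultType.Pass ||
        result.Result == BaselineResult.ResultType.Skip);

    // Materialize once: the original called Count() and then ToArray() on the lazy Select,
    // running GetPayloadFromResult twice per result.
    var payloads = deserializedOutput.Results.Select(GetPayloadFromResult).ToArray();
    SimpleLogger.Debug($"BaselineEventGenerator returns {payloads.Length} payloads");

    return new List<IEvent> { new OSBaseline(Priority, payloads) };
}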
/// <summary>
/// Initializes the audit event generator: installs every rule in <c>AuditRulesPrerequisites</c>
/// via <c>sudo auditctl</c>, tolerating rules that are already defined, and then runs one
/// ausearch pass so that later calls start from an established checkpoint.
/// Each rule string is interpolated into a root shell command line, so the prerequisite
/// list must remain fixed and code-owned.
/// </summary>
/// <param name="processUtil">Shell execution helper used for auditctl and ausearch.</param>
/// <exception cref="CommandExecutionFailedException">
/// Propagated when auditctl fails for any reason other than the rule already being defined,
/// or when the checkpoint ausearch run fails.
/// </exception>
protected AuditEventGeneratorBase(IProcessUtil processUtil)
{
    _processUtil = processUtil;

    foreach (string rule in AuditRulesPrerequisites)
    {
        string auditctlCommand = $"sudo auditctl {rule}";
        try
        {
            _processUtil.ExecuteBashShellCommand(auditctlCommand);
        }
        catch (CommandExecutionFailedException ex) when (ex.Error == AuditctlRuleAlreadyDefinedText)
        {
            // A duplicate rule is not a failure: the prerequisite is already in place.
            SimpleLogger.Debug("rule already defined: " + auditctlCommand);
        }
    }

    // Establish the ausearch checkpoint; the output of this first pass is intentionally discarded.
    ExecuteAusearchWithFallback();
}
/// <summary>
/// Builds a snapshot of the Linux firewall configuration from the iptables "filter" table.
/// </summary>
/// <returns>
/// A list holding a single <see cref="FirewallConfiguration"/> event. When iptables is missing or
/// its rules cannot be read, the event is emitted without rules and a warning is logged.
/// </returns>
protected override List<IEvent> GetEventsImpl()
{
    if (!_isIptablesExist)
    {
        SimpleLogger.Warning($"{GetType().Name}: Iptables does not exist on this device");
        return new List<IEvent> { new FirewallConfiguration(Priority) };
    }

    string saveOutput = _processUtil.ExecuteBashShellCommand(IpTablesSaveCommand);
    if (string.IsNullOrEmpty(saveOutput))
    {
        // Empty output: either insufficient privileges for iptables-save or no configuration present.
        SimpleLogger.Warning(
            $"{GetType().Name}: Can't get Iptables data, check permission or iptables is not configured on this machine");
        return new List<IEvent> { new FirewallConfiguration(Priority) };
    }

    string[] filterSection = GetIptablesTableSection(saveOutput, FilterTableName) ?? new string[] {};
    var rules = IptablesChain.GetChainsFromTable(filterSection)
        .SelectMany(ParseChainFromTable)
        .ToArray();

    return new List<IEvent> { new FirewallConfiguration(Priority, rules) };
}
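/// <summary>
/// Produces a snapshot of the OS-registered local users.
/// The event payload holds one entry per user with its username, user id, group ids and group names.
/// </summary>
/// <returns>A list holding a single <see cref="LocalUsers"/> event.</returns>
protected override List<IEvent> GetEventsImpl()
{
    string groupsFileContent = _processUtil.ExecuteBashShellCommand(GetGroupListCommand);
    string passwdFileContent = _processUtil.ExecuteBashShellCommand(GetUsersListCommand);

    var users = LocalUsersParser.ListAllLocalUsersFromContent(groupsFileContent, passwdFileContent);
    var localUsersPayloads = GeneratePayloadsFromLocalUsers(users);

    // The original message named "BaselineEventGenerator" here (copy-paste); log the actual generator type,
    // as the other generators do.
    // NOTE(review): Count() enumerates twice if GeneratePayloadsFromLocalUsers returns a lazy sequence - confirm its return type.
    SimpleLogger.Debug($"{GetType().Name} returns {localUsersPayloads.Count()} payloads");

    return new List<IEvent>
    {
        new LocalUsers(priority: Priority, payloads: localUsersPayloads)
    };
}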
/// <summary>
/// Runs ausearch from the stored checkpoint and, when the failure exit code points at the
/// checkpoint itself (invalid data, processing error, or checkpoint event not found in the log),
/// retries once with the fallback command.
/// </summary>
/// <returns>The raw ausearch output of whichever invocation succeeded.</returns>
/// <exception cref="CommandExecutionFailedException">
/// Propagated when the first run fails with any other exit code, or when the fallback run fails.
/// </exception>
private string ExecuteAusearchWithFallback()
{
    try
    {
        return _processUtil.ExecuteBashShellCommand(GetAusearchCommand(isFallBack: false), AusearchErrorHandler);
    }
    catch (CommandExecutionFailedException ex)
        when (ex.ExitCode == AusearchInvalidCheckpointData
              || ex.ExitCode == AusearchCheckpointProcessingError
              || ex.ExitCode == AusearchCheckpointEventNotFoundInLog)
    {
        // These exit codes (per the constant names) mean the checkpoint is unusable, so retry without relying on it.
        return _processUtil.ExecuteBashShellCommand(GetAusearchCommand(isFallBack: true), AusearchErrorHandler);
    }
}
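/// <summary>
/// Creates the generator and seeds the executable hash cache from the audit log: every existing
/// audit record matching the integrity rule is parsed and fed into <c>updateExecutablesDictonary</c>.
/// </summary>
/// <param name="processUtil">
/// Shell execution helper; also passed to the base constructor, which installs the audit rule prerequisites.
/// </param>
public ProcessCreationEventGenerator(IProcessUtil processUtil) : base(processUtil)
{
    executableHash = new Dictionary<string, string>();

    // The shell helper may return null when the search yields nothing (other generators guard with ?? string.Empty);
    // without the guard, Split throws a NullReferenceException.
    string searchResultsString = processUtil.ExecuteBashShellCommand(searchIntegrityRuleCommand) ?? string.Empty;

    // Records in the search output are separated by a "----" line.
    string[] searchResults = searchResultsString.Split("----", StringSplitOptions.RemoveEmptyEntries);
    foreach (string searchResult in searchResults)
    {
        updateExecutablesDictonary(AuditEvent.ParseFromAusearchLine(searchResult));
    }
}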
/// <summary>
/// Runs <c>netstat -ln</c>, parses every listening socket (TCP and UDP) from its output and
/// wraps them in one <see cref="ListeningPorts"/> event.
/// </summary>
/// <returns>A list holding a single open-ports event.</returns>
protected override List<IEvent> GetEventsImpl()
{
    const string netstatCommand = "netstat -ln";

    string netstatOutput = _processUtil.ExecuteBashShellCommand(netstatCommand);
    List<ListeningPortsPayload> payloads = NetstatUtils.ParseNetstatListeners(
        netstatOutput,
        LocalAddressColumnNumber,
        RemoteAddressColumnNumber);

    SimpleLogger.Debug($"NetstatEventGenerator returns {payloads.Count} payloads");

    return new List<IEvent>
    {
        new ListeningPorts(Priority, payloads.ToArray())
    };
}