I am using the eventchannel format. Eventlog provides no useful
information for logs other than the three basics: Application, Security
and System.

If confirmed, this is a significant bug that impacts the integrity of
all deployments of Windows agents, as far as I can determine at minimum
on Windows 10, other versions are TBD.

I unfortunately do not have at hand other versions of Windows to test
with, in order to determine whether it is an issue related to the agent
that therefore impacts all Windows deployments, or a less serious issue
that is specific to Windows 10.

IMHO the agent code needs to be thoroughly debugged, as:
  i) some events are forwarded correctly;
 ii) some have field names removed (which makes it very difficult to
decode for any information other than what is in the OSSEC header); and
iii) some have important security information completely chopped off the
message, that is in addition to missing field labels.

On Windows 10, I can confirm (not an exhaustive list):
  i) The integrity of event IDs 4624, 4625, 4634, 4656~4663, 4688, 4689
is preserved.
 ii) Event IDs 5140 and 4703 are forwarded /without/ field labels (there
are certainly others).
iii) Eventchannel logs other than the three standard event logs have no
field labels, /and/ are emptied of important security content.

_Steps to reproduce on any recent flavor of Windows_:

1) From the Group Policy Editor turn on AppLocker in Audit mode, and
temporarily turn on all auditing in Security.

2) Configure the agent to collect AppLocker logs (This is for Windows
10, the log names differ for Windows 7):

In /var/ossec/etc/shared/agent.conf

<agent_config name="AgentName">
  <localfile>
    <log_format>eventchannel</log_format>
    <location>Microsoft-Windows-AppLocker/EXE and DLL</location>
  </localfile>
  <localfile>
    <log_format>eventchannel</log_format>
    <location>Microsoft-Windows-AppLocker/MSI and Script</location>
  </localfile>
  <localfile>
    <log_format>eventchannel</log_format>
    <location>Microsoft-Windows-AppLocker/Packaged app-Deployment</location>
  </localfile>
  <localfile>
    <log_format>eventchannel</log_format>
    <location>Microsoft-Windows-AppLocker/Packaged app-execution</location>
  </localfile>
</agent_config>

3) Set the Windows agent to debug mode in internal_options.conf in the
ossec-agent installation directory.

4) Restart the agent (net stop "OSSEC HIDS" then net start "OSSEC HIDS",
or use the agent control GUI, or services.msc to bounce the agent).

5) Examine events in the ossec.log file inside the OSSEC-agent
installation directory.
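A triage check for step 5, added here as an example that is not part of the original post or of OSSEC itself: it reads forwarded events in the assumed ossec.log line shape given in the comment, with constructed sample lines, and reports events whose field labels or message body did not survive the forward. The expected labels per event ID are a hand-picked subset of the rendered Windows message text.

```python
import re
from dataclasses import dataclass

# Assumed line shape of an eventchannel message in ossec.log (an assumption of
# this example, not quoted from the post):
# "WinEvtLog: <channel>: <level>(<id>): <provider>: <user>: <domain>: <host>: <message>"
LINE_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<level>[A-Z_]+)\((?P<eid>\d+)\): "
    r"(?P<provider>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<msg>.*)$"
)
# Labels from the rendered Windows message text that a usable forward must keep.
EXPECTED_LABELS = {
    4624: {"Security ID:", "Account Name:", "Logon Type:"},
    5140: {"Share Name:", "Share Path:", "Access Mask:"},
    4703: {"Process Name:", "Enabled Privileges:", "Disabled Privileges:"},
}
ANY_LABEL_RE = re.compile(r"[A-Za-z]+: ")  # any "Label: value" marker at all

@dataclass
class Verdict:
    channel: str
    eid: int
    status: str                      # "ok", "missing-labels", "empty-body" or "unparsed"
    missing: frozenset = frozenset()

def check_line(line):
    """Classify one forwarded event by whether its labels and body survived."""
    m = LINE_RE.match(line)
    if not m:
        return Verdict("?", 0, "unparsed")
    channel, eid, msg = m["channel"], int(m["eid"]), m["msg"].strip()
    if not msg:
        return Verdict(channel, eid, "empty-body")
    expected = EXPECTED_LABELS.get(eid, set())
    missing = frozenset(lab for lab in expected if lab not in msg)
    if missing or (not expected and not ANY_LABEL_RE.search(msg)):
        return Verdict(channel, eid, "missing-labels", missing)
    return Verdict(channel, eid, "ok")

def audit(lines):
    """Return the verdicts for events that did not arrive intact."""
    return [v for v in map(check_line, lines) if v.status != "ok"]

# Constructed sample lines in the assumed shape (not real agent output).
SAMPLE_LINES = [
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WS01: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WS01$ Logon Type: 3 New Logon: Security ID: S-1-5-21-1-2-3-1001 Account Name: alice",
    "WinEvtLog: Security: AUDIT_SUCCESS(5140): Microsoft-Windows-Security-Auditing: (no user): no domain: WS01: S-1-5-21-1-2-3-1001 alice WS01 0x5e1b2 File 10.0.0.7 49211 \\\\*\\C$ C:\\ 0x1 ReadData",
    "WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: INFORMATION(8002): Microsoft-Windows-AppLocker: (no user): no domain: WS01: ",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LINES):
        print(f"{v.channel} {v.eid}: {v.status} {sorted(v.missing)}")
```

Run it over a real ossec.log after step 5 to get a per-event list of which IDs and channels lost labels or content.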
