We will take a stab at it this week and see what we can uncover.

All the best,
Grant

On Friday, February 24, 2017 at 12:32:02 PM UTC-5, dan (ddpbsd) wrote:
>
> Any Windows users want to take a look at this?
>
> On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J.
> <gjah...@compucenter.org> wrote:
> > I am using the eventchannel format. Eventlog provides no useful information
> > for logs other than the three basics: Application, Security and System.
> >
> > If confirmed, this is a significant bug that impacts the integrity of all
> > deployments of Windows agents, as far as I can determine at minimum on
> > Windows 10; other versions are TBD.
> >
> > I unfortunately do not have at hand other versions of Windows to test with,
> > in order to determine whether it is an issue related to the agent that
> > therefore impacts all Windows deployments, or a less serious issue that is
> > specific to Windows 10.
> >
> > IMHO the agent code needs to be thoroughly debugged, as:
> > i) some events are forwarded correctly;
> > ii) some have field names removed (which makes it very difficult to decode
> > for any information other than what is in the OSSEC header); and
> > iii) some have important security information completely chopped off the
> > message, that is in addition to missing field labels.
> >
> > On Windows 10, I can confirm (not an exhaustive list):
> > i) The integrity of event IDs 4624, 4625, 4634, 4656~4663, 4688, 4689 is
> > preserved.
> > ii) Event IDs 5140 and 4703 are forwarded without field labels (there are
> > certainly others).
> > iii) Eventchannel logs other than the three standard event logs have no
> > field labels, and are emptied of important security content.
> >
> > Steps to reproduce on any recent flavor of Windows:
> >
> > 1) From the Group Policy Editor turn on AppLocker in Audit mode, and
> > temporarily turn on all auditing in Security.
> >
> > 2) Configure the agent to collect AppLocker logs (this is for Windows 10;
> > the log names differ for Windows 7):
> >
> > In /var/ossec/etc/shared/agent.conf
> >
> >   <agent_config name="AgentName">
> >     <localfile>
> >       <log_format>eventchannel</log_format>
> >       <location>Microsoft-Windows-AppLocker/EXE and DLL</location>
> >     </localfile>
> >     <localfile>
> >       <log_format>eventchannel</log_format>
> >       <location>Microsoft-Windows-AppLocker/MSI and Script</location>
> >     </localfile>
> >     <localfile>
> >       <log_format>eventchannel</log_format>
> >       <location>Microsoft-Windows-AppLocker/Packaged app-Deployment</location>
> >     </localfile>
> >     <localfile>
> >       <log_format>eventchannel</log_format>
> >       <location>Microsoft-Windows-AppLocker/Packaged app-execution</location>
> >     </localfile>
> >   </agent_config>
> >
> > 3) Set the Windows agent to debug mode in internal_options.conf in the
> > ossec-agent installation directory.
> >
> > 4) Restart the agent (net stop "OSSEC HIDS" then net start "OSSEC HIDS", or
> > use the agent control GUI, or services.msc to bounce the agent).
> >
> > 5) Examine events in the ossec.log file inside the OSSEC-agent installation
> > directory.
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
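A way to make step 5 of the report systematic: compare each forwarded record in the agent's ossec.log against the field labels and values read straight from the native Windows event (for example the EventData of Get-WinEvent's XML), and classify it as intact, labels stripped, or content truncated. This is an added example and not code from the thread or from OSSEC itself. It assumes a "WinEvtLog: channel: level(id): source: user: domain: host: message" prefix layout for eventchannel records, which the thread does not show; the sample lines and the expected-field table are constructed for the demonstration, not captured output.

```python
import re
from typing import Dict, List, Optional

# Assumed prefix layout (not shown in the thread) of one forwarded eventchannel record:
#   WinEvtLog: <channel>: <level>(<event id>): <source>: <user>: <domain>: <host>: <message>
EVTLOG_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<level>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)


def parse_eventchannel_line(line: str) -> Optional[Dict[str, str]]:
    """Split one forwarded record into its header fields and message body."""
    m = EVTLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_forwarded_event(message: str, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which labels and which values from the native event are absent
    from the forwarded message body."""
    missing_labels = [label for label in expected if f"{label}:" not in message]
    missing_values = [label for label, value in expected.items() if value not in message]
    return {"missing_labels": missing_labels, "missing_values": missing_values}


def classify(message: str, expected: Dict[str, str]) -> str:
    """Lost values are worse than lost labels, so they decide the verdict."""
    result = check_forwarded_event(message, expected)
    if result["missing_values"]:
        return "content truncated"
    if result["missing_labels"]:
        return "labels stripped"
    return "intact"


def audit_forwarded_log(lines: List[str], expected_by_id: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify every record in a debug ossec.log excerpt, keyed by event id."""
    verdicts: Dict[str, str] = {}
    for line in lines:
        rec = parse_eventchannel_line(line)
        if rec is None:
            verdicts[line[:40]] = "unparsed"
            continue
        expected = expected_by_id.get(rec["event_id"])
        verdicts[rec["event_id"]] = classify(rec["message"], expected) if expected else "no reference"
    return verdicts


# Constructed sample records (not real agent output): one intact, one with its
# labels dropped, one with the tail of its body cut off.
SAMPLE_LINES = [
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: WS10: An account was successfully logged on. "
    "Logon Type: 3 Account Name: alice Source Network Address: 10.0.0.5",
    "WinEvtLog: Security: AUDIT_SUCCESS(5140): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: WS10: A network share object was accessed. "
    "alice 10.0.0.5 \\\\*\\IPC$",
    "WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: WARNING(8003): "
    "Microsoft-Windows-AppLocker: (no user): no domain: WS10: "
    "%OSDRIVE%\\TOOLS\\UNSIGNED.EXE was allowed to run but would have been prevented",
]

# Constructed reference data, as you would read it from the native event's EventData.
EXPECTED = {
    "4624": {"Logon Type": "3", "Account Name": "alice", "Source Network Address": "10.0.0.5"},
    "5140": {"Account Name": "alice", "Source Address": "10.0.0.5", "Share Name": "\\\\*\\IPC$"},
    "8003": {
        "FullFilePath": "%OSDRIVE%\\TOOLS\\UNSIGNED.EXE",
        "TargetUser": "S-1-5-21-0-0-0-1001",
        "RuleName": "Audit unsigned tools",
    },
}

if __name__ == "__main__":
    for event_id, verdict in audit_forwarded_log(SAMPLE_LINES, EXPECTED).items():
        print(f"{event_id}: {verdict}")
```

Feed it the real lines from ossec.log and a reference table built from Get-WinEvent output on the same host; any record that comes back as "labels stripped" or "content truncated" is one where the forwarded copy cannot be trusted for decoding or alerting.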