
Changes to FIM sync messages for Windows registries #2773

Closed
jotacarma90 opened this issue Apr 7, 2022 · 1 comment

Comments

@jotacarma90
Member

jotacarma90 commented Apr 7, 2022

Description

Hello team,
Due to some improvements we are making in the performance of the FIMDB development with DBSync, we are going to introduce some changes in the sync messages of the Windows registries. Until now, two different synchronizations were made in Windows, one for the files and another one for the registries + values (using a view of the DB joining the two tables).

Related issue:
wazuh/wazuh#13033

PR:
wazuh/wazuh#13097

For efficiency reasons, we have separated the registries and values, so now there will be 3 different synchronizations. In addition to this, we have changed the indexes used for the registries; now we will use a hash to avoid problems with the allowed symbols in the names of registries and values.

Changes in sync messages

  • Field component changed: in registry keys it is fim_registry_key, in key values it is fim_registry_value.
  • Now the index used is a hash formed by the fields arch, registry path and value name.
  • New field path containing the registry path.
  • version upgraded from 2 to 3.

Key values

From this:
2022/02/27 18:47:40 wazuh-agent[1732] run_check.c:108 at fim_send_sync_state(): DEBUG: (6317): Sending integrity control message: {"component":"fim_registry","data":{"arch":"[x32]","attributes":{"checksum":"920b517a949aec0a6fa91b0556f0a60503058fbb","hash_md5":"d41d8cd98f00b204e9800998ecf8427e","hash_sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","hash_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":0,"type":"registry_value","value_type":"REG_UNKNOWN"},"index":"HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Aliases\\Names\\HelpLibraryUpdaters","timestamp":1645984059,"value_name":"","version":2},"type":"state"}

To this:
2022/02/27 18:04:05 wazuh-agent[2300] run_check.c:108 at fim_send_sync_state(): DEBUG: (6317): Sending integrity control message: {"component":"fim_registry_value","data":{"arch":"[x32]","attributes":{"checksum":"920b517a949aec0a6fa91b0556f0a60503058fbb","hash_md5":"d41d8cd98f00b204e9800998ecf8427e","hash_sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","hash_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":0,"type":"registry_value","value_type":"REG_UNKNOWN"},"index":"00a7ee53218b25b5364c8773f37a38c93eae3880","path":"HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Aliases\\Names\\HelpLibraryUpdaters","timestamp":1645981428,"value_name":"","version":3},"type":"state"}

Registry keys

From this:
2022/02/27 18:48:01 wazuh-agent[1732] run_check.c:108 at fim_send_sync_state(): DEBUG: (6317): Sending integrity control message: {"component":"fim_registry","data":{"arch":"[x32]","attributes":{"checksum":"6853b29eef33ff39d8b63911673cf7b078f95485","gid":"0","group_name":"SYSTEM","mtime":1645882878,"perm":"{\"S-1-5-32-544\":{\"name\":\"Administradores\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]}}","type":"registry_key","uid":"0","user_name":"Administradores"},"index":"HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Aliases\\000003EB","timestamp":1645984060,"version":2},"type":"state"}

To this:
2022/02/27 18:04:05 wazuh-agent[2300] run_check.c:108 at fim_send_sync_state(): DEBUG: (6317): Sending integrity control message: {"component":"fim_registry_key","data":{"arch":"[x32]","attributes":{"checksum":"6853b29eef33ff39d8b63911673cf7b078f95485","gid":"0","group_name":"SYSTEM","mtime":1645882878,"perm":"{\"S-1-5-32-544\":{\"name\":\"Administradores\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]},\"S-1-5-18\":{\"name\":\"SYSTEM\",\"allowed\":[\"delete\",\"read_control\",\"write_dac\",\"write_owner\",\"read_data\",\"write_data\",\"append_data\",\"read_ea\",\"write_ea\",\"execute\"]}}","type":"registry_key","uid":"0","user_name":"Administradores"},"index":"ff03d79932df0148efa6a066552badf25ea9c466","path":"HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Aliases\\000003EB","timestamp":1645981428,"version":3},"type":"state"}
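
As an added example (not part of this issue or of the wazuh code base): a small Python checker that pulls the JSON payload out of these wazuh-agent debug lines and classifies each registry sync state message as the old v2 layout or the new v3 layout, using exactly the field changes listed above (component name, 40-hex index, new path field, version 3). The sample lines are constructed from the ones quoted in the issue, with the registry key message's attributes shortened; the issue does not say how the index hash is computed, so the checker only validates its shape and does not try to recompute it.

```python
"""Classify wazuh-agent FIM registry sync state messages as v2 or v3.

Added example, not wazuh code. It checks the field layout described in the
issue; it does not reproduce the index hash derivation (not specified there).
"""
import json
import re

# Log prefix as printed by the agent; the JSON document follows it.
PREFIX = ("2022/02/27 18:04:05 wazuh-agent[2300] run_check.c:108 at "
          "fim_send_sync_state(): DEBUG: (6317): Sending integrity control message: ")

# Constructed sample lines modelled on the issue's examples (key attributes shortened).
SAMPLE_LINES = [
    # v2 registry value: component fim_registry, index is the literal registry path
    PREFIX + r'{"component":"fim_registry","data":{"arch":"[x32]","attributes":{'
             r'"checksum":"920b517a949aec0a6fa91b0556f0a60503058fbb","size":0,'
             r'"type":"registry_value","value_type":"REG_UNKNOWN"},'
             r'"index":"HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Aliases\\Names\\HelpLibraryUpdaters",'
             r'"timestamp":1645984059,"value_name":"","version":2},"type":"state"}',
    # v3 registry value: component fim_registry_value, hashed index, explicit path
    PREFIX + r'{"component":"fim_registry_value","data":{"arch":"[x32]","attributes":{'
             r'"checksum":"920b517a949aec0a6fa91b0556f0a60503058fbb","size":0,'
             r'"type":"registry_value","value_type":"REG_UNKNOWN"},'
             r'"index":"00a7ee53218b25b5364c8773f37a38c93eae3880",'
             r'"path":"HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Aliases\\Names\\HelpLibraryUpdaters",'
             r'"timestamp":1645981428,"value_name":"","version":3},"type":"state"}',
    # v3 registry key: component fim_registry_key, no value_name (perm omitted here)
    PREFIX + r'{"component":"fim_registry_key","data":{"arch":"[x32]","attributes":{'
             r'"checksum":"6853b29eef33ff39d8b63911673cf7b078f95485","gid":"0",'
             r'"group_name":"SYSTEM","mtime":1645882878,"type":"registry_key",'
             r'"uid":"0","user_name":"Administradores"},'
             r'"index":"ff03d79932df0148efa6a066552badf25ea9c466",'
             r'"path":"HKEY_LOCAL_MACHINE\\Security\\SAM\\Domains\\Account\\Aliases\\000003EB",'
             r'"timestamp":1645981428,"version":3},"type":"state"}',
]

LOG_RE = re.compile(r"Sending integrity control message: (\{.*\})\s*$")
HEX40 = re.compile(r"^[0-9a-f]{40}$")

# attributes.type -> component name expected in the v3 layout
V3_COMPONENT = {"registry_key": "fim_registry_key", "registry_value": "fim_registry_value"}


def parse_sync_message(line: str) -> dict:
    """Extract and decode the JSON payload from one sync state debug line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a FIM sync state line")
    return json.loads(m.group(1))


def registry_format(msg: dict) -> str:
    """Return 'v2', 'v3' or 'invalid' for a registry sync state message."""
    if msg.get("type") != "state":
        return "invalid"
    data = msg.get("data", {})
    comp = msg.get("component")
    attr_type = data.get("attributes", {}).get("type")
    if attr_type not in V3_COMPONENT:
        return "invalid"
    version = data.get("version")
    if version == 2:
        # v2: single component, index carries the raw registry path, no path field
        if comp == "fim_registry" and "path" not in data and isinstance(data.get("index"), str):
            return "v2"
        return "invalid"
    if version == 3:
        # v3: per-type component, 40-hex hash index, path field, value_name only for values
        if (comp == V3_COMPONENT[attr_type]
                and HEX40.match(str(data.get("index", "")))
                and isinstance(data.get("path"), str)
                and (attr_type == "registry_key" or "value_name" in data)):
            return "v3"
        return "invalid"
    return "invalid"


def registry_path(msg: dict) -> str:
    """Registry path regardless of layout: v2 keeps it in index, v3 in path."""
    data = msg["data"]
    return data["path"] if "path" in data else data["index"]


def summarize(lines):
    """(component, layout, registry path) for each log line, for a quick audit."""
    rows = []
    for line in lines:
        msg = parse_sync_message(line)
        rows.append((msg["component"], registry_format(msg), registry_path(msg)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

Running the block prints one row per sample; the v2 and v3 value messages resolve to the same registry path even though the v3 index no longer contains it, which is the property a consumer migrating from version 2 to version 3 needs to keep in mind.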

@Rebits
Member

Rebits commented Aug 1, 2023

Solved #2728

@Rebits Rebits closed this as completed Aug 1, 2023
@wazuhci wazuhci moved this from Triage to Done in Release 4.6.0 Aug 1, 2023