Closed 72nomada closed 1 year ago
| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16078/commits/d6713614e13625bc857176298fbfd0259926cce6 |
| OS | OS version | Deployment | Image/AMI | Notes |
|---|---|---|---|---|
| macOS | 12.0.1/Monterey | Vagrant | - | |
| macOS | 13.2/Ventura | VMWare | - | |
| wazuh-manager | wazuh-agent |
|---|---|
| Ubuntu Manager | macOS Agent |
The functionality of the macOS Ventura ruleset is in accordance with the expected behavior. Some of the changes implemented in this review:
These updates and refinements have contributed to the improved performance and efficacy of the macOS Ventura ruleset.
Unique IDs :green_circle:

Nothing to remark.

Inconsistent group and rule separator :yellow_circle:

The new macOS rules file separates groups from rules with a blank line. This style is not followed by all the rules in the repository. Which is the current standard?

Decoder names not clear enough :red_circle:
- **macOS_screensharingd_failure**: This decoder is used both when screensharingd authentication succeeds and when it fails. It should be renamed.

  ```
  2023-01-23 03:32:42.775333-0800 localhost screensharingd[3535]: Authentication: SUCCEEDED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: N/A
  2023-01-23 03:32:35.380619-0800 localhost screensharingd[3535]: Authentication: FAILED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: DH
  ```

- **macOS_loginwindow_1**: It is recommended to avoid the suffix `_1`.
- **macOS_securityd_process1**: Same as before. Also, the suffix style is not consistent.
- **macOS_securityd_process1**: Same as before.
Rule `89606` does not have any group :red_circle:

Rule `89606` should include `authentication_failed` and compliance-related groups.

```xml
<rule id="89606" level="5">
  <decoded_as>macOS_screensharingd</decoded_as>
  <regex>(?i)authentication.+failed</regex>
  <description>Attempt to connect to screen sharing with username $(dstuser) from $(ip_address) failed.</description>
  <mitre>
    <id>T1021</id>
  </mitre>
</rule>
```

Rule `89604` contains unexpected authentication_success group :red_circle:

Rule `89604` will be triggered at user logoff. However, it has the authentication_success group specified.
TCC
**Denied** :green_circle:

```
**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:22:26.410246-0800 localhost tccd[1030]: [com.apple.TCC:access] Update Access Record: kTCCServiceMicrophone for us.zoom.xos to Denied at 1674472946 (2023-01-23 11:22:26 +0000)'
	timestamp: '2023-01-23 03:22:26.410246-0800'
	program_name: 'tccd'

**Phase 2: Completed decoding.
	name: 'macOS_tccd'
	application: 'us.zoom.xos'
	service: 'kTCCServiceMicrophone'
	status: 'Denied'
	time: '11:22:26'

**Phase 3: Completed filtering (rules).
	id: '89601'
	level: '5'
	description: 'us.zoom.xos has been denied permission to kTCCServiceMicrophone at 11:22:26.'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1222.002']'
	mitre.tactic: '['Defense Evasion']'
	mitre.technique: '['Linux and Mac File and Directory Permissions Modification']'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated.
```

**Allowed** :green_circle:

```
**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:22:26.410246-0800 localhost tccd[1030]: [com.apple.TCC:access] Update Access Record: kTCCServiceMicrophone for us.zoom.xos to Allowed at 1674472946 (2023-01-23 11:22:26 +0000)'
	timestamp: '2023-01-23 03:22:26.410246-0800'
	program_name: 'tccd'

**Phase 2: Completed decoding.
	name: 'macOS_tccd'
	application: 'us.zoom.xos'
	service: 'kTCCServiceMicrophone'
	status: 'Allowed'
	time: '11:22:26'

**Phase 3: Completed filtering (rules).
	id: '89600'
	level: '5'
	description: 'us.zoom.xos has been granted permission to kTCCServiceMicrophone at 11:22:26.'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1222.002']'
	mitre.tactic: '['Defense Evasion']'
	mitre.technique: '['Linux and Mac File and Directory Permissions Modification']'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated.
```

loginwindow :green_circle:
- **Screen Unlock**

```
root@ip-172-31-11-91:/home/qa# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.0
Type one log per line

2023-01-23 03:14:00.792511-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:14:00.792511-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501'
	timestamp: '2023-01-23 03:14:00.792511-0800'
	program_name: 'loginwindow'

**Phase 2: Completed decoding.
	name: 'macOS_loginwindow'
	data: 'screenIsUnlocked'
	userID: '501'

**Phase 3: Completed filtering (rules).
	id: '89602'
	level: '3'
	description: 'Screen unlocked with userID:501.'
	groups: '['macOS', 'authentication_success']'
	firedtimes: '1'
	gdpr: '['IV_32.2']'
	gpg13: '['7.1', '7.2']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1078']'
	mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
	mitre.technique: '['Valid Accounts']'
	nist_800_53: '['AC.7', 'AU.14']'
	pci_dss: '['10.2.5']'
	tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
```

- **Screen locked**

```
**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:23:23.024641-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendDistributedNotification:forUserID:] | sendDistributedNotification: com.apple.screenIsLocked, with userID:501'
	timestamp: '2023-01-23 03:23:23.024641-0800'
	program_name: 'loginwindow'

**Phase 2: Completed decoding.
	name: 'macOS_loginwindow'

**Phase 3: Completed filtering (rules).
	id: '89603'
	level: '3'
	description: 'Screen locked.'
	groups: '['macOS', 'authentication_success']'
	firedtimes: '1'
	gdpr: '['IV_32.2']'
	gpg13: '['7.1', '7.2']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1078']'
	mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
	mitre.technique: '['Valid Accounts']'
	nist_800_53: '['AC.7', 'AU.14']'
	pci_dss: '['10.2.5']'
	tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
```

- **User logoff**

```
2023-01-23 04:15:35.281613-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendSystemBSDNotification:forUserID:] | sendSystemBSDNotification: com.apple.system.loginwindow.logoutNoReturn, with userID:0

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 04:15:35.281613-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendSystemBSDNotification:forUserID:] | sendSystemBSDNotification: com.apple.system.loginwindow.logoutNoReturn, with userID:0'
	timestamp: '2023-01-23 04:15:35.281613-0800'
	program_name: 'loginwindow'

**Phase 2: Completed decoding.
	name: 'macOS_loginwindow'

**Phase 3: Completed filtering (rules).
	id: '89604'
	level: '3'
	description: 'User logoff.'
	groups: '['macOS', 'authentication_success']'
	firedtimes: '1'
	gdpr: '['IV_32.2']'
	gpg13: '['7.1', '7.2']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1078']'
	mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
	mitre.technique: '['Valid Accounts']'
	nist_800_53: '['AC.7', 'AU.14']'
	pci_dss: '['10.2.5']'
	tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
```

- **User login**

```
2023-01-23 03:23:26.355213-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter doSpecialNotificationHandling:] | loginIsComplete, set session state to desktop showing

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:23:26.355213-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter doSpecialNotificationHandling:] | loginIsComplete, set session state to desktop showing'
	timestamp: '2023-01-23 03:23:26.355213-0800'
	program_name: 'loginwindow'

**Phase 2: Completed decoding.
	name: 'macOS_loginwindow'

**Phase 3: Completed filtering (rules).
	id: '89605'
	level: '3'
	description: 'User login.'
	groups: '['macOS', 'authentication_success']'
	firedtimes: '1'
	gdpr: '['IV_32.2']'
	gpg13: '['7.1', '7.2']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1078']'
	mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
	mitre.technique: '['Valid Accounts']'
	nist_800_53: '['AC.7', 'AU.14']'
	pci_dss: '['10.2.5']'
	tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
```

screensharing :green_circle:
- **Attempt to connect - Succeeded**

```
2023-01-23 03:32:35.380619-0800 localhost screensharingd[3535]: Authentication: FAILED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: DH

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:32:35.380619-0800 localhost screensharingd[3535]: Authentication: FAILED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: DH'
	timestamp: '2023-01-23 03:32:35.380619-0800'
	program_name: 'screensharingd'

**Phase 2: Completed decoding.
	name: 'macOS_screensharingd'
	action: 'FAILED'
	dstuser: 'macos'
	ip_address: '192.168.56.128'
	type: 'DH'

**Phase 3: Completed filtering (rules).
	id: '89606'
	level: '5'
	description: 'Attempt to connect to screen sharing with username macos from 192.168.56.128 failed.'
	groups: '['macOS']'
	firedtimes: '1'
	mail: 'False'
	mitre.id: '['T1021']'
	mitre.tactic: '['Lateral Movement']'
	mitre.technique: '['Remote Services']'
**Alert to be generated.
```

- **Attempt to connect - failed**

```
2023-01-23 03:32:42.775333-0800 localhost screensharingd[3535]: Authentication: SUCCEEDED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: N/A

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:32:42.775333-0800 localhost screensharingd[3535]: Authentication: SUCCEEDED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: N/A'
	timestamp: '2023-01-23 03:32:42.775333-0800'
	program_name: 'screensharingd'

**Phase 2: Completed decoding.
	name: 'macOS_screensharingd'
	action: 'SUCCEEDED'
	dstuser: 'macos'
	ip_address: '192.168.56.128'
	type: 'N/A'

**Phase 3: Completed filtering (rules).
	id: '89607'
	level: '3'
	description: 'Attempt to connect to screen sharing with username macos from 192.168.56.128 succeeded.'
	groups: '['macOS', 'authentication_success']'
	firedtimes: '1'
	gdpr: '['IV_32.2']'
	gpg13: '['7.1', '7.2']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1078']'
	mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
	mitre.technique: '['Valid Accounts']'
	nist_800_53: '['AC.7', 'AU.14']'
	pci_dss: '['10.2.5']'
	tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
```

security :green_circle:
- **Session created**

```
2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012'
	timestamp: '2023-01-23 02:58:08.982811-0800'
	program_name: 'securityd'

**Phase 2: Completed decoding.
	name: 'macOS_securityd_process'
	sessionId: '100012'
	uid: '1'

**Phase 3: Completed filtering (rules).
	id: '89608'
	level: '3'
	description: 'Session 100012 has been created.'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated.
```

- **Session destroyed**

```
2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed'
	timestamp: '2023-01-23 03:26:38.517706-0800'
	program_name: 'securityd'

**Phase 2: Completed decoding.
	name: 'macOS_securityd_process'
	sessionId: '3495'

**Phase 3: Completed filtering (rules).
	id: '89609'
	level: '3'
	description: 'Session 3495 has been destroyed.'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated.
```
TCCD rules/decoders :red_circle:
TCCD decoders do not correctly gather application, service, status, or time in the case of a System update access record.

**Logtest**

```
2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)

**Phase 1: Completed pre-decoding.
	full event: '2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)'
	timestamp: '2023-04-04 12:31:27.528499-0300'
	program_name: 'tccd'

**Phase 2: Completed decoding.
	name: 'macOS_tccd'

**Phase 3: Completed filtering (rules).
	id: '89600'
	level: '5'
	description: ' has been granted permission to  at .'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1222.002']'
	mitre.tactic: '['Defense Evasion']'
	mitre.technique: '['Linux and Mac File and Directory Permissions Modification']'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated.

---

2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Denied (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)

**Phase 1: Completed pre-decoding.
	full event: '2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Denied (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)'
	timestamp: '2023-04-04 12:31:27.528499-0300'
	program_name: 'tccd'

**Phase 2: Completed decoding.
	name: 'macOS_tccd'

**Phase 3: Completed filtering (rules).
	id: '89601'
	level: '5'
	description: ' has been denied permission to  at .'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1222.002']'
	mitre.tactic: '['Defense Evasion']'
	mitre.technique: '['Linux and Mac File and Directory Permissions Modification']'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated.
```

> **Note**
> The following events have been used for testing these decoders/rules:

```
2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)
2023-04-04 12:31:27.543450-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.identityservicesd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)
2023-04-04 12:31:27.547973-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.securityd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)
2023-04-04 12:31:27.547973-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.securityd to Denied (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)
```

Login Windows :red_circle:
The PR defined four Login Windows rules: `89602`, `89603`, `89604` and `89605`.

- `89602` :yellow_circle: : Rule works as expected for real events. Also, all fields are gathered correctly. However, the data name is too generic. We should rename it to fit this value better.
- `89603` :yellow_circle: : This rule works as expected. However, no fields were decoded by the decoder in this case. Why don't we get the userID in this case?
- `89604` :green_circle: : Rule works as expected.
- `89605` :red_circle: : In the environment, the proposed event was never triggered. Instead, the following was produced:

```
2023-01-23 03:23:26.355213-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendSystemBSDNotification:forUserID:] | sendSystemBSDNotification: com.apple.system.loginwindow.loginINitiated, with userID: 501
```

In addition, why don't we have any rule about authentication failure?

ScreenSharing :green_circle:
The PR defined four Login Windows rules: `89606` and `89607`.

- `89606` :green_circle: : Rule works as expected.
- `89607` :green_circle: : Rule works as expected.

Securityd :red_circle:
The PR defined four Login Windows rules: `89608` and `89609`.

- `89608` :red_circle: : The `-` before the uid value is not expected in all cases. This condition makes the decoder not gather the sessionID and the uid:

```
2023-04-04 14:28:51.146384-0300 localhost securityd[122]: [com.apple.securityd:SecServer] 0x7f9289a19240 Session 71803 created, uid:501 sessionId:71803

---

**Phase 1: Completed pre-decoding.
	full event: '2023-04-04 14:28:51.146384-0300 localhost securityd[122]: [com.apple.securityd:SecServer] 0x7f9289a19240 Session 71803 created, uid:501 sessionId:71803'
	timestamp: '2023-04-04 14:28:51.146384-0300'
	program_name: 'securityd'

**Phase 2: Completed decoding.
	name: 'macOS_securityd_process'

**Phase 3: Completed filtering (rules).
	id: '89608'
	level: '3'
	description: 'Session  has been created.'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated
```

  In addition, for each new session created, two events are triggered:

```
2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012
```

  and

```
2023-01-23 02:58:08.982811-0800 localhost securityd[129]: Session 100012 created
```

  So, for the same security event (new session), rule 89608 triggers two times (one of them without the uid decoded value). We should be more precise and avoid the `Session` event.

- `89609` :red_circle: : Similarly to `89608`, both events are generated when a session is destroyed:

```
2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed
```

  and

```
2023-01-23 03:26:38.517706-0800 localhost securityd[129]: Session 3495 destroyed
```

  We should be more precise and avoid the `Session ` event.
Timestamp format: `YYYY-MM-DD HH:mm:ss.ssssss+hh:mm`

Worked in ruleset testing. The deployed environment was provided without UI. This has made it impossible to replicate some of the security events. However, some issues were detected: https://github.com/wazuh/wazuh-qa/issues/3855#issuecomment-1423123415. Pending meeting with @72nomada about some changes and how to provide a new environment with UI.
First review cycle: https://github.com/wazuh/wazuh-qa/issues/3855#issuecomment-1423123415
| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16078/commits/fd022e7407d2ef47834e7ad781557c9292dfdc3a |
Inconsistent group and rule separator :yellow_circle:

We should standardize this for future rules:

```
The new macOS rules file separates groups from rules with a blank line. This style is not followed by all the rules in the repository. Which is the current standard?
```

Decoder names not clear enough :green_circle:
Decoders names were renamed satisfactorily.
Rule `89604` contains unexpected authentication_success group :green_circle:

The unexpected group was removed correctly.

Rule `89606` does not have any group :green_circle:

Rule now includes the expected groups:

```
authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
```
TCCD :green_circle:
### **Update Access Record** :green_circle:

**Allow (System Update)**

```
*Phase 1: Completed pre-decoding.
	full event: '2023-04-11 12:45:54.381431-0200 localhost tccd[162]: [com.apple.TCC:access] Update Access Record: kTCCServiceAccessibility for com.teamviewer.TeamViewer to Allowed (System Set) (v1) at 1681209954 (2023-04-11 10:45:54 +0000)'
	timestamp: '2023-04-11 12:45:54.381431-0200'
	program_name: 'tccd'

**Phase 2: Completed decoding.
	name: 'macOS_tccd'
	application: 'com.teamviewer.TeamViewer'
	service: 'kTCCServiceAccessibility'
	status: 'Allowed'
	time: '10:45:54'

**Phase 3: Completed filtering (rules).
	id: '89600'
	level: '5'
	description: 'com.teamviewer.TeamViewer has been granted permission to kTCCServiceAccessibility at 10:45:54.'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1222.002']'
	mitre.tactic: '['Defense Evasion']'
	mitre.technique: '['Linux and Mac File and Directory Permissions Modification']'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated.
```

**Denied (System Update)**

```
2023-04-11 12:45:06.245643-0200 localhost tccd[162]: [com.apple.TCC:access] Update Access Record: kTCCServiceScreenCapture for com.teamviewer.TeamViewer to Denied (System Set) (v1) at 1681209906 (2023-04-11 10:45:06 +0000)

**Phase 1: Completed pre-decoding.
	full event: '2023-04-11 12:45:06.245643-0200 localhost tccd[162]: [com.apple.TCC:access] Update Access Record: kTCCServiceScreenCapture for com.teamviewer.TeamViewer to Denied (System Set) (v1) at 1681209906 (2023-04-11 10:45:06 +0000)'
	timestamp: '2023-04-11 12:45:06.245643-0200'
	program_name: 'tccd'

**Phase 2: Completed decoding.
	name: 'macOS_tccd'
	application: 'com.teamviewer.TeamViewer'
	service: 'kTCCServiceScreenCapture'
	status: 'Denied'
	time: '10:45:06'

**Phase 3: Completed filtering (rules).
	id: '89601'
	level: '5'
	description: 'com.teamviewer.TeamViewer has been denied permission to kTCCServiceScreenCapture at 10:45:06.'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1222.002']'
	mitre.tactic: '['Defense Evasion']'
	mitre.technique: '['Linux and Mac File and Directory Permissions Modification']'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated.
```

LoginWindow :red_circle:
### **Screen unlocked** :green_circle:

```
2023-01-23 03:14:00.792511-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:14:00.792511-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501'
	timestamp: '2023-01-23 03:14:00.792511-0800'
	program_name: 'loginwindow'

**Phase 2: Completed decoding.
	name: 'macOS_loginwindow'
	userID: '501'

**Phase 3: Completed filtering (rules).
	id: '89602'
	level: '3'
	description: 'Screen unlocked with userID:501.'
	groups: '['macOS', 'authentication_success']'
	firedtimes: '1'
	gdpr: '['IV_32.2']'
	gpg13: '['7.1', '7.2']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1078']'
	mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
	mitre.technique: '['Valid Accounts']'
	nist_800_53: '['AC.7', 'AU.14']'
	pci_dss: '['10.2.5']'
	tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
```

### **Screen locked** :red_circle:

Desired events do not match the new regex `sendBSDNotification: \w+.\w+.\w+.screenIsLocked` included in https://github.com/wazuh/wazuh/commit/129838db70ffb218024042823eab56a8358e38a6. This will also make runtest fail.

```
2023-01-23 03:23:23.024641-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendDistributedNotification:forUserID:] | sendDistributedNotification: com.apple.screenIsLocked, with userID:501

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:23:23.024641-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendDistributedNotification:forUserID:] | sendDistributedNotification: com.apple.screenIsLocked, with userID:501'
	timestamp: '2023-01-23 03:23:23.024641-0800'
	program_name: 'loginwindow'

**Phase 2: Completed decoding.
	name: 'macOS_loginwindow'
```

### **Logoff** :green_circle:

```
2023-04-04 22:45:23.876866-0200 localhost loginwindow[167]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.loginwindow.logoutNoReturn, with userID:501

**Phase 1: Completed pre-decoding.
	full event: '2023-04-04 22:45:23.876866-0200 localhost loginwindow[167]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.loginwindow.logoutNoReturn, with userID:501'
	timestamp: '2023-04-04 22:45:23.876866-0200'
	program_name: 'loginwindow'

**Phase 2: Completed decoding.
	name: 'macOS_loginwindow'
	userID: '501'

**Phase 3: Completed filtering (rules).
	id: '89604'
	level: '3'
	description: 'User logoff.'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_32.2']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1078']'
	mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
	mitre.technique: '['Valid Accounts']'
	nist_800_53: '['AC.7', 'AU.14']'
	pci_dss: '['10.2.5']'
	tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
```

### **Login** :green_circle:

Expected event is correct.

```
2023-04-06 12:03:53.272073-0200 localhost loginwindow[163]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter doSpecialNotificationHandling:] | loginIsComplete, set session state to desktop showing

**Phase 1: Completed pre-decoding.
	full event: '2023-04-06 12:03:53.272073-0200 localhost loginwindow[163]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter doSpecialNotificationHandling:] | loginIsComplete, set session state to desktop showing'
	timestamp: '2023-04-06 12:03:53.272073-0200'
	program_name: 'loginwindow'

**Phase 2: Completed decoding.
	name: 'macOS_loginwindow'

**Phase 3: Completed filtering (rules).
	id: '89605'
	level: '3'
	description: 'User login.'
	groups: '['macOS', 'authentication_success']'
	firedtimes: '1'
	gdpr: '['IV_32.2']'
	gpg13: '['7.1', '7.2']'
	hipaa: '['164.312.b']'
	mail: 'False'
	mitre.id: '['T1078']'
	mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
	mitre.technique: '['Valid Accounts']'
	nist_800_53: '['AC.7', 'AU.14']'
	pci_dss: '['10.2.5']'
	tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
```

SecurityD :red_circle:
### **Session created** :red_circle:

A negative uid is still a possibility. The decoder should allow positive and negative uid values. In addition, the new decoder makes runtest fail.

```
2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012'
	timestamp: '2023-01-23 02:58:08.982811-0800'
	program_name: 'securityd'

**Phase 2: Completed decoding.
	name: 'macOS_securityd'
	sessionId: '100012'
	uid: '1'
```

### **Session destroyed** :green_circle:

```
2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed

**Phase 1: Completed pre-decoding.
	full event: '2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed'
	timestamp: '2023-01-23 03:26:38.517706-0800'
	program_name: 'securityd'

**Phase 2: Completed decoding.
	name: 'macOS_securityd'
	sessionId: '3495'

**Phase 3: Completed filtering (rules).
	id: '89609'
	level: '3'
	description: 'Session 3495 has been destroyed.'
	groups: '['macOS']'
	firedtimes: '1'
	gdpr: '['IV_35.7.d']'
	hipaa: '['164.312.b']'
	mail: 'False'
	nist_800_53: '['AU.6']'
	pci_dss: '['10.6.1']'
	tsc: '['CC7.2', 'CC7.3']'
**Alert to be generated
```
If we change the events for which we expect to trigger rules, we need to change the cases presented in the `ruleset/testing/tests/macos.ini` file. Otherwise, the tests will fail.
Regarding the system events (securityd), after talking with @72nomada, for now we are going to ignore the system event in this case. We will consider them in a future rework of the ruleset.
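The decoding issues raised across this review (the `(System Set) (v1)` tccd record, the negative securityd `uid`, the `sendDistributedNotification` form of `screenIsLocked`, and the bare `Session ... created` duplicate) come down to field extraction on a handful of log shapes. The following is an added reference implementation in Python, not the Wazuh ruleset's own decoders (those are OSRegex XML); it extracts the same field names the logtest output above shows and handles every variant quoted in the thread, with the sample lines taken from the review's own logtest runs.

```python
import re
from typing import Optional

# Syslog-style header produced by "log stream --style syslog":
# "<date> <time+offset> <host> <program>[<pid>]: <message>"
HEADER = re.compile(
    r"^(?P<timestamp>\d{4}-\d\d-\d\d \S+) \S+ (?P<program_name>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)

# tccd: the "(System Set) (v1)" suffix is optional; that is the variant the
# original decoder failed to capture, leaving an empty rule description.
TCCD = re.compile(
    r"Update Access Record: (?P<service>\S+) for (?P<application>\S+) to "
    r"(?P<status>Allowed|Denied)(?: \(System Set\) \(v\d+\))? at \d+ "
    r"\(\S+ (?P<time>\d\d:\d\d:\d\d) \+0000\)"
)

# securityd: only the SecServer-tagged line is decoded, so the bare duplicate
# "securityd[129]: Session 100012 created" yields no event (one alert per
# session instead of two). The uid keeps its sign, so -1 survives.
SECURITYD = re.compile(
    r"\[com\.apple\.securityd:SecServer\] 0x[0-9a-f]+ Session (?P<sessionId>\d+) "
    r"(?P<event>created|destroyed)(?:, uid:(?P<uid>-?\d+) sessionId:\d+)?"
)

# loginwindow: accept BSD, Distributed and SystemBSD notifications, so
# "sendDistributedNotification: com.apple.screenIsLocked" (missed by a regex
# anchored on sendBSDNotification) is decoded like the others.
LOGINWINDOW = re.compile(
    r"send(?:BSD|Distributed|SystemBSD)Notification: (?P<data>[\w.]+), "
    r"with userID:\s*(?P<userID>\d+)"
)
LOGIN_COMPLETE = re.compile(r"\| (?P<data>loginIsComplete),")

SCREENSHARING = re.compile(
    r"Authentication: (?P<action>SUCCEEDED|FAILED) :: User Name: (?P<dstuser>\S+) "
    r":: Viewer Address: (?P<ip_address>\S+) :: Type: (?P<type>\S+)"
)

BODY_DECODERS = {
    "tccd": (TCCD,),
    "securityd": (SECURITYD,),
    "loginwindow": (LOGINWINDOW, LOGIN_COMPLETE),
    "screensharingd": (SCREENSHARING,),
}


def decode(line: str) -> Optional[dict]:
    """Return the decoded fields for one log line, or None if no decoder claims it."""
    head = HEADER.match(line)
    if head is None:
        return None
    program = head.group("program_name")
    for pattern in BODY_DECODERS.get(program, ()):
        body = pattern.search(head.group("msg"))
        if body is not None:
            fields = {"program_name": program, "timestamp": head.group("timestamp")}
            # Drop optional groups that did not participate (e.g. uid on "destroyed").
            fields.update({k: v for k, v in body.groupdict().items() if v is not None})
            return fields
    return None


def decode_all(lines):
    """Decode a batch of lines, keeping only the ones a decoder matched."""
    return [d for d in (decode(line) for line in lines) if d is not None]


# Sample input: lines quoted from the logtest runs in this review (not constructed).
SAMPLE_EVENTS = [
    "2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)",
    "2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012",
    "2023-01-23 02:58:08.982811-0800 localhost securityd[129]: Session 100012 created",
    "2023-01-23 03:23:23.024641-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendDistributedNotification:forUserID:] | sendDistributedNotification: com.apple.screenIsLocked, with userID:501",
    "2023-01-23 03:32:35.380619-0800 localhost screensharingd[3535]: Authentication: FAILED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: DH",
]

if __name__ == "__main__":
    for fields in decode_all(SAMPLE_EVENTS):
        print(fields)
```

The bare `Session 100012 created` line is the one `decode` returns `None` for, which is the "avoid the `Session` event" behaviour the review asks for.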
| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16078/commits/6a5924302189d5523149729c1b5f15f826b4629b |
| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16078/commits/eaaa5b84aaa125a7ed6ffe873cc1425ad921c564 |
`.` at the end of 89603 description :yellow_circle:

| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16078/commits/fff9c3d77a959b260533ad38ea03ee4aef391694 |
Final approve is blocked until PR checks are finished and passed.
`.` at the end of 89603 description :green_circle:

It has been detected that no macOS ULS logs monitoring configuration is used by default. This could be confusing for users, because it is challenging to know which query is required to filter the events expected by the new ruleset correctly. After a meeting with @72nomada and @ooniagbi, we have agreed to include this default configuration in the macOS agent.
This fix is required in order to perform the final testing. Until this PR is merged, this issue is blocked.
| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16078/commits/803f1cc314d2ad8626ed6acf14c3ffea0e640592 |
Blocked until https://github.com/wazuh/wazuh/issues/16751

macOS Monterey: ossec.conf
Some issues have been detected during the E2E testing:

These behaviors were fixed in https://github.com/wazuh/wazuh/pull/16078/commits/28a53e96487b9b9a7e26dcd016aba5df0f1c6708. However, proper testing is required.
| Tester | PR commit |
|---|---|
| @Rebits | https://github.com/wazuh/wazuh/pull/16078/commits/a7ac96760f4a2cbccf9fad90f411e37cb302cfb0 |
macOS Ventura :green_circle:
Expected localfile was correctly added:

```xml
<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query type="trace,log,activity" level="info">(process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")</query>
</localfile>
```

macOS log command is correctly monitoring:

```
2023/04/27 13:00:30 wazuh-logcollector: INFO: (1604): Monitoring macOS logs with: /usr/bin/log stream --style syslog --type activity --type log --type trace --level info --predicate (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd").
```

No errors or warnings were detected in the agent.

macOS Monterey :green_circle:
Expected localfile was correctly added:

```
<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query>(process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")</query>
</localfile>
```

macOS log command is correctly monitoring:

```
2023/04/27 13:36:28 wazuh-logcollector: INFO: (1604): Monitoring macOS logs with: /usr/bin/log stream --style syslog --type activity --type log --type trace --level info --predicate (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd").
```

No errors or warnings were detected in the agent.

macOS Catalina :green_circle:
Expected localfile was correctly added:

```
<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query>(process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")</query>
</localfile>
```

macOS log command is correctly monitoring:

```
2023/04/27 04:38:04 wazuh-logcollector: INFO: (1604): Monitoring macOS logs with: /usr/bin/log stream --style syslog --type activity --type log --type trace --level info --predicate (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd").
```
Login
```
{"timestamp":"2023-04-27T12:18:07.327+0000","rule":{"level":3,"description":"User login.","id":"89605","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:9C19:22FF:FE0B:FF5E"},"manager":{"name":"ip-172-31-25-129"},"id":"1682597887.1205421","full_log":"2023-04-27 14:18:03.291495+0200 localhost loginwindow[54283]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendDistributedNotification:forUserID:] | sendDistributedNotification: com.apple.sessionDidLogin, with userID:501","predecoder":{"program_name":"loginwindow","timestamp":"2023-04-27 14:18:03.291495+0200"},"decoder":{"name":"macOS_loginwindow"},"data":{"userID":"501"},"location":"macos"}
```

Log off
```
{"timestamp":"2023-04-27T12:17:51.207+0000","rule":{"level":3,"description":"User logoff.","id":"89604","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:9C19:22FF:FE0B:FF5E"},"manager":{"name":"ip-172-31-25-129"},"id":"1682597871.1204942","full_log":"2023-04-27 14:17:46.639541+0200 localhost sessionlogoutd[54237]: (loginsupport) [com.apple.sessionlogoutd:SLOD_General] -[SessionLogoutd continueLogoutAfterDelayOptionsComplete]:456: sessionlogoutd telling session agent, logout is complete.","predecoder":{"program_name":"sessionlogoutd","timestamp":"2023-04-27 14:17:46.639541+0200"},"decoder":{"name":"macOS_sessionlogoutd"},"location":"macos"}
```

Screen Locked
```
{"timestamp":"2023-04-27T12:16:41.150+0000","rule":{"level":3,"description":"Screen locked with userID:501.","id":"89603","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:9C19:22FF:FE0B:FF5E"},"manager":{"name":"ip-172-31-25-129"},"id":"1682597801.1203279","full_log":"2023-04-27 14:16:39.338178+0200 localhost loginwindow[165]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsLocked, with userID:501","predecoder":{"program_name":"loginwindow","timestamp":"2023-04-27 14:16:39.338178+0200"},"decoder":{"name":"macOS_loginwindow"},"data":{"userID":"501"},"location":"macos"}
```

Screen Unlocked
```
{"timestamp":"2023-04-27T12:17:29.178+0000","rule":{"level":3,"description":"Screen unlocked with userID:501.","id":"89602","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:9C19:22FF:FE0B:FF5E"},"manager":{"name":"ip-172-31-25-129"},"id":"1682597849.1204388","full_log":"2023-04-27 14:17:22.687780+0200 localhost loginwindow[165]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501","predecoder":{"program_name":"loginwindow","timestamp":"2023-04-27 14:17:22.687780+0200"},"decoder":{"name":"macOS_loginwindow"},"data":{"userID":"501"},"location":"macos"}
```

Update Access Record
```
{"timestamp":"2023-04-27T14:22:30.110+0000","rule":{"level":5,"description":"com.teamviewer.TeamViewer has been granted permission to kTCCServiceMicrophone at 14:22:22.","id":"89600","mitre":{"id":["T1222.002"],"tactic":["Defense Evasion"],"technique":["Linux and Mac File and Directory Permissions Modification"]},"firedtimes":3,"mail":false,"groups":["macOS"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"001","name":"MacBook-Air-de-Mariajo.local","ip":"FE80:0000:0000:0000:C805:77FF:FEAB:886A"},"manager":{"name":"ip-172-31-25-129"},"id":"1682605350.1229055","full_log":"2023-04-27 16:22:22.162329+0200 localhost tccd[596]: [com.apple.TCC:access] Update Access Record: kTCCServiceMicrophone for com.teamviewer.TeamViewer to Allowed (System Set) (v1) at 1682605342 (2023-04-27 14:22:22 +0000)\n\t CodeReq: anchor apple generic and identifier \"com.teamviewer.TeamViewer\" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)\n\t Indirect : Unused","predecoder":{"program_name":"tccd","timestamp":"2023-04-27 16:22:22.162329+0200"},"decoder":{"name":"macOS_tccd"},"data":{"status":"Allowed","service":"kTCCServiceMicrophone","application":"com.teamviewer.TeamViewer","time":"14:22:22"},"location":"macos"}
---
{"timestamp":"2023-04-27T14:22:48.153+0000","rule":{"level":5,"description":"com.teamviewer.TeamViewer has been denied permission to kTCCServiceMicrophone at 14:22:41.","id":"89601","mitre":{"id":["T1222.002"],"tactic":["Defense Evasion"],"technique":["Linux and Mac File and Directory Permissions Modification"]},"firedtimes":2,"mail":false,"groups":["macOS"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"001","name":"MacBook-Air-de-Mariajo.local","ip":"FE80:0000:0000:0000:C805:77FF:FEAB:886A"},"manager":{"name":"ip-172-31-25-129"},"id":"1682605368.1230004","full_log":"2023-04-27 16:22:41.806638+0200 localhost tccd[596]: [com.apple.TCC:access] Update Access Record: kTCCServiceMicrophone for com.teamviewer.TeamViewer to Denied (System Set) (v1) at 1682605361 (2023-04-27 14:22:41 +0000)\n\t CodeReq: anchor apple generic and identifier \"com.teamviewer.TeamViewer\" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)\n\t Indirect : Unused","predecoder":{"program_name":"tccd","timestamp":"2023-04-27 16:22:41.806638+0200"},"decoder":{"name":"macOS_tccd"},"data":{"status":"Denied","service":"kTCCServiceMicrophone","application":"com.teamviewer.TeamViewer","time":"14:22:41"},"location":"macos"}
```

Securityd
```
{"timestamp":"2023-04-27T14:09:14.826+0000","rule":{"level":3,"description":"Session 100016 has been created.","id":"89608","firedtimes":1,"mail":false,"groups":["macOS"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:0479:B5FF:FEC2:BC3B"},"manager":{"name":"ip-172-31-25-129"},"id":"1682604554.1223377","full_log":"2023-04-27 16:09:00.818727+0200 localhost securityd[130]: [com.apple.securityd:SecServer] 0x7fa3ed111e60 Session 100016 created, uid:501 sessionId:100016","predecoder":{"program_name":"securityd","timestamp":"2023-04-27 16:09:00.818727+0200"},"decoder":{"name":"macOS_securityd"},"data":{"uid":"501","sessionId":"100016"},"location":"macos"}
```

Screen Sharing
```
{"timestamp":"2023-04-27T14:12:50.998+0000","rule":{"level":3,"description":"Attempt to connect to screen sharing with username mariajo from 192.168.10.83 succeeded.","id":"89607","mitre":{"id":["T1021","T1078"],"tactic":["Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Remote Services","Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"MacBook-Air-de-Mariajo.local","ip":"FE80:0000:0000:0000:C805:77FF:FEAB:886A"},"manager":{"name":"ip-172-31-25-129"},"id":"1682604770.1225287","full_log":"2023-04-27 16:12:44.040442+0200 localhost screensharingd[2492]: Authentication: SUCCEEDED :: User Name: mariajo :: Viewer Address: 192.168.10.83 :: Type: Kerberos","predecoder":{"program_name":"screensharingd","timestamp":"2023-04-27 16:12:44.040442+0200"},"decoder":{"name":"macOS_screensharingd"},"data":{"action":"SUCCEEDED","dstuser":"mariajo","ip_address":"192.168.10.83","type":"Kerberos"},"location":"macos"}
```

No warnings appear in the agent or manager logs during E2E testing
Previously reported warnings no longer appear in the macOS agent
Everything seems to be working properly
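As an added example (not code from the PR or from the Wazuh ruleset), the check below re-decodes the `full_log` of alerts like the ones above into the same `data.*` fields and confirms that the rule groups fit the event, so a logoff or a failed screen-sharing login is never tagged `authentication_success`. The regular expressions are written here to mirror the log lines shown on this page; they are not the project's decoder XML.

```python
import re
# Regexes written for this example; field names follow the data.* keys shown in
# the alerts above, not the project's decoder XML.
DECODERS = {
    "macOS_screensharingd": re.compile(
        r"screensharingd\[\d+\]: Authentication: (?P<action>SUCCEEDED|FAILED) :: "
        r"User Name: (?P<dstuser>\S+) :: Viewer Address: (?P<ip_address>\S+) :: "
        r"Type: (?P<type>\S+)"),
    "macOS_tccd": re.compile(
        r"tccd\[\d+\]: \[com\.apple\.TCC:access\] Update Access Record: "
        r"(?P<service>\S+) for (?P<application>\S+) to (?P<status>Allowed|Denied)"
        r".*?\(\d{4}-\d{2}-\d{2} (?P<time>\d{2}:\d{2}:\d{2}) \+0000\)"),
    "macOS_sessionlogoutd": re.compile(r"sessionlogoutd\[\d+\]: .*logout is complete\."),
}

def decode(line):
    """Return (decoder_name, extracted fields) for a macOS log line, or None."""
    for name, rx in DECODERS.items():
        m = rx.search(line)
        if m:
            return name, m.groupdict()
    return None

def expected_groups(decoder, fields):
    """Only a successful authentication earns authentication_success; a failed
    one gets authentication_failed; a logoff or TCC change stays plain macOS."""
    groups = ["macOS"]
    if decoder == "macOS_screensharingd":
        groups.append("authentication_success" if fields["action"] == "SUCCEEDED"
                      else "authentication_failed")
    return groups

def audit_alert(alert):
    """Re-decode alert['full_log'] and list each inconsistency with the alert's
    decoder name, data fields and rule groups; an empty list means consistent."""
    decoded = decode(alert["full_log"])
    if decoded is None:
        return ["no decoder matched full_log"]
    name, fields = decoded
    problems = []
    if alert["decoder"]["name"] != name:
        problems.append(f"decoder: alert says {alert['decoder']['name']}, log is {name}")
    data = alert.get("data", {})
    for key, value in fields.items():
        if data.get(key) != value:
            problems.append(f"data.{key}: alert has {data.get(key)!r}, log has {value!r}")
    have, want = set(alert["rule"]["groups"]), set(expected_groups(name, fields))
    if have != want:
        problems.append(f"groups: alert has {sorted(have)}, expected {sorted(want)}")
    return problems
```

Feed it the `alerts.json` records from a test run and any non-empty result is a decoder or rule regression worth a review comment.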
Description
This PR improves the current ruleset by adding the decoders/rules needed to manage and alert on the logs collected from macOS 13.0 Ventura systems.
Configuration options
The Wazuh agent on macOS systems would require the following addition to the `ossec.conf` file:

Logs/Alerts example
Sample log:

```
2023-01-23 03:25:25.058668-0800 localhost tccd[155]: [com.apple.TCC:access] Update Access Record: kTCCServiceScreenCapture for com.apple.screensharing.agent to Allowed at 1674473125 (2023-01-23 11:25:25 +0000) CodeReq: None Indirect : Unused
```
Alert:
Tests
- Compilation without warnings in every supported platform
- [ ] Source installation
- [ ] Package installation
- [ ] Source upgrade
- [ ] Package upgrade
- [ ] Review logs syntax and correct language
- [ ] QA templates contemplate the added capabilities
- Memory tests for macOS