macOS Ruleset

[72nomada]

Target version	Related issue	Related PR
4.4.1	https://github.com/wazuh/wazuh/issues/15567	https://github.com/wazuh/wazuh/pull/16078

Description

This PR improves the current Ruleset by adding the decoder/rules to manage and alert from analyzing the logs collected from macOS 13.0 Ventura system.

Configuration options

The Wazuh agent on macOS systems would require the following addition to the ossec.conf file:

<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query type="trace,log,activity" level="info">(process == "sudo") or (process == "sshd") or (process == "tccd") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")</query>
</localfile>

Logs/Alerts example

Sample log: 2023-01-23 03:25:25.058668-0800 localhost tccd[155]: [com.apple.TCC:access] Update Access Record: kTCCServiceScreenCapture for com.apple.screensharing.agent to Allowed at 1674473125 (2023-01-23 11:25:25 +0000) CodeReq: None Indirect : Unused

Alert:

**Messages:
    INFO: (7202): Session initialized with token '8e353892'

**Phase 1: Completed pre-decoding.
    full event: '2023-01-23 03:25:25.058668-0800 localhost tccd[155]: [com.apple.TCC:access] Update Access Record: kTCCServiceScreenCapture for com.apple.screensharing.agent to Allowed at 1674473125 (2023-01-23 11:25:25 +0000) CodeReq: None Indirect : Unused'
    timestamp: '2023-01-23 03:25:25.058668-0800'
    program_name: 'tccd'

**Phase 2: Completed decoding.
    name: 'macOS_tccd'
    application: 'com.apple.screensharing.agent'
    service: 'kTCCServiceScreenCapture'
    status: 'Allowed'
    time: '11:25:25'

**Phase 3: Completed filtering (rules).
    id: '110001'
    level: '5'
    description: 'com.apple.screensharing.agent has been granted permission to kTCCServiceScreenCapture at 11:25:25'
    groups: '["macOS"]'
    firedtimes: '1'
    gdpr: '["IV_35.7.d"]'
    hipaa: '["164.312.b"]'
    mail: 'false'
    mitre.id: '["T1222.002"]'
    mitre.tactic: '["Defense Evasion"]'
    mitre.technique: '["Linux and Mac File and Directory Permissions Modification"]'
    nist_800_53: '["AU.6"]'
    pci_dss: '["10.6.1"]'
    tsc: '["CC7.2","CC7.3"]'
**Alert to be generated. 

Tests

• Compilation without warnings in every supported platform

  • [ ] MAC OS X

• [ ] Source installation

• [ ] Package installation

• [ ] Source upgrade

• [ ] Package upgrade

• [ ] Review logs syntax and correct language

• [ ] QA templates contemplate the added capabilities

• Memory tests for macOS

  • [ ] Scan-build report
  • [ ] Leaks
  • [ ] AddressSanitizer

• [ ] Retrocompatibility with older Wazuh versions
• [ ] Working on cluster environments
• [ ] Configuration on demand reports new parameters
• [ ] The data flow works as expected (agent-manager-api-app)
• [ ] Added unit tests (for new features)
• [ ] Stress test for affected components

• Decoder/Rule tests
  • [ ] Added unit testing files ".ini"
  • [ ] runtests.py executed without errors

[Rebits]

Tester review

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/pull/16078/commits/d6713614e13625bc857176298fbfd0259926cce6

Testing environment

OS	OS version	Deployment	Image/AMI	Notes
macOS	12.0.1/Monterey	Vagrant	-
macOS	13.2/Ventura	VMWare	-

Tested packages

wazuh-manager	wazuh-agent
Ubuntu Manager	macOS Agent

Status

• [x] In progress
• [x] Pending Review
• [x] QA Manager approved (@juliamagan )
• [x] Development team leader approved (@72nomada )

Conclusion :green_circle:

The functionality of the macOS Ventura ruleset is in accordance with the expected behavior. Some of the changes implemented in this review:

• Renamed decoders/rules to adhere to standard naming conventions.
• Integrated missing groups into relevant rules.
• Eliminated incorrect groups from certain rules.
• Rectified TCCD decoders to effectively capture application, service, status, and time.
• Modified target events to prevent duplicate alerts for identical security events.
• Added a default macOS localfile block.
• Enhanced loginwindows decoders to accurately capture userID.
• Addressed and resolved issues with ruleset test cases.
• Adjusted securityd rules to exclude events with negative IDs.
• Enhanced some rules descriptions.
• Change target events for login and logoff to avoid they trigger when screen is locked/unlocked

These updates and refinements have contributed to the improved performance and efficacy of the macOS Ventura ruleset.

[Rebits]

Testing results :red_circle:

Manager upgrade :green_circle:

The upgrade works as expected. New decoders and rules were included with the right permissions. ``` root@ip-172-31-15-142:/home/qa# /var/ossec/bin/wazuh-control info WAZUH_VERSION="v4.3.10" WAZUH_REVISION="40323" WAZUH_TYPE="server" root@ip-172-31-15-142:/home/qa# ls /var/ossec/ruleset/decoders/0580-macos_decoders.xml ls: cannot access '/var/ossec/ruleset/decoders/0580-macos_decoders.xml': No such file or directory root@ip-172-31-15-142:/home/qa# apt-get install wazuh-manager_4.4.0-0.commitd671361_amd64.deb Reading package lists... Done Building dependency tree... Done Reading state information... Done E: Unable to locate package wazuh-manager_4.4.0-0.commitd671361_amd64.deb E: Couldn't find any package by glob 'wazuh-manager_4.4.0-0.commitd671361_amd64.deb' E: Couldn't find any package by regex 'wazuh-manager_4.4.0-0.commitd671361_amd64.deb' root@ip-172-31-15-142:/home/qa# apt-get install ./wazuh-manager_4.4.0-0.commitd671361_amd64.deb Reading package lists... Done Building dependency tree... Done Reading state information... Done Note, selecting 'wazuh-manager' instead of './wazuh-manager_4.4.0-0.commitd671361_amd64.deb' The following packages were automatically installed and are no longer required: libpython2-dev libpython2.7 libpython2.7-dev linux-image-5.13.0-1021-aws linux-modules-5.13.0-1021-aws python2-dev python2.7-dev Use 'sudo apt autoremove' to remove them. The following packages will be upgraded: wazuh-manager 1 upgraded, 0 newly installed, 0 to remove and 219 not upgraded. Need to get 0 B/122 MB of archives. After this operation, 6,979 kB of additional disk space will be used. Get:1 /home/qa/wazuh-manager_4.4.0-0.commitd671361_amd64.deb wazuh-manager amd64 4.4.0-0.commitd671361 [122 MB] (Reading database ... 138895 files and directories currently installed.) Preparing to unpack .../wazuh-manager_4.4.0-0.commitd671361_amd64.deb ... Unpacking wazuh-manager (4.4.0-0.commitd671361) over (4.3.10-1) ... Setting up wazuh-manager (4.4.0-0.commitd671361) ... Scanning processes... Scanning linux images... Running kernel seems to be up-to-date. No services need to be restarted. No containers need to be restarted. No user sessions are running outdated binaries. No VM guests are running outdated hypervisor (qemu) binaries on this host. N: Download is performed unsandboxed as root as file '/home/qa/wazuh-manager_4.4.0-0.commitd671361_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied) root@ip-172-31-15-142:/home/qa# ls -la /var/ossec/ruleset/decoders/0580-macos_decoders.xml -rw-r----- 1 root wazuh 1547 Feb 3 10:46 /var/ossec/ruleset/decoders/0580-macos_decoders.xml ```

Review logs syntax and correct language :red_circle:

Unique IDs :green_circle:

Nothing to remark

Inconsistent group and rule separator :yellow_circle:

The new macOS rules file separates groups from rules with a white line. This style is not fulfilled by all the rules in the repository. Which is the current standard? ``` ```

Decoder names not clear enough :red_circle:

- **macOS_screensharingd_failure**: This decoder is used in case screensharingd authentication succeeds or fails. It should be renamed ``` 2023-01-23 03:32:42.775333-0800 localhost screensharingd[3535]: Authentication: SUCCEEDED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: N/A 2023-01-23 03:32:35.380619-0800 localhost screensharingd[3535]: Authentication: FAILED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: DH ``` - **macOS_loginwindow_1**: It is recommended to avoid suffix `_1` - **macOS_securityd_process1**: Same as before. Also, the suffix style is not consistent - **macOS_securityd_process1**: Same as before

Rules contains expected groups :red_circle:

Rule `89606` do not have any group :red_circle:

Rule `89606` should include `authentication_failed` and compliance-related groups. ``` macOS_screensharingd (?i)authentication.+failed Attempt to connect to screen sharing with username $(dstuser) from $(ip_address) failed. T1021 ```

Rule 89604 contains unexpected authentication_success group :red_circle:

Rule 89604 will be triggered at user logoff. However it has specified the authentication_success group.

Decoder/Rule tests - Proposed macOS events :green_circle:

TCC

**Denied** :green_circle: ``` **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:22:26.410246-0800 localhost tccd[1030]: [com.apple.TCC:access] Update Access Record: kTCCServiceMicrophone for us.zoom.xos to Denied at 1674472946 (2023-01-23 11:22:26 +0000)' timestamp: '2023-01-23 03:22:26.410246-0800' program_name: 'tccd' **Phase 2: Completed decoding. name: 'macOS_tccd' application: 'us.zoom.xos' service: 'kTCCServiceMicrophone' status: 'Denied' time: '11:22:26' **Phase 3: Completed filtering (rules). id: '89601' level: '5' description: 'us.zoom.xos has been denied permission to kTCCServiceMicrophone at 11:22:26.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1222.002']' mitre.tactic: '['Defense Evasion']' mitre.technique: '['Linux and Mac File and Directory Permissions Modification']' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. ``` **Allowed** :green_circle: ``` **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:22:26.410246-0800 localhost tccd[1030]: [com.apple.TCC:access] Update Access Record: kTCCServiceMicrophone for us.zoom.xos to Allowed at 1674472946 (2023-01-23 11:22:26 +0000)' timestamp: '2023-01-23 03:22:26.410246-0800' program_name: 'tccd' **Phase 2: Completed decoding. name: 'macOS_tccd' application: 'us.zoom.xos' service: 'kTCCServiceMicrophone' status: 'Allowed' time: '11:22:26' **Phase 3: Completed filtering (rules). id: '89600' level: '5' description: 'us.zoom.xos has been granted permission to kTCCServiceMicrophone at 11:22:26.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1222.002']' mitre.tactic: '['Defense Evasion']' mitre.technique: '['Linux and Mac File and Directory Permissions Modification']' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. ```

loginwindow :green_circle:

- **Screen Unlock** ``` root@ip-172-31-11-91:/home/qa# /var/ossec/bin/wazuh-logtest Starting wazuh-logtest v4.4.0 Type one log per line 2023-01-23 03:14:00.792511-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501 **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:14:00.792511-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501' timestamp: '2023-01-23 03:14:00.792511-0800' program_name: 'loginwindow' **Phase 2: Completed decoding. name: 'macOS_loginwindow' data: 'screenIsUnlocked' userID: '501' **Phase 3: Completed filtering (rules). id: '89602' level: '3' description: 'Screen unlocked with userID:501.' groups: '['macOS', 'authentication_success']' firedtimes: '1' gdpr: '['IV_32.2']' gpg13: '['7.1', '7.2']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1078']' mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']' mitre.technique: '['Valid Accounts']' nist_800_53: '['AC.7', 'AU.14']' pci_dss: '['10.2.5']' tsc: '['CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated. ``` - **Screen locked** ``` **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:23:23.024641-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendDistributedNotification:forUserID:] | sendDistributedNotification: com.apple.screenIsLocked, with userID:501' timestamp: '2023-01-23 03:23:23.024641-0800' program_name: 'loginwindow' **Phase 2: Completed decoding. name: 'macOS_loginwindow' **Phase 3: Completed filtering (rules). id: '89603' level: '3' description: 'Screen locked.' groups: '['macOS', 'authentication_success']' firedtimes: '1' gdpr: '['IV_32.2']' gpg13: '['7.1', '7.2']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1078']' mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']' mitre.technique: '['Valid Accounts']' nist_800_53: '['AC.7', 'AU.14']' pci_dss: '['10.2.5']' tsc: '['CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated. ``` - **User logoff** ``` 2023-01-23 04:15:35.281613-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendSystemBSDNotification:forUserID:] | sendSystemBSDNotification: com.apple.system.loginwindow.logoutNoReturn, with userID:0 **Phase 1: Completed pre-decoding. full event: '2023-01-23 04:15:35.281613-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendSystemBSDNotification:forUserID:] | sendSystemBSDNotification: com.apple.system.loginwindow.logoutNoReturn, with userID:0' timestamp: '2023-01-23 04:15:35.281613-0800' program_name: 'loginwindow' **Phase 2: Completed decoding. name: 'macOS_loginwindow' **Phase 3: Completed filtering (rules). id: '89604' level: '3' description: 'User logoff.' groups: '['macOS', 'authentication_success']' firedtimes: '1' gdpr: '['IV_32.2']' gpg13: '['7.1', '7.2']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1078']' mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']' mitre.technique: '['Valid Accounts']' nist_800_53: '['AC.7', 'AU.14']' pci_dss: '['10.2.5']' tsc: '['CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated. ``` - **User login** ``` 2023-01-23 03:23:26.355213-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter doSpecialNotificationHandling:] | loginIsComplete, set session state to desktop showing **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:23:26.355213-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter doSpecialNotificationHandling:] | loginIsComplete, set session state to desktop showing' timestamp: '2023-01-23 03:23:26.355213-0800' program_name: 'loginwindow' **Phase 2: Completed decoding. name: 'macOS_loginwindow' **Phase 3: Completed filtering (rules). id: '89605' level: '3' description: 'User login.' groups: '['macOS', 'authentication_success']' firedtimes: '1' gdpr: '['IV_32.2']' gpg13: '['7.1', '7.2']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1078']' mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']' mitre.technique: '['Valid Accounts']' nist_800_53: '['AC.7', 'AU.14']' pci_dss: '['10.2.5']' tsc: '['CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated. ```

screensharing :green_circle:

- **Attempt to connect - Succeeded** ``` 2023-01-23 03:32:35.380619-0800 localhost screensharingd[3535]: Authentication: FAILED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: DH **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:32:35.380619-0800 localhost screensharingd[3535]: Authentication: FAILED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: DH' timestamp: '2023-01-23 03:32:35.380619-0800' program_name: 'screensharingd' **Phase 2: Completed decoding. name: 'macOS_screensharingd' action: 'FAILED' dstuser: 'macos' ip_address: '192.168.56.128' type: 'DH' **Phase 3: Completed filtering (rules). id: '89606' level: '5' description: 'Attempt to connect to screen sharing with username macos from 192.168.56.128 failed.' groups: '['macOS']' firedtimes: '1' mail: 'False' mitre.id: '['T1021']' mitre.tactic: '['Lateral Movement']' mitre.technique: '['Remote Services']' **Alert to be generated. ``` - **Attempt to connect - failed** ``` 2023-01-23 03:32:42.775333-0800 localhost screensharingd[3535]: Authentication: SUCCEEDED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: N/A **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:32:42.775333-0800 localhost screensharingd[3535]: Authentication: SUCCEEDED :: User Name: macos :: Viewer Address: 192.168.56.128 :: Type: N/A' timestamp: '2023-01-23 03:32:42.775333-0800' program_name: 'screensharingd' **Phase 2: Completed decoding. name: 'macOS_screensharingd' action: 'SUCCEEDED' dstuser: 'macos' ip_address: '192.168.56.128' type: 'N/A' **Phase 3: Completed filtering (rules). id: '89607' level: '3' description: 'Attempt to connect to screen sharing with username macos from 192.168.56.128 succeeded.' groups: '['macOS', 'authentication_success']' firedtimes: '1' gdpr: '['IV_32.2']' gpg13: '['7.1', '7.2']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1078']' mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']' mitre.technique: '['Valid Accounts']' nist_800_53: '['AC.7', 'AU.14']' pci_dss: '['10.2.5']' tsc: '['CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated. ```

security :green_circle:

- **Session created** ``` 2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012 **Phase 1: Completed pre-decoding. full event: '2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012' timestamp: '2023-01-23 02:58:08.982811-0800' program_name: 'securityd' **Phase 2: Completed decoding. name: 'macOS_securityd_process' sessionId: '100012' uid: '1' **Phase 3: Completed filtering (rules). id: '89608' level: '3' description: 'Session 100012 has been created.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. ``` - **Session destroyed** ``` 2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed' timestamp: '2023-01-23 03:26:38.517706-0800' program_name: 'securityd' **Phase 2: Completed decoding. name: 'macOS_securityd_process' sessionId: '3495' **Phase 3: Completed filtering (rules). id: '89609' level: '3' description: 'Session 3495 has been destroyed.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. ```

RFC 3339 Timestamp with positive offset are not correctly decoded :yellow_circle:

**Already reported in https://github.com/wazuh/wazuh/issues/15669** macOS ULS format uses a timestamp to comply with the RFC 3339 format, replacing the ISO 8601 T separator with whitespace as follows: `YYYY-MM-DD HH:mm:ss.ssssss±hh:mm` > *Note*: The ISO 8601 common format is `YYYY-MM-DDTHH:mm:ss.ssssss±hh:mm`. Analysisd parse these timestamps when the offset is negative ``` 2023-02-08 16:46:25.709629-0100 localhost tccd[155]: [com.apple.TCC:access] REPLY: (0) function=TCCAccessCopyInformationForBundle, msgID=745.83 **Phase 1: Completed pre-decoding. full event: '2023-02-08 16:46:25.709629-0100 localhost tccd[155]: [com.apple.TCC:access] REPLY: (0) function=TCCAccessCopyInformationForBundle, msgID=745.83' timestamp: '2023-02-08 16:46:25.709629-0100' program_name: 'tccd' **Phase 2: Completed decoding. name: 'macOS_tccd' ``` However, fails when the timestamp is negative ``` **Phase 1: Completed pre-decoding. full event: '2023-02-08 16:46:25.709629+0100 localhost tccd[155]: [com.apple.TCC:access] REPLY: (0) function=TCCAccessCopyInformationForBundle, msgID=745.83' **Phase 2: Completed decoding. No decoder matched. ``` This condition makes no alert triggers for macOS when this offset is positive > **Note** > Currently we have not included any test that checks this case. It is recommended to add if proceed different timestamp format cases to the analysisd `test_predecoder_stage` test.

Ruleset Testing :red_circle:

TCCD rules/decoders :red_circle:

TCCD decoders do not gather correctly application, service, status, or time in case of System update access record. **Logtest** ``` 2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000) **Phase 1: Completed pre-decoding. full event: '2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)' timestamp: '2023-04-04 12:31:27.528499-0300' program_name: 'tccd' **Phase 2: Completed decoding. name: 'macOS_tccd' **Phase 3: Completed filtering (rules). id: '89600' level: '5' description: ' has been granted permission to at .' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1222.002']' mitre.tactic: '['Defense Evasion']' mitre.technique: '['Linux and Mac File and Directory Permissions Modification']' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. --- 2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Denied (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000) **Phase 1: Completed pre-decoding. full event: '2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Denied (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000)' timestamp: '2023-04-04 12:31:27.528499-0300' program_name: 'tccd' **Phase 2: Completed decoding. name: 'macOS_tccd' **Phase 3: Completed filtering (rules). id: '89601' level: '5' description: ' has been denied permission to at .' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1222.002']' mitre.tactic: '['Defense Evasion']' mitre.technique: '['Linux and Mac File and Directory Permissions Modification']' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. ``` > **Note** > For testing this decoders/rules it has been used the following events ``` 2023-04-04 12:31:27.528499-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.syncdefaultsd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000) 2023-04-04 12:31:27.543450-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.identityservicesd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000) 2023-04-04 12:31:27.547973-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.securityd to Allowed (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000) 2023-04-04 12:31:27.547973-0300 localhost tccd[5778]: [com.apple.TCC:access] Update Access Record: kTCCServiceLiverpool for com.apple.securityd to Denied (System Set) (v1) at 1680622287 (2023-04-04 15:31:27 +0000) ```

Login Windows :red_circle:

The PR defined four Login Windows rules: `89602`, `89603`, `89604` and `89605`. - `89602` :yellow_circle: : Rule work as expected for real events. Also, all fields are gathered correctly. However the data name is too generic. We should rename it to fit better this value. - `89603` :yellow_circle: : This rule work as expected. However no fields were decoded by the decoder in this case. Why in this case we don't get the userID? - `89604` :green_circle: : Rule work as expected - `89605` :red_circle:: In the environment, proposed event was never triggered. Instead, the following was produced: ``` 2023-01-23 03:23:26.355213-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendSystemBSDNotification:forUserID:] | sendSystemBSDNotification: com.apple.system.loginwindow.loginINitiated, with userID: 501 ``` In addition, why we dont have any rule about authentication failure?

ScreenSharing :green_circle :

The PR defined four Login Windows rules: `89606` and `89607`. - `89606` :green_circle: : Rule work as expected - `89607` :green_circle: : Rule work as expected

Securityd :red_circle:

The PR defined four Login Windows rules: `89608` and `89609`. - `89608` :red_circle: It is not expected in all cases the `-` before the uid value. This condition make the decoder not gathering the sessionID and the uid ``` 2023-04-04 14:28:51.146384-0300 localhost securityd[122]: [com.apple.securityd:SecServer] 0x7f9289a19240 Session 71803 created, uid:501 sessionId:71803 --- **Phase 1: Completed pre-decoding. full event: '2023-04-04 14:28:51.146384-0300 localhost securityd[122]: [com.apple.securityd:SecServer] 0x7f9289a19240 Session 71803 created, uid:501 sessionId:71803' timestamp: '2023-04-04 14:28:51.146384-0300' program_name: 'securityd' **Phase 2: Completed decoding. name: 'macOS_securityd_process' **Phase 3: Completed filtering (rules). id: '89608' level: '3' description: 'Session has been created.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated ``` In addition, for each new session created, two events are triggered: ``` 2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012 ``` and ``` 2023-01-23 02:58:08.982811-0800 localhost securityd[129]: Session 100012 created ``` So, for the same security event (new session), triggers two times rule 89608 (one of them without the uid decoded value). We should be more precise and avoid the `Session ` event. - `89609` :red_circle: Similarly to `89608` both events are generated when a session is destroyed: ``` 2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed ``` and ``` 2023-01-23 03:26:38.517706-0800 localhost securityd[129]: Session 3495 destroyed ``` We should be more precise and avoid the `Session ` event.

[Rebits]

Update 08/02/2023

• Detected error in analysis with YYYY-MM-DD HH:mm:ss.ssssss+hh:mm timestamp format
• Perform basic testing regarding macOS new decoders and rules

[Rebits]

Update 13/02/2023

• Meeting with @okynos about how to deploy a Ventura environment

[Rebits]

Update 04/04/2023

Worked in ruleset testing. The deployed environment was provided without UI. This has made it impossible to replicate some of the security events. However, some issues were detected https://github.com/wazuh/wazuh-qa/issues/3855#issuecomment-1423123415. Pending meeting with @72nomada about some changes and how to provide a new environment with UI.

[Rebits]

Update 11/04/2023

First review cycle: https://github.com/wazuh/wazuh-qa/issues/3855#issuecomment-1423123415

[ooniagbi]

Update 12/04/2023

• Fix for "Decoder names not clear enough": https://github.com/wazuh/wazuh/commit/ff3d2b61da843ed738464c39e4470d74456b311c
• Fix for "Rules contains expected groups": https://github.com/wazuh/wazuh/commit/5228e3d86981db6afb7851ad109c8a8239cb6094
• Fix for "TCCD rules/decoders 🔴": https://github.com/wazuh/wazuh/commit/289d9d6a74f1698bbcf10677eddee483e0f618fb
• Fix for "TCCD rules/decoders 🔴": https://github.com/wazuh/wazuh/commit/8cdc8299a0600f75e5e32475af6a0b0487e7cebb

[ooniagbi]

Update 13/04/2023

• Fix to get user ID in rule 89603: https://github.com/wazuh/wazuh/commit/129838db70ffb218024042823eab56a8358e38a6
• Fix for 89602 🟡 generic data name
• Fix for Securityd rules

[Rebits]

Testing results :red_circle:

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/pull/16078/commits/fd022e7407d2ef47834e7ad781557c9292dfdc3a

Review logs syntax and correct language :yellow_circle:

Inconsistent group and rule separator :yellow_circle:

We should standardize this for future rules: ``` The new macOS rules file separates groups from rules with a white line. This style is not fulfilled by all the rules in the repository. Which is the current standard? ```

Decoder names not clear enough :green_circle:

Decoders names were renamed satisfactorily.

Rules contains expected groups :green_circle:

Rule `89604` contains unexpected authentication_success group :green_circle:

The unexpected group was removed correctly.

Rule `89606` do not have any group :green_circle:

Rule now includes expected groups: ``` authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, ```

Ruleset Testing :red_circle:

TCCD :green_circle:

### **Update Access Record** :green_circle: **Allow (System Update)** ``` *Phase 1: Completed pre-decoding. full event: '2023-04-11 12:45:54.381431-0200 localhost tccd[162]: [com.apple.TCC:access] Update Access Record: kTCCServiceAccessibility for com.teamviewer.TeamViewer to Allowed (System Set) (v1) at 1681209954 (2023-04-11 10:45:54 +0000)' timestamp: '2023-04-11 12:45:54.381431-0200' program_name: 'tccd' **Phase 2: Completed decoding. name: 'macOS_tccd' application: 'com.teamviewer.TeamViewer' service: 'kTCCServiceAccessibility' status: 'Allowed' time: '10:45:54' **Phase 3: Completed filtering (rules). id: '89600' level: '5' description: 'com.teamviewer.TeamViewer has been granted permission to kTCCServiceAccessibility at 10:45:54.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1222.002']' mitre.tactic: '['Defense Evasion']' mitre.technique: '['Linux and Mac File and Directory Permissions Modification']' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. ``` **Denied (System Update)** ``` 2023-04-11 12:45:06.245643-0200 localhost tccd[162]: [com.apple.TCC:access] Update Access Record: kTCCServiceScreenCapture for com.teamviewer.TeamViewer to Denied (System Set) (v1) at 1681209906 (2023-04-11 10:45:06 +0000) **Phase 1: Completed pre-decoding. full event: '2023-04-11 12:45:06.245643-0200 localhost tccd[162]: [com.apple.TCC:access] Update Access Record: kTCCServiceScreenCapture for com.teamviewer.TeamViewer to Denied (System Set) (v1) at 1681209906 (2023-04-11 10:45:06 +0000)' timestamp: '2023-04-11 12:45:06.245643-0200' program_name: 'tccd' **Phase 2: Completed decoding. name: 'macOS_tccd' application: 'com.teamviewer.TeamViewer' service: 'kTCCServiceScreenCapture' status: 'Denied' time: '10:45:06' **Phase 3: Completed filtering (rules). id: '89601' level: '5' description: 'com.teamviewer.TeamViewer has been denied permission to kTCCServiceScreenCapture at 10:45:06.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1222.002']' mitre.tactic: '['Defense Evasion']' mitre.technique: '['Linux and Mac File and Directory Permissions Modification']' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. ```

LoginWindow :red_circle:

### **Screen unlocked** :green_circle: ``` 2023-01-23 03:14:00.792511-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501 **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:14:00.792511-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501' timestamp: '2023-01-23 03:14:00.792511-0800' program_name: 'loginwindow' **Phase 2: Completed decoding. name: 'macOS_loginwindow' userID: '501' **Phase 3: Completed filtering (rules). id: '89602' level: '3' description: 'Screen unlocked with userID:501.' groups: '['macOS', 'authentication_success']' firedtimes: '1' gdpr: '['IV_32.2']' gpg13: '['7.1', '7.2']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1078']' mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']' mitre.technique: '['Valid Accounts']' nist_800_53: '['AC.7', 'AU.14']' pci_dss: '['10.2.5']' tsc: '['CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated. ``` ### **Screen locked** :red_circle: Desired events do not match new regex `sendBSDNotification: \w+.\w+.\w+.screenIsLocked` included in https://github.com/wazuh/wazuh/commit/129838db70ffb218024042823eab56a8358e38a6. This also will make runtest fails. ``` 2023-01-23 03:23:23.024641-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendDistributedNotification:forUserID:] | sendDistributedNotification: com.apple.screenIsLocked, with userID:501 **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:23:23.024641-0800 localhost loginwindow[156]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendDistributedNotification:forUserID:] | sendDistributedNotification: com.apple.screenIsLocked, with userID:501' timestamp: '2023-01-23 03:23:23.024641-0800' program_name: 'loginwindow' **Phase 2: Completed decoding. name: 'macOS_loginwindow' ``` ### **Logoff** :green_circle: ``` 2023-04-04 22:45:23.876866-0200 localhost loginwindow[167]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.loginwindow.logoutNoReturn, with userID:501 **Phase 1: Completed pre-decoding. full event: '2023-04-04 22:45:23.876866-0200 localhost loginwindow[167]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.loginwindow.logoutNoReturn, with userID:501' timestamp: '2023-04-04 22:45:23.876866-0200' program_name: 'loginwindow' **Phase 2: Completed decoding. name: 'macOS_loginwindow' userID: '501' **Phase 3: Completed filtering (rules). id: '89604' level: '3' description: 'User logoff.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_32.2']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1078']' mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']' mitre.technique: '['Valid Accounts']' nist_800_53: '['AC.7', 'AU.14']' pci_dss: '['10.2.5']' tsc: '['CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated. ``` ### **Login** :green_circle: Expected event is correct. ``` 2023-04-06 12:03:53.272073-0200 localhost loginwindow[163]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter doSpecialNotificationHandling:] | loginIsComplete, set session state to desktop showing **Phase 1: Completed pre-decoding. full event: '2023-04-06 12:03:53.272073-0200 localhost loginwindow[163]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter doSpecialNotificationHandling:] | loginIsComplete, set session state to desktop showing' timestamp: '2023-04-06 12:03:53.272073-0200' program_name: 'loginwindow' **Phase 2: Completed decoding. name: 'macOS_loginwindow' **Phase 3: Completed filtering (rules). id: '89605' level: '3' description: 'User login.' groups: '['macOS', 'authentication_success']' firedtimes: '1' gdpr: '['IV_32.2']' gpg13: '['7.1', '7.2']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1078']' mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']' mitre.technique: '['Valid Accounts']' nist_800_53: '['AC.7', 'AU.14']' pci_dss: '['10.2.5']' tsc: '['CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated. ```

SecurityD :red_circle:

### **Session created** :red_circle: Negative uid is still a posibility. The decoder should allow positive and negative uid. In addition new decoder make runtest fails ``` 2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012 **Phase 1: Completed pre-decoding. full event: '2023-01-23 02:58:08.982811-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a51b400 Session 100012 created, uid:-1 sessionId:100012' timestamp: '2023-01-23 02:58:08.982811-0800' program_name: 'securityd' **Phase 2: Completed decoding. name: 'macOS_securityd' sessionId: '100012' uid: '1' ``` ### **Session destroyed** :green_circle: ``` 2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed **Phase 1: Completed pre-decoding. full event: '2023-01-23 03:26:38.517706-0800 localhost securityd[129]: [com.apple.securityd:SecServer] 0x7fae6a535710 Session 3495 destroyed' timestamp: '2023-01-23 03:26:38.517706-0800' program_name: 'securityd' **Phase 2: Completed decoding. name: 'macOS_securityd' sessionId: '3495' **Phase 3: Completed filtering (rules). id: '89609' level: '3' description: 'Session 3495 has been destroyed.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated ```

[ooniagbi]

• For Session created 🔴: We are ignoring events with negative uid because they are system events. That way we can focus on the user events
• For Screen locked 🔴: macOS generates several logs for a similar event, but we need to generate one alert so I chose the sendBSDNotification event because we used it in other rules.

[Rebits]

If we change the events for which we expect to trigger rules we need to change the cases presented in the ruleset/testing/tests/macos.ini file. Otherwise, the tests will fail.

Regarding the system events (securityd), after talking with @72nomada , for now, we are going to ignore the system event in this case. We will consider them in a future rework of the ruleset

[Rebits]

Tester review :red_circle:

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/pull/16078/commits/6a5924302189d5523149729c1b5f15f826b4629b

---

macOS tests were not correctly updated :red_circle:

Regarding https://github.com/wazuh/wazuh-qa/issues/3855#issuecomment-1506756497, macOS tests still failing: ``` - [ File = ./tests/macos.ini ] --------- ........ ------------------------------------------------------------ Failed: Exit code = 1 Alert = 3 Rule = 89608 Decoder = macOS_securityd Section = Session $(sessionId) has been created line name = log 1 pass . |Component | Tested | Total | Coverage | | -------- | -------- | -------- | -------- | | Rules | 10 | 4248 | 0.24% | | Decoders | 4 | 165 | 2.42% | | File | Passed | Failed | Status | | -------- | -------- | -------- | -------- | |./tests/macos.ini | 9 | 1 | ❌ | Failing tests summary: ---------------------------------------- Failed test: log 1 pass Summary: Hit a different rule. Expected: 89608. Got: | | Expected | Result | |------ | ------ | ------ | |Decoder | macOS_securityd | macOS_securityd | |Rule | 89608 | | |Level | 3 | | ```

[ooniagbi]

Fixed: https://github.com/wazuh/wazuh/commit/7782c878415879ce40d90a8fb4f94f06dde9c5e8

[Rebits]

Tester review :red_circle:

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/pull/16078/commits/eaaa5b84aaa125a7ed6ffe873cc1425ad921c564

macOS tests :green_circle:

``` root@all-in-one-ubuntu:/home/vagrant/wazuh/ruleset/testing# python2 ./runtests.py -t tests/macos.ini - [ File = ./tests/macos.ini ] --------- .......... |Component | Tested | Total | Coverage | | -------- | -------- | -------- | -------- | | Rules | 10 | 4248 | 0.24% | | Decoders | 4 | 165 | 2.42% | | File | Passed | Failed | Status | | -------- | -------- | -------- | -------- | |./tests/macos.ini | 10 | 0 | ✅ | ```

Securityd Decoder :red_circle:

Securityd decoder was not updated according to the new rule, so uid and sessionID are not correctly gathered: ``` 2023-04-04 14:28:51.146384-0300 localhost securityd[122]: [com.apple.securityd:SecServer] 0x7f9289a19240 Session 71803 created, uid:501 sessionId:71803 **Phase 1: Completed pre-decoding. full event: '2023-04-04 14:28:51.146384-0300 localhost securityd[122]: [com.apple.securityd:SecServer] 0x7f9289a19240 Session 71803 created, uid:501 sessionId:71803' timestamp: '2023-04-04 14:28:51.146384-0300' program_name: 'securityd' **Phase 2: Completed decoding. name: 'macOS_securityd' **Phase 3: Completed filtering (rules). id: '89608' level: '3' description: 'Session has been created.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. ``` Expected decoder: ``` macOS_securityd [com.apple.securityd:SecServer] \S+ Session \d+ created, uid:(\d+) sessionId:(\d+) uid, sessionId ```

Missing . at the end of 89603 description :yellow_circle:

Expected: ``` macOS_loginwindow sendBSDNotification: \w+.\w+.\w+.screenIsLocked Screen locked with userID:$(userID). T1078 authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, ```

Possible missing MITRE values in 89607 and 89606 :yellow_circle:

Regarding `89607` and `89606`. Should we include `T1078` and `T1021` respectively? ``` macOS_screensharingd (?i)authentication.+failed Attempt to connect to screen sharing with username $(dstuser) from $(ip_address) failed. T1021 T1078 authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,invalid_login,nist_800_53_AU.14,nist_800_53_AC.7,nist_800_53_AU.6,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, macOS_screensharingd (?i)authentication.+succeeded Attempt to connect to screen sharing with username $(dstuser) from $(ip_address) succeeded. T1021 T1078 authentication_success,gdpr_IV_32.2,gpg13_7.1,gpg13_7.2,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.5,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3, ```

Dashboard visualization :green_circle:


[Rebits]

Tester review :green_circle:

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/pull/16078/commits/fff9c3d77a959b260533ad38ea03ee4aef391694

Final approve is blocked until PR checks are finished and passed.

---

Securityd Decoder :green_circle:

``` 2023-04-04 14:28:51.146384-0300 localhost securityd[122]: [com.apple.securityd:SecServer] 0x7f9289a19240 Session 71803 created, uid:501 sessionId:71803 **Phase 1: Completed pre-decoding. full event: '2023-04-04 14:28:51.146384-0300 localhost securityd[122]: [com.apple.securityd:SecServer] 0x7f9289a19240 Session 71803 created, uid:501 sessionId:71803' timestamp: '2023-04-04 14:28:51.146384-0300' program_name: 'securityd' **Phase 2: Completed decoding. name: 'macOS_securityd' sessionId: '71803' uid: '501' **Phase 3: Completed filtering (rules). id: '89608' level: '3' description: 'Session 71803 has been created.' groups: '['macOS']' firedtimes: '1' gdpr: '['IV_35.7.d']' hipaa: '['164.312.b']' mail: 'False' nist_800_53: '['AU.6']' pci_dss: '['10.6.1']' tsc: '['CC7.2', 'CC7.3']' **Alert to be generated. ```

Missing . at the end of 89603 description :green_circle:

``` 2023-04-12 01:36:42.792314-0700 localhost loginwindow[155]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsLocked, with userID:501 **Phase 1: Completed pre-decoding. full event: '2023-04-12 01:36:42.792314-0700 localhost loginwindow[155]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsLocked, with userID:501' timestamp: '2023-04-12 01:36:42.792314-0700' program_name: 'loginwindow' **Phase 2: Completed decoding. name: 'macOS_loginwindow' userID: '501' **Phase 3: Completed filtering (rules). id: '89603' level: '3' description: 'Screen locked with userID:501.' groups: '['macOS', 'authentication_success']' firedtimes: '1' gdpr: '['IV_32.2']' gpg13: '['7.1', '7.2']' hipaa: '['164.312.b']' mail: 'False' mitre.id: '['T1078']' mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']' mitre.technique: '['Valid Accounts']' nist_800_53: '['AC.7', 'AU.14']' pci_dss: '['10.2.5']' tsc: '['CC6.8', 'CC7.2', 'CC7.3']' **Alert to be generated. ```

Possible missing MITRE values in 89607 and 89606 :green_circle:

Included new MITRE values.

[Rebits]

Updated 14/04/2023

It has been detected that no macOS ULS logs monitoring configuration is used by default. This could be confusing for the users because it is challenging to know which query is required to filter the events expected for the new ruleset correctly. After a meeting with @72nomada and @ooniagbi we have concluded to include this default configuration in the macOS agent

---

In order to perform the final testing it is required this fix. Until this PR is merged, this issue is blocked

[Rebits]

Tester review :red_circle:

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/pull/16078/commits/803f1cc314d2ad8626ed6acf14c3ffea0e640592

---

macos ULS configuration is correctly set :orange_circle:

Blocked until https://github.com/wazuh/wazuh/issues/16751

macOS Monterrey: ossec.conf

```

10.0.0.2

1514 tcp darwin, darwin21, darwin21.1 10 60 yes aes no 5000 500 no yes yes yes yes yes yes yes 43200 etc/shared/rootkit_files.txt etc/shared/rootkit_trojans.txt yes yes yes /var/log/osquery/osqueryd.results.log /etc/osquery/osquery.conf yes no 1h yes yes yes yes yes yes yes 10 yes yes 12h yes no 43200 yes /etc,/usr/bin,/usr/sbin /bin,/sbin /etc/mtab /etc/hosts.deny /etc/mail/statistics /etc/random-seed /etc/random.seed /etc/adjtime /etc/httpd/logs /etc/utmpx /etc/wtmpx /etc/cups/certs /etc/dumpdates /etc/svc/volatile .log$|.swp$ /etc/ssl/private.key yes yes yes yes 10 100 yes 5m 1h 10 full_command netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u netstat listening ports 360 no etc/wpk_root.pem yes plain ```

E2E Testing :red_circle:

It is required to ensure in the real environment that the alerts are correctly triggered. This was not possible until the https://github.com/wazuh/wazuh/pull/16530 development. For this testing we have used the following packages: - http://packages-dev.wazuh.com/warehouse/pullrequests/4.4/rpm/var/wazuh-manager-4.4.2-0.commitded072f.x86_64.rpm - http://packages-dev.wazuh.com/warehouse/pullrequests/4.4/macos/wazuh-agent-4.4.2-0.commitded072f.pkg - Login/Log Off alerts :red_circle: Logout alerts appear as expected ``` {"timestamp":"2023-04-19T05:21:32.009-0400","rule":{"level":3,"description":"User logoff.","id":"89604","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":2,"mail":false,"groups":["macOS"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"MacBook-Air-de-Mariajo.local","ip":"FE80:0000:0000:0000:C805:77FF:FEAB:886A"},"manager":{"name":"localhost.localdomain"},"id":"1681896092.627357","full_log":"2023-04-19 11:21:31.605477+0200 localhost loginwindow[6734]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendSystemBSDNotification:forUserID:] | sendSystemBSDNotification: com.apple.system.loginwindow.logoutNoReturn, with userID:501","predecoder":{"program_name":"loginwindow","timestamp":"2023-04-19 11:21:31.605477+0200"},"decoder":{"name":"macOS_loginwindow"},"location":"macos"} {"timestamp":"2023-04-19T05:38:08.648-0400","rule":{"level":3,"description":"User logoff.","id":"89604","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":3,"mail":false,"groups":["macOS"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"MacBook-Air-de-Mariajo.local","ip":"FE80:0000:0000:0000:C805:77FF:FEAB:886A"},"manager":{"name":"localhost.localdomain"},"id":"1681897088.638504","full_log":"2023-04-19 11:38:02.358445+0200 localhost loginwindow[7103]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.loginwindow.logoutNoReturn, with userID:501","predecoder":{"program_name":"loginwindow","timestamp":"2023-04-19 11:38:02.358445+0200"},"decoder":{"name":"macOS_loginwindow"},"data":{"userID":"501"},"location":"macos"} {"timestamp":"2023-04-19T05:38:08.652-0400","rule":{"level":3,"description":"User logoff.","id":"89604","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":4,"mail":false,"groups":["macOS"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"MacBook-Air-de-Mariajo.local","ip":"FE80:0000:0000:0000:C805:77FF:FEAB:886A"},"manager":{"name":"localhost.localdomain"},"id":"1681897088.639011","full_log":"2023-04-19 11:38:02.358534+0200 localhost loginwindow[7103]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendSystemBSDNotification:forUserID:] | sendSystemBSDNotification: com.apple.system.loginwindow.logoutNoReturn, with userID:501","predecoder":{"program_name":"loginwindow","timestamp":"2023-04-19 11:38:02.358534+0200"},"decoder":{"name":"macOS_loginwindow"},"location":"macos"} ``` However, that is not the case for the User login alert: ``` [root@localhost ~]# cat /var/ossec/logs/alerts/alerts.json | grep "User login" [root@localhost ~]# ``` Reviewing the archives it seems that the event is correctly generated: ``` 2023-04-19 11:21:44.905631+0200 localhost loginwindow[7103]: [com.apple.loginwindow.logging:Standard] -[ApplicationManager loginIsComplete] | loginIsComplete returning: 0 ``` However, it seems that some issues occur in the logcollector daemon: ``` 2023/04/19 11:38:02 wazuh-logcollector: WARNING: Socket busy, discarding message. 2023/04/19 11:56:08 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock. 2023/04/19 11:56:08 wazuh-agentd: INFO: Closing connection to server ([192.168.10.120]:1514/tcp). 2023/04/19 11:56:08 wazuh-agentd: INFO: Trying to connect to server ([192.168.10.120]:1514/tcp). 2023/04/19 11:56:08 wazuh-agentd: ERROR: (1216): Unable to connect to '[192.168.10.120]:1514/tcp': 'Connection refused'. 2023/04/19 11:56:08 wazuh-logcollector: WARNING: Process locked due to agent is offline. Waiting for connection... ``` - Regarding `2023/04/19 11:38:02 wazuh-logcollector: WARNING: Socket busy, discarding message.`: Our testing is not intensive. It is not expected the saturation of the logcollector, could produce important missing events. It is required further research. - Regarding the lost of connection of an agent. It is possible that the session logoff produces the network gets down, producing this behavior. We need to check another way to test in a real scenario this alert.

[Rebits]

Update 19/04/2023

It has been detected during the E2E testing some issues:

---

These behaviors were fixed in https://github.com/wazuh/wazuh/pull/16078/commits/28a53e96487b9b9a7e26dcd016aba5df0f1c6708). However, it is required proper testing.

Multiple user login alerts are triggered at the same time :red_circle:

Using the current ruleset, each time a user logs in to the system, two alerts are triggered. It is suggested to change the target event to `sessionDidLogin`.

User login alert is triggered when the screen is unlocked instead of real login :red_circle:

If the screen is locked and then unlocked, a login alert is triggered. This is not the expected result. It is suggested to change the target event to `sessionDidLogin`

Multiple user logoff alerts are triggered at the same time :red_circle:

Two log-off alerts are triggered for the same event. It is suggested to change the target event to `sessionlogoutd` instead.

---

WARNING: Target 'agent' message queue is full (1024). Loglines may be lost. :red_circle:

During startup, the agent's queue gets full really fast. It is required to research this behavior due to current testing does not imply very intensive use.

WARNING: Socket busy, discarding message :red_circle:

During startup, the agent loses events. It is required to research this behavior due to current testing does not imply very intensive use.

[Rebits]

Tester review :green_circle:

Tester	PR commit
@Rebits	https://github.com/wazuh/wazuh/pull/16078/commits/a7ac96760f4a2cbccf9fad90f411e37cb302cfb0

---

Multiple user login alerts are triggered at the same time :green_circle:

Now only one alert is triggered when a login is produced.

Multiple user logoff alerts are triggered at the same time :green_circle:

Now only one alert is triggered when a log off is produced.

User login alert is triggered when the screen is unlocked instead of real login :green_circle:

Now login and log off alerts do not trigger in case of screen locking/unlocking

macos ULS configuration is correctly set :green_circle:

macOS Ventura :green_circle:

Expected localfile was correctly added: ``` macos macos (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd") ``` macOS log command is correctly monitoring: ``` 2023/04/27 13:00:30 wazuh-logcollector: INFO: (1604): Monitoring macOS logs with: /usr/bin/log stream --style syslog --type activity --type log --type trace --level info --predicate (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd"). ``` No error or warnings were detected in the agent

macOS Monterey :green_circle:

Expected localfile was correctly added: ``` macos macos (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd") ``` macOS log command is correctly monitoring: ``` 2023/04/27 13:36:28 wazuh-logcollector: INFO: (1604): Monitoring macOS logs with: /usr/bin/log stream --style syslog --type activity --type log --type trace --level info --predicate (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd"). ``` No error or warnings were detected in the agent

macOS Catalina :green_circle:

Expected localfile was correctly added: ``` macos macos (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd") ``` macOS log command is correctly monitoring: ``` 2023/04/27 04:38:04 wazuh-logcollector: INFO: (1604): Monitoring macOS logs with: /usr/bin/log stream --style syslog --type activity --type log --type trace --level info --predicate (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd"). ```

E2E Testing :green_circle:

Login

``` {"timestamp":"2023-04-27T12:18:07.327+0000","rule":{"level":3,"description":"User login.","id":"89605","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:9C19:22FF:FE0B:FF5E"},"manager":{"name":"ip-172-31-25-129"},"id":"1682597887.1205421","full_log":"2023-04-27 14:18:03.291495+0200 localhost loginwindow[54283]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendDistributedNotification:forUserID:] | sendDistributedNotification: com.apple.sessionDidLogin, with userID:501","predecoder":{"program_name":"loginwindow","timestamp":"2023-04-27 14:18:03.291495+0200"},"decoder":{"name":"macOS_loginwindow"},"data":{"userID":"501"},"location":"macos"} ```

Log off

``` {"timestamp":"2023-04-27T12:17:51.207+0000","rule":{"level":3,"description":"User logoff.","id":"89604","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:9C19:22FF:FE0B:FF5E"},"manager":{"name":"ip-172-31-25-129"},"id":"1682597871.1204942","full_log":"2023-04-27 14:17:46.639541+0200 localhost sessionlogoutd[54237]: (loginsupport) [com.apple.sessionlogoutd:SLOD_General] -[SessionLogoutd continueLogoutAfterDelayOptionsComplete]:456: sessionlogoutd telling session agent, logout is complete.","predecoder":{"program_name":"sessionlogoutd","timestamp":"2023-04-27 14:17:46.639541+0200"},"decoder":{"name":"macOS_sessionlogoutd"},"location":"macos"} ```

Screen Locked

``` {"timestamp":"2023-04-27T12:16:41.150+0000","rule":{"level":3,"description":"Screen locked with userID:501.","id":"89603","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:9C19:22FF:FE0B:FF5E"},"manager":{"name":"ip-172-31-25-129"},"id":"1682597801.1203279","full_log":"2023-04-27 14:16:39.338178+0200 localhost loginwindow[165]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsLocked, with userID:501","predecoder":{"program_name":"loginwindow","timestamp":"2023-04-27 14:16:39.338178+0200"},"decoder":{"name":"macOS_loginwindow"},"data":{"userID":"501"},"location":"macos"} ```

Screen Unlocked

``` {"timestamp":"2023-04-27T12:17:29.178+0000","rule":{"level":3,"description":"Screen unlocked with userID:501.","id":"89602","mitre":{"id":["T1078"],"tactic":["Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:9C19:22FF:FE0B:FF5E"},"manager":{"name":"ip-172-31-25-129"},"id":"1682597849.1204388","full_log":"2023-04-27 14:17:22.687780+0200 localhost loginwindow[165]: [com.apple.loginwindow.logging:Standard] -[SessionAgentNotificationCenter sendBSDNotification:forUserID:] | sendBSDNotification: com.apple.sessionagent.screenIsUnlocked, with userID:501","predecoder":{"program_name":"loginwindow","timestamp":"2023-04-27 14:17:22.687780+0200"},"decoder":{"name":"macOS_loginwindow"},"data":{"userID":"501"},"location":"macos"} ```

Update Access Record

``` {"timestamp":"2023-04-27T14:22:30.110+0000","rule":{"level":5,"description":"com.teamviewer.TeamViewer has been granted permission to kTCCServiceMicrophone at 14:22:22.","id":"89600","mitre":{"id":["T1222.002"],"tactic":["Defense Evasion"],"technique":["Linux and Mac File and Directory Permissions Modification"]},"firedtimes":3,"mail":false,"groups":["macOS"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"001","name":"MacBook-Air-de-Mariajo.local","ip":"FE80:0000:0000:0000:C805:77FF:FEAB:886A"},"manager":{"name":"ip-172-31-25-129"},"id":"1682605350.1229055","full_log":"2023-04-27 16:22:22.162329+0200 localhost tccd[596]: [com.apple.TCC:access] Update Access Record: kTCCServiceMicrophone for com.teamviewer.TeamViewer to Allowed (System Set) (v1) at 1682605342 (2023-04-27 14:22:22 +0000)\n\t CodeReq: anchor apple generic and identifier \"com.teamviewer.TeamViewer\" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)\n\t Indirect : Unused","predecoder":{"program_name":"tccd","timestamp":"2023-04-27 16:22:22.162329+0200"},"decoder":{"name":"macOS_tccd"},"data":{"status":"Allowed","service":"kTCCServiceMicrophone","application":"com.teamviewer.TeamViewer","time":"14:22:22"},"location":"macos"} --- {"timestamp":"2023-04-27T14:22:48.153+0000","rule":{"level":5,"description":"com.teamviewer.TeamViewer has been denied permission to kTCCServiceMicrophone at 14:22:41.","id":"89601","mitre":{"id":["T1222.002"],"tactic":["Defense Evasion"],"technique":["Linux and Mac File and Directory Permissions Modification"]},"firedtimes":2,"mail":false,"groups":["macOS"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"001","name":"MacBook-Air-de-Mariajo.local","ip":"FE80:0000:0000:0000:C805:77FF:FEAB:886A"},"manager":{"name":"ip-172-31-25-129"},"id":"1682605368.1230004","full_log":"2023-04-27 16:22:41.806638+0200 localhost tccd[596]: [com.apple.TCC:access] Update Access Record: kTCCServiceMicrophone for com.teamviewer.TeamViewer to Denied (System Set) (v1) at 1682605361 (2023-04-27 14:22:41 +0000)\n\t CodeReq: anchor apple generic and identifier \"com.teamviewer.TeamViewer\" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)\n\t Indirect : Unused","predecoder":{"program_name":"tccd","timestamp":"2023-04-27 16:22:41.806638+0200"},"decoder":{"name":"macOS_tccd"},"data":{"status":"Denied","service":"kTCCServiceMicrophone","application":"com.teamviewer.TeamViewer","time":"14:22:41"},"location":"macos"} ```

Securityd

``` {"timestamp":"2023-04-27T14:09:14.826+0000","rule":{"level":3,"description":"Session 100016 has been created.","id":"89608","firedtimes":1,"mail":false,"groups":["macOS"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"004","name":"jal.local","ip":"FE80:0000:0000:0000:0479:B5FF:FEC2:BC3B"},"manager":{"name":"ip-172-31-25-129"},"id":"1682604554.1223377","full_log":"2023-04-27 16:09:00.818727+0200 localhost securityd[130]: [com.apple.securityd:SecServer] 0x7fa3ed111e60 Session 100016 created, uid:501 sessionId:100016","predecoder":{"program_name":"securityd","timestamp":"2023-04-27 16:09:00.818727+0200"},"decoder":{"name":"macOS_securityd"},"data":{"uid":"501","sessionId":"100016"},"location":"macos"} ```

Screen Sharing

``` {"timestamp":"2023-04-27T14:12:50.998+0000","rule":{"level":3,"description":"Attempt to connect to screen sharing with username mariajo from 192.168.10.83 succeeded.","id":"89607","mitre":{"id":["T1021","T1078"],"tactic":["Lateral Movement","Defense Evasion","Persistence","Privilege Escalation","Initial Access"],"technique":["Remote Services","Valid Accounts"]},"firedtimes":1,"mail":false,"groups":["macOS","authentication_success"],"gdpr":["IV_32.2"],"gpg13":["7.1","7.2"],"hipaa":["164.312.b"],"nist_800_53":["AC.7","AU.14"],"pci_dss":["10.2.5"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"MacBook-Air-de-Mariajo.local","ip":"FE80:0000:0000:0000:C805:77FF:FEAB:886A"},"manager":{"name":"ip-172-31-25-129"},"id":"1682604770.1225287","full_log":"2023-04-27 16:12:44.040442+0200 localhost screensharingd[2492]: Authentication: SUCCEEDED :: User Name: mariajo :: Viewer Address: 192.168.10.83 :: Type: Kerberos","predecoder":{"program_name":"screensharingd","timestamp":"2023-04-27 16:12:44.040442+0200"},"decoder":{"name":"macOS_screensharingd"},"data":{"action":"SUCCEEDED","dstuser":"mariajo","ip_address":"192.168.10.83","type":"Kerberos"},"location":"macos"} ```

No warning appears in the agent or manager logs during E2E testing

Previously reported warnings no longer appear in the macOS agent

[juliamagan]

Closing conclusion 👍🏼

Everything seems to be working properly