This adds two new modules, audit and dispatch, with additional
modifications to the agent.
The audit module can be used to read and parse the kernel audit trail on
Linux systems. The agent can then log the audit messages, or write them
to the dispatch module.
The dispatch module is a general module used for alert forwarding from
the agent. If the dispatch module is running, any alerts the agent
receives from persistent modules will be forwarded to the active
dispatch module, where the dispatch module can write the message to a
remote endpoint.
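As an added illustration of the audit-to-dispatch path the commit message above describes (example code written for this page, not the agent's audit or dispatch module; the names AuditEvent, parseAuditLine, Dispatcher, memDispatcher and processAudit are this example's own): a parser for kernel audit records that handles bare and quoted values, and a forwarding loop that hands only selected record types to whatever Dispatcher is active. The sample records are constructed, not captured from a real host.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// AuditEvent is one parsed record from the Linux kernel audit trail.
type AuditEvent struct {
	Type   string            // record type, e.g. SYSCALL, EXECVE, USER_LOGIN
	Time   float64           // seconds since the epoch, from msg=audit(TIME:SERIAL)
	Serial int               // event serial; all records of one event share it
	Fields map[string]string // the remaining key=value pairs
}

// Every record starts with "type=T msg=audit(TIME:SERIAL): " followed by fields.
var auditHeader = regexp.MustCompile(`^type=(\S+) msg=audit\(([0-9]+\.[0-9]+):([0-9]+)\):\s*(.*)$`)

// parseAuditLine parses a single record. Values are bare (pid=1234) or quoted
// with " or ' (a0="ls", msg='op=login ...'); quoted values may contain spaces.
func parseAuditLine(line string) (AuditEvent, error) {
	m := auditHeader.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return AuditEvent{}, fmt.Errorf("not an audit record: %q", line)
	}
	ts, err := strconv.ParseFloat(m[2], 64)
	if err != nil {
		return AuditEvent{}, err
	}
	serial, err := strconv.Atoi(m[3])
	if err != nil {
		return AuditEvent{}, err
	}
	ev := AuditEvent{Type: m[1], Time: ts, Serial: serial, Fields: map[string]string{}}
	for rest := strings.TrimLeft(m[4], " "); rest != ""; rest = strings.TrimLeft(rest, " ") {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			return ev, fmt.Errorf("malformed field %q in record %d", rest, serial)
		}
		key := rest[:eq]
		rest = rest[eq+1:]
		var val string
		switch sp := strings.IndexByte(rest, ' '); {
		case len(rest) > 0 && (rest[0] == '"' || rest[0] == '\''):
			end := strings.IndexByte(rest[1:], rest[0]) // closing quote, relative to rest[1:]
			if end < 0 {
				return ev, fmt.Errorf("unterminated quote in field %q", key)
			}
			val, rest = rest[1:1+end], rest[2+end:]
		case sp >= 0:
			val, rest = rest[:sp], rest[sp+1:]
		default:
			val, rest = rest, ""
		}
		ev.Fields[key] = val
	}
	return ev, nil
}

// Dispatcher is what the agent hands alerts to. The dispatch module would write
// them to a remote endpoint; memDispatcher stands in for one here.
type Dispatcher interface{ Dispatch(alert string) error }

type memDispatcher struct{ Sent []string }

func (d *memDispatcher) Dispatch(alert string) error {
	d.Sent = append(d.Sent, alert)
	return nil
}

// processAudit parses each line and forwards the records whose type is in want.
// Lines that do not parse are reported in errs rather than aborting the run.
func processAudit(lines []string, want map[string]bool, d Dispatcher) (forwarded int, errs []string) {
	for _, line := range lines {
		ev, err := parseAuditLine(line)
		if err != nil {
			errs = append(errs, err.Error())
			continue
		}
		if !want[ev.Type] {
			continue
		}
		if err := d.Dispatch(line); err != nil {
			errs = append(errs, fmt.Sprintf("dispatch of record %d failed: %v", ev.Serial, err))
			continue
		}
		forwarded++
	}
	return forwarded, errs
}

// Constructed sample records (not captured from a real host).
var sampleAudit = []string{
	`type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=59 success=yes exit=0 pid=1234 uid=1000 comm="bash" exe="/bin/bash"`,
	`type=EXECVE msg=audit(1364481363.243:24287): argc=3 a0="ls" a1="-l" a2="/etc"`,
	`type=USER_LOGIN msg=audit(1364481400.100:24290): pid=2000 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'`,
	`this is not an audit record`,
}
```

The SYSCALL and EXECVE records share serial 24287, which is how multiple records of one event are tied together; a real consumer would group on Serial before alerting, and the unparseable line ends up in the error list the same way the module error log would carry it.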
Don't use MaxErrors from the matched file var, as the Search field has
not been set here. Use MaxErrors from the parent Search type we are
currently inspecting checks for instead.
sshkey scans the file system on remote agents for SSH keys, and where
identified returns fingerprints for the keys.
Where private keys and public keys are identified, fingerprints will be
returned for these keys if possible.
The module also identifies authorized_keys files, and returns the
fingerprints of any public keys present in the authorized_keys file,
allowing correlation between identified public/private fingerprints and
the hosts the keys have access to.
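As an added illustration of the authorized_keys side of the sshkey module described above (example code written for this page, not the module's own; the names KeyFingerprint, parseAuthorizedKeysLine, scanAuthorizedKeys, fingerprint and blobType are this example's own, and it recognises only a few key types): it parses each authorized_keys line, checks that the declared key type agrees with the type embedded in the key blob, and computes the OpenSSH SHA256 fingerprint over the blob, which is the value that can be correlated with a private key's fingerprint. The sample keys are constructed byte strings, not real keys.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

type KeyFingerprint struct {
	Type    string // key type taken from the blob, e.g. ssh-ed25519
	SHA256  string // OpenSSH fingerprint: SHA256:<unpadded base64 of the blob's hash>
	Options string // leading authorized_keys options, e.g. command="...",no-pty
	Comment string
}

var keyTypes = map[string]bool{"ssh-rsa": true, "ssh-ed25519": true, "ecdsa-sha2-nistp256": true}

// fingerprint hashes the wire-format blob, exactly as ssh-keygen -l does.
func fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// blobType reads the length-prefixed key type string every SSH key blob begins with.
func blobType(blob []byte) (string, error) {
	if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob))+4 > uint64(len(blob)) {
		return "", fmt.Errorf("truncated or malformed key blob (%d bytes)", len(blob))
	}
	return string(blob[4 : 4+binary.BigEndian.Uint32(blob)]), nil
}

// parseAuthorizedKeysLine handles "[options] type base64 [comment]"; ok is false for
// blank and comment lines. The declared type must match the type inside the blob.
func parseAuthorizedKeysLine(line string) (kf KeyFingerprint, ok bool, err error) {
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") {
		return kf, false, nil
	}
	tok := strings.Fields(line)
	i := 0
	for i < len(tok) && !keyTypes[tok[i]] {
		i++ // tokens before the key type are the options field (rejoined with single spaces)
	}
	if i+1 >= len(tok) {
		return kf, false, fmt.Errorf("no key type and blob in %q", line)
	}
	blob, err := base64.StdEncoding.DecodeString(tok[i+1])
	if err != nil {
		return kf, false, fmt.Errorf("bad base64: %v", err)
	}
	t, err := blobType(blob)
	if err != nil {
		return kf, false, err
	}
	if t != tok[i] {
		return kf, false, fmt.Errorf("declared type %s but blob contains %s", tok[i], t)
	}
	kf = KeyFingerprint{Type: t, SHA256: fingerprint(blob), Options: strings.Join(tok[:i], " "), Comment: strings.Join(tok[i+2:], " ")}
	return kf, true, nil
}

// scanAuthorizedKeys parses a whole file, collecting keys and per-line errors.
func scanAuthorizedKeys(content string) (keys []KeyFingerprint, errs []string) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		kf, ok, err := parseAuthorizedKeysLine(sc.Text())
		if err != nil {
			errs = append(errs, fmt.Sprintf("line %d: %v", n, err))
		} else if ok {
			keys = append(keys, kf)
		}
	}
	return keys, errs
}

// sshString encodes a length-prefixed SSH string, the building block of key blobs.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// sampleBlobs are constructed for this example and are not real keys: an ed25519 blob
// with an all-zero 32-byte point, and an RSA blob with e=65537 and an all-zero modulus.
func sampleBlobs() (ed, rsa []byte) {
	ed = append(sshString([]byte("ssh-ed25519")), sshString(make([]byte, 32))...)
	rsa = append(sshString([]byte("ssh-rsa")), sshString([]byte{1, 0, 1})...)
	return ed, append(rsa, sshString(make([]byte, 64))...)
}

// sampleAuthorizedKeys is a constructed file: a plain key, a key with options, a
// comment line, and a truncated key that must be reported rather than fingerprinted.
func sampleAuthorizedKeys() string {
	ed, rsa := sampleBlobs()
	b64 := base64.StdEncoding.EncodeToString
	return "# keys for alice\nssh-ed25519 " + b64(ed) + " alice@laptop\n" +
		`command="/usr/bin/backup",no-pty ssh-rsa ` + b64(rsa) + " backup@host\nssh-ed25519 AAAA truncated"
}
```

Checking the type string inside the blob against the declared type catches lines that were hand-edited or truncated, and since the fingerprint is taken over the blob bytes rather than the base64 text, it equals what `ssh-keygen -lf` prints for the same key, which is what makes the public/private and authorized_keys correlation described above work.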
In cases where multiple paths are present in a single search (e.g.,
-path is used more than once with the mig command line) the maxdepth
option was not behaving correctly.
pathWalk would examine the paths in scope for a search to determine if
it should be considered. Upon finding one, it would not break out of the
loop, so depending on the ordering, the search may not be marked as
current even if it was under the root of a search path.
This was resulting in the current directory depth not being consistently
reduced upon returning from pathWalk, causing the current depth to
continuously increase for a given search.
The matchlimit option to the file module was not working correctly for
a couple of reasons.
First, it relied on the Totalhits value in the module statistics to
compare the number of hits to the match limit. This value was compiled
in buildResults, so was 0 throughout module execution. Because of this
matchlimit would never be exceeded.
Also, the comparison to Totalhits was only occurring on directory entry.
This means if the match limit was hit while scanning a single directory,
it would continue to scan files exceeding the match limit.
This modifies the way results are processed by Search types, so
individual checks submit matched files via a channel to the parent
Search entry. The Search entry can then maintain a list of matches, and
increment Totalhits as required while the processing is occurring instead
of in buildResults.
Closes #382
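As an added illustration of the channel-based result handling the commit message above describes (example code written for this page, not the file module's own code; the Search, Check and Match types and the collect/runCheck/run names are this example's own): checks send each matched file over a channel to the parent Search, the Search increments Totalhits as matches arrive rather than in a final buildResults step, and every check polls a stop channel before each file, so the limit is honoured part way through a directory and not only on directory entry. The candidate paths are constructed; no file system is touched.

```go
package main

import (
	"strings"
	"sync"
)

// Match is one file that satisfied a check, sent by the check to its parent Search.
type Match struct {
	Check string
	File  string
}

// Check is one test a Search applies to its candidate files.
type Check struct {
	Name  string
	Files []string
	Pred  func(path string) bool
}

// Search owns the match list. Totalhits is incremented as matches arrive over the
// channel, so the limit can be enforced while the scan is running.
type Search struct {
	MatchLimit int // 0 means unlimited
	Totalhits  int
	Matches    []Match
	LimitHit   bool

	matches chan Match
	stop    chan struct{} // closed once the limit is reached; checks poll it per file
	done    chan struct{}
}

func newSearch(limit int) *Search {
	return &Search{MatchLimit: limit, matches: make(chan Match), stop: make(chan struct{}), done: make(chan struct{})}
}

// collect is the only writer to Totalhits and Matches. Matches still in flight
// when the limit is reached are dropped, so Totalhits never exceeds MatchLimit.
func (s *Search) collect() {
	defer close(s.done)
	for m := range s.matches {
		if s.LimitHit {
			continue
		}
		s.Totalhits++
		s.Matches = append(s.Matches, m)
		if s.MatchLimit > 0 && s.Totalhits >= s.MatchLimit {
			s.LimitHit = true
			close(s.stop)
		}
	}
}

// runCheck consults stop before every file, not only on directory entry, so a
// limit reached part way through a directory stops the scan right there.
func (s *Search) runCheck(c Check, wg *sync.WaitGroup) {
	defer wg.Done()
	for _, f := range c.Files {
		select {
		case <-s.stop:
			return
		default:
		}
		if c.Pred(f) {
			s.matches <- Match{Check: c.Name, File: f}
		}
	}
}

// run executes the checks concurrently, then waits for the collector to drain the channel.
func (s *Search) run(checks []Check) {
	go s.collect()
	var wg sync.WaitGroup
	for _, c := range checks {
		wg.Add(1)
		go s.runCheck(c, &wg)
	}
	wg.Wait()
	close(s.matches)
	<-s.done
}

// Constructed candidate paths standing in for a directory scan (not from a real host).
var sampleFiles = []string{
	"/etc/ssh/sshd_config", "/etc/ssh/ssh_config", "/etc/hosts", "/etc/passwd",
	"/etc/nginx/nginx.conf", "/etc/resolv.conf", "/etc/sudoers", "/etc/nginx/mime.types",
}

// runSample runs two checks over sampleFiles; four files match in total, so a
// limit below four is hit mid-scan while a limit of 0 reports all four.
func runSample(limit int) *Search {
	s := newSearch(limit)
	s.run([]Check{
		{Name: "conf-suffix", Files: sampleFiles, Pred: func(p string) bool { return strings.HasSuffix(p, ".conf") }},
		{Name: "ssh-dir", Files: sampleFiles, Pred: func(p string) bool { return strings.HasPrefix(p, "/etc/ssh/") }},
	})
	return s
}
```

Because checks run concurrently, a few matches may already be on their way when the limit is reached; the collector drops those instead of counting them, which is what keeps Totalhits exactly at the limit rather than slightly above it.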
Reworks test tables so all tests execute from a single table, and test
file system creation is separated from the individual tests themselves.
This should permit more complicated test cases. This also removes
various Linux specific path elements so the tests should work on all
platforms.
If a file symlink existed in the root of a search path (e.g., /tmp was
being searched and /tmp/file was a symlink) path separators were not
being added correctly, resulting in no separator between the directory
path and the file name.
This caused subsequent checks (e.g., trying to follow and open the
symlink for content inspection) to fail, resulting in errors being
included in the module error log.
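As an added illustration of the two path-walking problems described in the commit messages above, the maxdepth bookkeeping with several search paths and the missing separator for a symlink in the search root (example code written for this page, not the file module's pathWalk; the walker type, inScope, walk and buildFixture are this example's own): the in-scope check returns on its first hit so the order of the search paths cannot affect it, depth is passed by value so returning from a subdirectory restores it with no explicit decrement, entries are built with filepath.Join so "/tmp" and "file" become "/tmp/file", and a symlink whose target resolves outside every search path is not descended into. buildFixture creates a constructed directory tree for the walk to run against.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// Entry is one file found by the walk; LinkTarget is set when it is a symlink.
type Entry struct{ Path, LinkTarget string }

type walker struct {
	roots    []string        // resolved search paths (the -path arguments)
	maxDepth int             // directory levels below a root that may be descended into
	visited  map[string]bool // real paths already walked, so symlink loops terminate
	entries  []Entry
	errs     []string
}

// inScope reports whether dir is at or below one of the roots; it returns on the
// first hit, so the order of the roots never changes the answer.
func (w *walker) inScope(dir string) bool {
	for _, r := range w.roots {
		if dir == r || strings.HasPrefix(dir, r+string(filepath.Separator)) {
			return true
		}
	}
	return false
}

// pathWalk scans dir at the given depth. Depth is passed by value, so returning
// from a subdirectory restores the caller's depth with no explicit decrement.
func (w *walker) pathWalk(dir string, depth int) {
	if depth > w.maxDepth || !w.inScope(dir) || w.visited[dir] {
		return
	}
	w.visited[dir] = true
	ents, err := os.ReadDir(dir)
	if err != nil {
		w.errs = append(w.errs, err.Error())
		return
	}
	for _, e := range ents {
		// Join inserts the separator; dir+e.Name() gives "/tmpfile" for a link in the root.
		full := filepath.Join(dir, e.Name())
		switch {
		case e.Type()&os.ModeSymlink != 0:
			target, err := filepath.EvalSymlinks(full)
			if err != nil {
				w.errs = append(w.errs, err.Error()) // dangling link: logged, not fatal
			} else if st, err := os.Stat(target); err == nil && st.IsDir() {
				w.pathWalk(target, depth+1) // returns early if the target escapes every root
			} else {
				w.entries = append(w.entries, Entry{Path: full, LinkTarget: target})
			}
		case e.IsDir():
			w.pathWalk(full, depth+1)
		case e.Type().IsRegular():
			w.entries = append(w.entries, Entry{Path: full})
		}
	}
}

// walk resolves the search paths so comparisons use real paths, then walks each at depth 0.
func walk(paths []string, maxDepth int) ([]Entry, []string, error) {
	w := &walker{maxDepth: maxDepth, visited: map[string]bool{}}
	for _, p := range paths {
		r, err := filepath.EvalSymlinks(p)
		if err != nil {
			return nil, nil, err
		}
		w.roots = append(w.roots, r)
	}
	for _, r := range w.roots {
		w.pathWalk(r, 0)
	}
	return w.entries, w.errs, nil
}

// buildFixture creates a constructed tree under base and returns its root: root/{file1.txt,
// link -> file1.txt, sub/file2.txt, sub/deep/file3.txt, outlink -> ../outside} plus outside/secret.txt.
func buildFixture(base string) (string, error) {
	root := filepath.Join(base, "root")
	for _, d := range []string{filepath.Join(root, "sub", "deep"), filepath.Join(base, "outside")} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	for _, f := range []string{"root/file1.txt", "root/sub/file2.txt", "root/sub/deep/file3.txt", "outside/secret.txt"} {
		if err := os.WriteFile(filepath.Join(base, filepath.FromSlash(f)), []byte("x\n"), 0o644); err != nil {
			return "", err
		}
	}
	if err := os.Symlink("file1.txt", filepath.Join(root, "link")); err != nil {
		return "", err
	}
	return root, os.Symlink(filepath.Join("..", "outside"), filepath.Join(root, "outlink"))
}
```

With maxdepth 1 on the fixture root the walk reports file1.txt, link (with its target resolved, so a content check can open it) and sub/file2.txt, leaves sub/deep alone, and never enters outside even though a link in the root points at it; raising maxdepth adds sub/deep/file3.txt and nothing else.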