diff --git a/pkg/wsman/amt/auditlog/decoder.go b/pkg/wsman/amt/auditlog/decoder.go index e694905c..28ebc7a4 100644 --- a/pkg/wsman/amt/auditlog/decoder.go +++ b/pkg/wsman/amt/auditlog/decoder.go @@ -114,18 +114,6 @@ var RequestedStateToString = map[RequestedState]string{ RequestedStateNotApplicable: "NotApplicable", } -var ProvisioningMethodToString = map[int]string{ - 2: "Remote Configuration", - 3: "Manual Provisioning via MEBx", - 5: "Host-Based Provisioning Admin Mode", -} - -var InitiatorTypeToString = map[int]string{ - 0: "Unknown", - 1: "User", - 2: "Machine", -} - // RequestedStateToString returns a string representation of a RequestedState. func (r RequestedState) String() string { if value, exists := RequestedStateToString[r]; exists { @@ -147,12 +135,6 @@ var StoragePolicyToString = map[StoragePolicy]string{ StoragePolicyRestrictedRollOver: "RestrictedRollOver", } -var ProvisioningHashType = map[int]string{ - 1: "SHA1_160", - 2: "SHA_256", - 3: "SHA_384", -} - // StoragePolicyToString returns a string representation of a StoragePolicy. func (r StoragePolicy) String() string { if value, exists := StoragePolicyToString[r]; exists { 
@@ -162,59 +144,38 @@ func (r StoragePolicy) String() string { return ValueNotFound } -func convertToAuditLogResult(auditlogdata []string) []AuditLogRecord { - records := []AuditLogRecord{} - - for _, eventRecord := range auditlogdata { - ptr := 0 - - decodedEventRecord, err := base64.StdEncoding.DecodeString(eventRecord) - if err != nil { - continue - } - - decodedEventRecordStr := string(decodedEventRecord) - auditLogRecord := AuditLogRecord{} - - auditLogRecord.AuditAppID = common.ReadShort(decodedEventRecordStr, 0) - auditLogRecord.EventID = common.ReadShort(decodedEventRecordStr, 2) - auditLogRecord.AuditApp = AMTAuditStringTable[auditLogRecord.AuditAppID] - // auditLogRecord.InitiatorType = decodedEventRecordStr[:4] - auditLogRecord.Event = AMTAuditStringTable[(auditLogRecord.AuditAppID*100)+auditLogRecord.EventID] - - // if auditLogRecord.Event { - // auditLogRecord.Event = '#' + auditLogRecord.EventID - // } - - initiatorType, initiator, pointer := getInitiatorInfo(decodedEventRecordStr) - auditLogRecord.InitiatorType = initiatorType - auditLogRecord.Initiator = initiator - ptr = pointer - - // Read timestamp - timeStamp := common.ReadInt(decodedEventRecordStr, ptr) - auditLogRecord.Time = time.Unix(int64(timeStamp), 0) - ptr += 4 +var provisioningMethodToString = map[int]string{ + 2: "Remote Configuration", + 3: "Manual Provisioning via MEBx", + 5: "Host-Based Provisioning Admin Mode", +} - // Read network access +var initiatorTypeToString = map[int]string{ + 0: "Unknown", + 1: "User", + 2: "Machine", +} - auditLogRecord.MCLocationType = []byte(decodedEventRecordStr[ptr : ptr+1])[0] - ptr++ - netlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] - ptr++ - auditLogRecord.NetAddress = strings.ReplaceAll(decodedEventRecordStr[ptr:ptr+int(netlen)], "0000:0000:0000:0000:0000:0000:0000:0001", "::1") +var optInPolicyToString = map[int]string{ + 0: "None", + 1: "KVM", + 255: "All", +} - // Read extended data - ptr += int(netlen) - exlen := 
[]byte(decodedEventRecordStr[ptr : ptr+1])[0] - ptr++ - auditLogRecord.Ex = decodedEventRecordStr[ptr : ptr+int(exlen)] - auditLogRecord.ExStr = GetAuditLogExtendedDataString(auditLogRecord.AuditAppID, auditLogRecord.EventID, auditLogRecord.Ex) +var operationStatusToString = map[int]string{ + 0: "Remote operator entered a one-time password successfully", + 1: "Remote operator failed 3 times to enter a one-time password correctly", +} - records = append([]AuditLogRecord{auditLogRecord}, records...) - } +var provisioningHashTypeToString = map[int]string{ + 1: "SHA1 160", + 2: "SHA 256", + 3: "SHA 384", +} - return records +var ExtendedDataMap = map[int]string{ + 0: "Invalid ME access", + 1: "Invalid MEBx access", } const ( 
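Review bot: `ExtendedDataMap` is the one table in this hunk that is exported, and it carries no doc comment, so it becomes public package API by accident unless something outside the package needs it; either unexport it as `extendedDataMap` like `provisioningMethodToString` and the other five, or give it a doc comment stating which event's extended-data byte it decodes. Its two entries look like the same lookup that the invalid-credentials case later in the file does inline with `[]string{"Intel AMT", "MEBx"}[data[0]]`, so one of the two copies should go. `operationStatusToString` also deserves a one-line comment naming the event whose status byte it decodes, since its text is specific to one-time-password entry and nothing here ties it to an event ID.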
@@ -237,6 +198,126 @@ const ( Watchdog = 33 ) +var AMTAppIDToString = map[int]string{ + 16: "Security Admin Events", + 17: "Remote Control Events", + 18: "Redirection Manager Events", + 19: "Firmware Update Manager Events", + 20: "Security AuditLog Events", + 21: "Network Time Events", + 22: "Network Administration Events", + 23: "Storage Administration Events", + 24: "Event Manager Events", + 25: "System Defense Manager Events", + 26: "Agent Presence Manager Events", + 27: "Wireless Configuration Events", + 28: "Endpoint Access Control Events", + 29: "Keyboard Video Mouse Events", + 30: "User Opt-In Events", + 32: "Screen Blanking Events", + 33: "Watchdog Events", +} + +var AMTAuditLogEventToString = map[int]string{ + 1600: "AMT Provisioning Started", + 1601: "AMT Provisioning Completed", + 1602: "ACL Entry Added", + 1603: "ACL Entry Modified", + 1604: "ACL Entry Removed", + 1605: "ACL Access with Invalid Credentials", + 1606: "ACL Entry State Changed", + 1607: "TLS State Changed", + 1608: "TLS Server Certificate Set", + 1609: "TLS Server Certificate Removed", + 1610: "TLS Trusted Root Certificate Added", + 1611: "TLS Trusted Root Certificate Removed", + 1612: "TLS Pre-Shared Key Set", + 1613: "Kerberos Settings Modified", + 1614: "Kerberos Master Key or Passphrase Modified", + 1615: "Flash Wear out Counters Reset", + 1616: "Power Package Modified", + 1617: "Set Realm Authentication Mode", + 1618: "Upgrade Client to Admin Control Mode", + 1619: "AMT UnProvisioning Started", + 1700: "Performed Power Up", + 1701: "Performed Power Down", + 1702: "Performed Power Cycle", + 1703: "Performed Reset", + 1704: "Set Boot Options", + 1705: "Performed Graceful Power Down", + 1706: "Performed Graceful Power Reset", + 1707: "Preformed Standby", + 1708: "Performed Hibernate", + 1709: "Performed NMI", + 1800: "IDE-R Session Opened", + 1801: "IDE-R Session Closed", + 1802: "IDE-R Enabled", + 1803: "IDE-R Disabled", + 1804: "SoL Session Opened", + 1805: "SoL Session Closed", + 
1806: "SoL Enabled", + 1807: "SoL Disabled", + 1808: "KVM Session Started", + 1809: "KVM Session Ended", + 1810: "KVM Enabled", + 1811: "KVM Disabled", + 1812: "VNC Password Failed 3 Times", + 1900: "Firmware Update Started", + 1901: "Firmware Update Failed", + 2000: "Security Audit Log Cleared", + 2001: "Security Audit Policy Modified", + 2002: "Security Audit Log Disabled", + 2003: "Security Audit Log Enabled", + 2004: "Security Audit Log Exported", + 2005: "Security Audit Log Recovered", + 2100: "AMT Time Set", + 2200: "TCP/IP Parameters Set", + 2201: "Host Name Set", + 2202: "Domain Name Set", + 2203: "VLAN Parameters Set", + 2204: "Link Policy Set", + 2205: "IPv6 Parameters Set", + 2300: "Global Storage Attributes Set", + 2301: "Storage EACL Modified", + 2302: "Storage FPACL Modified", + 2303: "Storage Write Operation", + 2400: "Alert Subscribed", + 2401: "Alert Unsubscribed", + 2402: "Event Log Cleared", + 2403: "Event Log Frozen", + 2500: "System Defense Filter Added", + 2501: "System Defense Filter Removed", + 2502: "System Defense Policy Added", + 2503: "System Defense Policy Removed", + 2504: "System Defense Default Policy Set", + 2505: "System Defense Heuristics Option Set", + 2506: "System Defense Heuristics State Cleared", + 2600: "Agent Watchdog Added", + 2601: "Agent Watchdog Removed", + 2602: "Agent Watchdog Action Set", + 2700: "Wireless Profile Added", + 2701: "Wireless Profile Removed", + 2702: "Wireless Profile Updated", + 2703: "Wireless Profile Modified", + 2704: "Wireless Link Preference Changed", + 2705: "Wireless Profile Share With UEFI Enabled Setting Changed", + 2800: "EAC Posture Signer Set", + 2801: "EAC Enabled", + 2802: "EAC Disabled", + 2803: "EAC Posture State Updated", + 2804: "EAC Set Options", + 2900: "KVM Opt-In Enabled", + 2901: "KVM Opt-In Disabled", + 2902: "KVM Password Changed", + 2903: "KVM Consent Succeeded", + 2904: "KVM Consent Failed", + 3000: "Opt-In Policy Change", + 3001: "Send Consent Code Event", + 3002: "Start 
Opt-In Blocked Event", + 3301: "Watchdog Reset Triggering Options Changed", + 3302: "Watchdog Action Pairing Changed", +} + var RealmNames = []string{ "Redirection", "PT Administration", 
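Review bot: Entry 1707 in `AMTAuditLogEventToString` has a typo, `"Preformed Standby"`, that will surface verbatim in decoded audit output and in any SIEM rule that matches on it; it should read `1707: "Performed Standby",`. Both tables are exported and are what operators key on, so each should get a doc comment saying how it is indexed: `// AMTAuditLogEventToString names an audit event; keys are AuditAppID*100+EventID.` and `// AMTAppIDToString names the application that raised an audit event, keyed by AuditAppID.`, which is how `convertToAuditLogResult` later in this commit looks them up.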
@@ -264,6 +345,60 @@ var RealmNames = []string{ // Add more as needed } +func convertToAuditLogResult(auditlogdata []string) []AuditLogRecord { + records := []AuditLogRecord{} + + for _, eventRecord := range auditlogdata { + ptr := 0 + + decodedEventRecord, err := base64.StdEncoding.DecodeString(eventRecord) + if err != nil { + continue + } + + decodedEventRecordStr := string(decodedEventRecord) + auditLogRecord := AuditLogRecord{} + + auditLogRecord.AuditAppID = common.ReadShort(decodedEventRecordStr, 0) + auditLogRecord.EventID = common.ReadShort(decodedEventRecordStr, 2) + auditLogRecord.AuditApp = AMTAppIDToString[auditLogRecord.AuditAppID] + auditLogRecord.Event = AMTAuditLogEventToString[(auditLogRecord.AuditAppID*100)+auditLogRecord.EventID] + + initiatorType, initiator, pointer := getInitiatorInfo(decodedEventRecordStr) + auditLogRecord.InitiatorType = initiatorType + auditLogRecord.Initiator = initiator + ptr = pointer + + // Read timestamp + timeStamp := common.ReadInt(decodedEventRecordStr, ptr) + auditLogRecord.Time = time.Unix(int64(timeStamp), 0) + ptr += 4 + + // Read network access + + auditLogRecord.MCLocationType = []byte(decodedEventRecordStr[ptr : ptr+1])[0] + ptr++ + + netlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] + ptr++ + + auditLogRecord.NetAddress = strings.ReplaceAll(decodedEventRecordStr[ptr:ptr+int(netlen)], "0000:0000:0000:0000:0000:0000:0000:0001", "::1") + + // Read extended data + ptr += int(netlen) + + exlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] + ptr++ + + auditLogRecord.Ex = decodedEventRecordStr[ptr : ptr+int(exlen)] + auditLogRecord.ExStr = GetAuditLogExtendedDataString(auditLogRecord.AuditAppID, auditLogRecord.EventID, auditLogRecord.Ex) + + records = append([]AuditLogRecord{auditLogRecord}, records...) 
+ } + + return records +} + // Return human readable extended audit log data // TODO: Just put some of them here, but many more still need to be added, helpful link here: // https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsecurityadminevents.htm @@ -296,10 +431,15 @@ func GetAuditLogExtendedDataString(appId, eventId int, data string) string { case WirelessConfiguration: extendedDataString = parseWirelessConfigurationEvents(eventId, data) case EndpointAccessControl: + extendedDataString = parseEndpointAccessControlEvents(eventId, data) case KeyboardVideoMouse: + extendedDataString = parseKeyboardVideoMouseEvents(eventId) case UserOptIn: + extendedDataString = parseUserOptInEvents(eventId, data) case ScreenBlanking: + extendedDataString = "Screen blanking events are no longer supported." case Watchdog: + extendedDataString = parseWatchdogEvents(eventId, data) default: extendedDataString = "Unknown Event Group ID" } @@ -308,7 +448,6 @@ func GetAuditLogExtendedDataString(appId, eventId int, data string) string { } func parseSecurityAdminEvents(eventId int, data string) string { - const ( ProvisioningStarted = 0 ProvisioningCompleted = 1 
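Review bot: Every slice expression in the re-added `convertToAuditLogResult` (`decodedEventRecordStr[ptr : ptr+1]`, `[ptr:ptr+int(netlen)]`, `[ptr:ptr+int(exlen)]`) trusts offsets and length bytes taken from the record itself, so a truncated or malformed audit record panics with an index out of range and aborts the whole decode, while a bad base64 payload a few lines earlier is merely skipped with `continue`. Audit records arrive from the managed device over WS-Man, so the decoder should treat them as untrusted, bound every read against `len(decodedEventRecordStr)` and skip the record the way the base64 path does; whether `common.ReadShort`, `common.ReadInt` and `getInitiatorInfo` already bound-check is not visible here and they need the same treatment. A small `take` helper makes each bounded read explicit.
```go
// take returns s[ptr:ptr+n], or ok=false when the record is too short for it.
func take(s string, ptr, n int) (string, bool) {
	if ptr < 0 || n < 0 || ptr+n > len(s) {
		return "", false
	}
	return s[ptr : ptr+n], true
}

		// … unchanged: base64 decode, AuditAppID/EventID, initiator, timestamp …
		hdr, ok := take(decodedEventRecordStr, ptr, 2) // MCLocationType, netlen
		if !ok {
			continue
		}
		auditLogRecord.MCLocationType = hdr[0]
		netlen := int(hdr[1])
		ptr += 2

		netAddr, ok := take(decodedEventRecordStr, ptr, netlen)
		if !ok {
			continue
		}
		auditLogRecord.NetAddress = strings.ReplaceAll(netAddr, "0000:0000:0000:0000:0000:0000:0000:0001", "::1")
		ptr += netlen

		exHdr, ok := take(decodedEventRecordStr, ptr, 1)
		if !ok {
			continue
		}
		exlen := int(exHdr[0])
		ptr++

		ex, ok := take(decodedEventRecordStr, ptr, exlen)
		if !ok {
			continue
		}
		auditLogRecord.Ex = ex
		// … unchanged: ExStr, prepend to records …
```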
@@ -335,78 +474,19 @@ func parseSecurityAdminEvents(eventId int, data string) string { var extendedDataString string byteData := []byte(data) - buf := bytes.NewBuffer(byteData) switch eventId { case ProvisioningStarted: extendedDataString = "Intel AMT transitioned to setup mode." case ProvisioningCompleted: - extendedDataString = "Intel AMT transitioned to operational mode. " + extendedDataString = "Intel AMT transitioned to operational mode." if len(byteData) > 0 { - var ProvisioningParameters ProvisioningParameters - - // Read ProvisioningMethod - if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.ProvisioningMethod); err != nil { - return extendedDataString - } - - // Read HashType - if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.HashType); err != nil { - return extendedDataString - } - - // Read TrustedRootCertHash based on HashType - switch ProvisioningParameters.HashType { - case 1: // SHA1_160 - ProvisioningParameters.TrustedRootCertHash = make([]byte, 20) - case 2: // SHA_256 - ProvisioningParameters.TrustedRootCertHash = make([]byte, 32) - case 3: // SHA_384 - ProvisioningParameters.TrustedRootCertHash = make([]byte, 48) - default: - return extendedDataString - } - - if _, err := buf.Read(ProvisioningParameters.TrustedRootCertHash); err != nil { - return extendedDataString - } - - // Read NumberOfCertificates - if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.NumberOfCertificates); err != nil { - return extendedDataString - } - - // Read CertSerialNumbers - for i := 0; i < int(ProvisioningParameters.NumberOfCertificates); i++ { - serialNumber := make([]byte, 16) - if _, err := buf.Read(serialNumber); err != nil { - return extendedDataString - } - ProvisioningParameters.CertSerialNumbers = append(ProvisioningParameters.CertSerialNumbers, hex.EncodeToString(serialNumber)) - } - - // Read AdditionalCaSerialNumbers - if err := binary.Read(buf, binary.LittleEndian, 
&ProvisioningParameters.AdditionalCaSerialNumbers); err != nil { - return extendedDataString - } - - // Read ProvServFQDNLength - if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.ProvServFQDNLength); err != nil { - return extendedDataString - } - - // Read ProvServFQDN - fqdn := make([]byte, ProvisioningParameters.ProvServFQDNLength) - if _, err := buf.Read(fqdn); err != nil { - return extendedDataString - } - ProvisioningParameters.ProvServFQDN = string(fqdn) - - extendedDataString += provisioningCompletedToString(&ProvisioningParameters) + var event = readProvisioningCompletedEventData(byteData) + extendedDataString += provisioningCompletedToString(&event) } case ACLEntryAdded: - extendedDataString = "User entry was added to the Intel AMT Device. " + extendedDataString = "User entry was added to the Intel AMT Device." if len(byteData) > 0 { var entry = readACLData(ACLEntryAdded, byteData) @@ -414,7 +494,7 @@ func parseSecurityAdminEvents(eventId int, data string) string { extendedDataString += aclEntryAddedToString(&entry) } case ACLEntryModified: - extendedDataString = "User entry was updated in the Intel AMT device. " + extendedDataString = "User entry was updated in the Intel AMT device." if len(byteData) > 0 { var entry = readACLData(ACLEntryModified, byteData) @@ -422,7 +502,7 @@ func parseSecurityAdminEvents(eventId int, data string) string { extendedDataString += aclEntryModifiedToString(&entry) } case ACLEntryRemoved: - extendedDataString = "User entry was removed from the Intel AMT device. " + extendedDataString = "User entry was removed from the Intel AMT device." if len(byteData) > 0 { var entry = readACLData(ACLEntryRemoved, byteData) 
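Review bot: The early `return extendedDataString` that used to fire when any provisioning field failed to parse is gone: `readProvisioningCompletedEventData` discards its read errors, so a short record now comes back as a zero-filled `ProvisioningParameters` that `provisioningCompletedToString` renders as though it were real, and an audit consumer cannot tell "no FQDN, hash type 0" from "record truncated". Keep the guard at the call site by having the reader return an error: `event, err := readProvisioningCompletedEventData(byteData)` followed by `if err != nil { return extendedDataString }`. Independently, `var event = ...` (and `var entry = ...` in the ACL cases) is conventionally written `event := ...` in Go.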
@@ -433,50 +513,67 @@ func parseSecurityAdminEvents(eventId int, data string) string { extendedDataString = "User attempted to access " + []string{"Intel AMT", "MEBx"}[data[0]] + " with invalid credentials." } case ACLEntryEnabled: - extendedDataString = "ACL entry state was changed. " + extendedDataString = "ACL entry state was changed." if len(byteData) > 0 { var entry = readACLData(ACLEntryEnabled, byteData) extendedDataString += aclEntryEnabledToString(&entry) } case TLSStateChanged: + extendedDataString = "TLS state changed." if len(byteData) > 0 { - extendedDataString = "TLS state changed: Remote " + - []string{"NoAuth", "ServerAuth", "MutualAuth"}[byteData[0]] + - ", Local " + - []string{"NoAuth", "ServerAuth", "MutualAuth"}[byteData[1]] + extendedDataString += "\nRemote: " + + []string{"No Auth", "Server Auth", "Mutual Auth"}[byteData[0]] + + "\nLocal: " + + []string{"No Auth", "Server Auth", "Mutual Auth"}[byteData[1]] } case TLSServerCertificateSet: - extendedDataString = "TLS server certificate was defined. " + getCertificateSerialNumber(byteData) + extendedDataString = "TLS server certificate was defined." + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } case TLSServerCertificateRemoved: - extendedDataString = "TLS server certificate was removed. " + getCertificateSerialNumber(byteData) + extendedDataString = "TLS server certificate was removed." + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } case TLSTrustedRootCertificateAdded: - extendedDataString = "TLS trusted root certificate was added. " + getCertificateSerialNumber(byteData) + extendedDataString = "TLS trusted root certificate was added." + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } case TLSTrustedRootCertificateRemoved: - extendedDataString = "TLS trusted root certificate was removed. 
" + getCertificateSerialNumber(byteData) + extendedDataString = "TLS trusted root certificate was removed." + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } case TLSPreSharedKeySet: extendedDataString = "TLS pre-shared key was defined." case KerberosSettingsModified: + extendedDataString = "Kerberos settings were modified." if len(data) > 0 { - extendedDataString = "Kerberos settings were modified. Time tolerance: " + hex.EncodeToString([]byte(data)) + extendedDataString += "Time tolerance: " + string(byteData) } case KerberosMasterKeyModified: extendedDataString = "Kerberos master key or passphrase was modified." case FlashWearOutCountersReset: extendedDataString = "Flash wear out counter was reset." case PowerPackageModified: + extendedDataString = "Active power package was set." if len(data) > 0 { - extendedDataString = "Active power package was set: " + hex.EncodeToString([]byte(data)) + extendedDataString += "Power policy: " + string(byteData) } case SetRealmAuthenticationMode: + extendedDataString = "Realm authentication mode changed." if len(data) > 0 { - extendedDataString = RealmNames[common.ReadInt(data, 0)] + ", " + []string{"NoAuth", "Auth", "Disabled"}[data[4]] + extendedDataString += "\n" + RealmNames[common.ReadInt(data, 0)] + ", " + []string{"NoAuth", "Auth", "Disabled"}[data[4]] } case UpgradeClientToAdmin: extendedDataString = "The control mode of the Intel AMT was changed from Client control to Admin control." case AMTUnProvisioningStarted: + extendedDataString = "Intel AMT UnProvisioned Started." if len(data) > 0 { - extendedDataString = []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[data[0]] + extendedDataString = "\nInitiator: " + []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[data[0]] } default: extendedDataString = "Unknown Event ID" 
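Review bot: In the `AMTUnProvisioningStarted` case the second assignment uses `=`, so the `"Intel AMT UnProvisioned Started."` prefix set one line earlier is discarded whenever extended data is present; every other case in this hunk uses `+=`, and this one should read `extendedDataString += "\nInitiator: " + ...`. The `TLSStateChanged` case guards only `len(byteData) > 0` yet reads `byteData[1]`, and that lookup, `RealmNames[common.ReadInt(data, 0)]` with `data[4]`, and the unprovisioning initiator table are all indexed directly by device-supplied bytes, so a short record or an out-of-table value panics the decoder instead of yielding an "unknown" string; the guards should be `len(byteData) >= 2` and `len(data) >= 5`, with each index checked against the table length. `KerberosSettingsModified` and `PowerPackageModified` now emit `string(byteData)` where the replaced code hex-encoded the bytes; if those fields are binary (a time tolerance is presumably a number), the output will be unprintable, so keep `hex.EncodeToString` or decode the integer explicitly. `parseSecurityAdminEvents` continues past the end of this hunk.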
@@ -504,33 +601,38 @@ func parseRemoteControlEvents(eventId int, data string) string { switch eventId { case PerformedPowerUp: + extendedDataString = "Remote power up initiated." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Remote power up initiated. \n" + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case PerformedPowerDown: extendedDataString = "Remote power down initiated." case PerformedPowerCycle: + extendedDataString = "Remote power cycle initiated." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Remote power cycle initiated. \n" + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case PerformedReset: + extendedDataString = "Remote reset initiated." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Remote reset initiated. \n" + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case SetBootOptions: + extendedDataString = "Boot options were set." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Boot options were set. \n" + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case PerformedGracefulPowerDown: extendedDataString = "Remote graceful power down initiated." case PerformedGracefulReset: + extendedDataString = "Remote graceful reset initiated." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Remote graceful reset initiated. " + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case PerformedStandby: extendedDataString = "Remote standby initiated." 
@@ -817,7 +919,7 @@ func parseEventManagerEvents(eventId int, data string) string {
 }
 if len(data) > 0 {
 event := readEventManagerEventData(AlertSubscribed, []byte(data))
- extendedDataString += parseEventManagerEventData(event)
+ extendedDataString += eventManagerEventDataToString(event)
 }
 case EventLogCleared:
 extendedDataString = "Event log was cleared of existing records."
@@ -987,6 +1089,124 @@ func parseWirelessConfigurationEvents(eventId int, data string) string { return extendedDataString } +func parseEndpointAccessControlEvents(eventId int, data string) string { + var extendedDataString string + + const ( + EACPostureSignerSet = 0 + EACEnabled = 1 + EACDisabled = 2 + EASPostureStateUpdate = 3 + EACSetOptions = 4 + ) + + switch eventId { + case EACPostureSignerSet: + extendedDataString = "A certificate handle for signing EAC postures was either set or removed." + case EACEnabled: + extendedDataString = "EAC was set to enabled by WS-MAN interface." + case EACDisabled: + extendedDataString = "EAC was set to disabled by WS-MAN interface." + case EASPostureStateUpdate: + extendedDataString = "Controllable fields of EAC posture were reset manually by WS-MAN interface." + case EACSetOptions: + extendedDataString = "EAC options were changed." + if len(data) > 0 { + byteData := []byte(data) + buf := bytes.NewBuffer(byteData) + var eacVendors uint32 + _ = binary.Read(buf, binary.LittleEndian, &eacVendors) + extendedDataString += "\nEAC Vendors: " + string(eacVendors) + } + } + + return extendedDataString +} + +func parseKeyboardVideoMouseEvents(eventId int) string { + var extendedDataString string + + const ( + KVMOptInEnabled = 0 + KVMOptInDisabled = 1 + KVMPasswordChanged = 2 + KVMConsentSucceeded = 3 + KVMConsentFailed = 4 + ) + + switch eventId { + case KVMOptInEnabled: + extendedDataString = "User consent for a KVM session is now required." + case KVMOptInDisabled: + extendedDataString = "User consent for a KVM session is no longer required." + case KVMPasswordChanged: + extendedDataString = "RFB password for KVM session has changed." + case KVMConsentSucceeded: + extendedDataString = "Remote operator entered a one-time password successfully." + case KVMConsentFailed: + extendedDataString = "Remote operator failed to enter a one-time password correctly." 
+ } + + return extendedDataString +} + +func parseUserOptInEvents(eventId int, data string) string { + var extendedDataString string + + const ( + OptInPolicyChange = 0 + SendConsentCodeEvent = 1 + StartOptInBlockedEvent = 2 + ) + + switch eventId { + case OptInPolicyChange: + extendedDataString = "A user has modified the opt-in policy settings." + if len(data) > 0 { + event := readUserOptInEventData(OptInPolicyChange, []byte(data)) + extendedDataString += "\nPrevious Opt-In Policy: " + optInPolicyToString[int(event.PreviousOptInPolicy)] + + "\nCurrent Opt-In Policy: " + optInPolicyToString[int(event.CurrentOptInPolicy)] + } + case SendConsentCodeEvent: + extendedDataString = "The remote operator sent a consent code." + if len(data) > 0 { + event := readUserOptInEventData(SendConsentCodeEvent, []byte(data)) + extendedDataString += "\nOperation Status: " + string(event.OperationStatus) + } + case StartOptInBlockedEvent: + extendedDataString = "The remote operator attempted to send a start opt-in request, but the request was blocked (denial-of-service attack prevention)." + } + + return extendedDataString +} + +func parseWatchdogEvents(eventId int, data string) string { + var extendedDataString string + + const ( + WatchdogResetTriggeringOptionsChanged = 0 + WatchdogActionPairingChanged = 1 + ) + + switch eventId { + case WatchdogResetTriggeringOptionsChanged: + extendedDataString = "A user has modified the watchdog action settings." + case WatchdogActionPairingChanged: + extendedDataString = "A user has modified a watchdog to add, remove, or alter the watchdog action connected to it." + if len(data) > 0 { + byteData := []byte(data) + var opStatus uint8 + buf := bytes.NewBuffer(byteData) + + _ = binary.Read(buf, binary.LittleEndian, &opStatus) + + extendedDataString += "\nOperation Status: " + operationStatusToString[int(opStatus)] + } + } + + return extendedDataString +} + const ( HTTPDigest byte = 0 Kerberos byte = 1 
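Review bot: `string(eacVendors)` in `parseEndpointAccessControlEvents` and `string(event.OperationStatus)` in `parseUserOptInEvents` convert an integer to the UTF-8 encoding of that code point, not to its decimal text (go vet's stringintconv check flags the `uint32` one), so the output carries a control character or U+FFFD rather than a readable number. Use `fmt.Sprintf("%d", eacVendors)` for the vendor value, and for the consent-code status use the `operationStatusToString` table added in this commit, whose two entries describe one-time-password outcomes and so appear to belong to `SendConsentCodeEvent`; `parseWatchdogEvents` currently uses that same table for the watchdog pairing status, which looks like a mismatch worth checking against the event specification. The `_ = binary.Read(...)` calls in both functions also leave the field zero on a short record and then print it as if decoded; a `len(data) >= 4` (respectively `>= 1`) guard before the read, or checking the error, keeps "missing" distinguishable from "zero".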
@@ -994,43 +1214,87 @@ const ( KvmDefaultPort byte = 3 ) +func readProvisioningCompletedEventData(data []byte) ProvisioningParameters { + buf := bytes.NewBuffer(data) + event := ProvisioningParameters{} + + // Read ProvisioningMethod + _ = binary.Read(buf, binary.LittleEndian, &event.ProvisioningMethod) + + // Read HashType + _ = binary.Read(buf, binary.LittleEndian, &event.HashType) + + // Read TrustedRootCertHash based on HashType + switch event.HashType { + case 1: // SHA1_160 + event.TrustedRootCertHash = make([]byte, 20) + case 2: // SHA_256 + event.TrustedRootCertHash = make([]byte, 32) + case 3: // SHA_384 + event.TrustedRootCertHash = make([]byte, 48) + } + + buf.Read(event.TrustedRootCertHash) + + // Read NumberOfCertificates + _ = binary.Read(buf, binary.LittleEndian, &event.NumberOfCertificates) + + // Read CertSerialNumbers + for i := 0; i < int(event.NumberOfCertificates); i++ { + serialNumber := make([]byte, 16) + buf.Read(serialNumber) + event.CertSerialNumbers = append(event.CertSerialNumbers, hex.EncodeToString(serialNumber)) + } + + // Read AdditionalCaSerialNumbers + _ = binary.Read(buf, binary.LittleEndian, &event.AdditionalCaSerialNumbers) + + // Read ProvServFQDNLength + _ = binary.Read(buf, binary.LittleEndian, &event.ProvServFQDNLength) + + // Read ProvServFQDN + fqdn := make([]byte, event.ProvServFQDNLength) + buf.Read(fqdn) + + event.ProvServFQDN = string(fqdn) + + return event +} + func provisioningCompletedToString(provisioningCompleted *ProvisioningParameters) string { - return fmt.Sprintf("Provisioning Method: %s\n"+ - "Hash Type: %s\n"+ - "Trusted Root Cert Hash: %s\n"+ - "Number of Certificates: %d\n"+ - "Cert Serial Numbers: %v\n"+ - "Additional CA Serial Numbers: %d\n"+ - "Provisioning Server FQDN Length: %d\n"+ - "Provisioning Server FQDN: %s\n", - ProvisioningMethodToString[int(provisioningCompleted.ProvisioningMethod)], - ProvisioningHashType[int(provisioningCompleted.HashType)], - 
hex.EncodeToString(provisioningCompleted.TrustedRootCertHash), - provisioningCompleted.NumberOfCertificates, - provisioningCompleted.CertSerialNumbers, - provisioningCompleted.AdditionalCaSerialNumbers, - provisioningCompleted.ProvServFQDNLength, - provisioningCompleted.ProvServFQDN) + s := fmt.Sprintf("\nProvisioning Method: %s", provisioningMethodToString[int(provisioningCompleted.ProvisioningMethod)]) + if provisioningCompleted.HashType != 0 { + s += fmt.Sprintf("\nHash Type: %s", provisioningHashTypeToString[int(provisioningCompleted.HashType)]) + } + if len(provisioningCompleted.TrustedRootCertHash) > 0 { + s += fmt.Sprintf("\nTrusted Root Cert Hash: %s", hex.EncodeToString(provisioningCompleted.TrustedRootCertHash)) + } + if provisioningCompleted.NumberOfCertificates > 0 { + s += fmt.Sprintf("\nNumber of Certificates: %d", provisioningCompleted.NumberOfCertificates) + s += fmt.Sprintf("\nCert Serial Numbers (first 3): %v", provisioningCompleted.CertSerialNumbers) + if provisioningCompleted.AdditionalCaSerialNumbers > 3 { + s += fmt.Sprintf("\nThere are %d additional certificates", provisioningCompleted.AdditionalCaSerialNumbers) + } + } + if provisioningCompleted.ProvServFQDNLength > 0 { + s += fmt.Sprintf("\nProvisioning Server FQDN: %s", provisioningCompleted.ProvServFQDN) + } + + return s } func aclEntryAddedToString(entry *ACLEntry) string { + s := fmt.Sprintf("\nInitiator Type: %s", initiatorTypeToString[int(entry.InitiatorType)]) if entry.UsernameLength == 0 { - return fmt.Sprintf("ACL Entry Added:\n"+ - "Initiator Type: %s\n"+ - "SID: %d\n"+ - "Domain Length: %d\n"+ - "Domain: %s\n", - InitiatorTypeToString[int(entry.InitiatorType)], - entry.SID, - entry.DomainLength, - entry.Domain) + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } } else { - return fmt.Sprintf("ACL Entry Added:\n"+ - "Initiator Type: %s\n"+ - "Username: %s\n", - 
InitiatorTypeToString[int(entry.InitiatorType)], - entry.Username) + s += fmt.Sprintf("\nUsername: %s", entry.Username) } + + return s } func aclEntryModifiedToString(entry *ACLEntry) string { 
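Review bot: `readProvisioningCompletedEventData` discards every `binary.Read` error and the byte counts from each `buf.Read`, so on a truncated record `TrustedRootCertHash`, each `serialNumber` and `fqdn` come back partly or wholly zero-filled and `provisioningCompletedToString` prints them as real values; a zeroed trusted-root hash in an audit trail is actively misleading. The function should return `(ProvisioningParameters, error)` and stop at the first short read, which is what the inline code it replaces did with its early returns, and `make([]byte, event.ProvServFQDNLength)` plus the `NumberOfCertificates` loop should be bounded by `buf.Len()` since both counts come from the device. In `provisioningCompletedToString` the test `AdditionalCaSerialNumbers > 3` looks wrong: if that field counts CA serial numbers beyond the listed ones, as its name and the new "(first 3)" label suggest, any non-zero value should produce the "additional certificates" line, i.e. `> 0` — please confirm against the record layout.
```go
func readProvisioningCompletedEventData(data []byte) (ProvisioningParameters, error) {
	buf := bytes.NewBuffer(data)
	event := ProvisioningParameters{}

	if err := binary.Read(buf, binary.LittleEndian, &event.ProvisioningMethod); err != nil {
		return event, err
	}
	if err := binary.Read(buf, binary.LittleEndian, &event.HashType); err != nil {
		return event, err
	}
	// … unchanged: hash-length switch …
	if _, err := io.ReadFull(buf, event.TrustedRootCertHash); err != nil { // io needs importing if not already
		return event, err
	}
	if err := binary.Read(buf, binary.LittleEndian, &event.NumberOfCertificates); err != nil {
		return event, err
	}
	for i := 0; i < int(event.NumberOfCertificates); i++ {
		serialNumber := make([]byte, 16)
		if _, err := io.ReadFull(buf, serialNumber); err != nil {
			return event, err
		}
		event.CertSerialNumbers = append(event.CertSerialNumbers, hex.EncodeToString(serialNumber))
	}
	// … unchanged: AdditionalCaSerialNumbers and ProvServFQDNLength, each with the same err check …
	if int(event.ProvServFQDNLength) > buf.Len() {
		return event, io.ErrUnexpectedEOF
	}
	fqdn := make([]byte, event.ProvServFQDNLength)
	if _, err := io.ReadFull(buf, fqdn); err != nil {
		return event, err
	}
	event.ProvServFQDN = string(fqdn)

	return event, nil
}
```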
@@ -1057,81 +1321,66 @@ func aclEntryModifiedToString(entry *ACLEntry) string { parameterModifiedStr = parameterModifiedStr[:len(parameterModifiedStr)-2] // Remove the trailing comma and space } - return fmt.Sprintf("ACL Entry Modified:\n"+ - "Parameter Modified: %s\n"+ - "Initiator Type: %s\n"+ - "Username Length: %d\n"+ - "SID: %d\n"+ - "Username: %s\n"+ - "Domain Length: %d\n"+ - "Domain: %s\n", - parameterModifiedStr, - InitiatorTypeToString[int(entry.InitiatorType)], - entry.UsernameLength, - entry.SID, - entry.Username, - entry.DomainLength, - entry.Domain) + s := fmt.Sprintf("\nParameter(s) Modified: %s\nInitiator Type: %s", parameterModifiedStr, initiatorTypeToString[int(entry.InitiatorType)]) + if entry.UsernameLength == 0 { + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } + } else { + s += fmt.Sprintf("\nUsername: %s", entry.Username) + } + + return s } func aclEntryRemovedToString(entry *ACLEntry) string { - return fmt.Sprintf("ACL Entry Removed:\n"+ - "Initiator Type: %s\n"+ - "Username Length: %d\n"+ - "SID: %d\n"+ - "Username: %s\n"+ - "Domain Length: %d\n"+ - "Domain: %s\n", - InitiatorTypeToString[int(entry.InitiatorType)], - entry.UsernameLength, - entry.SID, - entry.Username, - entry.DomainLength, - entry.Domain) + s := fmt.Sprintf("\nInitiator Type: %s", initiatorTypeToString[int(entry.InitiatorType)]) + if entry.UsernameLength == 0 { + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } + } else { + s += fmt.Sprintf("\nUsername: %s", entry.Username) + } + + return s } func aclEntryEnabledToString(entry *ACLEntry) string { - return fmt.Sprintf("ACL Entry State Changed:\n"+ - "Entry State: %s\n"+ - "Initiator Type: %s\n"+ - "Username Length: %d\n"+ - "SID: %d\n"+ - "Username: %s\n"+ - "Domain Length: %d\n"+ - "Domain: %s\n", - []string{"Disabled", "Enabled"}[int(entry.EntryState)], - 
InitiatorTypeToString[int(entry.InitiatorType)], - entry.UsernameLength, - entry.SID, - entry.Username, - entry.DomainLength, - entry.Domain) + s := fmt.Sprintf("\nEntry State: %s\nInitiator Type: %s", []string{"Disabled", "Enabled"}[int(entry.EntryState)], initiatorTypeToString[int(entry.InitiatorType)]) + if entry.UsernameLength == 0 { + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } + } else { + s += fmt.Sprintf("\nUsername: %s", entry.Username) + } + + return s } -func getCertificateSerialNumber(data []byte) string { - buf := bytes.NewBuffer(data) - if len(data) > 0 { - serialNumber := make([]byte, 20) - if _, err := buf.Read(serialNumber); err != nil { - return "" - } +func readCertificateSerialNumberToString(data []byte) string { + byteData := []byte(data) - return "Certificate serial number: " + string(serialNumber) - } - return "" + hexString := hex.EncodeToString(byteData) + + return "\nCertificate serial number: " + string(hexString) } func getCommonACLProperties(buf *bytes.Buffer, entry *ACLEntry) { // Read Initiator Type - binary.Read(buf, binary.LittleEndian, &entry.InitiatorType) + _ = binary.Read(buf, binary.LittleEndian, &entry.InitiatorType) // Read Username Length - binary.Read(buf, binary.LittleEndian, &entry.UsernameLength) + _ = binary.Read(buf, binary.LittleEndian, &entry.UsernameLength) if entry.UsernameLength == 0 { - binary.Read(buf, binary.LittleEndian, &entry.SID) + _ = binary.Read(buf, binary.LittleEndian, &entry.SID) - binary.Read(buf, binary.LittleEndian, &entry.DomainLength) + _ = binary.Read(buf, binary.LittleEndian, &entry.DomainLength) domain := make([]byte, entry.DomainLength) 
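Review bot: The identity block (`Initiator Type`, then `SID`/`Domain` when `UsernameLength == 0`, otherwise `Username`) is now copied verbatim into `aclEntryAddedToString`, `aclEntryModifiedToString`, `aclEntryRemovedToString` and `aclEntryEnabledToString`; one helper keeps the four in step the next time the format changes, and produces byte-identical text. `aclEntryEnabledToString` also still indexes `[]string{"Disabled", "Enabled"}[int(entry.EntryState)]` with a device-supplied byte, which panics for any value other than 0 or 1. In `readCertificateSerialNumberToString` both `[]byte(data)` (`data` is already `[]byte`) and `string(hexString)` (already a string) are no-op conversions; `return "\nCertificate serial number: " + hex.EncodeToString(data)` is the whole function. `aclEntryModifiedToString` begins before this hunk.
```go
// aclIdentityToString renders the principal an ACL event refers to: the
// username when one is present, otherwise the SID and (if set) the domain.
func aclIdentityToString(entry *ACLEntry) string {
	s := fmt.Sprintf("\nInitiator Type: %s", initiatorTypeToString[int(entry.InitiatorType)])
	if entry.UsernameLength != 0 {
		return s + fmt.Sprintf("\nUsername: %s", entry.Username)
	}
	s += fmt.Sprintf("\nSID: %d", entry.SID)
	if entry.DomainLength > 0 {
		s += fmt.Sprintf("\nDomain: %s", entry.Domain)
	}
	return s
}

func aclEntryRemovedToString(entry *ACLEntry) string {
	return aclIdentityToString(entry)
}
// … aclEntryAddedToString is the same; Modified/Enabled prepend their
// "\nParameter(s) Modified: …" / "\nEntry State: …" line and append aclIdentityToString(entry) …
```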
@@ -1149,9 +1398,7 @@ func getCommonACLProperties(buf *bytes.Buffer, entry *ACLEntry) { func getACLParameters(buf *bytes.Buffer, entry *ACLEntry) { // Read Parameter Modified - if err := binary.Read(buf, binary.LittleEndian, &entry.ParameterModified); err != nil { - return - } + _ = binary.Read(buf, binary.LittleEndian, &entry.ParameterModified) } func readACLData(id int, data []byte) ACLEntry { @@ -1165,7 +1412,7 @@ func readACLData(id int, data []byte) ACLEntry { getACLParameters(&buf, &entry) getCommonACLProperties(&buf, &entry) case 6: - binary.Read(&buf, binary.LittleEndian, &entry.EntryState) + _ = binary.Read(&buf, binary.LittleEndian, &entry.EntryState) getCommonACLProperties(&buf, &entry) } 
@@ -1176,16 +1423,16 @@ func readBootOptionsData(data []byte) RemoteControlEvent { buf := bytes.NewBuffer(data) rce := RemoteControlEvent{} - binary.Read(buf, binary.LittleEndian, &rce.SpecialCommand) - binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameter) - binary.Read(buf, binary.LittleEndian, &rce.BootOptions) - binary.Read(buf, binary.LittleEndian, &rce.OEMParameters) + _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommand) + _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameter) + _ = binary.Read(buf, binary.LittleEndian, &rce.BootOptions) + _ = binary.Read(buf, binary.LittleEndian, &rce.OEMParameters) return rce } -func parseBootOptionData(rce RemoteControlEvent) string { - s := "Boot Media: " + []string{"None", "Floppy", "CD", "HDD", "USB", "PXE", "Diagnostic Partition", "BIOS Setup"}[rce.BootOptions] + +func remoteControlEventToString(rce RemoteControlEvent) string { + s := "\nBoot Media: " + []string{"None", "Floppy", "CD", "HDD", "USB", "PXE", "Diagnostic Partition", "BIOS Setup"}[rce.BootOptions] + "\n " + "Boot Media Override: " + []string{"Disabled", "Enabled"}[rce.SpecialCommand] + "\n " + "BIOS Pause: " + []string{"Disabled", "Enabled"}[rce.OEMParameters] + "\n " + "BIOS Pause Key: " + []string{"None", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10", "F11", "F12"}[rce.SpecialCommandParameter] 
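Review bot: `remoteControlEventToString` indexes four fixed name tables with `rce.BootOptions`, `rce.SpecialCommand`, `rce.OEMParameters` and `rce.SpecialCommandParameter`, all raw values read from the record just above with their `binary.Read` errors discarded, so an out-of-table value from the device (or a truncated record that leaves a field at its previous value) panics with an index-out-of-range instead of producing text. Audit-log decoding is exactly where a remote, possibly hostile, endpoint supplies the bytes, so the lookups should be bounded and fall back to a labelled unknown value. A small helper used by every table lookup in this file would do; the body of `remoteControlEventToString` continues past the end of this hunk.
```go
// lookupName maps a raw record value onto a name table without panicking
// on values the table does not cover.
func lookupName(names []string, v int) string {
	if v >= 0 && v < len(names) {
		return names[v]
	}
	return fmt.Sprintf("Unknown (%d)", v)
}

func remoteControlEventToString(rce RemoteControlEvent) string {
	s := "\nBoot Media: " + lookupName([]string{"None", "Floppy", "CD", "HDD", "USB", "PXE", "Diagnostic Partition", "BIOS Setup"}, int(rce.BootOptions)) +
		"\n " + "Boot Media Override: " + lookupName([]string{"Disabled", "Enabled"}, int(rce.SpecialCommand)) +
		"\n " + "BIOS Pause: " + lookupName([]string{"Disabled", "Enabled"}, int(rce.OEMParameters)) +
		"\n " + "BIOS Pause Key: " + lookupName([]string{"None", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10", "F11", "F12"}, int(rce.SpecialCommandParameter))
	// … unchanged: remainder of the function, outside this hunk …
```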
@@ -1194,10 +1441,10 @@ func parseBootOptionData(rce RemoteControlEvent) string { } func readFWVersion(buf *bytes.Buffer, version *FWVersion) { - binary.Read(buf, binary.LittleEndian, &version.Major) - binary.Read(buf, binary.LittleEndian, &version.Minor) - binary.Read(buf, binary.LittleEndian, &version.Hotfix) - binary.Read(buf, binary.LittleEndian, &version.Build) + _ = binary.Read(buf, binary.LittleEndian, &version.Major) + _ = binary.Read(buf, binary.LittleEndian, &version.Minor) + _ = binary.Read(buf, binary.LittleEndian, &version.Hotfix) + _ = binary.Read(buf, binary.LittleEndian, &version.Build) } func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrationEvent { @@ -1205,15 +1452,15 @@ func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrati event := NetworkAdministrationEvent{} switch id { case 0: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.DHCPEnabled) - binary.Read(buf, binary.LittleEndian, &event.IPV4Address) - binary.Read(buf, binary.LittleEndian, &event.SubnetMask) - binary.Read(buf, binary.LittleEndian, &event.Gateway) - binary.Read(buf, binary.LittleEndian, &event.PrimaryDNS) - binary.Read(buf, binary.LittleEndian, &event.SecondaryDNS) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.DHCPEnabled) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV4Address) + _ = binary.Read(buf, binary.LittleEndian, &event.SubnetMask) + _ = binary.Read(buf, binary.LittleEndian, &event.Gateway) + _ = binary.Read(buf, binary.LittleEndian, &event.PrimaryDNS) + _ = binary.Read(buf, binary.LittleEndian, &event.SecondaryDNS) case 1: - binary.Read(buf, binary.LittleEndian, &event.HostNameLength) + _ = binary.Read(buf, binary.LittleEndian, &event.HostNameLength) hostname := make([]byte, event.HostNameLength) 
@@ -1221,7 +1468,7 @@ func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrati event.HostName = string(hostname) case 2: - binary.Read(buf, binary.LittleEndian, &event.DomainNameLength) + _ = binary.Read(buf, binary.LittleEndian, &event.DomainNameLength) domainName := make([]byte, event.DomainNameLength) 
@@ -1229,22 +1476,22 @@ func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrati event.DomainName = string(domainName) case 3: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.VLANTag) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.VLANTag) case 4: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.LinkPolicy) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.LinkPolicy) case 5: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.IPV6Enabled) - binary.Read(buf, binary.LittleEndian, &event.InterfaceIDGenType) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Enabled) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceIDGenType) if event.InterfaceIDGenType == 2 { - binary.Read(buf, binary.LittleEndian, &event.InterfaceID) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceID) } - binary.Read(buf, binary.LittleEndian, &event.IPV6Address) - binary.Read(buf, binary.LittleEndian, &event.IPV6Gateway) - binary.Read(buf, binary.LittleEndian, &event.IPV6PrimaryDNS) - binary.Read(buf, binary.LittleEndian, &event.IPV6SecondaryDNS) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Address) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Gateway) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6PrimaryDNS) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6SecondaryDNS) } return event 
@@ -1256,18 +1503,18 @@ func readEventManagerEventData(id int, data []byte) EventManagerEvent { switch id { case 0, 1: - binary.Read(buf, binary.LittleEndian, &event.PolicyID) - binary.Read(buf, binary.LittleEndian, &event.SubscriptionAlertType) - binary.Read(buf, binary.LittleEndian, &event.IPAddrType) - binary.Read(buf, binary.LittleEndian, &event.AlertTargetIPAddress) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyID) + _ = binary.Read(buf, binary.LittleEndian, &event.SubscriptionAlertType) + _ = binary.Read(buf, binary.LittleEndian, &event.IPAddrType) + _ = binary.Read(buf, binary.LittleEndian, &event.AlertTargetIPAddress) case 3: - binary.Read(buf, binary.LittleEndian, &event.Freeze) + _ = binary.Read(buf, binary.LittleEndian, &event.Freeze) } return event } -func parseEventManagerEventData(event EventManagerEvent) string { +func eventManagerEventDataToString(event EventManagerEvent) string { s := "Policy ID: " + fmt.Sprint(event.PolicyID) + "\nSubscription Alert Type: " + []string{"SNMP"}[event.SubscriptionAlertType] + "\nIP Address Type: " + []string{"IPv4", "IPv6"}[event.IPAddrType] 
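Review bot: `eventManagerEventDataToString` indexes `[]string{"SNMP"}` with `event.SubscriptionAlertType` and `[]string{"IPv4", "IPv6"}` with `event.IPAddrType`, both raw bytes from the record, so any alert type other than 0 or any address type above 1 panics the decoder rather than rendering; the read errors just above are discarded, so a truncated record is not caught earlier either. Guard the index, e.g. `alertType := "Unknown"` / `if event.SubscriptionAlertType == 0 { alertType = "SNMP" }`, or route every such table lookup through one bounded helper shared with the boot-option and ACL formatters. The rest of `eventManagerEventDataToString` lies outside this hunk.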
@@ -1287,19 +1534,19 @@ func readSystemDefenseManagerEventData(id int, data []byte) SystemDefenseManager switch id { case 1: - binary.Read(buf, binary.LittleEndian, &event.FilterHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.FilterHandle) case 3: - binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) case 4: - binary.Read(buf, binary.LittleEndian, &event.HardwareInterface) - binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.HardwareInterface) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) case 5: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.BlockAll) - binary.Read(buf, binary.LittleEndian, &event.BlockOffensivePort) - binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.BlockAll) + _ = binary.Read(buf, binary.LittleEndian, &event.BlockOffensivePort) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) case 6: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) } return event @@ -1311,11 +1558,11 @@ func readAgentPresenceManagerEventData(id int, data []byte) AgentPresenceManager switch id { case 0: - binary.Read(buf, binary.LittleEndian, &event.AgentID) - binary.Read(buf, binary.LittleEndian, &event.AgentHeartBeatTime) - binary.Read(buf, binary.LittleEndian, &event.AgentStartupTime) + _ = binary.Read(buf, binary.LittleEndian, &event.AgentID) + _ = binary.Read(buf, binary.LittleEndian, &event.AgentHeartBeatTime) + _ = binary.Read(buf, binary.LittleEndian, &event.AgentStartupTime) case 1, 2: - binary.Read(buf, binary.LittleEndian, &event.AgentID) + _ = binary.Read(buf, binary.LittleEndian, &event.AgentID) } return event 
@@ -1327,18 +1574,33 @@ func readWirelessConfigurationEventData(id int, data []byte) WirelessConfigurati switch id { case 0, 2: - binary.Read(buf, binary.LittleEndian, &event.SSID) - binary.Read(buf, binary.LittleEndian, &event.ProfilePriority) - binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) - binary.Read(buf, binary.LittleEndian, &event.ProfileName) + _ = binary.Read(buf, binary.LittleEndian, &event.SSID) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfilePriority) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileName) case 1: - binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) - binary.Read(buf, binary.LittleEndian, &event.ProfileName) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileName) case 3: - binary.Read(buf, binary.LittleEndian, &event.ProfileSync) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileSync) case 4: - binary.Read(buf, binary.LittleEndian, &event.Timeout) - binary.Read(buf, binary.LittleEndian, &event.LinkPreference) + _ = binary.Read(buf, binary.LittleEndian, &event.Timeout) + _ = binary.Read(buf, binary.LittleEndian, &event.LinkPreference) + } + + return event +} + +func readUserOptInEventData(id int, data []byte) UserOptInEvent { + buf := bytes.NewBuffer(data) + event := UserOptInEvent{} + + switch id { + case 0: + _ = binary.Read(buf, binary.LittleEndian, &event.PreviousOptInPolicy) + _ = binary.Read(buf, binary.LittleEndian, &event.CurrentOptInPolicy) + case 1: + _ = binary.Read(buf, binary.LittleEndian, &event.OperationStatus) } return event 
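Review bot: In `readWirelessConfigurationEventData` the reads into `&event.SSID` and `&event.ProfileName` decode nothing: the types.go hunk in this diff declares both as `[]uint8` and they are never sized before the read, and `binary.Read` takes the byte count from the slice's current length, which is zero, so the fields stay empty and `ProfileNameLength` is read but never used. Size the name from its prefix first, mirroring the hostname handling in `readNetworkAdministrationEventData`: `event.ProfileName = make([]uint8, event.ProfileNameLength)` before `_ = binary.Read(buf, binary.LittleEndian, &event.ProfileName)`; SSID has no length prefix here, so its width has to come from the record spec. `ProfileSync`, `Timeout` and `LinkPreference` are `[]uint32` and presumably suffer the same zero-length read — confirm whether they should be scalar `uint32`. The new `readUserOptInEventData` is consistent with its siblings, though like them it cannot report a short record because every read error is dropped.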
@@ -1392,125 +1654,3 @@ func getInitiatorInfo(decodedEventRecord string) (initatorType byte, initiator s return initiatorType, initiator, ptr } - -var ExtendedDataMap = map[int]string{ - 0: "Invalid ME access", - 1: "Invalid MEBx access", -} - -var AMTAuditStringTable = map[int]string{ - 16: "Security Admin", - 17: "RCO", - 18: "Redirection Manager", - 19: "Firmware Update Manager", - 20: "Security Audit Log", - 21: "Network Time", - 22: "Network Administration", - 23: "Storage Administration", - 24: "Event Manager", - 25: "Circuit Breaker Manager", - 26: "Agent Presence Manager", - 27: "Wireless Configuration", - 28: "EAC", - 29: "KVM", - 30: "User Opt-In Events", - 32: "Screen Blanking", - 33: "Watchdog Events", - 1600: "Provisioning Started", - 1601: "Provisioning Completed", - 1602: "ACL Entry Added", - 1603: "ACL Entry Modified", - 1604: "ACL Entry Removed", - 1605: "ACL Access with Invalid Credentials", - 1606: "ACL Entry State", - 1607: "TLS State Changed", - 1608: "TLS Server Certificate Set", - 1609: "TLS Server Certificate Remove", - 1610: "TLS Trusted Root Certificate Added", - 1611: "TLS Trusted Root Certificate Removed", - 1612: "TLS Preshared Key Set", - 1613: "Kerberos Settings Modified", - 1614: "Kerberos Master Key Modified", - 1615: "Flash Wear out Counters Reset", - 1616: "Power Package Modified", - 1617: "Set Realm Authentication Mode", - 1618: "Upgrade Client to Admin Control Mode", - 1619: "Unprovisioning Started", - 1700: "Performed Power Up", - 1701: "Performed Power Down", - 1702: "Performed Power Cycle", - 1703: "Performed Reset", - 1704: "Set Boot Options", - 1705: "Remote graceful power down initiated", - 1706: "Remote graceful reset initiated", - 1707: "Remote Standby initiated", - 1708: "Remote Hiberate initiated", - 1709: "Remote NMI initiated", - 1800: "IDER Session Opened", - 1801: "IDER Session Closed", - 1802: "IDER Enabled", - 1803: "IDER Disabled", - 1804: "SoL Session Opened", - 1805: "SoL Session Closed", - 1806: "SoL 
Enabled", - 1807: "SoL Disabled", - 1808: "KVM Session Started", - 1809: "KVM Session Ended", - 1810: "KVM Enabled", - 1811: "KVM Disabled", - 1812: "VNC Password Failed 3 Times", - 1900: "Firmware Updated", - 1901: "Firmware Update Failed", - 2000: "Security Audit Log Cleared", - 2001: "Security Audit Policy Modified", - 2002: "Security Audit Log Disabled", - 2003: "Security Audit Log Enabled", - 2004: "Security Audit Log Exported", - 2005: "Security Audit Log Recovered", - 2100: "Intel(R) ME Time Set", - 2200: "TCPIP Parameters Set", - 2201: "Host Name Set", - 2202: "Domain Name Set", - 2203: "VLAN Parameters Set", - 2204: "Link Policy Set", - 2205: "IPv6 Parameters Set", - 2300: "Global Storage Attributes Set", - 2301: "Storage EACL Modified", - 2302: "Storage FPACL Modified", - 2303: "Storage Write Operation", - 2400: "Alert Subscribed", - 2401: "Alert Unsubscribed", - 2402: "Event Log Cleared", - 2403: "Event Log Frozen", - 2500: "CB Filter Added", - 2501: "CB Filter Removed", - 2502: "CB Policy Added", - 2503: "CB Policy Removed", - 2504: "CB Default Policy Set", - 2505: "CB Heuristics Option Set", - 2506: "CB Heuristics State Cleared", - 2600: "Agent Watchdog Added", - 2601: "Agent Watchdog Removed", - 2602: "Agent Watchdog Action Set", - 2700: "Wireless Profile Added", - 2701: "Wireless Profile Removed", - 2702: "Wireless Profile Updated", - 2703: "An existing profile sync was modified", - 2704: "An existing profile link preference was changed", - 2705: "Wireless profile share with UEFI enabled setting was changed", - 2800: "EAC Posture Signer SET", - 2801: "EAC Enabled", - 2802: "EAC Disabled", - 2803: "EAC Posture State", - 2804: "EAC Set Options", - 2900: "KVM Opt-in Enabled", - 2901: "KVM Opt-in Disabled", - 2902: "KVM Password Changed", - 2903: "KVM Consent Succeeded", - 2904: "KVM Consent Failed", - 3000: "Opt-In Policy Change", - 3001: "Send Consent Code Event", - 3002: "Start Opt-In Blocked Event", - 3301: "A user has modified the Watchdog Action 
settings", - 3302: "A user has modified a Watchdog to add, remove, or alter the Watchdog Action connected to it", -} diff --git a/pkg/wsman/amt/auditlog/decoder_test.go b/pkg/wsman/amt/auditlog/decoder_test.go index 4bf3bc11..3cc8ef86 100644 --- a/pkg/wsman/amt/auditlog/decoder_test.go +++ b/pkg/wsman/amt/auditlog/decoder_test.go 
@@ -106,33 +106,98 @@ func TestRequestedState_String(t *testing.T) { func TestGetAuditLogExtendedDataString(t *testing.T) { tests := []struct { - name string - auditEventId int - data string - expected string + name string + appId int + eventId int + data string + expected string }{ - {"ACLEntryAdded", ACLEntryAdded, "\x00\x05Hello World", "Hello"}, - {"ACLEntryRemoved", ACLEntryRemoved, "\x00\x05Hello World", "Hello"}, - {"ACLEntryModified", ACLEntryModified, "\x01\x00Hello World", "Hello World"}, - {"ACLAccessWithInvalidCredentials", ACLAccessWithInvalidCredentials, "\x00", "Invalid ME access"}, - {"ACLAccessWithInvalidCredentials", ACLAccessWithInvalidCredentials, "\x01", "Invalid MEBx access"}, - {"ACLEntryStateChanged", ACLEntryStateChanged, "\x00\x00Hello World", "Disabled, Hello World"}, - {"ACLEntryStateChanged", ACLEntryStateChanged, "\x01\x01", "Enabled"}, - {"TLSStateChanged", TLSStateChanged, "\x01\x02", "Remote ServerAuth, Local MutualAuth"}, - {"SetRealmAuthenticationMode", SetRealmAuthenticationMode, "\x00\x00\x00\x00\x02", "Redirection, Disabled"}, - {"AMTUnprovisioningStarted", AMTUnprovisioningStarted, "\x03", "Local WSMAN"}, - {"FirmwareUpdate", FirmwareUpdate, "\x00\x01\x00\x02\x00\x03\x00\x04\x00\x05\x00\x06\x00\x07\x00\x08", "From 1.2.3.4 to 5.6.7.8"}, - {"AMTTimeSet", AMTTimeSet, "\x00\x00\x00\x00", time.Unix(0, 0).Local().Format(time.RFC1123)}, - {"OptInPolicyChange", OptInPolicyChange, "\x00\x01", "From None to KVM"}, - {"SendConsentCode", SendConsentCode, "\x00", "Success"}, + {"Security Admin - Provisioning Started", SecurityAdmin, 0, "", "Intel AMT transitioned to setup mode."}, + {"Security Admin - Provisioning Completed Manual", SecurityAdmin, 1, "\x03", "Intel AMT transitioned to operational mode.\nProvisioning Method: Manual Provisioning via MEBx"}, + {"Security Admin - Provisioning Completed PKI", SecurityAdmin, 1, 
"\x05\x02\xcb<˷`1\xe5\xe0\x13\x8f\x8dӚ#\xf9\xdeG\xff\xc3^C\xc1\x14L\xea'\xd4jZ\xb1\xcb_\x02\f\x8e\xe0\xc9\rj\x89\x15\x88\x04\x06\x1e\xe2A\xf9\xaf\x03:\xf1\xe6\xa7\x11\xa9\xa0\xbb(d\xb1\x1d\t\xfa\xe5\x00\x12Intel.vprodemo.com", "Intel AMT transitioned to operational mode.\nProvisioning Method: Host-Based Provisioning Admin Mode\nHash Type: SHA 256\nTrusted Root Cert Hash: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f\nNumber of Certificates: 2\nCert Serial Numbers (first 3): [0c8ee0c90d6a89158804061ee241f9af 033af1e6a711a9a0bb2864b11d09fae5]\nProvisioning Server FQDN: Intel.vprodemo.com"}, + {"Security Admin - ACL Added without data", SecurityAdmin, 2, "", "User entry was added to the Intel AMT Device."}, + {"Security Admin - ACL Added with data", SecurityAdmin, 2, "\x00\x04test", "User entry was added to the Intel AMT Device.\nACL Entry Added.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified without data", SecurityAdmin, 3, "", "User entry was updated in the Intel AMT device."}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\x00\x04test", "User entry was updated in the Intel AMT device.\nACL Entry Added.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Removed without data", SecurityAdmin, 4, "", "User entry was removed from the Intel AMT device."}, + {"Security Admin - ACL Removed with data", SecurityAdmin, 4, "\x00\x04test", "User entry was removed from the Intel AMT device.\nACL Entry Added.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - Invalid credentials Intel AMT", SecurityAdmin, 5, "\x00", "User attempted to access Intel AMT with invalid credentials."}, + {"Security Admin - Invalid credentials MEBx", SecurityAdmin, 5, "\x01", "User attempted to access MEBx with invalid credentials."}, + {"Security Admin - ACL State change without data ", SecurityAdmin, 6, "", "ACL entry state was changed."}, + {"Security Admin - ACL State change with data ", 
SecurityAdmin, 6, "\x01\x01\x04test", "ACL entry state was changed.\nEntry State: Enabled\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - TLS State change without data", SecurityAdmin, 7, "", "TLS state changed."}, + {"Security Admin - TLS State change with data", SecurityAdmin, 7, "\x01\x00", "TLS state changed.\nRemote: Server Auth\nLocal: No Auth"}, + {"Security Admin - TLS Server Certificate Set without data", SecurityAdmin, 8, "", "TLS server certificate was defined."}, + {"Security Admin - TLS Server Certificate Set with data", SecurityAdmin, 8, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS server certificate was defined.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Server Certificate Removed without data", SecurityAdmin, 9, "", "TLS server certificate was removed."}, + {"Security Admin - TLS Server Certificate Removed with data", SecurityAdmin, 9, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS server certificate was removed.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Trusted Root Certificate Added without data", SecurityAdmin, 10, "", "TLS trusted root certificate was added."}, + {"Security Admin - TLS Trusted Root Certificate Added with data", SecurityAdmin, 10, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS trusted root certificate was added.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Trusted Root Certificate Removed without data", SecurityAdmin, 11, "", "TLS trusted root certificate was removed."}, + {"Security Admin - TLS Trusted Root Certificate Removed with data", SecurityAdmin, 11, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS trusted root certificate was removed.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Pre-Shared Key Set", SecurityAdmin, 12, "", "TLS pre-shared key was 
defined."}, + {"Security Admin - Kerberos Settings Modified without data", SecurityAdmin, 13, "", "Kerberos settings were modified."}, + {"Security Admin - Kerberos Settings Modified with data", SecurityAdmin, 13, "\x01", "Kerberos settings were modified.\nTime tolerance: 1"}, + {"Security Admin - Kerberos Master Key Modified", SecurityAdmin, 14, "", "Kerberos master key or passphrase was modified."}, + {"Security Admin - Flash Wear Out Counter Reset", SecurityAdmin, 15, "", "Flash wear out counter was reset."}, + {"Security Admin - Power Package Modified without data", SecurityAdmin, 16, "", "Active power package was set."}, + {"Security Admin - Power Package Modified with data", SecurityAdmin, 16, "\x01", "Active power package was set.\nPower policy: 1"}, + {"Security Admin - Set Realm Authentication Mode without data", SecurityAdmin, 17, "", "Realm authentication mode changed."}, + {"Security Admin - Set Realm Authentication Mode with data", SecurityAdmin, 17, "\x01\x00\x00\x00\x01", "Realm authentication mode changed.\nPT Administration, Auth"}, + {"Security Admin - Upgrade Client to Admin", SecurityAdmin, 18, "", "The control mode of the Intel AMT was changed from Client control to Admin control."}, + {"Security Admin - AMT UnProvisioning Started - BIOS", SecurityAdmin, 19, "\x00", "BIOS"}, + {"Security Admin - AMT UnProvisioning Started - MEBx", SecurityAdmin, 19, "\x01", "MEBx"}, + {"Security Admin - AMT UnProvisioning Started - Local MEI", SecurityAdmin, 19, "\x02", "Local MEI"}, + {"Security Admin - AMT UnProvisioning Started - Local WSMAN", SecurityAdmin, 19, "\x03", "Local WSMAN"}, + {"Security Admin - AMT UnProvisioning Started - Remote WSMAN", SecurityAdmin, 19, "\x04", "Remote WSMAN"}, + {"Security Admin - Unknown Event", SecurityAdmin, 20, "", "Unknown Event ID"}, + {"Remote Control - Performed Power-Up", RemoteControl, 0, "\x00\x00\x00\x00\x00\x00\x00", "Remote power up initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: 
Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Power-Down", RemoteControl, 1, "", "Remote power down initiated."}, + {"Remote Control - Performed Power-Cycle", RemoteControl, 2, "\x00\x00\x00\x00\x00\x00\x00", "Remote power cycle initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Reset", RemoteControl, 3, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Set Boot Options", RemoteControl, 4, "\x05\x00\x00\x00\x00\x00\x00", "Boot options were set.\nBoot Media: PXE\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Graceful Power Down", RemoteControl, 5, "", "Remote graceful power down initiated."}, + {"Remote Control - Performed Graceful Power Reset", RemoteControl, 6, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Standby", RemoteControl, 7, "", "Remote standby initiated."}, + {"Remote Control - Performed Hibernate", RemoteControl, 8, "", "Remote hibernate initiated."}, + {"Remote Control - Performed NMI", RemoteControl, 9, "", "Remote NMI initiated."}, + {"Remote Control - Unknown Event", RemoteControl, 10, "", "Unknown Event ID"}, + {"Redirection Manager - IDER Session Opened", RedirectionManager, 0, "", "An application opened a Storage Redirection session."}, + {"Redirection Manager - IDER Session Closed", RedirectionManager, 1, "", "An application or firmware closed a Storage Redirection session."}, + {"Redirection Manager - IDER Enabled", RedirectionManager, 2, "", "Storage Redirection was enabled."}, + {"Redirection Manager - IDER Disabled", RedirectionManager, 3, "", "Storage Redirection was disabled."}, + {"Redirection Manager - 
SoL Session Opened", RedirectionManager, 4, "", "An application opened a Serial Over LAN session."}, + {"Redirection Manager - SoL Session Closed", RedirectionManager, 5, "", "An application or firmware closed a Serial Over LAN session."}, + {"Redirection Manager - SoL Enabled", RedirectionManager, 6, "", "Serial Over LAN was enabled."}, + {"Redirection Manager - SoL Disabled", RedirectionManager, 7, "", "Serial Over LAN was disabled."}, + {"Redirection Manager - KVM Session Started", RedirectionManager, 8, "", "An application opened a Keyboard-Video-Mouse session."}, + {"Redirection Manager - KVM Session Ended", RedirectionManager, 9, "", "An application or firmware closed a Keyboard-Video-Mouse session."}, + {"Redirection Manager - KVM Enabled", RedirectionManager, 10, "", "Keyboard-Video-Mouse was enabled."}, + {"Redirection Manager - KVM Disabled", RedirectionManager, 11, "", "Keyboard-Video-Mouse was disabled."}, + {"Redirection Manager - VNC Password Failed", RedirectionManager, 12, "", "Incorrect Remote Frame Buffer (RFB) password entered 3 times."}, + {"Firmware Update Manager", FirmwareUpdateManager, "\x00", "Invalid ME access"}, + {"Security Audit Log", SecurityAuditLog, "\x01", "Invalid MEBx access"}, + {"Network Time", NetworkTime, 0, "d\x9aNp", "Command received to set Intel AMT local time. 
Time: 2023-06-26 19:50:24 -0700 MST"}, + {"Network Administration", NetworkAdministration, "\x01\x01", "Enabled"}, + {"Storage Administration", StorageAdministration, "\x01\x02", "Remote ServerAuth, Local MutualAuth"}, + {"Event Manager", EventManager, "\x00\x00\x00\x00\x02", "Redirection, Disabled"}, + {"System Defense Manager", SystemDefenseManager, "\x03", "Local WSMAN"}, + {"Agent Presence Manager", AgentPresenceManager, "\x00\x01\x00\x02\x00\x03\x00\x04\x00\x05\x00\x06\x00\x07\x00\x08", "From 1.2.3.4 to 5.6.7.8"}, + {"Wireless Configuration", WirelessConfiguration, "\x00\x00\x00\x00", time.Unix(0, 0).Local().Format(time.RFC1123)}, + {"Endpoint Access Control", EndpointAccessControl, "\x00\x01", "From None to KVM"}, + {"Keyboard Video Mouse", KeyboardVideoMouse, "", "Success"}, + {"User Opt-In", UserOptIn, 0, "\x01\x00", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: KVM\nCurrent Opt-In Policy: None"}, + {"Screen Blanking", ScreenBlanking, "\x00", "Success"}, + {"Watchdog", Watchdog, "\x00", "Success"}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - result := GetAuditLogExtendedDataString(tt.auditEventId, tt.data) + result := GetAuditLogExtendedDataString(tt.appId, tt.eventId, tt.data) if result != tt.expected { - t.Errorf("GetAuditLogExtendedDataString(%d, %q) = %v; want %v", tt.auditEventId, tt.data, result, tt.expected) + t.Errorf("GetAuditLogExtendedDataString(%d, %d, %q) = %v; want %v", tt.appId, tt.eventId, tt.data, result, tt.expected) } }) } } + diff --git a/pkg/wsman/amt/auditlog/types.go b/pkg/wsman/amt/auditlog/types.go index f3dca180..26679be7 100644 --- a/pkg/wsman/amt/auditlog/types.go +++ b/pkg/wsman/amt/auditlog/types.go 
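Review bot: As shown, the table will not compile: rows such as `{"Firmware Update Manager", FirmwareUpdateManager, "\x00", "Invalid ME access"}` through `{"Watchdog", Watchdog, "\x00", "Success"}` supply four values for the five-field struct and place a string where `eventId int` goes, so all of `TestGetAuditLogExtendedDataString` fails to build. Their expected strings ("Invalid ME access", "From 1.2.3.4 to 5.6.7.8", "From None to KVM") look like leftovers of the old table rather than the new per-application messages, so each row needs a real event id, payload and expectation. The "Network Time" row pins `-0700 MST` in the expected output, which only passes in that one local time zone; build the expected side from the same Unix timestamp with the layout the decoder uses, as the old `AMTTimeSet` row did. The ACL Modified and ACL Removed rows expect `ACL Entry Added.` in their output, which documents a copy-paste either in the decoder's message strings or in these expectations — worth confirming which before the test is taken as the contract.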
@@ -197,13 +197,19 @@ type ( } WirelessConfigurationEvent struct { - SSID []uint8 - ProfilePriority uint8 - ProfileNameLength uint8 - ProfileName []uint8 - ProfileSync []uint32 - Timeout []uint32 - LinkPreference []uint32 + SSID []uint8 + ProfilePriority uint8 + ProfileNameLength uint8 + ProfileName []uint8 + ProfileSync []uint32 + Timeout []uint32 + LinkPreference []uint32 ProfileSharingWithUEFI uint8 } + + UserOptInEvent struct { + PreviousOptInPolicy uint8 + CurrentOptInPolicy uint8 + OperationStatus uint8 + } )
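Review bot: The new exported type `UserOptInEvent` has no doc comment; from the reader in decoder.go, event id 0 fills `PreviousOptInPolicy`/`CurrentOptInPolicy` and id 1 fills `OperationStatus`, so `// UserOptInEvent is the decoded extended data of a User Opt-In audit record: a policy change (event 0) carries the previous and current opt-in policy, a consent-code send (event 1) carries its operation status.` would tell a caller which fields are meaningful. Separately, the realigned `WirelessConfigurationEvent` keeps `SSID`, `ProfileName`, `ProfileSync`, `Timeout` and `LinkPreference` as nil slices; unless the decoder sizes them before reading (it does not appear to in this diff), a `binary.Read` into a zero-length slice decodes nothing, so fixed-width fields would be better as arrays or scalars (`uint32` for the three `[]uint32` fields). The record widths are not visible here, so confirm them against the AMT audit log specification.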