feat: decodes audit log extended data

open-amt-cloud-toolkit · Jun 10, 2024 · 8c2404c · 8c2404c
1 parent 6cf15c4
commit 8c2404c
Show file tree

Hide file tree

Showing 3 changed files with 124 additions and 74 deletions.
diff --git a/pkg/wsman/amt/auditlog/decoder.go b/pkg/wsman/amt/auditlog/decoder.go
@@ -7,6 +7,7 @@ package auditlog
 
 import (
 	"encoding/base64"
+	"strconv"
 	"strings"
 	"time"
 
@@ -186,90 +187,103 @@ func convertToAuditLogResult(auditlogdata []string) []AuditLogRecord {
 		exlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0]
 		ptr++
 		auditLogRecord.Ex = decodedEventRecordStr[ptr : ptr+int(exlen)]
-		// auditLogRecord.ExStr = GetAuditLogExtendedDataString((auditLogRecord.AuditAppID*100)+auditLogRecord.EventID, auditLogRecord.Ex)
+		auditLogRecord.ExStr = GetAuditLogExtendedDataString(AuditEventId((auditLogRecord.AuditAppID*100)+auditLogRecord.EventID), auditLogRecord.Ex)
 
 		records = append([]AuditLogRecord{auditLogRecord}, records...)
 	}
 
 	return records
 }
 
+type AuditEventId int
+
 const (
-	ACLEntryAdded                   = 1602
-	ACLEntryModified                = 1603
-	ACLEntryRemoved                 = 1604
-	ACLAccessWithInvalidCredentials = 1605
-	ACLEntryStateChanged            = 1606
-	TLSStateChanged                 = 1607
-	SetRealmAuthenticationMode      = 1617
-	AMTUnprovisioningStarted        = 1619
-	FirmwareUpdate                  = 1900
-	AMTTimeSet                      = 2100
-	OptInPolicyChange               = 3000
-	SendConsentCode                 = 3001
+	ACLEntryAdded                   AuditEventId = 1602
+	ACLEntryModified                AuditEventId = 1603
+	ACLEntryRemoved                 AuditEventId = 1604
+	ACLAccessWithInvalidCredentials AuditEventId = 1605
+	ACLEntryStateChanged            AuditEventId = 1606
+	TLSStateChanged                 AuditEventId = 1607
+	SetRealmAuthenticationMode      AuditEventId = 1617
+	AMTUnprovisioningStarted        AuditEventId = 1619
+	FirmwareUpdate                  AuditEventId = 1900
+	AMTTimeSet                      AuditEventId = 2100
+	OptInPolicyChange               AuditEventId = 3000
+	SendConsentCode                 AuditEventId = 3001
 )
 
+var RealmNames = []string{
+	"Redirection",
+	"PT Administration",
+	"Hardware Asset",
+	"Remote Control",
+	"Storage",
+	"Event Manager",
+	"Storage Admin",
+	"Agent Presence Local",
+	"Agent Presence Remote",
+	"Circuit Breaker",
+	"Network Time",
+	"General Information",
+	"Firmware Update",
+	"EIT",
+	"LocalUN",
+	"Endpoint Access Control",
+	"Endpoint Access Control Admin",
+	"Event Log Reader",
+	"Audit Log",
+	"ACL Realm",
+	"",
+	"",
+	"Local System",
+	// Add more as needed
+}
+
 // Return human readable extended audit log data
 // TODO: Just put some of them here, but many more still need to be added, helpful link here:
 // https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsecurityadminevents.htm
-// func GetAuditLogExtendedDataString(auditEventId int, data string) string {
-// 	extendedDataString := ""
-
-// 	switch auditEventId {
-// 	case AclEntryAdded:
-// 	case AclEntryRemoved:
-// 		if data[0:1] == "0" {
-// 			indx, _ := strconv.Atoi(data[0:1])
-// 			extendedDataString = data[2 : 2+indx]
-// 		}
-// 		break
-// 	case AclEntryModified:
-// 		if data[1:2] == "0" {
-// 			extendedDataString = data[3:4]
-// 		}
-// 		break
-// 	case AclAccessWithInvalidCredentials:
-// 		extendedDataString = "" //['Invalid ME access', 'Invalid MEBx access'][data[:0]]
-// 		break
-// 	case AclEntryStateChanged:
-// 		{
-// 			// r := ['Disabled', 'Enabled'][data[:0]]
-// 			// if (data[:1] === 0) {
-// 			//   r += ', ' + data.substring(3)
-// 			// }
-// 			extendedDataString = r
-// 			break
-// 		}
-// 	case TlsStateChanged:
-// 		//extendedDataString = 'Remote ' + ['NoAuth', 'ServerAuth', 'MutualAuth'][data[:0]] + ', Local ' + ['NoAuth', 'ServerAuth', 'MutualAuth'][data[:1]]
-// 		break
-// 	case SetRealmAuthenticationMode:
-// 		//extendedDataString = RealmNames[Common.ReadInt(data, 0)] + ', ' + ['NoAuth', 'Auth', 'Disabled'][data[:4]]
-// 		break
-// 	case AmtUnprovisioningStarted:
-// 		//extendedDataString = ['BIOS', 'MEBx', 'Local MEI', 'Local WSMAN', 'Remote WSMAN'][data[:0]]
-// 		break
-// 	case FirmwareUpdate:
-// 		//extendedDataString = 'From ' + Common.ReadShort(data, 0) + '.' + Common.ReadShort(data, 2) + '.' + Common.ReadShort(data, 4) + '.' + Common.ReadShort(data, 6) + ' to ' + Common.ReadShort(data, 8) + '.' + Common.ReadShort(data, 10) + '.' + Common.ReadShort(data, 12) + '.' + Common.ReadShort(data, 14)
-// 		break
-// 	case AmtTimeSet:
-// 		{
-// 			// const t4 = new Date()
-// 			// t4.setTime(Common.ReadInt(data, 0) * 1000 + (new Date().getTimezoneOffset() * 60000))
-// 			// extendedDataString = t4.toLocaleString()
-// 			break
-// 		}
-// 	case OptInPolicyChange:
-// 		//extendedDataString = 'From ' + ['None', 'KVM', 'All'][data[:0]] + ' to ' + ['None', 'KVM', 'All'][data[:1]]
-// 		break
-// 	case SendConsentCode:
-// 		//extendedDataString = ['Success', 'Failed 3 times'][data[:0]]
-// 		break
-// 	default:
-// 		extendedDataString = null
-// 	}
-// 	return extendedDataString
-// }
+func GetAuditLogExtendedDataString(auditEventId AuditEventId, data string) string {
+	var extendedDataString string
+
+	switch auditEventId {
+	case ACLEntryAdded, ACLEntryRemoved:
+		if data[0] == 0 {
+			extendedDataString = data[2 : 2+data[1]]
+		}
+	case ACLEntryModified:
+		if data[1] == 0 {
+			extendedDataString = data[2:]
+		}
+	case ACLAccessWithInvalidCredentials:
+		extendedDataString = []string{"Invalid ME access", "Invalid MEBx access"}[data[0]]
+	case ACLEntryStateChanged:
+		r := []string{"Disabled", "Enabled"}[data[0]]
+		if data[1] == 0 {
+			r += ", " + data[2:]
+		}
+
+		extendedDataString = r
+	case TLSStateChanged:
+		extendedDataString = "Remote " + []string{"NoAuth", "ServerAuth", "MutualAuth"}[data[0]] + ", Local " + []string{"NoAuth", "ServerAuth", "MutualAuth"}[data[1]]
+	case SetRealmAuthenticationMode:
+		extendedDataString = RealmNames[common.ReadInt(data, 0)] + ", " + []string{"NoAuth", "Auth", "Disabled"}[data[4]]
+	case AMTUnprovisioningStarted:
+		extendedDataString = []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[data[0]]
+	case FirmwareUpdate:
+		extendedDataString = "From " + strconv.Itoa(common.ReadShort(data, 0)) + "." + strconv.Itoa(common.ReadShort(data, 2)) + "." + strconv.Itoa(common.ReadShort(data, 4)) + "." + strconv.Itoa(common.ReadShort(data, 6)) + " to " + strconv.Itoa(common.ReadShort(data, 8)) + "." + strconv.Itoa(common.ReadShort(data, 10)) + "." + strconv.Itoa(common.ReadShort(data, 12)) + "." + strconv.Itoa(common.ReadShort(data, 14))
+	case AMTTimeSet:
+		t := time.Unix(int64(common.ReadInt(data, 0)), 0).Local()
+		extendedDataString = t.Format(time.RFC1123)
+	case OptInPolicyChange:
+		extendedDataString = "From " + []string{"None", "KVM", "All"}[data[0]] + " to " + []string{"None", "KVM", "All"}[data[1]]
+	case SendConsentCode:
+		extendedDataString = []string{"Success", "Failed 3 times"}[data[0]]
+	default:
+		extendedDataString = ""
+	}
+
+	return extendedDataString
+}
 
 const (
 	HTTPDigest     byte = 0

diff --git a/pkg/wsman/amt/auditlog/decoder_test.go b/pkg/wsman/amt/auditlog/decoder_test.go
@@ -5,7 +5,10 @@
 
 package auditlog
 
-import "testing"
+import (
+	"testing"
+	"time"
+)
 
 func TestOverwritePolicy_String(t *testing.T) {
 	tests := []struct {
@@ -100,3 +103,36 @@ func TestRequestedState_String(t *testing.T) {
 		}
 	}
 }
+
+func TestGetAuditLogExtendedDataString(t *testing.T) {
+	tests := []struct {
+		name         string
+		auditEventId AuditEventId
+		data         string
+		expected     string
+	}{
+		{"ACLEntryAdded", ACLEntryAdded, "\x00\x05Hello World", "Hello"},
+		{"ACLEntryRemoved", ACLEntryRemoved, "\x00\x05Hello World", "Hello"},
+		{"ACLEntryModified", ACLEntryModified, "\x01\x00Hello World", "Hello World"},
+		{"ACLAccessWithInvalidCredentials", ACLAccessWithInvalidCredentials, "\x00", "Invalid ME access"},
+		{"ACLAccessWithInvalidCredentials", ACLAccessWithInvalidCredentials, "\x01", "Invalid MEBx access"},
+		{"ACLEntryStateChanged", ACLEntryStateChanged, "\x00\x00Hello World", "Disabled, Hello World"},
+		{"ACLEntryStateChanged", ACLEntryStateChanged, "\x01\x01", "Enabled"},
+		{"TLSStateChanged", TLSStateChanged, "\x01\x02", "Remote ServerAuth, Local MutualAuth"},
+		{"SetRealmAuthenticationMode", SetRealmAuthenticationMode, "\x00\x00\x00\x00\x02", "Redirection, Disabled"},
+		{"AMTUnprovisioningStarted", AMTUnprovisioningStarted, "\x03", "Local WSMAN"},
+		{"FirmwareUpdate", FirmwareUpdate, "\x00\x01\x00\x02\x00\x03\x00\x04\x00\x05\x00\x06\x00\x07\x00\x08", "From 1.2.3.4 to 5.6.7.8"},
+		{"AMTTimeSet", AMTTimeSet, "\x00\x00\x00\x00", time.Unix(0, 0).Local().Format(time.RFC1123)},
+		{"OptInPolicyChange", OptInPolicyChange, "\x00\x01", "From None to KVM"},
+		{"SendConsentCode", SendConsentCode, "\x00", "Success"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := GetAuditLogExtendedDataString(tt.auditEventId, tt.data)
+			if result != tt.expected {
+				t.Errorf("GetAuditLogExtendedDataString(%d, %q) = %v; want %v", tt.auditEventId, tt.data, result, tt.expected)
+			}
+		})
+	}
+}
diff --git a/pkg/wsman/amt/auditlog/message_test.go b/pkg/wsman/amt/auditlog/message_test.go
@@ -176,7 +176,7 @@ func TestPositiveAMT_AuditLog(t *testing.T) {
 							MCLocationType: 0x2,
 							NetAddress:     "",
 							Ex:             "\x00\f\x00\x00\x00(\x05\x99\x00\f\x00\x00\x00$\x05\x94",
-							ExStr:          "",
+							ExStr:          "From 12.0.40.1433 to 12.0.36.1428",
 						},
 						{
 							AuditAppID:     19,
@@ -189,7 +189,7 @@ func TestPositiveAMT_AuditLog(t *testing.T) {
 							MCLocationType: 0x2,
 							NetAddress:     "",
 							Ex:             "\x00\f\x00\x00\x00(\x05\x99\x00\f\x00\x00\x00$\x05\x94",
-							ExStr:          "",
+							ExStr:          "From 12.0.40.1433 to 12.0.36.1428",
 						},
 					},
 				},