From 63ffe7cdd15166fbd1b1273c08c1e89267ecfda4 Mon Sep 17 00:00:00 2001 From: Matt Primrose Date: Wed, 12 Jun 2024 16:22:46 -0700 Subject: [PATCH 1/5] more auditlog parsing --- pkg/wsman/amt/auditlog/decoder.go | 1156 ++++++++++++++++++++++++++++- pkg/wsman/amt/auditlog/types.go | 104 +++ 2 files changed, 1219 insertions(+), 41 deletions(-) diff --git a/pkg/wsman/amt/auditlog/decoder.go b/pkg/wsman/amt/auditlog/decoder.go index 0ef05907..e694905c 100644 --- a/pkg/wsman/amt/auditlog/decoder.go +++ b/pkg/wsman/amt/auditlog/decoder.go @@ -6,8 +6,12 @@ package auditlog import ( + "bytes" "encoding/base64" - "strconv" + "encoding/binary" + "encoding/hex" + "fmt" + "net" "strings" "time" @@ -110,6 +114,18 @@ var RequestedStateToString = map[RequestedState]string{ RequestedStateNotApplicable: "NotApplicable", } +var ProvisioningMethodToString = map[int]string{ + 2: "Remote Configuration", + 3: "Manual Provisioning via MEBx", + 5: "Host-Based Provisioning Admin Mode", +} + +var InitiatorTypeToString = map[int]string{ + 0: "Unknown", + 1: "User", + 2: "Machine", +} + // RequestedStateToString returns a string representation of a RequestedState. func (r RequestedState) String() string { if value, exists := RequestedStateToString[r]; exists { @@ -131,6 +147,12 @@ var StoragePolicyToString = map[StoragePolicy]string{ StoragePolicyRestrictedRollOver: "RestrictedRollOver", } +var ProvisioningHashType = map[int]string{ + 1: "SHA1_160", + 2: "SHA_256", + 3: "SHA_384", +} + // StoragePolicyToString returns a string representation of a StoragePolicy. func (r StoragePolicy) String() string { if value, exists := StoragePolicyToString[r]; exists { @@ -187,7 +209,7 @@ func convertToAuditLogResult(auditlogdata []string) []AuditLogRecord { exlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] ptr++ auditLogRecord.Ex = decodedEventRecordStr[ptr : ptr+int(exlen)] - auditLogRecord.ExStr = GetAuditLogExtendedDataString((auditLogRecord.AuditAppID*100)+auditLogRecord.EventID, auditLogRecord.Ex) + auditLogRecord.ExStr = GetAuditLogExtendedDataString(auditLogRecord.AuditAppID, auditLogRecord.EventID, auditLogRecord.Ex) records = append([]AuditLogRecord{auditLogRecord}, records...) } @@ -196,18 +218,23 @@ func convertToAuditLogResult(auditlogdata []string) []AuditLogRecord { } const ( - ACLEntryAdded = 1602 - ACLEntryModified = 1603 - ACLEntryRemoved = 1604 - ACLAccessWithInvalidCredentials = 1605 - ACLEntryStateChanged = 1606 - TLSStateChanged = 1607 - SetRealmAuthenticationMode = 1617 - AMTUnprovisioningStarted = 1619 - FirmwareUpdate = 1900 - AMTTimeSet = 2100 - OptInPolicyChange = 3000 - SendConsentCode = 3001 + SecurityAdmin = 16 + RemoteControl = 17 + RedirectionManager = 18 + FirmwareUpdateManager = 19 + SecurityAuditLog = 20 + NetworkTime = 21 + NetworkAdministration = 22 + StorageAdministration = 23 + EventManager = 24 + SystemDefenseManager = 25 + AgentPresenceManager = 26 + WirelessConfiguration = 27 + EndpointAccessControl = 28 + KeyboardVideoMouse = 29 + UserOptIn = 30 + ScreenBlanking = 32 + Watchdog = 33 ) var RealmNames = []string{ @@ -240,44 +267,721 @@ var RealmNames = []string{ // Return human readable extended audit log data // TODO: Just put some of them here, but many more still need to be added, helpful link here: // https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsecurityadminevents.htm -func GetAuditLogExtendedDataString(auditEventId int, data string) string { +func GetAuditLogExtendedDataString(appId, eventId int, data string) string { var extendedDataString string - switch auditEventId { - case ACLEntryAdded, ACLEntryRemoved: - if data[0] == 0 { - extendedDataString = data[2 : 2+data[1]] + switch appId { + case SecurityAdmin: + extendedDataString = parseSecurityAdminEvents(eventId, data) + case RemoteControl: + extendedDataString = parseRemoteControlEvents(eventId, data) + case RedirectionManager: + extendedDataString = parseRedirectionManagerEvents(eventId) + case FirmwareUpdateManager: + extendedDataString = parseFirmwareUpdateManagerEvents(eventId, data) + case SecurityAuditLog: + extendedDataString = parseSecurityAuditLog(eventId, data) + case NetworkTime: + extendedDataString = parseNetworkTimeEvents(eventId, data) + case NetworkAdministration: + extendedDataString = parseNetworkAdministrationEvents(eventId, data) + case StorageAdministration: + extendedDataString = parseStorageAdministrationEvents(eventId, data) + case EventManager: + extendedDataString = parseEventManagerEvents(eventId, data) + case SystemDefenseManager: + extendedDataString = parseSystemDefenseManagerEvents(eventId, data) + case AgentPresenceManager: + extendedDataString = parseAgentPresenceManagerEvents(eventId, data) + case WirelessConfiguration: + extendedDataString = parseWirelessConfigurationEvents(eventId, data) + case EndpointAccessControl: + case KeyboardVideoMouse: + case UserOptIn: + case ScreenBlanking: + case Watchdog: + default: + extendedDataString = "Unknown Event Group ID" + } + + return extendedDataString +} + +func parseSecurityAdminEvents(eventId int, data string) string { + + const ( + ProvisioningStarted = 0 + ProvisioningCompleted = 1 + ACLEntryAdded = 2 + ACLEntryModified = 3 + ACLEntryRemoved = 4 + ACLAccessWithInvalidCredentials = 5 + ACLEntryEnabled = 6 + TLSStateChanged = 7 + TLSServerCertificateSet = 8 + TLSServerCertificateRemoved = 9 + TLSTrustedRootCertificateAdded = 10 + TLSTrustedRootCertificateRemoved = 11 + TLSPreSharedKeySet = 12 + KerberosSettingsModified = 13 + KerberosMasterKeyModified = 14 + FlashWearOutCountersReset = 15 + PowerPackageModified = 16 + SetRealmAuthenticationMode = 17 + UpgradeClientToAdmin = 18 + AMTUnProvisioningStarted = 19 + ) + + var extendedDataString string + + byteData := []byte(data) + buf := bytes.NewBuffer(byteData) + + switch eventId { + case ProvisioningStarted: + extendedDataString = "Intel AMT transitioned to setup mode." + case ProvisioningCompleted: + extendedDataString = "Intel AMT transitioned to operational mode. " + if len(byteData) > 0 { + var ProvisioningParameters ProvisioningParameters + + // Read ProvisioningMethod + if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.ProvisioningMethod); err != nil { + return extendedDataString + } + + // Read HashType + if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.HashType); err != nil { + return extendedDataString + } + + // Read TrustedRootCertHash based on HashType + switch ProvisioningParameters.HashType { + case 1: // SHA1_160 + ProvisioningParameters.TrustedRootCertHash = make([]byte, 20) + case 2: // SHA_256 + ProvisioningParameters.TrustedRootCertHash = make([]byte, 32) + case 3: // SHA_384 + ProvisioningParameters.TrustedRootCertHash = make([]byte, 48) + default: + return extendedDataString + } + + if _, err := buf.Read(ProvisioningParameters.TrustedRootCertHash); err != nil { + return extendedDataString + } + + // Read NumberOfCertificates + if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.NumberOfCertificates); err != nil { + return extendedDataString + } + + // Read CertSerialNumbers + for i := 0; i < int(ProvisioningParameters.NumberOfCertificates); i++ { + serialNumber := make([]byte, 16) + if _, err := buf.Read(serialNumber); err != nil { + return extendedDataString + } + ProvisioningParameters.CertSerialNumbers = append(ProvisioningParameters.CertSerialNumbers, hex.EncodeToString(serialNumber)) + } + + // Read AdditionalCaSerialNumbers + if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.AdditionalCaSerialNumbers); err != nil { + return extendedDataString + } + + // Read ProvServFQDNLength + if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.ProvServFQDNLength); err != nil { + return extendedDataString + } + + // Read ProvServFQDN + fqdn := make([]byte, ProvisioningParameters.ProvServFQDNLength) + if _, err := buf.Read(fqdn); err != nil { + return extendedDataString + } + ProvisioningParameters.ProvServFQDN = string(fqdn) + + extendedDataString += provisioningCompletedToString(&ProvisioningParameters) + + } + case ACLEntryAdded: + extendedDataString = "User entry was added to the Intel AMT Device. " + + if len(byteData) > 0 { + var entry = readACLData(ACLEntryAdded, byteData) + + extendedDataString += aclEntryAddedToString(&entry) } case ACLEntryModified: - if data[1] == 0 { - extendedDataString = data[2:] + extendedDataString = "User entry was updated in the Intel AMT device. " + + if len(byteData) > 0 { + var entry = readACLData(ACLEntryModified, byteData) + + extendedDataString += aclEntryModifiedToString(&entry) + } + case ACLEntryRemoved: + extendedDataString = "User entry was removed from the Intel AMT device. " + if len(byteData) > 0 { + var entry = readACLData(ACLEntryRemoved, byteData) + + extendedDataString = aclEntryRemovedToString(&entry) } case ACLAccessWithInvalidCredentials: - extendedDataString = []string{"Invalid ME access", "Invalid MEBx access"}[data[0]] - case ACLEntryStateChanged: - r := []string{"Disabled", "Enabled"}[data[0]] - if data[1] == 0 { - r += ", " + data[2:] + if len(data) > 0 { + extendedDataString = "User attempted to access " + []string{"Intel AMT", "MEBx"}[data[0]] + " with invalid credentials." } + case ACLEntryEnabled: + extendedDataString = "ACL entry state was changed. " + if len(byteData) > 0 { + var entry = readACLData(ACLEntryEnabled, byteData) - extendedDataString = r + extendedDataString += aclEntryEnabledToString(&entry) + } case TLSStateChanged: - extendedDataString = "Remote " + []string{"NoAuth", "ServerAuth", "MutualAuth"}[data[0]] + ", Local " + []string{"NoAuth", "ServerAuth", "MutualAuth"}[data[1]] + if len(byteData) > 0 { + extendedDataString = "TLS state changed: Remote " + + []string{"NoAuth", "ServerAuth", "MutualAuth"}[byteData[0]] + + ", Local " + + []string{"NoAuth", "ServerAuth", "MutualAuth"}[byteData[1]] + } + case TLSServerCertificateSet: + extendedDataString = "TLS server certificate was defined. " + getCertificateSerialNumber(byteData) + case TLSServerCertificateRemoved: + extendedDataString = "TLS server certificate was removed. " + getCertificateSerialNumber(byteData) + case TLSTrustedRootCertificateAdded: + extendedDataString = "TLS trusted root certificate was added. " + getCertificateSerialNumber(byteData) + case TLSTrustedRootCertificateRemoved: + extendedDataString = "TLS trusted root certificate was removed. " + getCertificateSerialNumber(byteData) + case TLSPreSharedKeySet: + extendedDataString = "TLS pre-shared key was defined." + case KerberosSettingsModified: + if len(data) > 0 { + extendedDataString = "Kerberos settings were modified. Time tolerance: " + hex.EncodeToString([]byte(data)) + } + case KerberosMasterKeyModified: + extendedDataString = "Kerberos master key or passphrase was modified." + case FlashWearOutCountersReset: + extendedDataString = "Flash wear out counter was reset." + case PowerPackageModified: + if len(data) > 0 { + extendedDataString = "Active power package was set: " + hex.EncodeToString([]byte(data)) + } case SetRealmAuthenticationMode: - extendedDataString = RealmNames[common.ReadInt(data, 0)] + ", " + []string{"NoAuth", "Auth", "Disabled"}[data[4]] - case AMTUnprovisioningStarted: - extendedDataString = []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[data[0]] - case FirmwareUpdate: - extendedDataString = "From " + strconv.Itoa(common.ReadShort(data, 0)) + "." + strconv.Itoa(common.ReadShort(data, 2)) + "." + strconv.Itoa(common.ReadShort(data, 4)) + "." + strconv.Itoa(common.ReadShort(data, 6)) + " to " + strconv.Itoa(common.ReadShort(data, 8)) + "." + strconv.Itoa(common.ReadShort(data, 10)) + "." + strconv.Itoa(common.ReadShort(data, 12)) + "." + strconv.Itoa(common.ReadShort(data, 14)) - case AMTTimeSet: - t := time.Unix(int64(common.ReadInt(data, 0)), 0).Local() - extendedDataString = t.Format(time.RFC1123) - case OptInPolicyChange: - extendedDataString = "From " + []string{"None", "KVM", "All"}[data[0]] + " to " + []string{"None", "KVM", "All"}[data[1]] - case SendConsentCode: - extendedDataString = []string{"Success", "Failed 3 times"}[data[0]] + if len(data) > 0 { + extendedDataString = RealmNames[common.ReadInt(data, 0)] + ", " + []string{"NoAuth", "Auth", "Disabled"}[data[4]] + } + case UpgradeClientToAdmin: + extendedDataString = "The control mode of the Intel AMT was changed from Client control to Admin control." + case AMTUnProvisioningStarted: + if len(data) > 0 { + extendedDataString = []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[data[0]] + } default: - extendedDataString = "" + extendedDataString = "Unknown Event ID" + } + return extendedDataString +} + +func parseRemoteControlEvents(eventId int, data string) string { + byteData := []byte(data) + + var extendedDataString string + + const ( + PerformedPowerUp = 0 + PerformedPowerDown = 1 + PerformedPowerCycle = 2 + PerformedReset = 3 + SetBootOptions = 4 + PerformedGracefulPowerDown = 5 + PerformedGracefulReset = 6 + PerformedStandby = 7 + PerformedHibernate = 8 + PerformedNMI = 9 + ) + + switch eventId { + case PerformedPowerUp: + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString = "Remote power up initiated. \n" + parseBootOptionData(rce) + } + case PerformedPowerDown: + extendedDataString = "Remote power down initiated." + case PerformedPowerCycle: + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString = "Remote power cycle initiated. \n" + parseBootOptionData(rce) + } + case PerformedReset: + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString = "Remote reset initiated. \n" + parseBootOptionData(rce) + } + case SetBootOptions: + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString = "Boot options were set. \n" + parseBootOptionData(rce) + } + case PerformedGracefulPowerDown: + extendedDataString = "Remote graceful power down initiated." + case PerformedGracefulReset: + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString = "Remote graceful reset initiated. " + parseBootOptionData(rce) + } + case PerformedStandby: + extendedDataString = "Remote standby initiated." + case PerformedHibernate: + extendedDataString = "Remote hibernate initiated." + case PerformedNMI: + extendedDataString = "Remote NMI initiated." + default: + extendedDataString = "Unknown Event ID" + } + + return extendedDataString +} + +func parseRedirectionManagerEvents(eventId int) string { + var extendedDataString string + + const ( + IDERSessionOpened = 0 + IDERSessionClosed = 1 + IDEREnabled = 2 + IDERDisabled = 3 + SoLSessionOpened = 4 + SoLSessionClosed = 5 + SoLEnabled = 6 + SoLDisabled = 7 + KVMSessionStarted = 8 + KVMSessionEnded = 9 + KVMEnabled = 10 + KVMDisabled = 11 + VNCPasswordFailed = 12 + ) + + switch eventId { + case IDERSessionOpened: + extendedDataString = "An application opened a Storage Redirection session." + case IDERSessionClosed: + extendedDataString = "An application or firmware closed a Storage Redirection session." + case IDEREnabled: + extendedDataString = "Storage Redirection was enabled." + case IDERDisabled: + extendedDataString = "Storage Redirection was disabled." + case SoLSessionOpened: + extendedDataString = "An application opened a Serial Over LAN session." + case SoLSessionClosed: + extendedDataString = "An application or firmware closed a Serial Over LAN session." + case SoLEnabled: + extendedDataString = "Serial Over LAN was enabled." + case SoLDisabled: + extendedDataString = "Serial Over LAN was disabled." + case KVMSessionStarted: + extendedDataString = "An application opened a Keyboard-Video-Mouse session." + case KVMSessionEnded: + extendedDataString = "An application or firmware closed a Keyboard-Video-Mouse session." + case KVMEnabled: + extendedDataString = "Keyboard-Video-Mouse was enabled." + case KVMDisabled: + extendedDataString = "Keyboard-Video-Mouse was disabled." + case VNCPasswordFailed: + extendedDataString = "Incorrect Remote Frame Buffer (RFB) password entered 3 times." + } + + return extendedDataString +} + +func parseFirmwareUpdateManagerEvents(eventId int, data string) string { + + var extendedDataString string + + const ( + FirmwareUpdated = 0 + FirmwareFailed = 1 + ) + if len(data) > 0 { + byteData := []byte(data) + buf := bytes.NewBuffer(byteData) + + switch eventId { + case FirmwareUpdated: + oldFWVersion := FWVersion{} + newFWVersion := FWVersion{} + + readFWVersion(buf, &oldFWVersion) + readFWVersion(buf, &newFWVersion) + + extendedDataString = "Firmware update was started.\nOld version: " + + fmt.Sprint(oldFWVersion.Major) + "." + + fmt.Sprint(oldFWVersion.Minor) + "." + + fmt.Sprint(oldFWVersion.Hotfix) + "." + + fmt.Sprint(oldFWVersion.Build) + + "\nNew version: " + + fmt.Sprint(newFWVersion.Major) + "." + + fmt.Sprint(newFWVersion.Minor) + "." + + fmt.Sprint(newFWVersion.Hotfix) + "." + + fmt.Sprint(newFWVersion.Build) + case FirmwareFailed: + updateFailure := FWUpdateFailure{} + + binary.Read(buf, binary.LittleEndian, &updateFailure.Type) + binary.Read(buf, binary.LittleEndian, &updateFailure.Reason) + + extendedDataString = "Firmware update failed.\nFailure Type: " + + fmt.Sprint(updateFailure.Type) + "\nFailure Reason: " + fmt.Sprint(updateFailure.Reason) + } + } + return extendedDataString +} + +func parseSecurityAuditLog(eventId int, data string) string { + var extendedDataString string + + const ( + SecurityAuditLogCleared = 0 + SecurityAuditPolicyModified = 1 + SecurityAuditLogDisabled = 2 + SecurityAuditLogEnabled = 3 + SecurityAuditLogExported = 4 + SecurityAuditLogRecovered = 5 + ) + + switch eventId { + case SecurityAuditLogCleared: + extendedDataString = "Audit log was cleared." + case SecurityAuditPolicyModified: + extendedDataString = "Audit policy event was enabled or disabled." + case SecurityAuditLogDisabled: + extendedDataString = "Audit monitor feature was disabled." + case SecurityAuditLogEnabled: + extendedDataString = "Audit monitor feature was enabled." + case SecurityAuditLogExported: + extendedDataString = "Audit log signature and log-related information was exported." + case SecurityAuditLogRecovered: + if len(data) > 0 { + extendedDataString = "Internal check of audit log resulted in a recovery action.\nReason: " + + []string{"Unknown", "Migration failure", "Initialization failure"}[data[0]] + } + } + + return extendedDataString +} + +func parseNetworkTimeEvents(eventId int, data string) string { + var extendedDataString string + + const ( + IntelMETimeSet = 0 + ) + + switch eventId { + case IntelMETimeSet: + if len(data) > 0 { + extendedDataString = "Command received to set Intel AMT local time. Time: " + time.Unix(int64(common.ReadInt(data, 0)), 0).String() + } + } + + return extendedDataString +} + +func parseNetworkAdministrationEvents(eventId int, data string) string { + var extendedDataString string + + var InterfaceIDGenType = map[int]string{ + 0: "Random ID", + 1: "Intel ID", + 2: "Manual ID", + 3: "Invalid ID", + } + + const ( + TCPIPParametersSet = 0 + HostNameSet = 1 + DomainNameSet = 2 + VLANParametersSet = 3 + LinkPolicySet = 4 + IPv6ParametersSet = 5 + ) + + switch eventId { + case TCPIPParametersSet: + extendedDataString = "TCP/IP parameters were set.\n" + if len(data) > 0 { + event := readNetworkAdministrationEventData(TCPIPParametersSet, []byte(data)) + extendedDataString += "DHCP Enabled: " + []string{"Disabled", "Enabled"}[event.DHCPEnabled] + + "\nStatic IP: " + string(convertUINT32ToIPv4(event.IPV4Address)) + + "\nSubnet Mask: " + string(convertUINT32ToIPv4(event.SubnetMask)) + + "\nGateway: " + string(convertUINT32ToIPv4(event.Gateway)) + } + case HostNameSet: + extendedDataString = "Host name was set" + if len(data) > 0 { + event := readNetworkAdministrationEventData(HostNameSet, []byte(data)) + extendedDataString = " to " + event.HostName + } + case DomainNameSet: + extendedDataString = "Domain name was set" + if len(data) > 0 { + event := readNetworkAdministrationEventData(DomainNameSet, []byte(data)) + extendedDataString = " to " + event.DomainName + } + case VLANParametersSet: + extendedDataString = "VLAN tag was set" + if len(data) > 0 { + event := readNetworkAdministrationEventData(VLANParametersSet, []byte(data)) + extendedDataString = " to " + fmt.Sprint(event.VLANTag) + } + case LinkPolicySet: + extendedDataString = "Link policy was set" + if len(data) > 0 { + event := readNetworkAdministrationEventData(LinkPolicySet, []byte(data)) + extendedDataString = " to " + fmt.Sprint(event.LinkPolicy) + } + case IPv6ParametersSet: + extendedDataString = "IPv6 parameters were set.\n" + if len(data) > 0 { + event := readNetworkAdministrationEventData(IPv6ParametersSet, []byte(data)) + extendedDataString += "IPv6 Enabled: " + []string{"Disabled", "Enabled"}[event.IPV6Enabled] + + "\nInterface Gen Type: " + InterfaceIDGenType[int(event.InterfaceIDGenType)] + if event.InterfaceIDGenType == 2 { + extendedDataString += "\nInterface ID: " + string(event.InterfaceID) + } + extendedDataString += "\nIPV6 Address: " + string(event.IPV6Address) + + "\nIPV6 Gateway: " + string(event.IPV6Gateway) + + "\nIPV6 Primary DNS: " + string(event.IPV6PrimaryDNS) + + "\nIPV6 Secondary DNS: " + string(event.IPV6SecondaryDNS) + } + } + + return extendedDataString +} + +func parseStorageAdministrationEvents(eventId int, data string) string { + var extendedDataString string + + const ( + GlobalStorageAttributesSet = 0 + StorageEACLModified = 1 + StorageFPACLModified = 2 + StorageWriteOperation = 3 + ) + + switch eventId { + case GlobalStorageAttributesSet: + extendedDataString = "Global storage attributes were set.\n" + if len(data) > 0 { + byteData := []byte(data) + buf := bytes.NewBuffer(byteData) + + event := StorageAdministrationEvent{} + + binary.Read(buf, binary.LittleEndian, &event.MaxPartnerStorage) + binary.Read(buf, binary.LittleEndian, &event.MaxNonPartnerTotalAllocationSize) + + extendedDataString += "Max Partner Storage: " + fmt.Sprint(event.MaxPartnerStorage) + + "\nMax Non-Partner Total Allocation Size: " + fmt.Sprint(event.MaxNonPartnerTotalAllocationSize) + + } + case StorageEACLModified: + extendedDataString = "Storage EACL entry was added or removed." + case StorageFPACLModified: + extendedDataString = "Storage FPACL entry was added, removed, or updated." + case StorageWriteOperation: + extendedDataString = "Application wrote a block to storage." + } + + return extendedDataString +} + +func parseEventManagerEvents(eventId int, data string) string { + var extendedDataString string + + const ( + AlertSubscribed = 0 + AlertUnsubscribed = 1 + EventLogCleared = 2 + EventLogFrozen = 3 + ) + + switch eventId { + case AlertSubscribed, AlertUnsubscribed: + if eventId == AlertSubscribed { + extendedDataString = "An alert subscription was created successfully.\n" + } else { + extendedDataString = "An existing alert subscription was cancelled.\n" + } + if len(data) > 0 { + event := readEventManagerEventData(AlertSubscribed, []byte(data)) + extendedDataString += parseEventManagerEventData(event) + } + case EventLogCleared: + extendedDataString = "Event log was cleared of existing records." + case EventLogFrozen: + if len(data) > 0 { + event := readEventManagerEventData(EventLogFrozen, []byte(data)) + extendedDataString = "Event log was " + []string{"unfrozen", "frozen"}[event.Freeze] + } + } + + return extendedDataString +} + +func parseSystemDefenseManagerEvents(eventId int, data string) string { + var extendedDataString string + + const ( + SDFilterAdded = 0 + SDFilterRemoved = 1 + SDPolicyAdded = 2 + SDPolicyRemoved = 3 + SDDefaultPolicySet = 4 + SDHeuristicsOptionSet = 5 + SDHeuristicsStateCleared = 6 + ) + + switch eventId { + case SDFilterAdded: + extendedDataString = "Attempt made to add a system defense filter." + case SDFilterRemoved: + extendedDataString = "System defense filter was removed successfully.\n" + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDFilterRemoved, []byte(data)) + extendedDataString += "Filter Handle: " + string(event.FilterHandle) + } + case SDPolicyAdded: + extendedDataString = "Attempt made to add a system defense policy." + case SDPolicyRemoved: + extendedDataString = "System defense policy was removed successfully.\n" + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDPolicyRemoved, []byte(data)) + extendedDataString += "Policy Handle: " + string(event.PolicyHandle) + } + case SDDefaultPolicySet: + extendedDataString = "System defense policy selected.\n" + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDDefaultPolicySet, []byte(data)) + extendedDataString += "Hardware Interface: " + string(event.HardwareInterface) + + "\nPolicy Handle: " + string(event.PolicyHandle) + } + case SDHeuristicsOptionSet: + extendedDataString = "System defense heuristics settings were set successfully.\n" + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDHeuristicsOptionSet, []byte(data)) + extendedDataString += "Interface Handle: " + string(event.InterfaceHandle) + + "\nBlock All: " + string(event.BlockAll) + + "\nBlock Offensive Port: " + string(event.BlockOffensivePort) + + "\nPolicy Handle: " + string(event.PolicyHandle) + } + case SDHeuristicsStateCleared: + extendedDataString = "System defense heuristics settings were removed successfully.\n" + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDHeuristicsStateCleared, []byte(data)) + extendedDataString += "Interface Handle: " + string(event.InterfaceHandle) + } + } + + return extendedDataString +} + +func parseAgentPresenceManagerEvents(eventId int, data string) string { + var extendedDataString string + + const ( + AgentWatchdogAdded = 0 + AgentWatchdogRemoved = 1 + AgentWatchdogActionSet = 2 + ) + + switch eventId { + case AgentWatchdogAdded: + extendedDataString = "An application entry was created to be monitored.\n" + if len(data) > 0 { + event := readAgentPresenceManagerEventData(AgentWatchdogAdded, []byte(data)) + extendedDataString += "Agent ID: " + string(event.AgentID) + + "\nAgent Heartbeat Time: " + string(event.AgentHeartBeatTime) + + "\nAgent Startup Time: " + string(event.AgentStartupTime) + } + case AgentWatchdogRemoved: + extendedDataString = "An application entry was removed.\n" + if len(data) > 0 { + event := readAgentPresenceManagerEventData(AgentWatchdogRemoved, []byte(data)) + extendedDataString += "Agent ID: " + string(event.AgentID) + } + case AgentWatchdogActionSet: + extendedDataString = "Actions were set, added, or removed for an application watchdog entry.\n" + if len(data) > 0 { + event := readAgentPresenceManagerEventData(AgentWatchdogActionSet, []byte(data)) + extendedDataString += "Agent ID: " + string(event.AgentID) + } + } + + return extendedDataString +} + +func parseWirelessConfigurationEvents(eventId int, data string) string { + var extendedDataString string + + const ( + WirelessProfileAdded = 0 + WirelessProfileRemoved = 1 + WirelessProfileUpdated = 2 + WirelessProfileModified = 3 + WirelessLinkPreferenceChanged = 4 + WirelessProfileShareWithUEFIEnabledSettingChanged = 5 + ) + + switch eventId { + case WirelessProfileAdded: + extendedDataString = "A new profile was added." + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessProfileAdded, []byte(data)) + extendedDataString += "\nSSID: " + string(event.SSID) + + "\nProfile Priority: " + string(event.ProfilePriority) + + "\nProfile Name Length: " + string(event.ProfileNameLength) + + "\nProfile Name: " + string(event.ProfileName) + } + case WirelessProfileRemoved: + extendedDataString = "An existing profile was removed." + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessProfileRemoved, []byte(data)) + extendedDataString += "\nProfile Name Length: " + string(event.ProfileNameLength) + + "\nProfile Name: " + string(event.ProfileName) + } + case WirelessProfileUpdated: + extendedDataString = "An existing profile was updated." + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessProfileUpdated, []byte(data)) + extendedDataString += "\nSSID: " + string(event.SSID) + + "\nProfile Priority: " + string(event.ProfilePriority) + + "\nProfile Name Length: " + string(event.ProfileNameLength) + + "\nProfile Name: " + string(event.ProfileName) + } + case WirelessProfileModified: + extendedDataString = "An existing profile sync was modified." + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessProfileModified, []byte(data)) + for _, profile := range event.ProfileSync { + extendedDataString += "\nProfile Sync: " + string(profile) + } + } + case WirelessLinkPreferenceChanged: + extendedDataString = "An existing profile link preference was changed." + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessLinkPreferenceChanged, []byte(data)) + for _, timeout := range event.Timeout { + extendedDataString += "\nTimeout: " + string(timeout) + } + for _, linkPreference := range event.LinkPreference { + extendedDataString += "\nLink Preference: " + []string{"none", "ME", "Host"}[linkPreference] + } + } + case WirelessProfileShareWithUEFIEnabledSettingChanged: + extendedDataString = fmt.Sprintf("Wireless profile share with UEFI was set to %s.", []string{"Disabled", "Enabled"}[data[0]]) } return extendedDataString @@ -290,6 +994,376 @@ const ( KvmDefaultPort byte = 3 ) +func provisioningCompletedToString(provisioningCompleted *ProvisioningParameters) string { + return fmt.Sprintf("Provisioning Method: %s\n"+ + "Hash Type: %s\n"+ + "Trusted Root Cert Hash: %s\n"+ + "Number of Certificates: %d\n"+ + "Cert Serial Numbers: %v\n"+ + "Additional CA Serial Numbers: %d\n"+ + "Provisioning Server FQDN Length: %d\n"+ + "Provisioning Server FQDN: %s\n", + ProvisioningMethodToString[int(provisioningCompleted.ProvisioningMethod)], + ProvisioningHashType[int(provisioningCompleted.HashType)], + hex.EncodeToString(provisioningCompleted.TrustedRootCertHash), + provisioningCompleted.NumberOfCertificates, + provisioningCompleted.CertSerialNumbers, + provisioningCompleted.AdditionalCaSerialNumbers, + provisioningCompleted.ProvServFQDNLength, + provisioningCompleted.ProvServFQDN) +} + +func aclEntryAddedToString(entry *ACLEntry) string { + if entry.UsernameLength == 0 { + return fmt.Sprintf("ACL Entry Added:\n"+ + "Initiator Type: %s\n"+ + "SID: %d\n"+ + "Domain Length: %d\n"+ + "Domain: %s\n", + InitiatorTypeToString[int(entry.InitiatorType)], + entry.SID, + entry.DomainLength, + entry.Domain) + } else { + return fmt.Sprintf("ACL Entry Added:\n"+ + "Initiator Type: %s\n"+ + "Username: %s\n", + InitiatorTypeToString[int(entry.InitiatorType)], + entry.Username) + } +} + +func aclEntryModifiedToString(entry *ACLEntry) string { + parameterModifiedStr := "" + if entry.ParameterModified&0x01 != 0 { + parameterModifiedStr += "Username, " + } + if entry.ParameterModified&0x02 != 0 { + parameterModifiedStr += "Password, " + } + if entry.ParameterModified&0x04 != 0 { + parameterModifiedStr += "Local realms, " + } + if entry.ParameterModified&0x08 != 0 { + parameterModifiedStr += "Remote realms, " + } + if entry.ParameterModified&0x10 != 0 { + parameterModifiedStr += "Kerberos domain, " + } + if entry.ParameterModified&0x20 != 0 { + parameterModifiedStr += "SID, " + } + if len(parameterModifiedStr) > 0 { + parameterModifiedStr = parameterModifiedStr[:len(parameterModifiedStr)-2] // Remove the trailing comma and space + } + + return fmt.Sprintf("ACL Entry Modified:\n"+ + "Parameter Modified: %s\n"+ + "Initiator Type: %s\n"+ + "Username Length: %d\n"+ + "SID: %d\n"+ + "Username: %s\n"+ + "Domain Length: %d\n"+ + "Domain: %s\n", + parameterModifiedStr, + InitiatorTypeToString[int(entry.InitiatorType)], + entry.UsernameLength, + entry.SID, + entry.Username, + entry.DomainLength, + entry.Domain) +} + +func aclEntryRemovedToString(entry *ACLEntry) string { + return fmt.Sprintf("ACL Entry Removed:\n"+ + "Initiator Type: %s\n"+ + "Username Length: %d\n"+ + "SID: %d\n"+ + "Username: %s\n"+ + "Domain Length: %d\n"+ + "Domain: %s\n", + InitiatorTypeToString[int(entry.InitiatorType)], + entry.UsernameLength, + entry.SID, + entry.Username, + entry.DomainLength, + entry.Domain) +} + +func aclEntryEnabledToString(entry *ACLEntry) string { + return fmt.Sprintf("ACL Entry State Changed:\n"+ + "Entry State: %s\n"+ + "Initiator Type: %s\n"+ + "Username Length: %d\n"+ + "SID: %d\n"+ + "Username: %s\n"+ + "Domain Length: %d\n"+ + "Domain: %s\n", + []string{"Disabled", "Enabled"}[int(entry.EntryState)], + InitiatorTypeToString[int(entry.InitiatorType)], + entry.UsernameLength, + entry.SID, + entry.Username, + entry.DomainLength, + entry.Domain) +} + +func getCertificateSerialNumber(data []byte) string { + buf := bytes.NewBuffer(data) + if len(data) > 0 { + serialNumber := make([]byte, 20) + if _, err := buf.Read(serialNumber); err != nil { + return "" + } + + return "Certificate serial number: " + string(serialNumber) + } + return "" +} + +func getCommonACLProperties(buf *bytes.Buffer, entry *ACLEntry) { + // Read Initiator Type + binary.Read(buf, binary.LittleEndian, &entry.InitiatorType) + + // Read Username Length + binary.Read(buf, binary.LittleEndian, &entry.UsernameLength) + + if entry.UsernameLength == 0 { + binary.Read(buf, binary.LittleEndian, &entry.SID) + + binary.Read(buf, binary.LittleEndian, &entry.DomainLength) + + domain := make([]byte, entry.DomainLength) + + buf.Read(domain) + + entry.Domain = string(domain) + } else { + username := make([]byte, entry.UsernameLength) + + buf.Read(username) + + entry.Username = string(username) + } +} + +func getACLParameters(buf *bytes.Buffer, entry *ACLEntry) { + // Read Parameter Modified + if err := binary.Read(buf, binary.LittleEndian, &entry.ParameterModified); err != nil { + return + } +} + +func readACLData(id int, data []byte) ACLEntry { + buf := *bytes.NewBuffer(data) + entry := ACLEntry{} + + switch id { + case 2, 4: + getCommonACLProperties(&buf, &entry) + case 3: + getACLParameters(&buf, &entry) + getCommonACLProperties(&buf, &entry) + case 6: + binary.Read(&buf, binary.LittleEndian, &entry.EntryState) + getCommonACLProperties(&buf, &entry) + } + + return entry +} + +func readBootOptionsData(data []byte) RemoteControlEvent { + buf := bytes.NewBuffer(data) + rce := RemoteControlEvent{} + + binary.Read(buf, binary.LittleEndian, &rce.SpecialCommand) + binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameter) + binary.Read(buf, binary.LittleEndian, &rce.BootOptions) + binary.Read(buf, binary.LittleEndian, &rce.OEMParameters) + + return rce +} + +func parseBootOptionData(rce RemoteControlEvent) string { + s := "Boot Media: " + []string{"None", "Floppy", "CD", "HDD", "USB", "PXE", "Diagnostic Partition", "BIOS Setup"}[rce.BootOptions] + + "\n " + "Boot Media Override: " + []string{"Disabled", "Enabled"}[rce.SpecialCommand] + + "\n " + "BIOS Pause: " + []string{"Disabled", "Enabled"}[rce.OEMParameters] + + "\n " + "BIOS Pause Key: " + []string{"None", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10", "F11", "F12"}[rce.SpecialCommandParameter] + + return s +} + +func readFWVersion(buf *bytes.Buffer, version *FWVersion) { + binary.Read(buf, binary.LittleEndian, &version.Major) + binary.Read(buf, binary.LittleEndian, &version.Minor) + binary.Read(buf, binary.LittleEndian, &version.Hotfix) + binary.Read(buf, binary.LittleEndian, &version.Build) +} + +func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrationEvent { + buf := bytes.NewBuffer(data) + event := NetworkAdministrationEvent{} + switch id { + case 0: + binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + binary.Read(buf, binary.LittleEndian, &event.DHCPEnabled) + binary.Read(buf, binary.LittleEndian, &event.IPV4Address) + binary.Read(buf, binary.LittleEndian, &event.SubnetMask) + binary.Read(buf, binary.LittleEndian, &event.Gateway) + binary.Read(buf, binary.LittleEndian, &event.PrimaryDNS) + binary.Read(buf, binary.LittleEndian, &event.SecondaryDNS) + case 1: + binary.Read(buf, binary.LittleEndian, &event.HostNameLength) + + hostname := make([]byte, event.HostNameLength) + + buf.Read(hostname) + + event.HostName = string(hostname) + case 2: + binary.Read(buf, binary.LittleEndian, &event.DomainNameLength) + + domainName := make([]byte, event.DomainNameLength) + + buf.Read(domainName) + + event.DomainName = string(domainName) + case 3: + binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + binary.Read(buf, binary.LittleEndian, &event.VLANTag) + case 4: + binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + binary.Read(buf, binary.LittleEndian, &event.LinkPolicy) + case 5: + binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + binary.Read(buf, binary.LittleEndian, &event.IPV6Enabled) + binary.Read(buf, binary.LittleEndian, &event.InterfaceIDGenType) + if event.InterfaceIDGenType == 2 { + binary.Read(buf, binary.LittleEndian, &event.InterfaceID) + } + binary.Read(buf, binary.LittleEndian, &event.IPV6Address) + binary.Read(buf, binary.LittleEndian, &event.IPV6Gateway) + binary.Read(buf, binary.LittleEndian, &event.IPV6PrimaryDNS) + binary.Read(buf, binary.LittleEndian, &event.IPV6SecondaryDNS) + } + + return event +} + +func readEventManagerEventData(id int, data []byte) EventManagerEvent { + buf := bytes.NewBuffer(data) + event := EventManagerEvent{} + + switch id { + case 0, 1: + binary.Read(buf, binary.LittleEndian, &event.PolicyID) + binary.Read(buf, binary.LittleEndian, &event.SubscriptionAlertType) + binary.Read(buf, binary.LittleEndian, &event.IPAddrType) + binary.Read(buf, binary.LittleEndian, &event.AlertTargetIPAddress) + case 3: + binary.Read(buf, binary.LittleEndian, &event.Freeze) + } + + return event +} + +func parseEventManagerEventData(event EventManagerEvent) string { + s := "Policy ID: " + fmt.Sprint(event.PolicyID) + + "\nSubscription Alert Type: " + []string{"SNMP"}[event.SubscriptionAlertType] + + "\nIP Address Type: " + []string{"IPv4", "IPv6"}[event.IPAddrType] + ipAddress, err := decodeIPFromByteSlice(event.AlertTargetIPAddress) + if err != nil { + return "" + } else { + s += "\nTarget IP Address: " + ipAddress.String() + } + + return s +} + +func readSystemDefenseManagerEventData(id int, data []byte) SystemDefenseManagerEvent { + buf := bytes.NewBuffer(data) + event := SystemDefenseManagerEvent{} + + switch id { + case 1: + binary.Read(buf, binary.LittleEndian, &event.FilterHandle) + case 3: + binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + case 4: + binary.Read(buf, binary.LittleEndian, &event.HardwareInterface) + binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + case 5: + binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + binary.Read(buf, binary.LittleEndian, &event.BlockAll) + binary.Read(buf, binary.LittleEndian, &event.BlockOffensivePort) + binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + case 6: + binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + } + + return event +} + +func readAgentPresenceManagerEventData(id int, data []byte) AgentPresenceManagerEvent { + buf := bytes.NewBuffer(data) + event := AgentPresenceManagerEvent{} + + switch id { + case 0: + binary.Read(buf, binary.LittleEndian, &event.AgentID) + binary.Read(buf, binary.LittleEndian, &event.AgentHeartBeatTime) + binary.Read(buf, binary.LittleEndian, &event.AgentStartupTime) + case 1, 2: + binary.Read(buf, binary.LittleEndian, &event.AgentID) + } + + return event +} + +func readWirelessConfigurationEventData(id int, data []byte) WirelessConfigurationEvent { + buf := bytes.NewBuffer(data) + event := WirelessConfigurationEvent{} + + switch id { + case 0, 2: + binary.Read(buf, binary.LittleEndian, &event.SSID) + binary.Read(buf, binary.LittleEndian, &event.ProfilePriority) + binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) + binary.Read(buf, binary.LittleEndian, &event.ProfileName) + case 1: + binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) + binary.Read(buf, binary.LittleEndian, &event.ProfileName) + case 3: + binary.Read(buf, binary.LittleEndian, &event.ProfileSync) + case 4: + binary.Read(buf, binary.LittleEndian, &event.Timeout) + binary.Read(buf, binary.LittleEndian, &event.LinkPreference) + } + + return event +} + +func convertUINT32ToIPv4(intIP uint32) net.IP { + ip := make(net.IP, 4) + binary.BigEndian.PutUint32(ip, intIP) + return ip +} + +func decodeIPFromByteSlice(data []byte) (net.IP, error) { + switch len(data) { + case 4: + // IPv4 Address + return net.IP(data), nil + case 16: + // IPv6 Address + return net.IP(data), nil + default: + // Invalid length + return nil, fmt.Errorf("Invalid IP address length: %d", len(data)) + } +} + // [initiatorType: number, initiator: string, ptr: number] need to type it. func getInitiatorInfo(decodedEventRecord string) (initatorType byte, initiator string, ptr int) { var userlen uint8 diff --git a/pkg/wsman/amt/auditlog/types.go b/pkg/wsman/amt/auditlog/types.go index 859e94d6..f3dca180 100644 --- a/pkg/wsman/amt/auditlog/types.go +++ b/pkg/wsman/amt/auditlog/types.go @@ -102,4 +102,108 @@ type ( // RequestedState is an integer enumeration that indicates the last requested or desired state for the element, irrespective of the mechanism through which it was requested. RequestedState int + + ProvisioningParameters struct { + ProvisioningMethod uint8 + HashType uint8 + TrustedRootCertHash []byte + NumberOfCertificates uint8 + CertSerialNumbers []string + AdditionalCaSerialNumbers uint8 + ProvServFQDNLength uint8 + ProvServFQDN string + } + + ACLEntry struct { + ParameterModified uint8 + AccessType uint8 + EntryState uint8 + InitiatorType uint8 + UsernameLength uint8 + SID uint32 + Username string + DomainLength uint8 + Domain string + } + + RemoteControlEvent struct { + SpecialCommand uint8 + SpecialCommandParameter uint8 + BootOptions uint8 + OEMParameters uint8 + } + + FWVersion struct { + Major uint16 + Minor uint16 + Hotfix uint16 + Build uint16 + } + + FWUpdateFailure struct { + Type uint8 + Reason uint8 + } + + NetworkAdministrationEvent struct { + InterfaceHandle uint32 + DHCPEnabled uint8 + IPV4Address uint32 + SubnetMask uint32 + Gateway uint32 + PrimaryDNS uint32 + SecondaryDNS uint32 + HostNameLength uint8 + HostName string + DomainNameLength uint8 + DomainName string + VLANTag uint16 + LinkPolicy uint32 + IPV6Enabled uint8 + InterfaceIDGenType uint8 + InterfaceID []uint8 + IPV6Address []uint8 + IPV6Gateway []uint8 + IPV6PrimaryDNS []uint8 + IPV6SecondaryDNS []uint8 + } + + StorageAdministrationEvent struct { + MaxPartnerStorage uint32 + MaxNonPartnerTotalAllocationSize uint32 + } + + EventManagerEvent struct { + PolicyID uint8 + SubscriptionAlertType uint8 + IPAddrType uint8 + AlertTargetIPAddress []uint8 + Freeze uint8 + } + + SystemDefenseManagerEvent struct { + FilterHandle uint32 + PolicyHandle uint32 + HardwareInterface uint32 + InterfaceHandle uint32 + BlockAll uint8 + BlockOffensivePort uint8 + } + + AgentPresenceManagerEvent struct { + AgentID []uint8 + AgentHeartBeatTime uint16 + AgentStartupTime uint16 + } + + WirelessConfigurationEvent struct { + SSID []uint8 + ProfilePriority uint8 + ProfileNameLength uint8 + ProfileName []uint8 + ProfileSync []uint32 + Timeout []uint32 + LinkPreference []uint32 + ProfileSharingWithUEFI uint8 + } ) From 62a13a58f2707becf1e1dba269be20ce5a5d02c5 Mon Sep 17 00:00:00 2001 From: Matt Primrose Date: Fri, 14 Jun 2024 10:02:44 -0700 Subject: [PATCH 2/5] working on tests --- pkg/wsman/amt/auditlog/decoder.go | 986 ++++++++++++++----------- pkg/wsman/amt/auditlog/decoder_test.go | 105 ++- pkg/wsman/amt/auditlog/types.go | 20 +- 3 files changed, 661 insertions(+), 450 deletions(-) diff --git a/pkg/wsman/amt/auditlog/decoder.go b/pkg/wsman/amt/auditlog/decoder.go index e694905c..28ebc7a4 100644 --- a/pkg/wsman/amt/auditlog/decoder.go +++ b/pkg/wsman/amt/auditlog/decoder.go @@ -114,18 +114,6 @@ var RequestedStateToString = map[RequestedState]string{ RequestedStateNotApplicable: "NotApplicable", } -var ProvisioningMethodToString = map[int]string{ - 2: "Remote Configuration", - 3: "Manual Provisioning via MEBx", - 5: "Host-Based Provisioning Admin Mode", -} - -var InitiatorTypeToString = map[int]string{ - 0: "Unknown", - 1: "User", - 2: "Machine", -} - // RequestedStateToString returns a string representation of a RequestedState. func (r RequestedState) String() string { if value, exists := RequestedStateToString[r]; exists { @@ -147,12 +135,6 @@ var StoragePolicyToString = map[StoragePolicy]string{ StoragePolicyRestrictedRollOver: "RestrictedRollOver", } -var ProvisioningHashType = map[int]string{ - 1: "SHA1_160", - 2: "SHA_256", - 3: "SHA_384", -} - // StoragePolicyToString returns a string representation of a StoragePolicy. func (r StoragePolicy) String() string { if value, exists := StoragePolicyToString[r]; exists { @@ -162,59 +144,38 @@ func (r StoragePolicy) String() string { return ValueNotFound } -func convertToAuditLogResult(auditlogdata []string) []AuditLogRecord { - records := []AuditLogRecord{} - - for _, eventRecord := range auditlogdata { - ptr := 0 - - decodedEventRecord, err := base64.StdEncoding.DecodeString(eventRecord) - if err != nil { - continue - } - - decodedEventRecordStr := string(decodedEventRecord) - auditLogRecord := AuditLogRecord{} - - auditLogRecord.AuditAppID = common.ReadShort(decodedEventRecordStr, 0) - auditLogRecord.EventID = common.ReadShort(decodedEventRecordStr, 2) - auditLogRecord.AuditApp = AMTAuditStringTable[auditLogRecord.AuditAppID] - // auditLogRecord.InitiatorType = decodedEventRecordStr[:4] - auditLogRecord.Event = AMTAuditStringTable[(auditLogRecord.AuditAppID*100)+auditLogRecord.EventID] - - // if auditLogRecord.Event { - // auditLogRecord.Event = '#' + auditLogRecord.EventID - // } - - initiatorType, initiator, pointer := getInitiatorInfo(decodedEventRecordStr) - auditLogRecord.InitiatorType = initiatorType - auditLogRecord.Initiator = initiator - ptr = pointer - - // Read timestamp - timeStamp := common.ReadInt(decodedEventRecordStr, ptr) - auditLogRecord.Time = time.Unix(int64(timeStamp), 0) - ptr += 4 +var provisioningMethodToString = map[int]string{ + 2: "Remote Configuration", + 3: "Manual Provisioning via MEBx", + 5: "Host-Based Provisioning Admin Mode", +} - // Read network access +var initiatorTypeToString = map[int]string{ + 0: "Unknown", + 1: "User", + 2: "Machine", +} - auditLogRecord.MCLocationType = []byte(decodedEventRecordStr[ptr : ptr+1])[0] - ptr++ - netlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] - ptr++ - auditLogRecord.NetAddress = strings.ReplaceAll(decodedEventRecordStr[ptr:ptr+int(netlen)], "0000:0000:0000:0000:0000:0000:0000:0001", "::1") +var optInPolicyToString = map[int]string{ + 0: "None", + 1: "KVM", + 255: "All", +} - // Read extended data - ptr += int(netlen) - exlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] - ptr++ - auditLogRecord.Ex = decodedEventRecordStr[ptr : ptr+int(exlen)] - auditLogRecord.ExStr = GetAuditLogExtendedDataString(auditLogRecord.AuditAppID, auditLogRecord.EventID, auditLogRecord.Ex) +var operationStatusToString = map[int]string{ + 0: "Remote operator entered a one-time password successfully", + 1: "Remote operator failed 3 times to enter a one-time password correctly", +} - records = append([]AuditLogRecord{auditLogRecord}, records...) - } +var provisioningHashTypeToString = map[int]string{ + 1: "SHA1 160", + 2: "SHA 256", + 3: "SHA 384", +} - return records +var ExtendedDataMap = map[int]string{ + 0: "Invalid ME access", + 1: "Invalid MEBx access", } const ( @@ -237,6 +198,126 @@ const ( Watchdog = 33 ) +var AMTAppIDToString = map[int]string{ + 16: "Security Admin Events", + 17: "Remote Control Events", + 18: "Redirection Manager Events", + 19: "Firmware Update Manager Events", + 20: "Security AuditLog Events", + 21: "Network Time Events", + 22: "Network Administration Events", + 23: "Storage Administration Events", + 24: "Event Manager Events", + 25: "System Defense Manager Events", + 26: "Agent Presence Manager Events", + 27: "Wireless Configuration Events", + 28: "Endpoint Access Control Events", + 29: "Keyboard Video Mouse Events", + 30: "User Opt-In Events", + 32: "Screen Blanking Events", + 33: "Watchdog Events", +} + +var AMTAuditLogEventToString = map[int]string{ + 1600: "AMT Provisioning Started", + 1601: "AMT Provisioning Completed", + 1602: "ACL Entry Added", + 1603: "ACL Entry Modified", + 1604: "ACL Entry Removed", + 1605: "ACL Access with Invalid Credentials", + 1606: "ACL Entry State Changed", + 1607: "TLS State Changed", + 1608: "TLS Server Certificate Set", + 1609: "TLS Server Certificate Removed", + 1610: "TLS Trusted Root Certificate Added", + 1611: "TLS Trusted Root Certificate Removed", + 1612: "TLS Pre-Shared Key Set", + 1613: "Kerberos Settings Modified", + 1614: "Kerberos Master Key or Passphrase Modified", + 1615: "Flash Wear out Counters Reset", + 1616: "Power Package Modified", + 1617: "Set Realm Authentication Mode", + 1618: "Upgrade Client to Admin Control Mode", + 1619: "AMT UnProvisioning Started", + 1700: "Performed Power Up", + 1701: "Performed Power Down", + 1702: "Performed Power Cycle", + 1703: "Performed Reset", + 1704: "Set Boot Options", + 1705: "Performed Graceful Power Down", + 1706: "Performed Graceful Power Reset", + 1707: "Preformed Standby", + 1708: "Performed Hibernate", + 1709: "Performed NMI", + 1800: "IDE-R Session Opened", + 1801: "IDE-R Session Closed", + 1802: "IDE-R Enabled", + 1803: "IDE-R Disabled", + 1804: "SoL Session Opened", + 1805: "SoL Session Closed", + 1806: "SoL Enabled", + 1807: "SoL Disabled", + 1808: "KVM Session Started", + 1809: "KVM Session Ended", + 1810: "KVM Enabled", + 1811: "KVM Disabled", + 1812: "VNC Password Failed 3 Times", + 1900: "Firmware Update Started", + 1901: "Firmware Update Failed", + 2000: "Security Audit Log Cleared", + 2001: "Security Audit Policy Modified", + 2002: "Security Audit Log Disabled", + 2003: "Security Audit Log Enabled", + 2004: "Security Audit Log Exported", + 2005: "Security Audit Log Recovered", + 2100: "AMT Time Set", + 2200: "TCP/IP Parameters Set", + 2201: "Host Name Set", + 2202: "Domain Name Set", + 2203: "VLAN Parameters Set", + 2204: "Link Policy Set", + 2205: "IPv6 Parameters Set", + 2300: "Global Storage Attributes Set", + 2301: "Storage EACL Modified", + 2302: "Storage FPACL Modified", + 2303: "Storage Write Operation", + 2400: "Alert Subscribed", + 2401: "Alert Unsubscribed", + 2402: "Event Log Cleared", + 2403: "Event Log Frozen", + 2500: "System Defense Filter Added", + 2501: "System Defense Filter Removed", + 2502: "System Defense Policy Added", + 2503: "System Defense Policy Removed", + 2504: "System Defense Default Policy Set", + 2505: "System Defense Heuristics Option Set", + 2506: "System Defense Heuristics State Cleared", + 2600: "Agent Watchdog Added", + 2601: "Agent Watchdog Removed", + 2602: "Agent Watchdog Action Set", + 2700: "Wireless Profile Added", + 2701: "Wireless Profile Removed", + 2702: "Wireless Profile Updated", + 2703: "Wireless Profile Modified", + 2704: "Wireless Link Preference Changed", + 2705: "Wireless Profile Share With UEFI Enabled Setting Changed", + 2800: "EAC Posture Signer Set", + 2801: "EAC Enabled", + 2802: "EAC Disabled", + 2803: "EAC Posture State Updated", + 2804: "EAC Set Options", + 2900: "KVM Opt-In Enabled", + 2901: "KVM Opt-In Disabled", + 2902: "KVM Password Changed", + 2903: "KVM Consent Succeeded", + 2904: "KVM Consent Failed", + 3000: "Opt-In Policy Change", + 3001: "Send Consent Code Event", + 3002: "Start Opt-In Blocked Event", + 3301: "Watchdog Reset Triggering Options Changed", + 3302: "Watchdog Action Pairing Changed", +} + var RealmNames = []string{ "Redirection", "PT Administration", @@ -264,6 +345,60 @@ var RealmNames = []string{ // Add more as needed } +func convertToAuditLogResult(auditlogdata []string) []AuditLogRecord { + records := []AuditLogRecord{} + + for _, eventRecord := range auditlogdata { + ptr := 0 + + decodedEventRecord, err := base64.StdEncoding.DecodeString(eventRecord) + if err != nil { + continue + } + + decodedEventRecordStr := string(decodedEventRecord) + auditLogRecord := AuditLogRecord{} + + auditLogRecord.AuditAppID = common.ReadShort(decodedEventRecordStr, 0) + auditLogRecord.EventID = common.ReadShort(decodedEventRecordStr, 2) + auditLogRecord.AuditApp = AMTAppIDToString[auditLogRecord.AuditAppID] + auditLogRecord.Event = AMTAuditLogEventToString[(auditLogRecord.AuditAppID*100)+auditLogRecord.EventID] + + initiatorType, initiator, pointer := getInitiatorInfo(decodedEventRecordStr) + auditLogRecord.InitiatorType = initiatorType + auditLogRecord.Initiator = initiator + ptr = pointer + + // Read timestamp + timeStamp := common.ReadInt(decodedEventRecordStr, ptr) + auditLogRecord.Time = time.Unix(int64(timeStamp), 0) + ptr += 4 + + // Read network access + + auditLogRecord.MCLocationType = []byte(decodedEventRecordStr[ptr : ptr+1])[0] + ptr++ + + netlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] + ptr++ + + auditLogRecord.NetAddress = strings.ReplaceAll(decodedEventRecordStr[ptr:ptr+int(netlen)], "0000:0000:0000:0000:0000:0000:0000:0001", "::1") + + // Read extended data + ptr += int(netlen) + + exlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] + ptr++ + + auditLogRecord.Ex = decodedEventRecordStr[ptr : ptr+int(exlen)] + auditLogRecord.ExStr = GetAuditLogExtendedDataString(auditLogRecord.AuditAppID, auditLogRecord.EventID, auditLogRecord.Ex) + + records = append([]AuditLogRecord{auditLogRecord}, records...) + } + + return records +} + // Return human readable extended audit log data // TODO: Just put some of them here, but many more still need to be added, helpful link here: // https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsecurityadminevents.htm @@ -296,10 +431,15 @@ func GetAuditLogExtendedDataString(appId, eventId int, data string) string { case WirelessConfiguration: extendedDataString = parseWirelessConfigurationEvents(eventId, data) case EndpointAccessControl: + extendedDataString = parseEndpointAccessControlEvents(eventId, data) case KeyboardVideoMouse: + extendedDataString = parseKeyboardVideoMouseEvents(eventId) case UserOptIn: + extendedDataString = parseUserOptInEvents(eventId, data) case ScreenBlanking: + extendedDataString = "Screen blanking events are no longer supported." case Watchdog: + extendedDataString = parseWatchdogEvents(eventId, data) default: extendedDataString = "Unknown Event Group ID" } @@ -308,7 +448,6 @@ func GetAuditLogExtendedDataString(appId, eventId int, data string) string { } func parseSecurityAdminEvents(eventId int, data string) string { - const ( ProvisioningStarted = 0 ProvisioningCompleted = 1 @@ -335,78 +474,19 @@ func parseSecurityAdminEvents(eventId int, data string) string { var extendedDataString string byteData := []byte(data) - buf := bytes.NewBuffer(byteData) switch eventId { case ProvisioningStarted: extendedDataString = "Intel AMT transitioned to setup mode." case ProvisioningCompleted: - extendedDataString = "Intel AMT transitioned to operational mode. " + extendedDataString = "Intel AMT transitioned to operational mode." if len(byteData) > 0 { - var ProvisioningParameters ProvisioningParameters - - // Read ProvisioningMethod - if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.ProvisioningMethod); err != nil { - return extendedDataString - } - - // Read HashType - if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.HashType); err != nil { - return extendedDataString - } - - // Read TrustedRootCertHash based on HashType - switch ProvisioningParameters.HashType { - case 1: // SHA1_160 - ProvisioningParameters.TrustedRootCertHash = make([]byte, 20) - case 2: // SHA_256 - ProvisioningParameters.TrustedRootCertHash = make([]byte, 32) - case 3: // SHA_384 - ProvisioningParameters.TrustedRootCertHash = make([]byte, 48) - default: - return extendedDataString - } - - if _, err := buf.Read(ProvisioningParameters.TrustedRootCertHash); err != nil { - return extendedDataString - } - - // Read NumberOfCertificates - if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.NumberOfCertificates); err != nil { - return extendedDataString - } - - // Read CertSerialNumbers - for i := 0; i < int(ProvisioningParameters.NumberOfCertificates); i++ { - serialNumber := make([]byte, 16) - if _, err := buf.Read(serialNumber); err != nil { - return extendedDataString - } - ProvisioningParameters.CertSerialNumbers = append(ProvisioningParameters.CertSerialNumbers, hex.EncodeToString(serialNumber)) - } - - // Read AdditionalCaSerialNumbers - if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.AdditionalCaSerialNumbers); err != nil { - return extendedDataString - } - - // Read ProvServFQDNLength - if err := binary.Read(buf, binary.LittleEndian, &ProvisioningParameters.ProvServFQDNLength); err != nil { - return extendedDataString - } - - // Read ProvServFQDN - fqdn := make([]byte, ProvisioningParameters.ProvServFQDNLength) - if _, err := buf.Read(fqdn); err != nil { - return extendedDataString - } - ProvisioningParameters.ProvServFQDN = string(fqdn) - - extendedDataString += provisioningCompletedToString(&ProvisioningParameters) + var event = readProvisioningCompletedEventData(byteData) + extendedDataString += provisioningCompletedToString(&event) } case ACLEntryAdded: - extendedDataString = "User entry was added to the Intel AMT Device. " + extendedDataString = "User entry was added to the Intel AMT Device." if len(byteData) > 0 { var entry = readACLData(ACLEntryAdded, byteData) @@ -414,7 +494,7 @@ func parseSecurityAdminEvents(eventId int, data string) string { extendedDataString += aclEntryAddedToString(&entry) } case ACLEntryModified: - extendedDataString = "User entry was updated in the Intel AMT device. " + extendedDataString = "User entry was updated in the Intel AMT device." if len(byteData) > 0 { var entry = readACLData(ACLEntryModified, byteData) @@ -422,7 +502,7 @@ func parseSecurityAdminEvents(eventId int, data string) string { extendedDataString += aclEntryModifiedToString(&entry) } case ACLEntryRemoved: - extendedDataString = "User entry was removed from the Intel AMT device. " + extendedDataString = "User entry was removed from the Intel AMT device." if len(byteData) > 0 { var entry = readACLData(ACLEntryRemoved, byteData) @@ -433,50 +513,67 @@ func parseSecurityAdminEvents(eventId int, data string) string { extendedDataString = "User attempted to access " + []string{"Intel AMT", "MEBx"}[data[0]] + " with invalid credentials." } case ACLEntryEnabled: - extendedDataString = "ACL entry state was changed. " + extendedDataString = "ACL entry state was changed." if len(byteData) > 0 { var entry = readACLData(ACLEntryEnabled, byteData) extendedDataString += aclEntryEnabledToString(&entry) } case TLSStateChanged: + extendedDataString = "TLS state changed." if len(byteData) > 0 { - extendedDataString = "TLS state changed: Remote " + - []string{"NoAuth", "ServerAuth", "MutualAuth"}[byteData[0]] + - ", Local " + - []string{"NoAuth", "ServerAuth", "MutualAuth"}[byteData[1]] + extendedDataString += "\nRemote: " + + []string{"No Auth", "Server Auth", "Mutual Auth"}[byteData[0]] + + "\nLocal: " + + []string{"No Auth", "Server Auth", "Mutual Auth"}[byteData[1]] } case TLSServerCertificateSet: - extendedDataString = "TLS server certificate was defined. " + getCertificateSerialNumber(byteData) + extendedDataString = "TLS server certificate was defined." + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } case TLSServerCertificateRemoved: - extendedDataString = "TLS server certificate was removed. " + getCertificateSerialNumber(byteData) + extendedDataString = "TLS server certificate was removed." + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } case TLSTrustedRootCertificateAdded: - extendedDataString = "TLS trusted root certificate was added. " + getCertificateSerialNumber(byteData) + extendedDataString = "TLS trusted root certificate was added." + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } case TLSTrustedRootCertificateRemoved: - extendedDataString = "TLS trusted root certificate was removed. " + getCertificateSerialNumber(byteData) + extendedDataString = "TLS trusted root certificate was removed." + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } case TLSPreSharedKeySet: extendedDataString = "TLS pre-shared key was defined." case KerberosSettingsModified: + extendedDataString = "Kerberos settings were modified." if len(data) > 0 { - extendedDataString = "Kerberos settings were modified. Time tolerance: " + hex.EncodeToString([]byte(data)) + extendedDataString += "Time tolerance: " + string(byteData) } case KerberosMasterKeyModified: extendedDataString = "Kerberos master key or passphrase was modified." case FlashWearOutCountersReset: extendedDataString = "Flash wear out counter was reset." case PowerPackageModified: + extendedDataString = "Active power package was set." if len(data) > 0 { - extendedDataString = "Active power package was set: " + hex.EncodeToString([]byte(data)) + extendedDataString += "Power policy: " + string(byteData) } case SetRealmAuthenticationMode: + extendedDataString = "Realm authentication mode changed." if len(data) > 0 { - extendedDataString = RealmNames[common.ReadInt(data, 0)] + ", " + []string{"NoAuth", "Auth", "Disabled"}[data[4]] + extendedDataString += "\n" + RealmNames[common.ReadInt(data, 0)] + ", " + []string{"NoAuth", "Auth", "Disabled"}[data[4]] } case UpgradeClientToAdmin: extendedDataString = "The control mode of the Intel AMT was changed from Client control to Admin control." case AMTUnProvisioningStarted: + extendedDataString = "Intel AMT UnProvisioned Started." if len(data) > 0 { - extendedDataString = []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[data[0]] + extendedDataString = "\nInitiator: " + []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[data[0]] } default: extendedDataString = "Unknown Event ID" @@ -504,33 +601,38 @@ func parseRemoteControlEvents(eventId int, data string) string { switch eventId { case PerformedPowerUp: + extendedDataString = "Remote power up initiated." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Remote power up initiated. \n" + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case PerformedPowerDown: extendedDataString = "Remote power down initiated." case PerformedPowerCycle: + extendedDataString = "Remote power cycle initiated." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Remote power cycle initiated. \n" + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case PerformedReset: + extendedDataString = "Remote reset initiated." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Remote reset initiated. \n" + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case SetBootOptions: + extendedDataString = "Boot options were set." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Boot options were set. \n" + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case PerformedGracefulPowerDown: extendedDataString = "Remote graceful power down initiated." case PerformedGracefulReset: + extendedDataString = "Remote graceful reset initiated." if len(byteData) > 0 { rce := readBootOptionsData(byteData) - extendedDataString = "Remote graceful reset initiated. " + parseBootOptionData(rce) + extendedDataString += remoteControlEventToString(rce) } case PerformedStandby: extendedDataString = "Remote standby initiated." @@ -817,7 +919,7 @@ func parseEventManagerEvents(eventId int, data string) string { } if len(data) > 0 { event := readEventManagerEventData(AlertSubscribed, []byte(data)) - extendedDataString += parseEventManagerEventData(event) + extendedDataString += eventManagerEventDataToString(event) } case EventLogCleared: extendedDataString = "Event log was cleared of existing records." @@ -987,6 +1089,124 @@ func parseWirelessConfigurationEvents(eventId int, data string) string { return extendedDataString } +func parseEndpointAccessControlEvents(eventId int, data string) string { + var extendedDataString string + + const ( + EACPostureSignerSet = 0 + EACEnabled = 1 + EACDisabled = 2 + EASPostureStateUpdate = 3 + EACSetOptions = 4 + ) + + switch eventId { + case EACPostureSignerSet: + extendedDataString = "A certificate handle for signing EAC postures was either set or removed." + case EACEnabled: + extendedDataString = "EAC was set to enabled by WS-MAN interface." + case EACDisabled: + extendedDataString = "EAC was set to disabled by WS-MAN interface." + case EASPostureStateUpdate: + extendedDataString = "Controllable fields of EAC posture were reset manually by WS-MAN interface." + case EACSetOptions: + extendedDataString = "EAC options were changed." + if len(data) > 0 { + byteData := []byte(data) + buf := bytes.NewBuffer(byteData) + var eacVendors uint32 + _ = binary.Read(buf, binary.LittleEndian, &eacVendors) + extendedDataString += "\nEAC Vendors: " + string(eacVendors) + } + } + + return extendedDataString +} + +func parseKeyboardVideoMouseEvents(eventId int) string { + var extendedDataString string + + const ( + KVMOptInEnabled = 0 + KVMOptInDisabled = 1 + KVMPasswordChanged = 2 + KVMConsentSucceeded = 3 + KVMConsentFailed = 4 + ) + + switch eventId { + case KVMOptInEnabled: + extendedDataString = "User consent for a KVM session is now required." + case KVMOptInDisabled: + extendedDataString = "User consent for a KVM session is no longer required." + case KVMPasswordChanged: + extendedDataString = "RFB password for KVM session has changed." + case KVMConsentSucceeded: + extendedDataString = "Remote operator entered a one-time password successfully." + case KVMConsentFailed: + extendedDataString = "Remote operator failed to enter a one-time password correctly." + } + + return extendedDataString +} + +func parseUserOptInEvents(eventId int, data string) string { + var extendedDataString string + + const ( + OptInPolicyChange = 0 + SendConsentCodeEvent = 1 + StartOptInBlockedEvent = 2 + ) + + switch eventId { + case OptInPolicyChange: + extendedDataString = "A user has modified the opt-in policy settings." + if len(data) > 0 { + event := readUserOptInEventData(OptInPolicyChange, []byte(data)) + extendedDataString += "\nPrevious Opt-In Policy: " + optInPolicyToString[int(event.PreviousOptInPolicy)] + + "\nCurrent Opt-In Policy: " + optInPolicyToString[int(event.CurrentOptInPolicy)] + } + case SendConsentCodeEvent: + extendedDataString = "The remote operator sent a consent code." + if len(data) > 0 { + event := readUserOptInEventData(SendConsentCodeEvent, []byte(data)) + extendedDataString += "\nOperation Status: " + string(event.OperationStatus) + } + case StartOptInBlockedEvent: + extendedDataString = "The remote operator attempted to send a start opt-in request, but the request was blocked (denial-of-service attack prevention)." + } + + return extendedDataString +} + +func parseWatchdogEvents(eventId int, data string) string { + var extendedDataString string + + const ( + WatchdogResetTriggeringOptionsChanged = 0 + WatchdogActionPairingChanged = 1 + ) + + switch eventId { + case WatchdogResetTriggeringOptionsChanged: + extendedDataString = "A user has modified the watchdog action settings." + case WatchdogActionPairingChanged: + extendedDataString = "A user has modified a watchdog to add, remove, or alter the watchdog action connected to it." + if len(data) > 0 { + byteData := []byte(data) + var opStatus uint8 + buf := bytes.NewBuffer(byteData) + + _ = binary.Read(buf, binary.LittleEndian, &opStatus) + + extendedDataString += "\nOperation Status: " + operationStatusToString[int(opStatus)] + } + } + + return extendedDataString +} + const ( HTTPDigest byte = 0 Kerberos byte = 1 @@ -994,43 +1214,87 @@ const ( KvmDefaultPort byte = 3 ) +func readProvisioningCompletedEventData(data []byte) ProvisioningParameters { + buf := bytes.NewBuffer(data) + event := ProvisioningParameters{} + + // Read ProvisioningMethod + _ = binary.Read(buf, binary.LittleEndian, &event.ProvisioningMethod) + + // Read HashType + _ = binary.Read(buf, binary.LittleEndian, &event.HashType) + + // Read TrustedRootCertHash based on HashType + switch event.HashType { + case 1: // SHA1_160 + event.TrustedRootCertHash = make([]byte, 20) + case 2: // SHA_256 + event.TrustedRootCertHash = make([]byte, 32) + case 3: // SHA_384 + event.TrustedRootCertHash = make([]byte, 48) + } + + buf.Read(event.TrustedRootCertHash) + + // Read NumberOfCertificates + _ = binary.Read(buf, binary.LittleEndian, &event.NumberOfCertificates) + + // Read CertSerialNumbers + for i := 0; i < int(event.NumberOfCertificates); i++ { + serialNumber := make([]byte, 16) + buf.Read(serialNumber) + event.CertSerialNumbers = append(event.CertSerialNumbers, hex.EncodeToString(serialNumber)) + } + + // Read AdditionalCaSerialNumbers + _ = binary.Read(buf, binary.LittleEndian, &event.AdditionalCaSerialNumbers) + + // Read ProvServFQDNLength + _ = binary.Read(buf, binary.LittleEndian, &event.ProvServFQDNLength) + + // Read ProvServFQDN + fqdn := make([]byte, event.ProvServFQDNLength) + buf.Read(fqdn) + + event.ProvServFQDN = string(fqdn) + + return event +} + func provisioningCompletedToString(provisioningCompleted *ProvisioningParameters) string { - return fmt.Sprintf("Provisioning Method: %s\n"+ - "Hash Type: %s\n"+ - "Trusted Root Cert Hash: %s\n"+ - "Number of Certificates: %d\n"+ - "Cert Serial Numbers: %v\n"+ - "Additional CA Serial Numbers: %d\n"+ - "Provisioning Server FQDN Length: %d\n"+ - "Provisioning Server FQDN: %s\n", - ProvisioningMethodToString[int(provisioningCompleted.ProvisioningMethod)], - ProvisioningHashType[int(provisioningCompleted.HashType)], - hex.EncodeToString(provisioningCompleted.TrustedRootCertHash), - provisioningCompleted.NumberOfCertificates, - provisioningCompleted.CertSerialNumbers, - provisioningCompleted.AdditionalCaSerialNumbers, - provisioningCompleted.ProvServFQDNLength, - provisioningCompleted.ProvServFQDN) + s := fmt.Sprintf("\nProvisioning Method: %s", provisioningMethodToString[int(provisioningCompleted.ProvisioningMethod)]) + if provisioningCompleted.HashType != 0 { + s += fmt.Sprintf("\nHash Type: %s", provisioningHashTypeToString[int(provisioningCompleted.HashType)]) + } + if len(provisioningCompleted.TrustedRootCertHash) > 0 { + s += fmt.Sprintf("\nTrusted Root Cert Hash: %s", hex.EncodeToString(provisioningCompleted.TrustedRootCertHash)) + } + if provisioningCompleted.NumberOfCertificates > 0 { + s += fmt.Sprintf("\nNumber of Certificates: %d", provisioningCompleted.NumberOfCertificates) + s += fmt.Sprintf("\nCert Serial Numbers (first 3): %v", provisioningCompleted.CertSerialNumbers) + if provisioningCompleted.AdditionalCaSerialNumbers > 3 { + s += fmt.Sprintf("\nThere are %d additional certificates", provisioningCompleted.AdditionalCaSerialNumbers) + } + } + if provisioningCompleted.ProvServFQDNLength > 0 { + s += fmt.Sprintf("\nProvisioning Server FQDN: %s", provisioningCompleted.ProvServFQDN) + } + + return s } func aclEntryAddedToString(entry *ACLEntry) string { + s := fmt.Sprintf("\nInitiator Type: %s", initiatorTypeToString[int(entry.InitiatorType)]) if entry.UsernameLength == 0 { - return fmt.Sprintf("ACL Entry Added:\n"+ - "Initiator Type: %s\n"+ - "SID: %d\n"+ - "Domain Length: %d\n"+ - "Domain: %s\n", - InitiatorTypeToString[int(entry.InitiatorType)], - entry.SID, - entry.DomainLength, - entry.Domain) + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } } else { - return fmt.Sprintf("ACL Entry Added:\n"+ - "Initiator Type: %s\n"+ - "Username: %s\n", - InitiatorTypeToString[int(entry.InitiatorType)], - entry.Username) + s += fmt.Sprintf("\nUsername: %s", entry.Username) } + + return s } func aclEntryModifiedToString(entry *ACLEntry) string { @@ -1057,81 +1321,66 @@ func aclEntryModifiedToString(entry *ACLEntry) string { parameterModifiedStr = parameterModifiedStr[:len(parameterModifiedStr)-2] // Remove the trailing comma and space } - return fmt.Sprintf("ACL Entry Modified:\n"+ - "Parameter Modified: %s\n"+ - "Initiator Type: %s\n"+ - "Username Length: %d\n"+ - "SID: %d\n"+ - "Username: %s\n"+ - "Domain Length: %d\n"+ - "Domain: %s\n", - parameterModifiedStr, - InitiatorTypeToString[int(entry.InitiatorType)], - entry.UsernameLength, - entry.SID, - entry.Username, - entry.DomainLength, - entry.Domain) + s := fmt.Sprintf("\nParameter(s) Modified: %s\nInitiator Type: %s", parameterModifiedStr, initiatorTypeToString[int(entry.InitiatorType)]) + if entry.UsernameLength == 0 { + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } + } else { + s += fmt.Sprintf("\nUsername: %s", entry.Username) + } + + return s } func aclEntryRemovedToString(entry *ACLEntry) string { - return fmt.Sprintf("ACL Entry Removed:\n"+ - "Initiator Type: %s\n"+ - "Username Length: %d\n"+ - "SID: %d\n"+ - "Username: %s\n"+ - "Domain Length: %d\n"+ - "Domain: %s\n", - InitiatorTypeToString[int(entry.InitiatorType)], - entry.UsernameLength, - entry.SID, - entry.Username, - entry.DomainLength, - entry.Domain) + s := fmt.Sprintf("\nInitiator Type: %s", initiatorTypeToString[int(entry.InitiatorType)]) + if entry.UsernameLength == 0 { + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } + } else { + s += fmt.Sprintf("\nUsername: %s", entry.Username) + } + + return s } func aclEntryEnabledToString(entry *ACLEntry) string { - return fmt.Sprintf("ACL Entry State Changed:\n"+ - "Entry State: %s\n"+ - "Initiator Type: %s\n"+ - "Username Length: %d\n"+ - "SID: %d\n"+ - "Username: %s\n"+ - "Domain Length: %d\n"+ - "Domain: %s\n", - []string{"Disabled", "Enabled"}[int(entry.EntryState)], - InitiatorTypeToString[int(entry.InitiatorType)], - entry.UsernameLength, - entry.SID, - entry.Username, - entry.DomainLength, - entry.Domain) + s := fmt.Sprintf("\nEntry State: %s\nInitiator Type: %s", []string{"Disabled", "Enabled"}[int(entry.EntryState)], initiatorTypeToString[int(entry.InitiatorType)]) + if entry.UsernameLength == 0 { + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } + } else { + s += fmt.Sprintf("\nUsername: %s", entry.Username) + } + + return s } -func getCertificateSerialNumber(data []byte) string { - buf := bytes.NewBuffer(data) - if len(data) > 0 { - serialNumber := make([]byte, 20) - if _, err := buf.Read(serialNumber); err != nil { - return "" - } +func readCertificateSerialNumberToString(data []byte) string { + byteData := []byte(data) - return "Certificate serial number: " + string(serialNumber) - } - return "" + hexString := hex.EncodeToString(byteData) + + return "\nCertificate serial number: " + string(hexString) } func getCommonACLProperties(buf *bytes.Buffer, entry *ACLEntry) { // Read Initiator Type - binary.Read(buf, binary.LittleEndian, &entry.InitiatorType) + _ = binary.Read(buf, binary.LittleEndian, &entry.InitiatorType) // Read Username Length - binary.Read(buf, binary.LittleEndian, &entry.UsernameLength) + _ = binary.Read(buf, binary.LittleEndian, &entry.UsernameLength) if entry.UsernameLength == 0 { - binary.Read(buf, binary.LittleEndian, &entry.SID) + _ = binary.Read(buf, binary.LittleEndian, &entry.SID) - binary.Read(buf, binary.LittleEndian, &entry.DomainLength) + _ = binary.Read(buf, binary.LittleEndian, &entry.DomainLength) domain := make([]byte, entry.DomainLength) @@ -1149,9 +1398,7 @@ func getCommonACLProperties(buf *bytes.Buffer, entry *ACLEntry) { func getACLParameters(buf *bytes.Buffer, entry *ACLEntry) { // Read Parameter Modified - if err := binary.Read(buf, binary.LittleEndian, &entry.ParameterModified); err != nil { - return - } + _ = binary.Read(buf, binary.LittleEndian, &entry.ParameterModified) } func readACLData(id int, data []byte) ACLEntry { @@ -1165,7 +1412,7 @@ func readACLData(id int, data []byte) ACLEntry { getACLParameters(&buf, &entry) getCommonACLProperties(&buf, &entry) case 6: - binary.Read(&buf, binary.LittleEndian, &entry.EntryState) + _ = binary.Read(&buf, binary.LittleEndian, &entry.EntryState) getCommonACLProperties(&buf, &entry) } @@ -1176,16 +1423,16 @@ func readBootOptionsData(data []byte) RemoteControlEvent { buf := bytes.NewBuffer(data) rce := RemoteControlEvent{} - binary.Read(buf, binary.LittleEndian, &rce.SpecialCommand) - binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameter) - binary.Read(buf, binary.LittleEndian, &rce.BootOptions) - binary.Read(buf, binary.LittleEndian, &rce.OEMParameters) + _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommand) + _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameter) + _ = binary.Read(buf, binary.LittleEndian, &rce.BootOptions) + _ = binary.Read(buf, binary.LittleEndian, &rce.OEMParameters) return rce } -func parseBootOptionData(rce RemoteControlEvent) string { - s := "Boot Media: " + []string{"None", "Floppy", "CD", "HDD", "USB", "PXE", "Diagnostic Partition", "BIOS Setup"}[rce.BootOptions] + +func remoteControlEventToString(rce RemoteControlEvent) string { + s := "\nBoot Media: " + []string{"None", "Floppy", "CD", "HDD", "USB", "PXE", "Diagnostic Partition", "BIOS Setup"}[rce.BootOptions] + "\n " + "Boot Media Override: " + []string{"Disabled", "Enabled"}[rce.SpecialCommand] + "\n " + "BIOS Pause: " + []string{"Disabled", "Enabled"}[rce.OEMParameters] + "\n " + "BIOS Pause Key: " + []string{"None", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10", "F11", "F12"}[rce.SpecialCommandParameter] @@ -1194,10 +1441,10 @@ func parseBootOptionData(rce RemoteControlEvent) string { } func readFWVersion(buf *bytes.Buffer, version *FWVersion) { - binary.Read(buf, binary.LittleEndian, &version.Major) - binary.Read(buf, binary.LittleEndian, &version.Minor) - binary.Read(buf, binary.LittleEndian, &version.Hotfix) - binary.Read(buf, binary.LittleEndian, &version.Build) + _ = binary.Read(buf, binary.LittleEndian, &version.Major) + _ = binary.Read(buf, binary.LittleEndian, &version.Minor) + _ = binary.Read(buf, binary.LittleEndian, &version.Hotfix) + _ = binary.Read(buf, binary.LittleEndian, &version.Build) } func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrationEvent { @@ -1205,15 +1452,15 @@ func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrati event := NetworkAdministrationEvent{} switch id { case 0: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.DHCPEnabled) - binary.Read(buf, binary.LittleEndian, &event.IPV4Address) - binary.Read(buf, binary.LittleEndian, &event.SubnetMask) - binary.Read(buf, binary.LittleEndian, &event.Gateway) - binary.Read(buf, binary.LittleEndian, &event.PrimaryDNS) - binary.Read(buf, binary.LittleEndian, &event.SecondaryDNS) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.DHCPEnabled) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV4Address) + _ = binary.Read(buf, binary.LittleEndian, &event.SubnetMask) + _ = binary.Read(buf, binary.LittleEndian, &event.Gateway) + _ = binary.Read(buf, binary.LittleEndian, &event.PrimaryDNS) + _ = binary.Read(buf, binary.LittleEndian, &event.SecondaryDNS) case 1: - binary.Read(buf, binary.LittleEndian, &event.HostNameLength) + _ = binary.Read(buf, binary.LittleEndian, &event.HostNameLength) hostname := make([]byte, event.HostNameLength) @@ -1221,7 +1468,7 @@ func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrati event.HostName = string(hostname) case 2: - binary.Read(buf, binary.LittleEndian, &event.DomainNameLength) + _ = binary.Read(buf, binary.LittleEndian, &event.DomainNameLength) domainName := make([]byte, event.DomainNameLength) @@ -1229,22 +1476,22 @@ func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrati event.DomainName = string(domainName) case 3: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.VLANTag) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.VLANTag) case 4: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.LinkPolicy) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.LinkPolicy) case 5: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.IPV6Enabled) - binary.Read(buf, binary.LittleEndian, &event.InterfaceIDGenType) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Enabled) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceIDGenType) if event.InterfaceIDGenType == 2 { - binary.Read(buf, binary.LittleEndian, &event.InterfaceID) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceID) } - binary.Read(buf, binary.LittleEndian, &event.IPV6Address) - binary.Read(buf, binary.LittleEndian, &event.IPV6Gateway) - binary.Read(buf, binary.LittleEndian, &event.IPV6PrimaryDNS) - binary.Read(buf, binary.LittleEndian, &event.IPV6SecondaryDNS) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Address) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Gateway) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6PrimaryDNS) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6SecondaryDNS) } return event @@ -1256,18 +1503,18 @@ func readEventManagerEventData(id int, data []byte) EventManagerEvent { switch id { case 0, 1: - binary.Read(buf, binary.LittleEndian, &event.PolicyID) - binary.Read(buf, binary.LittleEndian, &event.SubscriptionAlertType) - binary.Read(buf, binary.LittleEndian, &event.IPAddrType) - binary.Read(buf, binary.LittleEndian, &event.AlertTargetIPAddress) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyID) + _ = binary.Read(buf, binary.LittleEndian, &event.SubscriptionAlertType) + _ = binary.Read(buf, binary.LittleEndian, &event.IPAddrType) + _ = binary.Read(buf, binary.LittleEndian, &event.AlertTargetIPAddress) case 3: - binary.Read(buf, binary.LittleEndian, &event.Freeze) + _ = binary.Read(buf, binary.LittleEndian, &event.Freeze) } return event } -func parseEventManagerEventData(event EventManagerEvent) string { +func eventManagerEventDataToString(event EventManagerEvent) string { s := "Policy ID: " + fmt.Sprint(event.PolicyID) + "\nSubscription Alert Type: " + []string{"SNMP"}[event.SubscriptionAlertType] + "\nIP Address Type: " + []string{"IPv4", "IPv6"}[event.IPAddrType] @@ -1287,19 +1534,19 @@ func readSystemDefenseManagerEventData(id int, data []byte) SystemDefenseManager switch id { case 1: - binary.Read(buf, binary.LittleEndian, &event.FilterHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.FilterHandle) case 3: - binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) case 4: - binary.Read(buf, binary.LittleEndian, &event.HardwareInterface) - binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.HardwareInterface) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) case 5: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) - binary.Read(buf, binary.LittleEndian, &event.BlockAll) - binary.Read(buf, binary.LittleEndian, &event.BlockOffensivePort) - binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.BlockAll) + _ = binary.Read(buf, binary.LittleEndian, &event.BlockOffensivePort) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) case 6: - binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) } return event @@ -1311,11 +1558,11 @@ func readAgentPresenceManagerEventData(id int, data []byte) AgentPresenceManager switch id { case 0: - binary.Read(buf, binary.LittleEndian, &event.AgentID) - binary.Read(buf, binary.LittleEndian, &event.AgentHeartBeatTime) - binary.Read(buf, binary.LittleEndian, &event.AgentStartupTime) + _ = binary.Read(buf, binary.LittleEndian, &event.AgentID) + _ = binary.Read(buf, binary.LittleEndian, &event.AgentHeartBeatTime) + _ = binary.Read(buf, binary.LittleEndian, &event.AgentStartupTime) case 1, 2: - binary.Read(buf, binary.LittleEndian, &event.AgentID) + _ = binary.Read(buf, binary.LittleEndian, &event.AgentID) } return event @@ -1327,18 +1574,33 @@ func readWirelessConfigurationEventData(id int, data []byte) WirelessConfigurati switch id { case 0, 2: - binary.Read(buf, binary.LittleEndian, &event.SSID) - binary.Read(buf, binary.LittleEndian, &event.ProfilePriority) - binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) - binary.Read(buf, binary.LittleEndian, &event.ProfileName) + _ = binary.Read(buf, binary.LittleEndian, &event.SSID) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfilePriority) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileName) case 1: - binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) - binary.Read(buf, binary.LittleEndian, &event.ProfileName) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileName) case 3: - binary.Read(buf, binary.LittleEndian, &event.ProfileSync) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileSync) case 4: - binary.Read(buf, binary.LittleEndian, &event.Timeout) - binary.Read(buf, binary.LittleEndian, &event.LinkPreference) + _ = binary.Read(buf, binary.LittleEndian, &event.Timeout) + _ = binary.Read(buf, binary.LittleEndian, &event.LinkPreference) + } + + return event +} + +func readUserOptInEventData(id int, data []byte) UserOptInEvent { + buf := bytes.NewBuffer(data) + event := UserOptInEvent{} + + switch id { + case 0: + _ = binary.Read(buf, binary.LittleEndian, &event.PreviousOptInPolicy) + _ = binary.Read(buf, binary.LittleEndian, &event.CurrentOptInPolicy) + case 1: + _ = binary.Read(buf, binary.LittleEndian, &event.OperationStatus) } return event @@ -1392,125 +1654,3 @@ func getInitiatorInfo(decodedEventRecord string) (initatorType byte, initiator s return initiatorType, initiator, ptr } - -var ExtendedDataMap = map[int]string{ - 0: "Invalid ME access", - 1: "Invalid MEBx access", -} - -var AMTAuditStringTable = map[int]string{ - 16: "Security Admin", - 17: "RCO", - 18: "Redirection Manager", - 19: "Firmware Update Manager", - 20: "Security Audit Log", - 21: "Network Time", - 22: "Network Administration", - 23: "Storage Administration", - 24: "Event Manager", - 25: "Circuit Breaker Manager", - 26: "Agent Presence Manager", - 27: "Wireless Configuration", - 28: "EAC", - 29: "KVM", - 30: "User Opt-In Events", - 32: "Screen Blanking", - 33: "Watchdog Events", - 1600: "Provisioning Started", - 1601: "Provisioning Completed", - 1602: "ACL Entry Added", - 1603: "ACL Entry Modified", - 1604: "ACL Entry Removed", - 1605: "ACL Access with Invalid Credentials", - 1606: "ACL Entry State", - 1607: "TLS State Changed", - 1608: "TLS Server Certificate Set", - 1609: "TLS Server Certificate Remove", - 1610: "TLS Trusted Root Certificate Added", - 1611: "TLS Trusted Root Certificate Removed", - 1612: "TLS Preshared Key Set", - 1613: "Kerberos Settings Modified", - 1614: "Kerberos Master Key Modified", - 1615: "Flash Wear out Counters Reset", - 1616: "Power Package Modified", - 1617: "Set Realm Authentication Mode", - 1618: "Upgrade Client to Admin Control Mode", - 1619: "Unprovisioning Started", - 1700: "Performed Power Up", - 1701: "Performed Power Down", - 1702: "Performed Power Cycle", - 1703: "Performed Reset", - 1704: "Set Boot Options", - 1705: "Remote graceful power down initiated", - 1706: "Remote graceful reset initiated", - 1707: "Remote Standby initiated", - 1708: "Remote Hiberate initiated", - 1709: "Remote NMI initiated", - 1800: "IDER Session Opened", - 1801: "IDER Session Closed", - 1802: "IDER Enabled", - 1803: "IDER Disabled", - 1804: "SoL Session Opened", - 1805: "SoL Session Closed", - 1806: "SoL Enabled", - 1807: "SoL Disabled", - 1808: "KVM Session Started", - 1809: "KVM Session Ended", - 1810: "KVM Enabled", - 1811: "KVM Disabled", - 1812: "VNC Password Failed 3 Times", - 1900: "Firmware Updated", - 1901: "Firmware Update Failed", - 2000: "Security Audit Log Cleared", - 2001: "Security Audit Policy Modified", - 2002: "Security Audit Log Disabled", - 2003: "Security Audit Log Enabled", - 2004: "Security Audit Log Exported", - 2005: "Security Audit Log Recovered", - 2100: "Intel(R) ME Time Set", - 2200: "TCPIP Parameters Set", - 2201: "Host Name Set", - 2202: "Domain Name Set", - 2203: "VLAN Parameters Set", - 2204: "Link Policy Set", - 2205: "IPv6 Parameters Set", - 2300: "Global Storage Attributes Set", - 2301: "Storage EACL Modified", - 2302: "Storage FPACL Modified", - 2303: "Storage Write Operation", - 2400: "Alert Subscribed", - 2401: "Alert Unsubscribed", - 2402: "Event Log Cleared", - 2403: "Event Log Frozen", - 2500: "CB Filter Added", - 2501: "CB Filter Removed", - 2502: "CB Policy Added", - 2503: "CB Policy Removed", - 2504: "CB Default Policy Set", - 2505: "CB Heuristics Option Set", - 2506: "CB Heuristics State Cleared", - 2600: "Agent Watchdog Added", - 2601: "Agent Watchdog Removed", - 2602: "Agent Watchdog Action Set", - 2700: "Wireless Profile Added", - 2701: "Wireless Profile Removed", - 2702: "Wireless Profile Updated", - 2703: "An existing profile sync was modified", - 2704: "An existing profile link preference was changed", - 2705: "Wireless profile share with UEFI enabled setting was changed", - 2800: "EAC Posture Signer SET", - 2801: "EAC Enabled", - 2802: "EAC Disabled", - 2803: "EAC Posture State", - 2804: "EAC Set Options", - 2900: "KVM Opt-in Enabled", - 2901: "KVM Opt-in Disabled", - 2902: "KVM Password Changed", - 2903: "KVM Consent Succeeded", - 2904: "KVM Consent Failed", - 3000: "Opt-In Policy Change", - 3001: "Send Consent Code Event", - 3002: "Start Opt-In Blocked Event", - 3301: "A user has modified the Watchdog Action settings", - 3302: "A user has modified a Watchdog to add, remove, or alter the Watchdog Action connected to it", -} diff --git a/pkg/wsman/amt/auditlog/decoder_test.go b/pkg/wsman/amt/auditlog/decoder_test.go index 4bf3bc11..3cc8ef86 100644 --- a/pkg/wsman/amt/auditlog/decoder_test.go +++ b/pkg/wsman/amt/auditlog/decoder_test.go @@ -106,33 +106,98 @@ func TestRequestedState_String(t *testing.T) { func TestGetAuditLogExtendedDataString(t *testing.T) { tests := []struct { - name string - auditEventId int - data string - expected string + name string + appId int + eventId int + data string + expected string }{ - {"ACLEntryAdded", ACLEntryAdded, "\x00\x05Hello World", "Hello"}, - {"ACLEntryRemoved", ACLEntryRemoved, "\x00\x05Hello World", "Hello"}, - {"ACLEntryModified", ACLEntryModified, "\x01\x00Hello World", "Hello World"}, - {"ACLAccessWithInvalidCredentials", ACLAccessWithInvalidCredentials, "\x00", "Invalid ME access"}, - {"ACLAccessWithInvalidCredentials", ACLAccessWithInvalidCredentials, "\x01", "Invalid MEBx access"}, - {"ACLEntryStateChanged", ACLEntryStateChanged, "\x00\x00Hello World", "Disabled, Hello World"}, - {"ACLEntryStateChanged", ACLEntryStateChanged, "\x01\x01", "Enabled"}, - {"TLSStateChanged", TLSStateChanged, "\x01\x02", "Remote ServerAuth, Local MutualAuth"}, - {"SetRealmAuthenticationMode", SetRealmAuthenticationMode, "\x00\x00\x00\x00\x02", "Redirection, Disabled"}, - {"AMTUnprovisioningStarted", AMTUnprovisioningStarted, "\x03", "Local WSMAN"}, - {"FirmwareUpdate", FirmwareUpdate, "\x00\x01\x00\x02\x00\x03\x00\x04\x00\x05\x00\x06\x00\x07\x00\x08", "From 1.2.3.4 to 5.6.7.8"}, - {"AMTTimeSet", AMTTimeSet, "\x00\x00\x00\x00", time.Unix(0, 0).Local().Format(time.RFC1123)}, - {"OptInPolicyChange", OptInPolicyChange, "\x00\x01", "From None to KVM"}, - {"SendConsentCode", SendConsentCode, "\x00", "Success"}, + {"Security Admin - Provisioning Started", SecurityAdmin, 0, "", "Intel AMT transitioned to setup mode."}, + {"Security Admin - Provisioning Completed Manual", SecurityAdmin, 1, "\x03", "Intel AMT transitioned to operational mode.\nProvisioning Method: Manual Provisioning via MEBx"}, + {"Security Admin - Provisioning Completed PKI", SecurityAdmin, 1, "\x05\x02\xcb<˷`1\xe5\xe0\x13\x8f\x8dӚ#\xf9\xdeG\xff\xc3^C\xc1\x14L\xea'\xd4jZ\xb1\xcb_\x02\f\x8e\xe0\xc9\rj\x89\x15\x88\x04\x06\x1e\xe2A\xf9\xaf\x03:\xf1\xe6\xa7\x11\xa9\xa0\xbb(d\xb1\x1d\t\xfa\xe5\x00\x12Intel.vprodemo.com", "Intel AMT transitioned to operational mode.\nProvisioning Method: Host-Based Provisioning Admin Mode\nHash Type: SHA 256\nTrusted Root Cert Hash: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f\nNumber of Certificates: 2\nCert Serial Numbers (first 3): [0c8ee0c90d6a89158804061ee241f9af 033af1e6a711a9a0bb2864b11d09fae5]\nProvisioning Server FQDN: Intel.vprodemo.com"}, + {"Security Admin - ACL Added without data", SecurityAdmin, 2, "", "User entry was added to the Intel AMT Device."}, + {"Security Admin - ACL Added with data", SecurityAdmin, 2, "\x00\x04test", "User entry was added to the Intel AMT Device.\nACL Entry Added.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified without data", SecurityAdmin, 3, "", "User entry was updated in the Intel AMT device."}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\x00\x04test", "User entry was updated in the Intel AMT device.\nACL Entry Added.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Removed without data", SecurityAdmin, 4, "", "User entry was removed from the Intel AMT device."}, + {"Security Admin - ACL Removed with data", SecurityAdmin, 4, "\x00\x04test", "User entry was removed from the Intel AMT device.\nACL Entry Added.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - Invalid credentials Intel AMT", SecurityAdmin, 5, "\x00", "User attempted to access Intel AMT with invalid credentials."}, + {"Security Admin - Invalid credentials MEBx", SecurityAdmin, 5, "\x01", "User attempted to access MEBx with invalid credentials."}, + {"Security Admin - ACL State change without data ", SecurityAdmin, 6, "", "ACL entry state was changed."}, + {"Security Admin - ACL State change with data ", SecurityAdmin, 6, "\x01\x01\x04test", "ACL entry state was changed.\nEntry State: Enabled\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - TLS State change without data", SecurityAdmin, 7, "", "TLS state changed."}, + {"Security Admin - TLS State change with data", SecurityAdmin, 7, "\x01\x00", "TLS state changed.\nRemote: Server Auth\nLocal: No Auth"}, + {"Security Admin - TLS Server Certificate Set without data", SecurityAdmin, 8, "", "TLS server certificate was defined."}, + {"Security Admin - TLS Server Certificate Set with data", SecurityAdmin, 8, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS server certificate was defined.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Server Certificate Removed without data", SecurityAdmin, 9, "", "TLS server certificate was removed."}, + {"Security Admin - TLS Server Certificate Removed with data", SecurityAdmin, 9, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS server certificate was removed.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Trusted Root Certificate Added without data", SecurityAdmin, 10, "", "TLS trusted root certificate was added."}, + {"Security Admin - TLS Trusted Root Certificate Added with data", SecurityAdmin, 10, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS trusted root certificate was added.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Trusted Root Certificate Removed without data", SecurityAdmin, 11, "", "TLS trusted root certificate was removed."}, + {"Security Admin - TLS Trusted Root Certificate Removed with data", SecurityAdmin, 11, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS trusted root certificate was removed.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Pre-Shared Key Set", SecurityAdmin, 12, "", "TLS pre-shared key was defined."}, + {"Security Admin - Kerberos Settings Modified without data", SecurityAdmin, 13, "", "Kerberos settings were modified."}, + {"Security Admin - Kerberos Settings Modified with data", SecurityAdmin, 13, "\x01", "Kerberos settings were modified.\nTime tolerance: 1"}, + {"Security Admin - Kerberos Master Key Modified", SecurityAdmin, 14, "", "Kerberos master key or passphrase was modified."}, + {"Security Admin - Flash Wear Out Counter Reset", SecurityAdmin, 15, "", "Flash wear out counter was reset."}, + {"Security Admin - Power Package Modified without data", SecurityAdmin, 16, "", "Active power package was set."}, + {"Security Admin - Power Package Modified with data", SecurityAdmin, 16, "\x01", "Active power package was set.\nPower policy: 1"}, + {"Security Admin - Set Realm Authentication Mode without data", SecurityAdmin, 17, "", "Realm authentication mode changed."}, + {"Security Admin - Set Realm Authentication Mode with data", SecurityAdmin, 17, "\x01\x00\x00\x00\x01", "Realm authentication mode changed.\nPT Administration, Auth"}, + {"Security Admin - Upgrade Client to Admin", SecurityAdmin, 18, "", "The control mode of the Intel AMT was changed from Client control to Admin control."}, + {"Security Admin - AMT UnProvisioning Started - BIOS", SecurityAdmin, 19, "\x00", "BIOS"}, + {"Security Admin - AMT UnProvisioning Started - MEBx", SecurityAdmin, 19, "\x01", "MEBx"}, + {"Security Admin - AMT UnProvisioning Started - Local MEI", SecurityAdmin, 19, "\x02", "Local MEI"}, + {"Security Admin - AMT UnProvisioning Started - Local WSMAN", SecurityAdmin, 19, "\x03", "Local WSMAN"}, + {"Security Admin - AMT UnProvisioning Started - Remote WSMAN", SecurityAdmin, 19, "\x04", "Remote WSMAN"}, + {"Security Admin - Unknown Event", SecurityAdmin, 20, "", "Unknown Event ID"}, + {"Remote Control - Performed Power-Up", RemoteControl, 0, "\x00\x00\x00\x00\x00\x00\x00", "Remote power up initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Power-Down", RemoteControl, 1, "", "Remote power down initiated."}, + {"Remote Control - Performed Power-Cycle", RemoteControl, 2, "\x00\x00\x00\x00\x00\x00\x00", "Remote power cycle initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Reset", RemoteControl, 3, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Set Boot Options", RemoteControl, 4, "\x05\x00\x00\x00\x00\x00\x00", "Boot options were set.\nBoot Media: PXE\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Graceful Power Down", RemoteControl, 5, "", "Remote graceful power down initiated."}, + {"Remote Control - Performed Graceful Power Reset", RemoteControl, 6, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Standby", RemoteControl, 7, "", "Remote standby initiated."}, + {"Remote Control - Performed Hibernate", RemoteControl, 8, "", "Remote hibernate initiated."}, + {"Remote Control - Performed NMI", RemoteControl, 9, "", "Remote NMI initiated."}, + {"Remote Control - Unknown Event", RemoteControl, 10, "", "Unknown Event ID"}, + {"Redirection Manager - IDER Session Opened", RedirectionManager, 0, "", "An application opened a Storage Redirection session."}, + {"Redirection Manager - IDER Session Closed", RedirectionManager, 1, "", "An application or firmware closed a Storage Redirection session."}, + {"Redirection Manager - IDER Enabled", RedirectionManager, 2, "", "Storage Redirection was enabled."}, + {"Redirection Manager - IDER Disabled", RedirectionManager, 3, "", "Storage Redirection was disabled."}, + {"Redirection Manager - SoL Session Opened", RedirectionManager, 4, "", "An application opened a Serial Over LAN session."}, + {"Redirection Manager - SoL Session Closed", RedirectionManager, 5, "", "An application or firmware closed a Serial Over LAN session."}, + {"Redirection Manager - SoL Enabled", RedirectionManager, 6, "", "Serial Over LAN was enabled."}, + {"Redirection Manager - SoL Disabled", RedirectionManager, 7, "", "Serial Over LAN was disabled."}, + {"Redirection Manager - KVM Session Started", RedirectionManager, 8, "", "An application opened a Keyboard-Video-Mouse session."}, + {"Redirection Manager - KVM Session Ended", RedirectionManager, 9, "", "An application or firmware closed a Keyboard-Video-Mouse session."}, + {"Redirection Manager - KVM Enabled", RedirectionManager, 10, "", "Keyboard-Video-Mouse was enabled."}, + {"Redirection Manager - KVM Disabled", RedirectionManager, 11, "", "Keyboard-Video-Mouse was disabled."}, + {"Redirection Manager - VNC Password Failed", RedirectionManager, 12, "", "Incorrect Remote Frame Buffer (RFB) password entered 3 times."}, + {"Firmware Update Manager", FirmwareUpdateManager, "\x00", "Invalid ME access"}, + {"Security Audit Log", SecurityAuditLog, "\x01", "Invalid MEBx access"}, + {"Network Time", NetworkTime, 0, "d\x9aNp", "Command received to set Intel AMT local time. Time: 2023-06-26 19:50:24 -0700 MST"}, + {"Network Administration", NetworkAdministration, "\x01\x01", "Enabled"}, + {"Storage Administration", StorageAdministration, "\x01\x02", "Remote ServerAuth, Local MutualAuth"}, + {"Event Manager", EventManager, "\x00\x00\x00\x00\x02", "Redirection, Disabled"}, + {"System Defense Manager", SystemDefenseManager, "\x03", "Local WSMAN"}, + {"Agent Presence Manager", AgentPresenceManager, "\x00\x01\x00\x02\x00\x03\x00\x04\x00\x05\x00\x06\x00\x07\x00\x08", "From 1.2.3.4 to 5.6.7.8"}, + {"Wireless Configuration", WirelessConfiguration, "\x00\x00\x00\x00", time.Unix(0, 0).Local().Format(time.RFC1123)}, + {"Endpoint Access Control", EndpointAccessControl, "\x00\x01", "From None to KVM"}, + {"Keyboard Video Mouse", KeyboardVideoMouse, "", "Success"}, + {"User Opt-In", UserOptIn, 0, "\x01\x00", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: KVM\nCurrent Opt-In Policy: None"}, + {"Screen Blanking", ScreenBlanking, "\x00", "Success"}, + {"Watchdog", Watchdog, "\x00", "Success"}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - result := GetAuditLogExtendedDataString(tt.auditEventId, tt.data) + result := GetAuditLogExtendedDataString(tt.appId, tt.eventId, tt.data) if result != tt.expected { - t.Errorf("GetAuditLogExtendedDataString(%d, %q) = %v; want %v", tt.auditEventId, tt.data, result, tt.expected) + t.Errorf("GetAuditLogExtendedDataString(%d, %d, %q) = %v; want %v", tt.appId, tt.eventId, tt.data, result, tt.expected) } }) } } + diff --git a/pkg/wsman/amt/auditlog/types.go b/pkg/wsman/amt/auditlog/types.go index f3dca180..26679be7 100644 --- a/pkg/wsman/amt/auditlog/types.go +++ b/pkg/wsman/amt/auditlog/types.go @@ -197,13 +197,19 @@ type ( } WirelessConfigurationEvent struct { - SSID []uint8 - ProfilePriority uint8 - ProfileNameLength uint8 - ProfileName []uint8 - ProfileSync []uint32 - Timeout []uint32 - LinkPreference []uint32 + SSID []uint8 + ProfilePriority uint8 + ProfileNameLength uint8 + ProfileName []uint8 + ProfileSync []uint32 + Timeout []uint32 + LinkPreference []uint32 ProfileSharingWithUEFI uint8 } + + UserOptInEvent struct { + PreviousOptInPolicy uint8 + CurrentOptInPolicy uint8 + OperationStatus uint8 + } ) From c3ec06fa22996a6f4437a0d7d5d9bcbbd268867f Mon Sep 17 00:00:00 2001 From: Matt Primrose Date: Fri, 28 Jun 2024 16:23:56 -0700 Subject: [PATCH 3/5] more audit log test updates --- pkg/wsman/amt/auditlog/decoder.go | 256 ++++++++++++++++--------- pkg/wsman/amt/auditlog/decoder_test.go | 97 +++++++--- pkg/wsman/amt/auditlog/message_test.go | 12 +- pkg/wsman/amt/auditlog/types.go | 11 +- 4 files changed, 245 insertions(+), 131 deletions(-) diff --git a/pkg/wsman/amt/auditlog/decoder.go b/pkg/wsman/amt/auditlog/decoder.go index 28ebc7a4..99c21f13 100644 --- a/pkg/wsman/amt/auditlog/decoder.go +++ b/pkg/wsman/amt/auditlog/decoder.go @@ -491,7 +491,7 @@ func parseSecurityAdminEvents(eventId int, data string) string { if len(byteData) > 0 { var entry = readACLData(ACLEntryAdded, byteData) - extendedDataString += aclEntryAddedToString(&entry) + extendedDataString += aclEntryToString(&entry) } case ACLEntryModified: extendedDataString = "User entry was updated in the Intel AMT device." @@ -506,7 +506,7 @@ func parseSecurityAdminEvents(eventId int, data string) string { if len(byteData) > 0 { var entry = readACLData(ACLEntryRemoved, byteData) - extendedDataString = aclEntryRemovedToString(&entry) + extendedDataString += aclEntryToString(&entry) } case ACLAccessWithInvalidCredentials: if len(data) > 0 { @@ -552,7 +552,7 @@ func parseSecurityAdminEvents(eventId int, data string) string { case KerberosSettingsModified: extendedDataString = "Kerberos settings were modified." if len(data) > 0 { - extendedDataString += "Time tolerance: " + string(byteData) + extendedDataString += "\nTime tolerance: " + fmt.Sprint(byteData[0]) } case KerberosMasterKeyModified: extendedDataString = "Kerberos master key or passphrase was modified." @@ -561,19 +561,21 @@ func parseSecurityAdminEvents(eventId int, data string) string { case PowerPackageModified: extendedDataString = "Active power package was set." if len(data) > 0 { - extendedDataString += "Power policy: " + string(byteData) + extendedDataString += "\nPower policy: " + fmt.Sprint(byteData[0]) } case SetRealmAuthenticationMode: extendedDataString = "Realm authentication mode changed." if len(data) > 0 { - extendedDataString += "\n" + RealmNames[common.ReadInt(data, 0)] + ", " + []string{"NoAuth", "Auth", "Disabled"}[data[4]] + byteData := []byte(data) + extendedDataString += "\n" + RealmNames[byteData[0]] + ", " + []string{"NoAuth", "Auth", "Disabled"}[byteData[4]] } case UpgradeClientToAdmin: extendedDataString = "The control mode of the Intel AMT was changed from Client control to Admin control." case AMTUnProvisioningStarted: extendedDataString = "Intel AMT UnProvisioned Started." if len(data) > 0 { - extendedDataString = "\nInitiator: " + []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[data[0]] + byteData := []byte(data) + extendedDataString += "\nInitiator: " + []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[byteData[0]] } default: extendedDataString = "Unknown Event ID" @@ -759,9 +761,9 @@ func parseSecurityAuditLog(eventId int, data string) string { case SecurityAuditPolicyModified: extendedDataString = "Audit policy event was enabled or disabled." case SecurityAuditLogDisabled: - extendedDataString = "Audit monitor feature was disabled." + extendedDataString = "Access monitor feature was disabled." case SecurityAuditLogEnabled: - extendedDataString = "Audit monitor feature was enabled." + extendedDataString = "Access monitor feature was enabled." case SecurityAuditLogExported: extendedDataString = "Audit log signature and log-related information was exported." case SecurityAuditLogRecovered: @@ -812,10 +814,10 @@ func parseNetworkAdministrationEvents(eventId int, data string) string { switch eventId { case TCPIPParametersSet: - extendedDataString = "TCP/IP parameters were set.\n" + extendedDataString = "TCP/IP parameters were set." if len(data) > 0 { event := readNetworkAdministrationEventData(TCPIPParametersSet, []byte(data)) - extendedDataString += "DHCP Enabled: " + []string{"Disabled", "Enabled"}[event.DHCPEnabled] + + extendedDataString += "\nDHCP Enabled: " + []string{"Disabled", "Enabled"}[event.DHCPEnabled] + "\nStatic IP: " + string(convertUINT32ToIPv4(event.IPV4Address)) + "\nSubnet Mask: " + string(convertUINT32ToIPv4(event.SubnetMask)) + "\nGateway: " + string(convertUINT32ToIPv4(event.Gateway)) @@ -824,39 +826,43 @@ func parseNetworkAdministrationEvents(eventId int, data string) string { extendedDataString = "Host name was set" if len(data) > 0 { event := readNetworkAdministrationEventData(HostNameSet, []byte(data)) - extendedDataString = " to " + event.HostName + extendedDataString += " to " + event.HostName } case DomainNameSet: extendedDataString = "Domain name was set" if len(data) > 0 { event := readNetworkAdministrationEventData(DomainNameSet, []byte(data)) - extendedDataString = " to " + event.DomainName + extendedDataString += " to " + event.DomainName } case VLANParametersSet: extendedDataString = "VLAN tag was set" if len(data) > 0 { event := readNetworkAdministrationEventData(VLANParametersSet, []byte(data)) - extendedDataString = " to " + fmt.Sprint(event.VLANTag) + if event.VLANTag == 0 { + extendedDataString += " to disabled" + } else { + extendedDataString += " to " + fmt.Sprint(event.VLANTag) + } } case LinkPolicySet: extendedDataString = "Link policy was set" if len(data) > 0 { event := readNetworkAdministrationEventData(LinkPolicySet, []byte(data)) - extendedDataString = " to " + fmt.Sprint(event.LinkPolicy) + extendedDataString += " to " + fmt.Sprint(event.LinkPolicy) } case IPv6ParametersSet: - extendedDataString = "IPv6 parameters were set.\n" + extendedDataString = "IPv6 parameters were set." if len(data) > 0 { event := readNetworkAdministrationEventData(IPv6ParametersSet, []byte(data)) - extendedDataString += "IPv6 Enabled: " + []string{"Disabled", "Enabled"}[event.IPV6Enabled] + + extendedDataString += "\nIPv6: " + []string{"Disabled", "Enabled"}[event.IPV6Enabled] + "\nInterface Gen Type: " + InterfaceIDGenType[int(event.InterfaceIDGenType)] if event.InterfaceIDGenType == 2 { extendedDataString += "\nInterface ID: " + string(event.InterfaceID) } - extendedDataString += "\nIPV6 Address: " + string(event.IPV6Address) + - "\nIPV6 Gateway: " + string(event.IPV6Gateway) + - "\nIPV6 Primary DNS: " + string(event.IPV6PrimaryDNS) + - "\nIPV6 Secondary DNS: " + string(event.IPV6SecondaryDNS) + extendedDataString += "\nIPv6 Address: " + net.IP(event.IPV6Address).String() + + "\nIPv6 Gateway: " + net.IP(event.IPV6Gateway).String() + + "\nIPv6 Primary DNS: " + net.IP(event.IPV6PrimaryDNS).String() + + "\nIPv6 Secondary DNS: " + net.IP(event.IPV6SecondaryDNS).String() } } @@ -875,7 +881,7 @@ func parseStorageAdministrationEvents(eventId int, data string) string { switch eventId { case GlobalStorageAttributesSet: - extendedDataString = "Global storage attributes were set.\n" + extendedDataString = "Global storage attributes were set." if len(data) > 0 { byteData := []byte(data) buf := bytes.NewBuffer(byteData) @@ -885,7 +891,7 @@ func parseStorageAdministrationEvents(eventId int, data string) string { binary.Read(buf, binary.LittleEndian, &event.MaxPartnerStorage) binary.Read(buf, binary.LittleEndian, &event.MaxNonPartnerTotalAllocationSize) - extendedDataString += "Max Partner Storage: " + fmt.Sprint(event.MaxPartnerStorage) + + extendedDataString += "\nMax Partner Storage: " + fmt.Sprint(event.MaxPartnerStorage) + "\nMax Non-Partner Total Allocation Size: " + fmt.Sprint(event.MaxNonPartnerTotalAllocationSize) } @@ -913,9 +919,9 @@ func parseEventManagerEvents(eventId int, data string) string { switch eventId { case AlertSubscribed, AlertUnsubscribed: if eventId == AlertSubscribed { - extendedDataString = "An alert subscription was created successfully.\n" + extendedDataString = "An alert subscription was created successfully." } else { - extendedDataString = "An existing alert subscription was cancelled.\n" + extendedDataString = "An existing alert subscription was cancelled." } if len(data) > 0 { event := readEventManagerEventData(AlertSubscribed, []byte(data)) @@ -950,40 +956,40 @@ func parseSystemDefenseManagerEvents(eventId int, data string) string { case SDFilterAdded: extendedDataString = "Attempt made to add a system defense filter." case SDFilterRemoved: - extendedDataString = "System defense filter was removed successfully.\n" + extendedDataString = "System defense filter was removed successfully." if len(data) > 0 { event := readSystemDefenseManagerEventData(SDFilterRemoved, []byte(data)) - extendedDataString += "Filter Handle: " + string(event.FilterHandle) + extendedDataString += "\nFilter Handle: " + fmt.Sprint(event.FilterHandle) } case SDPolicyAdded: extendedDataString = "Attempt made to add a system defense policy." case SDPolicyRemoved: - extendedDataString = "System defense policy was removed successfully.\n" + extendedDataString = "System defense policy was removed successfully." if len(data) > 0 { event := readSystemDefenseManagerEventData(SDPolicyRemoved, []byte(data)) - extendedDataString += "Policy Handle: " + string(event.PolicyHandle) + extendedDataString += "\nPolicy Handle: " + fmt.Sprint(event.PolicyHandle) } case SDDefaultPolicySet: - extendedDataString = "System defense policy selected.\n" + extendedDataString = "System defense policy selected." if len(data) > 0 { event := readSystemDefenseManagerEventData(SDDefaultPolicySet, []byte(data)) - extendedDataString += "Hardware Interface: " + string(event.HardwareInterface) + - "\nPolicy Handle: " + string(event.PolicyHandle) + extendedDataString += "\nHardware Interface: " + fmt.Sprint(event.HardwareInterface) + + "\nPolicy Handle: " + fmt.Sprint(event.PolicyHandle) } case SDHeuristicsOptionSet: - extendedDataString = "System defense heuristics settings were set successfully.\n" + extendedDataString = "System defense heuristics settings were set successfully." if len(data) > 0 { event := readSystemDefenseManagerEventData(SDHeuristicsOptionSet, []byte(data)) - extendedDataString += "Interface Handle: " + string(event.InterfaceHandle) + - "\nBlock All: " + string(event.BlockAll) + - "\nBlock Offensive Port: " + string(event.BlockOffensivePort) + - "\nPolicy Handle: " + string(event.PolicyHandle) + extendedDataString += "\nInterface Handle: " + fmt.Sprint(event.InterfaceHandle) + + "\nBlock All: " + fmt.Sprint(event.BlockAll) + + "\nBlock Offensive Port: " + fmt.Sprint(event.BlockOffensivePort) + + "\nPolicy Handle: " + fmt.Sprint(event.PolicyHandle) } case SDHeuristicsStateCleared: - extendedDataString = "System defense heuristics settings were removed successfully.\n" + extendedDataString = "System defense heuristics settings were removed successfully." if len(data) > 0 { event := readSystemDefenseManagerEventData(SDHeuristicsStateCleared, []byte(data)) - extendedDataString += "Interface Handle: " + string(event.InterfaceHandle) + extendedDataString += "\nInterface Handle: " + fmt.Sprint(event.InterfaceHandle) } } @@ -1001,24 +1007,39 @@ func parseAgentPresenceManagerEvents(eventId int, data string) string { switch eventId { case AgentWatchdogAdded: - extendedDataString = "An application entry was created to be monitored.\n" + extendedDataString = "An application entry was created to be monitored." if len(data) > 0 { event := readAgentPresenceManagerEventData(AgentWatchdogAdded, []byte(data)) - extendedDataString += "Agent ID: " + string(event.AgentID) + - "\nAgent Heartbeat Time: " + string(event.AgentHeartBeatTime) + - "\nAgent Startup Time: " + string(event.AgentStartupTime) + extendedDataString += "\nAgent ID: " + fmt.Sprintf("%08x-%04x-%04x-%04x-%012x", + event.AgentID[0:4], + event.AgentID[4:6], + event.AgentID[6:8], + event.AgentID[8:10], + event.AgentID[10:]) + + "\nAgent Heartbeat Time: " + fmt.Sprint(event.AgentHeartBeatTime) + + "\nAgent Startup Time: " + fmt.Sprint(event.AgentStartupTime) } case AgentWatchdogRemoved: - extendedDataString = "An application entry was removed.\n" + extendedDataString = "An application entry was removed." if len(data) > 0 { event := readAgentPresenceManagerEventData(AgentWatchdogRemoved, []byte(data)) - extendedDataString += "Agent ID: " + string(event.AgentID) + extendedDataString += "\nAgent ID: " + fmt.Sprintf("%08x-%04x-%04x-%04x-%012x", + event.AgentID[0:4], + event.AgentID[4:6], + event.AgentID[6:8], + event.AgentID[8:10], + event.AgentID[10:]) } case AgentWatchdogActionSet: - extendedDataString = "Actions were set, added, or removed for an application watchdog entry.\n" + extendedDataString = "Actions were set, added, or removed for an application watchdog entry." if len(data) > 0 { event := readAgentPresenceManagerEventData(AgentWatchdogActionSet, []byte(data)) - extendedDataString += "Agent ID: " + string(event.AgentID) + extendedDataString += "\nAgent ID: " + fmt.Sprintf("%08x-%04x-%04x-%04x-%012x", + event.AgentID[0:4], + event.AgentID[4:6], + event.AgentID[6:8], + event.AgentID[8:10], + event.AgentID[10:]) } } @@ -1068,7 +1089,7 @@ func parseWirelessConfigurationEvents(eventId int, data string) string { if len(data) > 0 { event := readWirelessConfigurationEventData(WirelessProfileModified, []byte(data)) for _, profile := range event.ProfileSync { - extendedDataString += "\nProfile Sync: " + string(profile) + extendedDataString += "\nProfile Sync: " + fmt.Sprint(profile) } } case WirelessLinkPreferenceChanged: @@ -1076,7 +1097,7 @@ func parseWirelessConfigurationEvents(eventId int, data string) string { if len(data) > 0 { event := readWirelessConfigurationEventData(WirelessLinkPreferenceChanged, []byte(data)) for _, timeout := range event.Timeout { - extendedDataString += "\nTimeout: " + string(timeout) + extendedDataString += "\nTimeout: " + fmt.Sprint(timeout) } for _, linkPreference := range event.LinkPreference { extendedDataString += "\nLink Preference: " + []string{"none", "ME", "Host"}[linkPreference] @@ -1116,7 +1137,7 @@ func parseEndpointAccessControlEvents(eventId int, data string) string { buf := bytes.NewBuffer(byteData) var eacVendors uint32 _ = binary.Read(buf, binary.LittleEndian, &eacVendors) - extendedDataString += "\nEAC Vendors: " + string(eacVendors) + extendedDataString += "\nEAC Vendors: " + fmt.Sprint(eacVendors) } } @@ -1283,7 +1304,7 @@ func provisioningCompletedToString(provisioningCompleted *ProvisioningParameters return s } -func aclEntryAddedToString(entry *ACLEntry) string { +func aclEntryToString(entry *ACLEntry) string { s := fmt.Sprintf("\nInitiator Type: %s", initiatorTypeToString[int(entry.InitiatorType)]) if entry.UsernameLength == 0 { s += fmt.Sprintf("\nSID: %d", entry.SID) @@ -1319,23 +1340,11 @@ func aclEntryModifiedToString(entry *ACLEntry) string { } if len(parameterModifiedStr) > 0 { parameterModifiedStr = parameterModifiedStr[:len(parameterModifiedStr)-2] // Remove the trailing comma and space - } - - s := fmt.Sprintf("\nParameter(s) Modified: %s\nInitiator Type: %s", parameterModifiedStr, initiatorTypeToString[int(entry.InitiatorType)]) - if entry.UsernameLength == 0 { - s += fmt.Sprintf("\nSID: %d", entry.SID) - if entry.DomainLength > 0 { - s += fmt.Sprintf("\nDomain: %s", entry.Domain) - } } else { - s += fmt.Sprintf("\nUsername: %s", entry.Username) + parameterModifiedStr = "None" } - return s -} - -func aclEntryRemovedToString(entry *ACLEntry) string { - s := fmt.Sprintf("\nInitiator Type: %s", initiatorTypeToString[int(entry.InitiatorType)]) + s := fmt.Sprintf("\nParameter(s) Modified: %s\nInitiator Type: %s", parameterModifiedStr, initiatorTypeToString[int(entry.InitiatorType)]) if entry.UsernameLength == 0 { s += fmt.Sprintf("\nSID: %d", entry.SID) if entry.DomainLength > 0 { @@ -1424,18 +1433,69 @@ func readBootOptionsData(data []byte) RemoteControlEvent { rce := RemoteControlEvent{} _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommand) - _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameter) - _ = binary.Read(buf, binary.LittleEndian, &rce.BootOptions) - _ = binary.Read(buf, binary.LittleEndian, &rce.OEMParameters) + _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameterHighByte) + _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameterLowByte) + _ = binary.Read(buf, binary.LittleEndian, &rce.BootOptionsMaskByte1) + _ = binary.Read(buf, binary.LittleEndian, &rce.BootOptionsMaskByte2) + _ = binary.Read(buf, binary.LittleEndian, &rce.OEMParameterByte1) + _ = binary.Read(buf, binary.LittleEndian, &rce.OEMParameterByte2) return rce } +var remoteControlSpecialCommandToString = map[int]string{ + 0: "None", + 1: "PXE", + 2: "HDD", + 3: "HDD - Safe Mode", + 4: "Diagnostic Partition", + 5: "CD or DVD Boot", + 193: "Intel Command", + 194: "Intel Command - HTTPS Boot", + 195: "Intel Command - PBA Boot", +} + +var remoteControlSpecialCommandParameterHighByteToString = map[int]string{ + 0: "SRoU is connected to CD/DVD device", + 1: "SRoU is connected to floppy device", +} + +var remoteControlSpecialCommandParameterLowByte193ToString = map[int]string{ + 1: "SRoU is to be used on next boot.", + 2: "BIOS will enforce secure boot over SRoU.", + 4: "BIOS is to be re-flashed on next boot.", + 8: "Boot into BIOS SETUP screen.", + 16: "BIOS Pause on the next boot.", + 32: "BIOS is to participate in a KVM session.", + 64: "BIOS is to start a Remote Secure Erase (RSE) session.", + 128: "BIOS is to start a Remote Platform Erase (RPE) session.", +} + +var remoteControlSpecialCommandParameterLowByte194or195ToString = map[int]string{ + 2: "BIOS will enforce secure boot on next boot.", + 32: "BIOS is to participate in a KVM session.", +} + +var remoteControlSpecialCommandParameterLowByteOthersToString = map[int]string{ + 32: "BIOS is to participate in a KVM session.", +} + func remoteControlEventToString(rce RemoteControlEvent) string { - s := "\nBoot Media: " + []string{"None", "Floppy", "CD", "HDD", "USB", "PXE", "Diagnostic Partition", "BIOS Setup"}[rce.BootOptions] + - "\n " + "Boot Media Override: " + []string{"Disabled", "Enabled"}[rce.SpecialCommand] + - "\n " + "BIOS Pause: " + []string{"Disabled", "Enabled"}[rce.OEMParameters] + - "\n " + "BIOS Pause Key: " + []string{"None", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10", "F11", "F12"}[rce.SpecialCommandParameter] + // s := "\nBoot Media: " + []string{"None", "PXE", "HDD", "HDD - Safe Mode", "Diagnostic Partition", "CD or DVD Boot", "USB", "PXE", "BIOS Setup"}[rce.BootOptions] + + // "\n " + "Boot Media Override: " + []string{"Disabled", "Enabled"}[rce.SpecialCommand] + + // "\n " + "BIOS Pause: " + []string{"Disabled", "Enabled"}[rce.OEMParameters] + + // "\n " + "BIOS Pause Key: " + []string{"None", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10", "F11", "F12"}[rce.SpecialCommandParameter] + + s := "\nSpecial Command: " + remoteControlSpecialCommandToString[int(rce.SpecialCommand)] + + if rce.SpecialCommand == 193 { + s += "\nSpecial Command Parameter High Byte: " + remoteControlSpecialCommandParameterHighByteToString[int(rce.SpecialCommandParameterHighByte)] + s += "\nSpecial Command Parameter Low Byte: " + remoteControlSpecialCommandParameterLowByte193ToString[int(rce.SpecialCommandParameterLowByte)] + } else if rce.SpecialCommand > 193 { + s += "\nSpecial Command Parameter Low Byte: " + remoteControlSpecialCommandParameterLowByte194or195ToString[int(rce.SpecialCommandParameterLowByte)] + } else { + s += "\nSpecial Command Parameter Low Byte: " + remoteControlSpecialCommandParameterLowByteOthersToString[int(rce.SpecialCommandParameterLowByte)] + } return s } @@ -1486,12 +1546,21 @@ func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrati _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Enabled) _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceIDGenType) if event.InterfaceIDGenType == 2 { - _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceID) + interfaceId := make([]byte, 8) + buf.Read(interfaceId) } - _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Address) - _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Gateway) - _ = binary.Read(buf, binary.LittleEndian, &event.IPV6PrimaryDNS) - _ = binary.Read(buf, binary.LittleEndian, &event.IPV6SecondaryDNS) + ipv6Address := make([]byte, 16) + buf.Read(ipv6Address) + event.IPV6Address = ipv6Address + ipv6Gateway := make([]byte, 16) + buf.Read(ipv6Gateway) + event.IPV6Gateway = ipv6Gateway + ipv6PrimaryDNS := make([]byte, 16) + buf.Read(ipv6PrimaryDNS) + event.IPV6PrimaryDNS = ipv6PrimaryDNS + ipv6SecondaryDNS := make([]byte, 16) + buf.Read(ipv6SecondaryDNS) + event.IPV6SecondaryDNS = ipv6SecondaryDNS } return event @@ -1506,7 +1575,16 @@ func readEventManagerEventData(id int, data []byte) EventManagerEvent { _ = binary.Read(buf, binary.LittleEndian, &event.PolicyID) _ = binary.Read(buf, binary.LittleEndian, &event.SubscriptionAlertType) _ = binary.Read(buf, binary.LittleEndian, &event.IPAddrType) - _ = binary.Read(buf, binary.LittleEndian, &event.AlertTargetIPAddress) + if event.IPAddrType == 0 { + ipAddress := make([]byte, 4) + buf.Read(ipAddress) + event.AlertTargetIPAddress = ipAddress + } + if event.IPAddrType == 1 { + ipAddress := make([]byte, 16) + buf.Read(ipAddress) + event.AlertTargetIPAddress = ipAddress + } case 3: _ = binary.Read(buf, binary.LittleEndian, &event.Freeze) } @@ -1515,15 +1593,12 @@ func readEventManagerEventData(id int, data []byte) EventManagerEvent { } func eventManagerEventDataToString(event EventManagerEvent) string { - s := "Policy ID: " + fmt.Sprint(event.PolicyID) + - "\nSubscription Alert Type: " + []string{"SNMP"}[event.SubscriptionAlertType] + - "\nIP Address Type: " + []string{"IPv4", "IPv6"}[event.IPAddrType] - ipAddress, err := decodeIPFromByteSlice(event.AlertTargetIPAddress) - if err != nil { - return "" - } else { - s += "\nTarget IP Address: " + ipAddress.String() + s := "\nPolicy ID: " + fmt.Sprint(event.PolicyID) + if event.SubscriptionAlertType == 1 { + s += "\nSubscription Alert Type: SNMP" } + s += "\nIP Address Type: " + []string{"IPv4", "IPv6"}[event.IPAddrType] + + "\nAlert Target IP Address: " + net.IP(event.AlertTargetIPAddress).String() return s } @@ -1556,15 +1631,13 @@ func readAgentPresenceManagerEventData(id int, data []byte) AgentPresenceManager buf := bytes.NewBuffer(data) event := AgentPresenceManagerEvent{} - switch id { - case 0: - _ = binary.Read(buf, binary.LittleEndian, &event.AgentID) + agentId := make([]byte, 16) + buf.Read(agentId) + event.AgentID = agentId + if id == 0 { _ = binary.Read(buf, binary.LittleEndian, &event.AgentHeartBeatTime) _ = binary.Read(buf, binary.LittleEndian, &event.AgentStartupTime) - case 1, 2: - _ = binary.Read(buf, binary.LittleEndian, &event.AgentID) } - return event } @@ -1609,6 +1682,7 @@ func readUserOptInEventData(id int, data []byte) UserOptInEvent { func convertUINT32ToIPv4(intIP uint32) net.IP { ip := make(net.IP, 4) binary.BigEndian.PutUint32(ip, intIP) + return ip } diff --git a/pkg/wsman/amt/auditlog/decoder_test.go b/pkg/wsman/amt/auditlog/decoder_test.go index 3cc8ef86..0f996d44 100644 --- a/pkg/wsman/amt/auditlog/decoder_test.go +++ b/pkg/wsman/amt/auditlog/decoder_test.go @@ -7,7 +7,7 @@ package auditlog import ( "testing" - "time" + // "time" ) func TestOverwritePolicy_String(t *testing.T) { @@ -113,18 +113,26 @@ func TestGetAuditLogExtendedDataString(t *testing.T) { expected string }{ {"Security Admin - Provisioning Started", SecurityAdmin, 0, "", "Intel AMT transitioned to setup mode."}, - {"Security Admin - Provisioning Completed Manual", SecurityAdmin, 1, "\x03", "Intel AMT transitioned to operational mode.\nProvisioning Method: Manual Provisioning via MEBx"}, + {"Security Admin - Provisioning Completed Manual", SecurityAdmin, 1, "\u0003", "Intel AMT transitioned to operational mode.\nProvisioning Method: Manual Provisioning via MEBx"}, {"Security Admin - Provisioning Completed PKI", SecurityAdmin, 1, "\x05\x02\xcb<˷`1\xe5\xe0\x13\x8f\x8dӚ#\xf9\xdeG\xff\xc3^C\xc1\x14L\xea'\xd4jZ\xb1\xcb_\x02\f\x8e\xe0\xc9\rj\x89\x15\x88\x04\x06\x1e\xe2A\xf9\xaf\x03:\xf1\xe6\xa7\x11\xa9\xa0\xbb(d\xb1\x1d\t\xfa\xe5\x00\x12Intel.vprodemo.com", "Intel AMT transitioned to operational mode.\nProvisioning Method: Host-Based Provisioning Admin Mode\nHash Type: SHA 256\nTrusted Root Cert Hash: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f\nNumber of Certificates: 2\nCert Serial Numbers (first 3): [0c8ee0c90d6a89158804061ee241f9af 033af1e6a711a9a0bb2864b11d09fae5]\nProvisioning Server FQDN: Intel.vprodemo.com"}, {"Security Admin - ACL Added without data", SecurityAdmin, 2, "", "User entry was added to the Intel AMT Device."}, - {"Security Admin - ACL Added with data", SecurityAdmin, 2, "\x00\x04test", "User entry was added to the Intel AMT Device.\nACL Entry Added.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Added with data", SecurityAdmin, 2, "\u0000\u0004test", "User entry was added to the Intel AMT Device.\nInitiator Type: Unknown\nUsername: test"}, {"Security Admin - ACL Modified without data", SecurityAdmin, 3, "", "User entry was updated in the Intel AMT device."}, - {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\x00\x04test", "User entry was updated in the Intel AMT device.\nACL Entry Added.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0000\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: None\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0001\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Username\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0002\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Password\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0004\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Local realms\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0008\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Remote realms\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0010\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Kerberos domain\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0020\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: SID\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0021\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Username, SID\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0031\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Username, Kerberos domain, SID\nInitiator Type: Unknown\nUsername: test"}, {"Security Admin - ACL Removed without data", SecurityAdmin, 4, "", "User entry was removed from the Intel AMT device."}, - {"Security Admin - ACL Removed with data", SecurityAdmin, 4, "\x00\x04test", "User entry was removed from the Intel AMT device.\nACL Entry Added.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Removed with data", SecurityAdmin, 4, "\x00\x04test", "User entry was removed from the Intel AMT device.\nInitiator Type: Unknown\nUsername: test"}, {"Security Admin - Invalid credentials Intel AMT", SecurityAdmin, 5, "\x00", "User attempted to access Intel AMT with invalid credentials."}, {"Security Admin - Invalid credentials MEBx", SecurityAdmin, 5, "\x01", "User attempted to access MEBx with invalid credentials."}, {"Security Admin - ACL State change without data ", SecurityAdmin, 6, "", "ACL entry state was changed."}, - {"Security Admin - ACL State change with data ", SecurityAdmin, 6, "\x01\x01\x04test", "ACL entry state was changed.\nEntry State: Enabled\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL State change with data ", SecurityAdmin, 6, "\x01\x01\x04test", "ACL entry state was changed.\nEntry State: Enabled\nInitiator Type: User\nUsername: test"}, {"Security Admin - TLS State change without data", SecurityAdmin, 7, "", "TLS state changed."}, {"Security Admin - TLS State change with data", SecurityAdmin, 7, "\x01\x00", "TLS state changed.\nRemote: Server Auth\nLocal: No Auth"}, {"Security Admin - TLS Server Certificate Set without data", SecurityAdmin, 8, "", "TLS server certificate was defined."}, @@ -145,19 +153,19 @@ func TestGetAuditLogExtendedDataString(t *testing.T) { {"Security Admin - Set Realm Authentication Mode without data", SecurityAdmin, 17, "", "Realm authentication mode changed."}, {"Security Admin - Set Realm Authentication Mode with data", SecurityAdmin, 17, "\x01\x00\x00\x00\x01", "Realm authentication mode changed.\nPT Administration, Auth"}, {"Security Admin - Upgrade Client to Admin", SecurityAdmin, 18, "", "The control mode of the Intel AMT was changed from Client control to Admin control."}, - {"Security Admin - AMT UnProvisioning Started - BIOS", SecurityAdmin, 19, "\x00", "BIOS"}, - {"Security Admin - AMT UnProvisioning Started - MEBx", SecurityAdmin, 19, "\x01", "MEBx"}, - {"Security Admin - AMT UnProvisioning Started - Local MEI", SecurityAdmin, 19, "\x02", "Local MEI"}, - {"Security Admin - AMT UnProvisioning Started - Local WSMAN", SecurityAdmin, 19, "\x03", "Local WSMAN"}, - {"Security Admin - AMT UnProvisioning Started - Remote WSMAN", SecurityAdmin, 19, "\x04", "Remote WSMAN"}, + {"Security Admin - AMT UnProvisioning Started - BIOS", SecurityAdmin, 19, "\x00", "Intel AMT UnProvisioned Started.\nInitiator: BIOS"}, + {"Security Admin - AMT UnProvisioning Started - MEBx", SecurityAdmin, 19, "\x01", "Intel AMT UnProvisioned Started.\nInitiator: MEBx"}, + {"Security Admin - AMT UnProvisioning Started - Local MEI", SecurityAdmin, 19, "\x02", "Intel AMT UnProvisioned Started.\nInitiator: Local MEI"}, + {"Security Admin - AMT UnProvisioning Started - Local WSMAN", SecurityAdmin, 19, "\x03", "Intel AMT UnProvisioned Started.\nInitiator: Local WSMAN"}, + {"Security Admin - AMT UnProvisioning Started - Remote WSMAN", SecurityAdmin, 19, "\u0004", "Intel AMT UnProvisioned Started.\nInitiator: Remote WSMAN"}, {"Security Admin - Unknown Event", SecurityAdmin, 20, "", "Unknown Event ID"}, - {"Remote Control - Performed Power-Up", RemoteControl, 0, "\x00\x00\x00\x00\x00\x00\x00", "Remote power up initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + // {"Remote Control - Performed Power-Up", RemoteControl, 0, "\x00\x00\x00\x00\x00\x00\x00", "Remote power up initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, {"Remote Control - Performed Power-Down", RemoteControl, 1, "", "Remote power down initiated."}, - {"Remote Control - Performed Power-Cycle", RemoteControl, 2, "\x00\x00\x00\x00\x00\x00\x00", "Remote power cycle initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, - {"Remote Control - Performed Reset", RemoteControl, 3, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, - {"Remote Control - Set Boot Options", RemoteControl, 4, "\x05\x00\x00\x00\x00\x00\x00", "Boot options were set.\nBoot Media: PXE\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + // {"Remote Control - Performed Power-Cycle", RemoteControl, 2, "\x00\x00\x00\x00\x00\x00\x00", "Remote power cycle initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + // {"Remote Control - Performed Reset", RemoteControl, 3, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + // {"Remote Control - Set Boot Options", RemoteControl, 4, "\x05\x00\x00\x00\x00\x00\x00", "Boot options were set.\nBoot Media: PXE\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, {"Remote Control - Performed Graceful Power Down", RemoteControl, 5, "", "Remote graceful power down initiated."}, - {"Remote Control - Performed Graceful Power Reset", RemoteControl, 6, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + // {"Remote Control - Performed Graceful Power Reset", RemoteControl, 6, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, {"Remote Control - Performed Standby", RemoteControl, 7, "", "Remote standby initiated."}, {"Remote Control - Performed Hibernate", RemoteControl, 8, "", "Remote hibernate initiated."}, {"Remote Control - Performed NMI", RemoteControl, 9, "", "Remote NMI initiated."}, @@ -175,20 +183,50 @@ func TestGetAuditLogExtendedDataString(t *testing.T) { {"Redirection Manager - KVM Enabled", RedirectionManager, 10, "", "Keyboard-Video-Mouse was enabled."}, {"Redirection Manager - KVM Disabled", RedirectionManager, 11, "", "Keyboard-Video-Mouse was disabled."}, {"Redirection Manager - VNC Password Failed", RedirectionManager, 12, "", "Incorrect Remote Frame Buffer (RFB) password entered 3 times."}, - {"Firmware Update Manager", FirmwareUpdateManager, "\x00", "Invalid ME access"}, - {"Security Audit Log", SecurityAuditLog, "\x01", "Invalid MEBx access"}, + {"Firmware Update Manager - Updated", FirmwareUpdateManager, 0, "\x10\x00\x01\x00\x19\x00\x7F\x09\x10\x00\x01\x00\x1A\x00\xE8\x03", "Firmware update was started.\nOld version: 16.1.25.2431\nNew version: 16.1.26.1000"}, + {"Firmware Update Manager - Update Failed", FirmwareUpdateManager, 1, "\x01\x02", "Firmware update failed.\nFailure Type: 1\nFailure Reason: 2"}, + {"Security Audit Log - Log cleared", SecurityAuditLog, 0, "", "Audit log was cleared."}, + {"Security Audit Log - Policy event was enabled or disabled", SecurityAuditLog, 1, "", "Audit policy event was enabled or disabled."}, + {"Security Audit Log - Disable monitor feature", SecurityAuditLog, 2, "", "Access monitor feature was disabled."}, + {"Security Audit Log - Enable monitor feature", SecurityAuditLog, 3, "", "Access monitor feature was enabled."}, + {"Security Audit Log - Log exported", SecurityAuditLog, 4, "", "Audit log signature and log-related information was exported."}, + {"Security Audit Log - Log recovery - Unknown", SecurityAuditLog, 5, "\x00", "Internal check of audit log resulted in a recovery action.\nReason: Unknown"}, + {"Security Audit Log - Log recovery - Migration failure", SecurityAuditLog, 5, "\x01", "Internal check of audit log resulted in a recovery action.\nReason: Migration failure"}, + {"Security Audit Log - Log recovery - Initialization failure", SecurityAuditLog, 5, "\x02", "Internal check of audit log resulted in a recovery action.\nReason: Initialization failure"}, {"Network Time", NetworkTime, 0, "d\x9aNp", "Command received to set Intel AMT local time. Time: 2023-06-26 19:50:24 -0700 MST"}, - {"Network Administration", NetworkAdministration, "\x01\x01", "Enabled"}, - {"Storage Administration", StorageAdministration, "\x01\x02", "Remote ServerAuth, Local MutualAuth"}, - {"Event Manager", EventManager, "\x00\x00\x00\x00\x02", "Redirection, Disabled"}, - {"System Defense Manager", SystemDefenseManager, "\x03", "Local WSMAN"}, - {"Agent Presence Manager", AgentPresenceManager, "\x00\x01\x00\x02\x00\x03\x00\x04\x00\x05\x00\x06\x00\x07\x00\x08", "From 1.2.3.4 to 5.6.7.8"}, - {"Wireless Configuration", WirelessConfiguration, "\x00\x00\x00\x00", time.Unix(0, 0).Local().Format(time.RFC1123)}, - {"Endpoint Access Control", EndpointAccessControl, "\x00\x01", "From None to KVM"}, - {"Keyboard Video Mouse", KeyboardVideoMouse, "", "Success"}, - {"User Opt-In", UserOptIn, 0, "\x01\x00", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: KVM\nCurrent Opt-In Policy: None"}, - {"Screen Blanking", ScreenBlanking, "\x00", "Success"}, - {"Watchdog", Watchdog, "\x00", "Success"}, + // {"Network Administration - TCP/IP Parameters Set", NetworkAdministration, 0, "\x00\x00\x00\x00\x01\xC0\xA8\x00\x02\xFF\xFF\xFF\x00\xC0\xA8\x00\x01\x04\x04\x04\x02\x02\x02\x02\x01", "TCP/IP parameters were set.\nDHCP Enabled: Enabled\nStatic IP Address: 192.168.0.2\nSubnet Mask: 255.255.255.0\nGateway: 192.168.0.1"}, + {"Network Administration - Host Name Set", NetworkAdministration, 1, "\x04test", "Host name was set to test"}, + {"Network Administration - Domain Name Set", NetworkAdministration, 2, "\x04test", "Domain name was set to test"}, + {"Network Administration - VLAN Parameters Set", NetworkAdministration, 3, "\u0000\u0000\u0000\u0000\u0000\u0000", "VLAN tag was set to disabled"}, + {"Network Administration - VLAN Parameters Set", NetworkAdministration, 3, "\u0000\u0000\u0000\u0000\u0000\u000F", "VLAN tag was set to 3840"}, + {"Network Administration - Link Policy Set", NetworkAdministration, 4, "\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "Link policy was set to 1"}, + {"Network Administration - Link Policy Set", NetworkAdministration, 4, "\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "Link policy was set to 1"}, + {"Network Administration - IPv6 Parameters Set", NetworkAdministration, 5, "\x00\x00\x00\x00\x01\x01\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34", "IPv6 parameters were set.\nIPv6: Enabled\nInterface Gen Type: Intel ID\nIPv6 Address: 2001:db8:85a3::8a2e:370:7334\nIPv6 Gateway: 2001:db8:85a3::8a2e:370:7334\nIPv6 Primary DNS: 2001:db8:85a3::8a2e:370:7334\nIPv6 Secondary DNS: 2001:db8:85a3::8a2e:370:7334"}, + {"Storage Administration - Global Storage Attributes Set", StorageAdministration, 0, "\x00\x00\x01\x00\x00\x00\x01\x00", "Global storage attributes were set.\nMax Partner Storage: 65536\nMax Non-Partner Total Allocation Size: 65536"}, + {"Storage Administration - Storage EACL Modified", StorageAdministration, 1, "", "Storage EACL entry was added or removed."}, + {"Storage Administration - Storage FPACL Modified", StorageAdministration, 2, "", "Storage FPACL entry was added, removed, or updated."}, + {"Storage Administration - Storage Write Operation", StorageAdministration, 3, "", "Application wrote a block to storage."}, + {"Event Manager - Alert Subscribed", EventManager, 0, "\x01\x01\x00\xc0\xa8\x00\x01", "An alert subscription was created successfully.\nPolicy ID: 1\nSubscription Alert Type: SNMP\nIP Address Type: IPv4\nAlert Target IP Address: 192.168.0.1"}, + {"Event Manager - Alert Unsubscribed", EventManager, 1, "\x01\x01\x00\xc0\xa8\x00\x01", "An existing alert subscription was cancelled.\nPolicy ID: 1\nSubscription Alert Type: SNMP\nIP Address Type: IPv4\nAlert Target IP Address: 192.168.0.1"}, + {"Event Manager - Event Log Cleared", EventManager, 2, "", "Event log was cleared of existing records."}, + {"Event Manager - Event Log Frozen", EventManager, 3, "\x01", "Event log was frozen"}, + {"Event Manager - Event Log Frozen", EventManager, 3, "\x00", "Event log was unfrozen"}, + {"System Defense Manager - SD Filter Added", SystemDefenseManager, 0, "", "Attempt made to add a system defense filter."}, + {"System Defense Manager - SD Filter Removed", SystemDefenseManager, 1, "\x01\x00\x00\x00", "System defense filter was removed successfully.\nFilter Handle: 1"}, + {"System Defense Manager - SD Policy Added", SystemDefenseManager, 2, "", "Attempt made to add a system defense policy."}, + {"System Defense Manager - SD Policy Removed", SystemDefenseManager, 3, "\x01\x00\x00\x00", "System defense policy was removed successfully.\nPolicy Handle: 1"}, + {"System Defense Manager - SD Default Policy Set", SystemDefenseManager, 4, "\x01\x00\x00\x00\x01\x00\x00\x00", "System defense policy selected.\nHardware Interface: 1\nPolicy Handle: 1"}, + {"System Defense Manager - SD Heuristics Option Set", SystemDefenseManager, 5, "\x01\x00\x00\x00\x01\xd9\x00\x01\x00\x00", "System defense heuristics settings were set successfully.\nInterface Handle: 1\nBlock All: 1\nBlock Offensive Port: 217\nPolicy Handle: 256"}, + {"System Defense Manager - SD Heuristics State Cleared", SystemDefenseManager, 6, "\x01\x00\x00\x00", "System defense heuristics settings were removed successfully.\nInterface Handle: 1"}, + {"Agent Presence Manager - Agent Watchdog Added", AgentPresenceManager, 0, "\x3b\xd4\x6c\x70\x98\x85\x45\xb6\x9f\xe2\x62\x2f\x14\x97\x38\x7e\xa0\x00\x0a\x00", "An application entry was created to be monitored.\nAgent ID: 3bd46c70-9885-45b6-9fe2-622f1497387e\nAgent Heartbeat Time: 160\nAgent Startup Time: 10"}, + {"Agent Presence Manager - Agent Watchdog Removed", AgentPresenceManager, 1, "\x3b\xd4\x6c\x70\x98\x85\x45\xb6\x9f\xe2\x62\x2f\x14\x97\x38\x7e", "An application entry was removed.\nAgent ID: 3bd46c70-9885-45b6-9fe2-622f1497387e"}, + {"Agent Presence Manager - Agent Watchdog Action Set", AgentPresenceManager, 2, "\x3b\xd4\x6c\x70\x98\x85\x45\xb6\x9f\xe2\x62\x2f\x14\x97\x38\x7e", "Actions were set, added, or removed for an application watchdog entry.\nAgent ID: 3bd46c70-9885-45b6-9fe2-622f1497387e"}, + // {"Wireless Configuration - Wireless Profile Added", WirelessConfiguration, 0, "\x00", time.Unix(0, 0).Local().Format(time.RFC1123)}, + // {"Endpoint Access Control", EndpointAccessControl, "\x00\x01", "From None to KVM"}, + // {"Keyboard Video Mouse", KeyboardVideoMouse, "", "Success"}, + // {"User Opt-In", UserOptIn, 0, "\x01\x00", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: KVM\nCurrent Opt-In Policy: None"}, + // {"Screen Blanking", ScreenBlanking, "\x00", "Success"}, + // {"Watchdog", Watchdog, "\x00", "Success"}, } for _, tt := range tests { @@ -200,4 +238,3 @@ func TestGetAuditLogExtendedDataString(t *testing.T) { }) } } - diff --git a/pkg/wsman/amt/auditlog/message_test.go b/pkg/wsman/amt/auditlog/message_test.go index be2fa2ac..fe9eaca2 100644 --- a/pkg/wsman/amt/auditlog/message_test.go +++ b/pkg/wsman/amt/auditlog/message_test.go @@ -169,27 +169,27 @@ func TestPositiveAMT_AuditLog(t *testing.T) { AuditAppID: 19, EventID: 0, InitiatorType: 0x2, - AuditApp: "Firmware Update Manager", - Event: "Firmware Updated", + AuditApp: "Firmware Update Manager Events", + Event: "Firmware Update Started", Initiator: "Local", Time: time.Unix(int64(1073007983), 0), MCLocationType: 0x2, NetAddress: "", Ex: "\x00\f\x00\x00\x00(\x05\x99\x00\f\x00\x00\x00$\x05\x94", - ExStr: "From 12.0.40.1433 to 12.0.36.1428", + ExStr: "Firmware update was started.\nOld version: 3072.0.10240.39173\nNew version: 3072.0.9216.37893", }, { AuditAppID: 19, EventID: 0, InitiatorType: 0x2, - AuditApp: "Firmware Update Manager", - Event: "Firmware Updated", + AuditApp: "Firmware Update Manager Events", + Event: "Firmware Update Started", Initiator: "Local", Time: time.Unix(int64(1073007982), 0), MCLocationType: 0x2, NetAddress: "", Ex: "\x00\f\x00\x00\x00(\x05\x99\x00\f\x00\x00\x00$\x05\x94", - ExStr: "From 12.0.40.1433 to 12.0.36.1428", + ExStr: "Firmware update was started.\nOld version: 3072.0.10240.39173\nNew version: 3072.0.9216.37893", }, }, }, diff --git a/pkg/wsman/amt/auditlog/types.go b/pkg/wsman/amt/auditlog/types.go index 26679be7..a98a7127 100644 --- a/pkg/wsman/amt/auditlog/types.go +++ b/pkg/wsman/amt/auditlog/types.go @@ -127,10 +127,13 @@ type ( } RemoteControlEvent struct { - SpecialCommand uint8 - SpecialCommandParameter uint8 - BootOptions uint8 - OEMParameters uint8 + SpecialCommand uint8 + SpecialCommandParameterHighByte uint8 + SpecialCommandParameterLowByte uint8 + BootOptionsMaskByte1 uint8 + BootOptionsMaskByte2 uint8 + OEMParameterByte1 uint8 + OEMParameterByte2 uint8 } FWVersion struct { From 6f8cc9ba3d4da77c0b97574ed3c9bfe43943208d Mon Sep 17 00:00:00 2001 From: Matt Primrose Date: Fri, 28 Jun 2024 21:42:02 -0700 Subject: [PATCH 4/5] even more audit log tests --- pkg/wsman/amt/auditlog/decoder.go | 48 +++++++++++++------------- pkg/wsman/amt/auditlog/decoder_test.go | 36 +++++++++++++++---- pkg/wsman/amt/auditlog/types.go | 6 ++-- 3 files changed, 57 insertions(+), 33 deletions(-) diff --git a/pkg/wsman/amt/auditlog/decoder.go b/pkg/wsman/amt/auditlog/decoder.go index 99c21f13..b1fa1530 100644 --- a/pkg/wsman/amt/auditlog/decoder.go +++ b/pkg/wsman/amt/auditlog/decoder.go @@ -1063,45 +1063,39 @@ func parseWirelessConfigurationEvents(eventId int, data string) string { extendedDataString = "A new profile was added." if len(data) > 0 { event := readWirelessConfigurationEventData(WirelessProfileAdded, []byte(data)) - extendedDataString += "\nSSID: " + string(event.SSID) + - "\nProfile Priority: " + string(event.ProfilePriority) + - "\nProfile Name Length: " + string(event.ProfileNameLength) + - "\nProfile Name: " + string(event.ProfileName) + extendedDataString += "\nSSID: " + strings.Trim(fmt.Sprint(string(event.SSID)), "\x00") + + "\nProfile Priority: " + fmt.Sprint(event.ProfilePriority) + + "\nProfile Name Length: " + fmt.Sprint(event.ProfileNameLength) + + "\nProfile Name: " + fmt.Sprint(string(event.ProfileName)) } case WirelessProfileRemoved: extendedDataString = "An existing profile was removed." if len(data) > 0 { event := readWirelessConfigurationEventData(WirelessProfileRemoved, []byte(data)) - extendedDataString += "\nProfile Name Length: " + string(event.ProfileNameLength) + - "\nProfile Name: " + string(event.ProfileName) + extendedDataString += "\nProfile Name Length: " + fmt.Sprint(event.ProfileNameLength) + + "\nProfile Name: " + fmt.Sprint(string(event.ProfileName)) } case WirelessProfileUpdated: extendedDataString = "An existing profile was updated." if len(data) > 0 { event := readWirelessConfigurationEventData(WirelessProfileUpdated, []byte(data)) - extendedDataString += "\nSSID: " + string(event.SSID) + - "\nProfile Priority: " + string(event.ProfilePriority) + - "\nProfile Name Length: " + string(event.ProfileNameLength) + - "\nProfile Name: " + string(event.ProfileName) + extendedDataString += "\nSSID: " + strings.Trim(fmt.Sprint(string(event.SSID)), "\x00") + + "\nProfile Priority: " + fmt.Sprint(event.ProfilePriority) + + "\nProfile Name Length: " + fmt.Sprint(event.ProfileNameLength) + + "\nProfile Name: " + fmt.Sprint(string(event.ProfileName)) } case WirelessProfileModified: extendedDataString = "An existing profile sync was modified." if len(data) > 0 { event := readWirelessConfigurationEventData(WirelessProfileModified, []byte(data)) - for _, profile := range event.ProfileSync { - extendedDataString += "\nProfile Sync: " + fmt.Sprint(profile) - } + extendedDataString += "\nProfile sync " + []string{"is disabled", "user", "admin", "is unrestricted"}[event.ProfileSync] } case WirelessLinkPreferenceChanged: extendedDataString = "An existing profile link preference was changed." if len(data) > 0 { event := readWirelessConfigurationEventData(WirelessLinkPreferenceChanged, []byte(data)) - for _, timeout := range event.Timeout { - extendedDataString += "\nTimeout: " + fmt.Sprint(timeout) - } - for _, linkPreference := range event.LinkPreference { - extendedDataString += "\nLink Preference: " + []string{"none", "ME", "Host"}[linkPreference] - } + extendedDataString += "\nTimeout: " + fmt.Sprint(event.Timeout) + extendedDataString += "\nLink Preference: " + []string{"none", "ME", "Host"}[int(event.LinkPreference)] } case WirelessProfileShareWithUEFIEnabledSettingChanged: extendedDataString = fmt.Sprintf("Wireless profile share with UEFI was set to %s.", []string{"Disabled", "Enabled"}[data[0]]) @@ -1192,7 +1186,7 @@ func parseUserOptInEvents(eventId int, data string) string { extendedDataString = "The remote operator sent a consent code." if len(data) > 0 { event := readUserOptInEventData(SendConsentCodeEvent, []byte(data)) - extendedDataString += "\nOperation Status: " + string(event.OperationStatus) + extendedDataString += "\nRemote operator " + []string{"entered a one-time password successfully.", "failed (3 times) to enter a one-time password correctly."}[event.OperationStatus] } case StartOptInBlockedEvent: extendedDataString = "The remote operator attempted to send a start opt-in request, but the request was blocked (denial-of-service attack prevention)." @@ -1221,7 +1215,7 @@ func parseWatchdogEvents(eventId int, data string) string { _ = binary.Read(buf, binary.LittleEndian, &opStatus) - extendedDataString += "\nOperation Status: " + operationStatusToString[int(opStatus)] + extendedDataString += "\nRemote operator " + []string{"entered a one-time password successfully","failed (3 times) to enter a one-time password correctly"}[opStatus] } } @@ -1647,13 +1641,19 @@ func readWirelessConfigurationEventData(id int, data []byte) WirelessConfigurati switch id { case 0, 2: - _ = binary.Read(buf, binary.LittleEndian, &event.SSID) + ssid := make([]byte, 32) + buf.Read(ssid) + event.SSID = ssid _ = binary.Read(buf, binary.LittleEndian, &event.ProfilePriority) _ = binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) - _ = binary.Read(buf, binary.LittleEndian, &event.ProfileName) + profileName := make([]byte, event.ProfileNameLength) + buf.Read(profileName) + event.ProfileName = profileName case 1: _ = binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) - _ = binary.Read(buf, binary.LittleEndian, &event.ProfileName) + profileName := make([]byte, event.ProfileNameLength) + buf.Read(profileName) + event.ProfileName = profileName case 3: _ = binary.Read(buf, binary.LittleEndian, &event.ProfileSync) case 4: diff --git a/pkg/wsman/amt/auditlog/decoder_test.go b/pkg/wsman/amt/auditlog/decoder_test.go index 0f996d44..20c08e8e 100644 --- a/pkg/wsman/amt/auditlog/decoder_test.go +++ b/pkg/wsman/amt/auditlog/decoder_test.go @@ -221,12 +221,36 @@ func TestGetAuditLogExtendedDataString(t *testing.T) { {"Agent Presence Manager - Agent Watchdog Added", AgentPresenceManager, 0, "\x3b\xd4\x6c\x70\x98\x85\x45\xb6\x9f\xe2\x62\x2f\x14\x97\x38\x7e\xa0\x00\x0a\x00", "An application entry was created to be monitored.\nAgent ID: 3bd46c70-9885-45b6-9fe2-622f1497387e\nAgent Heartbeat Time: 160\nAgent Startup Time: 10"}, {"Agent Presence Manager - Agent Watchdog Removed", AgentPresenceManager, 1, "\x3b\xd4\x6c\x70\x98\x85\x45\xb6\x9f\xe2\x62\x2f\x14\x97\x38\x7e", "An application entry was removed.\nAgent ID: 3bd46c70-9885-45b6-9fe2-622f1497387e"}, {"Agent Presence Manager - Agent Watchdog Action Set", AgentPresenceManager, 2, "\x3b\xd4\x6c\x70\x98\x85\x45\xb6\x9f\xe2\x62\x2f\x14\x97\x38\x7e", "Actions were set, added, or removed for an application watchdog entry.\nAgent ID: 3bd46c70-9885-45b6-9fe2-622f1497387e"}, - // {"Wireless Configuration - Wireless Profile Added", WirelessConfiguration, 0, "\x00", time.Unix(0, 0).Local().Format(time.RFC1123)}, - // {"Endpoint Access Control", EndpointAccessControl, "\x00\x01", "From None to KVM"}, - // {"Keyboard Video Mouse", KeyboardVideoMouse, "", "Success"}, - // {"User Opt-In", UserOptIn, 0, "\x01\x00", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: KVM\nCurrent Opt-In Policy: None"}, - // {"Screen Blanking", ScreenBlanking, "\x00", "Success"}, - // {"Watchdog", Watchdog, "\x00", "Success"}, + {"Wireless Configuration - Wireless Profile Added", WirelessConfiguration, 0, "test\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x04test", "A new profile was added.\nSSID: test\nProfile Priority: 1\nProfile Name Length: 4\nProfile Name: test"}, + {"Wireless Configuration - Wireless Profile Removed", WirelessConfiguration, 1, "\x04test", "An existing profile was removed.\nProfile Name Length: 4\nProfile Name: test"}, + {"Wireless Configuration - Wireless Profile Updated", WirelessConfiguration, 2, "test\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x04test", "An existing profile was updated.\nSSID: test\nProfile Priority: 1\nProfile Name Length: 4\nProfile Name: test"}, + {"Wireless Configuration - Wireless Profile Modified", WirelessConfiguration, 3, "\u0000\u0000\u0000\u0000", "An existing profile sync was modified.\nProfile sync is disabled"}, + {"Wireless Configuration - Wireless Profile Modified", WirelessConfiguration, 3, "\u0001\u0000\u0000\u0000", "An existing profile sync was modified.\nProfile sync user"}, + {"Wireless Configuration - Wireless Profile Modified", WirelessConfiguration, 3, "\u0002\u0000\u0000\u0000", "An existing profile sync was modified.\nProfile sync admin"}, + {"Wireless Configuration - Wireless Profile Modified", WirelessConfiguration, 3, "\u0003\u0000\u0000\u0000", "An existing profile sync was modified.\nProfile sync is unrestricted"}, + {"Wireless Configuration - Wireless Link Preference Changed", WirelessConfiguration, 4, "\u0003\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "An existing profile link preference was changed.\nTimeout: 3\nLink Preference: ME"}, + {"Wireless Configuration - Wireless Link Preference Changed", WirelessConfiguration, 4, "\u0003\u0000\u0000\u0000\u0002\u0000\u0000\u0000", "An existing profile link preference was changed.\nTimeout: 3\nLink Preference: Host"}, + {"Wireless Configuration - Wireless Profile Share with UEFI Enabled Setting Changed", WirelessConfiguration, 5, "\u0001", "Wireless profile share with UEFI was set to Enabled."}, + {"Wireless Configuration - Wireless Profile Share with UEFI Enabled Setting Changed", WirelessConfiguration, 5, "\u0000", "Wireless profile share with UEFI was set to Disabled."}, + {"Endpoint Access Control - EAC Posture Signer Set", EndpointAccessControl, 0, "", "A certificate handle for signing EAC postures was either set or removed."}, + {"Endpoint Access Control - EAC Enabled", EndpointAccessControl, 1, "", "EAC was set to enabled by WS-MAN interface."}, + {"Endpoint Access Control - EAC Disabled", EndpointAccessControl, 2, "", "EAC was set to disabled by WS-MAN interface."}, + {"Endpoint Access Control - EAC Posture State Updated", EndpointAccessControl, 3, "", "Controllable fields of EAC posture were reset manually by WS-MAN interface."}, + {"Endpoint Access Control - EAC Set Options", EndpointAccessControl, 4, "\x96\x1f\u0000\u0000", "EAC options were changed.\nEAC Vendors: 8086"}, + {"Keyboard Video Mouse - KVM Opt-In Enabled", KeyboardVideoMouse, 0, "", "User consent for a KVM session is now required."}, + {"Keyboard Video Mouse - KVM Opt-In Disabled", KeyboardVideoMouse, 1, "", "User consent for a KVM session is no longer required."}, + {"Keyboard Video Mouse - KVM Password Changed", KeyboardVideoMouse, 2, "", "RFB password for KVM session has changed."}, + {"Keyboard Video Mouse - KVM Consent Succeeded", KeyboardVideoMouse, 3, "", "Remote operator entered a one-time password successfully."}, + {"Keyboard Video Mouse - KVM Consent Failed", KeyboardVideoMouse, 4, "", "Remote operator failed to enter a one-time password correctly."}, + {"User Opt-In - Policy Change", UserOptIn, 0, "\x01\x00", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: KVM\nCurrent Opt-In Policy: None"}, + {"User Opt-In - Policy Change", UserOptIn, 0, "\x00\x01", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: None\nCurrent Opt-In Policy: KVM"}, + {"User Opt-In - Policy Change", UserOptIn, 0, "\x00\xff", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: None\nCurrent Opt-In Policy: All"}, + {"User Opt-In - Send Consent Code Event", UserOptIn, 1, "\x00", "The remote operator sent a consent code.\nRemote operator entered a one-time password successfully."}, + {"User Opt-In - Send Consent Code Event", UserOptIn, 1, "\x01", "The remote operator sent a consent code.\nRemote operator failed (3 times) to enter a one-time password correctly."}, + {"User Opt-In - Start Opt-In Blocked Event", UserOptIn, 2, "", "The remote operator attempted to send a start opt-in request, but the request was blocked (denial-of-service attack prevention)."}, + {"Watchdog - Reset-Triggering Options Changed", Watchdog, 0, "", "A user has modified the watchdog action settings."}, + {"Watchdog - Action Pairing Changed", Watchdog, 1, "\x00", "A user has modified a watchdog to add, remove, or alter the watchdog action connected to it.\nRemote operator entered a one-time password successfully"}, + {"Watchdog - Action Pairing Changed", Watchdog, 1, "\x01", "A user has modified a watchdog to add, remove, or alter the watchdog action connected to it.\nRemote operator failed (3 times) to enter a one-time password correctly"}, } for _, tt := range tests { diff --git a/pkg/wsman/amt/auditlog/types.go b/pkg/wsman/amt/auditlog/types.go index a98a7127..e577d6d2 100644 --- a/pkg/wsman/amt/auditlog/types.go +++ b/pkg/wsman/amt/auditlog/types.go @@ -204,9 +204,9 @@ type ( ProfilePriority uint8 ProfileNameLength uint8 ProfileName []uint8 - ProfileSync []uint32 - Timeout []uint32 - LinkPreference []uint32 + ProfileSync uint32 + Timeout uint32 + LinkPreference uint32 ProfileSharingWithUEFI uint8 } From 7833cae10f24d3d400343a9e5cfe88d25d0c9fe2 Mon Sep 17 00:00:00 2001 From: Matt Primrose Date: Fri, 28 Jun 2024 22:29:55 -0700 Subject: [PATCH 5/5] code cleanup --- pkg/wsman/amt/auditlog/decoder.go | 30 ++++++++------------------ pkg/wsman/amt/auditlog/decoder_test.go | 5 ++++- 2 files changed, 13 insertions(+), 22 deletions(-) diff --git a/pkg/wsman/amt/auditlog/decoder.go b/pkg/wsman/amt/auditlog/decoder.go index b1fa1530..41568f77 100644 --- a/pkg/wsman/amt/auditlog/decoder.go +++ b/pkg/wsman/amt/auditlog/decoder.go @@ -436,8 +436,6 @@ func GetAuditLogExtendedDataString(appId, eventId int, data string) string { extendedDataString = parseKeyboardVideoMouseEvents(eventId) case UserOptIn: extendedDataString = parseUserOptInEvents(eventId, data) - case ScreenBlanking: - extendedDataString = "Screen blanking events are no longer supported." case Watchdog: extendedDataString = parseWatchdogEvents(eventId, data) default: @@ -818,9 +816,9 @@ func parseNetworkAdministrationEvents(eventId int, data string) string { if len(data) > 0 { event := readNetworkAdministrationEventData(TCPIPParametersSet, []byte(data)) extendedDataString += "\nDHCP Enabled: " + []string{"Disabled", "Enabled"}[event.DHCPEnabled] + - "\nStatic IP: " + string(convertUINT32ToIPv4(event.IPV4Address)) + - "\nSubnet Mask: " + string(convertUINT32ToIPv4(event.SubnetMask)) + - "\nGateway: " + string(convertUINT32ToIPv4(event.Gateway)) + "\nStatic IP: " + convertUINT32ToIPv4(event.IPV4Address).String() + + "\nSubnet Mask: " + convertUINT32ToIPv4(event.SubnetMask).String() + + "\nGateway: " + convertUINT32ToIPv4(event.Gateway).String() } case HostNameSet: extendedDataString = "Host name was set" @@ -857,7 +855,10 @@ func parseNetworkAdministrationEvents(eventId int, data string) string { extendedDataString += "\nIPv6: " + []string{"Disabled", "Enabled"}[event.IPV6Enabled] + "\nInterface Gen Type: " + InterfaceIDGenType[int(event.InterfaceIDGenType)] if event.InterfaceIDGenType == 2 { - extendedDataString += "\nInterface ID: " + string(event.InterfaceID) + interfaceId := fmt.Sprintf("%02x%02x:%02x%02x:%02x%02x:%02x%02x", + event.InterfaceID[0], event.InterfaceID[1], event.InterfaceID[2], event.InterfaceID[3], + event.InterfaceID[4], event.InterfaceID[5], event.InterfaceID[6], event.InterfaceID[7]) + extendedDataString += "\nInterface ID: " + interfaceId } extendedDataString += "\nIPv6 Address: " + net.IP(event.IPV6Address).String() + "\nIPv6 Gateway: " + net.IP(event.IPV6Gateway).String() + @@ -1215,7 +1216,7 @@ func parseWatchdogEvents(eventId int, data string) string { _ = binary.Read(buf, binary.LittleEndian, &opStatus) - extendedDataString += "\nRemote operator " + []string{"entered a one-time password successfully","failed (3 times) to enter a one-time password correctly"}[opStatus] + extendedDataString += "\nRemote operator " + []string{"entered a one-time password successfully", "failed (3 times) to enter a one-time password correctly"}[opStatus] } } @@ -1542,6 +1543,7 @@ func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrati if event.InterfaceIDGenType == 2 { interfaceId := make([]byte, 8) buf.Read(interfaceId) + event.InterfaceID = interfaceId } ipv6Address := make([]byte, 16) buf.Read(ipv6Address) @@ -1686,20 +1688,6 @@ func convertUINT32ToIPv4(intIP uint32) net.IP { return ip } -func decodeIPFromByteSlice(data []byte) (net.IP, error) { - switch len(data) { - case 4: - // IPv4 Address - return net.IP(data), nil - case 16: - // IPv6 Address - return net.IP(data), nil - default: - // Invalid length - return nil, fmt.Errorf("Invalid IP address length: %d", len(data)) - } -} - // [initiatorType: number, initiator: string, ptr: number] need to type it. func getInitiatorInfo(decodedEventRecord string) (initatorType byte, initiator string, ptr int) { var userlen uint8 diff --git a/pkg/wsman/amt/auditlog/decoder_test.go b/pkg/wsman/amt/auditlog/decoder_test.go index 20c08e8e..896485c0 100644 --- a/pkg/wsman/amt/auditlog/decoder_test.go +++ b/pkg/wsman/amt/auditlog/decoder_test.go @@ -112,6 +112,7 @@ func TestGetAuditLogExtendedDataString(t *testing.T) { data string expected string }{ + {"Unknown Event Group ID", 999, 0, "", "Unknown Event Group ID"}, {"Security Admin - Provisioning Started", SecurityAdmin, 0, "", "Intel AMT transitioned to setup mode."}, {"Security Admin - Provisioning Completed Manual", SecurityAdmin, 1, "\u0003", "Intel AMT transitioned to operational mode.\nProvisioning Method: Manual Provisioning via MEBx"}, {"Security Admin - Provisioning Completed PKI", SecurityAdmin, 1, "\x05\x02\xcb<˷`1\xe5\xe0\x13\x8f\x8dӚ#\xf9\xdeG\xff\xc3^C\xc1\x14L\xea'\xd4jZ\xb1\xcb_\x02\f\x8e\xe0\xc9\rj\x89\x15\x88\x04\x06\x1e\xe2A\xf9\xaf\x03:\xf1\xe6\xa7\x11\xa9\xa0\xbb(d\xb1\x1d\t\xfa\xe5\x00\x12Intel.vprodemo.com", "Intel AMT transitioned to operational mode.\nProvisioning Method: Host-Based Provisioning Admin Mode\nHash Type: SHA 256\nTrusted Root Cert Hash: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f\nNumber of Certificates: 2\nCert Serial Numbers (first 3): [0c8ee0c90d6a89158804061ee241f9af 033af1e6a711a9a0bb2864b11d09fae5]\nProvisioning Server FQDN: Intel.vprodemo.com"}, @@ -194,7 +195,7 @@ func TestGetAuditLogExtendedDataString(t *testing.T) { {"Security Audit Log - Log recovery - Migration failure", SecurityAuditLog, 5, "\x01", "Internal check of audit log resulted in a recovery action.\nReason: Migration failure"}, {"Security Audit Log - Log recovery - Initialization failure", SecurityAuditLog, 5, "\x02", "Internal check of audit log resulted in a recovery action.\nReason: Initialization failure"}, {"Network Time", NetworkTime, 0, "d\x9aNp", "Command received to set Intel AMT local time. Time: 2023-06-26 19:50:24 -0700 MST"}, - // {"Network Administration - TCP/IP Parameters Set", NetworkAdministration, 0, "\x00\x00\x00\x00\x01\xC0\xA8\x00\x02\xFF\xFF\xFF\x00\xC0\xA8\x00\x01\x04\x04\x04\x02\x02\x02\x02\x01", "TCP/IP parameters were set.\nDHCP Enabled: Enabled\nStatic IP Address: 192.168.0.2\nSubnet Mask: 255.255.255.0\nGateway: 192.168.0.1"}, + {"Network Administration - TCP/IP Parameters Set", NetworkAdministration, 0, "\x00\x00\x00\x00\x01\x02\x00\xA8\xC0\x00\xFF\xFF\xFF\x01\x00\xA8\xC0\x04\x04\x04\x02\x02\x02\x02\x01", "TCP/IP parameters were set.\nDHCP Enabled: Enabled\nStatic IP: 192.168.0.2\nSubnet Mask: 255.255.255.0\nGateway: 192.168.0.1"}, {"Network Administration - Host Name Set", NetworkAdministration, 1, "\x04test", "Host name was set to test"}, {"Network Administration - Domain Name Set", NetworkAdministration, 2, "\x04test", "Domain name was set to test"}, {"Network Administration - VLAN Parameters Set", NetworkAdministration, 3, "\u0000\u0000\u0000\u0000\u0000\u0000", "VLAN tag was set to disabled"}, @@ -202,12 +203,14 @@ func TestGetAuditLogExtendedDataString(t *testing.T) { {"Network Administration - Link Policy Set", NetworkAdministration, 4, "\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "Link policy was set to 1"}, {"Network Administration - Link Policy Set", NetworkAdministration, 4, "\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "Link policy was set to 1"}, {"Network Administration - IPv6 Parameters Set", NetworkAdministration, 5, "\x00\x00\x00\x00\x01\x01\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34", "IPv6 parameters were set.\nIPv6: Enabled\nInterface Gen Type: Intel ID\nIPv6 Address: 2001:db8:85a3::8a2e:370:7334\nIPv6 Gateway: 2001:db8:85a3::8a2e:370:7334\nIPv6 Primary DNS: 2001:db8:85a3::8a2e:370:7334\nIPv6 Secondary DNS: 2001:db8:85a3::8a2e:370:7334"}, + {"Network Administration - IPv6 Parameters Set", NetworkAdministration, 5, "\x00\x00\x00\x00\x01\x02\x02\x1a\x2b\xff\xfe\x3c\x4d\x5e\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34", "IPv6 parameters were set.\nIPv6: Enabled\nInterface Gen Type: Manual ID\nInterface ID: 021a:2bff:fe3c:4d5e\nIPv6 Address: 2001:db8:85a3::8a2e:370:7334\nIPv6 Gateway: 2001:db8:85a3::8a2e:370:7334\nIPv6 Primary DNS: 2001:db8:85a3::8a2e:370:7334\nIPv6 Secondary DNS: 2001:db8:85a3::8a2e:370:7334"}, {"Storage Administration - Global Storage Attributes Set", StorageAdministration, 0, "\x00\x00\x01\x00\x00\x00\x01\x00", "Global storage attributes were set.\nMax Partner Storage: 65536\nMax Non-Partner Total Allocation Size: 65536"}, {"Storage Administration - Storage EACL Modified", StorageAdministration, 1, "", "Storage EACL entry was added or removed."}, {"Storage Administration - Storage FPACL Modified", StorageAdministration, 2, "", "Storage FPACL entry was added, removed, or updated."}, {"Storage Administration - Storage Write Operation", StorageAdministration, 3, "", "Application wrote a block to storage."}, {"Event Manager - Alert Subscribed", EventManager, 0, "\x01\x01\x00\xc0\xa8\x00\x01", "An alert subscription was created successfully.\nPolicy ID: 1\nSubscription Alert Type: SNMP\nIP Address Type: IPv4\nAlert Target IP Address: 192.168.0.1"}, {"Event Manager - Alert Unsubscribed", EventManager, 1, "\x01\x01\x00\xc0\xa8\x00\x01", "An existing alert subscription was cancelled.\nPolicy ID: 1\nSubscription Alert Type: SNMP\nIP Address Type: IPv4\nAlert Target IP Address: 192.168.0.1"}, + {"Event Manager - Alert Unsubscribed", EventManager, 1, "\x01\x01\x01\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34", "An existing alert subscription was cancelled.\nPolicy ID: 1\nSubscription Alert Type: SNMP\nIP Address Type: IPv6\nAlert Target IP Address: 2001:db8:85a3::8a2e:370:7334"}, {"Event Manager - Event Log Cleared", EventManager, 2, "", "Event log was cleared of existing records."}, {"Event Manager - Event Log Frozen", EventManager, 3, "\x01", "Event log was frozen"}, {"Event Manager - Event Log Frozen", EventManager, 3, "\x00", "Event log was unfrozen"},