Add new rules and decoders for macOS sshd logs #590

Open
K-Embee opened this issue Mar 27, 2020 · 0 comments

K-Embee commented Mar 27, 2020

See #348

Introduction

Currently, SSH events (and others) from macOS do not trigger alerts on Wazuh. The logs provided by /var/log/system.log provide next to no information besides the fact that an sshd process has started or stopped. They are readable by the predecoder and sshd decoder but do not trip any relevant rules. The goal of this issue is to create new rules and decoders to parse the full logs of the sshd process on macOS, which as of macOS 10.12 Sierra are no longer stored by default in an easily readable .log text file and must be dumped via a command such as log.

Details

Logs collected from /var/log/system.log have the following format:

Mar 19 11:16:20 macos1013 sshd: alice [priv][82027]: USER_PROCESS: 82038 ttys001
Mar 20 06:36:22 macos1014 com.apple.xpc.launchd[1] (com.openssh.sshd.2143DE96-DF0E-4100-9D09-6A0924A60506[2245]): Service exited with abnormal code: 255

macOS provides much more complete logs via the log command and offers them in a variety of formats. We will be using the --style syslog and --info options to obtain the necessary logs in the following format:

2020-03-24 06:07:50.998187-0700  localhost sshd[201]: Accepted publickey for alice from 10.0.2.2 port 55468 ssh2: RSA SHA256:abcdefghijklmopqrstuvwxyzabcdefghijklmopqrs
2020-03-23 09:55:42.391078-0700  localhost sshd[17329]: error: PAM: authentication error for alice from 192.168.33.1
2020-03-23 08:14:32.766049-0700  localhost sshd[8981]: error: maximum authentication attempts exceeded for invalid user eve from 192.168.33.1 port 55146 ssh2 [preauth]
2020-03-23 09:58:27.102292-0700  localhost sshd[18093]: error: maximum authentication attempts exceeded for alice from 192.168.33.1 port 55764 ssh2 [preauth]

Due to the predecoder not recognizing the macOS date format (and subsequently the program name), the SSH decoder fails to pick them up. Thus, a specialized macOS date format decoder, alongside child decoders for SSH, would be necessary to decode these logs. In addition, while many logs on macOS are identical to their Linux counterparts, not all are, and even without the date format issue some still fail to trip the proper rules.

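The three-stage chain the issue describes (predecoder splits the syslog header, an sshd child decoder extracts fields, rules fire on those fields), as an added example that is not Wazuh's code and not the decoders this issue asks for. It is a small Python model: the header regexes, the field names, and the rule names and levels are my own illustrative choices, not Wazuh rule IDs. The sample lines are the ones quoted in the issue above; the first two are the system.log format and the last four are the `log --style syslog --info` format.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Header of the classic BSD syslog line that the default predecoder understands,
# e.g. "Mar 19 11:16:20 macos1013 sshd: ..." from /var/log/system.log.
# The optional "(...)" group absorbs launchd's service label before the colon.
CLASSIC_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?(?: \([^)]*\))?: ?(?P<msg>.*)$"
)

# Header emitted by `log show --style syslog --info`: ISO date with microseconds
# and a UTC offset, then two spaces before the hostname (note the " +").
MACOS_HDR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4}) +(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

DEFAULT_FORMATS = (("classic", CLASSIC_HDR), ("macos", MACOS_HDR))


@dataclass
class Event:
    raw: str
    fmt: str                      # which header format matched
    ts: str
    host: str
    prog: str
    pid: Optional[str]
    msg: str
    fields: dict = field(default_factory=dict)
    rule: Optional[str] = None
    level: int = 0


def predecode(line: str, formats=DEFAULT_FORMATS) -> Optional[Event]:
    """Stage 1: split the syslog header off the message. None if no header matches."""
    for name, rx in formats:
        m = rx.match(line)
        if m:
            return Event(raw=line, fmt=name, ts=m["ts"], host=m["host"],
                         prog=m["prog"], pid=m["pid"], msg=m["msg"])
    return None


# Stage 2: sshd child decoder patterns, keyed by an illustrative event kind.
SSHD_PATTERNS = [
    ("auth_success", re.compile(
        r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<srcip>\S+) port (?P<srcport>\d+)")),
    ("pam_auth_error", re.compile(
        r"^error: PAM: authentication error for (?P<user>\S+) from (?P<srcip>\S+)")),
    ("max_auth_attempts", re.compile(
        r"^error: maximum authentication attempts exceeded for (?P<invalid>invalid user )?"
        r"(?P<user>\S+) from (?P<srcip>\S+) port (?P<srcport>\d+)")),
]


def decode_sshd(ev: Event) -> Event:
    """Only runs when the predecoder found program name sshd; fills ev.fields."""
    if ev.prog != "sshd":
        return ev
    for kind, rx in SSHD_PATTERNS:
        m = rx.match(ev.msg)
        if m:
            ev.fields = {k: v for k, v in m.groupdict().items() if v is not None and k != "invalid"}
            ev.fields["kind"] = kind
            ev.fields["invalid_user"] = m.groupdict().get("invalid") is not None
            return ev
    return ev


# Stage 3: hypothetical rule set (names and levels are illustrative only).
RULES = {
    "auth_success": ("macos_sshd_auth_success", 3),
    "pam_auth_error": ("macos_sshd_pam_auth_failed", 5),
    "max_auth_attempts": ("macos_sshd_max_auth_exceeded", 8),
}


def apply_rules(ev: Event) -> Event:
    kind = ev.fields.get("kind")
    if kind in RULES:
        ev.rule, ev.level = RULES[kind]
        # An "invalid user" lockout is a stronger signal than a valid account being brute-forced.
        if kind == "max_auth_attempts" and ev.fields.get("invalid_user"):
            ev.rule, ev.level = "macos_sshd_max_auth_exceeded_invalid_user", 10
    return ev


def process(line: str) -> Optional[Event]:
    ev = predecode(line)
    return None if ev is None else apply_rules(decode_sshd(ev))


def alerts(lines):
    """(rule, user, srcip) for every line that tripped a rule."""
    return [(e.rule, e.fields.get("user"), e.fields.get("srcip"))
            for e in map(process, lines) if e and e.rule]


# Sample lines copied from the issue text above (constructed test input, not live data).
SAMPLE_LINES = [
    "Mar 19 11:16:20 macos1013 sshd: alice [priv][82027]: USER_PROCESS: 82038 ttys001",
    "Mar 20 06:36:22 macos1014 com.apple.xpc.launchd[1] (com.openssh.sshd.2143DE96-DF0E-4100-9D09-6A0924A60506[2245]): Service exited with abnormal code: 255",
    "2020-03-24 06:07:50.998187-0700  localhost sshd[201]: Accepted publickey for alice from 10.0.2.2 port 55468 ssh2: RSA SHA256:abcdefghijklmopqrstuvwxyzabcdefghijklmopqrs",
    "2020-03-23 09:55:42.391078-0700  localhost sshd[17329]: error: PAM: authentication error for alice from 192.168.33.1",
    "2020-03-23 08:14:32.766049-0700  localhost sshd[8981]: error: maximum authentication attempts exceeded for invalid user eve from 192.168.33.1 port 55146 ssh2 [preauth]",
    "2020-03-23 09:58:27.102292-0700  localhost sshd[18093]: error: maximum authentication attempts exceeded for alice from 192.168.33.1 port 55764 ssh2 [preauth]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = process(line)
        if ev is None:
            print("UNPARSED:", line[:60])
            continue
        print(f"{ev.fmt:7} {ev.prog:22} rule={ev.rule} level={ev.level} {ev.fields}")
```

Running it shows the point the issue makes: the two system.log lines parse under the classic header but carry nothing a rule can act on, and the four `log` lines only parse at all once the second header regex is present (drop it from DEFAULT_FORMATS and they come back as UNPARSED). Two details worth keeping in mind when writing the real decoder: the `log` output puts two spaces between the timestamp and the hostname, and its timestamp carries a UTC offset while the classic format carries no year, so the two formats should not share one date-parsing path.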