
Add filter to UNC paths and mapped drives in Windows#30060

Merged
MarcelKemp merged 20 commits into
4.13.0from
fix/2042-check-network-drives
Jun 10, 2025

Conversation


@jotacarma90 jotacarma90 commented Jun 2, 2025

Related issue
https://github.com/wazuh/internal-devel-requests/issues/2042

Description

In this PR we have added some wrappers for certain file operation functions, to prevent the use of network paths.
We have also added all the necessary unit tests to cover the new cases and new functions.
Adapted the use of these wrappers to all expected functions.
Documentation request: https://github.com/wazuh/internal-documentation-requests/issues/156

Configuration options

  • logcollector:
  <localfile>
    <location>Z:/test.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <localfile>
    <location>\\192.168.0.5\shared\test.log</location>
    <log_format>syslog</log_format>
  </localfile>
  • syscheck:
    <directories>Z:\scheduled</directories>
    <directories>\\192.168.0.5\shared\scheduled</directories>

    <directories realtime="yes">Z:\realtime</directories>
    <directories realtime="yes">\\192.168.0.5\shared\realtime</directories>

    <directories whodata="yes">Z:\whodata</directories>
    <directories whodata="yes">\\192.168.0.5\shared\whodata</directories>
  • osquery:
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>\\192.168.0.5\shared\osqueryd.exe</bin_path>
    <log_path>\\192.168.0.5\shared\test.log</log_path>
    <config_path>\\192.168.0.5\shared\test.conf</config_path>
    <add_labels>no</add_labels>
  </wodle>
  • command:
  <wodle name="command">
    <disabled>no</disabled>
    <tag>test</tag>
    <command>\\192.168.0.5\shared\test.exe</command>
    <ignore_output>no</ignore_output>
    <run_on_start>yes</run_on_start>
    <timeout>0</timeout>
  </wodle>
  • rootcheck:
  <rootcheck>
    <disabled>no</disabled>
    <base_directory>\\192.168.0.5\shared\scheduled</base_directory>
    <rootkit_files>\\192.168.0.5\shared\scheduled</rootkit_files>
    <rootkit_trojans>\\192.168.0.5\shared\scheduled</rootkit_trojans>
  </rootcheck>
  • sca:
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
    <policies>
      <policy>\\192.168.0.5\shared\scheduled</policy>
      <policy>Z:\whodata</policy>
    </policies>
  </sca>
  • I tried to configure the deprecated open-scap and cis-cat modules:
  <wodle name="open-scap">
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <content type="xccdf" path="\\192.168.0.5\shared\osqueryd.exe"/>
    <content type="oval" path="\\192.168.0.5\shared\osqueryd.exe"/>
  </wodle>

  <wodle name="cis-cat">
    <disabled>no</disabled>
    <timeout>1800</timeout>
    <wday>monday</wday>
    <time>04:00</time>
    <interval>2w</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>\\192.168.0.5\shared\osqueryd.exe</java_path>
    <ciscat_path>\\192.168.0.5\shared\osqueryd.exe</ciscat_path>
    <content type="xccdf" path="\\192.168.0.5\shared\osqueryd.exe">
      <profile>xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server</profile>
    </content>
  </wodle>
  • But open-scap seems not compatible with Windows, and cis-cat shows errors but no ntlmssp traffic:
2025/06/06 13:50:29 wazuh-modulesd:oscap[4428] wm_oscap.c:298 at wm_oscap_main(): INFO: OPEN-SCAP module not compatible with Windows.
2025/06/09 15:30:05 wazuh-modulesd:ciscat[13148] wm_ciscat.c:166 at wm_ciscat_main(): ERROR: CIS-CAT tool not found at '\\192.168.0.5\shared\osqueryd.exe'.

Logs/Alerts example

  • When starting the agent, you see these warning logs (I have used WARNINGS in most of the logs, since the impact on those modules is only that of not being able to monitor or configure those specific paths. In the case of the wodle command, I have used ERROR since not being able to configure the command in this way completely prevents the module from starting):
2025/06/05 12:00:38 wazuh-agent[992] syscheck-config.c:1707 at Read_Syscheck(): WARNING: (9801): Network path not allowed in configuration. 'directories': Z:\scheduled.
2025/06/05 12:00:38 wazuh-agent[992] localfile-config.c:330 at Read_Localfile(): WARNING: (9801): Network path not allowed in configuration. 'location': Z:/test.log.
2025/06/05 12:00:38 wazuh-agent[992] syscheck-config.c:1707 at Read_Syscheck(): WARNING: (9801): Network path not allowed in configuration. 'directories': \\192.168.0.5\shared\scheduled.
2025/06/05 12:00:38 wazuh-agent[992] localfile-config.c:330 at Read_Localfile(): WARNING: (9801): Network path not allowed in configuration. 'location': \\192.168.0.5\shared\test.log.
2025/06/05 12:00:38 wazuh-agent[992] syscheck-config.c:1707 at Read_Syscheck(): WARNING: (9801): Network path not allowed in configuration. 'directories': Z:\realtime.
2025/06/05 12:00:38 wazuh-agent[992] syscheck-config.c:1707 at Read_Syscheck(): WARNING: (9801): Network path not allowed in configuration. 'directories': \\192.168.0.5\shared\realtime.
2025/06/05 12:00:38 wazuh-agent[992] syscheck-config.c:1707 at Read_Syscheck(): WARNING: (9801): Network path not allowed in configuration. 'directories': Z:\whodata.
2025/06/05 12:00:38 wazuh-agent[992] syscheck-config.c:1707 at Read_Syscheck(): WARNING: (9801): Network path not allowed in configuration. 'directories': \\192.168.0.5\shared\whodata.
2025/06/05 12:00:38 wazuh-agent[992] wmodules-osquery-monitor.c:73 at wm_osquery_monitor_read(): WARNING: (9801): Network path not allowed in configuration. 'bin_path': \\192.168.0.5\shared\osqueryd.exe.
2025/06/05 12:00:38 wazuh-agent[992] wmodules-osquery-monitor.c:84 at wm_osquery_monitor_read(): WARNING: (9801): Network path not allowed in configuration. 'log_path': \\192.168.0.5\shared\test.log.
2025/06/05 12:00:38 wazuh-agent[992] wmodules-osquery-monitor.c:96 at wm_osquery_monitor_read(): WARNING: (9801): Network path not allowed in configuration. 'config_path': \\192.168.0.5\shared\test.conf.
2025/06/06 09:56:28 wazuh-agent[2788] wmodules-command.c:101 at wm_command_read(): ERROR: (9801): Network path not allowed in configuration. 'command': \\192.168.0.5\shared\test.exe.

  • Logging with rootcheck and sca filter:
2025/06/06 11:56:32 wazuh-agent[5112] file_op.c:493 at w_stat(): WARNING: (9800): File access denied. Network path usage is not allowed: '\\192.168.0.5\shared\scheduled'.
2025/06/06 11:56:32 sca[5112] wmodules-sca.c:294 at wm_sca_read(): WARNING: Policy file '\\192.168.0.5\shared\scheduled' not found. Check your configuration.
2025/06/06 11:56:32 wazuh-agent[5112] file_op.c:493 at w_stat(): WARNING: (9800): File access denied. Network path usage is not allowed: 'Z:\whodata'.
2025/06/06 11:56:32 sca[5112] wmodules-sca.c:294 at wm_sca_read(): WARNING: Policy file 'Z:\whodata' not found. Check your configuration.
2025/06/06 11:56:33 rootcheck[5112] check_rc_sys.c:397 at check_rc_sys(): DEBUG: Starting on check_rc_sys
2025/06/06 11:56:33 wazuh-agent[5112] file_op.c:493 at w_stat(): WARNING: (9800): File access denied. Network path usage is not allowed: '\\192.168.0.5\shared\scheduled\WINDOWS'.
2025/06/06 11:56:33 wazuh-agent[5112] file_op.c:493 at w_stat(): WARNING: (9800): File access denied. Network path usage is not allowed: '\\192.168.0.5\shared\scheduled\Program Files'.
  • No ntlmssp traffic shows up in wireshark:

[screenshot omitted: Wireshark capture]

Tier 2 ITs testing 🟢

Extra testing using Responder + Wireshark

https://github.com/wazuh/internal-devel-requests/issues/2042#issuecomment-2956198415

Review Checklist

  • Code changes reviewed
  • Relevant evidence provided
  • Tests cover the new functionality
  • Configuration changes documented
  • Developer documentation reflects the changes
  • Meets requirements and/or definition of done
  • No unresolved dependencies with other issues
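
The filter described in this PR, reduced to a stand-alone illustration. This is an added example, not the wrappers merged here (the PR's own checks sit in file_op.c and the module config readers, per the log lines above); the names is_network_path, safe_fopen, is_remote_drive_fn and demo_is_remote are hypothetical. The reason the tests look for NetNTLMv2 is that the agent runs as a privileged Windows service, and a UNC path or mapped drive in ossec.conf makes the first stat()/fopen() open an SMB session to whatever host the path names; if an attacker controls that host (Responder in the linked tests), it receives an NTLM authentication attempt. Rejecting the path before any file API is called is what keeps the SMB client from ever being asked. On Windows the drive-letter resolver would be GetDriveTypeW(L"Z:\\") == DRIVE_REMOTE; here a constructed table stands in for it so the block runs anywhere. The \\?\UNC\ long-path form and forward-slash UNC form are my generalization, not something the page says the PR handles.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Resolver for drive letters. On Windows the real one would be
 *     GetDriveTypeW(L"Z:\\") == DRIVE_REMOTE
 * It is injected so the classification logic can be exercised off-box. */
typedef bool (*is_remote_drive_fn)(char drive_letter);

static bool is_sep(char c)
{
    return c == '\\' || c == '/';
}

/* "UNC" followed by a separator, case-insensitive, without reading past a NUL. */
static bool is_unc_component(const char *p)
{
    return toupper((unsigned char)p[0]) == 'U' && toupper((unsigned char)p[1]) == 'N'
        && toupper((unsigned char)p[2]) == 'C' && is_sep(p[3]);
}

/* Returns true when `path` names a network location:
 *   \\server\share, //server/share       UNC (Win32 accepts both slashes)
 *   \\?\UNC\server\share                 long-path form of UNC
 *   X:\..., X:/..., \\?\X:\...           where X: is a mapped network drive
 * Anything else (local drive, relative path, \\?\C:\...) is allowed. */
bool is_network_path(const char *path, is_remote_drive_fn is_remote)
{
    if (path == NULL)
        return false;
    const char *p = path;

    if (is_sep(p[0]) && is_sep(p[1]) && (p[2] == '?' || p[2] == '.') && is_sep(p[3])) {
        p += 4;                          /* skip the \\?\ or \\.\ prefix */
        if (is_unc_component(p))
            return true;                 /* \\?\UNC\server\share */
    } else if (is_sep(p[0]) && is_sep(p[1])) {
        return true;                     /* \\server\share or //server/share */
    }

    /* Drive letter: only the OS knows whether it is a mapped share. */
    if (isalpha((unsigned char)p[0]) && p[1] == ':')
        return is_remote((char)toupper((unsigned char)p[0]));

    return false;
}

/* Wrapper in the spirit of the PR's file-operation wrappers: refuse the path
 * before any file API can trigger an SMB connection. Error code and wording
 * follow the agent log lines quoted above. */
FILE *safe_fopen(const char *path, const char *mode, is_remote_drive_fn is_remote)
{
    if (is_network_path(path, is_remote)) {
        fprintf(stderr, "WARNING: (9800): File access denied. "
                        "Network path usage is not allowed: '%s'.\n", path);
        return NULL;
    }
    return fopen(path, mode);
}

/* Constructed stand-in for GetDriveTypeW(): assume Z: and Y: are mapped shares. */
static bool demo_is_remote(char drive_letter)
{
    return drive_letter == 'Z' || drive_letter == 'Y';
}

int main(void)
{
    /* Same shapes as the test configuration in the PR description. */
    const char *samples[] = {
        "Z:/test.log", "\\\\192.168.0.5\\shared\\test.log", "//192.168.0.5/shared/test.log",
        "\\\\?\\UNC\\192.168.0.5\\shared\\scheduled", "\\\\?\\Z:\\scheduled",
        "C:\\Program Files\\ossec-agent\\ossec.log", "\\\\?\\C:\\Windows", "logs\\local.log",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i],
               is_network_path(samples[i], demo_is_remote) ? "REJECT (network)" : "allow");
    return 0;
}
```

UNC forms are rejected on the string alone, before any OS call. A mapped drive letter looks exactly like a local one in the configuration, so that case has to be answered by the OS, which is why the resolver is a parameter rather than a hard-coded table: swap demo_is_remote for a GetDriveTypeW call on the agent and the classification logic stays identical.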

@jotacarma90 jotacarma90 changed the title Fix/2042 check network drives Add filter to UNC paths and mapped drives in Windows Jun 2, 2025
@jotacarma90 jotacarma90 force-pushed the fix/2042-check-network-drives branch 3 times, most recently from 9cc2f27 to 77972f5 Compare June 4, 2025 10:17
@jotacarma90 jotacarma90 force-pushed the fix/2042-check-network-drives branch 4 times, most recently from 1505fe3 to fa29890 Compare June 4, 2025 12:32
@jotacarma90 jotacarma90 force-pushed the fix/2042-check-network-drives branch 7 times, most recently from ffc58af to 60d0fcc Compare June 4, 2025 15:39
@jotacarma90 jotacarma90 force-pushed the fix/2042-check-network-drives branch from 60d0fcc to 2f85e7b Compare June 4, 2025 15:57
@jotacarma90 jotacarma90 force-pushed the fix/2042-check-network-drives branch from 07c3efd to fe39bc5 Compare June 5, 2025 07:55
@jotacarma90 jotacarma90 marked this pull request as ready for review June 5, 2025 12:05
@jotacarma90 jotacarma90 force-pushed the fix/2042-check-network-drives branch 3 times, most recently from 7aea034 to 447ed3a Compare June 6, 2025 09:00
@jotacarma90 jotacarma90 force-pushed the fix/2042-check-network-drives branch from 447ed3a to 12bf021 Compare June 6, 2025 09:35

@MarcelKemp MarcelKemp left a comment


LGTM.

  • Code changes reviewed
  • Relevant evidence provided
  • Tests cover the new functionality
  • Configuration changes documented
  • Developer documentation reflects the changes
  • Meets requirements and/or definition of done
  • No unresolved dependencies with other issues

An issue needs to be opened to reflect this in the documentation.


@vikman90 vikman90 left a comment


Tests show there is no further NetNTLMv2 traffic.
Both the code and the logs provided make sense.
LGTM!
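
A way to check the reviewer's claim offline, as an added example that is neither the PR's code nor the Responder/Wireshark setup used in the linked issue. In Wireshark the display filter ntlmssp.messagetype == 3 isolates AUTHENTICATE messages, which are the ones carrying the NTLMv2 response; the function below does the equivalent over a raw byte buffer by matching the 8-byte "NTLMSSP\0" signature and the little-endian MessageType field that follows it, so it can be run over a pcap payload or a reassembled SMB stream without a dissector. The sample bytes are constructed, not a real capture; count_ntlmssp and capture_shows_ntlm_leak are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTLM_NEGOTIATE    1u
#define NTLM_CHALLENGE    2u
#define NTLM_AUTHENTICATE 3u

/* Count NTLMSSP messages of one type in a raw buffer. Each NTLMSSP message
 * starts with the signature "NTLMSSP\0" followed by a 4-byte little-endian
 * MessageType, so 12 bytes are needed for a match. Truncated signatures at
 * the end of the buffer are ignored rather than read past the end. */
size_t count_ntlmssp(const uint8_t *buf, size_t len, uint32_t want_type)
{
    static const uint8_t sig[8] = { 'N', 'T', 'L', 'M', 'S', 'S', 'P', 0 };
    size_t n = 0;
    for (size_t i = 0; len >= 12 && i + 12 <= len; i++) {
        if (memcmp(buf + i, sig, sizeof sig) != 0)
            continue;
        uint32_t type = (uint32_t)buf[i + 8]
                      | (uint32_t)buf[i + 9] << 8
                      | (uint32_t)buf[i + 10] << 16
                      | (uint32_t)buf[i + 11] << 24;
        if (type == want_type)
            n++;
    }
    return n;
}

/* A capture proves a credential leak only if an AUTHENTICATE message went out:
 * NEGOTIATE alone shows the client tried, CHALLENGE is the server's nonce,
 * AUTHENTICATE carries the NtChallengeResponse (what Responder logs as NetNTLMv2). */
bool capture_shows_ntlm_leak(const uint8_t *buf, size_t len)
{
    return count_ntlmssp(buf, len, NTLM_AUTHENTICATE) > 0;
}

/* Constructed samples, not real captures: filler bytes around NTLMSSP headers. */
static const uint8_t sample_before_fix[] = {
    0x00, 0x01, 0x02,
    'N','T','L','M','S','S','P',0, 0x01,0x00,0x00,0x00,   /* NEGOTIATE */
    0xaa, 0xbb,
    'N','T','L','M','S','S','P',0, 0x02,0x00,0x00,0x00,   /* CHALLENGE */
    'N','T','L','M','S','S','P',0, 0x03,0x00,0x00,0x00,   /* AUTHENTICATE */
    0x41, 0x42,
};
static const uint8_t sample_after_fix[] = {
    'N','T','L','M','S','S','X',0, 0x03,0x00,0x00,0x00,   /* near miss: wrong signature */
    'N','T','L','M','S','S','P',                          /* truncated at end of buffer */
};

int main(void)
{
    printf("before fix: negotiate=%zu challenge=%zu authenticate=%zu leak=%d\n",
           count_ntlmssp(sample_before_fix, sizeof sample_before_fix, NTLM_NEGOTIATE),
           count_ntlmssp(sample_before_fix, sizeof sample_before_fix, NTLM_CHALLENGE),
           count_ntlmssp(sample_before_fix, sizeof sample_before_fix, NTLM_AUTHENTICATE),
           (int)capture_shows_ntlm_leak(sample_before_fix, sizeof sample_before_fix));
    printf("after fix:  authenticate=%zu leak=%d\n",
           count_ntlmssp(sample_after_fix, sizeof sample_after_fix, NTLM_AUTHENTICATE),
           (int)capture_shows_ntlm_leak(sample_after_fix, sizeof sample_after_fix));
    return 0;
}
```

Counting by message type rather than just "any NTLMSSP" matters for the verdict: a lone NEGOTIATE means the agent still tried to reach the share (the filter missed a path form), while a type 3 means a NetNTLMv2 response actually left the host.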

@MarcelKemp MarcelKemp merged commit 688972d into 4.13.0 Jun 10, 2025
87 checks passed
@MarcelKemp MarcelKemp deleted the fix/2042-check-network-drives branch June 10, 2025 11:28