Endpoint configuration implemented in admin API

Author: qjerome

.github/coverage/coverage.txt

@@ -167,7 +167,7 @@ func NewAgent(c *config.Agent) (h *Agent, err error) {
 	}
 
 	// loading forwarder config
-	if h.forwarder, err = client.NewForwarder(h.ctx, h.config.FwdConfig); err != nil {
+	if h.forwarder, err = client.NewForwarder(h.ctx, &h.config.FwdConfig); err != nil {
 		return
 	}
 

agent/agent.go

@@ -6,19 +6,19 @@ import (
 
 // Canary configuration
 type Canary struct {
-	HideFiles       bool     `toml:"hide-files" comment:"Flag to set to hide files"`
-	HideDirectories bool     `toml:"hide-dirs" comment:"Flag to set to hide directories"`
-	SetAuditACL     bool     `toml:"set-audit-acl" comment:"Set Audit ACL to the canary directories, sub-directories and files to generate File System audit events\n https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"`
-	Directories     []string `toml:"directories" comment:"Directories where canary files will be created"`
-	Files           []string `toml:"files" comment:"Canary files to monitor. Files will be created if not existing"`
-	Delete          bool     `toml:"delete" comment:"Whether to delete or not the canary files when service stops"`
+	HideFiles       bool     `json:"hide-files" toml:"hide-files" comment:"Flag to set to hide files"`
+	HideDirectories bool     `json:"hide-dirs" toml:"hide-dirs" comment:"Flag to set to hide directories"`
+	SetAuditACL     bool     `json:"set-audit-acl" toml:"set-audit-acl" comment:"Set Audit ACL to the canary directories, sub-directories and files to generate File System audit events\n https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system"`
+	Directories     []string `json:"directories" toml:"directories" comment:"Directories where canary files will be created"`
+	Files           []string `json:"files" toml:"files" comment:"Canary files to monitor. Files will be created if not existing"`
+	Delete          bool     `json:"delete" toml:"delete" comment:"Whether to delete or not the canary files when service stops"`
 	createdDir      *datastructs.SyncedSet
 }
 
 // Canaries structure holding canary configuration
 type Canaries struct {
-	Enable    bool      `toml:"enable" comment:"Enable canary files management"`
-	Actions   []string  `toml:"actions" comment:"Actions to apply when a canary file is touched"`
-	Whitelist []string  `toml:"whitelist" comment:"Process images being allowed to touch the canaries"`
-	Canaries  []*Canary `toml:"group" comment:"Canary files to create at every run"`
+	Enable    bool      `json:"enable" toml:"enable" comment:"Enable canary files management"`
+	Actions   []string  `json:"actions" toml:"actions" comment:"Actions to apply when a canary file is touched"`
+	Whitelist []string  `json:"whitelist" toml:"whitelist" comment:"Process images being allowed to touch the canaries"`
+	Canaries  []*Canary `json:"group" toml:"group" comment:"Canary files to create at every run"`
 }

agent/config/canary.go

@@ -27,33 +27,33 @@ var (
 )
 
 type Actions struct {
-	AvailableActions []string `toml:"available-actions" commented:"true" comment:"List of available actions (here as a memo for easier configuration, but it is not used in any way by the engine)"`
-	Low              []string `toml:"low" comment:"Default actions to be taken when event criticality is in [1; 4]"`
-	Medium           []string `toml:"medium" comment:"Default actions to be taken when event criticality is in [5; 7]"`
-	High             []string `toml:"high" comment:"Default actions to be taken when event criticality is in [8; 9]"`
-	Critical         []string `toml:"critical" comment:"Default actions to be taken when event criticality is 10"`
+	AvailableActions []string `json:"available-actions" toml:"available-actions" commented:"true" comment:"List of available actions (here as a memo for easier configuration, but it is not used in any way by the engine)"`
+	Low              []string `json:"low" toml:"low" comment:"Default actions to be taken when event criticality is in [1; 4]"`
+	Medium           []string `json:"medium" toml:"medium" comment:"Default actions to be taken when event criticality is in [5; 7]"`
+	High             []string `json:"high" toml:"high" comment:"Default actions to be taken when event criticality is in [8; 9]"`
+	Critical         []string `json:"critical" toml:"critical" comment:"Default actions to be taken when event criticality is 10"`
 }
 
 // Dump structure definition
 type Dump struct {
-	Dir           string `toml:"dir" comment:"Directory used to store dumps"`
-	MaxDumps      int    `toml:"max-dumps" comment:"Maximum number of dumps per process"` // maximum number of dump per GUID
-	Compression   bool   `toml:"compression" comment:"Enable dumps compression"`
-	DumpUntracked bool   `toml:"dump-untracked" comment:"Dumps untracked process. Untracked processes are missing\n enrichment information and may generate unwanted dumps"` // whether or not we should dump untracked processes, if true it would create many FPs
+	Dir           string `json:"dir" toml:"dir" comment:"Directory used to store dumps"`
+	MaxDumps      int    `json:"max-dumps" toml:"max-dumps" comment:"Maximum number of dumps per process"` // maximum number of dump per GUID
+	Compression   bool   `json:"compression" toml:"compression" comment:"Enable dumps compression"`
+	DumpUntracked bool   `json:"dump-untracked" toml:"dump-untracked" comment:"Dumps untracked process. Untracked processes are missing\n enrichment information and may generate unwanted dumps"` // whether or not we should dump untracked processes, if true it would create many FPs
 }
 
 // Sysmon holds Sysmon related configuration
 type Sysmon struct {
-	Bin              string `toml:"bin" comment:"Path to Sysmon binary"`
-	ArchiveDirectory string `toml:"archive-directory" comment:"Path to Sysmon Archive directory"`
-	CleanArchived    bool   `toml:"clean-archived" comment:"Delete files older than 5min archived by Sysmon"`
+	Bin              string `json:"bin" toml:"bin" comment:"Path to Sysmon binary"`
+	ArchiveDirectory string `json:"archive-directory" toml:"archive-directory" comment:"Path to Sysmon Archive directory"`
+	CleanArchived    bool   `json:"clean-archived" toml:"clean-archived" comment:"Delete files older than 5min archived by Sysmon"`
 }
 
 // Rules holds rules configuration
 type Rules struct {
-	RulesDB        string        `toml:"rules-db" comment:"Path to Gene rules database"`
-	ContainersDB   string        `toml:"containers-db" comment:"Path to Gene rules containers\n (c.f. Gene documentation)"`
-	UpdateInterval time.Duration `toml:"update-interval" comment:"Update interval at which rules should be pulled from manager\n NB: only applies if a manager server is configured"`
+	RulesDB        string        `json:"rules-db" toml:"rules-db" comment:"Path to Gene rules database"`
+	ContainersDB   string        `json:"containers-db" toml:"containers-db" comment:"Path to Gene rules containers\n (c.f. Gene documentation)"`
+	UpdateInterval time.Duration `json:"update-interval" toml:"update-interval" comment:"Update interval at which rules should be pulled from manager\n NB: only applies if a manager server is configured"`
 }
 
 func (c *Rules) RulesPaths() (path, sha256Path string) {
@@ -64,9 +64,9 @@ func (c *Rules) RulesPaths() (path, sha256Path string) {
 
 // Audit holds Windows audit configuration
 type Audit struct {
-	Enable        bool     `toml:"enable" comment:"Enable following Audit Policies or not"`
-	AuditPolicies []string `toml:"audit-policies" comment:"Audit Policies to enable (c.f. auditpol /get /category:* /r)"`
-	AuditDirs     []string `toml:"audit-dirs" comment:"Set Audit ACL to directories, sub-directories and files to generate File System audit events\n https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system)"`
+	Enable        bool     `json:"enable" toml:"enable" comment:"Enable following Audit Policies or not"`
+	AuditPolicies []string `json:"audit-policies" toml:"audit-policies" comment:"Audit Policies to enable (c.f. auditpol /get /category:* /r)"`
+	AuditDirs     []string `json:"audit-dirs" toml:"audit-dirs" comment:"Set Audit ACL to directories, sub-directories and files to generate File System audit events\n https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system)"`
 }
 
 // Configure configures the desired audit policies
@@ -111,23 +111,22 @@ func (c *Audit) Restore() {
 
 // Agent structure
 type Agent struct {
-	//Channels        []string             `toml:"channels" comment:"Windows log channels to listen to. Either channel names\n can be used (i.e. Microsoft-Windows-Sysmon/Operational) or aliases"`
-	DatabasePath    string            `toml:"db-path" comment:"Path to local database root directory"`
-	CritTresh       int               `toml:"criticality-treshold" comment:"Dumps/forward only events above criticality threshold\n or filtered events (i.e. Gene filtering rules)"`
-	EnableHooks     bool              `toml:"en-hooks" comment:"Enable enrichment hooks and dump hooks"`
-	EnableFiltering bool              `toml:"en-filters" comment:"Enable event filtering (log filtered events, not only alerts)\n See documentation: https://github.com/0xrawsec/gene"`
-	Logfile         string            `toml:"logfile" comment:"Logfile used to log messages generated by the engine"` // for WHIDS log messages (not alerts)
-	LogAll          bool              `toml:"log-all" comment:"Log any incoming event passing through the engine"`    // log all events to logfile (used for debugging)
-	Endpoint        bool              `toml:"endpoint" comment:"True if current host is the endpoint on which logs are generated\n Example: turn this off if running on a WEC"`
-	EtwConfig       *Etw              `toml:"etw" comment:"ETW configuration"`
-	FwdConfig       *config.Forwarder `toml:"forwarder" comment:"Forwarder configuration"`
-	Sysmon          *Sysmon           `toml:"sysmon" comment:"Sysmon related settings"`
-	Actions         *Actions          `toml:"actions" comment:"Default actions to apply to events, depending on their criticality"`
-	Dump            *Dump             `toml:"dump" comment:"Dump related settings"`
-	Report          *Report           `toml:"reporting" comment:"Reporting related settings"`
-	RulesConfig     *Rules            `toml:"rules" comment:"Gene rules related settings\n Gene repo: https://github.com/0xrawsec/gene\n Gene rules repo: https://github.com/0xrawsec/gene-rules"`
-	AuditConfig     *Audit            `toml:"audit" comment:"Windows auditing configuration"`
-	CanariesConfig  *Canaries         `toml:"canaries" comment:"Canary files configuration"`
+	DatabasePath    string           `json:"db-path" toml:"db-path" comment:"Path to local database root directory"`
+	CritTresh       int              `json:"criticality-treshold" toml:"criticality-treshold" comment:"Dumps/forward only events above criticality threshold\n or filtered events (i.e. Gene filtering rules)" `
+	EnableHooks     bool             `json:"en-hooks" toml:"en-hooks" comment:"Enable enrichment hooks and dump hooks"`
+	EnableFiltering bool             `json:"en-filters" toml:"en-filters" comment:"Enable event filtering (log filtered events, not only alerts)\n See documentation: https://github.com/0xrawsec/gene" `
+	Logfile         string           `json:"logfile" toml:"logfile" comment:"Logfile used to log messages generated by the engine"` // for WHIDS log messages (not alerts)
+	LogAll          bool             `json:"log-all" toml:"log-all" comment:"Log any incoming event passing through the engine" `   // log all events to logfile (used for debugging)
+	Endpoint        bool             `json:"endpoint" toml:"endpoint" comment:"True if current host is the endpoint on which logs are generated\n Example: turn this off if running on a WEC"`
+	EtwConfig       Etw              `json:"etw" toml:"etw" comment:"ETW configuration"`
+	FwdConfig       config.Forwarder `json:"forwarder" toml:"forwarder" comment:"Forwarder configuration"`
+	Sysmon          Sysmon           `json:"sysmon" toml:"sysmon" comment:"Sysmon related settings"`
+	Actions         Actions          `json:"actions" toml:"actions" comment:"Default actions to apply to events, depending on their criticality"`
+	Dump            Dump             `json:"dump" toml:"dump" comment:"Dump related settings"`
+	Report          Report           `json:"report" toml:"reporting" comment:"Reporting related settings"`
+	RulesConfig     Rules            `json:"rules" toml:"rules" comment:"Gene rules related settings\n Gene repo: https://github.com/0xrawsec/gene\n Gene rules repo: https://github.com/0xrawsec/gene-rules"`
+	AuditConfig     Audit            `json:"audit" toml:"audit" comment:"Windows auditing configuration"`
+	CanariesConfig  Canaries         `json:"canaries" toml:"canaries" comment:"Canary files configuration"`
 }
 
 // LoadsHIDSConfig loads a HIDS configuration from a file
@@ -144,7 +143,7 @@ func LoadsHIDSConfig(path string) (c Agent, err error) {
 
 // IsForwardingEnabled returns true if a forwarder is actually configured to forward logs
 func (c *Agent) IsForwardingEnabled() bool {
-	return *c.FwdConfig != emptyForwarderConfig && !c.FwdConfig.Local
+	return c.FwdConfig != emptyForwarderConfig && !c.FwdConfig.Local
 }
 
 // Prepare creates directory used in the config if not existing

agent/config/config.go

@@ -2,7 +2,7 @@ package config
 
 type Etw struct {
 	// set as private not to support it officially as Microsoft-Windows-Kernel-File generates too many events
-	enTraceFile bool     `toml:"trace-files" comment:"Enable file read/write events via an optimized Microsoft-Windows-Kernel-File provider"`
-	Providers   []string `toml:"providers" comment:"ETW providers to enable in the EDR autologger setting"`
-	Traces      []string `toml:"traces" comment:"Additional ETW traces to retrieve events"`
+	enTraceFile bool     `json:"trace-files" toml:"trace-files" comment:"Enable file read/write events via an optimized Microsoft-Windows-Kernel-File provider"`
+	Providers   []string `json:"providers" toml:"providers" comment:"ETW providers to enable in the EDR autologger setting"`
+	Traces      []string `json:"traces" toml:"traces" comment:"Additional ETW traces to retrieve events"`
 }

agent/config/etw.go

@@ -63,7 +63,7 @@ var (
 
 // OSQuery holds configuration about OSQuery tool
 type OSQuery struct {
-	Tables []string `toml:"tables" comment:"OSQuery tables to add to the report"`
+	Tables []string `json:"tables" toml:"tables" comment:"OSQuery tables to add to the report"`
 }
 
 // PrepareCommands builds up osquery commands
@@ -84,10 +84,10 @@ func (c *OSQuery) PrepareCommands() (cmds []ReportCommand) {
 
 // Report holds report configuration
 type Report struct {
-	EnableReporting bool            `toml:"en-reporting" comment:"Enables IR reporting"`
-	OSQuery         OSQuery         `toml:"osquery" comment:"OSQuery configuration"`
-	Commands        []ReportCommand `toml:"commands" comment:"Commands to execute in addition to the OSQuery ones" commented:"true"`
-	CommandTimeout  time.Duration   `toml:"timeout" comment:"Timeout after which every command expires (to prevent too long commands)"`
+	EnableReporting bool            `json:"en-reporting" toml:"en-reporting" comment:"Enables IR reporting"`
+	OSQuery         OSQuery         `json:"osquery" toml:"osquery" comment:"OSQuery configuration"`
+	Commands        []ReportCommand `json:"commands" toml:"commands" comment:"Commands to execute in addition to the OSQuery ones" commented:"true"`
+	CommandTimeout  time.Duration   `json:"timeout" toml:"timeout" comment:"Timeout after which every command expires (to prevent too long commands)"`
 }
 
 // PrepareCommands builds up all commands to run

agent/config/reports.go

@@ -14,13 +14,13 @@ func BuildDefaultConfig(root string) *config.Agent {
 	logDir := filepath.Join(root, "Logs")
 
 	return &config.Agent{
-		RulesConfig: &config.Rules{
+		RulesConfig: config.Rules{
 			RulesDB:        filepath.Join(root, "Database", "Rules"),
 			ContainersDB:   filepath.Join(root, "Database", "Containers"),
 			UpdateInterval: 60 * time.Second,
 		},
 
-		FwdConfig: &clientConfig.Forwarder{
+		FwdConfig: clientConfig.Forwarder{
 			Local: true,
 			Client: clientConfig.Client{
 				MaxUploadSize: api.DefaultMaxUploadSize,
@@ -30,7 +30,7 @@ func BuildDefaultConfig(root string) *config.Agent {
 				RotationInterval: time.Hour * 5,
 			},
 		},
-		EtwConfig: &config.Etw{
+		EtwConfig: config.Etw{
 			Providers: []string{
 				"Microsoft-Windows-Sysmon",
 				"Microsoft-Windows-Windows Defender",
@@ -39,25 +39,25 @@ func BuildDefaultConfig(root string) *config.Agent {
 			},
 			Traces: []string{"Eventlog-Security"},
 		},
-		Sysmon: &config.Sysmon{
+		Sysmon: config.Sysmon{
 			Bin:              "C:\\Windows\\Sysmon64.exe",
 			ArchiveDirectory: "C:\\Sysmon\\",
 			CleanArchived:    true,
 		},
-		Actions: &config.Actions{
+		Actions: config.Actions{
 			AvailableActions: AvailableActions,
 			Low:              []string{},
 			Medium:           []string{"brief", "filedump", "regdump"},
 			High:             []string{"report", "filedump", "regdump"},
 			Critical:         []string{"report", "filedump", "regdump", "memdump"},
 		},
-		Dump: &config.Dump{
+		Dump: config.Dump{
 			Dir:           filepath.Join(root, "Dumps"),
 			Compression:   true,
 			MaxDumps:      4,
 			DumpUntracked: false,
 		},
-		Report: &config.Report{
+		Report: config.Report{
 			EnableReporting: false,
 			OSQuery: config.OSQuery{
 				Tables: []string{"processes", "services", "scheduled_tasks", "drivers", "startup_items", "process_open_sockets"}},
@@ -69,10 +69,10 @@ func BuildDefaultConfig(root string) *config.Agent {
 			}},
 			CommandTimeout: 60 * time.Second,
 		},
-		AuditConfig: &config.Audit{
+		AuditConfig: config.Audit{
 			AuditPolicies: []string{"File System"},
 		},
-		CanariesConfig: &config.Canaries{
+		CanariesConfig: config.Canaries{
 			Enable: false,
 			Canaries: []*config.Canary{
 				{

agent/defaults.go

@@ -138,7 +138,7 @@ func TestHooks(t *testing.T) {
 	defer os.RemoveAll(tmp)
 
 	c := BuildDefaultConfig(tmp)
-	c.Actions = &config.Actions{
+	c.Actions = config.Actions{
 		AvailableActions: AvailableActions,
 		Low:              []string{},
 		Medium:           []string{},