Implemented static analysis for client side permissions (#4246)

Client side artifacts run on the endpoint without ACL enforcement. This
is usually what we want but sometimes the extra permissions can give the
user extra permissions on the end point.

The artifact writer can specify required permissions which will be
enforced by the server prior to collecting the artifact.

However, sometimes the artifact can use plugins with high priviledge
safely - in that case we do not want to restrict the users that may
collect it.

For example say the artifact collects autoruns by shelling to the
autoruns.exe tool. Even though it is using the execve() plugin this call
is safe because the args are fixed and can not be influenced by the
user. However if the artifact passed user input into the execve()
plugin, the user requires the EXECVE permission.

Previously, the artifact could declare EXECVE as a required permission,
for artifact uses where user input was directly allowed in execve()
calls. This enforces additional checks on the launching user to ensure
they have the EXECVE permission.

This PR modifies the artifact verifier to track plugin permissions used
in the artifact. This allows us to see if the artifact inadvertantly
gives the user permissions they do not have.

This PR introduces another field to the artifact definition called
`implied_permissions` where the artifact writer can declare permissions
which the artifact will give but the user does not require those. This
helps the verifier identify additional permissions that are accidentally
given to users on the client.

This PR adds a test to ensure built in artifacts have all necessary
permissions declared either in `required_permissions` or
`implied_permissions`

---------

Co-authored-by: snyk-bot <[email protected]>

Author: scudette

accessors/pst/cache.go

@@ -1,5 +1,5 @@
-//go:build !linux && !386
-// +build !linux,!386
+//go:build !386
+// +build !386
 
 package pst
 

accessors/pst/pst_accessor.go

@@ -1,5 +1,5 @@
-//go:build !linux && !386
-// +build !linux,!386
+//go:build !386
+// +build !386
 
 package pst
 

artifacts/definitions/Admin/Client/UpdateClientConfig.yaml

@@ -25,6 +25,10 @@ parameters:
      default: Y
      description: Should the client rekey its client ID.
 
+required_permissions:
+  - EXECVE
+  - FILESYSTEM_WRITE
+
 sources:
   - query: |
 

artifacts/definitions/Admin/Client/Upgrade/Debian.yaml

@@ -24,6 +24,10 @@ parameters:
     description: |
       The name of the service to restart after the upgrade.
 
+implied_permissions:
+  - EXECVE
+  - FILESYSTEM_WRITE
+
 sources:
   - precondition:
       SELECT OS From info() where OS =~ 'linux'

artifacts/definitions/Admin/Client/Upgrade/RedHat.yaml

@@ -24,6 +24,9 @@ parameters:
     description: |
       The name of the service to restart after the upgrade.
 
+implied_permissions:
+  - EXECVE
+
 sources:
   - precondition:
       SELECT OS From info() where OS =~ 'linux'

artifacts/definitions/Admin/Client/Upgrade/Windows.yaml

@@ -22,6 +22,10 @@ parameters:
       overwhelm the server so we stagger the download over this many
       seconds.
 
+implied_permissions:
+  - EXECVE
+  - FILESYSTEM_WRITE
+
 sources:
   - precondition:
       SELECT OS From info() where OS = 'windows'

artifacts/definitions/Generic/Client/CleanupTemp.yaml

@@ -13,6 +13,8 @@ parameters:
   - name: ReadllyDoIt
     type: bool
 
+required_permissions:
+  - FILESYSTEM_WRITE
 
 sources:
   - query: |

artifacts/definitions/Generic/Client/DiskSpace.yaml

@@ -6,6 +6,9 @@ description: |
     1. On Linux and MacOS we call `df -h`.
     2. On Windows we use WMI
 
+implied_permissions:
+  - EXECVE
+
 sources:
 - query: |
     LET NonWindows = SELECT * FROM foreach(row={

artifacts/definitions/Generic/Client/VQL.yaml

@@ -3,7 +3,7 @@ description: |
   Run arbitrary VQL on the endpoint.
 
 required_permissions:
-  - EXECVE
+  - IMPERSONATION
 
 parameters:
   - name: Command

artifacts/definitions/Generic/Forensic/LocalHashes/Init.yaml

@@ -8,6 +8,9 @@ parameters:
     description: Name of the local hash database
     default: hashdb.sqlite
 
+implied_permissions:
+  - FILESYSTEM_WRITE
+
 sources:
   - query: |
       LET SQL = "

artifacts/definitions/Generic/Utils/FetchBinary.yaml

@@ -42,6 +42,10 @@ parameters:
   - name: Version
     description: The version of the tool to fetch
 
+implied_permissions:
+  - SERVER_ADMIN
+  - FILESYSTEM_WRITE
+
 sources:
   - query: |
       -- The following VQL is particularly ancient because it is

artifacts/definitions/Linux/Network/PacketCapture.yaml

@@ -6,26 +6,29 @@ description: |
   The `Duration` parameter is used to define how long (in seconds) the capture should be.  Specific interfaces can be defined using the `Interface` parameter, otherwise the artifact defaults to an interface assignment of `any`.
 
   A `BPF` (Berkeley Packet Filter) expression can also be supplied to filter the captured traffic as desired.
-  
+
   Read more about BPF expressions here: https://biot.com/capstats/bpf.html
 
 required_permissions:
   - EXECVE
 
+implied_permissions:
+  - FILESYSTEM_WRITE
+
 parameters:
   - name: Duration
     type: integer
     description: Duration (in seconds) of PCAP to be recorded.
     default: 10
-  
+
   - name: Interface
     type: string
     default: any
 
   - name: BPF
     type: string
     default:
-    
+
 precondition:
   SELECT * FROM info() where OS = 'linux'
 

artifacts/definitions/Linux/RHEL/Packages.yaml

@@ -1,6 +1,10 @@
 name: Linux.RHEL.Packages
 description: |
   Parse packages installed from dnf or yum
+
+implied_permissions:
+  - EXECVE
+
 sources:
   - precondition: |
       SELECT OS From info() where OS = 'linux'

artifacts/definitions/Linux/SuSE/Packages.yaml

@@ -3,6 +3,9 @@ author: Hilko Bengen <[email protected]>
 description: |
   Parse list of installed packages from zypper output
 
+implied_permissions:
+  - EXECVE
+
 sources:
   - precondition: |
       SELECT OS From info() WHERE OS = 'linux'
@@ -12,11 +15,11 @@ sources:
         FROM execve(
           length=1000000,
           argv=["zypper", "--xmlout", "search", "--installed-only", "--details", "--type=package"])
-      
+
       LET xml = parse_xml(
           file=str(str=zypper_output.Stdout),
           accessor="data")
-      
+
       SELECT *
       FROM foreach(
         row=xml.stream.`search-result`.`solvable-list`.solvable,

artifacts/definitions/Linux/Sys/Services.yaml

@@ -1,16 +1,17 @@
 name: Linux.Sys.Services
-description: Parse services from systemctl 
+description: Parse services from systemctl
+
+implied_permissions:
+  - EXECVE
 
 sources:
   - precondition: |
       SELECT OS From info() where OS = 'linux'
     queries:
       - |
         LET services = SELECT Stdout FROM execve(argv=['systemctl', 'list-units',  '--type=service'])
-        
+
         LET all_services = SELECT grok(grok="%{NOTSPACE:Unit}%{SPACE}%{NOTSPACE:Load}%{SPACE}%{NOTSPACE:Active}%{SPACE}%{NOTSPACE:Sub}%{SPACE}%{GREEDYDATA:Description}", data=Line) AS Parsed
         FROM parse_lines(accessor="data", filename=services.Stdout)
-        
+
         SELECT * FROM foreach(row=all_services, column="Parsed") WHERE Unit =~ ".service"
-        
-        

artifacts/definitions/Linux/Users/RootUsers.yaml

@@ -7,6 +7,9 @@ author: George-Andrei Iosif (@iosifache)
 
 type: CLIENT
 
+implied_permissions:
+  - EXECVE
+
 sources:
   - precondition: |
       SELECT OS

artifacts/definitions/Linux/Utils/InstallDeb.yaml

@@ -31,6 +31,7 @@ type: CLIENT
 
 required_permissions:
    - EXECVE
+   - FILESYSTEM_WRITE
 
 reference:
    - https://manpages.debian.org/bookworm/debconf-doc/debconf-devel.7.en.html#Type

artifacts/definitions/MacOS/Network/PacketCapture.yaml

@@ -6,26 +6,29 @@ description: |
   The `Duration` parameter is used to define how long (in seconds) the capture should be.  Specific interfaces can be defined using the `Interface` parameter, otherwise the artifact defaults to an interface assignment of `any`.
 
   A `BPF` (Berkeley Packet Filter) expression can also be supplied to filter the captured traffic as desired.
-  
+
   Read more about BPF expressions here: https://biot.com/capstats/bpf.html
 
 required_permissions:
   - EXECVE
 
+implied_permissions:
+  - FILESYSTEM_WRITE
+
 parameters:
   - name: Duration
     type: integer
     description: Duration (in seconds) of PCAP to be recorded.
     default: 10
-  
+
   - name: Interface
     type: string
     default: any
 
   - name: BPF
     type: string
     default:
-    
+
 precondition:
   SELECT * FROM info() where OS = 'darwin'
 

artifacts/definitions/MacOS/System/Packages.yaml

@@ -1,24 +1,29 @@
 name: MacOS.System.Packages
 description: |
   Parse packages installed on Macs
+
 parameters:
   - name: Length
     description: Size (in bytes) of output that will be returned
     type: int
     default: "100000000"
+
+implied_permissions:
+  - EXECVE
+
 sources:
   - precondition: |
       SELECT OS From info() where OS = 'darwin'
     query: |
-        LET packages = SELECT parse_json(data=Stdout) AS Json 
+        LET packages = SELECT parse_json(data=Stdout) AS Json
           FROM execve(argv=[
             "system_profiler", "-json", "SPApplicationsDataType"
           ], length=Length)
 
         SELECT  _name AS Name,
-                get(field="version") AS Version, 
-                path AS Path, 
-                lastModified AS LastModified, 
+                get(field="version") AS Version,
+                path AS Path,
+                lastModified AS LastModified,
                 obtained_from AS ObtainedFrom,
                 get(field="signed_by") AS SignedBy,
                 arch_kind AS _Architecture

artifacts/definitions/Windows/ActiveDirectory/BloodHound.yaml

@@ -23,6 +23,9 @@ reference:
 required_permissions:
   - EXECVE
 
+implied_permissions:
+  - FILESYSTEM_WRITE
+
 tools:
   - name: SharpHound
     url: https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.exe

artifacts/definitions/Windows/Applications/NirsoftBrowserViewer.yaml

@@ -38,6 +38,10 @@ parameters:
      default: LOCAL
      description: Default timezone for parsing timestamps
 
+implied_permissions:
+  - EXECVE
+  - FILESYSTEM_WRITE
+
 sources:
   - precondition:
       SELECT OS From info() where OS = 'windows'

artifacts/definitions/Windows/Applications/SBECmd.yaml

@@ -34,6 +34,10 @@ tools:
 
 precondition: SELECT OS From info() where OS = 'windows'
 
+implied_permissions:
+  - EXECVE
+  - FILESYSTEM_WRITE
+
 parameters:
   - name: userRegex
     default: .

artifacts/definitions/Windows/Forensics/BulkExtractor.yaml

@@ -45,6 +45,9 @@ author: Matt Green - @mgreen27
 required_permissions:
   - EXECVE
 
+implied_permissions:
+  - FILESYSTEM_WRITE
+
 tools:
   - name: Bulk_Extractor_Binary
     url: https://github.com/Velocidex/Tools/raw/main/BulkExtractor/bulk_extractor.exe

artifacts/definitions/Windows/Memory/Acquisition.yaml

@@ -20,6 +20,9 @@ description: |
   go-winpmem.exe expand image.compressed image.raw
   ```
 
+implied_permissions:
+  - FILESYSTEM_WRITE
+
 precondition: |
   SELECT OS FROM info()
   WHERE OS = 'windows'

artifacts/definitions/Windows/Network/PacketCapture.yaml

@@ -15,6 +15,10 @@ tools:
     - name: etl2pcapng
       url: https://github.com/microsoft/etl2pcapng/releases/download/v1.4.0/etl2pcapng.zip
 
+implied_permissions:
+  - FILESYSTEM_WRITE
+  - EXECVE
+
 parameters:
     - name: StartTrace
       type: bool

artifacts/definitions/Windows/Remediation/Sinkhole.yaml

@@ -20,6 +20,9 @@ author: Matt Green - @mgreen27
 required_permissions:
   - EXECVE
 
+implied_permissions:
+  - FILESYSTEM_WRITE
+
 type: CLIENT
 
 parameters:

artifacts/definitions/Windows/Sys/Interfaces.yaml

@@ -3,6 +3,9 @@ description: |
   Report information about the systems interfaces. This artifact
   simply parses the output from ipconfig /all.
 
+implied_permissions:
+  - EXECVE
+
 sources:
  - precondition:
      SELECT OS from info() where OS = "windows"

artifacts/definitions/Windows/Sysinternals/Autoruns.yaml

@@ -15,6 +15,9 @@ tools:
 
 precondition: SELECT OS From info() where OS = 'windows'
 
+implied_permissions:
+  - EXECVE
+
 parameters:
   - name: All
     type: bool