From 12c7901b8241fc37de8406c5edecc7c655922901 Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Wed, 3 Apr 2024 12:25:52 +0200 Subject: [PATCH 01/19] Support languages for pandora_security_win auditpol --- .../src/pandora_security_win.py | 39 ++++++++++++++----- .../win32/bin/util/pandora_security_win.conf | 8 ++++ 2 files changed, 37 insertions(+), 10 deletions(-) create mode 100644 pandora_agents/win32/bin/util/pandora_security_win.conf diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index d9ac15f978..c6be40985f 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -1,6 +1,7 @@ import wmi, sys, winreg, os, subprocess, json, re from datetime import datetime, timedelta - +import argparse +import configparser ## Define modules modules=[] 
@@ -333,22 +334,18 @@ def check_password_enforcement(): print("Failed to check password enforcement for users.", file=sys.stderr) -def check_login_audit_policy(): +def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_conf, auditpol_logon_noaudit_conf): try: # Run the auditpol command to check the audit policy for Logon/Logoff - cmd_command = "auditpol /get /subcategory:Logon" + cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True) last_line = result.stdout.strip().split('\n')[-1] cleaned_line = re.sub(' +', ' ', last_line) # Interpret the result - if "Success and Failure" in result.stdout: + if auditpol_logon_success_conf in result.stdout: result = 1 - elif "Aciertos y errores" in result.stdout: - result = 1 - elif "No Auditing" in result.stdout: - result = 0 - elif "Sin auditoría" in result.stdout: + elif auditpol_logon_noaudit_conf in result.stdout: result = 0 else: print("Unable to determine audit policy for Logon/Logoff events.", file=sys.stderr) 
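Review bot: The new `cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"'` interpolates a value read from the configuration file into a string that is then handed to `subprocess.run(..., shell=True)`, so a category containing a `"` followed by `&` or `|` would be interpreted by cmd.exe with the plugin's privileges; the hard-coded `Logon` it replaces had no such exposure. Pass the arguments as a list and drop the shell: `result = subprocess.run(["auditpol", "/get", f"/subcategory:{auditpol_logon_category}"], capture_output=True, text=True, check=True)` — Python then does the CreateProcess quoting and the embedded quotes are no longer needed. If the agent runs this plugin with elevated rights, as agent plugins usually do, the write ACL on the .conf file becomes a trust boundary worth stating in the file's header. check_login_audit_policy's body continues past the end of the hunk.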
@@ -366,14 +363,36 @@ def check_login_audit_policy(): print("Failed to check audit policy using auditpol command.", file=sys.stderr) return +def parse_parameter(config=None, key="", default=""): + try: + return config.get("CONF", key) + except Exception as e: + return default if __name__ == "__main__": + + # Parse arguments + parser = argparse.ArgumentParser(description= "", formatter_class=argparse.RawTextHelpFormatter) + parser.add_argument('--conf', help='Path to configuration file', metavar='', required=False) + args = parser.parse_args() + config = configparser.ConfigParser() + + if(args.conf): + try: + config.read_string('[CONF]\n' + open(args.conf).read()) + except Exception as e: + print("Error while reading configuration file, using default values: "+str(e), file=sys.stderr) + + auditpol_logon_category = parse_parameter(config, "auditpol_logon_category", "Logon") + auditpol_logon_success_conf = parse_parameter(config, "auditpol_logon_success_conf", "Success and Failure") + auditpol_logon_noaudit_conf = parse_parameter(config, "auditpol_logon_noaudit_conf", "No Auditing") + check_antivirus_status() check_locksreen_enables() get_windows_update_info() is_firewall_enabled() check_password_enforcement() - check_login_audit_policy() + check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_conf, auditpol_logon_noaudit_conf) for module in modules: print_module(module, True) diff --git a/pandora_agents/win32/bin/util/pandora_security_win.conf b/pandora_agents/win32/bin/util/pandora_security_win.conf new file mode 100644 index 0000000000..7986220bb4 --- /dev/null +++ b/pandora_agents/win32/bin/util/pandora_security_win.conf @@ -0,0 +1,8 @@ +auditpol_logon_category = Logon +#auditpol_logon_category = Inicio de sesión + +auditpol_logon_success_conf = Success and Failure +#auditpol_logon_success_conf = Aciertos y errores + +auditpol_logon_noaudit_conf = No Auditing +#auditpol_logon_noaudit_conf = Sin auditoría \ No newline at end of file 
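Review bot: `parse_parameter` catches every exception and silently returns the English default, so a malformed or mis-encoded conf file on a Spanish host makes the auditpol check fall back to `Success and Failure`/`No Auditing`, match nothing, and report "Unable to determine" with no hint that the configuration was ignored; a `%` in a value also trips ConfigParser's default interpolation inside `config.get` and is swallowed the same way. Construct the parser with `config = configparser.ConfigParser(interpolation=None)` and narrow the handler to `except (configparser.NoSectionError, configparser.NoOptionError):`, letting anything else be reported on stderr. A one-line docstring on `parse_parameter` stating that a missing key yields `default` would also help, since the name does not say so.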
From 7ed324fdb61eb2d44b4b8e1764b8dd37595f173c Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Wed, 3 Apr 2024 12:44:29 +0200 Subject: [PATCH 02/19] Debugging --- .../windows/pandora_security_win/src/pandora_security_win.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index c6be40985f..bde46d4acc 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -387,6 +387,10 @@ if __name__ == "__main__": auditpol_logon_success_conf = parse_parameter(config, "auditpol_logon_success_conf", "Success and Failure") auditpol_logon_noaudit_conf = parse_parameter(config, "auditpol_logon_noaudit_conf", "No Auditing") + print(auditpol_logon_category) + print(auditpol_logon_success_conf) + print(auditpol_logon_noaudit_conf) + check_antivirus_status() check_locksreen_enables() get_windows_update_info() From def9f54044488347c8bc5644c9609cf6d03de7ae Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Wed, 3 Apr 2024 12:52:51 +0200 Subject: [PATCH 03/19] Debugging --- .../pandora_security_win/src/pandora_security_win.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index bde46d4acc..17b1c86bf1 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -1,3 +1,5 @@ +# -*- coding: utf-8 -*- + import wmi, sys, winreg, os, subprocess, json, re from datetime import datetime, timedelta import argparse 
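Review bot: The three added `print(auditpol_logon_*)` calls write to stdout, which appears to be the channel the agent parses for module data (`print_module` is called further down in the same `__main__` block), so the debug values end up in the module stream rather than in a log. If they are to stay for diagnosis, send them where the file's other messages go, e.g. `print(auditpol_logon_category, file=sys.stderr)`, or guard them behind a `--debug` argument.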
@@ -379,7 +381,9 @@ if __name__ == "__main__": if(args.conf): try: - config.read_string('[CONF]\n' + open(args.conf).read()) + with open(args.conf, 'r', encoding='utf-8') as f: + content = f.read() + config.read_string('[CONF]\n' + content) except Exception as e: print("Error while reading configuration file, using default values: "+str(e), file=sys.stderr) From 1a1d0272f440d92c7027c2779327c1154824a3ff Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Wed, 3 Apr 2024 13:01:39 +0200 Subject: [PATCH 04/19] Support UTF-8 for conf file --- .../windows/pandora_security_win/src/pandora_security_win.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index 17b1c86bf1..2144b23629 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -391,10 +391,6 @@ if __name__ == "__main__": auditpol_logon_success_conf = parse_parameter(config, "auditpol_logon_success_conf", "Success and Failure") auditpol_logon_noaudit_conf = parse_parameter(config, "auditpol_logon_noaudit_conf", "No Auditing") - print(auditpol_logon_category) - print(auditpol_logon_success_conf) - print(auditpol_logon_noaudit_conf) - check_antivirus_status() check_locksreen_enables() get_windows_update_info() From b71adc42ac014c4d9bcb16dffe5940cf7706f4ab Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Wed, 3 Apr 2024 13:09:59 +0200 Subject: [PATCH 05/19] Added compiled plugin --- pandora_agents/win32/bin/util/pandora_security_win.exe | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pandora_agents/win32/bin/util/pandora_security_win.exe b/pandora_agents/win32/bin/util/pandora_security_win.exe index a21f40faf6..d0869b6981 100755 --- a/pandora_agents/win32/bin/util/pandora_security_win.exe 
+++ b/pandora_agents/win32/bin/util/pandora_security_win.exe @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c58891fbd16bf80f288e0ff4751801aa02dbf4e6c914625b4d49a364c7e0b511 -size 7829249 +oid sha256:00ff23120d9c4b7f16586555550ada5460938d9fc8b2dca81c4acd49750122e2 +size 7735622 From 6725bb6da6981504506b8189140ebe404675ae8f Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Mon, 8 Apr 2024 12:33:12 +0200 Subject: [PATCH 06/19] Debugging --- .../windows/pandora_security_win/src/pandora_security_win.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index 2144b23629..ec6ce60427 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -341,8 +341,7 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con # Run the auditpol command to check the audit policy for Logon/Logoff cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True) - last_line = result.stdout.strip().split('\n')[-1] - cleaned_line = re.sub(' +', ' ', last_line) + last_line = result.stdout.strip().split('\n')[-1].strip() # Interpret the result if auditpol_logon_success_conf in result.stdout: @@ -357,7 +356,7 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con "type" : "generic_proc", "value": result, "module_group": "security", - "desc" : f"Check if the logon events audit log is enables, status:{cleaned_line}", + "desc" : f"Check if the logon events audit log is enables, status: {last_line}", }) except subprocess.CalledProcessError as e: From d46533e9d792d9689508db6e1f0215376b2c8cf9 Mon Sep 17 00:00:00 2001 
From: Enrique Martin Date: Mon, 8 Apr 2024 12:43:33 +0200 Subject: [PATCH 07/19] Debugging --- .../windows/pandora_security_win/src/pandora_security_win.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index ec6ce60427..f0094e2d23 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -340,8 +340,9 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con try: # Run the auditpol command to check the audit policy for Logon/Logoff cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' - result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True) + result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding='utf-8') last_line = result.stdout.strip().split('\n')[-1].strip() + cleaned_line = re.sub(' +', ' ', last_line) # Interpret the result if auditpol_logon_success_conf in result.stdout: @@ -356,7 +357,7 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con "type" : "generic_proc", "value": result, "module_group": "security", - "desc" : f"Check if the logon events audit log is enables, status: {last_line}", + "desc" : f"Check if the logon events audit log is enables, status: {cleaned_line}", }) except subprocess.CalledProcessError as e: From 120c5ae7f90d91e601aa44f04e4379084d659d3c Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Mon, 8 Apr 2024 13:01:02 +0200 Subject: [PATCH 08/19] Debugging --- .../windows/pandora_security_win/src/pandora_security_win.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
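Review bot: `encoding='utf-8'` on the `subprocess.run` call assumes auditpol emits UTF-8, but Windows console tools write in the console's OEM code page, so the localized `Aciertos y errores`/`Sin auditoría` output would most likely raise `UnicodeDecodeError` here instead of decoding. That exception is not a `CalledProcessError`, so unless a broader handler follows (the rest of the try/except is outside the hunk) it escapes the function. Decoding with the Windows-only `'oem'` codec, `encoding='oem'`, and adding `errors='replace'` would be safer than a fixed UTF-8 guess.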
diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index f0094e2d23..f0e9b0a171 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -340,8 +340,8 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con try: # Run the auditpol command to check the audit policy for Logon/Logoff cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' - result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding='utf-8') - last_line = result.stdout.strip().split('\n')[-1].strip() + result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding='latin-1') + last_line = result.stdout.encode('latin-1').decode('utf-8').strip().split('\n')[-1].strip() cleaned_line = re.sub(' +', ' ', last_line) # Interpret the result From 96199c0558638a645777aa8d27f6f1be3dd69b30 Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Mon, 8 Apr 2024 13:06:25 +0200 Subject: [PATCH 09/19] Debugging --- .../windows/pandora_security_win/src/pandora_security_win.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index f0e9b0a171..d8ddc5aaa7 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py 
@@ -340,8 +340,8 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con try: # Run the auditpol command to check the audit policy for Logon/Logoff cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' - result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding='latin-1') - last_line = result.stdout.encode('latin-1').decode('utf-8').strip().split('\n')[-1].strip() + result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True) + last_line = result.stdout.encode(sys.getdefaultencoding()).decode('utf-8').strip().split('\n')[-1].strip() cleaned_line = re.sub(' +', ' ', last_line) # Interpret the result From 96243ab530820c4e49783743326cc23bc3788923 Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Mon, 8 Apr 2024 13:28:08 +0200 Subject: [PATCH 10/19] Debugging --- .../windows/pandora_security_win/src/pandora_security_win.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index d8ddc5aaa7..661fd77429 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -345,9 +345,9 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con cleaned_line = re.sub(' +', ' ', last_line) # Interpret the result - if auditpol_logon_success_conf in result.stdout: + if auditpol_logon_success_conf.encode(sys.getdefaultencoding()).decode('utf-8') in result.stdout: result = 1 - elif auditpol_logon_noaudit_conf in result.stdout: + elif auditpol_logon_noaudit_conf.encode(sys.getdefaultencoding()).decode('utf-8') in result.stdout: result = 0 else: print("Unable to determine audit policy for Logon/Logoff events.", file=sys.stderr) 
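Review bot: `sys.getdefaultencoding()` returns `'utf-8'` on every Python 3 interpreter regardless of the Windows console code page, so `.encode(sys.getdefaultencoding()).decode('utf-8')` on the auditpol output in the first hunk, and the same round-trip applied to the configured strings in the following hunk, are identity operations that change nothing about how the output is interpreted. The encoding that matters is the one `subprocess.run(..., text=True)` uses to decode stdout, which by default is `locale.getpreferredencoding(False)` — the ANSI code page, not the OEM page console tools write in; pass `encoding='oem'` there and drop the round-trips. The function continues outside the hunk.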
From 85167b2d47f6858ed2f3a5f8b29c1c4ed9c76b33 Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Mon, 8 Apr 2024 13:44:48 +0200 Subject: [PATCH 11/19] Debugging --- .../pandora_security_win/src/pandora_security_win.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index 661fd77429..84ba3c0ac1 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -341,13 +341,14 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con # Run the auditpol command to check the audit policy for Logon/Logoff cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True) - last_line = result.stdout.encode(sys.getdefaultencoding()).decode('utf-8').strip().split('\n')[-1].strip() + last_line = result.stdout.strip().split('\n')[-1].strip() + last_line_parts = re.split(r'\s\s+', last_line) cleaned_line = re.sub(' +', ' ', last_line) # Interpret the result - if auditpol_logon_success_conf.encode(sys.getdefaultencoding()).decode('utf-8') in result.stdout: + if auditpol_logon_success_conf.encode(sys.getdefaultencoding()) == last_line_parts[1].encode(sys.getdefaultencoding()): result = 1 - elif auditpol_logon_noaudit_conf.encode(sys.getdefaultencoding()).decode('utf-8') in result.stdout: + elif auditpol_logon_noaudit_conf.encode(sys.getdefaultencoding()) == last_line_parts[1].encode(sys.getdefaultencoding()): result = 0 else: print("Unable to determine audit policy for Logon/Logoff events.", file=sys.stderr) 
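Review bot: `last_line_parts[1]` raises `IndexError` whenever `re.split(r'\s\s+', last_line)` yields fewer than two fields — an empty stdout, a last line with single spacing, or an error message from auditpol — and `IndexError` is not a subprocess error, so it bypasses the `CalledProcessError` handler seen in earlier patches (the except clauses lie outside this hunk). Guard it, e.g. `status = last_line_parts[1] if len(last_line_parts) > 1 else ''`, and compare text directly: `auditpol_logon_success_conf == status` is equivalent to encoding both sides with the same codec and comparing the bytes, so the `.encode(sys.getdefaultencoding())` calls add nothing.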
@@ -381,7 +382,7 @@ if __name__ == "__main__": if(args.conf): try: - with open(args.conf, 'r', encoding='utf-8') as f: + with open(args.conf, 'r', encoding=sys.getdefaultencoding()) as f: content = f.read() config.read_string('[CONF]\n' + content) except Exception as e: From 3dc743286120bb22f8e1fda4f8e091485526e934 Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Mon, 8 Apr 2024 13:48:25 +0200 Subject: [PATCH 12/19] Debugging --- .../windows/pandora_security_win/src/pandora_security_win.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index 84ba3c0ac1..1e78c5f815 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -345,6 +345,11 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con last_line_parts = re.split(r'\s\s+', last_line) cleaned_line = re.sub(' +', ' ', last_line) + print(last_line_parts[1]) + print(last_line_parts[1].encode(sys.getdefaultencoding())) + print(auditpol_logon_success_conf) + print(auditpol_logon_success_conf.encode(sys.getdefaultencoding())) + # Interpret the result if auditpol_logon_success_conf.encode(sys.getdefaultencoding()) == last_line_parts[1].encode(sys.getdefaultencoding()): result = 1 From bd23db3fdac6a8168ddbae51cb372864f97a2953 Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Mon, 8 Apr 2024 13:59:46 +0200 Subject: [PATCH 13/19] Debugging --- .../windows/pandora_security_win/src/pandora_security_win.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index 1e78c5f815..b8e3fb850d 100644 
--- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -340,7 +340,7 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con try: # Run the auditpol command to check the audit policy for Logon/Logoff cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' - result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True) + result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding=sys.getdefaultencoding()) last_line = result.stdout.strip().split('\n')[-1].strip() last_line_parts = re.split(r'\s\s+', last_line) cleaned_line = re.sub(' +', ' ', last_line) From a87d551a93b582c089ada773b8e51ecdb491dcce Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Mon, 8 Apr 2024 14:06:47 +0200 Subject: [PATCH 14/19] Debugging --- .../windows/pandora_security_win/src/pandora_security_win.py | 1 + 1 file changed, 1 insertion(+) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index b8e3fb850d..962c8bc8be 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -345,6 +345,7 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con last_line_parts = re.split(r'\s\s+', last_line) cleaned_line = re.sub(' +', ' ', last_line) + print(sys.getdefaultencoding()) print(last_line_parts[1]) print(last_line_parts[1].encode(sys.getdefaultencoding())) print(auditpol_logon_success_conf) From 29d8a0f98ad24dd06aeda9df4cb7bf72412bec67 Mon Sep 17 00:00:00 2001 
From: Enrique Martin Date: Mon, 8 Apr 2024 14:55:57 +0200 Subject: [PATCH 15/19] Debugging --- .../src/pandora_security_win.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index 962c8bc8be..1c8edb77f7 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py 
@@ -340,21 +340,21 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con try: # Run the auditpol command to check the audit policy for Logon/Logoff cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' - result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding=sys.getdefaultencoding()) + result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding="latin-1") last_line = result.stdout.strip().split('\n')[-1].strip() last_line_parts = re.split(r'\s\s+', last_line) cleaned_line = re.sub(' +', ' ', last_line) - print(sys.getdefaultencoding()) + print("latin-1") print(last_line_parts[1]) - print(last_line_parts[1].encode(sys.getdefaultencoding())) + print(last_line_parts[1].encode("latin-1")) print(auditpol_logon_success_conf) - print(auditpol_logon_success_conf.encode(sys.getdefaultencoding())) + print(auditpol_logon_success_conf.encode("latin-1")) # Interpret the result - if auditpol_logon_success_conf.encode(sys.getdefaultencoding()) == last_line_parts[1].encode(sys.getdefaultencoding()): + if auditpol_logon_success_conf.encode("latin-1") == last_line_parts[1].encode("latin-1"): result = 1 - elif auditpol_logon_noaudit_conf.encode(sys.getdefaultencoding()) == last_line_parts[1].encode(sys.getdefaultencoding()): + elif auditpol_logon_noaudit_conf.encode("latin-1") == last_line_parts[1].encode("latin-1"): result = 0 else: print("Unable to determine audit policy for Logon/Logoff events.", file=sys.stderr) @@ -388,7 +388,7 @@ if __name__ == "__main__": if(args.conf): try: - with open(args.conf, 'r', encoding=sys.getdefaultencoding()) as f: + with open(args.conf, 'r', encoding="latin-1") as f: content = f.read() config.read_string('[CONF]\n' + content) except Exception as e: From 8b03baad22c5ebdf446bdf82cbf2030f4f3108a4 Mon Sep 17 00:00:00 2001 
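Review bot: Reading the .conf file with `encoding="latin-1"` while the committed `pandora_security_win.conf` contains `Inicio de sesión`/`Sin auditoría` (most likely saved as UTF-8, as the patch text itself is) turns `ó` into two characters, so the configured string can never equal what auditpol prints however the console output is decoded. Encodings should be chosen per source rather than globally: keep `encoding='utf-8'` for the file the project ships, decode the auditpol output with the codec for the console's OEM code page (`encoding='oem'`), and compare `str` to `str` — the `.encode("latin-1")` on both sides of the `==` is redundant once both are text. The debug `print()` calls still write to stdout, which appears to be the plugin's module output channel.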
From: Enrique Martin Date: Mon, 8 Apr 2024 15:04:31 +0200 Subject: [PATCH 16/19] Debugging --- .../src/pandora_security_win.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index 1c8edb77f7..38ca331481 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -4,6 +4,7 @@ import wmi, sys, winreg, os, subprocess, json, re from datetime import datetime, timedelta import argparse import configparser +import locale ## Define modules modules=[] 
@@ -340,21 +341,21 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con try: # Run the auditpol command to check the audit policy for Logon/Logoff cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' - result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding="latin-1") + result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding=locale.getpreferredencoding()) last_line = result.stdout.strip().split('\n')[-1].strip() last_line_parts = re.split(r'\s\s+', last_line) cleaned_line = re.sub(' +', ' ', last_line) - print("latin-1") + print(locale.getpreferredencoding()) print(last_line_parts[1]) - print(last_line_parts[1].encode("latin-1")) + print(last_line_parts[1].encode(locale.getpreferredencoding())) print(auditpol_logon_success_conf) - print(auditpol_logon_success_conf.encode("latin-1")) + print(auditpol_logon_success_conf.encode(locale.getpreferredencoding())) # Interpret the result - if auditpol_logon_success_conf.encode("latin-1") == last_line_parts[1].encode("latin-1"): + if auditpol_logon_success_conf.encode(locale.getpreferredencoding()) == last_line_parts[1].encode(locale.getpreferredencoding()): result = 1 - elif auditpol_logon_noaudit_conf.encode("latin-1") == last_line_parts[1].encode("latin-1"): + elif auditpol_logon_noaudit_conf.encode(locale.getpreferredencoding()) == last_line_parts[1].encode(locale.getpreferredencoding()): result = 0 else: print("Unable to determine audit policy for Logon/Logoff events.", file=sys.stderr) @@ -388,7 +389,7 @@ if __name__ == "__main__": if(args.conf): try: - with open(args.conf, 'r', encoding="latin-1") as f: + with open(args.conf, 'r', encoding=locale.getpreferredencoding()) as f: content = f.read() config.read_string('[CONF]\n' + content) except Exception as e: From ffef2e0e106a7a5c66bea26def46cec4f340194a Mon Sep 17 00:00:00 2001 
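Review bot: `locale.getpreferredencoding()` on Windows returns the ANSI code page (typically `cp1252` on a Spanish system), whereas console tools such as auditpol write in the OEM code page (`cp850` there), so decoding stdout with it still garbles `ó` and `í` and the `==` comparison fails for the localized values. Use the Windows-only `'oem'` codec for the subprocess output, `encoding='oem'`, and read the conf file with the encoding it is actually saved in rather than the host default, which differs from machine to machine. The function's except clauses are outside the hunk.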
From: Enrique Martin Date: Mon, 8 Apr 2024 15:29:46 +0200 Subject: [PATCH 17/19] Debugging --- .../pandora_security_win/src/pandora_security_win.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index 38ca331481..3995b3db00 100644 --- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -340,8 +340,12 @@ def check_password_enforcement(): def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_conf, auditpol_logon_noaudit_conf): try: # Run the auditpol command to check the audit policy for Logon/Logoff - cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' - result = subprocess.run(cmd_command, shell=True, capture_output=True, text=True, check=True, encoding=locale.getpreferredencoding()) + cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category.encode("utf-8").decode("utf-8")}"' + result = subprocess.run(cmd_command, shell=True, capture_output=True, text=False, check=True) + + print(result.stdout) + print(auditpol_logon_success_conf) + last_line = result.stdout.strip().split('\n')[-1].strip() last_line_parts = re.split(r'\s\s+', last_line) cleaned_line = re.sub(' +', ' ', last_line) From db0ca68b81a0ef705f1af19714f69d0c9aed59a3 Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Tue, 9 Apr 2024 14:12:18 +0200 Subject: [PATCH 18/19] Debugging --- .../src/pandora_security_win.py | 25 ++++++------------- 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py index 3995b3db00..0fc119bb03 100644 
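Review bot: With `text=False` `result.stdout` is `bytes`, so `result.stdout.strip().split('\n')` on the next line raises `TypeError` (a `str` separator on a bytes object) and the check never reaches the comparison. Either decode explicitly before splitting, `stdout = result.stdout.decode('oem', errors='replace')`, or keep `text=True` with an explicit `encoding`; `auditpol_logon_category.encode("utf-8").decode("utf-8")` is an identity and can go. The two added `print()` calls also write raw bytes and the configured string to stdout, which appears to be the plugin's data channel, so they belong on stderr if kept.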
--- a/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py +++ b/pandora_agents/plugins/windows/pandora_security_win/src/pandora_security_win.py @@ -4,7 +4,6 @@ import wmi, sys, winreg, os, subprocess, json, re from datetime import datetime, timedelta import argparse import configparser -import locale ## Define modules modules=[] @@ -340,26 +339,16 @@ def check_password_enforcement(): def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_conf, auditpol_logon_noaudit_conf): try: # Run the auditpol command to check the audit policy for Logon/Logoff - cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category.encode("utf-8").decode("utf-8")}"' + cmd_command = f'auditpol /get /subcategory:"{auditpol_logon_category}"' result = subprocess.run(cmd_command, shell=True, capture_output=True, text=False, check=True) - - print(result.stdout) - print(auditpol_logon_success_conf) - - last_line = result.stdout.strip().split('\n')[-1].strip() - last_line_parts = re.split(r'\s\s+', last_line) + stdout = result.stdout.decode('cp850', errors='replace') + last_line = stdout.strip().split('\n')[-1] cleaned_line = re.sub(' +', ' ', last_line) - print(locale.getpreferredencoding()) - print(last_line_parts[1]) - print(last_line_parts[1].encode(locale.getpreferredencoding())) - print(auditpol_logon_success_conf) - print(auditpol_logon_success_conf.encode(locale.getpreferredencoding())) - # Interpret the result - if auditpol_logon_success_conf.encode(locale.getpreferredencoding()) == last_line_parts[1].encode(locale.getpreferredencoding()): + if auditpol_logon_success_conf in stdout: result = 1 - elif auditpol_logon_noaudit_conf.encode(locale.getpreferredencoding()) == last_line_parts[1].encode(locale.getpreferredencoding()): + elif auditpol_logon_noaudit_conf in stdout: result = 0 else: print("Unable to determine audit policy for Logon/Logoff events.", file=sys.stderr) 
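Review bot: `result.stdout.decode('cp850', errors='replace')` hard-codes the Western-European OEM code page; on hosts whose console uses another OEM page (cp437, cp852, cp866, …) the non-ASCII characters in localized statuses become U+FFFD, neither configured string matches, and the module reports "Unable to determine" although the policy may be fine. Python on Windows provides an `'oem'` codec that follows the active OEM code page, so `stdout = result.stdout.decode('oem', errors='replace')` removes the per-locale assumption. The command is also still built as `f'auditpol /get /subcategory:"{auditpol_logon_category}"'` and run with `shell=True`, so a quote in the configured category reaches cmd.exe; an argument list such as `["auditpol", "/get", f"/subcategory:{auditpol_logon_category}"]` without the shell avoids that. The function's except clauses lie outside the hunk.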
@@ -369,7 +358,7 @@ def check_login_audit_policy(auditpol_logon_category, auditpol_logon_success_con "type" : "generic_proc", "value": result, "module_group": "security", - "desc" : f"Check if the logon events audit log is enables, status: {cleaned_line}", + "desc" : f"Check if the logon events audit log is enables, status:{cleaned_line}", }) except subprocess.CalledProcessError as e: @@ -393,7 +382,7 @@ if __name__ == "__main__": if(args.conf): try: - with open(args.conf, 'r', encoding=locale.getpreferredencoding()) as f: + with open(args.conf, 'r', encoding='utf-8') as f: content = f.read() config.read_string('[CONF]\n' + content) except Exception as e: From 34d9f66493d91fc08923443dc6d7fe4fc288dce9 Mon Sep 17 00:00:00 2001 From: Enrique Martin Date: Tue, 9 Apr 2024 14:25:52 +0200 Subject: [PATCH 19/19] Set Windows CMD encoding to cp850 (DOS latin 1) --- pandora_agents/win32/bin/util/pandora_security_win.exe | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pandora_agents/win32/bin/util/pandora_security_win.exe b/pandora_agents/win32/bin/util/pandora_security_win.exe index d0869b6981..6be32bc37c 100755 --- a/pandora_agents/win32/bin/util/pandora_security_win.exe +++ b/pandora_agents/win32/bin/util/pandora_security_win.exe @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:00ff23120d9c4b7f16586555550ada5460938d9fc8b2dca81c4acd49750122e2 -size 7735622 +oid sha256:293dc77d39c303793a73bf83a2698c5886331f24b8abed4a40566474a64e3f60 +size 7735667