
Add new virtual table windows_security_center #6256

Merged

Conversation

@terracatta terracatta commented Feb 19, 2020

This table is built around the wscapi which communicates with Microsoft's Windows Security Center service.

Windows Security Center is a security reporting dashboard available on Windows 10 devices which notifies users when the configuration of their device (eg. Firewall Off) exposes them to risk. These categories are often composite items populated and scored based on one or more underlying settings.

For example, the Firewall state is a composite of several Windows Firewall Profiles: Domain, Public and Private. We can inspect what the WSC output is when each is modified:

+--------------------+-----------------+-----------------+------------------+
| wsc_firewall_state | domain_firewall | public_firewall | private_firewall |
+--------------------+-----------------+-----------------+------------------+
| Good               | enabled         | enabled         | enabled          |
| Poor               | enabled         | disabled        | disabled         |
| Poor               | disabled        | enabled         | disabled         |
| Poor               | disabled        | disabled        | enabled          |
| Poor               | disabled        | disabled        | disabled         |
+--------------------+-----------------+-----------------+------------------+

What is the output of this table?

Each column has 1:4 possible states defined by the API (Microsoft Docs: WSC_SECURITY_PROVIDER_HEALTH enumeration):

  • Good - The status of the security provider category is good and does not need user attention.
  • Poor - The status of the security provider category is poor and the computer may be at risk.
  • Snoozed - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer.
  • Not Monitored - The status of the security provider category is not monitored by WSC.

The columns output are the following:

  • global_state - The overall health of the Windows Security Center. This returns Good when all other services are also in Good states.
  • firewall - The health of the monitored Firewall (see windows_security_products).
  • autoupdate - The health of the Windows Autoupdate feature.
  • antivirus - The health of the monitored Antivirus solution (see windows_security_products).
  • antispyware - The health of the monitored Antispyware solution (see windows_security_products).
  • internet_settings - The health of the Internet Settings.
  • windows_security_center_service - The health of the Windows Security Center Service.
  • user_account_control - The health of the User Account Control (UAC) capability in Windows.

SELECT * FROM windows_security_center;
+---------------+----------+------------+-----------+-------------+-------------------+---------------------------------+----------------------+
| global_state  | firewall | autoupdate | antivirus | antispyware | internet_settings | windows_security_center_service | user_account_control |
+---------------+----------+------------+-----------+-------------+-------------------+---------------------------------+----------------------+
| Good          | Good     | Good       | Good      | Good        | Good              | Good                            | Good                 |
+---------------+----------+------------+-----------+-------------+-------------------+---------------------------------+----------------------+

Where are these settings being configured within the OS UI?

Global State

If any of the categories have a red alert symbol the state will report back as Poor.
The screenshot below shows a Good configuration:

[screenshot]

Firewall

If either the Private or Public firewall profiles are disabled the state will report back as Poor.
The screenshot below shows a Good configuration:

[screenshot]

Autoupdate

If Windows Update is somehow blocked or broken the state will report back as Poor.
The screenshot below shows a Good configuration:

[screenshot]

Antivirus

If Windows Defender or another certified antivirus provider is not registered with Windows Security Center the state will report back as Poor.
The screenshot below shows a Good configuration:

[screenshot]

Antispyware

If Windows Defender or another certified antispyware provider is not registered with Windows Security Center the state will report back as Poor. This setting has been deprecated in Windows 10 1607 but was left for devices running Windows 7.

Internet Settings

If certain controls in the Internet Settings dialog are changed to a not-recommended configuration the state will report back as Poor as shown in the screenshot below:

[screenshot]

Windows Security Center Service

If the WSC service is disabled or tampered with to prevent starting the state will report back as Poor.

Windows UAC

If the slider is set to the bottom-most position, the state will report back as Poor.
The screenshot below shows the minimum Good configuration:

[screenshot]

@terracatta

This is now ready for review. I also updated the description of the PR from this morning.

@terracatta terracatta requested a review from zwass February 19, 2020 23:53

@zwass zwass left a comment

Nice table idea. Just a few small changes and we'll be good to merge.

@terracatta

@zwass okay, I think I added all the things you asked for. I also added some additional logging for the error states.

I ended up deleting one of the columns (the global_state) as that value can be derived and also there are some cases where autoupdate can show as poor and global_state still shows as "good".
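
As an added example (not code from the PR or the osquery project), here is how a defender might schedule a query against the merged table to surface any category that is not Good, and how the dropped global_state column can be derived from the remaining ones. It assumes the seven columns that survived the review and that the health strings are reported exactly as the description quotes them ("Good", "Poor", "Snoozed", "Not Monitored").

```sql
-- Constructed example for the osquery windows_security_center table.
-- Query 1: one row per category whose health is anything other than Good,
-- worst categories first. The table itself returns a single row, so the
-- UNION ALL pivots its seven columns into (category, health) pairs.
SELECT category, health
FROM (
  SELECT 'firewall'                        AS category, firewall                        AS health FROM windows_security_center
  UNION ALL
  SELECT 'autoupdate',                     autoupdate                      FROM windows_security_center
  UNION ALL
  SELECT 'antivirus',                      antivirus                       FROM windows_security_center
  UNION ALL
  SELECT 'antispyware',                    antispyware                     FROM windows_security_center
  UNION ALL
  SELECT 'internet_settings',              internet_settings               FROM windows_security_center
  UNION ALL
  SELECT 'windows_security_center_service', windows_security_center_service FROM windows_security_center
  UNION ALL
  SELECT 'user_account_control',           user_account_control            FROM windows_security_center
) AS wsc
WHERE health != 'Good'
ORDER BY CASE health
           WHEN 'Poor'    THEN 0   -- device is at risk
           WHEN 'Snoozed' THEN 1   -- WSC not actively protecting
           ELSE                2   -- Not Monitored or an unexpected value
         END,
         category;

-- Query 2: derive the global state that the PR removed. Unlike the value
-- WSC itself reports (which the author observed can stay Good while
-- autoupdate is Poor), this is strictly Good only when every category is Good.
SELECT CASE
         WHEN firewall = 'Good'
          AND autoupdate = 'Good'
          AND antivirus = 'Good'
          AND antispyware = 'Good'
          AND internet_settings = 'Good'
          AND windows_security_center_service = 'Good'
          AND user_account_control = 'Good'
         THEN 'Good'
         ELSE 'Poor'
       END AS derived_global_state
FROM windows_security_center;
```

Query 1 returns no rows on a healthy host, which makes it a natural candidate for a scheduled pack with differential logging so only transitions away from Good are reported.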

@terracatta terracatta requested a review from zwass February 20, 2020 20:24
@terracatta

@theopolis Ok this should be ready for another look through!


@zwass zwass left a comment

Looking good to me. Any other concerns @theopolis?

@theopolis theopolis merged commit a7655d3 into osquery:master Feb 28, 2020
@terracatta terracatta deleted the jem_add_windows_security_center_table branch February 28, 2020 17:24