From 3842f3a62fd58a9d9e499cab4dda9f3ebdb310ee Mon Sep 17 00:00:00 2001 From: Matt Primrose Date: Fri, 28 Jun 2024 23:07:57 -0700 Subject: [PATCH] feat: adds more audit log parsing for extended data --- pkg/wsman/amt/auditlog/decoder.go | 1801 +++++++++++++++++++++--- pkg/wsman/amt/auditlog/decoder_test.go | 170 ++- pkg/wsman/amt/auditlog/message_test.go | 12 +- pkg/wsman/amt/auditlog/types.go | 113 ++ 4 files changed, 1845 insertions(+), 251 deletions(-) diff --git a/pkg/wsman/amt/auditlog/decoder.go b/pkg/wsman/amt/auditlog/decoder.go index 0ef05907..9742d1f8 100644 --- a/pkg/wsman/amt/auditlog/decoder.go +++ b/pkg/wsman/amt/auditlog/decoder.go @@ -6,8 +6,12 @@ package auditlog import ( + "bytes" "encoding/base64" - "strconv" + "encoding/binary" + "encoding/hex" + "fmt" + "net" "strings" "time" @@ -27,6 +31,8 @@ const ( OverwritePolicyPartialRestrictedRollover OverwritePolicy = 32768 ) +const UnknownEventID = "Unknown Event ID" + var OverwritePolicyToString = map[OverwritePolicy]string{ OverwritePolicyUnknown: "Unknown", OverwritePolicyWrapsWhenFull: "WrapsWhenFull", @@ -140,183 +146,33 @@ func (r StoragePolicy) String() string { return ValueNotFound } -func convertToAuditLogResult(auditlogdata []string) []AuditLogRecord { - records := []AuditLogRecord{} - - for _, eventRecord := range auditlogdata { - ptr := 0 - - decodedEventRecord, err := base64.StdEncoding.DecodeString(eventRecord) - if err != nil { - continue - } - - decodedEventRecordStr := string(decodedEventRecord) - auditLogRecord := AuditLogRecord{} - - auditLogRecord.AuditAppID = common.ReadShort(decodedEventRecordStr, 0) - auditLogRecord.EventID = common.ReadShort(decodedEventRecordStr, 2) - auditLogRecord.AuditApp = AMTAuditStringTable[auditLogRecord.AuditAppID] - // auditLogRecord.InitiatorType = decodedEventRecordStr[:4] - auditLogRecord.Event = AMTAuditStringTable[(auditLogRecord.AuditAppID*100)+auditLogRecord.EventID] - - // if auditLogRecord.Event { - // auditLogRecord.Event = '#' + auditLogRecord.EventID - // } - - initiatorType, initiator, pointer := getInitiatorInfo(decodedEventRecordStr) - auditLogRecord.InitiatorType = initiatorType - auditLogRecord.Initiator = initiator - ptr = pointer - - // Read timestamp - timeStamp := common.ReadInt(decodedEventRecordStr, ptr) - auditLogRecord.Time = time.Unix(int64(timeStamp), 0) - ptr += 4 - - // Read network access - - auditLogRecord.MCLocationType = []byte(decodedEventRecordStr[ptr : ptr+1])[0] - ptr++ - netlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] - ptr++ - auditLogRecord.NetAddress = strings.ReplaceAll(decodedEventRecordStr[ptr:ptr+int(netlen)], "0000:0000:0000:0000:0000:0000:0000:0001", "::1") - - // Read extended data - ptr += int(netlen) - exlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] - ptr++ - auditLogRecord.Ex = decodedEventRecordStr[ptr : ptr+int(exlen)] - auditLogRecord.ExStr = GetAuditLogExtendedDataString((auditLogRecord.AuditAppID*100)+auditLogRecord.EventID, auditLogRecord.Ex) - - records = append([]AuditLogRecord{auditLogRecord}, records...) - } - - return records +var provisioningMethodToString = map[int]string{ + 2: "Remote Configuration", + 3: "Manual Provisioning via MEBx", + 5: "Host-Based Provisioning Admin Mode", } -const ( - ACLEntryAdded = 1602 - ACLEntryModified = 1603 - ACLEntryRemoved = 1604 - ACLAccessWithInvalidCredentials = 1605 - ACLEntryStateChanged = 1606 - TLSStateChanged = 1607 - SetRealmAuthenticationMode = 1617 - AMTUnprovisioningStarted = 1619 - FirmwareUpdate = 1900 - AMTTimeSet = 2100 - OptInPolicyChange = 3000 - SendConsentCode = 3001 -) - -var RealmNames = []string{ - "Redirection", - "PT Administration", - "Hardware Asset", - "Remote Control", - "Storage", - "Event Manager", - "Storage Admin", - "Agent Presence Local", - "Agent Presence Remote", - "Circuit Breaker", - "Network Time", - "General Information", - "Firmware Update", - "EIT", - "LocalUN", - "Endpoint Access Control", - "Endpoint Access Control Admin", - "Event Log Reader", - "Audit Log", - "ACL Realm", - "", - "", - "Local System", - // Add more as needed +var initiatorTypeToString = map[int]string{ + 0: "Unknown", + 1: "User", + 2: "Machine", } -// Return human readable extended audit log data -// TODO: Just put some of them here, but many more still need to be added, helpful link here: -// https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsecurityadminevents.htm -func GetAuditLogExtendedDataString(auditEventId int, data string) string { - var extendedDataString string - - switch auditEventId { - case ACLEntryAdded, ACLEntryRemoved: - if data[0] == 0 { - extendedDataString = data[2 : 2+data[1]] - } - case ACLEntryModified: - if data[1] == 0 { - extendedDataString = data[2:] - } - case ACLAccessWithInvalidCredentials: - extendedDataString = []string{"Invalid ME access", "Invalid MEBx access"}[data[0]] - case ACLEntryStateChanged: - r := []string{"Disabled", "Enabled"}[data[0]] - if data[1] == 0 { - r += ", " + data[2:] - } - - extendedDataString = r - case TLSStateChanged: - extendedDataString = "Remote " + []string{"NoAuth", "ServerAuth", "MutualAuth"}[data[0]] + ", Local " + []string{"NoAuth", "ServerAuth", "MutualAuth"}[data[1]] - case SetRealmAuthenticationMode: - extendedDataString = RealmNames[common.ReadInt(data, 0)] + ", " + []string{"NoAuth", "Auth", "Disabled"}[data[4]] - case AMTUnprovisioningStarted: - extendedDataString = []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[data[0]] - case FirmwareUpdate: - extendedDataString = "From " + strconv.Itoa(common.ReadShort(data, 0)) + "." + strconv.Itoa(common.ReadShort(data, 2)) + "." + strconv.Itoa(common.ReadShort(data, 4)) + "." + strconv.Itoa(common.ReadShort(data, 6)) + " to " + strconv.Itoa(common.ReadShort(data, 8)) + "." + strconv.Itoa(common.ReadShort(data, 10)) + "." + strconv.Itoa(common.ReadShort(data, 12)) + "." + strconv.Itoa(common.ReadShort(data, 14)) - case AMTTimeSet: - t := time.Unix(int64(common.ReadInt(data, 0)), 0).Local() - extendedDataString = t.Format(time.RFC1123) - case OptInPolicyChange: - extendedDataString = "From " + []string{"None", "KVM", "All"}[data[0]] + " to " + []string{"None", "KVM", "All"}[data[1]] - case SendConsentCode: - extendedDataString = []string{"Success", "Failed 3 times"}[data[0]] - default: - extendedDataString = "" - } - - return extendedDataString +var optInPolicyToString = map[int]string{ + 0: "None", + 1: "KVM", + 255: "All", } -const ( - HTTPDigest byte = 0 - Kerberos byte = 1 - Local byte = 2 - KvmDefaultPort byte = 3 -) - -// [initiatorType: number, initiator: string, ptr: number] need to type it. -func getInitiatorInfo(decodedEventRecord string) (initatorType byte, initiator string, ptr int) { - var userlen uint8 - - initiatorType := []byte(decodedEventRecord[4:5])[0] - - switch initiatorType { - case HTTPDigest: - userlen = []byte(decodedEventRecord[5:6])[0] - initiator = decodedEventRecord[6 : 6+userlen] - ptr = 6 + int(userlen) - case Kerberos: - userlen = []byte(decodedEventRecord[9:10])[0] - initiator = common.GetSidString(decodedEventRecord[10 : 10+userlen]) - ptr = 10 + int(userlen) - case Local: - initiator = "Local" - ptr = 5 - case KvmDefaultPort: - initiator = "KVM Default Port" - ptr = 5 - default: - initiator = "" - ptr = 0 - } +var operationStatusToString = map[int]string{ + 0: "Remote operator entered a one-time password successfully", + 1: "Remote operator failed (3 times) to enter a one-time password correctly", +} - return initiatorType, initiator, ptr +var provisioningHashTypeToString = map[int]string{ + 1: "SHA1 160", + 2: "SHA 256", + 3: "SHA 384", } var ExtendedDataMap = map[int]string{ @@ -324,58 +180,81 @@ var ExtendedDataMap = map[int]string{ 1: "Invalid MEBx access", } -var AMTAuditStringTable = map[int]string{ - 16: "Security Admin", - 17: "RCO", - 18: "Redirection Manager", - 19: "Firmware Update Manager", - 20: "Security Audit Log", - 21: "Network Time", - 22: "Network Administration", - 23: "Storage Administration", - 24: "Event Manager", - 25: "Circuit Breaker Manager", - 26: "Agent Presence Manager", - 27: "Wireless Configuration", - 28: "EAC", - 29: "KVM", - 30: "User Opt-In Events", - 32: "Screen Blanking", - 33: "Watchdog Events", - 1600: "Provisioning Started", - 1601: "Provisioning Completed", +const ( + SecurityAdmin = 16 + RemoteControl = 17 + RedirectionManager = 18 + FirmwareUpdateManager = 19 + SecurityAuditLog = 20 + NetworkTime = 21 + NetworkAdministration = 22 + StorageAdministration = 23 + EventManager = 24 + SystemDefenseManager = 25 + AgentPresenceManager = 26 + WirelessConfiguration = 27 + EndpointAccessControl = 28 + KeyboardVideoMouse = 29 + UserOptIn = 30 + ScreenBlanking = 32 + Watchdog = 33 +) + +var AMTAppIDToString = map[int]string{ + 16: "Security Admin Events", + 17: "Remote Control Events", + 18: "Redirection Manager Events", + 19: "Firmware Update Manager Events", + 20: "Security AuditLog Events", + 21: "Network Time Events", + 22: "Network Administration Events", + 23: "Storage Administration Events", + 24: "Event Manager Events", + 25: "System Defense Manager Events", + 26: "Agent Presence Manager Events", + 27: "Wireless Configuration Events", + 28: "Endpoint Access Control Events", + 29: "Keyboard Video Mouse Events", + 30: "User Opt-In Events", + 32: "Screen Blanking Events", + 33: "Watchdog Events", +} + +var AMTAuditLogEventToString = map[int]string{ + 1600: "AMT Provisioning Started", + 1601: "AMT Provisioning Completed", 1602: "ACL Entry Added", 1603: "ACL Entry Modified", 1604: "ACL Entry Removed", 1605: "ACL Access with Invalid Credentials", - 1606: "ACL Entry State", + 1606: "ACL Entry State Changed", 1607: "TLS State Changed", 1608: "TLS Server Certificate Set", - 1609: "TLS Server Certificate Remove", + 1609: "TLS Server Certificate Removed", 1610: "TLS Trusted Root Certificate Added", 1611: "TLS Trusted Root Certificate Removed", - 1612: "TLS Preshared Key Set", + 1612: "TLS Pre-Shared Key Set", 1613: "Kerberos Settings Modified", - 1614: "Kerberos Master Key Modified", + 1614: "Kerberos Master Key or Passphrase Modified", 1615: "Flash Wear out Counters Reset", 1616: "Power Package Modified", 1617: "Set Realm Authentication Mode", 1618: "Upgrade Client to Admin Control Mode", - 1619: "Unprovisioning Started", + 1619: "AMT UnProvisioning Started", 1700: "Performed Power Up", 1701: "Performed Power Down", 1702: "Performed Power Cycle", 1703: "Performed Reset", 1704: "Set Boot Options", - 1705: "Remote graceful power down initiated", - 1706: "Remote graceful reset initiated", - 1707: "Remote Standby initiated", - 1708: "Remote Hiberate initiated", - 1709: "Remote NMI initiated", - 1800: "IDER Session Opened", - 1801: "IDER Session Closed", - 1802: "IDER Enabled", - 1803: "IDER Disabled", + 1705: "Performed Graceful Power Down", + 1706: "Performed Graceful Power Reset", + 1707: "Preformed Standby", + 1708: "Performed Hibernate", + 1709: "Performed NMI", + 1800: "IDE-R Session Opened", + 1801: "IDE-R Session Closed", + 1802: "IDE-R Enabled", + 1803: "IDE-R Disabled", 1804: "SoL Session Opened", 1805: "SoL Session Closed", 1806: "SoL Enabled", @@ -385,7 +264,7 @@ var AMTAuditStringTable = map[int]string{ 1810: "KVM Enabled", 1811: "KVM Disabled", 1812: "VNC Password Failed 3 Times", - 1900: "Firmware Updated", + 1900: "Firmware Update Started", 1901: "Firmware Update Failed", 2000: "Security Audit Log Cleared", 2001: "Security Audit Policy Modified", @@ -393,8 +272,8 @@ var AMTAuditStringTable = map[int]string{ 2003: "Security Audit Log Enabled", 2004: "Security Audit Log Exported", 2005: "Security Audit Log Recovered", - 2100: "Intel(R) ME Time Set", - 2200: "TCPIP Parameters Set", + 2100: "AMT Time Set", + 2200: "TCP/IP Parameters Set", 2201: "Host Name Set", 2202: "Domain Name Set", 2203: "VLAN Parameters Set", @@ -408,35 +287,1509 @@ var AMTAuditStringTable = map[int]string{ 2401: "Alert Unsubscribed", 2402: "Event Log Cleared", 2403: "Event Log Frozen", - 2500: "CB Filter Added", - 2501: "CB Filter Removed", - 2502: "CB Policy Added", - 2503: "CB Policy Removed", - 2504: "CB Default Policy Set", - 2505: "CB Heuristics Option Set", - 2506: "CB Heuristics State Cleared", + 2500: "System Defense Filter Added", + 2501: "System Defense Filter Removed", + 2502: "System Defense Policy Added", + 2503: "System Defense Policy Removed", + 2504: "System Defense Default Policy Set", + 2505: "System Defense Heuristics Option Set", + 2506: "System Defense Heuristics State Cleared", 2600: "Agent Watchdog Added", 2601: "Agent Watchdog Removed", 2602: "Agent Watchdog Action Set", 2700: "Wireless Profile Added", 2701: "Wireless Profile Removed", 2702: "Wireless Profile Updated", - 2703: "An existing profile sync was modified", - 2704: "An existing profile link preference was changed", - 2705: "Wireless profile share with UEFI enabled setting was changed", - 2800: "EAC Posture Signer SET", + 2703: "Wireless Profile Modified", + 2704: "Wireless Link Preference Changed", + 2705: "Wireless Profile Share With UEFI Enabled Setting Changed", + 2800: "EAC Posture Signer Set", 2801: "EAC Enabled", 2802: "EAC Disabled", - 2803: "EAC Posture State", + 2803: "EAC Posture State Updated", 2804: "EAC Set Options", - 2900: "KVM Opt-in Enabled", - 2901: "KVM Opt-in Disabled", + 2900: "KVM Opt-In Enabled", + 2901: "KVM Opt-In Disabled", 2902: "KVM Password Changed", 2903: "KVM Consent Succeeded", 2904: "KVM Consent Failed", 3000: "Opt-In Policy Change", 3001: "Send Consent Code Event", 3002: "Start Opt-In Blocked Event", - 3301: "A user has modified the Watchdog Action settings", - 3302: "A user has modified a Watchdog to add, remove, or alter the Watchdog Action connected to it", + 3301: "Watchdog Reset Triggering Options Changed", + 3302: "Watchdog Action Pairing Changed", +} + +var RealmNames = []string{ + "Redirection", + "PT Administration", + "Hardware Asset", + "Remote Control", + "Storage", + "Event Manager", + "Storage Admin", + "Agent Presence Local", + "Agent Presence Remote", + "Circuit Breaker", + "Network Time", + "General Information", + "Firmware Update", + "EIT", + "LocalUN", + "Endpoint Access Control", + "Endpoint Access Control Admin", + "Event Log Reader", + "Audit Log", + "ACL Realm", + "", + "", + "Local System", + // Add more as needed +} + +func convertToAuditLogResult(auditlogdata []string) []AuditLogRecord { + records := []AuditLogRecord{} + + for _, eventRecord := range auditlogdata { + ptr := 0 + + decodedEventRecord, err := base64.StdEncoding.DecodeString(eventRecord) + if err != nil { + continue + } + + decodedEventRecordStr := string(decodedEventRecord) + auditLogRecord := AuditLogRecord{} + + auditLogRecord.AuditAppID = common.ReadShort(decodedEventRecordStr, 0) + auditLogRecord.EventID = common.ReadShort(decodedEventRecordStr, 2) + auditLogRecord.AuditApp = AMTAppIDToString[auditLogRecord.AuditAppID] + auditLogRecord.Event = AMTAuditLogEventToString[(auditLogRecord.AuditAppID*100)+auditLogRecord.EventID] + + initiatorType, initiator, pointer := getInitiatorInfo(decodedEventRecordStr) + auditLogRecord.InitiatorType = initiatorType + auditLogRecord.Initiator = initiator + ptr = pointer + + // Read timestamp + timeStamp := common.ReadInt(decodedEventRecordStr, ptr) + auditLogRecord.Time = time.Unix(int64(timeStamp), 0) + ptr += 4 + + // Read network access + + auditLogRecord.MCLocationType = []byte(decodedEventRecordStr[ptr : ptr+1])[0] + ptr++ + + netlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] + ptr++ + + auditLogRecord.NetAddress = strings.ReplaceAll(decodedEventRecordStr[ptr:ptr+int(netlen)], "0000:0000:0000:0000:0000:0000:0000:0001", "::1") + + // Read extended data + ptr += int(netlen) + + exlen := []byte(decodedEventRecordStr[ptr : ptr+1])[0] + ptr++ + + auditLogRecord.Ex = decodedEventRecordStr[ptr : ptr+int(exlen)] + auditLogRecord.ExStr = GetAuditLogExtendedDataString(auditLogRecord.AuditAppID, auditLogRecord.EventID, auditLogRecord.Ex) + + records = append([]AuditLogRecord{auditLogRecord}, records...) + } + + return records +} + +// Return human readable extended audit log data +// TODO: Just put some of them here, but many more still need to be added, helpful link here: +// https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsecurityadminevents.htm +func GetAuditLogExtendedDataString(appId, eventId int, data string) string { + var extendedDataString string + + switch appId { + case SecurityAdmin: + extendedDataString = parseSecurityAdminEvents(eventId, data) + case RemoteControl: + extendedDataString = parseRemoteControlEvents(eventId, data) + case RedirectionManager: + extendedDataString = parseRedirectionManagerEvents(eventId) + case FirmwareUpdateManager: + extendedDataString = parseFirmwareUpdateManagerEvents(eventId, data) + case SecurityAuditLog: + extendedDataString = parseSecurityAuditLog(eventId, data) + case NetworkTime: + extendedDataString = parseNetworkTimeEvents(eventId, data) + case NetworkAdministration: + extendedDataString = parseNetworkAdministrationEvents(eventId, data) + case StorageAdministration: + extendedDataString = parseStorageAdministrationEvents(eventId, data) + case EventManager: + extendedDataString = parseEventManagerEvents(eventId, data) + case SystemDefenseManager: + extendedDataString = parseSystemDefenseManagerEvents(eventId, data) + case AgentPresenceManager: + extendedDataString = parseAgentPresenceManagerEvents(eventId, data) + case WirelessConfiguration: + extendedDataString = parseWirelessConfigurationEvents(eventId, data) + case EndpointAccessControl: + extendedDataString = parseEndpointAccessControlEvents(eventId, data) + case KeyboardVideoMouse: + extendedDataString = parseKeyboardVideoMouseEvents(eventId) + case UserOptIn: + extendedDataString = parseUserOptInEvents(eventId, data) + case Watchdog: + extendedDataString = parseWatchdogEvents(eventId, data) + default: + extendedDataString = "Unknown Event Group ID" + } + + return extendedDataString +} + +func parseSecurityAdminEvents(eventId int, data string) string { + const ( + ProvisioningStarted = 0 + ProvisioningCompleted = 1 + ACLEntryAdded = 2 + ACLEntryModified = 3 + ACLEntryRemoved = 4 + ACLAccessWithInvalidCredentials = 5 + ACLEntryEnabled = 6 + TLSStateChanged = 7 + TLSServerCertificateSet = 8 + TLSServerCertificateRemoved = 9 + TLSTrustedRootCertificateAdded = 10 + TLSTrustedRootCertificateRemoved = 11 + TLSPreSharedKeySet = 12 + KerberosSettingsModified = 13 + KerberosMasterKeyModified = 14 + FlashWearOutCountersReset = 15 + PowerPackageModified = 16 + SetRealmAuthenticationMode = 17 + UpgradeClientToAdmin = 18 + AMTUnProvisioningStarted = 19 + ) + + var extendedDataString string + + byteData := []byte(data) + + switch eventId { + case ProvisioningStarted: + extendedDataString = "Intel AMT transitioned to setup mode." + case ProvisioningCompleted: + extendedDataString = "Intel AMT transitioned to operational mode." + + if len(byteData) > 0 { + event := readProvisioningCompletedEventData(byteData) + + extendedDataString += provisioningCompletedToString(&event) + } + case ACLEntryAdded: + extendedDataString = "User entry was added to the Intel AMT Device." + + if len(byteData) > 0 { + entry := readACLData(ACLEntryAdded, byteData) + + extendedDataString += aclEntryToString(&entry) + } + case ACLEntryModified: + extendedDataString = "User entry was updated in the Intel AMT device." + + if len(byteData) > 0 { + entry := readACLData(ACLEntryModified, byteData) + + extendedDataString += aclEntryModifiedToString(&entry) + } + case ACLEntryRemoved: + extendedDataString = "User entry was removed from the Intel AMT device." + + if len(byteData) > 0 { + entry := readACLData(ACLEntryRemoved, byteData) + + extendedDataString += aclEntryToString(&entry) + } + case ACLAccessWithInvalidCredentials: + if len(data) > 0 { + extendedDataString = "User attempted to access " + []string{"Intel AMT", "MEBx"}[data[0]] + " with invalid credentials." + } + case ACLEntryEnabled: + extendedDataString = "ACL entry state was changed." + + if len(byteData) > 0 { + entry := readACLData(ACLEntryEnabled, byteData) + + extendedDataString += aclEntryEnabledToString(&entry) + } + case TLSStateChanged: + extendedDataString = "TLS state changed." + + if len(byteData) > 0 { + extendedDataString += "\nRemote: " + + []string{"No Auth", "Server Auth", "Mutual Auth"}[byteData[0]] + + "\nLocal: " + + []string{"No Auth", "Server Auth", "Mutual Auth"}[byteData[1]] + } + case TLSServerCertificateSet: + extendedDataString = "TLS server certificate was defined." + + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } + case TLSServerCertificateRemoved: + extendedDataString = "TLS server certificate was removed." + + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } + case TLSTrustedRootCertificateAdded: + extendedDataString = "TLS trusted root certificate was added." + + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } + case TLSTrustedRootCertificateRemoved: + extendedDataString = "TLS trusted root certificate was removed." + + if len(byteData) > 0 { + extendedDataString += readCertificateSerialNumberToString(byteData) + } + case TLSPreSharedKeySet: + extendedDataString = "TLS pre-shared key was defined." + case KerberosSettingsModified: + extendedDataString = "Kerberos settings were modified." + + if len(data) > 0 { + extendedDataString += "\nTime tolerance: " + fmt.Sprint(byteData[0]) + } + case KerberosMasterKeyModified: + extendedDataString = "Kerberos master key or passphrase was modified." + case FlashWearOutCountersReset: + extendedDataString = "Flash wear out counter was reset." + case PowerPackageModified: + extendedDataString = "Active power package was set." + + if len(data) > 0 { + extendedDataString += "\nPower policy: " + fmt.Sprint(byteData[0]) + } + case SetRealmAuthenticationMode: + extendedDataString = "Realm authentication mode changed." + + if len(data) > 0 { + byteData := []byte(data) + extendedDataString += "\n" + RealmNames[byteData[0]] + ", " + []string{"NoAuth", "Auth", "Disabled"}[byteData[4]] + } + case UpgradeClientToAdmin: + extendedDataString = "The control mode of the Intel AMT was changed from Client control to Admin control." + case AMTUnProvisioningStarted: + extendedDataString = "Intel AMT UnProvisioned Started." + + if len(data) > 0 { + byteData := []byte(data) + extendedDataString += "\nInitiator: " + []string{"BIOS", "MEBx", "Local MEI", "Local WSMAN", "Remote WSMAN"}[byteData[0]] + } + default: + extendedDataString = UnknownEventID + } + + return extendedDataString +} + +func parseRemoteControlEvents(eventId int, data string) string { + byteData := []byte(data) + + var extendedDataString string + + const ( + PerformedPowerUp = 0 + PerformedPowerDown = 1 + PerformedPowerCycle = 2 + PerformedReset = 3 + SetBootOptions = 4 + PerformedGracefulPowerDown = 5 + PerformedGracefulReset = 6 + PerformedStandby = 7 + PerformedHibernate = 8 + PerformedNMI = 9 + ) + + switch eventId { + case PerformedPowerUp: + extendedDataString = "Remote power up initiated." + + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString += remoteControlEventToString(rce) + } + case PerformedPowerDown: + extendedDataString = "Remote power down initiated." + case PerformedPowerCycle: + extendedDataString = "Remote power cycle initiated." + + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString += remoteControlEventToString(rce) + } + case PerformedReset: + extendedDataString = "Remote reset initiated." + + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString += remoteControlEventToString(rce) + } + case SetBootOptions: + extendedDataString = "Boot options were set." + + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString += remoteControlEventToString(rce) + } + case PerformedGracefulPowerDown: + extendedDataString = "Remote graceful power down initiated." + case PerformedGracefulReset: + extendedDataString = "Remote graceful reset initiated." + + if len(byteData) > 0 { + rce := readBootOptionsData(byteData) + extendedDataString += remoteControlEventToString(rce) + } + case PerformedStandby: + extendedDataString = "Remote standby initiated." + case PerformedHibernate: + extendedDataString = "Remote hibernate initiated." + case PerformedNMI: + extendedDataString = "Remote NMI initiated." + default: + extendedDataString = UnknownEventID + } + + return extendedDataString +} + +func parseRedirectionManagerEvents(eventId int) string { + var extendedDataString string + + const ( + IDERSessionOpened = 0 + IDERSessionClosed = 1 + IDEREnabled = 2 + IDERDisabled = 3 + SoLSessionOpened = 4 + SoLSessionClosed = 5 + SoLEnabled = 6 + SoLDisabled = 7 + KVMSessionStarted = 8 + KVMSessionEnded = 9 + KVMEnabled = 10 + KVMDisabled = 11 + VNCPasswordFailed = 12 + ) + + switch eventId { + case IDERSessionOpened: + extendedDataString = "An application opened a Storage Redirection session." + case IDERSessionClosed: + extendedDataString = "An application or firmware closed a Storage Redirection session." + case IDEREnabled: + extendedDataString = "Storage Redirection was enabled." + case IDERDisabled: + extendedDataString = "Storage Redirection was disabled." + case SoLSessionOpened: + extendedDataString = "An application opened a Serial Over LAN session." + case SoLSessionClosed: + extendedDataString = "An application or firmware closed a Serial Over LAN session." + case SoLEnabled: + extendedDataString = "Serial Over LAN was enabled." + case SoLDisabled: + extendedDataString = "Serial Over LAN was disabled." + case KVMSessionStarted: + extendedDataString = "An application opened a Keyboard-Video-Mouse session." + case KVMSessionEnded: + extendedDataString = "An application or firmware closed a Keyboard-Video-Mouse session." + case KVMEnabled: + extendedDataString = "Keyboard-Video-Mouse was enabled." + case KVMDisabled: + extendedDataString = "Keyboard-Video-Mouse was disabled." + case VNCPasswordFailed: + extendedDataString = "Incorrect Remote Frame Buffer (RFB) password entered 3 times." + } + + return extendedDataString +} + +func parseFirmwareUpdateManagerEvents(eventId int, data string) string { + var extendedDataString string + + const ( + FirmwareUpdated = 0 + FirmwareFailed = 1 + ) + + if len(data) > 0 { + byteData := []byte(data) + buf := bytes.NewBuffer(byteData) + + switch eventId { + case FirmwareUpdated: + oldFWVersion := FWVersion{} + newFWVersion := FWVersion{} + + readFWVersion(buf, &oldFWVersion) + readFWVersion(buf, &newFWVersion) + + extendedDataString = "Firmware update was started.\nOld version: " + + fmt.Sprint(oldFWVersion.Major) + "." + + fmt.Sprint(oldFWVersion.Minor) + "." + + fmt.Sprint(oldFWVersion.Hotfix) + "." + + fmt.Sprint(oldFWVersion.Build) + + "\nNew version: " + + fmt.Sprint(newFWVersion.Major) + "." + + fmt.Sprint(newFWVersion.Minor) + "." + + fmt.Sprint(newFWVersion.Hotfix) + "." + + fmt.Sprint(newFWVersion.Build) + case FirmwareFailed: + updateFailure := FWUpdateFailure{} + + binary.Read(buf, binary.LittleEndian, &updateFailure.Type) + binary.Read(buf, binary.LittleEndian, &updateFailure.Reason) + + extendedDataString = "Firmware update failed.\nFailure Type: " + + fmt.Sprint(updateFailure.Type) + "\nFailure Reason: " + fmt.Sprint(updateFailure.Reason) + } + } + + return extendedDataString +} + +func parseSecurityAuditLog(eventId int, data string) string { + var extendedDataString string + + const ( + SecurityAuditLogCleared = 0 + SecurityAuditPolicyModified = 1 + SecurityAuditLogDisabled = 2 + SecurityAuditLogEnabled = 3 + SecurityAuditLogExported = 4 + SecurityAuditLogRecovered = 5 + ) + + switch eventId { + case SecurityAuditLogCleared: + extendedDataString = "Audit log was cleared." + case SecurityAuditPolicyModified: + extendedDataString = "Audit policy event was enabled or disabled." + case SecurityAuditLogDisabled: + extendedDataString = "Access monitor feature was disabled." + case SecurityAuditLogEnabled: + extendedDataString = "Access monitor feature was enabled." + case SecurityAuditLogExported: + extendedDataString = "Audit log signature and log-related information was exported." + case SecurityAuditLogRecovered: + if len(data) > 0 { + extendedDataString = "Internal check of audit log resulted in a recovery action.\nReason: " + + []string{"Unknown", "Migration failure", "Initialization failure"}[data[0]] + } + } + + return extendedDataString +} + +func parseNetworkTimeEvents(eventId int, data string) string { + var extendedDataString string + + const ( + IntelMETimeSet = 0 + ) + + switch eventId { + case IntelMETimeSet: + extendedDataString = "Command received to set Intel AMT local time." + + if len(data) > 0 { + extendedDataString += "\nTime: " + time.Unix(int64(common.ReadInt(data, 0)), 0).String() + } + } + + return extendedDataString +} + +func parseNetworkAdministrationEvents(eventId int, data string) string { + var extendedDataString string + + InterfaceIDGenType := map[int]string{ + 0: "Random ID", + 1: "Intel ID", + 2: "Manual ID", + 3: "Invalid ID", + } + + const ( + TCPIPParametersSet = 0 + HostNameSet = 1 + DomainNameSet = 2 + VLANParametersSet = 3 + LinkPolicySet = 4 + IPv6ParametersSet = 5 + ) + + switch eventId { + case TCPIPParametersSet: + extendedDataString = "TCP/IP parameters were set." + + if len(data) > 0 { + event := readNetworkAdministrationEventData(TCPIPParametersSet, []byte(data)) + extendedDataString += "\nDHCP Enabled: " + []string{"Disabled", "Enabled"}[event.DHCPEnabled] + + "\nStatic IP: " + convertUINT32ToIPv4(event.IPV4Address).String() + + "\nSubnet Mask: " + convertUINT32ToIPv4(event.SubnetMask).String() + + "\nGateway: " + convertUINT32ToIPv4(event.Gateway).String() + } + case HostNameSet: + extendedDataString = "Host name was set" + + if len(data) > 0 { + event := readNetworkAdministrationEventData(HostNameSet, []byte(data)) + extendedDataString += " to " + event.HostName + } + case DomainNameSet: + extendedDataString = "Domain name was set" + + if len(data) > 0 { + event := readNetworkAdministrationEventData(DomainNameSet, []byte(data)) + extendedDataString += " to " + event.DomainName + } + case VLANParametersSet: + extendedDataString = "VLAN tag was set" + + if len(data) > 0 { + event := readNetworkAdministrationEventData(VLANParametersSet, []byte(data)) + + if event.VLANTag == 0 { + extendedDataString += " to disabled" + } else { + extendedDataString += " to " + fmt.Sprint(event.VLANTag) + } + } + case LinkPolicySet: + extendedDataString = "Link policy was set" + + if len(data) > 0 { + event := readNetworkAdministrationEventData(LinkPolicySet, []byte(data)) + extendedDataString += " to " + fmt.Sprint(event.LinkPolicy) + } + case IPv6ParametersSet: + extendedDataString = "IPv6 parameters were set." + + if len(data) > 0 { + event := readNetworkAdministrationEventData(IPv6ParametersSet, []byte(data)) + extendedDataString += "\nIPv6: " + []string{"Disabled", "Enabled"}[event.IPV6Enabled] + + "\nInterface Gen Type: " + InterfaceIDGenType[int(event.InterfaceIDGenType)] + + if event.InterfaceIDGenType == 2 { + interfaceId := fmt.Sprintf("%02x%02x:%02x%02x:%02x%02x:%02x%02x", + event.InterfaceID[0], event.InterfaceID[1], event.InterfaceID[2], event.InterfaceID[3], + event.InterfaceID[4], event.InterfaceID[5], event.InterfaceID[6], event.InterfaceID[7]) + extendedDataString += "\nInterface ID: " + interfaceId + } + + extendedDataString += "\nIPv6 Address: " + net.IP(event.IPV6Address).String() + + "\nIPv6 Gateway: " + net.IP(event.IPV6Gateway).String() + + "\nIPv6 Primary DNS: " + net.IP(event.IPV6PrimaryDNS).String() + + "\nIPv6 Secondary DNS: " + net.IP(event.IPV6SecondaryDNS).String() + } + } + + return extendedDataString +} + +func parseStorageAdministrationEvents(eventId int, data string) string { + var extendedDataString string + + const ( + GlobalStorageAttributesSet = 0 + StorageEACLModified = 1 + StorageFPACLModified = 2 + StorageWriteOperation = 3 + ) + + switch eventId { + case GlobalStorageAttributesSet: + extendedDataString = "Global storage attributes were set." + + if len(data) > 0 { + byteData := []byte(data) + buf := bytes.NewBuffer(byteData) + + event := StorageAdministrationEvent{} + + binary.Read(buf, binary.LittleEndian, &event.MaxPartnerStorage) + binary.Read(buf, binary.LittleEndian, &event.MaxNonPartnerTotalAllocationSize) + + extendedDataString += "\nMax Partner Storage: " + fmt.Sprint(event.MaxPartnerStorage) + + "\nMax Non-Partner Total Allocation Size: " + fmt.Sprint(event.MaxNonPartnerTotalAllocationSize) + } + case StorageEACLModified: + extendedDataString = "Storage EACL entry was added or removed." + case StorageFPACLModified: + extendedDataString = "Storage FPACL entry was added, removed, or updated." + case StorageWriteOperation: + extendedDataString = "Application wrote a block to storage." + } + + return extendedDataString +} + +func parseEventManagerEvents(eventId int, data string) string { + var extendedDataString string + + const ( + AlertSubscribed = 0 + AlertUnsubscribed = 1 + EventLogCleared = 2 + EventLogFrozen = 3 + ) + + switch eventId { + case AlertSubscribed, AlertUnsubscribed: + if eventId == AlertSubscribed { + extendedDataString = "An alert subscription was created successfully." + } else { + extendedDataString = "An existing alert subscription was cancelled." + } + + if len(data) > 0 { + event := readEventManagerEventData(AlertSubscribed, []byte(data)) + extendedDataString += eventManagerEventDataToString(event) + } + case EventLogCleared: + extendedDataString = "Event log was cleared of existing records." + case EventLogFrozen: + if len(data) > 0 { + event := readEventManagerEventData(EventLogFrozen, []byte(data)) + extendedDataString = "Event log was " + []string{"unfrozen", "frozen"}[event.Freeze] + } + } + + return extendedDataString +} + +func parseSystemDefenseManagerEvents(eventId int, data string) string { + var extendedDataString string + + const ( + SDFilterAdded = 0 + SDFilterRemoved = 1 + SDPolicyAdded = 2 + SDPolicyRemoved = 3 + SDDefaultPolicySet = 4 + SDHeuristicsOptionSet = 5 + SDHeuristicsStateCleared = 6 + ) + + switch eventId { + case SDFilterAdded: + extendedDataString = "Attempt made to add a system defense filter." + case SDFilterRemoved: + extendedDataString = "System defense filter was removed successfully." + + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDFilterRemoved, []byte(data)) + extendedDataString += "\nFilter Handle: " + fmt.Sprint(event.FilterHandle) + } + case SDPolicyAdded: + extendedDataString = "Attempt made to add a system defense policy." + case SDPolicyRemoved: + extendedDataString = "System defense policy was removed successfully." + + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDPolicyRemoved, []byte(data)) + extendedDataString += "\nPolicy Handle: " + fmt.Sprint(event.PolicyHandle) + } + case SDDefaultPolicySet: + extendedDataString = "System defense policy selected." + + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDDefaultPolicySet, []byte(data)) + extendedDataString += "\nHardware Interface: " + fmt.Sprint(event.HardwareInterface) + + "\nPolicy Handle: " + fmt.Sprint(event.PolicyHandle) + } + case SDHeuristicsOptionSet: + extendedDataString = "System defense heuristics settings were set successfully." + + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDHeuristicsOptionSet, []byte(data)) + extendedDataString += "\nInterface Handle: " + fmt.Sprint(event.InterfaceHandle) + + "\nBlock All: " + fmt.Sprint(event.BlockAll) + + "\nBlock Offensive Port: " + fmt.Sprint(event.BlockOffensivePort) + + "\nPolicy Handle: " + fmt.Sprint(event.PolicyHandle) + } + case SDHeuristicsStateCleared: + extendedDataString = "System defense heuristics settings were removed successfully." + + if len(data) > 0 { + event := readSystemDefenseManagerEventData(SDHeuristicsStateCleared, []byte(data)) + extendedDataString += "\nInterface Handle: " + fmt.Sprint(event.InterfaceHandle) + } + } + + return extendedDataString +} + +func parseAgentPresenceManagerEvents(eventId int, data string) string { + var extendedDataString string + + const ( + AgentWatchdogAdded = 0 + AgentWatchdogRemoved = 1 + AgentWatchdogActionSet = 2 + ) + + switch eventId { + case AgentWatchdogAdded: + extendedDataString = "An application entry was created to be monitored." + + if len(data) > 0 { + event := readAgentPresenceManagerEventData(AgentWatchdogAdded, []byte(data)) + extendedDataString += "\nAgent ID: " + fmt.Sprintf("%08x-%04x-%04x-%04x-%012x", + event.AgentID[0:4], + event.AgentID[4:6], + event.AgentID[6:8], + event.AgentID[8:10], + event.AgentID[10:]) + + "\nAgent Heartbeat Time: " + fmt.Sprint(event.AgentHeartBeatTime) + + "\nAgent Startup Time: " + fmt.Sprint(event.AgentStartupTime) + } + case AgentWatchdogRemoved: + extendedDataString = "An application entry was removed." + + if len(data) > 0 { + event := readAgentPresenceManagerEventData(AgentWatchdogRemoved, []byte(data)) + extendedDataString += "\nAgent ID: " + fmt.Sprintf("%08x-%04x-%04x-%04x-%012x", + event.AgentID[0:4], + event.AgentID[4:6], + event.AgentID[6:8], + event.AgentID[8:10], + event.AgentID[10:]) + } + case AgentWatchdogActionSet: + extendedDataString = "Actions were set, added, or removed for an application watchdog entry." + + if len(data) > 0 { + event := readAgentPresenceManagerEventData(AgentWatchdogActionSet, []byte(data)) + extendedDataString += "\nAgent ID: " + fmt.Sprintf("%08x-%04x-%04x-%04x-%012x", + event.AgentID[0:4], + event.AgentID[4:6], + event.AgentID[6:8], + event.AgentID[8:10], + event.AgentID[10:]) + } + } + + return extendedDataString +} + +func parseWirelessConfigurationEvents(eventId int, data string) string { + var extendedDataString string + + const ( + WirelessProfileAdded = 0 + WirelessProfileRemoved = 1 + WirelessProfileUpdated = 2 + WirelessProfileModified = 3 + WirelessLinkPreferenceChanged = 4 + WirelessProfileShareWithUEFIEnabledSettingChanged = 5 + ) + + switch eventId { + case WirelessProfileAdded: + extendedDataString = "A new profile was added." + + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessProfileAdded, []byte(data)) + extendedDataString += "\nSSID: " + strings.Trim(fmt.Sprint(string(event.SSID)), "\x00") + + "\nProfile Priority: " + fmt.Sprint(event.ProfilePriority) + + "\nProfile Name Length: " + fmt.Sprint(event.ProfileNameLength) + + "\nProfile Name: " + fmt.Sprint(string(event.ProfileName)) + } + case WirelessProfileRemoved: + extendedDataString = "An existing profile was removed." + + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessProfileRemoved, []byte(data)) + extendedDataString += "\nProfile Name Length: " + fmt.Sprint(event.ProfileNameLength) + + "\nProfile Name: " + fmt.Sprint(string(event.ProfileName)) + } + case WirelessProfileUpdated: + extendedDataString = "An existing profile was updated." + + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessProfileUpdated, []byte(data)) + extendedDataString += "\nSSID: " + strings.Trim(fmt.Sprint(string(event.SSID)), "\x00") + + "\nProfile Priority: " + fmt.Sprint(event.ProfilePriority) + + "\nProfile Name Length: " + fmt.Sprint(event.ProfileNameLength) + + "\nProfile Name: " + fmt.Sprint(string(event.ProfileName)) + } + case WirelessProfileModified: + extendedDataString = "An existing profile sync was modified." + + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessProfileModified, []byte(data)) + extendedDataString += "\nProfile sync " + []string{"is disabled", "user", "admin", "is unrestricted"}[event.ProfileSync] + } + case WirelessLinkPreferenceChanged: + extendedDataString = "An existing profile link preference was changed." + + if len(data) > 0 { + event := readWirelessConfigurationEventData(WirelessLinkPreferenceChanged, []byte(data)) + extendedDataString += "\nTimeout: " + fmt.Sprint(event.Timeout) + extendedDataString += "\nLink Preference: " + []string{"none", "ME", "Host"}[int(event.LinkPreference)] + } + case WirelessProfileShareWithUEFIEnabledSettingChanged: + extendedDataString = fmt.Sprintf("Wireless profile share with UEFI was set to %s.", []string{"Disabled", "Enabled"}[data[0]]) + } + + return extendedDataString +} + +func parseEndpointAccessControlEvents(eventId int, data string) string { + var extendedDataString string + + const ( + EACPostureSignerSet = 0 + EACEnabled = 1 + EACDisabled = 2 + EASPostureStateUpdate = 3 + EACSetOptions = 4 + ) + + switch eventId { + case EACPostureSignerSet: + extendedDataString = "A certificate handle for signing EAC postures was either set or removed." + case EACEnabled: + extendedDataString = "EAC was set to enabled by WS-MAN interface." + case EACDisabled: + extendedDataString = "EAC was set to disabled by WS-MAN interface." + case EASPostureStateUpdate: + extendedDataString = "Controllable fields of EAC posture were reset manually by WS-MAN interface." + case EACSetOptions: + extendedDataString = "EAC options were changed." + + if len(data) > 0 { + byteData := []byte(data) + buf := bytes.NewBuffer(byteData) + + var eacVendors uint32 + _ = binary.Read(buf, binary.LittleEndian, &eacVendors) + extendedDataString += "\nEAC Vendors: " + fmt.Sprint(eacVendors) + } + } + + return extendedDataString +} + +func parseKeyboardVideoMouseEvents(eventId int) string { + var extendedDataString string + + const ( + KVMOptInEnabled = 0 + KVMOptInDisabled = 1 + KVMPasswordChanged = 2 + KVMConsentSucceeded = 3 + KVMConsentFailed = 4 + ) + + switch eventId { + case KVMOptInEnabled: + extendedDataString = "User consent for a KVM session is now required." + case KVMOptInDisabled: + extendedDataString = "User consent for a KVM session is no longer required." + case KVMPasswordChanged: + extendedDataString = "RFB password for KVM session has changed." + case KVMConsentSucceeded: + extendedDataString = operationStatusToString[0] + case KVMConsentFailed: + extendedDataString = operationStatusToString[1] + } + + return extendedDataString +} + +func parseUserOptInEvents(eventId int, data string) string { + var extendedDataString string + + const ( + OptInPolicyChange = 0 + SendConsentCodeEvent = 1 + StartOptInBlockedEvent = 2 + ) + + switch eventId { + case OptInPolicyChange: + extendedDataString = "A user has modified the opt-in policy settings." + + if len(data) > 0 { + event := readUserOptInEventData(OptInPolicyChange, []byte(data)) + extendedDataString += "\nPrevious Opt-In Policy: " + optInPolicyToString[int(event.PreviousOptInPolicy)] + + "\nCurrent Opt-In Policy: " + optInPolicyToString[int(event.CurrentOptInPolicy)] + } + case SendConsentCodeEvent: + extendedDataString = "The remote operator sent a consent code." + + if len(data) > 0 { + event := readUserOptInEventData(SendConsentCodeEvent, []byte(data)) + extendedDataString += "\n" + operationStatusToString[int(event.OperationStatus)] + } + case StartOptInBlockedEvent: + extendedDataString = "The remote operator attempted to send a start opt-in request, but the request was blocked (denial-of-service attack prevention)." + } + + return extendedDataString +} + +func parseWatchdogEvents(eventId int, data string) string { + var extendedDataString string + + const ( + WatchdogResetTriggeringOptionsChanged = 0 + WatchdogActionPairingChanged = 1 + ) + + switch eventId { + case WatchdogResetTriggeringOptionsChanged: + extendedDataString = "A user has modified the watchdog action settings." + case WatchdogActionPairingChanged: + extendedDataString = "A user has modified a watchdog to add, remove, or alter the watchdog action connected to it." + + if len(data) > 0 { + byteData := []byte(data) + + var opStatus uint8 + + buf := bytes.NewBuffer(byteData) + + _ = binary.Read(buf, binary.LittleEndian, &opStatus) + + extendedDataString += "\n" + operationStatusToString[int(opStatus)] + } + } + + return extendedDataString +} + +const ( + HTTPDigest byte = 0 + Kerberos byte = 1 + Local byte = 2 + KvmDefaultPort byte = 3 +) + +func readProvisioningCompletedEventData(data []byte) ProvisioningParameters { + buf := bytes.NewBuffer(data) + event := ProvisioningParameters{} + + // Read ProvisioningMethod + _ = binary.Read(buf, binary.LittleEndian, &event.ProvisioningMethod) + + // Read HashType + _ = binary.Read(buf, binary.LittleEndian, &event.HashType) + + // Read TrustedRootCertHash based on HashType + switch event.HashType { + case 1: // SHA1_160 + event.TrustedRootCertHash = make([]byte, 20) + case 2: // SHA_256 + event.TrustedRootCertHash = make([]byte, 32) + case 3: // SHA_384 + event.TrustedRootCertHash = make([]byte, 48) + } + + buf.Read(event.TrustedRootCertHash) + + // Read NumberOfCertificates + _ = binary.Read(buf, binary.LittleEndian, &event.NumberOfCertificates) + + // Read CertSerialNumbers + for i := 0; i < int(event.NumberOfCertificates); i++ { + serialNumber := make([]byte, 16) + buf.Read(serialNumber) + event.CertSerialNumbers = append(event.CertSerialNumbers, hex.EncodeToString(serialNumber)) + } + + // Read AdditionalCaSerialNumbers + _ = binary.Read(buf, binary.LittleEndian, &event.AdditionalCaSerialNumbers) + + // Read ProvServFQDNLength + _ = binary.Read(buf, binary.LittleEndian, &event.ProvServFQDNLength) + + // Read ProvServFQDN + fqdn := make([]byte, event.ProvServFQDNLength) + buf.Read(fqdn) + + event.ProvServFQDN = string(fqdn) + + return event +} + +func provisioningCompletedToString(provisioningCompleted *ProvisioningParameters) string { + s := fmt.Sprintf("\nProvisioning Method: %s", provisioningMethodToString[int(provisioningCompleted.ProvisioningMethod)]) + + if provisioningCompleted.HashType != 0 { + s += fmt.Sprintf("\nHash Type: %s", provisioningHashTypeToString[int(provisioningCompleted.HashType)]) + } + + if len(provisioningCompleted.TrustedRootCertHash) > 0 { + s += fmt.Sprintf("\nTrusted Root Cert Hash: %s", hex.EncodeToString(provisioningCompleted.TrustedRootCertHash)) + } + + if provisioningCompleted.NumberOfCertificates > 0 { + s += fmt.Sprintf("\nNumber of Certificates: %d", provisioningCompleted.NumberOfCertificates) + s += fmt.Sprintf("\nCert Serial Numbers (first 3): %v", provisioningCompleted.CertSerialNumbers) + + if provisioningCompleted.AdditionalCaSerialNumbers > 3 { + s += fmt.Sprintf("\nThere are %d additional certificates", provisioningCompleted.AdditionalCaSerialNumbers) + } + } + + if provisioningCompleted.ProvServFQDNLength > 0 { + s += fmt.Sprintf("\nProvisioning Server FQDN: %s", provisioningCompleted.ProvServFQDN) + } + + return s +} + +func aclEntryToString(entry *ACLEntry) string { + s := fmt.Sprintf("\nInitiator Type: %s", initiatorTypeToString[int(entry.InitiatorType)]) + + if entry.UsernameLength == 0 { + s += fmt.Sprintf("\nSID: %d", entry.SID) + + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } + } else { + s += fmt.Sprintf("\nUsername: %s", entry.Username) + } + + return s +} + +func aclEntryModifiedToString(entry *ACLEntry) string { + parameterModifiedStr := "" + + if entry.ParameterModified&0x01 != 0 { + parameterModifiedStr += "Username, " + } + + if entry.ParameterModified&0x02 != 0 { + parameterModifiedStr += "Password, " + } + + if entry.ParameterModified&0x04 != 0 { + parameterModifiedStr += "Local realms, " + } + + if entry.ParameterModified&0x08 != 0 { + parameterModifiedStr += "Remote realms, " + } + + if entry.ParameterModified&0x10 != 0 { + parameterModifiedStr += "Kerberos domain, " + } + + if entry.ParameterModified&0x20 != 0 { + parameterModifiedStr += "SID, " + } + + if len(parameterModifiedStr) > 0 { + parameterModifiedStr = parameterModifiedStr[:len(parameterModifiedStr)-2] // Remove the trailing comma and space + } else { + parameterModifiedStr = "None" + } + + s := fmt.Sprintf("\nParameter(s) Modified: %s\nInitiator Type: %s", parameterModifiedStr, initiatorTypeToString[int(entry.InitiatorType)]) + + if entry.UsernameLength == 0 { + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } + } else { + s += fmt.Sprintf("\nUsername: %s", entry.Username) + } + + return s +} + +func aclEntryEnabledToString(entry *ACLEntry) string { + s := fmt.Sprintf("\nEntry State: %s\nInitiator Type: %s", []string{"Disabled", "Enabled"}[int(entry.EntryState)], initiatorTypeToString[int(entry.InitiatorType)]) + if entry.UsernameLength == 0 { + s += fmt.Sprintf("\nSID: %d", entry.SID) + if entry.DomainLength > 0 { + s += fmt.Sprintf("\nDomain: %s", entry.Domain) + } + } else { + s += fmt.Sprintf("\nUsername: %s", entry.Username) + } + + return s +} + +func readCertificateSerialNumberToString(data []byte) string { + hexString := hex.EncodeToString(data) + + return "\nCertificate serial number: " + hexString +} + +func getCommonACLProperties(buf *bytes.Buffer, entry *ACLEntry) { + // Read Initiator Type + _ = binary.Read(buf, binary.LittleEndian, &entry.InitiatorType) + + // Read Username Length + _ = binary.Read(buf, binary.LittleEndian, &entry.UsernameLength) + + if entry.UsernameLength == 0 { + _ = binary.Read(buf, binary.LittleEndian, &entry.SID) + + _ = binary.Read(buf, binary.LittleEndian, &entry.DomainLength) + + domain := make([]byte, entry.DomainLength) + + buf.Read(domain) + + entry.Domain = string(domain) + } else { + username := make([]byte, entry.UsernameLength) + + buf.Read(username) + + entry.Username = string(username) + } +} + +func getACLParameters(buf *bytes.Buffer, entry *ACLEntry) { + // Read Parameter Modified + _ = binary.Read(buf, binary.LittleEndian, &entry.ParameterModified) +} + +func readACLData(id int, data []byte) ACLEntry { + buf := *bytes.NewBuffer(data) + entry := ACLEntry{} + + switch id { + case 2, 4: + getCommonACLProperties(&buf, &entry) + case 3: + getACLParameters(&buf, &entry) + getCommonACLProperties(&buf, &entry) + case 6: + _ = binary.Read(&buf, binary.LittleEndian, &entry.EntryState) + getCommonACLProperties(&buf, &entry) + } + + return entry +} + +func readBootOptionsData(data []byte) RemoteControlEvent { + buf := bytes.NewBuffer(data) + rce := RemoteControlEvent{} + + _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommand) + _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameterHighByte) + _ = binary.Read(buf, binary.LittleEndian, &rce.SpecialCommandParameterLowByte) + _ = binary.Read(buf, binary.LittleEndian, &rce.BootOptionsMaskByte1) + _ = binary.Read(buf, binary.LittleEndian, &rce.BootOptionsMaskByte2) + _ = binary.Read(buf, binary.LittleEndian, &rce.OEMParameterByte1) + _ = binary.Read(buf, binary.LittleEndian, &rce.OEMParameterByte2) + + return rce +} + +var remoteControlSpecialCommandToString = map[int]string{ + 0: "None", + 1: "PXE", + 2: "HDD", + 3: "HDD - Safe Mode", + 4: "Diagnostic Partition", + 5: "CD or DVD Boot", + 193: "Intel Command", + 194: "Intel Command - HTTPS Boot", + 195: "Intel Command - PBA Boot", +} + +var remoteControlSpecialCommandParameterHighByteToString = map[int]string{ + 0: "SRoU is connected to CD/DVD device", + 1: "SRoU is connected to floppy device", +} + +var remoteControlSpecialCommandParameterLowByte193ToString = map[int]string{ + 1: "SRoU is to be used on next boot.", + 2: "BIOS will enforce secure boot over SRoU.", + 4: "BIOS is to be re-flashed on next boot.", + 8: "Boot into BIOS SETUP screen.", + 16: "BIOS Pause on the next boot.", + 32: "BIOS is to participate in a KVM session.", + 64: "BIOS is to start a Remote Secure Erase (RSE) session.", + 128: "BIOS is to start a Remote Platform Erase (RPE) session.", +} + +var remoteControlSpecialCommandParameterLowByte194or195ToString = map[int]string{ + 2: "BIOS will enforce secure boot on next boot.", + 32: "BIOS is to participate in a KVM session.", +} + +var remoteControlSpecialCommandParameterLowByteOthersToString = map[int]string{ + 32: "BIOS is to participate in a KVM session.", +} + +func remoteControlEventToString(rce RemoteControlEvent) string { + // s := "\nBoot Media: " + []string{"None", "PXE", "HDD", "HDD - Safe Mode", "Diagnostic Partition", "CD or DVD Boot", "USB", "PXE", "BIOS Setup"}[rce.BootOptions] + + // "\n " + "Boot Media Override: " + []string{"Disabled", "Enabled"}[rce.SpecialCommand] + + // "\n " + "BIOS Pause: " + []string{"Disabled", "Enabled"}[rce.OEMParameters] + + // "\n " + "BIOS Pause Key: " + []string{"None", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "F8", "F9", "F10", "F11", "F12"}[rce.SpecialCommandParameter] + s := "\nSpecial Command: " + remoteControlSpecialCommandToString[int(rce.SpecialCommand)] + + if rce.SpecialCommand == 193 { + s += "\nSpecial Command Parameter High Byte: " + remoteControlSpecialCommandParameterHighByteToString[int(rce.SpecialCommandParameterHighByte)] + s += "\nSpecial Command Parameter Low Byte: " + remoteControlSpecialCommandParameterLowByte193ToString[int(rce.SpecialCommandParameterLowByte)] + } else if rce.SpecialCommand > 193 { + s += "\nSpecial Command Parameter Low Byte: " + remoteControlSpecialCommandParameterLowByte194or195ToString[int(rce.SpecialCommandParameterLowByte)] + } else { + s += "\nSpecial Command Parameter Low Byte: " + remoteControlSpecialCommandParameterLowByteOthersToString[int(rce.SpecialCommandParameterLowByte)] + } + + return s +} + +func readFWVersion(buf *bytes.Buffer, version *FWVersion) { + _ = binary.Read(buf, binary.LittleEndian, &version.Major) + _ = binary.Read(buf, binary.LittleEndian, &version.Minor) + _ = binary.Read(buf, binary.LittleEndian, &version.Hotfix) + _ = binary.Read(buf, binary.LittleEndian, &version.Build) +} + +func readNetworkAdministrationEventData(id int, data []byte) NetworkAdministrationEvent { + buf := bytes.NewBuffer(data) + event := NetworkAdministrationEvent{} + + switch id { + case 0: + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.DHCPEnabled) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV4Address) + _ = binary.Read(buf, binary.LittleEndian, &event.SubnetMask) + _ = binary.Read(buf, binary.LittleEndian, &event.Gateway) + _ = binary.Read(buf, binary.LittleEndian, &event.PrimaryDNS) + _ = binary.Read(buf, binary.LittleEndian, &event.SecondaryDNS) + case 1: + _ = binary.Read(buf, binary.LittleEndian, &event.HostNameLength) + + hostname := make([]byte, event.HostNameLength) + + buf.Read(hostname) + + event.HostName = string(hostname) + case 2: + _ = binary.Read(buf, binary.LittleEndian, &event.DomainNameLength) + + domainName := make([]byte, event.DomainNameLength) + + buf.Read(domainName) + + event.DomainName = string(domainName) + case 3: + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.VLANTag) + case 4: + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.LinkPolicy) + case 5: + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.IPV6Enabled) + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceIDGenType) + + if event.InterfaceIDGenType == 2 { + interfaceId := make([]byte, 8) + buf.Read(interfaceId) + event.InterfaceID = interfaceId + } + + ipv6Address := make([]byte, 16) + buf.Read(ipv6Address) + event.IPV6Address = ipv6Address + + ipv6Gateway := make([]byte, 16) + buf.Read(ipv6Gateway) + event.IPV6Gateway = ipv6Gateway + + ipv6PrimaryDNS := make([]byte, 16) + buf.Read(ipv6PrimaryDNS) + event.IPV6PrimaryDNS = ipv6PrimaryDNS + + ipv6SecondaryDNS := make([]byte, 16) + buf.Read(ipv6SecondaryDNS) + event.IPV6SecondaryDNS = ipv6SecondaryDNS + } + + return event +} + +func readEventManagerEventData(id int, data []byte) EventManagerEvent { + buf := bytes.NewBuffer(data) + event := EventManagerEvent{} + + switch id { + case 0, 1: + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyID) + _ = binary.Read(buf, binary.LittleEndian, &event.SubscriptionAlertType) + _ = binary.Read(buf, binary.LittleEndian, &event.IPAddrType) + + if event.IPAddrType == 0 { + ipAddress := make([]byte, 4) + buf.Read(ipAddress) + event.AlertTargetIPAddress = ipAddress + } + + if event.IPAddrType == 1 { + ipAddress := make([]byte, 16) + buf.Read(ipAddress) + event.AlertTargetIPAddress = ipAddress + } + case 3: + _ = binary.Read(buf, binary.LittleEndian, &event.Freeze) + } + + return event +} + +func eventManagerEventDataToString(event EventManagerEvent) string { + s := "\nPolicy ID: " + fmt.Sprint(event.PolicyID) + + if event.SubscriptionAlertType == 1 { + s += "\nSubscription Alert Type: SNMP" + } + + s += "\nIP Address Type: " + []string{"IPv4", "IPv6"}[event.IPAddrType] + + "\nAlert Target IP Address: " + net.IP(event.AlertTargetIPAddress).String() + + return s +} + +func readSystemDefenseManagerEventData(id int, data []byte) SystemDefenseManagerEvent { + buf := bytes.NewBuffer(data) + event := SystemDefenseManagerEvent{} + + switch id { + case 1: + _ = binary.Read(buf, binary.LittleEndian, &event.FilterHandle) + case 3: + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + case 4: + _ = binary.Read(buf, binary.LittleEndian, &event.HardwareInterface) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + case 5: + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + _ = binary.Read(buf, binary.LittleEndian, &event.BlockAll) + _ = binary.Read(buf, binary.LittleEndian, &event.BlockOffensivePort) + _ = binary.Read(buf, binary.LittleEndian, &event.PolicyHandle) + case 6: + _ = binary.Read(buf, binary.LittleEndian, &event.InterfaceHandle) + } + + return event +} + +func readAgentPresenceManagerEventData(id int, data []byte) AgentPresenceManagerEvent { + buf := bytes.NewBuffer(data) + event := AgentPresenceManagerEvent{} + + agentId := make([]byte, 16) + buf.Read(agentId) + event.AgentID = agentId + + if id == 0 { + _ = binary.Read(buf, binary.LittleEndian, &event.AgentHeartBeatTime) + _ = binary.Read(buf, binary.LittleEndian, &event.AgentStartupTime) + } + + return event +} + +func readWirelessConfigurationEventData(id int, data []byte) WirelessConfigurationEvent { + buf := bytes.NewBuffer(data) + event := WirelessConfigurationEvent{} + + switch id { + case 0, 2: + ssid := make([]byte, 32) + buf.Read(ssid) + event.SSID = ssid + _ = binary.Read(buf, binary.LittleEndian, &event.ProfilePriority) + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) + profileName := make([]byte, event.ProfileNameLength) + buf.Read(profileName) + event.ProfileName = profileName + case 1: + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileNameLength) + profileName := make([]byte, event.ProfileNameLength) + buf.Read(profileName) + event.ProfileName = profileName + case 3: + _ = binary.Read(buf, binary.LittleEndian, &event.ProfileSync) + case 4: + _ = binary.Read(buf, binary.LittleEndian, &event.Timeout) + _ = binary.Read(buf, binary.LittleEndian, &event.LinkPreference) + } + + return event +} + +func readUserOptInEventData(id int, data []byte) UserOptInEvent { + buf := bytes.NewBuffer(data) + event := UserOptInEvent{} + + switch id { + case 0: + _ = binary.Read(buf, binary.LittleEndian, &event.PreviousOptInPolicy) + _ = binary.Read(buf, binary.LittleEndian, &event.CurrentOptInPolicy) + case 1: + _ = binary.Read(buf, binary.LittleEndian, &event.OperationStatus) + } + + return event +} + +func convertUINT32ToIPv4(intIP uint32) net.IP { + ip := make(net.IP, 4) + binary.BigEndian.PutUint32(ip, intIP) + + return ip +} + +// [initiatorType: number, initiator: string, ptr: number] need to type it. +func getInitiatorInfo(decodedEventRecord string) (initatorType byte, initiator string, ptr int) { + var userlen uint8 + + initiatorType := []byte(decodedEventRecord[4:5])[0] + + switch initiatorType { + case HTTPDigest: + userlen = []byte(decodedEventRecord[5:6])[0] + initiator = decodedEventRecord[6 : 6+userlen] + ptr = 6 + int(userlen) + case Kerberos: + userlen = []byte(decodedEventRecord[9:10])[0] + initiator = common.GetSidString(decodedEventRecord[10 : 10+userlen]) + ptr = 10 + int(userlen) + case Local: + initiator = "Local" + ptr = 5 + case KvmDefaultPort: + initiator = "KVM Default Port" + ptr = 5 + default: + initiator = "" + ptr = 0 + } + + return initiatorType, initiator, ptr } diff --git a/pkg/wsman/amt/auditlog/decoder_test.go b/pkg/wsman/amt/auditlog/decoder_test.go index 4bf3bc11..708f42b9 100644 --- a/pkg/wsman/amt/auditlog/decoder_test.go +++ b/pkg/wsman/amt/auditlog/decoder_test.go @@ -7,7 +7,6 @@ package auditlog import ( "testing" - "time" ) func TestOverwritePolicy_String(t *testing.T) { @@ -106,32 +105,161 @@ func TestRequestedState_String(t *testing.T) { func TestGetAuditLogExtendedDataString(t *testing.T) { tests := []struct { - name string - auditEventId int - data string - expected string + name string + appId int + eventId int + data string + expected string }{ - {"ACLEntryAdded", ACLEntryAdded, "\x00\x05Hello World", "Hello"}, - {"ACLEntryRemoved", ACLEntryRemoved, "\x00\x05Hello World", "Hello"}, - {"ACLEntryModified", ACLEntryModified, "\x01\x00Hello World", "Hello World"}, - {"ACLAccessWithInvalidCredentials", ACLAccessWithInvalidCredentials, "\x00", "Invalid ME access"}, - {"ACLAccessWithInvalidCredentials", ACLAccessWithInvalidCredentials, "\x01", "Invalid MEBx access"}, - {"ACLEntryStateChanged", ACLEntryStateChanged, "\x00\x00Hello World", "Disabled, Hello World"}, - {"ACLEntryStateChanged", ACLEntryStateChanged, "\x01\x01", "Enabled"}, - {"TLSStateChanged", TLSStateChanged, "\x01\x02", "Remote ServerAuth, Local MutualAuth"}, - {"SetRealmAuthenticationMode", SetRealmAuthenticationMode, "\x00\x00\x00\x00\x02", "Redirection, Disabled"}, - {"AMTUnprovisioningStarted", AMTUnprovisioningStarted, "\x03", "Local WSMAN"}, - {"FirmwareUpdate", FirmwareUpdate, "\x00\x01\x00\x02\x00\x03\x00\x04\x00\x05\x00\x06\x00\x07\x00\x08", "From 1.2.3.4 to 5.6.7.8"}, - {"AMTTimeSet", AMTTimeSet, "\x00\x00\x00\x00", time.Unix(0, 0).Local().Format(time.RFC1123)}, - {"OptInPolicyChange", OptInPolicyChange, "\x00\x01", "From None to KVM"}, - {"SendConsentCode", SendConsentCode, "\x00", "Success"}, + {"Unknown Event Group ID", 999, 0, "", "Unknown Event Group ID"}, + {"Security Admin - Provisioning Started", SecurityAdmin, 0, "", "Intel AMT transitioned to setup mode."}, + {"Security Admin - Provisioning Completed Manual", SecurityAdmin, 1, "\u0003", "Intel AMT transitioned to operational mode.\nProvisioning Method: Manual Provisioning via MEBx"}, + {"Security Admin - Provisioning Completed PKI", SecurityAdmin, 1, "\x05\x02\xcb<˷`1\xe5\xe0\x13\x8f\x8dӚ#\xf9\xdeG\xff\xc3^C\xc1\x14L\xea'\xd4jZ\xb1\xcb_\x02\f\x8e\xe0\xc9\rj\x89\x15\x88\x04\x06\x1e\xe2A\xf9\xaf\x03:\xf1\xe6\xa7\x11\xa9\xa0\xbb(d\xb1\x1d\t\xfa\xe5\x00\x12Intel.vprodemo.com", "Intel AMT transitioned to operational mode.\nProvisioning Method: Host-Based Provisioning Admin Mode\nHash Type: SHA 256\nTrusted Root Cert Hash: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f\nNumber of Certificates: 2\nCert Serial Numbers (first 3): [0c8ee0c90d6a89158804061ee241f9af 033af1e6a711a9a0bb2864b11d09fae5]\nProvisioning Server FQDN: Intel.vprodemo.com"}, + {"Security Admin - ACL Added without data", SecurityAdmin, 2, "", "User entry was added to the Intel AMT Device."}, + {"Security Admin - ACL Added with data", SecurityAdmin, 2, "\u0000\u0004test", "User entry was added to the Intel AMT Device.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified without data", SecurityAdmin, 3, "", "User entry was updated in the Intel AMT device."}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0000\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: None\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0001\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Username\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0002\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Password\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0004\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Local realms\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0008\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Remote realms\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0010\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Kerberos domain\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0020\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: SID\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0021\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Username, SID\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Modified with data", SecurityAdmin, 3, "\u0031\u0000\u0004test", "User entry was updated in the Intel AMT device.\nParameter(s) Modified: Username, Kerberos domain, SID\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - ACL Removed without data", SecurityAdmin, 4, "", "User entry was removed from the Intel AMT device."}, + {"Security Admin - ACL Removed with data", SecurityAdmin, 4, "\x00\x04test", "User entry was removed from the Intel AMT device.\nInitiator Type: Unknown\nUsername: test"}, + {"Security Admin - Invalid credentials Intel AMT", SecurityAdmin, 5, "\x00", "User attempted to access Intel AMT with invalid credentials."}, + {"Security Admin - Invalid credentials MEBx", SecurityAdmin, 5, "\x01", "User attempted to access MEBx with invalid credentials."}, + {"Security Admin - ACL State change without data ", SecurityAdmin, 6, "", "ACL entry state was changed."}, + {"Security Admin - ACL State change with data ", SecurityAdmin, 6, "\x01\x01\x04test", "ACL entry state was changed.\nEntry State: Enabled\nInitiator Type: User\nUsername: test"}, + {"Security Admin - TLS State change without data", SecurityAdmin, 7, "", "TLS state changed."}, + {"Security Admin - TLS State change with data", SecurityAdmin, 7, "\x01\x00", "TLS state changed.\nRemote: Server Auth\nLocal: No Auth"}, + {"Security Admin - TLS Server Certificate Set without data", SecurityAdmin, 8, "", "TLS server certificate was defined."}, + {"Security Admin - TLS Server Certificate Set with data", SecurityAdmin, 8, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS server certificate was defined.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Server Certificate Removed without data", SecurityAdmin, 9, "", "TLS server certificate was removed."}, + {"Security Admin - TLS Server Certificate Removed with data", SecurityAdmin, 9, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS server certificate was removed.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Trusted Root Certificate Added without data", SecurityAdmin, 10, "", "TLS trusted root certificate was added."}, + {"Security Admin - TLS Trusted Root Certificate Added with data", SecurityAdmin, 10, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS trusted root certificate was added.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Trusted Root Certificate Removed without data", SecurityAdmin, 11, "", "TLS trusted root certificate was removed."}, + {"Security Admin - TLS Trusted Root Certificate Removed with data", SecurityAdmin, 11, "M\xf5\xa0`\xe1\xe1>p\xc0S_e\xf23\b%\xa2\x831\x93", "TLS trusted root certificate was removed.\nCertificate serial number: 4df5a060e1e13e70c0535f65f2330825a2833193"}, + {"Security Admin - TLS Pre-Shared Key Set", SecurityAdmin, 12, "", "TLS pre-shared key was defined."}, + {"Security Admin - Kerberos Settings Modified without data", SecurityAdmin, 13, "", "Kerberos settings were modified."}, + {"Security Admin - Kerberos Settings Modified with data", SecurityAdmin, 13, "\x01", "Kerberos settings were modified.\nTime tolerance: 1"}, + {"Security Admin - Kerberos Master Key Modified", SecurityAdmin, 14, "", "Kerberos master key or passphrase was modified."}, + {"Security Admin - Flash Wear Out Counter Reset", SecurityAdmin, 15, "", "Flash wear out counter was reset."}, + {"Security Admin - Power Package Modified without data", SecurityAdmin, 16, "", "Active power package was set."}, + {"Security Admin - Power Package Modified with data", SecurityAdmin, 16, "\x01", "Active power package was set.\nPower policy: 1"}, + {"Security Admin - Set Realm Authentication Mode without data", SecurityAdmin, 17, "", "Realm authentication mode changed."}, + {"Security Admin - Set Realm Authentication Mode with data", SecurityAdmin, 17, "\x01\x00\x00\x00\x01", "Realm authentication mode changed.\nPT Administration, Auth"}, + {"Security Admin - Upgrade Client to Admin", SecurityAdmin, 18, "", "The control mode of the Intel AMT was changed from Client control to Admin control."}, + {"Security Admin - AMT UnProvisioning Started - BIOS", SecurityAdmin, 19, "\x00", "Intel AMT UnProvisioned Started.\nInitiator: BIOS"}, + {"Security Admin - AMT UnProvisioning Started - MEBx", SecurityAdmin, 19, "\x01", "Intel AMT UnProvisioned Started.\nInitiator: MEBx"}, + {"Security Admin - AMT UnProvisioning Started - Local MEI", SecurityAdmin, 19, "\x02", "Intel AMT UnProvisioned Started.\nInitiator: Local MEI"}, + {"Security Admin - AMT UnProvisioning Started - Local WSMAN", SecurityAdmin, 19, "\x03", "Intel AMT UnProvisioned Started.\nInitiator: Local WSMAN"}, + {"Security Admin - AMT UnProvisioning Started - Remote WSMAN", SecurityAdmin, 19, "\u0004", "Intel AMT UnProvisioned Started.\nInitiator: Remote WSMAN"}, + {"Security Admin - Unknown Event", SecurityAdmin, 20, "", "Unknown Event ID"}, + // {"Remote Control - Performed Power-Up", RemoteControl, 0, "\x00\x00\x00\x00\x00\x00\x00", "Remote power up initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Power-Down", RemoteControl, 1, "", "Remote power down initiated."}, + // {"Remote Control - Performed Power-Cycle", RemoteControl, 2, "\x00\x00\x00\x00\x00\x00\x00", "Remote power cycle initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + // {"Remote Control - Performed Reset", RemoteControl, 3, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + // {"Remote Control - Set Boot Options", RemoteControl, 4, "\x05\x00\x00\x00\x00\x00\x00", "Boot options were set.\nBoot Media: PXE\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Graceful Power Down", RemoteControl, 5, "", "Remote graceful power down initiated."}, + // {"Remote Control - Performed Graceful Power Reset", RemoteControl, 6, "\x00\x00\x00\x00\x00\x00\x00", "Remote reset initiated.\nBoot Media: None\n Boot Media Override: Disabled\n BIOS Pause: Disabled\n BIOS Pause Key: None"}, + {"Remote Control - Performed Standby", RemoteControl, 7, "", "Remote standby initiated."}, + {"Remote Control - Performed Hibernate", RemoteControl, 8, "", "Remote hibernate initiated."}, + {"Remote Control - Performed NMI", RemoteControl, 9, "", "Remote NMI initiated."}, + {"Remote Control - Unknown Event", RemoteControl, 10, "", "Unknown Event ID"}, + {"Redirection Manager - IDER Session Opened", RedirectionManager, 0, "", "An application opened a Storage Redirection session."}, + {"Redirection Manager - IDER Session Closed", RedirectionManager, 1, "", "An application or firmware closed a Storage Redirection session."}, + {"Redirection Manager - IDER Enabled", RedirectionManager, 2, "", "Storage Redirection was enabled."}, + {"Redirection Manager - IDER Disabled", RedirectionManager, 3, "", "Storage Redirection was disabled."}, + {"Redirection Manager - SoL Session Opened", RedirectionManager, 4, "", "An application opened a Serial Over LAN session."}, + {"Redirection Manager - SoL Session Closed", RedirectionManager, 5, "", "An application or firmware closed a Serial Over LAN session."}, + {"Redirection Manager - SoL Enabled", RedirectionManager, 6, "", "Serial Over LAN was enabled."}, + {"Redirection Manager - SoL Disabled", RedirectionManager, 7, "", "Serial Over LAN was disabled."}, + {"Redirection Manager - KVM Session Started", RedirectionManager, 8, "", "An application opened a Keyboard-Video-Mouse session."}, + {"Redirection Manager - KVM Session Ended", RedirectionManager, 9, "", "An application or firmware closed a Keyboard-Video-Mouse session."}, + {"Redirection Manager - KVM Enabled", RedirectionManager, 10, "", "Keyboard-Video-Mouse was enabled."}, + {"Redirection Manager - KVM Disabled", RedirectionManager, 11, "", "Keyboard-Video-Mouse was disabled."}, + {"Redirection Manager - VNC Password Failed", RedirectionManager, 12, "", "Incorrect Remote Frame Buffer (RFB) password entered 3 times."}, + {"Firmware Update Manager - Updated", FirmwareUpdateManager, 0, "\x10\x00\x01\x00\x19\x00\x7F\x09\x10\x00\x01\x00\x1A\x00\xE8\x03", "Firmware update was started.\nOld version: 16.1.25.2431\nNew version: 16.1.26.1000"}, + {"Firmware Update Manager - Update Failed", FirmwareUpdateManager, 1, "\x01\x02", "Firmware update failed.\nFailure Type: 1\nFailure Reason: 2"}, + {"Security Audit Log - Log cleared", SecurityAuditLog, 0, "", "Audit log was cleared."}, + {"Security Audit Log - Policy event was enabled or disabled", SecurityAuditLog, 1, "", "Audit policy event was enabled or disabled."}, + {"Security Audit Log - Disable monitor feature", SecurityAuditLog, 2, "", "Access monitor feature was disabled."}, + {"Security Audit Log - Enable monitor feature", SecurityAuditLog, 3, "", "Access monitor feature was enabled."}, + {"Security Audit Log - Log exported", SecurityAuditLog, 4, "", "Audit log signature and log-related information was exported."}, + {"Security Audit Log - Log recovery - Unknown", SecurityAuditLog, 5, "\x00", "Internal check of audit log resulted in a recovery action.\nReason: Unknown"}, + {"Security Audit Log - Log recovery - Migration failure", SecurityAuditLog, 5, "\x01", "Internal check of audit log resulted in a recovery action.\nReason: Migration failure"}, + {"Security Audit Log - Log recovery - Initialization failure", SecurityAuditLog, 5, "\x02", "Internal check of audit log resulted in a recovery action.\nReason: Initialization failure"}, + {"Network Time", NetworkTime, 0, "", "Command received to set Intel AMT local time."}, + {"Network Administration - TCP/IP Parameters Set", NetworkAdministration, 0, "\x00\x00\x00\x00\x01\x02\x00\xA8\xC0\x00\xFF\xFF\xFF\x01\x00\xA8\xC0\x04\x04\x04\x02\x02\x02\x02\x01", "TCP/IP parameters were set.\nDHCP Enabled: Enabled\nStatic IP: 192.168.0.2\nSubnet Mask: 255.255.255.0\nGateway: 192.168.0.1"}, + {"Network Administration - Host Name Set", NetworkAdministration, 1, "\x04test", "Host name was set to test"}, + {"Network Administration - Domain Name Set", NetworkAdministration, 2, "\x04test", "Domain name was set to test"}, + {"Network Administration - VLAN Parameters Set", NetworkAdministration, 3, "\u0000\u0000\u0000\u0000\u0000\u0000", "VLAN tag was set to disabled"}, + {"Network Administration - VLAN Parameters Set", NetworkAdministration, 3, "\u0000\u0000\u0000\u0000\u0000\u000F", "VLAN tag was set to 3840"}, + {"Network Administration - Link Policy Set", NetworkAdministration, 4, "\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "Link policy was set to 1"}, + {"Network Administration - Link Policy Set", NetworkAdministration, 4, "\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "Link policy was set to 1"}, + {"Network Administration - IPv6 Parameters Set", NetworkAdministration, 5, "\x00\x00\x00\x00\x01\x01\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34", "IPv6 parameters were set.\nIPv6: Enabled\nInterface Gen Type: Intel ID\nIPv6 Address: 2001:db8:85a3::8a2e:370:7334\nIPv6 Gateway: 2001:db8:85a3::8a2e:370:7334\nIPv6 Primary DNS: 2001:db8:85a3::8a2e:370:7334\nIPv6 Secondary DNS: 2001:db8:85a3::8a2e:370:7334"}, + {"Network Administration - IPv6 Parameters Set", NetworkAdministration, 5, "\x00\x00\x00\x00\x01\x02\x02\x1a\x2b\xff\xfe\x3c\x4d\x5e\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34", "IPv6 parameters were set.\nIPv6: Enabled\nInterface Gen Type: Manual ID\nInterface ID: 021a:2bff:fe3c:4d5e\nIPv6 Address: 2001:db8:85a3::8a2e:370:7334\nIPv6 Gateway: 2001:db8:85a3::8a2e:370:7334\nIPv6 Primary DNS: 2001:db8:85a3::8a2e:370:7334\nIPv6 Secondary DNS: 2001:db8:85a3::8a2e:370:7334"}, + {"Storage Administration - Global Storage Attributes Set", StorageAdministration, 0, "\x00\x00\x01\x00\x00\x00\x01\x00", "Global storage attributes were set.\nMax Partner Storage: 65536\nMax Non-Partner Total Allocation Size: 65536"}, + {"Storage Administration - Storage EACL Modified", StorageAdministration, 1, "", "Storage EACL entry was added or removed."}, + {"Storage Administration - Storage FPACL Modified", StorageAdministration, 2, "", "Storage FPACL entry was added, removed, or updated."}, + {"Storage Administration - Storage Write Operation", StorageAdministration, 3, "", "Application wrote a block to storage."}, + {"Event Manager - Alert Subscribed", EventManager, 0, "\x01\x01\x00\xc0\xa8\x00\x01", "An alert subscription was created successfully.\nPolicy ID: 1\nSubscription Alert Type: SNMP\nIP Address Type: IPv4\nAlert Target IP Address: 192.168.0.1"}, + {"Event Manager - Alert Unsubscribed", EventManager, 1, "\x01\x01\x00\xc0\xa8\x00\x01", "An existing alert subscription was cancelled.\nPolicy ID: 1\nSubscription Alert Type: SNMP\nIP Address Type: IPv4\nAlert Target IP Address: 192.168.0.1"}, + {"Event Manager - Alert Unsubscribed", EventManager, 1, "\x01\x01\x01\x20\x01\x0d\xb8\x85\xa3\x00\x00\x00\x00\x8a\x2e\x03\x70\x73\x34", "An existing alert subscription was cancelled.\nPolicy ID: 1\nSubscription Alert Type: SNMP\nIP Address Type: IPv6\nAlert Target IP Address: 2001:db8:85a3::8a2e:370:7334"}, + {"Event Manager - Event Log Cleared", EventManager, 2, "", "Event log was cleared of existing records."}, + {"Event Manager - Event Log Frozen", EventManager, 3, "\x01", "Event log was frozen"}, + {"Event Manager - Event Log Frozen", EventManager, 3, "\x00", "Event log was unfrozen"}, + {"System Defense Manager - SD Filter Added", SystemDefenseManager, 0, "", "Attempt made to add a system defense filter."}, + {"System Defense Manager - SD Filter Removed", SystemDefenseManager, 1, "\x01\x00\x00\x00", "System defense filter was removed successfully.\nFilter Handle: 1"}, + {"System Defense Manager - SD Policy Added", SystemDefenseManager, 2, "", "Attempt made to add a system defense policy."}, + {"System Defense Manager - SD Policy Removed", SystemDefenseManager, 3, "\x01\x00\x00\x00", "System defense policy was removed successfully.\nPolicy Handle: 1"}, + {"System Defense Manager - SD Default Policy Set", SystemDefenseManager, 4, "\x01\x00\x00\x00\x01\x00\x00\x00", "System defense policy selected.\nHardware Interface: 1\nPolicy Handle: 1"}, + {"System Defense Manager - SD Heuristics Option Set", SystemDefenseManager, 5, "\x01\x00\x00\x00\x01\xd9\x00\x01\x00\x00", "System defense heuristics settings were set successfully.\nInterface Handle: 1\nBlock All: 1\nBlock Offensive Port: 217\nPolicy Handle: 256"}, + {"System Defense Manager - SD Heuristics State Cleared", SystemDefenseManager, 6, "\x01\x00\x00\x00", "System defense heuristics settings were removed successfully.\nInterface Handle: 1"}, + {"Agent Presence Manager - Agent Watchdog Added", AgentPresenceManager, 0, "\x3b\xd4\x6c\x70\x98\x85\x45\xb6\x9f\xe2\x62\x2f\x14\x97\x38\x7e\xa0\x00\x0a\x00", "An application entry was created to be monitored.\nAgent ID: 3bd46c70-9885-45b6-9fe2-622f1497387e\nAgent Heartbeat Time: 160\nAgent Startup Time: 10"}, + {"Agent Presence Manager - Agent Watchdog Removed", AgentPresenceManager, 1, "\x3b\xd4\x6c\x70\x98\x85\x45\xb6\x9f\xe2\x62\x2f\x14\x97\x38\x7e", "An application entry was removed.\nAgent ID: 3bd46c70-9885-45b6-9fe2-622f1497387e"}, + {"Agent Presence Manager - Agent Watchdog Action Set", AgentPresenceManager, 2, "\x3b\xd4\x6c\x70\x98\x85\x45\xb6\x9f\xe2\x62\x2f\x14\x97\x38\x7e", "Actions were set, added, or removed for an application watchdog entry.\nAgent ID: 3bd46c70-9885-45b6-9fe2-622f1497387e"}, + {"Wireless Configuration - Wireless Profile Added", WirelessConfiguration, 0, "test\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x04test", "A new profile was added.\nSSID: test\nProfile Priority: 1\nProfile Name Length: 4\nProfile Name: test"}, + {"Wireless Configuration - Wireless Profile Removed", WirelessConfiguration, 1, "\x04test", "An existing profile was removed.\nProfile Name Length: 4\nProfile Name: test"}, + {"Wireless Configuration - Wireless Profile Updated", WirelessConfiguration, 2, "test\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x04test", "An existing profile was updated.\nSSID: test\nProfile Priority: 1\nProfile Name Length: 4\nProfile Name: test"}, + {"Wireless Configuration - Wireless Profile Modified", WirelessConfiguration, 3, "\u0000\u0000\u0000\u0000", "An existing profile sync was modified.\nProfile sync is disabled"}, + {"Wireless Configuration - Wireless Profile Modified", WirelessConfiguration, 3, "\u0001\u0000\u0000\u0000", "An existing profile sync was modified.\nProfile sync user"}, + {"Wireless Configuration - Wireless Profile Modified", WirelessConfiguration, 3, "\u0002\u0000\u0000\u0000", "An existing profile sync was modified.\nProfile sync admin"}, + {"Wireless Configuration - Wireless Profile Modified", WirelessConfiguration, 3, "\u0003\u0000\u0000\u0000", "An existing profile sync was modified.\nProfile sync is unrestricted"}, + {"Wireless Configuration - Wireless Link Preference Changed", WirelessConfiguration, 4, "\u0003\u0000\u0000\u0000\u0001\u0000\u0000\u0000", "An existing profile link preference was changed.\nTimeout: 3\nLink Preference: ME"}, + {"Wireless Configuration - Wireless Link Preference Changed", WirelessConfiguration, 4, "\u0003\u0000\u0000\u0000\u0002\u0000\u0000\u0000", "An existing profile link preference was changed.\nTimeout: 3\nLink Preference: Host"}, + {"Wireless Configuration - Wireless Profile Share with UEFI Enabled Setting Changed", WirelessConfiguration, 5, "\u0001", "Wireless profile share with UEFI was set to Enabled."}, + {"Wireless Configuration - Wireless Profile Share with UEFI Enabled Setting Changed", WirelessConfiguration, 5, "\u0000", "Wireless profile share with UEFI was set to Disabled."}, + {"Endpoint Access Control - EAC Posture Signer Set", EndpointAccessControl, 0, "", "A certificate handle for signing EAC postures was either set or removed."}, + {"Endpoint Access Control - EAC Enabled", EndpointAccessControl, 1, "", "EAC was set to enabled by WS-MAN interface."}, + {"Endpoint Access Control - EAC Disabled", EndpointAccessControl, 2, "", "EAC was set to disabled by WS-MAN interface."}, + {"Endpoint Access Control - EAC Posture State Updated", EndpointAccessControl, 3, "", "Controllable fields of EAC posture were reset manually by WS-MAN interface."}, + {"Endpoint Access Control - EAC Set Options", EndpointAccessControl, 4, "\x96\x1f\u0000\u0000", "EAC options were changed.\nEAC Vendors: 8086"}, + {"Keyboard Video Mouse - KVM Opt-In Enabled", KeyboardVideoMouse, 0, "", "User consent for a KVM session is now required."}, + {"Keyboard Video Mouse - KVM Opt-In Disabled", KeyboardVideoMouse, 1, "", "User consent for a KVM session is no longer required."}, + {"Keyboard Video Mouse - KVM Password Changed", KeyboardVideoMouse, 2, "", "RFB password for KVM session has changed."}, + {"Keyboard Video Mouse - KVM Consent Succeeded", KeyboardVideoMouse, 3, "", "Remote operator entered a one-time password successfully"}, + {"Keyboard Video Mouse - KVM Consent Failed", KeyboardVideoMouse, 4, "", "Remote operator failed (3 times) to enter a one-time password correctly"}, + {"User Opt-In - Policy Change", UserOptIn, 0, "\x01\x00", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: KVM\nCurrent Opt-In Policy: None"}, + {"User Opt-In - Policy Change", UserOptIn, 0, "\x00\x01", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: None\nCurrent Opt-In Policy: KVM"}, + {"User Opt-In - Policy Change", UserOptIn, 0, "\x00\xff", "A user has modified the opt-in policy settings.\nPrevious Opt-In Policy: None\nCurrent Opt-In Policy: All"}, + {"User Opt-In - Send Consent Code Event", UserOptIn, 1, "\x00", "The remote operator sent a consent code.\nRemote operator entered a one-time password successfully"}, + {"User Opt-In - Send Consent Code Event", UserOptIn, 1, "\x01", "The remote operator sent a consent code.\nRemote operator failed (3 times) to enter a one-time password correctly"}, + {"User Opt-In - Start Opt-In Blocked Event", UserOptIn, 2, "", "The remote operator attempted to send a start opt-in request, but the request was blocked (denial-of-service attack prevention)."}, + {"Watchdog - Reset-Triggering Options Changed", Watchdog, 0, "", "A user has modified the watchdog action settings."}, + {"Watchdog - Action Pairing Changed", Watchdog, 1, "\x00", "A user has modified a watchdog to add, remove, or alter the watchdog action connected to it.\nRemote operator entered a one-time password successfully"}, + {"Watchdog - Action Pairing Changed", Watchdog, 1, "\x01", "A user has modified a watchdog to add, remove, or alter the watchdog action connected to it.\nRemote operator failed (3 times) to enter a one-time password correctly"}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - result := GetAuditLogExtendedDataString(tt.auditEventId, tt.data) + result := GetAuditLogExtendedDataString(tt.appId, tt.eventId, tt.data) if result != tt.expected { - t.Errorf("GetAuditLogExtendedDataString(%d, %q) = %v; want %v", tt.auditEventId, tt.data, result, tt.expected) + t.Errorf("GetAuditLogExtendedDataString(%d, %d, %q) = %v; want %v", tt.appId, tt.eventId, tt.data, result, tt.expected) } }) } diff --git a/pkg/wsman/amt/auditlog/message_test.go b/pkg/wsman/amt/auditlog/message_test.go index be2fa2ac..fe9eaca2 100644 --- a/pkg/wsman/amt/auditlog/message_test.go +++ b/pkg/wsman/amt/auditlog/message_test.go @@ -169,27 +169,27 @@ func TestPositiveAMT_AuditLog(t *testing.T) { AuditAppID: 19, EventID: 0, InitiatorType: 0x2, - AuditApp: "Firmware Update Manager", - Event: "Firmware Updated", + AuditApp: "Firmware Update Manager Events", + Event: "Firmware Update Started", Initiator: "Local", Time: time.Unix(int64(1073007983), 0), MCLocationType: 0x2, NetAddress: "", Ex: "\x00\f\x00\x00\x00(\x05\x99\x00\f\x00\x00\x00$\x05\x94", - ExStr: "From 12.0.40.1433 to 12.0.36.1428", + ExStr: "Firmware update was started.\nOld version: 3072.0.10240.39173\nNew version: 3072.0.9216.37893", }, { AuditAppID: 19, EventID: 0, InitiatorType: 0x2, - AuditApp: "Firmware Update Manager", - Event: "Firmware Updated", + AuditApp: "Firmware Update Manager Events", + Event: "Firmware Update Started", Initiator: "Local", Time: time.Unix(int64(1073007982), 0), MCLocationType: 0x2, NetAddress: "", Ex: "\x00\f\x00\x00\x00(\x05\x99\x00\f\x00\x00\x00$\x05\x94", - ExStr: "From 12.0.40.1433 to 12.0.36.1428", + ExStr: "Firmware update was started.\nOld version: 3072.0.10240.39173\nNew version: 3072.0.9216.37893", }, }, }, diff --git a/pkg/wsman/amt/auditlog/types.go b/pkg/wsman/amt/auditlog/types.go index 859e94d6..e577d6d2 100644 --- a/pkg/wsman/amt/auditlog/types.go +++ b/pkg/wsman/amt/auditlog/types.go @@ -102,4 +102,117 @@ type ( // RequestedState is an integer enumeration that indicates the last requested or desired state for the element, irrespective of the mechanism through which it was requested. RequestedState int + + ProvisioningParameters struct { + ProvisioningMethod uint8 + HashType uint8 + TrustedRootCertHash []byte + NumberOfCertificates uint8 + CertSerialNumbers []string + AdditionalCaSerialNumbers uint8 + ProvServFQDNLength uint8 + ProvServFQDN string + } + + ACLEntry struct { + ParameterModified uint8 + AccessType uint8 + EntryState uint8 + InitiatorType uint8 + UsernameLength uint8 + SID uint32 + Username string + DomainLength uint8 + Domain string + } + + RemoteControlEvent struct { + SpecialCommand uint8 + SpecialCommandParameterHighByte uint8 + SpecialCommandParameterLowByte uint8 + BootOptionsMaskByte1 uint8 + BootOptionsMaskByte2 uint8 + OEMParameterByte1 uint8 + OEMParameterByte2 uint8 + } + + FWVersion struct { + Major uint16 + Minor uint16 + Hotfix uint16 + Build uint16 + } + + FWUpdateFailure struct { + Type uint8 + Reason uint8 + } + + NetworkAdministrationEvent struct { + InterfaceHandle uint32 + DHCPEnabled uint8 + IPV4Address uint32 + SubnetMask uint32 + Gateway uint32 + PrimaryDNS uint32 + SecondaryDNS uint32 + HostNameLength uint8 + HostName string + DomainNameLength uint8 + DomainName string + VLANTag uint16 + LinkPolicy uint32 + IPV6Enabled uint8 + InterfaceIDGenType uint8 + InterfaceID []uint8 + IPV6Address []uint8 + IPV6Gateway []uint8 + IPV6PrimaryDNS []uint8 + IPV6SecondaryDNS []uint8 + } + + StorageAdministrationEvent struct { + MaxPartnerStorage uint32 + MaxNonPartnerTotalAllocationSize uint32 + } + + EventManagerEvent struct { + PolicyID uint8 + SubscriptionAlertType uint8 + IPAddrType uint8 + AlertTargetIPAddress []uint8 + Freeze uint8 + } + + SystemDefenseManagerEvent struct { + FilterHandle uint32 + PolicyHandle uint32 + HardwareInterface uint32 + InterfaceHandle uint32 + BlockAll uint8 + BlockOffensivePort uint8 + } + + AgentPresenceManagerEvent struct { + AgentID []uint8 + AgentHeartBeatTime uint16 + AgentStartupTime uint16 + } + + WirelessConfigurationEvent struct { + SSID []uint8 + ProfilePriority uint8 + ProfileNameLength uint8 + ProfileName []uint8 + ProfileSync uint32 + Timeout uint32 + LinkPreference uint32 + ProfileSharingWithUEFI uint8 + } + + UserOptInEvent struct { + PreviousOptInPolicy uint8 + CurrentOptInPolicy uint8 + OperationStatus uint8 + } )