Get username from AMT audit logs


Juliano M.

Hello,

I'm getting the event logs from a vPro processor in a Java application, as an array of bytes, with this:

EventRecordBytes = WsmanUtils.getBase64Bytes(eventRecords[index].toString());

I can get a lot of the data, such as the audit event ID, etc. For example:

// combine the AuditAppID and EventID bytes to get auditEventEnum
auditEventEnum = EventRecordBytes[1] * 1000;
auditEventEnum += EventRecordBytes[3];

Do you know an easy way to get the user that tries to perform a KVM session?

Thanks

Juliano Marcos Martins
Gael Hofemeier (Intel)

What AMT version are you working with? You should be able to get the user name for any event that is recorded via the audit log:

One of the following structures appears in each audit log record.

HTTPDigestInitiatorType

HTTP Digest user details

typedef _HTTPDigestInitiatorType
{
    uint8 Username_length;
    uint8 Username[];
} HTTPDigestInitiatorType;

Follow me on Twitter: @GHIntelBlogs Facebook: https://www.facebook.com/gh.intelblogs
Juliano M.

Hello Gael.

I'm working with all versions... it's a large fleet of machines. Since 4....

Almost all are 7.

Do you have some code explaining the conversion that I must perform?

Thanks in advance

Juliano Marcos Martins
Gael Hofemeier (Intel)

You might want to take a look at the Open Developer's Toolkit.  Ylian has added a wsman javascript stack.  You can download the source code and see if you can get an idea of how to use it.

Juliano M.

Perfect, I'll check it and post here as soon as I find the answer.

Thank you very much

Juliano Marcos Martins
Juliano M.

Hi Gael.

What I have from the Open Dev Toolkit does not help a lot, because it has not implemented what I want to do, that is, get the username or SID from events. Mainly, I want to get the user that performs (or tries to perform) a KVM session.

So far, what I get is:

When we get an event of type KerberosSIDInitiatorType when reading the audit log, we get this event, for example:

ABIACAHYHwAAGAEFAAAAAAAFFQAAANhiakHgFYYr/SiaT1HVkGIADTEwLjUwLjEyNS4xMDAA

Converting it to a byte array we get:
[0, 18, 0, 8, 1, -40, 31, 0, 0, 24, 1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, -40, 98, 106, 65, -32, 21, -122, -43, -3, 40, 102, 78, 81, -43, -112, 98, 0, 13, 49, 48, 46, 53, 48, 46, 49, 50, 53, 46, 49, 48, 48, 0]

In the attached image you can see in detail what each piece of information is.

The question is how to convert item 4 (InitiatorData), which has the user SID, domain size and domain?

The other information can be extracted normally. We are using Java.

For more information:

typedef _KerberosSIDInitiatorType

{
uint32 UserInDomain;
uint8 Domain_length;
uint8 Domain[];
} KerberosSIDInitiatorType;

Field Description
UserInDomain - SID number of the user
Domain_length - Length of domain ( up to 255)
Domain - Kerberos domain ( up to 255 bytes long)

Source: http://software.intel.com/sites/manageability/AMT_Implementation_and_Ref...

Attachment: amt.png (20.86 KB)
Juliano Marcos Martins
Juliano M.

We solved the problem here. Here is the solution; feel free to contact me if you have questions:

If Initiator Type == 1, then we have the user's AD SID; using this SID we can retrieve all the user info from AD.

We are using the Intel® WS-Management Java Client Library here as the base for development.

Take a look at the picture in the post above. We will have to use this information:

typedef _KerberosSIDInitiatorType
{
uint32 UserInDomain;
uint8 Domain_length;
uint8 Domain[];
} KerberosSIDInitiatorType;

The SID is the composition from Domain[] + UserInDomain

In Java, we need some libraries to get the user from AD. You can see part of our code here:

// InitiatorData starts at offset 5: UserInDomain (4 bytes), Domain_length (1 byte), Domain[]
byte[] bytesUser = HandleBytesUtil.getDataArrayByEventRecordBytes(5, 4, EventRecordBytes);
// Domain_length is a uint8 (up to 255): mask it so values above 127 are not read as negative
int domainLength = EventRecordBytes[9] & 0xFF;
byte[] kerberosDomainBytes = HandleBytesUtil.getDataArrayByEventRecordBytes(10, domainLength, EventRecordBytes);
// the 4-byte timestamp follows the variable-length domain
timestampOffset = domainLength + 10;
usuarioEvent = HandleBytesUtil.getUserKerberos(bytesUser, kerberosDomainBytes);

Here is the class that manipulates SID related data:

import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Calendar;
import java.util.TimeZone;

import br.com.infoserver.collector.LogCreator;

import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Advapi32Util.Account;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.WinNT.PSID;

public class HandleBytesUtil {

    /**
     * @param idx              index of the first byte of the field
     * @param length           number of bytes in the field
     * @param eventRecordBytes byte array with the whole audit record
     * @return the bytes that represent the field
     */
    public static byte[] getDataArrayByEventRecordBytes(int idx, int length, byte[] eventRecordBytes) {
        // Refuse to read past the end of the record instead of silently zero-padding
        if (idx < 0 || length < 0 || idx + length > eventRecordBytes.length) {
            throw new IllegalArgumentException("field [" + idx + ", " + (idx + length)
                    + ") exceeds record length " + eventRecordBytes.length);
        }
        return Arrays.copyOfRange(eventRecordBytes, idx, idx + length);
    }

    /**
     * Combine both byte arrays to get the SID of the user
     * @param bytesUser           UserInDomain (4 bytes, the RID)
     * @param kerberosDomainBytes Domain[] (the domain SID in binary form)
     * @return domain\\user, or "NA" if the SID could not be resolved
     */
    public static String getUserKerberos(byte[] bytesUser, byte[] kerberosDomainBytes) {
        // The full user SID is Domain[] followed by UserInDomain: the stored domain SID's
        // sub-authority count already includes the RID slot, so plain concatenation is enough
        byte[] domainUserBytes = Arrays.copyOf(kerberosDomainBytes, kerberosDomainBytes.length + bytesUser.length);
        System.arraycopy(bytesUser, 0, domainUserBytes, kerberosDomainBytes.length, bytesUser.length);

        try {
            // Resolve the SID with LookupAccountSid via JNA; needs a domain-joined Windows host
            PSID sid = new WinNT.PSID(domainUserBytes);
            Account ac = Advapi32Util.getAccountBySid(sid);
            return ac.fqn;
        } catch (Exception e) {
            LogCreator.doWriteTxt("Error obtaining the user's SID");
        }
        return "NA";
    }

    /**
     * Convert the timestamp bytes to a Calendar in UTC
     * @param byteArrayTime 4 bytes, a 32-bit big-endian count of seconds since the epoch
     * @return Calendar in UTC
     */
    public static Calendar getTimestampToCalendar(byte[] byteArrayTime) {
        // ByteBuffer defaults to big-endian, which is the byte order of the audit log timestamp;
        // mask to a long so the value is treated as unsigned
        long timeInUTC = ByteBuffer.wrap(byteArrayTime).getInt() & 0xFFFFFFFFL;
        // The audit log returns the time in UTC seconds. Keep the Calendar in UTC and
        // convert to local time only when displaying it
        Calendar calendar = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        calendar.setTimeInMillis(timeInUTC * 1000L);
        return calendar;
    }

}

Hope that this will be useful for someone.

Juliano Marcos Martins
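To make the record layout from the two posts above concrete, here is an added example; it is not code from this thread, from the Intel WS-Management client library or from the Open Developer's Toolkit. It parses one raw audit record the way the posted Java does (AuditAppID, EventID, InitiatorType, the variable-length InitiatorData, then the big-endian timestamp and the network address) and renders the Kerberos initiator as an "S-1-5-..." string, which is exactly the value the posted getUserKerberos hands to LookupAccountSid. The sample inputs are the Base64 record quoted earlier in the thread and a hand-built HTTP Digest record constructed for this example. Only InitiatorType 1 = Kerberos SID is confirmed above; the codes 0 = HTTP Digest (matching the struct Gael quoted) and 2 = local with no initiator data are assumptions here. It is in Python rather than Java so it runs offline without JNA or a domain-joined host.

```python
import base64
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample inputs. The first is the Base64 record quoted in the
# thread (InitiatorType 1, KerberosSIDInitiatorType); the second is a
# hand-built record with an HTTP Digest initiator, made up for this example.
SAMPLE_KERBEROS_RECORD_B64 = (
    "ABIACAHYHwAAGAEFAAAAAAAFFQAAANhiakHgFYYr/SiaT1HVkGIADTEwLjUwLjEyNS4xMDAA"
)
SAMPLE_DIGEST_RECORD = (
    bytes([0x00, 0x10, 0x00, 0x01, 0x00, 0x05]) + b"admin"         # AppID, EventID, type 0, name
    + bytes([0x51, 0xD5, 0x90, 0x62, 0x00, 0x09]) + b"127.0.0.1"  # timestamp, location, address
    + b"\x00"                                                      # ExtendedDataLength = 0
)

# Initiator type codes: 1 = Kerberos SID is confirmed in the thread;
# 0 = HTTP Digest and 2 = local (no initiator data) are assumptions here.
INITIATOR_HTTP_DIGEST = 0
INITIATOR_KERBEROS_SID = 1
INITIATOR_LOCAL = 2


@dataclass
class AuditRecord:
    audit_app_id: int
    event_id: int
    initiator_type: int
    username: Optional[str]          # HTTP Digest user name, if type 0
    user_sid: Optional[str]          # "S-1-5-21-...-RID" if type 1
    domain_sid_raw: Optional[bytes]  # Domain[] exactly as stored, if type 1
    timestamp: datetime              # UTC
    net_address: str
    extended_data: bytes

    @property
    def audit_event_enum(self) -> int:
        # The same AuditAppID*1000 + EventID combination used in the first post.
        return self.audit_app_id * 1000 + self.event_id

    @property
    def domain_sid(self) -> Optional[str]:
        # The user SID minus its last sub-authority (the RID) is the domain SID.
        return self.user_sid.rsplit("-", 1)[0] if self.user_sid else None


def sid_bytes_to_string(raw: bytes) -> str:
    """Render a binary Windows SID as S-<rev>-<authority>-<sub>-..., checking that
    the declared SubAuthorityCount matches the number of bytes supplied."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"SID has {len(raw)} bytes but SubAuthorityCount={count}")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)    # sub-authorities, little-endian
    return "S-" + "-".join(str(v) for v in (revision, authority, *subs))


def parse_audit_record(record: bytes) -> AuditRecord:
    """Parse one AMT audit log record (the decoded EventRecordBytes)."""
    audit_app_id, event_id, initiator_type = struct.unpack_from(">HHB", record, 0)
    off = 5
    username = user_sid = domain_raw = None

    if initiator_type == INITIATOR_KERBEROS_SID:
        # KerberosSIDInitiatorType: uint32 UserInDomain (the RID, little-endian),
        # uint8 Domain_length, uint8 Domain[] (the domain SID in binary form).
        user_in_domain = record[off:off + 4]
        domain_len = record[off + 4]                 # unsigned, may be above 127
        domain_raw = record[off + 5:off + 5 + domain_len]
        if len(domain_raw) != domain_len:
            raise ValueError("record truncated inside Kerberos domain")
        off += 5 + domain_len
        # The stored domain SID's SubAuthorityCount already counts the RID slot,
        # so Domain[] + UserInDomain is the complete user SID, as the thread found.
        user_sid = sid_bytes_to_string(domain_raw + user_in_domain)
    elif initiator_type == INITIATOR_HTTP_DIGEST:
        # HTTPDigestInitiatorType: uint8 Username_length, uint8 Username[]
        name_len = record[off]
        username = record[off + 1:off + 1 + name_len].decode("ascii", "replace")
        off += 1 + name_len
    elif initiator_type != INITIATOR_LOCAL:
        raise ValueError(f"unsupported InitiatorType {initiator_type}")

    # TimeStamp is big-endian seconds since the epoch (read unsigned), then
    # MCLocationType and NetAddressLength, then the address bytes.
    ts, _loc_type, addr_len = struct.unpack_from(">IBB", record, off)
    off += 6
    net_address = record[off:off + addr_len].decode("ascii", "replace")
    off += addr_len
    ext_len = record[off] if off < len(record) else 0
    extended = record[off + 1:off + 1 + ext_len]

    return AuditRecord(audit_app_id, event_id, initiator_type, username, user_sid,
                       domain_raw, datetime.fromtimestamp(ts, timezone.utc),
                       net_address, extended)


def parse_audit_record_b64(record_b64: str) -> AuditRecord:
    """Convenience wrapper for the Base64 form the WS-Man client returns."""
    return parse_audit_record(base64.b64decode(record_b64))


if __name__ == "__main__":
    rec = parse_audit_record_b64(SAMPLE_KERBEROS_RECORD_B64)
    print(rec.audit_event_enum, rec.user_sid, rec.net_address, rec.timestamp.isoformat())
    # → 18008 S-1-5-21-1097491160-730207712-1335503101-8152 10.50.125.100 2013-07-04T15:10:26+00:00
```

Two details worth keeping in mind when porting this to the Java above: Domain[] is 24 bytes but its count byte says 5 sub-authorities, so validate the domain SID by its length (or only after appending the RID), never by its count byte alone; and both Domain_length and the timestamp are unsigned in the record, so mask them when reading them into signed Java types.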
Gael Hofemeier (Intel)

Thank you so much for providing your solution.  This would make a great blog.  Would you consider blogging this on IDZ?  I could blog it, but I'd rather you got the credit for it.

--Gael

Juliano M.

Hello Gael.

I'm writing a post and will send as soon as I finish. :-)

Thanks

Juliano Marcos Martins
Gael Hofemeier (Intel)

Wonderful!

Gael Hofemeier (Intel)

Thanks Juliano! Your blog has been published and will be tweeted via @intelswblog as well as my twitter account.
