eventlog updates #337
Draft
wants to merge 2 commits into
base: main
167 changes: 164 additions & 3 deletions pkg/wsman/amt/messagelog/decoder.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
"encoding/base64"
"encoding/binary"
"fmt"
"strconv"
"time"
)

Expand Down Expand Up @@ -482,21 +483,84 @@

func decodeEventDetailString(eventSensorType, eventOffset uint8, eventDataField []uint8) string {
switch eventSensorType {
case 5:
if eventOffset == 0 {
return "Case intrusion"
}
case 6:
value := int(eventDataField[1]) + (int(eventDataField[2]) << 8)

return fmt.Sprintf("Authentication failed %d times. The system may be under attack.", value)
case 15:
{
if eventDataField[0] == 235 {
return "Invalid Data"
return InvalidData
}

if eventOffset == 0 {
return SystemFirmwareError[int(eventDataField[1])]
}

if eventOffset == 3 {
if eventDataField[0] == 170 && eventDataField[1] == 48 {
return fmt.Sprintf("One Click Recovery: %s", OCRErrorEvents[int(eventDataField[2])])
} else if eventDataField[0] == 170 && eventDataField[1] == 64 {
return PlatformEraseErrorEvents[int(eventDataField[2])]
}

return OEMSpecificFirmwareErrorEvent
}

if eventOffset == 5 {
if eventDataField[0] == 170 && eventDataField[1] == 48 {
if eventDataField[2] == 1 {
return fmt.Sprintf("One Click Recovery: CSME Boot Option %d:%s added successfully", eventDataField[3], OCRSource[int(eventDataField[3])])
}
if eventDataField[2] < 7 {

Check failure on line 519 in pkg/wsman/amt/messagelog/decoder.go


GitHub Actions / runner / golangci-lint

[golangci] reported by reviewdog 🐶 if statements should only be cuddled with assignments (wsl) Raw Output: pkg/wsman/amt/messagelog/decoder.go:519:6: if statements should only be cuddled with assignments (wsl) if eventDataField[2] < 7 { ^
return fmt.Sprintf("One Click Recovery: %s", OCRProgressEvents[int(eventDataField[2])])
}

return fmt.Sprintf("One Click Recovery: Unknown progress event %d", eventDataField[2])
}
if eventDataField[0] == 170 && eventDataField[1] == 64 {
if eventDataField[2] == 1 {
if eventDataField[3] == 2 {
return "Started erasing Device SSD"
}
if eventDataField[3] == 3 {
return "Started erasing Device TPM"
}
if eventDataField[3] == 5 {
return "Started erasing Device BIOS Reload of Golden Config"
}
}
if eventDataField[2] == 2 {
if eventDataField[3] == 2 {
return "Erasing Device SSD ended successfully"
}
if eventDataField[3] == 3 {

Check failure on line 541 in pkg/wsman/amt/messagelog/decoder.go


GitHub Actions / runner / golangci-lint

[golangci] reported by reviewdog 🐶 if statements should only be cuddled with assignments (wsl) Raw Output: pkg/wsman/amt/messagelog/decoder.go:541:7: if statements should only be cuddled with assignments (wsl) if eventDataField[3] == 3 { ^
return "Erasing Device TPM ended successfully"
}
if eventDataField[3] == 5 {
return "Erasing Device BIOS Reload of Golden Config ended successfully"
}
}
if eventDataField[2] == 3 {
return "Beginning Platform Erase"
}
if eventDataField[2] == 4 {
return "Clear Reserved Parameters"
}
if eventDataField[2] == 5 {
return "All setting decremented"
}
}

return OEMSpecificFirmwareErrorEvent
}

return SystemFirmwareProgress[int(eventDataField[1])]

}
case 18:
// System watchdog event
Expand All @@ -513,12 +577,109 @@
case 32:
return "Operating system lockup or power interrupt"
case 35:
if eventDataField[0] == 64 {
return "BIOS POST (Power On Self-Test) Watchdog Timeout." // 64,2,252,84,89,0,0,0
}

return "System boot failure"
case 36:
var handle uint32
handle = (uint32(eventDataField[1]) << 24) + (uint32(eventDataField[2]) << 16) + (uint32(eventDataField[3]) << 8) + uint32(eventDataField[4])

var nic = "#" + strconv.Itoa(int(eventDataField[0]))

Check failure on line 589 in pkg/wsman/amt/messagelog/decoder.go


GitHub Actions / runner / golangci-lint

[golangci] reported by reviewdog 🐶 File is not `gofumpt`-ed with `-extra` (gofumpt) Raw Output: pkg/wsman/amt/messagelog/decoder.go:589: File is not `gofumpt`-ed with `-extra` (gofumpt) var nic = "#" + strconv.Itoa(int(eventDataField[0]))

if eventDataField[0] == 0xAA {
nic = "wired"
}
// TODO: Add wireless *****
//if (eventDataField[0] == 0xAA) nic = "wireless";

Check failure on line 595 in pkg/wsman/amt/messagelog/decoder.go


GitHub Actions / runner / golangci-lint

[golangci] reported by reviewdog 🐶 File is not `gofumpt`-ed with `-extra` (gofumpt) Raw Output: pkg/wsman/amt/messagelog/decoder.go:595: File is not `gofumpt`-ed with `-extra` (gofumpt) //if (eventDataField[0] == 0xAA) nic = "wireless";

if handle == 4294967293 {
return fmt.Sprintf("All received packet filter was matched on %s interface.", nic)
}

if handle == 4294967292 {
return fmt.Sprintf("All outbound packet filter was matched on %s interface.", nic)
}

if handle == 4294967290 {
return fmt.Sprintf("Spoofed packet filter was matched on %s interface.", nic)
}

return fmt.Sprintf("Filter %d was matched on %s interface.", handle, nic)
case 37:
return "System firmware started (at least one CPU is properly executing)."
default:
return fmt.Sprintf("Unknown Sensor Type #%d", eventSensorType)
case 192:
if eventOffset == 0 && eventDataField[0] == 170 && eventDataField[1] == 48 {
return SOLIDERStatus[int(eventDataField[2])]
}
if eventDataField[2] == 0 || eventDataField[2] == 2 {
return SecurityPolicyEvent[int(eventDataField[2])]
} else {
return "Security policy invoked."
}
case 193:
if (eventDataField[0] == 0xAA) && (eventDataField[1] == 0x30) && (eventDataField[2] == 0x00) && (eventDataField[3] == 0x00) {
return "User request for remote connection."
}
if (eventDataField[0] == 0xAA) && (eventDataField[1] == 0x20) && (eventDataField[2] == 0x03) && (eventDataField[3] == 0x01) {

Check failure on line 625 in pkg/wsman/amt/messagelog/decoder.go


GitHub Actions / runner / golangci-lint

[golangci] reported by reviewdog 🐶 if statements should only be cuddled with assignments (wsl) Raw Output: pkg/wsman/amt/messagelog/decoder.go:625:3: if statements should only be cuddled with assignments (wsl) if (eventDataField[0] == 0xAA) && (eventDataField[1] == 0x20) && (eventDataField[2] == 0x03) && (eventDataField[3] == 0x01) { ^
return "EAC error: attempt to get posture while NAC in Intel® AMT is disabled."
} // eventDataField = 0xAA20030100000000
if (eventDataField[0] == 0xAA) && (eventDataField[1] == 0x20) && (eventDataField[2] == 0x04) && (eventDataField[3] == 0x00) {
return "HWA Error: general error"
} // Used to be "Certificate revoked." but don"t know the source of this.
}
return fmt.Sprintf("Unknown Sensor Type #%d", eventSensorType)

Check failure on line 632 in pkg/wsman/amt/messagelog/decoder.go


GitHub Actions / runner / golangci-lint

[golangci] reported by reviewdog 🐶 return with no blank line before (nlreturn) Raw Output: pkg/wsman/amt/messagelog/decoder.go:632:2: return with no blank line before (nlreturn) return fmt.Sprintf("Unknown Sensor Type #%d", eventSensorType) ^
}

const InvalidData = "Invalid Data"

Check failure on line 635 in pkg/wsman/amt/messagelog/decoder.go


GitHub Actions / runner / golangci-lint

[golangci] reported by reviewdog 🐶 File is not `gofumpt`-ed with `-extra` (gofumpt) Raw Output: pkg/wsman/amt/messagelog/decoder.go:635: File is not `gofumpt`-ed with `-extra` (gofumpt) const InvalidData = "Invalid Data" const OEMSpecificFirmwareErrorEvent = "OEM Specific Firmware Error event"
const OEMSpecificFirmwareErrorEvent = "OEM Specific Firmware Error event"

var SecurityPolicyEvent = map[int]string{
0: "Security policy invoked. Some or all network traffic (TX) was stopped.",
2: "Security policy invoked. Some or all network traffic (RX) was stopped.",
}

var SOLIDERStatus = map[int]string{
0: "A remote Serial Over LAN session was established.",
1: "Remote Serial Over LAN session finished. User control was restored.",
2: "A remote IDE-Redirection session was established.",
3: "Remote IDE-Redirection session finished. User control was restored.",
}

var PlatformEraseErrorEvents = map[int]string{
1: "Got an error erasing Device SSD",
2: "Erasing Device TPM is not supported",
3: "Reached Max Counter",
}

var OCRProgressEvents = map[int]string{
0: "Boot parameters received from CSME",
1: "CSME Boot Option % added successfully",
2: "HTTPS URI name resolved",
3: "HTTPS connected successfully",
4: "HTTPSBoot download is completed",
5: "Attempt to boot",
6: "Exit boot services",
}

var OCRSource = map[int]string{
1: "",
2: "HTTPS",
4: "Local PBA",
8: "WinRE",
}

var OCRErrorEvents = map[int]string{
0: "",
1: "No network connection available",
2: "Name resolution of URI failed",
3: "Connect to URI failed",
4: "OEM app not found at local URI",
5: "HTTPS TLS Auth failed",
6: "HTTPS Digest Auth failed",
7: "Verified boot failed (bad image)",
8: "HTTPS Boot File not found",
}

var EventSeverity = map[int]string{
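Review bot: decodeEventDetailString reads eventDataField at fixed offsets up to `eventDataField[4]` (the `handle` assembly in case 36) without ever checking `len(eventDataField)`, so a short or truncated record coming back from the device panics with an index-out-of-range instead of producing a description; a guard belongs at the top of the function before the `switch`, e.g. `if len(eventDataField) < 5 { return InvalidData }` (the inline comments `// 64,2,252,84,89,0,0,0` and `0xAA20030100000000` suggest records are normally 8 bytes, so 8 may be the right bound — confirm against the event-log format). The function spans both hunks and its middle (cases 18 through 32) is outside the shown lines, so the same check covers reads there too. The bare map lookups such as `SystemFirmwareError[int(eventDataField[1])]`, `SOLIDERStatus[int(eventDataField[2])]` and `SecurityPolicyEvent[int(eventDataField[2])]` return "" for a code that is not in the table, so an unrecognized event renders as an empty detail string rather than an explicit unknown; the comma-ok form with a fallback along the lines of `fmt.Sprintf("Unknown event data %d", eventDataField[2])` would keep the log entry readable. With "encoding/binary" already imported, the four-shift `handle` expression in case 36 reduces to `handle := binary.BigEndian.Uint32(eventDataField[1:5])`.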