ADVISOR DETAILS

RECENT BLOG POSTS

Get username from AMT audit logs using JAVA

If you are using Intel® WS-Management Java Client Library in order to play with vPro Machines Logs, one thing that its missing from the examples its a way to get the username that try to perform a KVM session for example. So, the following piece of code can help you.

When colleting log, If Initiator Type == 1, so, we have the user from AD SID, using this SID we can retrieve all user info from AD.

in the KerberosSIDInitiatorType you have this information:

typedef _KerberosSIDInitiatorType
{
uint32 UserInDomain;
uint8 Domain_length;
uint8 Domain[];
} KerberosSIDInitiatorType;

The SID is the composition from Domain + UserInDomain

In Java, we need some Libraries to get the user from AD. You can see the part of our code here:

byte bytesUser[] = HandleBytesUtil.getDataArrayByEventRecordBytes(5, 4, EventRecordBytes);
int domainLength = EventRecordBytes[9];
byte kerberosDomainBytes[] = HandleBytesUtil.getDataArrayByEventRecordBytes(10,domainLength, EventRecordBytes);
timestampOffset = domainLength + 10;
usuarioEvent = HandleBytesUtil.getUserKerberos(bytesUser, kerberosDomainBytes);

Here is the class that manipulates SID related data:

import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Calendar;

import br.com.infoserver.collector.LogCreator;

import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.Advapi32Util.Account;
import com.sun.jna.platform.win32.WinNT.PSID;

public class HandleBytesUtil {

/**
* @param idx index
* @param length length of bytes the data
* @param eventRecordBytes byteArray with all informations
* @return the bytes that represent the data
*/
public static byte[] getDataArrayByEventRecordBytes(int idx,int length,byte eventRecordBytes[]){
byte byteArray[] = new byte[length];
for(int i = 0;i < byteArray.length; i++) {
byteArray[i] = eventRecordBytes[idx++];
}
return byteArray;
}

/**
* Combine both arrays of bytes to get SID of User
* @param bytesUser
* @param kerberosDomainBytes
* @return domain\\user
*/
public static String getUserKerberos(byte[] bytesUser, byte[] kerberosDomainBytes) {

//combine the bytes of the user with bytes of the domainKerberos to convert to SID
//using con.sun.jna.*
byte domainUserBytes[] = new byte[kerberosDomainBytes.length + bytesUser.length];
domainUserBytes = Arrays.copyOf(kerberosDomainBytes, domainUserBytes.length);

int i = kerberosDomainBytes.length;
for(byte b : bytesUser){
domainUserBytes[i]= b;
i++;
}

try{
PSID sid = new WinNT.PSID(domainUserBytes);
Account ac = Advapi32Util.getAccountBySid(sid);
return ac.fqn;
}catch (Exception e) {
LogCreator.doWriteTxt(“Erro obtendo SID do usuario”);
}
return “NA”;
}

/**
* convert the timestamp bytes to calendar in UTC
* @param byteArray of 4 positions 32 bits
* @return Calendar
*/
public static Calendar getTimestampToCalendar(byte[] byteArrayTime){
// convert the timestamp bytes to timeInUTC
ByteBuffer timeBuffer = ByteBuffer.wrap(byteArrayTime);
timeBuffer = ByteBuffer.allocate(byteArrayTime.length);
Calendar calendar = Calendar.getInstance();

for(int i = 0; i < byteArrayTime.length ;i++){
timeBuffer.put(i,byteArrayTime[i]);
}
long timeInUTC = timeBuffer.getInt();
// convert timeInUTC to Java dateTime format. Note that
// Audit log return time in UTC time. You may want to
// convert to local time
// multiply by 1000 … the time returned is second
calendar.setTimeInMillis((timeInUTC) * 1000);

return calendar;
}

}

Feel free to contact me if you need.

Read more >