Users can read sensitive information

[dobin]

Problem

Normal (low privileged) users can read:

• Config/fibratus.yml
• Logs/fibratus.txt

A local attacker is able to gain access to potentially sensitive information (confidentiality).

Solution

Remove read permissions for users (non-admins) for the mentioned files.

Additional context

While not necessarily a security vulnerability, it is best practice to not give the attacker access to EDR logs
. E.g. Defender will only show alert summaries in its UI, but need admin to look at the details. Defender Log files are not readable (C:\ProgramData\Microsoft\Windows Defender\Support).

Note that Defender Windows Events are also user-readable for some reason (Application and Service Logs/Microsoft/Windows/Windows Defender/operational). So placing fibratus events in Windows Logs/Application is okish.

[rabbitstack]

Good spot! One possible mitigation could consist of adding the log/config file security descriptor DACL to prevent read access from non-system/admin users. Makes sense?

[dobin]

Hm. If you mean to remove read permissions of the file for Users group on install, then yes. ChatGPT says one should also disable inheritance on the file. But i am not an expert in this.