Configuration Assessment Automation - Proactive approach towards security | Lucideus Research

The first step towards any security breach or attack is the improper system configuration of the assets present in a network (servers, endpoints, routers, firewalls, databases, printers and so on). Such misconfigurations act as an open door for vulnerabilities that may trigger further weaknesses in other assets on the network and can very soon affect the entire network. For instance, a weak password policy or non-standard authentication timeout/retry settings can leave an asset open to brute force. It is therefore crucial to constantly monitor the configuration of every asset that is in any way connected to a network. Why automate the monitoring? Depending on the type of asset, the number of configuration controls that should be kept under surveillance usually ranges from 50 to 300, and monitoring every single configuration of every asset in an organisation manually is next to impossible!


Approaches for automation - Role of agents in cybersecurity
An agent in the cyber security domain can be described as a computer program that performs certain tasks for a user or for another program. On the monitoring front, such tasks are typically either vulnerability assessment or configuration assessment. Automating configuration assessment through monitoring and surveillance agents can prevent attacks well before they happen.

Although an agent is nothing but a computer program, it differs from an ordinary program in that it does not require user interaction. Agents have a certain degree of autonomy to perform tasks on behalf of their master (a user or another program). Based on how the agent reaches the asset, the approaches can be categorised as:

  • Agent-based - When an agent resides physically on an asset and interacts with the system, the approach is referred to as agent-based.
  • Agent-less - The approach where the agent accesses the asset remotely.
In general, the choice of approach depends on the nature of the asset and the access that is granted.

Pre-requisites

The agentless approach for automating the configuration assessment of a Linux server via SSH is summarised below:

Language used: Python

Packages required: several Python modules provide SSH connectivity; the most commonly used are:
  • paramiko - apt-get install python-paramiko
  • pexpect - sudo apt-get install python-pexpect
  • openpyxl - a Python library to read/write Excel 2010 xlsx/xlsm/xltx/xltm files. To install: pip install openpyxl

Credentials – the credentials (host, username, password, port) required to access the asset remotely via SSH.

Configuration Assessment

Agentless approach:

The very first step of a configuration assessment is to establish a connection with the remote asset. In this approach an SSH connection is established with the remote asset; SSH is used so that the communication is end-to-end encrypted.

Using Paramiko:

Paramiko is a Python module that helps us connect to the remote asset through SSH. Let's have a look at how to use this module:
The credentials given above can be either hard-coded or accessed dynamically. To execute commands remotely, we may define a method as follows:
The method exec_command executes a command on the remote asset. The additional argument "timeout" is optional. Every time the method is called a new channel is opened and the command is executed on it. The input and output streams are then returned as Python file-like objects: stdin, stdout and stderr.
Using pexpect: pexpect is another Python module that can be used as an alternative way to establish the SSH connection. It spawns child applications and responds to expected patterns in their output, controlling the application as if a human were interacting with it.

Note: The method expect() waits for a certain pattern in the output, so one must already know what to expect on the console. For example, with p.expect('Password:') the console may prompt for "password:" instead of "Password:". If the credentials are not of root privilege, we first have to expect "$" (p.expect('$')) before expecting "#" on the console. The variable "prompt" is fetched because the module returns the output exactly as shown on the console, which also includes the hostname. The output also contains colour codes, which have to be removed; the variable "extra" does a regex search for these extra Unicode sequences using the "re" module.

To execute commands using pexpect, one can define the following method:
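As an added illustration of the pexpect approach and of the caveats in the note above (this is example code written for this page, not the original post's method), the block below logs in with pexpect, accepts either "$" or "#" as the shell prompt, refuses an unknown host key rather than answering "yes" blindly, then replaces the hostname-bearing prompt with a fixed token so that output parsing never depends on the hostname. The prompt token CFGASSESS>, the helper names and the constructed console capture in the main block are assumptions; pexpect is imported lazily so the output-cleaning helpers run even where it is not installed.

```python
import re

# ANSI CSI sequences such as "\x1b[01;32m" (colour) and "\x1b[K" (erase line),
# which a remote shell echoes through the pty and pexpect hands back verbatim.
ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")
# Some systems print "Password:", others "password:".
PASSWORD_PROMPT = r"[Pp]assword:"
# OpenSSH's unknown-host-key question; we refuse instead of typing "yes".
HOSTKEY_PROMPT = r"\(yes/no(/\[fingerprint\])?\)\?"
# Fixed prompt installed after login (assumed token) so parsing ignores the hostname.
UNIQUE_PROMPT = "CFGASSESS> "


def strip_control_codes(raw: str) -> str:
    """Remove ANSI escape sequences and normalise CRLF line endings."""
    return ANSI_ESCAPE.sub("", raw).replace("\r\n", "\n").replace("\r", "")


def parse_command_output(before: str, command: str) -> str:
    """Return only the command's output from pexpect's child.before.

    `before` holds everything printed between sending the command and the next
    prompt: the echoed command line first, then the real output.
    """
    lines = strip_control_codes(before).split("\n")
    if lines and lines[0].strip() == command.strip():
        lines = lines[1:]                       # drop the echoed command line
    return "\n".join(lines).strip()


def ssh_session(host: str, user: str, password: str, port: int = 22, timeout: int = 30):
    """Log in over SSH and return a pexpect child sitting at UNIQUE_PROMPT."""
    import pexpect  # imported here so the parsing helpers work without pexpect installed

    child = pexpect.spawn(f"ssh -p {port} {user}@{host}", encoding="utf-8", timeout=timeout)
    if child.expect([HOSTKEY_PROMPT, PASSWORD_PROMPT]) == 0:
        child.close()
        raise RuntimeError(f"{host}: host key not in known_hosts; verify and add it first")
    child.sendline(password)
    # An unprivileged account lands on "$ ", root on "# "; a repeated password
    # prompt means the credentials were rejected.
    if child.expect([r"[$#] ", PASSWORD_PROMPT]) == 1:
        child.close()
        raise RuntimeError(f"{host}: authentication failed for {user}")
    # Swap the "user@host:~$" prompt for the fixed token (assumes a Bourne-style shell).
    child.sendline(f"PS1='{UNIQUE_PROMPT}'")
    child.expect(UNIQUE_PROMPT)   # first match is the echo of the PS1 command itself
    child.expect(UNIQUE_PROMPT)   # second match is the new prompt
    return child


def run_command(child, command: str) -> str:
    """Send one command and return its cleaned output."""
    child.sendline(command)
    child.expect(UNIQUE_PROMPT)
    return parse_command_output(child.before, command)


if __name__ == "__main__":
    # Constructed console capture, shaped like what pexpect returns in child.before.
    cmd = "grep -i '^PermitRootLogin' /etc/ssh/sshd_config"
    captured = cmd + "\r\n\x1b[01;31mPermitRootLogin\x1b[00m no\r\n"
    print(parse_command_output(captured, cmd))
```

Expecting the password prompt and the shell prompt as alternatives (rather than a single pattern) is what turns a silent timeout into an actionable error when a host key is unknown or a password is wrong.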


PoC for the overall assessment using Paramiko:


"wb" is an object that holds the Excel file to be opened. "ip" is a list of lists holding the credentials of the various assets. The code loops over all the assets, connects to each one and executes the commands one by one. openpyxl is the module that lets us read/write values directly to Excel sheets; the output of every command against every asset is saved in this sheet. Note: for the demo we modified an existing Excel file and saved the outputs against already defined configuration controls. One may create this sheet from scratch and format it as required!
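The following block is an added example, not the PoC from the original post, covering both the Paramiko section above (exec_command with a timeout, the stdout/stderr streams and the channel exit status) and the overall assessment loop described here. It defines a small list of configuration controls, each as a command plus a compliance check, runs them over every asset on one SSH connection per asset, and writes the results to an .xlsx sheet with openpyxl. The control identifiers, the three sample controls, the canned outputs in SAMPLE_OUTPUT and the asset list are constructed for illustration; paramiko and openpyxl are assumed to be installed and are imported inside the functions that need them.

```python
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Tuple

# A runner executes one shell command on the asset: (stdout, stderr, exit code).
Runner = Callable[[str], Tuple[str, str, int]]


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    command: str
    check: Callable[[str], bool]   # True when the output shows a compliant setting


def _setting_value(out: str) -> str:
    """Value of the first 'Key value' line in grep output, '' if nothing matched."""
    for line in out.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            return parts[1]
    return ""


def _int_at_most(limit: int) -> Callable[[str], bool]:
    return lambda out: _setting_value(out).isdigit() and int(_setting_value(out)) <= limit


# Constructed sample controls; a real baseline has far more.
CONTROLS: List[Control] = [
    Control("SSH-01", "Root login over SSH disabled",
            "grep -Ei '^\\s*PermitRootLogin' /etc/ssh/sshd_config",
            lambda out: _setting_value(out).lower() == "no"),
    Control("SSH-02", "SSH authentication retries limited to 4",
            "grep -Ei '^\\s*MaxAuthTries' /etc/ssh/sshd_config", _int_at_most(4)),
    Control("PWD-01", "Password maximum age 90 days or less",
            "grep -E '^PASS_MAX_DAYS' /etc/login.defs", _int_at_most(90)),
]


@contextmanager
def paramiko_runner(host: str, user: str, password: str, port: int = 22,
                    timeout: int = 10) -> Iterator[Runner]:
    """Open one SSH connection and yield a Runner bound to it."""
    import paramiko  # assumes `pip install paramiko`

    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Reject unknown host keys: a scanner that accepted any key would hand
    # the credentials to whoever answers on port 22.
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, port=port, username=user, password=password,
                   timeout=timeout, look_for_keys=False, allow_agent=False)
    try:
        def run(command: str) -> Tuple[str, str, int]:
            # Each call opens a fresh channel; timeout bounds the reads. Output
            # is read before the exit status so the channel cannot stall.
            _stdin, stdout, stderr = client.exec_command(command, timeout=timeout)
            out = stdout.read().decode("utf-8", errors="replace")
            err = stderr.read().decode("utf-8", errors="replace")
            return out, err, stdout.channel.recv_exit_status()
        yield run
    finally:
        client.close()


def assess_host(asset: str, run: Runner, controls: List[Control] = CONTROLS) -> List[Dict[str, object]]:
    """Run every control on one asset; one result row per control."""
    rows = []
    for c in controls:
        out, err, rc = run(c.command)
        # grep exits 1 when the directive is absent, i.e. the default applies;
        # that is recorded as non-compliant instead of being skipped.
        rows.append({"asset": asset, "control": c.control_id, "description": c.description,
                     "output": out.strip(), "error": err.strip(),
                     "compliant": rc == 0 and c.check(out)})
    return rows


def write_workbook(rows: List[Dict[str, object]], path: str) -> None:
    """Save the rows to an .xlsx sheet (assumes `pip install openpyxl`)."""
    from openpyxl import Workbook

    wb = Workbook()
    ws = wb.active
    ws.title = "Configuration Assessment"
    ws.append(["Asset", "Control", "Description", "Output", "Error", "Compliant"])
    for r in rows:
        ws.append([r["asset"], r["control"], r["description"], r["output"],
                   r["error"], "YES" if r["compliant"] else "NO"])
    wb.save(path)


# Constructed outputs standing in for a real server so the script runs offline.
SAMPLE_OUTPUT = {
    "PermitRootLogin": ("PermitRootLogin no\n", "", 0),
    "MaxAuthTries": ("MaxAuthTries 6\n", "", 0),
    "PASS_MAX_DAYS": ("", "", 1),          # directive missing -> grep exit 1
}


def sample_runner(command: str) -> Tuple[str, str, int]:
    for key, result in SAMPLE_OUTPUT.items():
        if key in command:
            return result
    return "", f"no sample output for {command!r}", 127


if __name__ == "__main__":
    # Real use: one entry per asset, credentials loaded from a vault or the
    # environment rather than hard-coded, e.g. {"name": "web01", "host": "10.0.0.5", ...}.
    assets: List[Dict[str, str]] = []
    results = []
    for a in assets:
        with paramiko_runner(a["host"], a["user"], a["password"]) as run:
            results.extend(assess_host(a["name"], run))
    if not assets:
        results = assess_host("sample-server", sample_runner)
    write_workbook(results, "configuration_assessment.xlsx")
```

Keeping the check as a function on the control rather than comparing raw strings means the sheet records a pass/fail verdict next to the evidence, which is what an administrator actually needs to act on; swapping sample_runner for paramiko_runner is the only change between the offline run and a live one.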


Fig: The resulting Excel sheet holding the configurations collected from different servers



Scope Ahead / Conclusion
Monitoring numerous configurations across many assets is a repetitive and cumbersome task, and one that is very prone to human error. Automating the configuration assessment not only brings the monitoring of all assets into one place but also saves the time and energy of IT administrators. The methodology shown above is one way of storing the assessed data; one may also save it in a database instead of an Excel file. A similar configuration assessment can be done for other kinds of assets as well, for example routers, switches, firewalls and databases, using the agentless approach. Moreover, this methodology can even be used to build an entire framework dedicated to configuration monitoring and surveillance.


