How to prepare the infrastructure to meet new 0-day vulnerabilities
It is very important to constantly maintain an up-to-date inventory of infrastructure, especially software inventory, in order to identify potentially vulnerable hosts as soon as possible. You can use Osquery software for this.
Osquery presents the user with the composition of the operating system as a database. This approach allows you to write SQL queries in order to easily and efficiently obtain up-to-date information about your systems. Osquery offers a very handy tool for keeping an inventory of installed software.
For example, here are the queries to get the current list of installed software for RedHat and CentOS:
SELECT name, version FROM rpm_packages
For Windows systems:
SELECT name, version FROM programs
Because Osquery uses the HTTP protocol to exchange information between clients and the server, be sure to configure client authentication with TLS certificates.
It is also necessary to automate the installation and update of software, update operating systems, change their configurations. The Ansible + Chocolatey software connection can help.
Ansible is a powerful process automation tool. It provides easy management of servers, virtual machines and PCs, both Linux / Unix and Windows. Updating servers, changing system configuration, running services, executing scripts and much more is easily automated with Ansible.
Ansible uses SSH and WinRM protocols to connect to target systems. For Windows, it is also possible to configure additional SSH access, but this requires the installation of additional software. To protect your Ansible-managed infrastructure, we recommend that you create a separate TLS-authenticated profile that will be used to administer the hosts.
Tasks are made in the form of yaml files. If you save the next script to a yaml file and pass it to Ansible, the latter will connect to the target assets, start the Windows upgrade process if the necessary updates are available, and restart the system if necessary.
– name: Update Critical |
|
hosts: windows |
|
tasks: |
|
– name: Install all critical and security updates |
|
win_updates: |
|
category_names: |
|
– CriticalUpdates |
|
– SecurityUpdates |
|
state: installed |
|
register: update_result |
|
– name: Reboot host if required |
|
win_reboot: |
|
when: update_result.reboot_required |
For RedHat and CentOS:
– name: RedHat and CentOS Update |
|
hosts: rhel\centos |
|
tasks: |
|
– name: Install all updates |
|
yum:name: “*”state: latest |
|
– name: restart system to reboot to newest kernelshell: “sleep 5 && reboot”async: 1poll: 0– name: wait for 10 secondspause:seconds: 10– name: wait for the system to rebootwait_for_connection:connect_timeout: 20sleep: 5delay: 5timeout: 60 |
If with Linux systems everything is simple – there is a convenient, single software management manager, then with Windows systems it is more difficult – you need to update each element of the system separately, sometimes even after downloading the update. Chocolatey is the only central repository of software for Windows. The CLI interface is similar in concept to yum and apt-get for Linux and provides the ability to automate software installation and updates using cmd or PowerShell.
Example of the Chocolatey command to update software in Windows: choco upgrade all
Alternatively, you can start the upgrade process with the Ansible task
– name: Update Windows SW with Chocolatey |
|
hosts: windows |
|
tasks: |
|
– name: Upgrade installed packages with Chocolateywin_chocolatey:name: allstate: latest |
Because osquery and chocolatey are command line utilities, access to it should be restricted to all users who do not need to use cmd or powershell. This will make it difficult to access critical information about your infrastructure and is easily done through Group Policy. We also recommend limiting the execution of scripts on the infrastructure – the best option is to allow the execution of scripts signed by certificates from trusted publishers.
