Vulnerability Management: OSSEC & Secunia PSI

“Vulnerability Management”… This is an important topic for your corporate security. One of the steps in this process is the monitoring of your applications and operating systems. With hundreds (thousands?) of devices connected to your network, how do you keep an eye on the applications and patches installed on all of them? There are plenty of vulnerability management tools which allow you to track/install patches from a central place. But again, most small organizations don’t have the resources or budget to deploy this kind of software, and users have to keep their laptops/workstations up-to-date. This article will show you how to implement a basic control of your pool of Windows workstations based on Secunia PSI and OSSEC.

Secunia PSI (“Personal Software Inspector”) is a free tool which scans your computer at regular intervals and reports uninstalled patches and unsafe (or end-of-life) applications.

Secunia PSI Dashboard
(Source: secunia.com)

Secunia PSI can be integrated with their commercial product called “CSI” (“Corporate Software Inspector”). As for OSSEC, I won’t present the product once more. If you follow my blog, you already know that it’s one of my favorite tools.

The goal will be to configure OSSEC to keep track of changes detected by Secunia PSI. How? Secunia stores all the data about your computer in their own “cloud”. Nothing is kept locally. An API is available (examples here) but it’s not easy to use it from OSSEC. Fortunately, there is an interesting log file located in “C:\Program Files\Secunia\PSI\psialog.txt”. Just a reminder: your systems are full of logs! In our case, it contains all the required material to perform basic alerting like:

  • Report applications changes (added, removed, clean, unsafe, …)
  • Report if the PSI score is not 100%

A few words about how Secunia stores the scan results. You must be aware of this. Your computer profile is sent to the Secunia cloud (psi.secunia.com) via HTTPS:

  POST /psi_api/2004/?type=data& \
       scantype=4& \
       tz=-3600& \
       domain=0& \
       uid=6X4EUbXhif39a59e330eea22c2d56acaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx& \
       ui=agent& \
       langroup=LAB& \
       host=WIN7LAB

Your UID (stored in the Windows registry) is randomly generated during the software installation. Keep this in mind: they know a lot of details about you and your company. For example, the workgroup or domain is sent to Secunia. As most organizations use their domain name, it’s easy for Secunia to know which software is used in which company. Of course, based on all the collected data, they’re able to produce nice statistics.

Now, the recipe:

  • An OSSEC server
  • OSSEC Windows agents properly configured
  • Secunia PSI properly deployed and configured
  • Some decoders and rules

Let’s have a look at the PSI log file. Two types of events are important. A first one gives details about the application being scanned (new, unsafe, etc) and the second one gives details about the scan results (this one contains the percentage).

  [11/25 19:17:54.288] Setting state of 'Adobe Flash Player 11.x' to clean
  [11/26 14:19:24.791] server.showBalloon('Secunia PSI - Scan Completed Successfully', \
  'You have insecure programs on your PC.

    Secunia System Score: 67%

    Based on the following detections:
    5 Insecure programs
    1 End-of-Life programs
    12 Patched programs
  ')

First, let’s write decoders to handle those events:

  <decoder name="secunia-psi-event">
    <prematch>^[\d\d/\d\d \d\d:\d\d:\d\d.\d+] Setting state of</prematch>
    <regex>Setting state of '(\.+)' to (\S+)$</regex>
    <order>extra_data, action</order>
  </decoder>
  <decoder name="secunia-psi-score">
    <prematch>Secunia System Score:</prematch>
    <regex offset="after_prematch">(\d+)%</regex>
    <order>status</order>
  </decoder>

In the first decoder, the variable “extra_data” will contain the application name and “action” its status. The different statuses I have already detected are: “determining”, “clean”, “created”, “added”, “approved”, “downloading”, “downloaded”, “entry”, “queued”, “condfailt”, “started” (there may be others, let me know if you have more information). In the second decoder, the variable “status” will contain the integer representing the scan score (0-100). Now we can define some rules:

  <rule id="110000" level="0">
    <decoded_as>secunia-psi-score</decoded_as>
    <description>Secunia Scan Results</description>
  </rule>

  <!-- Fires on any one- or two-digit score; "100%" matches neither pattern -->
  <rule id="110001" level="9">
    <if_sid>110000</if_sid>
    <regex>: \d\d%|: \d%</regex>
    <description>Vulnerabilities found. Secunia scan score not 100%</description>
  </rule>

  <rule id="110002" level="0">
    <decoded_as>secunia-psi-event</decoded_as>
    <description>Secunia PSI Event</description>
  </rule>

  <rule id="110004" level="9">
    <if_sid>110002</if_sid>
    <match>added</match>
    <description>New application detected by Secunia</description>
  </rule>

Results will look like:

  OSSEC HIDS Notification.
  2011 Nov 28 20:55:40

  Received From: (win7lab) 192.168.254.240->\Program Files\Secunia\PSI\psialog.txt
  Rule: 110003 fired (level 9) -> "New application detected by Secunia"
  Portion of the log(s):

  [11/28 20:49:14.130] Setting state of 'Adobe Flash Player 11.x' to added

  --END OF NOTIFICATION
  OSSEC HIDS Notification.
  2011 Nov 28 20:59:27

  Received From: (win7lab) 192.168.254.240->\Program Files\Secunia\PSI\psialog.txt
  Rule: 110001 fired (level 9) -> "Secunia scan score not 100%"
  Portion of the log(s):

  Secunia System Score: 98%

  --END OF NOTIFICATION

Simple and efficient! However, it’s not complete. At the moment, I don’t know where to find the status of the Windows patches. I’m trying to get more info from Secunia. I’m not aware of any commercial SIEM or log management solutions which interpret Secunia PSI results; this is good for OSSEC. You can imagine plenty of scenarios: hosts with a scan score below 100% can be stored in temporary tables. Dangerous applications can also be stored in a table and used to write correlation rules…
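To check the decoder and rule logic above against a log sample before deploying it, here is an added example (not part of the original article, and not OSSEC code) that re-implements the two decoders and the two alerting rules in Python. The function names `decode` and `alerts` are hypothetical, the regular expressions are Python approximations of the OSSEC patterns, and the sample log lines are constructed in the psialog.txt format shown earlier.

```python
import re

# Python equivalents of the two OSSEC decoders (in OSSEC regex, "\." means "any character").
EVENT_RE = re.compile(r"^\[\d\d/\d\d \d\d:\d\d:\d\d\.\d+\] Setting state of '(.+)' to (\S+)$")
SCORE_RE = re.compile(r"Secunia System Score:\s*(\d+)%")

def decode(line):
    """Return the decoded fields for one log line, or None if no decoder matches."""
    line = line.rstrip("\r\n")
    m = EVENT_RE.match(line)
    if m:
        return {"decoder": "secunia-psi-event", "extra_data": m.group(1), "action": m.group(2)}
    # The score sits on its own line inside the multi-line showBalloon() call,
    # so this decoder cannot rely on a leading timestamp.
    m = SCORE_RE.search(line)
    if m:
        return {"decoder": "secunia-psi-score", "status": int(m.group(1))}
    return None

def alerts(lines):
    """Apply the article's alerting logic: new application, or score below 100%."""
    out = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        # Compare the decoded action field instead of searching the whole line,
        # so an application whose name contains "added" does not raise an alert.
        if ev["decoder"] == "secunia-psi-event" and ev["action"] == "added":
            out.append(("New application detected by Secunia", ev["extra_data"]))
        elif ev["decoder"] == "secunia-psi-score" and ev["status"] < 100:
            out.append(("Secunia scan score not 100%", ev["status"]))
    return out

# Constructed sample input in the psialog.txt format shown in the article.
SAMPLE_LOG = """\
[11/25 19:17:54.288] Setting state of 'Adobe Flash Player 11.x' to clean
[11/28 20:49:14.130] Setting state of 'Adobe Flash Player 11.x' to added
[11/28 20:50:02.511] Setting state of 'Newly added tool 1.x' to clean
[11/26 14:19:24.791] server.showBalloon('Secunia PSI - Scan Completed Successfully', 'You have insecure programs on your PC.

  Secunia System Score: 67%

  Based on the following detections:
  5 Insecure programs
')
  Secunia System Score: 100%
  Secunia System Score: 7%
""".splitlines()

if __name__ == "__main__":
    for description, detail in alerts(SAMPLE_LOG):
        print(f"{description}: {detail}")
```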
