nexpose_sccm 0.4.0

data/bin/vuln_ids.csv

@@ -0,0 +1,7 @@
+vulnerability ids
+msft-cve-2017-0016
+msft-cve-2017-8527
+msft-cve-2017-0280
+msft-cve-2017-0267
+ssl-cve-2011-3389-beast
+windows-hotfix-ms16-136

data/conf/logging.yml

@@ -0,0 +1,8 @@
+---
+:logging:
+  :log_level: INFO
+  :log_directory: "../logs"
+  :log_file: output.log
+  :log_stdout: false
+  :log_file_rotation: 30
+  :log_file_size: 1048576

data/conf/nexpose.yml

@@ -0,0 +1,8 @@
+---
+:nexpose:
+  :host: 'nexpose_url'
+  :user: 'username'
+  :pass: 'password'
+  :port: '3780'
+  :timeout: 600
+  :query_timeout: 1800

data/conf/postgres.yml

@@ -0,0 +1,8 @@
+---
+:postgres:
+  :host: 'dwh_url'
+  :port: 5432
+  :user: 'postgres'
+  :pass: 'password'
+  :db: db_name
+  :sslmode: prefer # Possible values disable|allow|prefer|require

data/conf/queries.yml

@@ -0,0 +1,87 @@
+---
+:queries:
+  :asset_best_solution:
+    #:nsc: Not implemented
+    :dwh: SELECT da.ip_address AS key, da.ip_address, da.host_name, ds.nexpose_id
+          FROM dim_asset_vulnerability_finding_rollup_solution davfrs
+          JOIN dim_asset da ON (da.asset_id = davfrs.asset_id)
+          JOIN dim_solution ds ON (ds.solution_id = davfrs.solution_id)
+          JOIN dim_vulnerability_category dvc ON (dvc.vulnerability_id = davfrs.vulnerability_id)
+          WHERE UPPER(dvc.category_name) = 'MICROSOFT'
+          GROUP BY da.ip_address, da.host_name, ds.nexpose_id
+  :asset_best_solution_by_site:
+    :nsc: SELECT da.ip_address AS key, da.ip_address, da.host_name, ds.nexpose_id, concat('site_id_', dsa.site_id) as site_id
+          FROM dim_asset_vulnerability_best_solution davbs
+            JOIN dim_asset da ON (da.asset_id = davbs.asset_id)
+            JOIN dim_site_asset dsa ON dsa.asset_id = davbs.asset_id AND dsa.site_id = '<site id>'
+            JOIN dim_vulnerability_category dvc ON (dvc.vulnerability_id = davbs.vulnerability_id)
+              AND UPPER(dvc.category_name) = 'MICROSOFT'
+            JOIN dim_solution ds ON (ds.solution_id = davbs.solution_id)
+          GROUP BY da.ip_address, da.host_name, ds.nexpose_id, dsa.site_id
+    :dwh: SELECT da.ip_address AS key, da.ip_address, da.host_name, ds.nexpose_id
+          FROM dim_asset_vulnerability_finding_rollup_solution davfrs
+            JOIN dim_asset da ON (da.asset_id = davfrs.asset_id)
+            JOIN dim_site_asset dsa ON dsa.asset_id = davfrs.asset_id AND dsa.site_id = '<site id>'
+            JOIN dim_vulnerability_category dvc ON (dvc.vulnerability_id = davfrs.vulnerability_id)
+              AND UPPER(dvc.category_name) = 'MICROSOFT'
+            JOIN dim_solution ds ON (ds.solution_id = davfrs.solution_id)
+          GROUP BY da.ip_address, da.host_name, ds.nexpose_id
+  :tag_best_solution:
+    :nsc: WITH tag_assets AS (
+            SELECT da.asset_id, da.ip_address, da.host_name
+            FROM dim_tag_asset dat
+              JOIN dim_tag dt ON (dt.tag_id = dat.tag_id)
+              JOIN dim_asset da ON (da.asset_id = dat.asset_id)
+            WHERE dt.tag_name = '<tag name>'
+          )
+          SELECT ta.ip_address as key, ta.ip_address, ta.host_name, ds.nexpose_id
+          FROM dim_asset_vulnerability_solution davfrs
+            JOIN tag_assets ta ON (ta.asset_id = davfrs.asset_id)
+            JOIN dim_solution ds ON (ds.solution_id = davfrs.solution_id)
+            JOIN dim_vulnerability_category dvc ON (dvc.vulnerability_id = davfrs.vulnerability_id)
+          WHERE UPPER(dvc.category_name) = 'MICROSOFT'
+          GROUP BY ta.ip_address, ta.host_name, ds.nexpose_id
+    :dwh: WITH tag_assets AS (
+            SELECT da.asset_id, da.ip_address, da.host_name
+            FROM dim_asset_tag dat
+              JOIN dim_tag dt ON (dt.tag_id = dat.tag_id)
+              JOIN dim_asset da ON (da.asset_id = dat.asset_id)
+            WHERE dt.name = '<tag name>'
+          )
+          SELECT ta.ip_address as key, ta.ip_address, ta.host_name, ds.nexpose_id
+          FROM dim_asset_vulnerability_finding_rollup_solution davfrs
+            JOIN tag_assets ta ON (ta.asset_id = davfrs.asset_id)
+            JOIN dim_solution ds ON (ds.solution_id = davfrs.solution_id)
+            JOIN dim_vulnerability_category dvc ON (dvc.vulnerability_id = davfrs.vulnerability_id)
+          WHERE UPPER(dvc.category_name) = 'MICROSOFT'
+          GROUP BY ta.ip_address, ta.host_name, ds.nexpose_id
+  :vuln_by_name: #Microsoft CVE-2017-0016: SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability
+    :nsc: SELECT dv.nexpose_id AS key, da.ip_address, da.host_name, ds.nexpose_id
+          FROM dim_asset_vulnerability_best_solution davbs
+            JOIN dim_solution ds ON (ds.solution_id = davbs.solution_id)
+            JOIN dim_vulnerability dv ON (dv.vulnerability_id = davbs.vulnerability_id)
+            JOIN dim_asset da ON (da.asset_id = davbs.asset_id)
+          WHERE dv.title IN ('<vulnerability titles>') AND da.ip_address IN ('<asset_ips>')
+          GROUP BY da.ip_address, da.host_name, ds.nexpose_id, dv.nexpose_id
+    :dwh: SELECT dv.nexpose_id AS key, da.ip_address, da.host_name, ds.nexpose_id
+          FROM dim_asset_vulnerability_finding_solution davfs
+            JOIN dim_solution ds ON (ds.solution_id = davfs.solution_id)
+            JOIN dim_vulnerability dv ON (dv.vulnerability_id = davfs.vulnerability_id)
+            JOIN dim_asset da ON (da.asset_id = davfs.asset_id)
+          WHERE dv.title IN ('<vulnerability titles>') AND da.ip_address IN ('<asset ips>')
+          GROUP BY da.ip_address, da.host_name, ds.nexpose_id, dv.nexpose_id
+  :vuln_by_id: #msft-cve-2017-0016, msft-cve-2017-8527, msft-cve-2017-0280, msft-cve-2017-0267
+    :nsc: SELECT dv.nexpose_id AS key, da.ip_address, da.host_name, ds.nexpose_id
+          FROM dim_asset_vulnerability_best_solution davbs
+            JOIN dim_solution ds ON (ds.solution_id = davbs.solution_id)
+            JOIN dim_vulnerability dv ON (dv.vulnerability_id = davbs.vulnerability_id)
+            JOIN dim_asset da ON (da.asset_id = davbs.asset_id)
+          WHERE dv.nexpose_id IN ('<vulnerability ids>') AND da.ip_address IN ('<asset ips>')
+          GROUP BY dv.nexpose_id, da.ip_address, da.host_name, ds.nexpose_id
+    :dwh: SELECT dv.nexpose_id AS key, da.ip_address, da.host_name, ds.nexpose_id
+          FROM dim_asset_vulnerability_finding_solution davfs
+            JOIN dim_solution ds ON (ds.solution_id = davfs.solution_id)
+            JOIN dim_vulnerability dv ON (dv.vulnerability_id = davfs.vulnerability_id)
+            JOIN dim_asset da ON (da.asset_id = davfs.asset_id)
+          WHERE dv.nexpose_id IN ('<vulnerability ids>') AND da.ip_address IN ('<asset ips>')
+          GROUP BY dv.nexpose_id, da.ip_address, da.host_name, ds.nexpose_id

data/conf/sccm.yml

@@ -0,0 +1,30 @@
+---
+:sccm:
+  ## Must be NetBIOS name
+  :host: 'SCCM_host_or_ip'
+  :port: 5986
+  :path: wsman
+  :protocol: https
+  :user: 'Administrator'
+  :pass: 'password'
+  :no_ssl_peer_verification: false
+  ## openssl s_client -showcerts -servername 10.3.23.212 -connect 10.3.23.212:5986 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | sed -e "s/://g"
+  :ssl_peer_fingerprint: 'server_certificate_fingerprint'
+  :location: '<site_name>:\'
+  :namespace: 'root\sms\site_<site_name>'
+  :staging: '<software_download_location>'
+  :create_deployment_package: true
+  :download_updates: true
+  :integration_prefix: 'Rapid7'
+  :generate_unknown_device_report: true
+  :report_location: '../reports/'
+  :software_update_group:
+    ## Available scopes are one of the following: [asset_best_solution, tag_best_solution]
+    :scope: asset_best_solution_by_site
+    ## Create new software update group or update an existing
+    ## Available actions include one of the following: [update, create]
+    :action: update
+  ## data source can be 'nsc' or 'dwh' (Nexpose Security Console or Data Warehouse respectively)
+  :data_source: nsc
+  :software_update_group_key: key  # How to group SUGs, base off of SQL query column name
+  :collection_key: site_id  # How to group collections, base off of SQL query column name

data/conf/secret.yml

@@ -0,0 +1,4 @@
+---
+#:secret:
+#  :encrypt_key_dir: ".nxkeys/"
+#  :encrypt_cred_file: "../conf/secrets.yml.enc"

data/lib/nexpose_sccm.rb

@@ -0,0 +1,294 @@
+require 'nexpose_sccm/collection'
+require 'nexpose_sccm/connection'
+require 'nexpose_sccm/deployment_package'
+require 'nexpose_sccm/device'
+require 'nexpose_sccm/software_update_group'
+require 'nexpose_sccm/utilities/utility_config'
+require 'nexpose_sccm/utilities/nx_logger'
+require 'nexpose_sccm/data_source'
+require 'nexpose_sccm/version'
+
+module NexposeSCCM
+  class << self
+
+    def setup(settings)
+      @logger = NexposeSCCM::NxLogger.instance
+      @logger.setup_statistics_collection(NexposeSCCM::VENDOR,
+                                          NexposeSCCM::PRODUCT,
+                                          NexposeSCCM::VERSION)
+      @logger.setup_logging(true,
+                            settings[:logging][:log_level],
+                            settings[:logging][:log_stdout],
+                            settings[:logging][:log_file_rotation],
+                            settings[:logging][:log_file_size])
+      NexposeSCCM.logger = @logger
+
+      ## Setting up SCCM connection
+      @logger.debug("Logging into SCCM")
+      sccm = settings[:sccm]
+      @sccm = NexposeSCCM::Connection.new(sccm[:protocol],
+                                          sccm[:host],
+                                          sccm[:port],
+                                          sccm[:path],
+                                          sccm[:location],
+                                          sccm[:user],
+                                          sccm[:pass],
+                                          sccm[:namespace],
+                                          sccm[:staging],
+                                          sccm[:no_ssl_peer_verification],
+                                          sccm[:ssl_peer_fingerprint])
+      ## Logging into SCCM
+      @sccm.login
+    end
+
+    def generate_updates(settings, input_file=nil)
+      scope = settings[:sccm][:software_update_group][:scope]
+      data_source = settings[:sccm][:data_source]
+
+      if settings[:sccm][:generate_unknown_device_report]
+        date = Time.now.strftime('%Y%m%d_%H%M%S')
+        report = "devices-not-found-sccm-#{date}.csv"
+        report_location = settings[:sccm][:report_location]
+        unless File.exist?(File.expand_path(report_location))
+          Dir.mkdir(report_location)
+        end
+
+        csv_report_contents = Set.new()
+      end
+
+      # Get known SCCM devices with details
+      sccm_devices = @sccm.get_devices
+      ## Get current list of collections
+      collections = @sccm.get_collections(sccm_devices)
+
+      ## Initiate the data source connection
+      @logger.debug("Logging into Nexpose / DWH")
+      @nsc = NexposeSCCM::DataSource::Connection.new(data_source,
+                                                     settings[:postgres],
+                                                     settings[:nexpose])
+
+      @logger.info("Successfully connected to Data Source #{data_source}")
+
+      sup_data = []
+      begin
+        query = settings[:queries][scope.to_sym][data_source.to_sym]
+        match_for_prompt = query.scan(/'<.*?>'/)
+
+        unless match_for_prompt.nil? || match_for_prompt.empty?
+          if !input_file.nil? && File.exist?(input_file)
+            inputs = CSV.read(input_file, :headers=>true)
+          end
+
+          match_for_prompt.each do |match|
+            if !inputs.nil? && inputs.headers.include?(match.gsub("'<",'').gsub(">'",''))
+              input = inputs[match.gsub("'<",'').gsub(">'",'')]
+            else
+              input = prompt("Please provide #{match} to be processed " \
+                        "(comma separated for any lists): ").strip.split(',')
+            end
+            input = input.map{|e| "'#{e}'"}
+
+            query.gsub!(/#{match}/, "#{input.join(',')}")
+          end
+        end
+
+        @logger.debug("Retrieving Data")
+        sup_data = @nsc.fetch_data(query)
+      rescue => e
+        @logger.error("There was an error running the query. " \
+          "Check the scope and data source settings for validity: #{e}")
+        exit
+      end
+
+      unless sup_data.length > 0
+        @logger.debug("No updates returned using query: #{query}")
+        @logger.info('No updates to work on. Exiting...')
+        exit 0
+      end
+
+      ## SUP scopes are defined by the query used to run them.
+      @logger.info("Software Update Group scope: #{scope}")
+
+      sugs = {}
+
+      @logger.debug("Getting CI_IDS using scope: #{scope}")
+
+      @logger.info("Looping through output of length #{sup_data.length}")
+      sup_data.each do |o|
+        unless o.key?(:key)
+          @logger.error("Query to pull data from #{data_source} " \
+                    "does not have the 'key' field, exiting...")
+          exit 1
+        end
+
+        key = o[settings[:sccm][:software_update_group_key].to_sym]
+        collection_key = o[settings[:sccm][:collection_key].to_sym]
+        key_ip = o[:ip_address].split(':')[0].strip
+        key_hostname = o[:host_name]
+
+        device = sccm_devices.select do |dev|
+          (dev.host_name.to_s.casecmp(key_hostname) == 0 unless key_hostname.nil?) ||
+            (dev.ip_address.to_a.include?(key_ip) unless key_ip.nil?)
+        end.first
+
+        if device.nil?
+          if settings[:sccm][:generate_unknown_device_report]
+            csv_report_contents << [key_ip, key_hostname]
+          end
+        else
+          collection_name = "Rapid7_#{collection_key}"
+          collection_match = collections.select do |collection|
+            collection.name.eql?(collection_name)
+          end.first
+
+          if collection_match.nil?
+            collection_match = NexposeSCCM::Collection.new(collection_name)
+            collection_match.members.add(device)
+            collections << collection_match
+          else
+            collection_match.members.add(device)
+          end
+        end
+
+        unless sugs.key?(key)
+          sugs[key] = {
+            :ci_ids => [],
+            :description => "Scope: #{scope}",
+            :name => "Rapid7_#{key}"
+          }
+        end
+
+        ## Pesky way of grabbing an UUID for the specific microsoft patch until
+        ## Nexpose has a better way of making this data available
+        nexpose_id = o[:nexpose_id]
+        uuid = nil
+        begin
+          match = nexpose_id.match(/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/).captures
+          uuid = match[0]
+        rescue
+          @logger.debug('Must be no UUID available, going to next...')
+        end
+        next if uuid.nil?
+        ci_ids = @sccm.get_ci_id(uuid)
+        next unless ci_ids.length > 0
+
+        sugs[key][:ci_ids] += ci_ids
+      end
+
+      ## Get current list of SUGs for update actions
+      @logger.debug("Retrieving current Software Update Groups from SCCM")
+      groups = @sccm.get_software_update_groups
+
+      sug_objects=[]
+      sug_action_type = settings[:sccm][:software_update_group][:action]
+      ## At a minimum, we create Software Update Groups
+      sugs.each do |k,v|
+        @logger.info("Working on SUP: #{k}")
+        match = groups.select { |g| g.name.casecmp(v[:name]) == 0 }
+        ## Update if we find matching names
+        if sug_action_type.casecmp('update') == 0
+          if match.length > 0
+            sug = match[0]
+            sug.ci_ids = v[:ci_ids]
+            sug.description = v[:description]
+            res = sug.save(@sccm)
+            sug_objects << sug
+            if res
+              msg = "Successfully updated Software Update Group: #{v[:name]}"
+              @logger.debug(msg)
+            else
+              @logger.error("Error updating Software Update Group: #{v[:name]}")
+            end
+          end
+        end
+
+        if sug_action_type.casecmp('create') == 0 || match.empty?
+          ## Create sug if action is create or update didn't work.
+          sug = NexposeSCCM::SoftwareUpdateGroup.new(v[:name],
+                                                     v[:description],
+                                                     v[:ci_ids])
+          sug_objects << sug
+          res = sug.save(@sccm)
+          if res
+            msg = "Successfully created Software Update Group: #{v[:name]}"
+            @logger.debug(msg)
+          else
+            @logger.error("Error creating Software Update Group: #{v[:name]}")
+          end
+        end
+      end
+
+      # Save collections with devices
+      @logger.debug("Saving Collections")
+      collections.each do |collection|
+        collection.save(@sccm)
+      end
+
+      ## Download/deployment package creation if set to true
+      if settings[:sccm].key?(:create_deployment_package) &&
+        settings[:sccm][:create_deployment_package]
+        @logger.debug("Creating the Deployment Packages")
+        sug_objects.each do |sug_object|
+          name = sug_object.name
+          package_name = "Rapid7-Deployment-Package-#{name}"
+          package_path = "#{@sccm.staging}\\#{name}"
+
+          deployment_package = @sccm.get_deployment_package(package_name)
+          package_id =
+            if deployment_package.empty?
+              nil
+            else
+              deployment_package.first[:package_id]
+            end
+            #deployment_package.empty? ? nil : deployment_package.first[:package_id]
+          package = NexposeSCCM::DeploymentPackage.new(package_name,
+                                                       name,
+                                                       package_path,
+                                                       package_id)
+
+          # Don't process if no ci ids for SUG
+          unless sug_object.ci_ids.empty?
+            @logger.debug("Saving the Deployment Package: #{package_name}")
+            # Save deployment package if enabled and doesn't exist already
+            package.save(@sccm) if package.id.nil?
+
+            # Download updates if enabled
+            @logger.debug("Downloading the Deployment Package")
+            package.download_updates(@sccm) if settings[:sccm][:download_updates]
+          end
+        end
+      end
+
+      # Generate report if configured and content exists
+      if settings[:sccm][:generate_unknown_device_report]
+        report_length = csv_report_contents.length
+        if report_length > 0
+          @logger.debug("Creating Unknown Device report")
+          CSV.open(report_location + report, 'ab') do |csv|
+            csv << ['IP Address','Hostname']
+            csv_report_contents.each do |entry|
+              csv << entry
+            end
+          end
+        end
+        @logger.debug("Unknown Device report length: #{report_length}")
+      end
+
+      @logger.info("Nexpose SCCM integration has finished.")
+    end
+
+    def prompt(*args)
+      print(*args)
+      gets
+    end
+
+    attr_accessor :logger
+    def logger
+      if @logger.nil?
+        puts "Someone forgot to set their logger...exiting"
+        exit 1
+      end
+      @logger
+    end
+  end
+end