Creating a Slack notification when a new vulnerability is detected

Use the WebSphere Automation Swagger UI, the Slack Block Kit Builder, and Mustache syntax to create a process that sends a notification to a webhook, which in turn produces a Slack message. The notification contains the details of any new vulnerability that WebSphere Automation detects.

Before you begin

If you plan to implement variables or conditional processing, make sure that you are familiar with Mustache syntax.

Review the WebSphere Automation resource notification

The expected result of this tutorial is that Slack displays a message containing information passed from a newly created resource notification in WebSphere Automation. In this tutorial, when a new vulnerability is detected in a managed server, the resource notification contains the details of the newly created vulnerability record. In the following example resource notification, the value of the type parameter is CREATE, and the created object is a vulnerability.

{
    "type": "CREATE",
    "vulnerability": {
        "id": "70357d34-411d-3321-a60f-ede653897a55",
        "name": "6557248 : server1@defected1.example.com",
        "description": "Multiple vulnerabilities exist in the Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) library used by IBM WebSphere Application Server in the Admin Console and UDDI Registry application. The same Apache library is also used by the IBM WebSphere Application Server Liberty for z/OS in features zosConnect-1.0 and zosConnect-1.2. All vulnerabilities have been addressed previously by removing all existing Apache Log4j versions.",
        "assetId": "1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
        "securityBulletinId": "23c15e59-1ef9-3eb5-a175-0845597cdbc1",
        "resolved": false,
        "cves": [
            {
                "id": "CVE-2022-23302",
                "description": "Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.",
                "cvssBaseScore": 8.8
            },
            {
                "id": "CVE-2022-23305",
                "description": "Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.",
                "cvssBaseScore": 6.5
            },
            {
                "id": "CVE-2022-23307",
                "description": "Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.",
                "cvssBaseScore": 9.8
            }
        ],
        "remediations": [
            {
                "startVersion": "9.0.0.0",
                "endVersion": "9.0.5.10",
                "operator": "OR",
                "iFixes": [
                    "PH42762"
                ],
                "fixPack": "9.0.5.11",
                "additionalInstallationInstructions": "https://www.ibm.com/support/pages/node/6557248"
            }
        ],
        "links": {
            "self": {
                "rel": "self",
                "href": "https://cpd-websphere-automation.apps.wsa-412.example.com/vulnerabilities/70357d34-411d-3321-a60f-ede653897a55",
                "type": "application/json",
                "title": "self"
            },
            "asset": {
                "rel": "related",
                "href": "https://cpd-websphere-automation.apps.wsa-412.example.com/assets/1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
                "type": "application/json",
                "title": "asset"
            },
            "securityBulletin": {
                "rel": "related",
                "href": "https://cpd-websphere-automation.apps.wsa-412.example.com/bulletins/23c15e59-1ef9-3eb5-a175-0845597cdbc1",
                "type": "application/json",
                "title": "securityBulletin"
            }
        },
        "created": "2023-05-17T10:10:29Z",
        "createdBy": "vulnerability-manager",
        "updated": "2023-05-17T10:10:29Z",
        "updatedBy": "vulnerability-manager",
        "secondsExposed": 1379
    }
}

The information of interest includes the CVE ID, the CVSS score, the affected server, the vulnerability description, and the URL of the security bulletin.

Define the procedure and the expected result

The result is that the Slack webhook target receives information about a new high-severity CVE and displays that information in a new Slack message.

  1. Open a web browser to the Slack Block Kit Builder.
    https://app.slack.com/block-kit-builder/
  2. Use the Block Kit Builder to construct a message that displays the text in the format you prefer. The following example was used to construct this Slack message.
    Example Slack message for a vulnerability detected in a managed server
    {
    	"blocks": [
    		{
    			"type": "section",
    			"text": {
    				"type": "mrkdwn",
    				"text": ":alert1: WebSphere Automation detected a vulnerability for CVE <https://www.ibm.com/support/pages/node/6525706|CVE-2021-44228> (CVSS base score 10.0) on server *server1* on host *defected1.example.com*."
    			}
    		},
    		{
    			"type": "divider"
    		},
    		{
    			"type": "section",
    			"text": {
    				"type": "mrkdwn",
    				"text": "*CVE Information*\nApache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam."
    			}
    		},
    		{
    			"type": "divider"
    		},
    		{
    			"type": "actions",
    			"elements": [
    				{
    					"type": "button",
    					"text": {
    						"type": "plain_text",
    						"text": "View Bulletin",
    						"emoji": true
    					},
    					"value": "click_me",
    					"url": "https://www.ibm.com/support/pages/node/6525706"
    				},
    				{
    					"type": "button",
    					"text": {
    						"type": "plain_text",
    						"text": "View All server1 CVEs",
    						"emoji": true
    					},
    					"value": "click_me_123",
    					"url": "https://cpd-websphere-automation.example.com/websphereauto/websphere/1a5d141a-3294-3ff3-9182-5ae1d4f3465d/vulnerabilities/cves"
    				}
    			]
    		}
    	]
    }
  3. After the Slack message is constructed correctly, use Mustache syntax to substitute variables. Make these substitutions for the parameters that you want to send from the WebSphere Automation event.
    {
        "channel": "<your_Slack_channel>",
        "blocks": [
          {
            "type": "header",
            "text": {
              "type": "plain_text",
              "text": "Vulnerability Detected"
            }
          },
          {
            "type": "divider"
          },
          {
            "type": "section",
            "text": {
              "type": "mrkdwn",
              "text": "{{icon}} WebSphere Automation detected a vulnerability for CVE <{{bulletinUrl}}|{{cveId}}> (CVSS base score {{cvssBaseScore}}) on {{#isJdk}}JDK *{{productName}}*{{/isJdk}}{{^isJdk}}server *{{serverName}}*{{/isJdk}} on host *{{hostName}}*."
            }
          },
          {
            "type": "divider"
          },
          {
            "type": "section",
            "text": {
              "type": "mrkdwn",
              "text": "*CVE Information*\n{{{@wsa_eq_cveSummary}}}"
            }
          },
          {
            "type": "actions",
            "elements": [
              {
                "type": "button",
                "text": {
                  "type": "plain_text",
                  "text": "View Bulletin"
                },
                "value": "click_me",
                "url": "{{bulletinUrl}}"
              }{{^isJdk}},
              {
                "type": "button",
                "text": {
                  "type": "plain_text",
                  "text": "View All CVEs for {{serverName}}"
                },
                "value": "click_me_123",
                "url": "https://cpd-websphere-automation.example.com/websphereauto/websphere/{{serverId}}/vulnerabilities/cves"
              }
              {{/isJdk}}
            ]
          },
          {
            "type": "divider"
          }
        ]
    }

Configure the webhook action

Use the WebSphere Automation Swagger UI to create a webhook action. For more information, see Creating a webhook action.

In the body parameter, enter the comma-separated list of JSON elements that you created in the Slack Block Kit Builder. Quotation marks inside the body parameter value must be escaped with a backslash character. Use Mustache notation (double curly braces) for the variable names that you created.

{
    "id": "74313a6b-a163-4f7d-833b-31bf4f12670a",
    "name": "Vulnerability Slack Notification Action",
    "description": "POSTs a notification to Slack when triggered",
    "type": "webhook",
    "enabled": true,
    "configuration": {
      "targetUrl": "https://hooks.slack.com/services/12345/12345/12345",
      "method": "POST",
      "contentType": "application/json",
      "headers": [],
      "body": "{ \"channel\": \"<your_Slack_channel>\", \"blocks\": [ { \"type\": \"header\", \"text\": { \"type\": \"plain_text\", \"text\": \"Vulnerability Detected\" } }, { \"type\": \"divider\" }, { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \"{{icon}} WebSphere Automation detected a vulnerability for CVE <{{bulletinUrl}}|{{cveId}}> (CVSS base score {{cvssBaseScore}}) on {{#isJdk}}JDK *{{productName}}*{{/isJdk}}{{^isJdk}}server *{{serverName}}*{{/isJdk}} on host *{{hostName}}*.\" } }, { \"type\": \"divider\" }, { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \"*CVE Information*\\n{{{@wsa_eq_cveSummary}}}\" } }, { \"type\": \"actions\", \"elements\": [ { \"type\": \"button\", \"text\": { \"type\": \"plain_text\", \"text\": \"View Bulletin\" }, \"value\": \"click_me\", \"url\": \"{{bulletinUrl}}\" }{{^isJdk}}, { \"type\": \"button\", \"text\": { \"type\": \"plain_text\", \"text\": \"View All CVEs for {{serverName}}\" }, \"value\": \"click_me_123\", \"url\": \"https://cpd-websphere-automation.example.com/websphereauto/websphere/{{serverId}}/vulnerabilities/cves\" } {{/isJdk}} ] }, { \"type\": \"divider\" } ] }"
    }
}
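The template substitution and the body escaping described above, as an added example that is not WebSphere Automation or Slack code: a minimal Mustache subset renders a shortened, constructed form of the page's template for both the server and the JDK branch, checks that each result is valid JSON, and produces the escaped string that the action's body parameter expects. Variable values are constructed; the cveSummary value deliberately contains quotes.

```python
"""Added example: render the Mustache-templated Slack payload and build the escaped action body."""
import json
import re

# Constructed, shortened form of the page's template; the raw string keeps the JSON "\n" literal.
TEMPLATE = r"""{ "blocks": [
  { "type": "section", "text": { "type": "mrkdwn",
    "text": "{{icon}} CVE <{{bulletinUrl}}|{{cveId}}> (CVSS base score {{cvssBaseScore}}) on {{#isJdk}}JDK *{{productName}}*{{/isJdk}}{{^isJdk}}server *{{serverName}}*{{/isJdk}} on host *{{hostName}}*." } },
  { "type": "section", "text": { "type": "mrkdwn", "text": "*CVE Information*\n{{{cveSummary}}}" } },
  { "type": "actions", "elements": [
    { "type": "button", "text": { "type": "plain_text", "text": "View Bulletin" }, "url": "{{bulletinUrl}}" }{{^isJdk}},
    { "type": "button", "text": { "type": "plain_text", "text": "View All CVEs for {{serverName}}" },
      "url": "https://cpd-websphere-automation.example.com/websphereauto/websphere/{{serverId}}/vulnerabilities/cves" }{{/isJdk}}
  ] } ] }"""

SECTION = re.compile(r"\{\{([#^])(\w+)\}\}(.*?)\{\{/\2\}\}", re.S)  # {{#x}}..{{/x}} and {{^x}}..{{/x}}
VAR = re.compile(r"\{\{\{?(\w+)\}?\}\}")                             # {{x}} and {{{x}}}

def render(template, variables):
    """Expand sections ('#' keeps the body when the value is truthy, '^' when it is falsy), then
    substitute variables. Values are JSON-string-escaped so a description containing quotes or
    newlines cannot break the payload; {{x}} and {{{x}}} are treated alike in this subset."""
    def section(m):
        kind, name, body = m.groups()
        return body if (kind == "#") == bool(variables.get(name)) else ""
    text = SECTION.sub(section, template)
    return VAR.sub(lambda m: json.dumps(str(variables.get(m.group(1), "")))[1:-1], text)

def render_payload(variables):
    """Render and parse, so a template/variable mismatch fails here rather than at Slack."""
    return json.loads(render(TEMPLATE, variables))

def action_body(template=TEMPLATE):
    """The action's body is the whole template as one JSON string: json.dumps backslash-escapes
    the quotation marks and doubles the backslash of the literal backslash-n, as the page requires."""
    return json.dumps(template)

# Constructed variables in the shape the trigger produces (isJdk is a real Boolean).
SERVER_VARS = {"icon": ":alert1:", "bulletinUrl": "https://www.ibm.com/support/pages/node/6557248",
               "cveId": "CVE-2022-23307", "cvssBaseScore": 9.8, "isJdk": False,
               "serverName": "server1", "hostName": "defected1.example.com",
               "serverId": "1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
               "cveSummary": 'Unsafe deserialization in "Chainsaw"'}

if __name__ == "__main__":
    print(json.dumps(render_payload(SERVER_VARS), indent=2))
    print(action_body())
```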

Test the webhook action

To test the webhook action, open the WebSphere Automation Swagger UI and use the PATCH /action/{actionId} control to pass hard-coded values to Slack. For more information, see Creating an action.

In the actionId text field, enter the action ID. Use the actionId value that the Swagger UI assigned when you created the action.

In the Request body field, enter the following JSON code:

{
   "operation": "invoke-action",
   "variables": {
      "hostName": "example.com",
      "cveSummary": "Example CVE summary",
      "bulletinUrl": "https://www.ibm.com/support/pages/node/6525706",
      "cveId": "CVE-2021-44228",
      "icon": ":alert1:",
      "serverName": "server1",
      "cvssBaseScore": "10",
      "isJdk": "false",
      "serverId": "1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
      "productName": "WebSphere Application Server"
   }
}

Click Execute.

Make sure that the server response code is 200. A successful response also contains "successful": true in the response body.

Open the Slack channel and verify that a new message was created.

Create the resource trigger

Follow the instructions to create a resource trigger. See the following example resource trigger.

Set the value of the actionId parameter to the action ID that the Swagger UI assigned to the action.

In the variableMappings section, create variables that match the variables defined in the action and in the incident table. For each variable, create a JSONata expression (see https://try.jsonata.org/) that evaluates to a Boolean or to the value that you want to pass to the webhook.

{
    "id": "46e65c6e-8c9d-4fe9-90fb-ac5ca2303fae",
    "name": "Vulnerability Created Trigger",
    "description": "Triggers the Slack Notification action when a vulnerability with a CVE that has a CVSS base score greater than 9 is created.",
    "actionId": "<your_Slack_Notification_action_id>",
    "type": "resource",
    "enabled": true,
    "configuration": {
      "resourceType": "vulnerability",
      "operation": "create"
    },
    "variableMappings": {
      "hostName": "$asset.hostName",
      "cveSummary": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); vulnerability.cves[cvssBaseScore = $maxCvssBaseScore][0].description)",
      "bulletinUrl": "$bulletin.url",
      "cveId": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); vulnerability.cves[cvssBaseScore = $maxCvssBaseScore][0].id)",
      "icon": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); $maxCvssBaseScore > 0 and $maxCvssBaseScore <= 3.9 ? ':warning:' : ($maxCvssBaseScore >= 4 and $maxCvssBaseScore <= 6.9 ? ':standup_ibm_status_major_warning_orange:' : ($maxCvssBaseScore >= 7 and $maxCvssBaseScore <= 8.9 ? ':ibm-warning-filled:' : ':alert1:')))",
      "serverName": "$asset.serverName",
      "cvssBaseScore": "$number($max(vulnerability.cves.cvssBaseScore))",
      "isJdk": "$asset.type = 'jdk'",
      "serverId": "$asset.id",
      "productName": "$asset.productName"
    }
}

The JSONata expressions are explained as follows.

  • cveSummary: the description of the CVE in the resource notification that has the highest CVSS score.
  • cveId: the CVE ID of the CVE in the resource notification that has the highest CVSS score.
  • icon: an icon that indicates the urgency of the CVE with the highest CVSS score; a warning symbol is shown for a CVSS score of 3.9 or lower, a major warning for 4.0 to 6.9, and an alert for scores greater than 7.0.
  • cvssBaseScore: the highest CVSS score among the CVEs in the resource notification.

The following variables use context variables. For more information, see Trigger resources.

  • isJdk: a Boolean value that evaluates to true if the CVE is set to affect the Java Developer Kit.
  • productName: the name of the product that has the vulnerability.
  • serverName: the name of the server that has the vulnerability.
  • hostName: the host name of the runtime that has the vulnerability.
  • bulletinUrl: the URL of the security bulletin for the vulnerability.

Use the Swagger UI to enable the resource trigger so that its JSON code runs. For more information, see Creating a resource trigger.

What to do next

Now that the resource trigger is enabled, the Slack notification action is called only when WebSphere Automation detects a new CVE in a managed asset. If you recently used the WebSphere Automation user interface to install a fix for such a CVE, you can use WebSphere Automation to uninstall the fix so that the triggering condition occurs. After you verify that the Slack notification action works correctly, reinstall the fix to avoid exposure.