Creating a Slack notification when a new vulnerability is detected

Using the WebSphere Automation Swagger UI, the Slack Block Kit Builder, and Mustache syntax, create a flow that sends a notification to a webhook, which in turn generates a Slack message. The notification contains the details of any new vulnerability that WebSphere Automation detects.

Before you begin

If you plan to implement variables or conditional processing, make sure that you are familiar with Mustache syntax.

Review the WebSphere Automation resource notification

The expected result of this tutorial is that Slack displays a message that contains information passed from a newly created resource notification in WebSphere Automation. For this tutorial, the resource notification contains the details of the new vulnerability record that is created when a new vulnerability is detected on a managed server. In the following example resource notification, the value of the type parameter is create, and the created object is a vulnerability.

{
    "type": "CREATE",
    "vulnerability": {
        "id": "70357d34-411d-3321-a60f-ede653897a55",
        "name": "6557248 : server1@defected1.example.com",
        "description": "Multiple vulnerabilities exist in the Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) library used by IBM WebSphere Application Server in the Admin Console and UDDI Registry application. The same Apache library is also used by the IBM WebSphere Application Server Liberty for z/OS in features zosConnect-1.0 and zosConnect-1.2. All vulnerabilities have been addressed previously by removing all existing Apache Log4j versions.",
        "assetId": "1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
        "securityBulletinId": "23c15e59-1ef9-3eb5-a175-0845597cdbc1",
        "resolved": false,
        "cves": [
            {
                "id": "CVE-2022-23302",
                "description": "Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.",
                "cvssBaseScore": 8.8
            },
            {
                "id": "CVE-2022-23305",
                "description": "Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.",
                "cvssBaseScore": 6.5
            },
            {
                "id": "CVE-2022-23307",
                "description": "Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.",
                "cvssBaseScore": 9.8
            }
        ],
        "remediations": [
            {
                "startVersion": "9.0.0.0",
                "endVersion": "9.0.5.10",
                "operator": "OR",
                "iFixes": [
                    "PH42762"
                ],
                "fixPack": "9.0.5.11",
                "additionalInstallationInstructions": "https://www.ibm.com/support/pages/node/6557248"
            }
        ],
        "links": {
            "self": {
                "rel": "self",
                "href": "https://cpd-websphere-automation.apps.wsa-412.example.com/vulnerabilities/70357d34-411d-3321-a60f-ede653897a55",
                "type": "application/json",
                "title": "self"
            },
            "asset": {
                "rel": "related",
                "href": "https://cpd-websphere-automation.apps.wsa-412.example.com/assets/1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
                "type": "application/json",
                "title": "asset"
            },
            "securityBulletin": {
                "rel": "related",
                "href": "https://cpd-websphere-automation.apps.wsa-412.example.com/bulletins/23c15e59-1ef9-3eb5-a175-0845597cdbc1",
                "type": "application/json",
                "title": "securityBulletin"
            }
        },
        "created": "2023-05-17T10:10:29Z",
        "createdBy": "vulnerability-manager",
        "updated": "2023-05-17T10:10:29Z",
        "updatedBy": "vulnerability-manager",
        "secondsExposed": 1379
    }
}

The information of interest includes the CVE ID, the CVSS score, the affected server, the vulnerability description, and the security bulletin URL.

Define the procedure and the expected result

The result is that the Slack webhook target receives information about a new high-severity CVE and displays that information in a new Slack message.

  1. Open a web browser to use the Slack Block Kit Builder.
    https://app.slack.com/block-kit-builder/
  2. Use the Block Kit Builder to construct a message that displays the text in the format you prefer. The following example was used to construct this Slack message.
    Example Slack message about a vulnerability detected on a managed server
    {
      "blocks": [
        {
          "type": "section",
          "text": {
            "type": "mrkdwn",
            "text": ":alert1: WebSphere Automation detected a vulnerability for CVE <https://www.ibm.com/support/pages/node/6525706|CVE-2021-44228> (CVSS base score 10.0) on server *server1* on host *defected1.example.com*."
          }
        },
        {
          "type": "divider"
        },
        {
          "type": "section",
          "text": {
            "type": "mrkdwn",
            "text": "*CVE Information*\nApache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam."
          }
        },
        {
          "type": "divider"
        },
        {
          "type": "actions",
          "elements": [
            {
              "type": "button",
              "text": {
                "type": "plain_text",
                "text": "View Bulletin",
                "emoji": true
              },
              "value": "click_me",
              "url": "https://www.ibm.com/support/pages/node/6525706"
            },
            {
              "type": "button",
              "text": {
                "type": "plain_text",
                "text": "View All server1 CVEs",
                "emoji": true
              },
              "value": "click_me_123",
              "url": "https://cpd-websphere-automation.example.com/websphereauto/websphere/1a5d141a-3294-3ff3-9182-5ae1d4f3465d/vulnerabilities/cves"
            }
          ]
        }
      ]
    }
  3. After the Slack message is constructed correctly, use Mustache syntax to substitute variables. Make these substitutions for the parameters that are to be sent from the WebSphere Automation event.
    {
        "channel": "<your_Slack_channel>",
        "blocks": [
          {
            "type": "header",
            "text": {
              "type": "plain_text",
              "text": "Vulnerability Detected"
            }
          },
          {
            "type": "divider"
          },
          {
            "type": "section",
            "text": {
              "type": "mrkdwn",
              "text": "{{icon}} WebSphere Automation detected a vulnerability for CVE <{{bulletinUrl}}|{{cveId}}> (CVSS base score {{cvssBaseScore}}) on {{#isJdk}}JDK *{{productName}}*{{/isJdk}}{{^isJdk}}server *{{serverName}}*{{/isJdk}} on host *{{hostName}}*."
            }
          },
          {
            "type": "divider"
          },
          {
            "type": "section",
            "text": {
              "type": "mrkdwn",
              "text": "*CVE Information*\n{{{@wsa_eq_cveSummary}}}"
            }
          },
          {
            "type": "actions",
            "elements": [
              {
                "type": "button",
                "text": {
                  "type": "plain_text",
                  "text": "View Bulletin"
                },
                "value": "click_me",
                "url": "{{bulletinUrl}}"
              }{{^isJdk}},
              {
                "type": "button",
                "text": {
                  "type": "plain_text",
                  "text": "View All CVEs for {{serverName}}"
                },
                "value": "click_me_123",
                "url": "https://cpd-websphere-automation.example.com/websphereauto/websphere/{{serverId}}/vulnerabilities/cves"
              }
              {{/isJdk}}
            ]
          },
          {
            "type": "divider"
          }
        ]
    }
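The step 3 template is only valid JSON after Mustache has rendered it, so the following added example (not part of the original tutorial or the product) renders an abbreviated copy of that template for both the server and the JDK branch with a minimal Mustache renderer and parses the result, which checks that the comma placed inside the {{^isJdk}} section keeps the elements array well formed. The template and variable values are constructed for this example; it uses the plain name cveSummary in place of the page's {{{@wsa_eq_cveSummary}}}, and it JSON-escapes substituted values because triple braces insert text verbatim.

```python
import json
import re

# Abbreviated, constructed form of the step 3 body template. The second button and
# its leading comma sit inside the inverted {{^isJdk}} section, so the elements
# array stays valid JSON whether or not that button is rendered.
TEMPLATE = '''{ "channel": "#alerts", "blocks": [
  { "type": "section", "text": { "type": "mrkdwn", "text": "{{icon}} CVE <{{bulletinUrl}}|{{cveId}}> (CVSS base score {{cvssBaseScore}}) on {{#isJdk}}JDK *{{productName}}*{{/isJdk}}{{^isJdk}}server *{{serverName}}*{{/isJdk}} on host *{{hostName}}*." } },
  { "type": "section", "text": { "type": "mrkdwn", "text": "*CVE Information*\\n{{{cveSummary}}}" } },
  { "type": "actions", "elements": [
    { "type": "button", "text": { "type": "plain_text", "text": "View Bulletin" }, "url": "{{bulletinUrl}}" }{{^isJdk}},
    { "type": "button", "text": { "type": "plain_text", "text": "View All CVEs for {{serverName}}" }, "url": "https://wsa.example.com/websphereauto/websphere/{{serverId}}/vulnerabilities/cves" }{{/isJdk}}
  ] } ] }'''

SECTION = re.compile(r"\{\{([#^])(\w+)\}\}(.*?)\{\{/\2\}\}", re.S)
TAG = re.compile(r"\{\{\{?(\w+)\}?\}\}")


def json_safe(value):
    """Escape a value for use inside a JSON string literal. Mustache triple braces
    insert text verbatim, so a CVE description containing a double quote or a
    backslash would otherwise break the webhook body."""
    return json.dumps(str(value))[1:-1]


def render(template, variables):
    """Minimal Mustache: {{#x}} / {{^x}} sections keyed on real Booleans, then tags.
    JSON escaping stands in for Mustache's HTML escaping because the output is JSON."""
    def section(match):
        kind, key, body = match.groups()
        return body if bool(variables.get(key)) == (kind == "#") else ""
    return TAG.sub(lambda m: json_safe(variables[m.group(1)]), SECTION.sub(section, template))


def build_payload(variables):
    """Render the body and parse it back, which fails loudly if the JSON is broken."""
    return json.loads(render(TEMPLATE, variables))


# Constructed variable sets mirroring the PATCH test values, one per branch.
SERVER_VARS = {"icon": ":alert1:", "bulletinUrl": "https://www.ibm.com/support/pages/node/6525706",
               "cveId": "CVE-2021-44228", "cvssBaseScore": 10.0, "isJdk": False,
               "serverName": "server1", "hostName": "defected1.example.com",
               "serverId": "1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
               "productName": "WebSphere Application Server",
               "cveSummary": 'Summary with "quotes" and a backslash \\ in it'}
JDK_VARS = {**SERVER_VARS, "isJdk": True, "productName": "IBM SDK 8.0"}

if __name__ == "__main__":
    for variables in (SERVER_VARS, JDK_VARS):
        blocks = build_payload(variables)["blocks"]
        print(len(blocks[2]["elements"]), "button(s):", blocks[0]["text"]["text"])
```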

Set up the webhook action

Use the WebSphere Automation Swagger UI to create the webhook action. For more information, see Creating a webhook action.

In the body parameter, create a comma-separated list of the JSON elements that you created in the Slack Block Kit Builder. Quotation marks in the body parameter value must be escaped with the backslash character. Use Mustache notation (double curly braces) for the variable names that you created.

{
    "id": "74313a6b-a163-4f7d-833b-31bf4f12670a",
    "name": "Vulnerability Slack Notification Action",
    "description": "POSTs a notification to Slack when triggered",
    "type": "webhook",
    "enabled": true,
    "configuration": {
      "targetUrl": "https://hooks.slack.com/services/12345/12345/12345",
      "method": "POST",
      "contentType": "application/json",
      "headers": [],
      "body": "{ \"channel\": \"<your_Slack_channel>\", \"blocks\": [ { \"type\": \"header\", \"text\": { \"type\": \"plain_text\", \"text\": \"Vulnerability Detected\" } }, { \"type\": \"divider\" }, { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \"{{icon}} WebSphere Automation detected a vulnerability for CVE <{{bulletinUrl}}|{{cveId}}> (CVSS base score {{cvssBaseScore}}) on {{#isJdk}}JDK *{{productName}}*{{/isJdk}}{{^isJdk}}server *{{serverName}}*{{/isJdk}} on host *{{hostName}}*.\" } }, { \"type\": \"divider\" }, { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \"*CVE Information*\\n{{{@wsa_eq_cveSummary}}}\" } }, { \"type\": \"actions\", \"elements\": [ { \"type\": \"button\", \"text\": { \"type\": \"plain_text\", \"text\": \"View Bulletin\" }, \"value\": \"click_me\", \"url\": \"{{bulletinUrl}}\" }{{^isJdk}}, { \"type\": \"button\", \"text\": { \"type\": \"plain_text\", \"text\": \"View All CVEs for {{serverName}}\" }, \"value\": \"click_me_123\", \"url\": \"https://cpd-websphere-automation.example.com/websphereauto/websphere/{{serverId}}/vulnerabilities/cves\" } {{/isJdk}} ] }, { \"type\": \"divider\" } ] }"
    }
}

Test the webhook action

To test the webhook action, open the WebSphere Automation Swagger UI and use the PATCH /action/{actionId} control to pass hardcoded values to Slack. For more information, see Creating an action.

In the actionId text field, enter the action ID. Use the actionId value that the Swagger UI assigned to the action when you created it.

In the Request body field, enter the following JSON code:

{
   "operation": "invoke-action",
   "variables": {
      "hostName": "example.com",
      "cveSummary": "Example CVE summary",
      "bulletinUrl": "https://www.ibm.com/support/pages/node/6525706",
      "cveId": "CVE-2021-44228",
      "icon": ":alert1:",
      "serverName": "server1",
      "cvssBaseScore": "10",
      "isJdk": "false",
      "serverId": "1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
      "productName": "WebSphere Application Server"
   }
}

Click Execute.

Make sure that the value of the server response code is 200. A successful response also has "successful": true in the response body.

Open the Slack channel and confirm that a new message was created.

Create the resource trigger

Follow the instructions to create a resource trigger. See the following example resource trigger.

Set the value of the actionId parameter to the action ID that the Swagger UI assigned to the action.

In the variableMappings section, create variables that match the variables defined in the action and in the events table. For each variable, create a JSONata expression (https://try.jsonata.org/) whose value is either a Boolean or the value to pass to the webhook.

{
    "id": "46e65c6e-8c9d-4fe9-90fb-ac5ca2303fae",
    "name": "Vulnerability Created Trigger",
    "description": "Triggers the Slack Notification action when a vulnerability with a CVE that has a CVSS base score greater than 9 is created.",
    "actionId": "<your_Slack_Notification_action_id>",
    "type": "resource",
    "enabled": true,
    "configuration": {
      "resourceType": "vulnerability",
      "operation": "create"
    },
    "variableMappings": {
      "hostName": "$asset.hostName",
      "cveSummary": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); vulnerability.cves[cvssBaseScore = $maxCvssBaseScore][0].description)",
      "bulletinUrl": "$bulletin.url",
      "cveId": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); vulnerability.cves[cvssBaseScore = $maxCvssBaseScore][0].id)",
      "icon": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); $maxCvssBaseScore > 0 and $maxCvssBaseScore <= 3.9 ? ':warning:' : ($maxCvssBaseScore >= 4 and $maxCvssBaseScore <= 6.9 ? ':standup_ibm_status_major_warning_orange:' : ($maxCvssBaseScore >= 7 and $maxCvssBaseScore <= 8.9 ? ':ibm-warning-filled:' : ':alert1:')))",
      "serverName": "$asset.serverName",
      "cvssBaseScore": "$number($max(vulnerability.cves.cvssBaseScore))",
      "isJdk": "$asset.type = 'jdk'",
      "serverId": "$asset.id",
      "productName": "$asset.productName"
    }
}

The various JSONata expressions are described as follows.

  • cveSummary: The description of the CVE in the resource notification that has the highest CVSS score.
  • cveId: The CVE ID of the CVE in the resource notification that has the highest CVSS score.
  • icon: An icon that indicates the urgency of the CVE with the highest CVSS score; a warning symbol is shown for a CVSS score of 3.9 or lower, a major warning for 4.0 to 6.9, and an alert for scores greater than 7.0.
  • cvssBaseScore: The highest CVSS score among the CVEs in the resource notification.

The following variables use context variables. For more information, see "Trigger resources".

  • isJdk: A Boolean that evaluates to true if the CVE affects a Java Developer Kit.
  • productName: The name of the product that has the vulnerability.
  • serverName: The name of the server that has the vulnerability.
  • hostName: The host name of the runtime that has the vulnerability.
  • bulletinUrl: The URL of the security bulletin for the vulnerability.
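To see what the variableMappings above produce before the trigger is enabled, the following added example (not part of the original tutorial or the product, and not JSONata) reproduces their logic in Python against an abbreviated, constructed copy of the example resource notification: it selects the first CVE with the highest CVSS base score, applies the same severity bands as the nested ternary in the icon mapping, and derives isJdk from the asset type. The asset and bulletin dictionaries, including the asset type value "was", are assumptions standing in for the $asset and $bulletin context variables.

```python
# Constructed, abbreviated copy of the example resource notification, plus the
# asset and bulletin context that the trigger's $asset and $bulletin references
# would supply (field names taken from the variableMappings; values assumed).
NOTIFICATION = {"type": "CREATE", "vulnerability": {"cves": [
    {"id": "CVE-2022-23302", "description": "Unsafe deserialization in JMSSink.", "cvssBaseScore": 8.8},
    {"id": "CVE-2022-23305", "description": "SQL injection via JDBCAppender.", "cvssBaseScore": 6.5},
    {"id": "CVE-2022-23307", "description": "Unsafe deserialization in Chainsaw.", "cvssBaseScore": 9.8},
]}}
ASSET = {"hostName": "defected1.example.com", "serverName": "server1", "type": "was",
         "id": "1a5d141a-3294-3ff3-9182-5ae1d4f3465d", "productName": "WebSphere Application Server"}
BULLETIN = {"url": "https://www.ibm.com/support/pages/node/6557248"}


def severity_icon(score):
    """Same closed bands as the nested ternary in the icon mapping. A score that
    none of the bands cover (0, or a value between two bands) falls through to
    ':alert1:', the highest-urgency icon."""
    if 0 < score <= 3.9:
        return ":warning:"
    if 4 <= score <= 6.9:
        return ":standup_ibm_status_major_warning_orange:"
    if 7 <= score <= 8.9:
        return ":ibm-warning-filled:"
    return ":alert1:"


def map_variables(notification, asset, bulletin):
    """Produce the same variable set as the trigger's variableMappings."""
    cves = notification["vulnerability"]["cves"]
    if not cves:
        raise ValueError("vulnerability record carries no CVEs")
    # vulnerability.cves[cvssBaseScore = $max(...)][0]: the first CVE with the top score
    top = max(cves, key=lambda cve: cve["cvssBaseScore"])
    return {
        "hostName": asset["hostName"],
        "cveSummary": top["description"],
        "bulletinUrl": bulletin["url"],
        "cveId": top["id"],
        "icon": severity_icon(top["cvssBaseScore"]),
        "serverName": asset["serverName"],
        "cvssBaseScore": float(top["cvssBaseScore"]),  # $number(...) keeps it numeric
        "isJdk": asset["type"] == "jdk",                # a real Boolean, as $asset.type = 'jdk' yields
        "serverId": asset["id"],
        "productName": asset["productName"],
    }


if __name__ == "__main__":
    for name, value in map_variables(NOTIFICATION, ASSET, BULLETIN).items():
        print(f"{name}: {value}")
```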

Enable the resource trigger by running its JSON code with the Swagger UI. For more information, see Creating a resource trigger.

What to do next

Now that the resource trigger is enabled, the Slack notification action is invoked only when WebSphere Automation detects a new CVE in a managed asset. If a fix for such a CVE was recently installed by using the WebSphere Automation UI, you can use WebSphere Automation to uninstall the fix to create the right conditions. After you verify that the Slack notification action works correctly, reinstall the fix to avoid exposure.