Our Professional Services team has done a huge amount of work, very quickly, to build a content pack that will help you identify the Shellshock vulnerability and monitor the bash bug. We are very proud to make this available to the HP ArcSight community so quickly.
Install and Configure Sysdig
Sysdig is an open source utility used to monitor and analyze system activity. It taps into the kernel, so it can see Shellshock activity regardless of which attack vector (web, SSH, DHCP client and so on) delivered the payload to bash.
To integrate with ArcSight, the Sysdig output is written to a log file and forwarded into ESM through a syslog connector.
You can find instructions for installing and configuring sysdig at www.sysdig.org.
After the application is installed, you will have to configure the OS to start it at boot time. There are several options available to do this, the easiest being editing the rc.local file.
- Open /etc/rc.local for editing and add the following command to monitor and log shellshock activity.
- The hostname sent in the syslog header must be resolvable; otherwise the IP address will have to be sent instead.
- The full FQDN should be sent in the syslog header
1. Ensure that a hostname is configured and resolvable on the end device. The output of the 'hostname' command should return the FQDN. On Red Hat based systems, the hostname can be set by configuring /etc/hosts and /etc/sysconfig/network.
4. By default, the bottom of the file has an example forwarding rule. Append the following to the end of the file and replace <CONNECTOR_HOST> with the hostname or address of the SmartConnector server.
- On production systems, ensure /var/lib/rsyslog has enough space for the queue working files. In this case that is approximately 1 GB.
- The double @@ in @@<CONNECTOR_HOST> selects TCP forwarding. If UDP is required, use a single @ instead (at the cost of losing events when the connector is unreachable).
- On the system with a syslog connector, place sysdig.subagent.sdkrfilereader.properties in <ARCSIGHT_HOME>/user/agent/flexagent/syslog.
- Restart the connector to apply the settings.
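The rsyslog side of the steps above, as an added example that is not the content pack's own forwarding rule: the sysdig log file path, the syslog tag, the local0 facility and port 514 are assumptions, and <CONNECTOR_HOST> is the same placeholder used above. It reads the file written at boot, sends the FQDN in the header, and shows the UDP rule (commented out) beside the TCP rule with a disk-assisted queue capped at the 1 GB noted above.

```conf
# Added example in rsyslog legacy syntax; not from the HP ArcSight content pack.
# Hypothetical path, tag and port: adjust to what your rc.local command writes.

# Tail the file that the sysdig command in /etc/rc.local appends to.
$ModLoad imfile
$InputFileName /var/log/sysdig-shellshock.log
$InputFileTag sysdig:
$InputFileStateFile state-sysdig-shellshock
$InputFileFacility local0
$InputFileSeverity info
$InputRunFileMonitor

# Put the full FQDN, not the short hostname, in the syslog header.
$PreserveFQDN on

# Weak setting: a single @ is UDP. Events are silently dropped whenever the
# connector is down or cannot keep up, which is exactly when you need them.
# local0.* @<CONNECTOR_HOST>:514

# Preferred: a double @@ is TCP, backed by a disk-assisted queue so an outage
# of the connector spools events under /var/lib/rsyslog instead of losing them.
$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName sysdig-shellshock-fwd
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
local0.* @@<CONNECTOR_HOST>:514
```

The $ActionQueue* directives apply to the next action line only, so keep them immediately above the TCP rule; $ActionResumeRetryCount -1 makes rsyslog retry the connection indefinitely rather than discarding the action after a few failures.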
Install Shellshock Content Pack
1. Login to the ArcSight Console.
2. From the Navigator panel, click the Packages tab.
3. Click on the Import button to open the explorer window.
4. From the explorer window, navigate to the Lightning Base Package and click on Open. This will start the import process.
5. Click OK to close the dialog menus and complete the installation.
The Shellshock Content Pack
There are several resources to help you address your Shellshock vulnerability issues. The content is primarily based on two rules:
- /All Rules/Public/Shellshock/Sysdig Shellshock Exploit Detected
- /All Rules/Public/Shellshock/Shellshock Bash Vulnerability Detected
The Sysdig Shellshock Exploit Detected rule looks for events from the Sysdig utility to identify devices as they are probed or attacked with the Shellshock exploit. The Shellshock Bash Vulnerability Detected rule looks for events where one of the Shellshock vulnerabilities (CVE-2014-6271, CVE-2014-7169 or Nessus - 14272) is referenced.
The Shellshock dashboard gives an overview of the recent Shellshock events reported, as well as a listing of the assets that have been tagged with one of the Shellshock vulnerabilities. The Assets with Shellshock Exposure report gives a list of all assets in the system that have been tagged with one of the Shellshock vulnerabilities. Finally, the Shellshock Events active channel shows all the events described above over a two-hour sliding window.
For more information on this content pack or on HP ArcSight, contact support or your regional sales rep, or visit the HP ArcSight website. You can also read the other blogs here on this vulnerability. A ZIP file is attached and it contains the following files:
- Shellshock Guide.docx
The guide document covers everything that you need and includes a step by step process for installing the sysdig tool, the FlexConnector that receives the logs, and the actual content that identifies when the vulnerability is being exploited. The issue with Shellshock is that exploitation usually does NOT generate log data that any SIEM would pick up (contrary to what some are saying): the payload arrives inside an environment variable and runs in bash before the application writes anything. That is fine, but we still need indicators that a compromise is being attempted, which is why sysdig is needed to observe the activity at the kernel level. From there we process that log data to get a clear view of what is happening.
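The detection logic the paragraph above relies on, as an added example that is not part of the content pack, the guide or sysdig itself: the indicator is an environment variable whose value starts with "() {", the token a vulnerable bash parsed as an exported function definition (and which the CVE-2014-7169 variant shares). The sample events are constructed, in a hypothetical "proc=... env=..." layout that is not sysdig's real output format, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the HP ArcSight content pack or sysdig. Shows the
# Shellshock indicator (an env value beginning with "() {") applied to sample
# events and a probe of the local bash with the widely published test string.

# Constructed sample events in a hypothetical "proc=<name> env=<k=v,...>" layout,
# standing in for whatever the rc.local sysdig command writes to the log file.
# Event 2 carries the classic CVE-2014-6271 payload in an HTTP header a CGI
# script would export; event 4 carries the CVE-2014-7169 variant prefix.
SAMPLE_EVENTS='proc=bash env=PATH=/usr/bin,HOME=/var/www
proc=bash env=HTTP_USER_AGENT=() { :;}; echo vulnerable,PATH=/usr/bin
proc=sh env=HTTP_HOST=example.test,REQUEST_METHOD=GET
proc=bash env=HTTP_COOKIE=() { (a)=>\ ; echo vulnerable,PATH=/usr/bin'

# Print only the events carrying the indicator. Anchoring on "=() {" ties the
# token to the START of a variable value, so "() {" buried mid-string (a normal
# shell function in a script argument, say) is not flagged.
find_shellshock_events() {
    printf '%s\n' "$1" | grep -F '=() {'
}

# Count flagged events; prints 0 (instead of failing) when nothing matches.
count_shellshock_events() {
    printf '%s\n' "$1" | grep -cF '=() {' || true
}

# Probe the local bash with the published CVE-2014-6271 test string.
# Exit status: 0 = vulnerable, 1 = patched, 2 = bash not installed.
bash_is_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    probe=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$probe" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

echo "Flagged events:"
find_shellshock_events "$SAMPLE_EVENTS"
echo "Flagged count: $(count_shellshock_events "$SAMPLE_EVENTS")"

bash_is_vulnerable && rc=0 || rc=$?
case "$rc" in
    0) echo "local bash: VULNERABLE to CVE-2014-6271" ;;
    1) echo "local bash: patched" ;;
    *) echo "local bash: not installed" ;;
esac
```

The same fixed-string match is what you would express in the FlexConnector or rule conditions once the events reach ESM; grep -F is used here so the parentheses and braces need no escaping and the check stays portable across sh implementations.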
The content will be refined over the coming days and weeks, so please provide feedback and comments. The idea is that we work together as a community to make this more valuable. We have made a judgment call and worked out a way to address this now, but it is clear that the attackers are morphing and adjusting their attack options, which means we need to adjust our methods too.