fleet
Article: Discovering xz vulnerability with Fleet [May 30]
Article
Proposed article title
Blog Post Summary
Goal
| User story |
|---|
| As a Fleet Admin, |
| I want to automate the remediation of the XZ vulnerability using Fleet |
| so that I can improve my organization's security posture. |
For help creating a user story, see "Writing a good user story" in the website handbook.
Technical Details
- Blog Post Type
  - [ ] How-To Guide
  - [ ] Case Study
  - [ ] Interview
  - [ ] Opinion Piece
  - [ ] Research/Insight
  - [ ] Product Update
  - [ ] Other (please specify)
- Target Audience
  - [ ] IT Administrators
  - [ ] Security Analysts
  - [ ] Developers
  - [ ] General Audience
- Targeting Details
  - [ ] Target Length:
  - [ ] Release Date:
  - [ ] Draft Due Date:
  - [ ] SEO Keywords:
  - [ ] SEO Title:
  - [ ] SEO Description:
- TODO
  - [ ] Author: ( )
  - [ ] Proofread for readability/tone: ( )
  - [ ] Technical Reviewer: ( )
  - [ ] Final Art from Design: ( )
  - [ ] Final Approver: ( )
  - [ ] Merge PR / Publish on website
  - [ ] Field Marketing (@drewbakerfdm): Post on social media
  - [ ]
Prerequisites
<-- List any prerequisites that the reader should have before diving into the blog post. -->
Key Points
References/Resources
Additional Notes
Working Document
Published Link
@nonpunctual It looks like this article is pretty much ready to publish, but we need the queries you used. Would you please provide those ASAP? I think there's a time window since folks are moving on from this topic, so we'll need to publish soon.
@lukeheath @spokanemac I guess I've been unsure whether or not this workflow is a good demo for the product.
REMEDIATION SCRIPT:
```sh
#!/bin/sh
# binary name to check
applstr='brew'
# get current logged in user
crntusr="$(/usr/bin/stat -f %Su /dev/console)"
# Check if brew is installed (run as the console user through a login shell so
# Homebrew's PATH applies); exit with instruction if not.
# Redirect order matters: send stdout to /dev/null first, then stderr to stdout.
if ! /usr/bin/sudo -i -u "$crntusr" /usr/bin/which "$applstr" > /dev/null 2>&1
then
    printf "Homebrew may not be installed.\nPlease install Homebrew to use this remediation.\nFor instructions, see https://brew.sh/\n"; exit
fi
# collect xz version (empty when xz is not on the user's PATH)
xz_vers="$(/usr/bin/sudo -i -u "$crntusr" xz --version 2>/dev/null)"
# remediate via Homebrew
if [ -z "$xz_vers" ]
then
    printf "xz not installed via Homebrew.\nHost may not be vulnerable.\nExiting...\n"; exit
elif echo "$xz_vers" | /usr/bin/grep -qE '5\.6\.0|5\.6\.1'
then
    printf "Executing Homebrew upgrade to roll xz back to known good version...\n"
    /usr/bin/sudo -i -u "$crntusr" brew upgrade xz; /usr/bin/sudo -i -u "$crntusr" brew cleanup xz --prune=0
else
    printf "xz version ok.\n"
fi
```
QUERY THAT SATISFIES FLEET POLICY:
SCRIPT SCREENSHOT:
Tines Story URL:
https://rough-silence-1075.tines.com/stories/55098
Tines screenshot:
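The remediation script above decides whether a host is affected by grepping `xz --version` output for the substrings `5.6.0` and `5.6.1`. The following is an added example, not code from this thread or from Fleet, showing the same check done by exact version match (so a hypothetical later release such as `5.6.10` is not flagged) and applied to several common install locations rather than only the Homebrew copy on the console user's PATH. The sample banners are constructed; the path list and the `xz_*` function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the issue thread): classify an `xz --version` banner
# by exact version match instead of a substring grep.
# Assumption: the banner's first line looks like "xz (XZ Utils) 5.6.1".

# Print the version number found on the first line of an `xz --version` banner;
# print nothing if the line does not look like an xz banner.
xz_banner_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "xz" { print $4 }'
}

# Return 0 (true) only for the two known affected upstream releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Map a banner to one of: affected, ok, unknown (unknown = not an xz banner).
xz_classify_banner() {
    v="$(xz_banner_version "$1")"
    if [ -z "$v" ]; then
        echo unknown
    elif xz_version_affected "$v"; then
        echo affected
    else
        echo ok
    fi
}

# Check each executable xz found in common locations on this host.
# The path list is an assumption; extend it for your environment.
xz_scan_paths() {
    for p in /usr/bin/xz /usr/local/bin/xz /opt/homebrew/bin/xz /home/linuxbrew/.linuxbrew/bin/xz; do
        [ -x "$p" ] || continue
        printf '%s %s\n' "$p" "$(xz_classify_banner "$("$p" --version 2>/dev/null)")"
    done
}

# Constructed sample banners (not captured from a real host).
SAMPLE_AFFECTED="$(printf 'xz (XZ Utils) 5.6.1\nliblzma 5.6.1')"
SAMPLE_OK="$(printf 'xz (XZ Utils) 5.4.6\nliblzma 5.4.6')"
SAMPLE_FUTURE="$(printf 'xz (XZ Utils) 5.6.10\nliblzma 5.6.10')"   # hypothetical version

if [ "${1:-}" = "--scan" ]; then
    xz_scan_paths
fi
```

Run it with `--scan` to list every xz binary found in the candidate paths with its classification; without arguments it only defines the functions, so it can be sourced from a larger remediation script.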
@nonpunctual Thanks! This is an excellent example for a specific use case: remediating xz installed with homebrew. We should call out that the xz vuln can hide in many different places, and maybe provide queries for those, but only provide the remediation script for homebrew.
@spokanemac Up to you if you want to include additional queries to hunt for xz. I generated some examples but haven't tried any of these:
To search for the presence and usage of the xz utility on your fleet of computers and servers using osquery, you can run several queries to get a comprehensive view. Here are some useful queries:
Check Installed Packages
This query checks if xz is installed on the system.
```sql
-- rpm_packages and deb_packages exist only on Linux, programs only on Windows;
-- run each part against hosts of the matching platform.
-- Every SELECT in a UNION must return the same number of columns.
SELECT name, version, source FROM rpm_packages WHERE name = 'xz'
UNION ALL
SELECT name, version, source FROM deb_packages WHERE name = 'xz'
UNION ALL
SELECT name, version, install_source AS source FROM programs WHERE name = 'xz';
```
Locate Binary Files
This query finds the location of the xz binary.
```sql
-- A wildcard at the start of the path walks the whole filesystem and can be slow on the host.
SELECT path FROM file WHERE path LIKE '%/xz';
```
Check for Running Processes
This query checks if the xz process is currently running.
```sql
SELECT pid, name, path, cmdline FROM processes WHERE name = 'xz';
```
Check for Usage in Logs
This query searches for references to xz in system logs.
```sql
-- Requires the osquery syslog table to be enabled on the host.
SELECT * FROM syslog WHERE message LIKE '%xz%';
```
Check for Binary Presence in Common Paths
This query checks common system paths for the presence of the xz binary.
```sql
SELECT path FROM file WHERE path IN ('/bin/xz', '/usr/bin/xz', '/usr/local/bin/xz', '/sbin/xz', '/usr/sbin/xz', '/usr/local/sbin/xz');
```
File Integrity Monitoring (FIM)
This query monitors changes to the xz binary.
```sql
-- Requires file integrity monitoring to be configured for the watched paths.
SELECT * FROM file_events WHERE target_path LIKE '%/xz';
```
Check for Installed Libraries
This query checks for libraries related to xz.
```sql
-- Select the shared columns explicitly; SELECT * would give each table a
-- different column count and the UNION would fail.
SELECT name, version FROM rpm_packages WHERE name LIKE '%xz%'
UNION ALL
SELECT name, version FROM deb_packages WHERE name LIKE '%xz%'
UNION ALL
SELECT name, version FROM programs WHERE name LIKE '%xz%';
```
@spokanemac @lukeheath I took a giant whack at revising this article from top to bottom:
https://docs.google.com/document/d/1CDMxLqTiTwmqDEUsRqEbR5iQ48-_PLksUmCCN4ZwA9s/edit
@nonpunctual Just make sure those queries are correct, I generated them and didn't run them.
@lukeheath @spokanemac I checked them. I removed the one that searches the entire fs. I don't think that's safe. All the others are limited in scope & I added notes to say that wildcards may impact Host performance.
@ksatter please read the article at the Google Docs link above & approve. Thank you!!!
@nonpunctual @ksatter Checking in on this. I have it slated to publish on Thursday.
@spokanemac I think it's ready to go. Also went through it w @zayhanlon & she approved the content & the idea. @ksatter would appreciate 1 more look from you after our knock-down, drag-out session from earlier. :) Thanks.
Admins with Fleet's aid, Quell XZ's threat, security made, A fortress upgraded.