We wrote scripts for Windows and Linux hosts to be used in ASGARD Management Center that scan the host for traces of log4j usage and a script to evaluate the results.
For the playbooks to work, some files need to be put into the /var/lib/nextron/asgard2/playbook-files directory of ASGARD:
- The playbook scripts from this repo's playbook-files
You can use the file upload feature during playbook creation to achieve that:
If you need to edit or update the files, you can do that using scp, rsync, WinSCP or whatever tool you use for Linux file transfer. Do not forget to change the file ownership back to asgard2:asgard2 (e.g. chown asgard2: /var/lib/nextron/asgard2/playbook-files/check4logFOURj*) if it was changed by the upload.
This section explains in detail how to create a playbook. If you are already familiar with ASGARD's playbook creation, the overview in the next two sections is sufficient.
Go to Response Control > Playbooks > Add Playbook, enter
- Name: check4logFOURj Linux
- Description: Runs checks on selected Linux asset(s) in order to find possible log4j instances
and click Add Playbook.
Next, add the individual playbook steps: click anywhere on the newly created playbook to open its drop-down menu and choose Add Step for each of the following steps:
- Upload check script
  - Choose the already uploaded script, or select Upload New File if you want to upload it from the browser.
- Execute check script
  - Commands 1: chmod u+x check4logFOURj.sh
  - Commands 2: bash check4logFOURj.sh
- Download results
  - Path to File / Directory: results
  - Check the 'Is Directory' box
  - Check the 'Recursively' box
Text transcription of the screenshot:
- Name: check4logFOURj Linux
- Description: Runs checks on selected Linux asset(s) in order to find possible log4j instances
- Step 1:
  - Name: Upload check script
  - Type: Download File from ASGARD MC
- Step 2:
  - Name: Execute check script
  - Type: Run Command Line on Endsystem
  - Commands:
    chmod u+x check4logFOURj.sh
    bash check4logFOURj.sh
- Step 3:
  - Name: Download results
  - Type: Upload File to ASGARD MC
  - Path to File / Directory: results
  - Is Directory: checked
  - Recursively: checked
Text transcription of the screenshot:
- Name: check4logFOURj Windows
- Description: Runs checks on selected Windows asset(s) in order to find possible log4j instances
- Step 1:
  - Name: Upload check script
  - Type: Download File from ASGARD MC
- Step 2:
  - Name: Execute check script
  - Type: Run Command Line on Endsystem
  - Commands:
    powershell -exec bypass .\check4logFOURj.ps1
- Step 3:
  - Name: Download results
  - Type: Upload File to ASGARD MC
  - Path to File / Directory: results
  - Is Directory: checked
  - Recursively: checked
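The check scripts above (check4logFOURj.sh and check4logFOURj.ps1) are not reproduced on this page. As an added illustration of what such a host-side check does, the following Python example is not the repository's code: it walks a directory tree, opens every JAR/WAR/EAR as a ZIP container, flags archives that carry the log4j-core JndiLookup class or that bundle a log4j-core jar inside them (fat JARs and WARs are the usual place these hide), reads the version from the file name or the manifest, and writes the findings into a results/ directory of the kind the "Download results" step collects. The marker class, the results file name and the one-line-per-finding layout are assumptions made for this example; the sample tree is constructed in a temporary directory.

```python
"""Added example (not check4logFOURj.sh): inventory log4j-core occurrences on a host."""
from __future__ import annotations

import re
import tempfile
import zipfile
from pathlib import Path

# Assumption for this example: the presence of this class marks a log4j-core 2.x build.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches "log4j-core-<version>.jar" either as a file name or as an entry inside an archive.
CORE_NAME = re.compile(r"(?:^|/)log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$")
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}


def manifest_version(zf: zipfile.ZipFile) -> str:
    """Read Implementation-Version from META-INF/MANIFEST.MF, or 'unknown' if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def inspect_archive(path: Path) -> list[dict]:
    """Findings for one archive: itself if it contains log4j-core classes, plus every
    log4j-core jar nested inside it (shaded/fat JARs and WARs are the edge case here)."""
    findings: list[dict] = []
    try:
        zf = zipfile.ZipFile(path)
    except (zipfile.BadZipFile, OSError):
        return findings  # not a ZIP container (or unreadable): skip quietly
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            outer = CORE_NAME.search(path.name)
            version = outer.group(1) if outer else manifest_version(zf)
            findings.append({"path": str(path), "version": version, "nested_in": ""})
        for name in names:
            inner = CORE_NAME.search(name)
            if inner:
                findings.append({"path": name, "version": inner.group(1),
                                 "nested_in": str(path)})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk root recursively and inspect every archive-like file."""
    findings: list[dict] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(p))
    return findings


def write_results(findings: list[dict], results_dir: Path) -> Path:
    """Write one 'path;version;nested_in' line per finding (assumed layout)."""
    results_dir.mkdir(parents=True, exist_ok=True)
    out = results_dir / "log4j-findings.txt"
    with out.open("w", encoding="utf-8") as fh:
        for f in findings:
            fh.write(f"{f['path']};{f['version']};{f['nested_in']}\n")
    return out


def build_sample_tree(base: Path) -> Path:
    """Constructed input: a plain log4j-core jar, a WAR bundling one, and an unrelated jar."""
    app = base / "opt" / "app"
    app.mkdir(parents=True)
    with zipfile.ZipFile(app / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\n")
    with zipfile.ZipFile(app / "webapp.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", b"PK")  # placeholder bytes
    with zipfile.ZipFile(app / "commons-io.jar", "w") as zf:
        zf.writestr("org/apache/commons/io/IOUtils.class", b"\xca\xfe\xba\xbe")
    return base


def demo() -> list[dict]:
    """Build the constructed tree in a temp dir, scan it, write results/, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        findings = scan_tree(root)
        write_results(findings, root / "results")
    return findings


if __name__ == "__main__":
    for f in demo():
        print(f)
```

On a real host you would call scan_tree() on "/" (or the application roots you care about) and let the playbook's "Download results" step pick up the results directory; unknown versions are deliberately reported rather than dropped so they can be triaged by hand.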
The evaluation script can be found in this repository at evaluation-script. The script takes the ZIP files generated by ASGARD Group Tasks (issued under Response Control), prints the results as text on the command line, and offers flags to additionally write JSON or CSV files.
The evaluation script expects the results of the playbooks defined here, and it expects them packaged in a ZIP archive as a Group Task produces it. So even if you only plan to scan one system, scan it with a Group Task.
The help text:
usage: evalPB.py [-h] [-v] [--json JSONPATH] [--csv CSVPATH] inputfile [inputfile ...]
Evaluate Playbook Results
positional arguments:
inputfile Input Zip file(s) downloaded from ASGARD Playbook
options:
-h, --help show this help message and exit
-v, --vulnerable Only print findings of vulnarable versions
--json JSONPATH Dump results into json with the given path
--csv CSVPATH Dump results into csv with the given path
Save output as CSV:
python evalPB.py --csv log4j-inventory.csv results-1234.zip
You can also add multiple playbook results (e.g. from Windows and Linux hosts):
python evalPB.py --csv log4j-inventory.csv results-win.zip results-lin.zip
The result can then be evaluated with an auto filter table:
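The evaluation step itself, as an added example rather than the repository's evalPB.py: it opens one or more result ZIPs in memory, pulls every per-host findings file out of them, merges the rows into a single inventory, marks each row as vulnerable or not, and can write the inventory as CSV or JSON. The archive layout (<hostname>/results/log4j-findings.txt with "path;version;nested_in" lines) and the fixed-version threshold (anything below 2.17.0 counted as vulnerable, unknown versions included) are assumptions made for this example; the two sample archives standing in for results-win.zip and results-lin.zip are constructed inline.

```python
"""Added example (not the repository's evalPB.py): merge playbook result ZIPs into an inventory."""
from __future__ import annotations

import argparse
import csv
import io
import json
import zipfile
from pathlib import PurePosixPath

FINDINGS_NAME = "log4j-findings.txt"   # assumed results file name inside each archive
FIXED_VERSION = (2, 17, 0)             # assumed threshold; align with the advisory you follow
FIELDS = ["host", "path", "version", "nested_in", "vulnerable", "source"]


def parse_version(v: str) -> tuple[int, ...] | None:
    """'2.14.1' -> (2, 14, 1), padded to three components; malformed/unknown -> None."""
    try:
        parts = tuple(int(x) for x in v.strip().split("."))
    except ValueError:
        return None
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version: str) -> bool:
    """Unknown versions count as vulnerable so they surface for manual triage."""
    parsed = parse_version(version)
    return parsed is None or parsed < FIXED_VERSION


def parse_zip(data: bytes, source: str) -> list[dict]:
    """Extract rows from one result archive; the host name is the top-level folder."""
    rows: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            entry = PurePosixPath(name)
            if entry.name != FINDINGS_NAME:
                continue
            host = entry.parts[0]
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if not line.strip():
                    continue
                path, version, nested_in = (line.split(";") + ["", ""])[:3]
                rows.append({"host": host, "path": path, "version": version,
                             "nested_in": nested_in,
                             "vulnerable": is_vulnerable(version), "source": source})
    return rows


def evaluate(archives: dict[str, bytes], only_vulnerable: bool = False) -> list[dict]:
    """Merge several archives (e.g. Windows and Linux results) into one row list."""
    rows: list[dict] = []
    for name, data in archives.items():
        rows.extend(parse_zip(data, name))
    return [r for r in rows if r["vulnerable"]] if only_vulnerable else rows


def to_csv(rows: list[dict]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_archives() -> dict[str, bytes]:
    """Constructed stand-ins for results-lin.zip and results-win.zip."""
    def make(entries: dict[str, str]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for host, text in entries.items():
                zf.writestr(f"{host}/results/{FINDINGS_NAME}", text)
        return buf.getvalue()
    lin = make({"web01": "/opt/app/log4j-core-2.14.1.jar;2.14.1;\n"
                         "WEB-INF/lib/log4j-core-2.17.1.jar;2.17.1;/opt/app/webapp.war\n",
                "db01": ""})                       # a scanned host with no findings
    win = make({"APP-SRV": "C:\\app\\lib\\log4j-core-2.16.0.jar;2.16.0;\n"
                           "C:\\tools\\bundle.jar;unknown;\n"})
    return {"results-lin.zip": lin, "results-win.zip": win}


def main() -> None:
    ap = argparse.ArgumentParser(description="Evaluate Playbook Results (example)")
    ap.add_argument("inputfile", nargs="*", help="result ZIP(s); none = built-in sample")
    ap.add_argument("-v", "--vulnerable", action="store_true")
    ap.add_argument("--json", metavar="JSONPATH")
    ap.add_argument("--csv", metavar="CSVPATH")
    args = ap.parse_args()
    archives = ({p: open(p, "rb").read() for p in args.inputfile}
                if args.inputfile else build_sample_archives())
    rows = evaluate(archives, args.vulnerable)
    for r in rows:
        print(f"{r['host']:10} {r['version']:8} {'VULN' if r['vulnerable'] else 'ok  '} {r['path']}")
    if args.json:
        open(args.json, "w", encoding="utf-8").write(json.dumps(rows, indent=2))
    if args.csv:
        open(args.csv, "w", encoding="utf-8", newline="").write(to_csv(rows))


if __name__ == "__main__":
    main()
```

Run without arguments to see the constructed sample evaluated; with real archives, use the same flag shape as the help text above (--csv, --json, -v). Hosts that were scanned but had no findings produce no rows, so compare the host list against the Group Task's asset list if you need proof of coverage.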