The document outlines a presentation from the Zabbix Conference LATAM 2016, focusing on monitoring vulnerabilities using Zabbix, Red Hat Enterprise Linux (RHEL), and the Yum security plugin. It covers the importance of vulnerability monitoring, the role of the CVE system, incident response, product security advisories, and how to implement a monitoring solution with Zabbix. Additionally, it provides practical examples, including scripts and templates for generating security reports and monitoring vulnerabilities in various server environments.

1. Zabbix Conference Latam 2016
Monitoring Vulnerabilities with Zabbix, RHEL
and Yum Security Plugin
Alessandro Silva
Technical Account Manager, Red Hat
alsilva@redhat.com
Twitter: @alessssilva

2. Zabbix Conference Latam 2016
$ Who am I
• Pós-graduando em Segurança da Informação – NCE/UFRJ
• Mais de 12 anos na indústria de TI e 10 somente com Linux.
• Certificações:
• RHCE - Red Hat Certified Engineer
• RHCSA em Openstack
• LPIC-3 Core
• LPIC-303 Security Specialist
• Zabbix Certified Specialist
• Desde 2011 trabalhando com Zabbix
• Technical Account Manager na Red Hat
• “Zabbix guy” na Red Hat

3. Zabbix Conference Latam 2016
Agenda
• Vulnerabilidades, impactos e contramedidas
• Por que monitorar vulnerabilidades?
• Segurança do Produto
• Como Zabbix pode nos ajudar?
• A solução Enterprise e Open Source
• Demo

4. Mas, afinal, o que é uma
vulnerabilidade?

5. Zabbix Conference Latam 2016
CVE
Common Vulnerabilities and Exposures
• Formato padronizado para notificação e acompanhamento de
questões de segurança relacionadas a software
• Mantido pela empresa MITRE Corporation
• Common Vulnerability Scoring System (CVSS)
• Severidades: Crítica, Importante, Moderada e Baixa
Vulnerabilidades
0
1000
2000
3000
4000
5000
6000
7000
8000
Número de Vulnerabilidades | Desde 1999
1999 2000
2001 2002
2003 2004
2005 2006
2007 2008
2009 2010
2011 2012
2013 2014
2015 2016
cve.mitre.org

6. Zabbix Conference Latam 2016
Resposta a Incidentes de Segurança
• ERISI/CSIRT - Computer Security Incident Response Team
✔ Investiga e analisa questões relacionadas a segurança de software
✔ Analisa quais produtos são afetados, impactos e contramedidas
• Publicação de erratas
✔ Severidades
✔ Impactos
✔ CVE

7. Zabbix Conference Latam 2016
Segurança do Produto
• Red Hat Security Advisory (RHSA)
• Red Hat Bug Fix Advisory (RHBA)
• Red Hat Enhancement Advisory (RHEA)
RHEL 6.0 RHEL 6.1 RHEL 6.2 RHEL 6.3 RHEL 6.4
0,0
1,0
2,0
3,0
4,0
5,0
6,0
7,0
8,0
9,0
Erratas de Segurança por mês
Red Hat Enterprise Linux - Instalação default do Servidor
Critica
Importante
Baixa/Moderada
Sistema Operacional
Errataspormês

8. Zabbix Conference Latam 2016
Segurança do Produto
Red Hat Enterprise
Linux 5
98%
Das vulnerabilidades
Críticas são corrigidos
em 1 dia
Red Hat Enterprise
Linux 6
92%
Das vulnerabilidades
Críticas são corrigidos
em 1 dia
Red Hat Enterprise
Linux 7
97%
Das vulnerabilidades
Críticas são corrigidos
em 1 dia

9. Zabbix Conference Latam 2016
Mas, o que iremos monitorar?
Servidores Físicos
Eles ainda existem e precisam ser monitorados
Servidores Virtuais
Monitore servidores virtuais em qualquer hypervisor
Monitore instâncias da nuvem
Cloud servers, contêiners,...

10. Zabbix Conference Latam 2016
Por que Monitorar?
Gerenciamento e
compliance
Manutenção
do ciclo de vida
Manter a vigilância
na infraestrutura

11. Como o Zabbix pode ajudar?

12. Zabbix Conference Latam 2016
Usando o Zabbix para monitorar
Notificações
Controle
Centralizado
Configuração
Status
Checagens
Monitoração SNMP
Monitoração com agente
Monitoração com ping e porta
Dispositivos
monitorados
Dispositivos
de rede
Servidores com
Agente Zabbix
Servidores sem
Agente Zabbix

13. Zabbix Conference Latam 2016
Zabbix + RHEL + Yum Security Plugin
YUMYUM
Security Plugin
+ +

14. Zabbix Conference Latam 2016
Implementação
• Instalação do YUM security plugin
• Agendar os relatórios de segurança no Cron
• Estender o agente Zabbix via UserParameter
• Criar o template RHN Security
✔ itens, triggers, gráficos, telas ...
• Criar o script de checagem de vulnerabilidades

15. Zabbix Conference Latam 2016
YUM Security Plugin
# yum install -y yum-plugin-security
# yum updateinfo
Loaded plugins: product-id, refresh-packagekit, rhnplugin, security, subscription-manager
Updates Information Summary: available
42 Security notice(s)
5 Critical Security notice(s)
15 Important Security notice(s)
7 Low Security notice(s)
15 Moderate Security notice(s)
143 Bugfix notice(s)
13 Enhancement notice(s)
updateinfo summary done
# yum install -y yum-plugin-security
# yum updateinfo
Loaded plugins: product-id, refresh-packagekit, rhnplugin, security, subscription-manager
Updates Information Summary: available
42 Security notice(s)
5 Critical Security notice(s)
15 Important Security notice(s)
7 Low Security notice(s)
15 Moderate Security notice(s)
143 Bugfix notice(s)
13 Enhancement notice(s)
updateinfo summary done
YUMYUM
Security Plugin
Gerando o Relatório de Segurança
# crontab -e
* 0 * * * yum updateinfo > $zbxlogdir/security-reports/sec-report

16. Zabbix Conference Latam 2016
Agente Zabbix
Estendendo com UserParameter
UserParameter=rhn.security,grep -m 1 "Security notice" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR) print"0"}'
UserParameter=rhn.security.critical,grep "Critical Security" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR)print "0"}'
UserParameter=rhn.security.important,grep "Important Security" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR) print "0"}'
UserParameter=rhn.security.low,grep "Low Security" /var/log/zabbix/security-reports/sec-
report | awk '{print $1} END { if (!NR) print "0"}'
UserParameter=rhn.security.moderate,grep "Moderate Security" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR)print "0"}'
UserParameter=rhn.bugfix,grep "Bugfix notice" /var/log/zabbix/security-reports/sec-report
| awk '{print $1} END { if (!NR) print "0"}'
UserParameter=rhn.enhancement,grep "Enhancement notice" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR) print "0"}'
UserParameter=rhn.security,grep -m 1 "Security notice" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR) print"0"}'
UserParameter=rhn.security.critical,grep "Critical Security" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR)print "0"}'
UserParameter=rhn.security.important,grep "Important Security" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR) print "0"}'
UserParameter=rhn.security.low,grep "Low Security" /var/log/zabbix/security-reports/sec-
report | awk '{print $1} END { if (!NR) print "0"}'
UserParameter=rhn.security.moderate,grep "Moderate Security" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR)print "0"}'
UserParameter=rhn.bugfix,grep "Bugfix notice" /var/log/zabbix/security-reports/sec-report
| awk '{print $1} END { if (!NR) print "0"}'
UserParameter=rhn.enhancement,grep "Enhancement notice" /var/log/zabbix/security-
reports/sec-report | awk '{print $1} END { if (!NR) print "0"}'
$DIR/etc/zabbix_agentd.conf.d/zabbix_agentd.userparams.conf

17. Zabbix Conference Latam 2016
Relatório de Vulnerabilidades
Vulnerabilidade Severidade Fix
---------------------- -------------------- -------------
CVE-2015-1781 Moderate/Sec. glibc-2.17-105.el7.x86_64
CVE-2013-7423 Moderate/Sec. glibc-2.17-105.el7.x86_64
CVE-2015-1473 Moderate/Sec. glibc-2.17-105.el7.x86_64
CVE-2013-1753 Moderate/Sec. python-2.7.5-34.el7.x86_64
CVE-2014-4616 Moderate/Sec. python-2.7.5-34.el7.x86_64
CVE-2014-4650 Moderate/Sec. python-2.7.5-34.el7.x86_64
CVE-2015-3276 Moderate/Sec. openldap-2.4.40-8.el7.x86_64
CVE-2015-3194 Moderate/Sec. openssl-libs-1:1.0.1e-51.el7_2.1.x86_64
CVE-2015-3196 Moderate/Sec. openssl-libs-1:1.0.1e-51.el7_2.1.x86_64
CVE-2015-3195 Moderate/Sec. openssl-libs-1:1.0.1e-51.el7_2.1.x86_64
CVE-2015-7575 Moderate/Sec. openssl-libs-1:1.0.1e-51.el7_2.2.x86_64
CVE-2016-0797 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
CVE-2016-0702 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
CVE-2016-0705 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
CVE-2016-0800 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
CVE-2015-3197 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
Vulnerabilidade Severidade Fix
---------------------- -------------------- -------------
CVE-2015-1781 Moderate/Sec. glibc-2.17-105.el7.x86_64
CVE-2013-7423 Moderate/Sec. glibc-2.17-105.el7.x86_64
CVE-2015-1473 Moderate/Sec. glibc-2.17-105.el7.x86_64
CVE-2013-1753 Moderate/Sec. python-2.7.5-34.el7.x86_64
CVE-2014-4616 Moderate/Sec. python-2.7.5-34.el7.x86_64
CVE-2014-4650 Moderate/Sec. python-2.7.5-34.el7.x86_64
CVE-2015-3276 Moderate/Sec. openldap-2.4.40-8.el7.x86_64
CVE-2015-3194 Moderate/Sec. openssl-libs-1:1.0.1e-51.el7_2.1.x86_64
CVE-2015-3196 Moderate/Sec. openssl-libs-1:1.0.1e-51.el7_2.1.x86_64
CVE-2015-3195 Moderate/Sec. openssl-libs-1:1.0.1e-51.el7_2.1.x86_64
CVE-2015-7575 Moderate/Sec. openssl-libs-1:1.0.1e-51.el7_2.2.x86_64
CVE-2016-0797 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
CVE-2016-0702 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
CVE-2016-0705 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
CVE-2016-0800 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
CVE-2015-3197 Important/Sec. openssl-libs-1:1.0.1e-51.el7_2.4.x86_64
Gerando o Relatório de Vulnerabilidades:
# crontab -e
* 0 * * * yum updateinfo list cve > $zbxlogdir/security-reports/vuln-report

18. Zabbix Conference Latam 2016
Projeto está disponível
• Template
• Arquivos de configuração
• Scripts
https://github.com/alessssilva/zabbix/tree/master/zabbix-security-insights
It's better to
SHARE
Your mother was right

19. DEMO

20. Zabbix Conference Latam 2016
Referências
• Product Security Overview
✔ https://access.redhat.com/site/security/team/
• Red Hat Security Center
✔ https://access.redhat.com/security/
• Documentação oficial do Zabbix
✔ http://zabbix.com/documentation
• Common Vulnerabilities and Exposure
✔ http://cve.mitre.org/

21. 22INSERT DESIGNATOR, IF NEEDED
OBRIGADO!
plus.google.com/+Red
Hat
linkedin.com/company/red-h
at
youtube.com/user/RedHatVide
os
facebook.com/redhati
nc
twitter.com/RedHatNe
ws