Microsoft TAG Policies

The microsoftupdate.php script was written to meet a customer's need to automatically determine which new KBs should be defined as the compliance baseline for each version of the Windows operating system. Both scripts are available since openNAC release:

To generate the Microsoft MSRC API key, go to this URL: https://portal.msrc.microsoft.com/en-us/developer

The API key is needed for both versions of the script to work.


There are two versions of the script: 6794

h2. microsoftupdate.php

This version gets the KB list from Microsoft and prints to standard output the text that a user must then set manually in the tag policy.

Variables needed:

msApiKey: MSRC API key

period: Year and month of the report, in the format YYYY-MMM, example: 2018-Jul

msApiVersion: Should not be changed; it is the Microsoft API version. Default value = "1.3"

msUrl: Should not be changed; it is the Microsoft Security Response Center API URL. Default value = "https://api.msrc.microsoft.com/cvrf/".$period."?api-version=".$msApiVersion


This is how to execute it:

php /usr/share/opennac/utils/microsoftupdate.php
August 2018 Security Updates Tracking ID: 2018-Aug
(&,'DOS_WINDOWS_10','IAI_KB4343892')
(&,'RDI_WINDOWS_10_1703','IAI_KB4343885')
(&,'RDI_WINDOWS_10_1709','IAI_KB4343897')
(&,'RDI_WINDOWS_10_1803','IAI_KB4343909')
(&,'RDI_WINDOWS_10_1607','IAI_KB4343887')
(&,'DOS_WINDOWS_8','IAI_KB4343888','IAI_KB4343898')
(&,'DOS_WINDOWS_7','IAI_KB4343900','IAI_KB4343899')

Use the script output to create a user device tag policy in ON NAC –> Tag Policies –> UD Tag Policies.
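As an added example (not part of openNAC or of the original page), this Python checker validates the printed rule lines against the shape shown in the sample output before they are pasted into a UD tag policy, and diffs them against the previous month's baseline. The function names, the strict tag patterns and the reading of the first tag as the OS tag are assumptions.

```python
import re

# Shape of one rule line as printed in the sample output above, e.g.
# (&,'DOS_WINDOWS_8','IAI_KB4343888','IAI_KB4343898')
RULE_RE = re.compile(r"^\(&((?:,'[A-Z0-9_]+')+)\)$")
TAG_RE = re.compile(r"'([A-Z0-9_]+)'")
KB_RE = re.compile(r"^IAI_KB\d+$")


def parse_rules(output):
    """Return ({os_tag: [kb_tag, ...]}, [rejected lines]) for script output."""
    rules, rejected = {}, []
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("("):
            continue  # banner line such as "August 2018 Security Updates ..."
        match = RULE_RE.match(line)
        tags = TAG_RE.findall(match.group(1)) if match else []
        # Assumption: first tag is the OS tag, every following tag is a KB tag.
        if len(tags) < 2 or tags[0] in rules or not all(KB_RE.match(t) for t in tags[1:]):
            rejected.append(line)  # malformed, duplicate OS tag, or non-KB tag
            continue
        rules[tags[0]] = tags[1:]
    return rules, rejected


def diff_baseline(previous, current):
    """Per OS tag, list KB tags added and dropped between two months."""
    changes = {}
    for os_tag in sorted(set(previous) | set(current)):
        old, new = set(previous.get(os_tag, [])), set(current.get(os_tag, []))
        if old != new:
            changes[os_tag] = {"added": sorted(new - old), "dropped": sorted(old - new)}
    return changes


# Constructed sample: lines copied from the output above plus one malformed line.
SAMPLE = """August 2018 Security Updates Tracking ID: 2018-Aug
(&,'DOS_WINDOWS_10','IAI_KB4343892')
(&,'DOS_WINDOWS_8','IAI_KB4343888','IAI_KB4343898')
(&,'DOS_WINDOWS_7','IAI_KB4343900') OR ('X')
"""
# Constructed previous-month baseline (IAI_KB0000001 is a made-up placeholder).
PREVIOUS = {"DOS_WINDOWS_10": ["IAI_KB0000001"],
            "DOS_WINDOWS_8": ["IAI_KB4343888", "IAI_KB4343898"]}

if __name__ == "__main__":
    rules, rejected = parse_rules(SAMPLE)
    print(rules, rejected, diff_baseline(PREVIOUS, rules), sep="\n")
```

A non-empty rejected list means the output should be reviewed by hand rather than copied into the policy.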

h2. microsoftupdate_v2.php

This version of the script works more autonomously: it needs a few more variables, and it directly updates the tag policy of your choice with the KBs indicated by Microsoft.

Variables needed:

Microsoft Variables:

msApiKey: MSRC API key

period: Year and month of the report, in the format YYYY-MMM, example: 2018-Jul. Default value = date('Y-M')

msApiVersion: Should not be changed; it is the Microsoft API version. Default value = "1.3"

msUrl: Should not be changed; it is the Microsoft Security Response Center API URL. Default value = "https://api.msrc.microsoft.com/cvrf/".$period."?api-version=".$msApiVersion

openNAC Variables:

apiUrl: openNAC's core URL. Usually set to localhost. Default value = "https://localhost/api".

tagEval: Tag that exists within Tag Policies and should be populated with the rule. Default value = "EPC_WIN_COMPLIANCE".

onUser: openNAC user that should be used to update the Tag Policy's rule. Default value = "admin".

onPassword: Password of the openNAC user that should be used to update the Tag Policy's rule. Default value = "openNAC".

How to execute it (it should probably be added to cron so that it runs periodically):

php /usr/share/opennac/utils/microsoftupdate_v2.php

After this script has been executed, the tag named in the tagEval variable will contain Microsoft's KBs as requirements and will be ready for use in a rule of an openNAC policy.

Cron example

Access the Core device via the CLI, go to /etc/cron.d, create a file using Vim, and edit the file with the schedule details.

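  • Execute the job on day 20 of each month:
cd /etc/cron.d
vim exampleupdatetag
# Fields: minute hour day-of-month month day-of-week user command (files in /etc/cron.d need the user field).
# Runs once on day 20; the 00:00 time and the root user are assumed here, adjust them to your deployment.
0 0 20 * * root php /usr/share/opennac/utils/microsoftupdate_v2.php > /var/log/opennac/opennac-microsoftupdate.log 2>&1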

Restart the crond service.

service crond restart