Planning and Packaging Your Remediation Module
Planning the development of a custom remediation module consists of the tasks listed in the following table, which indicates where to find information and guidance on each task area.
performing a functional analysis and the importance of understanding the remediation subsystem concept of operations |
|
coordinating your software development and generating the |
|
Data Available from the Remediation Subsystem
Custom remediation modules can receive two kinds of data from the remediation subsystem:
- event data, which includes a variety of data about the correlation policy that was violated and about the original triggering event that caused the policy violation
- instance configuration data, which includes values entered in the web interface when an instance of a remediation is configured
These two types of data incorporate both the data about the network traffic or change that triggered the rules in the violated policy, and the configured instance of the remediation that runs in response to that policy violation. See “Configuring Correlation Policies and Rules” and “Configuring Responses for Correlation Policies” in the FireSIGHT System User Guide for more information about creating, configuring and using correlation policies and remediations.
See the following sections for more information:
- Event Data describes how event data is provided to your remediation module and lists the correlation event data available to your module.
- Instance Configuration Data explains how
instance.config
files are made available to your remediation module and describes the types of data they may include.
Event Data
Event data is one type of information available to your remediation module. Event is information about intrusion, correlation, and other event types that the Defense Center generates when rules in a correlation policy trigger. You specify the event data fields to be sent for each remediation type in your module using the pe_item
element in the module.template
file.
When the remediation daemon sends event data to your remediation module, it passes the name of the remediation first, followed by the pe_item
fields in the order in which they appear in module.template
.
The remediation daemon handles any undefined pe_item
fields from the database differently depending on whether they field is marked as optional or required in module.template. See Handling Undefined Data Elements.
For details on specifying event data for remediations, see Defining Remediation Types. When specifying the pe_item
element, you must use the field names provided in the tables below.
The following table describes data available about the original event that triggered the correlation policy violation. Note that some fields in this table are event specific. These fields are set to zero when not applicable for the specific type of triggering event.
The following table describes the data available about each correlation event. Note that some of the data elements are not populated for certain event types.
The internal identification number of the event generated by the sensor. Set only for intrusion events. Primarily for Cisco internal use and not typically used for remediations. |
||||
The internal identification number of the Defense Center that generated the correlation event. Primarily for Cisco internal use and not typically used for remediations. |
||||
The internal identification number of the of the correlation policy that was violated by the triggering event. Primarily for Cisco internal use and not typically used for remediations. |
||||
The internal identification number of the correlation rule that triggered the correlation event. Primarily for Cisco internal use and not typically used for remediations. |
||||
The priority assigned to the rule for the correlation policy that generated the event. The rule may have a different priority in another policy. |
||||
A bit field in the correlation event message that indicates which of the fields that follow the mask are valid. See Event Defined Values for the values. Primarily for Cisco internal use and not typically used for remediations. |
The following table defines the mask values for the correlation event message fields. These values are used in the correlation event message to indicate which of the fields that follow the mask are valid.
The following table describes the data available about the source host involved in the intrusion event, or the only host involved in any other discovery event that caused the correlation policy violation. Note that only the source IP address is guaranteed to be populated.
The following table describes the data available about the source host’s server, or only server identified in the event that caused the correlation event. Note that only the transport protocol is guaranteed to be populated
The following table describes the data available about the destination host. This data is only available for intrusion events.
The following table describes the data available about the destination host’s server, or the only server identified in the event that caused the correlation event. Note that only the transport protocol is guaranteed to be populated.
Instance Configuration Data
When a user configures a new instance of your module, they provide data requested in your module.template
document. The values provided by the user are then written into the instance.conf
document for use by your remediation program.
For each configured instance of a remediation, the remediation subsystem places an instance.conf
document in a directory with the same name as the instance. This directory is created in the directory where your module was uploaded and installed. For example, if your module is called Firewall, it is uploaded into a directory called firewall
. If you then configure an instance called block_tokyo
, the remediation subsystem creates a directory called block_tokyo
in your firewall
directory and places the instance.conf
there. The directory path appears as follows:
/var/sf/remediation/firewall/block_tokyo/instance.config
See Packaging Your Module for more information on the directories where your module files reside.
Your module must be able to open, read, parse, and close the instance.conf
file.
Each instance.conf
document contains a top level element called instance
. The instance
element has two child elements: config
and remediation
. The following table describes the attributes and elements available to the instance element.
For more information about the data provided in the config
and remediation
elements, see the following:
The config Element
The config
element contains the data entered into the fields rendered on the web interface in response to the config_template
element in that remediation module’s module.template
document. These fields are translated back into the elements used to specify them in the module.template
document, and further specified using the name provided as an attribute of the element rather than a child element. They can include the following types of fields:
See Defining the Configuration Template for more details on how these fields are specified in the module.template
file.
For example, if the module.template
document contains the following config_template
element definition:
The Instance Configuration screen for that element contains the following three fields:
- Host IP, which takes an IP address value.
- Username, which takes a string value that may not contain white space characters.
- Login Password, which takes a string value identified as a password.
Suppose a user configures an instance, named AdminInstance, of the remediation module and provides the following values:
The instance.conf
will contain the following:
Note that the above example does not include </instance>
. This is because the instance.conf
document for this example instance would go on to include the remediation
element discussed next in this section. If you do not require additional remediation configuration in your module, the instance.conf
returned for that module does not include remediation elements.
The remediation Element
The instance
element contains a remediation
element for each remediation configured for that instance. Each remediation
element has, as an attribute, the name of the remediation instance (entered into the web interface at the time the instance is configured) and the type of the remediation, which was initially provided by the remediation_type
element in the module.template
document. For more information about the module.template
file, see Communicating with the Remediation Subsystem.
In addition, remediation
elements can contain config
elements. These function in the same way as config
elements that are child elements of instance
, but use data originally specified in the config_template
element that is a child of remediation_type
in the module.template
document. The following describes these attributes and elements.
For example, suppose the module.template
document in the example provided in The config Element continues with the following:
The Instance Detail page that allows you to add remediations to a created instance contains the remediation type “ACL Insertion”. Adding “ACL Insertion” to the instance takes the user to a page that includes a name field, which populates the name attribute value for that remediation element in the instance.conf
, and a field labelled ACL Number, which accepts an integer value.
Suppose a user adds this remediation to the AdminInstance instance and provides the following values:
The instance.conf
document written when the user saved the example configuration values would, after the section provided in the example in The config Element, continue as follows:
Note that if no more remediations were added to the instance, the instance.conf
should be terminated with </instance>
at this point.
Data Returned by Modules
Remediation modules must return exit status codes, known as return codes, to the Defense Center. The Table View of Remediations in the Defense Center web interface displays a result message for each remediation launched. The return code from the remediation program determines the result message displayed.
Return codes must be integers in the 0 to 255 range inclusive, as defined in the following table.
See Defining Exit Statuses for the list of predefined codes and for directions on creating custom codes.
Packaging and Installing Your Module
The remediation API requires that you package your remediation modules. The files that make up your module must be provided in a gzipped tar file.
See the following sections for more information:
- Packaging Your Module provides helpful tips for packaging your binaries and
module.template
files for upload and installation. - Installing Your Module explains how to install your remediation module on the Defense Center.
Packaging Your Module
When packaging your remediation files for installation, keep in mind the following:
- Remediation modules must be packaged in a gzipped tarball (
.tar.gz
or.tgz
) before you install them. - When you install the module, the package is extracted into
/var/sf/remediation/remediation_directory
whereremediation_directory
is a combination of thename
attribute of the module’smodule
element and the data in theversion
element.
For example, one of the default remediation modules shipped with the Defense Center is the Cisco PIX Shun module. That module resides in /var/sf/remediation/cisco_pix_1.0
.
- When extracted, your remediation module’s
module.template
document must reside in the top level of the directory created to contain that module package. - As instances of remediations are created, they are saved in a directory created in your module directory and named for the instance.
For example, instances of the Cisco PIX Shun module might reside in /var/sf/remediation/cisco_pix_1.0/PIX_01
and /var/sf/remediation/cisco_pix_1.0/PIX_02
.
For example, you upload and install a module that is packaged in firewall.tgz and is named in the module.template
as firewall
with a version value of 1.0
. The system installs the module in the following directory: /var/sf/remediation/firewall_1.0
. That directory contains your module.template file and your program binary. When you add an instance to the remediation module and name it block_tokyo, the system creates the following directory:
Installing Your Module
Once you have correctly packaged your remediation module, use the Modules page to install it.
To install a new module on the Remediation API:
1. Select Policies > Actions > Modules.
The Installed Remediation Modules page appears.
2. Click Browse to navigate to the location where you saved the tar.gz file that contains the custom remediation module.
The custom remediation module installs.
4. Select Policies > Actions > Modules.
The Installed Remediation Modules table lists the module just installed. The Module Name, Version, and Description columns match the information defined in the module.template
file.
5. Add instances of your new module and associate remediations to each instance, as described in the FireSIGHT System User Guide.
You can use the Modules page to view the remediation modules installed on the Defense Center. The list displays custom remediation modules and Cisco-provided ones. You can also delete your custom modules.
To view or delete a module from the Remediation API:
1. Select Policies > Actions > Modules.
The Installed Remediation Modules page appears.
2. Perform one of the following actions:
The Module Detail page appears.
- Click the Delete icon next to the module you want to delete. You cannot delete default modules provided by Cisco.
The remediation module is deleted from the Remediation API.