ControlUp Secure DX scans and remediates security issues using a comprehensive catalog of known vulnerabilities, patches, and compliance issues. Secure DX now allows IT teams to address custom security needs and unpublished remediations. In this blog, I’ll show you how to create custom security scans and remediations for existing catalog remediations and custom issues not found in the catalog.
Secure DX has a built-in catalog of known CVEs, misconfigurations, and compliance settings that can run on a schedule (from a template) or on-demand. A custom issue scan detects issues outside the catalog and can be added to a new or existing template or run on-demand.
For instance, let’s say an application that has since been retired used a local SSH server with port 22 open on the firewall, and IT is now concerned that those devices could be exploited. IT needs to find every such device, remove the SSH server service, and close port 22 on the local firewall. To do this using our new Custom Issues feature, we will need to take the following steps:
Let’s have a look at these steps in more detail.
The first action we need to take when creating a custom issue scan is to create an action script to detect the issue. To create an action script, navigate to the Edge DX Configuration settings on the upper right side of the Edge DX user interface. From there, select Scripts and click Add Script in the upper right corner of the screen. Then, under Product, select Secure DX and provide the script with a name, description, and content.
Below is a sample PowerShell script to evaluate if port 22 is open.
# Test whether anything on this device accepts a TCP connection on port 22
$port = 22
$testResult = Test-NetConnection -ComputerName localhost -Port $port -WarningAction SilentlyContinue

# Secure DX reads this output token as the scan result
if ($testResult.TcpTestSucceeded) {
    Write-Host "Open"
} else {
    Write-Host "Closed"
}
For the custom scan output in the next section, it is important to write an output (Write-Host) response in the script, such as Open/Closed or True/False.
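The sample above only proves that something answered on port 22 at scan time. The following detection script is an added example (not from the post) that also reports “Open” when the sshd service is still registered or an enabled inbound firewall rule explicitly allows TCP/22, so a retired OpenSSH install is flagged even while nothing is listening. It uses the same Open/Closed output contract and the service name from the post; the rule-matching logic is this example’s own.

```powershell
# Added example (not from the ControlUp post): detect a lingering OpenSSH server
# by checking the firewall, the service record, and the live listener.
$port = 22

# 1. Is there an enabled inbound Allow rule whose TCP port filter lists 22 exactly?
#    (Port ranges such as "20-25" are not expanded here; extend the filter if you use them.)
$ruleOpen = [bool](Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$port" })

# 2. Is the OpenSSH server service still registered, regardless of whether it is running?
$serviceExists = $null -ne (Get-Service -Name 'sshd' -ErrorAction SilentlyContinue)

# 3. Is anything listening on the port right now?
$listening = $null -ne (Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)

# Any one of the three conditions means the device still needs remediation.
if ($ruleOpen -or $serviceExists -or $listening) {
    Write-Host "Open"
} else {
    Write-Host "Closed"
}
```

Because it emits the same token after the cleanup has run, the script can also serve as the validation script that confirms a remediation succeeded.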
Creating a custom remediation script is the same procedure as creating a security scan. Navigate to the Edge DX Configuration settings on the upper right side of the Edge DX user interface. From there, select Scripts and click Add Script in the upper right corner of the screen. Then, under Product, select Secure DX, and give the script a name, description, and content.
Below is a sample PowerShell script to stop the SSH service, uninstall the SSH server service, and then remove the SSH firewall port.
# Stop the SSH service
Stop-Service -Name "sshd"

# Uninstall the SSH Server Windows capability
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# Delete the service record; note that sc.exe must be called explicitly,
# because in PowerShell the bare name sc is an alias for Set-Content
sc.exe delete sshd

# Delete the SSH firewall rule
Remove-NetFirewallRule -DisplayName 'OpenSSH SSH Server'
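A remediation that Secure DX runs across a fleet should be safe to repeat and should confirm its own result. The script below is an added example (not the post’s script): it performs the same removal steps, but each is guarded so that a re-run on an already clean device does nothing, and it ends by re-checking the state and printing the same Open/Closed token the scan uses. It assumes the OpenSSH.Server capability, the sshd service name, and the “OpenSSH SSH Server” rule name from the post.

```powershell
# Added example (not the post's script): idempotent OpenSSH server removal with verification.
$ErrorActionPreference = 'Stop'

# 1. Stop and uninstall the service only if it is still present
$svc = Get-Service -Name 'sshd' -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'sshd' -Force }

    # The Windows capability owns the service, so remove it through the capability first
    $cap = Get-WindowsCapability -Online | Where-Object { $_.Name -like 'OpenSSH.Server*' } | Select-Object -First 1
    if ($cap -and $cap.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
    }

    # Only if a stray service record survived the uninstall, delete it with sc.exe
    # (bare "sc" is the PowerShell alias for Set-Content and would not do this)
    if (Get-Service -Name 'sshd' -ErrorAction SilentlyContinue) { sc.exe delete sshd | Out-Null }
}

# 2. Remove every inbound rule the OpenSSH install created, however it was named
Get-NetFirewallRule -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'OpenSSH SSH Server' -or $_.Name -eq 'sshd' } |
    Remove-NetFirewallRule

# 3. Verify and report in the same format the scan uses
$serviceLeft = $null -ne (Get-Service -Name 'sshd' -ErrorAction SilentlyContinue)
$ruleLeft    = $null -ne (Get-NetFirewallRule -DisplayName 'OpenSSH SSH Server' -ErrorAction SilentlyContinue)
if ($serviceLeft -or $ruleLeft) {
    Write-Host "Open"
} else {
    Write-Host "Closed"
}
```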
After the scan and remediation scripts are created, navigate to the Secure DX Configuration settings on the upper right side of the screen. From there, select Custom Issues on the left navigation bar.
When creating a custom issue, set the following:
Next, navigate to Templates on the top menu of Secure DX and create a new or edit an existing template. From Edit Template, navigate to Scanning Scope and enable the custom scan you created.
To evaluate the custom security and action features discussed in this blog, create an Edge DX script to install the SSH Server, set the SSH service to start automatically, open port 22, and start the SSH service.
# Install the SSH Server Windows capability
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# Set the service to start automatically
Set-Service -Name sshd -StartupType 'Automatic'

# Open port 22 for the sshd executable
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Windows\System32\OpenSSH\sshd.exe"

# Start the SSH service
Start-Service sshd
ControlUp provides customers with a collection of scans and matching remediations out-of-the-box. But there are use cases where either:
For those scenarios you can also use the custom issues capability, often referred to as an “overwrite action”.
Adding a custom issue overwrite to the catalog is similar to creating a custom issue scan and remediation. The key difference is that you must associate the remediation with a catalog item and include a validation script, as the remediation may differ from the existing scan. In Figure 3, you can see the catalog item called “CrowdStrike Falcon agent is missing,” with a remediation script called “SDX Remediation – Install CrowdStrike” selected, along with a validation script called “SDX Validation – Check if CrowdStrike is installed.”
By leveraging the power of Secure DX’s custom actions, IT administrators can take control of their unique security needs, addressing vulnerabilities and misconfigurations not covered by our standard catalog. To see how to set up and configure custom actions, we recommend watching this demo that covers all of the above scenarios:
The ability to create custom security scans and remediations ensures comprehensive protection and compliance tailored to your organization’s environment. Whether you are identifying devices with open ports or implementing custom remediation scripts, Secure DX provides the tools necessary to maintain a robust security posture. Start exploring these features today to enhance your IT security strategy with precision and flexibility.
To learn more about ControlUp endpoint security, check out our platform capability page, or if you are ready to start using custom issues, make sure to read our latest documentation.