Expand endpoint security use cases with Secure DX Custom Issues


ControlUp Secure DX scans and remediates security issues using a comprehensive catalog of known vulnerabilities, patches, and compliance issues. Secure DX now allows IT teams to address custom security needs and unpublished remediations. In this blog, I’ll show you how to create custom security scans and remediations for existing catalog remediations and custom issues not found in the catalog.

Create a custom issue security scan not in the Secure DX Catalog

Secure DX has a built-in catalog of known CVEs, misconfigurations, and compliance settings that can run on a schedule (from a template) or on-demand. A custom issue scan detects issues outside the catalog and can be added to a new or existing template or run on-demand.

For instance, suppose an application has been retired. It used a local SSH server with port 22 opened on the firewall, and IT is now concerned that the devices could be exploited, so it needs to find every affected device, remove the SSH server service, and close port 22 on the local firewall. To do this using our new Custom Issues feature, we will need to take the following steps:

  1. Create and add a scan script
  2. Create and add a remediation script
  3. Create a Secure DX custom issue
  4. Test the custom issue

Let’s have a look at these steps in more detail.

Create a scan script

The first action we need to take when creating a custom issue scan is to create an action script to detect the issue. To create an action script, navigate to the Edge DX Configuration settings on the upper right side of the Edge DX user interface. From there, select Scripts and click Add Script in the upper right corner of the screen. Then, under Product, select Secure DX and provide the script with a name, description, and content.

Below is a sample PowerShell script to evaluate if port 22 is open.

# Test whether anything is listening on TCP port 22 on this device
$port = 22
$testResult = Test-NetConnection -ComputerName localhost -Port $port -WarningAction SilentlyContinue
if ($testResult.TcpTestSucceeded) {
    Write-Host "Open"
} else {
    Write-Host "Closed"
}

For the custom scan output in the next section, it is important to write an output (Write-Host) response in the script, such as Open/Closed or True/False.
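The sample above only tells you whether something is listening on port 22 from the device's own point of view; it does not tell you whether the sshd service or the inbound firewall rule is still present. The following is an added example (not from the original post or from ControlUp) of a stricter scan script for the retired-SSH scenario: it checks the service, the OpenSSH.Server capability, enabled inbound allow rules for TCP 22, and the listener, and emits a single True/False token as its last line so the custom issue can match on it. The same script can serve as the validation script for an overwrite action, since it reports False once the remediation has fully succeeded. Cmdlets used are the standard Windows ones (Get-Service, Get-WindowsCapability, Get-NetFirewallRule, Get-NetFirewallPortFilter, Get-NetTCPConnection); the script assumes it runs with administrative rights, as Get-WindowsCapability requires.

```powershell
# Added example scan script: "True" means the issue is present, "False" means clean.
$findings = @()

# 1. Is the sshd service still registered?
if (Get-Service -Name 'sshd' -ErrorAction SilentlyContinue) {
    $findings += 'sshd service present'
}

# 2. Is the OpenSSH Server capability still installed?
$cap = Get-WindowsCapability -Online -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'OpenSSH.Server*' -and $_.State -eq 'Installed' }
if ($cap) {
    $findings += 'OpenSSH.Server capability installed'
}

# 3. Is there an enabled inbound allow rule that opens TCP 22?
# Note: a rule expressed as a port range (e.g. '20-25') is not matched here.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '22' -or $pf.LocalPort -eq 'Any')
    }
if ($rules) {
    $findings += ('inbound allow rule(s) for TCP 22: ' + ($rules.DisplayName -join ', '))
}

# 4. Is anything actually listening on TCP 22?
if (Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue) {
    $findings += 'listener on TCP 22'
}

# Secure DX matches on the script output, so the last line must be exactly the
# expected token. Details are sent to the verbose stream so they never replace it.
foreach ($f in $findings) { Write-Verbose $f }
if ($findings.Count -gt 0) {
    Write-Host 'True'
} else {
    Write-Host 'False'
}
```

When creating the custom issue, set the expected scan output to True so that a device is flagged when any of the four conditions holds.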

Create a remediation script

Creating a custom remediation script is the same procedure as creating a security scan. Navigate to the Edge DX Configuration settings on the upper right side of the Edge DX user interface. From there, select Scripts and click Add Script in the upper right corner of the screen. Then, under Product, select Secure DX, and give the script a name, description, and content.

Below is a sample PowerShell script to stop the SSH service, uninstall the SSH server service, and then remove the SSH firewall port.

# Stop the SSH service
Stop-Service -Name "sshd"
# Uninstall the OpenSSH Server capability
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Remove any leftover sshd service registration. Use sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content
sc.exe delete sshd
# Delete the SSH firewall rule
Remove-NetFirewallRule -DisplayName 'OpenSSH SSH Server'

Create a Secure DX custom issue

After a scan and remediation script is created, navigate to the Secure DX Configuration settings on the upper right side of the screen. From there, select Custom Issues on the left navigation bar.

When creating a custom issue, set the following:

  • Name and Description
  • Severity level to show the impact of the issue
  • Category such as misconfiguration, compliance, vulnerability, application, or OS patch
  • Subcategory
  • Scan script name to execute, with the expected script output, such as true or false
  • Remediation script name to execute, with the option to restart the device

Figure 1 – Create a custom issue

Next, navigate to Templates on the top menu of Secure DX and create a new template or edit an existing one. From Edit Template, navigate to Scanning Scope and enable the custom scan you created.

Figure 2 – Add custom issue to catalog

Testing the custom issue

To evaluate the custom security and action features discussed in this blog, create an Edge DX script to install the SSH Server, set the SSH service to start automatically, open port 22, and start the SSH service.


# Install the OpenSSH Server capability
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Set the service to start automatically
Set-Service -Name sshd -StartupType 'Automatic'
# Open port 22 (inbound TCP) for sshd.exe
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Windows\System32\OpenSSH\sshd.exe"
# Start the SSH service
Start-Service sshd

Create custom remediations for catalog issues

ControlUp provides customers with a collection of scans and matching remediations out-of-the-box. But there are use cases where either:

  • a customer has specific remediation requirements, so the built-in remediation is not suitable for them
  • the ControlUp catalog only provides the scan and not the remediation

For those scenarios you can also use the custom issues capability, often referred to as an “overwrite action”.

Adding a custom issue overwrite to the catalog is similar to creating a custom issue scan and remediation. The key difference is that you must associate the remediation with a catalog item and include a validation script, as the remediation may differ from the existing scan. In Figure 3, you can see that the catalog item “CrowdStrike Falcon agent is missing” is selected, along with a remediation script called “SDX Remediation – Install CrowdStrike” and a validation script called “SDX Validation – Check if CrowdStrike is installed.”

Figure 3 – Add a custom issue remediation to a catalog

By leveraging the power of Secure DX’s custom actions, IT administrators can take control of their unique security needs, addressing vulnerabilities and misconfigurations not covered by our standard catalog. To see how to set up and configure custom actions, we recommend watching this demo that covers all of the above scenarios:

The ability to create custom security scans and remediations ensures comprehensive protection and compliance tailored to your organization’s environment. Whether you are identifying devices with open ports or implementing custom remediation scripts, Secure DX provides the tools necessary to maintain a robust security posture. Start exploring these features today to enhance your IT security strategy with precision and flexibility.

To learn more about ControlUp endpoint security, check out our platform capability page or if you are ready to start using custom issues, make sure to read up on our latest documentation.

Jeff Johnson

Jeff is a product marketing manager for ControlUp. He is responsible for evangelizing the Digital Employee Experience on physical endpoints such as Windows, macOS, and Linux. Jeff has spent his career specializing in enterprise strategies for client computing, application delivery, virtualization, and systems management. Jeff was one of the key architects of the Consumerization of IT Strategy for Microsoft, which has redefined how enterprises allow unmanaged devices to access corporate intellectual property.