We just put out a new Assimilation release, 1.1.3, with a few bug fixes and a few new features. The new features center around visualization and security, with even more emphasis on helping you “eat the elephant” of getting into a better security posture. In this post, we’ll explain in more detail what these features are and why you will care – especially if you care about security.
Assimilation Release 1.1.3 Features
Visualizations
We’ve added a new program called drawwithdot which produces drawings suitable for feeding into the dot program from the graphviz package. Dot will then lay out your graph in a sensible way and produce a drawing of the graph layout in one of several formats, including PNG and SVG. Drawwithdot currently creates five different kinds of drawings, which are explained below. As a note, creating new kinds of drawings is shockingly easy.
- monitoring – illustrates services and monitoring methods (agents) in a diagram – indicating which services are failing checks, and which services are not being monitored.
- network – illustrates servers, switches, interconnections, NICs, IP and MAC addresses
- service – illustrates services and clients, IP:port pairs – emphasizing services which run as root. This may be most usefully thought of as an attack surface visualization.
- monring – illustrates our host monitoring topology used to distribute detection of host failures.
- everything – all the diagrams above combined.
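To make the “service” drawing concrete, here is an added example (not the drawwithdot program or any Assimilation code) that emits a Graphviz DOT digraph from a small constructed inventory. The inventory fields (host, service, port, uid, monitored, clients) are assumptions made for this illustration; the real tool reads the Assimilation graph database. Services running as root are drawn in red, unmonitored services get a dashed border, and each client-to-service edge is labelled with the host:port pair, so the output is the same kind of attack-surface view the post describes.

```python
"""Emit a Graphviz DOT 'service'-style diagram from a constructed inventory.

Added example, not the drawwithdot program itself.  The inventory format
(host, service, port, uid, monitored, clients) is an assumption made for
this illustration; the real tool reads the Assimilation graph database.
"""

# Constructed sample inventory (not real discovery data).
INVENTORY = [
    {"host": "web1", "service": "nginx", "port": 443, "uid": 0,
     "monitored": True, "clients": ["lb1"]},
    {"host": "web1", "service": "sshd", "port": 22, "uid": 0,
     "monitored": False, "clients": ["bastion"]},
    {"host": "db1", "service": "postgres", "port": 5432, "uid": 999,
     "monitored": True, "clients": ["web1"]},
]


def root_services(inventory):
    """Return (host, service) pairs for services running as root (uid 0)."""
    return [(s["host"], s["service"]) for s in inventory if s["uid"] == 0]


def unmonitored_services(inventory):
    """Return (host, service) pairs that no monitoring agent covers."""
    return [(s["host"], s["service"]) for s in inventory if not s["monitored"]]


def to_dot(inventory):
    """Render the inventory as a DOT digraph.

    Root services are drawn as red boxes (the attack-surface emphasis);
    unmonitored services get a dashed border; client -> service edges
    carry a host:port label standing in for the IP:port pair.
    """
    lines = ["digraph services {", "  node [shape=box];"]
    for s in inventory:
        node = f'"{s["host"]}:{s["service"]}"'
        attrs = [f'label="{s["service"]}@{s["host"]}:{s["port"]}"']
        if s["uid"] == 0:
            attrs.append("color=red")
            attrs.append("fontcolor=red")
        if not s["monitored"]:
            attrs.append("style=dashed")
        lines.append(f'  {node} [{", ".join(attrs)}];')
    for s in inventory:
        for client in s["clients"]:
            lines.append(f'  "{client}" -> "{s["host"]}:{s["service"]}" '
                         f'[label="{s["host"]}:{s["port"]}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the output into: dot -Tpng -o services.png
    print(to_dot(INVENTORY))
```

Run it and pipe the result into `dot -Tsvg` or `dot -Tpng` to get the picture; the two helper functions give you the same root and unmonitored lists as plain data, which is handy when you want to act on them rather than just look at them.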
Best Practices Scores
We’ve had best practices for a while, but we just added best practice scoring with this release. We created an algorithm which assigns a score for each violation of best practices. Each machine also receives a total score for its best practices in each category. A fully compliant score is zero. For Ubuntu Linux, it looks like the average system fails about half of the checks. We’ve currently implemented about 70 of the 250 checks needed for the DISA/NIST STIGs.
New Queries
We also added a few queries that allow you to query the scores. These queries are pure Cypher queries. They are:
- allbpscores – return best practice scores for all categories for all hosts, sorted by highest security score first
- allservernetscores – return all network scores for all hosts, sorted by highest score first
- allsecserverscores – return all security scores for all hosts, sorted by highest score first
So, if you want to know what the scoring algorithm says your top 10 highest risk servers are, then our new allsecserverscores query will tell you.
New Score Reports
These reports provide information about your scores, oriented towards helping you work out a plan of attack for triaging your security issues if you are using system management tools like Ansible, SaltStack, Chef or Puppet. The idea of these reports is that they will tell you what types of issues cause the most problems over your base of servers. These reports are provided as subcommands of our assimcli program. The new subcommands are:
- dtypescores – returns the scores organized by discovery type
- secdtypes – a shorthand for dtypescores [flags] security
The normal output of these commands is CSV-style output consisting of scores totaled across a discovery area, along with the discovery area. Discovery areas correspond to where this data was discovered. For example, /proc/sys, PAM rules and /etc/login.defs are each separate discovery areas.
Each command can take the following mutually-exclusive flags:
- --hostnames: adds in the score for each host in this discovery area.
- --ruleids: adds in the total score for each rule id in each discovery area.
In addition, each can take the names of score categories on the command line. The current score areas are network and security. We’ll be writing some follow-up articles on these capabilities so you can see how to use them in performing security triage on your site.
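The scoring model from the Best Practices Scores section and the roll-ups these report commands produce are easy to see on toy data. The following is an added example, not Assimilation’s own scoring code: the rule weights, the violation records, and the category and discovery-area names are all constructed for the illustration (the real tool derives them from its discovery data and rule set). `host_scores` produces an allsecserverscores-style ranking of hosts within one category, where a host with no violations scores zero; `dtype_scores` totals by discovery area, and its `by` parameter stands in for the `--hostnames` and `--ruleids` flags.

```python
"""Best-practice scoring and triage roll-ups over constructed violation data.

Added example, not Assimilation's own scoring code.  The weights, the
violation records and the category/discovery-area names are assumptions
for this illustration; the real tool derives them from discovery data
and its rule set.
"""
from collections import defaultdict

# Constructed violations: (host, category, discovery_area, rule_id, weight).
# A weight is the score charged for one violation; a host with no
# violations scores zero in every category (fully compliant).
VIOLATIONS = [
    ("web1", "security", "/proc/sys", "sysctl-ip-forward", 5),
    ("web1", "security", "/etc/login.defs", "pass-max-days", 3),
    ("web1", "network", "/proc/sys", "sysctl-rp-filter", 2),
    ("web2", "security", "/etc/login.defs", "pass-max-days", 3),
    ("web2", "security", "/etc/auditd.conf", "audit-log-rotate", 4),
    ("db1", "security", "/proc/sys", "sysctl-ip-forward", 5),
    ("db1", "security", "/etc/auditd.conf", "audit-log-rotate", 4),
    ("db1", "security", "PAM", "pam-pwquality", 6),
]


def host_scores(violations, category):
    """Total score per host in one category, worst host first.

    This is the shape of an allsecserverscores-style ranking: a list of
    (host, score) pairs, highest score first.  Hosts with no violations
    in the category are absent and therefore implicitly score zero.
    """
    totals = defaultdict(int)
    for host, cat, _area, _rule, weight in violations:
        if cat == category:
            totals[host] += weight
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def dtype_scores(violations, category, by=None):
    """Score totals per discovery area, optionally split by host or rule id.

    by=None   -> [(area, total)]          (plain dtypescores output)
    by="host" -> [(area, host, total)]    (what the --hostnames flag adds)
    by="rule" -> [(area, rule_id, total)] (what the --ruleids flag adds)
    Rows are sorted highest total first, so the most costly area or rule
    across the whole fleet sits at the top of the triage list.
    """
    totals = defaultdict(int)
    for host, cat, area, rule, weight in violations:
        if cat != category:
            continue
        if by == "host":
            key = (area, host)
        elif by == "rule":
            key = (area, rule)
        else:
            key = (area,)
        totals[key] += weight
    rows = [key + (total,) for key, total in totals.items()]
    return sorted(rows, key=lambda r: (-r[-1], r[:-1]))


def to_csv(rows):
    """Render rows as the CSV-style lines the report commands print."""
    return "\n".join(",".join(str(f) for f in row) for row in rows)


if __name__ == "__main__":
    print(to_csv(host_scores(VIOLATIONS, "security")))
    print()
    print(to_csv(dtype_scores(VIOLATIONS, "security", by="rule")))
```

On this data the per-rule view shows that a single sysctl rule violated on two hosts outweighs every other finding, which is exactly the kind of signal you would feed into an Ansible or Puppet change to fix the whole fleet at once rather than chasing hosts one by one.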
Other New Features
- Improved support for LLDP analysis and added support for LLDP-MED
- Added support for CDP
- Added discovery of the /etc/auditd.conf file and its log files.
- Added best practice rules related to /etc/auditd.conf and its log files.
- Added support for Neo4j authentication.
All in all, a pretty cool release providing more features than ever for securing your systems and keeping them secure. By all means, download the software and give it a try.