
IBM BigFix and Carbon Black Integration

Document version: 1.0

Date: October 2016

This document contains all of the available information related to the IBM BigFix and Carbon Black integration.


Table of Contents

Overview and architecture
    Architecture
Cb Agent Deployment and Health Monitoring
    Requirements
    Importing the Content
    Content Details
        Fixlets
    Web Reports
Install Cb Event Forwarder
    Requirements
    Install Cb Event Forwarder RPM
    Configure Cb Event Forwarder
    Configure Cb Response
    Apply the Changes to the Cb Response Server
        If you have a single server, log in as root and run the following:
        If you have a cluster, follow these steps:
    Start and Stop Cb Event Forwarder Service
    Integration
        To forward Cb Response events to the BigFix connector:
    Logging and Diagnostics
Configure BigFix Tamper Protection in Cb Protection
    To enable tamper protection for the BigFix client:
Configure Cb Protection BigFix Connector
    Obtain an API Token
        To create an API user and get its API token:
    Requirements
    Install the Cb Protection BigFix Connector
    Configure the Cb Protection BigFix Connector
    Troubleshooting
    Uninstall
Configure Cb Response BigFix Connector
    Requirements
    Enable the NVD Feed in Cb Response
    Installation
    Obtain an API Token
        To obtain a Cb Response API token:
    Obtain a BigFix API Username and Password
    Required BigFix Permissions
        To set required BigFix permissions:
    Configure the Integration
    Starting and Stopping the Connector
    Start Connector
    Restart Connector
    Stop Connector
    Troubleshooting
    Uninstall
Banned Files
    Cb Protection
    Cb Response
    Banned files configuration in BigFix
Remediate Vulnerabilities with the BigFix Manage Vulnerable Computers Dashboard
    Enable Carbon Black and BigFix to Communicate
    Terminology
    Overview and getting started
    At a glance: Manage Vulnerable Computers dashboard
    BigFix Permissions
        To set required BigFix permissions:
    Requirements
    Accessing the site
        About this task
        Procedure
    Installing the Manage Vulnerabilities plugin
        Before you begin
        About this task
        Procedure
        Results
    Uninstalling the plugin
        About this task
        Procedure
    Configuring the Manage Vulnerable Computers plugin
        About this task
        Procedure
    Viewing computer details
        About this task
        Procedure
    Quarantining computers
        Before you begin
        About this task
        Procedure
    Un-quarantining computers
        About this task
        Procedure
    Viewing Common Vulnerability Exposures (CVEs) and associated Fixlets
        About this task
        Procedure
    Viewing actions
        About this task
        Procedure
    Common problems and troubleshooting


Overview and architecture

The IBM BigFix and Carbon Black integration allows administrators to deploy a full endpoint security solution to detect, contain, investigate, and remediate security threats and attacks on endpoints across the enterprise. You can run BigFix Fixlets to more easily deploy, monitor, manage, and troubleshoot Carbon Black agents through BigFix. You can also use the Carbon Black tamper protection capability to protect BigFix agents from being modified or terminated. More importantly, you can use BigFix to remediate the vulnerabilities or malware identified by Carbon Black so that security threats and attacks can be eliminated or mitigated quickly and effectively.

The following functions are available in the BigFix and Carbon Black integration solution. Each integration function delivers unique value and is independent of the other functions, although all functions depend on the same solution infrastructure provided by BigFix and Carbon Black. Decide which integration functions you need based on the following descriptions:

• Cb Agent Deployment and Health Monitoring – A number of BigFix Fixlets are provided to deploy, monitor, manage, and troubleshoot the Carbon Black agents. Specifically, you can use the Fixlets to perform the following tasks:

- Deploy Carbon Black agents: Cb Protection for Windows, and Cb Response for Windows and Linux

- Identify machines lacking Carbon Black agents

- Check current agent status and configuration

- Create deployment reports and dashboards in IBM BigFix

- Use agent debug and diagnostic health data for rapid troubleshooting

- Uninstall Carbon Black agents

You can download and install the Fixlets from the BigFix site https://bigfix.me/. For more information, see https://bigfix.me/projects/details/25. These features are described in the Cb Agent Deployment and Health Monitoring section of this document.

• BigFix Tamper Protection – The power of Cb Protection is leveraged to provide tamper protection for BigFix clients. The BigFix client is protected against termination, injection, or modification by other processes. Also, the BigFix client installation directory is protected against modifications by other processes. These protections allow the BigFix client to continue running and delivering patches even under harsh conditions. For more information, see the Configure BigFix Tamper Protection in Cb Protection section of this document.

• Removal of Malware Identified by Cb Protection – The Cb Protection BigFix connector pulls the list of banned files from Cb Protection and sends them to BigFix in the form of Fixlets that can be executed by an administrator. A single Fixlet is created per SHA1 hash of a banned file. If a Fixlet for a SHA1 hash already exists, its contents are replaced by the new data from the Cb Protection server. This can mean that the Fixlet becomes longer (for example, if the file is detected in additional locations) or shorter (for example, if the file has been deleted and is located in fewer locations). The Cb Protection BigFix connector makes administrators aware of unwanted files so they can remove them from the environment. For example, if a malware infection is detected and banned, this service allows BigFix to delete all offending files directly off of the endpoint without requiring future manual intervention. For more information on the Cb Protection BigFix connector, see the Configure Cb Protection BigFix Connector section of this document.

• Removal of Malware Identified by Cb Response – The Cb Response BigFix connector processes data that is streamed from Cb Response and sends it to BigFix. The connector also sends alerts for applications that have been detected as vulnerable, so that BigFix can suggest high-priority patches and provide the location of banned files that attempted to execute in your environment. Administrators can then decide whether to delete affected files from within their environment. The Cb Response BigFix connector requires the Cb Event Forwarder standalone service, which pushes data from the Cb Response server to the Cb Response BigFix connector. For more information about Cb Event Forwarder, see the Configure Cb Event Forwarder section of this document. For more information on the Cb Response BigFix connector, see the Configure Cb Response BigFix Connector section of this document.

• Remediation of Vulnerabilities Identified and Prioritized by Cb – Using the BigFix Manage Vulnerable Computers dashboard, you can view and remediate the vulnerability data reported by Carbon Black, identified by Common Vulnerabilities and Exposures (CVE) entries. The Manage Vulnerable Computers dashboard lists the CVEs with their associated risk scores and identifies the targeted and impacted computers. The dashboard provides a list of the Fixlets that are available for the CVEs. Fixlets are the BigFix packages for the corrective action that remediates CVEs and security threats. You can also quarantine and unquarantine computers from the dashboard. For more information on the dashboard, see the Remediate Vulnerabilities with the BigFix Manage Vulnerable Computers Dashboard section of this document.

The following table summarizes which products are integrated with each other for each of the integration functions described above.

Use case                                     | Cb Protection | Cb Response | BigFix Compliance
---------------------------------------------|---------------|-------------|------------------
Cb Agent deployment and health checking      |       X       |      X      |        X
Tamper protection                            |       X       |             |        X
Removal of Cb Protection identified malware  |       X       |             |        X
Removal of Cb Response identified malware    |               |      X      |        X
Vulnerability remediation                    |               |      X      |        X

Architecture

The following diagram shows the architecture of the BigFix and Carbon Black integration solution.


Cb Agent Deployment and Health Monitoring

You can use BigFix Fixlets to more easily deploy, monitor, manage, and troubleshoot Carbon Black agents from the BigFix console. This facilitates better system administration and lifecycle management.

You can complete the following system administration and lifecycle management tasks:

• Deploy Carbon Black agents (Cb Protection on Windows; Cb Response on Windows and Linux)
• Identify machines lacking Carbon Black agents
• Check current agent status and configuration
• Create deployment reports and dashboards in IBM BigFix
• Enforce agent state on and off the network
• Collect agent debug and diagnostic health data for rapid troubleshooting
• Uninstall the agent (Cb Response)

Requirements

The requirements are as follows:

Carbon Black Response integration:
• Cb Response v5.1.1+ and 5.2.0+
• IBM BigFix v9.2.x and v9.5.x

Carbon Black Protection (formerly Bit9) integration:
• Cb Protection v7.2.3 Patch 3+ and 8.0+
• IBM BigFix v9.2.x and v9.5.x

Importing the Content

The content associated with this integration is currently available from the bigfix.me site:

https://bigfix.me/site/details/8345#tabs-2

IMPORTANT: The content in this site is supported by Carbon Black.

If necessary, register and then log on. After you have logged on to bigfix.me, subscribe to the site to download the content, as shown in the following example:

After you have subscribed, you can import the content in three different ways:

1. Leverage the BigFixMeSync plugin at: https://bigfix.me/fixlet/details/9287

2. Download a single .BES file containing all of the site's content, and import it into the console by double-clicking the downloaded .BES file, as shown in the following example:

3. Download the individual .BES files associated with the content you want, and import them individually.

For information about how to import a .BES file, see:

http://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Console/Dialogs/import.html

Content Details

The following sections provide information about the content that is available.

Fixlets

The Fixlets are organized into 3 categories: software deployment, application maintenance, and troubleshooting. The following sections describe each of these.

Software Deployment

The software deployment Fixlets are as follows:

Cb Protection – Deploy Windows Agent

To use this Fixlet, you must place the appropriate Carbon Black Protection agent installer in the root server's Uploads folder (..\BES Server\wwwrootbes\Uploads on Windows or /var/opt/BESServer/wwwrootbes/Uploads on Linux), and the action script of the Fixlet must be modified accordingly. The agent installer can be downloaded from the Carbon Black Protection server at:

https://<carbon black protection server>/hostpkg/

You must then modify the Fixlet's action script to match the agent installer details. In particular, you must modify the SHA1, size, URL, and SHA256 values in the prefetch statement, as shown in the following example:
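The screenshot of the prefetch statement is not reproduced here. The script below is an added example, not code from the IBM or Carbon Black document: it computes the SHA1, size and SHA256 of an installer and prints the matching ActionScript prefetch line, and it checks an existing prefetch line against the file cached in the Uploads folder, so a Fixlet that still carries the hashes of an older installer is caught before it is deployed. The same three values are what the Cb Response sensor Fixlets below need. The prefetch keyword layout (name, sha1:, size:, url:, sha256:) is BigFix ActionScript; the hostname, port and path in the demo URL, and the stand-in installer, are assumptions.

```shell
#!/bin/sh
# Added example; not code from the IBM/Carbon Black document.
# Builds the ActionScript prefetch line a Cb agent deployment Fixlet needs and
# checks an existing line against the installer cached in the root server's
# Uploads folder. Assumes coreutils sha1sum/sha256sum. The host, port and
# path in the demo URL are illustrative assumptions.
set -eu

# Print one prefetch line for installer $1, to be downloaded from URL $2.
prefetch_line() {
    file=$1
    url=$2
    name=$(basename "$file")
    sha1=$(sha1sum "$file" | cut -d' ' -f1)
    sha256=$(sha256sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf 'prefetch %s sha1:%s size:%s url:%s sha256:%s\n' \
        "$name" "$sha1" "$size" "$url" "$sha256"
}

# Return 0 if the sha1, size and sha256 fields of prefetch line $1 all match
# file $2, 1 otherwise. A mismatch means the Fixlet still carries the values
# of a different installer and the download will fail verification on the client.
verify_prefetch() {
    line=$1
    file=$2
    want_sha1=$(printf '%s\n' "$line" | sed -n 's/.* sha1:\([0-9a-f]*\).*/\1/p')
    want_size=$(printf '%s\n' "$line" | sed -n 's/.* size:\([0-9]*\).*/\1/p')
    want_sha256=$(printf '%s\n' "$line" | sed -n 's/.* sha256:\([0-9a-f]*\).*/\1/p')
    have_sha1=$(sha1sum "$file" | cut -d' ' -f1)
    have_sha256=$(sha256sum "$file" | cut -d' ' -f1)
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$want_sha1" = "$have_sha1" ] && [ "$want_size" = "$have_size" ] \
        && [ "$want_sha256" = "$have_sha256" ]; then
        return 0
    fi
    return 1
}

# Stand-alone demo on a constructed stand-in for the installer (run: sh script.sh demo).
if [ "${1:-}" = "demo" ]; then
    installer=$(mktemp)
    printf 'constructed stand-in for the Cb Protection agent installer\n' > "$installer"
    line=$(prefetch_line "$installer" \
        "http://bigfix-root.example.com:52311/Uploads/cb/$(basename "$installer")")
    echo "$line"
    verify_prefetch "$line" "$installer" && echo "prefetch line matches the cached installer"
    rm -f "$installer"
fi
```

Run prefetch_line against the installer you actually copied into Uploads, paste the output over the Fixlet's prefetch line, and keep verify_prefetch in the change procedure so that replacing the installer without updating the Fixlet is noticed at once rather than as failed actions on endpoints.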

Cb Response – Deploy Windows Sensor
Cb Response – Deploy Linux Sensor

To leverage these Fixlets, you must add the appropriate Carbon Black Response sensor installer in the root server's Uploads folder (..\BES Server\wwwrootbes\Uploads or /var/opt/BESServer/wwwrootbes/Uploads), and you must modify the action script of the Fixlet accordingly.

For additional details on how to manually cache a file on the BigFix Server, see http://www-01.ibm.com/support/docview.wss?uid=swg21506037.

You can download the sensor installers from the Carbon Black Response server interface under Administration > Sensors > Download Sensor Installer, as shown in the following example:



Application Maintenance

The following Fixlets can be leveraged both to report on endpoints where the Carbon Black agents are not running and to ensure that they stay running (even when off the network).

Cb Protection – Identify endpoints with agent not running
Cb Response – Identify endpoints with sensor not running

To deploy these Fixlets as a policy to enforce agent compliance, click Take Action, then select Policy from the Preset drop-down menu, and in the Target tab, select the devices in scope:

Troubleshooting

A number of Tasks are provided to facilitate data collection and troubleshooting, as follows:

Cb Protection – Generate and collect sensor status information

This task executes a DasCLI.exe status on the hosts and returns the results. This is useful to quickly aggregate troubleshooting data from the endpoint's perspective. For instance, it can be useful in diagnosing a communication problem between the endpoint and the Carbon Black Protection server.

Cb Response - Generate and Collect Sensor Diagnostics

Directs the Carbon Black Response sensor to generate diagnostics data and upload it to the BigFix server. These diagnostic files are often requested by the Carbon Black team during support calls.

Cb Response - Force Sensor Check-In

In typical operation, the Carbon Black Response sensor checks in with the server every 30-60 seconds to upload new event data and binaries. When testing or diagnosing communications, it is useful to use this task to instruct the sensor to check in immediately and upload its data. Similarly, this can be combined with the Carbon Black server's option to force the upload of all data on the next check-in to quickly pull all information available from the sensor.

Cb Response - Uninstall Cb Sensor

If you want to uninstall the Carbon Black Response sensor, for example because you need to migrate an endpoint to a different Carbon Black deployment, you can use this task to automate the uninstallation procedure.


Analyses

To collect information about the Cb Response and Cb Protection agents, you must activate the following analyses. You can do this from the BigFix Console:

1. Log on as a master operator.
2. Select the analyses.
3. Right-click the analyses and select Activate, as shown in the following example:

Cb Response Sensor Details: this analysis returns data for the following elements:
• CbER Version
• CbER Installation Date
• CbER Service State
• CbER Configuration/Profile Name
• CbER Backend Server
• CbER Sensor ID
• CbER Sensor Modules/Collect Configuration

Cb Protection Agent Details: this analysis returns data for the following elements:
• CbEP Version
• CbEP Installation Date
• CbEP Service State
• CbEP Host Group
• CbEP Backend Server
• CbEP Current Level of Enforcement
• CbEP Unique Files: number of unique files in the host's CbEP cache
• CbEP Tamper Protection Status


Web Reports

Web Reports is a high-level web application that complements and extends the power of IBM BigFix. It connects to one or more IBM BigFix databases to aggregate and analyze your entire network. It allows you to visualize your data, with both charts and data listings, in any standard web browser. Web Reports provides you with a convenient, compact, and timely overview of your IBM BigFix network, no matter how broadly it extends. The following sections provide instructions on how to create some sample web reports for Carbon Black Protection and Carbon Black Response.

Carbon Black Enterprise Protection Agent Overview

The following graphic shows an example of the Carbon Black Protection agent overview in BigFix Web Reports.


To create reports, from IBM BigFix Web Reports, complete the following:

1. Select Explore Data > Computers, then click Edit Columns.
2. Uncheck any properties that you do not want, then use the live search under Available Columns with the term carbon black enterprise protection to filter the properties to those of the Cb Protection Agent Details analysis, and select them, for example:
3. Add any charts you want by clicking Add Chart. For example:
4. Repeat for any additional charts.
5. Click the Save Report button to store it and make it available for subsequent reporting needs.


Carbon Black Enterprise Response Sensor Overview

The following graphic shows an example of a report in BigFix Web Reports.

From IBM BigFix Web Reports, complete the following:

1. Select Explore Data > Computers, then click Edit Columns.
2. Uncheck any properties that you do not want, then use the live search under Available Columns with the term carbon black enterprise response to filter the properties to those of the Cb Response Sensor Details analysis, and select them, as follows:
3. Add any charts that you want by clicking Add Chart. For example:
4. Repeat for any additional charts.
5. Click the Save Report button to store it and make it available for subsequent reporting needs.

Install Cb Event Forwarder

The Cb Event Forwarder is a standalone service that listens on the Cb Response message bus and exports events (watchlist/feed hits and raw endpoint events, if configured) in a normalized JSON format. The events can be written to a file, delivered to a network service, or archived automatically to an Amazon S3 bucket. Any external system that accepts JSON can consume them, including the Cb Response and Cb Protection BigFix connectors.

The set of events to collect is configurable. By default, all watchlist/feed hits, alerts, binary notifications, and raw sensor events are exported as JSON. The forwarder's configuration file is:

/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

Requirements

The following are Cb Event Forwarder installation requirements:

• The Cb Event Forwarder can be installed on any 64-bit Linux machine running CentOS 6.x.

• The Cb Event Forwarder can be installed on the same machine as the Cb Response server or another machine. However, if you are forwarding events from a Cb Response cluster, it is recommended you install Cb Event Forwarder on a separate machine.


Install Cb Event Forwarder RPM

To install and configure the Cb Event Forwarder RPM, perform these steps as “root” on your target Linux system:

1. Install the CbOpenSource repository if it is not already installed:

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

Before continuing, open the downloaded .repo file and confirm that it points at the expected Carbon Black host and that GPG checking of packages is enabled: whatever it references is installed as root in the next step.

2. Install the Cb Event Forwarder RPM using Yum:

yum install cb-event-forwarder

Note: Once the Cb Event Forwarder RPM is installed on a target system, you can configure and run multiple instances of Cb Event Forwarder to push Cb Response data to several destinations concurrently.

Configure Cb Event Forwarder

This section explains how to configure Cb Event Forwarder for the BigFix integration.

1. If you are installing Cb Event Forwarder on a machine other than the Cb Response server, copy the RabbitMQ username and password into the following variables as follows:

- rabbit_mq_username

- rabbit_mq_password

a. Copy the <username> value from /etc/cb/cb.conf:

RabbitMQUser=<username>

to /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf:

rabbit_mq_username=<username>

b. Copy the <password> value from /etc/cb/cb.conf:

RabbitMQPassword=<password>

to /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf:

rabbit_mq_password=<password>

c. Enter the hostname or IP address where the Cb Response server can be reached in the following variable:

cb_server_hostname

If the Cb Event Forwarder is forwarding events from a Cb Response cluster, this variable should be set to the hostname or IP address of the Cb Response server master node.

2. Make sure the configuration is valid by running the Cb Event Forwarder in “check mode” as “root”:

/usr/share/cb/integrations/event-forwarder/cb-event-forwarder -check

If everything is working properly, you will see a message starting with “Initialized output”.

If there are any problems, errors will appear on your screen.


Configure Cb Response

By default, Cb Response publishes feed.* and watchlist.* events over the bus. The default is acceptable for the BigFix integration. For more information on these events, see:

https://github.com/carbonblack/cb-event-forwarder/blob/master/EVENTS.md

If you are capturing binary observed events, then you must edit the EnableSolrBinaryInfoNotifications setting in /etc/cb/cb.conf and set it to True.

By default, the Message Bus listens on port 5004. Make sure firewall rules allow for incoming TCP connections to this port on the Cb Response server.

Apply the Changes to the Cb Response Server

You will need to restart the Cb Response server if any variables were changed in /etc/cb/cb.conf.

If you have a single server, log in as root and run the following:

service cb-enterprise restart

If you have a cluster, follow these steps:

1. Distribute the DatastoreBroadcastEventTypes, EnableSolrBinaryInfoNotifications, and/or EnableRawSensorDataBroadcast settings to the /etc/cb/cb.conf configuration file on all minion nodes.

2. Restart the cluster using the /usr/share/cb/cbcluster restart command.

Start and Stop Cb Event Forwarder Service

Once Cb Event Forwarder is installed, it is managed by the Upstart init system that comes with CentOS 6.x. You can control the Cb Event Forwarder service using the initctl command as follows:

• To start the service, execute this command:

initctl start cb-event-forwarder

• To stop the service, execute this command:

initctl stop cb-event-forwarder

The Cb Event Forwarder service is configured to start automatically on system boot.


Integration

The Cb Event Forwarder must be configured to forward Cb Response events in JSON format to the Cb Response BigFix connector.

To forward Cb Response events to the BigFix connector:

1. Modify /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf to specify the output protocol type:

output_type=tcp

2. Change the destination network address and port to that of the BigFix connector. For more information, see Configure Cb Response BigFix Connector. By default these values are localhost and 9999.

For example, change the following:

tcpout=<ipaddress>:<port>

to:

tcpout=localhost:9999

3. Change the output format to json in the configuration file:

output_format=json
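The settings in Configure Cb Event Forwarder and in the three steps above are the ones the BigFix connector depends on, and a typo in any of them is only discovered when no events arrive. The following Python script is an added example written for this guide, not code from Carbon Black or IBM. It parses a cb-event-forwarder.conf (assumed to be flat key=value text, as the settings listed in this document suggest) and reports anything that would stop the forwarder from delivering JSON over TCP to the connector; the sample configuration embedded in it is constructed, with the RabbitMQ password deliberately left as the <password> placeholder.

```python
"""Added example: sanity-check a cb-event-forwarder.conf for the BigFix
integration. Not Carbon Black's or IBM's code; the file format is assumed
to be flat key=value lines and the sample below is constructed."""
import re

# Constructed sample. The forwarder runs on a host other than the Cb Response
# server, so the RabbitMQ credentials from /etc/cb/cb.conf are required; the
# password is still the placeholder on purpose so the check reports it.
SAMPLE_CONF = """
# Forwarder runs on a host other than the Cb Response server
cb_server_hostname=cbresponse.example.internal
rabbit_mq_username=cb
rabbit_mq_password=<password>
output_type=tcp
tcpout=localhost:9999
output_format=json
http_server_port=33706
"""

# Values that were never filled in look like <username>, <password>, ...
PLACEHOLDER = re.compile(r"^<[^>]*>$")


def parse_conf(text):
    """Parse flat key=value lines into a dict, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_bigfix_forwarder_conf(conf):
    """Return the list of problems found. An empty list means the forwarder
    will hand the BigFix connector JSON over TCP, as the integration expects."""
    problems = []
    if conf.get("output_type") != "tcp":
        problems.append("output_type must be tcp")
    if conf.get("output_format") != "json":
        problems.append("output_format must be json")
    match = re.fullmatch(r"([^:\s]+):(\d{1,5})", conf.get("tcpout", ""))
    if not match or not 1 <= int(match.group(2)) <= 65535:
        problems.append("tcpout must be <host>:<port> (default localhost:9999)")
    # An off-box forwarder needs the RabbitMQ credentials copied from
    # /etc/cb/cb.conf; an on-box install can rely on the local defaults.
    host = conf.get("cb_server_hostname", "")
    if host and host not in ("localhost", "127.0.0.1"):
        for key in ("rabbit_mq_username", "rabbit_mq_password"):
            value = conf.get(key, "")
            if not value or PLACEHOLDER.match(value):
                problems.append(f"{key} is unset or still a placeholder")
    return problems


def check_file(path):
    """Check a configuration file on disk; returns the same problem list."""
    with open(path, encoding="utf-8") as fh:
        return check_bigfix_forwarder_conf(parse_conf(fh.read()))


if __name__ == "__main__":
    for problem in check_bigfix_forwarder_conf(parse_conf(SAMPLE_CONF)):
        print("problem:", problem)
```

Run it against the live file with check_file("/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf"); an empty result means the three integration settings, and for an off-box forwarder the RabbitMQ credentials, are in place. It complements the -check run above rather than replacing it, since only the forwarder itself can confirm that the message bus is reachable.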

Logging and Diagnostics

The Cb Response BigFix connector logs to the following directory:

/var/log/cb/integrations/cb-event-forwarder

The following is an example of a successful startup log:

2015/12/07 12:57:26 cb-event-forwarder version 3.0.0 starting
2015/12/07 12:57:26 Interface address 172.22.10.7
2015/12/07 12:57:26 Interface address fe80::20c:29ff:fe85:bcd0
2015/12/07 12:57:26 Configured to capture events: [watchlist.hit.# watchlist.storage.hit.# feed.ingress.hit.# feed.storage.hit.# feed.query.hit.# alert.watchlist.hit.# ingress.event.process ingress.event.procstart ingress.event.netconn ingress.event.procend ingress.event.childproc ingress.event.moduleload ingress.event.module ingress.event.filemod ingress.event.regmod binaryinfo.# binarystore.file.added]
2015/12/07 12:57:26 Initialized output: File /var/cb/data/event_bridge_output.json
2015/12/07 12:57:26 Diagnostics available via HTTP at http://cbtest:33706/debug/vars
2015/12/07 12:57:26 Starting AMQP loop
2015/12/07 12:57:26 Connecting to message bus...
2015/12/07 12:57:26 Subscribed to watchlist.hit.#
2015/12/07 12:57:26 Subscribed to watchlist.storage.hit.#
2015/12/07 12:57:26 Subscribed to feed.ingress.hit.#
2015/12/07 12:57:26 Subscribed to feed.storage.hit.#
2015/12/07 12:57:26 Subscribed to feed.query.hit.#
2015/12/07 12:57:26 Subscribed to alert.watchlist.hit.#
2015/12/07 12:57:26 Subscribed to ingress.event.process
2015/12/07 12:57:26 Subscribed to ingress.event.procstart
2015/12/07 12:57:26 Subscribed to ingress.event.netconn
2015/12/07 12:57:26 Subscribed to ingress.event.procend
2015/12/07 12:57:26 Subscribed to ingress.event.childproc
2015/12/07 12:57:26 Subscribed to ingress.event.moduleload
2015/12/07 12:57:26 Subscribed to ingress.event.module
2015/12/07 12:57:26 Subscribed to ingress.event.filemod
2015/12/07 12:57:26 Subscribed to ingress.event.regmod
2015/12/07 12:57:26 Subscribed to binaryinfo.#
2015/12/07 12:57:26 Subscribed to binarystore.file.added
2015/12/07 12:57:26 Starting 4 message processors

In addition to the log file, the Cb Event Forwarder service starts an HTTP service for monitoring and debugging. The URL is available in the log file (see the Diagnostics available line above). The port is configurable through the http_server_port setting in the cb-event-forwarder.conf file. You can visit the Diagnostics page at the URL provided in the log file to track the performance and availability of the Cb Event Forwarder.

Note:

To reach the diagnostics, make sure that the port (default 33706) is open for incoming traffic on any firewalls between your host and the server running the Cb Event Forwarder.


Configure BigFix Tamper Protection in Cb Protection

Cb Protection offers tamper protection to a select set of processes, including:

• The Cb Protection agent itself

• The Cb Response agent

• The BigFix client

Tamper protection uses Cb Protection’s sophisticated rules engine to:

• Protect the BigFix client processes against interference by other processes.

• Protect the BigFix client files from alteration by non-BigFix processes.

• Help ensure that patching and monitoring tasks performed by the BigFix client are not interrupted or tampered with during operation.

To enable tamper protection for the BigFix client:

Tamper protection rules must be installed via a file to enable this feature.

1. In the Cb Protection console, navigate to Rules > Software Rules.

2. Using the menu to the left of the page, navigate to Rules > Software Rules > Updaters.

3. Click the Add Updater button.


4. Choose the file to upload and supply the required password. The updater will now be installed.

5. Return to the Updater page, and locate the BigFix Agent Tamper Protection updater in the Disabled Updaters section.

6. Select the checkbox to the left of this updater and use the action menu to enable it. The rules for this agent will be activated in your environment.

Note:

If you need to disable tamper protection for the BigFix agent at any time, use the action menu to disable it.

Note:

Due to a known issue within the Cb Protection agent, the tamper protection rules may not immediately become active on an endpoint after the installation of the BigFix agent. Simply reboot the endpoint, or run ‘sc control parity 128’ from an administrative command prompt, to force a refresh of the rules and enable the tamper protections.

Configure Cb Protection BigFix Connector

The Cb Protection BigFix connector pulls the list of banned files from Cb Protection and sends them to BigFix in the form of Fixlets that can be leveraged by a BigFix operator. A single Fixlet is created per SHA1 hash of a banned file.

If a Fixlet for an SHA1 hash already exists, its contents are replaced by the new data from the Cb Protection server. This can mean that the Fixlet becomes longer (for example, if the file is detected in additional locations) or shorter (for example, if the file has been deleted and is located in fewer locations).


The Cb Protection BigFix connector makes operators aware of unwanted files so they can remove them from within the environment. For example, if a malware infection is detected and banned, this service allows BigFix to delete all offending files directly off of the endpoint without requiring future manual intervention.

The Cb Protection BigFix connector is installed through a standard Windows MSI and operates as a Windows Service.

The following topics are covered in this section:

• Obtain an API Token

• Requirements

• Install the Cb Protection BigFix Connector

• Configure the Cb Protection BigFix Connector

• Troubleshooting

• Uninstall


Obtain an API Token

The BigFix integration service must pull information using Bit9 APIs. For this to occur, you must obtain an API token using the Cb Protection console.

For access control, it is a best practice to have a separate console user for each API client with the minimum required access controls. However, the API client must have access permissions similar to what would be required to access the same objects through the Cb Protection console. For example, if an API client needs access to the “event” object, the user associated with an API token used in the client must have the “View events” permission.

The BigFix integration service requires the View files permission.

To create an API user and get its API token:

1. In the Cb Protection console, navigate to Administration > Login Accounts.

2. Select the Groups tab and click Add Group.

3. On the Add Group page:

a. Provide a Name, such as APIConnectorExtensions.

b. Provide a Description.

c. Select the check box for each permission required for your client.

Note:

Some permissions depend upon others. You must have permissions to view an object if you also intend to change it.

4. When you have configured the group, click Enabled in the Status line and click Save at the bottom of the page.

5. Select the Users tab.

6. On the Login Accounts: Users page, click Add User.

7. On the Add User page:

a. Provide a User Name, such as BigfixConnectorAPIUser.

b. Provide a Password.

c. Select the Group you created above.

8. The BigFix integration service requires the “View files” permission. Be sure to grant this permission to the new user.

9. Provide information in any other fields as needed.

10. At the bottom of the page, select the Show API token checkbox and click Generate.

11. A string of characters appears in the API Token box.


12. Copy the API Token somewhere so that you can use it later for your API code. Also, take note of the login user name with which it is associated.

13. Click the Save button at the bottom of the page.

Note:

The API Token should not be used in any way that displays it in clear text. If the API Token is compromised, open the Edit Login Account page for the API user, check the Show API token box, click Generate to produce a new token, and then click Save. Then, use the new token for authentication.

To disable API access for a user that currently has permission, follow the steps above but click Clear instead of Generate. If server hardening is required, all API access should be removed.

Requirements

Cb Protection BigFix connector integration supports the following:

• OS Version: Windows Server 2008 R2

• Preferred System Type: 64-bit Operating System

• Cb Protection Server 7.2.3 Patch 3+ and 8.0+

Install the Cb Protection BigFix Connector

Install the Cb Protection BigFix connector as follows:

1. Download and launch the Cb Protection BigFix connector installation MSI.

2. Install the MSI using the default options.

3. At the end of the installation, a new Windows service is installed called “Cb Protection BigFix Connector”. The service will be stopped following installation but configured to auto-start on boot.

4. Configure the connector using the steps in Configure the Cb Protection BigFix Connector.

5. Then, manually start the service using the Windows Services Panel (services.msc).

Configure the Cb Protection BigFix Connector

Edit the configuration file, shown below at its default installation location. If you choose a different directory during the connector installation, use your chosen path instead.

C:\Program Files\Carbon Black\Cb Protection BigFix Connector\config.ini

1. Under the cb-protection-comms heading, enter the URL of the Cb Protection console and the API token that you obtained in Obtain an API Token.


url = https://<dns-name>:<port>/

api_token = <api_token>

2. Under the bigfix-comms heading, enter the DNS or IP address and the network port for the Cb Protection server’s API interface (not the web console). The default port is 52311. Also, provide the username and password for accessing the BigFix server.

url = <dns_name>:<api_network_port>

username = <bigfix_api_username>

password = <bigfix_api_password>

3. Under the bigfix-comms heading, enter the BigFix custom site name. This must be the exact site name that is used when configuring the BigFix side of this integration:

bigfix_custom_site_name = <site name>

Note:

If this is the first time configuring the connector, enable the service at this point via the Windows Service Panel to begin sending data from the Cb Protection server to the BigFix server.

Troubleshooting

If problems occur, check the log file located at:

C:\Program Files\Carbon Black\Cb Protection BigFix Connector\connector.log

You can also increase the logging level using the config.ini file within the same folder.

If there are error messages about connectivity problems, double check your hostname settings and API tokens/passwords used to connect to the Cb Response and BigFix servers.

If you experience issues related to starting or stopping the Windows service, or it appears the connector is not logging any output to the previously mentioned log file, check the Windows System log (viewable in Event Viewer) to see if any errors are being reported related to the connector service. If so, uninstall the connector and reinstall it using the MSI’s default options.

If you have further problems, reach out to your customer support representative for additional assistance.

Uninstall

To uninstall the Windows service:

1. Open Add/Remove Programs from within the Control Panel.

2. Find the Cb Protection BigFix connector and click Uninstall. This shuts down the service and removes all files related to the connector from the disk.


Configure Cb Response BigFix Connector

The Cb Response BigFix connector:

1. Listens for data from a Cb Response server through the Cb Event Forwarder.

2. Processes the received data.

3. Sends the data over to BigFix.

This connector provides these services:

• Alerts BigFix about vulnerable applications that are running on endpoint devices.

• Suggests connections between vulnerable applications and watchlist hits.

• Automatically creates BigFix Fixlets to remove banned binaries from the endpoint systems that attempted to execute them.

The connector requires an installed and properly configured Cb Event Forwarder and API authentication information for both the Cb Response and IBM BigFix servers.

The following topics are covered in this section:

• Requirements

• Enable the NVD Feed in Cb Response

• Installation

• Obtain an API Token

• Obtain a BigFix API Username and Password

• Required BigFix Permissions

• Configure the Integration

• Starting and Stopping the Connector

• Troubleshooting

• Uninstall

Requirements

Cb Response BigFix connector integration requires the following:

• Cb Response Server version 5.1.1+ and 5.2.0+. For more information, see the Cb Response User Guide.

• Cb Event Forwarder version 3.0 or newer. For more information, see the Install Cb Event Forwarder section.

• Installation on a Cb Response server (or a server running either CentOS 6 or Red Hat 6).

• Network connectivity to the BigFix API from the server where the connector is installed.


Enable the NVD Feed in Cb Response

In the Cb Response console, enable the NVD feed as follows:

1. Log into the Cb Response console.

2. Navigate to Detect > Threat Intelligence.

3. Locate the National Vulnerability Database (NVD) option.

4. Select Enabled.

In addition to enabling the built-in NVD feed, also add the updated NVD feed, which provides a much richer and personalized feed, through the following process:

1. Log into the Cb Response Console.

2. Navigate to Detect > Threat Intelligence.

3. Click the Add New Feed button in the top-right corner of the page.

4. In the Feed URL field, enter the following URL:

https://threatintel.bit9.com/api/v1/cbfeed/feed/nvdeap


5. Click Save.

6. You should now see two NVD feeds at the bottom of the page. Ensure both are enabled.

Installation

To install the Cb Response BigFix connector, perform the following steps as “root” on the target Linux system:

1. Install the CbOpenSource repository if it is not already installed:

cd /etc/yum.repos.d

curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

2. Install Cb Event Forwarder. For more information, see the Install Cb Event Forwarder section.

3. Install the Cb Response BigFix connector RPM using YUM:

yum install cb-response-bigfix-connector


Obtain an API Token

To obtain a Cb Response API token:

1. Log into the Cb Response server with the appropriate account.

2. When you are logged in, in the Cb Response console menu, select username > My Profile.

3. On the My Profile page, click API Token in the left menu.

4. Copy the displayed API token to a temporary location such as in Notepad. You will need this in the next section, Configure the Integration.

Obtain a BigFix API Username and Password

Obtain a dedicated, separate BigFix operator account for this integration. This account will be used for the dashboard data variables that interface with the plugin as well as the banned files Fixlets.


Required BigFix Permissions

Master operators can access the IBM BigFix Console to change permissions. Users must have certain permissions to read and write to the BigFix Manage Vulnerable Computers dashboard and Fixlet APIs. For more information, see:

http://www.ibm.com/support/knowledgecenter/SS6MCG_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_understanding_operator_rights.html

To set required BigFix permissions:

1. In the IBM BigFix Console, navigate to All Content > Operators.

2. Select the appropriate Operator.

3. Navigate to the Details tab and set the following:

a. Under Permissions, set Custom Content to Yes.

b. Under Interface Login Privileges, set Can use REST API to Yes.


Configure the Integration

Edit the following file using this procedure:

/etc/cb/integrations/bigfix/connector.config

1. Under the cb-event-forwarder heading, enter the port through which Cb Response will receive data from Cb Event Forwarder. The default value is 9999.

listen_port = <portnumber>

2. Under the cb-enterprise-response heading, enter the URL of the Cb Response server and the API token that you obtained in the Obtain an API Token section.

Note:

Make sure the API token has access permissions to all feed and watchlist configuration. A global administrator token is required for this.

url = https://<dns-name>:<port>/

api_token = <api_token>

3. Under the ibm-bigfix heading, enter the DNS or IP address and the network port for the server’s API interface (not web console). The default port is 52311. Also, provide the username and password for accessing the BigFix server.

Note:

On the BigFix side, users must have certain permissions to read/write to the BigFix dashboard and Fixlet APIs (see BigFix Permissions).

url = <dns_name>:<api_network_port>

username = <bigfix_api_username>

password = <bigfix_api_password>

4. Under the ibm-bigfix heading, enter the BigFix custom site name. This must be the exact site name that is used when configuring BigFix side of this integration:

bigfix_custom_site_name = <site name>

5. Under the integration-core heading, enter the names of the watchlists you would like the connector to use as “security events”. Cb Response uses hits on these watchlists to implicate a vulnerable process as the potential cause of the detected issue.

You can choose which watchlists are listened to. By default, Cb Response listens to the built-in watchlist “Alliance: VirusTotal Score > 3”, but Carbon Black highly recommends inserting your own watchlists that represent your environment. Hits on these watchlists will be considered indicators of compromise for your environment and trigger this connector’s processing to indicate suspected vulnerabilities linked to the compromise within the BigFix console.

integration_implication_watchlists = [
"<watchlist_name>",
"<watchlist2_name>",
...
]
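To make the connector's input side concrete: it sits on listen_port, reads the forwarder's newline-delimited JSON, and treats only hits on the watchlists named in integration_implication_watchlists as security events. The following Python is an added example written for this guide, not the cb-response-bigfix-connector code, which this document does not reproduce. The event field names type and watchlist_name are assumed to follow the forwarder's EVENTS.md schema linked earlier; the watchlist names and the sample events are constructed.

```python
"""Added example: the receiving end of the Cb Event Forwarder -> BigFix
connector link. Not the connector's own code. Assumes the forwarder sends
one JSON document per line (output_type=tcp, output_format=json) with the
'type' and 'watchlist_name' fields described in the forwarder's EVENTS.md."""
import json
import socketserver

# Mirrors integration_implication_watchlists in connector.config. The first
# name is the built-in default the guide mentions; the second is constructed.
IMPLICATION_WATCHLISTS = {
    "Alliance: VirusTotal Score > 3",
    "Corp: Office spawning scripting hosts",
}

# Constructed forwarder output: one JSON document per line, plus a
# deliberately malformed line to show how the listener treats it.
SAMPLE_STREAM = b"\n".join([
    json.dumps({"type": "watchlist.hit.process",
                "watchlist_name": "Alliance: VirusTotal Score > 3",
                "hostname": "WS-0042",
                "process_guid": "00000001-0000-0abc-01d2-3456789abcde"}).encode(),
    json.dumps({"type": "watchlist.hit.process",
                "watchlist_name": "Informational: New Binaries",
                "hostname": "WS-0042",
                "process_guid": "00000001-0000-0abd-01d2-3456789abcdf"}).encode(),
    json.dumps({"type": "ingress.event.procstart",
                "hostname": "WS-0043"}).encode(),
    b"{this is not json",
]) + b"\n"


def is_security_event(event, watchlists=IMPLICATION_WATCHLISTS):
    """A watchlist hit counts as a security event only when it comes from one
    of the configured implication watchlists; everything else is ignored."""
    kind = event.get("type", "")
    hit = kind.startswith("watchlist.hit.") or kind.startswith("watchlist.storage.hit.")
    return hit and event.get("watchlist_name") in watchlists


def parse_stream(buf, watchlists=IMPLICATION_WATCHLISTS):
    """Split newline-delimited JSON into events.
    Returns (security_events, malformed_line_count)."""
    hits, malformed = [], 0
    for line in buf.split(b"\n"):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except ValueError:
            malformed += 1  # count it and move on; one bad line must not stop intake
            continue
        if isinstance(event, dict) and is_security_event(event, watchlists):
            hits.append(event)
    return hits, malformed


class ForwarderHandler(socketserver.StreamRequestHandler):
    """Handles one TCP connection from cb-event-forwarder (output_type=tcp)."""

    def handle(self):
        for line in self.rfile:
            hits, malformed = parse_stream(line)
            for hit in hits:
                print("security event on", hit.get("hostname"),
                      "from watchlist", hit["watchlist_name"])
            if malformed:
                print("dropped", malformed, "malformed line(s) from", self.client_address)


def serve(port=9999):
    """Bind the connector-side listener (listen_port in connector.config).
    Loopback only, matching the default same-host tcpout=localhost:9999."""
    with socketserver.ThreadingTCPServer(("127.0.0.1", port), ForwarderHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Running the module starts the listener on 9999; pointing a forwarder's tcpout at it shows which hits would trigger the connector's processing. Binding to loopback matches the default deployment in this guide, where forwarder and connector share a host; a forwarder on another machine would need the listener bound to a reachable interface and the port opened accordingly.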


Starting and Stopping the Connector

Once the Cb Response BigFix connector is installed, the integration automatically registers to be launched upon startup. However, immediately after the installation, the connector remains inactive to allow for user configuration.

Start Connector

When you have finished the Cb Response BigFix connector configuration, start the service as follows:

sudo start cb-response-bigfix-connector

Note that when the connector starts it creates a special watchlist for this integration. The watchlist is a product of the feed names indicated in the advanced section of the configuration file and could be updated at any time. Therefore, do not rely on this watchlist for reasons beyond that required by this connector.

Restart Connector

If you make additional configuration changes, restart the connector using this command:

sudo restart cb-response-bigfix-connector

Stop Connector

To temporarily stop the connector, use this command:

sudo stop cb-response-bigfix-connector

Note:

The service resumes upon reboot. If you want the service to remain powered off, follow the instructions in the Uninstall section.

Troubleshooting

If you notice problems with the Cb Response BigFix connector (or if you are prompted by a support professional to provide detail in troubleshooting efforts), you may be asked to provide the log file for the Cb Response BigFix connector. The output log file for the connector is located at:

/var/log/cb/bigfix/connector.log

Any issues during startup of the connector service can be found in:

/var/log/cb/bigfix/connector.errors

By default, the logging level is set to a minimal level. If you need more detailed logging, alter the log level within the configuration file here:

/etc/cb/integrations/bigfix/connector.config

default_log_level = ERROR

Select one of the following log levels:

• CRITICAL

• ERROR

• WARNING

• INFO

• DEBUG


Note:

Remember to lower the log level after you have collected the information you need. Otherwise, the log file can become extremely large.


Uninstall

To uninstall the Cb Response BigFix connector, run this YUM command:

yum remove cb-response-bigfix-connector

Banned Files

The Cb Protection BigFix connector pulls the list of banned files from Cb Protection and sends them to BigFix in the form of Fixlets, which can be executed by an administrator. A single Fixlet is created per SHA1 of a banned file. If a Fixlet for a SHA1 hash already exists, its contents are replaced by the new data from the Cb Protection server. This can mean that the Fixlet becomes longer (for example, if the file is detected in additional locations) or shorter (for example, if the file has been deleted and is located in fewer locations). The Cb Protection BigFix connector makes administrators aware of unwanted files so they can remove them from within the environment. For example, if a malware infection is detected and banned, this service allows BigFix to delete all offending files directly off of the endpoint without requiring future manual intervention.

When Cb Protection or Cb Response bans files, they become BigFix Fixlets. Two different paths are used for this:

Cb Protection

When files are banned in the Cb Protection interface, the following occurs:

1. The Cb Protection BigFix connector service, which has access to the server’s API, downloads the list of file locations for all banned files from the server.

2. The service creates new (or updates existing) Fixlets. It creates a single Fixlet per SHA1 hash (banned file) and sends these to the BigFix server with the new location.

3. The BigFix operator can run the Fixlet at any time to delete the banned files.

Cb Response

When files are banned in the Cb Response interface, the following occurs:

1. When a banned file is executed and blocked, the Cb Response server sends a notification through the Cb Event Forwarder.

2. The Cb Response BigFix connector (which is always listening to the Cb Event Forwarder) identifies the blocked execution event.

3. The service creates new (or updates existing) Fixlets. It creates a single Fixlet per MD5 hash (banned file) and sends these to the BigFix server with the new location.

4. The BigFix operator can run the Fixlet at any time to delete the banned files.

Note:

Unlike Cb Protection, Cb Response can only remove the banned files that have attempted to execute. This might not include all file instances within the enterprise.
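The two paths above differ in what they can see, but both end in the same artifact: one Fixlet per hash, rebuilt from the latest data rather than merged with the old. The following Python is an added example, not the connectors' own code, showing that rebuild for a Cb Protection snapshot (SHA1, every known location, two successive pulls) and for Cb Response blocked executions (MD5, only the copies that tried to run). The hashes and paths are constructed placeholders, and the relevance and action text (exists file ... whose (sha1 of it ...), if / delete / endif) is an assumed illustration in BigFix's relevance and action languages, not the wording the product generates.

```python
"""Added example: per-hash Fixlet content for banned files, rebuilt from a
full snapshot so a Fixlet can grow or shrink between refreshes. Not the
connectors' code; hashes, hosts and paths are constructed, and the
relevance/action strings are an assumed illustration of BigFix syntax."""

# Constructed hash values (not real file indicators).
SHA1_A = "0123456789abcdef0123456789abcdef01234567"
MD5_B = "fedcba9876543210fedcba9876543210"

# Cb Protection path: the connector pulls every known location of each banned
# file from the server. Two successive snapshots of the same file.
PROTECTION_SNAPSHOT_1 = [
    {"sha1": SHA1_A, "hostname": "WS-0042", "path": r"C:\Users\jdoe\Downloads\invoice.exe"},
    {"sha1": SHA1_A, "hostname": "WS-0107", "path": r"C:\Temp\invoice.exe"},
]
PROTECTION_SNAPSHOT_2 = [  # the copy on WS-0107 has since been deleted
    {"sha1": SHA1_A, "hostname": "WS-0042", "path": r"C:\Users\jdoe\Downloads\invoice.exe"},
]

# Cb Response path: only blocked execution attempts are seen, via the forwarder.
RESPONSE_BLOCKED_EXECUTIONS = [
    {"md5": MD5_B, "hostname": "WS-0042", "path": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
]


def relevance_for(paths, hash_field, digest):
    """Relevant only where a listed path exists and still carries the banned
    hash, so a legitimate file later placed at the same path is left alone."""
    return " OR ".join(
        f'exists file "{p}" whose ({hash_field} of it as lowercase = "{digest}")'
        for p in paths)


def action_for(paths, hash_field, digest):
    """Action script: delete each path only after re-checking its hash."""
    lines = []
    for p in paths:
        lines.append(f'if {{exists file "{p}" whose ({hash_field} of it as lowercase = "{digest}")}}')
        lines.append(f'delete "{p}"')
        lines.append("endif")
    return "\n".join(lines)


def build_fixlets(locations, hash_field):
    """One Fixlet per hash, built from a complete snapshot of locations."""
    by_hash = {}
    for loc in locations:
        entry = by_hash.setdefault(loc[hash_field], {"hosts": set(), "paths": set()})
        entry["hosts"].add(loc["hostname"])
        entry["paths"].add(loc["path"])
    fixlets = {}
    for digest, entry in by_hash.items():
        paths = sorted(entry["paths"])
        fixlets[digest] = {
            "title": f"Carbon Black banned file {hash_field.upper()} {digest}",
            "hosts": sorted(entry["hosts"]),
            "paths": paths,
            "relevance": relevance_for(paths, hash_field, digest),
            "action": action_for(paths, hash_field, digest),
        }
    return fixlets


def refresh(existing, snapshot, hash_field):
    """Apply a new snapshot: each hash's Fixlet is replaced wholesale, which is
    why it can get longer or shorter. Returns (new_fixlets, change_per_hash)."""
    new = build_fixlets(snapshot, hash_field)
    changes = {}
    for digest, fixlet in new.items():
        if digest not in existing:
            changes[digest] = "new"
        else:
            before, after = len(existing[digest]["paths"]), len(fixlet["paths"])
            changes[digest] = "grew" if after > before else "shrank" if after < before else "unchanged"
    return new, changes


if __name__ == "__main__":
    first = build_fixlets(PROTECTION_SNAPSHOT_1, "sha1")
    second, changes = refresh(first, PROTECTION_SNAPSHOT_2, "sha1")
    print(changes, second[SHA1_A]["paths"])
    print(build_fixlets(RESPONSE_BLOCKED_EXECUTIONS, "md5")[MD5_B]["action"])
```

The hash re-check in both the relevance and the action is the design point: the Fixlet is keyed by hash, so a computer where the path now holds a different file should neither report relevant nor have that file deleted. The Cb Response variant feeds the same builder with only the executing copies, which is exactly the limitation the note above describes.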


Banned files configuration in BigFix

To host the Fixlets associated with the banned files, you must create and configure a custom site in the BigFix console.

For information about how to create and configure a custom site in BigFix, see:

https://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Console/c_creating_custom_sites.html

You must subscribe the computers on which you would like to manage banned files to the site.

Assign Read access to the custom site to the console operators who need permissions to take action on the banned files Fixlets (to delete the files, for example).

Assign Write privileges to the custom site to the console operator leveraged for the Cb Response plugin, that is, the console operator who has REST API access and custom content rights. This console operator needs Write privileges to the custom site to create the banned file Fixlets.

The name of the custom site that you create in BigFix must be leveraged in a configuration element on the Cb Response and Cb Protection plugins to allow them to know in which site to create the Fixlets.

After the site is set up correctly and the correct permissions assigned, the BigFix operator can run the Fixlets at any time to delete the banned files.

Remediate Vulnerabilities with the BigFix Manage Vulnerable Computers Dashboard

Note:

The Cb Protection BigFix and Cb Response connector integration discussed in this document assumes that you have already installed and configured IBM BigFix and have existing BigFix users.

Cb Response provides security intelligence for protecting assets and information from advanced threats. BigFix provides a dashboard that is integrated with Cb Response. From this dashboard, you can view and remediate vulnerabilities that are detected by Cb Response. You can also quarantine and unquarantine computers.

Before you can install and use the Manage Vulnerable Computers dashboard, you must have a license. Separately, you must have Cb Response installed and configured to monitor your endpoints.

This section describes how to set up, install, and use the Manage Vulnerable Computers dashboard to remediate vulnerabilities and quarantine or unquarantine computers.

The following topics are covered in this section:

• Enable Carbon Black and BigFix to Communicate

• Terminology

• Overview and getting started

• At a glance: Manage Vulnerable Computers dashboard

• BigFix Permissions

• Requirements

• Accessing the site

• Installing the Manage Vulnerabilities plugin

• Configuring the Manage Vulnerable Computers plugin

• Viewing computer details

• Quarantining computers

• Un-quarantining computers

• Viewing Common Vulnerability Exposures (CVEs) and associated Fixlets

• Viewing actions

• Common problems and troubleshooting

Enable Carbon Black and BigFix to Communicate

To enable Cb Response and BigFix to communicate, you must complete some short configuration steps in Cb Response. For information about how to complete the Carbon Black configuration, see the previous sections in this document:

• Configure Cb Event Forwarder

• Configure BigFix Tamper Protection in Cb Protection

• Configure Cb Protection BigFix Connector

• Configure Cb Response BigFix Connector

Terminology

The following terms are used in this guide and displayed on the Manage Vulnerable Computers dashboard:

CVEs: The CVEs associated with vulnerable applications that have recently been run in the enterprise. For example, if a vulnerable version of an application is launched somewhere in the enterprise, the CVEs are the vulnerabilities that that particular version of the application is susceptible to.

Impacted Computers: The computers for which CVEs were detected. For example, if 5 computers in the enterprise are running a version of a vulnerable application, there will be 5 Impacted Computers for the CVEs.

Targeted CVEs: If there is a security alert on a process related to a CVE, the CVE is upgraded to a Targeted CVE. This indicates that for some vulnerable application, there is a suspicion it was involved in a security event.

Targeted Computers: The endpoints for which the CVEs were upgraded to Targeted CVEs.

Actionable CVEs: CVEs for which there is content available to remediate.
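The definitions above amount to a small aggregation over what the connector observes per computer. The following Python is an added example, not part of the BigFix dashboard or the Cb Response connector; it derives the dashboard's figures (impacted computers per CVE, targeted CVEs and computers, actionable CVEs, and the per-computer CVE columns) from constructed records. The CVE identifiers are placeholders, and the record layout is an assumption, since the connector's data model is not described in this document.

```python
"""Added example: derive the Manage Vulnerable Computers dashboard figures
from the Terminology definitions. Not product code; records, CVE ids and
the record layout are constructed for illustration."""
from collections import defaultdict

# One record per vulnerable application seen running on a computer, with the
# CVE identifiers the NVD feed attached to that version (placeholder ids).
OBSERVATIONS = [
    {"computer": "WS-0042", "app": "pdfreader 11.0.0", "cves": {"CVE-0000-0001", "CVE-0000-0002"}},
    {"computer": "WS-0043", "app": "pdfreader 11.0.0", "cves": {"CVE-0000-0001", "CVE-0000-0002"}},
    {"computer": "WS-0044", "app": "javart 7.0.1", "cves": {"CVE-0000-0003"}},
]
# Security alerts (implication-watchlist hits) on a process of that application.
ALERTS = {("WS-0042", "pdfreader 11.0.0")}
# CVEs for which BigFix remediation content (a Fixlet) exists.
FIXLET_CVES = {"CVE-0000-0001", "CVE-0000-0003"}


def summarize(observations, alerts, fixlet_cves):
    """Apply the Terminology definitions to the observations."""
    impacted = defaultdict(set)  # CVE -> computers on which it was detected
    targeted_cves, targeted_computers = set(), set()
    per_computer = defaultdict(lambda: {"cves": set(), "targeted": set(), "actionable": set()})
    for obs in observations:
        comp, cves = obs["computer"], obs["cves"]
        for cve in cves:
            impacted[cve].add(comp)
        row = per_computer[comp]
        row["cves"] |= cves
        row["actionable"] |= cves & fixlet_cves
        # A security alert on the process upgrades its CVEs to Targeted CVEs
        # and the endpoint to a Targeted Computer.
        if (comp, obs["app"]) in alerts:
            targeted_cves |= cves
            targeted_computers.add(comp)
            row["targeted"] |= cves
    return {
        "impacted_computers": {cve: len(comps) for cve, comps in impacted.items()},
        "targeted_cves": targeted_cves,
        "targeted_computers": targeted_computers,
        "actionable_cves": set(impacted) & fixlet_cves,
        "per_computer": {c: {k: len(v) for k, v in row.items()} for c, row in per_computer.items()},
    }


def most_widespread(summary, n=3):
    """The 'sort by the CVEs column' view: CVEs ordered by impacted computers."""
    return sorted(summary["impacted_computers"].items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    result = summarize(OBSERVATIONS, ALERTS, FIXLET_CVES)
    print("targeted computers:", sorted(result["targeted_computers"]))
    print("most widespread CVEs:", most_widespread(result))
```

The ordering used by most_widespread is the triage view the dashboard text describes: a CVE present on many computers and also targeted on one of them outranks a CVE seen once, and actionable CVEs are the subset an operator can clear from the dashboard with a Fixlet.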

Overview and getting started BigFix provides a dashboard from which you can view and remediate Cb Response vulnerability data.

The Manage Vulnerable Computers dashboard lists the CVEs, associated CVSS risk score, and

Page 38: BigFix a IBM BigFix and Carbon Black Integration

38

identifies the targeted computers and impacted computers. The dashboard provides a list of the Fixlets

that are available for CVEs. Fixlets are the BigFix packages for the corrective action to remediate

CVEs and security threats. You can also quarantine or unquarantine computers from the Manage

Vulnerable Computers dashboard.

To use the Manage Vulnerable Computers dashboard to view Cb Response vulnerability data, you

must complete three simple steps in BigFix:

Acquire the Manage Vulnerabilities site.

Install the Manage Vulnerable Computers dashboard plugin.

Configure the Manage Vulnerable Computers plugin.

Use the documentation in the following sections to complete each of the tasks in BigFix.

Attention:

You must also complete some configuration steps in Cb Response to enable Cb

Response to communicate with BigFix.

At a glance: Manage Vulnerable Computers dashboard

The Manage Vulnerable Computers dashboard identifies the risk assessment data from Cb Response, enabling you to immediately identify the computers that are most at risk. The dashboard provides details of computers that have been targeted in an attack, known as targeted computers, and also shows the number of impacted computers. It also shows the number of CVEs associated with each computer, the number of targeted CVEs for each computer, and the number of actionable CVEs for each computer. The dashboard lists the Fixlets that are available for CVEs. You can run the Fixlets from the Manage Vulnerable Computers dashboard to secure the vulnerable computers.

Cb Response connects to BigFix and sends vulnerability data to the BigFix server. The Manage Vulnerable Computers dashboard displays this enriched risk assessment data. By checking the Show Computers that have Relevant Fixlets option, you can filter the list to show only computers for which there are relevant Fixlets. The following graphic shows an example of the Computers tab on the dashboard. You can filter the computers by columns. For example, by clicking the CVEs column, you can see which CVEs are impacting most of your computers, quickly giving you a view of the most serious problems in your deployment.


BigFix Permissions

Master operators can access the IBM BigFix Console to change permissions. Users must have particular permissions to read/write to the BigFix Manage Vulnerable Computers dashboard and Fixlet APIs. For more information, see: http://www.ibm.com/support/knowledgecenter/SS6MCG_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_understanding_operator_rights.html.

To set required BigFix permissions:

1. In the IBM BigFix Console, navigate to All Content > Operators.
2. Select the appropriate Operator.
3. Navigate to the Details tab and set the following:
   a. Under Permissions, Custom Content should be set to Yes.
   b. Under Interface Login Privileges, Can use REST API should be set to Yes.


Requirements

Ensure that your system meets the requirements for the Manage Vulnerable Computers dashboard to work correctly.

The Manage Vulnerable Computers dashboard has the following requirements:

Cb Response v5.1 or later is supported.

BigFix console version 9.2.6 is recommended.

BigFix client version 4.1.8 or later.

The BES Server Plugin Service must be installed on the BigFix server and must be configured correctly. If you need to install the BES Server Plugin Service, go to the Endpoint Protection domain, click Manage Vulnerabilities > Setup and Maintenance > Fixlets and Tasks and run the Install BES Server Plugin Service Fixlet, targeting the BigFix server.

BigFix Web Reports must be set up and running for the Manage Vulnerable Computers plug-in to work correctly. For information about configuring Web Reports, see BigFix Web Reports.

Your computers must be subscribed to the site that contains the Fixlet and patch content.

If you are not a master operator, you must be subscribed to the site that contains the Fixlet and patch content.

As an operator, you must have permissions to manage the computers that are subscribed to the site. For information about how operators are assigned permissions to computers, see http://www.ibm.com/support/knowledgecenter/SS63NW_9.5.0/com.ibm.bigfix.doc/Platform/Console/c_adding_local_operators.html.

To quarantine and un-quarantine computers, you must set up a policy action for both the Quarantine and Un-quarantine Fixlets. To set up the policy actions, use the following example, which shows how to set up the policy action for quarantining computers:

1. From the Endpoint Protection domain, select Manage Vulnerabilities > Setup and Maintenance > Fixlets and Tasks.
2. Select the Quarantine Microsoft Windows computers Fixlet and review the information in the Fixlet description.
3. Click Take Action.
4. On the Targets tab in the Take Action dialog, select the Dynamically target by property option, and select All Computers.
5. On the Execution tab, clear the Ends on check box, check the Reapply this action check box with the whenever it becomes relevant again option selected, and clear the Limit to check box.
6. Click OK to set up the policy action.

Complete a similar procedure to set up the policy action for the un-quarantine Fixlet. Set up the un-quarantine policy action on the Un-quarantine Microsoft Windows computers Fixlet from Manage Vulnerabilities > Setup and Maintenance > Fixlets and Tasks.

Accessing the site

The Manage Vulnerable Computers dashboard runs from the BigFix Endpoint Protection domain. Before you can access the Manage Vulnerable Computers dashboard, you must acquire the Manage Vulnerabilities site and accept the license agreement. After you acquire the Manage Vulnerabilities site, you must gather the contents of the site to your console. You must also subscribe your computers to the site so that they can access the content.


About this task

You cannot access the Manage Vulnerabilities site unless you have a license for BigFix Compliance. For information about getting a license, see BigFix Licensing.

The procedure for acquiring the Manage Vulnerabilities site and gathering the contents of the site is similar to the procedure for other BigFix applications and sites.

Procedure

1. From the BigFix console, go to the BigFix Management domain and click License Overview.
2. Go to the BigFix Compliance section of the License Overview dashboard.
3. Click Enable for the Manage Vulnerabilities site. The Manage Vulnerabilities site is made available on your console. It typically takes a few minutes for the contents to become available on your system.
4. From the All Content domain, subscribe the computers that you want to manage from the Manage Vulnerable Computers dashboard to the Manage Vulnerabilities site.

Installing the Manage Vulnerabilities plugin

Before you can view Cb Response vulnerability data from the BigFix console, you must install a plugin. The plugin processes data for the Manage Vulnerable Computers dashboard to display. To install the plugin, you run a Fixlet. There is a separate installation Fixlet available for Windows and Linux. When running the installation Fixlet, you must target the BigFix server.

Before you begin

Before installing the plugin, complete the following prerequisites as necessary:

The BES Server Plugin Service must be installed on the BigFix server and must be configured correctly.

Create a new console user for the installation with master operator privileges.

After you install the BES Server Plugin Service on the server, enable encryption of the credentials for the BigFix REST API by running the Configure REST API credentials for BES Server Plugin Service Task from the Fixlets and Tasks node of the All Content domain:

1. Click the Configure REST API credentials for BES Server Plugin Service Task. The user interface from which you must start the encryption enablement Task is displayed.
2. Enter the user name and password for the master operator user that you created. This creates an encrypted password.
3. Click Take Action and specify the server where you are installing the Manage Vulnerable Computers dashboard, which is the BigFix server.

Note: The Configure REST API credentials for BES Server Plugin Service Task remains relevant after you run it. You can check the action history to confirm that it ran successfully.

The BigFix client must be installed on the BigFix server and must be version 4.1.8 or later.


About this task

To enable Cb Response and BigFix to communicate, you must complete some short configuration steps in Cb Response. From within BigFix, you must run a Fixlet to install a plugin for the Manage Vulnerable Computers dashboard. This page describes how to install the plugin for the Manage Vulnerable Computers dashboard in BigFix. The installation Fixlet installs the plugin and connects the BigFix server to the Cb Response system. After you install the plugin and complete the configuration that is required in Cb Response, Cb Response posts vulnerability data to the BigFix server using the REST API.

Complete the following steps to install the plugin for the Manage Vulnerable Computers dashboard.

Procedure

1. From the BigFix console, go to the Endpoint Protection domain.
2. Click Manage Vulnerabilities, then Setup and Maintenance, and then select Fixlets and Tasks.
3. Depending on the operating system on which you are installing the plugin, select the Install or Update Manage Vulnerabilities Plugin on Windows or Install or Update Manage Vulnerabilities Plugin on Linux Fixlet.
4. Review the information in the Fixlet description and, if necessary, complete any prerequisite information described.
5. Click Take Action. From the Take Action dialog box, target the BigFix server.
6. Click OK to run the installation Fixlet.

Results

After the Fixlet runs successfully, the dashboard service starts automatically. To open the dashboard on the console, go to the Endpoint Protection domain, click Manage Vulnerabilities, and select Manage Vulnerable Computers.

The plugin is installed in the following location on the BigFix server:

On Windows, the dashboard is installed in the C:\Program Files (x86)\BigFix Enterprise\BES Server\Applications\mvplugin directory.

On Linux, the dashboard is installed in the /var/opt/BESServer/Applications/mvplugin directory.

If you subsequently want to uninstall the plugin, use the Uninstall the Manage Vulnerabilities Plugin on Windows or Uninstall the Manage Vulnerabilities Plugin on Linux Fixlet to remove it.

Uninstalling the plugin

To uninstall the plugin for the Manage Vulnerable Computers dashboard, run a Fixlet.

About this task

To uninstall the Manage Vulnerable Computers dashboard, run the uninstallation Fixlet and target the BigFix server.


Procedure

1. From the BigFix console, go to the Endpoint Protection domain.
2. Click Manage Vulnerabilities, then Setup and Maintenance, and then select Fixlets and Tasks.
3. Depending on the operating system on which you are uninstalling the plugin, select the Uninstall the Manage Vulnerabilities Plugin on Windows or Uninstall the Manage Vulnerabilities Plugin on Linux Fixlet.
4. Review the information in the Fixlet description and, if necessary, complete any prerequisite information described.
5. Click Take Action. From the Take Action dialog box, target the BigFix server.
6. Click OK to run the uninstallation Fixlet.

Configuring the Manage Vulnerable Computers plugin

After you install the Manage Vulnerable Computers plugin, you must run a Fixlet to complete some short configuration steps. This Fixlet automatically configures how Cb Response data scans are handled for the Manage Vulnerable Computers dashboard in BigFix. When running this Fixlet, you can also change the expiration period for vulnerability data as displayed on the Manage Vulnerable Computers dashboard. This change is optional; the default value is 30 days.

About this task

You must run this Fixlet to configure the plugin.

Important: The default setting for the CVE expiration period is 30 days. The default value for the MaxEventStoreDays property (process document expiration) in Cb Response is 60 days. If you do not change either the Cb Response default value or the BigFix CVE expiration period default value, it is likely that there will be discrepancies between CVE data in BigFix and Carbon Black.

Complete the following steps to configure the plugin.

Procedure

1. From the Endpoint Protection domain, click Manage Vulnerabilities > Setup and Maintenance > Fixlets and Tasks.
2. Select the Configure the Manage Vulnerabilities Plugin Fixlet.
3. Ignore the first parameter value. This is automatically set to False and cannot be changed.
4. Optionally, change the configuration setting that controls the expiry period (in days) for vulnerability data received from Carbon Black. The default setting is 30 days. After the number of days that you specify have elapsed, if the vulnerability has not been reported by Carbon Black again, the vulnerability is no longer displayed on the dashboard. For example, if the expiry is set to 25 days, and Carbon Black reports an endpoint with a vulnerability but does not report that same vulnerability on that endpoint again within the 25 days, that vulnerability is no longer reported on the dashboard. If a vulnerability is reported a second time, the new timestamp is added to the vulnerability and the 25 day expiry for that vulnerability is reset to the new scan date. The maximum value that you can choose is 60 days and the minimum is 1 day.
5. To run the Fixlet, click Take Action and target the BigFix server.


Viewing computer details

From the Manage Vulnerable Computers dashboard, you can view all of the computers that you manage for which Cb Response has sent vulnerability information. You can view the computer ID, computer name, operating system, quarantine status, targeted CVEs, CVEs, and actionable CVEs for each computer. You can also quarantine and un-quarantine computers.

About this task

The Computers tab in the Manage Vulnerable Computers dashboard provides you with a view of all the computers that you manage in BigFix for which Cb Response sends vulnerability information. From the Search field, you can search for computers. The following graphic shows an example of the Computers view. In the computers list, the computers that the BigFix operator manages are displayed. The CVEs column shows all of the CVEs associated with each computer as detected by Cb Response. The currency of the CVE data is controlled by the value that you specify in the Configure Manage Vulnerabilities Plugin Fixlet when configuring the plugin (see Configuring the Manage Vulnerable Computers plugin). In this example, there are 70 CVEs. The Targeted CVEs column shows the number of CVEs related to attacks on computers and the Actionable CVEs column shows the number of CVEs for which you can take action to remediate. This view also shows the computer ID, the computer name, operating system, and quarantine status. In the lower part of the screen, the CVEs list shows each of the CVEs that are impacting the selected computer. Beside these CVEs, any Fixlet that is available for the currently selected CVE is shown. To run the Fixlet to remediate the currently selected CVE, the operator selects the Fixlet and then clicks the Take Default Action button.

In this graphic, the Show Computers that have Relevant Fixlets check box is highlighted. By checking this, only computers for which there are relevant Fixlets are displayed. If you clear this check box, all computers are displayed, including computers for which there are no relevant Fixlets.


Note: By design, some Fixlets do not have a default action. If a Fixlet for a CVE does not have a default action, you cannot click Take Default Action to run the Fixlet. To run a Fixlet that does not have a default action, click Open Fixlet, then click Take Action. From the Take Action dialog, select an action and target the computers that are impacted by the CVE.

Complete the following steps to view computers that have relevant Fixlets.

Procedure

1. From the Manage Vulnerable Computers dashboard, click the Computers tab.
2. Before you can access the complete functionality of the Computers tab for the first time, you must activate an analysis. Run the analysis if prompted. The CVEs column shows how many CVEs are impacting the currently selected computer.
3. To display only the computers for which there are relevant Fixlets, check the Show Computers that have Relevant Fixlets check box. When you check this box, the total number of computers might be reduced to show only computers for which there are relevant Fixlets. If you do not check this box, all computers are listed.
4. To search for a specific computer, enter some search criteria in the Search field.


Quarantining computers

You can quarantine Microsoft Windows computers from the Manage Vulnerable Computers dashboard. Quarantining a computer isolates it from the network so that the only allowed network traffic is BigFix communication.

Before you begin

You must have the policy action set up for quarantining, as described in the Requirements section.

About this task

The quarantine and un-quarantine feature is available only for Microsoft Windows computers. The Computers tab in the Manage Vulnerable Computers dashboard provides you with a view of all the computers that you manage as a BigFix operator. You can view the computer ID, the computer name, quarantine state, and CVE information for the computers. You can also quarantine computers.

You can quarantine only one computer at a time. To quarantine a computer, you run a Fixlet that identifies that computer as one to be quarantined. The computer is then quarantined by the quarantine policy action Fixlet, which continuously enforces the policy.

Complete the following steps to quarantine a Microsoft Windows computer.

Procedure

1. From the Manage Vulnerable Computers dashboard, click the Computers tab.
2. Select a Microsoft Windows computer that you want to quarantine.
3. Click Quarantine Computer. If your BigFix console version is earlier than version 9.2.6, all computers are loaded in the Take Action screen, rather than only the computer that you selected in the previous step. If you want to load only the computer that you selected in the previous step, upgrade your console to version 9.2.6 or later before proceeding.
4. From the Take Action dialog, select the computer. From the Execution tab, you can schedule a time and date for the quarantine.
5. Click OK to quarantine the computer. After this action completes, the policy action Fixlet detects that the computer needs to be quarantined and quarantines the computer. It might take some time before the status of the computer changes to Quarantined on the dashboard. Click the Refresh icon to refresh the data if the Quarantine Status is slow to update.

Un-quarantining computers

From the Manage Vulnerable Computers dashboard you can see all of the computers that you manage and view CVEs and quarantine data for each computer. You can also quarantine and un-quarantine computers.

About this task

The Computers tab in the Manage Vulnerable Computers dashboard provides you with a view of all of the computers that you manage. You can view the computer ID, the computer name, quarantine state, and CVEs associated with the computers that you manage. You can also quarantine and un-quarantine computers.

You can un-quarantine only Microsoft Windows computers and only one computer at a time.


Complete the following steps to un-quarantine a computer.

Procedure

1. From the Manage Vulnerable Computers dashboard, click the Computers tab.
2. Select the computer that you want to un-quarantine.
3. Click Unquarantine Computer.
4. From the Execution tab on the Take Action dialog box, you can schedule a time for the computer to be un-quarantined, or click OK to un-quarantine the computer immediately.

Viewing Common Vulnerability Exposures (CVEs) and associated Fixlets

The Manage Vulnerable Computers dashboard displays vulnerability data from Cb Response. The vulnerabilities detected by Cb Response are known as Common Vulnerability Exposures (CVEs). This CVE data is displayed in the dashboard for the computers that you control as an operator in BigFix. The Manage Vulnerable Computers dashboard does not display all CVEs detected by Cb Response for all computers.

About this task

From the Manage Vulnerable Computers dashboard, you can view a list of CVEs for the computers that you manage. You can also view the BigFix Fixlets, including any superseded Fixlets, that are available to remediate any particular CVE. Fixlets are the BigFix actions that remediate or fix vulnerabilities.

BigFix provides a large number of Fixlets. For example, the BigFix patch sites contain Fixlets for different operating systems and application patches. For any particular computer to evaluate whether or not a Fixlet is relevant, the computer must be subscribed to the site that contains the Fixlets. For many CVEs, there are Fixlets available to remediate the CVEs. For some CVEs, there might be one or more Fixlets available. By selecting a CVE, you can view any applicable Fixlets for the CVE.


Important: Some CVE data displayed on the Manage Vulnerable Computers dashboard might be slightly out of date. For example, if you run a Fixlet that remediates a CVE, the CVE is not removed from the dashboard until the period that you have configured for the cveTimeoutIntervalInDays property in the Configure Manage Vulnerabilities Plugin Fixlet elapses.

Complete the following steps to view CVEs and the applicable Fixlets that are available for a CVE.

Procedure

1. From the Manage Vulnerable Computers dashboard, click the CVEs tab. The list of CVE data from Cb Response for the computers that you manage is displayed.
2. Select a CVE. Any Fixlets available to correct the CVE are loaded.

You might not see any Fixlets for a CVE in the following cases:

Scenario 1: A Fixlet might not have been developed for the particular CVE.

Scenario 2: A Fixlet or Fixlets might already have been run to remediate the CVE, and there are no remaining relevant Fixlets.

Scenario 3: A Fixlet is available for the CVE, but computers are not subscribed to the site that contains the Fixlet. For Fixlets to be evaluated by computers, the computers must be subscribed to the site. The site must be enabled and the contents must be gathered.

Scenario 4: A Fixlet is available for the CVE, but as an operator, you might not be subscribed to the site that contains the Fixlet. If you are not subscribed to the site that contains the Fixlet, the Fixlet is not displayed.

Scenario 5: A Fixlet is available for the CVE, but it might not be applicable to some computers. The CVE might have been remediated, rendering the Fixlet not relevant on that computer. For example, an operator might have remediated the specific CVE, an application might have been removed, or an application or operating system might have been upgraded. The Actions tab might indicate whether a Fixlet was previously run for the CVE.

Scenario 6: In exceptional circumstances, a Fixlet might have been archived by IBM. Typically, if a Fixlet has been archived, another Fixlet that supersedes it is available, and the superseded Fixlet typically remains available.


3. To view only CVEs for which there are relevant Fixlets, check the Show CVEs that have Relevant Fixlets check box.
4. Click Open Fixlet to view the source Fixlet or click Take Default Action to run the Fixlet to remediate the CVE. If you want to schedule the Fixlet to run during a patch window, click the Execution tab and select the time and date that you want the Fixlet to run. Then click Submit to run the action. To view the processing status for actions, click the Actions tab.

Viewing actions

From the Actions tab on the Computers or CVEs view, you can track the progress of actions that you deployed from the Manage Vulnerable Computers dashboard.

About this task

From the dashboard, you can view the actions that you deployed to run Fixlets and superseded Fixlets. An Actions tab is available from within both the CVEs view and the Computers view.

Complete the following steps to track the progress of actions that you deployed from the CVEs or Computers view.

Procedure

1. From the Manage Vulnerable Computers dashboard, click the CVEs or Computers tab.
2. Click the Actions tab.
3. Select an action to view detailed information about the action execution.

Common problems and troubleshooting

Read this section for information about any known issues using the Manage Vulnerable Computers dashboard.

To help troubleshoot issues using the Manage Vulnerable Computers dashboard, review the following troubleshooting tips:

Verify that the installation is successful

Check that the action for the Install or Update the Manage Vulnerabilities Plugin completed successfully and make sure that the Fixlet is no longer relevant. Allow some time for the action to complete and for the relevance to be evaluated.

Checking for data posted by Cb Response

To check for incoming data from Cb Response, check the dashboard variable under which Cb Response posts data on the BigFix server. On the BigFix server, open the following URL in a browser and log in using your BigFix credentials:

https://127.0.0.1:52311/api/dashboardvariables/MVScan.ojo

Every time that Cb Response sends data to your BigFix server, a unique variable is created under MVScan.ojo. If there are no variables or MVScan.ojo does not exist, Cb Response has not sent any data to the BigFix server. The variable name starts with the date on which the scan was run, for example:

{"name":"20160815.144128.789.1 -Data","timestamp":"20160815.144128.789.1 -Data",
"vendor":"CarbonBlack","version":"1.0","assets":[
{"fqdn":"Computer1","besid":"2222222","cves":[
{"id":"2016-0034","risk":1,"implicated":1},{"id":"2015-6161","risk":1,"implicated":1},
{"id":"2015-1763","risk":1,"implicated":0},{"id":"2015-1762","risk":1,"implicated":0},
{"id":"2015-1761","risk":1,"implicated":0},{"id":"2014-3566","risk":1,"implicated":1},
{"id":"2014-0160","risk":1,"implicated":1},{"id":"2010-3190","risk":1,"implicated":1}]},
{"fqdn":"dk07-rhat7-ho","besid":"1198993","cves":[
{"id":"2016-1979","risk":1,"implicated":0},{"id":"2016-1978","risk":1,"implicated":0},
{"id":"2016-4449","risk":1,"implicated":1},{"id":"2016-4448","risk":1,"implicated":0},
{"id":"2016-4447","risk":1,"implicated":0},{"id":"2016-3705","risk":1,"implicated":0},
{"id":"2016-3627","risk":1,"implicated":1},{"id":"2016-1840","risk":1,"implicated":1},
{"id":"2016-1839","risk":1,

In addition, besid identifies the BigFix computers to which the CVE information relates.
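The following is an added worked example (not IBM's or Carbon Black's code) covering both the MVScan.ojo document format above and the expiry rule described under Configuring the Manage Vulnerable Computers plugin: it parses constructed sample documents in the shape shown above, records the last scan date per computer and CVE, and drops pairs older than the configured expiry. Reading the scan time from the variable name and treating "implicated":1 as the Targeted CVE flag are assumptions not stated in this document.

```python
import json
from datetime import datetime, timedelta

# Constructed sample documents in the shape of the MVScan.ojo variable shown above.
# CVE ids are abbreviated the same way the original shows them ("2016-0034").
SCAN_AUG15 = json.dumps({
    "name": "20160815.144128.789.1 -Data",
    "timestamp": "20160815.144128.789.1 -Data",
    "vendor": "CarbonBlack", "version": "1.0",
    "assets": [
        {"fqdn": "Computer1", "besid": "2222222",
         "cves": [{"id": "2016-0034", "risk": 1, "implicated": 1},
                  {"id": "2015-6161", "risk": 1, "implicated": 0}]},
        {"fqdn": "dk07-rhat7-ho", "besid": "1198993",
         "cves": [{"id": "2016-4449", "risk": 1, "implicated": 1},
                  {"id": "2015-6161", "risk": 1, "implicated": 0}]},
    ],
})
# A later scan (constructed): Carbon Black reports only one of Computer1's CVEs again.
SCAN_SEP04 = json.dumps({
    "name": "20160904.090000.000.1 -Data",
    "timestamp": "20160904.090000.000.1 -Data",
    "vendor": "CarbonBlack", "version": "1.0",
    "assets": [
        {"fqdn": "Computer1", "besid": "2222222",
         "cves": [{"id": "2015-6161", "risk": 1, "implicated": 0}]},
    ],
})


def parse_scan(raw):
    """Return (scan_time, rows) from one MVScan.ojo document.

    Each row is (besid, fqdn, cve_id, implicated); besid is the BigFix computer
    the CVE relates to. Assumption: the scan time is read from the variable name,
    which starts with the scan date (YYYYMMDD.HHMMSS.mmm.seq -Data).
    """
    doc = json.loads(raw)
    if doc.get("vendor") != "CarbonBlack":
        raise ValueError("unexpected vendor: %r" % doc.get("vendor"))
    stamp = doc["name"].split(" ")[0]
    scan_time = datetime.strptime(stamp[:15], "%Y%m%d.%H%M%S")
    rows = []
    for asset in doc["assets"]:
        for cve in asset["cves"]:
            cve_id = cve["id"] if cve["id"].startswith("CVE-") else "CVE-" + cve["id"]
            rows.append((asset["besid"], asset["fqdn"], cve_id, cve["implicated"] == 1))
    return scan_time, rows


class CveStore:
    """Tracks when each (computer, CVE) pair was last reported and expires stale pairs.

    Mirrors the dashboard's expiry rule: a CVE stays visible for the configured number
    of days after the last scan that reported it, and a repeat report resets that clock.
    """

    def __init__(self, expiry_days=30):
        # cveTimeoutIntervalInDays accepts 1 to 60 days; the default is 30.
        if not 1 <= expiry_days <= 60:
            raise ValueError("cveTimeoutIntervalInDays must be between 1 and 60")
        self.expiry = timedelta(days=expiry_days)
        self.last_seen = {}  # (besid, cve_id) -> (scan_time, fqdn, implicated)

    def ingest(self, raw):
        """Record one posted document; returns the scan time it carried."""
        scan_time, rows = parse_scan(raw)
        for besid, fqdn, cve_id, implicated in rows:
            self.last_seen[(besid, cve_id)] = (scan_time, fqdn, implicated)
        return scan_time

    def active(self, now):
        """(computer, CVE) pairs still inside the expiry window at time `now`."""
        return {k: v for k, v in self.last_seen.items() if now - v[0] < self.expiry}

    def computers(self, now):
        """Per-computer counts like the dashboard's CVEs and Targeted CVEs columns.

        Assumption: "implicated": 1 is treated as the Targeted CVE flag (a security
        alert on a process related to the CVE); the document does not say so.
        """
        out = {}
        for (besid, _cve_id), (_, fqdn, implicated) in self.active(now).items():
            entry = out.setdefault(besid, {"fqdn": fqdn, "cves": 0, "targeted_cves": 0})
            entry["cves"] += 1
            if implicated:
                entry["targeted_cves"] += 1
        return out

    def impacted_computers(self, now):
        """Number of impacted computers per CVE, as sorted on the dashboard's CVEs tab."""
        counts = {}
        for (_besid, cve_id) in self.active(now):
            counts[cve_id] = counts.get(cve_id, 0) + 1
        return counts
```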

Checking that the Cb Response process is running

To check whether the Cb Response process is running, check the processes in the Task Manager. When the Cb Response plugin is installed and running, the MVNode.exe process is visible in the Task Manager. Alternatively, type tasklist from an MS-DOS prompt. For Linux, enter:

# ps aux | grep MVNode

You can also check the log files. When the process starts and is running, this is indicated in the log files. The following section provides information about where to find the log files.

Logging

The log files for the Cb Response plugin are located in the following directory, depending on your platform:

On Windows, the log files are located in the C:\Program Files\Bigfix Enterprise\BES Server\Applications\Logs directory.

On Linux, the log files are located in the /var/opt/BESServer/Applications/Logs directory.

The log files are named mvplugin.DD_MM_YYYY.log; a new log file is generated each day.


No BigFix content appearing for CVE or computer

Make sure that you have permission to manage the computers as an operator in BigFix. Operators will only see computers in BigFix that they have permission to manage. For more information, see: http://www.ibm.com/support/knowledgecenter/SS63NW_9.5.0/com.ibm.bigfix.doc/Platform/Console/c_adding_local_operators.html

Make sure that you have access to the site. As an operator, you must also have access to the site. For more information, see: http://www.ibm.com/support/knowledgecenter/SS63NW_9.5.0/com.ibm.bigfix.doc/Platform/Console/c_adding_local_operators.html

Make sure that the computers are subscribed to the patch sites with the remediation content. Computers must be subscribed to relevant patch sites for there to be content available for them; otherwise the filter will eliminate them from the original data set because they have no relevant content. For more information, see: http://www.ibm.com/support/knowledgecenter/SS6MCG_9.5.0/com.ibm.bigfix.doc/Platform/Console/c_viewing_site_properties.html

Verify that the configuration Fixlet ran successfully

Verify that the action for the Configure Manage Vulnerabilities Plugin Fixlet completed successfully.

Confirm that the value for the scanFullSystemReportType property is set to false in the properties.ini file in the BESServer/Applications/mvplugin folder or the /var/opt/BESServer/Applications/mvplugin directory.

No Fixlet for CVE

For complete information, see Viewing Common Vulnerability Exposures (CVEs) and associated Fixlets.

Discrepancies between CVE data in BigFix and Carbon Black

The default setting for the CVE expiration period in BigFix is 30 days. The default value for the MaxEventStoreDays property (process document expiration) in Cb Response is 60 days. If you do not change either the Cb Response default value or the BigFix CVE expiration period default value, it is likely that there will be discrepancies between CVE data in BigFix and Carbon Black. Discrepancies are less likely if you choose the same value for the MaxEventStoreDays property in Cb Response and the BigFix CVE expiration period.

Unable to quarantine or un-quarantine computers

If you are unable to successfully quarantine or un-quarantine Microsoft Windows computers, make sure that the policy actions are set up correctly for the quarantine or un-quarantine Fixlets. See the Requirements section for more information.


References

The latest version of this documentation is always available on the IBM BigFix developerWorks wiki. Refer to the wiki for the most current version: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/BigFix%20and%20Carbon%20Black%20Integration

Refer to the Carbon Black documentation for full instructions about how to set up and configure Carbon Black Protection and Carbon Black Response.

For more information about setting up and configuring BigFix, see the BigFix Knowledge Center at: http://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0