Drop InsightVM Remediation Recommendation file into Chef or Github for Chef to do stuff with

Here’s the use case:
InsightVM tracks vulnerabilities in an environment and provides remediation recommendations. InsightConnect talks to InsightVM, pulls a CSV with those recommendations, and drops that file somewhere for Chef to use to update/patch software on affected servers.

The piece I need help with: how to get the CSV with InsightConnect, and how to drop that file somewhere for Chef to use?

The workflow here has an example of running an SQL report in InsightVM from InsightConnect. The SQL can be developed directly in InsightVM - it’s the SQL Report option where you write SQL against the reporting data model. Once you have it working in InsightVM, just copy it over to InsightConnect.
As for dropping it someplace, it depends on where you want to put it. You could use FTP to drop it someplace, target an api and post it with the http requests plugin, use the git plugin to post it directly to a git repo, or even create a tighter integration with chef using the ssh plugin.


I haven’t done it yet, but what about using the PowerShell plugin to convert the Base64 version of the file to a network share?

$ProgressPreference = 'SilentlyContinue'
# Base64 text of the file as handed over by the InsightConnect workflow (placeholder value)
$Base64EncryptedFile = 'AAAAAA...'
$FileName            = '\\server\share\file.csv'

# Decode the base64 text back into raw bytes and write them to the share
$Bytes = [Convert]::FromBase64String($Base64EncryptedFile)
[IO.File]::WriteAllBytes($FileName, $Bytes)

I’m honestly not sure - I haven’t tried making a powershell connection out to a windows share. I rather suspect it won’t work since linux doesn’t natively support UNC paths. A quick google seems to confirm this suspicion.
Another problem with this approach is exposing credentials directly in the powershell script (or having a world writable share someplace) - probably not the best approach when there are other options that could do it in a secure manner.

I use CredSSP to an actual Windows box, not the PowerShell container, with restrictions only allowing CredSSP from the Orchestrator. This gives me Kerberos access to the network share. CredSSP can be dangerous, so locking it down is extremely important.

The other thing you can do is store the creds on the Windows box via environment variables or a credential object of some sort. That way you don’t have to send the creds “over the wire”.

We’re purely a linux/fargate shop. Any Windows capability such as kerberos access to some network share is unrealistic at the moment. Looking at some of the workflows available for github, it doesn’t look like those provide the capability I need to just drop a file there (I could be wrong), the s3 bucket plug-in looks to be the most reliable path forward at this time. I am also dealing with a 4.8GB csv file that has all the info Chef would need to perform remediation.

A longer term solution looks to be just using Chef automate for patch remediation and using InsightVM to track the remediation across our environments. We’ve integrated iVM into slack so leadership can quickly see who’s risky. This is helpful for prioritization.

I am also dealing with a 4.8GB csv file that has all the info Chef would need to perform remediation.

That’s not going to make it through ICON very well. We send that back and forth to the cloud as input/output to plugins, and, while I think it will work, it won’t be the preferred solution due to performance.

Dunno…if I had to deal with something like that, I’d try to keep as much of it as possible outside of ICON and just bring in the bits I needed. But that’d be a very case-by-case solution and not something I think I can solve in a general way.

@john_baughman My recommendation for doing something like this would honestly be directly from Chef (or from the system running chef) and just using a script to generate, download, cleanup the report you need with the information necessary. Something like this script - modified for your needs - is likely what I would do:

That way you get the report generated, downloaded, and chef can process it without needing to worry about the size of the report or anything else since it doesn’t appear that InsightConnect is being used for any real processing in this specific case.

Another option would be to use Chef’s http_request resource instead of having a script being run: http_request Resource

If you didn’t want to return the data from the VM console directly, there is also a cloud based API; however, I’m not certain all fields needed for Chef to process the file are available: InsightVM Cloud Integrations API
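The two suggestions above (keep the bulk of the report outside ICON and only bring in the bits you need; let a script on the Chef side fetch, clean up and reduce the report) come down to the same step: stream the multi-GB CSV once and keep only the per-host remediation data Chef acts on. The script below is an added example written for this thread, not code from the thread, from Rapid7 or from Chef. The column names (asset_hostname, vulnerability_id, solution_summary, riskscore) are assumptions; they depend on the SQL report you build in InsightVM, so rename them to match your own export. The sample rows are constructed.

```python
"""Reduce a large InsightVM remediation CSV to the per-host fields Chef needs.

Added example, not code from this thread or from Rapid7/Chef. The column
names are assumptions: they depend on the SQL report you build in InsightVM.
"""
import csv
import io
import json
from collections import defaultdict
from pathlib import Path

# ASSUMED columns from the SQL report; rename to match your own report.
REQUIRED_COLUMNS = ("asset_hostname", "vulnerability_id", "solution_summary", "riskscore")


def check_header(fieldnames):
    """Fail fast if the report lacks a column Chef depends on, instead of
    silently producing empty remediation data."""
    missing = [c for c in REQUIRED_COLUMNS if c not in (fieldnames or [])]
    if missing:
        raise ValueError(f"report is missing columns: {missing}")


def reduce_report(lines, min_risk=0.0):
    """Stream the CSV one row at a time and group findings by host and solution.

    `lines` is any iterable of text lines (an open file, a StringIO). Only the
    reduced summary is kept in memory, so a multi-GB export is processed
    without ever being loaded whole.
    """
    reader = csv.DictReader(lines)
    check_header(reader.fieldnames)
    by_host = defaultdict(dict)  # host -> solution -> {"vulns": set, "max_risk": float}
    for row in reader:
        try:
            risk = float(row["riskscore"])
        except (TypeError, ValueError):
            risk = 0.0  # treat an unparsable score as lowest priority
        if risk < min_risk:
            continue  # drop noise below the chosen threshold
        entry = by_host[row["asset_hostname"]].setdefault(
            row["solution_summary"], {"vulns": set(), "max_risk": 0.0})
        entry["vulns"].add(row["vulnerability_id"])
        entry["max_risk"] = max(entry["max_risk"], risk)
    # Plain JSON-serialisable structure, highest-risk solution first per host
    return {
        host: [
            {"solution": sol,
             "vulnerabilities": sorted(e["vulns"]),
             "max_risk": e["max_risk"]}
            for sol, e in sorted(sols.items(), key=lambda kv: -kv[1]["max_risk"])
        ]
        for host, sols in by_host.items()
    }


def safe_filename(host):
    """Hostnames come from the report, so keep them from becoming path
    components: only alphanumerics, '-', '.' and '_' survive, and leading
    dots are stripped so no hidden or '..' names can be produced."""
    cleaned = "".join(ch if ch.isalnum() or ch in "-._" else "_" for ch in host)
    return cleaned.lstrip(".") or "unnamed"


def write_per_host(summary, out_dir):
    """Write one small JSON file per host for a Chef run to read."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for host, items in summary.items():
        path = out / f"{safe_filename(host)}.json"
        path.write_text(json.dumps(items, indent=2))
        written.append(str(path))
    return written


# Constructed sample rows standing in for the real InsightVM export.
SAMPLE_CSV = """asset_hostname,vulnerability_id,solution_summary,riskscore
web01,vuln-a1,Upgrade openssl package,812.5
web01,vuln-a2,Upgrade openssl package,640.0
web01,vuln-b1,Upgrade linux kernel,301.2
db01,vuln-c1,Upgrade postgresql package,455.0
db01,vuln-d1,Remove unused package,12.0
"""


def demo(min_risk=100.0):
    """Run the reduction over the constructed sample."""
    return reduce_report(io.StringIO(SAMPLE_CSV), min_risk=min_risk)


if __name__ == "__main__":
    # For the real file: with open("report.csv", newline="") as f: reduce_report(f, 100.0)
    print(json.dumps(demo(), indent=2))
```

Run it on the real export with `reduce_report(open("report.csv", newline=""), min_risk=...)` and then `write_per_host(...)` into a directory the Chef run reads; the per-host JSON files are small enough to hand to Chef as attributes or to a data bag, and the header check plus filename sanitising stop a changed report format or an odd hostname from quietly producing wrong or misplaced files.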