Asking guidelines for extended response

[Julián Lliteras]

Hi

I'm working on the idea of central management of patches or vulnerabilities with wazuh. The idea beyond of active responses is great, but lacks of patch or scripts distribution among agents (windows and unixes). I know that shared folder may contain scripts but can not beeing executed by design. I would avoid existing ansible or GPOs platforms  as I want to keep simple with wazuh. My question is simple, with active-response features and <command> property may be used to patch agents or is better another approach to archieve central remediation. Actually I'm controlling +-700 agents in windows + linux and want more control about endpoint security.

Greetings in advance.

[Kevin Ledesma]

Hello Julian!

You are on the right path, using Active Response to patch Agents remotely is the correct approach, you may need to develop a custom script to do so:

• Active Response - Custom script

I think you will be able to automate it by using the 'hotfixes' content, and a custom command to execute your script on CVE alerts triggering

Here I'm sharing some useful links:

• Reddit post: Vulnerability detector & active response
  
• Active response documentation
• Reddit post: Trigger active response for each CVE

[Julián Lliteras]

Hi Kevin

Thanks for your reply!. I'm aware of docs, but as far I know all custom active-responses should be created in the agent bin directory. My idea is create active-response scripts in manager server and dispatch to agents. For example, I create a command that triggers a software update (e. firefox hotfix ) I dont want to copy the script in bin directory for each agent. Via shared folder the script is pushed to agent but cannont be executed via active-response. This is the only trick I must resolve and had no idea. In the other hand, the only way I think is not using active-response in the agent but create server scripts to connect to agents via ssh, psexec, winrm.... and perform action. 

Thanks for your help!

[Kevin Ledesma]

Hello Julian! Sorry for the delay

You are absolutely right, the only way to share a file across all the agents directly from the manager is using Shared Folder, If you already got a solution with a server script, feel free to share a sanitized version of it, this way, if someone else from the Wazuh community has a similar requirement can use your solution.

Thanks! Have a great week!