copyright 1998-2017 by Mark Verboom
ipv6 ready RSS Feed Schakel naar Nederlands

Go back to What's new

Security alert monitoring

To blog index

Friday, 6 February, 2015

Security alert monitoring

I was looking for a setup which would automatically monitor new security issue's that arrise, notify me about them and provide a way to follow up on those issue's. I couldn't really find anything that would fit those requirements and be as simple as possible. So I decided to look at it from a different angle: get a bug tracking system which has an interface and feed the system from a script that monitors the security issue's.

After browsing for a bit, Mantis BT came up as a good candidate. It looked like a simple enough setup, yet it provides a SOAP interface and seems to have more then enough features to track issue's.

www.mantisbt.org

Installing Mantis BT

Time to try and create the setup :)

I started out with an up-to-date 64bit Debian 7.8 installation in an OpenVZ zone. But I would expect any other setup would do. I'm going to provide the commands I used for this setup. I named the machine mantis-demo.

First part, get extra packages installed:

ssh root@mantis-demo
apt-get install unzip apache2 libapache2-mod-php5 php5-mysql php5-gd mysql-server libphp-simplepie

When prompted don't forget the mysql password for the root user. I'll refer to it as:

mysqlpass

Because Mantis needs to mail users their account information, we'll do a basic mail setup for the local system. But you can ofcourse setup a real mail configuration.

apt-get install exim4-daemon-light

When prompted for configuration options, choose the following:

  • Local delivery only; not on a network
  • System mail name: mantis-demo
  • Don't change the IP addresses
  • Other destinations: mantis-demo
  • Keep number of DNS-quieries minimal: No
  • Delivery method for local mail: mbox format in /var/mail
  • Split configuration into small files: No
  • Root and postmaster mail recipient: root
Now we download the last stable zip from the Mantis Sourceforge site

http://sourceforge.net/projects/mantisbt/files/mantis-stable/

When download the current version was 1.2.19, so all commands refer to that version. Follow the next commands to setup the software:

scp mantisbt-1.2.19.zip mantis-demo:/tmp
ssh root@mantis-demo
cd /opt
unzip /tmp/mantisbt-1.2.19.zip
ln -s mantisbt-1.2.19 mantis
chown -R www-data.www-data mantis*
cd /etc/apache2/sites-available
cat - > mantis-demo <<EOF
<VirtualHost *:80>
ServerName mantis-demo
DocumentRoot /var/www
LogFormat "%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t "%r" %s %b "%{Referer}i" "%{User-agent}i"" com
bined_forwarded
# Log the originating ip if use a proxy
SetEnvIfNoCase X-Forwarded-For "." from_proxy=1
CustomLog /var/log/apache2/mantis-demo-access.log combined env=!from_proxy
CustomLog /var/log/apache2/mantis-demo-access.log combined_forwarded env=from_proxy
errorlog /var/log/apache2/mantis-demo-error.log

Alias /mantis/ /opt/mantis/
</VirtualHost>
EOF
cd /etc/apache2/sites-enabled
rm 000-default
ln -s ../sites-available/mantis-demo mantis-demo
/etc/init.d/apache2 restart

For Mantis to be able to populate the database we will create a new user. I personally don't like to use the root user credentials for the mantis database. Mantis will not create a user itself, it will create the database. For this setup we'll create a database named mantis, with a user named mantis with password mantis-demo (it's better to change this to something safer).

mysql -p mysql <<EOF
CREATE DATABASE mantis;
CREATE USER 'mantis'@'localhost' IDENTIFIED BY 'mantis-demo';
GRANT ALL PRIVILEGES ON mantis.* TO 'mantis'@'localhost';
EOF

So this should now have created a working mantis website. Try and open it in you webbrowser:

http://mantis-demo/mantis/

Fill in the following information:

  • hostname: localhost
  • username: mantis
  • password: mantis-demo
  • database name: mantis
  • admin : root
  • password: your password
Choose: Install/Upgrade Database

This should provide no errors. You can now click the link at the bottom of the page.

To keep the installation as secure as possible, remove the admin directory from the installation

cd /opt/mantis
rm -rf admin

Configuring Mantis BT

Now that the basic installation is done, we can configure Mantis.

Go back to the webinterface and login:

http://mantis-demo/mantis/

Username: administrator
Password: root

Now you should see the Mantis interface with the Add Project page. We'll make a new project, I will use the name Security here in this example.

Now that we have a project, we need to create a user that will be used in the script to create issue's.

Go to: Manage Users and choose Create New Account.

For this example I will use the user autoissue with password autoissue. The user needs developer Access Level, because this is the lowest level which has rights to assign issue's to users. As email adress I will use root@mantis-demo so the activation email will be sent to the local root user.

On the commandline check for the activation url in the mailbox

grep http /var/mail/mail | tail -1

Copy and paste the URL in your webbrowser and set the account password. In this example I will use autoissue, but a stronger password is recommended. Choose Update User.

This will return you to the login screen. Log in again as administrator.

Choose Manage and then Manage Projects and click the Security project.

In the section Add user to project choose autoissue with accesslevel developer and click Add User.

This should conclude the (very) basic configuration of Mantis.

rss2mantis

Next we need to setup the automatic interface to get data from an RSS feed into mantis. I made a script to do this, called rss2mantis.

cd /opt
wget -O - https://www.verboom.net/blog/20150206.0/rss2mantis.tar.gz | tar xzvf -
chown -R root.root rss2mantis

Now we need to configure rss2mantis. The example below puts in a test rss feed so you can check if the script works.

cd /opt/rss2mantis
cat - > rss2mantis.ini <<EOF
[settings]
soapurl = "http://mantis-demo/mantis/api/soap/mantisconnect.php?wsdl"
mantislogin = "autoissue"
mantispass = "autoissue"
issueproject = "Security"
issueassign = "administrator"
issuedefaultcat = "General"
statusfile = "/opt/rss2mantis/rss2mantis.status"

[test]
url = "https://www.verboom.net/blog/20150206.0/test.xml"
name = "test"
category = "General"
EOF

Now we can test the script.

./rss2mantis -f rss2mantis.ini

Go back to the mantis webinterface and go to My View. This should now list an issue.

Click on the issue number to open the issue. This should look something like this:

With the setup now working, you can schedue rss2mantis to run periodically from cron, for example every hour:

echo "0 * * * * /opt/rss2mantis/rss2mantis -f /opt/rss2mantis/rss2mantis.ini" | crontab

Background and finetuning

The example ini file has most of the available options listed. There might be a few that don't make sense.

The settings section contains all the global settings. This also includes who should get the issue's assigned and what the category should be. Options not used in the example, but that can be useful when doing a real implementation are:

basiclogin = "username"
basicpass = "password"

These are login details that will be used when requesting the Mantis SOAP interface and are only required when Mantis is behind a webserver with basic authentication.

It is also handy to know that the only section title that has any special meaning is the one named settings. All the others will have to be feeds. The names of those sections aren't used by the script.

Mandatory per feed is:

url = "feed url"
name = "name of the feed"

It is optional to add a category option to a feed. This will override the category defined in the settings section.

After running the script, it will update the file defined in the settings section under statusfile. This contains the last timestamp per feed when the feed was checked. When checking the feed only entries what were created later then the timestamp in the file will be converted to issue's and posted into Mantis.

With the example configuration, the script isn't very useful. You need to put in some RSS feed that makes sense for what you want to monitor, for example:

https://nvd.nist.gov/download/nvd-rss.xml

Another useful website to find CVE's is:

http://www.cvedetails.com/

You can query for specific vendors or products. With some creativity you can also make RSS feeds out of these, for example for openssh:

http://www.cvedetails.com/vulnerability-feed.php?vendor_id=97&product_id=585&version_id=0&orderby=3&cvssscoremin=0

2015/03/25

There is an update for the script, please check the following aritcle:

rss2mantis script update