Simple Mailbot that checks the BSI (Bundesamt für Sicherheit in der Informationstechnik; govermental institution for information security in germany) CERT RSS feed and parses CERT reports to be send to the given mail address.
Current version: v0.5.0
- check for installed git
- check for installed ruby programming language and installed bundler gem on the target machine
- clone the repository
- run
bundle installto get the required gems - setup config.json
- run main script
ruby cert_bot.rb -f <path_to_config.json>in the bin directory
script usage: ruby <script> [parameters] -f <filename>
help usage : ruby <script> (-h | --help)
help usage for parameter: ruby <script> <parameter> (-h | --help)
CERT bot help:
-h, --help show help text
-v, --version prints the current version of the project
-f, --file argument: <filename>; parameter that indicates a filepath to the config json file
-u, --updated also sends an e-mail for updated advisories
-d, --debug script call does additional debug logging
-s, --severity argument: <severity>; specifies the severity threshold when a severity should sent an e-mail
-j, --json argument: <filepath>; writes advisories as json objects into a file instead of sending an e-mail to the given directory
The BSI gives a severity for the published advisories with different levels and input for the severity rating. The entries in the bracket are the possible values for the severity parameter:
- low: ["low", "niedrig"]
- medium: ["medium", "mittel"]
- high: ["high", "hoch"]
- critical: ["critical", "kritisch"]
So an example call for sending only messages for high or critical advisories can look as:
ruby cert_bot.rb -s high -f <path_to_config.json>
The CERT Advisories from the BSI show two ratings for CVSS score:
- base score: score for qualities intrinsic to a vulnerability
- temporal score: score evolvement over the lifetime of a vulnerability
The CVSS score used in the current mail and json output states the temporal score of a vulnerability in sync with the rating of the BSI severity rating.
Published advisories change over time. They can get additional affected products, vulnerabilities or information links.
In that case an advisory gets updated and republished in the rss feed. That leeds to duplicated notifications for advisories.
For that case the update status is noted within the mail text to mark if this is a new or updated advisory.
The BSI differs between three states: new, update, silent-update. In the default behavior the script will only send notifications
for advisories with the status new. If you consume these notifications to review the advisories for your own assets, getting
updated advisories lead to duplicated notifications or tickets that need to be reviewed and connected to already existing ones.
If you still want to recieve notifications for updated advisories you can add the flag -u or --updated to get mails for
updated advisories.
Specify JSON parameters for usage in config.json
{
"address":"sender mail domain",
"port":"587",
"helo":"sender mail helo",
"user":"user", # optional
"password":"password", # optional
"from":"sender address",
"to":"recipient address",
"authtype":"plain", # optional
"tls_verify":"true", # optional
"tls_hostname":"nil" # optional
}
and set the path for the configuration class to get your values set. A few parameter are optional and will be set with default values if not present.
Additionally if the script runs into trouble there are some basic debug information that can be used to check for bugs and anormal behavior. To use this debug
output that is stored in the same directory as the config.json can be activated by using the debug flag -d oder --debug. This will add which advisory is
read and which does generate a new entry based on the script parameter.
- via cronjob (hourly):
00 * * * * ruby /path/to/bin/cert_bot.rb -d -s high -f /path/to/config.json - systemd-timer (in preparation): --
Our CERT RSS Feed received a new security advisory:
Title: Linux Kernel: Schwachstelle ermöglicht nicht spezifizierten Angriff
Description: Ein Angreifer kann eine Schwachstelle im Linux Kernel ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.
Link: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1360
Date: Fri, 09 Sep 2022 10:11:37 +0200
Status: New
Severity: hoch
CVSS Score (3.1): 7.2
CVEs: CVE-2022-40307
Affected versions:
Open Source Linux Kernel <= 5.19.8
WID: WID-SEC-2022-1360
Best wishes,
Your CERT Bot.
Instead of an e-mail the flag -j or --json creates a JSON formatted output file for a given advisory. This file can be written to a given location. An example can look like this:
{
"wid": "WID-SEC-2022-1251",
"title": "Xerox FreeFlow Print Server: Mehrere Schwachstellen",
"description": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden.",
"link": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1251",
"release": "Thu, 01 Sep 2022 13:11:37 +0200",
"status": "New",
"cves": [
"CVE-2020-0689",
"CVE-2022-35822"
],
"cvss": 8.5,
"affected": [
{
"name": "Xerox FreeFlow Print Server v2",
"cpeversion": "v2",
"cpeproduct": "cpe:/a:xerox:freeflow_print_server"
}
],
"severity": "hoch"
}
The JSON output does contain additional information in comparison to the mail: it does hold the cpe (common platform enumeration) in version 2.2. Version 2.3 does not seem to be supported within the BSI informations.
Written with Ruby >= 3.1
see LICENSE
created by: Benjamin Held