It’s my most favorite time of the month – Patch Tuesday! Ok, I might be slightly exaggerating there. Let’s face it. It’s a pain in the neck. I have to go around to every server in my development environment and ensure that all the critical patches have been taken care of. Usually, this means a trip to Windows Update, or checking the logs of the Windows Server Update Services (WSUS) server. Today, I woke up and decided Splunk was going to assist with this.
Last week, I noted that you could easily get a list of all the servers in your Active Directory environment with the use of the custom command ldapsearch. You can find this command in the SA-ldapsearch app. The hardest part of this command is the configuration for your domain. Once you have that out of the way, it’s incredibly useful.
If you are like me, you also have the Splunk Technology Add-on for Windows installed on all your servers. One of the inputs available (but disabled by default) is the Windows Update Log. You can enable it by going into the Splunk_TA_windows and altering local\inputs.conf to read:
[monitor://$WINDIR\WindowsUpdate.log] disabled = 0
Push the updated Splunk_TA_windows to your clients and within a few minutes you will get details of all the Windows Update activity that has happened recently. Now, let’s take a look at the logs that we get. The important one looks like this:
2013-05-15 03:26:08:868 844 e5c Report REPORT EVENT: {4BCB468C-170E-4BA8-8C2E-99AAE4CD853A} 2013-05-15 03:26:04:914-0600 1 190 101 {DFAA6388-FE05-49D7-A410-71B92D1C1B37} 202 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 R2 x64 Edition (KB2798162)
The Splunk_TA_windows extracts certain information from this. The most notable are the Common Information Model compatible signature_id and status fields. These tell us which patches have been installed and the status. Try this search:
sourcetype=WindowsUpdateLog "REPORT EVENT:" "Content Install" | chart latest(status) by host,signature_id
Now, back to the task at hand. Microsoft releases security bulletins on Patch Tuesday, and commentators generally take note and see which ones are critical or not so critical and which ones have exploits in the wild. This month there are three that are notable: MS13-038 is an Internet Explorer exploit that has exploit code in the wild and allows the execution of arbitrary code on the server. This exploit covers Windows Server 2003 through Windows Server 2008R2. It is fixed by patch KB2847204. Other critical patches include MS13-040, fixed by patch KB2836440 and MS13-037, fixed by patch KB2829530. You should, of course, understand the effects of each patch and the risks posed by the vulnerabilities in each case before patching. Never patch a server blindly.
Putting the various search bits together, we can construct a search that tells us which servers are at risk. Here is my search:
| ldapsearch domain=SHELL search="(&(operatingSystem=*Server*)(objectCategory=computer))" attrs="CN,operatingSystem"
| table cn,operatingSystem
| join cn [search sourcetype=WindowsUpdateLog "REPORT EVENT:" "Content Install"
| chart latest(status) by host,signature_id
| table host,KB2836440,KB2847204,KB2829530
| fillnull value="not installed" KB2836440 KB2847204 KB2829530 | rename host as cn]
| fillnull value="not installed" KB2836440 KB2847204 KB2829530
| where KB2836440!="installed" OR KB2847204!="installed" OR KB2829530!="installed"
You will need to replace the domain name in the ldapsearch command with your domain name. In addition, find a blog that reviews the monthly patches from Microsoft so you know which ones are important to you. Then let Splunk do the work of analyzing your servers.