Deep dive into Trend Micro Deep Security integration modules
Deep dive into Trend Micro Deep Security integration modules
At AnsibleFest 2020, we announced the extension of our security automation initiative to support endpoint protection use cases. If you have missed it, check out the recording of the talk "Automate your endpoint protection using Ansible" on the AnsibleFest page.
Today, following this announcement we release the supported Ansible Content Collection for Trend Micro Deep Security. We will walk through several examples and describe the use cases and how we envision the Collection being used in real world scenarios.
About Trend Micro Deep Security
Trend Micro Deep Security is one of the latest additions to the Ansible security automation initiative. As an endpoint protection solution it secures services and applications in virtual, cloud and container environments. It provides automated security policies and consolidates the security aspects across different environments in a single platform.
How to install the Certified Ansible Content Collection for Trend Micro Deep Security
The Trend Micro Deep Security Collection is available to Red Hat Ansible Automation Platform customers at Automation Hub, our software-as-a-service offering on cloud.redhat.com and a place for Red Hat subscribers to quickly find and use content that is supported by Red Hat and our technology partners.
The blog post "Getting Started with Automation Hub" gives an introduction to Automation Hub and how to configure your Ansible command line tools to access Automation Hub for Collection downloads.
Once that is done, the Collection is easily installed:
ansible-galaxy collection install trendmicro.deepsec
What's in the Ansible Content Collection for Trend Micro Deep Security?
The focus of the Collection is on modules and plugins supporting them:
there are modules for interacting with Trend Micro Deep Security agents,
like deepsec_firewallrules
, deepsec_anti_malware
, deepsec_log_inspectionrules
and
others. Basically the integration modules cover the REST APIs exposed by
TM Deep security firewall. If you are familiar with firewall
Collections and modules of Ansible, you will recognize this pattern: all
these modules provide the most simple way of interacting with endpoint
security and firewall solutions. Using those, general data can be
received, arbitrary commands can be sent and configuration sections can
be managed.
While these modules provide a great value for environments where the devices are not automated at all, the focus of this blog article is on the endpoint security use-cases where modules in the respective Collection can help automate. Being modules they have a precise scope, but enable users of the Collection to focus on that particular resource/REST API scenario without being disturbed by other content or configuration items. They also enable a simpler cross-product automation since other security Collections follow the same pattern.
Connect to Trend Micro Deep Security, the Collection way
The Collection supports httpapi as a connection type.
Trend Micro Deep security currently supports two ways for how their REST API can be interacted with, and for each of the respective cases, the Ansible inventory will be changed slightly as mentioned below:
In case of the newer REST APIs
the Ansible inventory will work with the network OS trendmicro.deepsec.deepsec
, a Trend Micro API secret key and ab api-version key:
[deepsec] host_deepsec.example.com [deepsec:vars] ansible_network_os=trendmicro.deepsec.deepsec ansible_httpapi_use_ssl=true ansible_httpapi_validate_certs=false ansible_connection=httpapi ansible_python_interpreter=/usr/bin/python ansible_httpapi_session_key={'api-secret-key': 'secret-key', 'api-version': 'v1'}
In case of APIs using the legacy REST APIs, the Ansible inventory will also require the network OS trendmicro.deepsec.deepsec
, but uses a username and a password.
[deepsec] host_deepsec.example.com [deepsec:vars] ansible_network_os=trendmicro.deepsec.deepsec ansible_user=admin ansible_httpapi_pass=password ansible_httpapi_use_ssl=true ansible_httpapi_validate_certs=false ansible_connection=ansible.netcommon.httpapi ansible_python_interpreter=python
Note that in a productive environment those variables should be supported in a secure way, for example, with the help of Red Hat Ansible Tower credentials
Use Case: Firewall Rule Configuration
A firewall is highly flexible and users can configure it to be restrictive or permissive. Like the intrusion prevention and web reputation modules, firewall policies are based on two principles: either they can permit any service unless it is explicitly denied or they deny all services unless explicitly allowed.
For example, using Ansible and Trend Micro Deep Security integration, modules users can take a restrictive firewall approach. This is often the recommended practice from a security perspective: All traffic is stopped by default and only traffic that's explicitly allowed is permitted.
A playbook to implement the "deny all traffic" approach is shown in the following listing:
--- - name: Deny all traffic hosts: deepsec collections: - trendmicro.deepsec gather_facts: false tasks: - name: Create Restrictive firewall rule trendmicro.deepsec.deepsec_firewallrules: state: present name: deny_all_firewallrule description: Deny all traffic by default over tcp action: deny priority: "0" source_iptype: any destination_iptype: any direction: incoming protocol: tcp tcpflags: - syn
Running this play will create a firewall rule that'll explicitly
deny all TCP syn bound traffic. Keep in mind that the
state
keyword is used and set to present
. It means
that the specified rule is created and that the module will go ahead and
create the config rule. On the contrary, if the user wants to
delete/drop any specific firewall rule, then the state
should be
set to absent
: in that case, during the play run, the module will
check if the specified firewall rule pre-exists and if so the module
will go ahead and delete/drop the respective firewall rule config.
Use Case: Antimalware Rule Configuration
Antimalware config helps agents on computers by providing real-time and on-demand protection against a variety of file based threats including malware, viruses, trojans and spyware. Using Ansible deepsec antimalware config module, users can fire all types of available scans:
- Real-time scan
- Manual scan
- Scheduled scan
- Quick scan
The playbook example we'll be discussing here will be with respect to real time scans as based on incident responses. Users can check for the threats and quarantine the observed threats.
--- - name: Scan and Quarantine in TrendMicro agents hosts: deepsec collections: - trendmicro.deepsec gather_facts: false tasks: - name: Create AntiMalware config trendmicro.deepsec.deepsec_anti_malware: name: scan_real_time description: scan and quarantine via anti-malware config scan_action_for_virus: pass alert_enabled: true scan_type: real-time real_time_scan: read-write cpu_usage: medium scan_action_for_virus: quarantine scan_action_for_trojans: quarantine scan_action_for_cve: quarantine scan_action_for_other_threats: quarantine state: present
The playbook listed above will create an antimalware config rule, which will initiate a real-time scan over Trend Micro agents every time there's a file received, copied, downloaded or modified.
All files will be scanned for any security threats. If during the scan the agents detect any threat based on virus, trojans, cve's and others, the agents will display the information with respect to the infected file and the respective files will be quarantined as specified in the playbook.
Use Case: Log Inspection Rule Configuration
The log inspection integration module helps users to identify events that are generally logged at system/OS level. It also includes application logs. Using the log rule configuration, users can forward the logged events to the SIEM system or to some centralized logging server for analytics, reporting and archiving.
Log inspection helps in real-time monitoring of third parties log files as well. The playbook listed below creates a rule for log inspection.
--- - name: Set up log inspection hosts: deepsec collections: - trendmicro.deepsec gather_facts: false tasks: - name: Create a Log inspection rule trendmicro.deepsec.deepsec_anti_malware: state: present name: custom log_rule for mysqld event description: some description minimum_agent_version: 6.0.0.0 type: defined template: basic-rule pattern: name pattern_type: string rule_id: 100001 rule_description: test rule description groups: - test alert_minimum_severity: 4 alert_enabled: true log_files: - location: /var/log/mysqld.log format: mysql-log register: log