Use custom script analysis

Custom analyses allow you to add your own analysis scripts to those provided by Cyberwatch. The results of these scripts are reported in the information of the associated assets.

Typical uses are adding system information, packages, applications, etc., to the asset. The properties that can be reported and the syntax of the script results are described in the declarative data documentation.

Activation of the feature

The feature can be activated from the Administration menu by switching on “Custom analyses”. If the “Custom Scripts” menu is not available in the settings, the feature may not be active in your Cyberwatch license. You can contact us at support@cyberwatch.fr so that we can activate it (no additional cost).

Custom analysis creation

  1. Ensure that the Custom Analyses feature is activated;
  2. Go to Settings > Analysis Scripts and click on the + Add button.
  • The Name field is used to identify the custom analysis script;
  • The Operating System field is used to specify the target of the custom analysis script. It will be executed only on assets with the operating system targeted by the analysis script;
  • The Source Code field must contain the analysis script. It must comply with the targeted operating system, and convey the desired information following the syntax of declarative data.

After saving this new script, you must associate it with a scanning policy so that it is executed on the targeted assets.

Associate a custom script analysis to a scanning policy

  1. Select a scanning policy in the list Settings > Scanning policies.
  2. Click on the edit button (pencil icon) corresponding to the scanning policy to edit.
  3. In the “Custom analyses” line of the form, click on the “Add a custom analysis” button.
  4. Select the analysis as well as its period of recurrence.
  5. Save.

Dissociate a custom script analysis from a scanning policy

  1. Select a scanning policy in the list Settings > Scanning policies.
  2. Click on the edit button (pencil icon) corresponding to the scanning policy to edit.
  3. In the “Custom analyses” line of the form, click on the trash icon corresponding to the custom analysis to dissociate.
  4. Save.

Practical Case: Implementing an Analysis Script

Suppose a technology not covered by Cyberwatch vulnerability scans, such as Keycloak, is present on our Linux assets. We can implement a custom analysis script to report the necessary information to Cyberwatch, which can then identify and raise potential associated vulnerabilities.

  • The first step is to dynamically retrieve the version of the desired technology on the assets. In the case of Keycloak, the following command can be used:
bash-5.1$ /opt/keycloak/bin/kc.sh --version
Keycloak 24.0.2
JVM: 17.0.10 (Red Hat, Inc. OpenJDK 64-Bit Server VM 17.0.10+7-LTS)
OS: Linux 5.15.0-101-generic amd64
# We format the command output to only get the version
bash-5.1$ /opt/keycloak/bin/kc.sh --version | grep 'Keycloak' | cut -d ' ' -f2
24.0.2
  • To communicate information about the technology and its version to Cyberwatch, we can use the CPE code format, which is a structured naming scheme. In the case of Keycloak, the associated CPE code is as follows, where <version> should be replaced with the targeted version:
cpe:2.3:a:redhat:keycloak:<version>:*:*:*:*:*:*:*

To simplify the retrieval of the CPE code associated with a technology, a search form is available.

  • Once the version can be retrieved dynamically and the CPE code is known, the following custom analysis script can be implemented:
# Extract the version from the "Keycloak <version>" line of the command output
KC_VERSION=$(/opt/keycloak/bin/kc.sh --version | grep 'Keycloak' | cut -d ' ' -f2)
# Report the application to Cyberwatch as NVD_APPLICATION declarative data
echo "NVD_APPLICATION:cpe:2.3:a:redhat:keycloak:$KC_VERSION:*:*:*:*:*:*:*"

The script output provides the declarative data NVD_APPLICATION that allows specifying a technology based on its CPE code.
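
A hardened variant of the script above, added here as an example and not part of the Cyberwatch documentation: it validates the parsed version before building the CPE, so a missing binary or unexpected output never yields a malformed or altered CPE string. The function names, the KC_BIN override and the choice to print nothing on failure are assumptions of this example.

```sh
#!/bin/sh
# Added example: hardened variant of the Keycloak analysis script.
# KC_BIN defaults to the path used on this page; the override is an assumption.
KC_BIN="${KC_BIN:-/opt/keycloak/bin/kc.sh}"

# Read `kc.sh --version` output on stdin and print the version.
# Fails (status 1) unless the version starts with a digit and contains only
# [0-9A-Za-z._-]: a ':' or '*' would alter the CPE fields, and an empty value
# would produce a malformed CPE.
kc_parse_version() {
    version=$(awk '$1 == "Keycloak" { print $2; exit }')
    case "$version" in
        ''|*[!0-9A-Za-z._-]*) return 1 ;;
        [0-9]*) printf '%s\n' "$version" ;;
        *) return 1 ;;
    esac
}

# Build the NVD_APPLICATION declarative data line for a validated version.
kc_declarative_line() {
    printf 'NVD_APPLICATION:cpe:2.3:a:redhat:keycloak:%s:*:*:*:*:*:*:*\n' "$1"
}

# Print the declarative line, or nothing if Keycloak is not installed or its
# version output is not in the expected form (assumed behaviour of this example).
kc_report() {
    [ -x "$KC_BIN" ] || return 0
    version=$("$KC_BIN" --version 2>/dev/null | kc_parse_version) || return 0
    kc_declarative_line "$version"
}

kc_report
```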

