How to auto deploy Sophos Server protection on AWS instances

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


The instructions in this article describe a way to automatically deploy Sophos Server Protection (Intercept X for Server) agents to all EC2 instances in a given AWS account. The goal is to simplify mass rollout and automatic deployment of agents without requiring redeployment of workloads (as would be the case with cloud-init (UserData) scripting).

Please note that, because this solution pushes agents to all workloads in the account, it may cause issues with some restricted AMIs (such as Sophos UTM and Sophos Firewall) that are either locked down to a point where local agent installation is not possible or may result in conflicts. This can be addressed by modifying the provided code and/or instructions, or by moving these workloads to a different account. If you need any assistance with applying these instructions to an environment where agent rollout to all workloads is not desirable, contact your Sophos account representative or reach out to publiccloud@sophos.com.

About this solution

This solution utilizes the following AWS Services to first determine if an EC2 instance has the Sophos agent installed or not, and if not, automate the installation of the appropriate Sophos agent.

AWS Lambda - https://aws.amazon.com/lambda/

AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers.

Amazon Systems Manager (abbreviated as SSM throughout this guide) - https://aws.amazon.com/systems-manager/

Amazon Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems.

AWS Identity and Access Management (abbreviated as IAM) - https://aws.amazon.com/iam/

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely.

AWS CloudWatch - https://aws.amazon.com/cloudwatch/

CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health.

How it works

This solution consists of an AWS Lambda function built in Python, which executes whenever an EC2 instance state changes from "stopped" to "running" (as determined through monitoring with CloudWatch). This function checks the instance state in SSM to determine if a Sophos agent is present in the workload, and if not, will automatically deploy a Sophos Server agent to the EC2 instance using the AWS SSM agent in the workload through the Sophos provided SSM Documents.

As such, this solution requires that the managed EC2 instances have the SSM agent installed, have an IAM role attached with the necessary SSM permissions, and show up as 'managed' in the Systems Manager console. For details on this, see https://docs.aws.amazon.com/ssm/latest/APIReference/Welcome.html.

Please note that the file names used are referenced in various places across the Lambda function and SSM Documents. For this reason, copy and paste the exact file names shown below when creating the Lambda function and SSM Documents.
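The flow described above (event arrives for an instance entering "running", check SSM, send the install document if no agent is present), written out as an added example. This is not the article's SophosLambdaDeploySSMDocs.py; it assumes the EventBridge EC2 state-change event shape, a boto3 SSM client, and the document name SophosSSMAgentsInstallDocument from the file list below. The agent-presence check through SSM Inventory (AWS:Application) is an assumption, since the article does not say how its function detects the agent. A constructed fake SSM client is included so the logic runs offline.

```python
"""Added example (not the article's Lambda code): decide whether to push the
Sophos install document to an EC2 instance that just entered 'running'."""
import json

try:
    import boto3  # present in the Lambda runtime; optional when run offline
except ImportError:  # pragma: no cover
    boto3 = None

DOCUMENT_NAME = "SophosSSMAgentsInstallDocument"  # name from the article's file list
AGENT_MARKER = "sophos"  # assumption: substring searched in inventory application names


def instance_from_event(event):
    """Return the instance id for an EC2 'running' state-change event, else None."""
    if event.get("source") != "aws.ec2":
        return None
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        return None
    detail = event.get("detail", {})
    if detail.get("state") != "running":
        return None
    return detail.get("instance-id")


def is_managed(ssm, instance_id):
    """True when SSM reports the instance as an online managed node."""
    resp = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])
    return any(i.get("PingStatus") == "Online"
               for i in resp.get("InstanceInformationList", []))


def agent_installed(ssm, instance_id):
    """Assumption: a Sophos entry in the AWS:Application inventory means the agent is present."""
    resp = ssm.list_inventory_entries(InstanceId=instance_id, TypeName="AWS:Application")
    return any(AGENT_MARKER in e.get("Name", "").lower() for e in resp.get("Entries", []))


def deploy_if_needed(ssm, event):
    """Core decision logic; returns a dict describing what was done and why."""
    instance_id = instance_from_event(event)
    if instance_id is None:
        return {"action": "ignored", "reason": "not an EC2 running event"}
    if not is_managed(ssm, instance_id):
        return {"action": "skipped", "instance": instance_id, "reason": "not SSM-managed"}
    if agent_installed(ssm, instance_id):
        return {"action": "skipped", "instance": instance_id, "reason": "agent present"}
    cmd = ssm.send_command(InstanceIds=[instance_id], DocumentName=DOCUMENT_NAME,
                           Comment="Sophos agent auto-deploy")
    return {"action": "deployed", "instance": instance_id,
            "command_id": cmd["Command"]["CommandId"]}


def lambda_handler(event, context):
    """Lambda entry point: same logic against the real SSM client."""
    result = deploy_if_needed(boto3.client("ssm"), event)
    print(json.dumps(result))  # lands in the CloudWatch log stream checked in Step 8
    return result


class FakeSSM:
    """Constructed stand-in for boto3's SSM client so the logic runs offline."""

    def __init__(self, online, apps):
        self.online, self.apps, self.sent = online, apps, []

    def describe_instance_information(self, Filters):
        iid = Filters[0]["Values"][0]
        if iid not in self.online:  # unmanaged instances simply do not appear
            return {"InstanceInformationList": []}
        return {"InstanceInformationList": [{"InstanceId": iid, "PingStatus": "Online"}]}

    def list_inventory_entries(self, InstanceId, TypeName):
        return {"Entries": [{"Name": n} for n in self.apps.get(InstanceId, [])]}

    def send_command(self, InstanceIds, DocumentName, Comment=""):
        self.sent.append((InstanceIds[0], DocumentName))
        return {"Command": {"CommandId": f"cmd-{len(self.sent)}"}}


def running_event(instance_id):
    """Constructed EventBridge event in the shape the Step 7 rule matches."""
    return {"source": "aws.ec2",
            "detail-type": "EC2 Instance State-change Notification",
            "detail": {"instance-id": instance_id, "state": "running"}}


if __name__ == "__main__":
    fake = FakeSSM(online={"i-0aaa", "i-0bbb"},
                   apps={"i-0bbb": ["Sophos Protection Agent"]})
    print(deploy_if_needed(fake, running_event("i-0aaa")))  # deploys
    print(deploy_if_needed(fake, running_event("i-0bbb")))  # agent already present
    print(deploy_if_needed(fake, running_event("i-0ccc")))  # not managed by SSM
```

One practical caveat the presence check exposes: the "running" event fires as soon as the instance starts, and a freshly booted SSM agent may not yet be Online when the function runs, so the instance is skipped rather than installed. If that matters in your environment, record skipped instances (the returned dict is already logged) and re-drive them, for example from an asynchronous retry or a periodic sweep.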

Installation files

SophosServerAutoDeployAgent.zip

Included files are:

  1. README
  2. SophosLambdaDeploySSMDocs.py (Lambda Python 3.7 function).
  3. SophosSSMAgentsInstallDocument (SSM document that the Lambda function calls to determine platform type and, based on the outcome, calls the Linux or Windows Documents).
  4. SophosSSMAgentInstallLinux (SSM Document that downloads and installs Sophos Linux Server agent). 
  5. SophosWindowsAgentInstall (SSM Document that downloads and installs Sophos Windows Server agent).

Prerequisites

  • Working knowledge of AWS including EC2 instance creation, Lambda functions, IAM role creation and Systems Manager
  • Systems Manager should be configured and managing your EC2 instances
    • NOTE: EC2 instances require SSM permissions to interact and exchange information with SSM

Step 1 - Create the EC2 IAM role

Note: This step is optional if your instances are already managed through SSM.
As mentioned in the prerequisites, in order for the SSM agent on an EC2 instance to interact with the SSM service, the instance needs to have an IAM role assigned to it that grants the relevant permissions. Luckily, Amazon has a pre-built policy called "AmazonEC2RoleforSSM" that we can use for this purpose.

Note: These steps assume your EC2 instances currently do not have a role assigned. If this is not the case, add the "AmazonEC2RoleforSSM" policy to the existing instance role instead of replacing the role on the instance.

  1. To create a new IAM role for this purpose, open your AWS console and navigate to IAM > Roles, then select Create Role.
  2. Select AWS Service and select EC2 from the ‘Common use cases’ section. Click Next: Permissions.
  3. Now you can attach permissions to your IAM role. Search for SSM in the "policy filter" field and select the AmazonEC2RoleforSSM policy.
  4. Next, search for and add the AmazonSSMManagedInstanceCore policy.
  5. Once you have selected the policy, click Next: Tags.
  6. Here you can enter any tags you wish to use. Click Next: Review.
  7. Enter a Role name and Role description in the respective fields, then review the role policies to ensure the correct permissions have been applied. Click Create role.
  8. Navigate to your instances in the EC2 console.
    1. Select the Instance IDs you wish to deploy the agent on.
    2. Click Actions > Security > Modify IAM role.
    3. Select the IAM role we created in the previous steps.

Step 2 - Locate the installer URL and modify the SSM Documents

Since Sophos Central uses a client-specific installer URL it is of utmost importance to modify the provided SSM Documents with the relevant URL.

  1. Navigate to Sophos Central https://central.sophos.com and sign in.
  2. Go to Server Protection > Protect Devices.
  3. Right click on Download Linux Server Installer and copy the URL.
  4. Download and unpack the SophosServerAgentAutoDeployLambdaSSM.zip file provided in the "Installation files" section of this article.
  5. Open the SophosSSMAgentInstallLinux document in a text editor and navigate to the line containing "xxxxxxxxxxxxxxxx".
  6. Replace the URL in the document with the URL we copied from Central in step 3.
  7. Save the document.
  8. Return to Sophos Central and right click on Download Windows Server Installer to copy the URL.
  9. Open the SophosWindowsAgentInstall document in a text editor and navigate to the line "$url = \"xxxxxxxxxxxxxxxxxxxxx\"".
  10. Replace "xxxxxxxxxxxxxxxxxxxxx" with the URL copied from Sophos Central in step 7.
  11. Save the document.
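Because the placeholder in each document must be replaced with exactly the right URL before the upload in Step 3, here is an added example (not part of the article's zip) that does the substitution and sanity-checks the result: no placeholder left behind, valid JSON, the expected run action for the platform, and an https installer URL. The two documents below are constructed minimal stand-ins for SophosSSMAgentInstallLinux and SophosWindowsAgentInstall, not the real files; the example URL is a placeholder you replace with the one copied from Sophos Central.

```python
"""Added example: fill the installer-URL placeholder in an SSM Command
document and validate it before uploading.  Sample documents are constructed."""
import json
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"x{10,}")  # the run of x characters the article says to replace

# Constructed minimal documents in the shape of an SSM Command document (schema 2.2).
LINUX_DOC = json.dumps({
    "schemaVersion": "2.2",
    "description": "Install Sophos Linux Server agent (constructed sample)",
    "mainSteps": [{
        "action": "aws:runShellScript",
        "name": "install",
        "inputs": {"runCommand": [
            "curl -fsSL 'xxxxxxxxxxxxxxxx' -o /tmp/SophosSetup.sh",
            "chmod +x /tmp/SophosSetup.sh && /tmp/SophosSetup.sh"]}}]})

WINDOWS_DOC = json.dumps({
    "schemaVersion": "2.2",
    "description": "Install Sophos Windows Server agent (constructed sample)",
    "mainSteps": [{
        "action": "aws:runPowerShellScript",
        "name": "install",
        "inputs": {"runCommand": [
            "$url = \"xxxxxxxxxxxxxxxxxxxxx\"",
            "Invoke-WebRequest -Uri $url -OutFile $env:TEMP\\SophosSetup.exe",
            "& $env:TEMP\\SophosSetup.exe --quiet"]}}]})


def fill_installer_url(doc_text, url):
    """Return the document text with every placeholder replaced by url."""
    if any(c in url for c in '"\\'):
        raise ValueError("URL would break the JSON document")
    # A callable replacement avoids backslash/group processing on the URL.
    return PLACEHOLDER.sub(lambda _m: url, doc_text)


def check_document(doc_text, expected_action):
    """Validate structure and installer URLs; returns a list of problems (empty is good)."""
    problems = []
    try:
        doc = json.loads(doc_text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if doc.get("schemaVersion") != "2.2":
        problems.append("schemaVersion should be 2.2 for a Command document")
    steps = doc.get("mainSteps", [])
    if not steps:
        problems.append("no mainSteps")
    for step in steps:
        if step.get("action") != expected_action:
            problems.append(f"step {step.get('name')} uses {step.get('action')}, "
                            f"expected {expected_action}")
        for line in step.get("inputs", {}).get("runCommand", []):
            if PLACEHOLDER.search(line):
                problems.append("placeholder still present: " + line)
            for url in re.findall(r"https?://\S+", line):
                url = url.strip("'\"")
                if urlparse(url).scheme != "https":
                    problems.append("installer URL is not https: " + url)
    return problems


if __name__ == "__main__":
    # Placeholder URL; in practice paste the one copied from Sophos Central.
    linux = fill_installer_url(LINUX_DOC, "https://example.invalid/SophosSetup.sh")
    print(check_document(linux, "aws:runShellScript"))      # no problems
    print(check_document(LINUX_DOC, "aws:runShellScript"))  # placeholder reported
```

To use it on the real files, read each document from the unpacked zip, pass it through fill_installer_url with the Linux or Windows URL, run check_document with aws:runShellScript or aws:runPowerShellScript respectively, and only write the file back when the problem list is empty.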

Step 3 - Upload the SSM Documents for Windows and Linux

You will need to upload the installation scripts that are called by the Lambda function which will install the Sophos Protection Agent to your EC2 instances.

  1. Navigate to SSM in AWS and select Documents in the left-hand menu.
  2. Click Create command or session.
  3. Enter a name for your document e.g., SophosSSMAgentsInstallDocument.
  4. Leave the Document type as Command document and the content as JSON.
  5. Paste in the details from the SophosSSMAgentInstallDocument we downloaded earlier.
  6. Click Create document.
  7. Repeat the same process for creating the following documents:
    1. SophosSSMAgentInstallLinux
    2. SophosWindowsAgentInstall

Step 4 - Create an IAM Role for the Lambda Function

Next, we'll need to create an IAM role to enable the Lambda function to connect to the Systems Manager service and execute the required SSM Documents.

  1. Open your AWS console and navigate to IAM > Roles, then select Create Role.
  2. Select AWS Service and select Lambda from the ‘Common use cases’ section. Click Next: Permissions.
  3. Click Create Policy.
  4. Search for "Systems Manager" in the Service section, then select Systems Manager from the results.
  5. In Actions, unfold "List", "Read", and "Write". Select the following permissions:
    1. ListDocuments
    2. DescribeInstanceAssociationsStatus
    3. DescribeInstanceInformation
    4. DescribeInstancePatches
    5. DescribeInstancePatchStates
    6. DescribeInstancePatchStatesForPatchGroup
    7. DescribeInstanceProperties
    8. GetDocument
    9. StartAutomationExecution
    10. StopAutomationExecution
    11. SendCommand
  6. In the Resources section, select All Resources.
  7. Now that you've completed defining the policy permissions, click Next: Tags.
  8. Here you can enter any tags you wish to use. Click Next: Review.
  9. Provide a name and description for the policy in the respective fields.
  10. Review the policy's permissions and click Create policy.
  11. Return to the IAM role creation tab and click the small refresh icon in the right-hand corner of the policy field.
  12. Search for the name of the policy created in step 10 and select it.
  13. Next, search for the policy name AWSLambdaBasicExecutionRole and select it.
  14. Click Next: Tags.
  15. Here you can enter any tags you wish to use. Click Next: Review.
  16. Enter a Role name and Role description in the respective fields, then review the role policies to ensure the correct permissions have been applied. Click Create role.

Step 5 - Create the Lambda Function

  1. Navigate to AWS Lambda in your AWS account and click Create function.
  2. Select to ‘Author the function from scratch’ and enter the basic information for the function. This includes an identifiable function name.
  3. Select Python 3.7 from the ‘runtime’ dropdown menu.
  4. Select an existing role and then select the IAM role we created in Step 4.
  5. Click Create Function.

Step 6 - Configure the Lambda Function

Once you have created the function you can upload the function code provided in the Installation Files by editing the function.

  1. Right-click the function's .py file (lambda_function.py by default) in the left-hand menu of the ‘Code source’ window and click Open.
  2. Copy the Lambda function script from the Python script you downloaded in Step 2 of this article and paste it into the window.
  3. Ensure the <DocumentName> in the ‘#Run the command with SSM’ section matches the Document name you uploaded in Step 3.
  4. Click Deploy (This is the same as a ‘Save’ option. Please note that if you do not click Deploy and you have made changes to the script, they will not be saved).
  5. Select the Configuration tab.
  6. Click Edit.
  7. Enter a description of the function configuration and select the role you created in step 4 as the execution role.
  8. Click Save.

Step 7 - Configure the function trigger

With the function created, the next thing we need to configure is the conditions that cause the Lambda to execute the function. This is handled by the Trigger mechanism, which we'll add to the function in this step.

  1. Click Add Trigger.
  2. Select EventBridge (CloudWatch Events).
  3. Select to create a new rule.
  4. Enter the rule name and description.
  5. Change the rule type to Event Pattern.
  6. Select EC2 from the first drop-down menu.
  7. Select EC2 instance state-change notification from the second drop-down menu.
  8. Select Detail.
  9. Select State.
  10. From the drop-down menu select Running.
    1. (Optional) You can configure which instances this trigger will apply to by clicking "Instances" and adding the Instance ID(s) of the EC2 instance(s) you wish to apply this function on.
  11. Click Add.

Step 8 - Testing and verification

With everything set up and configured, the last step is to recreate the trigger circumstances and monitor the environment to make sure the desired action (Sophos agent installation) is taking place.

  1. Create a new EC2 instance (or start one that was previously stopped and doesn't have the Sophos Server Protection agent installed on it yet).
    1. When creating a new instance, make sure to select the Instance IAM role for SSM we created in Step 1 from the IAM role drop-down when configuring the Instance details.
  2. To check if the function triggered successfully, navigate to Lambda in AWS, select your function, click the Monitor tab and select Logs.
  3. In the ‘Recent invocations’ window, you will see the logs for any time the function is called.
  4. You can view more details by clicking on the link for the log.


Updated disclaimer
[edited by: Qoosh at 8:04 PM (GMT -7) on 31 Mar 2023]
  • Excellent post.

    Could you please update your Linux script. I found that the .sh file you pointed to is the old Linux installer. I used the SophosSetup.sh URL in the Central Admin dashboard.

    For our purposes we used your script and modified it to not install Sophos on all machines, but just the machines that have a tag Sophos yes or Yes. This is to prevent a sprawl of Sophos licenses used, especially on very short-lived machines that deploy and terminate quickly.

    We also added another variable to the actual SSM documents to allow for --devicegroup (windows) or --group (linux) to automagically add the servers to the right groups. Perhaps this is something to look into for the future? 

  • Is there a way to uninstall the agent once the AWS EC2 instance has stopped (due to AWS Elastic Beanstalk)?

  • This is a terrible solution. It requires far too many integrations: SSM, Lambda, CloudWatch, IAM, etc. Too many things have to go right for this to work, and there is limited visibility without building a whole bunch of other things to get alerted when this goes wrong. It also doesn't lend itself well to creating new clusters of autoscaled instances without repeating this configuration every single time. Additionally, IAM permissions required to run this must be integrated with any IAM roles that are already applied to the instances.

    Most importantly, it doesn't even remove the instance from Sophos Central when the instance is terminated.