Alerting for Automation: navi mail

Casey Reid a.k.a Packet Chaos
4 min read · Mar 22, 2022


Automation is the key to success in any security program. In security, we often find a Python script or two very useful. However, what often gets left out is a way of communicating the success or failure of our scripts.

I found this out firsthand when creating navi automation scripts. My script would run for a few months and then it would be a few weeks before I detected the failure. So, I thought it would be useful to send an email of the output of certain commands or communicate the success of other commands.

This way, for example, if I reset my Tenable.io authentication keys and the automation script fails, the output can be emailed to me for immediate awareness.

Introducing the navi mail command.

navi mail --help

This command is used to mail yourself a message. For example, to send “Script completed successfully” at the end of a custom script, the navi command would look like:

navi mail --to "your_email_address@gmail.com" --subject "Custom Script Success" --message "Script completed successfully"

On Linux systems or the Docker version of navi, you can use backticks (`) to send the output of a command as the message. As a simple example, try mailing yourself the output of the “hostnamectl” command.

ERROR: “Less Secure Option in Gmail”

If you got the above error when following along, you may have to allow the below option in Gmail. Also, at the time of writing this article, it looks like this method won’t be supported by Gmail after May 30th, 2022. You may need to use another email provider for a throw-away email address.

Important Note: DO NOT use this method on your primary email accounts. Use a throw-away account that receives no email.

If your command worked, you should have received the output of the “hostnamectl” command in your inbox.

How about something more interesting, like the output of the “navi evaluate” command? The “navi evaluate” command parses all of the 19506 plugin outputs in the navi.db and prints out the average minutes per asset over three categories (Scanners, Policies and Scan Names). This can help identify the cause of slow scans. Below is the output from my home lab:

navi evaluate

Download new data each day using navi update full and then run navi evaluate to get visibility into any slow scan issues on a scanner, scan policy or scan name basis AND mail yourself the output!

navi mail --to "your_email@your_domain.com" --message "`navi evaluate`"

What about sending a navi export? Done! A common use-case is to tag assets based on plugin data, export that data into a CSV and email it to the asset owners. There are tons of specific use-cases around this concept. The most common I’ve seen is credential failures. This is a four-step process.

  1. tag assets
  2. update navi.db
  3. export to csv
  4. mail the file

To tag our assets based on the plugin 104410 using navi, we need to use the following command:

navi tag --c "Credential Problems" --v "Credential failures" --plugin 104410

Any asset that has the plugin 104410 has a credential failure, and the output explains why.

Now in Tenable.io you can identify assets that have credential failures using the newly created Tag. However, we are here for automation, so it’s time to export the data and email ourselves the file.

The tag data is pulled down from Tenable.io using the asset exports API endpoint. As a result, after all of your tagging commands you will need to update the tags table in navi by running: navi update assets. Control the time domain by using the --days option. navi update assets --days 1 vs navi update assets --days 180 could result in a different number of assets identified.

Now that we have fresh data in the navi.db, we can export our asset data into a CSV. Without the update step, our tag will result in an empty list and will error out when trying to export. It can take Tenable.io a few minutes to process large tag requests, so wait a few minutes and run the navi update command again if you receive an error.

navi export bytag --c "Credential Problems" --v "Credential failures" --file yourfilename

Now that we have our file, it’s time to email it to ourselves!

navi mail --to your_email@your_domain.com --subject "Test file" --file "yourfilename.csv"

Check your inbox; you should have your CSV!
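The four steps above chained into one script that stops at the first failure and mails that step's output, as an added example that is not from the original article or the navi project. It assumes navi returns a non-zero exit code when a command fails; `ALERT_TO`, `OUT_FILE`, `run_step` and `credential_report` are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example: tag -> update -> export -> mail, with an alert on the first failure.
# Assumption: navi returns a non-zero exit code when a command fails.
ALERT_TO="${ALERT_TO:-your_email@your_domain.com}"  # throw-away mailbox, as advised above
OUT_FILE="${OUT_FILE:-yourfilename}"                # navi export writes "$OUT_FILE.csv"

# Run one step; on failure, mail its captured output and return its exit code.
run_step() {
    local name="$1" output status
    shift
    output="$("$@" 2>&1)"
    status=$?
    if [ "$status" -ne 0 ]; then
        navi mail --to "$ALERT_TO" --subject "navi FAILED: $name (exit $status)" \
            --message "$output"
        return "$status"
    fi
    printf '%s\n' "$output"
}

credential_report() {
    run_step "tag assets" navi tag --c "Credential Problems" \
        --v "Credential failures" --plugin 104410 || return
    run_step "update navi.db" navi update assets || return
    # Remove any CSV left by an earlier run so the emptiness check below is meaningful.
    rm -f "$OUT_FILE.csv"
    run_step "export to csv" navi export bytag --c "Credential Problems" \
        --v "Credential failures" --file "$OUT_FILE" || return
    # An unprocessed tag yields no rows; alert instead of mailing nothing.
    if [ ! -s "$OUT_FILE.csv" ]; then
        navi mail --to "$ALERT_TO" --subject "navi FAILED: export produced no CSV" \
            --message "Expected $OUT_FILE.csv; wait a few minutes and re-run navi update assets."
        return 1
    fi
    run_step "mail the file" navi mail --to "$ALERT_TO" \
        --subject "Credential failures" --file "$OUT_FILE.csv"
}

# Run only when asked, e.g. from cron: ./credential_report.sh run
if [ "${1:-}" = "run" ]; then
    credential_report
fi
```

If the mail step itself fails, the alert cannot be delivered, so keep cron's own output or a log file as a second signal.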

Thanks for reading along! If you’re using navi and have suggestions, please let me know on GitHub!
