{"id":57,"date":"2022-03-20T10:21:19","date_gmt":"2022-03-20T14:21:19","guid":{"rendered":"https:\/\/mattonmacs.dev\/?p=57"},"modified":"2022-03-20T10:23:15","modified_gmt":"2022-03-20T14:23:15","slug":"logging-virustotal-package-scans-to-slack","status":"publish","type":"post","link":"https:\/\/mattonmacs.dev\/2022\/03\/20\/logging-virustotal-package-scans-to-slack\/","title":{"rendered":"Logging VirusTotal Package Scans to Slack"},"content":{"rendered":"\n

<p>When I need to create or automate a process, I generally try not to reinvent the wheel unless absolutely necessary. So, when I was looking to automate running a set of AutoPkg recipes on a set interval, Rich Trouton’s autopkg-conductor turned out to be a perfect fit for my needs. You can read his full post about it on his blog.<\/p>\n\n\n\n

<p>Now, AutoPkg by default includes a number of features to ensure the package you’ve grabbed is legitimate. That said, there’s still a small but real risk of malware hitching a ride alongside a legitimate package. Fortunately, there’s a great PostProcessor called VirusTotalAnalyzer to check for this. No solution is perfect, of course, but having all your packages run through VirusTotal adds another layer to your defense-in-depth strategy.<\/p>\n\n\n\n

<p>Rich’s autopkg-conductor has built-in support for posting details of new packages to Slack as they’re uploaded to Jamf Pro as part of a jss or jamf recipe. So, I made a slight modification to line 201 to add the VirusTotalAnalyzer PostProcessor:<\/p>\n\n\n\n

<pre><code>\/usr\/local\/bin\/autopkg run --recipe-list=${recipe_list} --post=${slack_post_processor} --key ${slack_autopkg_processor_key}=${slack_webhook} --post \"io.github.hjuutilainen.VirusTotalAnalyzer\/VirusTotalAnalyzer\" >> \/tmp\/autopkg.out 2>>\/tmp\/autopkg_error.out<\/code><\/pre>\n\n\n\n

<p>You’ll notice there are a few more lines in Rich’s script that call <code>autopkg<\/code> to run recipes, selected by the results of some if statements. The line referenced above is the one that runs when the script is configured to use the Slacker post-processor. If you want VirusTotalAnalyzer to run regardless of which branch is taken, you’ll want to add it to the <code>autopkg<\/code> lines in the other conditions as well.<\/p>\n\n\n\n

<p>autopkg-conductor generates logs in a specific format (<code>autopkg-run-for-<<date>><\/code>), stored by default in <code>~\/Library\/Logs<\/code>. Unfortunately, the output of any additional PostProcessors, while logged, is not picked up by the native Slack reporting. Enter virustotalLogger!<\/p>\n\n\n\n

<p>Provided a Slack webhook URL and log location, my script will detect the most recent run log, read any included VirusTotal results, and send them to the provided Slack webhook. I have it set to run immediately following autopkg-conductor. This is great for reporting, but it has some drawbacks:<br>
– By the time this script runs and reports scan results, the package has already been uploaded to your Jamf Pro instance.<br>
– If you have further automation in place for package deployment, some devices may have already installed the new package.<br>
– This is just straight reporting: no action is taken based on what VirusTotal reports. And it relies on someone monitoring the Slack channel for reported VirusTotal detections.<\/p>\n\n\n\n

<p>Since originally creating virustotalLogger, I’ve migrated all of my jss recipes to use Graham Pugh’s jamf-upload instead. This allowed me to address all of the above drawbacks while still using the script to receive package scan results. I’ll be making a post on that later.<\/p>\n\n\n\n

<p>virustotalLogger can be found on my GitHub.<\/p>\n","protected":false},"excerpt":{"rendered":"

","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,12,11],"tags":[14,13,18,19,15,16,17],"_links":{"self":[{"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/posts\/57"}],"collection":[{"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/comments?post=57"}],"version-history":[{"count":2,"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/posts\/57\/revisions"}],"predecessor-version":[{"id":59,"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/posts\/57\/revisions\/59"}],"wp:attachment":[{"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/media?parent=57"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/categories?post=57"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mattonmacs.dev\/wp-json\/wp\/v2\/tags?post=57"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}