Using Agent7 for Compliance

Introduction

I’ve made a few posts about Agent7, what it does and its capabilities. In this post, I’ll share how you can use it to query your entire fleet to check configuration and compliance settings. Check it out on GitHub

Why might I use this?

Typically in an enterprise environment, there is a need to ask certain questions about your fleet. Now these questions may be:

  • Who is logged in?
  • What software was installed within X time period?
  • Is X software running right now?
  • Can my fleet reach outbound on port 5000?

You may need to ask these questions because you want to ensure your controls are working properly or to validate any assumptions. As noted before, Agent7 is NOT opinionated about HOW the data it collects is used. Quite simply, Agent7 collects data, stores it on the backend and allows the user to ask questions.

Let’s see some examples

Example 1: I want to know if my fleet can get outbound on port 445 (which is a no-no)

This question can be easily answered. Agent7 has a capability called RTR (Real Time Response). Similar to some EDR tools, it allows you to run commands on all your agents at once. So for example, we can run a command against our fleet saying “Can you get outbound on port 445?”

As shown in the figure below, we can run a PowerShell command on our fleet and Agent7 will respond with the answer. Based on the result, we see that our fleet can indeed reach outbound on port 445. Egress traffic filtering needs some work.
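The post does not show the command itself, so here is one way to write the check as a script you could push through RTR. This is an added example, not Agent7's own code; the target host is an assumed placeholder for whatever external host your policy designates for connectivity tests, and the port list is just the one the post discusses plus a second SMB-related port for illustration.

```powershell
# Added example (not Agent7's own code): test whether this endpoint can open an
# outbound TCP connection on ports that egress filtering is supposed to block.
# 'egress-test.example.com' is an assumed placeholder host.
function Test-EgressPort {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [int[]] $Ports = @(445),
        [int] $TimeoutMs = 3000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $reachable = $false
        try {
            # BeginConnect + WaitOne gives a bounded timeout; a plain Connect()
            # can hang for a long time when packets are silently dropped.
            $async = $client.BeginConnect($TargetHost, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                $client.EndConnect($async)
                $reachable = $true
            }
        } catch {
            # Refused / unreachable also means egress is not possible from here
            $reachable = $false
        } finally {
            $client.Close()
        }
        # One object per port so the backend can aggregate across the fleet
        [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            TargetHost   = $TargetHost
            Port         = $port
            Reachable    = $reachable
            # Policy says these ports must be blocked, so reachable means non-compliant
            Compliant    = -not $reachable
        }
    }
}

# Usage: run through RTR, collect the objects centrally, filter on Compliant -eq $false
Test-EgressPort -TargetHost 'egress-test.example.com' -Ports 445, 139 | Format-Table -AutoSize
```

Returning objects rather than free text is the point: once every agent reports the same shape, "which hosts can still reach 445" is a single filter on the backend instead of a pile of console output to read.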

Example 2: We have a policy that says all local and domain accounts must change their password every 90 days. Are we compliant?

This question is pretty easy to answer with Agent7. It already collects all local/domain accounts and provides a dashboard for this. Let’s see:

The credential report aggregates all local and domain (from AD) accounts in a single table and allows you to filter on when the account was rotated, if it’s privileged, the logon count and more. This can easily be used to satisfy an internal or external audit.
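For readers who want to see what the underlying per-endpoint check looks like, here is an added example (not Agent7's own collector) that flags accounts whose password is older than the 90-day policy. Local accounts come from Get-LocalUser; domain accounts are only included when the ActiveDirectory module (RSAT) is present on the machine running the script, which is an assumption, not something Agent7 requires.

```powershell
# Added example (not Agent7's own code): list enabled accounts whose password
# is older than the policy maximum, or has never been set.
function Get-StalePasswordAccount {
    param([int] $MaxAgeDays = 90)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # Local accounts: PasswordLastSet is $null when the password was never set,
    # which we treat as non-compliant rather than silently skipping it.
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        [PSCustomObject]@{
            ComputerName    = $env:COMPUTERNAME
            Scope           = 'Local'
            Account         = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            Compliant       = ($null -ne $_.PasswordLastSet) -and ($_.PasswordLastSet -gt $cutoff)
        }
    }

    # Domain accounts: only when RSAT's ActiveDirectory module is available (assumption).
    # PasswordNeverExpires is itself a policy violation, so it is flagged too.
    if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
        Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet, PasswordNeverExpires |
            ForEach-Object {
                [PSCustomObject]@{
                    ComputerName    = $env:COMPUTERNAME
                    Scope           = 'Domain'
                    Account         = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                    Compliant       = (-not $_.PasswordNeverExpires) -and
                                      ($null -ne $_.PasswordLastSet) -and
                                      ($_.PasswordLastSet -gt $cutoff)
                }
            }
    }
}

# Usage: show only the accounts an auditor would ask about
Get-StalePasswordAccount -MaxAgeDays 90 | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Two details matter for an audit: a never-set password must count as a failure, not a blank, and a "password never expires" flag defeats the rotation policy even when the last-set date looks recent, so both are folded into the Compliant column.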

Example 3: Do we restrict access to internal ports (e.g. can our users just host random internal services on their computers?)

This question is pretty difficult to answer normally, but Agent7 can help. Agent7 has a feature called neighbors that basically turns your entire fleet into a distributed scanner, allowing you to find ports/services running on your endpoints.
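The neighbors feature answers this from the outside, by scanning. The same question can be cross-checked from the inside by having each endpoint report what it is listening on and which process owns the socket, which also catches services bound only to localhost that a scan would never see. The following is an added example, not Agent7's neighbors code; the list of expected ports is an assumed workstation baseline and should be replaced with your own.

```powershell
# Added example (not Agent7's own code): inventory TCP listeners on this endpoint
# and map each to its owning process so unexpected services stand out.
function Get-ListeningService {
    param(
        # Ports a workstation is expected to listen on. This list is an
        # assumption for illustration; tune it to your own baseline.
        [int[]] $ExpectedPorts = @(135, 139, 445, 3389, 5985)
    )
    Get-NetTCPConnection -State Listen | ForEach-Object {
        # Process lookup can fail for protected system processes without elevation;
        # report 'unknown' rather than dropping the listener from the inventory.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            ComputerName = $env:COMPUTERNAME
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            ProcessPath  = if ($proc) { $proc.Path } else { $null }
            # Anything outside the baseline is a candidate "random internal service"
            Expected     = $_.LocalPort -in $ExpectedPorts
        }
    } | Sort-Object LocalPort
}

# Usage: show only listeners that are not part of the baseline
Get-ListeningService | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Running both views is useful: the scan tells you what is reachable from another host, and this inventory tells you what is actually bound and by whom, so a port that shows up in the scan but not here points at a network device or a firewall rule rather than an endpoint.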

The three (3) examples provided above are simply that: examples. I plan to build more structure into the compliance side. For example, it would be great for users to run a set of scripts against their endpoints to test “Egress Traffic Filtering”, or another set of scripts to test “Local Priv Escalation”. This is all pretty easy to customize with the dynamic API provided. That is hopefully coming soon. See us on GitHub

Thanks for reading!