Automation is one of the keys to a successful DevOps department. There are many workflow engines, such as the one in Cisco’s SecureX. This blog discusses one way to automate launching connector runs.
Why automate connector runs? One reason is that you get vulnerability risk information at the same time each day, which provides consistent data for statistical purposes. Unburdening people from launching connector runs manually also frees up your DevOps personnel for other projects.
There are two code examples to draw from:
- connectors_auto_start.py – scans the list of connectors and determines when to launch a connector run and is discussed in this blog.
- show_connector_status.py – scans the list of connectors and informs you when a connector would be launched.
After experimenting with the connector APIs, I created connectors_auto_start.py. The code example show_connector_status.py is what the experimentation left behind. It is not polished, but it has some useful functions.
I decided to use the PrettyTable library for output in connectors_auto_start.py. This library is easy to use and is great for making readable output. Please use the requirements.txt to install the libraries. I’ll discuss more about PrettyTable later on.
The flow of connectors_auto_start.py is:
- Obtain a list of connectors
- For each connector, get the latest connector run
- If the criteria are met, launch the connector run
To obtain a list of connectors, the List Connectors API is invoked. The response contains, for each connector, its name, its ID, its host address, and whether it is currently running. Later on, the presence of a host address determines whether the connector is file-based. The response is returned to the caller.
Obtaining connector runs
With the list of connectors, we eliminate the file-based connectors. Why? Because I didn’t want to code uploading a file at this time. (Another blog perhaps.) Non-file-based connectors have a host associated with them; file-based connectors do not.
Here the main code obtains the list of connector runs for each remaining connector. If a connector doesn’t have any runs, the automation won’t try to launch it. Why? Because if it hasn’t been run at least once, it hasn’t been tested.
The get-connector-runs function invokes the List Connector Runs API to obtain the list of runs for a connector. The connector ID selects the connector.
Note that the response body for this call is itself a JSON array rather than an object with a named field, so the decoded response is used directly as the list of runs.
Launching the connector run
Two more criteria to go. The first criterion checks whether the connector is already running, using the start and end time stamps on the latest run: if the end time stamp is absent, the connector is still running. I think this is a nice feature which I discovered while experimenting, which means that this feature is not in the current API documentation.
If the connector is not running, grab the end time stamp and proceed to the second criterion, which checks whether enough time has elapsed since the connector run ended. The required gap can be passed as a command-line parameter; if not specified, it defaults to 24 hours.
Once all criteria have been met, the connector is launched with the Run Connector API, which returns the connector run ID. That ID is used in the output.
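The three-step flow above, written out as an added example (this is not the blog’s connectors_auto_start.py and not Kenna’s own code). It assumes the endpoint shapes the post describes: GET /connectors returning an object with a "connectors" array, GET /connectors/{id}/connector_runs returning a bare JSON array, and POST /connectors/{id}/run returning an object with "connector_run_id", all authenticated with an X-Risk-Token header; the base URL, the field names host, running, start_time and end_time, and the FakeClient sample data are assumptions constructed for illustration. The HTTP client is injectable, so the decision logic (skip file-based connectors, skip never-run connectors, skip running connectors, enforce the minimum gap) can be exercised offline.

```python
"""Launch-decision logic for Kenna connector runs (added example, not the
blog's script). Endpoint shapes and field names are assumptions, see lead-in."""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

DEFAULT_BASE_URL = "https://api.kennasecurity.com"  # assumption: adjust for your region


class KennaClient:
    """Minimal stdlib client for the three connector endpoints used here."""

    def __init__(self, token, base_url=DEFAULT_BASE_URL):
        self.token, self.base_url = token, base_url.rstrip("/")

    def _call(self, method, path):
        req = urllib.request.Request(self.base_url + path, method=method,
                                     headers={"X-Risk-Token": self.token,
                                              "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def list_connectors(self):
        return self._call("GET", "/connectors")["connectors"]

    def list_connector_runs(self, connector_id):
        # Bare array: the decoded body is the list itself, no wrapping field.
        return self._call("GET", f"/connectors/{connector_id}/connector_runs")

    def run_connector(self, connector_id):
        return self._call("POST", f"/connectors/{connector_id}/run")["connector_run_id"]


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp like '2021-03-02T02:15:00.000Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decide(connector, runs, now, min_gap):
    """Apply the post's criteria in order; return ('launch' | 'skip', reason)."""
    if not connector.get("host"):
        return "skip", "file-based connector (no host); upload not automated"
    if not runs:
        return "skip", "never run, so never tested"
    latest = max(runs, key=lambda r: parse_time(r["start_time"]))
    if connector.get("running") or not latest.get("end_time"):
        return "skip", "still running (latest run has no end_time)"
    elapsed = now - parse_time(latest["end_time"])
    if elapsed < min_gap:
        return "skip", f"last run ended {elapsed} ago, gap of {min_gap} not reached"
    return "launch", f"last run ended {elapsed} ago"


def auto_start(client, now=None, min_gap=timedelta(hours=24), dry_run=False):
    """Walk every connector, launch the due ones, return (name, status) rows."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for conn in client.list_connectors():
        action, reason = decide(conn, client.list_connector_runs(conn["id"]), now, min_gap)
        if action == "launch" and not dry_run:
            rows.append((conn["name"], f"launched, run id {client.run_connector(conn['id'])}"))
        else:
            rows.append((conn["name"], f"{action}: {reason}"))
    return rows


class FakeClient:
    """Offline stand-in for KennaClient with constructed sample data (not real)."""
    CONNECTORS = [
        {"id": 1, "name": "Nessus-prod", "host": "nessus.example.internal", "running": False},
        {"id": 2, "name": "CSV upload", "host": None, "running": False},
        {"id": 3, "name": "Qualys", "host": "qualysapi.example.com", "running": False},
        {"id": 4, "name": "Tenable.io", "host": "cloud.tenable.example", "running": False},
        {"id": 5, "name": "New scanner", "host": "scanner.example.internal", "running": False},
    ]
    RUNS = {  # connector 5 has never run; connector 3 is mid-run (no end_time)
        1: [{"id": 10, "start_time": "2021-03-01T01:00:00.000Z", "end_time": "2021-03-01T02:30:00.000Z"},
            {"id": 11, "start_time": "2021-03-02T01:00:00.000Z", "end_time": "2021-03-02T02:15:00.000Z"}],
        3: [{"id": 30, "start_time": "2021-03-03T00:30:00.000Z", "end_time": None}],
        4: [{"id": 40, "start_time": "2021-03-02T20:00:00.000Z", "end_time": "2021-03-02T21:00:00.000Z"}],
    }

    def __init__(self):
        self.launched = []

    def list_connectors(self):
        return list(self.CONNECTORS)

    def list_connector_runs(self, connector_id):
        return list(self.RUNS.get(connector_id, []))

    def run_connector(self, connector_id):
        self.launched.append(connector_id)
        return 1000 + connector_id


def demo(dry_run=False):
    """Run the logic against FakeClient at a fixed 'now'; return (rows, launched ids)."""
    client = FakeClient()
    now = datetime(2021, 3, 3, 3, 0, tzinfo=timezone.utc)
    return auto_start(client, now=now, dry_run=dry_run), client.launched


if __name__ == "__main__":
    token = os.environ.get("KENNA_API_TOKEN")  # read the token from the environment, never hard-code it
    rows = auto_start(KennaClient(token)) if token else demo()[0]
    for name, status in rows:
        print(f"{name}: {status}")
```

Run it with KENNA_API_TOKEN set to use the live API, or without it to see the decision for each constructed connector. The dry_run flag reports what would be launched without calling the Run Connector API, which is what show_connector_status.py does for the author’s setup.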
As stated earlier, the PrettyTable library is straight-forward to use. Here is where the table is initialized.
As you can see, there are two columns, “Connector Name” and “Status”. The “Connector Name” column is right-aligned and the “Status” column is left-aligned. Borders are turned off, but a row of tildes is added to separate the heading from the rows.
Rows are added with the add_row() method. The table is printed with a print() call.
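The table setup just described, as an added example (not the blog’s own snippet): two columns, name right-aligned, status left-aligned, borders off, a tilde row under the heading, then add_row() per connector. It uses the PrettyTable library from the blog’s requirements.txt; the small fallback renderer is an addition so that the example still runs where the library is not installed, and it mimics the same layout. The sample rows are constructed.

```python
"""Two-column connector report (added example). Uses PrettyTable when present;
_plain_table is a fallback so the function works without the library."""
try:
    from prettytable import PrettyTable
except ImportError:  # fallback only; install prettytable per requirements.txt
    PrettyTable = None

COLUMNS = ("Connector Name", "Status")


def build_table(rows):
    """rows: iterable of (connector_name, status). Returns the rendered table text."""
    rows = list(rows)
    if PrettyTable is None:
        return _plain_table(rows)
    table = PrettyTable(COLUMNS)
    table.align["Connector Name"] = "r"   # right-align names
    table.align["Status"] = "l"           # left-align status text
    table.border = False                  # no box drawing at all
    # Borders are off, so add a row of tildes to separate the heading from the data.
    table.add_row(["~" * len(COLUMNS[0]), "~" * len(COLUMNS[1])])
    for name, status in rows:
        table.add_row([name, status])
    return table.get_string()


def _plain_table(rows):
    """Library-free rendering with the same alignment and tilde separator."""
    w0 = max([len(COLUMNS[0])] + [len(n) for n, _ in rows])
    w1 = max([len(COLUMNS[1])] + [len(s) for _, s in rows])
    lines = [f"{COLUMNS[0]:>{w0}}  {COLUMNS[1]:<{w1}}", f"{'~' * w0}  {'~' * w1}"]
    lines += [f"{n:>{w0}}  {s:<{w1}}" for n, s in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample rows, in the (name, status) shape the launch loop produces.
    print(build_table([("Nessus-prod", "launched, run id 1001"),
                       ("CSV upload", "skip: file-based connector")]))
```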
So now you know how to use the List Connectors, List Connector Runs, and Run Connector APIs. This blog gives some ideas on how to automate the timing of launching connector runs that should be adaptable to workflow engines.
If you’re interested in playing with these samples, they’re located in the Kenna Security blog_samples repo in the connectors directory. One thought would be to add code to check if a connector has been running too long.