Running Tripwire Security Scan with REST call

I was asked to initiate a Tripwire scan on all VMs deployed by vRealize Automation. This requirement came from a compliance audit finding. After some talks with the Tripwire team, we decided on an approach: assign a tag to the host in Tripwire, which forces an initial VM scan.

The VM is registered in Tripwire during agent installation, which is handled by SCCM, Salt or Ansible, depending on the underlying operating system.

Additionally, for the code to work you will have to create a vRO REST host for the Tripwire server using basic authentication. In my case the URL is just the Tripwire server FQDN over HTTPS. Since basic authentication sends the credentials with every request, keep the endpoint on HTTPS with certificate validation enabled, and use a dedicated Tripwire account that has only the rights needed to read assets and tags and to assign tags.

First we have to find the VM id in Tripwire. I'm in a lucky situation that all VM names are unique across all vCenters, and each VM name equals the hostname part of its FQDN. Therefore the vSphere vmname can be used to find the asset in Tripwire.

//INPUTS:
//restHost <REST:RESTHost>: Tripwire vRO endpoint
//hostname <String>: vSphere vmname
//OUTPUT:
//hostId <String>: Tripwire asset id of the VM
var operationUrl = "/assetview/api/assets";
var request = restHost.createRequest("GET", operationUrl);
request.setHeader("Content-Type", "application/json");
request.setHeader("Accept", "application/json");
var response = request.execute();
//Evaluate response
var found = false;
var hostId = null;
if (response.statusCode < 400) {
	System.debug("Response Status Code: " + response.statusCode);
	var devices = JSON.parse(response.contentAsString)["computing-device"];
	//Compare the short hostname (first DNS label) to the vmname, case-insensitively.
	//An exact comparison is used instead of indexOf(hostname) == 0: a prefix match
	//would accept e.g. "web010" when looking for "web01".
	var wanted = hostname.toLowerCase();
	for each (var device in devices) {
		var curHostname = device["hostname"].split(".")[0].toLowerCase();
		if (curHostname == wanted) {
			found = true;
			hostId = device["synthetic-id"][0]["@id"];
			System.log("Found hostname: " + hostname);
			System.log("hostId: " + hostId);
			break;
		}
	}
	if (!found) {
		//The VM is not registered in Tripwire (for example the agent is not installed yet)
		throw "Error: can't find the VM " + hostname + " in Tripwire.";
	}
}
else {
	throw "Error invoking REST call - Url: " + operationUrl + ", returned Status Code: " + response.statusCode + ", response: " + response.contentAsString;
}

Once the Tripwire host id is found, we need the id of the tag.

//INPUTS:
//restHost <REST:RESTHost>: Tripwire vRO endpoint
//tagName <String>: Tripwire tag name that will force the autoscan
//OUTPUT:
//tagId <String>: Tripwire id of that tag
var operationUrl = "/assetview/api/tags";
var request = restHost.createRequest("GET", operationUrl);
request.setHeader("Content-Type", "application/json");
request.setHeader("Accept", "application/json");
var response = request.execute();
var found = false;
var tagId = null;
if (response.statusCode < 400) {
	System.debug("Response Status Code: " + response.statusCode);
	var tags = JSON.parse(response.contentAsString)["tag"];
	//Exact name match; without the found flag a missing tag would silently
	//leave tagId pointing at the last tag in the list.
	for each (var tag in tags) {
		var curTagName = tag["name"];
		if (curTagName == tagName) {
			found = true;
			tagId = tag["@id"];
			System.log("Found Tag Name: " + tagName);
			System.log("tagId: " + tagId);
			break;
		}
	}
	if (!found) {
		throw "Error: can't find the tag " + tagName + " in Tripwire.";
	}
}
else {
	throw "Error invoking REST call - Url: " + operationUrl + ", returned Status Code: " + response.statusCode + ", response: " + response.contentAsString;
}

Now we assign the tag to the host, which starts the automated scan of the VM.

//INPUTS:
//restHost <REST:RESTHost>: Tripwire vRO endpoint
//hostId <String>: host id recovered in step 1
//tagId <String>: tag id recovered in step 2
var operationUrl = "/assetview/api/assets/{ID}/tags/{TagID}";
//Ids are URL-encoded so an unexpected character cannot alter the request path
operationUrl = operationUrl.replace("{ID}", encodeURIComponent(hostId));
operationUrl = operationUrl.replace("{TagID}", encodeURIComponent(tagId));
var request = restHost.createRequest("POST", operationUrl, null);
request.setHeader("Content-Type", "application/json");
request.setHeader("Accept", "application/json");
var response = request.execute();
if (response.statusCode < 400) {
	System.debug("Response Status Code: " + response.statusCode);
	System.debug("Response: " + response.contentAsString);
}
else {
	throw "Error invoking REST call - Url: " + operationUrl + ", returned Status Code: " + response.statusCode + ", response: " + response.contentAsString;
}
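The lookup logic of the three steps above, as an added example that is not part of the original post: the asset and tag resolution is pulled out into plain functions so it can be run under Node.js without vRO or a Tripwire server, and it also shows the two failure modes a prefix match hides (a VM name that is a prefix of another, and duplicate hostnames across vCenters, which the post avoids by policy). The function names are hypothetical, and the two JSON documents are constructed samples that mirror the shape the post's code parses; the real API responses may carry more fields.

```javascript
// Added example, not code from the original post or from Tripwire.
// Constructed sample in the shape the post's code reads from
// GET /assetview/api/assets ("computing-device" -> "synthetic-id"[0]["@id"]).
const SAMPLE_ASSETS = {
  "computing-device": [
    { "synthetic-id": [{ "@id": "11111111-aaaa" }], hostname: "web01.corp.example" },
    { "synthetic-id": [{ "@id": "22222222-bbbb" }], hostname: "WEB010.corp.example" },
    { "synthetic-id": [{ "@id": "33333333-cccc" }], hostname: "db02.corp.example" },
    // same short hostname in a second vCenter: must be reported, not silently picked
    { "synthetic-id": [{ "@id": "44444444-dddd" }], hostname: "db02.lab.example" },
  ],
};

// Constructed sample in the shape the post's code reads from GET /assetview/api/tags.
const SAMPLE_TAGS = {
  tag: [
    { "@id": "tag-0001", name: "AutoScan-Exclude" },
    { "@id": "tag-0002", name: "AutoScan" },
  ],
};

// Resolve the Tripwire asset id for a vSphere VM name (hypothetical helper).
// The first DNS label is compared exactly and case-insensitively; a prefix
// test such as indexOf(vmName) == 0 would accept "web010" for "web01".
// Throws when nothing matches or when more than one asset matches.
function findAssetId(assetsResponse, vmName) {
  const wanted = vmName.toLowerCase();
  const devices = assetsResponse["computing-device"] || [];
  const matches = devices.filter((device) => {
    const shortName = String(device.hostname).split(".")[0].toLowerCase();
    return shortName === wanted;
  });
  if (matches.length === 0) {
    throw new Error("Can't find the VM " + vmName + " in Tripwire.");
  }
  if (matches.length > 1) {
    throw new Error("Ambiguous VM name " + vmName + ": " + matches.length + " assets match.");
  }
  return matches[0]["synthetic-id"][0]["@id"];
}

// Resolve a tag id by exact name (hypothetical helper). A loop that only
// breaks on a match would otherwise leave the id of the last tag behind.
function findTagId(tagsResponse, tagName) {
  const tags = tagsResponse.tag || [];
  const hit = tags.find((tag) => tag.name === tagName);
  if (!hit) {
    throw new Error("Can't find the tag " + tagName + " in Tripwire.");
  }
  return hit["@id"];
}

// Build the path of the POST that assigns the tag to the asset. Both ids are
// URL-encoded so an unexpected character cannot change the request path.
function buildTagAssignmentPath(hostId, tagId) {
  return "/assetview/api/assets/" + encodeURIComponent(hostId) +
    "/tags/" + encodeURIComponent(tagId);
}

// Stand-alone run against the constructed samples.
const demoHostId = findAssetId(SAMPLE_ASSETS, "web01");
const demoTagId = findTagId(SAMPLE_TAGS, "AutoScan");
console.log("POST " + buildTagAssignmentPath(demoHostId, demoTagId));
```

In vRO the same functions work unchanged inside a scriptable task; only the `SAMPLE_*` objects are replaced by `JSON.parse(response.contentAsString)` of the respective GET call.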

The scan is run by Tripwire as an asynchronous operation. I'm not checking the state of the scan, since automatically provisioned VMs will scan green (and if not, the Tripwire team will contact the client and OS teams). As mentioned before, the initial scan is required for compliance reasons in my organization.