Amazon Inspector Classic tutorial - Red Hat Enterprise Linux

Before you follow the instructions in this tutorial, we recommend that you get familiar with the Amazon Inspector Classic terminology and concepts.

This tutorial shows how to use Amazon Inspector Classic to analyze the behavior of an EC2 instance that runs the Red Hat Enterprise Linux 7.5 operating system. It provides step-by-step instructions on how to navigate the Amazon Inspector Classic workflow. The workflow includes preparing Amazon EC2 instances, running an assessment template, and performing the recommended security fixes generated in the assessment's findings. If you are a first-time user and would like to set up and run an Amazon Inspector Classic assessment with one click, see Creating a Basic Assessment.

Step 1: Set up an Amazon EC2 instance to use with Amazon Inspector Classic

For this tutorial, create one EC2 instance that runs Red Hat Enterprise Linux 7.5, and tag it using the Name key and a value of InspectorEC2InstanceLinux.

Note

For more information about tagging EC2 instances, see Resources and Tags.

Step 2: Modify your Amazon EC2 instance

For this tutorial, you modify your target EC2 instance to expose it to the potential security issue CVE-2018-1111. For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111 and Common vulnerabilities and exposures.

Connect to your instance, InspectorEC2InstanceLinux, and run the following command:

sudo yum install dhclient-12:4.2.5-68.el7

For instructions on how to connect to an EC2 instance, see Connect to Your Instance in the Amazon EC2 User Guide.

Step 3: Create an assessment target and install an agent on the EC2 instance

Amazon Inspector Classic uses assessment targets to designate the AWS resources that you want to evaluate.

To create an assessment target and install an agent on an EC2 instance

1. Sign in to the AWS Management Console and open the Amazon Inspector Classic console at https://console.aws.amazon.com/inspector/.

2. In the navigation pane, choose Assessment targets, and then choose Create.

   Do the following:

   1. For Name, enter the name for your assessment target.

      For this tutorial, enter MyTargetLinux.

   2. For Use Tags, choose the EC2 instances that you want to include in this assessment target by entering values for the Key and Value fields.

      For this tutorial, choose the EC2 instance that you created in the preceding step by entering Name in the Key field and InspectorEC2InstanceLinux in the Value field.

      To include all EC2 instances in your AWS account and Region in the assessment target, select the All Instances check box.

   3. Choose Save.

   4. Install an Amazon Inspector Classic agent on your tagged EC2 instance. To install an agent on all EC2 instances included in an assessment target, select the Install Agents check box.

      Note

      You can also install the Amazon Inspector Classic agent using the AWS Systems Manager Run Command. To install the agent on all instances in the assessment target, you can specify the same tags that you used when creating the assessment target. Or you can install the Amazon Inspector Classic agent on your EC2 instance manually. For more information, see Installing Amazon Inspector Classic agents.

   5. Choose Save.

Note

At this point, Amazon Inspector Classic creates a service-linked role called AWSServiceRoleForAmazonInspector. The role grants Amazon Inspector Classic the necessary access to your resources. For more information, see Creating a service-linked role for Amazon Inspector Classic.

Step 4: Create and run your assessment template

To create and run your template

1. In the navigation pane, choose Assessment templates, and then choose Create.

2. For Name, enter the name for your assessment template. For this tutorial, enter MyFirstTemplateLinux.

3. For Target name, choose the assessment target that you created above, MyTargetLinux.

4. For Rules packages, choose the rules packages that you want to use in this assessment template.

   For this tutorial, choose Common Vulnerabilities and Exposures-1.1.

5. For Duration, specify the duration for your assessment template.

   For this tutorial, select 15 minutes.

6. Choose Create and run.

Step 5: Locate and analyze your finding

A completed assessment run produces a set of findings, or potential security issues that Amazon Inspector Classic discovers in your assessment target. You can review the findings and follow the recommended steps to resolve the potential security issues.

In this tutorial, if you complete the preceding steps, your assessment run produces a finding against the common vulnerability CVE-2018-1111.

To locate and analyze your finding

1. In the navigation pane, choose Assessment runs. Verify that the status of the run for the assessment template called MyFirstTemplateLinux is set to Collecting data. This indicates that the assessment run is currently in progress, and the telemetry data for your target is being collected and analyzed against the selected rules packages.

2. You can't view the findings generated by the assessment run while it is still in progress. Let the assessment run complete its entire duration. However, for this tutorial, you can stop the run after several minutes.

   The status of MyFirstTemplateLinux changes first to Stopping, then in a few minutes to Analyzing, and then finally to Analysis complete. To see this change in status, choose the Refresh icon.

3. In the navigation pane, choose Findings.

   You can see a new finding of High severity called Instance InspectorEC2InstanceLinux is vulnerable to CVE-2018-1111.

   Note

   If you don't see the new finding, choose the Refresh icon.

   To expand the view and see the details of this finding, choose the arrow to the left of the finding. The details of the finding include the following:

   • ARN of the finding

   • Name of the assessment run that produced this finding

   • Name of the assessment target that produced this finding

   • Name of the assessment template that produced this finding

   • Assessment run start time

   • Assessment run end time

   • Assessment run status

   • Name of the rules package that includes the rule that triggered this finding

   • Amazon Inspector Classic agent ID

   • Name of the finding

   • Severity of the finding

   • Description of the finding

   • Recommended remediation steps that you can complete to fix the potential security issue described by the finding

Step 6: Apply the recommended fix to your assessment target

For this tutorial, you modified your assessment target to expose it to the potential security issue CVE-2018-1111. In this procedure, you apply the recommended fix for the issue.

To apply the fix to your target

1. Connect to your instance InspectorEC2InstanceLinux that you created in the preceding section, and run the following command:

   sudo yum update dhclient-12:4.2.5-68.el7

2. On the Assessment templates page, choose MyFirstTemplateLinux, and then choose Run to start a new assessment run using this template.

3. Follow the steps in Step 5: Locate and analyze your finding to see the findings that result from this subsequent run of the MyFirstTemplateLinux template.

   Because you resolved the CVE-2018-1111 security issue, you should no longer see a finding for it.