Automate ASM "Ready to Be Enforced" Attack Signatures

I'm glad the script works for you 🙂

When a new batch of signatures is released, they should be reviewed to determine if there's a reason to enforce them before they complete their staging period. For example, when the Log4j and most other critical signatures are released, I've followed a different process. 

First of all, my environment has a separate Signature Set named "Immediate Enforcement Signatures (Critical Sigs)". This Signature Set is attached to all policies. 

Then when I want to enforce a new signature that hasn't completed it's staging period, I manually add that signature to the Signature Set using the GUI, then run this script from the Big-IQ:

---------------------------------------------------------------------------------------------------

# This script skips Standby devices, then creates a list of all ASM policy hashes, then finds the ID of the Immediate Enforcement Signatures (Critical Sigs) signature set, and enforces the signatures in that signature set for all ASM policies that have the signature set attached.
# In ASM GUI, add new signature(s) to the Immediate Enforcement Signatures (Critical Sigs) signature set, then run this script to enforce the set on all policies

bash
cd /var/tmp

CREDS=admin

# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
exit
fi

# Creates variable with list of policy hashes, then prints variable contents to txt file (excluding parent and default policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt

FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)

# ASM - Enable and Enforce Signatures in Signature Set on all policies, and Applies Policies - All Policies
for LINE in $LINES
do
SETID=$(curl -kvu $CREDS -X GET "https://localhost/mgmt/tm/asm/policies/$LINE/signature-sets" -u $CREDS -k -v -H "Content-Type: application/json" | jq -r '.items[] | select(.signatureSetReference.name=="Immediate Enforcement Signatures (Critical Sigs)") | .id')
DATA='{"commands":[{"method":"PATCH","uri":"/mgmt/tm/asm/policies/'$LINE'/signatures?$filter=signatureSets/id+eq+'\'$SETID\''","body":{"performStaging":false,"enabled":true}}]}'
curl -kvu $CREDS -X POST "https://localhost/mgmt/tm/asm/tasks/bulk" -u $CREDS -k -v -H "Content-Type: application/json" -d $DATA | jq .
LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
curl -kvu $CREDS POST https://localhost/mgmt/tm/asm/tasks/apply-policy -k -v -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
sleep 10s
done

---------------------------------------------------------------------------------------------------

This script does the equivilent of going to Security > Application Security > Policy Building > Learning and Blocking Settings, then under the Attack Signatures section, clicking "Enforce and Enable all Attack Signatures in the Signature Set" for Signature Set "Immediate Enforcement Signatures (Critical Sigs)", then it applies the policy. 

The script automatically loops through all of your policies to enforce the Signature Set and apply the policy on all of them one-at-a-time. If you already have a Signature Set for this purpose, you can change the name in the script to match your Signature Set.

If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:

FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')