IBM Partner Pavilion 2.3 Chapter 8. Interpreting scan results in SiteProtector

Chapter 8. Interpreting scan results in SiteProtector

This chapter explains how to use OS identification and the views in SiteProtector

to analyze the results of vulnerability assessment scans by the Enterprise Scanner

agent.

Topics

“OS identification (OSID) certainty” on page 104

“How OSID is updated in Enterprise Scanner” on page 105

“Setting up a Summary view for vulnerability management” on page 106

“Summary page for vulnerability management” on page 106

“Running reports in the SiteProtector Console” on page 117

“Types of assessment reports” on page 117

“Viewing an Enterprise Scanner report in the SiteProtector Console” on page 119

Contents

Main Page Trademarks and Disclaimer Page Contents Trademarks and Disclaimer ......iii About this book...........vii Part 1. Scanning from the Proventia Manager ..............1 Chapter 1. Ad hoc scanning in the Proventia Manager ..........3 Chapter 2. Interpreting scan results in the Proventia Manager ........21 Part 3. Maintenance........139 Part 4. Appendixes ........163 About this book Related publications Publications viii License agreement Technical support contacts Page Page Chapter 1. Ad hoc scanning in the Proventia Manager Section A: Network configuration Section B: Policy configuration Section A: Network configuration Configuring the management network interface 4 Configuring the scanning network interface Configuring scanning interface DNS settings 6 Assigning perspective to a scanning interface Configuring routes for perspective Section B: Policy configuration Defining assets for a discovery scan 8 Displaying assessment checks by groups Displaying information about assessment checks 10 Selecting assessment checks with filters Configuring common assessment settings for an Assessment policy 12 9. Configure options for using OS information in the Use of OS Information section: 14 12. Configure the options for locking out accounts in the Account Lockout Control section: Page Defining assessment credentials for a policy 16 Important: To avoid locking an account, do not add the account more than once. Defining the service names associated with TCP and UDP ports 18 Defining ports or assets to exclude from a scan Configuring and saving a scan policy in the Proventia Manager 20 Chapter 2. Interpreting scan results in the Proventia Manager Running an ad hoc scan 22 Monitoring the status of a scan Viewing the results of an ad hoc scan Exporting scan results from Proventia Manager 24 Purging scan data from the database Page Part 2. Scanning from the SiteProtector Console Chapters Page Chapter 3. Enterprise Scanner policies Policy inheritance with Enterprise Scanner policies General inheritance behavior 30 Inheritance with Enterprise Scanner policies Inheritance indicators Deploying an Enterprise Scanner policy from the policy repository Migrating a locally managed Enterprise Scanner agent into SiteProtector 32 Viewing asset or agent policies for Enterprise Scanner Getting vulnerability help for a SiteProtector Console without Internet access 34 Agent policies for Enterprise Scanner Agent policy descriptions for Enterprise Scanner Contents of an agent policy Policy inheritance with agent policies Network Locations policy What is perspective? 36 Default perspective When to use additional perspectives Assigning perspective to a scanning interface Configuring routes for perspective Notification policy Event notification settings for Enterprise Scanner 38 Configuring advanced parameters for event notification Access policy Networking policy Configuring the management network interface 40 Configuring the scanning network interface Configuring scanning interface DNS settings 42 Services policy Time policy 44 Update Settings policy Asset policies for Enterprise Scanner Asset policy descriptions for Enterprise Scanner Scope of scanning Contents of an asset policy Discovery policy Policy contents 46 Defining assets to discover Before you begin Assessment policy Displaying information about assessment checks 48 Displaying assessment checks by groups Selecting assessment checks with filters 50 Configuring common assessment settings 8. Configure options for using OS information in the Use of OS Information section: 52 11. Configure the options for locking out accounts in the Account Lockout Control section: 54 Assessment Credentials policy Defining assessment credentials for a policy Important: To avoid locking an account, do not add the account more than once. 56 Scan Control policy What is perspective? Defining scanning cycles and assigning perspectives to scans 58 Scan Window policy Important consideration for multiple agents Defining when scanning is allowed 60 Scan Exclusion policy Defining ports or assets to exclude from a scan Network Services policy Default settings 62 Policy inheritance Service definition Configuring a Network Services policy Ad Hoc Scan Control policy Configuration options 64 Running an ad hoc discovery scan with Enterprise Scanner Running an ad hoc assessment scan with Enterprise Scanner 66 Chapter 4. Understanding scanning processes in SiteProtector What is perspective? Perspective identifies network location 68 Default perspective Technical requirements Defining perspectives Perspectives in policies 70 Scan jobs and related terms Definitions Assets with unassigned criticality Scheduled and running scans The importance of tasks and subtasks Types of tasks Common management tasks Base management tasks Tasks per type of scan Priorities for running tasks Criticality and assessment tasks Task prioritization Stages of a scanning process 74 Dynamic prioritization The process for a scanning cycle The following table describes the general process for a scanning cycle: Optimizing cycle duration, scan windows, and subtasks for Enterprise Size of scan windows 76 Calibration considerations Discovery cycle duration Achieving the right balance Page Chapter 5. Background scanning in SiteProtector Determining when background scans run Scanning refresh cycle 80 Important points about refresh cycles Scanning windows How policies apply to ad hoc and background scans Asset policies and ad hoc scans Changing assessment and discovery policies Scan Control policy Scan window and refresh cycle examples 82 Background scanning checklists for Enterprise Scanner Checklist for background discovery scanning Checklist for background assessment scanning Enabling background scanning 84 Defining when scanning is allowed 86 Defining ports or assets to exclude from a scan Defining network services 88 Defining assessment credentials for a policy Important: To avoid inadvertently locking an account, do not add the account more than once. 90 Page Viewing your scan jobs Viewing discovery job results 92 Viewing assessment job results Page Chapter 7. Managing scans in SiteProtector Stopping and restarting scan jobs Impact of stopping scan jobs 96 Impact of restarting scan jobs Suspending and enabling all background scans Minimum scanning requirements 98 Registration and authentication Steps to initiate a scan The following table provides a brief reminder of the steps needed to initiate a scan: Scanning behaviors for ad hoc scans Inheritance Priority Troubleshooting scanning behaviors for ad hoc scans Expected scanning behaviors for background scans 100 Page 102 Chapter 8. Interpreting scan results in SiteProtector OS identification (OSID) certainty What determines certainty? 104 Sources of OSID Certainty of OSID sources How OSID is updated in Enterprise Scanner Conditions for reassessing OSID Exception Rules for updating OSID About user-supplied OSIDs Setting up a Summary view for vulnerability management Summary page for vulnerability management 106 Vulnerability management options Page Viewing vulnerabilities in the SiteProtector Console using Enterprise About vulnerability assessment 108 Creating custom views Viewing vulnerabilities by asset in Enterprise Scanner Page 110 Viewing vulnerabilities by detail in Enterprise Scanner 112 Viewing vulnerabilities by object in Enterprise Scanner Viewing vulnerabilities by target operating system in Enterprise Scanner Use this view to identify weaknesses that affect specific operating systems. 114 You can analyze specific operating systems that are more affectedby vulnerabilities. Viewing vulnerabilities by vulnerability name in Enterprise 116 Running reports in the SiteProtector Console Types of assessment reports Report descriptions 118 Viewing an Enterprise Scanner report in the SiteProtector Console Page Chapter 9. Logs and alerts Log files and alert notification Two types of log files 122 Two types of information Log size System logs Use the System Event Log page in the Proventia Manager to examine entries in the system logs. System log descriptions The following table describes the system logs for Enterprise Scanner: Getting log status information Enterprise Scanner (ES) logs 124 Log descriptions Changing logging detail Downloading Enterprise Scanner (ES) log files 126 Alerts log Risk level icons Event information icons Downloading and saving an Alerts log 128 Clearing the Alerts log Finding specific events in the Alerts log 130 Page Page Page Ticketing and Enterprise Scanner Tickets 134 Vulnerability auto ticketing Custom categories Remediation process overview for Enterprise Scanner Scanning recommendations Remediation tasks for Enterprise Scanner Task overview 136 Page 138 Page Page Chapter 11. Performing routine maintenance Shutting down your Enterprise Scanner 142 Removing an agent from SiteProtector Options for backing up Enterprise Scanner Types of backups 144 If you restore a system before you make backups Date of last system backup Backing up configuration settings Making full system backups 146 Chapter 12. Updating Enterprise Scanner XPU basics 148 Types of updates The following table describes the contents of firmware and assessment content updates: Update locations Updating options Update options Installation options with scheduled updates Rollbacks and backups Configuring explicit-trust authentication with an XPU server 150 Configuring an Alternate Update location 5. Click Save Changes. 152 Configuring an HTTP Proxy Configuring notification options for XPUs Scheduling a one-time firmware update Configuring automatic updates 154 Page Manually installing updates 156 Page Proventia Manager Home page 158 System status The system status group box describes the current status of the system: Network interface status Updates status The update status group box provides the latest update information of the appliance: Protection status The protection status area provides the current operational status of the modules for the appliance: Viewing agent status in the SiteProtector Console Viewing agent status 160 Viewing the status of the CAM modules Troubleshooting the Enterprise Scanner sensor 162 Page Page Appendix. Safety, environmental, and electronic emissions notices DANGER notices CAUTION notices 166 Product handling information Product safety labels World trade safety information 168 Laser safety information Laser compliance Product recycling and disposal Battery return program 170 Page Electronic emissions notices 172 Page 174 Page Page Index A B C D E F G 178 H I T U V W X