IBM Partner Pavilion 2.3 Policy inheritance with Enterprise Scanner policies

Policy inheritance with Enterprise Scanner policies

The inheritance properties of policies in SiteProtector provide a flexible and

efficient method for setting up your scanning environment in a hierarchical group

structure.

General inheritance behavior

In general, inheritance works as follows:

vWhen you define a policy for a group in your group structure, the policy

automatically applies to the subgroups for the group unless a subgroup already

has its own version of the policy. Then, that subgroup retainsits version of the

policy.

vYou can break the inheritance at any level in the group structureby redefining

(overriding) the policy for a subgroup. When you define a policy for a

subgroup, the changes apply to its subgroups.

vIf you have defined a policy for a subgroup that you want to apply to groups

above it, you can promote the policy to a higher group.

Inheritance with Enterprise Scanner policies

As you plan your Site grouping structure for vulnerability management, keep these

points in mind:

vMost asset policies follow the general rules of inheritance.

vMany agent policies apply only to a single agent or scanning network interface.

vSome asset and some agent policies have specialized inheritance characteristics.

These differences are described in more detail in the following topics.

Inheritance indicators

When you select a group in the left pane of the SiteProtector Console, policies

applicable to the group are displayed in the right pane. The inheritance indicators

of the policies are displayed in the Inheriting From column as follows:

Table4. Policy inheritance indicators

If the Inheriting From Valueis... Then...

blank The policy is defined at the group

level/agent selected in the left pane.

UNCONFIGURED Youhave chosen to override the policy with

one that is defined higher in the group

structure, but a higher-level policy is not

defined.

a_group_name The policy is inherited from the referenced

group.

Initially blank or unconfigured?

The initial inheritance indicators for agent policies can be blank or unconfigured

depending on whether you override SiteProtector group settings when you register

your agent with SiteProtector:

vIf you override the settings, the settings for the agent are applied to the

SiteProtector policies, so that the Inheriting From column is blank.

30 Enterprise Scanner: User Guide

Contents

Main Page Trademarks and Disclaimer Page Contents Trademarks and Disclaimer ......iii About this book...........vii Part 1. Scanning from the Proventia Manager ..............1 Chapter 1. Ad hoc scanning in the Proventia Manager ..........3 Chapter 2. Interpreting scan results in the Proventia Manager ........21 Part 3. Maintenance........139 Part 4. Appendixes ........163 About this book Related publications Publications viii License agreement Technical support contacts Page Page Chapter 1. Ad hoc scanning in the Proventia Manager Section A: Network configuration Section B: Policy configuration Section A: Network configuration Configuring the management network interface 4 Configuring the scanning network interface Configuring scanning interface DNS settings 6 Assigning perspective to a scanning interface Configuring routes for perspective Section B: Policy configuration Defining assets for a discovery scan 8 Displaying assessment checks by groups Displaying information about assessment checks 10 Selecting assessment checks with filters Configuring common assessment settings for an Assessment policy 12 9. Configure options for using OS information in the Use of OS Information section: 14 12. Configure the options for locking out accounts in the Account Lockout Control section: Page Defining assessment credentials for a policy 16 Important: To avoid locking an account, do not add the account more than once. Defining the service names associated with TCP and UDP ports 18 Defining ports or assets to exclude from a scan Configuring and saving a scan policy in the Proventia Manager 20 Chapter 2. Interpreting scan results in the Proventia Manager Running an ad hoc scan 22 Monitoring the status of a scan Viewing the results of an ad hoc scan Exporting scan results from Proventia Manager 24 Purging scan data from the database Page Part 2. Scanning from the SiteProtector Console Chapters Page Chapter 3. Enterprise Scanner policies Policy inheritance with Enterprise Scanner policies General inheritance behavior 30 Inheritance with Enterprise Scanner policies Inheritance indicators Deploying an Enterprise Scanner policy from the policy repository Migrating a locally managed Enterprise Scanner agent into SiteProtector 32 Viewing asset or agent policies for Enterprise Scanner Getting vulnerability help for a SiteProtector Console without Internet access 34 Agent policies for Enterprise Scanner Agent policy descriptions for Enterprise Scanner Contents of an agent policy Policy inheritance with agent policies Network Locations policy What is perspective? 36 Default perspective When to use additional perspectives Assigning perspective to a scanning interface Configuring routes for perspective Notification policy Event notification settings for Enterprise Scanner 38 Configuring advanced parameters for event notification Access policy Networking policy Configuring the management network interface 40 Configuring the scanning network interface Configuring scanning interface DNS settings 42 Services policy Time policy 44 Update Settings policy Asset policies for Enterprise Scanner Asset policy descriptions for Enterprise Scanner Scope of scanning Contents of an asset policy Discovery policy Policy contents 46 Defining assets to discover Before you begin Assessment policy Displaying information about assessment checks 48 Displaying assessment checks by groups Selecting assessment checks with filters 50 Configuring common assessment settings 8. Configure options for using OS information in the Use of OS Information section: 52 11. Configure the options for locking out accounts in the Account Lockout Control section: 54 Assessment Credentials policy Defining assessment credentials for a policy Important: To avoid locking an account, do not add the account more than once. 56 Scan Control policy What is perspective? Defining scanning cycles and assigning perspectives to scans 58 Scan Window policy Important consideration for multiple agents Defining when scanning is allowed 60 Scan Exclusion policy Defining ports or assets to exclude from a scan Network Services policy Default settings 62 Policy inheritance Service definition Configuring a Network Services policy Ad Hoc Scan Control policy Configuration options 64 Running an ad hoc discovery scan with Enterprise Scanner Running an ad hoc assessment scan with Enterprise Scanner 66 Chapter 4. Understanding scanning processes in SiteProtector What is perspective? Perspective identifies network location 68 Default perspective Technical requirements Defining perspectives Perspectives in policies 70 Scan jobs and related terms Definitions Assets with unassigned criticality Scheduled and running scans The importance of tasks and subtasks Types of tasks Common management tasks Base management tasks Tasks per type of scan Priorities for running tasks Criticality and assessment tasks Task prioritization Stages of a scanning process 74 Dynamic prioritization The process for a scanning cycle The following table describes the general process for a scanning cycle: Optimizing cycle duration, scan windows, and subtasks for Enterprise Size of scan windows 76 Calibration considerations Discovery cycle duration Achieving the right balance Page Chapter 5. Background scanning in SiteProtector Determining when background scans run Scanning refresh cycle 80 Important points about refresh cycles Scanning windows How policies apply to ad hoc and background scans Asset policies and ad hoc scans Changing assessment and discovery policies Scan Control policy Scan window and refresh cycle examples 82 Background scanning checklists for Enterprise Scanner Checklist for background discovery scanning Checklist for background assessment scanning Enabling background scanning 84 Defining when scanning is allowed 86 Defining ports or assets to exclude from a scan Defining network services 88 Defining assessment credentials for a policy Important: To avoid inadvertently locking an account, do not add the account more than once. 90 Page Viewing your scan jobs Viewing discovery job results 92 Viewing assessment job results Page Chapter 7. Managing scans in SiteProtector Stopping and restarting scan jobs Impact of stopping scan jobs 96 Impact of restarting scan jobs Suspending and enabling all background scans Minimum scanning requirements 98 Registration and authentication Steps to initiate a scan The following table provides a brief reminder of the steps needed to initiate a scan: Scanning behaviors for ad hoc scans Inheritance Priority Troubleshooting scanning behaviors for ad hoc scans Expected scanning behaviors for background scans 100 Page 102 Chapter 8. Interpreting scan results in SiteProtector OS identification (OSID) certainty What determines certainty? 104 Sources of OSID Certainty of OSID sources How OSID is updated in Enterprise Scanner Conditions for reassessing OSID Exception Rules for updating OSID About user-supplied OSIDs Setting up a Summary view for vulnerability management Summary page for vulnerability management 106 Vulnerability management options Page Viewing vulnerabilities in the SiteProtector Console using Enterprise About vulnerability assessment 108 Creating custom views Viewing vulnerabilities by asset in Enterprise Scanner Page 110 Viewing vulnerabilities by detail in Enterprise Scanner 112 Viewing vulnerabilities by object in Enterprise Scanner Viewing vulnerabilities by target operating system in Enterprise Scanner Use this view to identify weaknesses that affect specific operating systems. 114 You can analyze specific operating systems that are more affectedby vulnerabilities. Viewing vulnerabilities by vulnerability name in Enterprise 116 Running reports in the SiteProtector Console Types of assessment reports Report descriptions 118 Viewing an Enterprise Scanner report in the SiteProtector Console Page Chapter 9. Logs and alerts Log files and alert notification Two types of log files 122 Two types of information Log size System logs Use the System Event Log page in the Proventia Manager to examine entries in the system logs. System log descriptions The following table describes the system logs for Enterprise Scanner: Getting log status information Enterprise Scanner (ES) logs 124 Log descriptions Changing logging detail Downloading Enterprise Scanner (ES) log files 126 Alerts log Risk level icons Event information icons Downloading and saving an Alerts log 128 Clearing the Alerts log Finding specific events in the Alerts log 130 Page Page Page Ticketing and Enterprise Scanner Tickets 134 Vulnerability auto ticketing Custom categories Remediation process overview for Enterprise Scanner Scanning recommendations Remediation tasks for Enterprise Scanner Task overview 136 Page 138 Page Page Chapter 11. Performing routine maintenance Shutting down your Enterprise Scanner 142 Removing an agent from SiteProtector Options for backing up Enterprise Scanner Types of backups 144 If you restore a system before you make backups Date of last system backup Backing up configuration settings Making full system backups 146 Chapter 12. Updating Enterprise Scanner XPU basics 148 Types of updates The following table describes the contents of firmware and assessment content updates: Update locations Updating options Update options Installation options with scheduled updates Rollbacks and backups Configuring explicit-trust authentication with an XPU server 150 Configuring an Alternate Update location 5. Click Save Changes. 152 Configuring an HTTP Proxy Configuring notification options for XPUs Scheduling a one-time firmware update Configuring automatic updates 154 Page Manually installing updates 156 Page Proventia Manager Home page 158 System status The system status group box describes the current status of the system: Network interface status Updates status The update status group box provides the latest update information of the appliance: Protection status The protection status area provides the current operational status of the modules for the appliance: Viewing agent status in the SiteProtector Console Viewing agent status 160 Viewing the status of the CAM modules Troubleshooting the Enterprise Scanner sensor 162 Page Page Appendix. Safety, environmental, and electronic emissions notices DANGER notices CAUTION notices 166 Product handling information Product safety labels World trade safety information 168 Laser safety information Laser compliance Product recycling and disposal Battery return program 170 Page Electronic emissions notices 172 Page 174 Page Page Index A B C D E F G 178 H I T U V W X