NeXpose User Guide - Free Download PDF Ebook

Nexpose 5.7 User’s Guide Copyright © 2013 Rapid7, LLC. Boston, Massachusetts, USA. All rights reserved. Rapid7 and Nexpose are trademarks of Rapid7, LLC. Other names appearing in this content may be trademarks of their respective owners. This documentation is for internal use only. Revision history Revision Date June 15, 2010 August 30, 2010 Description Created document. Added information about new PCI-mandated report templates to be used by ASVs as of September 1, 2010; clarified how CVSS scores relate to severity rankings. Added more detailed instructions about specifying a directory for stored reports. Added instructions for SSH public key authentication. Added instructions for using Asset Filter search and creating dynamic asset groups. Also added instructions for using new asset search features when creating static asset groups and reports. Added information about new PCI report sections and the PCI Host Details report template. Added information about including organization information in site configuration and managing assets according to host type. Added information about expanded vulnerability exception workflows. Updated information about supported browsers. Updated information about using custom report logos. Added information about viewing and overriding policy results. Added information about downloading scan logs. Nexpose 5.1. Added information about viewing Advanced Policy Engine compliance across your enterprise, using LM/NTLM hash authentication for scans, and exporting malware and exploit information to CSV files. Nexpose 5.2. Added information about drilling down to view Advanced Policy Engine policy compliance results using the Policies dashboard. Corrected the severity ranking values in the Severity column. Updated information about supported browsers. Nexpose 5.3. Added information on scan template configuration, including new discovery performance settings for scan templates; CyberScope XML Export report format; vAsset discovery; appendix on using regular expressions. Nexpose 5.4. Added information vulnerability category filtering in reports and customization of advanced policies. Nexpose 5.5. Added information about working with custom report templates, uploading custom SCAP templates, and working with configuration assessment. Updated workflows for creating, editing and distributing reports. Updated the glossary with new entries for top 10 report templates and shared scan credentials. Nexpose 5.6. Added information about elevating permissions. Updated Web spider scan template settings. October 25, 2010 December 13, 2010 December 20, 2010 January 31, 2011 March 14, 2011 July 11, 2011 July 25, 2011 September 19, 2011 November 15, 2011 December 5, 2011 January 23, 2012 March 21, 2012 June 6, 2012 August 8, 2012 December 10, 2012 April 24, 2013 May 29, 2013 Nexpose User’s Guide 2 Revision Date July 17, 2013 Description Nexpose 5.7. Added information about creating multiple vulnerability exceptions and deleting multiple assets. Added information about Vulnerability Trends Survey report template. Added information about new scan log entries for asset and service discovery phases Deleted references to a deprecated feature. Added information about vulnerability display filters. Added information about validating vulnerabilities. July 31, 2013 September 18, 2013 November 13, 2013 Nexpose User’s Guide 3 Contents About this guide ...................................................................................................................................9 A note about documented features .......................................................................................................9 Other documents and Help ....................................................................................................................9 Document conventions .......................................................................................................................10 For technical support ...........................................................................................................................10 Getting Started Running the application .....................................................................................................................12 Manually starting or stopping in Windows ..........................................................................................12 Changing the configuration for starting automatically as a service .....................................................12 Manually starting or stopping in Linux .................................................................................................13 Working with the daemon ...................................................................................................................13 Using the Web interface .....................................................................................................................14 Performing offline activations and updates .........................................................................................14 Logging on ............................................................................................................................................14 Navigating the Security Console Web interface ...................................................................................18 Using the search feature ......................................................................................................................21 Using configuration panels ...................................................................................................................22 Extending Web interface sessions ........................................................................................................22 Discover Comparing dynamic and static sites ...................................................................................................24 Configuring a basic static site .............................................................................................................25 Choosing a grouping strategy for a static site ......................................................................................25 Starting a static site configuration .......................................................................................................28 Specifying assets to scan in a static site ...............................................................................................29 Excluding specific assets from scans in all sites ....................................................................................30 Adding users to a site ...........................................................................................................................31 Deleting sites .....................................................................................................................................32 Selecting a Scan Engine for a site ........................................................................................................33 Configuring distributed Scan Engines ..................................................................................................34 Reassigning existing sites to the new Scan Engine ...............................................................................35 Configuring additional site and scan settings ......................................................................................36 Selecting a scan template .....................................................................................................................36 Creating a scan schedule ......................................................................................................................37 Setting up scan alerts ...........................................................................................................................39 Including organization information in a site ........................................................................................41 Configuring scan credentials ...............................................................................................................42 Configuring site-specific scan credentials ............................................................................................42 Performing additional steps for certain credential types .....................................................................46 Configuring scan authentication on target Web applications ..............................................................50 Nexpose User’s Guide 4 Managing dynamic discovery of virtual assets ....................................................................................54 Configuring and performing vAsset discovery .....................................................................................55 Configuring a dynamic site ...................................................................................................................63 Running a manual scan ......................................................................................................................66 Monitoring the progress and status of a scan ......................................................................................67 Pausing, resuming, and stopping a scan ...............................................................................................71 Viewing scan results .............................................................................................................................71 Viewing the scan log .............................................................................................................................71 Viewing history for all scans .................................................................................................................76 Assess Locating assets ...................................................................................................................................78 Locating assets by sites ........................................................................................................................79 Locating assets by asset groups ...........................................................................................................80 Locating assets by operating system ....................................................................................................80 Locating assets by services ...................................................................................................................80 Locating assets by software .................................................................................................................81 Viewing the details about an asset ......................................................................................................81 Deleting assets .....................................................................................................................................82 Working with vulnerabilities ..............................................................................................................84 Viewing active vulnerabilities ...............................................................................................................84 Filtering your view of vulnerabilities ....................................................................................................87 Viewing vulnerability details ................................................................................................................91 Working with validated vulnerabilities .................................................................................................92 Working with vulnerability exceptions ...............................................................................................94 Understanding cases for excluding vulnerabilities ...............................................................................94 Understanding vulnerability exception permissions ............................................................................95 Understanding vulnerability exception status and work flow .............................................................95 Working with Policy Manager results ...............................................................................................106 Getting an overview of Policy Manager results .................................................................................107 Viewing results for a Policy Manager policy .......................................................................................108 Viewing information about policy rules .............................................................................................109 Overriding rule test results .................................................................................................................111 Act Working with asset groups ...............................................................................................................120 Comparing dynamic and static asset groups ......................................................................................120 Configuring a static asset group by manually selecting assets ...........................................................122 Performing filtered asset searches ...................................................................................................124 Configuring asset search filters ..........................................................................................................124 Creating a dynamic or static asset group from asset searches ...........................................................136 Changing asset membership in a dynamic asset group .....................................................................138 Working with reports .......................................................................................................................139 Viewing, editing, and running reports ..............................................................................................140 Creating a basic report .....................................................................................................................142 Nexpose User’s Guide 5 Starting a new report configuration ...................................................................................................142 Entering CyberScope information ......................................................................................................145 Configuring an XCCDF report ..............................................................................................................146 Selecting assets to report on ..............................................................................................................146 Filtering report scope with vulnerabilities .........................................................................................148 Configuring report frequency .............................................................................................................152 Saving or running the newly configured report .................................................................................154 Selecting a scan as a baseline .............................................................................................................155 Distributing, sharing, and exporting reports .....................................................................................156 Working with report owners ..............................................................................................................156 Managing the sharing of reports ........................................................................................................157 Granting users the report-sharing permission ...................................................................................159 Restricting report sections .................................................................................................................163 Exporting scan data to external databases ........................................................................................165 Configuring data warehousing settings ..............................................................................................165 For ASVs: Consolidating three report templates into one custom template ......................................166 Configuring custom report templates ...............................................................................................168 Adding a custom logo to your report .................................................................................................171 Working with externally created report templates ...........................................................................172 Working with report formats ...........................................................................................................173 Working with human-readable formats .............................................................................................173 Working with XML formats ................................................................................................................173 Working with CSV export ...................................................................................................................174 How vulnerability exceptions appear in XML and CSV formats .........................................................177 Working with the database export format .........................................................................................178 Understanding report content ..........................................................................................................179 Scan settings can affect report data ...................................................................................................179 Understanding how vulnerabilities are characterized according to certainty ...................................180 Looking beyond vulnerabilities ..........................................................................................................180 Using report data to prioritize remediation .......................................................................................181 Using tickets .....................................................................................................................................182 Viewing tickets ...................................................................................................................................182 Creating and updating tickets ............................................................................................................182 Tune Working with scan templates and tuning scan performance .............................................................185 Defining your goals for tuning ............................................................................................................186 The primary tuning tool: the scan template .......................................................................................190 Configuring custom scan templates ..................................................................................................192 Starting a new custom scan template ................................................................................................193 Selecting the type of scanning you want to do ..................................................................................193 Configuring asset discovery ..............................................................................................................194 Determining if target assets are live ..................................................................................................194 Fine-tuning scans with verification of live assets ...............................................................................195 Ports used for asset discovery ............................................................................................................195 Configuration steps for verifying live assets .......................................................................................195 Nexpose User’s Guide 6 ..............................................................................215 Configuring scans of database servers .....................................................238 Changing your risk strategy and recalculating past scan data ......................................................................196 Fingerprinting TCP/IP stacks ..........................................................................................................................................220 Make your environment “scan-friendly” .........................................................................................................................................................................................................................................................................220 Change Scan Engine deployment .....................................231 Troubleshooting upload errors ................................................................................................................................................216 Configuring scans of mail servers ..........243 Setting the appearance order for a risk strategy ..................................................217 Configuring scans of DHCP servers ................231 Uploading SCAP policies ..............................................................................197 Enabling authenticated scans of SNMP services ..........................................................................................198 Creating a list of authorized MAC addresses ......................210 Configuration steps and options for Web spidering ............................................................................................................................................................206 Configuring verification of standard policies .......................................................................................................................................................................................................................218 Configuring file searches on target systems ............................................199 Changing discovery performance settings ...217 Configuring scans of Telnet servers .......................................................................................................................................................................................199 Performance considerations for port scanning .......................................................................................................................215 Configure scans of Web servers .233 Working with risk strategies to analyze threats ..............................................................................................................................................................................................................................................................................................217 Configuring scans of CVS servers ........................Collecting information about discovered assets ..........................................................196 Reporting unauthorized MAC addresses ....................220 Open firewalls on Windows scan targets .................................230 Version and file name conventions ..........................221 Creating a custom policy ..196 Finding other assets on the network ..................................................................................................................................................245 Understanding how risk scoring works with scans ...........................................................200 Selecting vulnerability checks .............................................241 Using custom risk strategies ....................................................................................................................................................220 Edit site configuration ...............................246 Nexpose User’s Guide 7 .........................................244 Changing the appearance order of risk strategies .......................230 File specifications .........................................................................................204 Selecting Policy Manager checks ......................203 Configuration steps for vulnerability check settings ...........................................................................................219 Using other tuning options ..............................................................................................................................................................................................................................................................................222 Uploading custom SCAP policies ........................................................................................................................................................................................................................................................................................................................................................................................................211 Fine-tuning Web spidering .............................................237 Comparing risk strategies .........................................................214 Configuring scans of various types of servers ..............................................................................................................................................................................................................................................215 Configuring spam relaying settings ......................................................................................................................................................198 Configuring service discovery ................................207 Configuring Web spidering .................................................. ..................................................................................................................................................................................................248 General notes about creating a regex ................................................................................................................................................................................................................................................................................303 Nexpose User’s Guide 8 .............................................250 Using Exploit Exposure .......................................249 How to use regular expressions when logging on to a Web site ..................................................251 Why exploit your own vulnerabilities? .....................................................................252 Scan templates ...........254 Report templates and sections .....................................................................................................................................................................................................................................................251 Performing configuration assessment .....................272 Built-in report templates and included sections ....................................................287 Glossary ...248 How the file name search works with regex .......................................................Resources Using regular expressions ....................................................................................................................................................281 Export template attributes ..............................................................................................................................................................................................................290 Index ........272 Document report sections ............................................................... It provides instruction for doing key administrative tasks: • • • • API guide configuring host systems for maximum performance planning a deployment.rapid7.jsp. Certain features are not available in other editions. Administrator’s guide The administrator’s guide helps you to ensure that Nexpose works effectively and consistently in support of your organization’s security objectives. For a comparison of features available in different editions see http://www. Other documents and Help Click the Help link on any page of the Security Console Web interface to find information quickly. including determining how to distribute scan engines managing users and roles maintenance and troubleshooting The API guide helps you to automate some Nexpose features and to integrate its functionality with your internal systems. You can download any of the following documents from the Support page in Help. It covers the following activities: • • • • • • • logging onto the Security Console and navigating the Web interface setting up a site running a scan viewing asset and vulnerability data creating remediation tickets creating reports reading and interpreting report data A note about documented features All features documented in this guide are available in the Nexpose Enterprise edition. Nexpose User’s Guide 9 .com/products/nexpose/compare-editions.About this guide This guide helps you to gather and distribute information about your network assets and vulnerabilities using Nexpose. and WARNINGS appear in the margin. Steps of procedures are indented and are numbered. WARNINGS provide information about how to avoid potential loss of data or damage to data or a loss of system integrity.com (Enterprise and Express Editions only).rapid7. Nexpose User’s Guide 10 .com. Example: [installer_file_name] Options in commands are separated by pipes. Items in bold Courier font are commands you enter. Example: $ /etc/init. provides additional details that only apply in certain cases. and names of Web interface pages. command examples. best practices. TIPS. Go to community. Nexpose is referred to as the application.Document conventions Words in bold are names of hypertext links and controls. For technical support You have several options for technical support: • • • Send an e-mail to support@rapid7. and directory paths. Variables in command examples are enclosed in box brackets.d/[daemon_name] start|stop|restart Keyboard commands are bold and are enclosed in arrow brackets. Click the Support link on the Security Console Web interface. Words in italics are document titles. Items in Courier font are commands. Example: Press and hold <Ctrl + Delete> NOTES. chapter titles. TIPS provide hints. Throughout this document. 1. NOTES contain information that: • • enhances a description or a procedure. or techniques for completing a task. If you need to stop and start it automatically. Nexpose User’s Guide 11 . and performing other important operations. creating reports. this section shows you how. the application is configured to run automatically in the background. • • Running the application on page 12: By default. which you will need for running scans. navigating the Web interface. or manage the application service or daemon. this section helps you to become familiar with the Web interface. using configuration panels.Chapter 1 Getting Started If you haven’t used the application before. and running searches. Using the Web interface on page 14: This section guides you through logging on. Starting the Security Console for the first time will take 10 to 30 minutes because the database of vulnerabilities has to be initialized. 7. 3. Manually starting or stopping in Windows If you have disabled automatic startup. Open the application folder. Use the following procedure to stop the application manually: 1. Click the Windows Start button. You may log on to the Security Console Web interface immediately after the startup process has completed.Running the application This section includes the following topics to help you get started with the application: • • • • Manually starting or stopping in Windows on page 12 Changing the configuration for starting automatically as a service on page 12 Manually starting or stopping in Linux on page 13 Working with the daemon on page 13 Manually starting or stopping in Windows Nexpose is configured to start automatically when the host system starts. You can disable this feature and control when the application starts and stops. 4. Click OK. Click the Windows Start button. Click the Stop Services icon.. 5. Close Services. Select Start Services. Double-click the icon for the Security Console service in the Services pane. 2. 3. 1. you will need to start it manually. use the following procedure to start the application manually: 1.. If you disabled the initialize/ start option as part of the installation. 6. and select Run. Select Manual from the drop-down list for Startup type: Click OK. Changing the configuration for starting automatically as a service By default the application starts automatically as a service when Windows starts. Click the Windows Start button Go to the application folder. 2. or if you have configured your system to not start automatically as a service when the host system starts. Enter services. 3. 2. Nexpose User’s Guide 12 .msc in the Run dialog box. To start the application from graphical user interface. you need to start the application manually. To detach from a screen session. press <CTRL +A + D>. 2. Go to the directory that contains the script that starts the application: $ cd [installation_directory]/nsc Run the script:.rc in the /etc/init. 2. Manually starting.Manually starting or stopping in Linux If you disabled the initialize/start option as part of the installation. stopping. You can log on to the Security Console Web interface immediately after startup has completed.d/ directory. For the Security Console.sh Working with the daemon The installation creates a daemon named nexposeconsole. double-click the Nexpose icon in the Internet folder of the Applications menu./[service_name] start|stop Preventing the daemon from automatically starting with the host system To prevent the application daemon from automatically starting when the host system starts: $ update-rc. the script file name is nscsvc. it will stop the application. or restart the daemon. take the following steps: 1./nsc. Go to the /nsc directory in the installation directory: cd [installation_directory]/nsc Run the script to start.d [daemon_name] remove Nexpose User’s Guide 13 . stop. Starting the Security Console for the first time will take 10 to 30 minutes because the database of vulnerabilities is initializing. the service name is nsesvc: . WARNING: Do not use <CTRL+C>. or restarting the daemon To manually start. stop. To start the application from the command line. or restart the application as a daemon: 1. For a scan engine. To log on to the Security Console take the following steps: TIP: If there is a usage conflict for port 3780. You can copy the key from the e-mail and paste it into the text box. You will enter the product key during this procedure.0. 8. After you receive the product key. Start a Web browser.x Google Chrome If you received a product key.Using the Web interface This section includes the following topics to help you access and navigate the Security Console Web interface: • • • • • Logging on on page 14 Navigating the Security Console Web interface on page 18 Using the search feature on page 21 Using configuration panels on page 22 Extending Web interface sessions on page 22 Performing offline activations and updates If your Security Console is not connected to the Internet. Your browser displays the Logon window. 1. Doing so will open a page on the Rapid7 Web site. Nexpose User’s Guide 14 .x and 17. go to the following URL: https://localhost:3780 Indicate HTTPS protocol and to specify port 3780. See Managing Security Console settings in the administrator’s guide.0. and 9. where you can register to receive a key by e-mail. do so consistently for all four sets of numerals.x.0. you can specify another available port in the [installation_directory]\nsc\conf \httpd.x. log on to the Security Console interface again and follow this procedure. If you are running the browser on a separate computer. click the link to request one. If you are a first-time user and have not yet activated your license. You also can switch the port after you log on.0 Mozilla Firefox 10. If you do not have a product key. substitute localhost with the correct host name or IP address. or you can enter it with or without hyphens.xml file. If you are running the browser on the same computer as the console. you will need the product key that was sent to you to activate your license after you log on. Logging on The Security Console Web interface supports the following browsers: • • • Internet Explorer 7. you can find directions for performing offline activations and updates in the administrator's guide or in Help. Whether you choose to include or omit hyphens.0. via e-mail use the following steps to log on. Click the Home link to view the Security Console Home page. 5.NOTE: If the logon window indicates that the Security Console is in maintenance mode. which lists all updates and improvements in the installed system. Click the Logon button. have your Global Administrator verify that the source is online and correctly configured. Follow the instructions to enter your product key. 6. Enter your user name and password that you specified during installation. If you are a first-time user and have not yet activated your license. See Running in maintenance mode in the administrator’s guide. the console displays an activation dialog box. Nexpose User’s Guide 15 . then either an error has occurred in the startup process. You can view the News page by clicking the News link that appears near the top right corner of every page of the console interface. clear the check box for automatically displaying this page after every login. The first time you log on. User names and passwords are case-sensitive and non-recoverable. Click the Help link on any page of the Web interface for information on how to use the application. Click Activate to complete this step. See Using external sources for user authentication in the administrator's guide. or a maintenance task is running. and your network uses an external authentication source. you will see the News page. Activate License window NOTE: If the Security Console displays a warning that authentication services are unavailable. including new vulnerability checks. 2. 4. Logon window 3. If you do not wish to see this page every time you log on after an update. com. • Are there issues with my network or operating system? • By running diagnostics. If you received an error message when you tried to activate your license you can try the troubleshooting techniques identified below before contacting Technical Support. domain. contact Technical Support. ensure the Name or address field is specified as updates. User ID. you can find operating system and network issues that could be preventing license activation. verify that your proxy settings are correct because inaccurate settings can cause your license activation to fail. Select Update Proxy to display the Proxy Settings section ensure that the address. and if the Gateway ping returns a ‘DEAD’ response. The results column will provide valuable information such as. Changing this setting to another server address may cause your activation to fail. go to the Administration page – Security Console Configuration panel Update Proxy Settings section. Click Perform diagnostics to see the current status of your installation. Ensure that you have your proxy server configured correctly. Try the following techniques to troubleshoot your activation: Did I enter the product key correctly? • • • • Verify that you entered the product key correctly. Your license must be active so that you can perform operations like running scans and creating reports. if you are performing the installation for a second time or if you receive errors during product activation and these techniques have not worked for you. Is there an issue with my browser? Confirm the browser you are using is supported. See Logging on on page 14 for a list of supported browsers. Contact Technical Support if you require a different server address and you receive errors during activation. Clear the browser cache.Troubleshooting your activation Your product key is your access to all the features you need to start using the application. Select the OS Diagnostics and Network Diagnostics checkboxes. Are my proxy settings correct? If you are using a proxy server. and password are entered correctly. If you are not using a proxy. if firewalls are enabled. Before you can being using the application you must activate your license using the product key you received. Product keys are good for one use. port. • Go to the Administration page and click Manage settings for the Security Console to open the Security Console Configuration panel. • • • Go to the Administration page and click Diagnose and troubleshoot problems with the Security Console.rapid7. Nexpose User’s Guide 16 . if DNS name resolution is successful. If you are using Windows. in some cases a browser anomaly can cause an error message that your activation failed. If you see an error message after adding the IP address to a white-list you will need to determine what is blocking the application. You will see Connected if traffic is allowed. Restarting may be successful in those rare cases.rapid7. open a terminal and enter telnet updates.com. • • • • • If you are using Linux. Are there issues with firewalls in my network? • • Confirm that host-based firewall and antivirus detection are disabled on the system you are installing the application on. Ensure the IP address of the application server is white-listed through firewalls and content filters.rapid7. Have I tried everything? • Restart the application.com. White-list the IP address of the application server on your firewall so that it can send traffic outbound to http://updates. Nexpose User’s Guide 17 . for more information.rapid7.jar files for activation and updates. Make the same rule changes on your proxy server.com. open a browser and enter http://updates.com 80. You should see a blank page.• Confirm that all traffic is allowed out over port 80 to updates.rapid7. This will allow you to reach the update server and pull down any necessary . you see place holders for information. asset groups. and run scans for your entire network on this page. After installation. but no information in them.Navigating the Security Console Web interface The Security Console includes a Web-based user interface for configuring and operating the application. the only information in the database is the account of the default Global Administrator and the product license. Familiarizing yourself with the interface will help you to find and use its features quickly. you can view and edit site and asset group information. When you log on to the to the Home page for the first time. tickets. and statistics about your network that are based on scan data. If you are a Global Administrator. The Home page as it appears in a new installation The Home page as it appears with scan data The Home page shows sites. Nexpose User’s Guide 18 . A row of tabs appears at the top of the Home page. as well as every page of the Security Console.On the Site Listing pane. Use these tabs to navigate to the main pages for each area. The Policies page lists policy compliance results for all assets that have been tested for compliance. and scan and report templates. The Vulnerabilities page lists all discovered vulnerabilities. Home tab bar • • • • • • The Assets page links to pages for viewing assets organized by different groupings. you can click controls to view information about tickets and assets for which those tickets are assigned. you can click controls to view and edit information about asset groups. you can click controls to view and edit site information. such as the sites they belong to or the operating systems running on them. depending on your role and permissions. Information for any currently running scan appears in the pane labeled Current Scan Listings for All Sites. On the Asset Group Listing pane. The Reports page lists all generated reports and provides controls for editing and creating report templates. such as creating and editing user accounts. Only Global Administrators see this tab. The Tickets page lists remediation tickets and their status. run scans. asset groups. On the Ticket Listing pane. and start to create a new asset group. The Administration page is the starting point for all management activities. Nexpose User’s Guide 19 . and start to create a new site. report. Click to display a list of closed panes and open any of the listed panes. Click it to open the User Configuration panel where you can edit account information such as the password and view site and asset group access. You can also click column headings to produce the same result. Log Out link Initiate a filtered search for assets to create a dynamic asset group. Click Home to return to the main dashboard. Close a pane. Exclude a vulnerability from a report. or user account. Copy a built-in report template to create a customized version. The Logon box appears. Pause a scan. Export asset data to a comma-separated value (CSV) file. Edit properties for a site. Click to add items to your dashboard. User: <user name> link Nexpose User’s Guide 20 . View a preview of a report template. you can use various controls for navigation and administration. View the Support page to search FAQ pages and contact Technical Support. Reverse the sort order of listed items in a given column. Only Global Administrators can change roles and permissions. Stop a scan. Log out of the Security Console interface. For security reasons.Throughout the Web interface. Resume a scan. Expand a minimized pane. Start a manual scan. report. View the News page which lists all updates. or a user account. Control Description Minimize any pane so that only its title bar appears. This link is the logged-on user name. Delete a site. View Help. the Security Console automatically logs out a user who has been inactive for 10 minutes. Control Description Initiate vAsset discovery to create a dynamic site. For example. Nexpose User’s Guide 21 . which includes panes for different groupings of results. you can view the total number of results and change settings for how results are displayed. enter ActiveX or activex in the Search text box. With the current example. Search results In the Search Criteria pane. At the bottom of each category pane. ActiveX. Starting a search The application displays search results on the Search page. After refining the criteria. click the Search Again button. you can search the database using a variety of criteria. and click the magnifying glass icon. including full or partial IP addresses. results appear in the Vulnerability Results pane.Using the search feature With the powerful full-text search feature. The search is not case-sensitive. if you want to search for discovered instances of the vulnerabilities that affect assets running ActiveX. you can refine and repeat the search. Enter your search criteria in the Search box on any a page of the Security Console interface. You can change the search phrase and select check boxes to allow partial word matches and to specify that all words in the phrase appear in each result. Contact your Global Administrator. simply log on again. if you choose to log out. You can either use the Previous and Next buttons at the top of the panel page to progress through each page. You will not lose any unsaved work. To discard changes. or you can click a page link listed on the left column of each panel page to go directly to that page. such as configuration changes. By default. Extending Web interface sessions NOTE: You can change the length of the Web interface session. the Security Console displays a logon window. To save configuration changes. you will see an error message. click the Save button that appears on every page. do not leave the page. or close the browser. an idle Web interface session times out after 10 minutes. click the Cancel button. refresh the page. If you have unsaved work. See the section Changing Security Console Web server default settings in the administrator’s guide. Configuration panel navigation and controls NOTE: Parameters labeled in red denote required parameters on all panel pages. However.Using configuration panels Nexpose provides panels for configuration and administration tasks: • • • • • • • creating and editing sites creating and editing user accounts creating and editing asset groups creating and editing scan templates creating and editing reports and report templates configuring Security Console settings troubleshooting and maintenance All panels have the same navigation scheme. you will lose unsaved work. When an idle session expires. Nexpose User’s Guide 22 . To continue the session. If a communication issue between your browser and the Security Console Web server prevents the session from refreshing. A basic site includes assets. you may find it a challenge to keep track of these assets and their activity. This section guides you through starting. and users who have access to site data and operations. • • • • • • • • • Configuring a basic static site on page 25: Before you can run a scan. A feature called vAsset discovery allows you find all the virtual assets in your environment and collect up-to-date information about their dynamically changing states. 23 Nexpose User’s Guide . pausing. This section provides steps and best practices for creating a basic static site. Authenticated scans inspect assets for a wider range of vulnerabilities. as well as viewing the scan log and monitoring scan status. resuming. This section provides guidance for adding credentials to your site configuration. you can create a dynamic site and scan these virtual assets for vulnerabilities. you’re ready to run a scan. since publicly accessible Internet hosts are attractive targets for attack. Configuring distributed Scan Engines on page 34: Before you can select a distributed Scan Engine for your site. By default. a Scan Engine. you need to configure it and pair with the Security Console. Discover provides guidance on operations that enable you to prepare and run scans. Running a manual scan on page 66: After you create a site.Chapter 2 Discover To know what your security priorities are. this section guides you through the steps of selecting it. This section guides you through the steps of initiating and maintaining vAsset discovery. A dynamic site’s asset membership changes depending on continuous vAsset discovery results. They also can collect information on files and applications installed on the target systems. Authenticated scans of Web assets can flag critical vulnerabilities such as SQL injection and cross-site scripting. This section shows you how. or receiving alerts related to specific scan events. as well as policy violations and adware or spyware exposures. a scan template. Configuring scan credentials on page 42: To increase the information that scans can collect. so that the two components can communicate. Configuring a dynamic site on page 63: After you initiate vAsset discovery. It is the component that will do the actual scanning of your target assets. If you want to use a distributed or hosted Scan Engine for a site. You discover this information by running scans. scheduling scans to run automatically. Configuring and performing vAsset discovery on page 55: If your environment includes virtual machines. and stopping a scan. This section guides you through those procedures. Configuring scan authentication on target Web applications on page 50: Scanning Web sites at a granular level of detail is especially important. Selecting a Scan Engine for a site on page 33: A Scan Engine is a requirement for a site. a site configuration includes the local Scan Engine that is installed with the Security Console. This section provides guidance on authenticating Web scans. Configuring additional site and scan settings on page 36: After you configure a basic site. This section provides guidance for creating and updating dynamic sites. you need to create a site. you can authenticate them on target assets. A site is a collection of assets targeted for scanning. you need to discover what devices are running in your environment and how these assets are vulnerable to attack. you may want to alter or enhance it by using a scan template other than the default. as reflected in the results of each scan. Dynamic site configuration begins with vAsset discovery. such as a deployment of virtualized assets. or being turned on and off. See Configuring asset discovery on page 194. Because asset membership in a dynamic site is based on continual discovery of virtual assets. run discovery scans. A static site is ideal for a target environment that is less likely to change often. A dynamic site is ideal for a highly fluid target environment. After you set up a discovery connection and initiate discovery. being supported by different resource pools. You can change asset membership in a dynamic site by changing the discovery connection or the criteria filters that determine which assets are discovered. you have the option to create a dynamic site that will automatically be populated with discovered assets. such as one with physical machines. See Configuring a dynamic site on page 63. The main factor to consider is the fluidity of your scan target environment. Asset membership in a static site is based on a manual selection process.Comparing dynamic and static sites Your first choice in creating a site is whether it will be dynamic or static. To keep track of changes in your environment that might warrant changes in a static site’s membership. the asset list in a dynamic site changes as the target environment changes. Nexpose User’s Guide 24 . It is not unusual for virtual machines to undergo continual changes. such as having different operating systems installed. Grouping assets in this manner makes sense. especially if each physical location has its own dedicated Scan Engine. But if your organization is a medical office. If you are performing scans to test assets for compliance with a particular standard or policy. such as Payment Card Industry (PCI) or Federal Desktop Core Configuration (FDCC). one for each of these cities. For example. Choosing a grouping strategy for a static site There are many ways to divide network assets into sites. Other useful grouping principles include common asset configurations or functions. So. you may wish to run a monthly scan of all your Windows Vista workstations with the Microsoft hotfix scan template to verify that these assets have the proper Microsoft patches installed. Honolulu. which can inflate overhead in time and bandwidth. Remember. You can include an asset in more than one site. each site is assigned to a specific Scan Engine. Being flexible with site membership When selecting assets for sites. With that in mind. static site creation requires manual selection of assets. and Madrid could have four sites. A company with assets in Philadelphia. But once you run a scan. you could create sites based on subnetworks. Similar assets are likely to have similar vulnerabilities. It also makes it easier to track scan results for these assets and include them in reports and asset groups. but you can arrange them differently for asset groups. which you may have to scan annually with the HIPAA compliance template. some of the assets in your “Windows Vista” site might also be part of your “Patient support” site. You may have fairly broad criteria for creating a site.Configuring a basic static site The basic components of a site include target assets and a scan template. for example. This method focuses scanning resources on compliance efforts. you may find it practical simply to base site creation on Scan Engine placement. the more scans you will be compelled to run. The more sites you have. Or you may wish to group all your Windows 2008 Servers in one site and all your Debian machines in another. Scan engines are most effective when they are deployed in areas of separation and connection within your network. Nexpose User’s Guide 25 . You can then assign different asset group members to read these reports for various purposes. you may find it helpful to create a site of assets to be audited for compliance. Osaka. Unlike with a dynamic site. The most obvious grouping principal is physical location. you can parse the asset data into many different “views” using different report templates. You may want have separate sites for all of your workstations and your database servers. flexibility can be advantageous. Avoid getting too granular with your site creation. The selection can be based on one of several strategies and can have an impact on the quality of scans and reports. Another thing to keep in mind is that you combine assets into sites for scanning. See Distribute Scan Engines strategically in the administrator’s guide. or they are likely to present identical logon challenges. 20. Adding more sites reduces scan time and promotes more focused reporting.0/23 10.1/24 25 Security Console 10. Inc.2.20.Grouping options for Example.2.1.0/24 56 Security Console New York DMZ Madrid Sales Madrid Development Madrid Printers Madrid DMZ 172.0/24 172.16.0/22 10.10.0/23 30 65 130 Scan Engine 1 Scan Engine 2 Scan Engine 2 10. Inc.0/22 Number of assets 254 Component Security Console New York IT 10.0/24 172. Inc.0/22 10.16.0/23 10.0. Madrid is subdivided by these criteria as well.2. The scheme provides a very basic guide for scanning and makes use of the entire network infrastructure.0.0/24 25 Security Console New York Administration New York Printers 10.0.1. The following table shows a serviceable high-level site grouping for Example. Site name New York Sales Address space 10. introduces asset function as a grouping principle. Printers.1. The New York site from the preceding configuration is subdivided into Sales.16.2.10.0/22 10.10.2.0.0.1.2.10. In the following configuration. Your grouping scheme can be fairly broad or more granular.20.16.1.0/24 35 15 Scan Engine2 Scan Engine 3 Nexpose User’s Guide 26 . A better configuration groups the elements into smaller scan sites for more refined reporting and asset ownership.10.0/24 Number of assets 360 Component Security Console New York DMZ Madrid 30 Scan Engine #1 233 Scan Engine #1 Madrid DMZ 15 Scan Engine #1 A potential problem with this grouping is that managing scan data in large chunks is time consuming and difficult. Site name New York Address space 10. IT.0/22 10.0/24 172.20.1. Example.10. Administration.10.0/22 10.0. and DMZ..1. 2.1.2.10.0/24 35 Scan Engine 2 172.20.1.128/25 28 Security Console 172.1.0/25 28 Security Console 10.20. Site name New York Sales 1st floor New York Sales 2nd floor New York Sales 3rd floor New York IT New York Administration New York Printers Building 1 New York Printers Building 2 New York DMZ Address space 10.2.0. seen in the following table.An optimal configuration.11.10.2.1.16.10.3.1.0/24 31 31 Scan Engine 2 Scan Engine 2 Madrid Sales Office 3 10.128/25 25 25 Security Console Security Console 10.0/24 15 Scan Engine 3 Nexpose User’s Guide 27 .3.20.2.0/24 85 Security Console 10.0/24 10.1.0/22 30 Scan Engine 1 Madrid Sales Office 1 Madrid Sales Office 2 10.2. Scan times will be even shorter.1.2.0/24 65 Scan Engine 2 10.0/25 10.0/24 65 Scan Engine 2 10.10.1.2.0/24 Number of assets 84 Component Security Console 10.16.0/24 85 Security Console 10. and reporting will be even more focused.0/24 33 Scan Engine 2 Madrid Development Floor 2 Madrid Development Floor 3 Madrid Printers Building 3 Madrid DMZ 10. incorporates the principal of physical separation.1. High and Very High settings increase the risk index to twice and 3 times its initial value. Click the New Static Site button on the Home page. click New Site. The Low setting reduces the risk index to 2/3 of its initial value. click View next to sites. On the Assets page. or Denial of Service. Nexpose User’s Guide 28 . A Normal setting does not change the risk index. 3. such as Full Audit. • • • • The Very Low setting reduces a risk index to 1/3 of its initial value. You may wish to associate the name with the type of scan that you will perform on the site. 4. respectively. take the following steps: 1. The importance level corresponds to a risk factor used to calculate a risk index for each site. On the Sites page.Starting a static site configuration To begin setting up a site. On the Site Configuration – General page. type a name for your site. Home page—starting new a static site OR Click the Assets tab. Type a brief description for the site. Select a level of importance from the drop-down list. 2. host name.1 2001:0000:0000:0000:0000:0000:0000:0001-2001:0000:0000:0000:0000:0000:0000:FFFF 10.0.1. The following are equivalent: 2001:db8::1 == 2001:db8:0:0:0:0:0:1 == You can use CIDR notation in IPv4 and IPv6 formats. 1.2.0. fully qualified domain name. Select the appropriate . 2. and range of devices. Go to the Assets page to list assets for your new site.1 .10.0. See the box labeled More Information. 2.3 You can mix address ranges with individual addresses and host names.1. you may edit or delete addresses already listed in the site detail page.254 You also can import a comma. (Optional) If you are a Global Administrator.3 server1.0. the network identifier and network broadcast address is ignored.example. You can enter IPv4 and IPv6 addresses in any order.or new-line-delimited ASCII-text file that lists IP address and host names of assets you want to scan.0.com IPv6 addresses can be fully.0/24 becomes 10.0.0. Addresses may incorporate any valid Nexpose convention.0. including CIDR notation.or new-linedelimited ASCII-text file that lists addresses and host names that you don’t want to scan. Nexpose User’s Guide 29 . or import a comma.0.2.254 10. take the following steps: 1. Example: 10. Example: 2001:0:0:0:0:0:0:12001::2 10. or uncompressed.2 server1.com 2001:0000:0000:0000:0000:0000:0000:0003 10.example.txt file from the local computer or shared network drive for which read access is permitted. partially.Specifying assets to scan in a static site NOTE: Scanning over IPv6 networks is not supported from a Scan Engine installed on Windows 2003.0. Examples: 10.0. Click Browse in the Included Assets area.1 .0.0/24 2001:db8:85a3:0:0:8a2e:370:7330/124 If you use CIDR notation for IPv4 addresses. Enter addresses and host names in the text box labeled Assets to scan. You can prevent assets within an IP address range from being scanned.0. Each address in the file should appear on its own line.0. and the entire network is scanned: 10. To import an asset list.0.10. manually enter addresses and host names in the text box labeled Assets to Exclude from scanning.0. and it will discontinue scanning it. 4. The Security Console displays the Asset Exclusions page. Go to the Administration page. Click the Manage link for Global Settings The Security Console displays the Global Settings page. Addresses may incorporate any valid convention. it may be able to determine that the asset has been excluded from the scope of the scan. including CIDR notation. such as pinging or port discovery. To exclude an asset from scans in all possible sites. if a determination cannot be made the asset will continue to be scanned. Excluding specific assets from scans in all sites You may want to prevent specific assets from being scanned at all. fully qualified domain name. you can exclude specific assets from scans in the site you are creating. On the Assets page of the Site Configuration panel. Manually enter addresses and host names in the text box. take the following steps: 1. it can be time-consuming to exclude assets from each site.txt file from the local computer or shared network drive for which read access is permitted. you can quickly exclude specific assets from scans in all sites throughout your deployment. However. 2. assets can belong to multiple sites. If you specify a host name for exclusion. take the following steps: 1. click the Asset Exclusions link. it will continue scanning the asset. If it is initially unable to do so. such as pinging or port discovery. Click Save. You also can exclude specific assets from scans in all sites throughout your deployment on the Global Asset Exclusions page. On the Asset Exclusions page. fully qualified domain name. NOTE: Each address in the file should appear on its own line. You must be a Global Administrator to access these settings. the application will attempt to resolve it to an IP address prior to a scan. if it is unable to make that determination. it will perform one or more phases of a scan on the specified asset. it will perform one or more phases of a scan on the specified asset. and range of assets. host name. the application will attempt to resolve it to an IP address prior to a scan. host name. In the left navigation pane. 2. Nexpose User’s Guide 30 . If you are managing many sites. You may want to quickly prevent a particular asset from being scanned under any circumstances.or new-line-delimited ASCII-text file that lists addresses and host names that you don’t want to scan.txt file from the local computer or shared network drive for which read access is permitted. However. click Choose File. Each address in the file should appear on its own line. In the process. either because they have no security relevance or because scanning them would disrupt business operations. and range of devices. 3. Click Browse in the Excluded Devices area Select the appropriate . If it is initially unable to do so. However. Then select the appropriate . the application may be able to determine that the asset has been excluded from the scope of the scan. In the process. and it will discontinue scanning it. Addresses may incorporate any valid convention. If you specify a host name for exclusion. including CIDR notation. OR To import a comma.To prevent assets within an IP address range from being scanned. 5. A global configuration feature makes that possible. Select the check box in the top row to add all users. To add users to a site. 6. Add users to the site access list. OR 5. 2. 3.Adding users to a site You must give users access to a site in order for them to be able view assets or perform asset-related operations. 4. with assets in that site. Go to the Access page in the Site Configuration panel. such as scanning or reporting. 7. Click Save. take the following steps: 1. Click Add Users. Click Save on any page of the panel to save the site configuration. Select the check box for every user account that you want to add to the access list in the Add Users dialog box. Nexpose User’s Guide 31 . NOTE: To delete a site. Site Listing panel All reports. Click the Assets tab and then click View assets by the sites they belong to. If you want to delete this site.clicking View sites. stop all scans first”. NOTE: You cannot delete a site that is being scanned. • Assets tab .Deleting sites To manage disk space and ensure data integrity of scan results. scan templates. Scan results are deleted. By removing unused sites. and scan engines are disassociated. inactive results do not distort scan results and risk posture in reports. Access the Site Listing panel: • OR Click the Home tab. The Site Listing panel displays the sites that you can access based on your permissions. The Delete button is hidden if you do not have permission. Regular site maintenance helps to manage your license so that you can create new sites. If the delete process is interrupted then partially deleted sites will be automatically cleared. Click the Delete button to remove a site. administrators can delete unused sites. you must have access to the site and have Manage Sites permission. You receive this message “Scans are still in progress. In addition. unused sites count against your license and can prevent the addition of new sites. 2. Nexpose User’s Guide 32 . To delete a site: 1. Nexpose User’s Guide 33 . This table can be useful in helping you select a Scan Engine. After you configure the new Scan Engine. The local Scan Engine is also the default selection. your only option for a Scan Engine is the local component that was installed with the Security Console. OR Click Browse. 3. you can select a Scan Engine for this site. To change the Scan Engine selection. if you see that a particular engine has many sites assigned to it. Otherwise. return to the Scan Setup page in the Site Configuration panel and select the engine.. See Configuring distributed Scan Engines on page 34. Go to the Scan Setup page of the Site Configuration panel. to view a window with a table of information about available Scan Engines. you may want to consider a different Scan Engine. click Create.Selecting a Scan Engine for a site If you have installed distributed Scan Engines or are using Rapid7 hosted Scan Engines.. For example. take the following steps: 1. that doesn’t have as much demand load upon it. 2.. to configure a new Scan Engine. Browse Scan Engines window OR To configure a new Scan Engine.. Click the link for the desired Scan Engine to select it. Select the desired Scan Engine from the drop-down list. Click Save on the Scan Setup page. 1. The first step in integrating the Security Console to work and the new Scan Engine is entering information about the Scan Engine. The Security Console displays the Administration page. Click Refresh. Note that the status for the engine is Unknown. This is because each site must be assigned to a Scan Engine in order for scanning to be possible. NOTE: The Engine Priority feature is not currently supported. having a Scan Engine configured and paired with the Security Console should precede creating a site. Configuring the Security Console to work with a new Scan Engine By default. The Administration page displays. If you want to assign a site to a distributed Scan Engine. The console displays the Scan Engines page. 5. Click Save. The Security Console is installed with a local Scan Engine. 2. For the engine name. you can perform this step during site creation. The Engine Address and Port fields refer to the remote computer on which the Scan Engine has been installed. Click the Administration tab. 3. Click Manage to the right of Scan Engines.Configuring distributed Scan Engines If you are working with distributed Scan Engines. The status changes to Pending. Start the remote Scan Engine if it is not running. Nexpose User’s Guide 34 .xml file. 2. 3. The Security Console then creates the consoles. you will need install the distributed Scan Engine first. you can assign sites to the new Scan Engine by going to the Sites page of this panel. You can only add a new Scan Engine if it is running. Enter the information about the new engine in the displayed fields. you can use any text string that makes it easy to identify. If a distributed Scan Engine is behind a firewall. Click the Administration tab in Security Console Web interface. If you have already created sites. make sure that port 40814 is open on the firewall to allow communication between the Security Console and Scan Engine. Click Create to the right of Scan Engines. See the installation guide for instructions. The Security Console displays the General page of the Scan Engine Configuration panel. You can now pair the Security Console with the new Scan Engine by taking the following steps: 1. Locate the Scan Engine you are configuring. 4. 4. the Security Console initiates a TCP connection to Scan Engines over port 40814. If you have not yet created sites. xml file in the following step to pair the Scan Engine with the Security Console. To reassign existing sites to a new Scan Engine: 1. for example because you have changed its location or target assets. You can configure certain performance settings for all Scan Engines on the Scan Engines page of the Security Console configuration panel. 3. Locate the Scan Engine for which you entered information in the preceding step. Nexpose User’s Guide 35 . The Administration page displays. If you have not yet set up sites. To perform this task using the command prompt. Click the Administration tab in the security console Web interface. Go to the Sites page of the Scan Engine Configuration panel and click Select Sites… The console displays a box listing all the sites in your network. Restart the Scan Engine. Reassigning existing sites to the new Scan Engine NOTE: If you ever change the name of the scan engine in the scan engine configuration panel. see Changing default Scan Engine settings in the administrator’s guide. The console will be marked by a unique identification number and an IP address. see Configuring a basic static site on page 25 before performing the following task. Click Save to save the new Scan Engine information. 3. 4. Open the consoles. You can manually apply an available update to the scan engine by clicking Update for that engine. The engine name is critical to the pairing process. 1. you will have to pair it with the console again. The Scan Engines page displays. Click the check boxes for sites you wish to assign to the new Scan Engine and click Save. 2. 2. Click Manage to the right of Scan Engines. The status changes to Active. Consoles. 2. so that the configuration change can take effect. 1.Edit the consoles. Locate the line for the console that you want to pair with the engine. Verify that the console and engine are now paired. You can now assign a site to this Scan Engine and run a scan with it.xml is located in the [installation_directory]/nse/conf directory on the Scan Engine. 4. Change the value for the Enabled attribute from 0 to 1. see Using the command console in the administrator’s guide. Click the Refresh icon for the engine. Note that the status for the engine is Unknown. The sites appear on the Sites page of the Scan Engine Configuration panel. 3. For more information. You can delete a Scan Engine by clicking Delete for that engine. 5. you can also perform the following tasks: • • • You can edit the properties of any listed Scan Engine by clicking Edit for that engine. Save and close the file. On the Scan Engines page.xml file using a text editing program. “Tuning” your scans by customizing a template is. Nexpose User’s Guide 36 . A Global Administrator can customize scan templates for your organization’s specific needs. as you may want to look at your assets from different perspectives. you may want to alter or enhance it by using a scan template other than the default. Exposing them to unsafe checks is a good way to test their stability without affecting workflow in your business environment. If you customize a template to scan more quickly by adding threads. for example. or receiving alerts related to specific scan events. See Configuring custom scan templates on page 192 for more information. their specifications. Alternating templates is a good idea. of course. it might be a good time to scan them with a Denial-of-Service template. such as target assets. and suggestions on when to use them. you might just do a discovery scan to find out what is running on your network. use the HIPAA Compliance template. an option. You may find it helpful to read the scan template descriptions in Scan templates on page 254.Configuring additional site and scan settings After you configure a basic site. Selecting a scan template A scan template is a predefined set of scan attributes that you can select quickly rather than manually define properties. The first time you scan a site. accuracy. For a list of scan templates. If you need to become HIPAA compliant. you may pay a price in bandwidth. themselves. When you modify a template. use the Internet DMZ audit or Web Audit template. The appendix provides a granular look at the components of a scan template and how they are related to various scan events. scheduling scans to run automatically. best practices. If you need to protect your perimeter. services. and resources. scan templates map directly to your security goals and priorities. which includes a broad and comprehensive range of checks. and vulnerabilities. If you have assets that are about to go into production. you could run a vulnerability scan using the Full Audit template. see Scan templates on page 254. and vulnerability checking. such as port discovery. The design of these templates is intended to balance three critical performance factors: time. Then. As with all other deployment options. all sites that use that scan template will use the modified settings. but keep in mind that the built-in templates are. The New Scan Template Configuration panel appears. Click Save. take the following steps: 1. See Configuring custom scan templates on page 192 for more information.Steps for selecting a scan template 1. you may be compelled to scan those assets during office hours. In this case. it’s a good idea to scan during off-hours. Click Save. 4. Change the template as desired. Nexpose User’s Guide 37 . On the other hand. you may schedule certain scans to run on a monthly basis—such as patch verification checks or on an annual basis. or even several times a week. Generally. 3. The Site Configuration panel appears. 2. depending on the importance or risk level of these assets. as it may tax network bandwidth or appear as an attack. 3. 2. such as certain compliance checks. Creating a scan schedule Depending on your security policies and routines. Go to the Scan Setup page of the Site Configuration panel. your workstations may automatically power down at night. or employees may take laptops home. Browse Scan Templates window 4. Make sure to alert staff of an imminent scan. Click the Scan Setup link in the left navigation pane. when more bandwidth is free and work disruption is less likely. Click the link for any Scan Template to select it. Return to the Scan Setup page of the Site Configuration panel. To create or edit a scan template. It's a good practice to run discovery scans and vulnerability checks more often—perhaps every week or two weeks. OR Click Browse to view a table that lists information about each scan template. Click Edit for any listed template to change its settings. You can also click Copy to make a copy of a listed template or click Create to create a new custom scan template and then change its settings. Scheduling scans requires care. Select an existing scan template from the drop-down list. If the scheduled scan runs and exceeds the maximum specified duration. A big. If the preceding job has not completed by the time the next job is scheduled to start. an error message appears in the scan log. Select the check box labeled Enable schedule. Select a number and time unit. Enter a start time in hh:mm format. Checking for patch verification or policy compliance is time-intensive because of logon challenges on the target assets. 6. An Exhaustive template includes more ports in the scope of a scan. OR Click the calendar icon and then click a date to select it. and frequency of repetition. 2. and select AM or PM. A site with a high number of assets will take longer to scan. view its status. If you schedule a scan to run on a repeating basis. Nexpose User’s Guide 38 . Your primary consideration in scheduling a scan is the scan window: How long will the scan take? As noted there. The Security Console displays options for a start date and time. 3.If you plan to run scans at night. Steps for scheduling a scan 1. 4. Enter a start date in mm-dd-yyyy format. complex directory structure or a high number of pages can take a lot of time. maximum scan duration in minutes. as these can eat up a lot of bandwidth. many factors can affect scan times: • • • • • • • A scan with an Exhaustive template will take longer than one with a Full Audit template for the same number of assets. find out if backup jobs are running. Click the Scan Setup link in the left navigation pane. 5. note that a future scheduled scan job will not start until the preceding scheduled scan job has completed. Network latency and loading can lengthen scan times. Scanning Web sites presents a whole subset of variables. select Repeat every. To verify that a scan has completed. The Scan Setup page appears. See Running a manual scan on page 66. A site with more live assets will take longer to scan than a site with fewer live assets. it will pause for an interval that you specify. Go to the Site Configuration panel. To make it a recurring scan. A scan with a high number of services to be discovered will take additional time. 7. an Apache Web server or an IIS Web server). The newly scheduled scan will appear in the Next Scan column of the Site Summary pane of the page for the site that you are creating. If you select the option to continue where the scan left off. a sequence of discoveries is performed for verifying the existence of an asset. the paused scan will stop and then start from the beginning at the next scheduled start time. Setting up scan alerts You can set up alerts for certain scan events: • • • • a scan starting a scan stopping a scan failing to conclude successfully a scan discovering a vulnerability that matches specified criteria When an asset is scanned. You can also filter alerts for vulnerabilities based on the level of certainty that those vulnerabilities exist. Scheduling a recurring scan 8. If you select the option to restart the paused scan from the beginning. service. and variety of service (for example. the paused scan will continue at the next scheduled start time. Then. Select an option for what you want the scan to do after the pause interval. based on the information gathered in the discovery phase. All scheduled scans appear on the Calendar page. Nexpose attempts to test the asset for vulnerabilities known to be associated with that asset. port. Click Save. which you can view by clicking Monthly calendar on the Administration page. Nexpose User’s Guide 39 . The difference between these latter two classifications is the level of probability. 6. enter the name of the SNMP community and the address of the SNMP server to receive alerts. a “confirmed” vulnerability is reported. and Potential check boxes to receive those alerts. The Enable check box is selected by default to ensure that an alert is generated. 4. Unconfirmed vulnerabilities are more likely to exist than potential ones. 7. it reports an “unconfirmed” or “potential” vulnerability. Select a notification method from the drop-down box. Unconfirmed. specify a mail relay server for sending the alert e-mails. If your network restricts outbound SMTP traffic. Select a severity level for vulnerabilities that you want to generate alerts for. enter the address of the Syslog server to receive the messages. 3. 10. If a vulnerability can be verified. 2. an alert is generated every time the application pauses or resumes a scan. Enter an email address in the From email address field to identify who initiated the alert and where a reply can be directed. If the system is unable to verify a vulnerability known to be associated with that asset. • • Nexpose User’s Guide 40 .Steps for setting up alerts 1. Enter a value in the Send at most field if you wish to limit the number of this type of alert that you receive during the scan. Go to the Site Configuration panel. Select the Confirmed. Enter a name for the alert. If you select the option to send SNMP alerts. if you select Paused and Resumed. 5. Click the Alerting link in the left navigation pane. Your selection will control which additional fields appear below this box. If you select the option to send a Syslog message. • If you select the e-mail method. based on the asset’s profile. The Security Console displays a New Alert dialog box. enter the addresses of your intended recipients. or Syslog message. Alerts can be sent via SMTP e-mail. Click Add alert. You can clear the check box at any time to disable the alert if you prefer not to receive that alert temporarily without having to delete it. SNMP message. 9. For example. Select the check boxes for types of events that you want to generate alerts for. 8. see Viewing active vulnerabilities on page 84. For information about severity levels. Web site URL. make sure to incorporate the Organization element. Configuring an alert 12. If you enter information in the Organization page and you are also using the Site configuration API. Click the Limit alert text check box to send the alert without a description of the alert or its solution. Click Save. even though it's optional. and if the Option element is not parsed. This is a security option for alerts sent over the Internet or as text messages to mobile devices. Click Save. Click the Organization link in the left navigation pane. To include organization information in a site: 1. The new alert appears on the Alert Listing table. Go to the Site Configuration panel. Enter any desired information. Limited-text alerts only include the name and severity. Populated organization fields in the site configuration may cause the API to return the Organization element in a response to site configuration request. Filling all fields is not required. See the topics about SiteSaveRequest and Site DTD in the API guide.11. 2. primary contact. Including organization information in a site The Organization page in the Site Configuration panel includes optional fields for entering information about your organization. such as its name. Nexpose User’s Guide 41 . Enter organization information. and business address. 3. the API client may generate parsing errors. The application incorporates this information in PCI reports. 4. 5. depending on the role or permissions of the user creating them: • • Shared credentials can be used in multiple sites. A Global Administrator or Site Owner creates it in the configuration for a specific site. Site-specific credentials can only be used in the site for in which they are configured. Shared credentials vs. To learn about credential types. Credentials type shared How it is created A Global Administrator or user with the Manage Site permission creates it on the Administration > Shared Scan Credentials page. Within a specific site to which the Site Owner has access: Create. restrict to an asset. assign to a site. enable or disable the use of the credentials in that site. delete. delete. Enable or disable the use of the credentials in any site. target assets in that site authenticate the Scan Engine as they would an authorized user. Actions that can be performed by a Site Owner Enable or disable the use of the credentials in sites to which the Site Owner has access. The range of actions that a user can perform with each type depends on the user’s role or permissions. see Shared credentials vs. you have two options: • • Create a new set of credentials. site-specific credentials Two types of scan credentials can be created in the application. Enable a set of previously created credentials to be used in the site. Credentials created within a site are called site-specific credentials and cannot be used in other sites. authenticated scans can check for software applications and packages and verify patches. Additionally. site-specific Within a specific site to which the Site Owner has access: Create. This is an option if site-specific credentials have been previously created in your site or if shared credentials have been previously created and then assigned to your site. inspecting assets for a wider range of vulnerabilities or security policy violations. edit. edit. edit.Configuring scan credentials Configuring logon credentials for scans enables you to perform deep checks. Nexpose User’s Guide 42 . Configuring site-specific scan credentials When configuring scan credentials in a site. enable or disable the use of the credentials in that site. delete. When you configure credentials for a site. as indicated in the following table: Actions that can be performed by a Global Administrator or user with Manage Site permission Create. site-specific credentials on page 42. especially if you have to manage many sets of credentials. See Managing shared scan credentials on page69. Starting configuration for a new set of site-specific credentials The first action in creating new site-specific scan credentials is naming and describing them. The Security Console displays the Site Credential Configuration panel. 5. It includes a table that lists any site-specific credentials that were created for the site or any shared credentials that were assigned to the site. see Shared credentials vs. 1. Enter a name for new set of credentials. Click the New button. site-specific credentials on page 42. Configure any other settings as desired. The Security Console displays the Credentials page. you cannot do so from a site configuration. 3. 4. 3. Click the Credentials link in the Site Configuration panel. which you can access on the Administration page. Think of a name and description that will help you recognize at a glance which assets the credentials will be used for. 2. Enabling a set of credentials for a site NOTE: If you are a Global Administrator. The Security Console displays the Credentials configuration panel. You can only edit shared credentials in the Shared Scan Credentials Configuration panel. This will be helpful. Select the Use in Scans check box for any desired set of credentials.Enabling a previously created set of credentials for use in a site 1. When you have finished configuring the set of credentials. For more information. 2. Click the Credentials link in the Site Configuration panel. Click Save. click Save. Enter a description for the new set of credentials. Nexpose User’s Guide 43 . even though you have permission to edit shared credentials. Go to the Account page of the Site Credential Configuration panel. 5. Click Test credentials. Configuring an account for site credentials 4. Enter all requested information in the appropriate text fields. both credentials will be tested. click Save. Enter the name or IP address of the authenticating asset. Select the Scan Engine with which you will perform the test. 3. See Performing additional steps for certain credential types on page 46 for more information about the following types: • • SSH public keys LM/NTLM hash Testing the credentials You can verify that a target asset in your site will authenticate the Scan Engine with the credentials you’ve entered. enter a port number. 4. 6. and a message appears if the credentials failed. If you don’t know any of the requested information. To test authentication on a single port. It is a quick method to ensure that the credentials are correct before you run the scan. 2. Select an authentication service or method from the drop-down list. If you are testing Secure Shell (SSH) or Secure Shell (SSH) Public Key credentials and you have assigned elevated permissions. 1. 3.Configuring the account for authentication NOTE: All credentials are protected with RSA encryption and triple DES encryption before they are stored in the database. Permission elevation failures are reported in a separate message. Nexpose User’s Guide 44 . consult your network administrator. Credentials for authentication on the target are tested first. Configure any other settings as desired. 1. Go to the Account page of the Site Credential Configuration panel. Expand the Test Credentials section. 2. When you have finished configuring the set of credentials. See Working with log files in the administrator’s guide. Restricting the credentials to a single asset and/or port If a particular set of credentials is only intended for a specific asset and/or port. 2. Go to the Restrictions page of the Site Credential Configuration panel. click Save. Configure any other settings as desired. If it was not successful. you can specify only those assets with a specific port. they will not be used on other assets or ports. OR Enter the number of the port that you want to restrict the credentials to. OR Enter host name or IP address of the asset and the number of the port that you want to restrict the credentials to. Doing so can prevent scans from running unnecessarily longer due to authentication attempts on assets that don’t recognize the credentials. Enter the host name or IP address of the asset that you want to restrict the credentials to.7. If you restrict credentials to a specific asset and/or port. Configure any other settings as desired. Specifying a port allows you to limit your range of scanned ports in certain situations. review and change your entries as necessary. The Security Console and scan logs contain information about the credential failure when testing or scanning with these credentials. A successful test of site credentials 8. and test them again. 3. When you have finished configuring the set of credentials. Note the result of the test. you can restrict the use of the credentials accordingly. To avoid scanning all Web services within a site. you may want to scan Web applications using HTTP credentials. click Save. When you have finished configuring the set of credentials. For example. 1. Nexpose User’s Guide 45 . It is recommended that you use a pass phrase to protect the key if you plan to use the key elsewhere. DSA keys must be 1024 bits. Nexpose User’s Guide 46 . 3. It includes a table that lists any site-specific credentials that were created for the site or any shared credentials that were assigned to the site. See Editing shared credentials that were previously created on page72.Editing a previously created set of site credentials NOTE: You cannot edit shared scan credentials in the Site Configuration panel. This method. The ssh-keygen process will provide the option to enter a pass phrase. 1. For specific steps. Keys must be OpenSSH-compatible and PEM-encoded. also known as asymmetric key encryption. • • SSH public keys LM/NTLM hash Using SSH public key authentication You can use Nexpose to perform credentialed scans on assets that authenticate users with SSH public key authentication. especially if passwords change frequently. Click the Edit icon for any credentials that you want to edit. You can only edit site-specific credentials in the Site Configuration panel. You must be a Global Administrator or have the Manage Site permission to edit shared scan credentials. Starting configuration for a new set of site-specific credentials on page 43 Configuring the account for authentication on page 44 Testing the credentials on page 44 Restricting the credentials to a single asset and/or port on page 45 When you have finished editing the credentials. consult the documentation for the particular system that you are using. keep the following guidelines in mind: • • • • The application supports SSH protocol version 2 RSA and DSA keys. The Security Console displays the Site Credential Configuration panel. Performing additional steps for certain credential types Certain credential types require additional steps. or large. This topic provides general steps for configuring an asset to accept public key authentication. The ability to edit credentials can be very useful. click Save. go to the Administration page and select the manage link for Shared scan credentials. Click the Credentials link in the Site Configuration panel. random numbers: • • a public key that any entity can use to encrypt authentication information a private key that only trusted entities can use to decrypt the information encrypted by its paired public key When generating a key pair. See this section for additional steps on configuring the following credential types: NOTE: You can elevate permissions for both Secure Shell (SSH) and Secure Shell (SSH) Public Key services. See the following topics for more information: • • • • 4. RSA keys can range between 768 and 16384 bits. To edit shared credentials. 2. involves the creation of two related keys. Change the configuration as desired. sudo+su– uses the combination of sudo and su together to gain information that requires privileged access from your target assets. Configuring this option involves selecting a permission elevation method. To authenticate using su. Using su requires the administrator password. you can elevate Scan Engine permissions to administrative or root access. When attempts at permission elevation fail. Unix-based CIS benchmark checks often require administrator-level permissions. You can choose to elevate permissions using one of the following options: • • • su– enables you to authenticate remotely using a non-root account without having to configure your systems for remote root access through a service such as SSH. sudo (super-user do) or a combination of these methods ensures that permission elevation is secure. enter the password of the user that you are trying to elevate permissions to. For example. Using sudo protects your administrator password and the integrity of the server by not requiring an administrative password. if you are trying to elevate permissions to the root user. if you are trying to elevate permission to the root user and you logged in as jon_smith. In addition. To authenticate using sudo. error messages appear in these logs so that administrators can address and correct errors and run the scans again. enter the password of the user that you are trying to elevate permission from. it enables system administrators to explicitly control what programs an authenticated user can run using the sudo command. The sudo+su option will not be able to access the required information if access to the su command is restricted. Nexpose User’s Guide 47 .Elevating permissions If you are using SSH authentication when scanning. sudo– enables you to authenticate remotely using a non-root account without having to configure your systems for remote root access through a service such as SSH. which is required for obtaining certain data. Permission elevation is an option available with the configuration of SSH credentials. without having to enter in the root password anywhere. Incorporating su (super-user). enter the password for the root user in the password field in Permission Elevation area of the Shared Scan Credential Configuration panel. the application will use sudo authentication to run commands using su. For example. When you log on. Using system logs to track permission elevation Administrators of target assets can control and track the activity of su and sudo users in system logs. For example. enter the password for jon_smith in the password field in Permission Elevation area of the Shared Scan Credential Configuration panel. Generating a key pair 1. Go to the credentials page of the Site Configuration panel. After you provide the private key you must provide the application with SSH public key authentication.ssh/authorized_keys file in the home directory of a user with the appropriate access-level permissions that are required for complete scan coverage.ssh/ authorized_keys 5. 3. Copy the contents of the public key that you created by running the command in step 1. If not.pub file to the . ssh-keygen -t rsa -b 2048 -f /tmp/id_rsa This command generates the private key files. Run the ssh-keygen command to create the key pair. id_rsa. Make sure that the computer with which you are generating the key has a .ssh 4. Site Credential Configuration panel Nexpose User’s Guide 48 . cat /[directory]/id_rsa. This example involves a 2048-bit RSA key and incorporates the /tmp directory.pub file. specifying a secure directory for storing the new file.ssh directory. Make the public key available for the application on the target asset. The console displays the Site Credential Configuration panel. but you should use any directory that you trust to protect the file. Providing SSH public key authentication 1. 2. Append the contents on the target asset of the /tmp/id_rsa. and the public key file. 2. The file is in /tmp/id_rsa. id_rsa. Edit or create a site that you want to scan with SSH public key authentication.pub >> /home/[username]/.pub. run the mkdir command to create it: mkdir /home/[username]/. NOTE: Some checks require root access. Provide the private key. 9. You can make changes to the credentials by clicking Edit. Click Save if you have no other site configuration tasks to complete.3. This authentication method is different from the method listed in the dropdown as Secure Shell (SSH). Enter a user name. 4. Confirm the private key password. 7. (Optional) Elevate the permission type using sudo or su. which allows automated retrieval of hashes. Verify the credentials in the Test credentials area. 11. For information about Metasploit. (Optional) Enter the user name. See Testing the credentials on page 44. Select Microsoft Windows/Samba LM/NTLM Hash (SMB/CIFS) from the Login type drop-down list. The application will ignore the permission elevation credentials when any account. This latter method incorporates passwords instead of keys. go to www. Click Save to save the new credentials. root or otherwise named. even if the root account has been renamed. 10. is the /tmp/ id_rsa file on the target asset.com. The new credentials appear on the Credentials page. Nexpose User’s Guide 49 . 4. take the following steps: 1. 8. 12. If the SSH credential provided is a root credential. Enter and confirm the password for elevated permissions.rapid7.” it is unnecessary to “crack” the password hash to gain access to the service. Consult the documentation for your Linux distribution to verify the appropriate file. Several tools are available for extracting hashes from Windows servers. Enter the appropriate user name.and Drop downbased SSH daemons. The private key that you created by running the command in step 1. 3. Copy the contents of that file into the PEM-format private key text box. When you have the hashes available. To restrict credentials see Restricting the credentials to a single asset and/or port on page 45. Using LM/NTLM hash authentication Nexpose can pass LM and NTLM hashes for authentication on target Windows or Linux CIFS/ SMB services. You can elevate permissions for both Secure Shell (SSH) and Secure Shell (SSH) Public Key services. user ID =0. NOTE: ssh/authorized_keys is the default file for most OpenSSH. which can be empty or root for sudo credentials. (Optional) Enter the Private key password used when generating the keys. with user ID 0 is specified. known as “pass the hash. (Optional) Enter the appropriate domain. One solution is Metasploit. the permission elevation credentials will be ignored. 5. 6. 2. Select Secure Shell (SSH) Public Key as the from Service drop-down list. Go to the Credentials page of the Site Configuration panel. If you are using credentials with no user name the credentials will default to root as the user name. 13. With this method. 9. You cannot change credentials that appear on this page.5. configure a set of scan credentials using the method called Web Site HTTP Authentication in the Credentials. Configuring scan authentication on target Web applications NOTE: For HTTP servers that challenge users with Basic authentication or Integrated Windows authentication (NTLM). You cannot change credentials that appear on this page. For example. Click Save after you finish configuring your site. You can only delete credentials or configure new ones. a form may use JavaScript. Or. a Scan Engine presents those credentials to a Web site before scanning it. The new credentials appear on the Credentials page. 10. 8. It may involve some trial and error to determine which method works better. using the NTLM hash alone is acceptable as most servers disregard the LM response: 0CB6948805F797BF2A82807973B89537 7. Perform additional credential configuration steps as desired. it may not be possible to use a form. It is advisable to consult the developer of the Web site before using this feature. In some cases. as a human user would fill out. Nexpose User’s Guide 50 . See Creating a logon for Web site session authentication with HTTP headers on page52. The authentication method you use depends on the Web server and authentication application you are using. You specify credentials for that form that the application will accept. a form may use a CAPTCHA test or a similar challenge that is designed to prevent logons by computer programs. Click Save to save the new credentials. Then. since publicly accessible Internet hosts are attractive targets for attack. a form is retrieved from the Web application. See Restricting the credentials to a single asset and/or port on page 45 and Testing the credentials on page 44. Two authentication methods are available for Web applications: • Web site form authentication: Credentials are entered into an HTML authentication form. Scanning Web sites at a granular level of detail is especially important. If these circumstances apply to your Web application. which is not supported for security reasons. Click Save to save the new credentials 11. Make sure there are no spaces in the entry. With authentication. Many Web authentication applications challenge would-be users with forms. • Web site session authentication: The Scan Engine sends the target Web server an authentication request that includes an HTTP header—usually the session cookie header—from the logon page. The new credentials appear on the Credentials page. The following example includes hashes for the password test: 01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A8280797 3B89537 6. You can only delete credentials or configure new ones. Enter or paste in the LM hash followed by a colon (:) and then the NTLM hash. you may be able to authenticate the application with the following method. Click Save if you have no other site configuration tasks to complete. Alternatively. Web assets can be scanned for critical vulnerabilities such as SQL injection and cross-site scripting. With this method. you must select the option button to customize a new value. Click Save. consult the developer of the target Web site. TIP: If you do not know any of the required information for configuring a Web form logon. it displays a failure notification. 3. Enter the logon page URL for the actual page in which users log on to the site. If you do not see a failure notification.Creating a logon for Web site form authentication 1. 6. The Security Console displays the General page for Web Application Configuration panel. continue with verifying and customizing (if necessary) the logon form: 1. In the Base URL text box. Examples: http://example. 2.com 5. the Security Console displays a table of fields for that particular form. If you are not certain of what value to use. If it fails to make contact or retrieve any forms. The application contacts the Web server to retrieve any available forms. 3. starting with the base URL.com or https://example. contact your Web administrator. Select from the drop-down list the form with which the Scan Engine will log onto the Web application. The credentials you enter for logging on to the site will apply to any page on the site. The Security Console displays the field table with any changed values according to your edits. Based on your selection. You must include the protocol with the address. Only change the value to match what the server will accept from the Scan Engine when it logs on to the site. 7. enter the main address from which all paths in the target Web site begin. 2.html Click Next to expand the section labeled Step 2: Configure form fields. It should also include the protocol. Click Edit for any field value that you want to edit. 4. If the value was provided by the Web server.com/logon. Click the Configuration link in the left navigation area of the panel. Examples: http://example. Go to the Web Applications page of the configuration panel for the site that you are creating or editing. Repeat the editing steps for any other values that you want to change. Nexpose User’s Guide 51 . Enter a name for the new HTML form logon settings. Click Add HTML form. The Security Console displays a configuration page for the Web form logon. The Security Console displays a pop-up window for editing the field value. For more information about the session ID header. The default value works in most logon cases. Click Next to expand the section labeled Step 3: Test logon failure regular expression. The console displays a text field for the base URL Enter the base URL. continue with creating a regular expression for logon failure and testing the logon: 1.When all the fields are configured according to your preferences. Click the Configuration link in the left navigation area of the panel. If the Security Console displays a success notification. Click Add HTTP Header Configuration. consult your Web administrator. TIP: If you do not know any of the required information for configuring a Web form logon. If you are unsure of what regular expression to use. Change the regex if you want to use one that is different from the default value. For more information. 3. If logon failure occurs. click Save and proceed with any other site configuration actions. Enter a name for the new server header configuration settings. which is the main address from which all paths in the target site begin. 2. The Security Console displays the General page for Web Application Configuration panel. Nexpose User’s Guide 52 . 3.com or https://example. see Using regular expressions on page 248. Creating a logon for Web site session authentication with HTTP headers When using HTTP headers to authenticate the Scan Engine. Go to the Web Applications page of the configuration panel for the site that you are creating or editing. consult the developer of the target Web site.com. The Security Console displays a text field for a regular expression (regex) with a default value in it. make sure that the session ID header is valid between the time you save this ID for the site and when you start the scan. Click Test logon to make sure that the Scan Engine can successfully log on to the Web application. Examples: http://example. change any settings as necessary and try again. 5. 1. consult the Web administrator. You must include the protocol with the address. 2. 4. Click Test logon to make sure that the Scan Engine can successfully log on to the Web application. Every header consists of two elements. The Security Console displays a pop-up window for entering an HTTP header. The Security Console displays an empty table that will list the headers that you add in the following steps. Nexpose User’s Guide 53 . the value for a session ID (SID) might be a uniform resource identifier (URI). The default value works in most logon cases. If logon failure occurs. If you are unsure of what regular expression to use. If the Security Console displays a success notification. or supported languages. change any settings as necessary and try again. If you are not sure what header to use. consult your Web administrator. Value corresponds to the actual value string that the console sends to the server for that data type. Change the regex if you want to use one that is different from the default value. The name/value pair appear in the header table.Continue with adding a header: 1. 2. Continue with creating a regular expression for logon failure and testing the logon: 1. 2. such as the Web host name. 3. • • Name corresponds to a specific data type. See Using regular expressions on page 248. which are referred to jointly as a name/value pair. and click Save. For example. Web server type. consult the Web administrator. Enter the desired name/value pair. For more information. click Save and proceed with any other site configuration actions. Click Add Header. 3. The Security Console displays a text field for a regular expression (regex) with a default value in it. Click Next to expand the section labeled Step 3: Test logon failure regular expression. session identifier. Click Next to expand the section labeled Step 2: Define HTTP header values. ” without manual intervention on your part. As long as discovery connection is active. they're not being managed. This approach has several benefits: • • • You can concentrate scanning resources for vulnerability checks instead of running discovery scans.Managing dynamic discovery of virtual assets It may not be unusual for your organization’s assets to fluctuate in number. See Configuring and performing vAsset discovery on page 55. Nexpose User’s Guide 54 .. In fact.” The application provides two methods for tracking assets: • • You can perform discovery scans on a regular basis. Employees who are travelling or working from home plug into the network at various times using virtual private networks (VPNs). Gartner. if they’re not on the list. As staff numbers grow or recede. See Configuring a dynamic site on page 63.” (Source: A Vulnerability management Success Story” published by Gartner. You can create dynamic sites and have them update automatically based on vAsset discovery. the two must work in tandem: “The network discovery process is continuous. This fluidity underscores the importance of having a dynamic asset inventory.) The paper further states that an asset inventory is a “foundation that enables other vulnerability technologies” and with which “remediation becomes a targeted exercise. on a fairly regular basis. and state. Result: added risk. the application continuously discovers assets “in the background. The benefit of scans is that they provide a snapshot of your asset inventory as of the time of the scan. According to a paper by the technology research and advisory company. so does the number of workstations. There will always be assets on the network that are not on the list. You can initiate vAsset discovery. an up-to-date asset inventory is as essential to vulnerability management as the scanning technology itself. in which the application discovers assets in a target environment without running a scan. type. Inc. Servers go on line and out of commission. And. Relying on a manually maintained spreadsheet is risky. while the vulnerability assessment scanning cycles through the environment during a period of weeks. Inc. which virtual machines have Windows operating systems? Which ones belong to a particular resource pool? Which ones are currently running? Having this information available keeps you in synch with the continual changes in your virtual asset environment. such as the following: • • • • • management consoles management servers administrative virtual machines guest virtual machines hypervisors Merely keeping track of virtual assets and their various states and classifications is a challenge in itself. The feature.1. To manage their security effectively you need to keep track of important details: For example. known as vAsset discovery involves four major actions: • • • • Preparing the target environment for vAsset discovery on page 55 Creating and managing vAsset discovery connections on page 57 Initiating vAsset discovery on page 58 Using filters to refine vAsset discovery on page 59 Once you initiate vAsset discovery it continues automatically as long as the discovery connection is active. Preparing the target environment for vAsset discovery To perform vAsset discovery. Update 1 vCenter 5.1 ESXi 4.1 vCenter 4. The application supports direct connections to the following vCenter versions for vAsset discovery: • • • • • • • • vCenter 4.1.1 ESX 4. Update 1 ESXi 4. In response to these challenges the application supports dynamic discovery of virtual assets. which also helps you to manage scanning resources more efficiently. An increasing number of high-severity vulnerabilities affect virtual targets and devices that support them.0 The application supports direct connections to the following ESX(i) versions for vAsset discovery: ESX 4. Update 1 ESXi 5. If you know what scan targets you have at any given time.0 Nexpose User’s Guide 55 . you know what and how to scan.Configuring and performing vAsset discovery An environment with virtual assets presents special security-related challenges.1. Nexpose can connect to either a vCenter server or directly to standalone ESX(i) hosts. Assets can be discovered and will appear in discovery results if they do not have VMware Tools installed. 4. with VMware Tools. 3. To determine if the application supports a connection to an ESX(i) host that is managed by vCenter. The console displays the Security Console Configuration panel. you will need to specify account credentials so that the application can connect to vCenter or the ESX/ESXi host. Make sure that the account has permissions at the root server level to ensure all target virtual assets are discoverable. Click the Manage link for Security Console. Click the Administration tab. consult VMware’s interoperability matrix at http://partnerweb. Make sure that virtual machines in the target environment have VMware Tools installed on them. your license enables vAsset discovery. Nexpose User’s Guide 56 .vmware.php. The console displays the Administration page. This has significant advantages for scanning.The preceding list of supported ESX(i) versions is for direct connections to standalone hosts. it is recommended that the account have readonly access. The console displays the Licensing page.com/comp_guide2/sim/ interop_matrix. If so. the Security Console initiates vConnections to the vSphere application program interface (API) via HTTPS. you will need to make arrangements with your network administrator to enable communication. Make sure that port 443 is open on the vCenter or virtual machine host because the application needs to contact the target in order to initiate the connection. See Configuring a dynamic site on page 63. you will not see the contained assets unless permissions are also defined on the parent resource pool. Note if the Virtualization feature is checked. However. these target assets can be included in dynamic sites. To perform vAsset discovery. Click the Licensing link. To verify your license enables vAsset discovery: 1. When creating a discovery connection. If Nexpose and your target vCenter or virtual asset host are in different subnetworks that are separated by a device such as a firewall. so that the application can perform vAsset discovery. As a best practice. You must configure your vSphere deployment to communicate through HTTPS. To ensure optimal results with the vAsset discovery process make sure your license enables vAsset discovery. If you assign permissions on a folder in the target environment. 2. The console displays the Discovery Connections page. 3. take the following steps: Go to the Asset Discovery Connection panel in the Security Console Web interface. Click Create for Discovery Connections. To create a connection. Click Create for connections. 2. The console displays the Credentials page.Creating and managing vAsset discovery connections This action provides Nexpose the information it needs to contact a vCenter server or virtual machine host. 5. Enter a fully qualified domain name for the server that the application will contact in order to discover assets. 1. Nexpose User’s Guide 57 . 2. 3. 2. OR 1. To view available connections or change a connection configuration take the following steps: 1. 4. The console displays Asset Discovery Connection panel. The Administration page displays. 4. Click Save. The console displays the Filtered asset discovery page. 3. Click Edit for a connection that you wish to change. You must have Global Administrator permissions to create or manage vAsset Discovery connections. Click the vAsset Discovery icon that appears in the upper-right corner of the Security Console Web interface. Make sure that the account has access to any virtual machine that you want to discover. The console displays the Filtered asset discovery page. Click Credentials. Enter the information for a new connection. Enter information in the Asset Discovery Connection panel. Click the Administration tab. Click Save. 2. Enter a unique name for the new connection on the General page. Click Save. below the user name. 2. OR Click the vAsset Discovery link that appears in the upper-right corner of the Security Console Web interface. 1. Click manage for Discovery Connections. The console displays Asset Discovery Connection panel. Enter a user name and password with which the application will use log on to the server. 5. See Managing users and authentication in the administrator’s guide. The console displays the Asset Discovery Connection panel Enter the information in the appropriate fields. 1. 4. Go to the Administration page. Click the Manage for connections. Select the appropriate discovery connection name from the drop-down list labeled vConnection. You cannot delete a connection that has a dynamic site or an in-progress scan associated with it. Nexpose User’s Guide 58 . You can determine which dynamic sites are associated with any connection by going to the Discovery Management page. You can also check the status of all vConnections on the Discovery Connections page. The console displays the Filtered asset discovery page. which you can view in a spreadsheet for internal purposes. There may be a slight delay before new results appear in the Web interface. the discovery process must complete before new discovery results become available. See Configuring a dynamic site on page 63. See Creating and managing vAsset discovery connections on page 57. changed. 2. The console displays a notification of any inactive vConnections in the bar at the top of the Security Console Web interface. OR Click the New Dynamic Site button on the Home page. you must have the Manage sites permission.On the Discovery Connections page. Information is only dynamically updated for machines to which the connecting account has access. Initiating vAsset discovery This action involves having Nexpose contact a vCenter server or virtual machine host and begin discovering virtual assets. See Configuring roles and permissions in the administrator’s guide To initiate vAsset discovery: 1. the application continues to discover assets as long as the discovery connection remains active. it may affect your discovery results depending which virtual machines the new account has access to. Your dynamic site and discovery results will still include the advertising department’s virtual machines. To perform vAsset discovery. For example: You first create a connection with an account that only has access to all of the advertising department’s virtual machines. Click the vAsset Discovery icon that appears in the upper-right corner of the Security Console Web interface. See Monitoring vAsset discovery on page 63. Click Discover Assets. You then initiate discovery and create a dynamic site. Later. A table appears and lists the following information about each discovered asset: • • • • • • • • the asset’s name the asset’s IP address the VMware datacenter in which the asset is managed the asset’s host computer the cluster to which the asset belongs the resource pool path that supports the asset the asset’s operating system the asset’s power status After performing the initial discovery. 3. If you change a connection by using a different account. After the application performs initial discovery and returns a list of discovered assets. NOTE: With new. you update the connection configuration with credentials for an account that only has access to the human resources department’s virtual machines. as described in the following topic. information about those machines will no longer be dynamically updated. you can also delete connections or export connection information to a CSV file. you can refine the list based on criteria filters. however. changing connection settings may affect asset membership of a dynamic site. Nexpose contacts the server that manages the virtual assets and performs discovery. or reactivated discovery connections. Also. If you create a vAsset discovery connection but don’t initiate vAsset discovery with that connection. you also select an operator that determines how that filter is applied. you can discover all of Windows 7 virtual assets on a particular host that are powered on. You can limit the sheer number of assets that appear in the discovery results table. Selecting filters and operators For every filter that you select. all assets that belong to a particular resource pool. This filter works with the following operators: • • • • • is returns all assets that belong to clusters whose names match an entered string exactly. you enter a string or select a value for that operator to apply. Also. does not contain returns all assets that belong to clusters whose names do not contain an entered string. or all assets that are powered on or off. Then. left corner of the Web interface page. you will see an advisory icon in the top. starts with returns all assets that belong to clusters whose names begin with the same characters as an entered string. See Configuring a dynamic site on page 63. NOTE: If a set of filters is associated with a dynamic site. • • • • • • • • Cluster Cluster Datacenter Guest OS family Host IP address range Power state Resource pool path Virtual machine name With the Cluster filter. contains returns all assets that belong to clusters whose names contain an entered string. is not returns all assets that belong to clusters whose names do not match an entered string. For example. and if you change filters to include more assets than the maximum number of scan targets in your license. This can be useful in an environment with a high number of virtual assets. you will see an error message instructing you to change your filter criteria to reduce the number of discovered assets. filters can help you discover very specific assets. or if you initiate a vAsset discovery but the connection becomes inactive. Eight filters are available. you can limit discovery to assets that are managed by a specific resource pool or those with a specific operating system. depending on the filter and operator. Using filters has a number of benefits. You can combine filters to produce more granular results. You can discover all assets within an IP address range. you can discover assets that belong. or don’t belong. to specific clusters. Roll over the icon to see a message about inactive connections. The message includes a link that you can click to initiate discovery. Using filters to refine vAsset discovery You can use filters to refine vAsset discovery results based on specific discovery criteria. Nexpose User’s Guide 59 . For example. You can create dynamic sites based on different sets of discovery results and track the security issues related to these types of assets by running scans and reports. 1 to 192. This filter works with the following operators: • • • • • IP address range is returns all assets that are guests of hosts whose names match an entered string exactly. within a specific range. starts with returns all assets that are guests of hosts whose names begin with the same characters as an entered string. The format for the IP addresses is a “dotted quad. you will see two blank fields separated by the word to. When you select the IP address range filter. or are not managed.” Example: 192.2. is not returns all assets that are managed by datacenters whose names do not match an entered string. With the IP address range filter.2. you can discover assets that have. of specific host systems. you can discover assets that are managed. you can discover assets that have IP addresses.168. and end of the range in the right field. is not returns all assets whose IP addresses do not fall into the entered IP address range. is not returns all assets that are guests of hosts whose names do not match an entered string. This filter works with the following operators: • • Guest OS family is returns all assets that are managed by datacenters whose names match an entered string exactly.254 Nexpose User’s Guide 60 .Datacenter With the Datacenter filter. This filter works with the following operators: • • is returns all assets with IP addresses that falls within the entered IP address range. you can discover assets that are guests. contains returns all assets that are guests of hosts whose names contain an entered string. Enter the start of the range in the left field. This filter works with the following operators: • • Host contains returns all assets that have operating systems whose names contain an entered string.168. does not contain returns all assets that are guests of hosts whose names do not contain an entered string. does not contain returns all assets that have operating systems whose names do not contain an entered string. or do not have IP addresses. by specific datacenters. or are not guests. or do not have. With the Host filter. specific operating systems. With the Guest OS family filter. you can discover assets that are in. This filter works with the following operators: • • contains returns all assets that are supported by resource pool paths whose names contain an entered string. This filter works with the following operators: • • • • • is returns all assets whose names match an entered string exactly. contains returns all assets whose names contain an entered string. or you can specify multiple levels. the application will discover all virtual machines that belong to the Management and Workstations levels in both resource pool paths. you can discover assets that belong. However. does not contain returns all assets whose names do not contain an entered string. to specific resource pool paths. you may have two resource pool paths with the following levels: Human Resources Management Workstations Advertising Management Workstations The virtual machines that belong to the Management and Workstations levels are different in each path. is not returns all assets that are not in a power state selected from a drop-down list. the application will only discover virtual assets that belong to the Workstations pool in the path with Advertising as the highest level. You can specify any level of a path. Power states include on. off. starts with returns all assets whose names begin with the same characters as an entered string. or do not have. you can have the application discover assets that match all the criteria specified in the filters. if you specify Advertising -> Management -> Workstations. This is helpful if you have resource pool path levels with identical names. Resource pool path With the Resource pool path filter. or assets that match any of the criteria specified in the filters. or do not belong. This filter works with the following operators: • • is returns all assets that are in a power state selected from a drop-down list. does not contain returns all assets that are supported by resource pool paths whose names do not contain an entered string. each separated by a hyphen and right arrow: ->. For example. Virtual machine name With the Virtual machine name filter. or suspended.Power state With the Power state filter. a specific name. Nexpose User’s Guide 61 . or are not in. If you only specify Management in your filter. Combining discovery filters If you use multiple filters. you can discover assets that have. is not returns all assets whose names do not match an entered string. a specific power state. take the following steps to configure and apply filters: Configure the filters. 3. 2. See Configuring a dynamic site on page 63. Suppose you create two filters. Select an operator from the right drop-down list. Click Create Dynamic Site to create a dynamic site based on the discovery results. Five of the assets run Ubuntu. and Nexpose displays the results table. 6. Win02. 1. If you discover assets with the two filters using the all setting. 1. and Win05. A new filter row appears. Enter or select a value in the field to the right of the drop-down lists. Configuring and applying filters NOTE: If a virtual asset doesn’t have an IP address. Nexpose User’s Guide 62 . it can only be discovered and identified by its host name. Assets without IP addresses cannot be scanned. Ubuntu02. the application discovers assets that run Windows or have “Ubuntu” in their names. Click Filter. if you use the same filters with the any setting. Apply the filters. Select the option to match any or all of the filters from the drop-down list below the filters. Ubuntu04. It will appear in the discovery results. The second filter is an asset filter. 2. The other five run Windows. whereas the any setting returns assets that match any given filter. Select a filter type from the left drop-down list. the application discovers assets that run Windows and have “Ubuntu” in their asset names. Add more filters as desired. you can apply them to the discovery results. click the appropriate . Since no such assets exist. and it returns a list of assets that run Windows. Win04. However. the result set contains all of the assets. click the + icon. but it will not be added to a dynamic site. Therefore. 4. and their names are Ubuntu01. After you configure the filters. A filter row appears.icon. and it returns a list of assets that have “Ubuntu” in their names. Click Add Filters. and their names are Win01. no assets will be discovered. 5. The first discovery filter is an operating system filter. After you initiate vAsset discovery as described in the preceding section. Ubuntu03. a target environment includes 10 assets.The difference between these options is that the all setting only returns assets that match the discovery criteria in all of the filters. Win03. For this reason. a search with all selected typically returns fewer results than any. Set up the new filter as described in the preceding step. For example. and the other five assets have “Ubuntu” in their names. The discovery results table now displays assets based on filtered discovery. Or. To delete any filter. and Ubuntu05. click Reset to clear all filters and start again. Five of the assets run Windows. To add a new filter. take the following steps: 1. You must initiate vAsset discovery. See Initiating vAsset discovery on page 58. as displayed on the scan results page for that asset. • • You must have a live vAsset discovery connection. 3. See Using filters to refine vAsset discovery on page 59. so dynamic sites will only contain virtual assets. hosts. all assets that meet the site’s filter criteria will not be correlated to assets that are part of existing sites. or being added to or deleted from hosts. If you attempt to create a dynamic site based on a number of discovered assets that exceeds the maximum number of scan targets in your license. Go to the Discovery Statistics page in the Security Console Web interface. So. The Security Console displays the Site Configuration panel. such as virtual machines being powered on or off. Possible host types include Virtual machine and Hypervisor. NOTE: Listings in the vEvents table reflect discovery over the preceding 30 days. you may find it useful to monitor events related to discovery. The only way to determine the host type of an asset is by performing a credentialed scan. renamed. Initiate vAsset discovery as instructed in Initiating vAsset discovery on page 58. See Performing filtered asset searches on page 124. The application categorizes each asset it discovers as a host type and uses this categorization as a filter in searches for creating dynamic asset groups. The Discovery Statistics page includes several informative tables: • • • vAssets lists the number of currently discovered virtual machines. any asset that you discover through vAsset discovery and do not scan with credentials will have an Unknown host type. Nexpose User’s Guide 63 . vEvents lists every relevant change in the target discovery environment. Dynamic Site Statistics lists each dynamic site. To monitor vAsset discovery. 2. Configuring a dynamic site To create a dynamic site you must meet the following prerequisites: NOTE: When you create a dynamic site. you will see an error message instructing you to change your filter criteria to reduce the number of discovered assets. data centers. It also indicates how many virtual machines are online and offline. The results table appears.Monitoring vAsset discovery Since vAsset discovery is an ongoing process as long as the vConnection is active. Click the Create Dynamic Site button on the vAsset Discovery page. An asset that is listed in two sites is essentially regarded as two assets from a license perspective. and vConnections. the number of scanned assets. vAsset discovery only finds virtual assets. Enter a name and brief description for your site in the configuration fields that appear. To create a dynamic site take the following steps: 1. and the vConnection through which vAsset discovery is initiated for the site’s assets. Click the Administration tab. the number of assets it contains. The Administration page appears. 3. Click the View link for Discovery Statistics. 2. vAsset discovery is not meant to enumerate the host types of virtual assets. 5. that change is reflected in the dynamic site asset list. such as new virtual machines being added or removed. Nexpose User’s Guide 64 . asset membership in a dynamic site is subject to change whenever changes occur in the target environment. 4. Whenever a change occurs in the target discovery environment. The Site Configuration panel appears for the new dynamic site. Go to the Assets page of the configuration panel for the dynamic site. You can also change asset membership by changing the discovery connection or filters. If you want to exclude any of those from the scan. Use this panel to configure other aspects of the site and its scans. Click Save on the Filtered asset discovery page for the dynamic site. Change the discovery connection or filters as described in Configuring and performing vAsset discovery on page 55. To view and change asset membership: 1. enter their names or IP addresses in Excluded Assets text box. 3. • • • • The Very Low setting reduces a risk index to 1/3 of its initial value. respectively. A Normal setting does not change the risk index. The importance level corresponds to a risk factor that the application uses as part of the Weighted risk strategy calculation for the assets in the site.4. 2. This keeps your visibility into your target environment current. Click Save. Click the Change Connections/Filters button to change asset membership. Select a level of importance from the drop-down list. View the list of assets to be scanned. See Using filters to refine vAsset discovery on page 59. See Weighted strategy on page 241. See the following topics: • • • • • • Selecting a Scan Engine for a site on page 33 Selecting a scan template on page 36 Creating a scan schedule on page 37 Setting up scan alerts on page 39 Configuring scan credentials on page 42 Including organization information in a site on page 41 Managing assets in a dynamic site As long as the connection for an initiated vAsset discovery is active. The Filtered asset discovery page for the dynamic site appears. High and Very High settings increase the risk index to twice and 3 times its initial value. The Low setting reduces the risk index to 2/3 of its initial value. Change the discovery connection or filters. 5. See Using filters to refine vAsset discovery on page 59. the scan will target assets that were previously discovered. This ensures that you do not run a scan and exclude certain assets. If you run a scan without adjusting the asset count. asset membership will be affected in the following ways: All assets that have not been scanned and no longer meet new discovery filter criteria. All assets that have been scanned and have scan data associated with them will remain on the site list whether or not they meet new filter discovery criteria. Nexpose User’s Guide 65 .Another benefit is that if the number of discovered assets in the dynamic site list exceeds the number of maximum scan targets in your license. you will see a warning to that effect before running a scan. All newly discovered assets that meet new filter criteria will be added to the dynamic site list. You can adjust the asset count by refining the discovery filters for your site. will be deleted from the site list. If you change the discovery connection or discovery filter criteria for a dynamic site that has been scanned. If you select the option to scan specific assets. The Security Console displays the Start New Scan dialog box. or if a full site scan has been automatically started by the scheduler. click the Scan icon for a given site in the Site Listing pane of the Home page. select either the option to scan all assets within the scope of a site. Refer to the lists of included and excluded assets for the IP addresses and host names. In the Manual Scan Targets area. the application will not permit you to run another full site scan. to check for critical vulnerabilities or verify a patch installation. for example. Starting a manual scan Or. or to exclude from the scan. if you have manually started a scan of all assets in a site. Nexpose User’s Guide 66 . which lists all the assets that you specified in the site configuration to scan. You can copy and paste the addresses. Specifying the latter is useful if you want to scan a particular asset as soon as possible. However. enter their IP addresses or host names in the text box.Running a manual scan To start a scan manually at any time. you can click the Scan button on the Sites page or on the page for a specific site. NOTE: You can start as many manual scans as you require. or to specify certain target assets. Nexpose User’s Guide 67 . You can even see how long it takes for the scan to complete on an individual asset. These metrics can be useful to help you anticipate whether a scan is likely to complete within an allotted window. you can keep track of how long it has been running and the estimated time remaining for it to complete. The Start New Scan window When the scan starts. The status page for a newly started scan Monitoring the progress and status of a scan Viewing scan progress When a scan starts. which will display more information as the scan continues. the Security Console displays a status page for the scan.Click the Start Now button to begin the scan immediately. locate the site that is being scanned. locate the site that is being scanned. 3. for example. Nexpose User’s Guide 68 . To view the progress of a scan: 1. When you click the progress link in any of these locations. 2. click the Scan in progress link. click the In Progress link. In the table. In the Status column. OR Locate the Current Scan Listing for All Sites table on the Home page. 3. the Security Console displays a progress page for the scan. Locate the Site Listing table on the Home page. In the Progress column. In the table. 2.You also can view the assets and vulnerabilities that the in-progress scan is discovering if you are scanning with any of the following configurations: • • • Hosted Scan Engines distributed Scan Engines (if the Security Console is configured to retrieve incremental scan results) the local Scan Engine (which is bundled with the Security Console) Viewing these discovery results can be helpful in monitoring the security of critical assets or determining if. The progress links for scans that are currently running You will also find progress links in the Site Listing table on the Sites page or the Current Scan Listing table on the page for the site that is being scanned. an asset has a zero-day vulnerability. 1. Nexpose User’s Guide 69 . If a scan has this state but there are no scan results displayed. and specific site and scan pages. • The Pending column lists the number of assets that have been discovered. In the Status column. as well as the following asset information: The Active column lists the number of assets that are currently being scanned for vulnerabilities. and total discovered vulnerabilities. but not yet scanned for vulnerabilities. its fingerprinted operating system (if available). and its scan duration and status. if a scan’s status remains In progress for an unusually long period of time. and the Security Console has finished processing the scan results. the number of vulnerabilities discovered on it. elapsed time. a scan may appear to be in any one of the following states: In progress A scan is gathering information on a target asset. see Determining if scans with normal states are having problems on page 70 to diagnose this issue. it may indicate a problem. The Security Console is importing data from the Scan Engine and performing data integration operations such as correlating assets or applying vulnerability exceptions. start date and time. Completed successfully The Scan Engine has finished scanning the targets in the site. estimated remaining time to complete. You can click the address or name for any asset to view more details about. see Viewing the scan log on page 71.The Scan Progress table shows the scan’s current status. While some of these states are fairly routine. • The Completed column lists the number of assets that have been scanned for vulnerabilities. others may point to problems that you can troubleshoot to ensure better performance and results for future scans. • NOTE: Remember to use bread crumb links to go back and forth between the Home. It is also helpful to know how certain states affect scan data integration or the ability to resume a scan. In certain instances. For more information. See Determining if scans with normal states are having problems on page 70. Sites. such as all the specific vulnerabilities discovered on it. The Discovered Assets table lists every asset discovered during the scan. A scan progress page Understanding different scan states It is helpful to know the meaning of the various scan states listed in the Status column of the Scan Progress table. It lists the number of assets that have been discovered. You can click the icon for the scan log to view detailed information about scan events. you will see an error message. Failed A scan has been disrupted due to an unexpected event.log file located in the \nsc directory of the Security Console and look for error-level messages for the Scan Engine associated with the failure. In this case. You cannot resume a stopped scan. it will resume where it paused instead of restarting at its next start date/time. the Security Console will display a message that a scan is already running with a given ID. Another cause could be a communication issue between the Security Console and Scan Engine. the Security Console will display a message indicating that no scan with a given ID exists. but no data is visible for that scan. It cannot be resumed. To test whether this is the case.Stopped A user has manually stopped the scan before the Security Console could finish importing data from the Scan Engine. One cause of failure can be the Security Console or Scan Engine going out of service. An explanatory message will appear with the Failed status. You will need to run a new scan. Click the Administration tab and then go to the Scan Engines page. You will need to run a new scan. You can determine if this has occurred by one of the following methods: • • • Aborted Check the connection between your Security Console and Scan Engine with an ICMP (ping) request. try starting the scan again manually. • A scan has exceeded the Security Console’s memory threshold before the Security Console could finish importing data from the Scan Engine In all cases. try to stop the scan. Open the nsc. You cannot resume an aborted scan. Nexpose User’s Guide 70 . Click on the Refresh icon for the Scan Engine associated with the failed scan. The data that the Security Console had imported before the stop is integrated into the scan database. If a communication failure has occurred. the Security Console cannot recover the data from the scan that preceded the disruption. If it is a recurring scan. contact Technical Support. The data that the Security Console had imported before the scan was aborted is integrated into the scan database. The Security Console typically can recover scan data that preceded the disruption. • A scan has exceeded its scheduled duration window. this may indicate that the Security Console cannot determine the actual state of the scan due to a communication failure with the Scan Engine. this may indicate that the Scan Engine has stopped associating with the scan job. A scan has been interrupted due to system disruption or other unexpected events. To test whether this is the case. In either of these cases. If this issue has occurred. Determining if scans with normal states are having problems If a scan has an In progress status for an unusually long time. Paused One of the following events occurred: • A scan was manually paused by a user. If a scan has a Completed successfully status. If there is a communication issue. You can use this information to troubleshoot the issue with Technical Support. You can resume a paused scan manually. the Security Console processes results for targets that have a status of Completed Successfully at the time the scan is paused. Sites. resume or stop manual scans and scans that have been started automatically by the application scheduler. Viewing scan results The Security Console lists scan results by ascending or descending order for any category. In the Asset Listing table. Click the site name link to view assets in the site. To stop a scan.Pausing. or click the Pause Scan button on the specific scan page. The column with the TM icon enumerates the number of vulnerability exploits known to exist for each asset. but asset groups can include assets that also are included in sites. Click OK. click the Pause icon for the scan on the Home. To resume a paused scan. or click the Stop Scan button on the specific scan page. or stop scans in several areas: • • • • the Home page the Sites page the page for the site that is being scanned the page for the actual scan To pause a scan. click the desired category column heading. depending on your sorting preference. NOTE: Remember to use bread crumb links to go back and forth between the Home. click the link for a site’s name on the Home page. or specific site page. Nexpose User’s Guide 71 . click the Stop icon for the scan on the Home. or specific site page. or click the Resume Scan button on the specific scan page. Click the link for an asset name or address to view scan-related. click the Resume icon for the scan on the Home. and other. The console displays a message. resuming. The console displays a message. Viewing the scan log To troubleshoot problems related to scans or to monitor certain scan events. On this page. you also can view information about any asset within the site by clicking the link for its name or address. to sort results by that category. To view the results of a scan. such as Address or Vulnerabilities. asking you to confirm that you want to stop the scan. A message displays asking you to confirm that you want to pause the scan. information about that asset. The number may include exploits available in Metasploit and/or the Exploit Database. Sites. you can download and view the log for any scan that is in progress or complete. not asset groups. Click OK. Remember that the application scans sites. The column with the icon enumerates the number of malware kits that can be used to exploit the vulnerabilities detected on each asset. and stopping a scan If you are a user with appropriate site permissions. asking you to confirm that you want to resume the scan. along with pertinent information about the scan results. site. resume. and scan pages. or specific site page. you can pause. Sites. Two columns in the Asset Listing table show the numbers of known exposures for each asset. Click OK. The stop operation may take 30 seconds or more to complete pending any in-progress scan activity. You can pause. if your browser is configured to prompt you to specify the name and location of download files. This is recommended in case the scan information is ever deleted from the scan database. If a site name contains more than 64 characters. find the Scan Log column. Consult the documentation for your browser to find out how to select a default program. You can change the log file name after you download it. subject to your permissions. A pop-up window displays the option to open the file or save it to your hard drive.log file. these characters are converted to hexadecimal equivalents. • • • On the Home page. The Scan History page lists all scans that have been run in your deployment. A scan log’s file name consists of three fields separated by hyphens: the respective site name. in the Site Listing table. Any text editing program. you can change the file name as you save it to your hard drive. In the Scan History table. If you do not see an option to open the file. On any site page. such as Notepad or gedit. Finding the scan log You can find and download scan logs wherever you find information about scans in the Web interface. click any link in the Scan Status column for in-progress or most recent scan of any site. On the Administration page.log extension and can be opened in any text editing program. the site name my site would be rendered as my_20site in the scan log file name. You can only download scan logs for sites to which you have access. find the Scan Log column. click the Administration tab. On any page of the Web interface. choose the option to save it. Or. change your browser configuration to include a default program for opening a . To ensure that you have a permanent copy of the scan log. the scan’s start date. can open a . Doing so opens the Scans page for that site. find the Scan Log column. Example: localsite-20111122-1514. If the site name includes spaces or characters not supported by the name format. click the View scan history button in the Site Summary table. For example. the file name only includes the first 64 characters.log file. The following characters are supported by the scan log file format: • • • • numerals letters hyphens (-) underscores (_) The file name format supports a maximum of 64 characters for the site name field. Doing so opens the summary page for that scan. click the view link for Scan History. Downloading the scan log To download a scan log click the Download icon for a scan log. You may select either option.Understand scan log file names Scan log files have a .log. In the Scan History table. and scan’s start time in military format. In the Scan Progress table. Nexpose User’s Guide 72 . These are the work units assigned to each Nmap process. If this number is less than the maximum in the preceding entry. a severity level (DEBUG. Information about scan threads 2013-06-26T15:02:59 [INFO] [Thread: Scan default:1] [Site: Chicago_servers] Nmap will scan 1024 IP addresses at a time. for example. if enabled in the scan template. Only 1 Nmap process exists per scan. You may want to verify that the prolonged scan is running normally and isn't “hanging”. you can use scan logs to learn more details about the scan and track individual scan events. this number can be equal to the maximum listed in the preceding entry. You may also want to use certain log information to troubleshoot the scan. The beginning and completion of a scan phase 2013-06-26T15:02:59 [INFO] [Thread: Scan default:1] [Site: Chicago_servers] Nmap phase started. this phase includes IP stack fingerprinting. The Nmap (Network Mapper) phase of a scan includes asset discovery and port-scanning of those assets. Also. INFO. and information that identifies the scan thread and site. certain phases of the scan are taking a long time. Each entry is preceded with a time and date stamp. ERROR). which means the scan will proceed to vulnerability or policy checks. This is especially helpful if. This entry states the number of IP addresses that the current Nmap process for this scan is scanning. The Nmap phase has completed. 2013-06-26T15:25:32 [INFO] [Thread: Scan default:1] [Site: Chicago_servers] Nmap phase complete. Nexpose User’s Guide 73 . This entry states the maximum number of IP addresses each individual Nmap process will scan before that Nmap process exits and a new Nmap process is spawned. At a maximum. Therefore. 2013-06-26T15:04:12 [INFO] [Thread: Scan default:1] [Site: Chicago_servers] Nmap scan of 1024 IP addresses starting.Downloading the scan log Tracking scan events in logs While the Web interface provides useful information about scan progress. the process reflected in this entry is the last process used in the scan. This section provides common scan log entries and explains their meaning. that means the number of IP addresses remaining to be scanned in the site is less than the maximum. WARN. Some common tasks include the following: • • • • Ping Scan: Asset discovery SYN Stealth Scan: TCP port scan using the SYN Stealth Scan method (as configured in the scan template) Connect Scan:TCP port scan using the Connect Scan method (as configured in the scan template) UDP Scan: UDP port scan 2013-06-26T15:04:44 [INFO] [Thread: Scan default:1:nmap:stdin] [Site: Chicago_servers] Nmap task Ping Scan is an estimated 25. See the RFC4443 and RFC 792 specifications for more information.06% complete with an estimated 93 second(s) remaining.4:137/UDP] OPEN (reason=udp-response:TTL=124) The preceding two entries provide status of a scanned port and the reason for that status. it could mean that a man-in-the-middle device between the Scan Engine and the scan target is affecting the scan.2] DEAD (reason=host-unreach) The scan reports the targeted IP address as DEAD because it received an ICMP host unreachable response.0.0. administratively prohibited.0. Regarding TTL references. the latency between the Scan Engine and the host. This is a sample progress entry for an Nmap task.0. Nexpose User’s Guide 74 .0.3:3389/TCP] OPEN (reason=syn-ack:TTL=124) 2013-06-26T15:07:45 [INFO] [Thread: Scan default:1:nmap:stdin] [Site: Chicago_servers] [10. 2013-06-26T15:07:45 [INFO] [Thread: Scan default:1:nmap:stdin] [Site: Chicago_servers] [10. For example.0. a host is reported ALIVE.0. This entry indicates that the scan found the host through a TCP response.5] ALIVE (reason=echo-reply:latency=85ms:variance=13ms:timeout=138ms) This entry provides information on the reason that the scan reported the host as ALIVE. if two open ports have different TTLs.0.0. Discovery and port scan status 2013-06-26T15:06:04 [INFO] [Thread: Scan default:1:nmap:stdin] [Site: Chicago_servers] [10. and the timeout Nmap selected when waiting for responses from the target. but does not reply to ping requests. as well as the quality of the network the host is on. the variance in that latency.0.1] DEAD (reason=no-response) The scan reports the targeted IP address as DEAD because the host did not respond to pings. protocol unreachable. Other ICMP responses include network unreachable.Information about scan tasks within a scan phase 2013-06-26T15:04:13 [INFO] [Thread: Scan default:1:nmap:stdin] [Site: Chicago_servers] Nmap task Ping Scan started. A specific task in the Nmap scan phase has started. 2013-06-26T15:06:04 [INFO] [Thread: Scan default:1:nmap:stdin] [Site: Chicago_servers] [10. This type of entry is typically used by Technical Support to troubleshoot unexpected scan behavior. 2013-06-26T15:07:45 [INFO] [Thread: Scan default:1:nmap:stdin] [Site: Chicago_servers] [10. SYN-ACK reflects a SYN-ACK response to a SYN request. host-unreach: This is an ICMP response indicating that the target asset was unreachable. In other words.This occurs during the asset discovery phase on the local network segment. the scan does not verify that target hosts are alive. it “assumes” that the targets are alive. reset: The scan received an RST (reset) response to a TCP packet. perm-denied: The Scan Engine operating system denied a request sent by the scan. See the RFC4443 and RFC 792 specifications for more information. user-set: As specified by the user in the scan template configuration. For example. as in the case of a filtered port or dead host. syn-ack: The scan received a SYN|ACK response to a TCP SYN packet. and it is scanning itself.The following list indicates the most common reasons for discovery and port scan results as reported by the scan: • • • • • • • • • • • • • • conn-refused: The target refused the connection request. host discovery was disabled. See the RFC4443 and RFC 792 specifications for more information. See the RFC4443 and RFC 792 specifications for more information. admin-prohibited: This is an ICMP response indicating that the target asset would not allow ICMP echo requests to be accepted. Nexpose User’s Guide 75 . no-response: The scan received no response. the firewall on the Scan Engine host is enabled and prevents Nmap from sending the request.It occurs during the asset discovery phase. arp-response: The scan received an ARP response. See the RFC4443 and RFC 792 specifications for more information. port-unreach: This is an ICMP response indicating that the target port was unreachable. localhost-response: The scan received a response from the local host. the local host has a Scan Engine installed.This can occur in a full-connect TCP scan. net-unreach: This is an ICMP response indicating that the target asset's network was unreachable. In this case. udp-response: The scan received a UDP response to a UDP probe. echo-reply: This is an ICMP echo response to an echo request. plus the total number of scanned assets. which lists all scans.Viewing history for all scans You can quickly browse the scan history for your entire deployment by seeing the Scan History page. You can click the date link in the Completed column to view details about any scan. On any page of the Web interface. click the Administration tab. The interface displays the Scan History page. and other information pertaining to each scan. click the view link for Scan History. discovered vulnerabilities. On the Administration page. Scan History page Nexpose User’s Guide 76 . You can download the log for any scan as discussed in the preceding topic. and override rule results. Working with vulnerabilities on page 84: Depending on your environment. potential malware exposures. Working with Policy Manager results on page 106: If you work for a U. For example. or policy violations. affected assets.S. you can find all assets that run a particular operating system or that belong to a certain site. This section shows you how to track your overall compliance. This section covers these different paths. view scan results for policies and the specific rules that make up those policies. The section also covers how to exclude vulnerabilities from reports and risk score calculations. It also discusses how to sort asset data by different security metrics and how to look at the detailed information about each asset. such as high-risk assets. and other criteria.Chapter 3 Assess After you discover all the assets and vulnerabilities in your environment. it is important to parse this information to determine what the major security threats are. Nexpose User’s Guide 77 . This section shows you how to sort vulnerabilities based on various security metrics. you may be running scans to verify that your assets comply with United States Government Configuration Baseline (USGCB) or Federal Desktop Core Configuration (FDCC) policies. Or you may be testing assets for compliance with customized policies based on USGCB or FDCC policies. Assess gives you guidance on viewing and sorting your scan results to determine your security priorities. government agency or a vendor that transacts business with the government. your scans may discover thousands of vulnerabilities. so that you can find the threats that require immediate attention. It includes the following sections: • • • Locating assets on page 78: There are several ways to drill down through scan results to find specific assets. vulnerabilities. Click the Export to CSV icon ( ). it is a best practice to create asset groups to control which users can see which asset information in your organization. TIP: While it is easy to view information about scanned assets. You can view assets by various categories: • • • • • sites to which they are assigned asset groups to which they are assigned operating systems that they are running services that they are running software that they are running You can view all discovered assets that you have access to by simply clicking the Assets tab and viewing the Asset Listing table on the Assets page. you can perform quick assessments of your environment and any security issues affecting it. Depending on your browser settings.Locating assets By viewing and sorting asset information based on scans. You can generate a comma-separated values (CSV) file of the asset kit list to share with others in your organization. as well as the number of sites and asset groups to which you have access. you will see a pop-up window with options to save the file or open it in a compatible program. click the top row of the Risk column to sort numerically by the total risk score for all vulnerabilities discovered on each asset. You can sort assets in the Asset Listing table by clicking a row heading for any of the columns. Nexpose User’s Guide 78 . For example. The number of all discovered assets to which you have access appears at the top of the page. See Using asset groups to your advantage on page 120. a column labeled Scan Status appears in the table. To view information about that scan. click the Scan in progress link.You can control the number of assets that appear in the table by selecting a value in the Rows per page dropdown list in the bottom. right frame of the table. If a scan is in progress for any site. a column labeled Last Nexpose User’s Guide 79 . If no scans are in progress. The Security Console displays the Sites page. From this page you can create a new site. The Assets page (with some rows removed for display purposes) Locating assets by sites To view assets by sites to which they have been assigned. Use the navigation options in that area to view more asset records. Charts and graphs at the top of the Sites page provide a statistical overview of sites. click the hyperlinked number of sites displayed at the top of the Assets page. including risks and vulnerabilities. Scan appears in the table. This does not necessarily mean that these assets do not have any available exploits. Locating assets by asset groups To view assets by asset groups to which they have been assigned. For more information. See Viewing the details about an asset on page 81. Click the date link in the Last Scan column for any site to view information about the most recently completed scan for that site. risk. Charts and graphs at the top of the Asset Groups page provide a statistical overview of asset groups. release. Click the link for any site in the Site Listing pane to view its assets. The table lists all the operating systems running in your network and the number of instances of each operating system. including risks and vulnerabilities. In the Asset Listing table. which includes the Exploit Exposure feature. From this page you can create a new asset group. risk. The table lists all the services running in your network and the number of instances of each service. and vulnerability information about any asset. You also can start a scan for that asset. See Viewing the details about an asset on page 81. The Asset Listing table shows the name and IP address of every scanned asset. You can click a link for the site to which the asset belongs to view information about the site. including recent scan information. You can view scan. Click the link for an operating system to view the assets that are running it. see the Operating System Listing table on the Assets page. Click the link for a service to view the assets that are running it. see Using Exploit Exposure on page 251. If your site includes IPv4 and IPv6 addresses. you can view the scan. Nexpose User’s Guide 80 . click the hyperlinked number of sites displayed at the top of the Assets page. See Using asset groups to your advantage on page 120. You also can click the link for any asset address to view information about it. You can click a link for the site to which the asset belongs to view information about the site.The Security Console displays a page for that site. The Security Console displays the Asset Groups page. the number of vulnerabilities. To view information about an asset listed in the Asset Listing table. click the link for that asset. Click the link for any group in the Asset Group Listing pane to view its assets. You can change the order of appearance for these address groups by clicking the sorting icon in the Address column. See Viewing the details about an asset on page 81. In the Asset Listing pane. From the details page of an asset. 2010. The console displays a page for that asset group. statistical charts and graphs. Locating assets by services To view assets by the services running on them. It means that they were scanned before the feature was available. the Address column groups these addresses separately. You also can click the link for any asset address to view information about it. see the Services Listing table on the Assets page. You will see an exploit count of 0 for assets that were scanned prior to the January 29. you can view important security-related information about each asset to help you prioritize remediation projects: the number of available exploits. Locating assets by operating system To view assets by the operating systems running on them. The console displays a page that lists all the assets running that operating system. including statistical charts and graphs and a list of assets. and the risk score. and vulnerability information about any asset. you can manage site assets and create site-level reports. policy listings. services. the column displays the vulnerabilities on page 92. You can click a link for the site to which the asset belongs to view information about the site. see Viewing active vulnerabilities on page 84 and Working with vulnerability exceptions on page 94. such as CVSS rating. On this page. The application only lists software for which it has credentials to scan. An exception to this would be when it discovers a vulnerability that permits root/admin access. and the type of program. and directories on that asset as discovered by the application. so you included only that address to be scanned in the site configuration. Viewing the discovered IPv6 address on the asset page allows you to include it for future scans. you can open a ticket for tracking the remediation of the vulnerabilities. For more information. For more information about the Vulnerabilities Listing table and how you can use it. See Using tickets on page 182. You also can click the link for any asset address or name to view information about it. In the Asset Properties table. Locating assets by software To view assets by the software running on them. risk score. You can view any asset fingerprints. The Security Console displays a page that lists all the assets running that program. the timing of a response. it can identify indicators about the asset’s hardware and operating system. the column displays the icon. risk. In the Discovered Instances pane. you can view a list of addresses. A description of the service appears in the top pane of the page. You can sort vulnerabilities according to any of these metrics Nexpose User’s Guide 81 . and ports for assets running the service. the table displays a special icon for any vulnerability that has been validated with an exploit. You also can click the link for any asset address or name to view information about it. Viewing the details about an asset The Security Console displays a page for each discovered asset. and severity rating. If a vulnerability has been validated with an exploit via a Metasploit module. You can also view information about software. Click the link for a program to view the assets that are running it. See Viewing the details about an asset on page 81. This may include addresses that have not been scanned. see the Software Listing table on the Assets page. The table lists any software that the application found running in your network. as well as products that are using them. the number of instances of program. Fingerprinting is a set of methods by which the application identifies as many details about the asset as possible. databases. you can view any reported vulnerabilities and any vulnerabilities excluded from reports. The page lists any exploits or malware kits associated with vulnerabilities to help you prioritize remediation based on these exposures. In the Vulnerability Listing table. and vulnerability information about any asset.The console displays a page for that service. see Working with validated base. If a vulnerability has been validated with an exploit published in the Exploit Dataicon. you may have only been aware of the IPv4 address. The table lists different security metrics. The Addresses field in the Asset Properties pane displays all addresses (separated by commas) that have been discovered for the asset. You can view any users or groups associated with the asset. By inspecting properties such as the specific bit settings in reserved areas of a buffer. You can view scan. increasing your security coverage. names. vulnerability publication date. you can run a scan or create a report for the asset. See Viewing the details about an asset on page 81. files. or a unique acknowledgement interchange. When configuring scan targets for your site. Additionally. For example: A given asset may have an IPv4 address and an IPv6 address. you can review the results of those checks in the Standard Policy Listing table. If results from a scan on a particular date reflect misconfigurations. For more information. Then you can locate the assets in that group using the steps described in Locating assets on page 78. Network misconfigurations result in higher asset counts. you can view more information about it. If you delete an asset from an asset group. Using the bulk asset deletion feature described in this topic. as well as any other asset groups in which it was previously included. see Working with Policy Manager results. If a scan on a particular date "rediscovered" these assets. NOTE: Deleting an asset from an asset group is different from removing an asset from an asset group. If you have scanned the asset with standard policy checks. The latter is performed in asset group management. it will also be deleted from the site that contained it. If any of the preceding situations apply to your environment. The deleted asset will no longer appear in the Web interface or reports other than historical reports. If you click the name of any listed policy. See Working with asset groups on page 120. it will no longer be included in the site or any asset groups in which it was previously included. Assets may have dynamic IP addresses that are constantly changing. you may want to delete assets scanned on that date. If you have scanned the asset with Policy Manager Checks. The page for a specific asset Deleting assets You may want to delete assets for one of several reasons: • • • Assets may no longer be active in your network. you may want to delete assets scanned on that date. such as trend reports. See Working with asset groups. Doing so allows you to order vulnerabilities according to these different metrics and get a quick view of your security posture and priorities. you can delete multiple inactive assets in one step. Nexpose User’s Guide 82 . a best practice is to create a dynamic asset group based on a scan date. such as other assets that were tested against that policy or the results of compliance checks for individual rules that make up the policy. you can view the results of those checks in the Policy Listing table. If you delete an asset from a site. If the asset is rediscovered in a future scan it will be regarded in the Web interface and future reports as a new asset. such as for Oracle or Lotus Domino.by clicking the column headings. To cancel your selection. take the following steps: 1. Click Delete Assets. After locating assets you want to delete. not all the assets in the site or asset group. 3. take the following steps: 1. 1. take the following step. 2. but your table is configured to display 25. click the Delete icon for each asset. Click Select Visible in the pop-up that appears. After locating assets you want to delete. software. or all-assets drill-downs. service. you can only select those 25 at one time. top row in the Asset Listing table. This step selects all of the assets currently displayed in the table. Deleting multiple assets in one step NOTE: Bulk asset deletion is not currently available for Asset Listing tables that you locate using operating system. 2.You can only delete assets in sites or asset groups to which you have access. click the top row in the Asset Listing table. For example. To delete individual assets that you locate by using the site or asset group drill-down described in Locating assets on page 78. Click Delete Assets. The Total Assets Selected field on the right side of the table indicates how many assets are contained in the site or asset group. or Service listing table as described in the preceding section. To delete assets that you locate by using the Asset. You will need repeat this procedure or increase the number of assets that the table displays to select all assets. click the top row in the Asset Listing table. select the row for each asset in the Asset Listing table. if a site contains 100 assets. To delete all the displayed assets that you locate by using the site or asset group drill-down. Then click Clear All in the popup that appears. NOTE: This procedure deletes only the assets displayed in the table. Operating System. After locating assets you want to delete. Deleting assets located via the operating system drill-down Nexpose User’s Guide 83 . Software. remote execution capability. depending on that user’s permissions. downloadable fixes. See Using Exploit Exposure on page 251. The application keeps the database current through a subscription service that maintains and updates vulnerability definitions and links. You also can find out which vulnerabilities have exploits available.0 to 10. Since Global Administrators have access to all assets in your organization. Viewing active vulnerabilities Viewing vulnerabilities and their risk scores helps you to prioritize remediation projects. credentialed access requirement.first. searchable database also stores information on patches. Click the Vulnerabilities tab that appears on every page of the console interface. An application algorithm computes the CVSS score based on ease of exploit.html).0. This extensive. they will see all the vulnerabilities in the database.Working with vulnerabilities Analyzing the vulnerabilities discovered in scans is a critical step in improving your security posture. is used in Payment Card Industry (PCI) compliance testing.org/cvss/cvss-guide. which lists all the vulnerabilities for assets that the currently logged-on user is authorized to see. risk level. go to the FIRST Web site (http://www. enabling you to verify those vulnerabilities. The score. By examining the frequency. and reference content about security weaknesses. The index rates vulnerabilities according to MITRE’s Common Vulnerabilities Scoring System (CVSS) Version 2. which ranges from 1. It contacts this service for new information every six hours. affected assets. you can prioritize its remediation and manage your security resources effectively. which standardizes the names of vulnerabilities across diverse security products and vendors. Every vulnerability that Nexpose discovers in the scanning process is added to vulnerability database. exploitability and other characteristics of a vulnerability. and other criteria. Nexpose User’s Guide 84 . The database has been certified to be compatible with the MITRE Corporation’s Common Vulnerabilities and Exposures (CVE) index. For more information about CVSS scoring. The Security Console displays the Vulnerabilities page. full-text. The Title column lists the name of each vulnerability. Two columns indicate whether each vulnerability exposes your assets to malware attacks or exploits. In the context of the application a published exploit is one that has been developed in Metasploit or listed in the Exploit Database. the console displays the Threat Listing pop-up window that lists all the malware kits that attackers can use to write and deploy malicious code for attacking your environment through the vulnerability. Click the Export to CSV icon . the console displays a malware exposure icon . Nexpose User’s Guide 85 . If you click the icon. If you click this icon the console displays the Threat Listing pop-up window that lists descriptions about all available exploits. and their online sources. You can also click the Exploits tab in the pop-up window to view published exploits for the vulnerability. Sorting entries according to either of these criteria helps you to determine at a glance which vulnerabilities may require immediate attention because they increase the likelihood of compromise. Depending on your browser settings. the console displays the ™ icon and a link to a Metasploit module that provides detailed exploit information and resources. For each discovered vulnerability that has at least one malware kit (also known as an exploit kit) associated with it. If a Metasploit exploit is available.The Vulnerabilities page You can change the sorting criteria by clicking any of the column headings in the Vulnerability Listing table. For each discovered vulnerability with an associated exploit the console displays a exploit icon. The Exploit Database is an archive of exploits and vulnerable software. you will see a pop-up window with options to save the file or open it in a compatible program. You can generate a comma-separated values (CSV) file of the malware kit list to share with others in your organization. their required skill levels. If the application previously discovered certain vulnerabilities because an asset permitted greater access. The Security Console displays a page listing all pertinent vulnerabilities. Make sure that your assets permit the highest level of access required for the scans you are running to prevent these problems. You can also click the Malware tab in the pop-up window to view any malware kits that attackers can use to write and deploy malicious code for attacking your environment through the vulnerability. The application provides two risk scoring models. Intermediate maps to Normal through Good. and risk scoring FAQs. you will see a pop-up window with options to save the file or open it in a compatible program. Your scan template configuration settings determine which categories or check types the application will scan for. you can view which specific assets are affected by the vulnerability. Expert maps to Manual through Low through Average. and Expert. Click the Export to CSV icon . vulnerability age and prevalence. indicating the potential danger that each vulnerability poses to an attacker exploits it. If you click the link for the vulnerability name. The CVSS Score column lists the score for each vulnerability. which you can access in the Support page. which lists any affected assets.com/redmine/projects/framework/wiki/Exploit_Ranking). and risk scoring FAQs. The risk model you select controls the scores that appear in the Risk column. For more information. The three severity levels—Critical. See the PCI. The application assigns each vulnerability a severity level. and whether exploits are available. CVSS. Nexpose User’s Guide 86 . The Risk column lists the risk score that the application calculates. NOTE: The severity ranking in the Severity column is not related to the severity score in PCI reports. may change the level of access that an asset permits during its next scan. even if no remediation has occurred. See Selecting a model for calculating risk scores in the administrator's guide. 1 to 3 = Moderate 4 to 7 = Severe 8 to 10 = Critical The Instances column lists the total number of instances of that vulnerability in your site. This may result in a lower number of reported vulnerabilities. See Viewing vulnerability details on page 91. Severe. that vulnerability data will no longer be available due to diminished access. see the PCI. such as new credentials.metasploit. These map to Metasploit's seven-level exploit ranking. see the Metasploit Framework page (http:// www. Using baseline comparison reports to list differences between scans may yield incorrect results or provide more information than necessary because of these changes. You can click the icon in the Exclude column for any listed vulnerability to exclude that vulnerability from a report. Depending on your browser settings. click the appropriate link. The Vulnerability Categories and Vulnerability Check Types tables list all categories and check types that the Application can scan for. • • • Novice maps to Great through Excellent. To determine if your environment has a vulnerability belonging to one of the listed checks or types. Click the link for any vulnerability to see its detail page. which is listed in the Severity column.There are three levels of exploit skill: Novice. To learn more about risk scores and how they are calculated. You can generate a comma-separated values (CSV) file of the exploit list and related data to share with others in your organization. which you can configure. CVSS. The application uses various factors to rate severity. which you can access in the Support page. and Moderate—reflect how much risk a given vulnerability poses to your network security. The Published On column lists the date when information about each vulnerability became available. An administrative change to your network. Intermediate. including CVSS scores. By filtering your view of vulnerabilities. Using the SHIFT key. For example. Filtering your view of vulnerabilities Your scans may discover hundreds. depending on the size of your scan environment. Working with filters and operators in vulnerability displays Filtering your view of vulnerabilities involves selecting one or more filters. Using the SHIFT key. Click a name to display vulnerabilities that affect assets in that asset group. which are criteria for displaying specific vulnerabilities. you can select multiple names. or even thousands. such as those with higher risk scores or CVSS rankings. For each filter you then select an operator. so that they are not displayed. Or you can restrict the view to vulnerabilities that pose a greater threat to your organization. Or you can restrict the view to vulnerabilities that pose a greater threat to your organization. of vulnerabilities. a Security Manager may only want to see vulnerabilities that affect assets in sites or asset groups that he or she manages. you can select multiple names. Site name is a filter for vulnerabilities that affect assets in specific sites. Click a name to filter out vulnerabilities that affect assets in that site. The is not operator displays a drop-down list of asset group names. you can select multiple names. Asset group name is a filter for vulnerabilities that affect assets in specific asset groups. and restrict the view to vulnerabilities that affect certain assets. The is not operator displays a drop-down list of site names. such as those with higher risk scores or CVSS rankings. and restrict the view to vulnerabilities that affect certain assets. you can select multiple names. For example. or even thousands. It works with the following operators: • • The is operator displays a drop-down list of site names. It works with the following operators: • • The is operator displays a drop-down list of asset group names. so that they are not displayed. Nexpose User’s Guide 87 . you can reduce the sheer number of those displayed. Using the SHIFT key. which controls how the filter is applied. A high number of vulnerabilities displayed in the Vulnerability Listing table may make it difficult to assess and prioritize security issues. Click a name to filter out vulnerabilities that affect assets in that asset group. of vulnerabilities. Click a name to display vulnerabilities that affect assets in that site. depending on the size of your scan environment. By filtering your view of vulnerabilities. you can reduce the sheer number of those displayed.Your scans may discover hundreds. A high number of vulnerabilities displayed in the Vulnerability Listing table may make it difficult to assess and prioritize security issues. Using the SHIFT key. a Security Manager may only want to see vulnerabilities that affect assets in sites or asset groups that he or she manages. The is not operator displays all vulnerabilities that do not have a specified CVSS score. enter a score in the blank field. If you enter more than one digit. Nexpose User’s Guide 88 . The is in the range of operator displays all vulnerabilities that fall within the range of two specified CVSS scores and include the high and low scores in the range. After you select an operator. the score is automatically rounded up.CVSS score is a filter for vulnerabilities with specific CVSS rankings. if you enter a score of 2. Acceptable values include any numeral from 0. you would enter a low score and a high score to create the range.25.0 to 10.3. The is lower than operator displays all vulnerabilities that have a CVSS score lower than a specified score. The is higher than operator displays all vulnerabilities that have a CVSS score higher than a specified score. It works with the following operators: • • • • • The is operator displays all vulnerabilities that have a specified CVSS score. You can only enter one digit to the right of the decimal. For example. If you select the range operator. the score is automatically rounded up to 2. 2. filters do not change the number of displayed instances for each vulnerability. you cannot select the Site name filter twice. In the Vulnerability Listing table. take the following steps: 1. click the Export to CSV link at the bottom of the Vulnerability Listing table.Risk score is a filter for vulnerabilities with certain risk scores. 4. operator. and value.000.button to remove filters. 3. For example. Nexpose User’s Guide 89 . 7. 6. Keep in mind your currently selected risk strategy when searching for assets based on risk scores. Use the . Click the Vulnerabilities tab of the Security Console Web interface. It works with the following operators: The is operator displays all vulnerabilities that have a specified risk score. After you select an operator. The Security Console displays the Vulnerabilities page. Repeat the steps for selecting the filter. Click Filter. Currently. The Security Console displays vulnerabilities that meet all filter criteria in the table. TIP: You can export the filtered view of vulnerabilities as a comma-separated values (CSV) file to share with members of your security team. If you want to specify more than one site name or asset name in the display criteria. Select a filter from the drop-down list. Enter or select a value based on the operator. expand the section to Apply Filters. you would type a low score and a high score to create the range. • The is higher than operator displays all vulnerabilities that have a risk score higher than a specified score. To do so. if the currently selected strategy is Real Risk. enter a score in the blank field. Applying vulnerability display filters To apply vulnerability display filters. • The is in the range of operator displays all vulnerabilities that fall within the range of two specified risk scores and include the high and low scores in the range. you will not find assets with scores higher than 1. For example. The is not operator displays all vulnerabilities that do not have a specified risk score. Learn about different risk score strategies. 5. Select an operator for the filter. • • NOTE: You can only use each filter once. • The is lower than operator displays all vulnerabilities that have a risk score lower than a specified score. Refer to the risk scores in your vulnerability and asset tables for guidance. use the SHIFT key to select multiple names when configuring the filter. Use the + button to add filters. If you select the range operator. Filtering the display of vulnerabilities Nexpose User’s Guide 90 . See Using tickets on page 182. The page for a specific vulnerability At the top of the page is a description of the vulnerability. such as its remediation steps. and the most recent date that Rapid7 modified information about the vulnerability. You also can click the site link to view information about the site.Viewing vulnerability details Click the link for any vulnerability listed on the Vulnerabilities page to view information about it. its severity level and CVSS rating. Below these items is a table listing each affected asset. You can click on the link for the device name or address to view all of its vulnerabilities. port. Nexpose User’s Guide 91 . The Status column lists a Vulnerable status for an asset if the application confirmed the vulnerability. The Port column in the Affected Assets table lists the port that the application used to contact the affected service or software during the scan. On the device page. The Security Console displays a page for that vulnerability. you can create a ticket for remediation. and the site on which a scan reported the vulnerability. the date that information about the vulnerability was made publicly available. It lists a Vulnerable Version status if the application only detected that the asset is running a version of a particular program that is known to have the vulnerability. including vulnerabilities. and other indicators of susceptibility.rapid7. or proven to exist. inspecting registry keys. which lists remediation steps and links for downloading patches and fixes. Nexpose User’s Guide 92 . If a Metasploit exploit is available. 5. It uses exploitation methods typically associated with hackers. and you know its name. Working with validated vulnerabilities There are many ways to sort and prioritize vulnerabilities for remediation. The Security Console displays the details page for the asset. After performing exploits in Metasploit. banners. At the very bottom of the page is the Solution pane. The References table. 2. icon. As discussed in the topic Viewing active vulnerabilities on page 84.com/docs/ DOC-2554) for performing vulnerability validation with Metasploit. 4. View the Exploits column ( the column displays the ) in the Vulnerability Listing table. click the Assets tab of the Nexpose Security Console Web interface. software version numbers. type all or part of the name in the Search box that appears on every page of the console interface. If a vulnerability has been validated with an exploit published in the Exploit Database. The Exploit Database is an archive of exploits and vulnerable software. These methods provide varying degrees of certainty that a vulnerability exists. The Malware table lists any malware kit that attackers can use to write and deploy malicious code for attacking your environment through the vulnerability. To sort the vulnerabilities according to whether they have been validated. 3. any vulnerability that has a published exploit associated with it is marked with a Metasploit or Exploit Database icon. lists links to Web sites that provide comprehensive information about the vulnerability. Locate an asset that you would like to see validated vulnerabilities for.The Proof column lists the method that the application used to detect the vulnerability on each asset. The application uses a number of methods to flag vulnerabilities during scans. To work in Nexpose with vulnerabilities that have been validated with Metasploit. which appears below the Affected Assets pane. If you wish to query the database for a specific vulnerability. One way is to give higher priority to vulnerabilities that have been validated. You can integrate Rapid7 Metasploit as a tool for validating vulnerabilities discovered in Nexpose scans and then have Nexpose indicate that these vulnerabilities have been validated on specific assets. Double-click the asset's name or IP address. take the following steps: 1. If a vulnerability has been validated with an exploit via a Metasploit module. which involves deploying code that penetrates your network or gains access to a computer through that specific vulnerability. The console displays a page of search results organized by different categories. the column displays the 6. click the title row in the Exploits column. icon. such as fingerprinting software versions known to be vulnerable. the console displays the ™ icon and a link to a Metasploit module that provides detailed exploit information and resources. See Locating assets on page 78. You can increase your certainty that a vulnerability exists by exploiting it. and click the magnifying glass icon. The Exploits table lists descriptions of available exploits and their online sources. NOTE: Metasploit is the only exploit application that the vulnerability validation feature supports. See a tutorial (https:// community. 2) vulnerabilities that can be validated with a Metasploit exploit. the descending sort order for this column is 1) vulnerabilities that have been validated with a Metasploit exploit. The asset details page with the Exposures legend highlighted Nexpose User’s Guide 93 . 3) vulnerabilities that have been validated with an Exploit database exploit. 4) vulnerabilities that can be validated with an Exploit database exploit.As seen in the following screen shot. applying a specific patch for a vulnerability may prevent an application from functioning. Below are scenarios in which it would be appropriate to exclude a false positive from an audit report. Understanding cases for excluding vulnerabilities There are several possible reasons for excluding vulnerabilities from reports. especially if the vulnerability poses minimal risk. Nexpose User’s Guide 94 . further reducing risk. Acceptable use: Organizations may have legitimate uses for certain practices that the application would interpret as vulnerabilities. an Apache update installed on an older Red Hat server may produce vulnerabilities that should be excluded as false positives. a merchant should be able to report a false positive. the application may discover a vulnerable service on an asset behind a firewall because it has credentialed access through the firewall. it may be preferable not to remediate a vulnerability if the vulnerability poses a low security risk and if remediation would be too expensive or require too much effort. anonymous FTP access may be a deliberate practice and not a vulnerability.or network-based intrusion prevention systems in place. the network may have host. a QSA or ASV would need to approve the exception. which can then be verified and accepted by a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV) in a PCI audit. For example. For example. technically. False positives: According to PCI criteria. In all cases. which. Re-engineering the application to work on the patched system may require too much time. or other resources to be justified. Additionally. money. If an exploit reports false positives on one or more assets. could prevent their organization from being PCI compliant. For example. it would be appropriate to exclude these results. Compensating controls: Network managers may mitigate the security risks of certain vulnerabilities. the merchant could argue that the firewall reduces any real risk under normal circumstances. • • Backporting may cause false positives. While this vulnerability could result in the asset or site failing the audit. It may be acceptable to exclude these vulnerabilities from the report under certain circumstances. For example.Working with vulnerability exceptions All discovered vulnerabilities appear in Vulnerabilities Listing table of the security console web interface. Your organization can exclude certain vulnerabilities from appearing in reports or affecting risk scores. Acceptable risk: In certain situations. you can take the following action: submit an exception request Submit Exception Request submit an exception request Review Vulnerability Exceptions approve or reject the request Submit Exception Request submit an exception request recall the exception delete the request Review Vulnerability Exceptions view and change the details of the approval. The range of actions you can take with respect to exceptions depends on the exception status. relevant dates. consult your system administrator. as well as your permissions. or site under review (and submitted by you) under review (submitted.. Submit Exception Request . as indicated in the following table: If the vulnerability has the following exception status. such as the personnel involved in requesting and approving the exception. but not approved or rejected) excluded for another instance. never been submitted for an exception previously approved and later deleted or expired under review (submitted. but not approved or rejected) approved Delete Vulnerability Exceptions . If you do now know what your permissions are. Understanding vulnerability exception permissions Your ability to work with vulnerability exceptions depends on your permissions. a user with this permission can wield a check and balance against users who have permission to review requests.. thus overturing the approval rejected approved or rejected Submit Exception Request Delete Vulnerability Exceptions Nexpose User’s Guide 95 .and you have the following permission.. Three permissions are associated with the vulnerability exception workflow: • • • Submit Vulnerability Exceptions: A user with this permission can submit requests to exclude vulnerabilities from reports. Understanding vulnerability exception status and work flow Every vulnerability has an exception status.NOTE: In order to comply with federal regulations. such as the Sarbanes-Oxley Act (SOX). and information about the exception. but not overturn the approval submit another exception request delete the exception.. This permission is significant in that it is the only way to overturn a vulnerability request approval. Review Vulnerability Exceptions: A user with this permission can approve or reject requests to exclude vulnerabilities from reports. Delete Vulnerability Exceptions: A user with this permission can delete vulnerability exceptions and exception requests... asset.. including vulnerabilities that have never been considered for exception. In that sense. it is often critically important to document the details of a vulnerability exception.. see Understanding cases for excluding vulnerabilities on page 94. The console displays the Vulnerabilities page. Only a Global Administrator can submit requests for global exceptions. 1. Select All instances if it is not already displayed from the Scope drop-down list. For example one of the assets affected by a particular vulnerability may be located in a DMZ. one of those ports is behind a firewall. review how many instances of the vulnerability have been discovered and how many assets are affected. Locate the vulnerability for which you want to request an exception. However. For example.Understanding different options for exception scope A vulnerability may be discovered once or multiple times on a certain asset. It’s also important to understand the circumstances surrounding each affected asset. 5. Select a reason for the exception from the drop-down list. 2. such as a firewall. You can create an exception for a single instance of a vulnerability. You can create an exception for all instances of a vulnerability in a site. Nexpose User’s Guide 96 . you may want to exclude that vulnerability globally. The following way is easiest for a global exception. Or perhaps it only runs for very limited periods of time for a specific purpose. You may want to exclude the vulnerability instance that affects that protected port. If an exception request was previously submitted and then rejected. Look at the Exceptions column for the located vulnerability. This column displays one of several possible actions. if in all instances a compensating control is in place. You can control the scope of the exception by using one of the following options when submitting a request: • • • • You can create an exception for all instances of a vulnerability on all affected assets. Before you submit a request for a vulnerability exception. 4. As with global exceptions. If an exception request has not previously been submitted for that vulnerability. However. see Understanding cases for excluding vulnerabilities on page 94. 3. making it less sensitive. read the displayed reasons for the rejection and the user name of the reviewer. you may have many instances of a vulnerability related to an open SSH port. If it was submitted and then rejected. Locate the vulnerability in the Vulnerability Listing table. 7. For information about exception reasons. TIP: If a vulnerability has an action icon other than Exclude. A Vulnerability Exception dialog box appears. Submitting or re-submitting a request for a global vulnerability exception A global vulnerability exception means that the application will not report the vulnerability on any asset in your environment that has that vulnerability. Click the Vulnerabilities tab of the Security Console Web interface. For example. The vulnerability may also be discovered on hundreds of assets. Click the icon. 6. There are several ways to locate to a vulnerability. such as all of a site’s assets being located behind a firewall. Create and submit the exception request. a typical reason for a site-specific exclusion is a compensating control. the column displays an Exclude icon. a vulnerability may be discovered on each of several ports on a server. You can create an exception for all instances of a vulnerability on a single asset. the column displays a Resubmit icon. This is helpful for tracking previous decisions about the handling of this vulnerability. If an exception request has not previously been submitted for that vulnerability. the vulnerability no longer appears in the list on the Vulnerabilities page. Verify the exception (if you submitted and approved it). 4. Nexpose User’s Guide 97 . See Locating assets by sites on page 79. the column displays a Resubmit icon. (Optional) Click the Assets tab and use the Sites option to find a vulnerability on an asset in a specific site. additional comments are required. 11. see Understanding cases for excluding vulnerabilities on page 94. There are several ways to locate to a vulnerability. These are especially helpful for a reviewer to understand your reasons for the request. Click the Administration tab. Locate the exception in the Vulnerability Exception Listing table. 10. Click the icon. Enter additional comments. 12. the column displays an Exclude icon. Submitting or re-submitting an exception request for all instances of a vulnerability on a specific site Locate the vulnerability for which you want to request an exception. If an exception request was previously submitted and then rejected. Create and submit an individual exception request. Click the Vulnerabilities tab of the Security Console Web interface. NOTE: If a vulnerability has an action link other than Exclude. 4. 14. These are especially helpful for a reviewer to understand your reasons for the request. 1. NOTE: Only a Global Administrator can submit and approve a vulnerability exception. 9. If you select Other as a reason from the drop-down list. NOTE: If you select Other as a reason from the drop-down list. The console displays the Administration page. Locate the vulnerability in the Vulnerability Listing table. 2. Enter additional comments. additional comments are required. Find an asset in a particular site for which you want to exclude vulnerability instances in the Affects table of the vulnerability details page. This is helpful for tracking previous decisions about the handling of this vulnerability. The console displays the Vulnerabilities page. If it was submitted and then rejected. 3. Locate the vulnerability in the Vulnerability Listing table. 5. Select All instances in this site from the Scope drop-down list. Click the Manage link for Vulnerability Exceptions. 13. Select a reason for the exception from the drop-down list. A Vulnerability Exception dialog box appears. 2. Click Submit & Approve to have the exception take effect. Look at the Exceptions column for the located vulnerability. After you approve an exception. 3. read the displayed reasons for the rejection and the user name of the reviewer. and click the link for it. For information about exception reasons. (Optional) Click Submit to place the exception under review and have another individual in your organization review it.8. and click the link for it. The following ways are easiest for a site-specific exception: 1. 5. see Understanding cases for excluding vulnerabilities on page 94. for example. or click Resubmit for vulnerabilities that have been rejected for exception. 1. 4. After going to the Vulnerability Listing table as described in the preceding section. it will only apply to vulnerabilities that have not been excluded. For example. they all have the same compensating control. 1. After you approve an exception. Click Submit to place the exception under review and have another individual in your organization review it. The following ways are easiest for an asset-specific exception. Then select the pop-up option Select Visible. Click Submit & Approve to have the exception take effect. Then select the pop-up option Clear All. Locate the exception in the Vulnerability Exception Listing table. Click the Manage link for Vulnerability Exceptions. if the Vulnerabilities Listing table includes vulnerabilities that are under review or rejected. 2. 4. click the check box in the top row. Click the Vulnerabilities tab of the security console Web interface. 2. This procedure is useful if you want to exclude a large number of vulnerabilities because. 3. simultaneous exception requests. There are several ways to locate to a vulnerability. The console displays the Vulnerabilities page. Submitting or re-submitting an exception request for all instances of a vulnerability on a specific asset Locate the vulnerability for which you want to request an exception. The console displays the Administration page. 2. NOTE: If you select all listed vulnerabilities for exclusion. Locate the vulnerability in the Vulnerability Listing table. Click the Administration tab. select the row for each vulnerability that you want to exclude. Click Exclude for vulnerabilities that have not been submitted for exception.6. the global exclusion will not apply to them. the vulnerability no longer appears in the list on the Vulnerabilities page. The same applies for global resubmission: It will only apply to listed vulnerabilities that have been rejected for exclusion. OR To select all the vulnerabilities displayed in the table. 7. and click the link for it. Nexpose User’s Guide 98 . 1. Selecting multiple vulnerabilities Verify the exception (if you submitted and approved it). Create and submit multiple. click the top row. If you've selected multiple vulnerabilities but then want to cancel the selection. Proceed with the vulnerability exception workflow as described in the preceding section. 3. 8. 6. After you approve an exception. On the details page of the affected asset. 6. the vulnerability no longer appears in the list on the Vulnerabilities page. If an exception request was previously submitted and then rejected. or click Resubmit for vulnerabilities that have been rejected for exception. If it was submitted and then rejected. (Optional) Click the Assets tab and use one of the displayed options to find a vulnerability on an asset. Proceed with the vulnerability exception workflow as described in the preceding section. Create and submit multiple. These are especially helpful for a reviewer to understand your reasons for the request. This column displays one of several possible actions. 3. Enter additional comments. 6. simultaneous exception requests. Create and submit an individual exception request. 4. If you've selected multiple vulnerabilities but then want to cancel the selection. Select All instances on this asset from the Scope drop-down list. Click Submit & Approve to have the exception take effect. See Locating assets on page 78. A Vulnerability Exception dialog box appears. Click the Manage link for Vulnerability Exceptions. for example. 2. Click the link for the asset that includes the instances of the vulnerability that you want to have excluded in the Affects table of the vulnerability details page. select the row for each vulnerability that you want to exclude. Locate the vulnerability in the Vulnerability Listing table on the asset page. it will only apply to vulnerabilities that have not been excluded. read the displayed reasons for the rejection and the user name of the reviewer. The same applies for global resubmission: It will only apply to listed vulnerabilities that have been rejected for exclusion. 2. For example. Look at the Exceptions column for the located vulnerability. Locate the exception in the Vulnerability Exception Listing table. if the Vulnerabilities Listing table includes vulnerabilities that are under review or rejected. NOTE: If you select Other as a reason from the drop-down list. the column displays a Resubmit icon. see Understanding cases for excluding vulnerabilities on page 94. 3. Verify the exception (if you submitted and approved it). 4. 5. 5. Click Exclude for vulnerabilities that have not been submitted for exception. Click the icon. 7. the column displays an Exclude icon. (Optional) Click Submit to place the exception under review and have another individual in your organization review it. click the check box in the top row. NOTE: If you select all listed vulnerabilities for exclusion. 5. This is helpful for tracking previous decisions about the handling of this vulnerability. OR To select all the vulnerabilities displayed in the table. Then select the pop-up option Select Visible. and click the link for it. Nexpose User’s Guide 99 . additional comments are required. After going to the Vulnerability Listing table as described in the preceding section. they all have the same compensating control. 1. 4. locate the vulnerability in the Vulnerability Listing table. If an exception request has not previously been submitted for that vulnerability.3. click the top row. 1. This procedure is useful if you want to exclude a large number of vulnerabilities because. NOTE: If a vulnerability has an action link other than Exclude. the global exclusion will not apply to them. Then select the pop-up option Clear All. The console displays the Administration page. Click the Administration tab. Locate the instance of the vulnerability for which you want to request an exception. additional comments are required. 1. Select a reason for requesting the exception from the drop-down list. Click the icon. the column displays a Resubmit icon. see Understanding cases for excluding vulnerabilities on page 94.Submitting or re-submitting an exception request for a single instance of a vulnerability When you create an exception for a single instance of a vulnerability. Create and submit an individual exception request. and additional data match. 5. Locate the vulnerability in the Vulnerability Listing table on the asset page. the application will not report the vulnerability against the asset if the device. If an exception request has not previously been submitted for that vulnerability. For information about exception reasons. 3. the column displays an Exclude icon. and click the link for it. See Locating assets on page 78. NOTE: If a vulnerability has an action link other than Exclude. 6. Locate the affected asset in the in the Affects table on the details page for the vulnerability. and click the link for it. This column displays one of several possible actions. port. 1. 2. Click Submit & Approve to have the exception take effect. Select Specific instance on this asset from the Scope drop-down list. Click the Vulnerabilities tab of the security console Web interface. 4. If you select Other as a reason from the drop-down list. 2. 5. (Optional) Click Submit to place the exception under review and have another individual in your organization review it. Nexpose User’s Guide 100 . 4. If it was submitted and then rejected. Look at the Exceptions column for the located vulnerability. If an exception request was previously submitted and then rejected. see Understanding cases for excluding vulnerabilities on page 94. Locate the vulnerability in the Vulnerability Listing table on the Vulnerabilities page. There are several ways to locate to a vulnerability. you can view the reasons for the rejection and the user name of the reviewer in a note at the top of the box. Enter additional comments. These are especially helpful for a reviewer to understand your reasons for the request. 3. A Vulnerability Exception dialog box appears. The following way is easiest for a site-specific exception. (Optional) Click the Assets tab and use one of the displayed options to find a vulnerability on an asset. if the exception is for all instances of the vulnerability on a single asset. locate that asset in the Affects table on the details page for the vulnerability. 2. if the Vulnerabilities Listing table includes vulnerabilities that are under review or rejected. Nexpose User’s Guide 101 . Click Recall in the Vulnerability Exception dialog box. The console displays the Administration page. Then select the pop-up option Clear All. 2. Click the Under Review link. Proceed with the vulnerability exception workflow as described in the preceding section. Click the Administration tab. The location depends on the scope of the exception. After going to the Vulnerability Listing table as described in the preceding section. 4. or cancel. the vulnerability no longer appears in the list on the Vulnerabilities page. 1. for example. they all have the same compensating control. Locate the exception request. For example.Create and submit multiple. Verify the exception (if you submitted and approved it). 1. you can recall it. If the link in the Exceptions column is Under review. The link in the Exceptions column changes to Exclude. If you've selected multiple vulnerabilities but then want to cancel the selection. 2. 4. This procedure is useful if you want to exclude a large number of vulnerabilities because. a vulnerability exception request that you submitted if its status remains under review. simultaneous exception requests. it will only apply to vulnerabilities that have not been excluded. OR To select all the vulnerabilities displayed in the table. Recalling an exception request that you submitted You can recall. Recall an individual vulnerability exception request. 1. 3. NOTE: If you select all listed vulnerabilities for exclusion. select the row for each vulnerability that you want to exclude. and verify that it is still under review. For example. 5. the global exclusion will not apply to them. After you approve an exception. Then select the pop-up option Select Visible. click the top row. Locate the exception in the Vulnerability Exception Listing table. click the check box in the top row. Click the Manage link for Vulnerability Exceptions. The same applies for global resubmission: It will only apply to listed vulnerabilities that have been rejected for exclusion. or click Resubmit for vulnerabilities that have been rejected for exception. 3. Click Exclude for vulnerabilities that have not been submitted for exception. Locate the exception request. you can either approve or reject it.Recall multiple. 1. that you want to accept or reject multiple requests for the same reason. For example. for example. 3. Doing so may be helpful for the submitter. if the Vulnerabilities Listing table includes vulnerabilities that have not been excluded. 1. 3. to select all requests for review. This procedure is useful if you want to recall a large number of requests because. select each desired row. simultaneous exception requests. 3. Proceed with the recall workflow as described in the preceding section. click the Manage link next to Vulnerability Exceptions. On the Administration page. After locating the exception request as described in the preceding section. Enter comments in the Reviewer’s Comments text box. click the check box in the top row. Then select the pop-up option Select Visible. click the calendar icon and select a date. you may want the exception to be in effect only until a PCI audit is complete. select the row for each vulnerability that you want to exclude. Click Recall. 1. To select multiple requests for review. depending on your decision. Locate the request in the Vulnerability Exception Listing table. you've learned that since you submitted them it has become necessary to include them in a report. The result of the review appears in the Review Status column. Then select the pop-up option Clear All. for example. 4. If you've selected multiple vulnerabilities but then want to cancel the selection. 2. 5. or have been rejected for exclusion. Click the Under review link in the Review Status column. Click Approve or Reject. 2. For example. Nexpose User’s Guide 102 . click the top row. Review the request(s). the global recall will not apply to them. Click the Administration tab of the security console Web interface. Read the comments by the user who submitted the request and decide whether to approve or reject the request. NOTE: If you select all listed vulnerabilities for recall. If you want to select an expiration date for the review decision. OR To select all the vulnerabilities displayed in the table. select the top row. 2. Selecting multiple requests is useful if you know. OR. Reviewing an exception request Upon reviewing a vulnerability exception request. it will only apply to vulnerabilities that are under review. 2. Delete the request(s). to select all requests for deletion. which means that a user with appropriate permission can submit an exception request for it. 3. select each desired row. Nexpose User’s Guide 103 . Locate the request in the Vulnerability Exception Listing table. To select multiple requests for deletion. 4. Locate the exception or exception request. Click the Administration tab of the Security Console Web interface. Viewing vulnerability exceptions in the Report Card report When you generate a report based on the default Report Card template. The entry(ies) no longer appear in the Vulnerability Exception Listing table. Click the Manage link next to Vulnerability Exceptions. Click the Delete icon. The Security Console displays the Administration page. select the top row. 1.Selecting multiple requests for review Deleting a vulnerability exception or exception request Deleting an exception is the only way to override an approved request. each vulnerability exception appears on the vulnerability list with the reason for its exception. OR. The affected vulnerability(ies) appear in the appropriate vulnerability listing with an Exclude icon. 1. Exception suppressed version-checked vulnerability exception-vulnerable-potential . See Vulnerability Exceptions on page 286.Exception suppressed potential vulnerability CSV: The vulnerability result-code column will be set to one of the following values for vulnerabilities suppressed due to an exception. XML: The vulnerability test status attribute is set to one of the following values for vulnerabilities suppressed due to an exception: exception-vulnerable-exploited . exception information is also available.Exception suppressed exploited vulnerability exception-vulnerable-version . Report templates include a section dedicated to exceptions. Each code corresponds to results of a vulnerability check: Nexpose User’s Guide 104 . In XML and CSV reports.How vulnerability exceptions appear in XML and CSV formats Vulnerability exceptions can be important for the prioritization of remediation projects and for compliance audits. Nexpose User’s Guide 105 . sd (skipped because of DoS settings): sd (skipped because of DOS settings)—If unsafe checks were not enabled in the scan template. nt (no tests): There were no checks to perform. version check): A check was excluded. vv (vulnerable. version check): The check was positive. vp (vulnerable. nv (not vulnerable): The check was negative. ep (excluded. ov (overridden. version check): A check for a vulnerability that would ordinarily be positive because the version of the target service or application is associated with known vulnerabilities was negative due to information from other checks. disabled): A check was not performed because it was disabled in the scan template. er (error during check): An error occurred during the vulnerability check. The version of the scanned service or software is associated with known vulnerabilities. It is for a vulnerability that can be identified because the version of the scanned service or application is associated with known vulnerabilities. uk (unknown): An internal issue prevented the application from reporting a scan result. An exploit verified the vulnerability. exploited): A check for an exploitable vulnerability was excluded. ve (vulnerable. exploited): The check was positive. sv (skipped because of inapplicable version): the application did not perform a check because the version of the scanned item is not in the list of checks. ee (excluded.Each code corresponds to results of a vulnerability check: • • • • • • • • • • • • • • ds (skipped. potential): The check for a potential vulnerability was positive. ev (excluded. potential): A check for a potential vulnerability was excluded. the application skipped the check because of the risk of causing denial of service (DOS). See Configuration steps for vulnerability check settings on page 204. Standard policies are available with all licenses and include the following: • • • • • Oracle policy Lotus Domino policy Windows Group policy AS/400 policy CIFS/SMB Account policy You can view the results of standard policy checks on a page for a specific asset that has been scanned with one of these checks. government agency. You can also view test results of individual policies and rules to determine where specific remediation efforts are required so that you can make assets compliant. Distinguishing between Policy Manager and standard policies NOTE: You can only view policy test results for assets to which you have access. a vendor that transacts business with the government. The Policy Manager is a license-enabled feature that includes the following policy checks: • • • • • USGCB 2.0 policies (only available with a license that enables USGCB scanning) USGCB 1. This section specifically addresses Policy Manager results. Or you may be testing assets for compliance with customized policies based on these standards. or a company with strict configuration security policies. Center for Internet Security (CIS) benchmarks. you can view information that answers the following questions: • • • • • What is the overall rate of compliance for assets in my environment? Which policies are my assets compliant with? Which policies are my assets not compliant with? If my assets have failed compliance with a given policy. you may be running scans to verify that your assets comply with United States Government Configuration Baseline (USGCB) policies. which specific policy rules are they not compliant with? Can I change the results of a specific rule compliance test? Viewing the results of configuration assessment scans enables you to quickly determine the policy compliance status of your environment.S.Working with Policy Manager results If you work for a U. Nexpose User’s Guide 106 . or Federal Desktop Core Configuration (FDCC).0 policies (only available with a license that enables USGCB scanning) Center for Internet Security (CIS) benchmarks (only available with a license that enables CIS scanning) FDCC policies (only available with a license that enables FDCC scanning) Custom policies that are based on USGCB or FDCC policies or CIS benchmarks (only available with a license that enables custom policy scanning) You can view the results of Policy Manager checks on the Policies page or on a page for a specific asset that has been scanned with Policy Manager checks. Standard policies are not covered in this section. This is true for Policy Manager and standard policies. After running Policy Manager scans. or other criteria. go to the Policies page by clicking the Policies tab on any page of the Web interface. Another example of a category might be Custom. Categories are listed under the Category heading. Each policy consists of specific rules. Statistical graphics on the Policies pages The Policy Listing table shows the number of assets that passed and failed compliance checks for each policy. Any percentage below 100 indicates failure to comply with the policy The Policy Listing table also includes columns for copying. The category for any USGCB 2. and deleting policies. and checks are run for each rule. You can use these statistics to gauge your overall compliance status and identify compliance issues. The page lists tested policies for all assets to which you have access. a pie chart shows the ratio of passed and failed policy checks.0 policy is listed as USGCB. For more information about these options. The table also includes a Rule Compliance column. editing. See Creating a custom policy on page 222. which would include custom policies based on built-in Policy Manager policies. A line graph shows compliance trends for the most tested policies over time. purpose. Home tool bar Policies tab At the top of the page. The Rule Compliance column shows the percentage of rules with which assets comply for each policy. Nexpose User’s Guide 107 .Getting an overview of Policy Manager results If you want to get a quick overview of all the policies for which you’ve run Policy Manager checks. depending on its source.0 or USGCB 1. It also includes the following columns: • • • • • Each policy is grouped in a category within the application. The y-axis shows the percentage of assets that comply with each listed policy. The Asset Compliance column shows the percentage of tested assets that comply with each policy. The Asset Compliance column lists each asset’s percentage of compliance with all the rules that make up the policy. For example. Nexpose User’s Guide 108 . For information about overrides. The table also includes an Override column. The Tested Assets table lists each asset that was tested against the policy and the results of each test. a particular policy shows less than 100 percent rule compliance (which indicates failure to comply with the policy) or less than 100 percent asset compliance . The table also lists general asset and rule compliance statistics for the policy. An Overview table lists general information about how the policy is identified. A Not Applicable result means that the policy compliance test doesn’t apply to the asset. See Viewing the details about an asset on page 81. see Overriding rule test results on page 111. The Policy Rule Compliance Listing table lists every rule that is included in the policy. and general information about each asset. Understanding results for policies and rules • • • A Pass result means that the asset complies with all the rules that make up the policy. You can click the link for any listed asset to view more details about it. Assets with lower compliance percentages may require more remediation work than other assets. and the number of assets that failed. a pie chart shows the ratio of assets that passed the policy check to those that failed. Two line graphs show the five most and least compliant assets. the number of assets that passed compliance tests. For example.Viewing results for a Policy Manager policy After assessing your overall compliance on the Policies page. you can view details about a policy in the Policy Listing table by clicking the name of that policy. some of which are included in the policy. The Policy Compliance column indicates the percentage of policy rules with which the asset does comply. At the top of the page. a check for compliance with Windows Vista configuration policies would not apply to a Windows XP asset. On the Policies page. A Fail result means that the asset does not comply with at least one of the rules that makes up the policy. Clicking a policy name to view information about it The Security Console displays a page about the policy. you may want to view more specific information about a policy. The benchmark ID refers to an exhaustive collection of rules. TIP: You can also view results of Policy Manager checks for a specific asset on the page for that asset. You may want to learn why assets failed to comply or which specific rule tests resulted in failure. the application tests an asset for compliance with each of the rules of the policy. you can isolate the configuration issues that are preventing your assets from being policy-compliant. In the Policy Listing table. 3. The Security Console displays the page for the rule. By viewing results for each rule test. click the link for any rule that you want to view details for. The Security Console displays the page for the policy. This information can be useful if some remediation work has been done on the asset since the scan date. which might warrant overriding a Fail result or rescanning. Viewing a rule’s results for all tested assets By viewing the test results for all assets against a rule. When performing a Policy Manager check. you can quickly determine which assets require remediation work in order to become compliant. The table also lists the date of the most recent scan for each rule test. The Security Console displays the Policies page. as well as the name and benchmark ID for the policy that the rule is a part of.Viewing information about policy rules Every policy is made up of individual configuration rules. The Tested Assets table lists each asset that was tested for compliance with the rule and the result of the result of each test. In the Policy Rule Compliance Listing table. TIP: Mouse over a rule name to view a description of the rule. Click the Policies tab. The Overview table displays general information that identifies the rule. 2. including its name and category. 1. click the name of a policy for which you want to view rule details. Policy Rule Compliance Listing table on a policy page Nexpose User’s Guide 109 . and the most recent date that the rule was updated in the National Vulnerability Database. The Security Console displays the page for the policy. the specific platform to which the rule applies. The References table lists documentation sources to which the rule refers for detailed source information as well as values that indicate the specific information in the documentation source. The Security Console displays the page for the asset. CCE is a standard for identifying and correlating configuration data. The application applies any current CCE updates with its automatic content updates. The Security Console displays the Policies page. The Security Console displays the page for the rule. In the Configuration Policy Rules table. affected platform.Viewing CCE data for a rule Every rule has a Common Configuration Enumerator (CCE) identifier. click the name of the rule for which you want to view CCE data. and most recent date that the rule was modified in the National Vulnerability Database. The page provides the following information: NOTE: The application applies any current CCE updates with its automatic content updates. In the Configuration Policy Rule CCE Data table. 5. Click the link for the rule’s CCE identifier. The Parameters table lists the parameters required to implement the rule on each tested asset. Click the Policies tab. 1. Or. Nexpose User’s Guide 110 . 2. The Technical Mechanisms table lists the methods used to test compliance with the rule. it may be simply useful to have the data available for reference. click the IP address or name of an asset that has been tested against the policy. The Configuration Policy Rules table lists the policy and the policy rule name for every imported policy in the application. 3. description. The Security Console displays the page for the rule. The Security Console displays the CCE data page. You may find it useful to analyze a policy rule’s CCE data. 4. allowing this data to be shared by multiple information sources and tools. view the rule’s CCE identifier. 6. • • • • • The Overview table displays the rule Common Configuration Enumerator (CCE) identifier. In the Tested Assets table. The information may help you understand the rule better or to remediate the configuration issue that caused an asset to fail the test. click the name of a policy for which you want to view rule details. In the Policy Listing table. When overriding a result. you will have a number of options for the scope of the override: Global: You can override a rule for all assets in all sites. This override will apply to all future scans. All overrides and their reasons are incorporated. you will be required to enter your reason for doing so. NOTE: These permissions also include access to activities related to vulnerability exceptions. For this reason. government reviews in the certification process. These permissions apply specifically to Policy Manager policies. Another user can also override your override. along with the policy check results. unless you override it again.S. Overrides are not identified as such in the XCCDF Human Readable CSV Report format. a test result for a particular rule on a particular asset for any of several reasons: • • • You disagree with the result. See Managing users and authentication in the administrator’s guide. you can override a Fail result for the remote desktop rule in that site. Review Vulnerability Exceptions and Policy Overrides: A user with this permission can approve or reject requests to override policy rule results. consult your Global Administrator. unless you override it again. If all of the engineering department’s assets are contained within a site. This rule does not make sense for your organization if your IT department administers all workstations via remote desktop access. For example. Understanding Policy Manager override permissions Your ability to work with overrides depends on your permissions.Overriding rule test results You may want to override. This override will apply to all future scans. The most recent override for any rule is also identified in the XCCDF Results XML Report format. Understanding override scope options When overriding a rule result. See Working with report formats on page 173. If you do not know what your permissions are. This scope is useful if assets are failing a policy that includes a rule that isn’t relevant to your organization. and so on. All assets in a specific site: This scope is useful if a policy includes a rule that isn’t relevant to a division within your organization and that division is encompassed in a site. Three permissions are associated with policy override workflow: • • • Submit Vulnerability Exceptions and Policy Overrides: A user with this permission can submit requests to override policy test results. Nexpose User’s Guide 111 . your organization disables remote desktop administration except for the engineering department. For example. Yet another user can perform another override. into the documentation that the U. You have remediated the configuration issue that produced a Fail result. The CSV format displays each current test result as of the most recent override. The rule does not apply to the tested asset. you can track all the overrides for a rule test back to the original result in the Security Console Web interface. or change. Delete Vulnerability Exceptions and Policy Overrides: A user with this permission can delete policy test result overrides and override requests. an FDCC policy includes a rule for disabling remote desktop access. 2. your organization disables remote desktop administration. A rule’s override history Nexpose User’s Guide 112 . This override will apply to all future scans. You can override the Fail result for that specific scan. The Override Status column lists whether the override has been submitted.All scan results for a single asset: This scope is useful if a policy includes a rule that isn’t relevant for small number of assets. See the rule’s Override History table. Select the rule you want to view the override history of in the Configuration Policy Rules table. 3. approved. and the result after the override. or expired. Click the Policies tab. and the asset failed the test for the remote desktop rule. Select the policy you want to review. the date it occurred. During that time window. Click the name or IP address of an asset in the Tested Assets table. For example. rejected. a policy scan was run. However. and it will not apply to future scans. For example. The Security Console displays the page for the asset. A specific scan result on a single asset: This scope is useful if a policy includes a rule that wasn’t relevant at a particular point in time but will be relevant in the future. The Security Console displays the Policies page. 4. unusual circumstances required the feature to be enabled temporarily on an asset so that a remote IT engineer could troubleshoot it. your organization disables remote desktop administration except for three workstations. The Security Console displays the page for the rule. Viewing a rule’s override history It may be helpful to review the overrides of previous users to give you additional context about the rule or a tested asset. You can override a Fail result for the remote desktop rule for each of those three specific assets. unless you override it again. 1. which lists each override for the rule. 5. click Submit and approve. The Security Console displays the page for the policy. In the Policy Listing table. Fixed indicates that the issue that caused a Fail result has been remediated. 3. The Security Console displays the Policies page. In the Policy Rule Compliance Listing table. The override request appears in the Override History table of the rule page. 2. If you only have override request permission. Nexpose User’s Guide 113 . Click the Policies tab. click the name of the policy that includes the rule for which you want to override the result. A reason is required. 4. The Security Console displays a Create Policy Override pop-up window. 6. Pass indicates that you consider an asset to be compliant with the rule. OR If you have override approval permission. click Submit to place the override under review and have another individual in your organization review it. A Fixed override will cause the result to appear as a Pass in reports and result listings. click the Override icon for the rule that you want to override. Select an override type from the drop-down list: • • • • 5. Enter your reason for requesting the override. Not Applicable indicate that the rule does not apply to the asset. Fail indicates that you consider an asset to be non-compliant with the rule.Submitting an override of a rule for all assets in all sites 1. Fixed indicates that the issue that caused a Fail result has been remediated. 2. click the name or IP address of an asset. The Security Console displays a Create Policy Override pop-up window. The Security Console displays the Policies page. 6. Note that the navigation bread crumb for the page includes the site that contains the asset. • • • • Pass indicates that you consider an asset to be compliant with the rule. In the Policy Listing table.Submitting an override of a rule for all assets in a site 1. click the Override icon for the rule that you want to override. The Security Console displays the page for the asset. The Security Console displays the page for the policy. In the Tested Assets table. Not Applicable indicate that the rule does not apply to the asset. In the Configuration Policy Rules table. Fail indicates that you consider an asset to be non-compliant with the rule. Click the Policies tab. The page for an asset selected from a policy page 4. Nexpose User’s Guide 114 . 3. A Fixed override will cause the result to appear as a Pass in reports and result listings. Select an override type from the drop-down list: 5. Select All assets from the Scope drop-down list. click the name of the policy that includes the rule for which you want to override the result. click the name or IP address of an asset. Enter your reason for requesting the override. Nexpose User’s Guide 115 .7. Click the Policies tab. Submitting an override of a rule for all scans on a specific asset 1. 3. The Security Console displays the page for the policy. click the name of the policy that includes the rule for which you want to override the result. click Submit and approve. click the Override icon for the rule that you want to override. 6. Note that the navigation bread crumb for the page includes the site that contains the asset. Submitting a site-specific override 8. In the Policy Listing table. The override request appears in the Override History table of the rule page. Select This asset only from the Scope drop-down list. 4. Fail indicates that you consider an asset to be non-compliant with the rule. A reason is required. The Security Console displays a Create Policy Override pop-up window. In the Configuration Policy Rules table. A Fixed override will cause the result to appear as a Pass in reports and result listings. The Security Console displays the page for the asset. Fixed indicates that the issue that caused a Fail result has been remediated. In the Tested Assets table. click Submit to place the override under review and have another individual in your organization review it. The Security Console displays the Policies page. 5. Not Applicable indicate that the rule does not apply to the asset. Select an override type from the drop-down list: • • • • Pass indicates that you consider an asset to be compliant with the rule. If you only have override request permission. OR If you have override approval permission. 2. 5. The Security Console displays a Create Policy Override pop-up window. 6. The Security Console displays the page for the policy. The override request appears in the Override History table of the rule page. Select This rule on this asset only from the Scope drop-down list. Submitting an override of a rule for a specific scan on a single asset 1. If you only have override request permission. Note that the navigation bread crumb for the page includes the site that contains the asset. In the Configuration Policy Rules table. A Fixed override will cause the result to appear as a Pass in reports and result listings. Select an override type from the drop-down list: • • • • Pass indicates that you consider an asset to be compliant with the rule. OR If you have override approval permission. The Security Console displays the page for the asset. The Security Console displays the Policies page. click Submit and approve. click the name or IP address of an asset. 3. 4. Fixed indicates that the issue that caused a Fail result has been remediated. Nexpose User’s Guide 116 . click the Override icon for the rule that you want to override. Enter your reason for requesting the override. Fail indicates that you consider an asset to be non-compliant with the rule. Submitting an asset-specific override 8. click the name of the policy that includes the rule for which you want to override the result. A reason is required. click Submit to place the override under review and have another individual in your organization review it. Not Applicable indicate that the rule does not apply to the asset. 2. In the Tested Assets table. In the Policy Listing table.7. Click the Policies tab. 7. Enter your reason for requesting the override. A reason is required. Submitting an asset-specific override 8. If you only have override request permission, click Submit to place the override under review and have another individual in your organization review it. The override request appears in the Override History table of the rule page. OR If you have override approval permission, click Submit and approve. Reviewing an override request Upon reviewing an override request, you can either approve or reject it. 1. 2. 3. 4. 5. 6. Click the Administration tab of the Security Console Web interface. On the Administration page, click the Manage link next to Exceptions and Overrides. Locate the request in the Configuration Policy Override Listing table. To select multiple requests for review, select each desired row. OR, to select all requests for review, select the top row. Click the Under review link in the Review Status column. In the Review Status dialog box, read the comments by the user who submitted the request and decide whether to approve or reject the request. Selecting an override request to review 7. 8. Enter comments in the Reviewer’s Comments text box. Doing so may be helpful for the submitter. If you want to select an expiration date for override, click the calendar icon and select a date. Nexpose User’s Guide 117 9. Click Approve or Reject, depending on your decision. Approving an override request The result of the review appears in the Review Status column. Also, if the rule has never been previously overridden and the override request has been approved, its entry will switch to Yes in the Active Overrides column in the Configuration Policy Rules table of the page. The override will also be noted in the Override History table of the rule page. Deleting an override or override request You can delete old override exception requests. 1. 2. TIP: You also can click the top row check box to select all requests and then delete them all in one step. Click the Administration tab of the Security Console Web interface. On the Administration page, click the Manage link next to Exceptions and Overrides. In the Configuration Policy Override Listing table, select the check box next to the rule override that you want to delete. Click the Delete icon. The entry no longer appears in the Configuration Policy Override Listing table. 3. 4. Nexpose User’s Guide 118 Chapter 4 Act After you discover what is running in your environment and assess your security threats, you can initiate actions to remediate these threats. Act provides guidance on making stakeholders in your organization aware of security priorities in your environment so that they can take action. Working with asset groups on page 120: Asset groups allow you to control what asset information different stakeholders in your organization see. By creating asset groups effectively, you can disseminate the exact information that different executives or security teams need. For this reason, asset groups can be especially helpful in creating reports.This section guides you in creating static and dynamic asset groups. Working with reports on page 139: With reports, you share critical security information with different stakeholders in your organization. This section guides you through creating and customizing reports and understanding the information they contain. Using tickets on page 182: This section shows you how to use the ticketing system to manage the remediation work flow and delegate remediation tasks. Nexpose User’s Guide 119 Working with asset groups Asset groups provide different ways for members of your organization to grant access to, view, and report on, asset information. You can use the same grouping principles that you use for sites, create subsets of sites, or create groups that include assets from any number of different sites. Using asset groups to your advantage Asset groups also have a useful security function in that they limit what member users can see, and dictate what non-member users cannot see. The asset groups that you create will influence the types of roles and permissions you assign to users, and vice-versa. One use case illustrates how asset groups can “spin off” organically from sites. A bank purchases Nexpose with a fixed-number IP address license. The network topology includes one head office and 15 branches, all with similar “cookie-cutter” IP address schemes. The IP addresses in the first branch are all 10.1.1.x.; the addresses in the second branch are 10.1.2.x; and so on. For each branch, whatever integer equals .x is a certain type of asset. For example .5 is always a server. The security team scans each site and then “chunks” the information in various ways by creating reports for specific asset groups. It creates one set of asset groups based on locations so that branch managers can view vulnerability trends and high-level data. The team creates another set of asset groups based on that last integer in the IP address. The users in charge of remediating server vulnerabilities will only see “.5” assets. If the “x” integer is subject to more granular divisions, the security team can create more finally specialized asset groups. For example .51 may correspond to file servers, and .52 may correspond to database servers. Another approach to creating asset groups is categorizing them according to membership. For example, you can have an “Executive” asset group for senior company officers who see high-level businesssensitive reports about all the assets within your enterprise. You can have more technical asset groups for different members of your security team, who are responsible for remediating vulnerabilities on specific types of assets, such as databases, workstations, or Web servers. Comparing dynamic and static asset groups One way to think of an asset group is as a snapshot of your environment. This snapshot provides important information about your assets and the security issues affecting them: • • • • • their network location the operating systems running on them the number of vulnerabilities discovered on them whether exploits exist for any of the vulnerabilities their risk scores With Nexpose, you can create two different kinds of “snapshots.” The dynamic asset group is a snapshot that potentially changes with every scan; and the static asset group is an unchanging snapshot. Each type of asset group can be useful depending on your needs. Nexpose User’s Guide 120 Using dynamic asset groups A dynamic asset group contains scanned assets that meet a specific set of search criteria. You define these criteria with asset search filters, such as IP address range or hosted operating systems. The list of assets in a dynamic group is subject to change with every scan. In this regard, a dynamic asset group differs from a static asset group. See Comparing dynamic and static sites on page 24. Assets that no longer meet the group’s Asset Filter criteria after a scan will be removed from the list. Newly discovered assets that meet the criteria will be added to the list. Note that the list does not change immediately, but after the application completes a scan and integrates the new asset information in the database. An ever-evolving snapshot of your environment, a dynamic asset group allows you to track changes to your live asset inventory and security posture at a quick glance, and to create reports based on the most current data. For example, you can create a dynamic asset group of assets with a vulnerability that was included in a Patch Tuesday bulletin. Then, after applying the patch for the vulnerability, you can run a scan and view the dynamic asset group to determine if any assets still have this vulnerability. If the patch application was successful, the group theoretically should not include any assets. You can create dynamic asset groups using the filtered asset search. See Performing filtered asset searches on page 124. You grant user access to dynamic asset groups through the User Configuration panel. A user with access to a dynamic asset group will have access to newly discovered assets that meet group criteria regardless of whether or not those assets belong to a site to which the user does not have access. For example, you have created a dynamic asset group of Windows XP workstations. You grant two users, Joe and Beth, access to this dynamic asset group. You scan a site to which Beth has access and Joe does not. The scan discovers 50 new Windows XP workstations. Joe and Beth will both be able to see the 50 new Windows XP workstations in the dynamic asset group list and include them in reports, even though Joe does not have access to the site that contains these same assets. When managing user access to dynamic asset groups, you need to assess how these groups will affect site permissions. To ensure that a dynamic asset group does not include any assets from a given site, use the site filter. See Locating assets by sites on page 79. Using static asset groups A static asset group contains assets that meet a set of criteria that you define according to your organization’s needs. Unlike with a dynamic asset group, the list of assets in a static group does not change unless you alter it manually. Static asset groups provide useful time-frozen views of your environment that you can use for reference or comparison. For example, you may find it useful to create a static asset group of Windows servers and create a report to capture all of their vulnerabilities. Then, after applying patches and running a scan for patch verification, you can create a baseline report to compare vulnerabilities on those same assets before and after the scan. You can create static asset groups using either of two options: • • the Group Configuration panel; see Configuring a static asset group by manually selecting assets on page 122 the filtered asset search; see Performing filtered asset searches on page 124 Nexpose User’s Guide 121 Configuring a static asset group by manually selecting assets NOTE: Only Global Administrators can create asset groups. Manually selecting assets is one of two ways to create a static asset group. This manual method is ideal for environments that have small numbers of assets. For an approach that is ideal for large numbers of assets, see Creating a dynamic or static asset group from asset searches on page 136. Start a static asset group configuration: 1. Go to the Assets :: Asset Groups page by one of the following routes: Click the Assets tab to go to the Assets page, and then click view next to Asset groups. OR Click the Administration tab to go to the Administration page, and then click manage next to Asset Groups. Home tool bar Administration tab 2. 3. Click New Static Asset Group to create a new static asset group. Click Edit to change any group listed with a static asset group icon. The Asset Group Configuration panel appears. NOTE: You can only create an asset group after running an initial scan of assets that you wish to include in that group. 4. Click New Static Asset Group. Creating a new static asset group OR Click Create next to Asset Groups on the Administration page. The console displays the General page of the Asset Group Configuration panel. 5. Type a group name and description in the appropriate fields. Nexpose User’s Guide 122 You can repeat the asset search to include multiple sets of search results in an asset group. or most recently edited. Select the assets you wish to add to the asset group. Nexpose User’s Guide 123 . the next search will clear that set. Go to the Assets page of the Asset Group Configuration panel. then click Display matching assets to run the search. The assets appear on the Assets page. Click Display all assets. Click Save to save the new asset group information.Adding assets to the static asset group: 1. When you use this asset selection feature to create a new asset group. If you do not save a set of selected search results. Click Save. 2. Selecting assets for a static asset group OR 3. NOTE: There may be a delay if the search returns a very large number of assets. When you use this asset selection feature to edit an existing report. Use any of these filters to find assets that meet certain criteria. For example. To include all assets. you can select all of the assets within an IP address range that run on a particular operating system. the report. 5. you will not see any assets displayed. You will need to save a set of results before proceeding to the next results. you will see the list of assets that you selected when you created. 4. which is convenient if your database contains a small number of assets. 6. select the check box in the header row. The console displays a page with search filters. See Combining filters on page 135. OR Click New Dynamic Asset Group if you are on the Asset Groups page. The filtered asset search feature allows you to search for assets based on criteria that can include IP address. Nexpose User’s Guide 124 . You can add multiple filters for more precise searches. Click the Administration tab to go to the Administration page. See Using the search feature on page 21. a particular operating system. To start a filtered asset search: 1. . and a particular site. and asset name. Click the Asset Filter icon Web interface. site. which appears next to the Search box in the The Filtered asset search page appears. vulnerabilities. Configuring asset search filters A search filter allows you to choose the attributes of the assets that you are interested in. software. Or you can combine filters so that the search result set contains any asset that meets all of the criteria in any given filter (leading to a larger result set). and then click the dynamic link next to Asset Groups. OR 2. services. Using fewer filters typically increases the number of search results. You can then save the results as a dynamic asset group for tracking and reporting purposes. you can find assets of immediate interest to you. For example. NOTE: Performing a filtered asset search is the first step in creating a dynamic asset group 3. you may find it necessary or helpful to concentrate on a specific subset. and then combine these filters to return a list of all the assets that simultaneously meet all the specified criteria. This helps you to focus your remediation efforts and to manage the sheer quantity of assets running on a large network. you could create filters for a given IP address range. You can combine filters so that the search result set contains only the assets that meet all of the criteria in all of the filters (leading to a smaller result set). operating system.Performing filtered asset searches When dealing with networks of large numbers of assets. Using search filters. button to remove filters. Asset search filters Nexpose User’s Guide 125 .The following asset search filters are available: • • • • • • • • • • • • • • • • • • • • • • Asset name (page 126) Host type (page 126) IP address range (page 127) IP address type (page 126) Last scan date (page 127) Other IP address (page 128) Operating system name (page 129) PCI compliance status (page 129) Presence of validated vulnerabilities (page 130) Service name (page 129) Site name (page 129) Software name (page 130) vAsset cluster (page 130) vAsset datacenter (page 131) vAsset host (page 131) vAsset power state (page 131) vAsset resource pool path (page 132) Vulnerability CVSS risk vectors (page 132) Vulnerability CVSS score (page 133) Vulnerability exposure (page 134) Vulnerability risk score (page 134) Vulnerability title (page 135) To select filters in the Filtered asset search panel take the following steps: 1. the configuration options. Use the . 2. Use the first drop-down list. Use the + button to add filters. 3. Select the appropriate operator. 4. operators. Click Reset to remove all filters. 5. for that filter dynamically become available. When you select a filter. Filtering by asset name The asset name filter lets you search for assets based on the asset name. After you select an operator. starts with returns all assets whose names begin with the same characters as the search string. ends with returns all assets whose names end with the same characters as the search string. or do not match. Hypervisor is a host of one or more virtual machines. The filter applies a search string to the asset names. where assets can be any one or more of the following types: • • • • Bare metal is physical hardware. you can find assets with either address format. Unknown is a host of an indeterminate type. the selected host types. You can use this filter to track. It works with the following operators: • • • • • • is returns all assets whose names match the search string exactly. After selecting the filter and desired operator. For example. security issues that are specific to host types. For example. This allows you to track and report on specific security issues in these different segments of your network. does not contain returns all assets whose names do not contain the search string. Nexpose User’s Guide 126 . you can create a filter for “is Hypervisor” and another for “is virtual machine” to find allsoftware hypervisors. • is not returns all assets that do not match the host type that you select from the adjacent drop-down list. so that the search returns assets that meet the specified criteria. is not returns all assets that do not have the specified address formats. Filtering by IP address type If your environment includes IPv4 and IPv6 addresses. contains returns all assets whose names contain the search string anywhere in the name. a hypervisor may be considered especially sensitive because if it is compromised then any guest of that hypervisor is also at risk. select the desired format: IPv4 or IPv6. and report on. is not returns all assets whose names do not match the search string. You can combine multiple host types in your criteria to search for assets that meet multiple criteria. It works with the following operators: • is returns all assets that match the host type that you select from the adjacent drop-down list. so that the search returns a list of assets that either match. The IP address type filter works with the following operators: • • is returns all assets that have the specified address format. you type a search string for the asset name in the blank field. Virtual machine is an all-software guest of another computer. The filter applies a search string to host types. Filtering by host type The Host type filter lets you search for assets based on the type of host system. When you select the IP address range filter. Nexpose User’s Guide 127 .m. For example. After selecting this operator. Then click the calendar icon next to the right field to select the last date in the range. After selecting this operator. You select this operator and enter 3 in the days ago field. The starting point of the search is midnight of the day that the search is performed. for example. and including.2.Filtering by IP address range The IP address range filter lets you specify a range of IP addresses.168. so that the search returns a list of assets that are either in the IP range. and use the right to enter the end of the range. The search returns all assets that were last scanned prior to midnight on January 20.2. For example: You initiate the search at 3 p. After selecting this operator. is not returns all assets whose IP addresses do not fall into the IP address range.168. You select this operator and enter 1 in the days field. on January 23. You may want. The filter works with the following operators: • • • • • on or before returns all assets that were last scanned on or before a particular date. on January 23.m. on or after returns all assets that were last scanned on or after a particular date. you may want to find assets that have not been scanned in a long time and then delete them from the database because they are no longer be considered important for tracking purposes. between and including returns all assets that were last scanned between. earlier than returns all assets that were last scanned earlier than a specified number of days preceding the date on which you initiate the search. After selecting this operator. After selecting this operator. within the last returns all assets that were last scanned within a specified number of preceding days. enter a number in the days ago field.1 to 192. you will see two blank fields separated by the word to. The starting point of the search is midnight of the day that the search is performed. click the calendar icon to select the date. you initiate a search at 3 p. or not in the IP range. click the calendar icon to select the date.” Example: 192. The search returns all assets that were last scanned since midnight on January 22. It works with the following operators: • • is returns all assets with an IP address that falls within the IP address range. to run a report on the most recently scanned assets. click the calendar icon next to the left field to select the first date in the range. enter a number in the days field. You use the left field to enter the start of the IP address range. Or.254 Filtering by last scan date The last scan date filter lets you search for assets based on when they were last scanned. two dates. The format for IPv4 addresses is a “dotted quad. Filtering by operating system name The operating system name filter lets you search for assets based on their hosted operating systems. If an operating system is not listed for a scanned asset in the Web interface or reports. When you run the scan. you choose from a list of operating systems. failure to fingerprint indicates that the credentials were not authenticated on the target asset. so you included only that address to be scanned in the site configuration. The filter works with one operator: • is returns all assets that have other IP addresses that are either IPv4 or IPv6. When configuring scan targets for your site. Therefore. If an asset was scanned within the time frame specified in the filter. By using this asset search filter. is not empty returns all assets that have an operating system identified in their scan results. you select either IPv4 or IPv6 from the drop-down list. If you create a dynamic asset group based on searches with the relative-day operators (earlier than or within the last). When the application scans an IP address that has been included in a site configuration. or enter a search string. You can add the discovered address to a site for a future scan to increase your security coverage. it discovers any other addresses for that asset. is empty returns all assets that do not have an operating system identified in their scan results. this means that the asset may not have been fingerprinted. This operator is useful for finding assets that were scanned with authenticated credentials and fingerprinted. you may have only been aware of the IPv4 address. it will not appear in the search results. this operator is useful for finding assets that were scanned with failed credentials or without credentials. You can use an asterisk (*) as a wildcard character.Keep several things in mind when using this filter: • • • The search only returns last scan dates. The filter returns a list of assets that meet the specified criteria. Dynamic asset group membership is recalculated daily at midnight. You enter the search string in the adjacent field. does not contain returns all assets running on the operating system whose name does not contain the characters specified in the search string. Filtering by other IP address type This filter allows you to find assets that have other IPv4 or IPv6 addresses in addition to the address(es) that you are aware of. This may include addresses that have not been scanned. Nexpose User’s Guide 128 . For example: A given asset may have an IPv4 address and an IPv6 address. You can use an asterisk (*) as a wildcard character. and if that scan was not the most recent scan. you can search for all assets to which this scenario applies. the application discovers the IPv6 address. Dynamic asset group membership can change as new scans are run. It works with the following operators: • • • • contains returns all assets running on the operating system whose name contains the characters specified in the search string. If the asset was scanned with credentials. Depending on the search. You enter the search string in the adjacent field. After you select the filter and operators. the asset membership will change accordingly. This is an important filter to use if you want to control users’ access to newly discovered assets in sites to which users do not have access. After you select an operator. The filter applies a search string to service names. It works with two operators: • • is returns all assets that have a Pass or Fail status. Filtering by site name The site name filter lets you search for assets based on the name of the site to which the assets belong. the specified sites. You select one or more sites from the adjacent list. Filtering by service name The service name filter lets you search for assets based on the services running on them. It works with the following operators: • • is returns all assets that belong to the selected sites. so that the search returns a list of assets that either belong to. Nexpose User’s Guide 129 . After you select an operator. does not contain returns all assets that do not run a service whose name contains the search string. is not returns all assets that do not have a Pass or Fail status. You can use an asterisk (*) as a wildcard character. is not returns all assets that do not belong to the selected sites. See the note in Using dynamic asset groups on page 121. select the Pass or Fail option from the drop-down list. You can use an asterisk (*) as a wildcard character.Filtering by PCI compliance status The PCI status filter lets you search for assets based on whether they return Pass or Fail results when scanned with the PCI audit template. you type a search string for the service name in the blank field. so that the search returns a list of assets that either have or do not have the specified service. It works with the following operators: • • contains returns all assets running a service whose name contains the search string. You select one or more sites from the adjacent list. The filter applies a search string to site names. or do not belong to. Finding assets that fail compliance scans can help you determine at a glance which require remediation in advance of an official PCI audit. The filter applies a search string to software names.Filtering by software name The software name filter lets you search for assets based on software installed on them. or don’t belong. see Configuring and performing vAsset discovery on page 55. Filtering by presence of validated vulnerabilities The Validated vulnerabilities filter lets you search for assets with vulnerabilities that have been validated with exploits through Rapid7 Metasploit integration. so that the search returns a list of assets that either runs or does not run the specified software. is not returns all assets that belong to clusters whose names do not match an entered string. Creating dynamic asset groups for virtual assets based on specific criteria can be useful for analyzing different segments of your virtual environment. By using this filter. returns all assets without validated vulnerabilities. After you select an operator. It works with the following operators: • • contains returns all assets with software installed so that the search returns the software’s name contains the search string. see Working with validated vulnerabilities on page 92. After you select an operator. For information about vAsset discovery. you can isolate assets with vulnerabilities that have been proven to exist with a high degree of certainty. combined with the present drop-down list option. returns all assets with validated vulnerabilities. This filter works with the following operators: • • • • • is returns all assets that belong to clusters whose names match an entered string exactly. combined with the not present drop-down list option. and they are supported by a one resource pool. contains returns all assets that belong to clusters whose names contain an entered string. For example. you enter the search string for the cluster in the blank field. to specific clusters. You can use an asterisk (*) as a wildcard character. starts with returns all assets that belong to clusters whose names begin with the same characters as an entered string. Using vAsset filters The following vAsset filters let you search for virtual assets that you track with vAsset discovery. For more information. The filter works with one operator: • • The are operator. You can use an asterisk (*) as a wildcard character. Nexpose User’s Guide 130 . does not contain returns all assets that do not have software installed so that the search returns the software’s name contains the search string. you enter the search string for the software name in the blank field. Filtering by vAsset cluster The vAsset cluster filter lets you search for virtual assets that belong. does not contain returns all assets that belong to clusters whose names do not contain an entered string. you may want to run reports or assess risk for virtual assets used by your accounting department. The are operator. This filter works with the following operators: • • is returns all assets that are in a power state selected from a drop-down list. Filtering by vAsset power state The vAsset power state filter lets you search for assets that are in. of specific host systems. After you select an operator. Nexpose User’s Guide 131 . you select a power state from the drop-down list. is not returns all assets that not are in a power state selected from a drop-down list. After you select an operator. or are not managed. or are not guests. After you select an operator. you enter the search string for the datacenter name in the blank field. This filter works with the following operators: • • • • • is returns all assets that are guests of hosts whose names match an entered string exactly. Power states include on. a specific power state. This filter works with the following operators: • • is returns all assets that are managed by datacenters whose names match an entered string exactly.Filtering by vAsset datacenter The vAsset datacenter filter lets you search for assets that are managed. off. is not returns all assets that are guests of hosts whose names do not match an entered string. by specific datacenters. does not contain returns all assets that are guests of hosts whose names do not contain an entered string. or suspended. is not returns all assets that are managed by datacenters whose names do not match an entered string. contains returns all assets that are guests of hosts whose names contain an entered string. starts with returns all assets that are guests of hosts whose names begin with the same characters as an entered string. Filtering by vAsset host The vAsset host filter lets you search for assets that are guests. or are not in. you enter the search string for the host name in the blank field. or do not belong.nist. This is helpful if you have resource pool path levels with identical names. Filtering by CVSS risk vectors The filters for the following Common Vulnerability Scoring System (CVSS) risk vectors let you search for assets based on vulnerabilities that pose different types or levels of risk to your organization’s security: • • • • • • CVSS Access Complexity (AC) CVSS Access Vector (AV) CVSS Authentication Required (Au) CVSS Availability Impact (A) CVSS Confidentiality Impact (C) CVSS Integrity Impact (I) These filters refer to the industry-standard vectors used in calculating CVSS scores and PCI severity levels.gov/cvss. For detailed information about CVSS vectors. the search will return all virtual machines that belong to the Management and Workstations levels in both resource pool paths. you may have two resource pool paths with the following levels: Human Resources Management Workstations Advertising Management Workstations The virtual machines that belong to the Management and Workstations levels are different in each path.cfm. They are also used in risk strategy calculations for risk scores. However. you enter the search string for the resource pool path in the blank field. Nexpose User’s Guide 132 .Filtering by vAsset resource pool path The vAsset resource pool path filter lets you discover assets that belong. go to the National Vulnerability Database Web site at nvd. to specific resource pool paths. After you select an operator. You can specify any level of a path. This filter works with the following operators: • • contains returns all assets that are supported by resource pool paths whose names contain an entered string. For example. each separated by a hyphen and right arrow: ->. the search will only return virtual assets that belong to the Workstations pool in the path with Advertising as the highest level. if you specify Advertising -> Management -> Workstations. does not contain returns all assets that are supported by resource pool paths whose names do not contain an entered string. If you only specify Management in your filter. or you can specify multiple levels. or based on the different types and degrees of impact to the asset in the event of compromise through the vulnerabilities found on them. Adjacent (A). You can only enter one digit to the right of the decimal. Medium.0 to 10. the score is automatically rounded up to 2. type a score in the blank field. Integrity. is higher than returns all assets with vulnerabilities that have a CVSS score higher than a specified score.Using these filters. After you select an operator. Partial. For example. the options are Low. or Multiple.25. the options are Complete. Acceptable values include any numeral from 0. the score is automatically rounded up. or Network (N). For CVSS Access Vector. or None.9). is not returns all assets with vulnerabilities that do not have a specified CVSS score. medium (4. select the desired impact level or likelihood attribute from the drop-down list: • • • • For each of the three impact vectors (Confidentiality. Isolating these assets can help you to make more informed decisions on remediation priorities or to prepare for a PCI audit. or High. Filtering by vulnerability CVSS score The vulnerability CVSS score filter lets you search for assets with vulnerabilities that have a specific CVSS score or fall within a range of scores. and Availability). you would type a low score and a high score to create the range.3. is in the range of returns all assets with vulnerabilities that fall within the range of two specified CVSS scores and include the high and low scores in the range. After you select a filter and an operator. is lower than returns all assets with vulnerabilities that have a CVSS score lower than a specified score. the options are Local (L). you can find assets based on different exploitability attributes of the vulnerabilities found on them. The filter works with the following operators: • • • • • is returns all assets with vulnerabilities that have a specified CVSS score. For CVSS Authentication Required.0-3. Doing so can help you prioritize assets for remediation. Nexpose User’s Guide 133 . the options are None.0-6.9). You may find it helpful to create asset groups according to CVSS score ranges that correspond to PCI severity levels: low (0. if you enter a score of 2. and high (7. If you enter more than one digit. For CVSS Access Complexity. is not returns all assets that do not match a specific risk level or attribute associated with the CVSS vector.0-10). Single. If you select the range operator. All six filters work with two operators: • • is returns all assets that match a specific risk level or attribute associated with the CVSS vector. 000. hold down the <Ctrl> key and click all desired types. Keep in mind your currently selected risk strategy when searching for assets based on risk scores. can help you prioritize remediation for those assets. you will not find assets with scores higher than 1. for example. enter a score in the blank field. It works with the following operators: • • includes returns all assets that have vulnerabilities associated with specified exposure types. if the currently selected strategy is Real Risk. you would type a low score and a high score to create the range. After you select an operator. The filter applies a search string to one or more of the vulnerability exposure types. After you select an operator. is higher than returns all assets with vulnerabilities that have a risk score higher than a specified score. The filter works with the following operators: • • • is in the range of returns all assets with vulnerabilities that fall within the range of two specified risk scores and include the high and low scores in the range. does not include returns all assets that do not have vulnerabilities associated with specified exposure types. so that the search returns a list of assets that either have or do not have vulnerabilities associated with the specified exposure types. For example. Isolating and tracking assets with higher risk scores. Nexpose User’s Guide 134 . To select multiple types. Filtering by vulnerability risk scores The vulnerability risk score filter lets you search for assets with vulnerabilities that have a specific risk score or fall within a range of scores. If you select the range operator. is lower than returns all assets with vulnerabilities that have a risk score lower than a specified score. select one or more exposure types in the drop-down list. Refer to the risk scores in your vulnerability and asset tables for guidance.Filtering by vulnerability exposures The vulnerability exposures filter lets you search for assets based on the following types of exposures known to be associated with vulnerabilities discovered on those assets: • • • Malware kit exploits Metasploit exploits Exploit Database exploits This is a useful filter for isolating and prioritizing assets that have a higher likelihood of compromise due to these exposures. Suppose you create two filters. linux03. and their names are win01. you can have Nexpose return a list of assets that match all the criteria specified in the filters. win02. assets have a particular high-risk vulnerability. The filter applies a search string to vulnerability titles. You can use an asterisk (*) as a wildcard character.Filtering by vulnerability title The vulnerability title filter lets you search for assets based on the vulnerabilities that have been flagged on them during scans. The difference between All and Any is that the All setting will only return assets that match the search criteria in all of the filters. and linux05. Nexpose User’s Guide 135 . This is a useful filter to use for verifying patch applications. The second filter is an asset filter. and which. there will be no search results. After you select an operator. and it returns a list of assets that run Windows. The first filter is an operating system filter. the search will return a list of assets that run Windows or have “linux” in their names. or finding out at a quick glance how many. if you use the same filters with the Any setting. the search will return a list of assets that run Windows and have “linux” in their asset names. and it returns a list of assets that have “linux” in their names. and the other five assets have “linux” in their names. suppose you are scanning a site with 10 assets. For this reason. You can make this selection in a drop-down list at the bottom of the Search Criteria panel. and win05. win04. For example. you type a search string for the vulnerability name in the blank field. the result set will contain all of the assets. Five of the assets run Windows. Therefore. However. Combining filters If you create multiple filters. or a list of assets that match any of the criteria specified in the filters. Five of the assets run Linux. If you perform a filtered asset search with the two filters using the All setting. and their names are linux01. It works with the following operators: • • contains returns all assets with a vulnerability whose name contains the search string. does not contain returns all assets that do not have a vulnerability whose name contains the search string. linux04. The other five run Windows. so that the search returns a list of assets that either have or do not have the specified service. Since no such assets exist. whereas the Any setting will return assets that match any given filter. You can use an asterisk (*) as a wildcard character. win03. linux02. a search with All selected typically returns fewer results than Any. (Optional) Click the Export to CSV link at the bottom of the table to export the results to a comma-separated values (CSV) file that you can view and manipulate in a spreadsheet program. so only these users can save Asset Filter search results. After you configure asset search filters. It is one of two ways to create a static asset group and is more ideal for environments with large numbers of assets. For a different approach. See Using dynamic asset groups on page 121. the asset list is subject to change with every scan. Select either the Dynamic or Static option. Click Create Asset Group. If you create a dynamic asset group.Creating a dynamic or static asset group from asset searches NOTE: If you have permission to create asset groups. Using the assets search is the only way to create a dynamic asset group. Controls for creating an asset group appear. After you configure asset search filters as described in the preceding section. Nexpose User’s Guide 136 . you can save asset search results as an asset group. 3. 2. depending on what kind of asset group you want to create. A table of assets that meet the filter criteria appears. see Configuring a static asset group by manually selecting assets on page 122. click Search. Asset search results NOTE: Only Global Administrators or users with the Manage Group Assets permission can create asset groups. you can create an asset group based on the search results. 1. See Comparing dynamic and static asset groups on page 120. which involves manually selecting assets. 5. The Add Users dialog box appears. such as reporting.4. 6. Select the check box for every user account that you want to add to the access list or select the check box in the top row to add all users. You must give users access to an asset group for them to be able view assets or perform asset-related operations. 8. The new group will include the assets listed in the search results table. Click OK. Nexpose User’s Guide 137 . Click Add Users. Creating a new dynamic asset group NOTE: You must be a Global Administrator or have Manage Asset Group Access permission to add users to an asset group. 7. Enter a unique asset group name and description. All asset groups appear in the Asset Group Listing table on the Assets :: Asset Groups page. Click Save in the bottom-right corner of the Asset Group configuration area. with assets in that group. OR Click the link for the name of the desired asset group. Go to the Assets :: Asset Groups page by one of the following routes: Click the Administration tab to go to the Administration page. See Configuring asset search filters on page 124. 3. and run a search. Nexpose User’s Guide 138 . Click Edit to find a dynamic asset group that you want to modify. and then click the manage link next to Asset Groups. Starting to edit a dynamic asset group The console displays the page for that group. and then click view next to Asset Groups. 4. OR Click the Assets tab to go to the Assets page. Click Save. Click Edit Asset Group or click View Asset Filter to review a summary of filter criteria. To change criteria for a dynamic asset group: 1. 5. Home tool bar Assets tab 2.Changing asset membership in a dynamic asset group You can change search criteria for membership in a dynamic asset group at any time. Any of these approaches causes the application to display the Filtered asset search panel with the filters set for the most recent asset search. Change the filters according to your preferences. including all of your scanned enterprise assets. CSV. You can parse assets in a report any number of ways. which you can download from the Support page in Help. Nexpose User’s Guide 139 . It may be unnecessary or undesirable for these stakeholders to access the application itself. If you are verifying compliance with PCI. or you can click a page link listed on the left column of each panel page to go directly to that page. By generating reports. Creating reports is very similar to creating scan jobs. but reports are not tied to sites. You select or customize a report template. create a report that only lists those assets.Working with reports You may want any number of people in your organization to view asset and vulnerability data without actually logging on to the Security Console. NOTE: For information about other tools related to compliance with Policy Manager policies. when to run the reports. If you have an asset group for Windows 2008 servers. a chief information security officer (CISO) may need to see statistics about your overall risk trends over time. To save configuration changes. it’s a best practice to organize reports according to the needs of asset group members. you will use the following report templates in the audit process: • • • Attestation of Compliance PCI Executive Summary Vulnerability Details If you are verifying compliance with United States Government Configuration Baseline (USGCB) or Federal Desktop Core Configuration (FDCC) policies. or just one. Government’s Federal Information Security Management Act (FISMA) reporting requirements. Reports provide many. or database formats. select an output format. It’s a simple process involving a configuration panel. For example. and choose assets for inclusion. Reports are primarily how your asset group members view asset data. You can create a report on a site. All panels have the same navigation scheme.. see What are you compliance requirements in the administrator’s guide. XCCDF Human Readable CSV Report XCCDF Results XML Report You can also generate an XML export reports that can be consumed by the CyberScope application to fulfill the U. and how to distribute them. or you can just list the services are running on your network assets.S. click Save that appears on every page. You can learn everything you need to know about vulnerabilities and how to remediate them. you can use the following report formats to capture results data: • • NOTE: You also can click the top row check box to select all requests and then approve or reject them in one step. Therefore. To discard changes. NOTE: Parameters labeled in red denote required parameters on all panel pages. Or members of your security team may need to see the most critical vulnerabilities for sensitive assets so that they can prioritize remediation projects. You can either use the navigation buttons in the upperright corner of each panel page to progress through each page of the panel. You also have to decide what information to include about these assets. you can distribute critical information to the people who need it via email or integration of exported formats such as XML. click Cancel. from business-centric perspectives to detailed technical assessments. varied ways to look at scan data. and include a section on policy compliance. You may need to change a report configuration. You apply the patch for that flaw and run a verification scan. or run existing report configurations for various reasons: • • On occasion. Home toolbar Reports tab The Security Console displays the Reports page. you have configured a recurring report on Microsoft Windows vulnerabilities. Click the Reports tab. Report names are unique in the application. Click the View reports panel to see all the reports of which you have ownership. NOTE: On the View Reports panel. you may need add assets to your report scope as new workstations come online. and running reports You may need to view. you can start a new report configuration by clicking the New button. The View Reports panel Nexpose User’s Guide 140 . The application lists all report configurations in a table. For example. A Global Administrator can see all reports. 1. For example. or view the histories of when they were run in the past. where you can view run or edit them. Microsoft releases an unscheduled security bulletin about an Internet Explorer vulnerability. A table list reports by name and most recent report generation date. you may need to run an automatically recurring report immediately.Viewing. 2. You can sort reports by either criteria by clicking the column heading. take the following steps. editing. To view existing report configurations. You will want to run the report to demonstrate that the vulnerability has been resolved by the patch. edit. which is a hyperlink. it changes the date in the Most Recent Report column. hover over the row for that report. • You also change a report configuration. • Nexpose User’s Guide 141 . Clicking Delete will remove the report configuration and all generated instances from the application database. It is a quick way to create a new report configuration that will have properties similar to those of another. the Security Console displays the Configure a Report panel for that configuration. You may still want to create another report for those assets. Whether you click Edit or Copy. You can also see the history for a report that has previously run at least once by clicking the report name. For example. By reviewing the history.To edit or run a listed report. click History in the tools drop-down menu for that report. Copying a template allows you to create a modified version that incorporates some the original template’s attributes. Copying the report configuration would make the most sense if no other attributes are to be changed. You can click the link for that date to view the most recent instance of the report. click Run. If a report name is not a hyperlink. and click the tool icon that appears. Accessing report tools • To run a report. • To view all instances of a report that have been run. See Creating a basic report on page 142. focusing only on Adobe vulnerabilities. Every time the application writes a new instance of a report. you may have a report that only includes Windows vulnerabilities for a given set of assets. it is because an instance of the report has not yet run successfully. you can see any instances of the report that failed. The Security Console displays the Create a report panel. Starting a new report configuration 1. If you want to run the report immediately on a one-time basis. you will have the option to configure additional properties. such as those for distributing the report. If you configure the report to run in the future. and running reports on page 140. See Viewing. and exporting reports on page 1 Baseline reports see Selecting a scan as a baseline on page 155 Risk trend reports see Working with risk trends in reports on page 12 After you complete a basic report configuration. the Security Console will automatically save the report configuration for future use. editing. sharing. The Create a report panel Nexpose User’s Guide 142 . you will be able to save it when you have completed the configuration. Click the Reports tab.Creating a basic report Creating a basic report involves the following steps: • • • • • • • • • Selecting a report template and format (see Starting a new report configuration) Selecting assets to report on on page 146 Filtering report scope with vulnerabilities on page 148 (optional) Configuring report frequency on page 152 (optional) There are additional configuration steps for the following types of reports: CyberScope XML Export (see Entering CyberScope information on page 145 XCCDF reports see Configuring an XCCDF report on page 146 Database Export see Distributing. and CSV. and HTML—are convenient for sharing information to be read by stakeholders in your organization. see Working with report formats on page 173. You can roll over the name of any template to view a description. Search results are dependent on the template type. Click Close on the Search templates field to reset the search or enter a new term. (Optional) Enter a search term. • 6. depending on the template type you selected. such as executives or security team members tasked with performing remediation. PDF. or a few letters of the template you are looking for. in the Search templates field to see all available templates that contain that keyword or phrase. Search report templates NOTE: Resetting the Search templates field by clicking the close X displays all templates in alphabetical order. The formats available for this type include various XML formats. Database Export. If you selected the All option. either Document or Export templates. enter pci and the display will change to display only PCI templates. Enter a name for the new report. Nexpose User’s Guide 143 . Some of the formats available for this template type—Text. RTF. For more information. Export templates are designed for integrating scan information into external systems. make sure you select All to search all available templates. The Security Console displays template thumbnail images that you can browse. but allows for the time localization of generated reports. Select a template type: • Document templates are designed for section-based. Click the scroll arrows on the left and the right to browse the templates. human-readable reports that contain asset and vulnerability information. 3.2. Select a time zone for the report. 5. The name must be unique in the application. you will be able to browse all available templates. This setting defaults to the local Security Console time zone. 4. If you are unsure which template type you require. For example. click the thumbnail. 7. When you see the see the desired template. Formats not only affect how reports appear and are consumed. Select a format for the report. These two templates require ASVs to fill in certain sections manually. but they also can have some influence on what information appears in reports. This can be helpful to see what kind of sections or information the template provides. see Working with report formats on page 173. right corner. Nexpose User’s Guide 144 . TIP: For descriptions of all available report template see Report templates and sections on page 272 to help you select the best template for your needs. you can only use the RTF format. It becomes highlighted and displays a Selected label in the top. or a custom template made with sections from either of these templates.Selecting a report template You also can click the Preview icon in the lower right corner of any thumbnail (highlighted in the preceding screen shot) to enlarge and click through a preview of template. For more information. If you are using the PCI Attestation of Compliance or PCI Executive Summary template. Consult the CyberScope Automated Data Feeds Submission Manual for more information. an individual Federal Information Security Management Act (FISMA) reporting entity under the component. Configuring a CyberScope XML Export report Entering CyberScope information When configuring a CyberScope XML Export report.S. or National Institute of Standards and Technology. Nexpose User’s Guide 145 . bureau. continue with specifying the scope of your report. an enclave under Department of Justice might be United States Mint. you must enter additional information. Office of Management and Budget. Bureau refers to a component-bureau. Otherwise. enter the names for the component. a bureau under Department of Justice might be Justice Management Division or Federal Bureau of Investigation. You must enter information in all three fields.8. and enclave in the appropriate fields. Enclave refers to an enclave under the component or bureau. Agency administrators and agency points of contact are responsible for creating enclaves within CyberScope. For example. For example. The information identifies the entity submitting the data: • • • Component refers to a reporting component such as Department of Justice. If you are using the CyberScope XML Export format. Department of Transportation. as indicated in the CyberScope Automated Data Feeds Submission Manual published by the U. For more information see Entering CyberScope information on page 145. Configuring an XCCDF report If you are creating one of the XCCDF reports. Select an XCCDF report template on the Create a report panel. the report will include all historical scan data in the report. Proceed with asset selection. Asset selection is only available with the XCCDF Human Readable CSV Export. Select the policy results to include from the drop-down list. The Policies option only appears when you select one of the XCCDF formats in the Template section of the Create a report panel. Click Select sites. To use only the most recent scan data in your report. Nexpose User’s Guide 146 . 4. Selecting assets to report on 1. Select an XCCDF formatted report template 2. and you have selected one of the XCCDF formatted templates on the Create a report panel take the following steps: NOTE: You cannot filter vulnerabilities by category if you are creating an XCCDF or CyberScope XML report. or asset groups in the Scope section of the Create a report panel. assets. 2. Otherwise. select Use the last scan data only check box. 3. Enter a name in the Organization field. 1. 4. Selecting assets to report on 5. You also can click the check box in the top row to select all options. Select an option to match any or all of the specified filters. the Security Console displays search filters. click the + icon and configure your new filter. If you selected Assets. Matching all filters typically returns a smaller set of results because multiple criteria make the search more specific. an operator. and then a value. if you want to report on assets running Windows operating systems. The Scope section Nexpose User’s Guide 147 . Select a filter. If you selected Sites or Asset Groups. Then enter Windows in the text field. select the operating system filter and the contains operator. Click OK to save your settings and return the Create a report panel. You also can click the check box in the top row to select all options. To add more filters to the search. or Assets from drop-down list. asset groups. Asset Groups. and individual assets. You can combine selections of sites. click the check box for any displayed site or asset group to select it. 3. The selections are referenced in the Scope section. Matching any filters typically returns a larger set of results.Select Report Scope panel TIP: The asset selection options are not mutually exclusive. For example. Click the check box for any displayed asset to select it. Select Sites. This provides a report that is easier to read as unnecessary information has been filtered out.Filtering report scope with vulnerabilities Filtering vulnerabilities means including or excluding specific vulnerabilities in a report. For example. See Fine-tuning information with custom report templates on page 168. The security administrator can also include a list of historical vulnerabilities on an asset after a scan template has been edited. if there is an Adobe Acrobat vulnerability in your environment that is addressed with a scheduled patching process. Doing so makes the report scope more focused. a chief security officer may only want to see critical vulnerabilities when assessing risk. you can run a report that contains all vulnerabilities except those Adobe Acrobat vulnerabilities. report templates that contain these sections can include filtered vulnerability information. Vulnerability filtering is not supported in the following report templates: • • • • Cyberscope XML Export XCCDF XML XCCDF CSV Database Export Nexpose User’s Guide 148 . a security administrator can produce remediation reports for the Oracle database team that only include vulnerabilities that affect the Oracle database. For the information in those reports to be the most effective. These reports can be used to monitor compliance status and to ensure that remediation efforts are effective. For example. For example. Organizations that have distributed IT departments may need to disseminate vulnerability reports to multiple teams or departments. You can also filter vulnerabilities based on category to improve your organization’s remediation process. Reports can also be created to exclude a type of vulnerability or a list of categories. See the API guide for more information. These streamlined reports will enable the team to more effectively prioritize their remediation efforts. A security administrator can filter by vulnerability category to create reports that indicate how widespread a vulnerability is in an environment. The security administrator can create reports that contain information about a specific type of vulnerability or vulnerabilities in a specific list of categories. allowing stakeholders in your organization to see securityrelated information that is most important to them. or which assets have vulnerabilities that are not being addressed during patching. NOTE: You can manage vulnerability filters through the API. A security administrator can filter vulnerabilities to make a report specific to a team or to a risk that requires attention. The following report sections can include filtered vulnerability information: • • • • • • • • Discovered Vulnerabilities Discovered Services Index of Vulnerabilities Remediation Plan Vulnerability Exceptions Vulnerability Report Card Across Network Vulnerability Report Card by Node Vulnerability Test Errors Therefore. Or you may want to filter out potential vulnerabilities from a CSV export report that you deliver to your remediation team. the information should be specific for the team receiving it. Top 10 Assets by Vulnerabilities.To filter vulnerability information. select the Critical vulnerabilities or Critical and severe vulnerabilities option. XML Export 2. Otherwise. 4-7=Severe. Options appear for vulnerability filters. To learn more. These are not PCI severity levels or CVSS scores. XML Export. They map to numeric severity rankings that are assigned by the application and displayed in the Vulnerability Listing table of the Vulnerabilities page. Top Remediations with Details.0. see Working with validated vulnerabilities on page 92. Top 10 Assets by Vulnerability Risk. and Vulnerability Trends. and 8-10=Critical. Select Vulnerability Filters section Certain templates allow you to include only validated vulnerabilities in reports: Basic Vulnerability Check Results (CSV). take the following steps: 1. Select Vulnerability Filters section with option to include only validated vulnerabilities 2. Top Remediations. Click Filter by Vulnerabilities on the Scope section of the Create a report panel. Scores range from 1 to 10: 1-3=Moderate. To filter vulnerabilities by severity level. select All severities. Nexpose User’s Guide 149 . If you want to include or exclude specific vulnerability categories. select the Vulnerable option. You can select categories with two different methods: 5. you type Adobe or ado. If you choose to include all categories. all those categories appear. Selecting vulnerability categories by clicking check boxes • Click the text box to display a window that lists all available categories. and Mozilla. TIP: Categories that are named for manufacturers. 4. Scroll down the list and select the check box for each desired category. Vulnerabilities with this result type appear with the ve (vulnerable exploited) result code in CSV reports. You can filter positive results based on how they were determined by selecting any of the check boxes for result types: • • • Vulnerabilities found: Vulnerabilities were flagged because asset-specific vulnerability tests produced positive results. several Adobe categories appear. select the Vulnerable and non-vulnerable option next to Results. Nexpose User’s Guide 150 . If you selected a CSV report template. To include all vulnerability check results (positive and negative). they appear in the text field at the bottom of the window. such as Microsoft Path and Microsoft Windows. such as Adobe. can serve as supersets of categories that are named for their products. This applies to other "company" categories. As you select categories. Vulnerable versions found: Vulnerabilities were flagged because versions of the scanned services or software are known to be vulnerable.3. such as Microsoft. • Click the text box to display a window that lists all available categories. and select the categories from the list that appears. Potential vulnerabilities found: Vulnerabilities were flagged because checks for potential vulnerabilities were positive. if you filter by the Microsoft category. select the appropriate option button in the Categories section. To view the vulnerabilities in a category see Configuration steps for vulnerability check settings on page 204. Apple. If you choose to include or exclude specific categories. you have the option to filter vulnerability result types. the Security Console displays a text box containing the words Select categories. For example. For example. skip the following step. If you enter a name that applies to multiple categories. Each selection appears in a text field a the bottom of the window. Enter part or all a category name in the Filter: text box. you inherently include all Microsoft product categories. If you want to include only positive check results. Selected vulnerability categories appear in the Scope section NOTE: Existing reports will include all vulnerabilities unless you edit them to filter by vulnerability category. Click OK to save scope selections. all your selections appear in a field at the bottom of the selection window. 6. When the list includes all desired categories. click outside of the window to return to the Scope page. The selected categories appear in the text box.Filter by category list If you use either or both methods. Nexpose User’s Guide 151 . it makes sense to run recurring reports automatically. take the following steps: 1. Since these assets will be scanned frequently. Enter an hour and minute for the start time. If you selected the scheduling option. on a one-time basis. 5. 7. or schedule it to run on a repeating basis. the report will run on October 15 every month. Enter a value in the field labeled Repeat every. each with a different scan template. 3. Go to the Create a report panel. Select a frequency option from the drop-down list: • • • Select Run a one-time report now to generate a report immediately. Click Frequency. For example. the Security Console displays controls for configuring a schedule. 4. Click Configure advanced settings. ignore the following steps. To configure report frequency. Nexpose User’s Guide 152 . if you schedule a report to run on October 15. Select Run a recurring report on a repeated schedule if you wish to schedule reports for regular time intervals. Enter a start date using the mm/dd/yyyy format. If you selected either of the first two options.to set a time interval for repeating the report. the report will run every month on the selected calendar date. If you select months on the specified date. and click the Up or Down arrow to select AM or PM... Select Run a recurring report after each scan to generate a report every time a scan is completed on the assets defined in the report scope. configure it to run after every scan. and select a time unit from the drop-down list. OR Click the calendar icon to select a start date. 2. 6.Configuring report frequency You can run the completed report immediately on a one-time basis. The third option is useful if you have an asset group containing assets that are assigned to many different sites. impose their own schedules. there is no limit on the number supported concurrent reports. enter “0” in the field labeled Repeat every. the report will run every month on the same ordinal weekday. Creating a report schedule Best practices for scheduling reports The frequency with which you schedule and distribute reports depends your business needs and security policies. which is the third Monday of the month. Remediated vulnerabilities with known exploits. the report will run every third Monday of the month. You can also specify the criteria for sorting data in your report. This means that you can schedule reports to run simultaneously as needed. To run a report only once on the scheduled date and time. You may want to run quarterly executive reports. Remediated vulnerabilities. with each report request spawning a new thread. such as PCI.If you select months on the specified day of the month. Solutions can be sorted by Affected asset. Keep in mind that if the number is too high you may have a report with an unwieldy level of data and too low you may miss some important solutions for your assets. Note that generating a large number of concurrent reports—20 or more—can take significantly more time than usual. if you schedule the first report to run on October 15. Best practices for using remediation plan templates The remediation plan templates provide information for assessing the highest impact remediation solutions. but you can set the number from 1 to 1000 as you require. and Remediated vulnerabilities with malware kits. Risk score. The default is 25 solutions. Generating a PDF report for 100-plus hosts with 2500-plus vulnerabilities takes fewer than 10 seconds. The amount of time required to generate a report depends on the number of included live IP addresses the number of included vulnerabilities—if vulnerabilities are being included—and the level of details in the report template. You may want to run monthly vulnerability reports to anticipate the release of Microsoft hotfix patches. The application can generate reports simultaneously. Technically. You can use the Remediation Display settings to specify the number of solutions you want to see in a report. Compliance programs. Remediation display settings Nexpose User’s Guide 153 . For example. If you configured the report to run immediately on a one-time basis. Click Run the report. Past 3 months. For example. 2. you will have the option to configure additional properties. and you will have eight data points in your report.Best practices for using the Vulnerability Trends report template The Vulnerability Trends template provides information about how vulnerabilities in your environment have changed have changed over time. use the following procedure: 1. 3. Each data point is the equivalent of a complete report. Vulnerability trend data range 4. you can save the report configuration by clicking Save the report. you can set your date range for a weekly interval for a two-month period. you will see a button for running the report. either by selecting Run a recurring report after every scan or Run a recurring report in a schedule in the Frequency section (see Configuring report frequency on page 152). Configure other settings that you require for the report. editing. or years. and running reports on page 140. Select Vulnerability Trend Date Range. Saving or running the newly configured report After you complete a basic report configuration. Past 6 months. editing. or Custom range. The time range you set controls the number of data points that appear in the report. If you have configured the report to run in the future. and specify the interval. To ensure readability of the report and clarity of the charts there is a limit of 15 data points that can be included in the report. It may take a long time to complete.. Even if you configure the report to run automatically with one of the frequency settings. and running reports on page 140. such as those for distributing the report. enter a start date. Select from pre-set ranges of Past 1 year. When you click it. You can configure the time range for the report to see if you are improving your security posture and where you can make improvements. See Viewing. end date. months. To set a custom range. To configure the time range of the report. See Viewing.. Running a one-time report immediately Nexpose User’s Guide 154 . you can run the report manually any time you want if the need arises.. Click Configure advanced settings. 5.. either days. You can access those properties by clicking Configure advanced settings. NOTE: Ensure you schedule adequate time to run this report template because of the large amount of data that it aggregates. the Security Console will automatically save the report configuration for future use. See Starting a new report configuration on page 142. Baseline scan selection 4.Selecting a scan as a baseline Designating an earlier scan as a baseline for comparison against future scans allows you to track changes in your network. or Use scan from a specific date to specify which scan to use as the baseline scan. and vulnerabilities that were mitigated or remediated. assets and services that are no longer available. 5. 1. 3. Use previous scan. Click Use first scan. services and vulnerabilities. Possible changes between scans include newly discovered assets. 2. Nexpose User’s Guide 155 . Go to the Create a report panel. 6.. Click Save the report when you are finished configuring the report template. You must select the Baseline Comparison report template in order to be able to define a baseline. Click Configure advanced settings.. Click Baseline Scan selection. Click the calendar icon to select a date if you chose Use scan from a specific date. Nexpose User’s Guide 156 . and it is given the report owner's user name..Distributing. 2. you will automatically become the report owner. it stores it in the reports directory on the Security Console host: [installation_directory]/nsc/reports/[user_name]/ You can configure the application to also store a copy of the report in a user directory for the report owner. You can control how reports are distributed to users.. only a Global Administrator and the designated report owner can see that report on the Reports page. Report File Storage 3. you can certain properties related to the data export. whether they are sent in e-mails or stored in certain directories. See Storing reports in report owner directories on page 156. you can assign ownership of the report one of a list of users. You also can have a copy of the report stored in the report owner’s directory. Enter the report owner’s name in the directory field $(install_dir)/nsc/ reports/$(user). 1. You can restrict report access to one user or a group of users. you have a number of options related to how the information will be consumed and by whom. sharing. If you are exporting report information to external databases. If you are a Global Administrator. and exporting reports When configuring a report. If you are not a Global Administrator. You can restrict sections of reports that contain sensitive information so that only specific users see these sections. Replace (user) with the report owner’s name. It is a subdirectory of the reports folder. Click Report File Storage. See the following sections for more information: • • • • • • Working with report owners on page 156 Managing the sharing of reports on page 157 Granting users the report-sharing permission on page 159 Restricting report sections on page 163 Exporting scan data to external databases on page 165 Configuring data warehousing settings on page 165 Working with report owners After a report is generated. Storing reports in report owner directories When the application generates a report. on the Create a report panel. Click Configure advanced settings. which was created on the General section of the Create a Report panel After you create the path and run the report. if you specify the path windows_scans/$(date). This expands a report owner’s ability to provide important security-related updates to a targeted group of stakeholders. However. he or she can select a report owner. In the console Web interface. For example. NOTE: The granting of this report-sharing permission potentially means that individuals will be able to view asset data to which they would otherwise not have access. you can access the newly created report at: reports/[report_owner]/windows_scans/$(date)/[hex_number]/ [report_file_name] Consider designing a path naming convention that will be useful for classifying and organizing reports. the application creates the report owner’s user directory and the subdirectory path that you specified on the Output page. Click the Distribution link in the left navigation column to go the Distribution page. Within this subdirectory will be another directory with a hexadecimal identifier containing the report copy. Administering the sharing of reports involves two procedures for administrators: • • configuring the application to redirect users who click the distributed report URL link to the appropriate portal granting users the report-sharing permission Report owners who have been granted report-sharing permission can then create a report access list of recipients and configure report-sharing settings. This will become especially useful if you store copies of many reports. NOTE: If a report owner creates an access list for a report and then copies that report. When a Global Administrator creates a report. For example. Available variables include: • • • • $(date): the date that the report is created. variables. a report owner may want members of an internal IT department to view vulnerability data about a specific set of servers in order to prioritize and then verify remediation tasks. When any other user creates a report. a report and any generated instance of that report. he or she automatically becomes the owner of the new report. the copy will not retain the access list of the original report. is visible only to the report owner or a Global Administrator.You can use string literals. Another option for sharing reports is to distribute them via e-mail. The owner would need to create a new access list for the copied report. it is possible to give a report owner the ability to share instances of a report with other individuals via e-mail or a distributed URL. See Managing the sharing of reports on page 157. or a combination of these to create a directory path. Nexpose User’s Guide 157 . format is yyyy-MM-dd $(time): the time that the report is created. Managing the sharing of reports Every report has a designated owner. format is HH-mm-ss $(user): the report owner’s user name $(report_name): the name of the report. xml configuration file.net/directory_path${variable}?loginRedir="/> </reports> 2. </reportMessage> </reportEmail> <reportLinkURL altURL="base_url. See the branding guide. The element reportLinkURL includes an attribute called altURL. See attached zip file. Add or edit the reports sub-element to include the reportLinkURL element with the altURL attribute set to the appropriate destination.xml file. Open the oem. you can create the file. Save and close the oem. To specify a redirected URL: 1. which is located in [product_installation-directory]/nsc/ conf. See attached files. </reportMessage> <reportMessage type="zip">Your Nexpose (${report-name}) was generated on ${report-date}. with which you can specify the redirect destination.com</reportSender> <reportSubject>Nexpose: ${report-name} </reportSubject> <reportMessage type="link">Your report (${report-name}) was generated on ${report-date}: ${report-url} </reportMessage> <reportMessage type="file">Your report (${report-name}) was generated on ${report-date}. as in the following example: <reports> <reportEmail> <reportSender>account@exampleinc. you have to add an element to the oem. 4.xml file.Configuring URL redirection By default. If the file does not exist. To redirect users who click the distributed report URL link to the appropriate portal. Restart the application. Nexpose User’s Guide 158 . which you can request from Technical Support. 3. URLs of shared reports are directed to the Security Console. Select the check box labeled Add Users to Report. They can also assign this permission to others users or roles. 1. Select the permission Add Users to Report. 4. To assign the permission to an existing user use the following procedure: 1. and click the manage link next to Users. Select the Custom role from the drop-down list on the Roles page. 2. 2. They will not be able to edit or copy it. or if you have been granted permission to share reports. Click Save when you have finished configuring the account settings.Granting users the report-sharing permission Global Administrators automatically have permission to share reports. 6. Nexpose User’s Guide 159 . 5. (Optional) Go to the Users page and click the Edit icon for one of the listed accounts. Click Save when you have finished configuring the account settings. you can create an access list of users when configuring a report. Assigning the permission to a new user involves the following steps. 3. Select any other permissions as desired. Go to the Administration page. Go to the Administration page. Select any other permissions as desired. 3. (Optional) Go to the Users page and click New user. Creating a report access list If you are a Global Administrator. 5. Click the Roles link in the User Configuration panel. and click the Create link next to Users. 4. Select the Custom role from the drop-down list on the Roles page. Configure the new user’s account settings as desired. Click the Roles link in the User Configuration panel. NOTE: You also can grant this permission by making the user a Global Administrator. These users will only be able to view the report. Click Configure advanced settings. Click Run the report when you have finished configuring the report. including the settings for sharing it. on the Create a report panel. The selected users appear in the report access list. Click Configure advanced settings. Click Distribution. NOTE: Adding a user to a report access list potentially means that individuals will be able to view asset data to which they would otherwise not have access.. Click Access. Using the Web-based interface to configure report-sharing settings You can share a report with your access list either by sending it in an e-mail or by distributing a URL for viewing it. you can select a report owner. Report Distribution Nexpose User’s Guide 160 . you are automatically the report owner. use the following procedure: 1.. take the following steps: 1.Using the Web-based interface to create a report access list To create a report access list with the Web-based interface. 2. 4. you must configure URL redirection.. Select the check box for each desired user. Report Access 3. Click Done. 2. 5. Click Add User to select users for the report access list. If you are a Global Administrator or have Super-User permissions. A list of user accounts appears. Otherwise. 6.. on the Create a report panel. NOTE: Before you distribute the URL. To share a report. or select the check box in the top row to select all users. With the Delivery sub-element of ReportConfig. For example. Select the method to send the report as: File or Zip Archive. 10. Adding a user to a report access list potentially means that individuals will be able to view asset data to which they would otherwise not have access.3. you can use the sendToAclAs attribute to specify how to distribute reports to your selected users.com and SMTP relay server: mail. zip. including the settings for sharing it. Enter the recipient’s e-mail addresses in the Other recipients field. Select the check box to send the report to the report owner.com. File. Select the check box to send the report to users on a report access list. see the API guide. 11. For specific instructions on using API v1. the Security Console does not send the e-mails and will report an error in the log files. Additional Report Recipients 8. or Zip Archive. Enter the addresses of e-mail recipients. E-mail sender address: j_smith@example. 4. or url. the application searches for a suitable mail server for sending reports. The elements for creating an access list are part of the ReportSave API. you can specify the IDs of the users whom you want add to the report access list. Creating a report access list and configuring report-sharing settings with the API NOTE: This topic identifies the API elements that are relevant to creating report access lists and configuring report sharing. 6. Select the method to send the report as: URL. which is part of the API v1. a firewall may prevent the application from accessing your network’s mail server. 9. NOTE: You cannot distribute a URL to users who are not on the report access list. Click Run the report when you have finished configuring the report.1: • • With the Users sub-element of ReportConfig. Possible values include file. which you can download from the Support page in Help. 7. For example. (Optional) Select the check box to send the report to all users with access to assets in the report.2.server. If no SMTP server is available. You may require an SMTP relay server for one of several reasons. Enter the sender’s e-mail address and SMTP relay server. 5. If you leave the SMTP relay server field blank.1 and Extended API v1. Nexpose User’s Guide 161 . (Optional) Select the check box to send the report to users that are not part of an access list. one per line. see the section API overview in the API guide.To create a report access list: NOTE: To obtain a list of users and their IDs. Log on to the application. 1. which you can download from the Support page in Help. For general information on accessing the API and a sample LoginRequest. use the MultiTenantUserListing API. For a LogoutRequest example. Specify the user IDs you want to add to the report access list and the manner of report distribution using the ReportSave API.2. which is part of the Extended API v1. see the API guide. For additional. see the API guide. 2. detailed information about the ReportSave API. Nexpose User’s Guide 162 . as in the following XML example: <ReportSaveRequest generate-now="1" sync-id="String" session-id="48D86A19D786361DE4B862C69EE0768BCC69396B"> <ReportConfig name="r6" timezone="" owner="15" template-id="baseline-comparison" id="11" format="pdf"> <description> <a href="String"> <p>text</p> </a> </description> <Filters> <filter id="1" type="site"> </filter> </Filters> <Users> <user id="16"/> <user id="17"/> </Users> <Baseline compareTo=""/> <Delivery> <Storage storeOnServer="1"> </Storage> 3. log off. If you have no other tasks to perform. see the section API overview in the API v1. Nexpose User’s Guide 163 .1 guide. <SiloProfileUpdateRequest session-id="E6B508C469F4EE1988985C49BE36D1CD0FACAEE6" sync-id="SILO-PROFILE-CREATE-0001-004"> <SiloProfileConfig all-global-report-templates="1" all-global-engines="1" all-global-scan-templates="1" all-licensed-modules="1" description="silo profile description" id="myprofile-10" name="My SiloProfile Name 10"> <RestrictedReportSections> <RestrictedReportSection name="BaselineComparison"/> </RestrictedReportSections> </SiloProfileConfig> </SiloProfileUpdateRequest> 3. or which users can create reports with certain sections. whether it is one of the preset templates that ship with the product or a customized template created by a user in your organization. In the following example. It contains the sub-element RestrictedReportSection for which the value string is the name of the report section that you want to restrict. Restricting report sections involves two procedures: NOTE: Only a Global Administrator can perform these procedures. This XML example of SiloProfileUpdateRequest includes the RestrictedReportSections element.Restricting report sections Every Nexpose report is based on a template. which you can download from the Support page in Help. Identify the report section you want to restrict. the Baseline Comparison report section will become restricted. • • setting the restriction in the API granting users access to restricted sections Setting the restriction for a report section in the API The sub-element RestrictedReportSections is part of the SiloProfileCreate API for new silos and SiloProfileUpdate API for existing silos. For example. allowing you to look at scan data in a specific way. log off. 1. A template consists of one or more sections. If you have no other tasks to perform. For general information on accessing the API and a sample LoginRequest. if your company is an Approved Scanning Vendor (ASV). Security policies in your organization may make it necessary to control which users can view certain report sections. Log on to the application. you may only want a designated group of users to be able to create reports with sections that capture Payment Card Industry (PCI)-related scan data. Each section contains a subset of information. 2. 2. The Baseline Comparison section is now restricted. Click Roles in the User Configuration panel. Select any other permissions as desired. NOTE: You also can grant this permission by making the user a Global Administrator. Click Save when you have finished configuring the account settings. 5. Nexpose User’s Guide 164 . they will see an error message indicating that they do not have permission to do so. 2. 4. The console displays the Roles page. The console displays the Roles page. 3. (Optional) Go to the Users page and click New user. Go to the Administration page. Select the check box labeled Generate Restricted Reports. For additional. For a LogoutRequest example. Select the Custom role from the drop-down list. Click Save when you have finished configuring the account settings. and click the manage link next to Users. Permitting users to generate restricted reports Global Administrators automatically have permission to generate restricted reports. 5. Click the Roles link in the User Configuration panel. 7. Select the Custom role from the drop-down list. They can generate reports that include the Baseline Comparison section. 1. use the SiloProfileConfig API. see API guide. Go to the Administration page. 3. This has the following implications for users who have permission to generate reports with restricted sections: • • They can see Baseline Comparison as one of the sections they can include when creating custom report templates. detailed information about the SiloProfile API. Select the check box labeled Generate Restricted Reports.NOTE: To verify restricted report sections. 6. Select any other permissions as desired. The restriction has the following implications for users who do not have permission to generate reports with restricted sections: • • These users will not see Baseline Comparison as one of the sections they can include when creating custom report templates. 7. 4. 6. Configure the new user’s account settings as desired. They can also assign this permission to others users. See the API guide. If these users attempt to generate reports that include the Baseline Comparison section. see the API guide. To assign the permission to a new user: 1. Assigning the permission to an existing user involves the following steps. and click the Create link next to Users. OR (Optional) Go to the Users page and click the Edit icon for one of the listed accounts. 6. Click Save. Enter a server port if you want to specify one other than the default. Go to the Schedule page. the warehousing process may take a long time to complete. In Oracle. Click manage next to Data Warehousing on the Administration page. To configure data warehouse settings: 1. Select a date and time to start automatic exports. 3. NOTE: Due to the amount of data that can be exported. 5. MySQL. 4. the Report Configuration—Output page contains fields specifically for transferring scan data to a database. Select an interval to repeat exports. You can use this feature to obtain a richer set of scan data for integration with your own internal reporting systems. and select the check box to enable data export. 6. Check the database to make sure that the scan data has populated the tables after the application completes a scan. 2.Exporting scan data to external databases If you selected Database Export as your report format. 5. 3. create a new database called nexpose with administrative rights. Nexpose User’s Guide 165 . 4. You can configure warehousing settings to store scan data or to export it to a PostgreSQL database. Enter the IP address of the database server. This is a technology preview of a feature that is undergoing expansion. 2. or Microsoft SQL Server. you must set up a JDBC-compliant database. 1. You can also disable this feature at any time. Enter the IP address and port of the database server. Configuring data warehousing settings NOTE: Currently. Before you type information in these fields. Enter database server settings on the Database page. Enter the administrative user ID and password for logging on to that database. Go to the Database Configuration section that appears when you select the Database Export template on the Create a Report panel. this warehousing feature only supports PostgreSQL databases. 7. Enter a name for the database. you must use the following PCI-mandated report templates for PCI scans as of September 1. 2010: • • • Attestation of Compliance PCI Executive Summary Vulnerability Details You may find it useful and convenient to combine multiple reports into one template. when the post-scan phase is completed. and Host Details templates into one report that you can present to the customer for the initial review. NOTE: PCI Attestation of Scan Compliance is one self-contained section. Cover Page Payment Card Industry (PCI) Scan Information Payment Card Industry (PCI) Component Compliance Summary Payment Card Industry (PCI) Vulnerabilities Noted Payment Card Industry (PCI) Special Notes PCI Vulnerability Details includes the following sections: Cover Page Table of Contents Payment Card Industry (PCI) Scan Information Payment Card Industry (PCI) Vulnerability Details PCI Host Detail contains the following sections: Table of Contents Payment Card Industry (PCI) Scan Information Payment Card Industry (PCI) Host Details To consolidate reports into one custom template: NOTE: Due to PCI Council restrictions. Select the Manage report templates tab on the Reports page. Nexpose User’s Guide 166 . you can create another template that includes the PCI Attestation of Compliance with the other two templates for final delivery of the complete report set. a customized report that mixes PCI report sections with non-PCI report sections may have section numbers that appear out of sequence. Afterward. section numbers of PCI reports are static and cannot change to reflect the section structure of a customized report. For example you can create a template that combines sections from the Executive Summary. Click New to create a new report template. 2. The console displays the Create a New Report Template panel.For ASVs: Consolidating three report templates into one custom template If you are an approved scan vendor (ASV). PCI Executive Summary includes the following sections: • • • • • • • • • • • • 1. Vulnerability Details. Therefore. Enter a name and description for your custom report on the View Reports page. Select a level of vulnerability detail to be included in the report from the dropdown list. The Security Console displays the Manage report templates page with the new report template. an error message is displayed. Locate the PCI report sections and click Add>.Consolidated report template for ASVs. 7. 3. Click Save. Nexpose User’s Guide 167 . REMEMBER: If you use sections from PCI Executive Summary or PCI Attestation of Compliance templates. Select the document template type from the drop-down list. 6. 5. 2010. REMEMBER: Do not use sections related to “legacy” reports. These are deprecated and no longer sanctioned by PCI as of September 1. The report name is unique. If you attempt to select a different format. 4. you will only be able to use the RTF format. 8. Specify if you want to display IP addresses or asset names and IP addresses on the template. you may create a document template with the Discovered Vulnerabilities section or create a data export template with vulnerability-related attributes. After you create or upload a custom report template. if you want a report that lists assets organized by risk level. Otherwise. see Report templates and sections on page 272. For example. For example. scan information in your reports as your needs dictate. If you are new to the application. You can also upload a custom report template that has been created by Rapid7 at your request to suit your specific needs. Each template includes a specific set of information sections. Fine-tuning information with custom report templates Creating custom report templates enables you to include as much. Templates that have been created for you will be provided to you. you will find built-in templates especially convenient for creating reports. Nexpose User’s Guide 168 .Contact your account representative for information about having custom report templates designed for your needs. This template would include only the Discovered System Information section. or as little. it appears in the list of available templates on the Template section of the Create a report panel.rapid7. These templates organize and emphasize asset and vulnerability data in different ways to provide multiple looks at the state of your environment’s security.com/. To learn about built-in report templates and the information they include. if you want a report that only lists vulnerabilities. Or.Configuring custom report templates The application includes a variety of built-in templates for creating reports. As you become more experienced with the application and want to tailor reports to your unique informational needs. custom report templates can be designed to provide high-level information presented in a dashboard format with charts for quick reference that include asset or vulnerability information that can be tailored to your requirements. you may find it useful to create or upload custom report templates. you can download additional report templates in the Rapid7 Community Web site https://community. a custom report might be the best solution. See Working with externally created report templates on page 172. you can further manipulate the data using pivot tables or other spreadsheet features. The Create a New Report Template panel Start to create a new report template. • • Nexpose User’s Guide 169 . You will select the file to upload in the Content section of the Create a New Report Template panel. and HTML— are convenient for sharing information to be read by stakeholders in your organization. Enter a name and description for the new template on the General section of the Create a New Report Template panel. The Manage report templates panel appears. PDF. Select the template type from the Template type drop-down list: • With a Document template you will generate section-based. contact your account representative for license options. See Working with externally created report templates on page 172.You must have permission to create a custom report template. that you can share with stakeholders in your organization. 1. the format is identified in the template name. Click New. With an export template. With the Upload a template file option you can select a template file from a library. click the Licensing link. 2. Click the Reports tab. CSV format is useful for integrating check results into spreadsheets. Because the output is CSV. Some of the formats available for this template type—Text. you must have the Customizable CSV export featured enabled. In the Security Console Configuration panel. you can find out if your license enables a specific feature. See Using Excel pivot tables to create custom reports from a CSV file on page 174. The Security Console displays the Create a New Report panel. To create a custom report template. To find out if you do. To use this template type. consult your Global Administrator. TIP: If you are a Global Administrator. 3. such as executives or security team members tasked with performing remediation. either comma-separated-value (CSV) or XML files. If it is not. RTF. human-readable reports that contain asset and vulnerability information. Click Manage report templates. Click the Administration tab and then the Manage link for the Security Console. 2. take the following steps: 1. Complete except for solutions includes basic information about vulnerabilities. See Selecting a scan as a baseline on page 155 for information about designating a scan as a baseline. 11. CVSS score.NOTE: The Vulnerability details setting only affects document report templates. (Optional) Add the Baseline Comparison section to select the scan date to use as a baseline. Click Save. Nexpose User’s Guide 170 . and date published. 10. 7. 9. Vulnerability details filter the amount of information included in document report templates: • • • • 4. Complete includes all vulnerability-related data. 3. See Report templates and sections on page 272. 8. such as title. (Optional) Click <Remove to take sections out of the report. logo. scan date. Minimal (title and risk metrics) excludes vulnerability solutions. None excludes all vulnerability-related data. It does not affect data export templates. (Optional) Add the Executive Summary section to enter an introduction to begin the report. and headers and footers. (Optional) Add the Cover Page section to include a cover page. (Optional) Clear the check boxes to Include scan data and Include report date if you do not want the information in your report. Set the order for the sections to appear by clicking the up or down arrows. report date. See Adding a custom logo to your report on page 171 for information on file formats and directory location for adding a custom logo. Select a level of vulnerability details from the drop-down list in the Content section of the Create a New Report Template panel. severity level. Select the sections to include in your template and click Add>. 6. Display asset names only Display asset names and IP addresses Select your display preference: • • 5. and the date that the report was generated. 4. 3. You can easily customize a cover page to include your own title and logo. depending on the report template. Example: image:file_name. the date of the scan that provided the data for the report. Enter a title in the Add title field. Restart the Security Console. Do not insert a space between the word “image:” and the file name. Nexpose User’s Guide 171 . NOTE: Logos can be JPEG and PNG logo formats. • • 2. Click Save.png. a document report cover page includes a generic title. Go to the Cover Page Settings section of the Create a New Report Template panel. 6. Copy the logo file to the designated directory of your installation.Adding a custom logo to your report By default. In Windows: C:\Program Files\[installation_directory]\shared\reportImages\custom\silo\default. In Linux: /opt/[installation_directory]/shared/reportImages/custom/silo/ default. It also may include the Rapid7 logo or no logo at all. See Cover Page on page 282. Enter the name of the file for your own logo. 5. preceded by the word “image:” in the Add logo field. the name of the report. To display your own logo on the cover page: 1. 2. 4. externally created custom template files must be approved by Rapid7 and archived in the . These templates may have been provided directly to your organization or they may have been posted in the Rapid7 Community at https://community. See Fine-tuning information with custom report templates on page 168 for information about requesting custom report templates. Nexpose User’s Guide 172 . Click the Reports tab in the Web interface. Select the report template file and click Open. Making one of these externally created templates available in the Security Console involves two actions: 1. downloading the template to the workstation that you use to access the Security Console uploading the template to the Security Console using the Reports configuration panel After you have downloaded a template archive. Select Upload a template file from the Template type drop-down list.JAR format. The Manage report templates panel appears. Also. Click Save. Enter a name and description for the new template on the General section of the Create a New Report Template panel. 2. 5. Upload a report template file 6. 3. The report template file appears in the Select file field in the Content section. Click Manage report templates.Working with externally created report templates NOTES: Your license must enable custom reporting for the template upload option to be available.rapid7. Beyond these options. NOTE: Contact Technical Support if you see errors during the upload process.com/community/nexpose/report-templates. take the following steps: 1. Click New. Click Browse in the Select file field to display a directory for you to search for custom templates. 8. you may want to use compatible templates that have been created outside of the application for your specific business needs. 7. The Security Console displays the Create a New Report Template panel. The custom report template file will now appear in the list of available report templates on the Manage report templates panel. The application provides built-in report templates and the ability to create custom templates based on those built-in templates. or Vulnerability Details). but contains additional attributes: • • • • • Exploit Title Malware Kit Name(s) PCI Compliance Status Scan ID Scan Template • • • • Site Name Site Importance Vulnerability Risk Vulnerability Since Exploit IDs Exploit Skill Needed Exploit Source Link Exploit Type • NexposeTM Simple XML is also a “raw XML” format. HTML can be opened and viewed in a Web browser.Working with report formats The choice of a format is important in report creation. and edited in any text editing program.0 is similar to XML Export. and edited in Microsoft Word. 2010 (Attestation of Compliance. RTF can be opened. Working with human-readable formats Several formats make report data easy to distribute. viewed. Working with XML formats Various XML formats make it possible to integrate reports with third-party systems. TIP: For information about XML export attributes. PDF can be opened and viewed in Adobe Reader. That section describes similar attributes in the CSV export template. PDF reports with UTF-8 fonts tend to be slightly larger in file size. but they also can have some influence on what information appears in reports. open. or a custom template made with sections from these templates. viewed. Its contents must be parsed so that other systems can use its information. This format is preferable if you need to edit or annotate the report. If you are using one of the three report templates mandated for PCI scans as of September 1. PCI Executive Summary. Formats not only affect how reports appear and are consumed. make sure that UTF-8 fonts are properly installed on your host computer. • • • • • • • Asset Risk XML Export. also known as “raw XML. see Export template attributes on page 287.” contains a comprehensive set of scan data with minimal structure. you can only use the RTF format. Text can be opened. XML Export 2. some of which have slightly different names. It contains a subset of the data available in the XML Export format: • • • • hosts scanned vulnerabilities found on those hosts services scanned vulnerabilities found in those services Nexpose User’s Guide 173 . and read immediately: • • • • NOTE: If you wish to generate PDF reports with Asian-language characters. It is ideal for integration of scan data with the Metasploit vulnerability exploit framework. These three templates require ASVs to fill in certain sections manually. However. If you have Microsoft Excel installed on the computer with which you are connecting to the Security Console. the output lists results based on the most recent overrides as of the time the output was generated. These instructions reflect Excel 2007. Working with CSV export You can open a CSV (comma separated value) report in Microsoft Excel. Certain entities are required by the U. download the CSV file from the Reports page. Other versions of Excel provide similar workflows. The CSV Export format works only with the Basic Vulnerability Check Results template and any Data-type custom templates. CyberScope XML Export organizes scan data for submission to the CyberScope application. XML arranges data in clearly organized. the output identifies the most recent override as of the time the report was run. See Overriding rule test results on page 111. Following are instructions for using pivot tables. If any results were overridden. Then.S. Using Excel pivot tables to create custom reports from a CSV file The pivot table feature in Microsoft Excel allows you to process report data in many different ways. XCCDF Results XML Report provides information about compliance tests for individual USGCB or FDCC configuration policy rules. Use it to help you understand how the data is organized and how you can customize it for your own needs. Office of Management and Budget to submit CyberScope-formatted data as part of a monthly program of reporting threats. human-readable XML and is ideal for exporting to other document formats. XML Export 2. the output does not identify overrides as such or include the override history. In fact. click the link for the CSV file on the Reports page. Nexpose User’s Guide 174 . The XML output includes details about the rule itself followed by data about the scan results. See Overriding rule test results on page 111. See Fine-tuning information with custom report templates on page 168. If you do not have Excel installed on the computer with which you are connecting to the console. essentially creating multiple reports one exported CSV file. It is a powerful and versatile format. If any results were overridden.• • • • • SCAP Compatible XML is also a “raw XML” format that includes Common Platform Enumeration (CPE) names for fingerprinted platforms. Not only does it contain a significantly greater amount of scan information than is available in report templates. This will start Microsoft Excel and open the file. *Qualys is a trademark of Qualys. and transfer it to a computer that has Excel installed. This format supports compliance with Security Content Automation Protocol (SCAP) criteria for an Unauthenticated Scanner product. Two CSV formats are available: • • CSV Export includes comprehensive scan data XCCDF Human Readable CSV Report provides test results on individual assets for compliance with individual USGCB or FDCC configuration policy rules. use the following procedure. but you can easily use macros and other Excel tools to manipulate this data and provide multiple views of it.0 contains the most information. Its schema can be downloaded from the Support page in Help. Qualys* XML Export is intended for integration with the Qualys reporting framework. Inc. Each report is dedicated to one rule. it contains all the information captured during a scan. Click OK. NOTE: The severity field is not related to the severity score in PCI reports. 7. Example 1: Creating a report that lists the five most numerous exploited vulnerabilities 1. and then select the PivotTable icon. To the right of this sheet is a bar with the title PivotTable Field List. which is listed in the Severity column. 3. 3. 9. The application assigns each vulnerability a severity level. Click the drop-down arrow in column A to change the number of listed vulnerabilities to five. A count of vulnerability IDs appears in column B. Enter 5 in the Top 10 Filter dialog box and click OK. and then Top 10. See How vulnerability exceptions appear in XML and CSV formats on page 177 for a list of result codes and their descriptions. Most of these fields re self-explanatory. 5. and whether exploits are available. Severe. vulnerability age and prevalence. Drag vuln-id to the Row Labels pane. Excel opens a new. 4.. as in the three following examples.. 10. appears. blank sheet. which you will use to create reports. Click OK to accept the default settings. Select ve for exploited vulnerabilities. The resulting report lists the five most numerous exploited vulnerabilities. 8. 4. Start the process for creating a pivot table. Click the Insert tab. The Create Pivot Table dialog box. 2. Click drop-down arrow in column B to display result codes that you can include in the report. Drag vuln-id to the Values pane. Select all the data. The severity field provides numeric severity ratings. Nexpose User’s Guide 175 . 2. • • • 8 to 10 = Critical 4 to 7 = Severe 1 to 3 = Moderate The next steps involve choosing fields for the type of report that you want to create. Select the option for multiple items. and Moderate—reflect how much risk a given vulnerability poses to your network security. including CVSS scores. The application uses various factors to rate severity. Select Value Filters. The three severity levels—Critical. 6. Drag result-code to the Report Filter pane. The result-code field provides the results of vulnerability checks. Row labels appear in column A.To create a custom report from a CSV file: 1. In the top pane of this bar is a list of fields that you can add to a report. 20. Click the drop-down arrow appears in column B and select Label Filters.Example 2: Creating a report that lists required Microsoft hot-fixes for each asset 1. 8. 11.. Drag host to the Row Labels pane. Click OK. Select ve for exploited vulnerabilities. 16. Drag host to the Column Labels pane. Click OK. 4. Drag result-code to the Report Filter pane. confirm that the value is 10. in the Label Filter dialog box. Click the drop-down arrow that appears in column B to display result codes that you can include in the report. Enter the value windows-hotfix. 9. 6. Select Contains. 14. and 10. Click OK. 6. Another of the sheet. 13. Select 8. 19. 7. 15. 9. Drag vuln-titles to the Row Labels pane. 8. in the Label Filter dialog box. in the Top 10 Filter dialog box. 12. Select the option for multiple items. Click vuln-id once in the pane for choosing fields in the PivotTable Field List bar. Click the drop-down arrow appears that column B to display ratings that you can include in the report. 4. Another of the sheet. Select the option for multiple items. 11. Select the option for multiple items. Drag vuln-titles to the Values pane. 9. Select Top 10. enter a value of 1. 7. Nexpose User’s Guide 176 . Click OK. Click the drop-down arrow in column B of the sheet it to display result codes that you can include in the report. Select ve for exploited vulnerabilities and vv for vulnerable versions. 2. Click OK. Drag result-code to the Report Filter pane. The resulting report lists required Microsoft hot-fixes for each asset. The resulting report lists the most critical vulnerabilities and the assets that are at risk.. Drag vuln-id to the Row Labels pane.. Click the drop-down arrow that appears in column A and select Value Filters. Select Greater Than. 18. 12. 17. Click the drop-down arrow that appears next to it and select Label Filters. Drag severity to the Report Filter pane. 5. 5. 10. for critical vulnerabilities... Click OK. 10. Example 3: Creating a report that lists the most critical vulnerabilities and the systems that are at risk 1. 2. 3. 3.. vv (vulnerable. It is for a vulnerability that can be identified because the version of the scanned service or application is associated with known vulnerabilities. exploited): The check was positive as indicated by asset-specific vulnerability tests. Report templates include a section dedicated to exceptions. Vulnerability result codes Each code corresponds to results of a vulnerability check: • • • • • • • • • • • • • • ds (skipped. Nexpose User’s Guide 177 . sd (skipped because of DoS settings): sd (skipped because of DOS settings)—If unsafe checks were not enabled in the scan template. disabled): A check was not performed because it was disabled in the scan template. See Vulnerability Exceptions on page 286. The version of the scanned service or software is associated with known vulnerabilities. ve (vulnerable. In XML and CSV reports. See Configuration steps for vulnerability check settings on page 204.How vulnerability exceptions appear in XML and CSV formats Vulnerability exceptions can be important for the prioritization of remediation projects and for compliance audits. version check): The check was positive. XML: The vulnerability test status attribute will be set to one of the following values for vulnerabilities suppressed due to an exception: exception-vulnerable-exploited . ee (excluded. See Filtering report scope with vulnerabilities on page 148. version check): A check was excluded. potential): The check for a potential vulnerability was positive. vp (vulnerable. ov (overridden. er (error during check): An error occurred during the vulnerability check. uk (unknown): An internal issue prevented the application from reporting a scan result.Exception suppressed version-checked vulnerability exception-vulnerable-potential . ep (excluded. version check): A check for a vulnerability that would ordinarily be positive because the version of the target service or application is associated with known vulnerabilities was negative due to information from other checks. nv (not vulnerable): The check was negative. ev (excluded. exploited): A check for an exploitable vulnerability was excluded. potential): A check for a potential vulnerability was excluded. nt (no tests): There were no checks to perform. exception information is also available. sv (skipped because of inapplicable version): the application did not perform a check because the version of the scanned item is not included in the list of checks. the application skipped the check because of the risk of causing denial of service (DOS). Vulnerabilities with this result appear in the CSV report if the Vulnerabilities found result type was selected in the report configuration.Exception suppressed exploited vulnerability exception-vulnerable-version .Exception suppressed potential vulnerability CSV: The vulnerability result-code column will be set to one of the following values for vulnerabilities suppressed due to an exception. the Database Export format is fairly comprehensive in terms of the data it contains.Working with the database export format You can output the Database Export report format to Oracle. It is not possible to configure what information is included in. and Microsoft SQL Server. or excluded from. MySQL. Like CSV and the XML formats. Nexpose User’s Guide 178 . the database export. Consider CSV or one of the XML formats as alternatives. which is helpful in helping you understand how to you can work with the data. You can request the database export schema from Technical Support. Nexpose provides a schema to help you understand what data is included in the report and how the data is arranged. CSV. is most likely attributable to changes in your environment since the last report. because it is from the most recent scan. Policy checks not enabled: Another reason that policy settings may not appear in a report is that policy checks were not enabled in the scan template. On the other hand. Discovery-only templates: If no vulnerability data appears in a report. The data displayed in the Web interface changes with every scan. The human-readable formats. Scan settings can affect report data Scan settings affect report data in several ways: • • • • • • Lack of credentials: If certain information is missing from a report. showing only one asset. check to see if the scan was configured with proper logon information. such as discovered files. but what data is presented. check to see if the scan was preformed with a discovery-only scan template. spidered Web sites. The application cannot perform many checks without being able to log onto target systems as a normal user would. such as PDF and HTML. an automatically scheduled report that only includes recent scan data is related to a specific. For stakeholders in your organization who need fresh data but don’t have access to the Web interface. then unsafe checks were not enabled in the scan template. Nexpose User’s Guide 179 . such as in the number of discovered assets or vulnerabilities. The data in a report is a static snapshot in time. are intended to display data that is organized by the document report templates. Different report formats can influence report data If you are disseminating reports using multiple formats.0. Manual scans: A manual scan performed under unusual conditions for a site can affect reports. In environments that are constantly changing. consider several factors that may have skewed the data. Variance between the two. For example. run reports more frequently. XML Export 2. XML Export. keep in mind that different formats affect not only how data is presented. Or use the report scheduling feature to automatically synchronize report schedules with scan schedules. Certain vulnerability checks enabled or disabled: If your report shows vulnerabilities than you expected. so that they can help you make more informed security-related decisions. which does not check for vulnerabilities. as with the sd result code in CSV reports. or policy evaluations. multiple-asset site that has automatically scheduled scans.Understanding report content Reports contain a great deal of information. These templates are more “selective” about data to include. Baseline Comparison reports an be very useful. check the scan template to see which checks have been enabled or disabled. The report may include that scan data. Unsafe checks not enabled: If a report shows indicates that a check was skipped because of Denial of Service (DOS) settings. A user runs a manual scan of a single asset to verify a patch update. and export templates essentially include all possible data from scans. It’s important to study them carefully for better understanding. If your report data turns out to be much different from what you expected. for any reason. However. which also lists information about the test that the application performed for each vulnerability on each asset. potential and confirmed vulnerabilities are not differentiated. Again. See Working with vulnerabilities on page 84. A high level of fingerprinting certainty may indicate a greater likelihood of vulnerability. And don’t dismiss these as false positives. and not-vulnerable. instead of redirecting them to an HTTPS server. which includes certainty characteristics. it cannot absolutely verify that the vulnerability is there. Looking beyond vulnerabilities When reviewing reports.Understanding how vulnerabilities are characterized according to certainty Remediating confirmed vulnerabilities is a high security priority. A telnet service is not a vulnerability. so it’s important to look for confirmed vulnerabilities in reports. However. The fact that a vulnerability is a “potential” vulnerability or otherwise not officially confirmed does not diminish the probability that it exists or that some related security issue requires your attention. Study reports to help you manage risk proactively. such as vulnerable-exploited. For example. Potential. The application will flag a vulnerability if it discovers certain conditions that make it probable that the vulnerability exists. you can view the certainty characteristics of a vulnerability on the page that lists details about the vulnerability. You also can examine the scan log for the certainty with which a potentially vulnerable item was fingerprinted. The Report Card report includes a similar status column in one of its tables. In another example. which appears in the Audit report. this is not technically a vulnerability. but this practice may be exposing sensitive data. Status refers to the certainty characteristic. The CSV report includes result codes related to certainty characteristics. If a server on your network is using this protocol to exchange information with a remote computer. If. don’t get thrown off by listings of potential or unconfirmed vulnerabilities. The XML Export and XML Export 2. it's easy for an uninvited party to monitor the transmission. the application may discover a telnet service and list it in a report. look beyond vulnerabilities for other signs that may put your network at risk. You can confirm a vulnerability by running an exploit if one is available. telnet is an unencrypted protocol. or Vulnerable Version. Note that the Discovered and Potential Vulnerabilities section.0 reports include an attribute called test status. How to find out the certainty characteristics of a vulnerability You can find out the certainty level of a reported vulnerability in different areas: • • • • • The PCI Audit report includes a table that lists the status of each vulnerability. it may discover a Cisco device that permits Web requests to go to an HTTP server. Or it may indicate that the version of the scanned operating system or application is vulnerable. it will list the vulnerability as potential or unconfirmed. Nexpose User’s Guide 180 . If you have access to the Web interface. such as Exploited. You may want to consider using SSH instead. A vulnerability with known exploits poses a very concrete risk to your network. check the report configuration to see which sites and assets have been included and omitted. check the report schedule against the scan schedule. Make sure that reports are automatically generated to follow scans if they are intended to show patch verification. make sure to enable the check box labeled Use the last scan data only. The Exploit ExposureTM feature flags vulnerabilities that have known exploits and provides exploit information links to Metasploit modules and the Exploit Database. It also uses the exploit ranking data from the Metasploit team to rank the skill level required for a given exploit. and your scans may reveal more vulnerabilities than you have time to correct. Risk scores are calculated according to different risk strategies. See Working with risk strategies to analyze threats on page 237.000 vulnerabilities. The application calculates risk scores for every asset and vulnerability that it finds during a scan. Report creation settings can affect report data Report settings can affect report data in various ways: • • • • Using most recent scan data: If old assets that are no longer in use still appear in your reports. and you may wonder which problem to tackle first. The scores indicate the potential danger that the vulnerability poses to network and business security based on impact and likelihood of exploit. check the report configuration to vulnerabilities that have been filtered from the report. it is a strongly recommend best practice to immediately remediate any vulnerability that has a live exploit. Report schedule out of sync with scan schedule: If a report is showing no change in the number of vulnerabilities despite the fact that you have performed substantial remediation since the last report was generated. The vulnerability database contains checks for over 12. click Filter report scope based on vulnerabilities and verify the filters are set appropriately to include the categories and severity level you need. On the Scope section of the Create a report panel. regardless of the skill level required for an exploit or the number of known exploits. One effective way to prioritize vulnerabilities is to note which have real exploits associated with them. Assets not included: If a report is not showing expected asset data. so you can see right away Since you can’t predict the skill level of an attacker. Nexpose User’s Guide 181 .Using report data to prioritize remediation A long list of vulnerabilities in a report can be a daunting sight. A higher score warrants higher priority. This information appears in vulnerability listings right in the Security Console Web interface. and if this is not desirable. Prioritize according to risk score Another way to prioritize vulnerabilities is according to their risk scores. Vulnerabilities not included: If a report is not showing an expected vulnerability. They appear in ticket notifications. Options include Problem fixed. Click a link for a ticket name to view or update the ticket. Click the Select Vulnerabilities. click the Close Ticket button on this page. click the Open a ticket button. Assign the ticket to a user who will be responsible for overseeing the remediation work flow. button.. and the list of tickets on the Tickets page. To do so. ranging from Critical to Low. Nexpose User’s Guide 182 .Using tickets You can use the ticketing system to manage the remediation work flow and delegate remediation tasks. NOTE: If you need to assign the ticket to a user who does not appear on the drop down list. reports. Select the check boxes for all the vulnerabilities you wish to include in the ticket. and click the Save button. See the following section for details about editing tickets. The priority of a ticket is often associated with external ticketing systems. Adding vulnerabilities Go to the Ticket Configuration—Vulnerabilities page. you must first add that user to the associated asset group. Each ticket is associated with an asset and contains information about one or more vulnerabilities discovered during the scanning process. The status of the ticket appears in the Ticket State field. Opening a ticket When you want to create a ticket for a vulnerability. The console displays the General page of the Ticket Configuration panel. Viewing tickets Click the Tickets tab to view all active tickets. You can get to that page by selecting a view option on the Assets page and following the sequence of console pages that ends with asset. Assign a priority to the ticket. The console displays the Tickets page. type name for the new ticket. From the Tickets page. These names are not unique. On the Ticket Configuration–General page. The selected vulnerabilities appear on the Vulnerabilities page. and open a new ticket.. depending on factors such as the vulnerability level. including remediation guidance. See Locating assets by sites on page 79. You can click the link for any vulnerability to view details about it. you also can click the link for an asset's address to view information about that asset. Only accounts that have access to the affected asset appear in the list. The state changes as the ticket issue is addressed. The console displays a box that lists all reported vulnerabilities for the asset. To do so. You cannot modify this field in the panel. which appears at the bottom of the Vulnerability Listings pane on the detail page for each asset. The console displays a box with a drop down list of reasons for closing the ticket. Add any other relevant information in the dialog box and click the Save button. See Locating assets on page 78. Problem not reproducible. You can close the ticket to stop any further remediation action on the related issue. and Problem not considered an issue (policy reasons). select a user name from the drop down list labeled Assigned To. Creating and updating tickets The process of creating a new ticket for an asset starts on the Security Console page that lists details about that asset. Click Save. Go to the Ticket Configuration—History page. Click the Add Comments. 2. As Nexpose users and administrators add comments related to the work flow. or other issues. The console displays all comments on the History page. 3. you can track the remediation progress..Updating ticket history You can update coworkers on the status of a remediation project. by annotating the ticket history. 1. where you can type a comment. or note impediments. button. questions. Nexpose User’s Guide 183 . The console displays a box.. This section provides best practices for scan tuning and guides you through the steps of creating a custom scan template. This section guides you through configuration steps. Working with risk strategies to analyze threats on page 237: The application provides several strategies for calculating risk. It also provides guidance for changing risk strategies and supporting custom strategies. Nexpose User’s Guide 184 . Tune provides guidance on adjusting or customizing settings for scans. This section explains how each strategy emphasizes certain characteristics. and configuration assessment. view. allowing you to check your environment for compliance with your organization’s unique configuration policies. Creating a custom policy on page 222: You can create custom configuration policies based an USGCB and FDCC policies. allowing you to analyze risk according to your organization’s unique security needs or objectives. you may want to adjust settings of features that these operations. • • • Working with scan templates and tuning scan performance on page 185: After familiarizing yourself with different built-in scan templates. risk calculation. and share security information.Chapter 5 Tune As you use the application to gather. you may want to customize your own scan templates for maximum speed or accuracy in your network environment. The following section provides best practices for scan tuning and instructions for working with scan templates. and familiarity with how the application works. finesse. Most importantly. Doing so will help you look at scan template configuration in the more meaningful context of your environment. This introductory section talks about why you would tune scan performance and how different builtin scan templates address different scanning needs: • • • Defining your goals for tuning on page 186 The primary tuning tool: the scan template on page 190 See also the appendix that compares all of our built-in scan templates and their use cases: Scan templates on page 254 Familiarizing yourself with built-in templates is helpful for customizing your own templates. you need to understand your unique network environment. If you change one setting to attain a certain performance boost. You can create a custom template that incorporates many of the desirable settings of a built-in template and just customize a few settings vs. Tuning scans is a sensitive process. Make sure to familiarize yourself with scan template elements before changing any settings. Before you tweak any scan templates. creating a new template from scratch.Working with scan templates and tuning scan performance You may want to improve scan performance. You may want to make scans faster or more accurate. Also. keep in mind that tuning scan performance requires some experimentation. it is important for you to know two things: • • What your goals or priorities for tuning scans? What aspects of scan performance are you willing to compromise on? Identify your goals and how they’re related to the performance “triangle. go to the following section: • Configuring custom scan templates on page 192 Nexpose User’s Guide 185 .” See Keep the “triangle” in mind when you tune on page 187. you may find another aspect of performance diminished. Or you may want scans to use fewer network resources. To create a custom scan template. The security console runs out of memory if you perform too many simultaneous scans. make sure you know why you’re doing it. as in the following scenarios: • • • • Scans are missing assets. Vulnerability checks are not occurring at a sufficient depth. Scans are missing services. or other network resources. as in the following scenarios: • • • Your scans are taking up too much bandwidth and interfering with network performance for other important business processes. requiring you to perform “deeper” authenticated scans. Nexpose User’s Guide 186 . The application is reporting too many false positives or false negatives. such as for a site with 300 Windows workstations. You need to able to schedule more scans within the same time window. The computers that host your Scan Engines are maxing out their memory if they scan a certain number of ports. Policy or compliance rules have become more stringent for your organization. is taking an especially long time with no end in sight. but scans may still be in progress when employees in your organization need to use workstations. You need to reduce consumption of network or system resources Your goal may be to lower the hit on resources. You need more accurate scan data Scans may not be giving you enough information. You have to scan more assets in the same amount of time.Defining your goals for tuning Before you tune scan performance. A particular type of scan. servers. You have to scan more assets in less time. terminate the scan and contact Technical Support. What do you want to change? What do you need it to do better? Do you need scans to run more quickly? Do you need scans to be more accurate? Do you want to reduce resource overhead? The following sections address these questions in detail. You need to finish scanning more quickly Your goal may be to increase overall scan speed. You have to scan the same number of assets in less time. This could be a “scan hang” issue rather than simply a slow scan. Your organization may schedule scans for non-business hours. • • • • • Actual scan-time windows are widening and conflicting with your scan blackout periods. as in the following scenarios: • • NOTE: If a scan is taking an extraordinarily long time to finish. but you don't have additional time to do this. One use case is that of a company that holds auctions in various locations around the world. The company's best solution is to use a lot of bandwidth so that scan can finish as quickly as possible. Increasing time availability Providing more time to run scans typically means making scans run faster. It is unrealistic to expect a tuning adjustment to lengthen all three sides of the triangle. In this case it’s possible to reduce scan time without sacrificing accuracy. for example. This company cannot run scans while auctions are in progress because time-sensitive data must traverse the network at these times without interruptions. you often can lengthen two of the three sides.Keep the “triangle” in mind when you tune Any tuning adjustment that you make to scan settings will affect one or more main performance categories. it may be necessary to reduce the level of accuracy by. a high workload may tap resources to the point that the scanning mechanisms could become unstable.000. If you lengthen one side of the triangle—that is. It is helpful to visualize them as a triangle. However. if you favor one performance category—you will shorten at least one of the other two sides. However. Its asset inventory is slightly over 1. The fact that the company holds auctions in various time zones complicates scan scheduling. These categories reflect the general goals for tuning discussed in the preceding section: • • • accuracy resources time These three performance categories are interdependent. Nexpose User’s Guide 187 . turning off credentialed scanning. Scan windows are extremely tight. In this case. When the application attempts to connect to a service. This will take more time. Again. peripheral network assets. services. Add Scan Engines. If the application cannot connect to a service to scan it. Doing so will impact network bandwidth. If you have one hour to scan 200 assets over low bandwidth. are more susceptible to attack because they are exposed to the Internet. These types of checks require credentials and can take considerably more time. Doing so will either require more bandwidth or more time. it appears to that service as another “client. It’s advisable to scan them often. can get bogged down with traffic. or position them in the network strategically. Scan assets more frequently. There are many ways to this. The network infrastructure that the application runs on. each with its own “cost” according to the performance triangle: Increase the number of discovered assets. which can have deep file structures. The time issue especially applies to Web sites. or vulnerability checks. Any one of or more of these can become bottlenecks: • • • • The computer that hosts the application can get bogged down processing responses from target assets. refer to the administrator’s guide. can get bogged down with traffic. Nexpose User’s Guide 188 . choose a location that maximizes bandwidth and minimizes latency. placing a Scan Engine on the same side of the firewall as those assets can speed up the process. For example. Use a less exhaustive scan template. “Deepen” scans with checks for policy compliance and hotfixes. If service has reached that client capacity when the application attempts a connection. When deploying a Scan Engine relative to target assets. The service may have a defined limit for how many simultaneous client connections it can support. Allocate more scan threads. Be aware that this will tax RAM on Scan Engines and the Security Console. Be aware of license limits when scanning network services. especially on 32-bit operating systems. Increasing accuracy Making scans more accurate means finding more security-related information. this will diminish the accuracy of the scan. It can also involve lowering RAM use. The target assets can get bogged down processing requests from the application. including firewalls and routers. For more information on Scan Engine placement.There are many various ways to increase scan speeds. The network on which target assets run. This is often the case with telnet-based services. such as Web servers or Virtual Private Network (VPN) concentrators. Increasing resource availability Making more resources available primarily means reducing how much bandwidth a scan consumes. Consider bandwidth availability in four major areas of your environment.” or user. including the following: • • • NOTE: Deploying additional Scan Engines may lower bandwidth availability. the service will reject the attempt. which means lower scan accuracy. • Increase the number of assets that are scanned simultaneously. that service won’t be included in the scan data. including firewalls and routers. Doing so primarily reduces scan times. services. including the following: • • • Reduce the number of target assets. There are various other ways to increase resource availability. Two related bandwidth metrics to keep an eye on are the number of data packets exchanged during the scan. but it also frees up threads. it can exceed a firewall’s capacity to track connection states. Nexpose User’s Guide 189 . The cost of conserving bandwidth typically is time. The cost is accuracy. as well as the maximum amount of bandwidth it can handle. and the correlating firewall states. Because the number of assets in each location is lower than 25. when workstations are running and laptops are plugged into the network. Reduce the number of assets that are scanned simultaneously. especially during the service discovery and vulnerability check phases of a scan.000 pps without service disruptions. when backup processes are in progress. and your normal business processes average about 3. You have to know how much bandwidth your enterprise uses on average. or the response packets from target assets. Bandwidth sharing also can be an issue during off hours. Bandwidth is considerably low due to the types of network connections. So.000 pps. taxing bandwidth can trigger a drop in accuracy. If the application sends too many packets per second (pps).Of particular concern is the network on which target assets run. The danger here is that the firewall will start dropping request packets. if your network can handle a maximum of 10. This is especially true if you schedule scans to run during business hours. You also have to monitor how much bandwidth the application consumes and then adjust the level accordingly. or vulnerability checks. simply because some portion of total bandwidth is always in use for business purposes. which is well below the default value of 10. a company operates full-service truck stops in one region of the United States. For example. Its security team scans multiple remote locations from a central office. your goal is to have the application work within a window of 7. There is no formula to determine how much bandwidth should be used. The cost is time. Perform less exhaustive scans. resulting in false negatives. A viable solution in this situation is to reduce the number of scan threads to between two and five.000 pps at any given time. adding remote Scan Engines is not a very efficient solution. For example. The primary scan template settings for controlling bandwidth are scan threads and maximum simultaneous ports scanned. You can find detailed information about scan templates in the section titled Scan templates on page 254. on the Asset Discovery and Discovery Performance pages of the Scan Template Configuration panel. searching for specific vulnerabilities. You can select which vulnerabilities to scan for in Vulnerability Checking page of the Scan Template Configuration panel. it is recommended that you use built-in templates. Supervisory Control And Data Acquisition (SCADA) equipment audits. Most tuning procedures involve editing scan template settings. Use particular caution when changing any of these built-in values. but they also reflect the delicate balance of factors in the performance triangle: time. operating systems and network hardware. as well as other parameters. resources. Understanding configurable phases of scanning Understanding the phases of scanning is helpful in understanding how scan templates are structured. You will notice that if you select the option to create a new template. and Web site scans. only need to change a thread number or a range of ports and leave all other settings untouched. it has many opportunities for attempting access. Nexpose User’s Guide 190 . Each scan occurs in three phases: • • • NOTE: The discovery phase in scanning is a different concept than that of asset discovery. If you customize a template based on a built-in template. Upon locating the asset. This section includes use cases and settings for each scan template. databases. You may. attempting to connect to various ports and to verify services for establishing valid connections. and accuracy. or create custom templates based on built-in templates. asset discovery service discovery vulnerability checks During the asset discovery phase. Not only do built-in templates address specific use cases. and adjusting network bandwidth usage. You also can create new custom templates. The following section is a comparison of four sample templates. a Scan Engine sends out simple packets at high speed to target IP addresses in order to verify that network assets are live. it’s a good idea to perform any customizations based on built-in templates. You can configure timing intervals for these communication attempts. the Scan Engine begins the service discovery phase. such as port discovery and packet delays. For these reasons. Other configuration options include limiting the types of services that are scanned. If you opt for customization. for example. the application attempts to confirm vulnerabilities listed in the scan template. You can configure attributes related to this phase on the Service Discovery and Discovery Performance pages of the Scan Template Configuration panel. The built-in scan templates are designed for different use cases. many basic configuration settings have built-in values. You can use built-in templates without altering them. Microsoft Hotfix patch verification. It is recommended that you do not change these values unless you have a thorough working knowledge of what they are for. During the third phase. keep in mind that built-in scan templates are themselves best practices. Because the application scans Web applications. known as the vulnerability check phase. which is a method for finding potential scan targets in your environment. Start by familiarizing yourself with built-in scan templates and understanding what they have in common and how they differ. you may not need to change every single scan setting. Templates are best practices NOTE: Until you are familiar with technical concepts related to scanning. such as PCI compliance.The primary tuning tool: the scan template Scan templates contain a variety of parameters for defining how assets are scanned. For example. They provide you with a reliable. so it takes longer. Turn off credentialed checks if you are not interested in running them. Or. An important note here is that you need to know exactly what's running on your network in order to know what to turn off. your scan will be less comprehensive. Reports help you to reap the biggest possible returns from that investment. make sure you are only running necessary ones. the less time or bandwidth you'll need to complete a scan. you could alternate target ports in a similar fashion. You could. you will sacrifice the conveniences of scheduling scans to run at automatic intervals with the same template. and so. as they make it possible to perform “deep” system scans. Be absolutely certain that you don't need credentialed checks before you turn them off. TIP: Use your variety of report templates to parse your scan results in many useful ways. It will take time and bandwidth but. You could also schedule a Microsoft hotfix scan on a monthly basis for patch verification. if you learn. that you have no servers running Lotus Notes/Domino. instead of scanning all your workstations on a nightly basis. If you don't have to verify hotfix patches. turn off Web spidering. If you do run credentialed checks. or even more frequently. it's a less frequent scan that you can plan for in advance Another way to maximize time and resources without compromising on accuracy is to alternate target assets. The fewer things you check for. or a unique acknowledgement interchange. NOTE: If you change templates regularly. Do you need to alter templates or just alter-nate them? When you become familiar with the built-in scan templates. especially “deeper” scans. disable any hotfix checks. If the scope of your scan does not include Web assets. you can exclude those policy checks from the scan. tuning scan performance is a simple matter of turning off one or two settings in a template. For example. This is where discovery scans become so valuable. applications running under the system. its identity. you may find that they meet different performance needs at different times. Nexpose User’s Guide 191 . for example. the timing of a response. again. you could schedule an exhaustive scan on a quarterly basis do get a detailed. operating system. Finally. This is a faster scan and less of a drain on resources. scan a third of them and then scan the other two thirds over the next 48 hours. dynamic asset inventory. However. A well-protected asset can mask its existence. and disable Webrelated vulnerability checks. Quick tuning: What can you turn off? Sometimes. to monitor your Internet-facing assets. Scans are a resource investment.In every phase of scanning. the application identifies as many details about the asset as possible through a set of methods called fingerprinting. and its components from a network scanner. NOTE: Credentialed checks are critical for accuracy. By inspecting properties such as the specific bit settings in reserved areas of a buffer. perhaps. and. But the trade-off is that it doesn't have to occur as frequently. the application can identify indicators about the asset's hardware. This scan requires credentials. from a discovery scan. less accurate. all-encompassing view of your environment. schedule a Web audit to run on a weekly basis. and network hardware using the following protocols: • • • • • • • • • • • • • • CVS Sybase AS/400 DB2 SSH Oracle Telnet CIFS (Windows File Sharing) FTP POP HTTP SNMP SQL/Server SMTP Nexpose User’s Guide 192 . and click manage for Scan Templates. operating systems. make a copy of the template and edit that copy. Familiarize yourself with built-in scan templates and how they work before changing any settings or customizing templates from scratch. don’t increase thread allocation dramatically if you know that backup operations are in progress. The console displays the Scan Template Configuration panel. You cannot directly edit a built-in template. Windows users may not disable the guest account in their system. The console displays the Scan Templates pages. See Configuration steps for vulnerability check settings on page 204 for information on enabling and disabling vulnerability check types. Instead. Fine-tuning: What can you turn up or down? Configuring templates to fine-tune scan performance involves trial and error and may include unexpected results at first. The FDCC template is only available with a license that enables FDCC policy scanning. The usage spike might impact bandwidth. but they require purchase of a license in order to be visible and available for use. applications. and your organization’s schedule and business practices. You can prevent some of these by knowing your network topology. NOTE: The PCI-related scanning and reporting templates are packaged with the application. See Scan templates on page 254. All attribute fields are blank. the application can perform checks for these items.Configuring custom scan templates To begin modifying a default template go to the Administration page. For example. And always keep the triangle in mind. Default and customized credential checking Many products provide default login user IDs and passwords upon installation. the console displays the Scan Template Configuration panel. your asset inventory. If you don’t disable the default account vulnerability check type when creating a scan template. Oracle ships with over 160 default user IDs. go to the Administration page. and click create for Scan Templates. The application performs checks against databases. When you click Copy for any default template listed on the page. To create a custom scan template from scratch. 3. To select the type of scanning you want to do. You must select the vulnerabilities option first in order to select Web spidering. On the Administration page. You will need to select individual checks and configure other settings. Configuring verification of standard policies on page 207 and Performing configuration assessment on page 252. If a specific service is not selected then it will attempt to use the supplied credentials to access all services. If you select only Asset Discovery. Starting a new custom scan template If you are creating a new scan template from scratch. the template will not include any vulnerability or policy checks. 1. When you have finished configuring the scan template. If you want to perform Web spidering checks only. you will need to click the Vulnerability Checks link in the left navigation pane of the configuration panel and disable non-Web spidering checks. Configure any other template settings as desired. click Save. See Configuration steps for vulnerability check settings on page 204 Web Spidering—Select this option if you want the scan to include checks that are performed in the process of Web spidering. click Save. See See Configuration steps for vulnerability check settings on page 204. click the Create link for Scan templates. To select or exclude specific checks.To specify users IDs and passwords for logon. depending on the policy. click Create. including Policy Manager. 2. Vulnerabilities—Select this option if you want the scan to include vulnerability checks. When you have finished configuring the scan template. start with the following steps: 1. click the Vulnerability Checks link in the left navigation pane of the configuration panel. Select one or more of the following options: • Asset Discovery—Asset discovery occurs with every scan. On the Scan Template Configuration—General page. Selecting the type of scanning you want to do You can configure your template to include all available types of scanning. Go to the Scan Template Configuration—General page. or you can limit the scope of the scan to focus resources on specific security needs. so you need to clear the other option check boxes to select asset discovery only. If a specific asset is not chosen to restrict credential attempts then the application will attempt to use these credentials on all assets. OR If you are in the Browse Scan Templates window for a site configuration. Nexpose User’s Guide 193 . See Configuring scan credentials on page 42. so this option is always selected. 2. By default. you must enter appropriate credentials during site configuration. all other options are selected. take the following steps. See Selecting Policy Manager checks on page 206. Configure any other template settings as desired. • • • 3. enter a name and description for the new template. Policies—Select this option if you want the scan to include policy checks. which includes a message type called ECHO REQUEST. NOTE: Selecting both TCP and UDP for device discovery causes the application to send out more packets than with one protocol. also known as a ping. So for these types of scans. which can be difficult to keep track of. to seek out an asset during device discovery. If the application cannot verify that an asset is live with one method. whether or not they are live. By default. You can select TCP and/or UDP as additional or alternate options for locating lives hosts. it will revert to another. it’s more efficient to have the application “assume” that a target asset is live and proceed to the next phase of a scan. the application reports the asset to be DEAD in the scan log. the application attempts to verify the presence of assets online by opening connections. Three methods are available to contact assets: • • • ICMP echo requests (also known as “pings”) TCP packets UDP packets The potential downside is that firewalls or other protective devices may block discovery connection requests. either because it is configured to block network access for any packets that meet certain criteria. This method costs time. The benefit is accuracy. This at least establishes that the asset is online and that port scans can occur. to the Scan Engine. because the application checks ports on all target assets. since it is checking all possible targets. Using more than one discovery method promotes more accurate results. Nexpose User’s Guide 194 . Filtering out dead assets from the scan job helps reduce scan time and resource consumption. With these protocols. In this case. the scan will begin with service discovery. If nothing is registered on port 80. In either case. which supports Web services. Be mindful of where you deploy Scan Engines and how Scan Engines interact with firewalls. or no response. or because it regards any scan as a potential attack. the application reports the asset to be ALIVE in scan logs. the target asset will send a “port closed” response. or because it regards any scan as a potential attack. causing target assets to appear dead even if they are live. which blunts the effectiveness of asset discovery. Note: The Web audit and Internet DMZ audit templates do not include any of these discovery methods. Determining if target assets are live Determining whether target assets are live can be useful in environments that contain large numbers of assets. it may block the requests. This can reduce the overall accuracy of your scans. and reports it as DEAD in the scan log. If a firewall is on the network. which uses up more network bandwidth. A firewall may discard the pings. Firewalls are often configured to allow traffic on port 80. Peripheral networks usually have very aggressive firewall rules in place.Configuring asset discovery Asset discovery configuration involves three options: • • • determining if target assets are live collecting information about discovered assets reporting any assets with unauthorized MAC addresses If you choose not to configure asset discovery in a custom scan template. since it is the default HTTP port. In either case. service discovery. the application infers that the device is not present. See Make your environment “scan-friendly” on page 220. the Scan Engine uses ICMP protocol. either because it is configured to block network access for any packets that meet certain criteria. If you select TCP or UDP for device discovery. enter one or more port numbers for each selection. If the host name does not resolve. If you do not select any discovery methods. Select one or more of the displayed methods to locate live hosts. if a UDP port doesn’t respond to a communication attempt. make sure to designate ports in addition to 80. it can eliminate unnecessary port scans. TCP is more reliable than UDP for obtaining responses from target assets. it moves on. weigh the value of thoroughness (accuracy) against that of time. Fine-tuning scans with verification of live assets Asset discovery can be an efficient accuracy boost. It is also used by more services than UDP. it is considered UNRESOLVED. as target devices are also more likely to block the more common TCP and ICMP packets. Make sure that TCP is also enabled for asset discovery. 4. it is usually regarded as being open. Configure any other template settings as desired. Enabling UDP may be excessive. To make the judgment call with UDP ports. If you select TCP or UDP. such as Discovery scan and Discovery scan (aggressive) to get an idea of commonly used port numbers. given the dependability issues of UDP ports. UDP is a less reliable protocol for asset discovery since it doesn’t incorporate TCP’s handshake method for guaranteeing data integrity and ordering. With PCI scans. disabling asset discovery can actually bump up scan times. Configuration steps for verifying live assets 1. You may wish to use UDP as a supplemental protocol. For example. If a scan target is listed as a host name in the site configuration. click Save. If the application contacts a port and receives a response that the port is open. if it can first verify that 50 hosts are live on a sparse class C network. scans assume that all target assets are live. it sends request packets to specific ports. depending on the services and operating systems running on the target assets. When you have finished configuring the scan template. You can view TCP and UDP port settings on default scan templates. The application only scans an asset if it verifies that the asset is live. the application attempts DNS resolution. Otherwise. Ports used for asset discovery If the application uses TCP or UDP methods for asset discovery. It is a good idea to enable ICMP and to configure intervening firewalls to permit the exchange of ICMP echo requests and reply packets between the application and the target network. especially if you have strict firewall rules in your internal networks. Unlike TCP. is the equivalent of DEAD. it reports the host to be “live” and proceeds to scan it. 3. it’s critical not to miss any live assets. The PCI audit template includes extra TCP ports for discovery. Go to the Scan Template Configuration—Asset Discovery page. The application will send the TCP or UDP packets to these ports. Also. for the purposes of scanning. Nexpose User’s Guide 195 . which. 2. and immediately begin service discovery. IP fingerprinting takes up to a minute per asset. it may not be worth additional time make a second attempt. Collecting Whois information NOTE: Whois does not work with internal RFC1918 addresses. The certainty value.Collecting information about discovered assets You can collect certain information about discovered assets and the scanned network before performing vulnerability checks. the application discards the IP fingerprinting information for that asset. these settings were carefully defined with best practices in mind. Microsoft developed Windows Internet Name Service (WINS) for name resolution in the LAN manager environment of NT 3. Finding other assets on the network The application can query DNS and WINS servers to find other network assets that may be scanned. the application will discover and interrogate DNS and WINS servers for the IP addresses of all supported assets. and. the application uses other fingerprinting methods.0 and 1. WINS usually is not required. which ranges between 0. it can identify indicators about the asset’s hardware. you can set it to retry IP fingerprinting any number of times. Nexpose User’s Guide 196 . All of these discovery settings are optional. For example. The application can interrogate this broadcast protocol to locate the names of Windows workstations and servers.0 reflects the degree of certainty with which and asset is fingerprinted. operating system. such as the name of the entity that owns it. it can determine that the asset is a Windows Web server. However.5. If it can’t fingerprint the IP stack the first time. As with the performance settings related to asset discovery. The retries setting defines how many times the application will repeat the attempt to fingerprint the IP stack. which is why they are identical. such as analyzing service data from port scans. By scanning an asset’s IP stack. Whether or not you do enable IP fingerprinting. perhaps. Whois is an Internet service that obtains information about IP addresses. It will include those assets in the list of scanned systems. Fingerprinting TCP/IP stacks The application identifies as many details about discovered assets as possible through a set of methods called IP fingerprinting. Settings for IP fingerprinting affect the accuracy side of the performance triangle. by discovering Internet Information Services (IIS) on a target asset. The default retry value is 0. It was developed originally as a system database application to support conversion of NETBIOS names to IP addresses. applications running on the system. If you enable the option to discover other network assets. If a particular fingerprint is below the minimum certainty value. You can improve Scan Engine performance by not requiring interrogation of a Whois server for every discovered asset if a Whois server is unavailable in the network. 6. 4. When you have finished configuring the scan template. Nexpose User’s Guide 197 . select the check box to discover other assets on the network. enter a retry value. See Enabling reporting of MAC addresses in the scan template on page 198. If desired. 7. enter a minimum certainty level. In IEEE 802 networks. 2. If desired.Configuration steps for collecting information about discovered assets: 1. and include them in the scan. Go to the Scan Template Configuration—Asset Discovery page. 5. On networks that do not conform to the IEEE 802 standards but do conform to the OSI Reference Model. click Save.The MAC layer interfaces directly with the network media. The Media Access Control (MAC) address is a hardware address that uniquely identifies each node in a network. select the option to fingerprint TCP/IP stacks. If desired. See Creating a list of authorized MAC addresses on page 198. Each different type of network media requires a different MAC layer. the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sub layers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. certain conditions must be present for the successful detection of unauthorized MAC addresses: • • • • • SNMP must be enabled on the router or switch managing the appropriate network segment. The Scan Engine performing the scan must reside on the same segment as the systems being scanned. In secure environments it may be necessary to ensure that only certain machines can connect to the network. Reporting unauthorized MAC addresses You can configure scans to report unauthorized MAC addresses as vulnerabilities. If you enabled the fingerprinting option. select the option to collect Whois information. which is the number of repeated attempts to fingerprint IP stacks if first attempts fail. The scan template must have MAC address reporting enabled. If a particular fingerprint is below the minimum certainty level. the node address is called the Data Link Control (DLC) address. it is discarded from the scan results. 3. The application must be able to perform authenticated scans on the SNMP service for the router or switch that is controlling the appropriate network segment. The application must have a list of trusted MAC address against which to check the set of assets located during a scan. See Enabling authenticated scans of SNMP services on page 198. Also. Configure any other template settings as desired. If you enabled the fingerprinting option. Test the credential if desired. This will allow the application to retrieve the MAC addresses from the router using ARP requests. click Save. With the trusted MAC file in place and the scanner value set. The console displays a New Login box. 3. Then. The console displays the Site Configuration panel for that site. Go to the Credentials page and click Add credentials. Save the file in the application directory on the host computer for the Security Console. Click Save. The application will not report these addresses as violating the trusted MAC address vulnerability. Nexpose User’s Guide 198 . the application will perform trusted MAC vulnerability testing. take the following steps: 1. Creating a list of authorized MAC addresses To create a list of trusted MAC addresses. Enter logon information for the SNMP service for the router or switch that is controlling the appropriate network segment. 2. When you have finished configuring the scan template. You can give the file any valid name. 5. Click the Save tab to save the change to the site configuration. Enter the full directory path location and file name of the file listing trusted Mac addresses. create a file listing trusted MAC addresses. Using a text editor. Go to the Scan Template Configuration—Asset Discovery page. The default path in a Windows installation is: C:Program Files\[installation_directory]\plugins\java\1\NetworkScanners\1\[file_name] The default location under Linux is: /opt/[installation_directory]/java/1/NetworkScanners/1/[filename] 2. see Configuring scan credentials on page 42. Select the option to report unauthorized MAC addresses. For detailed information about configuring credentials. 2. 6. Enabling reporting of MAC addresses in the scan template To enable reporting of unauthorized MAC addresses in the scan template.Enabling authenticated scans of SNMP services To enable the application to perform authenticated scans to obtain the MAC address. 4. To do this it first makes a direct ARP request to the target asset to pick up its MAC address. Configure any other template settings as desired. 3. Click Edit of the site for which you are creating the new scan template on the Home page of the console interface. It also retrieves the ARP table from the router or switch controlling the segment. 4. The new logon information appears on the Credentials page. take the following steps: 1. it uses SNMP to retrieve the MAC address from the asset and interrogates the asset using its NetBIOS name to retrieve its MAC address. take the following steps: 1. The range of ports may be extended beyond Well Known Port range. If the scan occurs through a firewall. Rogue programs and hackers use these ports to access the compromised computers. Nexpose User’s Guide 199 . Each vulnerability check may add a set of ports to be scanned. The more ports you scan. you can include more UDP ports. By default. It's also fast. it may be necessary to change additional parameters. and DHCP. The target range for service discovery can include TCP and UDP ports. but doing so will increase scan time. TFTP. Be aware. And scanning the maximum number of ports is not necessarily more accurate. use the target list of TCP ports from more aggressive templates. though. than a full-port scan may span several hours to several days. If you simply are not sure of which ports to scan. the longer the scan will take. trojan horses. depending on bandwidth and the number of target assets. If you want to be a little more thorough. Performance considerations for port scanning Scanning all possible ports takes a lot of time. it begins to scan ports to collect information about services running on the computer. Various types of port scan methods are available as custom options. This option makes it possible to scan through firewalls in some cases. the application will only send two UDP packets per second to avoid triggering the ICMP rate-limiting mechanisms that are built into TCP/IP stacks for most network devices. These ports are not predefined. that attackers may avoid these ports on purpose or probe additional ports for service attack opportunities. If you want to be absolutely thorough in your scanning. The application sends out hundreds of thousands of packets to scan ports on a mere handful of assets. and the firewall has been set up to drop packets sent to non-authorized devices. Although most templates include UDP ports in the scope of a scan. TCP ports (RFC 793) are the endpoints of logical connections through which networked computers carry on “conversations. If you plan to scan UDP ports. however. This is the most reliable method. use well known numbers. NOTE: The application relies on network devices to return “ICMP port unreachable” packets for closed UDP ports. and other worms create ports after they have installed themselves on computers. In fact. It is a best practice select target ports based on discovery data. such as the exhaustive or penetration test template. or running. If you configure the application to scan all ports.Configuring service discovery Once the application verifies that a host is live. and they may change over time. viruses. scanning UDP ports can take a significant amount of time. Most built-in scan templates incorporate the Stealth scan (SYN) method. including maliciously created ports. it is somewhat less reliable. a SYN port scan is approximately 20 times faster than a scan with the full-connect method. Various back doors. Services that run on UDP ports include DNS. in which the port scanner process sends TCP packets with the SYN (synchronize) flag. they limit UDP ports to wellknown numbers. which is one of the other options for the TCP port scan method. keep in mind that aside from the reliability issues discussed earlier. Service discovery is the most resource-sensitive phase of scanning. Sending more packets could result in packet loss. A full UDP port scan can take up to nine hours. The exhaustive template and penetration tests are exceptions in that they allow the application to determine the optimal scan method.” Well Known ports are those most commonly found to be open on the Internet. Output reports will show which ports were scanned during vulnerability testing. In a UDP scan. service names will be derived from this file in scan results. You can replace the file with a custom version that lists your own port/service mappings. but it also can lead to network congestion depending on bandwidth. is located in the following directory: <installation_directory/plugins/java/1/NetworkScanners/1. so this scanning in this environment can be very slow in some cases. Select which TCP ports you wish to scan from the drop-down list. Changing packet-related settings can affect the triangle. However. See Keep the “triangle” in mind when you tune on page 187. When configured to perform UDP scanning. 5. When you have finished configuring the scan template.properties. Select which UDP ports you want to scan from the drop-down list. If you do not change any of these discovery performance settings. 6. If you want to scan additional UDP ports. 2. which slows the process. If scans cannot identify actual services on ports.To reduce scan time. UDP port scanning generally takes longer than TCP port scanning because UDP is a “connectionless” protocol. If you want to scan additional TCP ports. Changing discovery performance settings You can change default scan settings to maximize speed and resource usage during asset and service discovery. NOTE: Consult Technical Support to change the default service file setting. The default file. the application will be unable to discover services. enter the numbers or range in the Additional ports text box. This properties file lists each port and the service that commonly runs on it. Nexpose User’s Guide 200 . if you do so. 4. Also. 3. Shortening send-delay intervals theoretically increases scan speeds. default-services. do not run full UDP port scans unless it is necessary. Configuration steps for service discovery TIP: You can achieve the most “stealthy” scan by running a vulnerability test with port scanning disabled. click Save. Select a TCP port scan method from the drop-down list. enter the new file name in the text box. the application interprets non-response from the asset as an indication that a port is open or filtered. which will hamper fingerprinting and vulnerability discovery. scans will auto-adjust based on network conditions. Configure any other template settings as desired. 1. Lengthening send-delay intervals increases accuracy. the application matches the packet exchange pace of the target asset. Go to the Scan Template Configuration—Service Discovery page. enter the desired range in the Additional ports text box. longer delays may be necessary to avoid blacklisting by firewalls or IDS devices. Oracle Solaris only responds to 2 UDP packet failures per second as a rate limiting feature. If you want to change the service names file. The default number of UDP retries is 5. which is the first setting that the scan will use. the scan occurs more rapidly because the asset will respond that ports are closed. You can set an initial timeout interval. the given asset is not scanned. TCP port scanning can exceed five hours. try reducing the retry value to 2 or 3. Try not to perform full TCP port scans outside a device that will drop the packets like a firewall unless necessary. Nexpose User’s Guide 201 . sends another 10 packets. If the limit is exceeded with no response. or becoming blacklisted by Intrusion Detection Systems (IDS). it will proceed with the next phase of scanning: service discovery. You can increase the accuracy of port scans by slowing them down with 10. Increasing the delay interval for sending packets is another measure that increases accuracy at the expense of time. any value lower than 5 ms disables manual settings. the default value of 0 disables manual settings. it sends another round of packets and waits 10 milliseconds for each block of packets that have not received a response. The application sends a block of 10 packets to a target port. At the end of the scan. Try to scan the asset on the local segment inside the firewall. and simultaneous connection requests. waits 10 milliseconds. in which case. If UDP scanning is taking longer than expected. packet-per-second rate. You also can set a range. If it does not receive a response after exhausting all discovery methods defined in the template. especially if it includes full-port scans of 65K ports. which consumes packets so that they do not return to the Scan Engine. The difficulty occurs when the device is behind a firewall. the application auto-adjusts the settings. and continues this process for each port in the range. Note that the scan will take longer. it’s easier to lose packets. the numbers indicated are default settings and can be changed. which is high for a scan through a firewall. in which case. If the application receives a response within the defined number of retries. the application auto-adjusts the settings. When the target asset is on a local system segment (not behind a firewall). Increasing the delay interval for sending TCP packets will prevent scans from overloading routers. NOTE: Reducing these settings may cause scan results to become inaccurate. To enable manual settings. In this case the application will wait the maximum time between port scans.How ports are scanned In the following explanation of how ports are scanned.to 25-millisecond delays. Scan delay This is the number of milliseconds to wait between sending packets to each target host. You can change the following performance settings: NOTE: For minimum retries. Lowering the number of retries for sending packets is a good accuracy adjustment in a network with high-traffic or strict firewall rules. Maximum retries This is the maximum number of attempts to contact target assets. it reports the asset as being DEAD in the scan log. You may be able speed up the scanning process by reducing the maximum retry count from the default of 4. The discovery may auto-adjust interval settings based on varying network conditions. For maximum timeout interval. enter a value of 1 or greater. In an environment like this. triggering firewalls. The application repeats these attempts for each port five times. Timeout interval Set the number of milliseconds to wait between retries. Consider setting the retry value at 3. Packet-per-second rate This is the number of packets to send each second during discovery attempts. Increasing this rate can increase scan speed. However, more packets are likely to be dropped in congestion-heavy networks, which can skew scan results. NOTE: To enable the defeat rate limit, you must have the Stealth (SYN) scan method selected. See Scan templates on page 254. An additional control, called Defeat Rate Limit (also known as defeat-rst-rate limit), enforces the minimum packet-per-second rate. This may improve scan speed when a target host limits its rate of RST (reset) responses to a port scan. However, enforcing the packet setting under these circumstances may cause the scan to miss ports, which lowers scan accuracy. Disabling the defeat rate limit may cause the minimum packet setting to be ignored when a target host limits its rate of RST (reset) responses to a port scan. This can increase scan accuracy. Parallelism (simultaneous connection requests) This is the number of discovery connection requests to be sent to target hosts simultaneously. More simultaneous requests can mean faster scans, subject to network bandwidth. This setting has no effect if values have been set for scan delay. Configuration steps for tuning discovery performance 1. 2. 3. 4. 5. 6. 7. 8. Go to the Scan Template Configuration—Discovery Performance page. For Maximum retries, drag the slider to the left or right to adjust the value if desired. For Timeout interval, drag the sliders to the left or right to adjust the Initial, Minimum, and Maximum values if desired. For Scan Delay, drag the sliders to the left or right to adjust the values if desired. For Packet-per-second rate, drag the sliders to the left or right to adjust the Minimum and Maximum values if desired. Select the Defeat Rate Limit checkbox to enforce the minimum packet-persecond rate if desired. For Parallelism, drag the sliders to the left or right to adjust the Minimum and Maximum values if desired. Configure any other template settings as desired. When you have finished configuring the scan template, click Save. Nexpose User’s Guide 202 Selecting vulnerability checks When the application fingerprints an asset during the discovery phases of a scan, it automatically determines which vulnerability checks to perform, based on the fingerprint. On the Vulnerability Checks page of the Scan Template Configuration panel, you can manually configure scans to include more checks than those indicated by the fingerprint. You also can disable checks. Unsafe checks include buffer overflow tests against applications like IIS, Apache, services like FTP and SSH. Others include protocol errors in some database clients that trigger system failures. Unsafe scans may crash a system or leave a system in an indeterminate state, even though it appears to be operating normally. Scans will most likely not do any permanent damage to the target system. However, if processes running in the system might cause data corruption in the event of a system failure, unintended side effects may occur. The benefit of unsafe checks is that they can verify vulnerabilities that threaten denial of service attacks, which render a system unavailable by crashing it, terminating a service, or consuming services to such an extent that the system using them cannot do any work. You should run scheduled unsafe checks against target assets outside of business hours and then restart those assets after scanning. It is also a good idea to run unsafe checks in a pre-production environment to test the resistance of assets to denial-of-service conditions. If you want to perform checks for potential vulnerabilities, select the appropriate check box. For information about potential vulnerabilities, see Setting up scan alerts on page 39. If you want to correlate reliable checks with regular checks, select the appropriate check box. With this setting enabled, the application puts more trust in operating system patch checks to attempt to override the results of other checks that could be less reliable. Operating system patch checks are more reliable than regular vulnerability checks because they can confirm that a target asset is at a patch level that is known to be not vulnerable to a given attack. For example, if a vulnerability check is positive for an Apache Web server based on inspection the HTTP banner, but an operating system patch check determines that the Apache package has been patched for this specific vulnerability, it will not report a vulnerability. Enabling reliable check correlation is a best practice that reduces false positives. The application performs operating-system-level patch verification checks on the following targets: • • • • • NOTE: To use check correlation, you must use a scan template that includes patch verification checks, and you must typically include logon credentials in your site configuration. See Configuring scan credentials on page 42. Microsoft Windows Red Hat CentOS Solaris VMware A scan template may specify certain vulnerability checks to be enabled, which means that the application will scan only for those vulnerability check types or categories with that template. If you do not specifically enable any vulnerability checks, then you are essentially enabling all of them, except for those that you specifically disable. A scan template may specify certain checks as being disabled, which means that the application will scan for all vulnerabilities except for those vulnerability check types or categories with that template. In other words, if no checks are disabled, it will scan for all vulnerabilities. While the exhaustive template includes all possible vulnerability checks, the full audit and PCI audit templates exclude policy checks, which are more time consuming. The Web audit template appropriately only scans for Web-related vulnerabilities. Nexpose User’s Guide 203 Configuration steps for vulnerability check settings 1. Go to the Vulnerability Checks page. Note the order of precedence for modifying vulnerability check settings, which is described at the top of the page. 2. Click the appropriate check box to perform unsafe checks. A safe vulnerability check will not alter data, crash a system, or cause a system outage during its validation routines. Click Add categories.... The console displays a box listing vulnerability categories. 4. NOTE: If you enable any specific vulnerability categories, you are implicitly disabling all other categories. Therefore, by not enabling specific categories, you are enabling all categories TIP: To see which vulnerabilities are included in a category, click the category name. 3. Click the check boxes for those categories you wish to scan for, and click Save. The console lists the selected categories on the Vulnerability Checks page. Click Remove categories... to prevent the application from scanning for vulnerability categories listed on the Vulnerability Checks page. Click the check boxes for those categories you wish to exclude from the scan, and click Save. The console displays Vulnerability Checks page with those categories removed. 5. 6. To select types for scanning, take the following steps: TIP: To see which vulnerabilities are included in a check type, click the check type name. 1. 2. Click Add check types.... The console displays a box listing vulnerability types. Click the check boxes for those categories you wish to scan for, and click Save. The console lists the selected types on Vulnerability Checks page. To avoid scanning for vulnerability types listed on the Vulnerability Checks page, click types listed on the Vulnerability Checks page: 1. 2. Click Remove check types.... Click the check boxes for those categories you wish to exclude from the scan, and click Save. The console displays Vulnerability Checks page with those types removed. The following table lists current vulnerability types and the number of vulnerability checks that are performed for each type. The list is subject to change, but it is current at the time of this guide’s publication. Vulnerability types Default account Local Microsoft hotfix Patch Policy RPM Vulnerability types Safe Sun patch Unsafe Version Windows registry Nexpose User’s Guide 204 To select specific vulnerability checks, take the following steps: 1. Click Enable vulnerability checks... The console displays a box where you can search for specific vulnerabilities in the database. 2. NOTE: The application only checks vulnerabilities relevant to the systems that it scans. It will not perform a check against a non-compatible system even if you specifically selected that check. Type a vulnerability name, or a part of it, in the search box. Click check boxes to modify search settings as desired. Click Search. The box displays a table of vulnerability names that match your search criteria. Click the check boxes for vulnerabilities that you wish to include in the scan, and click Save. The selected vulnerabilities appear on the Vulnerability Checks page. Click Disable vulnerability checks... to exclude specific vulnerabilities from the scan. Search for the names of vulnerabilities you wish to exclude. The console displays the search results. Click the check boxes for vulnerabilities that you wish to exclude from the scan, and click Save. The selected vulnerabilities appear on the Vulnerability Checks page. A specific vulnerability check may be included in more than one type. If you enable two vulnerability types that include the same check, it will only run that check once. 3. 4. 5. 6. 7. 8. 9. Configure any other template settings as desired. When you have finished configuring the scan template, click Save. Fine-tuning vulnerability checks The fewer the vulnerabilities included in the scan template, the sooner the scan completes. It is difficult to gauge how long exploit test actually take. Certain checks may require more time than others. Following are a few examples: • • • The Microsoft IIS directory traversal check tests 500 URL combinations. This can take several minutes against a busy Web server. Unsafe, denial-of-service checks take a particularly long time, since they involve large amounts of data or multiple requests to target systems. Cross-site scripting (CSS/XSS) tests may take a long time on Web applications with many forms. Be careful not to sacrifice accuracy by disabling too many checks—or essential checks. Choose vulnerability checks in a focused way whenever possible. If you are only scanning Web assets, enable Webrelated vulnerability checks. If you are performing a patch verification scan, enable hotfix checks. The application is designed to minimize scan times by grouping related checks in one scan pass. This limits the number of open connections and time interval that connections remain open. For checks relying solely on software version numbers, the application requires no further communication with the target system once it extracts the version information. Nexpose User’s Guide 205 Selecting Policy Manager checks If you work for a U.S. government agency, a vendor that transacts business with the government or for a company with strict configuration security policies, you may be running scans to verify that your assets comply with United States Government Configuration Baseline (USGCB) policies, Center for Internet Security (CIS) benchmarks, or Federal Desktop Core Configuration (FDCC). Or you may be testing assets for compliance with customized policies based on these standards. The built-in USGCB, CIS, and FDCC scan templates include checks for compliance with these standards. See Scan templates on page 254. These templates do not include vulnerability checks, so if you want to run vulnerability checks with the policy checks, create a custom version of a scan template using one of the following methods: • • • Add vulnerability checks to a customized copy of USGCB, CIS, or FDCC template. Add USGCB, CIS, or FDCC checks to one of the other templates that includes the vulnerability checks that you want to run. Create a scan template and add USGCB, CIS, or FDCC checks and vulnerability checks to it. To use the second or third method, you will need to select USGCB, CIS, or FDCC checks by taking the following steps. You must have a license that enables the Policy Manager and FDCC scanning. 1. 2. 3. 4. 5. 6. Select Policies in the General page of the Scan Template Configuration panel. Go to the Policy Manager page of the Scan Template Configuration panel. Select a policy. Review the name, affected platform, and description for each policy. Select the check box for any policy that you want to include in the scan. Configure any other template settings as desired. When you have finished configuring the scan template, click Save. For information about verifying USGCB, CIS, or FDCC compliance, see Working with Policy Manager results on page 106. Nexpose User’s Guide 206 Configuring verification of standard policies Configuring testing for Oracle policy compliance To configure the application to test for Oracle policy compliance you must edit the default XML policy template for Oracle (oracle.xml), which is located in [installation_directory]/plugins/java/1/OraclePolicyScanner/1. To configure the application to test for Oracle policy compliance: 1. 2. 3. Copy the default template to a new file name. Edit the policy elements within the XML tags. Move the new template file back into the [installation_directory]/plugins/java/ 1/OraclePolicyScanner/1 directory. To add credentials for Oracle Database policy compliance scanning: 1. 2. 3. 4. Go to the Credentials page for the site that will incorporate the new scan template. Select Oracle as the login service domain. Type a user name and password for an Oracle account with DBA access. See Configuring scan credentials on page 42. Configure any other template settings as desired. When you have finished configuring the scan template, click Save. Configure testing for Lotus Domino policy compliance To configure the application to test for Lotus Domino policy compliance you must edit the default XML policy template for Lotus Domino (domino.xml), which is located in [installation_directory]/ plugins/java/1/NotesPolicyScanner/1. To configure the application to test for Lotus Domino policy compliance: 1. 2. 3. 4. Copy the default template to a new file name. Edit the policy elements within the XML tags. Move the new template file back into the [installation_directory]/plugins/java/ 1/NotesPolicyScanner/1. Go to the Lotus Domino Policy page and enter the new policy file name in the text field. Nexpose User’s Guide 207 The basicdc. Configure testing for Windows Group Policy compliance You can configure Nexpose to verify whether assets running with Windows operating systems are compliant with Microsoft security standards. Each template contains all of the policy elements for one of the three types of Windows target assets: workstation. general server. To save the new scan template.inf template is for general servers. and enter the . Go to the Windows Group Policy page. 4. and then saving each as an . These templates are the same as those associated with Windows Policy Editor and Active Directory Group Policy. Select Lotus Notes/Domino as the login service domain. See Configuring scan credentials on page 42. click Save. The installation package includes three different policy templates that list security criteria against that you can use to check settings on assets. Go to the Credentials page for the site that will incorporate the new scan template. 1. The templates are . You must provide the application with proper credentials to perform Windows policy scanning. When you have finished configuring the scan template. A target asset must meet all the criteria listed in the respective template for the application to regard it as compliant with Windows Group Policy. Or. To view the results of a policy scan.inf files located in the plugins/java/1/WindowsPolicyScanner/1 path relative to the application base installation directory: • • • NOTE: Use caution when running the same scan more than once with less than the lockout policy time delay between scans. For Lotus Notes/Domino policy compliance scanning. 2. 3.To add credentials for Lotus Domino policy compliance scanning. You also can import template files using the Security Templates Snap-In in the Microsoft Group Policy management Console. you can create a custom report template that includes the Policy Evaluation section. See Fine-tuning information with custom report templates on page 168. you must install a Notes client on the same host computer that is running the Security Console.inf file with a specific name corresponding to the type of target asset. Doing so could also trigger account lockout. Type a Notes ID password in the text field. Nexpose User’s Guide 208 . The basicwk. general server.inf file names for workstation. See Configuring scan credentials on page 42. Configure any other template settings as desired. create a report based on the Audit or Policy Evaluation report template. and domain controller. The basicsv. and domain controller policy names in the appropriate text fields.inf template is for domain controllers.inf template is for workstations. click Save. When you have finished configuring the scan template. and IBM AS/400: 1. 4. This setting controls the permissions that the target system grants to any new files created on it.Configure testing for CIFS/SMB account policy compliance Nexpose can test account policies on systems supporting CIFS/SMB. Type an account lockout threshold value in the appropriate text field. This level corresponds to the minimum value that the QSECURITY system value should be set to. Type a number in the text field labeled Minimum account umask value. 3. This the maximum number of failed logins a user is permitted before the asset locks out the account. 2. Go to the AS/400 Policy page. 2. such as Microsoft Windows. 5. 3. The number corresponds to the QMAXSIGN system value. Type an account lockout threshold value in the appropriate text field. 4. Go to the Unix Policy page. When you have finished configuring the scan template. 3. Nexpose User’s Guide 209 . This number corresponds to the QPWDMINLEN system value and specifies the minimum length of the password field required. Type a minimum password length in the appropriate text field. Configure any other template settings as desired. click Save. This the maximum number of failed logins a user is permitted before the asset locks out the account. Select a minimum security level from the drop-down list. click Save. Configure testing for AS/400 policy compliance To configure Nexpose to test for AS/400 policy compliance: 1. Configure testing for UNIX policy compliance To configure Nexpose to test for UNIX policy compliance: 1. When you have finished configuring the scan template. The level values range from Password security (20) to Advanced integrity protection (50). Configure any other template settings as desired. click Save. Samba. it will report a policy violation. Go to the CIFS/SMB Account Policy page. If the application detects broader permissions than those specified by this value. 2. Type a minimum password length in the appropriate text field. Configure any other template settings as desired. crosssite scripting (CSS/XSS). broken links. It does this by sending the server a Web page request as a browser would. User-Agent represents the application to the Web site as a specific browser. in the address www.com/index. such as its version number and the Web application technologies it supports. defines the characteristics of a user’s browser. insecure password use. the spider will only check the base URL without the ?id=6 parameter. Nexpose User’s Guide 210 . followed by a parameter directed-link. To gain access to a Web site for scanning.Configuring Web spidering Nexpose can spider Web sites to discover their directory structures. because some Web sites will refuse HTTP requests from browsers that they do not support. The request includes pieces of information called headers. The application then analyzes this data for evidence of security flaws. One of the headers. If you enable the setting to include query strings. and other issues resulting from software defects or configuration errors. readable CGI scripts.html?id=6. inaccessible links. the files and applications on their servers. Some built-in scan templates use the Web spider by default: • • • • • Web audit HIPAA compliance Internet DMZ audit Payment Card Industry (PCI) audit Full audit You can adjust the settings in these templates. and other information. For example. default directories. backup script files. called UserAgent. the spider will check the full string www.com/index. pages that are yet to be scanned will show a base URL. such as SQL injection. The spider examines links within each Web page to determine which pages have been scanned. In many Web sites. If you do not enable the setting. You can also configure Web spidering settings in a custom template.html?id=6 against all URL pages that have been already retrieved to see whether this page has been analyzed.exampleinc. the ?id=6 parameter probably refers to the content that should be delivered to the browser. in the address bar.exampleinc. the application makes itself appear to the Web server application as a popular Web browser. The default User-Agent string represents the application to the target Web site as Internet Explorer 7. consult your Web site developer. Enter the amount of time. 2. 1. Select the appropriate check box to include query strings when spidering if desired. To delay the spider’s requests to Web servers. and select the check box labeled Check use of common user names and passwords. This option sets the maximum number of unique host names that the spider may resolve.Configuration steps and options for Web spidering Configure general Web spider settings: 1. This function adds substantial time to the spidering process. NOTE: Changing the default user agent setting may alter the content that the application receives from the Web site. If you are unsure of what to enter for the User-Agent string. 3. the application attempts to log onto Web applications by submitting common user names and passwords to discovered authentication forms. Multiple logon attempts may cause authentication services to lock out accounts with these credentials. With this setting enabled. The acceptable range is 1-60000 milliseconds. Select the option to check the use of common user names and passwords if desired. select the check box for that option. The default value is 120000 ms (2 minutes). If you want the spider to test for persistent cross-site scripting during a single scan. As the Web spider discovers logon forms during a scan. which would make them vulnerable to automated attacks that exploit this practice. 4. or leave the default value of 100. The acceptable host range is 1 to 500. Select the check box to enable Web spidering. 5. The Web spider will retry the request based on the value specified in the Maximum retries for spider requests field. especially with large Web sites. You can enter a value from 1 to 3600000 ms (1 hour). If you want to change the default value in the Browser ID (User-Agent) field enter a new value. Enter a maximum number of foreign hosts to resolve. The application reports the use of these credentials as a vulnerability. It is an insecure practice because attackers can easily guess them. Go the Weak Credential Checking area on the Web spidering configuration page. in the Spider response timeout field to wait for a response from a Web server. in milliseconds. Go to the Web Spidering page of the Scan Template Configuration panel. the Web spider attempts to log on through these forms with commonly used credentials. because of frequent cross-link checking involved. Configure Web spider performance settings: 1. it can determine if any of these forms accept commonly used user names or passwords. Nexpose User’s Guide 211 . Any successful attempt counts as a vulnerability. To perform the check. enter a number of milliseconds in the appropriate field. NOTE: Including query strings with Web spidering check box causes the spider to make many more requests to the Web server. 6. (Optional) Enable the Web spider to check for the use of weak credentials: NOTE: This check may cause authentication services with certain security policies to lock out accounts with these commonly used credentials. Enabling it may increase Web spider scan times. Web servers with sensitive firewalls may require a delay before fulfilling spider requests. 3. This test helps to reduce the risk of dangerous attacks via malicious code stored on Web servers. 2. This will increase overall scan time and possibly affect the Web server's performance for legitimate users. A significant increase in threads may affect another scan that is occurring simultaneously. especially with large sites. The default value is 2 retries. Separate each name with a comma (.000. For unlimited directory traversal. 7. 8. or leave the default value of 3. The acceptable range is 1 to 999. 9.000 pages. Enter in the field the maximum number of spider threads that the application will deploy per Web server. Limiting directory depth can save significant time. portions of the target site may remain unscanned at the end of the time limit. The default value is 6. Enter the names of any HTTP daemons that you would like the spider to bypass. This is a time-saving measure for large sites. Increasing the number of threads can speed up the scan. 5. Subsequent scans will not resume where the Web spider left off. Enter a number in the field labeled Maximum directory levels to spider to set a directory depth limit for Web spidering. especially with large target Web sites. The acceptable range is 1 to 1.4. Enter the number of time to retry a request after a failure in the Maximum retries for spider requests field. Enter a number in the field to limit the number of pages that the spider requests. The acceptable range is 1 to 500. no time limit is applied. Enter a number in the field to set a maximum number of minutes for scanning each Web site. the Web spider will stop scanning the target Web site when the first limit is reached. 6. the application avoids the following daemons by default: • • • • • • • • • • • • • • • • • Virata-EmWeb Allegro-Software-RomPager JetDirect HP JetDirect HP Web Jetadmin HP-ChaiSOE HP-ChaiServer CUPS DigitalV6-HTTPD Rapid Logic Agranat-EmWeb cisco-IOS RAC_ONE_HTTP RMC Webserver EWS-NIC3 EMWHTTPD IOS Nexpose User’s Guide 212 . Enter a value from 0 to 100. A value of 0 means do not retry a failed request. type 0 in the field. so it is possible that the target Web site may never be scanned in its entirety.). NOTE: If you set both a time limit and a page limit. If you leave the default value of 0. A time limit prevents scans from taking longer than allotted time windows for scan jobs. NOTE: If you run recurring scheduled scans with a time limit. If you leave the field blank. it will not scan those paths. scanning a printer may actually cause it to print unexpectedly. Enter a regular expression for sensitive content. click Save. select the appropriate check box in the Restrictions section. If you specify excluded paths. Reducing the depth reduces coverage but speeds up the scan. For example. or leave the default string. or leave the default value of 6. Any matches to the regular expression will be considered sensitive data field names. NOTE: Scan coverage of any included bootstrap paths is subject to time and page limits that you set in the Web spider configuration. the spider does not include bootstrap paths in the scan. Select the check box to instruct the spider to adhere to standards set forth in the robots. If you leave the field blank.txt protocol. Configure Web spider settings related to directory paths: 1. print servers. When you have finished configuring the scan template.10. the spider does not exclude any paths from the scan. Separate multiple entries with commas. The application reports as vulnerabilities strings that are designated to be sensitive. Also. (Optional): To avoid scanning Web-connected printers. Nexpose User’s Guide 213 . 2. scanning these devices can disrupt their operations. Robots. The application reports field names that are designated to be sensitive as vulnerabilities: Form action submits sensitive data in the clear. 3. Enter a regular expression for sensitive data field names. Enter the base URL paths to exclude in the Excluded paths field. or multiuse devices such as a printer/scanner/fax machine. If you leave the field blank. Separate multiple entries with commas. 11. Enter a number in the field to set a maximum link depth. If the scan reaches your specified time or page limit before scanning bootstrap paths. 2. Enter the base URL paths for applications that are not linked from the main Web site URLs in the Bootstrap paths field if you want the spider to include those URLS. Enforcing this restriction can reduce scan times. it does not search for sensitive strings. Configure Web spider settings related to regular expressions: 1. This setting controls how many hyperlinks the spider will follow as it crawls through a site. Configure any other scan template settings as desired. the application does not attempt to spider those URLs or discovery any vulnerabilities or files associated with them. Example: /myapp. The acceptable range is 1 to 100.txt is a convention that prevents spiders and other Web robots from accessing all or part of Web site that are otherwise publicly viewable. If you leave the field blank. cross-site scripting (CSS/XSS). A scan against the same server hosting 10. or depth. you can safely increase the scan speed by lowering the delay to 0. These values can limit the amount of time that Web spidering takes. as well as the maximum number of pages to crawl per Web site. the spider ignores cross-site links and stays only on the end point it is scanning. Nexpose uses spider data evaluate custom Web applications for common problems such as SQL injection. readable CGI scripts. the Web spider crawls a site using three threads and a per-request delay of 20 ms. Nexpose User’s Guide 214 . insecure use of passwords. assuming the target asset can serve one page on average per 150 ms with a default delay of 20ms per request. By default.Fine-tuning Web spidering The Web spider crawls Web servers to determine the complete layout of Web sites. The amount of traffic that this generates depends on the amount of discovered. A complete Web spider scan will take slightly less than 90 seconds against a responsive server hosting 500 pages. If your asset inventory doesn’t include Web sites. Don't change the default delay setting on high-traffic networks. enter the maximum number of directories. be sure to turn this feature off. If you’re running the application on a multiple-processor system. It is a thorough process. On an under-utilized network. It can be very time consuming.000 pages would take approximately 28 minutes. Most Web application vulnerability tests are dependent on Web spidering. By default. linked site content. backup script files. or 25 minutes with no delay. increase the number of spider threads to three per processor. which makes it valuable for protecting Web sites. With no delay the spidering would take 75 seconds. and many other issues resulting from custom software defects or incorrect configurations. When you configure a scan template for Web spidering. 2005. 2008 Oracle versions 6 through 10 Sybase Adaptive Server Enterprise (ASE) versions 9. When you have finished configuring the scan template. it tests table access. Nexpose User’s Guide 215 . and decompilation. stored procedure access. often target mail relay for exploitation. who send millions of unwanted spam e-mails. If the application receives the e-mail. 7. Commercial operators. This e-mail address should be external to your organization. Go to the Spam Relaying page: Type an e-mail address in the appropriate text field. 2000. 10 and 11 DB2 AS/400 PostgreSQL versions 6. this indicates that the servers are vulnerable. Configuring scans of database servers Nexpose performs several classes of vulnerability and policy checks against a number of databases. the application discovers tables and checks system access.Configuring scans of various types of servers Configuring spam relaying settings Mail relay is a feature that allows SMTP servers to act as open gateways through which mail applications can send e-mail. 4. such as a Yahoo! or Hotmail address. including: • • • • • • • MS SQL/Server versions 6. The application will attempt to send e-mail from this account to itself using any mail services and mail scripts that it discovers during the scan. and default scripts. Configure any other template settings as desired. Type a URL in the HTTP_REFERRER to use field. This is typically a Web form that spammers might use to generate Spam emails. default credentials. Additionally. To configure spam relay settings: 1. Most organizations now restrict mail relay services to specific domain users. 8 MySQL For all databases. 2. 7. click Save. 3. Nexpose alternately detects Web servers by using behavioral analysis in addition to banner checking. Separate multiple SIDs with commas. and error types as defined by the universal specification for Web servers. Enter the name of a DB2 database in the appropriate text field that the database can connect to. You can configure the application to fingerprint Web servers. Go to the Web Servers page. Enter the name of a Postgres database in the appropriate text field that the application can connect to. Nexpose identifies the type of server targeted by how the server behaves if its header information is missing or inaccurate. Websphere and IIS to detect these behavioral adaptations to detect the Web server type. Configure any other template settings as desired. Resin. 3. The application tracks various versions of Apache. JBOSS. 4. You should disable this option if Web servers in your environment return reliable server banners. 2. Note that this process can be slow. Nexpose User’s Guide 216 . click Save. Early versions of Apache provide different responses to non-existent URLs than later versions. click Save. and has been known to crash poorly developed HTTP servers. Tomcat. Click the check box labeled Enable adaptive HTTP fingerprinting. Go to the Database Servers page. Configure scans of Web servers Web designers and programmers may obscure site banners to help prevent attacks by outsiders against known or unknown vulnerabilities in the Web servers. To configure scanning Web servers: 1. It will only use the banner checker if the behavioral engine is unable to detect the appropriate Web server version. such as discovering common configuration errors and default guesses. As specifications for Web services have changed over time. 5. You can now specify additional SIDs for verification. so the responses of Web servers has changed to keep track of those protocols. for example. Doing so enables it to test for a series of known and unknown vulnerabilities. 3. Nexpose attempts to verify an SID on a target asset through various methods. Fine-tuning Web site scanning Adaptive HTTP fingerprinting can be useful method for gathering security-related information about a Web server. NOTE: The application will use the fingerprinting mechanism instead of the banner checker when you enable this setting. to which it can connect. Configure any other template settings as desired. When you have finished configuring the scan template.To configure to scan database servers: 1. When you have finished configuring the scan template. Enter the names of Oracle SIDs in the appropriate text field. 2. To configure scanning CVS servers: 1. 3. click Save.Configuring scans of mail servers You can configure Nexpose to scan mail servers. Go to the Mail Servers page. When you have finished configuring the scan template. Configure any other template settings as desired. 3. Go to the CVS Servers page. To configure to scan mail servers: 1. The default value is 30 seconds. in versions prior to v1. To configure Nexpose to scan DHCP servers: 1. This setting is a threshold outside of which the application will report inaccurate time readings by system clocks. click Save. Configuring scans of CVS servers Nexpose tests a number of vulnerabilities in the Concurrent Versions System (CVS) code repository. which may be used to reach hosts that are otherwise unknown. 4. click Save. When you have finished configuring the scan template. Configure any other template settings as desired. Type a read timeout value in the appropriate text field. and Address Resolution Protocol (ARP) table information. Type a DHCP address range in the text field. Configuring scans of DHCP servers DHCP Servers provide Border Gateway Protocol (BGP) information. Hackers exploit vulnerabilities in these servers for address information. When you have finished configuring the scan template. domain naming help.11 of the official CVS server. The inaccuracy will be reported in the system log. Nexpose User’s Guide 217 . 2.11. 2. 2. Go to the DHCP servers page. The application will then target those specific servers for DHCP interrogation. it is possible for an attacker with write access to the CVSROOT/passwd file to execute arbitrary code as the cvsd process owner. For example. which usually is root. Configure any other template settings as desired. Enter the name of the CVS repository root directory in the text box. This setting is the interval at which the application retries accessing the mail server. 3. Type an inaccurate time difference value in the appropriate text field. 6. Type a regex for failed logon attempts in the appropriate text field. For more information. 7. Type a regex for a password prompt in the appropriate text field. with many varying implementations.Configuring scans of Telnet servers Telnet is an unstructured protocol. Go to the Telnet Servers page. When you have finished configuring the scan template. Type a character set in the appropriate text field. Nexpose User’s Guide 218 . To configure scanning of Telnet servers: 1. see Using regular expressions on page 248. Type a regex for a logon prompt in the appropriate text field. 5. click Save. Configure any other template settings as desired. 3. You can improve scan accuracy by providing Nexpose with regular expressions. 2. This renders Telnet servers prone to yielding inaccurate scan results. Type a regex for questionable logon attempts in the appropriate text field. 4. File name searching is useful for finding software programs that are not detected by fingerprinting. You can view the names of scanned file names in the File and Directory Listing pane of a scan results page.Configuring file searches on target systems If Nexpose gains access to an asset’s file system by performing an exploit or a credentialed scan. and it does not retrieve them. it can search for the names of files in that system. such as patient file data in the case of HIPAA compliance unauthorized software The application reads the contents of these files. It also is a good way to verify compliance with policies in corporate environments that don't permit storage of certain types of files on workstation drives: • • • copyrighted content confidential information. Nexpose User’s Guide 219 . and it can improve accuracy. but if you want to bump up maximum number of scan threads. Bandwidth is also important to consider. Edit site configuration Tailor your site configuration to support your performance goals. adding Scan Engines can reduce scan time over all. such as firewalls. If not. It’s helpful to place Scan Engines on both sides of network dividing points. Change Scan Engine deployment Depending on bandwidth availability. as opposed to a maximum of approximately 4 GB on 32-bit systems. This usually indicates memory problems. Try pairing sites with different scan templates. consider installing the 64-bit version of Nexpose. The installation guide lists minimum system requirements for installation. If increasing scan threads is critical to meeting your performance goals. A Scan Engine running on a 64-bit operating system can use as much RAM as the operating system supports. If you can find ways to make it easier for the application to coexist with your security infrastructure— without exposing your network to risk or violating security policies—you can enhance scan speed and accuracy. such as firewalls. Try increasing the number of sites and making sites smaller. The vertical scalability of 64-bit Scan Engines significantly increases the potential number simultaneous scans that Nexpose can run. Nexpose User’s Guide 220 . Make your environment “scan-friendly” Any well constructed network will have effective security mechanisms in place. Increase resources Resources fall into two main categories: • • Network bandwidth RAM and CPU capacity of hosts If your organization has the means and ability. Always keep in mind that best practices for Scan Engine placement. See the topic Distribute Scan Engines strategically in the administrator's guide. Where you put Scan Engines is as important as how many you have. you may find your host system slowing down or becoming unstable. you can do other things to improve scan performance.Using other tuning options Beyond customizing scan templates. Adjust your scan schedule to avoid bandwidth conflicts. find ways to reduce bandwidth conflicts when running scans. Your system may meet those requirements. See the topic Distribute Scan Engines strategically in the administrator's guide. These devices will regard Nexpose as a hostile entity and attempt to prevent it from communicating with assets that they are designed to attack. enhance network bandwidth. Increasing the capacity of host computers is a little more straightforward. Maintaining this setting is generally a smart security practice. a Windows domain administrator would perform this procedure. Give the application the proper domain credentials. Nexpose User’s Guide 221 .For example. security-related data as required for patch or compliance checks. you can take a few simple measures to improve performance: • • • • Make the application a part of the local domain. Vista. Configure the XP firewall to allow it to connect to Windows and perform patch-checking Edit the domain policy to give the application communication access to the workstations. Opening a firewall gives it access to critical. To find out how to open a firewall without disabling it on a Windows platform. However. By default. when scanning Windows XP workstations. see Microsoft’s documentation for that platform. and Server 2008 enable firewalls to block incoming TCP/IP packets. Open firewalls on Windows scan targets You can open firewalls on Windows assets to allow Nexpose to perform deep scans on those targets within your network. a closed firewall limits the application to discovering network assets during a scan. Server 2003. Typically. Microsoft Windows XP SP2. you need a different way to present vulnerability data to show compliance percentages to your auditors. FDCC. Or you show what percentage of computers are compliant for a specific vulnerability. You create a custom policy to track one vulnerability to measure the risks over time and show improvements. or CIS). reestablish a session and then save your changes to the policy. • Custom policies are editable copies of built-in policies. You create a custom policy by editing copies of built-in configuration policies or other custom policies. You can make copies of a custom policy if you need custom policies with similar changes. A policy consists of rules that may be organized within groups or sub-groups. Policy Manager is a license-enabled scanning feature that performs checks for compliance with United States Government Configuration Baseline (USGCB) policies. If your session times out when you try to save a policy. Edit and Delete buttons display for only custom policies for users with Manage Policies permission. Contact your account representative if you want to add this feature. You can determine which policies are editable (custom) on the Policy Listing table. The Source column displays which policies are built-in and custom.Creating a custom policy NOTE: To edit policies you must have the Policy Editor license. Policy — viewing the policy source column Editing policies during a scan You can edit policies during a scan without affecting your results. manual or scheduled scans that are in process or paused scans that are resumed use the policy configuration settings in effect when the scan initially launched. Center for Internet Security (CIS) benchmarks. such as policies for different locations. Changes saved to a custom policy are applied during the next scheduled scan or a subsequent manual scan. The Copy. You can create a custom policy and then periodically check the settings to improve scan results or adapt to changing organizational requirements. and Federal Desktop Core Configuration (FDCC) policies. You edit a custom policy to fit the requirements of your environment by changing the values required for compliance. These policies are not editable. While you modify policies. Nexpose User’s Guide 222 . There are two policy types: • Built-in policies are installed with the application (Policy Manager configuration policies based on USGCB. For example. Contact your administrator about your user permissions. such as XYZ Org -USGCB 1. Policy — creating a custom policy A unique ID (UID) is assigned to built-in and saved custom policies. For example. 2. add your organization name or abbreviation. You can edit the following items: • • • custom policy—customize name and description groups—customize name and description rules—customize name and description and modify the values for checks To create an editable policy. This helps you select the correct policy for the scan template. The following section demonstrates how to edit the different items in a custom policy. If you use the same name for multiple policies then a UID icon ( ) displays when you save the custom policy. complete these steps: 1.2. Click Copy next to a built-in or custom policy.1.0 . you need Manage Policies permissions.Editing a policy NOTE: To edit policies. You can modify the Name to identify which policies are customized for your organization. When you are adding policies to a scan template. refer to the UID if there are multiple policies with the same name.Windows 7 Firewall. Policy — copying a built-in policy The application creates a copy of the policy. Nexpose User’s Guide 223 . Policy — viewing the UID for policies with duplicate names Hover over the UID icon to display the unique ID for the policy. Click Save. 3. By opening the groups. you drill down to an individual group or rule in a policy. (Optional) You can modify the Description to explain what settings are applied in the custom policy using this policy. Viewing policy hierarchy The Policy Configuration panel displays the groups and rules in item order for the selected policy. Policy Editor — editing custom policy name and description 4. Policy — viewing the policy hierarchy Nexpose User’s Guide 224 . Click the icon to expand groups or rules to display details on the Policy Configuration panel. Select the Password Complexity rule to view the checks used during a scan to verify password compliance. See Using policy find on page 226.To view policy hierarchy for password rules. your organization has specific requirements for password compliance. If your organization policy does not enforce strong passwords then you can change the value to Disabled. For example. Select an item (rule or group) in the policy tree (hierarchy) to display the detail in the right panel. Policy — clicking View to display the policy 2. Nexpose User’s Guide 225 . Click View on the Policy Listing table to display the policy configuration. Policy — viewing the policy hierarchy 3. Use the policy Find box to locate a specific rule. complete these steps: 1. For example. type password.Using policy find Use the policy find to quickly locate the policy item that you want to modify. Type a word or phrase in the policy Find box. 3. Policy — typing search criteria For example. 4. Click the Up ( ) and Down ( ) arrows to move to the next or previous items that match the find criteria. Nexpose User’s Guide 226 . For example. Policy — browsing find results 2. To clear the find results. click Clear ( ). To find an item in a policy. replace password with password age. Click the Up ( ( ) arrows to display the next or previous instance of IPv6 found by the policy find. the application searches then highlights all matches in the policy hierarchy. complete these steps: 1. ) and Down As you type. (Optional) Refine your criteria if you receive too many results. type IPv6 to locate all policy items with that criteria. To edit a rule value. You select a rule in the Policy Configuration hierarchy to see the list of editable checks and values related to that rule. Editing policy rules You can modify policy rules to get different scan results. The rule details display. complete these steps: 1. You can modify this text to identify which groups contain modified (custom) rules and add a description of what type of changes. Select a rule in the policy hierarchy. Policy — selecting a rule Nexpose User’s Guide 227 . The policy find uses this text to locate items in the policy hierarchy. See Using policy find on page 226.Editing policy groups You modify the group Name and Description to change the description of items that you customized. Policy — editing group name or description You select a group in the policy hierarchy to display the details. If you try to delete a policy while running a scan. Nexpose User’s Guide 228 . disable the Use FIPS compliant algorithms for encryption. Policy — modifying rule values 2. Click Save. 4. See Using policy find on page 226. Contact your administrator about your user permissions. change the Behavior of the elevation prompt for administrators in Admin Approval Mode check by typing a value for the total seconds. The policy must be removed from scan templates and report configurations before deleting. Repeat these steps to edit other rules in the policy. hashing and signing rule by typing ‘0’ in the text box. Policy — disabling a rule For example. Text in the Name is used by policy find. Policy — entering the value for a check option.(Optional) Customize the Name and Description for your organization. you need Manage Policies permissions. then a warning message displays indicating that the policy can not be deleted. The guidelines list the options for each value. When you delete a policy. Refer to the guidelines about what value to apply to get the correct result. 3. Click Delete for the custom policy that you want to remove. Modify the checks for the rule using the fields displayed. all scan data related to the policy is removed. You can remove custom policies that you no longer use. For example. Deleting a policy NOTE: To delete policies. You add custom policies to the scan templates to apply your modifications across your sites. The Policy Manager list contains the custom policies. See Working with scan templates and tuning scan performance on page 185 for more detail about fine tuning scan templates. 2012 release. Policy — enabling a custom policy in the scan template Click Custom Policies to display the custom policies.Adding Custom Policies in Scan Templates NOTE: To perform policy checks in scans. Select the custom policies to add. Nexpose User’s Guide 229 . make sure that your Scan Engines are updated to the August 8. XYZ-oval. then the application does not upload the policy. If unsupported OVAL check types are in the policy. It must have a unique name (title) and ID (benchmark ID). such as: • • • • • • • • • • • • accesstoken_test auditeventpolicysubcategories_test auditeventpolicy_test family_test fileeffectiverights53_test lockoutpolicy_test passwordpolicy_test registry_test sid_test unknown_test user_test variable_test Nexpose User’s Guide 230 . You must log on as Global Administrator to upload policies. The archive file must contain the following XML files: • • XCCDF file—This file contains the structure of the policy.Uploading custom SCAP policies NOTE: To upload policies you must have the Policy Editor capability enabled in your license. If the archive contains other file types.xml). The SCAP XCCDF benchmark file name must end with -xccdf. The policy files must contain supported OVAL check types. the policy fails to upload. The application provides policies that you can apply to scan your environments. This file is required. These file names must end with -oval. You can create policies from scratch. File specifications Policy files must be compressed to an archive (ZIP or JAR file format) with no folder structure.xml). OVAL file—These files contain policy checks. upload your custom content to use in policy scans.xml (For example. such as health check scripts that prioritize security settings. and run it with your other policy and vulnerability checks. you may create custom scripts to verify items specific to your company. XYZ-xccdf.xml (For example. There is no one-size-fits-all solution for managing configuration security. The archive can contain only XML or TXT files. such as CSV. Contact your account representative if you want to update your license. However. 2. Click the Policies tab.The following XML files can be included in the archive file to define specific policy information. The application verifies that the benchmark version to identifies a benchmark (v1. You must create unique names and IDs in your benchmark file to upload them successfully. These files are not required for a successful upload. CCE files—These files contain CCE identifiers for known system configurations to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. See Creating a custom policy on page 222. the operating system facet. Version and file name conventions NOTE: The application does not upload custom policies with the same name and benchmark ID as an existing policy. You can name your custom policies to meet your company’s needs. complete the following steps: 1. Nexpose User’s Guide 231 . The file must begin with cpe: and includes segments for the hardware facet. • • • CPE files—These files contain the Uniform Resource Identifiers (URI) that correspond to fingerprinted platforms and applications.1. The application identifies policies by the benchmark ID and title. Uploading SCAP policies NOTE: Custom policies uploaded to the application can be edited using the Policy Manager. To upload a policy. 2. cpe:/o:microsoft:windows_xp:-:sp3:professional).0) that is supported. Clicking the Upload Policy button The system displays the Upload a policy panel. If you cannot see this button then you must log on as Global Administrator. Click the Upload Policy button. CVE files—These files contain CVE (Common Vulnerabilities and Exposures) identifiers to known vulnerabilities and exposures. and the application environment facet of the fingerprinted item (For example. To identify which policies are customized for your organization you can devise a file naming convention. After restarting. For example. For more information about errors.Entering SCAP policy file information 3. Nexpose User’s Guide 232 . Enter a name to identify the policy. such as XYZ Org -USGCB 1.Windows 7 Firewall. Click the Upload button to upload the policy. See Adding Custom Policies in Scan Templates on page 229.0 . You can edit these policies using the Policy Manager. • • If the policy uploads successfully. If you receive an error message the policy is not loaded. Click the Browse button to locate the archive file. This is a required field. 8. see Troubleshooting upload errors on page 233. Add your custom policies to the scan templates to apply to future scans. You must resolve the issue noted in the error message then repeat these steps until the policy loads successfully. You must restart the application to complete the upload and apply your uploaded policies. your custom policies appear in the Policy Listing panel on the Policies page. 4.1.2. See Creating a custom policy on page 222. 7. add your organization name or abbreviation. Enter a description that explains what settings are applied in the custom policy. go to step 7. 6. 5. • The SCAP XCCDF benchmark file contains unsupported character encoding.xml” and is not under a folder in the archive. • If the XML encoding declaration is missing then it will default to the server’s default encoding.0" encoding="UTF-8"> • There are hidden characters at the beginning of the SCAP XCCDF benchmark file. For example: abc<?xml version="1. Verify that the SCAP XCCDF benchmark file exists in the archive using the required naming convention.White space . [value] is a placeholder for a specific reference in the error message. The SCAP XCCDF benchmark file name must end with -xccdf. (Sheet 1 of 4) Nexpose User’s Guide 233 . The SCAP XCCDF benchmark file must contain a benchmark ID. The following items are hidden characters: . Verify that there are no blank spaces. The application currently supports version 1. • There is a mismatch in the encoding declaration and the SCAP XCCDF benchmark file. • There are characters positioned before the first bracket (<). For example. Resolution The following list describes some issues to verify in the SCAP XCCDF benchmark file: • The SCAP XCCDF benchmark file is not an XML file.Troubleshooting upload errors Policies are not uploaded to the application unless certain criteria are met. there is a UTF8 declaration for a UTF16 XML file. 1.1. that is caused by text editors like Microsoft® Notepad. The SCAP XCCDF Benchmark version [value] is unsupported. The application cannot find the SCAP XCCDF benchmark file in the archive. Error The SCAP XCCDF Benchmark file [value] cannot be parsed.1. Add the schema version (SCAP policy) to the SCAP XCCDF benchmark file. This table lists common errors and resolutions.4). If the XML content contains characters that are not supported by the default character encoding then the SCAP XCCDF benchmark file cannot be parsed. The SCAP XCCDF benchmark file must contain a valid schema version. Content is not allowed in prolog. . The archive (ZIP or JAR) cannot have a folder structure.xml). Add a benchmark ID to the SCAP XCCDF benchmark file. Add a UTF8 declaration to the SCAP XCCDF benchmark file. You must resolve the issues and upload the policy successfully to apply your custom SCAP policy to scans.Any other type of invisible characters. The SCAP XCCDF Benchmark version could not be found in [value]. The SCAP XCCDF Benchmark file cannot be found. NOTE: In this table. Replace the version number using a valid format. Error messages identify the criteria that have not been met.xml (For example. Use a hex editor to remove the hidden characters. Verify that the SCAP XCCDF benchmark file name ends in “-xccdf. The SCAP XCCDF benchmark file must contain a version in supported format (for example.Byte Order Mark character in UTF8 encoded XML file. XYZ-xccdf. The SCAP XCCDF Benchmark file must contain an ID for the Benchmark to be uploaded.4 or earlier. Please only use OVAL check systems. The format of the archive is invalid. Remove the test from the SCAP XCCDF benchmark file . [value] is a placeholder for a specific reference in the error message. A conflict in the SCAP XCCDF benchmark file is referencing an item that is not recognized or is the wrong item. The test must be removed for the policy to be uploaded. Replace the benchmark ID using a valid format. Review the conflict specified in the error message to determine what group or rule to add. The archive (ZIP or JAR) cannot have a folder structure. Verify that the archive file contains all policy definition files referenced in the SCAP XCCDF benchmark file. Resolution The benchmark ID has an invalid character. The Benchmark cannot be uploaded The SCAP XCCDF Benchmark contains two profiles with the same Profile ID [value]. The SCAP XCCDF benchmark file includes a test that the application does not support. There are unsupported items (such as OVAL check types). Review the conflict specified in the error message to determine which item to replace. The uploaded archive is not a valid zip or jar archive. Revise the SCAP XCCDF benchmark file. The SCAP XCCDF Benchmark file contains a rule [value] that refers to a check system that is not supported. Compress your policy files to an archive (ZIP or JAR) with no folder structure. The SCAP XCCDF Benchmark file [value] contains a test [value] that is not supported within the product. Only XCCDF Benchmarks or Groups can contain other items. NOTE: In this table. A requirement in the SCAP XCCDF benchmark file is missing a reference to a group or rule. so only benchmarks or groups contain other benchmark items. The Benchmark cannot be uploaded. The SCAP XCCDF item [value] requires a group or rule [value] to be enabled that is not present in the Benchmark and cannot be uploaded. Revise the SCAP XCCDF benchmark file so that each <profile> has a unique ID. such as a blank space. Review the requirement specified in the error message to determine what group or rule to add. The SCAP XCCDF item [value] requires a group or rule [value] to not be enabled that is not present in the Benchmark and cannot be uploaded. The SCAP XCCDF item [value] requires a group or rule [value] to not be enabled.Error The SCAP XCCDF Benchmark file [value] contains a Benchmark ID that contains an invalid character: [value]. but the item reference is neither a group or rule. Or remove the reference to the missing definition file. A conflict in the SCAP XCCDF benchmark file is missing a reference to a group or rule. There are two profiles in the SCAP XCCDF benchmark file that have the same ID. The SCAP XCCDF Benchmark file [value] contains a reference to an OVAL definition file [value] that is not included in the archive. (Sheet 2 of 4) Nexpose User’s Guide 234 . The item [value] is not a XCCDF Benchmark or Group. Remove the unsupported items from the SCAP XCCDF benchmark file. This is illegal and the Benchmark cannot be uploaded. There is an check referenced in the SCAP XCCDF benchmark file that is not included in the Benchmark. [value] is a placeholder for a specific reference in the error message. The Benchmark cannot be parsed.Error The SCAP XCCDF Benchmark contains a value [value] that does not have a default value set. Resolution A default selection must be included for items with multiple options for an element. you can only upload one benchmark at a time. A requirement in the SCAP XCCDF benchmark file is referencing an item that is not recognized or is the wrong item. The value [value] must have a default value defined if there is no selector tag. [value] benchmark files were found within the archive. The SCAP XCCDF Benchmark file contains a XCCDF Value [value] that has no value provided. NOTE: In this table. [value] The SCAP XCCDF item [value] does not reference a valid value [value] and the Benchmark cannot be parsed. The SCAP XCCDF benchmark file cannot be parsed due to the issue indicated at the end of the error message. or is an illegal extension. If the item has multiple options that can be selected then you must specify the default option. Revise the SCAP XCCDF benchmark file to remove the reference to the missing check or add the check to the Benchmark. Remove the CPE platform reference from the SCAP XCCDF benchmark file. The application does not recognize CPE platform reference in the SCAP XCCDF benchmark file. The Benchmark failed to upload. There is an item referenced in the SCAP XCCDF benchmark file that is not included in the Benchmark. The Benchmark cannot be uploaded. The SCAP XCCDF Benchmark cannot be uploaded. The SCAP XCCDF Benchmark Value [value] cannot be created within the policy [value]. Revise the SCAP XCCDF benchmark file to remove the reference to the missing item or add the item to the Benchmark. Create a separate archive for each benchmark and upload each archive to the application. The referenced check [value] in [value] is invalid or missing. The SCAP XCCDF Benchmark file [value] cannot be parsed. The SCAP XCCDF Benchmark file [value] contains an infinite loop and is illegal. Review the requirement specified in the error message to determine which item to replace. The SCAP XCCDF Benchmark file [value] contains an item that attempts to extend another item that does not exist. (Sheet 3 of 4) Nexpose User’s Guide 235 . Review the SCAP XCCDF benchmark file to locate the infinite loop and revise the code to correct this error. The Benchmark cannot be uploaded. The application cannot resolve the value within the policy. such as a rule. The archive must contain only one benchmark or it cannot be uploaded. Add a value to XCCDF value reference in the SCAP XCCDF benchmark file. Review the benchmark and revise the value. The SCAP XCCDF Benchmark [value] contains reference to a CPE platform [value] that is not referenced in the CPE Dictionary. xml. Resolution This parsing error identifies the issue preventing the SCAP OVAL file from loading. The application cannot find the SCAP OVAL Source file in the archive. Review the SCAP OVAL file and located the issue listed in the error message to determine the appropriate revision.Error The SCAP OVAL file [value] cannot be parsed. [value] is a placeholder for a specific reference in the error message. [value] The SCAP OVAL Source file [value] could not be found. Verify that the SCAP OVAL Source file exists in the archive and the file name ends in the correct format. This file must end with -oval.xml or -patches. (Sheet 4 of 4) Nexpose User’s Guide 236 . NOTE: In this table. View risk trends over time in reports. allowing you to analyze risk according to your organization’s unique security needs or objectives. These characteristics make up the vulnerability’s risk to your organization. For example.Working with risk strategies to analyze threats One of the biggest challenges to keeping your environment secure is prioritizing remediation of vulnerabilities. By sorting vulnerabilities you can make a quick visual determination as to which vulnerabilities need your immediate attention and which are less critical. based on how sensitive it is to your organization’s security. The application provides several strategies for calculating risk. If Nexpose discovers hundreds or even thousands of vulnerabilities with each scan. You can also create custom strategies and integrate them with the application. which allows you to track progress in your remediation effort or determine whether risk is increasing or decreasing over time in different segments of your network. Every asset also has risk associated with it. Working with risk strategies involves the following activities: • • • Changing your risk strategy and recalculating past scan data on page 241 Using custom risk strategies on page 243 Changing the appearance order of risk strategies on page 245 Nexpose User’s Guide 237 . Each strategy emphasizes certain characteristics. if a database that contains credit card numbers is compromised. how do you determine which vulnerabilities or assets to address first? Each vulnerability has a number of characteristics that indicate how easy it is to exploit and what an attacker can do to your environment after performing an exploit. the damage to your organization will be significantly greater than if a printer server is compromised. After you select a risk strategy you can use it in the following ways: • • Sort how vulnerabilities appear in Web interface tables according to risk. Impact is comprised of three factors: • • • • Confidentiality impact indicates the disclosure of data to unauthorized individuals or systems. • Nexpose User’s Guide 238 . Each formula produces a different range of numeric values. both in terms of the skill required and the circumstances which must exist in order for the exploit to be feasible. See Changing your risk strategy and recalculating past scan data on page 241. Lower access complexity maps to higher risk. and is comprised of three factors: • • Access vector indicates how close an attacker needs to be to an asset in order to exploit the vulnerability. Integrity impact indicates unauthorized data modification. The common risk factors are grouped into three categories: vulnerability impact. • Vulnerability impact is a measure of what can be compromised on an asset when attacking it through the vulnerability. while the Temporal strategy has no upper bounds. and threat exposure. The factors that comprise vulnerability impact and initial exploit difficulty are the six base metrics employed in the Common Vulnerability Scoring System (CVSS). Fewer required authentications map to higher risk. with some high-risk vulnerability scores reaching the hundred thousands.Comparing risk strategies Each risk strategy is based on a formula in which factors such as likelihood of compromise. Authentication requirement is the likelihood of exploit based on the number of times an attacker must authenticate in order to exploit the vulnerability. Availability impact indicates loss of access to an asset's data. Lesser required proximity maps to higher risk. each strategy evaluating and aggregating the relevant factors in different ways.000. the risk level is low. Many of the available risk strategies use the same factors in assessing risk. For example. This is important to keep in mind if you apply different risk strategies to different segments of scan data. impact of compromise. and asset importance are calculated. Access complexity is the likelihood of exploit based on the ease or difficulty of perpetrating the exploit. Initial exploit difficulty is a measure of likelihood of a successful attack through the vulnerability. and the degree of that compromise. the Real Risk strategy produces a maximum score of 1. initial exploit difficulty. If the attacker must have local access. Exploit exposure is the rank of the highest-ranked exploit for a vulnerability. and availability impact of the vulnerability. The likelihood factor has an initial value that is based on the vulnerability's initial exploit difficulty metrics from CVSS: access vector. This ranking measures how easily and consistently a known exploit can compromise a vulnerable asset. The likelihood is modified by threat exposure: likelihood matures with the vulnerability's age.000. Higher exploit exposure maps to higher risk. Older vulnerability age maps to higher risk.000 based on the confidentiality impact. Developers create such kits to make it easier for attackers to write and deploy malicious code for attacking targets through the associated vulnerabilities. The impact is multiplied by a likelihood factor that is a fraction always less than 1. Nexpose User’s Guide 239 . also known as exploit kits. the more likely that the threat community has devised a means of exploiting it and the more likely an asset will encounter an attack that targets the vulnerability.• Threat exposure includes three variables: • Vulnerability age is a measure of how long the security community has known about the vulnerability. growing ever closer to 1 over time. • • Review the summary of each model before making a selection. and authentication requirement. the model computes a maximum impact between 0 and 1. modified by initial likelihood of compromise. integrity impact. The Real Risk algorithm applies unique exploit and malware exposure metrics for each vulnerability to CVSS base metrics for likelihood and impact. The Real Risk strategy can be summarized as base impact. A vulnerability's risk will never mature beyond the maximum impact dictated by its CVSS impact metrics. modified by maturity of threat exposure over time. A security hole that exposes your environment to an unsophisticated exploit or an infection developed with a widely accessible malware kit is likely to require your immediate attention. Malware exposure is a measure of the prevalence of any malware kits. The longer a vulnerability has been known to exist. The rate at which the likelihood matures over time is based on exploit exposure and malware exposure. access complexity. according to the Metasploit Framework. Real Risk strategy This strategy is recommended because you can use it to prioritize remediation for vulnerabilities for which exploits or malware kits have been developed. Specifically. The highest possible Real Risk score is 1. associated with a vulnerability. using confidentiality impact. The Temporal strategy has no upper bounds. The TemporalPlus risk strategy aggregates proximity-based impact of the vulnerability. so it could be useful for prioritizing older vulnerabilities for remediation. it provides a more granular analysis of vulnerability impact by expanding the risk contribution of partial impact vectors. The TemporalPlus strategy has no upper bounds. Making this switch will increase the risk scores for many vulnerabilities already detected in your environment. integrity impact. However. This strategy distinguishes risk associated with vulnerabilities with “partial” impact values from risk associated with vulnerabilities with “none” impact values for the same vectors. Temporal strategy This strategy emphasizes the length of time that the vulnerability has been known to exist. The Temporal risk strategy aggregates proximity-based impact of the vulnerability. and availability impact in conjunction with access vector. This is especially important to keep in mind if you switch to TemporalPlus from the Temporal strategy. Some high-risk vulnerability scores reach the hundred thousands. The risk then grows over time with the vulnerability age.TemporalPlus strategy Like the Temporal strategy. Older vulnerabilities are regarded as likelier to be exploited because attackers have known about them for a longer period of time. Also. Some high-risk vulnerability scores reaching the hundred thousands. which are access complexity and authentication requirement. which treats them equally. the longer a vulnerability has been in an existence. and availability impact in conjunction with access vector. which are access complexity and authentication requirement. The impact is tempered by an aggregation of the exploit difficulty metrics. integrity impact. Nexpose User’s Guide 240 . The impact is tempered by dividing by an aggregation of the exploit difficulty metrics. the greater the chance that less commonly known exploits exist. The risk then grows over time with the vulnerability age. TemporalPlus emphasizes the length of time that the vulnerability has been known to exist. using confidentiality impact. see Configuring a dynamic site on page 63 or Configuring a basic static site on page 25. If you are creating reports with risk trend charts. you also have the option to recalculate risk scores for past scan data. This ensures continuity in your risk trend reporting. and vulnerability types. Doing so provides continuity in risk tracking over time. which is the number—ranging from 1 to 10—that the application calculates for each vulnerability number of vulnerability instances number and types of services on the asset.Weighted strategy The Weighted strategy can be useful if you assign levels of importance to sites or if you want to assess risk associated with services running on target assets. Nexpose User’s Guide 241 . you will want to calculate Real Risk scores for all scan data since April 1. So. when you select Real Risk as your strategy. The score is expressed in single. asset data. Calculation time varies. You cannot cancel a recalculation that is in progress. Weighted risk scores scale with the number of vulnerabilities. you can recalculate scores for a specific scan date range to make those scores consistent with scores for future scans.or double-digit numbers with decimals. The strategy is based primarily on site importance. A higher number of vulnerabilities on an asset means a higher risk score. For example. you may change your risk strategy from Temporal to Real Risk on December 1 to do exposure-based risk analysis. the process may take hours. Changing your risk strategy and recalculating past scan data You may choose to change the current risk strategy to get a different perspective on the risk in your environment. or weight. Depending on the amount of scan data that is being recalculated. that you assign to a site when you configure it. Because making this change could cause future scans to show risk scores that are significantly different from those of past scans. You may want to demonstrate to management in your organization that investment in resources for remediation at the end of the first quarter of the year has had a positive impact on risk mitigation. for example. a database has higher business value the level of importance. and it emphasizes the following factors: • • • • • vulnerability severity. NOTE: You can perform regular activities, such as scanning and reporting while a recalculation is in progress. However, if you run a report that incorporates risk scores during a recalculation, the scores may appear to be inconsistent. The report may incorporate scores from the previously used risk strategy as well as from the newly selected one. To change your risk strategy and recalculate past scan data, take the following steps: Go to the Risk Strategies page. 1. 2. 3. Click the Administration tab in the Security Console Web interface. The console displays the Administration page. Click Manage for Global Settings. The Security Console displays the Global Settings panel. Click Risk Strategy in the left navigation pane. The Security Console displays the Risk Strategies page Select a new risk strategy. 1. Click the arrow for any risk strategy on the Risk Strategies page to view information about it. Information includes a description of the strategy and its calculated factors, the strategy’s source (built-in or custom), and how long it has been in use if it is the currently selected strategy. 2. 3. 4. Click the radio button for the desired risk strategy. Select Do not recalculate if you do not want to recalculate scores for past scan data. Click Save. You can ignore the following steps. (Optional) View risk strategy usage history. This allows you to see how different risk strategies have been applied to all of your scan data. This information can help you decide exactly how much scan data you need to recalculate to prevent gaps in consistency for risk trends. It also is useful for determining why segments of risk trend data appear inconsistent. 1. 2. Click Usage history on the Risk Strategies page. Click the Current Usage tab in the Risk Strategy Usage box to view all the risk strategies that are currently applied to your entire scan data set. Note the Status column, which indicates whether any calculations did not complete successfully. This could help you troubleshoot inconsistent sections in your risk trend data by running the calculations again. 3. Click the Change Audit tab to view every modification of risk strategy usage in the history of your installation. The table in this section lists every instance that a different risk strategy was applied, the affected date range, and the user who made the change. This information may also be useful for troubleshooting risk trend inconsistencies or for other purposes. 4. (Optional) Click the Export to CSV icon to export the change audit information to CSV format, which you can use in a spreadsheet for internal purposes. Nexpose User’s Guide 242 Recalculate risk scores for past scan data. 1. Click the radio button for the date range of scan data that you want to recalculate. If you select Entire history, the scores for all of your data since your first scan will be recalculated. Click Save. The console displays a box indicating the percentage of recalculation completed. 2. Using custom risk strategies You may want to calculate risk scores with a custom strategy that analyzes risk from perspectives that are very specific to your organization’s security goals. You can create a custom strategy and use it in Nexpose. Each risk strategy is an XML document. It requires the RiskModel element, which contains the id attribute, a unique internal identifier for the custom strategy. RiskModel contains the following required sub-elements. • • NOTE: The Rapid7 Professional Services Organization (PSO) offers custom risk scoring development. For more information, contact your account manager. • name: This is the name of the strategy as it will appear in the Risk Strategies page of the Web interface. The datatype is xs:string. description: This is the description of the strategy as it will appear in the Risk Strategies page of the Web interface. The datatype is xs:string. VulnerabilityRiskStrategy: This sub-element contains the mathematical formula for the strategy. It is recommended that you refer to the XML files of the builtin strategies as models for the structure and content of the VulnerabilityRiskStrategy sub-element. A custom risk strategy XML file contains the following structure: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <RiskModel id="custom_risk_strategy"> <name>Primary custom risk strategy</name> <description> This custom risk strategy emphasizes a number of important factors. </description> <VulnerabilityRiskStrategy> [formula] </VulnerabilityRiskStrategy> </RiskModel> Nexpose User’s Guide 243 NOTE: Make sure that your custom strategy XML file is wellformed and contains all required elements to ensure that the application performs as expected. To make a custom risk strategy available in Nexpose, take the following steps: 1. 2. Copy your custom XML file into the directory [installation_directory]/shared/riskStrategies/custom/global. Restart the Security Console. The custom strategy appears at the top of the list on the Risk Strategies page. Setting the appearance order for a risk strategy To set the order for a risk strategy, add the optional order sub-element with a number greater than 0 specified, as in the following example. Specifying a 0 would cause the strategy to appear last. <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <RiskModel id="janes_risk_strategy"> <name>Jane’s custom risk strategy</name> <description> Jane’s custom risk strategy emphasizes factors important to Jane. </description> <order>1</order> <VulnerabilityRiskStrategy> [formula] </VulnerabilityRiskStrategy> </RiskModel> To set the appearance order: 1. Open the desired risk strategy XML file, which appears in one of the following directories: • • 2. 3. 4. for a custom strategy: [installation_directory]/shared/riskStrategies/custom/global for a built-in strategy: [installation_directory]/shared/riskStrategies/builtin Add the order sub-element with a specified numeral to the file, as in the preceding example. Save and close the file. Restart the Security Console. Nexpose User’s Guide 244 Changing the appearance order of risk strategies You can change the order of how risk strategies are listed on the Risk Strategies page. This could be useful if you have many strategies listed and you want the most frequently used ones listed near the top. To change the order, you assign an order number to each individual strategy using the optional order element in the risk strategy’s XML file. This is a sub-element of the RiskModel element. See Using custom risk strategies on page 243. For example: Three people in your organization create custom risk strategies: Jane’s Risk Strategy, Tim’s Risk Strategy, and Terry’s Risk Strategy. You can assign each strategy an order number. You can also assign order numbers to built-in risk strategies. A resulting order of appearance might be the following: • • • • • • • NOTE: The order of built-in strategies will be reset to the default order with every product update. Jane’s Risk Strategy (1) Tim’s Risk Strategy (2) Terry’s Risk Strategy (3) Real Risk (4) TemporalPlus (5) Temporal (6) Weighted (7) Custom strategies always appear above built-in strategies. So, if you assign the same number to a custom strategy and a built-in strategy, or even if you assign a lower number to a built-in strategy, custom strategies always appear first. If you do not assign a number to a risk strategy, it will appear at the bottom in its respective group (custom or built-in). In the following sample order, one custom strategy and two built-in strategies are numbered 1. One custom strategy and one built-in strategy are not numbered: • • • • • • • Jane’s Risk Strategy (1) Tim’s Risk Strategy (2) Terry’s Risk Strategy (no number assigned) Weighted (1) Real Risk (1) TemporalPlus (2) Temporal (no number assigned) Note that a custom strategy, Tim’s, has a higher number than two numbered, built-in strategies; yet it appears above them. Nexpose User’s Guide 245 Understanding how risk scoring works with scans An asset goes through several phases of scanning before it has a status of completed for that scan. An asset that has not gone through all the required scan phases has a status of in progress. Nexpose only calculates risk scores based on data from assets with completed scan status. If a scan pauses or stops, The application does not use results from assets that do not have completed status for the computation of risk scores. For example: 10 assets are scanned in parallel. Seven have completed scan status; three do not. The scan is stopped. Risk is calculated based on the results for the seven assets with completed status. For the three in progress assets, it uses data from the last completed scan. To determine scan status consult the scan log. See Viewing the scan log on page 71. Nexpose User’s Guide 246 Chapter 6 Resources This section provides useful information and tools to help you get optimal use out of the application. • • • • • • Using regular expressions on page 248: This sections provides tips on using regular expressions in various activities, such as configuring scan authentication on Web targets. Using Exploit Exposure on page 251: This section describes how the application integrates exploitability data for vulnerabilities. Performing configuration assessment on page 252: This section describes how you can use the application to verify compliance with configuration security standards such as USGCB and CIS. Scan templates on page 254: This section lists all built-in scan templates and their settings. It provides suggestions for when to use each template. Report templates and sections on page 272: This section lists all built-in report templates and the information that each contains. It also lists and describes report sections that make up document report templates and data fields that make up CSV export templates. This information is useful for configuring custom report templates. Glossary on page 290: This section lists and defines terms used and referenced in the application. Nexpose User’s Guide 247 the pattern requires special characters. also known as a “regex.” is a text string used for searching for a piece of information or a message that an application will display in a given situation. a. Regex notation patterns can include letters. and asterisks. but how to search for it. There is no match in the string an aperture because it does not contain the substring nap. and p occur together and in that exact sequence. Nexpose User’s Guide 248 . These patterns instruct a search application not only what string to search for. The asterisk is one example of how you can use a special character to modify a search. parentheses. see Configuring scans of Telnet servers on page 218 determining if a logon attempt to a Web server is successful. see How the file name search works with regex on page 249 searching for certain results of logon attempts to Telnet servers. The asterisk indicates 0 or more occurrences of the preceding character. question marks. In both cases the match is with the substring nap. the pattern nap matches character combinations in strings only when exactly the characters n. A search on this pattern would return matches with strings such as snap and synapse. You can create various types of search parameters using other single and combined special characters. numbers. see How to use regular expressions when logging on to a Web site on page 250 General notes about creating a regex A regex can be a simple pattern consisting of characters for which you want to find a direct match. such as one or more n's or white space. For example. plus signs. In the string cbbabbbbcdebc. and special characters. such as dots. the pattern matches the substring abbbbc.Using regular expressions A regular expression. Regular expressions are useful in configuring scan activities: • • • searching for file names on local drives. When a search requires a result other than a direct match. the pattern ab*c matches any character combination in which a single a is followed by 0 or more bs and then immediately followed by c. For example. Refer to the following examples to further understand how the search algorithm works with regular expressions. Note that the search matches are in bold typeface.doc results in no matches • the following search input.xls results in one match: C$/Documents and Settings/user/My Documents/patientData.*xls • the following search input. C$/Documents and Settings/user/My Documents/xls/patientData. If you don't include regex anchors. C$/Documents and Settings/user/My Documents/xls/patientData. C$/Documents and Settings/user/My Documents/patientData.xls results in one match: C$/Documents and Settings/user/My Documents/xls/patientData. Files and directories appear in the results table if they have any greedy matches against the search pattern.xls results in one match: C$/Documents and Settings/user/My Documents/xls/patientData.xls • the following search input. C$/Documents and Settings/user/My Documents/xls/patientData.doc results in no matches Nexpose User’s Guide 249 .xls results in one match: C$/Documents and Settings/user/My Documents/patientData. the search can result in multiple matches.*xls$: • the following search input. C$/Documents and Settings/user/My Documents/patientData. With search pattern .xls • the following search input.xls • • the following search input.xls • the following search input. C$/Documents and Settings/user/My Documents/patientData. C$/Documents and Settings/user/My Documents/patientData. such ^ and $.docresults in no matches the following search input. See Configuring file searches on target systems on page 219. C$/Documents and Settings/user/My Documents/xls/patientData.doc results in one match: C$/Documents and Settings/user/My Documents/xls/patientData.doc With search pattern^.How the file name search works with regex Nexpose searches for matching files by comparing the search string against the entire directory path and file name. it attempts to match the regex against the HTML page with the failure message. If there is a match. the Web server returns an HTML page that a user typically sees after a successful logon. the Web server returns an HTML page with a failure message. If there is no match. such as “Invalid password.” Configuring the application to log on to a Web application with an HTML form or HTTP headers involves specifying a regex for the failure message.How to use regular expressions when logging on to a Web site When Nexpose makes a successful attempt to log on to a Web application. During the logon process. the application recognizes that the attempt was successful and proceeds with the scan. If the logon attempt fails. It then displays a failure notification in the scan logs and in the Security Console Web interface. the application recognizes that the attempt failed. Nexpose User’s Guide 250 . the application indicates whether there is an associated exploit and the required skill level for that exploit. Managers also want metrics to help them determine whether or not security consultants and vulnerability management tools are good investments. Why exploit your own vulnerabilities? On a logistical level. if they refrain from taking action on reported vulnerabilities. If a Metasploit exploit is available. Also. and applications for penetration testing. exploits can provide critical access to operating systems. Also. they may expose the organization to serious breaches. False positives can cause them to allocate security resources where they are not needed. Verifying vulnerabilities through exploits helps you to focus remediation tasks on the most critical gaps in security. exploits can afford better visibility into network security.Using Exploit Exposure With Nexpose Exploit Exposure™. On the other hand. For each discovered vulnerability. eliminating any question of a false positive. the console displays the ™ icon and a link to a Metasploit module that provides detailed exploit information. System administrators who view vulnerability data for remediation purposes want to be able to verify vulnerabilities quickly. services. Exploits provide the fastest proof. you can now use the application to target specific vulnerabilities for exploits using the Metasploit exploit framework. Senior managers demand accurate security data that they can act on with confidence. Nexpose User’s Guide 251 . which has important implications for different stakeholders within your organization: • • • Penetration testers and security consultants use exploits as compelling proof that security flaws truly exist in a given environment. the data they collect during exploits can provide a great deal of insight into the seriousness of the vulnerabilities. and middleware and software applications.0 standards.S. Using the application. you can scan your assets as part of a configuration assessment audit.nist. go to fdcc. best-practice security configuration guidelines developed by the not-for-profit Center for Internet Security (CIS). with input and approval from the U.0 policies The United States Government Configuration Baseline (USGCB) is an initiative to create security configuration baselines for information technology products deployed across U. government. which it replaces as the configuration security mandate in the U. Whether you work for a United States government agency.S. your company may require that all of your workstations lock out users after a given number of incorrect logon attempts. the application includes USGCB 1. The benchmarks include technical control rules and values for hardening network devices.S. A license-enabled feature named Policy Manager provides compliance checks for several configuration standards: USGCB 2. For more information. government networks must conform to USGCB 2.S. For more information.gov. operating systems. go to usgcb. the security industry. policy scans are useful for gauging your security posture.0. The two versions are considered separate entities. They help to verify that your IT department is following secure configuration practices. Nexpose User’s Guide 252 .0 evolved from FDCC (see below). or a company with strict security rules.0 is not an “update” of 1. government agencies. Like vulnerability scans. For more information. They are widely held to be the configuration security standard for commercial businesses. government.gov.S. USGCB 1. USGCB 2. FDCC policies The Federal Desktop Core Configuration (FDCC) preceded USGCB as the U. For example.0 policies USGCB 2.cisecurity. Companies that do business with the federal government or have computers that connect to U. a company that does business with the federal government.gov. go to usgcb. go to www. government-mandated set of configuration standards. private-sector businesses. you may need to verify that your assets meet a specific set of configuration standards.0 checks in addition to those of the later version.nist.org.nist. and academia.Performing configuration assessment Performing regular audits of configuration settings on your assets may be mandated in your organization. For more information. CIS benchmarks These benchmarks are consensus-based. For that reason. the application provides built-in USGCB. Depending on your license. activating. See Viewing. go to the Rapid7 Community at https://community.com/docs/DOC-2061. where you can view results of policy scans. How do I view Policy Manager scan results? Go to the Policies page. and CIS templates. See Creating a custom policy on page 222. See the following sections for more information: • • Selecting the type of scanning you want to do on page 193 Selecting Policy Manager checks on page 206 How do I know if my license enables Policy Manager? To verify that your license enables Policy Manager and includes the specific checks that you want to run. or changing your license in the administrator’s guide. What platforms are supported by Policy Manager checks? For a complete list of platforms that are covered by Policy Manager checks. you can configure a custom scan template that includes vulnerability checks and Policy Manager policies or benchmarks. If you prefer to run a combined vulnerability/policy scan. Nexpose User’s Guide 253 . You can also override rule results. go the Licensing page on the Security Console Configuration panel. including those of individual rules that make up policies. Can I create custom checks based on Policy Manager manager checks? You can customize policy checks based on Policy Manager checks. FDCC. renewing. See Working with Policy Manager results on page 106.rapid7.How do I run configuration assessment scans? Configure a site with a scan template that includes Policy Manager checks. These templates do not include vulnerability checks. Scan templates This appendix lists all built-in scan templates available in Nexpose It provides descriptions, specifications, and suggestions for when to use each template. CIS template This template incorporates the Policy Manager scanning feature for verifying compliance with Center for Internet Security (CIS) benchmarks. The scan runs application-layer audits. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Nexpose User’s Guide 254 Denial of service template This basic audit of all network assets uses both safe and unsafe (denial-of-service) checks. This scan does not include in-depth patch/hotfix checking, policy compliance checking, or application-layer auditing. You can run a denial of service scan in a preproduction environment to test the resistance of assets to denial-of service conditions. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080 53, 67, 68, 69, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1900, 4500, 49152 Stealth scan (SYN) Well known numbers + 1-1040 Well-known numbers 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 None Local, patch, policy check types * Any value of lower than 5 ms disables manual settings, in which case, the application auto-adjusts the settings. ** The default value of 0 disables manual settings, in which case, the application auto-adjusts the settings. To enable manual settings, enter a value of 1 or greater. Nexpose User’s Guide 255 Discovery scan template This scan locates live assets on the network and identifies their host names and operating systems. This template does not include enumeration, policy, or vulnerability scanning. You can run a discovery scan to compile a complete list of all network assets. Afterward, you can target subsets of these assets for intensive vulnerability scans, such as with the Exhaustive scan template. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/N/N/N 10 Y 21, 22, 23, 25, 53, 80, 88, 110, 111, 113, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3306, 3389, 5900, 8080, 9100 53, 67, 68, 69, 111, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1701, 1900, 4500, 49152 Stealth scan (SYN) 21, 22, 23, 25, 80, 110, 113, 139, 143, 220, 264, 443, 445, 449, 524, 585, 993, 995, 1433, 1521, 1723, 8080, 9100 123, 161, 500 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 None None * Any value lower than 5 ms disables manual settings, in which case, the application auto-adjusts the settings. ** The default value of 0 disables manual settings, in which case, the application auto-adjusts the settings. To enable manual settings, enter a value of 1 or greater. Nexpose User’s Guide 256 Discovery scan (aggressive) template This fast, cursory scan locates live assets on high-speed networks and identifies their host names and operating systems. The system sends packets at a very high rate, which may trigger IPS/IDS sensors, SYN flood protection, and exhaust states on stateful firewalls. This template does not perform enumeration, policy, or vulnerability scanning. This template is identical in scope to the discovery scan, except that it uses more threads and is, therefore, much faster. The trade-off is that scans run with this template may not be as thorough as with the Discovery scan template. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/N/N/N 25 Y 21, 22, 23, 25, 53, 80, 88, 110, 111, 113, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3306, 3389, 5900, 8080, 9100 53, 67, 68, 69, 111, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1701, 1900, 4500, 49152 Stealth scan (SYN) 21,22,23,25,80,110,113,139,143,220,264,443,445,449,524,585,993,9 95,1433,1521,1723,8080,9100 123, 161, 500 6 500 ms 50 ms 1250 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 None None * Any value lower than 5 ms disables manual settings, in which case, the application auto-adjusts the settings. ** The default value of 0 disables manual settings, in which case, the application auto-adjusts the settings. To enable manual settings, enter a value of 1 or greater. Nexpose User’s Guide 257 Exhaustive template This thorough network scan of all systems and services uses only safe checks, including patch/hotfix inspections, policy compliance assessments, and application-layer auditing. This scan could take several hours, or even days, to complete, depending on the number of target assets. Scans run with this template are thorough, but slow. Use this template to run intensive scans targeting a low number of assets. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080 53, 67, 68, 69, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1900, 4500, 49152 The system determines optimal method All possible (1-65535) Well-known numbers 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 None None * Any value lower than 5 ms disables manual settings, in which case, the application auto-adjusts the settings. ** The default value of 0 disables manual settings, in which case, the application auto-adjusts the settings. To enable manual settings, enter a value of 1 or greater. Nexpose User’s Guide 258 FDCC template This template incorporates the Policy Manager scanning feature for verifying compliance with all Federal Desktop Core Configuration (FDCC) policies. The scan runs application-layer audits on all Windows XP and Windows Vista systems. Policy checks require authentication with administrative credentials on targets. Vulnerability checks are not included. Only default ports are scanned. If you work for a U.S. government organization or a vendor that serves the government, use this template to verify that your Windows Vista and XP systems comply with FDCC policies. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled Value Y/N/N/Y 10 Y 135,139, 445 None The system determines optimal method 135,139,445 None 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 0 0 None None * Any value lower than 5 ms disables manual settings, in which case, the application auto-adjusts the settings. ** The default value of 0 disables manual settings, in which case, the application auto-adjusts the settings. To enable manual settings, enter a value of 1 or greater. Nexpose User’s Guide 259 514. This template does not check for potential vulnerabilities. 135. which makes scans faster than with the Exhaustive scan. 162. Use it to run a fast. in which case. 995. 445. 139. 993.Full audit template This full network audit of all systems uses only safe checks. thorough vulnerability scan right “out of the box. 123. 68. patch/hotfix checking. 53. 4500. 631. 520. 143. 1434. The system scans only default ports and disables policy checking. in which case. Nexpose User’s Guide 260 . 8080 53. 137.” Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21. the application auto-adjusts the settings. 23. including network-based vulnerabilities. 49152 Stealth scan (SYN) Well known numbers + 1-1040 Well-known numbers 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 None Policy check type * Any value lower than 5 ms disables manual settings. the application auto-adjusts the settings. ** The default value of 0 disables manual settings. 1900. 110. and application-layer auditing. 161. 25. This is the default scan template. 3306. 139. 67. 69. 22. 1723. 443. 500. 111. 445. enter a value of 1 or greater. 80. 135. To enable manual settings. 138. Also. 5900. 3389. Nexpose User’s Guide 261 . enter a value of 1 or greater.143 4. 143.4500. 3306. To enable manual settings. or inadequate transmission security (encryption).161. 5900. 139.67. inadequate auditing. 25. 110.137. 3389. the application auto-adjusts the settings.135. as part of a HIPAA compliance program.139.HIPAA compliance template This template uses safe checks in this audit of compliance with HIPAA section 164. inadequate authentication. 22. 443.312 (“Technical Safeguards”). in which case. 995. 993. 135.520.123. the application auto-adjusts the settings.69. ** The default value of 0 disables manual settings. 8080 53.500.1900. in which case. loss of integrity.49152 Stealth scan (SYN) Well-known numbers + 1-1040 Well-known numbers 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 None None * Any value lower than 5 ms disables manual settings. 111.138.162. 80. Use this template to scan assets in a HIPAA-regulated environment.68. 1723. 23.445. 445. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21. 53. The scan will flag any conditions resulting in inadequate access control.514.631. Lotus Notes/Domino. To enable manual settings. mail (SMTP/POP/ IMAP/Lotus Notes). the application auto-adjusts the settings. and VPN. SSH. Telnet. This template does not include indepth patch/hotfix checking and policy compliance audits. in which case. database. ** The default value of 0 disables manual settings. Telnet. enter a value of 1 or greater. DNS. FTP. database. Use this template to scan assets in your DMZ. Web check categories None * Any value lower than 5 ms disables manual settings. the application auto-adjusts the settings. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled Value Y/Y/Y/Y 10 N None None Stealth scan (SYN) Well-known numbers None 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 0 10 DNS. Nexpose User’s Guide 262 . Mail. FTP. TFTP. VPN. such as Web.Internet DMZ audit template This penetration test covers all common Internet services. in which case. SSH. 443. 8080 53. 123. 49152 Stealth scan (SYN) 22. 4500. 80. 445. 22. 138. 993. 631. 135. in which case. 1723. 67. 1900. 110. 514. enter a value of 1 or greater. 69. 137. 23. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21. in which case. 520. 111. 162. 445. Nexpose User’s Guide 263 . 139. 139. 161. 68. 25. 995. 23 None 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 RPM check type None * Any value lower than 5 ms disables manual settings. 3389. the application auto-adjusts the settings. use administrative credentials. 5900. ** The default value of 0 disables manual settings. Use this template to scan assets running the Linux operating system. 3306. 1434. For best results. 135. the application auto-adjusts the settings. 143.Linux RPMs template This scan verifies proper installation of RPM patches on Linux systems. 500. 53. To enable manual settings. 137. Nexpose User’s Guide 264 . 443. 8080 53. 135. 993. 445. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21. Use this template to verify that assets running Windows have hotfix patches installed on them. To enable manual settings. 445. the application auto-adjusts the settings. 2433. 5900.Microsoft hotfix template This scan verifies proper installation of hotfixes and service packs on Microsoft Windows systems. 23. 111. 143. 53. 445. 139. 138. 500. 3389. 2433 None 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 Microsoft hotfix check type None * Any value lower than 5 ms disables manual settings. 22. 161. 139. 49152 Stealth scan (SYN) 135. 80. 139. 25. 1433. 67. 1723. 631. the application auto-adjusts the settings. 69. 514. 3306. in which case. use administrative credentials. enter a value of 1 or greater. 1900. 123. 995. 110. 162. 68. ** The default value of 0 disables manual settings. 135. 1434. in which case. 1433. For optimum success. 520. 4500. 110. 68. the application auto-adjusts the settings. in which case. Policy checks are not included. 23. 135. 1723. 25. 4500. 445. 995. 22. 123. 49152 Stealth scan (SYN) All possible (1-65535) Well-known numbers 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 10 None Policy check types * Any value lower than 5 ms disables manual settings. Nexpose User’s Guide 265 . 80. patch /hotfix verification. ** The default value of 0 disables manual settings. 993. the application auto-adjusts the settings. 143. enter a value of 1 or greater. 1434. 500. 443. including networkbased vulnerabilities. 8080 53.Payment Card Industry (PCI) audit template This audit of Payment Card Industry (PCI) compliance uses only safe checks. 5900. 69. 139. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21. and application-layer testing. 135. 445. All TCP ports and wellknown UDP ports are scanned. 631. in which case. 514. 137. 138. 3389. 1900. To enable manual settings. 161. 111. 53. 139. Use this template to scan assets as part of a PCI compliance program. 3306. 67. 520. 162. This template does not include in-depth patch/hotfix checking. 445. 443. Also. enter a value of 1 or greater. 135. 139. 1434.Penetration test template This in-depth scan of all systems uses only safe checks. Nexpose User’s Guide 266 . Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21. 25. the application auto-adjusts the settings. 143. 3306. 5900. 520. 123. 53. ** The default value of 0 disables manual settings. in which case. in which case. 4500. 110. 68. you may discover assets that are out of your initial scan scope. 631. 80. the application auto-adjusts the settings. 139. 445. 514. 137. 138. Host-discovery and network penetration features allow the system to dynamically detect assets that might not otherwise be detected. 8080 53. 500. running a scan with this template is helpful as a precursor to conducting formal penetration test procedures. 69. policy check types * Any value lower than 5 ms disables manual settings. 67. 23. With this template. policy compliance checking. 161. 995. 993. To enable manual settings. 3389. 135. 1723. 49152 The system determines optimal method Well known numbers + 1-1040 Well-known numbers 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 None Local. 162. or applicationlayer auditing. 22. 111. patch. 1900. 514. 143. 23. 49152 Stealth scan (SYN) Well known numbers + 1-1040 Well-known numbers 3 100 ms 100 ms 3000 ms 400 ms 1000 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay Maximum scan delay Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 None Local. Nexpose User’s Guide 267 . This template does not include indepth patch/hotfix checking. 135. 1723. 139. 25. ** The default value of 0 disables manual settings. patch. 111. in which case. in which case. 69. 631. 1900. 80. 162. 3306. enter a value of 1 or greater. 500. 137. 138. 445. 123. 993. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21. 68. 22. 161. or application-layer auditing. 520. To enable manual settings. the application auto-adjusts the settings. 1434. 53. 5900. 139. 445. 3389. 443. 4500. the application auto-adjusts the settings. policy compliance checking. 67. 135. 110. general scan of your network. 995. policy check types * Any value lower than 5 ms disables manual settings. 8080 53. This template is useful for a quick.Safe network audit template This non-intrusive scan of all network assets uses only safe checks. 1434. in which case. 161. the application auto-adjusts the settings. 67. 1900. Nexpose User’s Guide 268 . 3306. ** The default value of 0 disables manual settings. 443. 5900. in which case. 995. 139. the application auto-adjusts the settings. 123. 4500. 53. 68. as mandated in Section 302 (“Corporate Responsibility for Fiscal Reports”). 993. 445. It detects threats to digital data integrity. 135. 8080 53. accountability. data access auditing. 69. 445. 111. 162.Sarbanes-Oxley (SOX) compliance template This is a safe-check Sarbanes-Oxley (SOX) audit of all systems. 514. Section 404 (“Management Assessment of Internal Controls”). and availability. 49152 Stealth scan (SYN) Well known numbers +1-1040 Well-known numbers 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled 0 0 None None * Any value lower than 5 ms disables manual settings. and Section 409 (“Real Time Issuer Disclosures”) respectively. 631. 25. 23. 1723. 143. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery Value Y/Y/Y/Y 10 Y 21. enter a value of 1 or greater. 137. 22. 138. 110. 500. 520. 139. To enable manual settings. 3389. Use this template to scan assets as part of a SOX compliance program. 135. 80. Packet block delays have been increased. Nexpose User’s Guide 269 . network audit of sensitive Supervisory Control And Data Acquisition (SCADA) systems. ** The default value of 0 disables manual settings.SCADA audit template This is a “polite. using only safe checks. time between sent packets has been increased. the application auto-adjusts the settings. enter a value of 1 or greater. in which case. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay Maximum scan delay Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled Value Y/Y/Y/Y 5 Y None None Stealth scan (SYN) Well known numbers + 1-1040 Well-known numbers 4 5000 ms 1000 ms 5000 ms 1000 ms 2000 ms 0 0 0 0 None Policy check type * Any value lower than 5 ms disables manual settings. protocol handshaking has been disabled. and simultaneous network access to assets has been restricted. the application auto-adjusts the settings.” or less aggressive. in which case. Use this template to scan SCADA systems. To enable manual settings. Nexpose User’s Guide 270 . Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled Value N/N/N/Y 10 Y 135. 139. government organization or a vendor that serves the government. 445 None The system determines optimal method 135. in which case. 139. Policy checks require authentication with administrative credentials on targets. use this template to verify that your Windows 7 systems comply with USGCB policies. To enable manual settings. 45 None 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 0 0 None None * Any value lower than 5 ms disables manual settings. The scan runs applicationlayer audits on all Windows 7 systems. If you work for a U.S. enter a value of 1 or greater. ** The default value of 0 disables manual settings. in which case.USGCB template This template incorporates the Policy Manager scanning feature for verifying compliance with all United States Government Configuration Baseline (USGCB) policies. the application auto-adjusts the settings. Only default ports are scanned. Vulnerability checks are not included. the application auto-adjusts the settings. the application auto-adjusts the settings. mail servers. enter a value of 1 or greater. in which case. To enable manual settings. in which case. Use this template to scan public-facing Web assets. the application auto-adjusts the settings. Setting Asset/vulnerability/Web spidering/policy scan Maximum # scan threads ICMP (Ping hosts) TCP ports used for asset discovery UDP ports used for asset discovery TCP port scan method TCP ports to scan UDP ports to scan Maximum retries Initial timeout interval Minimum timeout interval Maximum timeout interval* Minimum scan delay** Maximum scan delay** Minimum rate of packets to send each second** Maximum rate of packets to send each second** Minimum simultaneous discovery requests** Maximum simultaneous discovery requests** Specific vulnerability check types or categories enabled (which disables all other checks) Specific vulnerability check types or categories disabled Value Y/Y/Y/Y 10 N None None Stealth scan (SYN) Well-known numbers None 3 100 ms 100 ms 3000 ms 0 ms 0 ms 0 0 0 10 Web category check None * Any value lower than 5 ms disables manual settings. as is the case with the DMZ Audit scan template. ASPs. The template does not include patch checking or policy compliance audits. ** The default value of 0 disables manual settings. including application servers. and CGI scripts. Nor does it scan FTP servers. Nexpose User’s Guide 271 . or database servers.Web audit template This audit of all Web servers and Web applications is suitable public-facing and internal assets. including those that appear in built-in report templates and those that you can include in a customized template. if you want a report that only lists all assets organized by risk level. create a template with the Discovered Vulnerabilities section. information in your reports as your needs dictate. This template would include only the Discovered System Information section. making it unnecessary to create a custom template. Or. if you want a report that only lists vulnerabilities. Configuring a document report template involves selecting the sections to be included in the template. This appendix includes the following information: • • • Built-in report templates and included sections on page 272 Document report sections on page 281 Export template attributes on page 287 Built-in report templates and included sections Creating custom document templates enables you to include as much.Report templates and sections Use this appendix to help you select the right built-in report template for your needs. which is helpful for creating custom templates. Built-in reports and sections are listed below: • • • • • • • • • • • • • • • • • • • Audit Report Baseline Comparison Executive Overview Highest Risk Vulnerabilities PCI Attestation of Compliance PCI Audit (legacy) PCI Executive Overview (legacy) PCI Executive Summary PCI Host Details PCI Vulnerability Details Policy Evaluation Remediation Plan Report Card SANS Top 20 Top 10 Assets by Vulnerability Risk Top 10 Assets by Vulnerabilities Top Remediations Top Remediations with Details Vulnerability Trends Nexpose User’s Guide 272 . You may find that a given built-in template contains all the sections that you require in a particular report. You can also learn about the individual sections or data fields that make up report templates. or as little. a custom report might be the best solution. Each report template in the following section lists all sections available for each of the document report templates. For example. You can use it to provide a detailed look at the state of security in your environment. including ports. * To gather this “deep” information the application must have logon credentials for the target assets. like security advisories general solution information Additionally. See PCI Audit (legacy) on page 276. the Audit Report template includes charts with general statistics on discovered vulnerabilities and severity levels. An Audit Report based on a non-credentialed scan will not include this information. and general security issues risk scores. • • • • • • • • • • • • • • The Audit Report template provides a great deal of granular information about discovered assets: host names and IP addresses discovered services. it must have policy testing enabled in the scan template configuration. protocols. The Audit report template includes the following sections: • • • • • • • • • • • Cover Page Discovered Databases Discovered Files and Directories Discovered Services Discovered System Information Discovered Users and Groups Discovered Vulnerabilities Executive Summary Policy Evaluation Spidered Web Site Structure Vulnerability Report Card by Node Nexpose User’s Guide 273 . Note that the Audit Report template is different from the PCI Audit template. the Audit is the most comprehensive in scope. Also. See Configuring scan credentials on page 42 and Testing the credentials on page 44.Audit Report Of all the built-in templates. depending on the scoring algorithm selected by the administrator users and asset groups associated with the assets discovered databases* discovered files and directories* results of policy evaluations performed* spidered Web sites* It also provides a great deal of vulnerability information: affected assets vulnerability descriptions severity levels references and links to important information sources. Being the first scan. Comparing current scan results to those of the first scan will help you determine how effective your remediation work has been. make sure that the compared scans occurred under identical conditions: • • • the same site was scanned the same scan template was used if the baseline scan was performed with credentials. such as the following: • • • • new assets and services assets or services that are no longer running since the last scan new vulnerabilities previously discovered vulnerabilities did not appear in the most current scan Trending information is useful in gauging the progress of remediation efforts or observing environmental changes over time. as in the following examples.Baseline Comparison You can use the Baseline Comparison to observe security-related trends or to assess the results of a scan as compared with the results of a previous scan that you are using as a baseline. It includes general summaries and charts of statistical data related to discovered vulnerabilities and assets. The Executive Overview template includes the following sections: • • • • Baseline Comparison Cover Page Executive Summary Risk Trends Nexpose User’s Guide 274 . The Baseline Comparison report template includes the following sections: • • Cover Page Executive Summary Executive Overview You can use the Executive Overview template to provide a high-level snapshot of security data. the recent scan was performed with the same credentials. Trending information indicates changes discovered during the scan. For trending to be accurate and meaningful. Note that the Executive Overview template is different from the PCI Executive Overview. You may use the last scan preceding the current one to verify whether a certain patch removed a vulnerability in that scan. it may have revealed a high number of vulnerabilities that you subsequently remediated. See PCI Executive Overview (legacy) on page 276. • • • You may use the first scan that you performed on a site as a baseline. You may use a scan that revealed an especially low number of vulnerabilities as a benchmark of good security “health”. which you can request from Technical Support. you must enter create appropriate settings in the oem. the form will be auto-populated with that information. The Scan Status section lists a high-level summary of the scan. It includes the attestation date. including whether the overall result is a Pass or Fail. 2010. See Including organization information in a site in the user's guide or Help.xml configuration file. QA-tested. and scan expiration date. The second statement is for the ASV to attest that the scan was properly conducted. Risk scores are based on the types and numbers of vulnerabilities on affected assets. This template is useful for targeting the biggest threats to security as priorities for remediation. and reviewed. Each vulnerability is listed with risk and CVSS scores. In the top right area is a form with auto-populated fields for the ASV’s information. The Highest Risk Vulnerabilities report template includes the following sections: • • • Cover Page Highest Risk Vulnerability Details Table of Contents PCI Attestation of Compliance This is one of three PCI-mandated report templates to be used by ASVs for PCI scans as of September 1. and an indicated area to fill in the customer’s name.Highest Risk Vulnerabilities The Highest Risk Vulnerabilities template lists the top 10 discovered vulnerabilities according to risk level. In this section. See The ASV guide. The PCI Attestation report template includes the following section: • Asset and Vulnerabilities Compliance Overview Nexpose User’s Guide 275 . The PCI Attestation of Compliance is a single page that serves as a cover sheet for the completed PCI report set. as well references and links to important information sources. which is the date after which the results are no longer valid. In the top left area of the page is a form for entering the customer’s contact information. Two separate statements appear at the bottom. the ASV must note the number of components left out of the scope of the scan. some statistics about what the scan found. The first is for the customer to attest that the scan was properly scoped and that the scan result only applies to external vulnerability scan requirement of PCI Data Security Standard (DSS). It includes the following auto-populated information: • • • • attestation date for scan customer ASV name* certificate number* ASV reviewer name* (the individual who conducted the scan and review process) To support auto-population of these fields*. If the ASV added scan customer organization information in the site configuration on which the scan data is based. the date the scan was completed. The Vulnerabilities Noted for each IP Address section includes a table listing each discovered vulnerability with a set of attributes including PCI severity. The Component Compliance Summary section lists each scanned IP address with a Pass or Fail result. 2010. If the ASV marked a vulnerability for exception in the application. the customer’s company name will be auto-populated. The PCI Audit (Legacy) report template includes the following sections: • • • • • • Cover Page Payment Card Industry (PCI) Scanned Hosts/Networks Payment Card Industry (PCI) Vulnerability Details Payment Card Industry (PCI) Vulnerability Synopsis Table of Contents Vulnerability Exceptions PCI Executive Overview (legacy) This is one of two reports no longer used by ASVs in PCI scans as of September 1. which lists the dates that the scan was completed and on which it expires. and whether the vulnerability passes or fails the scan. If the ASV added scan customer organization information in the site configuration on which the scan data is based. or Compensating Controls field in the PCI Executive Summary report is auto-populated with the user name of the individual who excluded a given vulnerability. This section includes the auto-populated ASV name and an area to fill in the customer’s company name. The assets are sorted by IP address. The Asset and Vulnerabilities Compliance Overview section includes charts that provide compliance statistics at a glance. 2010. False Positives. Note that the PCI Executive Overview template is different from the template PCI Executive Summary. It provides high-level scan information. See Including organization information in a site on page 41. See Audit Report on page 273. The PCI Executive Overview (Legacy) report template includes the following sections: • • • Cover Page Payment Card Industry (PCI) Executive Summary Table of Contents PCI Executive Summary This is one of three PCI-mandated report templates to be used by ASVs for PCI scans as of September 1. The PCI Executive Summary begins with a Scan Information section. Note that the PCI Audit template is different from the Audit Report template. ranking each discovered vulnerability according to its Common Vulnerability Scoring System (CVSS) ranking. 2010. the exception is indicated here. See PCI Executive Summary on page 276. It provides detailed scan results.PCI Audit (legacy) This is one of two reports no longer used by ASVs in PCI scans as of September 1. CVSS score. Nexpose User’s Guide 276 . The column labeled Exceptions. written according to PCIco (see the PCI ASV Program Guide v1. Vulnerabilities are grouped by severity level.2) information about the issue such as name or location of the affected software the customer’s declaration of secure implementation or description of action taken to either remove the software or secure it Any instance of remote access software or directory browsing is automatically noted. understand. The PCI Executive Overview report template includes the following sections: • • • • Payment Card Industry (PCI) Component Compliance Summary Payment Card Industry (PCI) Scan Information Payment Card Industry (PCI) Special Notes Payment Card Industry (PCI) Vulnerabilities Noted (sub-sectioned into High. This perspective allows a scanned merchant to consume. sorted scan information about each asset. and whether the vulnerability passes or fails the scan. and Small) PCI Host Details This template provides detailed. ASVs must disclose the presence of any software that may pose a risk due to insecure implementation. ASVs must add any information pertaining to point-of-sale terminals and absence of synchronization between load balancers. or host. CVSS score. which lists the dates that the scan was completed and on which it expires. The PCI Vulnerability Details report begins with a Scan Information section. ASVs must obtain and insert customer declarations or description of action taken for each special note before officially releasing the Attestation of Compliance.In the concluding section. and within grouping vulnerabilities are listed according to CVSS score. it may be helpful to note that a non-PCI-compliant asset may have a number of vulnerabilities specifically related to its operating system or a particular network communication service running on it. The PCI Vulnerability Details report template includes the following sections: • • • Nexpose User’s Guide Payment Card Industry (PCI) Scan Information Payment Card Industry (PCI) Vulnerability Details Table of Contents 277 . Special Notes. For example. PCI severity. rather than an exploitable vulnerability. 2010. including affected IP address. NOTE: The PCI Vulnerability Details report takes into account approved vulnerability exceptions to determine compliance status for each vulnerability instance. covered in a PCI scan. The Vulnerability Details section includes statistics and descriptions for each discovered vulnerability. Common Vulnerability Enumeration (CVE) identifier. and address all the PCIrelated issues on an asset-by-asset basis. This section includes the auto-populated ASV name and an area to fill in the customer's company name. The PCI Host Details report template includes the following sections: • • Payment Card Industry (PCI) Host Details Table of Contents PCI Vulnerability Details This is one of three PCI-mandated report templates to be used by ASVs for PCI scans as of September 1. The notes should include the following information: • • • • the IP address of the affected asset the note statement. Medium. vulnerabilities have been verified.Policy Evaluation The Policy Evaluation displays the results of policy evaluations performed during scans. Possible test results include the following: • • • not vulnerable not vulnerable version exploited For any vulnerability that has been excluded from reports. See Establishing scan credentials and Modifying and creating scan templates in the administrator's guide. such as acceptable risk. Note that this template provides a subset of the information in the Audit Report template. The application must have proper logon credentials in the site configuration and policy testing enabled in the scan template configuration. The Policy Evaluation report template includes the following sections: • • Cover Page Policy Evaluation Remediation Plan The Remediation Plan template provides detailed remediation instructions for each discovered vulnerability. Note that the report may provide solutions for a number of scenarios in addition to the one that specifically applies to the affected target asset. The Remediation Plan report template includes the following sections: • • • • Cover Page Discovered System Information Remediation Plan Risk Assessment Report Card The Report Card template is useful for finding out whether. The template also includes detailed information about each vulnerability. the test result will be the reason for the exclusion. The Report Card report template includes the following sections: • • • Cover Page Index of Vulnerabilities Vulnerability Report Card by Node Nexpose User’s Guide 278 . The template lists information about the test that Nexpose performed for each vulnerability on each asset. and how. The SANS Top 20 report template includes the following sections: • • • • • • Cover Page SANS Top 20 Device Listing SANS Top 20 Device Synopsis SANS Top 20 Executive Summary SANS Top 20 Vulnerability Details SANS Top 20 Vulnerability Synopsis Top 10 Assets by Vulnerability Risk NOTE: The Top 10 Assets by Vulnerability Risk and Top 10 Assets by Vulnerabilities report templates do not contain individual sections that can be applied to custom report templates. You can use this report to view the most vulnerable services to determine if services should be turned off to reduce risk. For more information about ranking see Viewing active vulnerabilities on page 84. Network.sans. the percentage of vulnerabilities with known exploits. This report is useful for prioritizing your remediation efforts by providing your remediation team with an overview of the assets in your environment that pose the greatest risk. Security (SANS) Institute (www. and the number of assets affected when the top remediation solutions are applied. Top Remediations The Prioritized Remediations template provides high-level information for assessing the highest impact remediation solutions. This report template is complete. The Prioritized Remediation Plan includes information in the following areas: • • • • • • the number of vulnerabilities that will be remediated. Audit. The Top 10 Assets by Vulnerability Risk lists the 10 assets with the highest risk scores. including vulnerabilities with no exploits or malware that will be remediated vulnerabilities and total risk score associated with the solution the number of targeted vulnerabilities that have known exploits associated with them the number of targeted vulnerabilities with available malware kits the number of assets to be addressed by remediation the amount of risk that will be reduced by the remediations Nexpose User’s Guide 279 . Top 10 Assets by Vulnerabilities The Top 10 Assets by Vulnerabilities report lists 10 the assets in your organization that have the most vulnerabilities. This template is useful for viewing serious security issues in your environment from the perspective of this widely recognized provider of information and security training. This report is also useful for prioritizing remediation efforts by listing the assets that have the most vulnerable services. the percentage of vulnerabilities with malware kits. The template includes the percentage of total vulnerabilities resolved. This report does not account for cumulative risk.org) as of the last update.SANS Top 20 The SANS Top 20 template lists discovered vulnerabilities that appear on the most recent list compiled and posted by the SysAdmin. it does not contain individual sections. how asset groups have been affected when compared to other asset groups. Nexpose User’s Guide 280 . You can configure the period of time for the report to see if you are improving your security posture and where you can make improvements. Each data point is the equivalent of a complete report. how assets have changed over time. The Prioritized Remediations with details includes the information from the Prioritized remediations template with information in the following areas: • • • remediation steps that need to be performed vulnerabilities and total risk score associated with the solution the assets that require the remediation steps Vulnerability Trends The Vulnerability Trends template provides information about how vulnerabilities in your environment have changed. and you will have eight data points in your report. It may take a long time to complete. The Vulnerability Trends template provides charts and details in the following areas: • • • • assets scanned and vulnerabilities severity levels trend by vulnerability age vulnerabilities with malware or exploits The Vulnerability Trends template helps you improve your remediation efforts by providing information about the number of assets included in a scan and if any have been excluded. and if there are new vulnerability definitions that have been added to the application. if your remediation efforts have succeeded. you can set your date range for a weekly interval for a two-month period. For example. To manage the readability and size of the report. when you configure the date range there is a limit of 15 data points that can be included on a chart. NOTE: Ensure you schedule adequate time to run this report template because of the large amount of data that it aggregates. The Vulnerability Trends template differs from the vulnerability trend section in the Baseline report by providing information for more in-depth analysis regarding your security posture and remediation efforts provides. The template includes the percentage of total vulnerabilities resolved and the number of assets affected when remediation solutions are applied. and how effective your asset scanning process is. if vulnerability exceptions have been applied or expired.Top Remediations with Details The Prioritized Remediations with details template provides expanded information for assessing remediation solutions and implementation steps. This means that specific vulnerabilities can be included or excluded in these sections based on the report Scope configuration. sections with filtered vulnerabilities will be so identified. The document report sections are listed below: • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • Asset and Vulnerabilities Compliance Overview Baseline Comparison Cover Page Discovered Databases Discovered Files and Directories Discovered Services Discovered System Information Discovered Users and Groups Discovered Vulnerabilities Executive Summary Highest Risk Vulnerability Details Index of Vulnerabilities Payment Card Industry (PCI) Component Compliance Summary Payment Card Industry (PCI) Executive Summary Payment Card Industry (PCI) Host Details Payment Card Industry (PCI) Scan Information Payment Card Industry (PCI) Scanned Hosts/Networks Payment Card Industry (PCI) Special Notes Payment Card Industry (PCI) Vulnerabilities Noted for each IP Address Payment Card Industry (PCI) Vulnerability Details Payment Card Industry (PCI) Vulnerability Synopsis Policy Evaluation Remediation Plan Risk Assessment Risk Trend SANS Top 20 Device Listing SANS TOP 20 Device Synopsis SANS TOP 20 Executive Summary SANS TOP 20 Vulnerability Details SANS Top 20 Vulnerability Synopsis Scanned Hosts and Networks Table of Contents Trend Analysis Vulnerabilities by IP Address and PCI Severity Level Vulnerability Details Vulnerability Exceptions Vulnerability Report Card by Node Vulnerability Report Card Across Network Vulnerability Test Errors Nexpose User’s Guide 281 . Document report templates that do not contain any of these sections do not contain filtered vulnerability data.Document report sections Some of the following documents report sections can have vulnerability filters applied to them. When the report is generated. the scan on which the report is based must meet the following conditions: • • database server scanning must be enabled in the scan template the application must have correct database server logon credentials Discovered Files and Directories This section lists files and directories discovered on scanned assets. For information to appear in this section. Baseline Comparison This section appears when you select the Baseline Report template. Nexpose User’s Guide 282 . Discovered Databases This section lists all databases discovered through a scan of database servers on the network. and the date that the report was generated. the scan on which the report is based must meet the following conditions: • • file searching must be enabled in the scan template the application must have correct logon credentials See Configuring scan credentials on page 42 for information on configuring these settings. the date of the scan. For information to appear in this section. Cover Page The Cover Page includes the name of the site. Other display options include a customized title and company logo.Asset and Vulnerabilities Compliance Overview This section includes charts that provide compliance statistics at a glance. enumerating the following changes: • • • • • • discovered assets that did not appear in the baseline scan assets that were discovered in the baseline scan but not in the most recent scan discovered services that did not appear the baseline scan services that were discovered in the baseline scan but not in the most recent scan discovered vulnerabilities that did not appear in the baseline scan vulnerabilities that were discovered in the baseline scan but not in the most recent scan Additionally. For example. this section appears with the heading Trend Analysis. this section provides suggestions as to why changes in data may have occurred between the two scans. In generated reports. It provides a comparison of data between the most recent scan and the baseline. newly discovered vulnerabilities may be attributable to the installation of vulnerable software that occurred after the baseline scan. the IP addresses of the assets running each service. Vulnerability filters can be applied. If you selected a High level of technical detail. Each vulnerability is classified by severity. This section does not distinguish between potential and confirmed vulnerabilities. Vulnerability filters can be applied. It also lists the Common Vulnerabilities and Exposures (CVE) identifier for each vulnerability that has an available CVE identifier. Vulnerability filters can be applied. as well as remediation options. Discovered Users and Groups This section provides information about all users and groups discovered on each node during the scan. Discovered System Information This section lists the IP addresses. operating systems. Discovered Vulnerabilities This section lists all vulnerabilities discovered during the scan and identifies the affected assets and ports. and risk scores for scanned assets. If you selected a Medium technical detail level for your report template. NOTE: In generated reports. the application provides a basic description of each vulnerability and a list of related reference documentation. The section also provides references for obtaining more information about each vulnerability. including numbers and types of network vulnerabilities. the Discovered Vulnerabilities section appears with the heading Discovered and Potential Vulnerabilities. and their Common Vulnerability Scoring System (CVSS) Version 2 scores. Executive Summary This section provides statistics and a high-level summation of the scan data. and the number of vulnerabilities discovered on each asset. it adds a narrative of how it found the vulnerability to the description. Index of Vulnerabilities This section includes the following information about each discovered vulnerability: • • • • • • severity level Common Vulnerability Scoring System (CVSS) Version 2 rating category URLs for reference description solution steps In generated reports. Nexpose User’s Guide 283 . Highest Risk Vulnerability Details This section lists highest risk vulnerabilities and includes their categories. Use this section to help you understand and fix vulnerabilities.Discovered Services This section lists all services running on the network. this section appears with the heading Vulnerability Details. risk scores. alias names. Payment Card Industry (PCI) Scanned Hosts/Networks This section lists the range of scanned assets.Payment Card Industry (PCI) Component Compliance Summary This section lists each scanned IP address with a Pass or Fail result. For more information. If the ASV marked a vulnerability for exception. PCI compliance status. The customer's name must be entered manually. it will contain the ASV’s name. Payment Card Industry (PCI) Special Notes In this PCI report section.2) the type of special note.xml file to auto-populate the name field. Payment Card Industry (PCI) Host Details This section lists information about each scanned asset. and whether the vulnerability passes or fails the scan. the exception is indicated here. see the ASV guide. The assets are sorted by IP address. which you can request from Technical Support. and granular vulnerability information tailored for PCI scans. which is the last day that the scan results are valid from a PCI perspective. Otherwise. CVSS score. ASVs manually enter the notes about any scanned software that may pose a risk due to insecure implementation. It also lists each scanned asset and indicates whether that asset passes or fails to comply with the standards. The column labeled Exceptions. which is one of four types specified by PCIco (see the PCI ASV Program Guide v1. NOTE: Any instance of remote access software or directory browsing is automatically noted. the ASV’s name must be entered manually as well. False Positives. written according to PCIco (see the PCI ASV Program Guide v1. names. This section also includes the date the scan was completed and the scan expiration date. Payment Card Industry (PCI) Scan Information This section includes name fields for the scan customer and approved scan vendor (ASV). If the ASV has configured the oem. including its hosted operating system. rather than an exploitable vulnerability. Nexpose User’s Guide 284 .2) the scan customer’s declaration of secure implementation or description of action taken to either remove the software or secure it Payment Card Industry (PCI) Vulnerabilities Noted for each IP Address This section includes a table listing each discovered vulnerability with a set of attributes including PCI severity. Payment Card Industry (PCI) Executive Summary This section includes a statement as to whether a set of assets collectively passes or fails to comply with PCI security standards. or Compensating Controls field in the PCI Executive Summary report is auto-populated with the user name of the individual who excluded a given vulnerability. The notes should include the following information: • • • • the IP address of the affected asset the note statement. file ACLs. A score of 4. Vulnerability filters can be applied.NOTE: The PCI Vulnerability Details report takes into account approved vulnerability exceptions to determine compliance status for each vulnerability instance. Nexpose User’s Guide 285 .html. Payment Card Industry (PCI) Vulnerability Synopsis This section lists vulnerabilities by categories. or you can select all assets in your report scope. SANS TOP 20 Device Synopsis This section includes a matrix of network assets and the number of discovered vulnerabilities discovered in each SANS category from the current SANS Top 20 list. according to the CVSS v2 metrics. The database of vulnerabilities feeds the Remediation Plan section with information about patches and fixes. registry ACLs. Possible scores range from 1. It quantifies the vulnerability according to its severity level and its Common Vulnerability Scoring System (CVSS) Version 2 rating. and other remediation measures. such as whether Microsoft security templates are in effect on scanned systems. including Web links for downloading them. Remediation Plan This section consolidates information about all vulnerabilities and provides a plan for remediation. with some exceptions. An asset’s confirmed and unconfirmed vulnerabilities affect its risk score. the database provides a time estimate.org/cvss/cvss-guide. Risk Trend This section enables you to create graphs illustrating risk trends in reports in your Executive Summary. registry settings. assets. and account privileges. patches.0. Use this section to research fixes. work-arounds. this section appears with the heading Device Details. Section contents include system settings. group membership. Risk Assessment This section ranks each node (asset) by its risk index score.first. SANS Top 20 Device Listing This section includes detailed network information about each scanned asset and lists its vulnerabilities that appear on the current SANS Top 20 vulnerabilities list. This latter number is used to determine whether the vulnerable assets in question comply with PCI security standards.0 to 10. Payment Card Industry (PCI) Vulnerability Details This section contains in-depth information about each vulnerability included in a PCI Audit report. For more information about CVSS scoring or go to the FIRST Web site at http://www. such as types of client applications and server-side software. Policy Evaluation This sections lists the results of any policy evaluations. For each remediation. The reports can include your five highest risk sites.0 or higher indicates failure to comply. In generated reports. which indicates the risk that asset poses to network security. asset groups. They may be excluded for certain reasons. but the exclusions must be noted. Use this section to gauge progress in reducing vulnerabilities improving network's security. summarizing the incidence of SANS Top 20 discovered vulnerabilities on scanned assets that appear on the current SANS Top 20 list. the affected assets. and remediation steps. Common Vulnerability Enumeration (CVE) identifier. The section also includes remediation information. Vulnerability Details The Vulnerability Details section includes statistics and descriptions for each discovered vulnerability. such as types of client applications.SANS TOP 20 Executive Summary This section includes high-level network information. and whether the vulnerability passes or fails the scan. CVSS score. You may not wish to see certain vulnerabilities listed with others. It compares the vulnerabilities discovered in a scan against those discovered in a baseline scan. A typical example is the PCI Audit report. Trend Analysis This section appears when you select the Baseline report template. but business policies may dictate that you list excluded vulnerabilities if only to indicate that they were excluded. PCI severity. and within grouping vulnerabilities are listed according to CVSS score. Vulnerability Exceptions This section lists each vulnerability that has been excluded from report and the reason for each exclusion. server-side software. Table of Contents This section lists the contents of the report. including affected IP address. indicating whether it has passed or failed in terms of meeting PCI compliance criteria. which appears in PCI Audit reports. lists each vulnerability. SANS TOP 20 Vulnerability Details This section includes exhaustive information about each discovered SANS Top 20 vulnerability that appears on the current SANS Top 20 list. sorted by various criteria. Vulnerabilities of a certain severity level may result in an audit failure. Vulnerabilities by IP Address and PCI Severity Level This section. Vulnerabilities are grouped by severity level. Nexpose User’s Guide 286 . and other categories. If the IP addresses are consecutive. the console displays the list as a range. SANS Top 20 Vulnerability Synopsis This section includes a list of all discovered SANS Top 20 vulnerabilities that appear on the current SANS Top 20 list. such as those to be targeted for remediation. The section also includes. Scanned Hosts and Networks This section lists the assets that were scanned. The following table lists the name and description of each attribute that you can include. Example: 00:50:56:39:06:F5. which means the check was enabled. which is the specific risk score associated with the vulnerability. This is the fingerprinted version number of the scanned asset’s operating system. Vulnerability Report Card Across Network This section lists all tested vulnerabilities. Export template attributes When creating a custom export template. Windows This is the fingerprinted operating system of the scanned asset. Note that this is different from the vulnerability risk score. In the case of multi-homed assets. This is the overall risk score of the scanned asset when the vulnerability test was run. you can select from a full set of vulnerability data attributes. Examples: Linux. Use this section as an overview of the network's susceptibility to each vulnerability. asset names may be referred to as aliases. Vulnerability filters can be applied.Do not confuse an excluded vulnerability with a disabled vulnerability check. 00:50:56:39:06:F6 These are the host names of the scanned asset. and indicates how each node (asset) in the network responded when the application attempted to confirm a vulnerability on it. Only the operating system with the highest-certainty fingerprint is listed. Use this section to assess the vulnerability of each asset. These are the MAC addresses of the scanned asset. This is the set of alternate IPv6 addresses of the scanned asset. Asset Names Asset OS Family Asset OS Name Asset OS Version Asset Risk Score (Sheet 1 of 3) Nexpose User’s Guide 287 . This is the IP address of the scanned asset. Only the family with the highest-certainty fingerprint is listed. Vulnerability filters can be applied. This is the fingerprinted operating system family of the scanned asset. On the Assets page. multiple MAC addresses are separated by commas. Use this section to anticipate or prevent system errors and to validate that scan parameters are set properly. Export template attributes Attribute name Asset Alternate IPv4 Addresses Asset Alternate IPv6 Addresses Asset IP Address Asset MAC Addresses Description This is the set of alternate IPv4 addresses of the scanned asset. Vulnerability Report Card by Node This section lists the results of vulnerability tests for each node (asset) in the network. Vulnerability filters can be applied. Vulnerability filters can be applied. An excluded vulnerability has been discovered by the application. Vulnerability Test Errors This section displays vulnerabilities that were not confirmed due to unexpected failures. Only the version with the highest-certainty fingerprint is listed. 0 specification. the value is Pass. this column is blank. Different assets within the same site may point to different scan IDs as of individual asset scans (as opposed to site scans). SSH In the case of operating system checks. labeled as URL. It may or may not be the template used for the scan during which the vulnerability was discovered. This is the name of the scan template currently applied to the scanned asset’s site. since a user could have changed the template since the scan was last run. all HTTP-related vulnerabilities are mapped to the port on which the Web server was found. each value is separated by a comma and space. You may need to expand the column in the spreadsheet program for better reading. the 10 most recent IDs are listed. each value is separated by a comma and space. This is the network protocol of the scanned port. UDP This is the site importance according to the current site configuration at the time of the CSV export. Examples: TCP. These are the Common Vulnerabilities and Exposure (CVE) IDs associated with the vulnerability. This is useful information about the vulnerability as displayed in the vulnerability details page. If an asset is found to be vulnerable. For example. the PCI severity level is not calculated. This is the name of the site to which the scanned asset belongs.0 specification. For multiple values. This is the fingerprinted product that was running the scanned service on the port where the vulnerability was found. It is the last scan during which the asset was scanned. CIFS. This is the port on which the vulnerability was found. This is the PCI status if the asset is found to be vulnerable. In the case of operating system checks. Examples: HTTP. Multiple kits are separated by commas. There are the URLs that provide information about the vulnerability in addition to those cited as Vulnerability Reference URLs. and the value is Not Applicable. Scan Template Service Name Service Port Service Product Service Protocol Site Importance Site Name Vulnerability Additional URLs Vulnerability Age Vulnerability CVE IDs Vulnerability CVE URLs Vulnerability CVSS Score Vulnerability CVSS Vector Vulnerability Description Vulnerability ID Vulnerability PCI Compliance Status (Sheet 2 of 3) Nexpose User’s Guide 288 . and the value is either Pass or Fail. They appear in References table of vulnerability details page. the PCI severity is calculated. This is the vulnerability’s Common Vulnerability Scoring System (CVSS) score according to CVSS 2. This is the unique identifier for the vulnerability as assigned by Nexpose. This is the vulnerability’s Common Vulnerability Scoring System (CVSS) vector according to CVSS 2. In the case of operating system checks. For multiple values. the service name is listed as System. These are the URLs for all exploits as published by Metasploit or the Exploit Database. the port number is 0. This is the URL of the CVE’s entry in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). These are the malware kits associated with the vulnerability. Multiple URLs are separated by commas. This value can include line breaks and appears in double quotation marks. This is the minimum skill level required to exploit the vulnerability. This is the fingerprinted service type of the port on which the vulnerability was tested. Descriptions can include a substantial amount of text. If an asset is not found to be vulnerable. This is the ID for the scan during which the vulnerability test was performed as displayed in a site’s scan history. If the vulnerability instance on the asset is excluded. This is the number of days since the vulnerability was first discovered on the scanned asset.Export template attributes (Continued) Attribute name Exploit Count Exploit Minimum Skill Exploit URLs Malware Kit Names Malware Kit Count Scan ID Description This is the number of exploits associated with the vulnerability. See Starting a static site configuration on page 28. If the vulnerability has multiple CVE IDs. This is the number of malware kits associated with the vulnerability. Security (SANS) Institute. It is the same as the last date that asset was scanned.cert. Example: BID:4241.Export template attributes (Continued) Attribute name Vulnerability Proof Description This is the method used to prove that the vulnerability exists or doesn’t exist as reported by Scan Engine. Scores range from 1 to 10 and map to severity rankings in the Vulnerability Listing table of the Vulnerabilities page: 1-3=Moderate. typically assigned by vendors such as Microsoft. These appear in the References table of the vulnerability details page. http://secunia. This value can include line breaks and appears in double quotation marks. REDHAT:RHSA-2002:043. SANS-02:U3. MANDRAKE:MDKSA2002:019. This value can include line breaks and appears in double quotation marks. which is the overall risk score of the asset. OSVDB:730.org/security/DSA-/DSA-1571. Multiple values separated by commas. Solutions can include a substantial amount of text. The format of this attribute is Source:Identifier.html. NETBSD:NetBSD-SA2002-004. Format: mm/dd/YYYY This is the result code for the vulnerability test. XF:openssh-channelerror(8383) These are reference URLs for information about the vulnerability.0. CONECTIVA:CLA-2002:467. Computer Emergency Readiness Team (CERT). http://www. and Redhat or security groups such as Secunia. Currently. Note that this is different from the asset risk score. 4-7=Severe.kb. These are tags assigned by Nexposefor the vulnerability. This is the name of the vulnerability. CALDERA:CSSA-2002-012. http://secunia.com/bid/29179. This is the vulnerability’s numeric severity level assigned by Nexpose. http://www. They appear in the References table of the vulnerability details page. You may need to expand the column in the spreadsheet program for better reading. Apple. DEBIAN:DSA-119. a solution is exported even if the vulnerability test result was negative. and 8-10=Critical. Vulnerability Published Date Vulnerability Reference IDs Vulnerability Reference URLs Vulnerability Risk Score Vulnerable Since Vulnerability Solution Vulnerability Tags Vulnerability Test Result Description Vulnerability Test Date This is the date when the vulnerability test was run. Example: http://www. and SecurityFocus. This is the word or phrase describing the vulnerability test result. Vulnerability Test Result Code Vulnerability Severity Level Vulnerability Title (Sheet 3 of 3) Nexpose User’s Guide 289 .com/advisories/30136/. SysAdmin.org/advisories/TA08-137A.debian. This is the date when the vulnerability was first discovered on the scanned asset. http:// www. Proofs can include a substantial amount of text. Network.com/advisories/30220/ This is the risk score assigned to the vulnerability.cert. This is not the PCI severity level. This is the date when information about the vulnerability was first released. This is the solution for remediating the vulnerability. These are reference identifiers of the vulnerability. Multiple values are separated by commas and spaces. Audit.securityfocus.org/security/ DSA-/DSA-1576. You may need to expand the column in the spreadsheet program for better reading.debian.org/vuls/id/925211. See Vulnerability result codes on page 177. See Vulnerability result codes on page 177. http://www. See Node on page 295. and create and run reports in accessible sites and asset groups. each with its own included operations: API v1. so it can be listed in sites and asset groups.Glossary For more detailed information on any term in this glossary. Asset An asset is a single device on a network that the application discovers during a scan. Asset Owner Asset Owner is one of the preset roles. An asset group is not a site. By default the application authenticates users with an internal process. which you can download from the Support page of Help. Authentication Authentication is the process of a security application verifying the logon credentials of a client or user that is attempting to gain access. see the API documentation.1 and Extended API v1. an asset may also be referred to as a device. Appliance An Appliance is a set of Nexpose components shipped as a dedicated hardware/software unit.2. See Managed asset on page 295 and Unmanaged asset on page 300. API (application programming interface) An API is a function that a developer can integrate with another software application by using program calls. Asset search filter An asset search filter is a set of criteria with which a user can refine a search for assets to include in a dynamic asset group. run manual scans. search for the term in Help. See Site on page 299. A user with this role can view data about discovered assets. An asset search filter is different from a vAsset discovery filter on page 301. An asset group is either static or dynamic. An asset group may contain assets that belong to multiple sites or other asset groups. In this regard. To learn about each API. Appliance configurations include a Security Console/Scan Engine combination and an Scan Engine-only version. it differs from a node. and Static asset group on page 300. but you can configure it to authenticate users with an external LDAP or Kerberos source. An asset’s data has been integrated into the scan database. Nexpose User’s Guide 290 . In the Web interface and API. Asset group An asset group is a logical collection of managed assets to which specific members have access for creating or viewing reports or tracking remediation tickets. Dynamic asset group on page 293. The term API also refers to one of two sets of XML APIs. The check type setting is used in scan template configurations to refine the scope of a scan. Nexpose User’s Guide 291 . Check type A check type is a specific kind of check to be run during a scan. For example. the Policy check type is used for verifying compliance with policies. and other criteria. It is based on a calculation of your risk scores on assets over a report date range. a benchmark is a combination of policies that share the same source data. Category In the context of scanning for FDCC policy compliance. and middleware and software applications.Average risk Average risk is a setting in risk trend report configuration. CIS serves a leadership role in the shaping of key security policies and decisions at the national and international levels. purpose. and United States Government Configuration Baseline (USGCB) on page 300. Center for Internet Security (CIS) Center for Internet Security (CIS) is a not-for-profit organization that improves global security posture by providing a valued and trusted environment for bridging the public and private sectors. See Policy Manager on page 296. Each policy in the Policy Manager contains some or all of the rules that are contained within its respective benchmark. Some assets have higher risk scores than others. Federal Desktop Core Configuration (FDCC) on page 294. To access the command console page. Breadth Breadth refers to the total number of assets within the scope of a scan. average risk gives you an overview of how vulnerable your assets might be to exploits whether it’s high or low or unchanged. Command console The command console is a page in the Security Console Web interface for entering commands to run certain operations. Benchmark In the context of scanning for FDCC policy compliance. operating systems. click the Run console commands link next to the Troubleshooting item on the Administration page. See Policy Manager on page 296. Performing these checks requires a license that enables the Policy Manager feature and CIS scanning. See Federal Desktop Core Configuration (FDCC) on page 294 and United States Government Configuration Baseline (USGCB) on page 300. Examples: The Unsafe check type includes aggressive vulnerability testing methods that could result in Denial of Service on target assets. When you use this tool. The Policy Manager provides checks for compliance with CIS benchmarks including technical control rules and values for hardening network devices. a category is a grouping of policies in the Policy Manager configuration for a scan template. Calculating the average score provides a high-level view of how vulnerable your assets might be to exploits. A policy’s category is based on its source. you can see real-time diagnostics and a behind-the-scenes view of Security Console activity. The application tests assets for compliance with a number of different security standards. in which the application finds potential scan targets on a network. Coverage Coverage indicates the scope of vulnerability checks. Nexpose User’s Guide 292 . Depth Depth indicates how thorough or comprehensive a scan will be. A coverage improvement listed on the News page for a release indicates that vulnerability checks have been added or existing checks have been improved for accuracy or other criteria. Discovery (scan phase) Discovery is the first phase of a scan. CVSS is implemented as part of its compliance with SCAP criteria for an Unauthenticated Scanner product. such as those mandated by the Payment Card Industry (PCI) and those defined by the National Institute of Standards and Technology (NIST) for Federal Desktop Core Configuration (FDCC). Common Vulnerability Scoring System (CVSS) Common Vulnerability Scoring System (CVSS) is an open framework for calculating vulnerability risk scores. CCE is implemented as part of its compliance with SCAP criteria for an Unauthenticated Scanner product. This is a site configuration setting. Continuous scan A continuous scan starts over from the beginning if it completes its coverage of site assets within its scheduled window. Compliance Compliance is the condition of meeting standards specified by a government or respected industry entity. Common Vulnerabilities and Exposures (CVE) The Common Vulnerabilities and Exposures (CVE) standard prescribes how the application should identify vulnerabilities. Common Platform Enumeration (CPE) Common Platform Enumeration (CPE) is a method for identifying operating systems and software applications.Common Configuration Enumeration (CCE) Common Configuration Enumeration (CCE) is a standard for assigning unique identifiers known as CCEs to configuration controls to allow consistent identification of these controls in different environments. Its naming scheme is based on the generic syntax for Uniform Resource Identifiers (URI). Depth refers to level to which the application will probe an individual asset for system information and vulnerabilities. making it easier for security products to exchange vulnerability data. CCE is implemented as part of its compliance with SCAP criteria for an Unauthenticated Scanner product. Discovery as a scan phase is different from vAsset discovery on page 301. CVE is implemented as part of its compliance with SCAP criteria for an Unauthenticated Scanner product. especially one that makes an asset susceptible to attack via malware or a known exploit. such as executives or security team members tasked with performing remediation. RTF. A Scan Engine pool is a group of shared Scan Engines that can be bound to a site so that the load is distributed evenly across the shared Scan Engines. and vAsset discovery on page 301. You define these criteria with asset search filters. and HTML— are convenient for sharing information to be read by stakeholders in your organization. Nexpose User’s Guide 293 . Penetration testers use benign exploits only to verify that vulnerabilities exist. See Static site on page 300. Dynamic site A dynamic site is a collection of assets that are targeted for scanning and that have been discovered through vAsset discovery. Exposure An exposure is a vulnerability. Database Export. The list of assets in a dynamic group is subject to change with every scan or when vulnerability exceptions are created. The Metasploit product is a tool for performing benign exploits. Asset membership in a dynamic site is subject to change if the discovery connection changes or if filter criteria for asset discovery change. a dynamic asset group differs from a static asset group. such as IP address range or operating systems. Malicious exploits can result in system disruptions or theft of data. The formats available for this type include various XML formats. In this regard. or vulnerability. Some of the formats available for this template type—Text.Document report template Document templates are designed for human-readable reports that contain asset and vulnerability information. See Asset group on page 290 and Static asset group on page 300. You can configure scan pools using the Extended API v1. Site on page 299. Dynamic asset group A dynamic asset group contains scanned assets that meet a specific set of search criteria. See Metasploit on page 295 and Published exploit on page 297. and CSV. Dynamic Scan Pool The Dynamic Scan Pool feature allows you to use Scan Engine pools to enhance the consistency of your scan coverage. PDF.2. Exploit An exploit is an attempt to penetrate a network or gain access to a computer through a security flaw. Export report template Export templates are designed for integrating scan information into external systems. and compliance scoring. A false negative is an instance in which the application fails to flag a vulnerability that does exist.” Policy Manager checks for FDCC policy compliance are written in this format. False positive A false positive is an instance in which the application flags a vulnerability that doesn’t exist. The term node has a different context in the application. Performing these checks requires a license that enables the Policy Manager feature and FDCC scanning. gain unauthorized access to resources. Low latency means short delays. Fingerprinting Fingerprinting is a method of identifying the operating system of a scan target or detecting a specific version of an application. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. a host may also be referred to as a node. A user with this role can perform all operations that are available in the application and they have access to all sites and asset groups.Extensible Configuration Checklist Description Format (XCCDF) As defined by the National Institute of Standards and Technology (NIST). automated compliance testing. See Node on page 295. The specification is designed to support information interchange. Nexpose User’s Guide 294 . In a high-availability virtual environment. Host A host is a physical or virtual server that provides computing resources to a guest virtual machine. Federal Desktop Core Configuration (FDCC) The Federal Desktop Core Configuration (FDCC) is a grouping of configuration security settings recommended by the National Institute of Standards and Technology (NIST) for computers that are connected directly to the network of a United States government agency. Latency Latency is the delay interval between the time when a computer sends data over a network and another computer receives it. or perform other similar types of abuse. benchmarks. The application can determine if a vulnerability renders an asset susceptible to malware attacks. steal or compromise data. and related documents. The Policy Manager provides checks for compliance with these policies in scan templates. Global Administrator Global Administrator is one of the preset roles. organizational and situational tailoring. Extensible Configuration Checklist Description Format (XCCDF) “is a specification language for writing security checklists. document generation. Malware Malware is software designed to disrupt or deny a target systems’s operation. Open Vulnerability and Assessment Language (OVAL) Open Vulnerability and Assessment Language (OVAL) is a development standard for gathering and sharing security-related data. See Asset on page 290. A number of MITRE standards are implemented. Only managed assets can be checked for vulnerabilities and tracked over time. such as FDCC policy checks. according to your license. the device is regarded as an asset that can be listed in sites and asset groups. either automatically or manually. MITRE The MITRE Corporation is a body that defines standards for enumerating security-related concepts and languages for security development initiatives.Malware kit Also known as an exploit kit. Examples of MITRE-defined languages include Open Vulnerability and Assessment Language (OVAL). it counts against the maximum number of assets that can be scanned. Managed asset A managed asset is a network device that has been discovered during a scan and added to a site’s target list. Nexpose User’s Guide 295 . National Institute of Standards and Technology (NIST) National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U. Node A node is a device on a network that the application discovers during a scan. Manual scan A manual scan is one that you start at any time. Synonyms include ad-hoc scan and unscheduled scan. Examples of MITRE-defined enumerations include Common Configuration Enumeration (CCE) and Common Vulnerability Enumeration (CVE). each OVAL file that the application imports during configuration policy checks is available for download from the SCAP page in the Security Console Web interface.S. In compliance with an FDCC requirement. The agency mandates and manages a number of security initiatives. See Security Content Automation Protocol (SCAP) on page 299. Once an asset becomes a managed asset. See Exploit on page 293. including Security Content Automation Protocol (SCAP). Metasploit Metasploit is a product that performs benign exploits to verify vulnerabilities. After the application integrates its data into the scan database. a malware kit is a software bundle that makes it easy for malicious parties to write and deploy code for attacking target systems through vulnerabilities. even if it is scheduled to run automatically at other times. Department of Commerce. especially in verification of FDCC compliance. Possible results include Pass. Federal Desktop Core Configuration (FDCC) on page 294. United States Government Configuration Baseline (USGCB) on page 300. Policy Manager Policy Manager is a license-enabled scanning feature that performs checks for compliance with Federal Desktop Core Configuration (FDCC). Others are not subject to this kind of access. Policy Result In the context of FDCC policy scanning. See Policy on page 296 and Standard policy on page 299. and Scan on page 298. which you can access by clicking the Policies tab in the Web interface. The application includes a scan template and report templates that are used by Approved Scanning Vendors (ASVs) in official merchant audits for PCI compliance. See Federal Desktop Core Configuration (FDCC) on page 294. Two general types of polices are identified in the application for scanning purposes: Policy Manager policies and standard policies. and other configuration policies. See Policy Manager on page 296. operating system. The application's Policy Manager (a license-enabled feature) scans assets to verify compliance with policies encompassed in the United States Government Configuration Baseline (USGCB) and the Federal Desktop Core Configuration (FDCC). and Policy on page 296. Policy Manager results appear on the Policies page. or database. Permission A permission is the ability to perform one or more specific operations. For example. Payment Card Industry (PCI) The Payment Card Industry (PCI) is a council that manages and enforces the PCI Data Security Standard for all merchants who perform credit card transactions. software application. a result is a state of compliance or non-compliance with a rule or policy. United States Government Configuration Baseline (USGCB).Override An override is a change made by a user to the result of a check for compliance with a configuration policy rule. Some permissions only apply to sites or asset groups to which an assigned user has access. as well as user-configured custom policies based on these policies. or Not Applicable. They also appear in the Policy Listing table for any asset that was scanned with Policy Manager checks. The application also scans assets to verify compliance with standard policies. United States Government Configuration Baseline (USGCB) on page 300. Policy Manager policies are different from standard policies. Nexpose User’s Guide 296 . Policy Rule A rule is one of a set of specific guidelines that make up an FDCC configuration policy. Fail. a user may override a Fail result with a Pass result. Policy A policy is a set of primarily security-related configuration guidelines for a computer. See Scan on page 298 and Standard policy on page 299. which can be scanned with a basic license. See Document report template on page 293 and Export report template on page 293. Report template Each report is based on a template. and availability). Although a patch is installed on the asset. The code for a potential vulnerability in XML and CSV reports is vp (vulnerable. Risk score A risk score is a rating that the application calculates for every asset and vulnerability. In this case.1 is vulnerable.1. TemporalPlus risk strategy on page 300TemporalPlus risk strategy. the version remains 1. an asset is running version 1. it can only flag the host asset as being potentially vulnerable. including theft or corruption of data and disruption to service. or you can create custom risk strategies. see Vulnerability check on page 302. For other positive result types. Nexpose User’s Guide 297 . potential). The vendor publishes a security advisory indicating that version 1. and it characterizes the anticipated consequences of the compromise. risk also reflects the potential damage to a compromised entity’s financial well-being and reputation. Real Risk strategy Real Risk is one of the built-in strategies for assessing and analyzing risk. a published exploit is one that has been developed in Metasploit or listed in the Exploit Database. Implicitly. You can configure the application to rate risk according to one of several built-in risk strategies. Each strategy emphasizes certain risk factors and perspectives.1. access complexity.1 of a database. Risk strategy A risk strategy is a method for calculating vulnerability risk scores. risk reflects the likelihood that a network or computer environment will be compromised. potential vulnerability checks are enabled in the template for the scan. Four built-in strategies are available: Real Risk strategy on page 297. It is also the recommended strategy because it applies unique exploit and malware exposure metrics for each vulnerability to Common Vulnerability Scoring System (CVSS) base metrics for likelihood (access vector. integrity. For example.Potential vulnerability A potential vulnerability is one of three positive vulnerability check result types. whether it is one of the templates that is included with the product or a customized template created for your organization. The score indicates the potential danger posed to network and business security in the event of a malicious exploit. if the application is running checks for potential vulnerabilities. Second. The application reports a potential vulnerability during a scan under two conditions: First. Temporal risk strategy on page 300. Risk In the context of vulnerability assessment. the application determines that a target is running a vulnerable software version but it is unable to verify that a patch or other type of remediation has been applied. Published exploit In the context of the application. See Risk strategy on page 297.1. See Exploit on page 293. You can also create custom risk strategies. and authentication requirements) and impact to affected assets (confidentiality.1. and Weighted risk strategy on page 302. Global Administrator on page 294. Various preset scan templates are available for different scanning scenarios. Tracking risk trends helps you assess threats to your organization’s standings in these areas and determine if your vulnerability management efforts are satisfactorily maintaining risk at acceptable levels or reducing risk over time. Scan engines can be distributed within or outside a firewall for varied coverage. Many different authentication mechanisms are supported for a wide variety of platforms. See Shared scan credentials on page 299 and Site-specific scan credentials on page 299. You also can create custom scan templates. See Average risk on page 291 and Total risk on page 300. including safe and unsafe Web application scanning properties verification of compliance with policies and standards for various platforms Scheduled scan A scheduled scan starts automatically at predetermined points in time. Scan Engine The Scan Engine is one of two major application components. The scheduling of a scan is an optional setting in site configuration. Five preset roles are available. Scan template A scan template is a set of parameters for defining how assets are scanned. Nexpose User’s Guide 298 . Role A role is a set of permissions. Site Owner on page 299. and User on page 301. Scan credentials Scan credentials are the user name and password that the application submits to target assets for authentication to gain access and perform deep checks. Security Manager on page 299.Risk trend A risk trend graph illustrates a long-term view of your assets’ probability and potential impact of compromise that may change over time. or asset level. Each installation of the Security Console also includes a local engine. Scan A scan is a process by which the application discovers network assets and checks them for vulnerabilities. which can be used for scans within the console’s network perimeter. The highest-risk graphs in your report demonstrate the biggest contributors to your risk on the site. It performs asset discovery and vulnerability detection operations. Parameters of scan templates include the following: • • • • methods for discovering assets and services types of vulnerability checks. Risk trends can be based on average or total risk scores. You also can create custom roles by manually selecting permissions. See Exploit on page 293 and Vulnerability check on page 302. group. See Asset Owner on page 290. It is also possible to start any scan manually at any time. See Policy on page 296 and Policy Manager on page 296. Each site is associated with a list of target assets. unlike with a Policy Manager policy. See Dynamic site on page 293 and Static site on page 300. and view asset data in accessible sites and asset groups. It controls Scan Engines and retrieves scan data from them. The application complies with SCAP criteria for an Unauthenticated Scanner product. Security Manager Security Manager is one of the preset roles. a scan template. Standard policy A standard policy is one of several that the application can scan with a basic license. Security Content Automation Protocol (SCAP) Security Content Automation Protocol (SCAP) is a collection of standards for expressing and manipulating security data. AS/400. Unix. See Site-specific scan credentials on page 299.S. A user with this role can configure and run scans. Standard policy scanning is available to verify certain configuration settings on Oracle. Nexpose User’s Guide 299 . one or more Scan Engines. See Scan credentials on page 298 and Shared scan credentials on page 299. Shared credentials can be applied to multiple assets in any number of sites. A site is not an asset group. Site Owner Site Owner is one of the preset roles. create reports. Standard policies are displayed in scan templates when you include policies in the scope of a scan. Site-specific scan credentials One of two types of credentials that can be used for authenticating scans. shared scan credentials are created by Global Administrators or users with the Manage Site permission. and other scan-related settings. It also controls all operations and provides a Web-based user interface. and Windows systems. government and maintained by the National Institute of Standards and Technology (NIST). Shared scan credentials One of two types of credentials that can be used for authenticating scans. a set of single-instance credentials is created for an individual site configuration and can only be used in that site. It is mandated by the U. and view asset data in accessible sites. Standard policy scan results appear in the Advanced Policy Listing table for any asset that was scanned for compliance with these policies.Security Console The Security Console is one of two major application components. Lotus Domino. A user with this role can configure and run scans. create reports. Site A site is a collection of assets that are targeted for a scan. See Asset group on page 290. It is an aggregated score of vulnerabilities on assets over a specified period. the list of assets in a static group does not change unless you alter it manually. integrity. Total risk Total risk is a setting in risk trend report configuration. and authentication requirements) and asset impact (confidentiality. while indicating how time continuously increases likelihood of compromise. See Risk strategy on page 297. The application is designed to provide sufficient information about unmanaged assets so that you can decide whether to manage them. and authentication requirements) and asset impact (confidentiality. and availability). access complexity. For more information. government agencies.S. and Internet Explorer for compliance with USGCB baselines. See Dynamic asset group on page 293.S. See Policy Manager on page 296 and Federal Desktop Core Configuration (FDCC) on page 294. Temporal risk scores will be lower than TemporalPlus scores because Temporal limits the risk contribution of partial impact vectors. An unmanaged asset does not count against the maximum number of assets that can be scanned according to your license. USGCB evolved from FDCC. It applies a vulnerability's age as a multiplier of CVSS base metrics for likelihood (access vector. which it replaces as the configuration security mandate in the U. see Dynamic site on page 293 and Site on page 299. Asset membership in a static site does not change unless a user changes the asset list in the site configuration. Nexpose User’s Guide 300 . access complexity. Unlike with a dynamic asset group. Static site A static site is a collection of assets that are targeted for scanning and that have been manually selected. integrity. The Policy Manager provides checks for Microsoft Windows 7. Unmanaged asset An unmanaged asset is a device that has been discovered during a scan but not correlated against a managed asset or added to a site’s target list. Windows 7 Firewall. and availability). as a multiplier of CVSS base metrics for likelihood (access vector. TemporalPlus provides a more granular analysis of vulnerability impact. based on its date of public disclosure.Static asset group A static asset group contains assets that meet a set of criteria that you define according to your organization's needs. government. The calculation applies the age of each vulnerability. Temporal indicates how time continuously increases likelihood of compromise. TemporalPlus risk strategy One of the built-in risk strategies. Performing these checks requires a license that enables the Policy Manager feature and USGCB scanning. See Risk strategy on page 297. TemporalPlus risk scores will be higher than Temporal scores because TemporalPlus expands the risk contribution of partial impact vectors. United States Government Configuration Baseline (USGCB) The United States Government Configuration Baseline (USGCB) is an initiative to create security configuration baselines for information technology products deployed across U. Temporal risk strategy One of the built-in risk strategies. An individual with this role can view asset data and run reports in accessible sites and asset groups. it is possible to disable automatic product updates and update the product manually. The code for a vulnerable version in XML and CSV reports is vv (vulnerable. Validated vulnerability A validated vulnerability is a vulnerability that has had its existence proven by an integrated Metasploit exploit. Unlike content updates. vAsset discovery is different from Discovery (scan phase) on page 292. This type of filter is different from an Asset search filter on page 290. and new product features. see Vulnerability check on page 302. Content updates always occur automatically when they are available. User User is one of the preset roles. It is recommended that you only perform unsafe checks on test systems that are not in production. patch verification. two types of updates are automatically downloaded and applied: • • Content updates include new checks for vulnerabilities. You can refine or limit asset discovery with criteria filters. See Exploit on page 293. See vAsset discovery filter on page 301. as well. A Global Administrator can configure a vConnection. vAsset discovery filter A vAsset discovery filter is a set of criteria refining or limiting vAsset discovery results. bug fixes. Product updates include performance improvements. and security policy compliance. vConnection A vConnection is a connection that is initiated with a server that manages virtual machines in order to discover those assets. Update An update is a released set of changes to the application.Unsafe check An unsafe check is a test for a vulnerability that can cause a denial of service on a target system. version check). The application reports a vulnerable version during a scan if it determines that a target is running a vulnerable software version and it can verify that a patch or other type of remediation has not been applied. See vAsset discovery filter on page 301 and vConnection on page 301. vAsset discovery vAsset discovery is a process by which the application automatically discovers virtual assets through a connection with a vSphere server or virtual machine host. Be aware that the check itself can cause a denial of service. Vulnerable version Vulnerable version is one of three positive vulnerability check result types. By default. For other positive result types. Nexpose User’s Guide 301 . Vulnerability check results can also be filtered according category for refining the scope of reports. and it takes into account the level of importance. see Vulnerability check on page 302. Vulnerability exception A vulnerability exception is the removal of a vulnerability from a report and from any asset listing table. such as an exploit. and Acrobat/Reader. such as Microsoft. For example. For other positive result types. Weighted risk strategy One of the built-in risk strategies. You can see positive check result types in XML or CSV export reports. There are also categories for specific Adobe products. Excluded vulnerabilities also are not considered in the computation of risk scores. Check results are either negative (no vulnerability found) or positive. such as Microsoft Path and Microsoft Windows. For example. such as Air. that you assign to a site when you configure it. such as Adobe. and Mozilla. can serve as supersets of categories that are named for their products.Vulnerability A vulnerability is a security flaw in a network or computer. The code for a vulnerability found in XML and CSV reports is ve (vulnerable. if you filter by the Microsoft category. Flash. in a site configuration. Vulnerable version on page 301. Apple. Vulnerability check categories are used to refine scope in scan templates. exploited). and Potential vulnerability on page 297. Weighted is based primarily on asset data and vulnerability types. The application reports a vulnerability found during a scan if it verified the flaw with asset-specific vulnerability tests. A positive result is qualified one of three ways: See Vulnerability found on page 302. Nexpose User’s Guide 302 . Also. Vulnerability check A vulnerability check is a series of operations that are performed to determine whether a security flaw exists on a target asset. Vulnerability category A vulnerability category is a set of vulnerability checks with shared criteria. Categories that are named for manufacturers. you inherently include all Microsoft product categories. Vulnerability found Vulnerability found is one of three positive vulnerability check result types. See Risk strategy on page 297. or weight. the Adobe category includes checks for vulnerabilities that affect Adobe applications. This applies to other “company” categories. you can set up alerts for when a scan reports different positive results types. live 194 vAsset discovery 24 vulnerabilities detected 71 asset groups 120 asset information. viewing 120 display all assets 123 dynamic asset group. unauthorized 194 risk factors 238 risk strategies 238 scan target 195 search by IP address range 127 by IP address type 126 by operating system name 127 by other IP address type 128 by service name 129 by site name 129 by software name 130 search by host type 126 search by last scan date 127 search by PCI compliance status 129 single asset 45 target asset. inclusion in 138 dynamic asset group. reporting 120 asset information. using 121 using 120 vulnerabilities 120 assets Asset Compliance 107 Asset Exclusions page 30 blocked discovery connection 194 configuring search filters 124 dead 194 discovered assets 196 discovery data collection 196 DNS servers 196 fingerprinting 196 firewalls 194 information 196 MAC addresses. live asset inventory 121 dynamic asset group. unauthorized 197 other assets 196 Whois 196 WINS servers 196 discovery method 195 exclude from scans 30 filtered searches 124 filtering search results 136 fingerprinting 81 Nexpose User’s Guide 303 . authorized 198 PCI audit template 195 port 80 194 ports used 195 Scan Engine 194 TCP handshake 195 DNS resolution 195 dynamic asset group. vulnerability 71 configuring discovery 194 discovery 194 MAC addresses.Index A Access page add users to a site 31 add host name to site 29 adding address to site 29 adding IP address to site 29 adding IPv4 assets 29 adding IPv6 assets 29 administration deleting sites 32 Security Console. criteria 121 dynamic asset group. using 121 exploits 120 network location 120 operating system 120 risk scores 120 scanning 120 snapshot 120 static asset groups. Asset Filter 121 file searches 219 filter by asset name 126 filtering by vulnerability CVSS score 133 by vulnerability exposures 134 by vulnerability risk scores 134 by vulnerability title 135 combining filters 135 CVSS risk vectors 132 IP fingerprinting 196 MAC address. using 20 alerts confirmed 40 potential 40 setting up 39 unconfirmed 40 API report sharing 161 archive file uploading policies 230 asset Asset Listing table 71 Asset Listing table. 215 reports 285 Attestation of Compliance 275 rules 107 UNIX policy 209 USGCB 139 Web servers 216 Windows Group Policy 208 Compliance programs. 231 Nexpose User’s Guide 304 .Global Asset Exclusion 30 ICMP echo requests 194 IP stack 196 locating 78 by asset groups 80 by operating system 80 by services 80 by sites 79 by software 81 managing assets in a dynamic site 64 managing dynamic sites 63 non responsive assets not responding 194 not include in reports 181 pings 194 Policy Manager 107 all assets in a site 114 override rules 113. 107 Policy Rules. 115. fine-tuning 195 search filter attributes 124 service discovery 199 simultaneous scan 188 specifying assets to scan 29 specifying in a report 146 subset 124 TCP packets 194 Tested Assets 108 UDP packets 194 vAsset filters 130 viewing details 81 vulnerable 279 ASV PCI Attestation of Compliance 275 Attestation of Compliance 166 B basic report. 253 CIS benchmarks configuration assessment 252 CIS template 254 compliance AS/400 policy 209 CIFS/SMB account policy 209 CSV export 174 CyberScope 139 database servers 215 FDCC 139 Lotus Domino policy 207 Oracle policy 207 PCI Audit 180 Policy Manager 106. creating 142 benchmark 230 benchmark file ID 231 benchmark ID 230 policy 231 benchmarks 253 Best practices for scheduling reports 153 C CCE 230 Configuration Policy Rules table 110 Overview table 110 Parameters table 110 Policy Manager 110 References table 110 Technical Mechanisms table 110 Center for Internet Security (CIS) 252 Center for Internet Security (CIS) benchmarks 106 checks Advanced Policy Engine 206 CIDR using CIDR notation in sites 29 CIS 252. using 22 editing sites 220 report settings 141 report sharing settings 160 resources 220 URL redirection 158 configuration assessment 252 configuration panels 22 configure Web spider 210 configuring a static site 28 consoles. PCI 153 compressed IPv6 addresses 29 configuration configuration panels. Policy Manager 108 policy settings 207.xml Configuring the Security Console to work with a new Scan Engine 35 conventions document 10 Cover Page 166 CPE 230. results 109 reports asset and vulnerabilities compliance overview 282 scan schedule 186 scanning retries 201 scanning. 116 Policy Manager tested assets. resource pool path 59. IP address range 59. 231 CVSS (Common Vulnerability Scoring System) 132 CyberScope Automated Data Feeds Submission Manual 145 Bureau 145 Component 145 Enclave 145 entering information 145 CyberScope reports 139 CyberScope XML 144 CyberScope XML bureau 145 CyberScope XML configuration 145 CyberScope XML enclave 145 CyberScope XML Export report 145 D Data export template 169 data template attributes 287 database export 178 Database Export 165 delete custom report template 141 delete report template 141 delete sites 32 directory paths Web spider 213 discovery asset 194 Asset Discovery Connection panel 57 asset membership 58 configure filters 62 connection 54 connection settings. vAsset discovery 55 export connections. site 46 for sites 42 key pair. 61 filter. paired 46 SSH public keys 44 testing 44 using SSH public key authentication 46 using. guest OS family 59. host 59. creating for Web site session authentication 52 new 43 scan authentication 50 shared 42 site-specific 42. cluster 59 filter. combining discovery filters 61 filter.Create a new report panel 169. changing 58 continuous 54 create dynamic site 62 credentials. datacenter 59. 61 Filtered asset discovery page 57 filters and operators 59 filters. 60 filter. 172 Create a report panel 168 creating a basic report 142 credential types configuring LMNTLM hash 46 SSH public keys 46 credentials checking custom settings 192 default settings 192 configuring account 44 configuring new set 43 editing. 60 filter. configuring 199 Nexpose User’s Guide 305 . 55 echo request (ping) 194 ESX(i) versions. adding 62 filters. 60 filter. 43 specific port 45 SSH public key authentication 48 SSH public key. 60 filter. virtual machine name 59. applying discovery. CSV file 58 filter. 61 filter. generating 48 LM/NTLM hash 44 LM/NTLM hash authentication 49 log on 42 logon creating for Web site form 51 logon. using 59 initiate vAsset discovery 55 list of discovered assets 58 Manage sites permissions 58 monitoring 63 New Dynamic Site 58 scans 54 service configuration 200 service. Credentials page 57 delete connections 58 Discovery Management page 58 Discovery Statistics page 63 dynamic discovery of virtual assets 54. apply filters 62 filter. power state 59. credentials enabling 43 Web site form authentication 50 Web site session authentication 50 web site session with HTTP headers 52 CSV export reports 180 custom logo report template 171 custom policy 230. 231 customizable CSV 169 CVE 230. 54 vAsset discovery icon 57 vAsset discovery. performing 55 vAsset. 215 exploit exposure 239 exploit skill 86 information 92 initial difficulty 238 initial exploit difficulty 238 malware exposure 239 Nexpose User’s Guide 306 .target environments 54 vAsset connections. managing 57 vAsset discovery 24. initiating 58 vAsset. 252. account credentials 56 vAsset. port 443 56 vAssets. creating 57 vAsset connections. 253 custom Policy Manager scans 106 Policy Manager 106 Policy Manager scans 106 FDCC policies 252 FDCCconfiguration assessment 252 Federal Desktop Core Configuration (FDCC) 252 federal government agency 252 filter by host type bare metal 126 Hypervisor 126 unknown host type 126 Virtual machine 126 filters asset searches 124 attributes 124 by asset name 126 by host type 126 by IP address range 127 by IP address type 126 by last scan date 127 by operating system name 127 by other IP address type 128 by PCI compliance status 129 configuring asset search filters 124 search by service name 129 by site name 129 by software name 130 search filters 124 selecting filters 125 vulnerability information 148 Discovered Services 148 E Editing a policy 223 Editing policies during a scan 222 elevated permissions 47 Engine Address Configuring the Security Console to work with a new Scan Engine 34 Engine Address and Port fields in Scan Engine configuration 34 errors 233 exploit access complexity 238 access vector 238 authentication requirement 238 email spam relaying settings 207. discoverable 56 vCenter versions. vAsset discovery 55 virtual assets 54 Web spider 210 without running a scan 54 distributed Scan Engine selecting a Scan Engine for a site 33 DNS Web spider 211 document conventions 10 document template type 143 dynamic asset groups criteria 121 criteria for inclusion 138 inventory 121 user access 121 User Configuration panel 121 using 121 dynamic site discovery delete connections 58 dynamic sites update 54 vAsset discovery 54 malware kits 239 Malware tab 86 Metasploit module 92 pen test 251 penetration test 251 remediation 239 threat exposure 239 verify vulnerabilities 251 vulnerabilities 92 vulnerability age 239 well-known 240 Exploit Exposure using 251 Export 85 export database 178 export template attributes 287 export template type 143 Exporting scan data to external databases 165 F FDCC 139. Licensing page 56 vAsset discovery 56 vAsset. 172 Manage Site permissions creating shared scan credentials 42 Managing the sharing of reports 157 Media Access Control (MAC address) 197 Metasploit 71. starting 12 starting automatically as a service 12 starting in Linux 13 starting in Windows 12 stopping in Linux 13 stopping in Windows 12 working with the daemon 13 getting starting daemon stopping 13 give users access to a site 31 Global Administrator creating shared scan credentials 42 uploading policies 230 global settings exclude assets from scans 30 M mail servers scanning 217 malware exposure 239 malware kits 71 Manage report templates 169. 85 Exploit Exposure.0 252 O Other documents and Help 9 OVAL 230 OVAL check types 230 P pair Security Console and Scan Engine 35 pairing Scan Engines and Security Consoles 34 pairing Security Console and Scan Engine 35 Payment Card Industry (PCI) Component Compliance Summary 166 Payment Card Industry (PCI) Host Details 166 Payment Card Industry (PCI) Scan Information 166 Payment Card Industry (PCI) Special Notes 166 Payment Card Industry (PCI) Vulnerabilities Noted 166 Payment Card Industry (PCI) Vulnerability Details 166 H host names Specifying assets to scan 29 How do I know if my license enables Policy Manager? 253 How do I run configuration assessment scans? 253 How do I view Policy Manager scan results? 253 HTTPS vAsset discovery 56 hyperlink Web spider 213 Nexpose User’s Guide 307 . using 251 exploit ranking 86 N Navigating the Security Console Home page 18 not an update of USGCB 1. 231 TCP/IP stacks 196 firewall block discovery of an asset 194 formats CSV export formats 174 vulnerability exceptions in XML and CSV 177 frequency of schedule 152 I Including organization information in a site 41 IP fingerprinting 196 IP address Specifying assets to scan 29 IPv4 notation configuring a static site 29 IPv6 notation configuring a static site 29 L license Administration tab 56 Security Console Configuration panel.Discovered Vulnerabilities 148 Index of Vulnerabilities 148 Remediation Plan 148 Vulnerability Exceptions 148 Vulnerability Report Card Across Network 148 Vulnerability Report Card by Node 148 Vulnerability Test Errors 148 fingerprinting 196. virtualization 56 logging on 14 login root 47 su 47 sudo 47 G gauging your security posture configuration assessment 252 getting started 12 configuration 12 daemon host system 13 restarting 13 first time duration 13 host system 12 logging on 14 Security Console Linux 13 Security Console. editing 200 increasing accuracy 188 port scanning 199 resource availability 188 tuning scan template 190 Web site scanning 216 tuning discovery 202 tuning options 220 Web spider fine tuning 214 performing discovery scans 54 permissions 47 generating restricted reports 164 report sharing 159 policies 253 policy 230 Advanced Policy Engine checks 206 archive file 230 AS/400 policy 106 benchmark ID 231 CIFS/SMB Account policy 106 database servers. A specific scan result on a single asset 112 override scope options. scanning 216 Windows Group policy 106 policy checks 252 Policy Manager asset compliance 107 assets in a all sites 113 benchmark ID 109 category 109 CCE data 110 configuration assessment 252 copy policy 107 custom policies 106 delete policy 107 edit policy 107 FDCC 106 license 106 name 109 override history. viewing 112 override permissions 111 override requests 117 override rule. working with 106 reviewing override requests 117 Rule Compliance 107 rule results 109 rules. 112 standard policies 106 submitting an override 113 test results. override 111 Standard 106 standard policy checks 106 uploading 230 Web servers. delete request 118 override scope options 111 override scope options. global 111 permissions 111 Policies tab 107 policy checks 106 Policy Listing table 107 policy results 108 Policy Rule Compliance 108 policy rules 109 results overview 107 results. scanning 215 Lotus Domino policy 106 Oracle policy 106 Policy Manager rule test results. all assets in a site 114 scanning 109 scope options 111.PCI Audit template asset discovery 195 TCP ports 195 PCI compliance filtering by status 129 PCI Council restrictions 166 PCI Executive Summary 166 PCI Host Detail 166 PCI Vulnerability Details 166 PDF report 153 Pen test 266 penetration test 251 performance bandwidth metrics 189 bottlenecks 188 credentialed scans 188 discovery settings. All assets in a specific site 111 override scope options. All scan results for a single asset 112 override scope options. all scan on one asset 116 override rule. override 111 Tested Assets 108 USGCB 106 view details 108 Policy Manager checks 252 configuration assessment 253 policy scan 253 policy scanning 253 port scanning 201 Prioritized Remediations template 279 Prioritized Remediations with Details template 280 R Real Risk strategy 239 regex creating 248 Nexpose User’s Guide 308 . all scans on an asset 115 override rule. 0 as U. 287 data template attributes 287 Nexpose User’s Guide 309 . missing 179 CSV export 174. 181 Report Card 180 report data 179 scan settings 179 report formats 179 risk score 181 risk strategies 181 risk trends 237 scan data 181 schedule 181 section. 286 custom vulnerabilities sections 286. permission 159 sharing. 285 custom SANS Top 20 sections 285. government standard 252 replaces FDCC 252 Report Configuration—Output page 165 report data settings 181 report format 169 report history 141 Report Template Configuration—General page 167 reporting MAC address 198 scan MAC address 198 reports access list 159 API 161 assets 146 assets not included 181 Attestation of compliance 139 baseline 155 baseline comparison 274 trends 274 configuration 141. using 153 replaced USGCB 2. understanding 179 creating 142 credentials. 173 text 173 vulnerability filtering not supported 148 working with 173 XCCDF Human Readable CSV report 139 XCCDF XML report 139 XML 144 generating restricted reports 164 manual scans 179 metrics 251 Microsoft Excel pivot tables 174 new 142 PCI audit 180 PCI Executive Summary 139 pivot tables 174 policy checks not enabled 179 remediation 180. 173 human-readable 173 PDF 173 RTF 144. settings 157 table of contents 286 templates 139 asset and vulnerabilities compliance overview 282 audit report 273 Baseline comparison 286 baseline report 282 cover page 282 custom logo 171 custom PCI sections 284.S.file name search 249 using 248 Web site logon 250 Web spider 213 regular expression (regex) 248 remediation prioritizing 181 reports 181 templates 285 tickets 182 remediation efforts 279 remediation plan templates. 142 URL redirection 158 configuring 139 content. 180 CSV export formats 174 custom 139 cover page 282 CyberScope 139 Bureau 145 Component 145 Enclave 145 CyberScope information 145 data remediation 181 database export 178 deleting sites 32 designated owner 157 discovery-only templates 179 FDCC 139 FISMA 139 formats 144 CyberScope 145 database export 178 HTML 144. restricting 163 settings 181 sharing 157 administrative tasks 157 configuration 160 sharing. 285 Remediation plan 278. 187 accuracy. 251 remediation 181 vulnerabilities not checked 179 vulnerabilities not included 181 vulnerability certainty 180 Vulnerability Details 139 vulnerability exceptions 177 vulnerability information 148 vulnerability result codes 177 working with 139 XCCDF Human Readable CSV Report 174 XML export 180 XML schema 178 risk assets with the most risk 279 report template trends 285 Top 10 Riskiest Asset report 279 risk factors strategies 238 availability impact 238 confidentiality impact 238 integrity impact 238 vulnerability impact 238 risk strategies analysis 237 appearance order. built-in 272 templates. 240 Temporal Plus 238 TemporalPlus 240 threats 237 trends 237 usage history 242 VulnerabilityRiskStrategy sub-element 243 Weighted 238 weighted 241 weighted risk scores 241 risk trends baseline comparison 274 reports templates 285 root 47 S scan accuracy 186. improved 220 asset discovery 190 Asset Exclusions page 30 asset groups 120 Asset Listing table 71 assets in a site 66 authenticated scans 42 authenticated scans of SMTP services 198 Nexpose User’s Guide 310 . 239 recalculating scan data 241 risk factors 238 risk trends 237 reports 237 RiskModel element 243 scoring 246 Temporal 238. setting 244 calculating risk 237 calculation times 241 changing 241 changing the appearance order 245 custom risk strategies 243 custom. Web interface 140 vulnerabilities 180. XML file 243 description sub-element 243 maximum impact 239 name element 243 new strategy 242 Real Risk 238.Risk assessment 285 top 10 riskiest assets 279 top 10 vulnerable assets 279 unsafe checks not enabled 179 USGCB 139 viewing. custom 168 templates.discovered databases 282 discovered files and directories 282 discovered services 283 discovered system information 283 discovered users and groups 283 discovered vulnerabilities 283 Executive Overview 274 Executive summary 283 fine-tuning information 168 Highest Risk Vulnerabilities 275 highest risk vulnerability details 283 index of vulnerabilities 283 PCI Attestation of Compliance 275 PCI Audit (legacy) 276 PCI Executive Overview (legacy) 276 PCI Executive Summary 276 PCI Host Details 277 PCI Vulnerability Details 277 Policy evaluation 278. 285 Report Card 278 Risk trends 285 SANS Top 20 279 Scanned hosts and networks 286 sections 163 Table of Contents templates 286 Top 10 Riskiest Assets 279 Top 10 Vulnerable Assets 279 Trend analysis 286 vulnerability filters 281 templates. open 221 full audit template 38 Global Asset Exclusions page 30 goals 186 hanging scan 186 hung scan 186 live assets 195 log file. 207. 215 Policy Manager 106. downloading 72 scan log. host name 66 manual. limiting 191 templates 185. 76 scan log file name 72 scan log. viewing 71 resume 71 retries 201 running a manual scan 66 scan attributes 36 Scan Engine placement 188 scan history. changing 191 templates. viewing 72. Home page 66 Sites page 66 specific ports 45 specific targets 66 specifying assets to scan 29 speed 186 stop 71 targets 221 Telnet servers 218 template FDCC 206 MAC address 198 PCI audit 195 selecting 36 settings 191 template. default 192 time 186.bandwidth 186. 215 simultaneous assets 188 Site Listing pane. 109 port discovery 36 port scanning 201 quickly 186 recalculating scan data 241 remove vulnerability check types 204 report templates scanned hosts and networks 286 resources 187 results. slow 186 timeout interval 201 Nexpose User’s Guide 311 . compliance 207. site-specific 42 custom FDCC 106 CVS servers 217 data 186 reports 181 database servers 215 dead assets 194 Defeat Rate Limit 202 delay 201 DHCP servers 217 disable vulnerability checks 205 discovery phase 190 enable schedule 38 enable vulnerability checks 205 exclude assets 30 excluding assets by host name 30 exhaustive template 38 FDCC 106 fine-tune 216 fine-tuning 195 firewalls. IP address 66 memory usage 186 metasploit 71 packet-per-second rate 202 parallelism 202 pause 71 performance 185. shared 42 credentials. downloading 72 log files 71 mail servers 217 manual scan 66 manual scan targets 66 manual. 187 time availability 187 time. creating 37 service discovery 190 settings report data 179 settings. 186 adjustment 187 goals 186 improved 186 improvement 191 improving 185 port scanning 199 schedule 186 phases 190 policy compliance 36. viewing 71 scan set up 38 scan template selection 188 schedule 181. 186 alerts 39 schedule. 187 baseline 155 baseline comparison 274 configuring 190 configuring credentials 42 credentials. 190 custom 193 templates. tuning system resources 186 tuning. HIPAA compliance 261 scanning pausing. resuming. and stopping a scan 71 scan logs 72 scan results 71 services scanned 173 viewing the scan log 71 scans completed 246 discovery scans 54 risk scoring 246 SCAP uploading policies 230 SCAP policy 230. 231 upload errors 233 SCAP reports SCAP compatible XML 174 schedule alerts 39 enabling 38 policy compliance 38 scan 37 scan times 38 schedule reports 152 Scheduling reports 152 Nexpose User’s Guide 312 . 203 Web applications 50 Web servers 216 Web spider 210 Windows targets 221 Scan Engine asset discovery 194 performance 188 placement 188 static site. working with 34 selecting 33 updating 35 Scan Engines (NSE) 34 scan log download 72 log file 72 reading 72 viewing 71. 72 scan long scan history. create a site 25 Scan Engine. paired 33 Security Consoles. custom policies 106 vulnerability checking 36 vulnerability checks 190. adjustment 187 types asset discovery 193 vulnerabilities 193 USGCB 106 USGCB. 34 logon credentials 42 new 35 paired with Security Consoles 34 pairing 34 pairing with Security Consoles 34 reassigning sites 35 remote 34 Security Consoles. viewing 72 scan template Defeat Rate Limit 202 packet-per-second rate 202 parallelism 202 scan delay 201 timeout interval 201 Scan templates 254 scan templates built-in 192 CIS template 254 creating 192 custom 193 default 192 deleting sites 32 editing 192 fine-tuning 192 modifying 192 parameters 192 Web spider 210 scan type Discovery scan 256 Discovery scan (aggressive) 258 Exhaustive 258 Internet DMZ audit 262 Linux RPMs 263 Microsoft hotfix 264 Payment Card Industry (PCI) audit 265 Penetration test 266 Safe network audit 267 Sarbanes-Oxley (SOX) compliance 268 SCADA audit 269 Web audit 271 scan types. new 35 Scan Engines assigning sites 35 availability 33 changing deployment 220 configuring 34 deleting 35 deleting sites 32 deploying 220 distributed 34 editing properties 35 hosted 33 local 33. using 249 selecting filters 125 search feature using 21 searches target systems 219 Security Console administration 20 browsers 14 configuration panels. associated with a connection 58 editing credentials 46 filter by site name 129 general information for static site 28 Global Asset Exclusions page 30 grouping for a static site 25 managing assets in a dynamic site 64 managing assets in a static site 25 organization information 41 policy compliance 38 Policy Manager override rule 114 Scan Engine 33 Scan Engines 35 scan times 38 Site Configuration panel. 28 static site configuration 28 target environment 24 using credentials 43 site importance static site 28 sites deleting 32 dynamic sites 54 SMTP services scans. editing 220 configuring scan credentials 42 configuring site-level scan credentials 42 create dynamic site 62 creating dynamic 63 creating static sites 25 credentials 43 dynamic site 24 dynamic site based on discovery results 59 dynamic site configuration 24 dynamic sites 24 dynamic sites. using 22 Current Scan Listings for All Sites 19 logging on 14 navigation 20 search feature 21 viewing reports 140 Web interface 18 reports 157 Web interface sessions. extending 22 Security Consoles pairing 34 Security Consoles (NSC) 34 selecting a template 144 Setting up scan alerts 39 settings Web spider performance 211 site 35 account authentication 44 comparing dynamic and static sites 24 configuration Scan Engines 33 configuration. performing 121 Group Configuration panel. exclude assets 30 site membership 25 specify assets in a static site 29 static site 24 Scan Engine placement 25.scheduling reports 152 scope assets in a report 146 search filter by IP address range 127 by IP address type 126 by last scan date 127 by operating system name 127 by other IP address type IPv4 128 IPv6 128 filter by asset name 126 filtered asset searches 124 filters by host type 126 regex. technical 10 T Table of Contents 166 target system Nexpose User’s Guide 313 . authenticated 198 SOX 268 Standard policies license 106 standard policies 207 standard policy 207 static asset groups display all assets 123 filtered asset search. using 121 new static asset group 122 using 121 static site create a site 28 Storing reports in report owner directories 156 su 47 sudo 47 sudoers 47 support. 287 data template attributes 287 discovered databases 282 discovered files and directories 282 discovered services 283 discovered system information 283 discovered users and groups 283 discovered vulnerabilities 283 Executive summary 283 Highest Risk Vulnerabilities 275 highest risk vulnerability details 283 index of vulnerabilities 283 PCI Audit (legacy) 276 PCI Executive Overview (legacy) 276 PCI Executive Summary) 276 PCI Host Details 277 PCI Vulnerability Details) 277 Policy evaluation 278. 285 Remediation plan 278. 272 compliance 36 discovery-only 179 exhaustive 38 full audit 38 performance 190 policy compliance 36 policy evaluation 285 report baseline 155 custom logo 171 Executive Overview 274 fine-tuning information 168 reports 139 asset vulnerabilities and compliance overview 282 Attestation of Compliance 275 audit report 273 cover page 282 custom PCI sections 284. custom 168 reports. 286 custom vulnerabilities sections 286. 285 Report Card 278 restricting sections 163 Risk trends 285 SANS Top 20 279 scanned hosts and networks 286 Top 10 Riskiest Assets 279 Top 10 Vulnerable Assets 279 trend analysis 286 reports. 285 custom SANS Top 20 sections 285. government agency 252 Nexpose User’s Guide 314 . increasing 220 scan performance 185 scan templates 185.file searches 219 TCP/IP stacks fingerprinting 196 technical support 10 template HIPAA compliance template 36 import Security Templates Snap-In 208 Internet DMZ template 36 scan attributes 36 service discovery settings 200 Web audit template 36 template type 169.Risk assessment 285 scan baseline 155 Web spider 210 scan template 36 testing AS/400 compliance 209 CIFS/SMB account policy 209 Lotus Domino policy 207 Oracle policy compliance 207 UNIX policy compliance 209 Web spider 214 Windows Group policy 208 ticket configuration 182 history 183 history. 192 site configuration 220 speed 220 vulnerability checks 205 Web site scanning 216 Web spider 214 U U. 172 document template 169 templates Baseline Report 282 built-in 190. improved 220 discovery performance 202 environment 220 firewalls 221 open firewalls 221 other options 220 resources.S. updating 183 tickets creating 182 opening 182 remediation 182 updating 182 using 182 viewing 182 top 10 riskiest assets 279 top 10 vulnerable assets 279 tuning accuracy. target 56 vConnections 56 virtual asset hosts 56 virtualization 56 VMware interoperability matrix 56 VMware Tools 56 vSphere 56 vSphere API 56 vAssets Administrative virtual machines 55 filtering by cluster 130 guest virtual machines 55 hypervisors 55 management consoles 55 management servers 55 using filters 130 vulnerabilities 281 acceptable risk 94 acceptable use 94 affected assets 91 analysis 237 availability impact 238 categories 86 certainty 180 check codes 105 check settings.S. preparing 55 update dynamic sites 54 vAsset Discovery icon 57 vCenter 55 vCenter versions 55 vCenter. discoverable 56 target environment.0 listed as "USGCB" in Policy Manager results 107 USGCB 2. government mandate 252 uncompressed IPv6 addresses 29 United States government agency federal government mandate 252 United States Government Configuration Baseline (USGCB) 106. port 443 56 vCenter. 252 unsafe check 301 update Update Scan Engine 35 Upload template file 169 URI 231 URL redirection 158 Use the last scan data check box 146 USGCB 139. open 56 target assets.0 252 USGCB 2.0 252 USGCB 2. 253 custom Policy Manager scans 106 Policy Manager 106 Policy Manager scans 106 USGCB 1. creating 57 connections. 55 discovery.0 policies 252 USGCB 2. 192 checks 193 Common Vulnerabilities and Exposures (CVE) index 84 Common Vulnerabilities Scoring System (CVSS) v2. 252. filters and operators 59 discovery. using filters 59 dynamic sites 54 ESX(i) direct connection to standalone hosts 56 ESX(i) hosts 55 ESX(i) versions 55 filtering by datacenter 131 by host 131 by power state 131 by resource pool path 132 initiate discovery 55 initiating discovery 58 Licensing page 56 New Dynamic Site 58 permissions.U. selecting vulnerability checks 203 check types 86. monitoring 63 discovery.0 is not an update of USGCB 1. managing 57 discovered assets 58 discovery 54. Global Administrator 57 port 443.0 or USGCB 1. 84 compensating controls 94 confidentiality impact 238 confirmed 40 CVS servers 217 CVSS risk scoring 86 CVSS score 84 description 91 details 91 details report 139 DHCP servers 217 disable checks 205 discovered 85 enable checks 205 exceptions 94 all instances 96 all instances in a site 96 all instances on an asset 96 by asset 98 Nexpose User’s Guide 315 .0 policies 252 using CIDR notation in site configuration 29 using remediation plan templates 153 Using the search function 21 V vAsset account credentials 56 connections. review 95 recall request 101 Report Card 103 request by site 97 results 105 review 102 scope 96 single instance 96. 181. exceptions 96 vulnerability result codes 177 Web spidering 214 well-known 240 working with 84 vulnerability certainty characteristics 180 Vulnerability Details 166 Vulnerability Trends Survey template 280 vulnerable assets 279 W Web interface search 21 session time out 22 sessions. 94 Exploit Database 85 exploit database 71 Exploit Exposure 251 exploit information 92 exploit. 180. 100 site-specific 97 status 95 submit 96 viewing 103 Vulnerabilities page 96 workflow 95 XML format 104 excluding 86. extending 22 Nexpose User’s Guide 316 . export to CSV 85 malware kits 71. 287 reports 251 asset and vulnerabilities compliance overview 282 CVE 283 CVSS 283 discovered vulnerabilities 283 Highest Risk Vulnerabilities 275 index of vulnerabilities 283 risk score 181 risk strategies 237 scan templates 36 checks 203 scan types 193 scores 86 severity 241 severity scores 86 Telnet servers 218 TemporalPlus risk strategy 240 threat exposure 238. ranking 86 exploitable 71 exploits 85 false positives 94 Exploits tab 85 false positives 94. unauthorized 197 mail servers 217 malware exposure 85 malware kit. 85 Malware tab 86 Malware table 92 Metasploit 85 Metasploit module 92 metrics 251 not included in reports 181 partial impact 240 patch verification checks 203 PCI risk scoring 86 priority 181 proximity-based impact 240 published exploit 85 remediation 91. columns 85 Vulnerability Listing table. 239 remove check types 204 report templates custom sections 286. active 84 virtual assets 55 virtual targets 55 Vulnerabilities Checks page 204 Vulnerabilities Listing table 96 Vulnerability Listing table. 239 Threat Listing 85 threats 237 ticket configuration 182 Top 10 Vulnerable Assets report 279 tuning checks 205 validated vulnerabilities 92 verified 40 verify 251 viewing details 91 viewing reports 180 viewing.CSV format 104 delete 103 global 96 permissions 95 permissions. 251 backporting 94 exclude 94 filtering information in a report 148 found on hosts 173 found on services 173 instances 241 integrity impact 238 MAC address. 182. delete 95 permissions. Web robots Web spider 213 Web spider 210 configuring 210 crawls 213 Cross-link checking 211 directory paths 213 directory structure 210 DNS 211 fine tuning 214 foreign hosts 211 maximum directory levels to spider 212 options 211 performance settings 211 query strings 211 regex 213 regular expressions 213 settings 210. 211 using the Web spider 210 vulnerability testing 214 Web robots 213 What platforms are supported by Policy Manager checks 253 X XCCDF 230 XCCDF Benchmark file 230 XML Export reports 180 XML formats attributes 173 CSV export 174 CyberScope XML Export 174 Qualys XML Export 174 raw XML 173 SCAP compatible XML 174 Simple XML 173 XCCDF Results XML Report 174 XML 174 XML Export 173 XML Export 2.0 173 Nexpose User’s Guide 317 .