SecurityCenter 4.
Introduction

This document describes the administrative functions of Tenable Network Security’s SecurityCenter 4.6. Since many of Tenable’s customers have requirements to maintain separation of duties, the SecurityCenter 4.6 documentation has been separated into the following documents to better organize the material based on the organizational role. Note that there is some overlap in roles as well as content provided with each of the following guides: SecurityCenter 4.
Abbreviations

The following abbreviations are used throughout this documentation:

LCE – Log Correlation Engine
PVS – Passive Vulnerability Scanner
SC – SecurityCenter
SSH – Secure Shell
IDS – Intrusion Detection System

SecurityCenter Administrator Functions

SecurityCenter administrators have the following responsibilities:

- Manage the configuration of each SecurityCenter organization and which networks they are allowed to scan
- Manage scan policies, custom audit files, and credentials for all organizations
# service SecurityCenter start

To halt SecurityCenter, enter the following command:

# service SecurityCenter stop

To restart SecurityCenter, enter the following command:

# service SecurityCenter restart

SecurityCenter services can also be started and stopped from the admin web management interface. Simply click the status circle (green in the image below) in the lower right-hand corner of the web page.
To launch SecurityCenter, bring up a web browser on a system that has access to the SecurityCenter’s network address space and enter the URL in the following format using SecurityCenter’s IPv4 or IPv6 address or hostname: https:/// The SecurityCenter web interface is available using a secure web connection (https). SecurityCenter 4 does not listen on port 80. TLS 1.0 must be enabled by the browser in order to complete the secure connection to SecurityCenter.
Sample SecurityCenter Administrator Dashboard – LCE Overview

System Configuration

The “System” link at the top right of the SecurityCenter web interface contains a number of options to configure the desired SecurityCenter system behavior. When logged in as an admin user, additional options are available that are not available for non-admin users. Among the available admin options are “Basic” (licensing and activation), “Mail”, “LDAP”, “Expiration”, “Update”, “Authentication”, and “Miscellaneous”.
To view currently used IPs in your license, log into SecurityCenter as the “admin” user and go to “Repositories” -> “Repositories”. Hover the cursor over the “Total Active IPs” graphic at the bottom of the screen to view currently used IPs, total IP license count, and IPs remaining. Offline repositories are not counted against your IP license count.
LDAP

If LDAP authentication is to be used, it is recommended to leave at least one SecurityCenter administrator account and one manager account for each organization in SecurityCenter set to use TNS authentication, in the event that the LDAP service becomes unreachable. LDAP configuration settings enable SecurityCenter to utilize any LDAP server for authentication purposes.
It is recommended to use passwords that meet stringent length and complexity requirements.

Server
Directory Server – Enter the IP address or DNS name of the LDAP server in this field.
Port – Specify the remote LDAP port here. When Encryption is set to “none”, the LDAP port is typically 389, and when TLS or LDAPS is used, port 636 is the typical setting. Confirm the selection with your LDAP server administrators.
Expiration

Data expiration determines how long SecurityCenter retains acquired data. Use the table below to determine default and minimum values for these settings:

Table 2 – Data Expiration
Option – Description
Active Data – SecurityCenter will automatically remove any vulnerability data that was discovered via active scanning after the designated number of days. The default value of this field is 365. If this field is left blank, the value is set to zero (0).
Update

The SecurityCenter update settings are used to determine the update schedule for the common tasks of Active and Passive plugin updates, IDS signature updates, and IDS correlation updates. All updates are configured daily by default. The following settings are available:

Table 3 – Update Schedules
Option – Description
Active Plugins – Enables regular downloads of the Nessus plugins. These plugins will be pushed out to every Nessus server that SecurityCenter is managing.
Use the table below to determine correct values for your environment:

Table 4 – SecurityCenter Authentication Settings
Option – Description
Session Timeout – The web session timeout in minutes (default: 60 minutes).
Maximum Login Attempts – The maximum number of user login attempts allowed by SecurityCenter before the account is locked out (default: 20). Setting this value to zero disables this feature.
Classification Type – Adds a header and footer banner to SecurityCenter to indicate the classification of the data accessible via the software. Current options are “None”, “Unclassified”, “Confidential”, “Secret”, “Top Secret”, and “Top Secret – No Foreign”.

Reporting/Scanning

The Reporting/Scanning tab settings offer the option to enable or disable a variety of reporting types that are encountered and needed only in specific situations.
typically used only by select groups and organizations for specific needs that do not apply to many organizations. The ability to enable or disable their usage within SecurityCenter is controlled here. Selecting the checkbox will enable the reporting type and unselecting will disable the reporting type in the report type drop-down for SecurityCenter users. The “Scanning” section sets a global option to enable or disable the ability to download Nessus v1 data from Nessus scanners during scans.
The Notifications field defines the SecurityCenter web address used when notifications are generated for alerts and tickets.

Diagnostics

On the upper right-hand corner of the SecurityCenter web interface, the System option contains a drop-down that includes Diagnostics. This page displays and creates information that assists in troubleshooting issues that may arise while using SecurityCenter. In the “System Status” section, the following items are indicated by a green icon for a properly working status.
the “Diagnostics File Chapters” selected. If selected, the “Sanitize” option will remove IP addresses from the log files before generating the diagnostics file.

Preferences

On the upper right-hand corner of the SecurityCenter web interface, the System option contains a drop-down that includes Preferences. This option includes both location and notification settings.

Basic

The “Basic” option tab allows the admin to configure the local time zone.
Keys

On the upper right-hand corner of the SecurityCenter web interface, the System option contains a drop-down that includes a Keys section. Keys allow the administrator to use key-based authentication with a remote SecurityCenter (remote repository) or between a SecurityCenter and an LCE server. This also removes the need for the SecurityCenter administrator to know the administrator login or password of the remote system.
Clicking on “Add” brings up the dialog box below: In the “Type” drop-down, select DSA or RSA as the key type. In the “Comment” box, enter a string of text that describes the purpose of the key being added to the system. In the “Public Key” box, paste the text of the public key from the remote SecurityCenter and click “Submit”. If a valid public key was entered, a “Success” message is displayed and the key will show up in the key list.
Configuring the publishing sites starts with clicking the “Add” button to open the “Add Publishing Site” window as shown below:

Table 6 – Publishing Site Options
Option – Description
Name – Enter a name for the publishing site.
Description – Enter a description of the publishing site.
Type – This is the method SecurityCenter will use to publish to the site. Available options are “HTTP Post” or “CMRS”. Use the selection appropriate for the configuration of the publishing site.
SSL Client Certificate Authentication

SecurityCenter 4.6 allows users to use SSL client certificate authentication. This allows use of SSL client certificates, smart cards, and CAC authentication when the browser is configured for this method. By default, SecurityCenter uses a password to authenticate. To configure SecurityCenter to allow SSL client certificate authentication, the web server must be configured to allow such connections. To do this, the /opt/sc4/support/conf/sslverify.
Connect with SSL Certificate Enabled Browser

The following information is provided with the understanding that your browser is configured for SSL certificate authentication. Please refer to your browser’s help files or other documentation to configure this feature. The process to configure a certificate login begins when a user connects to SecurityCenter for the first time. The process is completed by the user and does not require Administrator intervention.

1.
Only one SecurityCenter user may be associated with a single certificate. If one user holds multiple user names and roles, a unique certificate must be provided for each login name.

5. Once logged in, a window titled “Certificate Authentication” is presented, asking if the current certificate is to be used to authenticate the current user. If “Yes” is selected, the certificate will be associated with this user. If “No” is selected, the certificate will be ignored for the current session.
8. If a new certificate is available the next time the user logs in, SecurityCenter will again attempt to associate the user with the certificate. If you log out of the session, you will be presented with the standard SecurityCenter login screen. If you wish to log in again with the same certificate, refresh your browser window. If you need to use a different certificate, you must restart your browser session.
Next, SecurityCenter’s /opt/sc4/support/conf/cosign.conf must be edited for the correct settings for your environment. In the following example, 192.168.5.5 is used as the CoSign server’s IP address and 192.168.7.44 is the IP address of the SecurityCenter server. Only the configured lines of the configuration file are displayed. The configuration below is an example only. Please obtain the correct configuration parameters for your environment from your CoSign administrator.
Managed

A “Managed” scanner is one that is managed by SecurityCenter. Managed scanners are logged into using Nessus admin credentials, and SecurityCenter has the ability to send plugin updates to the scanner. SecurityCenter also maintains the Activation Code for Managed scanners.

Unmanaged

An “Unmanaged” scanner is one that has been logged into using a standard Nessus user’s credentials.
The table below goes into more detail about the available options for adding a Nessus scanner:

Table 8 – Nessus Scanner Options
Option – Description
Name – Descriptive name for the Nessus scanner.
Description – Scanner description, location, or purpose.
Host – Hostname or IP address of the scanner.
Port – TCP port that the Nessus scanner listens on for communications from SecurityCenter. The default is port 8834.
Authentication Type – Password Based or SSL Certificate.
# service SecurityCenter restart

After SecurityCenter has been configured with the proper CA certificate(s), the Verify Hostname option will validate the SSL certificate presented by the scanner against the configured CA certificate.

Nessus Perimeter Service Scanners

SecurityCenter 4.6 supports the use of the Nessus Perimeter Service as a Nessus scanner within SecurityCenter.
To add a Nessus Perimeter Service scanner to SecurityCenter, a valid and active Nessus Perimeter Service subscription must be used. In SecurityCenter, select the “Resources” tab, “Nessus Scanners”, and then “Add”: Enter a name (mandatory) and description (optional) for the Nessus Perimeter Service scanner to be used with SecurityCenter. Enter the web address used for the browser-based version of the Nessus Perimeter Service as “Host”, with the “Port” specified as 443 (HTTPS).
Nessus Scanner Details

When the “Detail” button is clicked, information about the selected scanner is displayed. The information includes the basic information of name, description, IP address or hostname, port, username used to connect to the scanner, and when the scanner was created and last modified. The Nessus scanner version, web server version, type, and zones it is a part of are also displayed.
When in “selectable” mode, at scan time, the zones associated with the Organization and “default” are available to the user. When a scan is configured to use a specific zone in either selectable or forced mode, the zone’s ranges are ignored and any IPs in the managed ranges for that user will be scanned by the Nessus scanners associated with the chosen zone.
PVS records its detected vulnerabilities to .nsr or .nessus file(s), depending on the configuration of the PVS. When used with SecurityCenter 4.6 or IPv6 networks, the PVS scanner must use the .nessus file format to record its data. When deployed for operation with SecurityCenter, the PVS uses an agent named the PVS Proxy. This agent is a server that waits for inbound connections from SecurityCenter. By default, the PVS Proxy listens on port 1243.
Log Correlation Engines

Tenable’s Log Correlation Engine (LCE) is a software module that aggregates, normalizes, correlates, and analyzes event log data from the myriad of devices within the infrastructure. LCE 4.2 also has the ability to analyze logs for vulnerabilities and allows SecurityCenter to retrieve the data. Since LCE is closely integrated with SecurityCenter, log analysis and vulnerability management can be centralized for a complete view of an organization’s security posture.
To configure LCE servers, select “Log Correlation Engines” under the “Resources” tab. A screen will be displayed similar to the following: Click “Add” to display the dialog in the screen capture below. Default viewable fields include Name, Description, Host, Organizations, and an unchecked checkbox for Import Vulns. When the Import Vulns option is selected, additional fields become available for Repositories selection and Vulnerability Log Host settings. LCE server 4.
Table 9 – LCE Options
Option – Description
Name – Name used to describe the Log Correlation Engine.
Description – Descriptive text for the Log Correlation Engine.
IP – IP address of the Log Correlation Engine.
Organizations – Determines which Organizations will be able to access data from the configured Log Correlation Engine.
Import Vulns – When enabled, allows Event vulnerability data to be retrieved from the configured LCE 4.2 server.
Note that clients configured prior to version 4.x are displayed on the list without OS and policy information. However, these clients cannot have their policy files centrally managed from SecurityCenter. LCE Clients are initially configured to send their data to a particular LCE server, but must be authorized by the LCE server for the server to accept the data. The client’s authorization status is displayed in the “Authorized” column as “Yes” or “No”.
“Import” allows customized LCE Client policy files to be added to the LCE server and made available for use. The Prefix field is added to the beginning of the file name and is used to offer a description of the function or use of the policy file. The OS Type is used in the file name to easily identify the OS for which the policy is designed. The Client Type indicates the LCE Client for which the policy is written. The Source field is used to select and upload the custom policy file to the LCE server.
Once a policy has been selected for use with the chosen client, click the “Assign” button to associate the policy file with the client. When the client makes its next connection to the LCE server, it will acquire its new policy file, apply it to its configuration, and restart with the new settings. For more information on creating LCE Client Policy files, please see the LCE Client Guide available on the Tenable Support Portal.
When creating SecurityCenter repositories, LCE event source IP ranges must be included along with the vulnerability IP ranges or the event data and event vulnerabilities will not be accessible from the SecurityCenter UI. There are three types of repositories: “Local”, “Remote”, and “Offline”. Local repositories are active repositories of SecurityCenter data collected via scanners attached to the local SecurityCenter.
Table 10 – Local Repository Options
Option – Description
Name – The repository name.
Description – Descriptive text for the repository.
Type – Local
IP Version – Determines if the repository will store IPv4 or IPv6 results. SecurityCenter repositories cannot store a mix of IPv4 and IPv6 addresses.
Trending – If trending is not selected, any query that uses comparisons between repository snapshots (e.g., trending line charts) will not be available. This option allows for a periodic snapshot of the .nessus data for vulnerability trending purposes.
Table 11 – Remote Repository Options
Option – Description
Name – The repository name.
Description – Descriptive text for the repository.
Type – Remote
Remote Repository – Host to synchronize with to obtain the repository data. After entering the hostname or IP address of the remote SecurityCenter, click the “Retrieve Repositories” link to enter an admin username and password for the SecurityCenter to exchange the SSH keys. Once completed, a list of available repositories will be populated.
To share data, enter the IP address of the remote SecurityCenter in the “Host” field and click “Retrieve Repositories”. If a key for the current SecurityCenter has not been added to the remote SecurityCenter key list, the retrieve process will prompt for the SecurityCenter admin credentials of the remote host. If the key authentication is not configured (System -> Keys), a prompt for the administrator username and password for the remote host will be displayed.
Type – Offline
IP Version – Determines if the repository will store IPv4 or IPv6 results. SecurityCenter repositories cannot store a mix of IPv4 and IPv6 addresses.
Trending – If trending is not selected, any query that uses comparisons between repository snapshots (e.g., trending line charts) will not be available. This option allows for a periodic snapshot of the .nessus data for vulnerability trending purposes. This option is particularly useful in cases where trending is important.
When importing the repository archive, the default maximum file import size is 160MB. This is specified by the “post_max_size” directive in /opt/sc4/support/etc/php.ini. If larger file uploads are required, increase the default value. To load the repository archive to the offline repository, copy it to a location where the offline repository is accessible via the SecurityCenter GUI, open the “Repositories” page, highlight the offline repository and click “Sync”.
After clicking “Delete”, click the “Apply Rules” button in the top left for the changes to take effect. Once completed, any vulnerabilities that had been modified by the accept risk rule are displayed unfiltered in the cumulative database.

Recast Risk Rules

Similar to “Accept Risk Rules”, “Recast Risk Rules” are rules created by a non-admin user that recast vulnerabilities to a different risk level. The admin user can display and delete these rules if desired.
After clicking “Delete”, click the “Apply Rules” button in the top left for the changes to take effect. Once completed, any vulnerabilities that had been modified by the recast risk rule are returned to their original state.

User Management

Organizations

Many of the concepts in this section such as zones, multiple organizations, and repositories apply only to SecurityCenter and not the LCE Manager. An Organization is defined as a set of distinct Users.
In Organization A, the Org Head user has control over all Users and Managers in Organization A. Manager 1 similarly has control over all Users and Managers (except the Org Head user). Manager 2, however, only has control over Users B through G since User A and Manager 1 are not in their hierarchy. In Organization B, Manager 3 has control over all Organizational Users except for the Org Head user. We have created two users with custom roles.
Address – Organization address
City – Organization city
State – Organization state
Country – Organization country
Phone – Organizational telephone number

The following table describes the options available on the “Scanning” tab.

Table 14 – Scanning Options
Option – Description
Restricted Scan Ranges – IP range(s) that the scanner will not scan (20K character limit).
Zone Selection – Forced or Selectable.
The following table describes the options available on the “Analysis” tab.

Table 15 – Analysis Options
Option – Description
Accessible LCEs – LCE(s) to which this Organization has access.
Accessible Repositories – Repositories to which the Organization will have access. Next to each repository checkbox is a key image that is used to determine repository access.
repository. Likewise, choose “Organization Head” if only the Organization Head will have access. Choose “Existing Users” to maintain the current user permissions (applicable when editing an existing Organization).

Vulnerability Weights
Low – The vulnerability weighting to apply to “Low” criticality vulnerabilities for scoring purposes. (Default: 1)
Medium – The vulnerability weighting to apply to “Medium” criticality vulnerabilities for scoring purposes.
This link is useful for organizations that want to reference an internal web page with IP specific information. For example, an analyst may need more information about a specific host available in another application. This link could be configured to that external application to provide further information about the host in question, which could assist with vulnerability or event analysis.
their account until an administrator unlocks them. This option is only available once the Organization Head user is created.

Authentication Information
Type – TNS
Username – Unique organizational login name. The username value is case-sensitive.
Password and Confirm Password – Organization Head password creation fields
Type – LDAP
Search String – This is the LDAP search string to use to narrow down user searches. Proper format is: “attribute=”.
Support

Audit Files

The Nessus vulnerability scanner includes the ability to perform compliance audits of numerous platforms including databases, Cisco, Unix, and Windows configurations as well as sensitive data discovery based on regex contained in “.audit” files. Audit files are XML-based text files that contain the specific configuration, file permission, and access control tests to be performed. Tenable provides a wide range of audit files and new ones are easy to write.
File – An interface that allows you to browse your local system or file shares for the audit file

Once an audit file has been uploaded, it can be referenced from within scan policies for enhanced security policy auditing. For more information about SecurityCenter compliance auditing and audit files, refer to the Nessus Compliance Checks document located at https://support.tenable.com.

Credentials

Credentials are reusable objects that facilitate scan target login.
SNMP community string – Enter the SNMP community string used for authentication.
Kerberos – The Kerberos IP, Port, Protocol, and Realm are available for this type of authentication.

An example Windows credential with options is displayed below:

Some aspects of credential options are based on Nessus plugins; therefore, specific credential options may differ from the descriptions documented here.
Add a Scan Policy

Clicking “Add” opens the following screen, which is used to configure the new scan policy. Four tabs are displayed including:

- Basic
- Audit Files
- Plugins
- Preferences

Basic

The “Basic” tab contains basic scan policy settings and allows the user to load a predefined scan policy template.
Type – Family or Plugin. If “Family” is chosen, then when plugin updates occur, new plugins will automatically be enabled for plugin families that are enabled. If “Plugin” is chosen, only the currently enabled plugins remain enabled; new plugins must be manually enabled by the user. This is beneficial where strict control over new plugins is required. Changing from “Family” to “Plugin”, or vice-versa, clears all currently enabled plugins.
for SYN-ACK reply, and then determines port state based on a reply, or the lack of one.
SNMP Scan – Direct Nessus to scan targets for an SNMP service. Nessus will guess relevant SNMP settings during a scan. If the settings are provided by the user under “Preferences”, this will allow Nessus to better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string.
example, if the Max Hosts Per Scan is set to 5 and there are five scanners per zone, each scanner will accept five hosts to scan, allowing a total of 25 hosts to be scanned between the five scanners.
Max Scan Time in hours – This setting limits the length of time a scan is allowed to run. If a scan reaches this limit, the unscanned targets are captured in a new “rollover” scan that can be run manually or scheduled at a later time.
Plugins

The “Plugins” tab gives the user the option to customize which plugins are used during the policy’s Nessus scan. Clicking the circle next to a plugin family allows you to enable or disable the entire family. The circles next to the name under Families will show green when some or all of the plugins for that family are enabled.
When a policy is created and saved, it records all of the plugins that are initially selected. When new plugins are received via a plugin feed update, they will automatically be enabled if the family they are associated with is enabled. If the family has been disabled or partially enabled, new plugins in that family will automatically be disabled as well.
The Database settings (plugin 33815) options apply to database compliance audits and are used to specify the type of database to be tested, relevant settings, and credentials:

Table 25 – Database Settings
Option – Description
Login – The username for the database.
Password – The password for the supplied username.
DB Type – Oracle, SQL Server, MySQL, DB2, Informix/DRDA, and PostgreSQL are supported.
Database SID – Database system ID to audit (Oracle only).
SQL Server: 1433
Informix: 1526
DB2: 50000
Oracle auth type – NORMAL, SYSOPER, and SYSDBA are supported. Depending on the privileges required by the .audit commands, enhanced privileges such as “SYSOPER” or “SYSDBA” may be required. In most cases, however, the “NORMAL” auth type will suffice.
SQL Server auth type – Windows or SQL are supported.

Do not scan fragile devices (plugin 22481) instructs the Nessus scanner not to scan network printers or Novell Netware hosts if unselected.
Do not log in with user accounts not specified in the policy – Used to prevent account lockouts if your password policy is set to lock out accounts after several invalid attempts.
Enable CGI scanning – Activates CGI checking. Disabling this option will greatly speed up the audit of a local network. This option must be enabled in conjunction with the web application testing plugin for a full web audit to occur.
Table 27 – HTTP Login Page Settings
Option – Description
Login page – The base URL to the login page of the application.
Login form – The “action” parameter for the form method. For example, the login form for
Automated login page search – Gives Nessus the option to parse the login page for form options and attempt to log in based on detected fields. This option works in conjunction with the HTTP cookies import (plugin 42893) to simplify form-based authentication. If more than one form is available on a web page (uncommon), use the manual login form parameters specified above instead.
Re-authenticate delay (seconds) – The time delay between authentication attempts.
Malicious Process Detection (plugin 59275) allows you to upload a custom list of MD5 hashes to identify running processes on scanned hosts when plugin 65548 is enabled. The format of the file is one MD5 hash per line without any surrounding whitespace. Optionally, a description may be added by putting a comma after the hash and the text of the description to be displayed in the scan results. Lines beginning with a # symbol are treated as comments and are ignored. All other items are considered invalid.
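As an added example (not code from the SecurityCenter documentation or from Tenable), the following Python script checks a hash list against the format described above before it is uploaded: one MD5 per line with no surrounding whitespace, an optional comma-separated description, “#” comment lines, and everything else rejected. The sample list is constructed from the well-known MD5s of "", "test", "a" and "b"; the duplicate report and the strict treatment of blank lines as invalid are assumptions that go beyond what the format text states.

```python
import re
from typing import NamedTuple

# Added example, not from the SecurityCenter documentation or Tenable's code.
# Validates a Malicious Process Detection hash list (plugin 59275) before upload.

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


class Entry(NamedTuple):
    line_no: int
    md5: str          # normalised to lowercase for consistent matching
    description: str  # empty string when the line carried no ",description"


class Report(NamedTuple):
    entries: list     # accepted Entry objects, in file order
    errors: list      # "line N: reason" for lines the format rejects
    duplicates: list  # "line N duplicates line M" (assumption: reported, not rejected)


def parse_hash_list(text: str) -> Report:
    """Apply the documented rules line by line and collect the outcome."""
    entries, errors, duplicates = [], [], []
    first_seen = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#"):
            continue  # comment line: ignored, exactly as the format allows
        if raw != raw.strip():
            errors.append(f"line {line_no}: surrounding whitespace is not allowed")
            continue
        if raw == "":
            errors.append(f"line {line_no}: empty line")  # assumption: strict reading
            continue
        # Only the first comma separates hash from description, so descriptions
        # may themselves contain commas.
        md5, _, description = raw.partition(",")
        if not MD5_RE.match(md5):
            errors.append(f"line {line_no}: {md5!r} is not a 32-hex-digit MD5")
            continue
        md5 = md5.lower()
        if md5 in first_seen:
            duplicates.append(f"line {line_no} duplicates line {first_seen[md5]}")
        else:
            first_seen[md5] = line_no
        entries.append(Entry(line_no, md5, description))
    return Report(entries, errors, duplicates)


def render_hash_list(entries) -> str:
    """Emit accepted entries in canonical upload form (lowercase, no whitespace)."""
    lines = [f"{e.md5},{e.description}" if e.description else e.md5 for e in entries]
    return "\n".join(lines) + "\n"


# Constructed sample; the hashes are MD5("") , MD5("test"), MD5("a"), MD5("b"),
# not indicators of anything.
SAMPLE = """\
# constructed sample list
d41d8cd98f00b204e9800998ecf8427e,empty input, 0 bytes
098F6BCD4621D373CADE4E832627B4F6,uppercase hash is normalised
 0cc175b9c0f1b6a831c399e269772661
not-a-hash,a description does not rescue a bad hash
92eb5ffee6ae2fec3ad71c777531578f
92eb5ffee6ae2fec3ad71c777531578f,same hash again
"""

if __name__ == "__main__":
    report = parse_hash_list(SAMPLE)
    for msg in report.errors + report.duplicates:
        print(msg)
    print(render_hash_list(report.entries), end="")
```

Run it against a real list before uploading: a single malformed line would otherwise be silently treated as invalid by the plugin, and the rendered output is safe to upload as-is.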
Table 28 – Nessus SYN and TCP Scanner Settings
Value – Description
Automatic (normal) – This option can help identify if a firewall is located between the scanner and the target (default).
Disabled (softer) – Disables the Firewall detection feature.
Do not detect RST rate limitation (soft) – Disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device.
No archive – If this option is selected, Nessus will request to not archive the test message being sent to the news server(s). Otherwise, the message will be archived like any other posting.

Oracle settings (plugin 22076) allows the user to enter the Oracle database SID to specify which database to test. In addition, “Test default accounts (slow)” enables the Nessus scan to probe for default accounts within the remote database for vulnerabilities.
Table 30 – Ping the Remote Host Settings
Option – Description
TCP ping destination port(s) – Specifies the list of ports that will be checked via TCP ping. If you are not sure of the ports, leave this setting to the default of “built-in”.
Do an ARP ping – Utilize the ARP protocol for pings.
Do a TCP ping – Utilize the TCP protocol for pings.
Do an ICMP ping – Utilize the ICMP protocol for pings.
Number of Retries (ICMP) – Allows you to specify the number of attempts to try to ping the remote host.
SMB Use Domain SID to Enumerate Users (plugin 10399) specifies the SID range to use to perform a reverse lookup on usernames on the domain. The default setting (1000 to 1200) is recommended for most scans.

SMB Use Host SID to Enumerate Local Users (plugin 10860) specifies the SID range to use to perform a reverse lookup on local usernames. The default setting (1000 to 1200) is recommended for most scans.
Table 33 – SNMP Settings
Option – Description
UDP port – Direct Nessus to scan a different port in the event that SNMP is running on a port other than 161.
SNMPv3 user name – The username for an SNMPv3-based account.
SNMPv3 authentication password – The password for the username specified.
SNMPv3 authentication algorithm – Select MD5 or SHA1 based on which algorithm the remote service supports.
SNMPv3 privacy password – A password used to protect encrypted SNMP communication.
VMware vCenter SOAP API Settings (plugin 63060) provides Nessus with the credentials required to authenticate to VMware vCenter management systems via their own SOAP API. The API is intended to audit vCenter, not the virtual machines running on the hosts. This authentication method can be used to perform credentialed scans or perform compliance audits.
The screen capture below is the “Web Application Tests Settings” input page:
Table 34 – Web Application Tests Settings (Option: Description)
Enable web applications tests: This check box enables web application tests and causes the settings below to be evaluated during the test.
Maximum run time (min): This option manages the amount of time in minutes spent per NASL script performing web application tests. These NASL scripts are listed above.
“non-attack” variations for additional parameters. For example, Nessus would attempt “/test.php?arg1=XSS&b=1&c=1” where “b” and “c” allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.
some pairs – Like “all pairs” testing, this will try to test a representative data set based on the “All-pairs” method. However, for each parameter discovered, Nessus will only test using a maximum of three valid input variables.
URL for Remote File Inclusion: During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Nessus will use a safe file hosted on Tenable’s web server for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.
Web mirroring (plugin 10662) sets configuration parameters for Nessus’ native web server content mirroring utility.
Administrators The administrative user can create other administrator users; however, they may only modify the “Basic” fields for the new user being created. “Access” and “Resources” tabs are displayed, but administrative users cannot edit them. All administrators have the same permission level and resources.
Error creating email notifying user 'test'. Invalid address: noreply@localhost
Check the System -> Configuration -> Mail -> Return Address settings. The email address defaults to “noreply@localhost” if left blank. Many email servers will disallow emails from this address.
Email user their password: There is an option to include the user’s password within the email if desired. If this is not included, contact information of the security manager will be included.
1. The Organization Head can add/edit/delete roles, while the Manager cannot.
2. The Organization Head can add users that are the subordinate of any Manager or User with the “Manage Users” permission. The Manager can only add users as a subordinate of themselves.
3. The Organization Head has visibility of scan schedules and report definitions for the entire Organization, while Managers can only see those of their subordinates.
Create Organization Assets: Create assets. X X X
Create Organization Credentials: Create credentials. X X X
Create Organization Policies: Create scan policies with Organizational visibility. This option must be used in conjunction with the “Create Policies” permission. X X X
Create Organization Queries: Create queries. X X X
Create Policies: Create scan policies with “User” visibility. This option must be set for the “Create Organizational Policies” option to function. X X X X X
Share Credentials: Share credentials with other users. X X X
Share Dashboard Tabs: Share dashboard tabs with other users. X X X
Share Policies: Share policies with other users. X X X
Share Queries: Share queries with other users. X X X
Update Plugins: Update Active, Passive, and Custom plugins. X X X
Upload Nessus Scan Results: Upload Nessus scan results. X X X
View Event Data: View event data. X X X
View Organization Logs: View Organization logs.
Available fields include Job ID, Type, Obj ID, Status, PID, Organization, Initiator, Start Time, and Targeted Time. This information is not generally required for the day to day operations of SecurityCenter, but may be requested by Tenable Support when troubleshooting issues. Job options include “Detail”, which lets you view individual job details and “Kill Job”, which lets you kill a currently running job. Killing any process is not recommended except at the request of Tenable Support.
Accessing the Audit Records
To access the user activity data via the web interface, you must be logged into the SecurityCenter console as the admin user and, from the “Status” tab, select the “Logs” option. Login records are written every time a SecurityCenter user attempts to access SecurityCenter. The following screen capture shows some examples of this activity: In addition to login activity, information regarding successful and unsuccessful attempts to launch scans is displayed.
Logs can be searched and filtered by type of SecurityCenter event, event success or event failure by using relevant filters and keywords for each particular type of search.
Logs can also be searched and viewed to show errors received from Nessus, the LCE, and the PVS. In the example below, a keyword of “plugin” was used in conjunction with a severity of “Critical” to list errors related to the updates of PVS plugins:
The flat ASCII log file used to store the customer activity data is rolled over every month and may be archived in accordance with local site backup procedures. For example, a log file for the month of November 2012 would be named /opt/sc4/orgs/1/logs/201211.log.
Within the Plugins interface, the user has the ability to perform a wide variety of plugin-related functions, including updating active, passive and event plugins, uploading custom plugins, viewing plugin details/source, and searching for specific plugins. Clicking on the “Plugins” tab displays a page similar to the one below:
Update Plugins
Immediately after installing SecurityCenter, plugins are automatically updated on a regular basis.
After browsing for the plugin archive and uploading it, confirm the plugin type and then click “Add” to extract the plugins to SecurityCenter. Shortly after completion a notification message is displayed indicating a successful plugin upload. Other Plugin Options Other plugin options include “Detail” and “Source”.
/dev/sda1             101086     24455     71412  26% /boot
tmpfs                1037732         0   1037732   0% /dev/shm
# service SecurityCenter restart
Shutting down SecurityCenter services:                     [  OK  ]
Starting SecurityCenter services:                          [  OK  ]
#
Forgot login credentials
Contact Tenable Support (support@tenable.com).
Invalid license error
If you receive an invalid license error while attempting to log in as an Organization Head or lower, an administrator must log in and upload a new valid license key.
Check the lce.conf configuration file at “/opt/lce/daemons/lce.conf” in accordance with the LCE documentation.
Check the individual LCE client configuration and authorization in the LCE Clients screen.
If syslog is being used to collect information and events, ensure that the syslog service is running and configured correctly on the target syslog server in accordance with LCE documentation.
Check for NTP time synchronization between the SecurityCenter, LCE, and LCE clients.
Nessus plugins fail to update
Under “System” and “Configuration” in SecurityCenter, ensure that the Nessus Activation Code is marked as “Valid”.
Ensure that the user used to connect to the Nessus server is configured as an ‘admin’ class user.
Ensure that the SecurityCenter system is allowed outbound HTTP(S) connectivity to the Nessus Plugin Update Site. If it is not, refer to the Nessus 5.0 Installation and Configuration Guide for information on offline plugin updates.
Ensure that the SecurityCenter host is allowed outbound HTTP(S) connectivity to the PVS Plugin Update Site. For all other PVS plugin update issues, contact Tenable Support at support@tenable.com.
Appendix 1: Non-Tenable License Declarations Below you will find third-party software packages that Tenable provides for use with SecurityCenter 4. Section 1 (b) (ii) of the SecurityCenter License Agreement reads: (ii) The Software may include code or other intellectual property provided to Tenable by third parties, including Plug-Ins that are not owned by Tenable, (collectively, “Third Party Components”).
Tenable Third-Party Licensed Software ChartDirector Version 5.0 ChartDirector Version 5.0.2 Copyright (C) 2009 Advanced Software Engineering Limited All Rights Reserved ************************* LICENSE AGREEMENT ************************* You should carefully read the following terms and conditions before using the ChartDirector software. Your use of the ChartDirector software indicates your acceptance of this license agreement.
- You may embed the unmodified trial version of the ChartDirector software (or part of it), in a product and distribute the product, provided you do not charge for the product. If you do not want the yellow banner messages appearing in the charts, or you want to embed the ChartDirector software (or part of it) in a product that is not free, you must purchase a commercial license to use the ChartDirector software from Advanced Software Engineering Limited.
Appendix 2: Manual LCE Key Exchange A manual key exchange between SecurityCenter and the LCE is normally not required; however, in some cases where remote root login is prohibited or key exchange debugging is required, you will need to manually exchange the keys. For the remote LCE to recognize SecurityCenter, you need to copy the SSH public key of SecurityCenter and append it to the “/opt/lce/.ssh/authorized_keys” file. The “/opt/lce/daemons/lce-install-key.sh” script performs this function.
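As an added example (not from the Tenable guide and not the lce-install-key.sh script), the shell function below performs the same append step idempotently and sets the permissions sshd requires on the authorized_keys file. The key material and paths used in the test are constructed; the default /opt/lce/.ssh/authorized_keys path is the one named above.

```shell
#!/bin/sh
# Added example, not Tenable's lce-install-key.sh: append the SecurityCenter SSH public
# key to the LCE authorized_keys file only if it is not already there, then set the
# permissions sshd requires. /opt/lce/.ssh/authorized_keys is the default LCE location.
# Usage: install_lce_key <securitycenter-pubkey-file> [authorized_keys-file]
install_lce_key() {
    pubkey_file="$1"
    auth_file="${2:-/opt/lce/.ssh/authorized_keys}"
    key=$(head -n 1 "$pubkey_file") || return 1
    # Accept only a single OpenSSH public-key line (type, base64 body, optional comment).
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    # Match on type and key body only, so a changed comment does not create a duplicate.
    key_body=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
    touch "$auth_file"
    if awk -v k="$key_body" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_file"; then
        echo "key already present in $auth_file"
    else
        printf '%s\n' "$key" >> "$auth_file"
        echo "key appended to $auth_file"
    fi
    # sshd refuses group- or world-writable authorized_keys files.
    chmod 600 "$auth_file"
    # On a real LCE host also run: chown -R lce:lce "$auth_dir" (needs root; omitted here).
}

# Number of key entries in an authorized_keys file (used to confirm the call is idempotent).
count_keys() {
    grep -Ec '^(ssh-|ecdsa-sha2-)' "$1"
}
```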
Appendix 3: Nessus SSL Configuration Introduction This section describes how to generate and exchange SSL certificates for the Nessus vulnerability scanner to use with SecurityCenter. For this procedure, you will need to have administrative (root) access to the SecurityCenter system, as well as all Nessus scanner systems. Please note that users should be familiar with PKI deployments and it is not recommended that the Nessus server be used as the site’s PKI system.
File Name Created / Purpose / Where to Copy to
/opt/nessus/com/nessus/CA/cacert.pem: This is the certificate for the Certificate Authority. If using an existing PKI, this will be provided to you by the PKI and must be copied to this location. Copy to /opt/nessus/com/nessus/CA on the initial Nessus server and any additional Nessus servers that need to authenticate using SSL.
/opt/nessus/com/nessus/CA/servercert.pem: This is the public certificate for the Nessus server that is sent in response to a CSR.
Creating and Deploying SSL Authentication for Nessus
An example SSL Certificate configuration for Nessus to SecurityCenter authentication is included below. In the example described here, SecurityCenter and the Nessus scanner are defined as follows. Your configuration will vary:
SecurityCenter: IP: 192.168.10.10, OS: Red Hat ES 5
Nessus Scanner: IP: 192.168.11.30, OS: Red Hat ES 5
Create Keys and User on Nessus Server
Log in to the Nessus scanner and use the su command to become the root user.
# /opt/nessus/sbin/nessus-mkcert-client
Do you want to register the users in the Nessus server as soon as you create their certificates ? [n]: y
-------------------------------------------------------------------------
Creation Nessus SSL client Certificate
-------------------------------------------------------------------------
This script will now ask you the relevant information to create the SSL client certificates for Nessus.
# cd /tmp/nessus-043c22b5
# cat cert_paul.pem key_paul.pem > nessuscert.pem
The nessuscert.pem file will be used when configuring the Nessus scanner on SecurityCenter. This file needs to be copied to somewhere accessible for selection from your web browser during the Nessus configuration.
Configure Nessus Daemons
To enable certificate authentication on the Nessus server, the force_pubkey_auth setting must be enabled. Once enabled, logging in to the Nessus server can only be done with SSL certificates.
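Because nessuscert.pem is a plain concatenation of the client certificate and its private key, a structural check before uploading it catches the common slips (wrong file order, a missing or duplicated block, a truncated END line). The function below is an added example, not part of the Tenable guide or of nessus-mkcert-client; the PEM bodies in its test are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of the Tenable guide: sanity-check a nessuscert.pem built with
# "cat cert_<user>.pem key_<user>.pem > nessuscert.pem" before uploading it to SecurityCenter.
# Returns 0 only if the file holds exactly one certificate block followed by exactly one
# private key block, with every BEGIN line closed by the matching END line.
# Usage: check_nessuscert <path-to-nessuscert.pem>
check_nessuscert() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk '
        /^-----BEGIN CERTIFICATE-----$/ {
            if (open != "") bad = 1          # a block opened inside another block
            open = "cert"; certs++
            if (keys > 0) order = 1          # certificate must precede the key
        }
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----$/ {
            if (open != "") bad = 1
            open = "key"; keys++
        }
        /^-----END CERTIFICATE-----$/ {
            if (open != "cert") bad = 1      # END without its matching BEGIN
            open = ""
        }
        /^-----END (RSA |EC )?PRIVATE KEY-----$/ {
            if (open != "key") bad = 1
            open = ""
        }
        END {
            if (certs != 1) print "expected 1 certificate block, found " certs
            if (keys != 1)  print "expected 1 private key block, found " keys
            if (order)      print "private key must come after the certificate"
            if (bad || open != "") print "unbalanced BEGIN/END lines"
            exit !(certs == 1 && keys == 1 && !bad && open == "" && !order)
        }' "$1"
}
```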
Using Custom Certificates During an upgrade, SecurityCenter will check for the presence of custom SSL certificates. If certificates are found and the owner is not Tenable, any newly generated certificates will be named with a “.new” extension and placed in the /opt/sc4/support/conf directory to avoid overwriting existing files. Deploy to other Nessus Scanners Configure any other Nessus scanners for SecurityCenter use and certificate authentication prior to performing the following tasks.
C:\Program Files\Tenable\Nessus\nessus\CA\servercert.pem: This is the public certificate for the Nessus server that is sent in response to a CSR. Copy to C:\Program Files\Tenable\Nessus\nessus\CA\ on any additional Nessus servers that need to authenticate using SSL.
C:\Program Files\Tenable\Nessus\nessus\CA\cakey.pem: This is the private key of the Certificate Authority. It may or may not be provided by the Certificate Authority, depending on if they allow the creation of sub users.
Next, create the user ID, key and certificate that the Nessus client (SecurityCenter in this case) will use to log in to the Nessus server. This is done with the nessus-mkcert-client.exe executable located in C:\Program Files\Tenable\Nessus. If the user does not exist in the Nessus user database, it will be created. If it does exist, it will be registered to the Nessus server and have a distinguished name (dname) associated with it.
The certificates created contain the username entered previously, in this case “admin”, and are located in the directory as listed in the example screen capture above (e.g., C:\Documents and Settings\\Local Settings\Temp\nessus-00007fb1). In the specified directory, the certificate and key files in this example are named “cert_admin.pem” and “key_admin.pem”.
Transfer Certificates and Keys to SecurityCenter
Transfer the “cert_admin.pem” and “key_admin.
The nessuscert.pem file will be used when configuring the Nessus scanner on SecurityCenter. This file needs to be copied to somewhere accessible for selection from your web browser during the Nessus configuration.
Configure Nessus Daemons
To enable certificate authentication on the Nessus server, the force_pubkey_auth setting must be enabled. Once enabled, logging in to the Nessus server can only be done with SSL certificates. Username and password login will be disabled.
Appendix 4: Using a Custom SSL Certificate SecurityCenter ships with its own default SSL certificate; however, in many cases it is desirable to obtain a custom SSL certificate for enhanced security. In the example below, two certificate files were received from the CA: “host.crt” and “host.key”. These file names will vary depending on the CA used. The custom certificate email address must not be “SecurityCenter@SecurityCenter” or subsequent upgrades will not retain the new certificate.
Appendix 5: Offline SecurityCenter Plugin Updates
Nessus
1. If not already in place, install a Nessus scanner on the same host as SecurityCenter. It does not need to be started or used though.
2. Run this command and save the challenge string:
# /opt/nessus/bin/nessus-fetch --challenge
3. Go to https://plugins-customers.nessus.org/offline.php.
4. Take the challenge string from Step 2 and your Activation Code, and place those values in the appropriate fields on the web page. Click the “Submit” button.
5.
Appendix 6: Configuring LDAP with Multiple Organizational Units
Tenable’s SecurityCenter LDAP configuration does not currently support the direct addition of multiple Organizational Units (OUs) in the LDAP configuration screen. Two deployment options are possible for those with multiple OUs:
Option 1 (Preferred)
Add a container (i.e., Group) only for SecurityCenter users and allow existing Active Directory users to become members of the newly created group.
c. Log out as the admin user and then log in as the organizational user who will be managing the user in question. d.
Option 2
Use a high level “Search Base” in the LDAP configuration. For example:
DC=devlab,DC=domain,DC=com
The example above could be used along with a “Search String” for global usage. This search string, when used in the configuration, will apply to all LDAP searches.
memberOf=CN=nested1,OU=cftest1,DC=devlab,DC=domain,DC=com
This field is currently limited to 128 characters; we will extend the viewable window and increase the allowed length going forward.
Option 2 Example
Step One:
a.
Choose LDAP:
Appendix 7: Configuring SecurityCenter and the LCE for Audit Data Selection SecurityCenter can be configured in conjunction with the LCE to provide for the selection of audit data to be viewed through the Raw Syslog Data section of SecurityCenter’s Analysis Tool. To accomplish this, SecurityCenter admin logs must be configured to be sent to an LCE server via an LCE client.
# ls -la tenable_sc4_logs.prm
-rwxr-x--- 1 lce lce 17191 Oct 17 14:40 tenable_sc4_logs.prm
As a user with permissions to manipulate files in this directory, such as ‘root’ or ‘lce’, copy the tenable_sc4_logs.prm file to a file with a similar but new name:
# cp tenable_sc4_logs.prm tenable_sc4_audit_logs.prm
Open the new file in a text editor to make the changes described below.
After ownership and permissions are set, restart the “lce” service:
# service lce restart
To view the current selection and/or de-selection of auditable events through the new PRM file, log into SecurityCenter as an Organization Head (you may wish to create a new unique Organization Head account specifically for this function).
About Tenable Network Security Tenable Network Security, the leader in Unified Security Monitoring, is the source of the Nessus vulnerability scanner and the creator of enterprise-class, agentless solutions for the continuous monitoring of vulnerabilities, configuration weaknesses, data leakage, log management, and compromise detection to help ensure network security and FDCC, FISMA, SANS CAG, and PCI compliance.