Abit License Scanner Installation Guide

Browse online or download the installation guide for the Abit License Scanner software.


Content summary

Page 1 - Administration Guide

SecurityCenter 4.6 Administration Guide April 11, 2013 (Revision 5)

Page 2 - Table of Contents

10 To view currently used IPs in your license, log into SecurityCenter as the “admin” user and go to “Repositories” -> “Repositories”. Hover the

Page 3

100 Creating and Deploying SSL Authentication for Nessus An example SSL Certificate configuration for Nessus to SecurityCenter authentication is inc

Page 4

101 # /opt/nessus/sbin/nessus-mkcert-client Do you want to register the users in the Nessus server as soon as you create their certificates ? [n]: y

Page 5 - Introduction

102 # cd /tmp/nessus-043c22b5 # cat cert_paul.pem key_paul.pem > nessuscert.pem The nessuscert.pem file will be used when configuring the Nessu

Page 6 - Abbreviations

103 Using Custom Certificates During an upgrade, SecurityCenter will check for the presence of custom SSL certificates. If certificates are found an

Page 7

104 C:\Program Files\Tenable\Nessus\nessus\CA\servercert.pem This is the public certificate for the Nessus server that is sent in response to a CSR.

Page 8

105 Next, create the user ID for the Nessus client, which is SecurityCenter in this case, to log in to the Nessus server with, key and certificate.

Page 9 - System Configuration

106 The certificates created contain the username entered previously, in this case “admin”, and are located in the directory as listed in the examp

Page 10

107 The nessuscert.pem file will be used when configuring the Nessus scanner on SecurityCenter. This file needs to be copied to somewhere accessibl

Page 11

108 Appendix 4: Using a Custom SSL Certificate SecurityCenter ships with its own default SSL certificate; however, in many cases it is desirable to

Page 12

109 Appendix 5: Offline SecurityCenter Plugin Updates Nessus 1. If not already in place, install a Nessus scanner on the same host as SecurityCente

Page 13 - Expiration

11 LDAP If LDAP authentication is to be used, it is recommended to leave at least one SecurityCenter administrator account and one manager account

Page 14 - Authentication

110 Appendix 6: Configuring LDAP with Multiple Organizational Units Tenable’s SecurityCenter LDAP configuration does not currently support the direc

Page 15

111 c. Log out as the admin user and then log in as the organizational user who will be managing the user in question. d. Create the new user and

Page 16 - Reporting/Scanning

112 Option 2 Use a high level “Search Base” in the LDAP configuration. For example: DC=devlab,DC=domain,DC=com The example above could be used along

Page 17 - Miscellaneous

113 Choose LDAP:

Page 18 - Diagnostics

114 Appendix 7: Configuring SecurityCenter and the LCE for Audit Data Selection SecurityCenter can be configured in conjunction with the LCE to prov

Page 19 - Preferences

115 # ls -la tenable_sc4_logs.prm -rwxr-x--- 1 lce lce 17191 Oct 17 14:40 tenable_sc4_logs.prm As a user with permissions to manipulate files in thi

Page 20

116 After ownership and permissions are set, restart the “lce” service: # service lce restart To view the current selection and/or de-selection of a

Page 21 - Publishing Sites

117 About Tenable Network Security Tenable Network Security, the leader in Unified Security Monitoring, is the source of the Nessus vulnerability sc

Page 22

12 It is recommended to use passwords that meet stringent length and complexity requirements. Server Directory Server Enter the IP address or DNS

Page 23

13 Expiration Data expiration determines how long SecurityCenter retains acquired data. Use the table below to determine default and minimum values

Page 24

14 Update The SecurityCenter update settings are used to determine the update schedule for the common tasks of Active and Passive plugin updates, I

Page 25

15 Use the table below to determine correct values for your environment: Table 4 – SecurityCenter Authentication Settings Option Description Sessio

Page 26

16 Classification Type Adds a header and footer banner to SecurityCenter to indicate the classification of the data accessible via the software. Cur

Page 27 - Resource Management

17 typically used only by select groups and organizations for specific needs that do not apply to many organizations. The ability to enable or disab

Page 28 - Adding a Nessus Scanner

18 The Notifications field defines the SecurityCenter web address used when notifications are generated for alerts and tickets. Diagnostics On the u

Page 29

19 the “Diagnostics File Chapters” selected. If selected, the “Sanitize” option will remove IP addresses from the log files before generating the di

Page 30

2 Table of Contents Introduction ...

Page 31

20 Keys On the upper right-hand of the SecurityCenter web interface, the System option contains a drop-down that includes a Keys section. Keys allo

Page 32 - Scan Zones

21 Clicking on “Add” brings up the dialog box below: In the “Type” drop-down, select DSA or RSA as the key type. In the “Comment” box, enter a stri

Page 33

22 Configuring the publishing sites starts with clicking the “Add” button to open the “Add Publishing Site” window as shown below: Table 6 – Publis

Page 34

23 SSL Client Certificate Authentication SecurityCenter 4.6 allows users to use SSL client certificate authentication. This allows use of SSL clien

Page 35 - Log Correlation Engines

24 Connect with SSL Certificate Enabled Browser The following information is provided with the understanding that your browser is configured for S

Page 36

25 Only one SecurityCenter user may be associated with a single certificate. If one user holds multiple user names and roles, a unique certificate

Page 37 - Table 9 – LCE Options

26 8. If a new certificate is available the next time the user logs in, SecurityCenter will again attempt to associate the user with the certifica

Page 38

27 Next, SecurityCenter’s /opt/sc4/support/conf/cosign.conf must be edited for the correct settings for your environment. In the following example,

Page 39

28 Managed A “Managed” scanner is one that is managed by SecurityCenter. Managed scanners are logged into using Nessus admin credentials, and Securi

Page 40 - Data Management

29 The table below goes into more detail about the available options for adding a Nessus scanner: Table 8 – Nessus Scanner Options Option Descriptio

Page 41 - Local Repository

3 User Management ... 48 O

Page 42 - Remote Repository

30 # service SecurityCenter restart After SecurityCenter has been configured with the proper CA certificate(s), the Verify Hostname will verify the

Page 43

31 To add a Nessus Perimeter Service scanner to SecurityCenter, a valid and active Nessus Perimeter Service subscription must be used. In SecurityCe

Page 44 - Offline Repository

32 Nessus Scanner Details When the “Detail” button is clicked, information about the selected scanner is displayed. The information includes the ba

Page 45

33 When in “selectable” mode, at scan time, the zones associated with the Organization and “default” are available to the user. When a scan is confi

Page 46 - Accept Risk Rules

34 PVS records its detected vulnerabilities to a .nsr or .nessus, file(s), depending on the configuration of the PVS. When used with SecurityCenter

Page 47 - Recast Risk Rules

35 Log Correlation Engines Tenable’s Log Correlation Engine (LCE) is a software module that aggregates, normalizes, correlates, and analyzes event

Page 48 - User Management

36 To configure LCE servers, select “Log Correlation Engines” under the “Resources” tab. A screen will be displayed similar to the following: Click

Page 49 - Table 13 – Basic Options

37 Table 9 – LCE Options Option Description Name Name used to describe the Log Correlation Engine. Description Descriptive text for the Log Correlat

Page 50 - Table 14 – Scanning Options

38 Note that configured clients prior to version 4.x are displayed on the list without OS and policy information. However, these clients cannot hav

Page 51 - Table 15 – Analysis Options

39 “Import” allows customized LCE Client policy files to be added to the LCE server and made available for use. The prefix field is appended to the

Page 52

4 ChartDirector Version 5.0...

Page 53

40 Once a policy has been selected for use with the chosen client, click the “Assign” button to associate the policy file with the client. When the

Page 54

41 When creating SecurityCenter repositories, LCE event source IP ranges must be included along with the vulnerability IP ranges or the event data

Page 55 - Support

42 Table 10 – Local Repository Options Option Description Name The repository name. Description Descriptive text for the repository. Type Local IP V

Page 56 - Credentials

43 Table 11 – Remote Repository Options Option Description Name The repository name. Description Descriptive text for the repository. Type Remote Re

Page 57 - Scan Policies

44 To share data, enter the IP address of the remote SecurityCenter in the “Host” field and click “Retrieve Repositories”. If a key for the curre

Page 58 - Add a Scan Policy

45 Type Offline IP Version Determines if the repository will store IPv4 or IPv6 results. SecurityCenter repositories cannot store a mix of IPv4 and

Page 59 - Table 19 – Scan Options

46 When importing the repository archive, the default maximum file import size is 160MB. This is specified by the “post_max_size” directive in /opt

Page 60

47 After clicking “Delete”, click the “Apply Rules” button in the top left for the changes to take effect. Once completed, any vulnerabilities that

Page 61

48 After clicking “Delete”, click the “Apply Rules” button in the top left for the changes to take effect. Once completed, any vulnerabilities that

Page 62

49 In Organization A, the Org Head user has control over all Users and Managers in Organization A. Manager 1 similarly has control over all Users an

Page 63 - Table 24 – Plugin Options

5 Introduction This document describes the administrative functions of Tenable Network Security’s SecurityCenter 4.6. Since many of Tenable’s custom

Page 64 - Table 25 – Database Settings

50 Address Organization address City Organization city State Organization state Country Organization country Phone Organizational telephone number

Page 65

51 The following table describes the options available on the “Analysis” tab. Table 15 – Analysis Options Option Description Accessible LCEs LCE(s

Page 66

52 repository. Likewise, choose “Organization Head” if only the Organization Head will have access. Choose “Existing Users” to maintain the current

Page 67

53 This link is useful for organizations that want to reference an internal web page with IP specific information. For example, an analyst may nee

Page 68

54 their account until an administrator unlocks them. This option is only available once the Organization Head user is created. Authentication In

Page 69

55 Support Audit Files The Nessus vulnerability scanner includes the ability to perform compliance audits of numerous platforms including databases,

Page 70

56 File An interface that allows you to browse your local system or file shares for the audit file Once an audit file has been uploaded, it can be

Page 71

57 • SNMP community string – Enter the SNMP community string used for authentication. • Kerberos – The Kerberos IP, Port, Protocol, and Realm are

Page 72

58 Add a Scan Policy Clicking “Add” opens the following screen, which is used to configure the new scan policy. Four tabs are displayed including: •

Page 73 - Table 32 – SMTP Settings

59 Type Family or Plugin. If “Family” is chosen, then when plugin updates occur, new plugins will automatically be enabled for plugin families that

Page 74 - Table 33 – SNMP Settings

6 Abbreviations The following abbreviations are used throughout this documentation: LCE Log Correlation Engine PVS Passive Vulnerability Scanner SC

Page 75

60 for SYN-ACK reply, and then determines port state based on a reply – or lack of. SNMP Scan Direct Nessus to scan targets for a SNMP service. Ness

Page 76

61 example, if the Max Hosts Per Scan is set to 5 and there are five scanners per zone, each scanner will accept five hosts to scan, allowing a tota

Page 77

62 Plugins The “Plugins” tab gives the user the option to customize which plugins are used during the policy’s Nessus scan. Clicking the circle nex

Page 78

63 When a policy is created and saved, it records all of the plugins that are initially selected. When new plugins are received via a plugin feed up

Page 79 - Administrators

64 The Database settings (plugin 33815) options apply to database compliance audits and are used to specify the type of database to be tested, rele

Page 80

65 • SQL Server: 1433 • Informix: 1526 • DB2: 50000 Oracle auth type NORMAL, SYSOPER, and SYSDBA are supported. Depending on the privileges requi

Page 81 - User Access Control

66 Do not log in with user accounts not specified in the policy Used to prevent account lockouts if your password policy is set to lock out accounts

Page 82

67 Table 27 – HTTP Login Page Settings Option Description Login page The base URL to the login page of the application. Login form The “action” par

Page 83 - Job Queue

68 Automated login page search Gives Nessus the option to parse the login page for form options and attempt to log in based on detected fields. This

Page 84 - Table 38 – Filters

69 Malicious Process Detection (plugin 59275) allows you to upload a custom list of MD5 hashes to identify running processes on scanned hosts when

Page 85 - Accessing the Audit Records

7 # service SecurityCenter start To halt SecurityCenter, enter the following command: # service SecurityCenter stop To restart SecurityCenter, enter

Page 86

70 Table 28 – Nessus SYN and TCP Scanner Settings Value Description Automatic (normal) This option can help identify if a firewall is located betwee

Page 87 - Plugins

71 No archive If this option is selected, Nessus will request to not archive the test message being sent to the news server(s). Otherwise, the messa

Page 88 - Upload Plugins

72 Table 30 – Ping the Remote Host Settings Option Description TCP ping destination port(s) Specifies the list of ports that will be checked via TCP

Page 89 - Troubleshooting

73 SMB Use Domain SID to Enumerate Users (plugin 10399) specifies the SID range to use to perform a reverse lookup on usernames on the domain. The d

Page 90 - Reporting does not work

74 Table 33 – SNMP Settings Option Description UDP port Direct Nessus to scan a different port in the event that SNMP is running on a port other th

Page 91 - Cannot add a Nessus server

75 VMware vCenter SOAP API Settings (plugin 63060) provides Nessus with the credentials required to authenticate to VMware vCenter management syste

Page 92 - PVS plugins fail to update

76 The screen capture below is the “Web Application Tests Settings” input page: Table 34 – Web Application Tests Settings Option Description Enable

Page 93

77 “non-attack” variations for additional parameters. For example, Nessus would attempt “/test.php?arg1=XSS&b=1&c=1” where “b” and “c” allow

Page 94

78 URL for Remote File Inclusion During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By defa

Page 95 - ChartDirector Version 5.0

79 Administrators The administrative user can create other administrator users; however, they may only modify the “Basic” fields for the new user be

Page 96 - Nessus Plugins

8 To launch SecurityCenter, bring up a web browser on a system that has access to the SecurityCenter’s network address space and enter the URL in th

Page 97

80 Error creating email notifying user 'test'. Invalid address: noreply@localhost Check the System -> Configuration -> Mail -> R

Page 98

81 1. The Organization Head can add/edit/delete roles, while the Manager cannot. 2. The Organization Head can add users that are the subordinate o

Page 99

82 Create Organization Assets Create assets X X X Create Organization Credentials Create credentials X X X Create Organization Policies Create sca

Page 100

83 Share Credentials Share credentials with other users. X X X Share Dashboard Tabs Share dashboard tabs with other users. X X X Share Policies Sh

Page 101

84 Available fields include Job ID, Type, Obj ID, Status, PID, Organization, Initiator, Start Time, and Targeted Time. This information is not gener

Page 102

85 Accessing the Audit Records To access the user activity data via the web interface, you must be logged into the Security Center console as the ad

Page 103 - Commands and Relevant Files

86 Logs can be searched and filtered by type of SecurityCenter event, event success or event failure by using relevant filters and keywords for eac

Page 104

87 Logs can also be searched and viewed to show errors received from Nessus, the LCE, and the PVS. In the example below, a keyword of “plugin” was u

Page 105

88 Within the Plugins interface, the user has the ability to perform a wide variety of plugin-related functions including updating active, passive a

Page 106

89 After browsing for the plugin archive and uploading it, confirm the plugin type and then click “Add” to extract the plugins to SecurityCenter. S

Page 107

9 Sample SecurityCenter Administrator Dashboard – LCE Overview System Configuration The “System” link at the top right of the SecurityCenter web in

Page 108

90 /dev/sda1 101086 24455 71412 26% /boot tmpfs 1037732 0 1037732 0% /dev/shm # servic

Page 109

91 • Check the lce.conf configuration file at “/opt/lce/daemons/lce.conf” in accordance with the LCE documentation. • Check the individual LCE cli

Page 110 - Option 1 (Preferred)

92 Nessus plugins fail to update • Under “System” and “Configuration” in SecurityCenter, ensure that the Nessus Activation Code is marked as “Valid

Page 111

93 • Ensure that the SecurityCenter host is allowed outbound HTTP(S) connectivity to the PVS Plugin Update Site. • For all other PVS plugin update

Page 112 - Option 2

94 Appendix 1: Non-Tenable License Declarations Below you will find third-party software packages that Tenable provides for use with SecurityCenter

Page 113

95 Tenable Third-Party Licensed Software ChartDirector Version 5.0 ChartDirector Version 5.0.2 Copyright (C) 2009 Advanced Software Engineering Limi

Page 114

96 - You may embed the unmodified trial version of the ChartDirector software (or part of it), in a product and distribute the product, provided you

Page 115

97 Appendix 2: Manual LCE Key Exchange A manual key exchange between SecurityCenter and the LCE is normally not required; however, in some cases whe

Page 116

98 Appendix 3: Nessus SSL Configuration Introduction This section describes how to generate and exchange SSL certificates for the Nessus vulnerabili

Page 117 - Tenable Network Security

99 File Name Created Purpose Where to Copy to /opt/nessus/com/nessus/CA/cacert.pem This is the certificate for the Certificate Authority. If using a
