You choose an option profile with compliance scan settings every time you start a compliance scan. The profile defines the settings you want to use.
Tell me about Optimized Agent Data Processing for Policies Setup |
Tell me about Instance Data Collection using OS-based Authentication Records |
Make it global. Global profiles created by Managers are made available to all users in the subscription. Global profiles created by Unit Managers are made available to all users in their business unit. If a user has permission to create option profiles, then the user also has permission to save personal copies of global profiles published by their Managers in order to use them as a base-line for new option profiles.
The user who creates a profile is set as the initial owner. Managers and Unit Managers can edit a profile in order to change the owner. The possible assignees listed in the Owner menu depends on the global status of the profile, the role of the manager making the change, and the current owner's role and business unit. Only users with the manage compliance permission can own the profile.
Global Option ProfileGlobal Option Profile
Global option profiles may be owned by Managers and Unit Managers.
User Taking Action |
Current Owner |
Possible New Owner |
Manager |
Manager in the Unassigned business unit |
Manager in the Unassigned business unit |
Manager |
Unit Manager in a custom business unit |
Manager in the Unassigned business
unit |
Unit Manager |
Unit Manager in a custom business unit |
Unit Manager in the same business unit as the current owner |
Non-Global Option ProfileNon-Global Option Profile
Non-global option profiles may be owned by Managers, Unit Managers and Scanners.
User Taking Action |
Current Owner |
Possible New Owner |
Manager |
Manager or Scanner in the Unassigned business unit |
Manager or Scanner in the Unassigned business unit |
Manager |
Unit Manager or Scanner in a custom business unit |
Manager in the Unassigned business
unit |
Unit Manager |
Unit Manager or Scanner in a custom business unit |
Unit Manager or Scanner in the same business unit as the current owner |
Conflicts with Scheduled TasksConflicts with Scheduled Tasks
Changing the option profile owner may lead to conflicts with scheduled tasks. Conflicts occur when an option profile is no longer available to the owner of a scheduled task in which the option profile is selected.
After you save the option profile with the new owner, a confirmation page appears with messages to assist you in resolving conflicts with scheduled tasks. Click the View Report button to view a list of scheduled tasks affected by the change. Then edit each scheduled task to change the option profile selection. If the scheduled task is left without a valid option profile before the next scheduled run time, then the scheduled task is automatically deactivated and the task owner is notified by email.
Tip: If you're changing the owner to a Manager or Unit Manager, then you may consider making the option profile global before making the change. This way you can avoid conflicts and allow users to continue using the profile.
We perform a targeted scan by default, which means we scan a smaller set of ports than the standard ports list. This is the recommended setting, and it is the initial setting for a new compliance profile.
Which ports are included in a targeted scan?Which ports are included in a targeted scan?
For Unix hosts, these well known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on these well known ports for the hosts you will be scanning, select this option and define a custom ports list in the Unix authentication record. Note: The actual ports scanned also depends on the Ports setting in the Unix authentication record.
For Windows hosts, the service scans a fixed set of required Windows ports (a service defined, internal list).
Which ports are included in a standard scan?Which ports are included in a standard scan?
A standard scan includes these well known ports: 22 (SSH), 23 (telnet) and 513 (rlogin). For Unix hosts, any custom ports specified in the Unix authentication record are also scanned.
Does this setting apply to all technologies?Does this setting apply to all technologies?
No. The Ports setting applies to Unix and Windows scans only. This setting does not apply to Oracle, MS SQL and SNMP. For Oracle and MS SQL, we always scan the ports defined in the corresponding authentication records.
Select ports for host discoverySelect ports for host discovery
Go to the Additional section to select which probes are sent and which ports are scanned during host discovery. The service pings every target host using ICMP, TCP, and UDP probes and then analyzes the packets sent in response to determine which hosts are "alive". By changing the default settings the service may not detect all live hosts and hosts that go undetected cannot be scanned for vulnerabilities. These settings should only be customized under special circumstances. For example, to add ports that are not included in the Standard port list, remove probes that will trigger your firewall/IDS, or only discover live hosts that respond to an ICMP ping.
When you run a compliance scan we scan for all controls in the controls list (except special control types listed in Control Types section - you must explicitly select these). The Scan by Policy option allows you to restrict your scans to the controls in selected policies. You can choose up to 20 policies, one policy at a time. Once you've selected a policy, all controls in that policy will be scanned including any special control types in the policy. This is regardless of the Control Types settings in the profile.
What if I add more controls to my policy?What if I add more controls to my policy?
If you have configured the Scan by Policy setting then be sure to launch another scan after adding new controls to selected policies. This is needed to collect scan data for all controls in the policy including the new ones.
Note: The System Authentication section is not visible in the compliance profile for subscriptions with SCA only. Your subscription must have PC and PC Agent enabled to use this feature.
Allow the system to create authentication records automatically using the scan data discovered for running instances. Then choose whether to include system created authentication records in scans. Learn about instance discovery and system authentication records
If you've created File Integrity Check controls with the option "Use scan data as expected value" enabled then you'll want to choose "Auto Update expected value" in the profile. This allows us to automatically update the control value after a valid file change. Be sure to also select "File Integrity Monitoring controls enabled" under Control Types in the profile. Learn more
These special control types require additional steps to set up. For example, to perform file integrity monitoring you must add user defined controls that specify the files you want to track.
Select each control type you want to include in the scan:
File Integrity MonitoringFile Integrity Monitoring
Select to perform file integrity monitoring based on user defined file integrity checks. A file integrity check is a user defined control that checks for changes to a specific file. See File Integrity Check (Windows) and File Integrity Check (Unix).
Custom WMI Query ChecksCustom WMI Query Checks
Select to run Windows WMI query checks. When enabled, WMI query checks will be performed for user defined WMI Query Check controls. Learn more
If you have configured the Scan by Policy setting and your policy has these special control types included, then they will be scanned automatically. For control types that require the Dissolvable Agent this must be selected in your subscription in order to be scanned.
The Dissolvable Agent (Agent) is required for certain scan features (like Password Auditing, Windows Share Enumeration and Windows Directory Search). It must be accepted for the subscription - a Manager can do it by going to Scans > Setup > Dissolvable Agent. Once a Manager accepts any user with scan permissions can enable the dissolvable agent for their scans - you just configure the option profile and select "Enable the Dissolvable Agent". How does it work? At scan time, the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from target systems.
This option profile setting option allows you to remove compliance scan data for hosts that are not found alive. A dead host is unreachable—it didn't respond to any of our pings. Typically, you would want to avoid reporting dead hosts, which can inflate your compliance detection data.
Configure this option in your Compliance Profile to set a number of Policy Compliance scans, after which the data should be removed. When configured, we remove compliance scan data associated with dead hosts after a set number of scans. This helps to get the compliance report only on the active/ live hosts.
Note: The valid range to set a number of Policy Compliance scans after which the data should be removed is 1 to 99.
Use Password Auditing to check for service provided password auditing controls (control IDs 3893, 3894 and 3895). These controls are used to identify 1) user accounts with empty passwords, 2) user accounts with the password equal to the user name, and 3) user accounts with passwords equal to an entry in a user-defined password dictionary. Learn more
Use Windows Share Enumeration to find Windows shares that are readable by everyone, and report details about them like the number of files for each share on each host (Control ID 4528) and whether the files are writable. This is good for identifying groups of files that may need tighter access control. Please make sure a Windows authentication record is defined for the hosts you want to scan. Learn more
Select this option if you've set up Windows Directory Search controls and want to include them in the scan. This custom control allows you to search for files/directories based on various criteria like file name and user access permissions. Learn more
A performance level of Normal is selected initially. This is recommended for most cases. Click Configure to change the individual settings or to select a different performance level. To customize the settings, choose the Custom level. Want to know more about the individual settings? Learn more
If you want to ignore certain packets enable packet options in the Additional section:
Ignore RST packetsIgnore RST packets
Some filtering devices, such as firewalls, may cause a host to appear "alive" when it isn't by sending TCP Reset packets using the host's IP address. When enabled, all TCP Reset packets are ignored for scan tasks and TCP Reset packets generated by one or more filtering devices are ignored for map tasks. In other words, hosts will not be detected as being "alive" if the only responses from them are TCP Reset packets that seem to have originated from a filtering device.
Ignore firewall-generated SYN-ACK packetsIgnore firewall-generated SYN-ACK packets
Some filtering devices, such as firewalls, may cause a host to appear "alive" when it isn't by sending TCP SYN-ACK packets using the host's IP address. When enabled, we attempt to determine if TCP SYN-ACK packets are generated by a filtering device and ignore all SYN-ACK packets that appear to originate from such devices.
Some firewalls are configured to log an event when out of state TCP packets are received. Out of state TCP packets are not SYN packets and do not belong to an existing TCP session. If your firewall is configured in this manner and you do not want such events logged, then you can enable this option to suppress the service from sending out of state ACK and SYN-ACK packets during host discovery for map and scan tasks. If you enable this option and you also enable the "Perform 3-way handshake" option in the Scan section of your profile, then the "Perform 3-way handshake" option takes precedence and this option is ignored.
If our scan triggers your IDS, then it will likely be firewalled and we won't be able to continue our search for vulnerabilities on your network. Therefore, we need to know which IPs you have protected and which ports are blocked. Go to the Blocked Resources section and select the ports that are blocked and IP addresses that are protected by your firewall/IDS.
Other options to considerOther options to consider
1) Add hosts that you don't want scanned to the global excluded hosts list under Scans > Setup > Excluded Hosts.
2) Add our scanner IP addresses to the allow list or exception list in your firewall/IDS configuration. You can view a current list of IP addresses for our cloud external scanners on the About page (Help > About). Refer to your firewall/IDS documentation for specific details on how to configure an exceptions list.
3) Are you using Watchguard? If yes, add our scanner IP addresses to the "Blocked Sites Exception" list. This list is configured in the System Configuration for the WatchGuard Firebox Vclass series, and in the Policy Manager for the WatchGuard Firebox System series. Note: The "WatchGuard default blocked ports" option is only applicable to the WatchGuard Firebox System series. Setting this option is not necessary if you added our scanner IP addresses to the WatchGuard exception list.
You can set a limit on the number of rows to be returned per scan for the user defined database controls. The default value for MS SQL Database checks is 256 rows and for Oracle Database checks is 5000 rows.
(This option is available only for PC Agents.) To enhance data processing you can choose to store only information collected by the cloud agent scan that is required to process the account’s applicable policies. From the PC application, navigate to Users > Setup > Optimized CA Data Processing and enable the Optimize Agent Data Processing for Policies option. Once enabled, we'll only consider the information collected for controls that are relevant to the policies in your subscription. If new controls are added to a policy, then you won't have data available immediately. You’ll need to wait until the next agent scan to collect and process data for those controls. Only Managers can enable or disable this option.
On the Instance Data Collection tab, you can select the database technologies as well as other OS-based applications and technologies for which you want to enable data collection without creating an authentication record for respective technologies. Data collection for the selected technologies happens on host assets by using the underlying OS authentication records.
In case of database technologies, only OS-dependent database controls are used in data collection and evaluation. To see the list of available OS-dependent database controls, go to Policies > Controls > Search and then, in the Search dialog box, select the Instance Data Collection box for DB OS CIDs. The search returns OS-dependent database controls that are system-defined and supported by Scanner.
Databases
To select the database technologies, first select the Databases box. Currently, we support the following databases in this feature.
- IBM DB2
- InformixDB
- MongoDB
- Microsoft SQL Server (MS SQL)
- MySQL
- Neo4j
- Oracle
- Pivotal Greenplum
- PostgreSQL
- Sybase / SAP ASE
For data collection on IBM DB2 instances, you can use your UNIX (with Sudo as root delegation) or Windows authentication record depending on the host operating system.
For data collection on IBM Informix, MongoDB, MySQL, Neo4j, Oracle, Pivotal Greenplum, PostgreSQL, and Sybase / SAP ASE instances, you need a UNIX authentication record (with sudo or dzdo as root delegation).
For data collection on MS SQL instances, you need a Windows authentication record.
Note: If you are using database authentication records for compliance scans already, we recommend that you do not enable this option. Because if you enable it, you will see duplicate results in your compliance reports, one by using database authentication records and the other by using OS-based authentication records. This functionality is useful in a scenario where you have a team responsible for compliance assessment of host operating systems, which does not have access to database authentication records. In this case, if they want to scan database instances running on host assets, they can go ahead by using OS-based authentication records.
Applications and Other Technologies
To select OS-based applications and other technologies, first select the Applications and Other Technologies box.
Currently, we support the following applications and technologies in this feature:
- Red Hat OpenShift Container Platform
- Oracle JRE
- IBM WebSphere Liberty
- Verint Financial Compliance
For data collection on Oracle JRE instances, you need UNIX authentication record (with Sudo as root delegation) or Windows authentication record depending on the host operating system.
For data collection on Red Hat Openshift Container Platform and IBM WebSphere Liberty instances, you need a Unix authentication record (with sudo or dzdo as root delegation).
For the supported versions of databases as well as OS-based applications and other technologies, see Authentication Technologies Matrix.
Some of these technologies are auto-discovered by Cloud Agents for Policy Compliance (PC). For the most current list of middleware technologies auto-discovered by Cloud Agent, please refer to this article: Middleware Technologies Auto-discovered by Cloud Agents for PC