Task: CPE-based Policy Checks

CPE stands for Common Product Enumeration. It is a structured naming scheme for information technology systems, platforms, and packages.

In other words: CPE provides a unique identifier for virtually any software product for which a vulnerability is known.

The CPE dictionary is maintained by MITRE and NIST. MITRE also maintains CVE (Common Vulnerability Enumeration) and other relevant security standards.

CPE-based, simple checks for security policies

With every executed scan, the CPEs of the identified products are stored. This happens regardless of whether the product actually reveals a security problem or not.

On this basis it is possible to describe simple security policies and the checks for compliance with these.

With the Greenbone Security Manager it is possible to describe policies to check for the presence as well as for the absence of a product. These cases can be associated with a severity to appear in the scan report.

Finding problematic products

This example demonstrates how the presence of a certain product in an IT infrastructure is classified as a severe problem and reported as such.

  1. The information about whether a certain product is present on the target system is gathered by a single Network Vulnerability Test (NVT) or, independently of each other, by several special NVTs.

    This means that for a certain product you can specify an optimized scan configuration that only concentrates on this product and does not do any other scan activity.

    The advantage of such a special scan configuration is a considerably faster execution of the scan compared to a comprehensive scan configuration such as "Full and Fast".

    The disadvantage of a special scan configuration is that some experience is required to select the right set of NVTs to maximize the probability of success.

    Initially it is easier to apply a comprehensive scan configuration. In this case you do not need to know anything about the nature of the product; you just enter its CPE identifier.

    This example follows the simple approach. First, a copy of "Full and Fast" is created. This is necessary because "Full and Fast" is a pre-configured scan configuration and thus cannot be modified.

  2. Edit the newly created scan configuration by clicking on its edit icon.

  3. On the overview page for this scan configuration you will find a section "Network Vulnerability Test Preferences". Here, all NVTs that allow special configuration are listed. With the edit icon next to an entry you can jump directly to the edit dialog for that specific NVT. This short-cut avoids having to click through the family structures to get to the desired NVT.

  4. You can either specify a single CPE directly (in this example Internet Explorer 7) or enter a list of CPEs separated by semicolons.

    In this example the NVT is configured to issue severity "High" when one of the listed CPEs is present.

    Confirm your changes with "Save Config".

  5. If detection efficiency should be increased by applying local security checks, remote access has to be configured via the "Credentials" feature. If not done yet, create a corresponding user account on the Windows systems (a low-privileged user account is sufficient).

  6. Define the target systems (targets) and, if applicable, choose the respective credentials.

  7. Now you can create the actual task. This means to combine the newly created scan configuration with the newly created targets.

  8. The scan is started by clicking on the start icon of the respective task. It can take a while for the scan to complete. To update the view with the current progress, click on the refresh icon.

  9. As soon as the status changes to "Done" the complete report is available. At any time you can review the intermediate results.

    To only show the results of the CPE-based policy checks, you can apply a suitable filter (search text "cpe" and, in this example, Threat category "High").

  10. In this example Internet Explorer 7 was found on one of the target systems and reported as a severe problem.

Detecting absence of important products

This example shows how the absence of a certain product in your IT infrastructure is defined as a severe problem and reported as such.

  1. Execute steps 1 to 3 of the above described method for finding problematic products.

    Note that when choosing a general scan like "Full and Fast", both cases are treated the same: presence of the product as a running service and presence of the product on a hard drive.

    This essentially means that if you want to ensure the desired product indeed runs as a service, you should avoid running NVTs that only check for its presence on the file system or in the registry. If you don't want to go into such details right now, you still have the option to look into the report details in order to check for false positives and false negatives.

  2. This time, the configuration of "CPE-based Policy Check" sets severity to "High" upon missing Norton Antivirus.

  3. If the mere presence of the product (as installed files, not as a running service) is what should be checked, apply local security checks by configuring remote access via the "Credentials" feature. If not done yet, create a corresponding user account on the Windows systems (a low-privileged user account is sufficient).

    When you search for active network services, this usually does not make sense and rather produces false positives.

  4. Define the target systems (targets) and, if applicable, choose the respective credentials.

  5. Now you can create the actual task. This means to combine the newly created scan configuration with the newly created targets.

  6. The scan is started by clicking on the start icon of the respective task. It can take a while for the scan to complete. To update the view with the current progress, click on the refresh icon.

  7. As soon as the status changes to "Done" the complete report is available. At any time you can review the intermediate results.

    To only show the results of the CPE-based policy checks, you can apply a suitable filter (search text "cpe" and, in this example, Threat category "High").

  8. In this example Norton Antivirus was not found on one of the target systems.
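Both procedures on this page (reporting a problematic product that is present, and reporting an important product that is absent) are the same check with the policy inverted. The following stand-alone Python model, added here as an illustration and not Greenbone's own code, shows that logic end to end: it takes the semicolon-separated CPE list from the NVT preference, compares it against the CPEs a scan has stored per host, and emits findings with the configured severity, which are then narrowed down the way the report filter (search text "cpe", severity "High") does. It assumes CPE 2.2 URI names (`cpe:/<part>:<vendor>:<product>:<version>...`) and the CPE 2.2 rule that components omitted from a name act as wildcards; the hosts and detected CPEs are constructed sample data, and the function names are the example's own.

```python
"""Minimal model of a CPE-based policy check (added example, not Greenbone code).

Assumes CPE 2.2 URIs as stored by the scanner and the semicolon-separated
CPE list entered in the NVT preference. All host data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: CPEs the scanner stored per host after a "Full and Fast" scan.
DETECTED_CPES = {
    "192.0.2.10": [
        "cpe:/o:microsoft:windows_7",
        "cpe:/a:microsoft:ie:7",
        "cpe:/a:symantec:norton_antivirus:2012",
    ],
    "192.0.2.11": [
        "cpe:/o:microsoft:windows_7",
        "cpe:/a:microsoft:ie:9",
    ],
}


def parse_cpe(cpe: str) -> list[str]:
    """Split a CPE 2.2 URI into its components: part, vendor, product, version, ..."""
    if not cpe.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe!r}")
    return cpe[len("cpe:/"):].split(":")


def cpe_matches(policy_cpe: str, detected_cpe: str) -> bool:
    """True when every component given in the policy name equals the detected one.

    Components the policy omits act as wildcards (CPE 2.2 semantics), so
    'cpe:/a:microsoft:ie' matches every IE version, while
    'cpe:/a:microsoft:ie:7' matches only version 7.
    """
    policy = parse_cpe(policy_cpe)
    detected = parse_cpe(detected_cpe)
    if len(policy) > len(detected):
        return False  # policy is more specific than what was detected
    return all(p == d for p, d in zip(policy, detected))


@dataclass(frozen=True)
class Finding:
    host: str
    policy_cpe: str
    severity: str
    message: str


def check_policy(detected_by_host: dict, cpe_list: str, mode: str,
                 severity: str = "High") -> list[Finding]:
    """Evaluate the policy for every host.

    cpe_list: semicolon-separated CPEs, exactly as typed into the NVT preference.
    mode:     'present' reports hosts where a listed CPE was found
              (problematic product); 'absent' reports hosts where it was not
              found (missing important product).
    """
    if mode not in ("present", "absent"):
        raise ValueError("mode must be 'present' or 'absent'")
    policy_cpes = [c.strip() for c in cpe_list.split(";") if c.strip()]
    findings: list[Finding] = []
    for host, detected in detected_by_host.items():
        for policy_cpe in policy_cpes:
            hits = [d for d in detected if cpe_matches(policy_cpe, d)]
            if mode == "present" and hits:
                findings.append(Finding(host, policy_cpe, severity,
                                        f"CPE policy violation: {hits[0]} is present"))
            elif mode == "absent" and not hits:
                findings.append(Finding(host, policy_cpe, severity,
                                        f"CPE policy violation: {policy_cpe} is missing"))
    return findings


def filter_report(findings: list[Finding], search_text: str = "cpe",
                  severity: str = "High") -> list[Finding]:
    """Mimic the report filter: keep findings with the given severity whose text
    contains the search text (case-insensitive)."""
    needle = search_text.lower()
    return [f for f in findings
            if f.severity == severity and needle in f"{f.policy_cpe} {f.message}".lower()]


if __name__ == "__main__":
    # Example 1 on this page: Internet Explorer 7 present is a severe problem.
    for f in filter_report(check_policy(DETECTED_CPES, "cpe:/a:microsoft:ie:7", "present")):
        print(f.host, f.severity, f.message)
    # Example 2 on this page: Norton Antivirus missing is a severe problem.
    for f in filter_report(check_policy(DETECTED_CPES, "cpe:/a:symantec:norton_antivirus", "absent")):
        print(f.host, f.severity, f.message)
```

Run as-is, the first check reports host 192.0.2.10 (IE 7 present) and the second reports host 192.0.2.11 (Norton Antivirus missing). The wildcard behaviour of omitted components is the reason the absence policy is written without a version: a policy of `cpe:/a:symantec:norton_antivirus:2012` would also flag hosts that run a newer version.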