
Integrate Nessus Vulnerability Scanner/SecurityCenter/Professional EventTracker v8.x and above

Publication Date: November 13, 2018


Integrate Nessus Vulnerability Scanner/SecurityCenter/Professional

EventTracker v8.6 and above

Abstract

This guide helps you configure Nessus Vulnerability Scanner/SecurityCenter/Professional and EventTracker to receive Nessus events. It contains the detailed procedures required for monitoring the Nessus Vulnerability Scanner.

Audience

Administrators who are assigned the task of monitoring and managing Nessus events using EventTracker.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2018 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Abstract

Audience

Overview

Prerequisites

1. Integration of Nessus Vulnerability Scanner/SecurityCenter to EventTracker server

Verify Nessus Vulnerability Scanner Integration in EventTracker

2. Integration of Nessus Professional to EventTracker server

Obtaining Nessus Professional credentials

Sending Nessus Professional logs to EventTracker

Verify Nessus Vulnerability Scanner Integration in EventTracker

Verify generated credential xml

Verify Extended DLA configuration

Verify Task is created in Task Scheduler

EventTracker Knowledge Pack

Categories

Flex Reports

Import Nessus Vulnerability Scanner knowledge pack into EventTracker

Knowledge Objects

Category

Flex Reports

Parsing Rule

Verify Nessus Vulnerability Scanner knowledge pack in EventTracker

Knowledge Objects

Category

Flex Reports

Parsing Rule

Create Flex Dashboards in EventTracker

Schedule Reports

Create Dashlets

Sample Flex Dashboards


Overview

Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. Nessus employs the Nessus Attack Scripting Language (NASL), a simple language that describes individual threats and potential attacks. Nessus has a modular architecture consisting of centralized servers that conduct scanning, and remote clients that allow for administrator interaction.

This guide provides only the procedure to integrate Nessus scan reports into EventTracker. Additionally, it can configure EventTracker to alter the system vulnerability score according to the vulnerability reports.

Prerequisites

EventTracker v8.x should be installed.

Nessus Vulnerability Scanner/SecurityCenter version Nessus 6.X series (Nessus 6.0 – Nessus 6.9.3) or Nessus Professional should be installed.

Windows Version 7 or later should be installed.

The integration script must run on the EventTracker Manager.

1. Integration of Nessus Vulnerability Scanner/SecurityCenter to EventTracker server

Following are the steps to integrate Nessus Vulnerability Scanner/SecurityCenter with EventTracker Manager.

Contact the EventTracker support team to obtain the Nessus Integrator pack.

The Integrator package is provided as a ZIP file.

Extract the provided file to the following location:

<ET_INSTALL_Path>\ScheduledActionScripts\Nessus\

The extracted ZIP file contains the following files:

Figure 1


Double-click Nessus Integrator.bat to start the integration process.

Once clicked, the .bat file starts running and a pop-up window appears, as shown in the image below.

Figure 2

In the pop-up window, enter the Nessus URL that you are accessing and your Nessus Username and Password.

After entering the details, click OK.

After you click OK, an authentication pop-up window appears asking for the administrator username and password for Task Scheduling, as shown below:

Figure 3

Enter your System Username and Password to proceed with the Task Scheduling.

Click OK to continue.


Verify Nessus Vulnerability Scanner Integration in EventTracker

Log in to EventTracker web->Admin->Manager.

Figure 4

Go to the Direct Log Archiver tab and check that the configurations are replicated as shown in the figure below.


Figure 5

Confirm that the configurations are set correctly by clicking the Edit button. The screen below is displayed after you click the Edit button.


Figure 6

Click on Configure to check the Computer Name, Configuration name and system description.


Figure 7

Click on Save & Close.

Now go to Start and open Task Scheduler to confirm whether the scheduling action has been created.

The image below shows the Nessus task that is created for scheduling.


Figure 8

Check that the Task Scheduler is configured correctly with the right conditions to trigger the task, with the specified date and time when it needs to run.

Nessus integration with EventTracker is now complete, and EventTracker can receive Nessus events.

2. Integration of Nessus Professional to EventTracker server

Obtaining Nessus Professional credentials

Log in to the Nessus Professional web console.


Figure 9

Click the Settings tab and choose the My Account option.

Now click the API Keys tab, as shown in the image below.

Figure 10

Now click the Generate button.

The Access Key and Secret Key are now displayed, as shown below:


Figure 11

Make a note of them, as they are required for the rest of the integration process.

Sending Nessus Professional logs to EventTracker

Download and apply the latest KP update from the given link, KP_Update_Link.

Once downloaded, the Nessus integrator package can be found in %ET_INSTALL_PATH%\Knowledge Packs\Nessus Vulnerability Scanner.

The Integrator package is provided as a ZIP file. Extract the files. A folder named NessusProfessional_Script will be present, containing the files shown below.

Extract the files to get the file contents shown in the image below:

Figure 12

Double-click Nessus_Professional_Integrator.bat to start the integration process.

Once clicked, the .bat file starts running and a pop-up window appears, as shown in the image below.


Figure 13

It checks whether the EventTracker Agent and PowerShell version 5.0 or above are installed on the computer where the .bat is running. If the status shows as installed, click Next to proceed; otherwise you will not be able to proceed further.

NOTE: The EventTracker Agent and PowerShell version 5.0 must be installed manually if they are not present.

After you click Next, another pop-up window appears, as shown below.


Figure 14

In the pop-up window that appears, enter the details obtained during configuration, as discussed in the steps above. Once the credentials are entered, click the Finish button, as shown in the figure above.

Figure 15


Please enter your System Username and Password to proceed with the Task Scheduling.

Click OK to continue.

Verify Nessus Vulnerability Scanner Integration in EventTracker

Verify generated credential xml

Once the script run is complete, a Details.xml file is first created within “%ET_INSTALL_PATH%\KnowledgePacks\NessusVulnerabilityScanner\Integrator\NessusProfessional_Scripts”. It contains the details entered in the integrator, stored in an encrypted format. A folder named Nessus_Reports is also created in the same path, as shown below:

Figure 16

Once that is done, folders named Csv_Files and Xml_Files are created within the Nessus_Reports folder.

Figure 17


Within the Csv_Files folder you will find all the Nessus report CSV files, and the XML files within the Xml_Folder, which confirms that the integration succeeded. This is shown below:

Figure 18

Verify Extended DLA configuration

Log in to the EventTracker console.

Go to the Admin dropdown and click the Manager option, as shown below.

Figure 19

Navigate to the Direct Log Archiver tab.

Make sure that a DLA is configured on the XML files, as shown in the image below.


Figure 20

Verify Task is created in Task Scheduler

Go to Start and open Task Scheduler to confirm whether the scheduling action has been created.

The image below shows the Nessus-Scheduler task that is created for scheduling.

Figure 21

Nessus Integration is now completed with EventTracker to receive Nessus Events.
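
The three manual checks above (credential file, report folders, scheduled task) can also be scripted. The following PowerShell is an added example, not part of the EventTracker integrator package: the file, folder and task names are the ones this guide shows, while the `-IntegratorPath` and `-MaxAgeHours` parameters and the ACL and freshness checks are assumptions added here.

```powershell
# Added example (not EventTracker's code): scripted form of the manual checks above.
param(
    # Folder that contains Details.xml; pass the NessusProfessional_Scripts path
    # from your own installation (no default is assumed here).
    [Parameter(Mandatory = $true)][string]$IntegratorPath,
    # Task name as shown in this guide; assumed to sit in the scheduler root folder.
    [string]$TaskName = 'Nessus-Scheduler',
    # Assumption: reports older than this mean the scheduled pull has stopped.
    [int]$MaxAgeHours = 24
)

function Test-NessusIntegration {
    param([string]$Path, [string]$Task, [int]$MaxAge)

    $checks = [ordered]@{}

    # 1. Credential file written by the integrator.
    $details = Join-Path $Path 'Details.xml'
    $checks['Details.xml exists'] = Test-Path -LiteralPath $details -PathType Leaf

    # Details.xml stores the Nessus keys (encrypted), so it should not be
    # accessible to broad groups. Rules are read as SIDs so the comparison
    # does not depend on the Windows display language.
    if ($checks['Details.xml exists']) {
        # Everyone, Authenticated Users, BUILTIN\Users
        $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
        $acl   = Get-Acl -LiteralPath $details
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $loose = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value
        })
        $checks['Details.xml not open to broad groups'] = ($loose.Count -eq 0)
    }

    # 2. Report folders: each must exist, hold at least one file, and the
    #    newest file must be recent enough to show the task is still running.
    $cutoff = (Get-Date).AddHours(-$MaxAge)
    foreach ($sub in 'Csv_Files', 'Xml_Files') {
        $dir    = Join-Path (Join-Path $Path 'Nessus_Reports') $sub
        $newest = $null
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $newest = Get-ChildItem -LiteralPath $dir -File |
                Sort-Object LastWriteTime -Descending |
                Select-Object -First 1
        }
        $hasFiles = ($null -ne $newest)
        $isFresh  = $hasFiles -and ($newest.LastWriteTime -ge $cutoff)
        $checks["$sub has reports"]             = $hasFiles
        $checks["$sub updated within $MaxAge h"] = $isFresh
    }

    # 3. Scheduled task. schtasks.exe is used because it is present on every
    #    Windows version this guide lists; exit code 0 means the task was found.
    & schtasks.exe /Query /TN $Task 2>$null | Out-Null
    $checks["Scheduled task '$Task' exists"] = ($LASTEXITCODE -eq 0)

    return $checks
}

$result = Test-NessusIntegration -Path $IntegratorPath -Task $TaskName -MaxAge $MaxAgeHours
foreach ($name in $result.Keys) {
    $status = if ($result[$name]) { 'OK' } else { 'FAIL' }
    '{0,-45} {1}' -f $name, $status
}

# Non-zero exit code lets a monitoring job alert when any check fails.
if ($result.Values -contains $false) { exit 1 }
```

Run it on the EventTracker Manager, where the integration script and its scheduled task live; a FAIL on the ACL line means the credential file inherits access from a parent folder that broad groups can read.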

EventTracker Knowledge Pack

Once logs are received into EventTracker, categories and reports can be configured in EventTracker. The following Knowledge Packs are available in EventTracker Enterprise to support Windows.

Categories

Nessus-Basic network scan: This category provides details about a basic network scan that is done.


Nessus-Credentialed Patch Audit: This category provides details about the patches that are missing on Windows and UNIX systems, which an attacker can use for exploits.

Nessus-Badlock Detection: This category provides details about all the Badlock instances occurring in the network. Badlock detections can be identified by their CVEs. The Badlock CVEs are as follows: (CVE-2015-5370|CVE-2016-2110|CVE-2016-2111|CVE-2016-2112|CVE-2016-2113|CVE-2016-2114|CVE-2016-2115|CVE-2016-2118|CVE-2016-0128).

Nessus-Bash Shellshock Detection: This category provides details about the vulnerabilities that affect Bash. These vulnerabilities can be identified by their respective CVEs. The Shellshock CVEs are as follows: (CVE-2015-5370|CVE-2016-2110|CVE-2016-2111|CVE-2016-2112|CVE-2016-2113|CVE-2016-2114|CVE-2016-2115|CVE-2016-2118|CVE-2016-0128).

Nessus-Drown Detection: This category provides details about the DROWN attacks that take place in a network. This vulnerability affects the HTTPS services that rely on SSL and TLS. These vulnerabilities can be identified by their respective CVEs. The DROWN CVEs are as follows: (CVE-2016-0702|CVE-2016-0705|CVE-2016-0797|CVE-2016-0798|CVE-2016-0799|CVE-2016-0800).

Nessus-Malware Detection: This category provides details about the malware present on Linux and Windows machines.

Nessus-Host Discovery: This category provides the number of alive hosts and active ports on a network.

Nessus-MDM config audit: This category provides the audit scan result configurations of mobile device managers.

Nessus-Mobile device scan: This category provides details about the scan results of mobile devices that are accessed via Microsoft Exchange or MDM.

Nessus-Offline Config audit: This category provides the audit configurations of network devices.

Nessus-Scap and Oval detection: This category provides details on how to generate SCAP and OVAL content audit scan results.

Nessus-Web application test: This category provides details about the scan results for published and unknown web vulnerabilities.


Flex Reports

1. Nessus-Basic Network Scan: This report provides a full system scan suitable for any host.

Figure 22

Logs Considered:

Figure 23

2. Nessus-Credentialed Patch Audit: This report provides the ways that a host can be authenticated and enumerates missing patch updates.

Figure 24


Logs Considered:

Figure 25

3. Nessus-Badlock Detection: This report covers the Badlock vulnerability for Windows and for Samba, the Linux/Unix application for network file sharing.

Figure 26

Logs Considered:

Figure 27

4. Nessus-Host Discovery: This report provides a simple scan to discover live hosts and open ports.


Figure 28

Logs Considered:

Figure 29

5. Nessus-Malware Detection: This report provides the scan results of malware on Windows and Unix systems.

Figure 30


Logs Considered:

Figure 31

6. Nessus-Bash Shellshock Detection: This report covers the vulnerability that affects Bash, a common component known as a shell that appears in many versions of Linux and UNIX. Bash allows the user to type commands into a simple text-based window, which the operating system then runs.

Figure 32

Logs Considered:

Figure 33


7. Drown Detection: DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security.

Figure 34

Logs Considered:

Figure 35

8. Nessus-MDM Config Audit: This report provides the audit scan result configurations of mobile device managers.

Figure 36


Logs Considered:

Figure 37

9. Nessus-Mobile Device Scan: This report provides scan results of mobile devices that are accessed via Microsoft Exchange or MDM.

Figure 38

Logs Considered:

Figure 39


10. Nessus-Offline Config Audit: This report provides the audit configurations of network devices.

Figure 40

Logs Considered:

Figure 41

11. Nessus-Scap and Oval Auditing: This report provides the SCAP and Oval content audit scan results.


Figure 42

Logs Considered:

Figure 43

12. Nessus-Web Application Test: This report provides the scan results for published and unknown web vulnerabilities.

Figure 44


Logs Considered:

Figure 45

Import Nessus Vulnerability Scanner knowledge pack into EventTracker

NOTE: Import and Export the knowledge pack items in the following sequence:

Knowledge Objects

Categories

Flex Reports

Parsing Rule

Knowledge Objects

1. Log in to EventTracker web->Admin.

2. Click Knowledge objects under Admin option.

3. In the Knowledge Object page, click the “Import” icon.


Figure 46

4. Locate the All Nessus Vulnerability Scanner group of Knowledge object.etko, and then click on Upload.

Figure 47

The below screen gets displayed.


Figure 48

Knowledge objects are imported successfully.

Figure 49

Category

1. Go to EventTracker Control Panel.

2. Double click Export Import Utility.

3. Click the Import tab.

4. Click Category option, and then click the browse button.

5. Locate the All Nessus Vulnerability Scanner group of categories.iscat file, and then click Open button.


Figure 50

6. To import categories, click the Import button.

Figure 51

Flex Reports

1. Click Reports option, and then click the browse button.

2. Locate the All Nessus Vulnerability Scanner group of flex reports.issch file, and then click the Open button.


Figure 52

3. Click the Import button to import the scheduled reports. EventTracker displays success message.

Figure 53

Parsing Rule

1. Click Token Value option, and then click the browse button.

2. Locate the All Nessus Vulnerability Scanner group of Token Value.issch file, and then click the Open button.


Figure 54

4. Click the Import button to import the tokens. EventTracker displays success message.

Figure 55


Verify Nessus Vulnerability Scanner knowledge pack in EventTracker

Knowledge Objects

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Knowledge Objects.

2. In the Knowledge Object tree, expand the Nessus Vulnerability Scanner group folder to see the imported Knowledge objects.

Figure 56

Category

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Categories.

2. In the Category Tree, expand Nessus Vulnerability Scanner group folder to see the imported categories


Figure 57

Flex Reports

1. In the EventTracker Enterprise web interface, click the Reports menu, and then select Configuration.

2. In Reports Configuration pane, select Defined option.

3. In the search box, enter ‘Nessus Vulnerability Scanner’, and then click the Search button.

EventTracker displays the Flex reports of ‘Nessus Vulnerability Scanner’.


Figure 58

Parsing Rule

1. Logon to EventTracker Enterprise web interface.

2. Click the Admin menu, and then click Parsing Rules.


Figure 59

Create Flex Dashboards in EventTracker

NOTE: To configure the flex dashboards, schedule and generate the reports. The Flex dashboard feature is available from EventTracker Enterprise v8.0.

Schedule Reports

1. Open EventTracker in a browser and log on.

Figure 60

2. Navigate to Reports>Configuration.

3. Select Nessus Vulnerability Scanner in report groups. Check Defined dialog box.

Figure 61

4. Click on ‘schedule’ to plan a report for later execution.

5. Click Next button to proceed.

6. In review page, check Persist data in EventVault Explorer option.

Figure 62

7. In the next page, check column names to persist using PERSIST checkboxes beside them. Choose suitable Retention period.

Figure 63

8. Proceed to next step and click Schedule button.

9. Wait till the reports get generated.

Create Dashlets

1. Open EventTracker Enterprise in a browser and log on.

Figure 64

2. Navigate to Dashboard>Flex.

Flex Dashboard pane is shown.

Figure 65

3. Fill suitable title and description and click Save button.

4. Click to configure a new flex dashlet. Widget configuration pane is shown.

Figure 66

5. Locate earlier scheduled report in Data Source dropdown.

6. Select Chart Type from dropdown.

7. Select extent of data to be displayed in Duration dropdown.

8. Select computation type in Value Field Setting dropdown.

9. Select evaluation duration in As Of dropdown.

10. Select comparable values in X Axis with suitable label.

11. Select numeric values in Y Axis with suitable label.

12. Select comparable sequence in Legend.

13. Click Test button to evaluate. Evaluated chart is shown.

Figure 67

14. If satisfied, click Configure button.

Figure 68

15. Click ‘customize’ to locate and choose created dashlet.

16. Click to add dashlet to earlier created dashboard.

Sample Flex Dashboards

For the dashboard below, DATA SOURCE: Nessus-Basic Network Scan

1. Nessus Vulnerability Scanner - Nessus-Basic Network Scan

WIDGET TITLE: Nessus-Basic Network Scan

CHART TYPE: Line

AXIS LABELS [X-AXIS]: CVE

LEGEND [SERIES]: Host

Figure 69

For the dashboard below, DATA SOURCE: Nessus-Credentialed Patch Audit

2. Nessus Vulnerability Scanner - Nessus-Credentialed Patch Audit

WIDGET TITLE: Nessus-Credentialed Patch Audit

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: Description

Figure 70

For the dashboard below, DATA SOURCE: Nessus-Badlock Detection

3. Nessus Vulnerability Scanner - Nessus-Badlock Detection

WIDGET TITLE: Nessus-Badlock Detection

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: CVE

Figure 71

For the dashboard below, DATA SOURCE: Nessus-Host Discovery

4. Nessus Vulnerability Scanner - Nessus-Host Discovery

WIDGET TITLE: Nessus-Host Discovery

CHART TYPE: Stacked Column

AXIS LABELS [X-AXIS]: IP Address

LEGEND [SERIES]: Message

Figure 72

For the dashboard below, DATA SOURCE: Nessus-Malware Detection

5. Nessus Vulnerability Scanner - Nessus-Malware Detection

WIDGET TITLE: Nessus-Malware Detection

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: Message

Figure 73

For the dashboard below, DATA SOURCE: Nessus-Bash Shellshock Detection

6. Nessus Vulnerability Scanner - Nessus-Bash Shellshock Detection

WIDGET TITLE: Nessus-Bash Shellshock Detection

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: CVE

Figure 74

For the dashboard below, DATA SOURCE: Nessus-Drown Detection

7. Nessus Vulnerability Scanner - Nessus- Drown Detection

WIDGET TITLE: Nessus- Drown Detection

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: CVE

LEGEND [SERIES]: Risk

Figure 75

For the dashboard below, DATA SOURCE: MDM Config Audit

8. Nessus Vulnerability Scanner - Nessus- MDM Config Audit

WIDGET TITLE: Nessus- MDM Config Audit

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: Message

Figure 76

For the dashboard below, DATA SOURCE: Mobile Device Scan

9. Nessus Vulnerability Scanner - Nessus- Mobile Device Scan

WIDGET TITLE: Nessus- Mobile Device Scan

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: Message

Figure 77

For the dashboard below, DATA SOURCE: Offline Config Audit

10. Nessus Vulnerability Scanner - Nessus- Offline Config Audit

WIDGET TITLE: Nessus- Offline Config audit

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: Message

Figure 78

For the dashboard below, DATA SOURCE: Scap and Oval Auditing

11. Nessus Vulnerability Scanner - Nessus- Scap and Oval Auditing

WIDGET TITLE: Nessus- Scap and Oval Auditing

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: Mac Address

LEGEND [SERIES]: Severity

Figure 79

For the dashboard below, DATA SOURCE: Web Application Test

12. Nessus Vulnerability Scanner - Nessus- Web Application Test

WIDGET TITLE: Nessus- Web Application Test

CHART TYPE: Donut

AXIS LABELS [X-AXIS]: Message

Figure 80