Scans

Menu path: Configuration > Compliance Overview > Scans.

Scans are used to evaluate the health and conformance of clients during the registration process. A3 supports a number of scanners, including Nessus, OpenVAS, and WMI. Scanners are installed and configured independently through their GUI and command line interfaces. WMI is enabled through Active Directory GPO policy. WMI rules are created through A3.

The general format and usage of this page is discussed in General GUI Usage.

Two tabs are displayed on the Scans page:

Scan Engines

Scan engines are added by selecting the add scan engine icon button. The choices are:

Nessus and Nessus6

The fields in a Nessus definition are:

| Field | Usage | Example |
| --- | --- | --- |
| Name | Name of the scanner. | Nessus |
| Host Name or IP Address | The hostname or IP address where Nessus is running. | 10.1.2.3 |
| User Name | The user name used to connect to the Nessus server. | admin |
| Password | The password corresponding to User Name. | |
| Port | The port to connect to for the Nessus service. | 8834 |
| Nessus Client Policy | The name of the Nessus-configured policy to apply. | Employee_Scan |
| Roles | The list of roles for which the scan will be applied. Multiple roles can be selected from the list of all Roles defined. | guests students |
| OS | A list of operating systems indicating which operating systems the provisioner will be applied to. Matches are displayed as characters are entered. | iOS |
| Duration | The approximate duration of the scan, used for a progress bar. | 60 seconds |
| Scan Before Registration | If enabled, the client will be scanned before registration. | services running icon |
| Scan on Registration | If enabled, the client will be scanned after successful registration. | service stopped icon |
| Scan After Registration | If enabled, the client will be scanned after it is placed on the production VLAN. | service stopped icon |

Event IDs used in security events are defined in https://www.tenable.com/plugins/search?q=Nessus%20ids&sort=&page=1.

OpenVAS

The fields in an OpenVAS definition are:

| Field | Usage | Example |
| --- | --- | --- |
| Name | Name of the scanner. | Nessus |
| Host Name or IP Address | The hostname or IP address where OpenVAS is running. | 10.1.2.3 |
| User Name | The user name used to connect to the OpenVAS server. | admin |
| Password | The password corresponding to User Name. | |
| Port | The port to connect to for the OpenVAS service. | 9390 |
| Alert ID | The alert ID as configured on the OpenVAS service. | |
| Scan Configuration ID | The scan ID as configured on the OpenVAS service. | Student_Scan |
| Report Format ID | The report format ID as configured on the OpenVAS service. | |
| Roles | The list of roles for which the scan will be applied. Multiple roles can be selected from the list of all Roles defined. | guests students |
| OS | A list of operating systems indicating which operating systems the provisioner will be applied to. Matches are displayed as characters are entered. | iOS |
| Duration | The approximate duration of the scan, used for a progress bar. | 60 seconds |
| Scan Before Registration | If enabled, the client will be scanned before registration. | services running icon |
| Scan on Registration | If enabled, the client will be scanned after successful registration. | service stopped icon |
| Scan After Registration | If enabled, the client will be scanned after it is placed on the production VLAN. | service stopped icon |

The Event IDs used in security events are referred to as NVT OIDs in OpenVAS documentation.

Rapid7

The fields in a Rapid7 definition are:

| Field | Usage | Example |
| --- | --- | --- |
| Name | Name of the scanner. | Nessus |
| Host Name or IP Address | The hostname or IP address where Rapid7 is running. | 10.1.2.3 |
| User Name | The user name used to connect to the Rapid7 server. | admin |
| Password | The password corresponding to User Name. | |
| Port | The port to connect to for the Rapid7 service. | 3780 |
| Verify Host Name | If enabled, the server's hostname will be verified when connecting to the API. | A3 |
| Scan Engine | A selection from the list of scan engines configured in Rapid7. | |
| Scan Template | A selection from the list of scan templates configured in Rapid7. | |
| Site | A selection from the list of sites configured in Rapid7. | |
| Roles | The list of roles for which the scan will be applied. Multiple roles can be selected from the list of all Roles defined. | guests students |
| OS | A list of operating systems indicating which operating systems the provisioner will be applied to. Matches are displayed as characters are entered. | iOS |
| Duration | The approximate duration of the scan, used for a progress bar. | 60 seconds |
| Scan Before Registration | If enabled, the client will be scanned before registration. | services running icon |
| Scan on Registration | If enabled, the client will be scanned after successful registration. | service stopped icon |
| Scan After Registration | If enabled, the client will be scanned after it is placed on the production VLAN. | service stopped icon |

WMI

Multiple steps are required to use WMI with A3 for each security event (for example, OS version out of date, no anti-virus software, or anti-virus software out of date).

  1. In Security Events set up a new security event with an ID number of xxxx, where the trigger type is internal and the value is xxxx. The ID number and trigger value need not be the same, but it is easier to troubleshoot when they are the same. Set up a desired enforcement action for the violation.
  2. In WMI Rules, under Rules Actions, add a snippet for the violation. For example, the following snippet detects if Google is running. The items in bold will trigger the violation established in step 1 above.
  3. Set up the WMI scanner adding the rules from step 1.
  4. Associate the WMI scanner with a connection profile.

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = xxxx, type = INTERNAL
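
One way to check steps 1 and 2 against each other before deploying a rule, as an added example that is not part of the A3 documentation or A3's own code: it parses the snippet format shown above, evaluates it over constructed WMI rows, and reports whether the tid it would trigger is a defined security event. The event ID 1100010, the sample rows, the function names, and the reading of `match` as a regular-expression search are assumptions.

```python
import configparser
import re

# Constructed input: the page's snippet with its "xxxx" placeholder replaced
# by a made-up security event ID (1100010).
RULE = """\
[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 1100010, type = INTERNAL
"""

def parse_rule(text):
    """Split rule text into {condition name: fields} and ordered action tuples."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conditions, actions = {}, []
    for name in cp.sections():
        if ":" not in name:
            conditions[name] = dict(cp[name])
            continue
        order, cond = name.split(":", 1)      # "<order>:<condition name>"
        pairs = (p.split("=", 1) for p in cp[name]["action_param"].split(","))
        params = {k.strip(): v.strip() for k, v in pairs}
        actions.append((int(order), cond, cp[name]["action"], params))
    return conditions, sorted(actions, key=lambda a: a[0])

def fired_events(text, wmi_rows, defined_event_ids):
    """Return (tid, is_defined) for every trigger_violation whose condition matches."""
    conditions, actions = parse_rule(text)
    fired = []
    for _order, cond, action, params in actions:
        c = conditions[cond]
        if c["operator"] != "match":
            raise ValueError("only the 'match' operator is modelled here")
        # Assumption: 'match' is a regular-expression search on the attribute.
        hit = any(re.search(c["value"], str(row.get(c["attribute"], "")))
                  for row in wmi_rows)
        if hit and action == "trigger_violation":
            tid = params.get("tid", "")
            fired.append((tid, tid in defined_event_ids))
    return fired

# Constructed WMI result rows and the IDs configured in Security Events (step 1).
ROWS = [{"Caption": "Google Chrome"}, {"Caption": "Notepad"}]
print(fired_events(RULE, ROWS, {"1100010"}))
```

A result whose second element is `False` means the rule matched but its tid has no corresponding security event, so no enforcement action from step 1 would apply.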

The fields in a WMI definition are:

| Field | Usage | Example |
| --- | --- | --- |
| Name | Name of the scanner. | WMI |
| User Name | The user name used to connect to the AD server. | admin |
| Domain | The name of the AD domain. | abc-widgets |
| Password | The password corresponding to User Name. | |
| Roles | The list of roles for which the scan will be applied. Multiple roles can be selected from the list of all Roles defined. | guests students |
| OS | A list of operating systems indicating which operating systems the provisioner will be applied to. Matches are displayed as characters are entered. | <blank> |
| Duration | The approximate duration of the scan, used for a progress bar. | 60 seconds |
| Scan Before Registration | If enabled, the client will be scanned before registration. | services running icon |
| Scan on Registration | If enabled, the client will be scanned after successful registration. | service stopped icon |
| Scan After Registration | If enabled, the client will be scanned after it is placed on the production VLAN. | service stopped icon |
| WMI Rules | A list of WMI Rules to be associated with the WMI scan. The first rule is added by clicking Add a WMI rule. Others are added by selecting the add icon sign at the end of any row. Rows are deleted by selecting the delete icon. WMI rules are executed in order; the order can be changed by selecting the rule number and moving it to its selected place. | |

WMI Rules

WMI rules are applied to all Windows computers configured to run WMI. Several rules are predefined in A3:

Additional rules are added by clicking the new WMI rule icon. The fields in the definition dialog are:

 

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.