Adding a scanner allows QRadar® to collect SCAP vulnerability files from IBM InfoSphere Guardium.
About this task
Administrators can add multiple IBM Guardium® scanners to IBM® QRadar, each with a different configuration. Multiple configurations provide QRadar the ability to import vulnerability data for specific results. The scan schedule determines the frequency with which the SCAP scan results are imported from IBM InfoSphere Guardium.
Procedure
- Click the Admin tab.
- Click the VA Scanners icon.
- Click Add.
- In the Scanner Name field, type a name to identify your IBM Guardium scanner.
- From the Managed Host list, select an option that is based on one of the following platforms:
  - On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
  - On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
- From the Type list, select IBM Guardium SCAP Scanner.
- Choose one of the following authentication options:
  - Login Username: To authenticate with a user name and password:
    - In the Login Username field, type a user name that has access to retrieve the scan results from the remote host.
    - In the Login Password field, type the password associated with the user name.
  - Enable Key Authorization: To authenticate with a key-based authentication file:
    - Select the Enable Key Authentication check box.
    - In the Private Key File field, type the directory path to the key file.
    The default directory for the key file is /opt/qradar/conf/vis.ssh. If a key file does not exist, you must create the vis.ssh key file.
    Important: The vis.ssh.key file must have vis qradar ownership. For example,
      # ls -al /opt/qradar/conf/vis.ssh.key
      -rw------- 1 vis qradar 1679 Aug 7 06:24 /opt/qradar/conf/vis.ssh.key
- In the Remote Directory field, type the directory location of the scan result files.
- In the File Name Pattern field, type a regular expression (regex) required to filter the list of SCAP vulnerability files specified in the Remote Directory field. All matching files are included in the processing.
  By default, the Report Name Pattern field contains .*\.xml as the regex pattern. The .*\.xml pattern imports all XML files in the remote directory.
- In the Max Reports Age (Days) field, type the maximum file age for your scan results file. Files that are older than the specified days and timestamp on the report file are excluded when the scheduled scan starts. The default value is 7 days.
- To configure the Ignore Duplicates option:
  - Select this check box to track files that have already been processed by a scan schedule. This option prevents a scan result file from being processed a second time.
  - Clear this check box to import vulnerability scan results each time the scan schedule starts. This option can lead to multiple vulnerabilities being associated with an asset.
  If a result file is not scanned within 10 days, the file is removed from the tracking list and is processed the next time the scan schedule starts.
- To configure a CIDR range for your scanner:
  - In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.
  - Click Add.
- Click Save.
- On the Admin tab, click Deploy Changes.
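For the key-authentication option in the procedure above, the ownership requirement can be checked before the scanner is saved. The following is an added example, not part of the IBM documentation: it compares a key file against the listing shown in that step (owner vis, group qradar, permissions -rw-------). The helper name check_key_file is hypothetical, and treating the permissions in the listing as a requirement is an assumption.

```shell
#!/bin/sh
# Added example (not IBM's code): check a scanner key file against the listing
# in the procedure: owner vis, group qradar, permissions -rw-------.
# check_key_file is a hypothetical helper name.

check_key_file() {
    key=$1
    want_owner=${2:-vis}
    want_group=${3:-qradar}
    rc=0

    # Reject symlinks and anything that is not a regular file.
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: $key is not a regular file" >&2
        return 2
    fi

    # Split the long listing into fields: $1 permissions, $3 owner, $4 group.
    # shellcheck disable=SC2046
    set -- $(ls -ld -- "$key")
    perms=$1 owner=$3 group=$4

    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL: owner:group is $owner:$group, expected $want_owner:$want_group" >&2
        rc=1
    fi

    # Owner read/write only. GNU ls appends "." for an SELinux context; a
    # trailing "+" (ACL present) is reported so the ACL can be reviewed.
    case $perms in
        -rw-------|-rw-------.) ;;
        *) echo "FAIL: permissions are $perms, expected -rw-------" >&2; rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: $key is $owner:$group $perms"
    fi
    return "$rc"
}

# Stand-alone use: sh check_key.sh /opt/qradar/conf/vis.ssh.key
if [ "$#" -gt 0 ]; then
    check_key_file "$@"
fi
```

The function returns 0 when the file matches, 1 on an ownership or permission mismatch, and 2 when the path is a symlink or not a regular file.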
What to do next
You are now ready to create a scan schedule for IBM InfoSphere Guardium. See Scheduling a vulnerability scan.