Adding an IBM Guardium vulnerability scanner
Adding a scanner allows QRadar to collect SCAP vulnerability files from IBM InfoSphere Guardium.
About this task
Administrators can add multiple IBM Guardium® scanners to IBM QRadar, each with a different configuration. Multiple configurations provide QRadar the ability to import vulnerability data for specific results. The scan schedule determines the frequency with which the SCAP scan results are imported from IBM InfoSphere Guardium.
Procedure
- Click the Admin tab.
- Click the VA Scanners icon.
- Click Add.
- In the Scanner Name field, type a name to identify your IBM Guardium scanner.
- From the Managed Host list, select an option that is based on one of the following platforms:
  - On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
  - On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar® Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
- From the Type list, select IBM Guardium SCAP Scanner.
- Choose one of the following authentication options:
  - Login Username. To authenticate with a user name and password:
    - In the Login Username field, type a user name that has access to retrieve the scan results from the remote host.
    - In the Login Password field, type the password that is associated with the user name.
  - Enable Key Authorization. To authenticate with a key-based authentication file:
    - Select the Enable Key Authentication check box.
    - In the Private Key File field, type the directory path to the key file.
      The default path for the key file is /opt/qradar/conf/vis.ssh.key. If a key file does not exist, you must create the vis.ssh.key file.
      Important: The vis.ssh.key file must have vis:qradar ownership and must be readable only by its owner (mode 0600), as in the following listing. SSH refuses private keys with looser permissions, and the QRadar VIS service reads the file as the vis user. For example:
      # ls -al /opt/qradar/conf/vis.ssh.key
      -rw------- 1 vis qradar 1679 Aug 7 06:24 /opt/qradar/conf/vis.ssh.key
- In the Remote Directory field, type the directory location of the scan result files.
- In the File Name Pattern field, type a regular expression (regex) to filter the list of SCAP vulnerability files in the Remote Directory. All matching files are included in the processing. By default, the field contains .*\.xml, which imports all XML files in the remote directory.
- In the Max Reports Age (Days) field, type the maximum age, in days, for scan result files. Files whose timestamp is older than the specified number of days are excluded when the scheduled scan starts. The default value is 7 days.
- To configure the Ignore Duplicates option:
  - Select this check box to track files that have already been processed by a scan schedule. This option prevents a scan result file from being processed a second time.
  - Clear this check box to import vulnerability scan results each time the scan schedule starts. This option can lead to multiple vulnerabilities being associated with an asset.
  If a result file is not scanned within 10 days, the file is removed from the tracking list and is processed the next time the scan schedule starts.
- Select the Enable Strict HostKey Checking check box to require that the public key of the target host match an entry in the Host Key list parameter. If the check box is cleared, the SSH connection does not verify the identity of the remote host, so a system that impersonates the Guardium host could receive the login credentials or supply altered scan results.
- In the HostKey field, provide the Base64-encoded host keys to accept when connecting to the target host. The supported host key type is ssh-rsa. You can obtain the key by running the OpenSSH ssh-keyscan command (for example, ssh-keyscan -t rsa <host>) on Linux or ssh-keyscan.exe on Windows, or by reading the public key directly from the target system, for example from /root/.ssh/known_hosts or /etc/ssh/ssh_host_rsa_key.pub. Use only the Base64-encoded key, not the host name or the algorithm name. For example:
AAAAB3NzaC1yc2EAAAADAQABAAABAQCkT8TfV0oPWOVihTKKtORG2DQVbbFocUvGct9lN4auSIADp4UbiOzm44k0mIZtMOGfYBTHVzyI6A9nCROLiMrJ00QzwG1IihYwaTqlYbZJ3FSiSY2tz1G2C51SG9OeziDMxcnEY2cHkwGSrGowydz20KPbgzTedOQCp41PafmMlb7TMmJtjU23cfCmPAQQHWIFOLWe1hg3RMtWfj1sE+Fe7Tu+/XZvT4GPSM5YQECXIzXmrhENWo+tIlnCGq01sLNPQ2Fo8qI97uAOm0kx/wkWfJLEj9dsHl7kO6D1x3YESVrr+eOc2xDvAStJIb4qCks2CGZDI1I2pivoqjX+JTRL
- To configure a CIDR range for your scanner:
  - In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.
  - Click Add.
- Click Save.
- On the Admin tab, click Deploy Changes.
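The following Python is an added illustration, not QRadar code or part of the IBM documentation. It models two parts of the configuration above: it extracts the value to paste into the HostKey field from an ssh-keyscan or known_hosts line and confirms that the blob really is an ssh-rsa key (the only supported type), and it applies the File Name Pattern, Max Reports Age (Days) and Ignore Duplicates rules, including the 10-day tracking expiry, to a constructed directory listing. The host name, file names, dates and the dummy key blob are constructed for the demo, and keying the tracking list by file name is an assumption about how QRadar records processed files.

```python
"""Added example, not QRadar code: models the HostKey field value and the
report-selection filters of the Guardium SCAP scanner configuration.
All hosts, file names, dates and the key blob below are constructed."""
import base64
import datetime as dt
import re
import struct

TRACKING_WINDOW_DAYS = 10  # processed files drop off the tracking list after 10 days


def hostkey_field_value(keyscan_line: str) -> str:
    """Return only the Base64 blob from an `ssh-keyscan -t rsa <host>` or
    known_hosts line ("<host> <type> <base64> [comment]"). QRadar accepts
    ssh-rsa only and wants the Base64 part without host name or algorithm;
    the blob is decoded to confirm it is an ssh-rsa key (SSH wire format:
    uint32 length followed by the string "ssh-rsa")."""
    parts = keyscan_line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <type> <base64> [comment]'")
    keytype, blob = parts[1], parts[2]
    if keytype != "ssh-rsa":
        raise ValueError(f"unsupported host key type {keytype!r}; only ssh-rsa is accepted")
    raw = base64.b64decode(blob, validate=True)
    (name_len,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + name_len] != b"ssh-rsa":
        raise ValueError("Base64 blob does not decode to an ssh-rsa key")
    return blob


def select_reports(listing, now, pattern=r".*\.xml", max_age_days=7,
                   ignore_duplicates=True, processed=None):
    """Which files one scheduled import would pick from `listing`
    ((filename, mtime) tuples). `processed` is the tracking list,
    filename -> time last imported, updated in place (assumption: the
    list is keyed by file name). Returns file names in listing order."""
    if processed is None:
        processed = {}
    name_re = re.compile(pattern)
    for name, seen in list(processed.items()):  # 10-day tracking expiry
        if now - seen > dt.timedelta(days=TRACKING_WINDOW_DAYS):
            del processed[name]
    cutoff = now - dt.timedelta(days=max_age_days)
    chosen = []
    for name, mtime in listing:
        if not name_re.fullmatch(name):              # File Name Pattern
            continue
        if mtime < cutoff:                           # Max Reports Age (Days)
            continue
        if ignore_duplicates and name in processed:  # Ignore Duplicates
            continue
        chosen.append(name)
        processed[name] = now
    return chosen


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


# Constructed ssh-rsa blob: type name, exponent 65537 and a dummy modulus (not a usable key)
DEMO_RSA_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + b"\xab" * 32)
).decode()
DEMO_KEYSCAN_LINE = f"guardium.example.com ssh-rsa {DEMO_RSA_BLOB}"
DEMO_ED25519_LINE = "guardium.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyDummyDummyDummyDummyDummyDummyDummy"

DEMO_NOW = dt.datetime(2024, 8, 7, 6, 24)
_DAY = dt.timedelta(days=1)
DEMO_LISTING = [
    ("scap_result_1.xml", DEMO_NOW - 1 * _DAY),  # fresh, matches the pattern
    ("scap_result_2.xml", DEMO_NOW - 9 * _DAY),  # older than the 7-day default
    ("scan_notes.txt", DEMO_NOW),                # does not match .*\.xml
]


def run_demo() -> dict:
    """Run both helpers on the constructed inputs and return the outcomes."""
    out = {"hostkey": hostkey_field_value(DEMO_KEYSCAN_LINE)}
    try:
        hostkey_field_value(DEMO_ED25519_LINE)
        out["ed25519_rejected"] = False
    except ValueError:
        out["ed25519_rejected"] = True
    tracker = {}
    out["first_run"] = select_reports(DEMO_LISTING, DEMO_NOW, processed=tracker)
    out["rerun_same_day"] = select_reports(DEMO_LISTING, DEMO_NOW, processed=tracker)
    out["rerun_no_dedup"] = select_reports(DEMO_LISTING, DEMO_NOW,
                                           ignore_duplicates=False, processed=tracker)
    # Same name regenerated 5 days later: still tracked, so skipped
    t5 = DEMO_NOW + 5 * _DAY
    out["regenerated_day5"] = select_reports([("scap_result_1.xml", t5)], t5, processed=tracker)
    # Regenerated 11 days after the last import: tracking expired, imported again
    t11 = DEMO_NOW + 11 * _DAY
    out["regenerated_day11"] = select_reports([("scap_result_1.xml", t11)], t11, processed=tracker)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two points worth noticing when running it: a scan result that is regenerated under the same file name is skipped while Ignore Duplicates is selected and the name is still on the tracking list, so a Guardium job that overwrites a fixed file name needs either Ignore Duplicates cleared or a schedule interval longer than the tracking window; and pasting a full ssh-keyscan line (host name and algorithm included) into the HostKey field is the usual cause of a strict host key mismatch, which is why the helper returns the Base64 part alone.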