Adding an IBM Guardium vulnerability scanner

Adding a scanner allows QRadar® to collect SCAP vulnerability files from IBM InfoSphere Guardium.

About this task

Administrators can add multiple IBM Guardium® scanners to IBM® QRadar, each with a different configuration. Multiple configurations provide QRadar the ability to import vulnerability data for specific results. The scan schedule determines the frequency with which the SCAP scan results are imported from IBM InfoSphere Guardium.

Procedure

  1. Click the Admin tab.
  2. Click the VA Scanners icon.
  3. Click Add.
  4. In the Scanner Name field, type a name to identify your IBM Guardium scanner.
  5. From the Managed Host list, select an option that is based on one of the following platforms:
    • On the QRadar Console, select the managed host that is responsible for communicating with the scanner device.
    • On QRadar on Cloud, if the scanner is hosted in the cloud, the QRadar Console can be used as the managed host. Otherwise, select the data gateway that is responsible for communicating with the scanner device.
  6. From the Type list, select IBM Guardium SCAP Scanner.
  7. Choose one of the following authentication options:
    Option: Login Username
    Description: To authenticate with a user name and password:
    1. In the Login Username field, type a username that has access to retrieve the scan results from the remote host.
    2. In the Login Password field, type the password associated with the user name.
    Option: Enable Key Authorization
    Description: To authenticate with a key-based authentication file:
    1. Select the Enable Key Authentication check box.
    2. In the Private Key File field, type the directory path to the key file.
    The default directory for the key file is /opt/qradar/conf/vis.ssh. If a key file does not exist, you must create the vis.ssh key file.
    Important: The vis.ssh.key file must be owned by user vis and group qradar. For example,
    # ls -al /opt/qradar/conf/vis.ssh.key
    -rw------- 1 vis qradar 1679 Aug  7 06:24 /opt/qradar/conf/vis.ssh.key
  8. In the Remote Directory field, type the directory location of the scan result files.
  9. In the File Name Pattern field, type a regular expression (regex) that filters the list of SCAP vulnerability files in the directory specified in the Remote Directory field. All matching files are included in the processing.
    By default, the Report Name Pattern field contains .*\.xml as the regex pattern. The .*\.xml pattern imports all XML files in the remote directory.
  10. In the Max Reports Age (Days) field, type the maximum file age for your scan result files. Files whose timestamp is older than the specified number of days are excluded when the scheduled scan starts. The default value is 7 days.
  11. To configure the Ignore Duplicates option:
    • Select this check box to track files that have already been processed by a scan schedule. This option prevents a scan result file from being processed a second time.
    • Clear this check box to import vulnerability scan results each time the scan schedule starts. This option can lead to multiple vulnerabilities being associated with an asset.
    If a result file is not scanned within 10 days, the file is removed from the tracking list and is processed the next time the scan schedule starts.
  12. To configure a CIDR range for your scanner:
    1. In the text field, type the CIDR range you want this scanner to consider or click Browse to select a CIDR range from the network list.
    2. Click Add.
  13. Click Save.
  14. On the Admin tab, click Deploy Changes.
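As an added example that is not part of the IBM documentation, the following POSIX shell pre-flight script mirrors the checks from steps 7, 9, 10 and 11 so an administrator can verify them before the first scheduled import: it confirms the private key file has mode 0600 and the required owner and group, then previews which result files in a directory would be imported given the File Name Pattern, the Max Reports Age (Days) and a tracking list of already-processed file names (the Ignore Duplicates behaviour). The directory paths, the tracking-list format (one file name per line) and the use of grep -E to approximate QRadar's regex engine are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for an IBM Guardium SCAP scanner configuration in QRadar.
# Constructed example: paths and the tracking-list format are assumptions.

# check_key_file KEYFILE OWNER GROUP
# Returns 0 only if KEYFILE is a regular file with mode 0600 owned by
# OWNER:GROUP (the page requires vis:qradar for /opt/qradar/conf/vis.ssh.key).
check_key_file() {
    key="$1"; owner="$2"; group="$3"
    [ -f "$key" ] || return 1
    # find prints the path only when every predicate matches
    [ -n "$(find "$key" -type f -perm 600 -user "$owner" -group "$group")" ]
}

# select_reports DIR PATTERN MAX_AGE_DAYS PROCESSED_LIST
# Prints, sorted, the file names under DIR that a scan schedule would import:
#   - the whole file name matches PATTERN (File Name Pattern, e.g. '.*\.xml'),
#   - the file was modified fewer than MAX_AGE_DAYS days ago (Max Reports Age),
#   - the name is not already in PROCESSED_LIST (Ignore Duplicates tracking).
# grep -E approximates QRadar's own regex evaluation (assumption).
select_reports() {
    dir="$1"; pattern="$2"; max_age="$3"; processed="$4"
    find "$dir" -type f -mtime "-$max_age" | while IFS= read -r path; do
        name=$(basename "$path")
        printf '%s\n' "$name" | grep -Eqx "$pattern" || continue
        if [ -f "$processed" ] && grep -Fqx "$name" "$processed"; then
            continue          # already processed: skipped like Ignore Duplicates
        fi
        printf '%s\n' "$name"
    done | sort
}

# Usage: sh preflight.sh /path/to/results '.*\.xml' 7 processed.txt
if [ "$#" -eq 4 ]; then
    select_reports "$1" "$2" "$3" "$4"
fi
```

Run check_key_file against the key path configured in step 7 and select_reports against a local copy of the Guardium result directory to see exactly which files the first scheduled import will pick up.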

What to do next

You are now ready to create a scan schedule for IBM InfoSphere Guardium. See Scheduling a vulnerability scan.