Common Vulnerabilities and Exposures (CVE) scanner agents, such as Nessus and Qualys, gather information about the Guardium® system and send it to their third-party portal, which analyzes the data and generates reports. If the agent can run as root directly on the Guardium system, the resulting report is much more accurate, with fewer false positive results. Use the scanner_agent CLI commands to install and manage root access for CVE scan tools.
Before you begin
By default, vulnerability scanner agents do not have root access to the Guardium system. Without root access, the scan tools are limited to network-based scans and can detect only basic information such as the operating system, open ports, and cross-site scripting vulnerabilities. While a non-root scan is useful, it is limited in scope and accuracy, and as a safeguard, network-based scans tend to produce pessimistic reports with many false-positive results. For more accurate vulnerability scan reports, allow the scan tools to access the underlying Guardium system and its supporting applications and libraries (to check for CVEs) without exposing root access or creating other vulnerabilities.
About this task
Install the scanner agent on one Guardium system for each version and patch level in your environment. The scanner results for that system can represent all other systems that are at the same version and patch level. Guardium supports root access for the Nessus and Qualys vulnerability scanner agents.
Procedure
- Download a scanner agent RPM from the vendor.
  - For Guardium 11.x, the agent must support Red Hat ES 7 (x86_64).
  - For Guardium 12.x, the agent must support Red Hat ES 9 (x86_64).
  Example scanner agent file names:
  - Nessus - NessusAgent-10.4.2-es7.x86_64.rpm - From the Tenable Nessus Agent page.
  - Qualys - QualysCloudAgent.rpm - From the Qualys Cloud Agent page.
- Import the scanner agent to a Guardium system by using the CLI. For a list of supported agents, run the show scanner_agent supported CLI command. The output lists the currently supported agents (nessus or qualys).
- Configure the agent by using the setup scanner_agent configure <agent> CLI command and follow the prompts. The information that you need depends on the scanner agent. For more information, see setup scanner_agent.
- For Qualys, run setup scanner_agent enable <agent> to enable the agent.
  Note: The Nessus agent is automatically enabled after it is configured.
- Optional: If you use an SSL proxy, you need a certificate from a certificate authority such as DigiCert, Symantec, or GeoTrust. Use the store certificate scanner ca_bundle CLI command to store the certificate. Call show scanner_agent ca_bundle to get the stored certificate. Standard (non-SSL) proxies are configured with the agent in step 3. For more information about managing certificates, see Certificates.
- After you install and enable the agent, it appears in the vendor's portal after a delay of up to 30 minutes. After the agent appears in the vendor's portal, scanning and other activities are done exclusively through the portal.
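As an added pre-import check, which is not part of the Guardium documentation or CLI, the following POSIX shell function decides from the vendor's RPM file name whether a downloaded agent matches the Red Hat base that the download and import steps above require for a Guardium release (11.x: ES 7, 12.x: ES 9, x86_64 in both cases). The dist-tag spellings el7/es7 and el9/es9, and reporting a file name without a tag (such as QualysCloudAgent.rpm) as unknown rather than guessing, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Guardium or vendor code: check a downloaded scanner agent
# RPM file name against the Red Hat base required for a Guardium release
# (11.x -> ES 7, 12.x -> ES 9; x86_64 in both cases) before importing it.
# Assumptions: the dist tag appears in the release field as el7/es7 or
# el9/es9; a name without a tag (for example QualysCloudAgent.rpm) is
# reported as unknown rather than guessed.
# Prints ok | mismatch | unknown and returns 0 | 1 | 2 respectively.
check_agent_rpm() {
  gver=$1   # Guardium version, for example 11.4 or 12.0
  rpm=$2    # RPM file name as downloaded from the vendor

  case "$gver" in
    11.*) want=7 ;;
    12.*) want=9 ;;
    *) echo unknown; return 2 ;;   # release not covered by this check
  esac

  case "$rpm" in
    *.*.rpm) ;;                    # need at least name.arch.rpm
    *) echo unknown; return 2 ;;   # no arch field, so nothing to compare
  esac

  base=${rpm%.rpm}                 # NessusAgent-10.4.2-es7.x86_64
  arch=${base##*.}                 # x86_64
  release=${base%.*}               # NessusAgent-10.4.2-es7

  case "$release" in
    *e[ls]7|*e[ls]7_*) dist=7 ;;
    *e[ls]9|*e[ls]9_*) dist=9 ;;
    *) echo unknown; return 2 ;;   # no recognizable dist tag
  esac

  if [ "$arch" != x86_64 ] || [ "$dist" != "$want" ]; then
    echo mismatch; return 1
  fi
  echo ok
}

# Stand-alone use: sh check_agent_rpm.sh <guardium_version> <rpm_file_name>
if [ $# -ge 2 ]; then
  check_agent_rpm "$1" "$2"
fi
```

A result of unknown means the name carries no usable dist or arch information, so the vendor's platform documentation, not the file name, has to settle compatibility before the import step.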