Configuring vulnerability scanner agents

Common Vulnerabilities and Exposures (CVE) scanner agents, such as Nessus and Qualys, gather information about the Guardium® system and send it to their third-party portal, which analyzes and generates reports. If the agent can run as root directly on the Guardium system, the resulting report is much more accurate with fewer false positive results. Use scanner_agent CLI commands to install and manage root access to CVE scan tools.

Before you begin

By default, vulnerability scanner agents do not have root access to the Guardium system. Without root access, the scan tools are limited to network-based scans and can detect basic information such as operating system, open ports, and cross-site scripting vulnerabilities. While a non-root scan is useful, it is limited in scope and accuracy, and as a safeguard, the network-based scans tend to result in pessimistic reports with many false-positive results. For more accurate vulnerability scan reports, allow scan tools to access the underlying Guardium system and its supporting applications and libraries (to check for CVEs) without exposing root access or creating other vulnerabilities.

About this task

Install the scanner agent on one Guardium system for each version and patch level in your environment. The scanner results for that system can represent all other systems that are at the same version and patch level. Guardium supports root access for Nessus and Qualys vulnerability scanner agents.

Procedure

  1. Download a scanner agent RPM from the vendor.
    • For Guardium 11.x, the agent must support Red Hat ES 7 (x86_64).
    • For Guardium 12.x, the agent must support Red Hat ES 9 (x86_64).
    Example scanner agent file names:
    • Nessus - NessusAgent-10.4.2-es7.x86_64.rpm - From the Tenable Nessus Agent page.
    • Qualys - QualysCloudAgent.rpm - From the Qualys Cloud Agent page.
  2. Import the scanner agent to a Guardium system by using the CLI.
    For a list of supported agents, run the show scanner_agent supported CLI command. The output lists the currently supported agents (nessus or qualys).
  3. Configure the agent by using the setup scanner_agent configure <agent> CLI command and follow the prompts. The information that you need depends on the scanner agent. For more information, see setup scanner_agent.
  4. For Qualys, run setup scanner_agent enable <agent> to enable the agent.
    Note: The Nessus agent is automatically enabled after it is configured.
  5. Optional: If you use an SSL proxy, you need a certificate from a certificate authority such as Digicert, Symantec, or Geotrust. Use the store certificate scanner ca_bundle CLI command to store the certificate. Call show scanner_agent ca_bundle to get the stored certificate.
    Standard (non-SSL) proxies are configured with the agent in step 3.
    For more information about managing certificates, see Certificates.
  6. After you install and enable the agent, it appears in the vendor's portal after a delay of up to 30 minutes.
    After the agent appears in the vendor's portal, scanning and other activities are done exclusively through the portal.