Secutor Magnus represents a new breed of security tools that are built around government and industry standards. The standards have been developed by the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the MITRE Corporation, and industry participants over the course of several years. The series of standards is referred to as the Security Content Automation Protocol (SCAP) and represents standard ways to identify and detect the security compliance and vulnerability posture of networked devices. Security products that support these standards can process content written in the SCAP format. This means organizations can expect the same audit results regardless of which SCAP tool is used to perform the assessments. The National Vulnerability Database at NIST is the clearinghouse for SCAP content and information. Details can be found at: http://nvd.nist.gov/.
Secutor Magnus is one of the first products to support SCAP. It was designed from the ground up with SCAP in mind. It can consume and process SCAP content directly and produce standards-based results files. Organizations can use the supplied content or produce their own. As long as the content files are written to the SCAP specification, Secutor Magnus can audit systems using that content.
Magnus Navigator is a desktop application that can be installed on any workstation and is used to manage how the Magnus Server runs, interactively view results, and run reports.
Groups are used to define common attributes against a list of potential assessment targets. Before an assessment can be run, the Magnus server must have a username and password for use in authenticating to the target computer to perform the assessment. Groups and common attributes are the most common way to define assessment credentials.
NOTE: If the Magnus Task Scheduler is run as an account with administrative credentials on each target to be assessed, common attributes do not need to be defined for that purpose. In that case, a scope of targets can be defined in the Task Manager and no groups need to be created.
Select the "Group Manager" item from the Navigator "Tools" menu to launch the Group Manager tool.
Click the "Add" button on the bottom left of the Group Manager tool. A block of text that reads "-- double-click to edit --" will appear on the top left of the window. Double-click that text and enter a name for the group being defined. Press the "OK" button to accept the new name.
The list of targets for which a group applies is called the scope. A scope is an expression used to describe a list of targets of interest. This expression can be as simple as a single IP address or it can be a combination of multiple notation types.
To create a new scope, click on the "Add" button in the "Targets To Apply This To" panel. This will bring up the "Add Scope" window. If a scope already exists, it can be selected by clicking on the scope name. To create a new scope, enter the name in the "Name" text box and click the "Create" button.
Click the "Add" button at the bottom of the "Targets To Apply This To" panel to create the list of targets to comprise the scope. Ensure the scope-list identifier is set to IP (v4) and the Mode is set to "Union".
Now enter the IP address. The address(es) can be entered in any combination of the formats below.
IP (V4): Refers to Internet Protocol version 4 names
CIDR (slashed) Notation (ex: 192.168.18.0/24)
An entire subnet can be designated by indicating the network address and netmask. The netmask is represented as an integer value separated from the network address by a slash ("/"). Valid netmask values are 16 through 30, with 16 representing a class B address space (65536 total addresses, or 65534 after removing the broadcast and network addresses) and 24 representing a class C.
ex: 172.16.0.0/16 (65534 total potentials)
ex: 192.168.10.128/25 (126 total potentials)
Dashed such as:
192.168.1-5.2-10 (45 total potentials)
192.168.12.100-200 (100 total potentials)
Comma-Separate List (ex: 192.168.18.1, 192.168.19.34, 192.168.232.12)
Combination of all (ex: 192.168.18.0/24, 192.168.19.2-30, 192.168.20.125)
Mode Types - There are three mode types from which to choose. These provide better control over the members of a scope.
Union - The combination of all targets represented by the scope entries
Intersection - The targets that are included in each scope entry
Exclusion - The targets listed here are not included in the final list of targets
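The scope notations and mode types above can be checked before a scope is saved by expanding them offline. The following Python sketch is an added example, not code from Secutor Magnus: the function names are hypothetical, and the order in which the three modes are combined (Union first, then Intersection, then Exclusion) is an assumption, since the page does not state it.

```python
"""Expand Group Manager style scope entries into concrete IPv4 targets (added example)."""
import ipaddress
from itertools import product


def octet_range(field):
    """'7' -> range(7, 8); '1-5' -> range(1, 6). Rejects values outside 0-255."""
    low_text, dash, high_text = field.partition("-")
    low = int(low_text)
    high = int(high_text) if dash else low
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet or range: {field!r}")
    return range(low, high + 1)


def expand_entry(entry):
    """Expand one entry: a comma-separated mix of CIDR, dashed and single addresses."""
    targets = set()
    for item in (part.strip() for part in entry.split(",")):
        if not item:
            continue
        if "/" in item:
            # strict=True rejects a network address that has host bits set.
            net = ipaddress.IPv4Network(item, strict=True)
            # The page limits the netmask to 16 through 30.
            if not 16 <= net.prefixlen <= 30:
                raise ValueError(f"netmask must be 16 through 30: {item!r}")
            # hosts() drops the network and broadcast addresses, which matches
            # the page's count of 65534 potentials for a /16.
            targets.update(net.hosts())
        else:
            octets = item.split(".")
            if len(octets) != 4:
                raise ValueError(f"not a dotted IPv4 expression: {item!r}")
            # Every octet may be a single value or a dashed range.
            for a, b, c, d in product(*(octet_range(o) for o in octets)):
                targets.add(ipaddress.IPv4Address((a << 24) | (b << 16) | (c << 8) | d))
    return targets


def resolve_scope(entries):
    """Resolve a list of (mode, expression) pairs to a sorted target list.

    Assumed combination order (not documented on the page): all Union entries
    are merged, the result is narrowed by every Intersection entry, and the
    Exclusion entries are removed last.
    """
    included, excluded, narrowing = set(), set(), []
    for mode, expression in entries:
        hosts = expand_entry(expression)
        if mode == "Union":
            included |= hosts
        elif mode == "Intersection":
            narrowing.append(hosts)
        elif mode == "Exclusion":
            excluded |= hosts
        else:
            raise ValueError(f"unknown mode: {mode!r}")
    for hosts in narrowing:
        included &= hosts
    return sorted(included - excluded)


if __name__ == "__main__":
    # Constructed scope built from the page's own sample expressions.
    scope = [
        ("Union", "192.168.18.0/24, 192.168.19.2-30, 192.168.20.125"),
        ("Exclusion", "192.168.18.1-10"),
    ]
    resolved = resolve_scope(scope)
    print(len(resolved), "targets, first:", resolved[0], "last:", resolved[-1])
```

Reviewing the expanded list before saving shows exactly which hosts will be offered the group's credentials.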
As previously mentioned, common attributes refer to items that are common across the list of targets defined in the scope. These are generally user accounts that are used to authenticate to these targets to perform assessment activities. In the case of user accounts, multiple accounts can be defined as common attributes. The server will try each account in order against each target until a set of credentials is found that allows the system to authenticate to the target.
To define a common attribute, click the "Add" button in the Common Attributes section of the Group Manager. Select "Normal Account" and enter an account name and password. Press the "Save" button to complete the action.
Press the "Save" button on the bottom right of the Group Manager when finished to save all group manager additions and modifications.
Secutor Magnus includes a tool to ensure the credentials provided in the Common Attributes work for selected target computers. To access the tool, click the "Test" button on the Group Manager window. Selecting a set of common attributes will pre-populate the tool with the selected credentials. The test tool can test the following authentication types:
Secure Shell (SSH)
To use the tool, enter a target IP address and an account name and password with administrative rights to the target computer and press the Test button. A message will be presented that shows if the test passed or failed.
A task represents work that is to be done on a scheduled interval. A task contains schedule information that says how often and when it is to be performed, a scope that defines what potential targets the work is to be applied to, and an action list that describes what work is to be done at the scheduled time.
Select the "Task Scheduler" item from the "Tools" menu to launch the Task Scheduler tool.
Click the "Add" button on the bottom left of the Task Schedule tool. A block of text that reads "-- double-click to edit --" will appear on the top left of the window. Double-click that text and enter a name for the task being defined. Press the "OK" button to accept the new name.
Tasks can be active or inactive. When a task is inactive, it does not perform any compliance activities. To activate a task, click on the "Active" checkbox on the Task Schedule tool. This will enable the scheduling options.
Tasks can be scheduled to run daily, weekly, or monthly depending on organizational requirements. Multiple tasks can be defined to run at different times for different groups of computers. The scheduler provides the flexibility to schedule automatic compliance activities to suit various requirements.
To have this task schedule apply only to systems using the Reporting Service that match the scope, check the option Apply to reporting service. Tasks that have Apply to reporting service checked will be ignored by the assessment scheduler. They can still be manually initiated. This will run discovery and assessment from the server for this task in the same manner as any other scheduled task.
See the section "Define a Group and Assessment Credentials" for instructions on defining the target list (scope).
Once a task, scope, and group have been defined, the system is now ready to perform an assessment. The task scheduler is used for this purpose. There are two ways to perform an assessment.
1. Create a task schedule and wait for Secutor Magnus to automatically start the assessment once the scheduled time is reached.
2. Launch the Task Scheduler, select the task you wish to start, and press the right arrow in the "When To Do This" panel of the screen. That will start the assessment immediately.
While an assessment is being performed, the Secutor Magnus display will not automatically update to reflect the progression of the assessment. The refresh button on the Secutor Magnus main window should be periodically pressed to view the latest assessment results.
In addition, the Status Viewer tool can provide feedback on the progress of the assessment. This tool can be launched automatically when a task is forced to start using step 2 above. It can also be started by selecting "Status Viewer" from the Tools menu.
The Status Viewer is updated by pressing the refresh button on its display or by selecting an auto-refresh option on the bottom of its display panel.
To reassess a single computer, select it from the list of matching targets, right-click and select Run Assessment Now from the menu. If no target in the list is selected when you right-click and select Run Assessment Now you will be prompted for the address of a machine to run an immediate assessment against. That address does not need to be one that is already in the database.
The Navigator’s main window displays a summary dashboard of assessment results. The colored bars on the left side of the window represent the results of the current filter that is being used. The dials represent the system-wide results.
In addition to the dashboard matching targets list, Secutor Magnus includes additional methods to select and view results. The following three options are available from the "Results" menu. Analysis of the results is performed in the same way as the "Aggregate View" described above.
From Selected Filter - this option displays the aggregate viewer of all benchmarks run against targets that match the currently selected dashboard filter.
By Benchmark - this option launches a tool that allows the user to select a single benchmark or select multiple benchmarks (by holding down the SHIFT key and selecting more than one benchmark) and clicking the "Show" button. A list of targets on which the selected benchmarks have run will be shown. Select a single target or multiple targets (hold down SHIFT again) and click the "Details" button to launch the Aggregate Viewer. You can also use the "Show Rules" button to display the list of rules that is assessed for a benchmark and see the pass/fail status for every host that was tested on that rule.
By Task - this option presents a list of all tasks that are configured on this server. Select the desired task and press the "Show" button to display the Aggregate Viewer for that task (including all benchmarks and hosts associated with the task).
Filters provide a flexible way to organize the results from assessments. These filters are configured on the top of the Navigator application. The system includes several pre-built filters including:
All - this produces a list of all targets that have been discovered. The green section of the bar represents systems that were successfully assessed while the red section represents systems that were not properly assessed.
Failed Compliance - The green section of the bar represents those systems that have failing compliance scores while the yellow section represents all systems that passed.
Assessment Error - The red section of the bar lists those systems that were not properly assessed while the yellow section lists those that were successfully assessed.
FIPS 199 Categories - If FIPS 199 is enabled in the Server Settings and computers have FIPS 199 categories configured, then the green section will list systems in that particular FIPS category and the yellow represents all others.
NOTE: Clicking on any color on the bars will produce the list of matching computers for that section of the bar.
New filters can be created and edited by clicking the "Edit" button. To create a new filter, press the "New" button on the Preset Editor window. Enter a name for the filter and press the "OK" button. To define the filter, click the "Add" button. This launches the Edit rules tool. More than one rule can be defined per filter. Once the desired rules are defined, press the "Save" button. The filter is now available on the Navigator filter drop-down. Existing rules can be edited by launching the Preset Editor, selecting the filter from the drop-down list, and clicking the "Edit" button. Remember to save any modifications.
Secutor Magnus provides a common tool for viewing results of assessment activities for hosts. The Target Detail viewer is launched by double-clicking a host in the Matching Targets window or by selecting the host(s) and clicking on the "Detail" button on the "Select Targets" section of the Matching Targets window. The detail viewers are used to view context-sensitive benchmark assessment results, generate reports, and export data.
The top of the Target Details tool lists the benchmarks against which the target or task was assessed. A detailed results view can be created that displays detailed results of each benchmark. Double-click on a benchmark title to launch the Detailed Assessment Results window for that benchmark. This presents a status window that shows the pass/fail status of tested rules and the effect of any applied deviations.
By default the results browser will display the benchmark organized into a tree structure, as defined by the benchmark profile that was used for the assessment. You can also view the results as a flat list by changing to that tab, allowing you to easily sort by rule name, pass/fail status, or CCE identifier. When changing from one tab to the other the display will jump to the last rule you selected.
You can also export the results to an XML document by clicking on the "Export" button at the bottom right of the Results Browser window. The format of the export will match the currently selected view. That is, if the "Tree View" tab is selected, the XML export will be in the tree format, and likewise in the flat format when the "Flat View" tab is selected.
The following details associated with each rule are provided on the bottom of the screen when a rule is selected:
Rule Details - a brief description of the selected rule
Findings - Identified settings associated with the selected rule
References - External standards references
Deviation policies are created using ThreatGuard Inc.'s Secutor Prime product. This product is run on a machine that is configured to represent an organization's standard configuration. These deviations represent local exceptions to authoritative guidance such as the United States Government Configuration Baseline (USGCB) or the Defense Information Systems Agency’s Security Technical Implementation Guides (STIGs). In many cases, local considerations require deviations from this guidance. A benchmark and profile are run against this computer. Items that failed compliance checks can be documented as deviations. This XML-based deviations file is created and saved. When subsequent assessments are run, the deviation profile can be applied. Rules that failed the authoritative guidance will now pass with an exception (a graphical representation that differentiates passed rules from those that pass as a result of an applied policy exception).
The deviation profile that was created in Secutor Prime can be imported into Secutor Magnus and applied against an entire network of computers. This is done using the Secutor Magnus Deviation Manager. This tool is launched by selecting "Deviation Manager" from the tools menu in the Magnus Navigator.
To use a deviation profile, it must first be imported into the Secutor Magnus system. Click on the "File Manager" button to launch the Deviation Importer. Click the "Browse" button and navigate to the location of the deviation profile file that was created in Secutor Prime. Select the file and press the "Upload" button. Press the "Done" button when finished.
Click the "Add" button on the bottom left of the Deviation Rule Manager and select the new deviation profile that was just added. If this is the first profile added to the system, it might take a few seconds before it becomes available. Next, select an existing Scope or create a new one that represents the list of computers to which this deviation profile can potentially apply.
Now that the list of potential computers is selected, conditions for the application of the deviation profile are created. Click the "Add" button in the "Use Under These Conditions" panel. There are currently two types of conditions that can be defined; Benchmark and Operating System. Select the appropriate condition type and select the mode (equals or not equals). Next press the "Pick" button to select the appropriate operating system or benchmark to which the deviation profile should be applied. Press the "Done" button to complete the assignment. Finally, press the "Save" button to save the deviation rule definition. The new definition will be applied to all future assessments.
Once a deviation profile has been applied to a target or group of targets, a report is available to view the details of the policy exceptions. This report is launched from the Deviation Manager by selecting a deviation profile on the left and pressing the "Details" button. This will launch a report that can be saved and viewed.
Secutor Magnus reports are context sensitive to the current selection of the user. The reports are launched in several ways as outlined below. The product is also capable of exporting results into standard and proprietary formats. This is useful for importing into other products, archiving results, or producing custom reports.
Reports that include aggregate information from the entire database are available in Secutor Magnus. Current system wide reports include:
System Summary - this report provides an aggregate score of all computers assessed by Secutor Magnus and related summary information. This report is launched from the Results menu.
Cyberscope Report – this report renders the Cyberscope results file (federal agencies are required to submit this to the Office of Management and Budget each month) into a human-readable HTML report. It includes the list of benchmarks that were assessed, types of operating systems, and number of non-compliant systems for each rule, the number of policy exceptions, and number of failed vulnerability rules. This report is launched from the Results menu.
Deviations Report - this report presents the details of compliance policy deviations that have been applied to targets on the system. This report is available in the Deviation Manager tool.
Snapshot Trending Report - this report provides a high-level view of compliance changes over time. It is available in the Snapshots tool.
The snapshot feature enables organizations to track assessment scores over time. Snapshots provide the aggregated score of every system that has been assessed on the network. These scores can be compared over time to determine compliance trends. In the future, the product will include scoring trends for individual systems as well as aggregated scores for user-defined lists of systems.
The snapshot tool is launched by selecting "Snapshots" from the Tools menu. To create a snapshot of the current status of the network, press the "Create Snapshot" button. A descriptive name can be entered if desired. There is no limit on the number of snapshots that can be created. However, older snapshots can be deleted by selecting the snapshot and pressing the "Purge" button.
To view the Snapshot Trending Report, select a range of dates and press the "Trending Report" button. This will generate a report that includes the snapshots in the date range. The outer bar represents the aggregated score and the inner bar represents the currency (the number of systems that were assessed during the snapshot period).
When a host or a list of hosts is selected in the dashboard matching targets list, further details for that selection can be viewed by clicking on the Composited Selection "Detail" button. If the “Details” button is not active, hold down the SHIFT key and select multiple targets. This will activate the “Details” button.
The top of the aggregate details viewer lists the benchmarks that were run against the selected target or list of targets. Summary reports can be created that include results of a single benchmark and all targets to which it has been applied. Select the desired benchmark and press the "Summary Report" button to generate the report. When a report is launched it can be saved to the file system for later reference or saved as an XML document for easier import into other applications.
Individual target details can be viewed by double-clicking on a target from the list. When viewing assessment details for a single target you can render additional reports. Cyberscope reports are available for individual benchmarks or when multiple benchmarks are selected. This report is accessed from the Reports menu.
Individual benchmark reports are also available. To access these, select a single compliance benchmark and click on Reports-->Compliance then select one of the following reports:
Summary – A high-level report with summary information about the security posture of the target
Basic Results - A concise report of the assessment results including the pass/fail status of each rule
Assessment Details - Scoring and details about specific benchmark-related findings
Cyberscope – A report showing the Cyberscope status of an individual benchmark for a single target
If vulnerability scanning was performed, a separate vulnerability report is available. To view it, select the vulnerabilities benchmark and choose Reports-->Vulnerabilities. This report can also be launched by double-clicking on the vulnerabilities benchmark in the Target Details window to open the Vulnerabilities window. Click the “Report” button on the bottom of the screen to generate the report.
Also available when viewing aggregate results for a single target is the option to select a benchmark and export the details to one of two XML formats:
XCCDF Format - The XCCDF Report Format standard
Magnus Format - A proprietary format more suitable for XML data exchange
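Because the XCCDF export follows the public specification, it can be post-processed outside Navigator with ordinary XML tooling. The following Python sketch is an added example, not part of Secutor Magnus: it reads the standard XCCDF `TestResult` and `rule-result` elements from a constructed sample document, and the function names, host name, rule identifiers, CCE values and pass percentage are illustrative assumptions (the percentage is not the product's scoring formula).

```python
"""Summarize rule results from an XCCDF results export (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, trimmed to the elements this example reads. A real export
# carries the full benchmark, and its XCCDF namespace version may differ.
SAMPLE_XCCDF = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <TestResult id="example-result">
    <target>host-a.example</target>
    <target-address>192.168.18.25</target-address>
    <rule-result idref="rule-password-min-length">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-0000-0</ident>
    </rule-result>
    <rule-result idref="rule-screen-saver-timeout">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-0000-2</ident>
    </rule-result>
    <rule-result idref="rule-audit-logon-events">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-0000-1</ident>
    </rule-result>
    <rule-result idref="rule-firewall-enabled">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

# XCCDF result values that mean the rule was never actually evaluated.
NOT_ASSESSED = {"error", "unknown", "notchecked"}


def local(tag):
    """Strip the '{namespace}' prefix so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]


def parse_test_results(xml_text):
    """Return one record per TestResult: target, addresses and rule results."""
    # Results files copied in from other systems are untrusted input; refuse
    # DTDs so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not accepted")
    records = []
    for element in ET.fromstring(xml_text).iter():
        if local(element.tag) != "TestResult":
            continue
        record = {"target": None, "addresses": [], "rules": []}
        for child in element:
            name = local(child.tag)
            text = (child.text or "").strip()
            if name == "target":
                record["target"] = text
            elif name == "target-address":
                record["addresses"].append(text)
            elif name == "rule-result":
                parts = {local(sub.tag): sub for sub in child}
                result = parts.get("result")
                cce = [(sub.text or "").strip() for sub in child
                       if local(sub.tag) == "ident"
                       and (sub.text or "").strip().startswith("CCE-")]
                record["rules"].append({
                    "idref": child.get("idref"),
                    "result": (result.text or "").strip() if result is not None else "unknown",
                    "cce": cce,
                })
        records.append(record)
    return records


def summarize(record):
    """Count results and list failed and unassessed rules for one target."""
    counts = Counter(rule["result"] for rule in record["rules"])
    scored = counts["pass"] + counts["fail"]
    failed = [(r["idref"], r["cce"]) for r in record["rules"] if r["result"] == "fail"]
    skipped = [r["idref"] for r in record["rules"] if r["result"] in NOT_ASSESSED]
    return {
        "target": record["target"],
        "counts": dict(counts),
        # Illustrative percentage over pass/fail only; not the product's score.
        "pass_percent": round(100.0 * counts["pass"] / scored, 1) if scored else None,
        "failed": sorted(failed, key=lambda pair: pair[0]),
        "not_assessed": sorted(skipped),
    }


if __name__ == "__main__":
    for test_result in parse_test_results(SAMPLE_XCCDF):
        print(summarize(test_result))
```

Rules reported in `not_assessed` are worth following up separately from failures, since an error result says nothing about the target's actual configuration.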
Target History and Comparison Reports
Secutor Magnus includes two additional reports that can be launched directly from any list of targets (such as the Aggregate Viewer).
Target History Report - this report shows any changes that have occurred between the most recent assessment and any previous assessment. Select a target, right-click the mouse and select "Run History Report" to generate this report.
Target Comparison Report - this report shows the differences between two targets. It can be useful in identifying any difference between a golden image and another system. To launch the report, hold down the SHIFT key and select the two targets to be compared, right-click the mouse and select "Run Comparison Report".
Benchmark and Results Exporting
Secutor Magnus can export results in SCAP standard XCCDF format or the Secutor Magnus format. To do this, select the desired benchmark(s) in the target or host detail viewer, and select File-->Export-->XCCDF or Magnus. Browse to the location where you wish to save the file and enter a filename. The file extension "xml" will be added to the filename automatically. Press the "Save" button to complete the action.
The XCCDF Standard represents results that conform to the XCCDF specification while the Magnus format is a proprietary format used among ThreatGuard’s Secutor products.
Benchmark Tree or List Exporting
While viewing a tree or list associated with a benchmark all of the results being viewed can be exported to a file. To do this, press the "Export" button on the bottom of the list or tree window. The file that is generated will be in XML format. This can be directly imported into many applications such as Microsoft Excel.
The Server Settings tool (launched from the Tools menu) provides a variety of server configuration features. The tool consists of the following five tabs:
Assessment - features associated with the assessment engine
Content - view, modify, activate/deactivate compliance benchmarks
Permissions - Manage Read-Only user account access to the system
FIPS - Enable and configure FIPS 199 scoring
Licensing - View and install product activation keys
Connection Preferences - These options determine how the server treats agent-based and agentless ("Direct") assessments. By default, the system checks for agents and performs agent-based assessments if the agent exists. If an agent is not found, the system attempts a direct agentless assessment. This process can be changed by selecting Agent Only, Direct first then agent, or Direct only.
Agent Settings - This option provides some control over how the server and agents communicate. By default, the agent opens up TCP port 2650 to permit communications from the server. If the target-computer agents have been configured to listen on a different port, that can be configured by selecting "Custom" and entering the desired TCP port number.
Each time the server communicates with the target computer agent, it can check to see if the agent software or assessment content is out of date. If so, by default it will automatically update the agent and content. This feature keeps all of the agents on the network current. To disable this, uncheck the "Enable Agent Updating" option. These settings apply to the Passive Agent and not Reporting Service.
Additional Assessment Types - In addition to compliance assessments, the SCAP standards also include the ability to assess for security vulnerabilities. To enable this feature, check the "Vulnerabilities" item. The OVAL vulnerability content is located in the "vulnerability-content" subdirectory under the server installation directory.
The "Use enhanced discovery" option (on by default) activates additional system discovery techniques. These techniques include attempted connections to the remote assessment agent port (TCP 2650 by default), the Windows administrative port (TCP 445), and secure shell (TCP 22). Enhanced discovery can slow down the discovery process slightly.
Concurrent Task Assessments – By default, Secutor Magnus can perform assessments on 4 targets at a time. This setting allows this number to increase. The higher this number, the more system resources and network bandwidth will be required. Also, as this number is increased, agentless assessments will require significantly more system and network resources than Passive Agent assessments.
Optimize for Speed – This setting sets some constraints on the assessment engine to improve speed. For example, it limits the depth of directory recursion. While this can speed up assessments, it can also reduce the accuracy of some tests.
The content tab shows the status of the available compliance assessment benchmarks. By default, the associated SCAP files for these benchmarks are stored in the "oem-content" subdirectory under the installation directory.
The "Active" checkbox indicates if the selected benchmark will be used for assessments. The "Display" checkbox tells the system whether or not to display the results generated by the selected benchmark. Some benchmarks have multiple profiles. These profiles determine which tests are run and what the settings are expected to be for each test. The "Default Profile" indicates the profile that will be used when an assessment is performed using the benchmark. To change the default profile, double click on a benchmark or select a benchmark and press the "Change Default" button. This will display a list of available profiles for the selected benchmark. Select the desired profile and press the "Save" button to change the default.
The permissions tab contains the tools to add read-only users to the system. These users can view information throughout the system but are unable to make any modifications or run assessments. The system uses Windows user accounts that are available as local accounts on the server or domain accounts if the server is a member of a domain.
To add an account, click the "Add" button. Type in the user account name into the space provided and press "OK". When using domain accounts, use the convention "domain name\user name". This adds the account with "Read-Only" access. To disable an account without deleting it, select the account and press the "Toggle" button. This same process will switch between "No Access" and "Read-Only". Double clicking on the account name will also switch between the two access settings.
Secutor Magnus supports FIPS 199 scoring. This is an optional feature that can be used to assign relative criticality of assessed systems. FIPS Scoring can be enabled using the Server Settings tool.
This window lets the user activate FIPS 199 scoring (high, medium, low). This is disabled by default. When FIPS is enabled and the FIPS setting has been configured for each computer, the user can configure the FIPS 199 category for each computer using the Target Detail tool. Once configured, the FIPS filters will list computers that share the same FIPS 199 categories. The FIPS setting is used to organize and view groups of computers that share the same FIPS 199 category.
Scoring Weighting - FIPS doesn't modify the score of an individual target; rather, it applies a multiplier so that the target's score has more or less influence relative to others. In other words, suppose System-A and System-B score 9/10 (90%) and 6/10 (60%) respectively. Overall, that's 15/20 (75%).
If you apply a FIPS multiplier of 5 to System-A, it will now score 45/50 (still 90%). However, put the two together and you now have an overall score of 51/60 (85%).
The Navigator client allows each user to customize scoring thresholds and target selection methods. These settings are saved locally for each user so they do not impact other users. The personal settings tool is accessed from the Tools-->Personal Settings menu.
Select the Scoring/Colors tab on the Personal Settings tool to change the scoring threshold, currency, and colors. To change the scoring and currency thresholds for passing and warning, simply drag the sliders left or right. To change the colors shown on the dashboard, click the Pass, Warning, or Failure buttons and select a desired color. To reset all settings, press the “Reset Defaults” button.
Select the Target Selection tab to change how target lists are displayed, how many are selected, and which columns to display. “Multiple Select Lists” is the default value. This allows the user to have multiple lists of hosts displayed at the same time. Changing this to “Single Select List Only” forces the system to only display one list of hosts at a time. Also, to increase or decrease the number of systems available in a list, change the “Maximum Selection Size”. This can improve the performance of Navigator when a large number of hosts have been assessed (over 1,000). Finally, unchecking “Vulnerability Scoring” and “Last Assessment Date” will remove those columns from the target lists. If vulnerability scanning is disabled, it is a good idea to uncheck that item. Again, press the “Reset Defaults” button to set these values to their default settings.
Assessment results can be imported into Secutor Magnus simply by copying the files into the “Magnus Server\Results” directory. The Importer Service monitors that directory and imports the results files after verifying they are valid formats. Currently supported formats are:
Polycom Configuration File
Original ARF Format
Assessment results for individual computers or a list of computers can be removed from the system. To do this, open a list of selected targets. Select an individual computer or a list of computers (using the Shift or Ctrl buttons on the keyboard while selecting the computers to be removed), right-click, and select "Delete" from the menu. All results associated with the deleted computer(s) will be permanently removed from the system.
Importing new SCAP content into the Secutor Magnus system for use in assessments or deleting existing content is done using the Content Manager tool. Before using the tool, copy the new content into the ..Magnus Server\oem-content directory on the Secutor Magnus server. If deleting content, use the Content Manager to remove the references from the system and then delete the appropriate content files from the oem-content directory.
The Content Manager is launched from the Start Menu of the Secutor Magnus server by selecting Start-->All Programs-->Secutor-->Magnus Server-->Content Manager.
When the tool launches, press the "Connect" button to connect it to the database. This will present a list of benchmarks that are referenced in the database. Benchmarks can be activated or deactivated from this list. The "Display" option determines if the results of the benchmark assessments will be displayed in the system. Select a Benchmark title and press the "Change Profile" button to change the default profile used by Secutor Magnus for that benchmark.
To delete a benchmark from Secutor Magnus, select the benchmark from the list and press the "Delete" button. After doing this, press the "Save Changes" button. It is now safe to remove the benchmark XML files from the oem-content directory.
Before adding new content, the files should be placed in the oem-content directory. After doing this, select "From Local Files" from the "Prepare Content" menu. From the Content Importer window, select the new benchmark filename and press the "Import" button.
Content can also be loaded from "packages". These bundles of managed content can be loaded by selecting "From Package" from the "Prepare Content" menu. Click the "Browse" button to select the file that contains the content package. This will generate a list of benchmark file names. Select the desired name and press the "Import" button to load the content into the system.
In all cases, selecting the "Custom" content type will allow the user to import proprietary benchmark content. These content files should be copied to the "user-content" directory.
OVAL-based vulnerability content files should be copied to the vulnerability-content directory. To load this content, select content type "Vulnerability" from the "From Local Files" or "From Package" importer tools. Select the desired vulnerability content file and press the "Import" button to load the content into the system. The naming of the content files is important for the system to be able to select the correct bundles of vulnerability checks at assessment time.
Secutor Magnus stores all assessment data, assessment settings, and benchmark metadata in a database. To simplify common database tasks a Database Manager tool is included as part of the Magnus Server installation.
Secutor Magnus also includes a separate database for storing analytics data, including any analytics data from subordinate Magnus servers. For each of the primary operations of backup, restore, or rebuild, you will be prompted for which database to perform that operation for. To do a full backup, then, you will need to perform the backup operation twice: once for each database.
Makes a complete backup of the database. Because the SQL Server service has limited permissions, make sure you choose a directory that is not protected – any folder under Program Files, for example, will cause the backup to fail.
Replaces the current database with the contents from a previous backup. In order to work correctly the destination database must already exist.
NOTE: The current database version must be the same as the version where the backup was made.
Replaces the current database with a clean version of the database. This will remove all assessment data, snapshots, assessment settings, etc. It will also be necessary to re-import all assessment content before the new database can be used.
Secutor Magnus uses a configuration file to determine how to connect to the database. Normally this configuration file will be created based on options selected when the installer is run, but you can use this tool to view or change those settings. These settings will affect connection options for both the primary and the analytics databases.
To access the database from another tool, such as SQL Server Management Studio, configure the tool to use the same connection method as is defined in the Magnus Database Manager connection settings, then select the appropriate database by name:
Magnus database: Magnus
Analytics database: magnus_omni
By selecting Local Machine Only you can limit the agent to only allow connections that originate on the local machine. This will mean that you will not be able to use the Magnus Navigator management client from a separate machine. This will also block the ability for Reporting Service to upload assessment results and for other Magnus systems to upload analytics information. Select All Requests to allow these remote connections.
The default port the Magnus agent uses is 2650, but you can change this if necessary. Note that you will also need to make the same change in everything that will connect to this server – Reporting Service, ThreatView analytics, and the Magnus Navigator client.
How compliant the Magnus Agent is with regard to the SOAP standard. The choices are:
Normal: The Magnus Agent operates in accordance with the SOAP standard. In this mode the agent can respond to some information requests even without authentication.
Reduced: Minimizes the amount of information offered by the agent.
Stealth: The agent will only respond to an authenticated client making a legitimate request.
Allows the agent to be used by a remote Magnus Server to initiate agent-based assessments.
Must be selected to allow the Navigator client to be used for management of a Magnus Server.
When Server is selected, you can use the Server Function to change the functionality of the agent. The default value of Full means the agent will allow a remote client to perform all management functions, while selecting Monitor means the agent will only allow read-only access.
Allows you to change the values for read and write timeouts to the agent. For local networks, the default values should be fine and allow the agent to quickly detect dropped connections, but if connections to the agent are over networks with low bandwidth or high latency it may be necessary to increase these values to keep the agent from erroneously dropping connections.
A separate service, the Importer, can be used to monitor a folder or folder structure on the Magnus server and automatically process recognized files that are placed under that folder.
Which folder to monitor. Any file placed in this folder will be automatically processed. Recognized file types will be imported into the database. Any file type that is not recognized will be moved to an error directory. You can choose to either monitor a specific directory or if SMS is installed you can monitor the SMS inventory inbox, which allows you to use SMS as the facility to perform assessments.
You can also choose whether or not to monitor subdirectories. Generally this is not necessary, but should be selected when the Importer is monitoring SMS inboxes.
The New file grace time option determines how long a file should remain unchanged before the importer considers the file transfer complete. This may need to be adjusted upwards when files are being uploaded to the Magnus Server over slow connections.
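The grace-time behaviour described above can be sketched as follows. This is an added example, not Secutor Magnus code: it treats a file as complete only after its size and modification time have stayed unchanged for the grace period, and moves unrecognized files to an error directory. The names `GraceTracker`, `sweep` and the `recognize` callback are hypothetical.

```python
import os
import shutil
import time
from pathlib import Path


class GraceTracker:
    """Remembers each file's (size, mtime) and when that state was first seen."""

    def __init__(self, grace_seconds):
        self.grace = grace_seconds
        self._seen = {}  # path -> ((size, mtime_ns), first time seen in that state)

    def settled(self, path, now):
        try:
            st = os.stat(path)
        except OSError:
            return False  # vanished or locked by the uploader; look again next pass
        state = (st.st_size, st.st_mtime_ns)
        previous = self._seen.get(path)
        if previous is None or previous[0] != state:
            self._seen[path] = (state, now)  # new or still growing: restart the clock
            return False
        return now - previous[1] >= self.grace


def sweep(folder, error_dir, tracker, recognize, recurse=False, now=None):
    """One polling pass over the monitored folder.

    recognize(path) -> bool is a hypothetical stand-in for format validation.
    Returns (ready, rejected, waiting) as lists of file names; the caller
    imports the ready files and then removes or archives them.
    """
    now = time.time() if now is None else now
    root, errors = Path(folder), Path(error_dir)
    ready, rejected, waiting = [], [], []
    for path in sorted(root.rglob("*") if recurse else root.iterdir()):
        if not path.is_file() or errors in path.parents:
            continue  # skip directories and anything already quarantined
        if not tracker.settled(path, now):
            waiting.append(path.name)
        elif recognize(path):
            ready.append(path.name)
        else:
            errors.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(errors / path.name))
            rejected.append(path.name)
    return ready, rejected, waiting
```

An upload that stalls for longer than the grace period still passes the stability check, so format validation has to run on every settled file rather than being skipped for files that look finished.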
The Magnus server is capable of computing assessment analytics and pushing that data to another Magnus server. Use the options on this tab to set that behavior. No analytics will be performed if the Active checkbox is not checked.
How often analytics should be calculated and at what time. A time should be selected that occurs after all assessment activity is complete so that the analytics will be current. Also, the analytics analysis is an expensive computation, so it should be scheduled for a time of day when the server will not otherwise be under a load.
Once analytics have been computed you have the option to upload the results to another Magnus server. Use the fields here to configure which server these results should be reported to.
The account and password used to authenticate the upload are the same account and password used when configuring authentication for Reporting Service clients. The Magnus server will use built-in authentication information if the remote server has not been configured using the Reporting Service Configuration Editor, but this is an insecure mode to operate in. Even if the remote Magnus server does not have any Reporting Service clients, you should still use the editor to change the default password and record the same information on this form.
Resets all settings to their default values. Using this button will not take effect until the settings have been changed and the Importer service restarted.
If you make any changes to these settings it will be necessary to stop and restart the Scheduler service before those changes will take effect. This button makes it easy to stop and restart the service.
If the Scheduler is currently running it will have a label of “Stop Scheduler”, otherwise it will have a label of “Start Scheduler”.
NOTE: The scheduler controls other activity as well, such as scheduled assessments. Stopping the scheduler service will interrupt any current assessment activity, causing it to be started over again.
Causes the system to perform the analytics analysis immediately. This will include uploading the results to another Magnus server if the Upload Copy checkbox is selected and the server information fields are filled in.
Used to select the directory that will be used when exporting ARF results.
The Magnus Services can be started and stopped using the Windows Services tool. However, Secutor Magnus includes the Secutor Magnus Process Query tool to start, stop, or query all Magnus services. This command-line tool may be run from the Magnus Server directory. The command options are:
Process Query Utility
Usage: smpq -[qks]
q = Query status of known services and tools
s = Start all known services
k = Kill all known services and tools
Secutor Magnus includes a Log Monitor tool that enables detailed analysis and troubleshooting of the assessment engine and server. This tool is launched from the Magnus Server's Start button by selecting Start-->All Programs-->Secutor-->Magnus Server-->Log Monitor. This tool supports various levels of debugging for both the assessment engine and the server software. "Fatal" will generate the least amount of status messages while "Debug" generates the most.
Action: One or more tasks to be performed against a scope of targets. Actions are defined using the Task Schedule tool and include activities like vulnerability assessments.
Currency: The percentage of systems that have been assessed during the period defined in the Personal Settings Tool (30 days by default). This helps to identify systems that have stale (see below) results. This percentage also includes systems that cannot be assessed such as various network devices so it is important to delete them from the results (or exclude those targets in the scope definition tool).
CCE: Common Configuration Enumeration (CCE) references. CCE provides a standard notation and reference to configuration settings.
CPE: Common Platform Enumeration (CPE) standard. CPE provides a standard notation and reference to operating systems and applications.
CVE: Common Vulnerabilities and Exposures (CVE) names. CVE provides standardized references to known vulnerabilities. This unique identifier provides a common way to refer to vulnerabilities.
CVSS: Common Vulnerability Scoring System (CVSS). CVSS provides a standardized approach to measuring the impacts of IT vulnerabilities. Each CVE includes an associated CVSS vector for use in calculating the relative severity of vulnerabilities.
Cyberscope: A standard reporting format to replace unsecure e-mail or paper-based reporting. Federal agencies are now required to submit monthly cybersecurity status reports to the OMB in CyberScope format. This format allows for greater insight into certain data, and negates the need to combine reports submitted in various formats.
Deviation Profile: A file that contains documented deviations from authoritative guidance. ThreatGuard's Secutor Prime is used to create the deviation profile XML files. These are imported into Secutor Magnus using the Deviation Manager and applied to target computers.
Filter: Provides a flexible way to organize the results from assessments. Filters are configured on the top of the Navigator application. Results can be “filtered” a variety of ways including by operating system, distinguished name, score, etc.
Group: A group is used to define common attributes for a scope of targets. Common attributes include a list of usernames and passwords for use in performing authenticated assessments against the targets in the scope.
Navigator: The client application that is used to configure and manage the Secutor Magnus server.
Orphan: A target that exists in the database but no longer shows up under any task.
OVAL: Open Vulnerability and Assessment Language (OVAL) standard. OVAL specifies a standardized approach for assessing each system setting. While XCCDF describes what to check, OVAL specifies how to perform the check.
Passive Agent: A traditional agent that requires a single open inbound TCP port on each target (port 2650 by default). The Magnus Server contacts that Passive Agent to instruct it to perform an assessment.
Potential Target: A target that matches the Scope expression but that has not yet been found on the network.
Reporting Service: Software that runs locally on each target that does not require an inbound port. Instead, it utilizes its own scheduler and runs periodically on its own. It reaches back to the Magnus Server periodically to check/update its schedule, software, and content, performs assessments, and sends the assessment results back to the server where they are automatically imported into Magnus using the importer service.
SCAP: Security Content Automation Protocol (SCAP). SCAP is a collection of six open standards developed jointly by the government and private sector. Security content written to the SCAP standard can be used by any product that supports the standard.
Scope: An expression used to describe a list of targets of interest. This expression can be as simple as a single IP address or it can be a combination of multiple notation types.
Snapshot: A representation of the security posture of the network at a point in time. Secutor Magnus allows snapshots to be saved and compared to show changes in security posture over time.
Stale: A target that exists in the database and under a task but has not been assessed for an extended period of time.
Target: A network device (computer, router, print server, etc.) for which some level of evaluation is to be performed.
Task: Work that is to be done on a scheduled interval. A task contains schedule information that controls how often and when it is to be performed, an Action list that describes what work is to be done at that time, and a Scope that defines what potential targets the work is to be applied to.
XCCDF: eXtensible Configuration Checklist Description Format (XCCDF). XCCDF specifies system settings for automated tools to assess. XCCDF specifies what to check.