Secutor Prime represents a new breed of security tools that are built around government and industry standards. The standards have been developed by the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), Defense Information Systems Agency (DISA), the MITRE Corporation, and industry participants over the course of several years. The series of standards are referred to as the Security Content Automation Protocol (SCAP) and represent standard ways to identify and detect the security compliance and vulnerability posture of networked devices. The National Vulnerability Database at NIST is the clearinghouse for SCAP content and information. Details can be found at: http://nvd.nist.gov/
ThreatGuard's Secutor line of security products embodies this shift towards standards.
It's all about the content. In the past, government and commercial organizations were provided written documentation that described how computers were to be securely configured. To help automate that process, vendors created proprietary tools that approximated the settings in the documents. Each vendor had their own way to test for compliance and they rarely produced the same results.
With SCAP, the regulatory agencies can now provide their compliance documentation in a standard format that can be used directly by security products. Products that properly adhere to the standards can now consume the same content and produce the same results. Organizations can now acquire compliance software based on the features they provide rather than how well they approximate the security guidance.
Secutor Prime implements the advanced features contained in the SCAP v1.2 specifications, including Authenticated Configuration Scanner, Common Vulnerabilities and Exposures (CVE) option, and the
Open Checklist Interactive Language (OCIL) option. Secutor Prime is also backwards compatible with the SCAP v1.0 and v1.1 specifications. This means it can consume and process content written to those standards.
The Advanced Interface is used to allow interaction with OCIL. Questionnaires can be loaded directly by using the benchmark selector. When a compliance type data stream contains references to OCIL question, those questions will be shown in-line with the rest of the benchmark.
There are several license levels for Secutor Prime, each with progressively more features.
Runs interactively on a desktop computer
Directly consumes SCAP-compliant content and performs compliance and vulnerability assessments
Includes several compliance reports
Uses the CPE standard to automatically determine applicable benchmarks
Performs United States Government Configuration Baseline (USGCB) compliance assessments
Free for use by non-commercial organizations
All the features of Secutor Prime Free Edition plus:
Performs automated compliance remediation of failed items
System restore and individual rule undo of remediated rules
Creates Deviation Profiles to document approved exceptions from standard configurations
Export results in a variety of formats
All the features of Secutor Prime plus:
Performs compliance checks of remote computers
Includes tools to generate the OMB-required USGCB Exceptions Report
Able to perform both local and remote assessments, up to a maximum of 50 assets.
All the features of Secutor Prime Pro plus may be installed on a single device to assess an unlimited number of endpoints.
Secutor Prime has three selectable interface styles:
The Multiview Interface lets you do assessments of all applicable benchmarks against multiple assets at the same time with multiple methods of doing assessments such as from a network address range, enumeration of a directory services server, or just reading in a directory full of saved results. With its advanced features Multiview requires a Java runtime of at least 1.5 (an embedded version of 1.7 is included with the full installer).
The Advanced Interface is the traditional interface with full benchmark interaction that current users of Secutor Prime are accustomed to. It contains the full suite of tools such as remediation and deviation profiling with an interface that lets you work in detail with a single benchmark at a time. It features a more interactive approach to each benchmark that lets you fix/restore each rule and define individual deviation entries to find the most secure configuration that still provides all the necessary functionality in your environment.
The Simple Interface lets you test and score all applicable benchmarks at one time with a single button click, or even set the application to automatically find all applicable benchmarks for the local machine and run them when it is started. It makes for a great assessment tool to run off of external media such as a thumb drive.
The interface style can be changed any time by selection your preference from the Tools --> Interface Style menu items and restarting the application.
Secutor Prime includes an automatic upgrade capability to keep the application and content files updated at all times. by default, the application will check for updates once per day. If updates are available, they are downloaded and the user is prompted to have the updates automatically installed. Modification of the auto-update behavior is done using the Settings widget in the Tools menu.
To force Secutor Prime to check for updates, select the Check for Updates item in the Help menu. This utility connects to the ThreatGuard, Inc. website to see if application or content updates are available. If they are, they will be downloaded and the user will be prompted to have the updates automatically installed.
Note: The application installers available from the download section of the ThreatGuard web site also allow for safe updates. That is, they will update the application without changing any user settings.
Windows-based PC (OSX and Linux beta releases available on request to licensees)
256MB available RAM recommended, 1GB for Multiview
10-63MB Hard Drive space (depending on configuration)
Multiview: 1GB minimum for saving results
Purchasing an activation key for Secutor Prime or Secutor Prime Professional unlocks very powerful features including remediation, remediation undo, and system restore. Licenses can be purchased online by visiting: http://threatguard.com/request-a-quote. Larger quantities with significant volume discounts can be purchased by contacting a ThreatGuard sales representative at (210) 490-4018.
Once you have obtained a key, the Product Activation tool can be launched by selecting the "License Activation" item from the "Help" menu. Type the Activation key into the box provided (in the Simple and Advanced interfaces you will need to first click the “Install Key” button) or copy (highlight the key then press and hold the "Ctrl" and press the "c" key) and paste (click into the Activation Key box then press and hold the "Ctrl" key and press the "v" key) the purchased Activation Key. Press the "OK" button to display the product license agreement. If you agree with the license agreement, press the "Accept" button. If you do not accept the license agreement, press the "Decline" button to continue operating in Secutor Prime Free Edition mode. Press the "Done" button to close the activation window. Restart Secutor Prime now to take full advantage of the newly unlocked features.
The Multiview main window is divided into four main sections.
Figure 1: Multiview Main Window
Results Displays discovered assets and the most recent benchmark assessments as they are performed. An Offline assessment that is done against a directory containing results files will simply populate the tree with those assets and results without performing an actual assessment. As an assessment is performed this section will update to reflect discovered assets and details about them.
NOTE: The assessment tree only displays and scores the most recent results. In many cases there may be older results available, but for the sake of simplicity and to best represent the current state of any asset, only the most recent assessment for each benchmark will be displayed and included in the scoring information. To find older assessment results you can browse them individually from the File Open Saved Assessment menu option.
Actions Used to define what is to be scanned and start it. The type of scan can be selected by clicking one of the active buttons along the top of this section. Depending on the license level some scan types may not be active. The currently selected scan type will have a green background. Options for each scan type will be shown when the type is selected, and in some cases may be limited by the type of license used. When all options are set, click the “Start” button to begin the assessment.
Selection Details A context-sensitive display that gives more detailed information about the item that is selected in the Results section. What type of data is displayed will depend on what type of item is selected in the Results tree. When a selected asset has results available, the most recent result for each benchmark will be listed as well. Double-click on a benchmark result entry (or select it and click the View button) to view the details of the benchmark results.
Progress Summarizes the number of discovered assets and how many are still pending assessment completion. The Details button will open a log that scrolls actions as they happen. You can choose whether or not the details log will open automatically when the Start button is pressed by checking the option Automatically open the details monitor when an assessment is started on the Assessments tab from the menu option Contexts Context Settings.
Use the File menu to exit the application or to open a saved assessment. When opening saved assessments, any assessment results in the Magnus format can be opened, regardless of which Secutor product produced the results.
Contexts allow you to save the configuration of your assessment options under a context name. You can then switch between contexts at any time to set the application to those settings.
Options stored with each context include benchmark content settings, results location and path naming, and the current Action controls. Any changes you make via the Content, Deviations, and Authentication options will immediately be saved to the current context. Changes to the Action controls will be saved when the Start button is pressed.
Switch Context will present a pick list of saved contexts to switch to (less the current context). Clicking on a name will immediately switch the application to that context.
Create Context will prompt for a name, then make a copy of the current context under that name and switch the application to the new context. Any changes made from that point will be to the new context.
Manage Contexts… presents a list of all contexts and gives you the ability to remove any of them. If you remove all contexts the system will create a new one called “default.”
Context Settings To change settings for how the context performs assessments. Each context has a different set of settings. Switching a context will also enable all the settings for that context.
As each assessment is performed a results document will be created. Use the Results section to control where those results are written and the directory structure to be created to organize the results. A separate subdirectory will be created below the Base Directory for each assessment context, with further subdirectories created depending on what other names you have selected and the order you arranged them in.
The system will create meaningful names for each result file based on the benchmark, but de-selecting some of the subdirectories and/or running multiple assessments against the same asset on the same day will result in multiple results files with the same name. The system will automatically append a sequence number to each duplicate file name if that is the case, but you can check the option Overwrite files with the same name to change this behavior. All options in this section can be different for each assessment context.
The application is capable of performing multiple assessments at the same time to reduce the amount of time to complete the full assessment task. The actual assessments are extremely processor-intensive, so it is recommended to leave the number of Concurrent Assessments set to the default value of two (2). Increasing the number of concurrent assessments will make the application very slow to respond to user input.
Service probes are used by remote assessments to locate services the application can query for the necessary assessment information. These probes are very lightweight, so setting the number that can be checked at one time to a high value will have very little impact on the application and will speed up the process of identifying networked assets that can be assessed.
NOTE 1: This application is not optimized as a network mapping utility. It will only identify and display network assets that have an accessible service that the system can use for data collection. There may be many other assets attached to the network being assessed, but if they do not have an accessible service they will not be displayed in the application. However, for completeness, all computers that match the search criteria when doing a Directory Service enumeration will be displayed, even computers that cannot be resolved to an IP address or do not have an accessible service available. You can, however, check the option Show all local assets for Network actions and the system will attempt to locate all live systems on the local subnet.
NOTE 2: Some operating systems, such as the Microsoft Windows desktop operating systems, have a protection mechanism built into the networking system that limits how many network connections can be in attempted at one time. This greatly limits how quickly the discovery phase of a network assessment can be performed no matter how high the Concurrent Service Probes value is set.
Use the Detect Available Services section to define what services the application should look for during the discovery phase of a network assessment. Each probe can take a fair amount of time to complete so it is best to keep the number of services to check to the bare minimum.
Using the Display tab of the Context Settings you can also change the values that Secutor Prime will use when indicating pass, warning, and fail for calculated scores, measured as a percentage of passing to failing rules.
Secutor Prime three different user interfaces, each geared toward different usages. Select a menu option to restart the application with a different interface style:
Simple: The quick and easy way to do a full compliance and vulnerability audit of the local system.
Advanced: The original interface, focused on interacting directly with a single benchmark with the full suite of tools, including Deviation Profiling and Remediation. Some features are only available with the proper license.
Multiview: For targeting multiple systems in a single assessment from your desktop, and with the use of Assessment Contexts, allows easy segregation of assessment configurations for multiple locations. Many features are only available after activation with the proper license.
The Content Manager gives you control over your collection of benchmarks to be used during assessments.
Figure 4: Multiview Content Manager
All changes made in this dialog are saved to the current assessment context. Secutor Prime uses three pre-defined directories beneath the application installation directory for maintaining assessment content. The oem-content and vulnerability-content directories are maintained by the application from a master repository so adding and removing content from this directory is discouraged. The checkbox labeled OEM Content refers to the application’s oem-content directory and is used for compliance benchmarks. The Vulnerability checkbox is for the application’s vulnerability-content directory and is reserved for application-maintained vulnerability benchmarks.
To make custom content globally available to the application, you can use the user-content directory under the application installation directory. The User checkbox is used to indicate whether the application should look in this directory when searching for applicable benchmarks. This directory should be used for compliance benchmarks only – any vulnerability benchmarks in this directory will be ignored.
You can also use the Other Locations… button to add more directories anywhere on the system. Any directory you add as well as its subdirectories will be searched for applicable assessment content when the assessment is run. After adding a directory you will need to indicate what type of content that directory contains by clicking in the Type column. Choose OVAL if this directory is used for vulnerability content, or XCCDF if the directory contains compliance content. Documents that do not match the selected type will be ignored.
NOTE: As of the initial release the Multiview interface does not directly process OVAL content. To perform an OVAL vulnerability use the Simple or Advanced interface.
If the checkbox Use the most recent only is checked, then only the most recent revision of any benchmark will be used in cases where multiple copies of the same benchmark are found. If this box is unchecked then all benchmarks will be added, possibly resulting in multiple assessments.
When you click the Show >> button the system will perform a search according to the options you have set and display the results in the table on the right. You can toggle the Enabled option for any listed benchmark by double-clicking in that column for the benchmark. That choice will be saved as part of the current assessment context. In this way you can further refine which benchmarks will be used when the assessment is performed.
A rule-based system for defining what deviation profiles are applied during the assessment, if any. To create a deviation profile, use Secutor Prime in Advanced view.
Figure 5: Multiview Deviation Manager
The rules in the Deviation Manager are evaluated in the order they appear. The first rule that matches is used.
Figure 6: Deviation Manager Rule Editor
Use the Deviation Rule Editor to create and edit the conditions under which a deviation profile will be applied.
Use the Browse button to select the XML file that contains the deviation profile you created. If the file contains more than one profile you will be shown a pick list for which profile to use for this rule, otherwise the profile will be automatically selected for you.
You can create multiple terms for each rule with matches based on IP addresses, a specific benchmark, the operating system, or a component of a directory service distinguished name (DN). When Benchmark is selected as the match field type clicking in the Condition cell will show you a list of all benchmarks currently known to the system (as controlled by the Content Manager). Likewise, with OSFamily selected, clicking in the Condition cell will show a list of supported operating system.
The Authentication Manager uses a rule-based system for applying authentication information during an assessment. Explicit authentication is not needed for assessment of the local system or for processing offline data files, but is needed for remote assessments. In some cases you can perform remote assessments in a Windows environment without explicitly authenticating to each remote target, but in that case some tests will not be able to be performed.
Figure 7: Multiview Authentication Manager
Authentication information is stored on the local computer in an encrypted format and requires a password to access. A separate authentication database with a separate password is kept for every assessment context, enforcing isolation of all authentication information. Changing assessment contexts completely unloads the current authentication information and forces the need to re-authenticate to do the next assessment.
For each candidate assessment target, rules are applied in sequential order until a match is found that can be used to perform the assessment. If all matching entries are tried and none are found to work, the system will prompt up to three (3) times for an account/password for that target.
When being prompted for a password, all other assessments that also require manual authentication will be suspended until prompting for the current target asset is complete.
By using the checkboxes on the bottom of the manual authentication prompt you can tell the system to stop prompting for authentication for the duration of the current assessment, in which case each candidate target that does not have a valid entry already in the authentication database will be marked with an error status and skipped. You can also have the credentials added to the authentication database if authentication is successful. In that case they will be added to the end of the list with a type of default, so you should edit the authentication database before exiting the application.
Each credential entry can contain multiple match conditions to refine the rule, including which target(s) it should never apply to. You can also indicate which software component the rule applies to (currently only Operating System and Default are supported). The Default applicability indicates that the authentication information should be attempted in all cases.
The match field for each rule term can be an IP address or DN (Distinguished Name) component, or any combination of the two. For IP addresses, the Condition uses the same syntax as the notation used for Network assessments. For DN matching the Condition is a free-text field with a comma-separate list of DN terms in the format term=value, such as CN=sample.com to match on the domain name.
Used to adjust application settings for all users of Secutor Prime on this system. Changes made using this control will also affect the other interface styles.
When using the Multview interface style the only application-wide settings available are for the auto-update system.
Options in the Proxy Settings section apply only to the auto-update system.
Use of a custom update source is available for organizations that want to simplify keeping Secutor Prime installs current, but access to the ThreatGuard web site is not available. To set up such a service, contact ThreatGuard support at Support@ThreatGuard.com.
All options controlled by this dialog apply only to the current user.
This tab is used to change the appearance of assets and assessment results lists on the main display.
You can select which field values will be included in the title for listed assets and results on the main display and what order these fields are displayed in as well as the rules for how to sort the list of assets and asset results. You can also change how assets are sorted from the main window by using the right-click menu option.
Settings will be applied to the current display immediately when the “Save” button is pressed.
Defines the location of the log files and what information level to persist to the logs. Logging is divided into two separate categories: the Assessment Engine and the Secutor Prime application itself.
The Logging tab also contains a View button for each log category that will open the current log file the default text viewer for your system.
In general, the application log is the one most likely to contain useful information. The assessment engine log will primarily contain detailed information about interpretation of the benchmarks and collection of the necessary data items from each asset to apply to the benchmarks.
Use the items under the Analysis menu to look at assessment results for multiple assets in more detail. To start, select at least one item in the Results list on the main application window, then select the item from under the Analysis menu that matches how you want to organize the results.
Refer to the section on Data Analysis in this document for more details.
Uses the default application for your system to open and display this User’s Guide. If no application can be found to open the User’s Guide document an error message will be displayed.
You can manually trigger a check to see if there are any applications to the Secutor Prime application or the supplied benchmarks. If updates are available they will be automatically downloaded and you will be prompted to install them or not.
To activate the licensed features of the application a license must be installed. Which options become active and visible depends on the type of license installed.
Shows information about this release of the Secutor Prime application.
Multiview supports doing multiple concurrent actions using the network and directory service action types, as well as offline actions using the Offline action type. In all cases the strategy is to separate discovery from the actual action type. As candidate targets are identified actions are immediately started, up to the maximum number of simultaneous actions set via the user options.
The actual action types and options available to you will depend on the level of installed license.
Multiple strategies are supported, depending on the license level. All action types are performed within the settings of the current Context, to include authentication information, available benchmarks, etc. The context will also retain the details of the last run as well, such as the action type and target scope definition, so the next time you switch to that context (or open the application if that context was active when Secutor Prime was last closed) the same action and details will be shown.
All action types that use additional options (Network, Offline, Directory Service) will also retain the history of up to 14 of the most recent actions for that type. Access the previous settings by moving the slider bar. The history will only retain the most recent 14 settings for each type (and will not retain authentication information), with older settings being discarded as the number of different actions exceeds 14. Any history point that has the “Preserve” checkbox checked will never be discarded. If all 14 history points have “Preserve” selected then no more history points will be retained.
Run a single action against the local machine only. No other options are available for this action type.
Figure 14: Multiview Main Window Local Action Detail
The offline action descends a directory of data files and performs work on each recognized data file. The type of work will depend on the file type. Files found during an offline action that contain audit data from a recognized system (Polycom devices or Blackberry security profiles, for example) will trigger an immediate assessment of the data in that file. The system will automatically determine the correct set of benchmarks to use for each data file from the active set available for the current context.
Figure 15: Multiview Main Window Offline Action Detail
This is the preferred method for doing assessments of critical infrastructure and embedded systems, such as routers and firewalls and can also be used for BES (Blackberry Enterprise Server) IT security policies. This allows you to perform assessments without fear of affecting operational infrastructure, to check the integrity of backups, and so on.
To do an offline action set the Data Source field to the topmost directory under which your data files are stored, then edit the Source Name Filter, if necessary, to keep the system from attempting to interpret inappropriate files within that same directory tree or to refine the collection of data files to a subset. If a filter rule is not defined the system will use a default of “*.xml”.
Use IP addresses to define the target scope of the action. The notation will be expanded into a list of all possible IP addresses and the system will then locate every live host in that list where a network action can be attempted. The total number of candidate target addresses is capped at 65535 – expansion of the address notation will stop when that limit is reached.
Figure 16: Multiview Main Window Network Action Detail
You can use a variety of notations to define the target scope of the action:
One or more discrete IP address(es)
Dashed (address range)
CIDR (Classless Inter-Domain Routing)
You can also use any combination of notations by separating each term with a comma. In all cases the number of potential targets is capped at 65536.
Notation types cannot be mixed in the same term, but you can combine different notation types in a comma-separated list. That is to say, using both a “-“ and a “*” in the same address such as “10.11.12*.1-100” would be an error, but “220.127.116.11-100, 1.2.4.*” is perfectly legit.
NOTE: The IP-based network discovery is not intended as an exhaustive network-mapping tool. The identified assets listed in the main application window will only be those that meet the minimum requirements for an action to be attempted, such as having at least one usable service available.
Dashed notation specified a range of addresses by using a dash in any of the parts of the address. For example 10.11.12.1-100 will expand to the possible addresses of 10.11.12.1 through 10.11.12.100, inclusive, for a total of 100 possible IP addresses.
Unlike the other notation types dashed notation will not automatically remove the network and broadcast addresses. This might cause unexpected results during network discovery and assessment, so you might need to break the notation up into multiple terms to avoid this.
A dash can appear in any of the parts of the address, but any term that would expand to more than 65536 candidate addresses will be ignored.
The “*” is used as a wildcard character to represent any missing values for that part of the address. In the simplest case this would be used to indicate all possible addresses in a range. For example 10.11.12.* would expand to all addresses from 10.11.12.1 through 10.11.12.254 (Note that the network address of 10.11.12.0 and broadcast address of 10.11.12.255 are automatically removed from the list).
But you can also limit this by indicating some of the address range to include. For example 10.11.12.1* would be every address from 10.11.12.100 through 10.11.12.199 and 10.11.12.12* would be every address from 10.11.12.120 through 10.11.12.129.
If you think of the address part as a three-digit number padded with leading zeros you can also use this notation to indicate ranges less than 100. So 0* indicates a three-digit number where the first number is always zero, which would be 000 through 099 (or 001 through 099 when it appears as the last term as 000 would be the network address and therefore automatically removed from the list). Similarly 00* expands to 000 through 009 (or 001 through 009).
In this manner 2* expands to 200 through 255 (or 254 when used in the last term) while 02* expands to 020 through 029.
As a special case, since there are no IPv4 addresses with a value greater than 255, you do not need to explicitly add the leading zero when you want indicate a range in the 30’s, 40’s and so on through the 90’s. Simply indicating 5* will expand to 50 through 59.
For the purposes of removing network and broadcast addresses, wildcard notation assumes that all addresses are class C (that is, they have a netmask of 255.255.255.0 or CIDR notation of /24). If you need to express a range of addresses that don’t fall on a traditional class C boundary, use dashed or CIDR notation instead.
A wildcard can occur in any of the parts of the address, but if the notation would result in more than 65534 candidates addresses that term will be ignored.
CIDR (Classless Inter-Domain Routing)
Use a trailing slash and number to specify the subnet. For example, 10.11.12.0/24 indicates a traditional class C subnet of 256 addresses (254 host addresses, plus the network address of 10.11.12.0 and the broadcast address of 10.11.12.255).
When using CIDR notation the network and broadcast addresses will automatically be removed from the resulting candidate list, so a /24 network will have 254 candidate addresses, a /25 mask will have 126 candidates, and so on. A mask of /32 indicates a single explicit host (that is, 10.11.12.13/32 will be treated as if you had typed 10.11.12.13). A mask of /31 would have a total of 2 addresses, but after removing the broadcast and network addresses that leaves no candidate addresses, so expanding a /31 mask will result in no addresses to assess.
If you specify the full IP address along with the mask the system will treat that address as the starting point within the subnet and create a list starting with that address and continuing to the last possible target address in that subnet. For example, a mask of /28 would have 16 possible addresses in each subnet (or 14 possible targets after removing the network and broadcast addresses). The possible blocks of addresses would then run from 0 – 15, 16 – 31, 32 – 47, and so on up through 248 – 255. If you specify the notation as 10.11.12.0/28 the system will then expand that into the addresses for the first block, which would be 10.11.12.1 through 10.11.12.14 (again, the network and broadcast addresses for that subnet have been removed). Similarly if your notation is 10.11.12.16/28 then the resulting candidate addresses would be 10.11.12.17 through 10.11.12.30. However, if your notation is 10.11.12.21/28 then the list of candidate addresses would be in the same subnet, but would be the addresses of 10.11.12.21 through 10.11.12.30, for a total of 10 possible addresses instead of the full subnet of 14.
CIDR notation is capped at a mask of /16, limiting the maximum number of addresses in a single term to 65534.
Exceptions are indicated by using any of the other notations, but putting a minus (“-“) sign in front of the term, indicating that the IP addresses that match that term are removed from the final list.
10.11.12.13 The single IP address of 10.11.12.13
10.11.12.13/32 As above, the single IP address of 10.11.12.13
10.11.12.13, 10.11.12.15, 10.11.12.93 Explicitly just these three IP addresses
10.11.0-1.3-4 Expands to 10.11.0.3, 10.11.0.4, 10.11.1.3, and 10.11.1.4
10.11.0-1.3-4, 10.11.12.93 Same as above also includes 10.11.12.93
10.11.10*.* All class C addresses (1-254) for every subnet from 10.11.100.0/24 through 10.11.109.0/24
10.11.12.*, -10.11.12.0-10 All addresses from 10.11.12.0 through 10.11.12.255 except for 10.11.12.0 through 10.11.12.10
Multiview can also query an LDAP server for a list of candidate targets, including Microsoft Active Directory (AD) servers. After authenticating to the specified server every object that matches the Asset Filter is enumerated from the server and an assessment of each begins.
Figure 17: Multiview Main Window Directory Service Action Detail
As with network actions, the first stage of a Directory Service action is to determine if each target is alive and has at least one available service for running an action against, but unlike the network action, every computer known to the directory server will be listed whether or not it is currently on the network or able to be assessed.
Another important difference between IP-based networked scanning and Directory Service scanning is that each enumerated target computer is referenced by network name on the directory server and must be resolved to an IP address before an assessment can begin, so the computer where Multiview is running must be configured to resolve these names to IP addresses. More information about NetBIOS name resolution is available at http://technet.microsoft.com. If it cannot resolve the machine names then the enumerated assets will be listed but there will be no assessment activity.
For best results Directory Service assessments should be run on a machine that is a member of the domain and using a DNS server that is integrated with the domain to help assure that enumerated machine names can be resolved to IP addresses. When doing assessments from a computer that is not a member of the domain name resolution is likely to only work for assets in the same local subnet.
When enumerating assets out of a directory server you can create a filter to assess a subset of assets by editing the Asset Filter field. You can edit this directory as a text field, but it is recommended that you use the Build button to avoid syntax errors. It is also recommended that you always include the term (objectclass=computer) as part of the filter to avoid enumerating user accounts, groups, and other non-computer assets.
If you leave the Asset Filter field empty the system will assume a default filter of (objectclass=computer).
When using the Directory Service type of action it is very helpful to have the Activity Monitor open as error messages about the validity of authentication or filter syntax will be displayed there.
The import action will descend the active directories you specify looking for files that contain assessment results and loading them into the current display. It can recognize both Magnus and XCCDF results format.
Figure 18: Import Action
You can predefine a set of directories that contain results files and use the Active checkbox to turn each directory on and off. If the control in the main window is too small to work with easily, use the button on the bottom right side of the table to fly out the controls to a much larger dialog window. Exit that dialog before starting the action.
Imported asset results will contain data from all assessments located from each directory. The main display will only show the most recent of each known benchmark results, but you can use the History: Graph and History: Table buttons as well as the tools from the Analysis main menu category to show the complete history for any selection.
NOTE: Importing the details for individual assessments requires a lot of memory. Prime will automatically stop the import when available memory is getting low. If you have a need to maintain statistics on that many assessments, or more, we recommend using an enterprise assessment solution such as Secutor Magnus. Also note that with all memory in use you will not be able to generate Advanced Reports for multiple benchmarks and attempting to do so may cause application problems.
Secutor Prime will use what details are available in each result file to attempt to correlate it with any asset already loaded in the system or create a new one when a good enough match is not found. This makes it possible to mix and match Action types. For instance, you can import results for your current context, then run a live Network assessment against the same set of assets, which should result in each asset in the Results list having both historical assessment data as well as current results loaded in the system.
NOTE: When using the Results context menu item Re-Queue for Assessment, the target of the assessment will be the IP address as currently loaded. If the IP address for that asset has changed the result of the assessment will be for whatever asset is currently using that IP address, if any. Also, some asset types, such as those from an offline assessment, cannot be re-queued for assessment: check the Activity Monitor for information messages.
In general, using Magnus results files as your data source will result in a high degree of correlation with XCCDF results files being less reliable, so it is possible that the list of assets shown in the Results section of the main window will contain some duplication.
The process of importing and correlating a large number of assessment files can be very time consuming. The Activity Monitor will give feedback on the progress of the import.
Contexts allow you to create a set of system settings and quickly switch between them so that you don’t have to re-enter information for common tasks.
This includes authentication information. Each context uses a completely separate data file to store its authentication information and a different password to encrypt the authentication information, so auditors can maintain completely isolated setups for each location or customer they visit.
Making changes to the settings for each context is transparent. As you interact with the application, any change you make (such as defining a new network range to assess) will be saved to the current context.
The Switch Context… menu option will show you a list of all available contexts, other than the one that is currently active. Clicking on a name will immediately switch the application to the settings for that context. If the authentication database had been accessed under the previous assessment context, that information will be cleared from the application.
Use the Create Context menu option to start a new context. After naming the context the application will switch to the new blank context.
The Manage Contexts… menu option will let you delete or rename a context.
Note 1: Deleting a context will not delete any of the results files created while using that context.
Note 2: The name of the context is used to identify a subdirectory below the base directory for storing results using that context. Renaming a context will not rename the existing directory, but it will create a new directory using the new context name the next time an action is run.
The Activity Monitor is used to display messages as the system is performing an action.
Figure 19: Multiview Activity Monitor
Activity messages consist of four parts: A timestamp, an importance level, a message type, and the message itself. Use the check selections under the Importance and Type menus at the top of the Activity Monitor window to show/hide messages that are generated under that importance level or type.
You can filter the list of displayed messages by typing in the Text Filter. When the cursor is on this text box and you hit the Enter key only messages that exactly match what you have typed (ignoring upper/lower case) will be displayed. Remove all text from the Text Filter box and hit Enter again to remove the filter.
When you select an asset in the Results area of the main window and select the right-click menu item Filter Event Details… the Activity Monitor will be filtered to show only messages that apply to that asset. Change the filter focus by selecting a different asset and using the right-click menu again, or click the Clear button on the Activity Monitor to revert to showing messages for all assets.
Normally the Activity Monitor will automatically scroll to the most recent message as new events occur, but you can toggle the Pause button to enable/disable this.
In many cases when a control or menu option does not produce the action you are expecting the reason will be logged in the activity monitor.
As assessments are performed the Results section of the main window will be populated with assets and the amount of detail available for each asset will depend on what type of assessment has been performed for it as well as any additional information that can be gained from the assessment results.
Selecting an asset, either via mouse click or keyboard navigation, will population the selection details with more information about that asset, including the most recent assessment results. You can view the full details for any assessment results by either double-clicking on its entry in the list, or selecting it and clicking the View button. Additionally, for licensed Prime users (Offline, Pro, Pro+, and Auditor) the buttons History: Graph and History: Table will be available on the results list. These will be clickable any time multiple assessment results are selected (that is, by selecting more than one benchmark, by selected a benchmark that has multiple assessment results available, or both).
Figure 20: Benchmark Viewer
Immediately below the benchmark and asset identification details on the top section of the benchmark viewer is a drop-down selector for selecting from available profiles, if any. Some benchmarks include additional profiles for organizing the results according the 800-53 controls, in which case that view will be available in the drop-down list as an additional profile. For more information on how to interpret the rule results, refer to the Assessment Profile Tree section from the Getting Around the Interface topic of the Advanced Interface section of this document.
In addition to the traditional Category View, the benchmark viewer contains an additional Flat View tab for viewing the benchmark details as a tabular list. In this view the rules can be sorted by clicking on any column heading. Clicking again on the same column header will reverse the sort order.
Selecting any rule in the benchmark will populate the bottom section with additional details, such as a description of the rule, references, and detailed findings from the assessment process.
By default, the view will hide categories that have no subordinate items, which includes descriptive text items for some benchmarks. To display this “empty” category, check the Show Empty Categories item at the bottom of the window.
If Secutor Prime has been activated with a valid license the Advanced Reports menu item will appear at the top of the Benchmark Results window. For more details on using this, refer to the Advanced Reports topic in the Results section of this document.
The Results Context Menu is accessed by right-clicking inside the list of results on the main application window. Certain options will be disabled depending on whether no, one, or multiple assets are selected from the list of results.
Follow the submenus beneath the Sort menu item to select how you would like the list of assets sorted. The list will be updated immediately and this sort option will be saved as the new default sort option.
When this menu item is selected the Activity Monitor will be updated to only show messages that apply to the selected asset.
Opens the Assessment History graph view for the selected asset. This option will only be available after activation with a valid Secutor Prime license key of Offline, Pro, Pro+, or Auditor.
Select one or more assets in the Results list to start a new assessment for those assets. The system only allows a single action to be in process at one time so this option will not be available until the current action has completed (or has been cancelled).
This option also only applies to assets that are the result of an assessment. An entry created via a Network action, for example, can be re-queued for an assessment. On the other hand, if the asset you selected is a result of using the Offline action to load previous results files then this menu option will not trigger an assessment.
Copies the selected items, as displayed, to the clipboard, suitable for pasting into other applications such as spreadsheets, including column titles. You can also cut and paste by using Control-C on the selection, but in that case there will be no column titles.
Selects all items in the Results list.
Clears all selections in the Results list.
Asset(s) currently selected will be completely removed from the display. This will only remove them from the display and the count of assets and will not affect any data files.
You can permanently delete selected items from the hard drive, including all history for that item currently loaded. The system will not search out all possible data for the selected on your hard drive. Once an item is deleted this way there is no recovery. For more control over what is deleted, open the History: Table view for a selection, then select one or more assessment results, then right-click to get the context menu and select Delete.
When viewing an asset that has more than one result for a benchmark you can view and compare the results from each assessment using the history viewers, presented either as a tabular view or a simple line graph. From the list of benchmark results on the main window you can select one or more benchmark to view history for.
Figure 21: Tabular History View
The background color for the scores shown in this cell will change based on how that score compares to the previous assessment, regardless of the amount of time since the previous assessment: green to indicate a better score, red for a worse score, or no change to the background color to indicate the score has not changed.
You can select individual cells in this table by clicking on them, multiple cells by painting them while the mouse button is held down, or individually by holding down the control (CTRL) key while left-clicking on cells.
If exactly two cells are selected that have scores the Compare button will be enabled. Whichever cell was selected first will be shown on the left side of the comparison viewer, with the second selection on the right.
The Details button will be enabled any time at least one cell with results is selected. Clicking this button will show the full assessment details for the selected benchmark: you can also view the full assessment details by double-clicking on any cell or by hitting Enter on the keyboard after using the arrow keys to select a cell. When multiple cells are selected the Details button will open assessment details for the first selection (that is, the selection in the upper leftmost corner of the table).
After selecting one or more cells in the table you can also activate the context menu by right-clicking anywhere in the table. From this context menu you can choose Hide to remove the selected items from the loaded data in Prime, or Delete to permanently delete the data files from your computer. When using Hide the data will still be available in the future, but you will need to re-run an Import action to reload the data. Until then the hidden items will be completely removed from the loaded data set and will not appear in any other viewers or reports you run.
The Copy to Clipboard button will make a copy the entire contents of the Tabular History View window to the clipboard include the table column headers in a format that is suitable for pasting directly into spreadsheet cells.
Figure 22: Line Graph History View
An individual data point in the graph can be selected by clicking on it. You can select multiple data points by holding down the CTRL key while click on any data points. Select all data points for a single benchmark by double-clicking on any data point for that benchmark in the graph.
Once a selection has been made the Details button will show the complete details for the most recently selected benchmark results. When exactly two data points are selected, you can use the Compare button to see the difference between the two. The first selected data point will be shown on the left with the second selection on the right. When multiple data points are selected using the Details button will open the History: Table view with that data rather than the detailed benchmark viewer.
The background colors on the table correspond to the score thresholds you set in the Context Settings.
The Copy to clipboard button will make a copy of the graph, as it is shown, to the system clipboard, enabling you to past that image into other applications.
At some points Secutor Prime will give you an option to select two benchmark results from a selection of other results and allow you to compare the results for both side-by-side.
This window primarily uses the CCE identifier to correlate rules between the right and left result sets with the underlying rule ID as a secondary match criteria. This means that in many cases it is possible to compare results from different benchmarks that have overlapping rules. Even so, there will be cases where duplicate rules will be listed. Sorting the table by the Rule header by clicking on it can help spot such duplicates.
By default only rules where the result differs will be displayed but you can choose to show all rules by de-selecting the checkbox Do not show rules with matching results at the bottom of the window.
The background color-coding for each row is based on the results on the right-hand side: green for passing, red for failing, yellow for not having a matching rule, and grey if the results are the same.
If an icon is not displayed on either side that means that there is no corresponding rule in that set of results.
You can click on any table header to sort by that column. Clicking on the same column again will reverse the sort. Click on the Sort by difference button at the bottom-right of the window will re-sort the results based on the difference between the right and left sides.
Using the menu items under the Analysis main menu you can show information from multiple assessments organized either by operating system or benchmark. The table at the top of the resulting display will show the number if assessments from the selection that fall into that group and the average score for that group.
From here you can select any or all of the displayed items and view the details or use the Refine Results section on the bottom of the display to reduce the list of results to the exact data set you are looking for.
The History: Graph and History: Table buttons work exactly the same as they do on the main application window, but now they can be used to show data for more than asset or more than one benchmark, with a few restrictions.
The viewers started by the History: buttons are limited in the number of selections they can effectively display and therefore can only be used on a single selection at a time when your summary results are organized by Asset or Operating System. Even so, it’s possible to select more items than can be effectively handled by these tools so it may be necessary to select fewer items or use the Advanced Reports menu item.
Using the controls at the bottom you can select filters that refine the data from the items selected at the top of the Summary Results viewer.
For each filter type (Date Range, Asset, Benchmark, and Operating System) the list of filterable items will be drawn from the full set of data in the Summary Results viewer. Use the Select button for each filter type to edit the current filter conditions. A filter condition with nothing selected will not have any effect on the results.
To refine results by a range of dates you will need to first activate that filter by selecting the Active checkbox for it, then setting the start and end dates you are interested in.
The choices in the Grouping section determine how you want to organize the selected items. At least one item must be selected before the Show button is enabled, as well as at least one data category from the top section. To keep from cluttering your desktop with multiple windows as you refine your data set you can check the View in this window checkbox before pressing the Show button. However, when doing this you will lose the ability to go back to the previous data set. Also, when using the View in this window option, all filter selections will be retained.
If your combination of filtering and data item selection results in no assessment data no new view will be opened, but a message will be displayed at the bottom of the current viewer instead.
The Advanced Reports system available from the Summary Results view is very similar to the Advanced Reports available when viewing details of individual benchmarks, only this time it is acting on a summary of all data selected.
Use the top two sections to select what items you want to appear in the final report. You can also select what format you want the generated report to be in (PDF, RTF, or CSV).
Import Note: Using the Summary Results system it is possible to create extremely large data sets and rendering these data sets to PDF and RTF requires a very large amount of memory. Secutor Prime limits the amount of memory it will use so it is therefore possible to generate a report that exceeds the amount of available memory. If that should happen a warning message will be displayed and you will need to reduce the size of the data set in order to generate a report.
The biggest factor in memory usage is the number of benchmarks in the report: regrouping your data selection to produce multiple reports will be the easiest way around this. A memory issue is considerably less likely when using the CSV format.
The Organization section gives you options on how the report will be organized and what table of contents entries will be created. Selecting By Benchmark will put benchmarks at the top level, alphabetized by benchmark title. Using By Operating System will create a top-level organization organized by operating system with entries below each operating system for all benchmarks that have assessment results for that operating system, which will also be reflected in the table of contents.
If your selected data only contains a single benchmark then the resulting report will have no table of contents.
In addition you can also choose how the rules for each benchmark are organized using the subordinate row of radio buttons in the Organization section. If you sort by CCE ID then the CCE ID detail item will automatically be selected and you will not be able to deselect it. If the Failure Count organization is selected the resulting report will be organized such that the rule with the highest number of reported failures will appear first for each benchmark, followed by the rule with the next highest number of failures, and so on. The Pass and Fail result types will also be automatically selected and you will not be able to deselect them.
After selecting some or all of the items listed in the Summary Results view you can use the menu option to generate a CyberScope Report. You will need to enter the name of the organization this report is being generated for as well as a destination for the report.
The CyberScope Report is an XML document that uses the CyberScope 1.0.0 format as specified for the monthly reporting of key attributes as required by the U.S. Department of Homeland Security (DHS). When you generate the report an XSL transform will be copied to the same directory as your report so that if you then open the report in a web browser such as Internet Explorer the report will be rendered to HTML.
The CyberScope Report contains a summary of the evaluated operating systems as well as details on passes, failures, and deviations for every rule with a CCE or CVE number. Aside from the requirements for U.S. Federal agencies to do CyberScope reporting, this report is a good summary for the current status of your network.
When you generate the CyberScope Report, Secutor Prime will pull the summary data from the items you have selected in the Summary Results tool. For FISMA reporting the report needs to be generated for all information systems but the Summary Results tool will also let you refine the current data set before generating a report. The generated report will only use the most recent assessment results for each asset regardless of what you have selected.
Near the top of the Secutor Prime window is a panel called "Assessment Conditions". This panel displays the selected benchmark and profile title as well as the operating system to which they apply. Below that is a section that displays the currently selected deviation profile (if any). This panel can be minimized and expanded using the up/down arrow located on the right side of the panel.
After selecting an Assessment Profile, the display is populated with categories of compliance checks. Each of these categories contains subcategories and eventually the specific checks. To expand the tree, double-click on the category you wish to expand or click on the round icon to the left of the category. This method can be used to collapse the levels of the hierarchy.
The Secutor Prime interface operates in two modes: Assess and Fix. In Assess mode, those items that have a black "X" next to them in the tree will be evaluated for compliance. Those without a black "X" will not. In Fix mode, there are more types of icons next to checklist items.
The green check indicates the item passed the compliance check
The black circle indicates the rule wasn't selected for assessment or that it didn't apply to the current computer being assessed. This can happen if for instance a Windows Vista benchmark is being run against a Windows XP computer.
The red "X" indicates the item failed the compliance check
The black "?" indicates an OVAL check does not exist for a rule
The black "!" indicates an error processing a rule
A green check with a yellow background indicates a rule passed using settings of a policy deviation
A red “X” with a yellow background indicates a rule failed using settings of a policy deviation
After an assessment is run, Secutor Prime contains three areas that show status or findings. Directly above the tree is an indicator that shows the total number of unique rules that failed, passed, and were tested. Below and to the right of the tree is the summary scoring indicator. After an assessment is performed, this lists the total number of unique items tested, the number that passed and failed, and a percentage of the total items that passed. Finally, on the bottom left of the screen is the progress indicator. While assessment and remediation activities are taking place, this is updated to show the current item being assessed or fixed.
The Resources panel is located on the bottom of the window. This panel displays useful information about each item in the hierarchy. There are currently four types of information available: Details, Findings, References, and OVAL Notes. These views are switched by selecting the tab on the right of the Requirements panel.
Details tab - provides a detailed description of the selected item.
Findings tab - contains pass/fail information, including pre-remediation values that are present on the system.
References tab - displays a list of technical and regulatory guidance specific for the item selected.
OVAL Notes tab - provides metadata generated by the OVAL assessment engine during processing. This information is very useful in analyzing the logic behind an assessment result.
Secutor Prime Professional can perform all of its functions against remote computers. To do this, the remote target must meet the requirements outlined in the Target Settings for Remote Assessments
section (Appendix C) of this help.
To select the target, click on the Remote Target radio button at the top of the screen. Enter the IP address of the computer to be assessed and click the "Connect" button. Confirm that you wish to assess a new target by pressing the "OK" button. If Secutor Prime Professional was unable to connect to the remote target, a box will open allowing the user to enter a Windows domain name (if the host is in a domain), a username, and a password. The user account must have local administrative rights on the remote target for a successful assessment to take place.
By default, when attempting to connect to a remote target, Prime will attempt to authenticate using the identity of the current local user. This means that, when operating in a domain using an account that has local administrative rights on the target system, it will not be necessary to provide credentials. However, should you need to force authentication with every connection, enable the checkbox option Remote assessments: always prompt for credentials on the Assessment tab of the Settings tool.
The remote connection type used for Windows targets is NetBIOS and SSH for non-Windows assessments. If the target has both connection types available the login prompt will display green buttons for both. You will need to select the correct connection type for that target.
Before Secutor Prime can perform an assessment, it must have a benchmark and profile selected and loaded. Secutor Prime includes SCAP compliance and OVAL vulnerability assessment content available from multiple reliable public sources, but can run any SCAP/XCCDF/OVAL content that is compliant with the standards.
NOTE: The oem-content and vulnerability-content directories are maintained by Secutor Prime’s update system. If you would like to run content from other sources (or edited versions of the provided content) be sure to store them in a different location or it will be deleted/overwritten with the next update.
To select the Assessment Benchmark and Profile, click on the Change button on the top of the main application window. This opens the Select Publication tool. Check the appropriate radio button to determine what type of assessment content you would like to load: Compliance, Vulnerabilities, or Questionnaires, each of which is stored in different directories. You can change which resource directory is searched for content by using the Browse button at the top of the window. The Select Publication tool will remember the last selected directory for each content type.
A list of assessment content and their versions are listed in the Benchmark panel. By default, these benchmarks are listed using their associated titles. To display them by ID, deselect the Display by title bubble. Click on the benchmark you wish to use to activate the Available Profiles list on the bottom of the window. Select a profile by clicking the down arrow. Press the Done button to load your profile and prepare to perform an assessment.
When a benchmark is selected in the list the fields Date Authored and Date Installed below the list of benchmarks will be updated to show when the selected benchmark was, respectively, originally authored and when it was downloaded into the current installation of Prime.
Some benchmarks, such as the USGCB content from NIST, have only a single profile, so you can simply double-click the benchmark in the list to begin loading.
The Show only applicable benchmarks option uses the Common Platform Enumeration (CPE) standard to only include those resource files that are applicable to the computer being assessed. For example, this prevents Windows 2003 Server content from being listed as available assessment content on a Windows XP computer. Unchecking this option will display all available benchmarks.
It is also possible to register external OVAL variables with the system from a separate file. The values of these variables will then be used as referenced in the OVAL content being evaluated. This ability is available via the menu option File Import Variables.
By default, Secutor Prime will validate the SCAP content against the XML schema files before loading and using it. The Validate checkbox can be deselected to prevent this validation from occurring.
The Content Validation option only performs schema validation of each benchmark in the directory structure. This is a sanity check to be certain that the files conform to the SCAP document format standards, but makes no determination about the quality, accuracy, or applicability of the contents of each file and is a very time-consuming operation, so serves very little purpose in actual use.
Whether in the Assessment or Fix mode, items in the Assessment Profile tree can be selected or deselected by double-clicking on the box next to the item. Deselecting an item in the Assessment mode prevents the item from being assessed when the Assess button is clicked. While in the Fix mode, deselecting an item with a red "X" prevents the system from remediating it when the Fix button is clicked.
By selecting an item in the tree that had children and pressing the right mouse button, it is possible to select or deselect all child items under the current selection. The right-click menu also allows the user to select or deselect everything.
When you are satisfied with the list of items in the profile to be assessed (this will typically be all of the items in the hierarchy), click the "Run Now" button. This will start the assessment process. Progress will be shown in the bottom status indicator. When the assessment is complete, the status indicator will read "Done".
While the assessment is in progress the action button will change to a yellow background and have a label of “Stop Action”. You can click this button at any time during the assessment to cancel the remainder of the assessment. The system will need to wait for the current rule to be completed before it can recognize the cancellation request. After recognizing the cancel request the system will revert to Fix mode and display results of all tests that had been completed. Items that had not yet been evaluated will get a result icon of unknown (“?”).
To reassess the computer, click the "Assess" dot on the top left of the window and press the "Start Action" button.
NOTE: You are strongly encouraged to test remediation on a non-critical system before attempting it on an operational computer
Once an assessment is performed, Secutor Prime automatically switches to Fix mode. In this mode, the system will attempt to modify items that appear with a red "X" to conform to the Assessment Profile requirements. Items can be deselected to prevent them from being modified by the remediation system. When in Fix mode, as shown by the radio button set to “Fix” and the action button will have a red background, press the action button to begin remediation. After performing the assessment, the Findings tab on the bottom section of the screen will list what was found for each rule and what the policy requires.
You are advised to reboot your system after remediation occurs. This will ensure that all modified items are operating with their modified settings.
The remediation actions the Secutor Prime takes are automatically generated from the benchmark and deviation. This means that remediation can be performed for any benchmark including custom benchmarks that you author, but there are also some limitations to this system. For example, there are certain classes of items that Secutor Prime will not attempt to automatically fix, such as renaming user accounts, adding/removing software, and patch management, or tests where the setting cannot be reliably generated such as where the expected value is a pattern match. It also means that the remediation actions are only as accurate as the content from which it is generated.
If a deviation profile is loaded and contains an entry that applies to the target rule then the values in the deviation profile will take precedence. This feature can be used as a technique to create a viable remediation value for items the system would not otherwise be able to automatically generate, such as cases where the desired value is a pattern match.
To get an idea of what actions will be taken during remediation as well as which items for which automatic remediation will not happen, run the Remediation report. This will show the expected action to take to fix each rule and any rule marked as “manual” means that Secutor Prime will not attempt to perform remediation.
When using Secutor Prime to do remediation a history of the original value for each item changed will be saved in a local file and marked with a timestamp. Only items selected for remediation and for which a fix action is successful will be saved in the file. This remediation history can then be used to restore one or all changes made to the target system.
This file is created in the restore directory of the Secutor Prime application directory and given a name based on the IP address and hostname of the target computer. If that information has changed on the target computer then Secutor Prime will not be able to locate the proper history file. For that reason this capability is most reliable when used for the local computer only.
Selecting Restore Latest Changes which will change all modified settings back to the values they had prior to the most recent rollback point and remove that restore point from the remediation history file.
When multiple remediation actions have been taken the system will record each as a separate action with a timestamp. To view each set of remediation actions grouped by time, the menu option Tools Restore Points will let you roll back all remediation changes back to the selected time or delete all actions related to a time. To view what items were changed and their value prior to making the change, use the Remediation History report from the Reports menu.
You can select one or more history points to rollback changes to (using drag click, shift+click, or crtl+click). If you select more than one the system will apply the changes in reverse chronological order. Whenever possible, however, it is safest to undo changes in reverse chronological order without skipping any changes.
If the system detects an error while performing a restore it will not remove the items that triggered the error, and therefore that restore point will not be removed from the rollback file. You can use the Remediation History report to inspect which items did not change and choose to delete that restore point to allow the system to revert to prior history points.
Restoration can also be done on a rule-by-rule basis by selecting a rule for which remediation has been performed, right-clicking, and selecting Undo Last Change from the context menu. This reverts the setting of that item to the value it had before the most recent fix. If that item had been altered by more than one remediation action you will be able to use Undo Last Change to undo each change in reverse chronological order.
The security policies codified in the assessment content represent the ideal state of every applicable system, but often complete adherence to a policy will render the target computer unable to perform its primary function. Organizations therefore commonly need to deviate from policy and Secutor Prime uses a granular deviation system to enable this.
The interactive nature of the Advanced Interface of Secutor Prime is designed to let you perform remediation, restore, and deviation management down to the individual compliance rule level to let you whittle your security policy down to the best combination of security settings and functionality for your organization.
Once an assessment has been run, select Deviation Manager from the Deviations menu or click the Change button from the Deviations section of the Assessment Conditions panel.
This will let you select an existing set of deviation definitions: simply use the Browse button to locate the saved file and then click the Set as Current button to make it active. The deviations in that file will then be matched up against every assessment rule run by Secutor Prime. If any tested rule fails compliance it will then be checked against a possible policy deviation and the final result scored accordingly.
After selecting a deviation policy file you can also use the Report button to view the details of the file.
Once a deviation policy file has been set as active it will be applied to every subsequent assessment run using Secutor Prime. This setting will be retained so the same deviation policy will be applied every time Secutor Prime is started. Use the Inactivate button on the bottom of the Deviation Manager to stop applying a deviation policy.
After loading the compliance benchmark for which you would like to create policy deviations, open the Deviation Manager and select a file to store the policy deviation information.
A policy deviation file can contain sections for multiple benchmarks. This makes it possible to create a single file that contains a complete deviation record for an assessment context (for example “Internal Windows Servers” versus “Public Windows Servers”).
Since the process of creating a deviation policy means that you will be prompted for deviation information for every rule that fails compliance it is easiest if the target system is already remediated as close to full compliance as possible.
If this is a new policy deviation file you will need to fill in all the fields in the Deviation Policy Information section in the bottom section of the Deviation Manager. You can then start recording policy deviations by clicking the Profile Now button. For every rule that does not pass compliance for the loaded benchmark you will be prompted for text justifying why this deviation exists (for example, so because a particular application requires it in order to function properly) as well as POAM (Plan of Action and Milestones) information – that is, what plan of action is to be taken to remove the need for this deviation in the future. You can also record a date for when each deviation entry is expected to expire. If you don’t select an expiration date a default of one year will be entered.
Click the Apply button to apply your justification and POAM to the deviation entry, Apply To All to apply it to all failed rules, Skip to go on to the next failed rule without creating a deviation entry, Skip All to complete assessing the loaded benchmark without creating any new deviation entries, or Cancel to stop deviation profiling at the current point.
Once a deviation file has been created you can edit the file by adding or removing an individual or a group of deviations. Simply select the rule or group then right-click and select the appropriate add or set option from the context menu. Which options are enabled will depend on whether you have selected a rule or a group and whether you are using the tree or table view.
The Office of Management and Budget (OMB) working with NIST have defined an FDCC XCCDF deviations reporting format for federal agencies. This format is an XML file that documents agencies deviations from the FDCC configuration standard. In addition, the consolidated FDCC Reporting Excel spreadsheet must be completed by each federal agency and submitted to NIST. Secutor Prime Professional makes the generation of these reports very easy.
Once an agency has performed an assessment (using the FDCC profile) of a system matching their standard configuration and documented any deviations using the Deviation Manager, they are ready to export the FDCC XCCDF report. To do this, select "Export FDCC Report" from the "Federal Reporting" menu. This launches the FDCC report export tool. Fill in the report title and other options. This information will be included in the FDCC XCCDF XML report file. Information such as "Computers that have this role" will be included in the FDCC Reporting Excel spreadsheet (discussed below). Press the "Browse" button to select a location in which to save the file. We suggest you create a common directory for your FDCC XCCDF XML files. Enter the name for the file and press the "Accept" button. Now click the "Export" button to create the FDCC deviation report file.
After pressing the "Export" button as described above, the user is prompted with "Would you like to view the report using your default browser?". Select yes to have this report generated and sent for display to the browser.
NIST has defined a standard spreadsheet reporting format for use by federal agencies. This spreadsheet is to be created and submitted to NIST along with all applicable FDCC XCCDF XML files. Secutor Prime can automatically generate the information for this spreadsheet. To use this feature, the organization should first generate the FDCC XCCDF deviations files for each benchmark against the various standard configurations. NIST defines these categories of systems at the link above. These FDCC XCCDF XML files should be placed in a single directory that can be accessed by Secutor Prime Professional.
Once the files are in place, select "Create FDCC Reporting Excel Spreadsheet" from the "Federal Reporting" menu. Browse to the source directory where the XML files were stored. Next, select a destination directory where the resulting comma-separate file (CSV) will be saved. Fill-in the agency name, CIO name, and total XP and Vista computer counts in your organization then press the "Create" button. This will create a file with the name you selected and add the "csv" file extension. This file can be read directly into your spreadsheet application and viewed. You may need to adjust the widths of the columns to make this easier to read. This report can be saved as a Microsoft Excel (xls) file from your spreadsheet application for submission to NIST.
Several types of reports are available from under the Reports menu, depending on the type of benchmark that has been assessed.
Advanced Reports gives you a great deal of control over the appearance of the final report including the format of the report (PDF, RTF, or CSV) as well as what fields will be included in the report. You can also use Advanced Reports to create a report of the benchmark prior to doing an assessment. For more information refer to the Advanced Reports topic in the Multiview Interface section of this document.
When the assessed benchmark is a compliance benchmark the reports under the Compliance submenu become usable. These are all HTML-formatted reports that will automatically open the report in your default browser once the report has been generated. Each of these reports use a static name and are written into the products subdirectory below the Secutor Prime installation directory. Some reports will not be available unless other information is present. The Remediation History report, for example can only be run after a remediation action has been taken for the current target. The 800-53 reports require addition 800-53 category data that is only available in the legacy SCAP 1.0/1.1 benchmarks produced by NIST.
The Vulnerabilities report can be run after doing a vulnerability assessment using an OVAL vulnerability benchmark.
In addition to the Benchmark and Assessment reports, there are also Windows convenience reports for Users, Services, and Patches.
Advanced Reports are available only for XCCDF (compliance) benchmarks. They give you a great deal of control over what appears in your report and how it is organized. You can also use Advanced Reports to print the content of a benchmark before doing an assessment, giving you a reference document of the benchmark.
Check which detail items you want included in your report. Your selections will be remembered by the tool so the same settings will be set the next time you run it. Some items, such as findings and fix actions, are only available after an assessment has been performed. If any of these are selected when you run a report before doing an assessment they will simply be omitted from the final report.
Select which result types you want to appear in the final report. Your choices will not affect the content of a report if no assessment has been run, nor will it affect the statistics line that appears at the top of the first page.
Advanced Reports can be produced in PDF (Adobe's Portable Document Format), RTF (Rich Text Format), or CSV (Comma-Separated Values). The RTF format is useful for importing the report into other documents, such as Word. The CSV format is useful for importing into spreadsheet applications such as Microsoft Excel.
Some output formats support including a graph on the title page (PDF and RTF). When either of these report formats is selected the Show Chart checkbox becomes enabled. Selecting CSV as the report format will automatically disable charts. When including a chart in your report you can have be either a pie chart or a horizontal stacked bar. You can also choose whether or not you want a 3-D perspective applied to the chart.
Select how you want the final report organized. The Category View is the same view presented in the main Prime interface, and if the benchmark has grouping information available for the 800-53 controls then you can also check Organize by 800-53 controls as the categorical organization.
A Flat List organization will omit the grouping headers from the report and simply list all of the rules from the benchmark. Choosing this organization type will also let you sort the rules alphabetically by the rule title or by CCE ID if a CCE ID is available.
Use the Browse button to open a file save dialog to select where you want your report written to. You can also edit the path and final file name by hand. Note that if you do not include a file name extension, or the extension does not match the selected Report Format, then it will be changed when the final report is written out.
If the Launch document viewer after the report is generated checkbox is checked the application will attempt to locate the default application installed on your system for viewing the file type for the report you just generated. For example, if you generate a report formatted as PDF and have Adobe Reader installed, then the system will attempt to open Adobe Reader with your new report.
Most of the time the checkbox Delete intermediate file on successful render should be checked. The Advanced Reports system uses an intermediary XML file type to record the report data resulting from your choices, which is then rendered to the final report type of PDF or RTF. This intermediary file is not user-friendly and is simply clutter, and should normally be deleted by the system. However, you may wish to retain this intermediary file for trouble-shooting purposes or to use with other commercial XML-FO rendering systems.
Secutor Prime includes capabilities to export findings in OVAL format and comma separated value (CSV) format. The CSV export feature provides a means to export results associated with Vulnerability, Compliance, Patch, and Inventory assessment while the OVAL export tool can export Vulnerability and Patch findings. Data exporting is only available in the Advanced Interface.
The OVAL export tool is launched by selecting the menu item File --> Export As --> OVAL. Use the tool to select the types of test results you wish to have included in your OVAL file and then select the type(s) of content (vulnerabilities and/or patches). Secutor Prime can generate standard full and thin OVAL results files. These can be imported by any certified OVAL results consumer. The results file can also be compressed (in .gz format). Finally, the destination browser allows the user to select where and by what name the results file will be saved.
NOTE: By default, the OVAL Export menu item is disabled. It is automatically activated when OVAL vulnerability content has been loaded and activated. To do this, go to "Tools-->Settings". Click on the "Assessment" tab. Click the "Vulnerabilities" check box and select the file "windows.oval.xml" from the resources subdirectory. You may have to do a "Check for Updates" from he help menu to make sure your Secutor Prime has this file...
The CSV export tool is launched by selecting the menu item File --> Export As --> CSV. This tool provides a very comprehensive and configurable method to export data from Secutor Prime. To use the tool, first select the types of test results you wish to export. Next select type(s) of content you wish included in the export. Options include vulnerability, patch, compliance, and inventory content.
The Format section provides a means to customize the export elements and format of the data. Clicking on the format items places a letter in the Format Mask. The order of the letters indicates the order in which they will be listed in each row of the export file. A custom Field Delimiter (other than a comma) can be used by simply replacing the comma in the Field Delimiter box with any desired character. The Clear button removes the current Format Mask and allows the user to create a new one. The Backspace button removes the last item listed in the Format Mask. Finally, the destination browser allows the user to select where and by what name the file will be saved.
This tool allows the user to export results from Secutor Prime for use with ThreatGuard's Secutor Magnus enterprise compliance product. The files exported using this option can be imported into Secutor Magnus using the Magnus Navigator application.
If the document you have loaded has a reference to an OCIL questionnaire you can use this option to export the complete questionnaire it references, including the details for any questions that have already been answered, notes, attachments, and so on.
The text boxes in the Export Questionnaire dialog let you fill in details about who answered the questions (the “Assessor”) and what organization the questionnaire is being filled out for (“Assessment Subject”). The assessor name will also be used as the organization contact.
The system includes a Find tool for use in searching the Assessment Profile and results for information. This tool is access by selecting Find in the Tools menu. To use the tool, simply enter the text that you wish to find and press the Next button. Each press of the Next button will take you to subsequent locations in the tree where the term was found. The Previous button moves through the tree in reverse order. The Look in checkboxes allow the user to restrict or expand the data areas to search.
Finding Tests by OVAL ID: The Secutor Prime find feature allows the user to search for test definitions by OVAL ID in a variety of ways. First, the user can simply search for the OVAL ID using all Look in fields. The OVAL ID can show up in a variety of places. The OVAL Notes field can be used to search for a wide variety of OVAL-related information. Additionally, Secutor Prime includes an option to display vulnerability content using the OVAL ID as the title in the tree. To search for an OVAL ID in the title, use the Tools --> Settings --> Assessment dialog to load vulnerabilities and set them to Display as OVAL ID. Then in the Find dialog, enter the OVAL ID in the Search For: field, ensure the Title box is checked, and click the Next or Previous button. This will find any loaded vulnerability definition that matches your search string.
The Settings tool is used to configure various Secutor Prime features associated with automatic updates, assessment capabilities, and remediation. It is launched by selecting Settings from the Tools menu.
By default, the application checks the ThreatGuard.com website for updates once a day and downloads any updates in the background. To force the application to check for updates each time it is started, simply select that option. If automatic updating is not desired, select the "No Automatic Updating" option. It is also possible to change the default location (the ThreatGuard website) from where updates are pulled. Large organizations (or organizations without Internet access) may wish to install the Secutor Prime update files on a local intranet server for distribution. To change the default update server, select the Custom button and type in the full address. For example “http://www.ThreatGuard.com/secutor".
Note: The update source must comply with the Secutor Prime format. Update source may be obtained directly from ThreatGuard for this purpose.
For sites that use a proxy server to control Internet access, settings for your proxy server can also be entered here. Currently the update mechanism supports HTTP proxying (not HTTPS) with Basic authentication. By omitting either the user name or password authentication with the proxy server will be skipped.
The Vulnerabilities section at the top of the Assessment tab is primarily for use when Prime is in Simple mode and can be ignored when using Prime in Advanced mode. When in Advanced mode you can use it to manually load an OVAL vulnerability document, but this is more easily done using the Select Publication tool. You can also use this section to switch the Prime display to display vulnerability definitions by OVAL ID rather than the definition title, which can be helpful for content developers.
In licensed versions of Secutor Prime it is possible to do agentless assessments of networked computers. By default Secutor Prime will attempt to authenticate to the remote target using either the user account being used to run Secutor Prime (Windows only) or the credentials, if any, of the previous assessment and only prompt for credentials if the proper level of authentication cannot be achieved. Enabling this option will always prompt for remote credentials, allowing you to connect as a different user. In some cases this can also be used to bypass some inherent issues with Windows Authentication.
Enabling this option will cause Prime to automatically run an assessment against the local machine when it is started. If no benchmark had been active when Prime was last exited, or if the last benchmark used does not apply to the local target, this option will have no effect.
This option is most useful in Simple mode which will first locate all benchmarks that apply to the local target (or reload the last set of benchmarks used) and then do an assessment against all of them. This option has no effect when Prime is switched to the Multiview interface.
64-bit versions of the Windows operating system also contain a separate 32-bit version of the operating system, almost like having two operating systems on the same machine. Most assessment content does not account for this and since, for the most part, these subsystems operating independently, an assessment of your target is not complete unless both the 32-bit and 64-bit versions of the system are checked. To allow for this while still using the existing benchmarks and without having to load both 32- and 64-bit versions of the tool, Secutor Prime allows you to target either part of the operating system. This also applies when doing assessments of remote targets.
In normal operation Prime will detect if the assessment target is a 64-bit Windows operating system and prompt you for which subsystem you want that assessment to target and redirect the assessment as necessary, regardless of whether Prime is being run as a 32- or 64-bit application. Note that this ability to redirect is only available when the local system running Prime is Windows Vista or newer.
This option, then, lets you select a target bit level that will be used for all assessments, bypassing the prompt that happens when you start an assessment (Simple and Advanced interfaces only). Since the prompt that appears when you start an assessment has an option to remember your choice and never prompt again, you can use this option to clear that choice.
Note that when the assessment target is a 32-bit operating system and you have selected 64-bit as the target bit level, Prime will recognize that the target is not 64-bit and correctly target it as 32-bit.
When this option is selected Prime will treat all assessment content in strict accordance with the SCAP 1.2 specification. However, since most content (older content in particular) is not completely SCAP 1.2 compliant you will get false positives/negatives if this option is enabled so it is best to always leave it unchecked.
By necessity, some of the compliance and vulnerability tests use operations that can be very resource intensive and greatly increase the amount of time it takes to complete an assessment. This option allows Prime to apply some techniques to speed up the assessment at the cost of a chance of not finding some findings.
This can be helpful when trying to reduce the time and resource consumption of continuous assessments, but in that case a full non-optimized should also be done regularly for completeness.
The normal flat view will show only the rule title, results, and CCE/CVE reference (if any), but checking this option will create a forth column that shows which check the compliance rule references. This option is primarily of use to content authors.
Some types of assessment errors can be captured during the assessment operation and logged. These are useful for tracking down problems with the assessment process, but for the most part are not helpful for normal operations and could possibly contain sensitive information. If problems are found in the assessment results, enabling this option may help locate the reason. If this type of logging is not enabled then the option Remind me when there are unlogged errors will be available, which will show a popup message at the end of the assessment if errors were detected but not logged.
For Windows assessments Secutor Prime uses the native Windows libraries to perform the necessary collection of data. Enabling this option will collect an additional level of debug information during the assessment which can be useful in troubleshooting problems in the assessment process. This can potentially collect a great deal of very low-level information and should only be used when there are problems with the assessment process that cannot be resolved from the information in the other logs.
At the end of an assessment, versions of Secutor Prime with a valid license installed will switch to remediation mode which can be used to set the assessment target to match the conditions of the compliance benchmark. By unchecking this option Prime will not go into remediation mode at the end of the assessment, even if it has been activated. This can help prevent unwanted use of the remediation function.
A secondary warning box will be presented when a remediation action is initiated. Unchecking this option will bypass that warning box.
A secondary warning box will be presented when a restore action is initiated. Unchecking this option will bypass that warning box.
For every assessment target that Prime is used to perform remediation an undo log will be created by default. Unchecking this box will instruct Prime to not create that undo log, so all remediation actions will be permanent.
Some types of remediation errors can be captured during the remediation operation and logged. These are useful for tracking down problems with the remediation process, but for the most part are not helpful for normal operations and could possibly contain sensitive information. If problems are found in the remediation results, enabling this option may help locate the reason. If this type of logging is not enabled then the option Remind me when there are unlogged errors will be available, which will show a popup message at the end of remediation if errors were detected but not logged.
The Benchmark report includes very detailed information regarding the decisions the assessment engine made to determine compliance or non-compliance. This information is included for each compliance rule and is available when drilling down to the lowest level of each item in the Benchmark report. Since Secutor Prime uses the Open Vulnerability and Assessment Language (OVAL) to perform assessments, the analysis results show the OVAL decisions. These items begin with titles similar to:
The OVAL Notes tab in the Resources section of Secutor Prime also displays detailed results of each OVAL test.
Secutor Prime includes an advanced feature to assist the user in validating OVAL content. This tool is launched by selecting the menu item Tools --> OVAL Validator. This tool uses the OVAL schema xsd files to validate OVAL content files. The schema files are not distributed with Secutor Prime and must be downloaded from the Internet. Official OVAL schema files are available at:
Use the "Browse" button to select the directory that contains the OVAL schema xsd files and press the "Accept" button. Next, use the Validate "Browse" button to select the OVAL file to validate. When an appropriate file is selected, the green "Validate" button appears. Press that button to validate the OVAL file against the schema. If the file is valid, the word "Passed" appears on the bottom-left of the OVAL Validator window. If it fails, the "Details" button will appear active. Click that button to view the line number in the OVAL file and the error message that occurred. As errors are corrected, revalidate the file until it passes.
The Simple Prime interface consists of a top section that lists the benchmarks to test and a bottom section that has a few simple controls.
The first time you use the Simple interface, it will search through all known locations for benchmarks that apply to the system it is running on and populate the top section with basic information about each. For more details on each benchmark displayed you can click the Details button. This takes you to a tree view very much like the the main view in the Advanced interface that displays the structure of the benchmark and lets you select/deselect particular rules to test. After the benchmark has been evaluated this view will change to show the results of each tested rule and let you select/deselect which rule(s) to remediate.
Just below the list of benchmarks is a row of buttons:
Rescan For Benchmarks - Clears out all benchmarks from the list and looks through the default benchmark locations for any benchmarks that apply to your machine. The default locations are "resources" for XCCDF benchmarks and "resources\protected" for OVAL content.
Add Benchmark - Allows you to add another benchmark to the list. Any benchmarks you add in this manner will be remembered and pre-loaded the next time the application is started.
Reset Results - Clears assessment data and scoring for all displayed benchmarks including the Compliance and Vulnerabilities cumulative scores just below this button.
Go! - Performs the selected action. In unlicensed versions this will be limited to assessments only. Licensed versions can also choose to perform remediation by selecting that item via the radio button immediately below this button.
Finer control of each benchmark is available from the Details button associated with each benchmark in the top section of the main view. This is also where to go for individual rule results and to run reports.
For XCCDF benchmarks the top section of this display will contain a drop-down list of known profiles for that benchmark. The default profile will have automatically have been selected for you: changing that selection when more than one profile is available will be remembered the next time the application is run.
XCCDF benchmarks can also have a deviation profile selected. This profile is used to change the pass/fail conditions contained in the benchmark to reflect any variations in local security policy. A deviation profile only needs to be created once. Refer to the Deviation Manager section of this help document for more information.
Any time after the benchmarks have been loaded you can evaluate all of them by clicking on the Go! button.
Unchecking the Active checkbox for any loaded benchmark will cause it to not be assessed. You can also directly assign a deviation profile for each benchmark by using the Details button. These settings will be remembered the next time the application is started.
The selection of individual benchmark rules for assessment or remediation will not be remembered between sessions. If you wish to consistently skip one or more rules that can be achieved with a deviation profile.
For more information about creating a deviation profile, refer to the Policy Deviations & USGCB Reporting section of this help file.
After the assessment has been run you can view the full results for each assessed benchmark by clicking the Details button for any benchmark. While the benchmark details window is open you can also run reports from under the Reports menu. Which reports are available will depend on the type of benchmark that was assessed.
Refer to the Results topic in the Advanced Interface section for more information.
Secutor Prime is built around support for the Security Content Automation Protocol (SCAP). SCAP is a collection of six open standards developed jointly by the government and private sector. Security content written to the SCAP standard can be used by any product that supports the standard. This allows regulatory authorities and configuration managers a means to construct much more definitive guidance than was possible in the past. The guidance is written in the standard format and passed to security products for automated processing and reporting; common input and common output. Secutor Prime includes support for all six protocols. It uses the XCCDF and OVAL assessment protocols to determine what items to check and how to check them. It uses the CPE, CCE, CVSS, and CVE reference protocols to ensure all rules are accurately and appropriately reflected in the system. The SCAP standard references are visible in the interface, reports, and export files.
Secutor Prime includes the following SCAP capabilities
Authenticated Configuration Scanner (ACS)
OC IL Option
Authenticated Configuration Scanner
Authenticated Vulnerability and Patch Scanner
Secutor Prime Professional can perform both local and remote USGCB computer security assessments. Secutor Prime Professional operates agentlessly when performing remote assessments. In most cases, some modifications of the USGCB configuration are required to perform these assessments. For agentless operation, these modifications may differ depending on whether the computer is a member of an Active Directory Domain or is standalone.
Turn on remote registry service
Open the Local Security Policy MMC snapin and configure the following inbound firewall rule for TCP port 445.
Navigate to \Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Inbound Rules\
Right click and select "New Rule".
Select "File and Printer Sharing" from the drop-down list then click the "Next" button.
Check "File and Printer Sharing (SMB-In)" for profiles "Private, Public" and "Domain".
Click the "Next" button.
Reboot to force the settings.
Turn on remote registry service
Use regedt32.exe to add: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\
Create DWORD value named: LocalAccountTokenFilterPolicy With value: 1
Open the Local Security Policy MMC Snapin and configure the following inbound firewall rule for TCP port 445.
Navigate to \Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Inbound Rules\
Right click and select "New Rule".
Select "File and Printer Sharing" from the drop-down list then click the "Next" button.
Check "File and Printer Sharing (SMB-In)" for profiles "Private, Public" and "Domain".
Click the "Next" button.
Reboot to force the settings.
No modifications of the USGCB are required
In the GPO Editor \Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile configure the following:
Windows Firewall: Do not allow exceptions is "Not Configured"
Windows Firewall: Allow file and print sharing exception is Enabled (Add the IP address of the scanning server or the subnet).
Secutor Prime uses SSH to connect to non-Windows systems when doing agentless remote assessments. The target machine will need to have the SSH daemon installed and running and have a firewall rule allowing connection to port 22.
Additionally, some benchmarks require elevated privileges to collect all the required assessment items. Usually it is enough to use a user that is a member of the daemon, bin, sys, and adm groups, but it might also be necessary to use the root account. In that case SSHD will need to be configured to permit root access.
Secutor Prime includes seamless support for the eXtensible Configuration Checklist Description Format (XCCDF). XCCDF specifies system settings for automated tools to assess. XCCDF specifies what to check. It is the primary protocol required to process the SCAP datastream. ThreatGuard presented the first live demonstration of processing XCCDF, OVAL, and the SCAP datastream using Secutor Prime at the 2nd annual NIST Security Automation Conference, held September 2006. The Secutor XCCDF interpreting engine has been exercised by thousands of users in hundreds of Federal Agencies, hundreds of commercial sites, and over fifty countries. Compliance checklist content, like those developed by NIST for the Federal Desktop Core Configuration (USGCB), are written in the standard XCCDF format. These files are included with Secutor Prime and are used by the product to generate the groups and lists of rules to be checked. Secutor Prime generates and displays a hierarchical tree of these groups and rules when an XCCDF file is selected. The product then uses information from the XCCDF file to perform the assessment as specified in the accompanying Open Vulnerability and Assessment Language (OVAL) file.
Sector Prime includes fully integrated support for the Open Vulnerability and Assessment Language (OVAL) standard. OVAL specifies a standardized approach for assessing each system setting. While XCCDF describes what to check, OVAL specifies how to perform the check. ThreatGuard develops and distributes the world's most mature commercial OVAL interpreter. From 2004 to present day, ThreatGuard has been the first to fulfill OVAL definition consumer compatibility requirements with each major evolution of the language. The ThreatGuard OVAL interpreter was engineered from the beginning to assess local computers and remote targets using agentless 'over the wire' technology. This OVAL interpreter currently supports Microsoft Windows, as well as Solaris, HP-UX, Linux, and Cisco IOS. Support for additional operating systems and applications, such as mainframes and databases, will be added as new OVAL content is developed. Secutor Prime automatically processes the OVAL definition content as referenced in the XCCDF file to perform assessment activities. Secutor Prime also includes an OVAL Notes tab that allows the user to see the decisions made by the interpreter as it processes the OVAL content. For vulnerability content, Secutor Prime includes an option to display the OVALID in the tree as the title for each vulnerability definition.
Secutor Prime includes support for Common Configuration Enumeration (CCE) references. CCE provides a standard notation and reference to configuration settings. The SCAP datastream contains CCE tags in the XCCDF documents. ThreatGuard raises the CCE references from the SCAP content to populate user interfaces, reports, and exports. In addition, Secutor Prime includes a search feature that allows the user to search the system and results for a given CCE number. By including CCE references in the SCAP content and consuming them into Secutor Prime, it is now possible to easily compare very specific configuration settings across systems.
Secutor Prime includes automated support for the Common Platform Enumeration (CPE) standard. CPE provides a standard notation and reference to operating systems and applications. An operating system can be referred to in many different ways such as "Windows XP" vs. "Microsoft Windows XP". CPE introduces a standard notation, such as:
"cpe cpe:/o:microsoft:windows_xp" and "cpe:/a:microsoft:ie:7", enabling products to share SCAP results without pre-coordinating operating system and application references. The SCAP datastream also uses CPE to specify the OS to which a benchmark applies. Secutor Prime processes this CPE content to automatically select benchmarks that are applicable to each target system. The user simply points Secutor Prime at a directory of SCAP content files and the product performs CPE checks to determine which benchmarks apply. The Secutor Prime report and export files also include the applicable operating system or application CPE reference.
Secutor Prime provides support for the Common Vulnerability Scoring System (CVSS). CVSS provides a standardized approach to measuring the impacts of IT vulnerabilities. Each CVE includes an associated CVSS vector for use in calculating the relative severity of vulnerabilities. The SCAP datastream currently uses a flat scoring methodology, giving all compliance checks the same "weight" (level of importance). These weights are compatible with CVSS scoring. NIST, through their National Vulnerability Database (NVD), plans to include CVSS vectors and scores for each CCE compliance item. That will enable Secutor Prime to calculate severity scores for both vulnerability and compliance items. The references tab in Secutor Prime also includes links to the NVD to view the CVSS vectors and to calculate the score of each vector.
Secutor Prime includes support for Common Vulnerabilities and Exposures (CVE) names. CVE provides standardized references to known vulnerabilities. This unique identifier provides a common way to refer to vulnerabilities. CVE is the oldest of the six protocols and is directed at vulnerabilities rather than compliance items. Patch content can optionally refer to CVE names, allowing the end user to track attack vectors associated with missing patches. The XCCDF and OVAL compliance checks currently do not reference CVE names. Secutor Prime raises the CVE references from the SCAP patch content to populate the user interface and reports. The CVE name is included on the Details tab of Secutor Prime for each patch check listed in the tree. Secutor Prime can also perform vulnerability assessments using the included OVAL content. The References tab includes the CVE name and a link to the NVD site for each CVE name.
Action Work done by the application such as performing an assessment or importing data from previous assessments.
Authentication The process of positively identifying an entity for the purpose of gaining access to otherwise restricted material, usually based on a user name and password.
Benchmark A document or collection of related documents that contains the details and processing instructions of a policy necessary to perform an assessment and to score the pass/fail status of the items.
CCE Common Configuration Enumeration
CPE Common Platform Enumeration
CVE Common Vulnerabilities and Exposures.
CVSS Common Vulnerability Scoring System
Content Information used for security assessments. A benchmark is one type of content, but content can also be the policy documents from which the benchmarks are derived, security training materials, and so on.
Context A way to combine a variety of settings together and be able to quickly switch between them with just a few clicks.
Deviations When local conditions require that a configuration setting cannot be used in compliance with the policy a deviation is used to indicate that the local security authority has accepted that change. A deviation can also contain information about why it has been accepted, what plan is in place to remove the need for the deviation, and when the deviation expires.
Deviation Profile A collection of deviations grouped together for a common use, such as to be applied to a particular benchmark.
Magnus A server-based product in ThreatGuard’s Secutor product line that does continuous SCAP compliance and OVAL vulnerability assessments, suitable for enterprise use.
Magnus Format The format for importing and exporting assessment results used by the Magnus server.
Offline Assessment An assessment performed against local data that is representative of the configuration of a device. This is usually done to determine the security state of a device where direct access is not possible or directly accessing the device is considered too high a risk.
OCIL Open Checklist Interactive Language
OVAL Open Vulnerability and Assessment Language
USGCB U.S. Government Configuration Baseline. A security policy for federal government agencies.
XCCDF eXtensible Configuration Checklist Description Format