ThreatView is a web application that uses Flash to provide a view of assessment results in a web browser, removing the need to install an application. The ThreatView dashboard breaks out results into categories and clickable charts, giving users the ability to view the security status at a glance or drill down into more detail. With the use of the optional Report Generator, ThreatView can also create reports in multiple formats. While it provides some degree of management capability for the Magnus server, it is primarily intended for organizing and viewing assessment results without having to install the full Magnus Navigator desktop client.
The Target Navigator serves as a launch point for all analytics of the Navigator. Grouping and filtering capabilities allow the user to focus on specific targets. Double-clicking on a target or target folder will send the selection to the Scorecard.
Used to reset all panels to their original state and clear all busy cursors.
This menu option clears all target filters and reloads all targets from the local Magnus database. On reload, the target list reverts to grouping By Operating System.
A preset list of categories to group the displayed list of results.
This menu option opens a display showing server assessment settings, access control, license settings, and the collector identity.
Contains options for the behavior of the Magnus server when an assessment is performed. More details on these options are available from the Magnus User Guide.
Contains the tools to add read-only users to the system. These users can view information throughout the system but are unable to make any modifications or run aggregations. The system uses Windows local and domain user accounts for the account name with the following conventions:
Local Account Names: account_name
Domain Account Names: domain\account_name
Account access can be disabled by changing the Access option from “Read-Only” to “No Access”. Access granted through this mechanism provides read-only access to all data captured in the local Magnus database. These steps provide no access to the local analytics database. Please reference Role-Based Access Control guidance of the Aggregator for details on enterprise RBAC.
Displays the current license and level of utilization.
Provides the data entry for establishing a collector identity.
The Uniform Resource Name allows the user to define the local collector’s place in the enterprise hierarchy. This URN may be provided by a higher-level organizational authority. However, stand-alone installations should also use a URN for proper aggregation. The URN must start with a “/”, and must not include periods or spaces. On-screen guides will help ensure proper data entry.
An optional setting to indicate the physical location of a collector.
An optional setting to indicate the organizational ownership of the collector.
The external IP address of the Magnus server acting as a collector.
The Trigger a Local Aggregation button of the Server Settings Identity tab initiates an aggregation run, aggregating all live results of the local Magnus database into the local analytics database.
Allows the user to set visual and threshold preferences, such as the color of charts and the levels where color changes (green, yellow, red) should occur.
The console provides runtime feedback of debug and error messages. The console is automatically raised on errors.
This menu option displays the Login dialog, allowing the user to connect to a different server.
The “About…” popup provides version information for the Web UI.
The Scorecard menu item sends the current target list selection to the Scorecard. This is handy when double-clicking would override the desired selection.
The Report Center is a context-sensitive reporting engine that displays available reports and reporting options based on the user’s current selection. It can typically display only the options that are available for the specified combination of targets and benchmarks. For some illegal combinations (such as trying to run a “Standard XCCDF / CCE Report” against a group of targets and/or benchmarks), the Generate button will be disabled and bold-red text will explain why.
Example: a message such as “Supported Benchmarks: 1, Requested Benchmarks:all” explains that the selected combination can only generate a report for a single benchmark, but all benchmarks have been selected. To enable the report in this case, filter the target list by a single benchmark, or launch the Report Center from the Scorecard or IRV. Portions of the Report Center will be displayed or hidden, based on the user selection. For example, the Scope radio buttons will be displayed only if the user has selected one or more targets. Please see the Reports section for details on the available reports.
This menu item enables the Export of selected targets and benchmarks to your choice of XCCDF Results formats. This feature is useful for sharing SCAP results with other Magnus Servers or other SCAP products. Selections are made in the Target Navigator; when no selection has been made, all targets are assumed. The benchmark scope (shown above the target list) specifies which benchmarks will be exported. See the help text for the Benchmark Browser for guidance on how to filter the target list by benchmark. When no benchmark filtering is applied, all applicable benchmarks for each target will be exported. Depending on the number of selected targets and benchmarks, exporting may require an extended period of time to complete. The request is run in the background, and the user regains control of the User Interface immediately. Results are saved on the Magnus Server as XML files in the Exports subdirectory of the installation. Currently, no notification is sent to the requesting user when the job completes.
This option is best when exporting to another SCAP tool. While this export process is the fastest export option, it lacks the detail of the Enhanced XCCDF Format. As such, results will not include patch results, 800-53 grouping, deviation information, or detailed findings.
This option is best when exporting to another instance of Secutor Magnus. This XML file has a proprietary format which is easier to understand. Magnus requires more time to generate the Enhanced Format than the Standard Format. However, the Enhanced Format will include patch results, 800-53 groupings, deviation information, and detailed findings.
The Assessment Results Format (ARF) is a DoD standard that wraps the Standard XCCDF results format. This option is best for DoD-related initiatives and performs similarly to the Standard XCCDF Export option. The assessment detail is identical to the Standard XCCDF format.
SCAP results, in either the Standard XCCDF Format or the Enhanced XCCDF Format, can be imported into Magnus simply by placing the results files into the Results subdirectory. The Magnus Importer Service will react to their presence by processing the files and deleting them upon completion.
Search controls allow the user to filter the target list by commonalities and search for items through the Scorecard and IRV. Once a search pattern has been categorized and entered, the Filter button will search the database for all matching targets. For example, searching by the compliance keyword “password” will search the database for all targets that had any password-related compliance failure. The system will present only the matching targets in the Target Navigator. Asset Tag filters require explicit wildcarding with the ‘*’ character; wildcards are automatically applied to keywords. Pressing the Scorecard button with the same search parameters will send the matching targets to the Scorecard. The IRV will also be pre-populated with the provided search string, to allow quick drilldown to the related violations. Asset Tags can only be filtered to the Target Navigator.
The top panel of the Navigator Overview tab contains a list of all benchmarks for which live assessment data exist. Double-clicking on any benchmark will filter the target list, showing only the targets for which the selected benchmark applies. To filter the target list by multiple benchmarks, select multiple lines with your keyboard (Shift Key or Ctrl Key) and mouse. Then, click the “Filter Target List By Selection” button.
The bottom panel of the Navigator Overview tab contains a set of graphics to illustrate security posture. The pie charts reflect the number and percentage of selected targets within Tolerance, and above or below the Warning Level in Compliance, Security Posture, Currency, and Patch Level. The column chart shows the composite score for Compliance, Patches, Vulnerabilities, and Currency, color-coded by their levels relative to the Tolerance and Warning Level thresholds. The pie charts and column chart are non-interactive. However, they are sensitive to the selection of targets in the Target Navigator.
The Scorecard presents a composite score of the specified targets and benchmarks. The banner will parenthetically show the Raw Score next to the Adjusted Score if deviations were applied during the assessment. The Impact by Benchmark pie chart shows the benchmark score times the number of targets on which that benchmark was assessed. The lowest score does not necessarily equate to the largest impact on the network. For example, a Vista Firewall benchmark may score lowest, but if the network is primarily comprised of Windows XP workstations, a higher-scoring XP OS benchmark may have a much higher impact on the network’s compliance posture. This chart is non-interactive; however, selecting benchmarks in the list below will break out the respective pie wedge. The Score Breakdown pie chart shows numbers and percentages of targets relative to the Tolerance and Warning Level thresholds. This chart is non-interactive. A single-click on the list of benchmarks will expand the list to show targets that contribute to the displayed score. Double-clicking any of the line items will send the selection to the IRV. The “IRV” button at the top is handy in cases where double-clicking would override the desired selection of targets. Only one (1) benchmark can be sent to the IRV. If multiple benchmarks are selected, only the last selection will be analyzed in the IRV. Launching the Report Center from the Scorecard will run reports relative to the data in the Scorecard.
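The Scorecard arithmetic described above, as an added example that is not ThreatView or Magnus code: the Impact by Benchmark ranking (score times targets assessed), the Score Breakdown bands, and the banner's Raw/Adjusted display. The threshold values, the target-weighted composite, and all figures are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed threshold preferences (the Web UI lets the user set these).
TOLERANCE = 90.0       # at or above: 'ok', shown green
WARNING_LEVEL = 70.0   # at or above but below Tolerance: yellow; below: red


@dataclass
class BenchmarkSummary:
    name: str
    score: float        # benchmark score across its targets, 0..100
    target_count: int   # targets on which the benchmark was assessed


def score_band(score: float) -> str:
    """Color band of a score relative to the Tolerance and Warning Level."""
    if score >= TOLERANCE:
        return "green"
    if score >= WARNING_LEVEL:
        return "yellow"
    return "red"


def score_breakdown(target_scores: List[float]) -> Dict[str, Tuple[int, float]]:
    """Score Breakdown pie: count and percentage of targets in each band."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for s in target_scores:
        counts[score_band(s)] += 1
    total = len(target_scores) or 1
    return {band: (n, round(100.0 * n / total, 1)) for band, n in counts.items()}


def impact_by_benchmark(summaries: List[BenchmarkSummary]) -> List[Tuple[str, float, float]]:
    """Impact by Benchmark pie: score x targets assessed, plus each benchmark's
    share of the total impact, largest impact first."""
    impacts = [(b.name, b.score * b.target_count) for b in summaries]
    total = sum(i for _, i in impacts) or 1.0
    ranked = sorted(impacts, key=lambda t: t[1], reverse=True)
    return [(name, imp, round(100.0 * imp / total, 1)) for name, imp in ranked]


def composite_score(summaries: List[BenchmarkSummary]) -> float:
    """Composite score modelled (assumption) as the target-weighted mean."""
    weight = sum(b.target_count for b in summaries) or 1
    return round(sum(b.score * b.target_count for b in summaries) / weight, 1)


def banner(adjusted: float, raw: float) -> str:
    """Banner text: the Raw Score is shown in parentheses only when deviations
    changed the score."""
    return f"{adjusted:.1f}" if adjusted == raw else f"{adjusted:.1f} ({raw:.1f})"


def demo() -> List[Tuple[str, float, float]]:
    """Constructed figures reproducing the Vista Firewall vs. XP OS example:
    the lowest-scoring benchmark is not the one with the largest impact."""
    return impact_by_benchmark([
        BenchmarkSummary("Vista Firewall", 40.0, 5),
        BenchmarkSummary("Windows XP OS", 85.0, 200),
    ])
```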
The Interactive Results Viewer (IRV) is invoked in one of two modes: multi-target or single-target. Single-target mode enables the display of target-specific assessment data while multi-target mode is required for Failure Analysis.
The Overview tab displays a Score Breakdown pie chart and context-sensitive Report Center. Multi-target mode displays a target list where single-target mode displays details about the selected target.
These views show the passes and failures from various grouping perspectives. The Tree View displays a hierarchical view of results in the manner intended by the benchmark author. The List View displays results in a single, flat list. The 800-53 view displays results grouped by 800-53 paragraph references. All views have the ability to search results for specific references or keywords by applying a filter. Single-target mode enables the Findings expansion. Failures under findings provide a hyperlink to a report of the assessment logic used to reach the failure decision.
Failure Analysis is available only in multi-target mode, and provides a graphical representation of the violations. The bar chart shows the most common violations at the top and tapers down to the least common violations at the bottom.
This report is a textual report displaying score breakdowns by groups of checks. This report supports groups of targets assessed against a single benchmark.
This report shows a list of Operating Systems or Windows Domains sorted by compliance score.
This report is the textual Executive Summary which is available from the Magnus Navigator.
This is a textual report displaying a pass/fail indication of checks by groups for a single benchmark assessed against a single target. The 'Detailed' option allows for hyperlink drilldown to details about each rule, including available references and descriptions.
This is a report of failed compliance items, uninstalled patches, and security risks, and the targets on which each was found.
This is a report of targets and their respective list of failed compliance items, uninstalled patches, and security risks.
This is a flat listing of all failures, generated from the standard XCCDF Results format.
This report shows the settings that are different between two targets.
This report shows which settings have changed for a single target.
This report shows a listing of selected targets broken out by decades of compliance assessment scores.
The Aggregator is a support system designed to highlight the areas of the enterprise which need the most attention. Analysis categories are pre-defined based on data that’s available from assessments. Aggregations are displayed on a monthly basis. Local aggregations can be intense and costly, and grow more intensive with the number of targets, target groups, and assessment tasks defined. As such, it is recommended to perform local aggregation after hours. Large networks of 100,000 targets or more may require eight (8) hours of processing time to calculate all aggregates.
When a local aggregation is performed in the same month in which data already exists, the old data is considered stale and replaced with the new data. The very first local aggregation will save two historical data points. The “Initial” data point marks the original baseline state, and thus never gets overwritten. The second data point represents the “Current” state and gets overwritten as local aggregations are performed over the remainder of the month. The state saved during the last local aggregation of the month survives as the historical record.
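The "Initial" and "Current" data-point rules described above, modelled as an added example (not Magnus code): the first run also saves a baseline that is never overwritten, a rerun in the same month replaces that month's record, and the trend returns the baseline plus the surviving record of each recent month. The class, method names and score figures are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DataPoint:
    month: str                # "YYYY-MM" in which the aggregation ran
    label: str                # "Initial" or "Current"
    scores: Dict[str, float]  # e.g. {"compliance": 81.5, "patches": 77.0}


class AggregationHistory:
    """The very first local aggregation also saves an 'Initial' baseline that
    is never overwritten; any later run in a month that already holds data
    treats that data as stale and replaces it."""

    def __init__(self) -> None:
        self.initial: Optional[DataPoint] = None
        self.monthly: Dict[str, DataPoint] = {}   # one surviving record per month

    def run_local_aggregation(self, month: str, scores: Dict[str, float]) -> DataPoint:
        if self.initial is None:
            self.initial = DataPoint(month, "Initial", dict(scores))
        current = DataPoint(month, "Current", dict(scores))
        self.monthly[month] = current      # same-month data is stale: replaced
        return current

    def trend(self, months: int = 12) -> List[DataPoint]:
        """Points for a twelve-month (or shorter) trend line: the Initial
        baseline plus the surviving record of each of the last `months` months."""
        recent = sorted(self.monthly)[-months:]
        points = [self.initial] if self.initial is not None else []
        return points + [self.monthly[m] for m in recent]

    def series(self, metric: str, months: int = 12) -> List[float]:
        """One metric's values along the trend, in chart order."""
        return [p.scores[metric] for p in self.trend(months)]


def demo() -> Dict[str, List[float]]:
    """Constructed sequence: two runs in one month, then one the next month."""
    h = AggregationHistory()
    h.run_local_aggregation("2011-03", {"compliance": 72.0})
    after_first = h.series("compliance")     # Initial and Current: two equal points
    h.run_local_aggregation("2011-03", {"compliance": 78.5})
    after_rerun = h.series("compliance")     # March's Current replaced, Initial kept
    h.run_local_aggregation("2011-04", {"compliance": 81.0})
    return {"first": after_first, "rerun": after_rerun, "april": h.series("compliance")}
```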
Use the Analytics tab of the Secutor Agent Settings (launched from the Magnus Server Start menu). Checking the Active checkbox enables periodic aggregations as specified by the Frequency settings. Optionally, the aggregation results can be uploaded to a parent node as specified by the Receiving Server address (DNS name or IP address). Aggregations and uploading can also be performed manually and immediately by clicking the Sync Now button.
Role-Based Access Control (RBAC) in the Aggregator allows an administrator to grant read-only access to Windows user accounts, and specify which portions of the aggregated enterprise each user is permitted to view.
Accounts that have administrator access to the Magnus Server (local or domain) have access to view all data and to adjust access controls. Non-administrator accounts must be granted access to the Magnus Server through the Navigator’s RBAC settings as it is the gateway to aggregated data.
Once the non-administrator accesses the Aggregator interface, that user sees only the nodes of the enterprise to which access was granted. All other portions of the enterprise will be hidden in views, rollups, and reports as if they did not exist.
The User Groups panel of the Access Control Manager allows an administrator to define groups that are used to define access. The Global Executives group is a system-defined group that cannot be removed or have its name changed. However, it can be disabled, or left empty. Only Groups can be granted direct access permissions to portions of the hierarchical network. Once a group is selected it can be assigned permissions using the Group Permissions panel. It can also be edited by clicking the Edit button. Both the Edit and Add buttons place the User Groups panel into edit mode.
Edit mode provides an interface to change the name or enabled state of the group. (The name of the “Global Executives” group cannot be changed.) Disabling a group disables access to all permission scopes by all group members. A member can still have access to one or more of the referenced scope items if permission is granted by another enabled group.
This panel provides a quick reference to the hierarchy that has been reported to the local analytics database. This tree is provided as a reference, but permission scopes are not restricted to the currently known tree structure.
This panel also serves as a means to easily add permission scopes to a group. With a group selected, the Known Hierarchy panel becomes enabled. Use a single-click on the All Collectors node to expand the tree. Then double-click any node to place the Group Permission panel into edit mode and auto-populate the Scope field with appropriate notation. Although this action uses the string “(All Collectors)” to wildcard all subordinate nodes, manual input can use an asterisk (“*”). The Known Hierarchy panel has no edit mode.
This panel lists all scopes to which the selected Group has been granted permission. Selecting a scope enables the Edit button; a scope can be added at any time. Pressing the Edit or Add button (or double-clicking a node in the Known Hierarchy tree) places this panel into edit mode.
In edit mode, the permission scope can be adjusted as well as the scope’s enabled state. Disabling a scope item disables access to that scope item without disabling the entire group. A user can still have access to a disabled scope item if another group grants access.
The Scope field uses a slash-notation (much like a computer file system) to specify permission scopes. The asterisk (“*”) can be used as short-hand notation to specify all subordinate nodes of the hierarchical structure.
The Group Permissions list will translate this to a long-hand notation:
Example: /gov/dhs/ctu/district-2/(All Collectors)
The Scope must begin with a slash (“/”) and must not contain any periods (“.”).
The User List provides a means to add Windows Accounts to the system. Users can exist without being referenced by a group, and have access to no data until added to a group. Deleting a group has no effect on the existence of referenced users. Selecting a user will enable the Edit and Remove buttons. Both the Edit and Add buttons place the panel into edit mode.
Edit mode allows for the account name, first name, last name, and enabled state to be altered. The Account Name is the name of the Windows user account using the following conventions:
Local Account Name Example: account_name
Domain Account Name Example: domain\account_name
If a User is disabled, it is disabled for all groups. If a User is deleted, it is also removed from the membership of all groups.
Group Membership provides a means to add Users to Groups. Selecting a group in the User Groups panel enables the Group Membership panel such that members can be added or edited. Clicking an item in the Group Membership panel enables the Edit button. Both the Edit and Add buttons place the Group Membership panel into edit mode. Double-clicking an item in the User List also places the Group Membership panel into edit mode, and populates the Member Name field.
NOTE: A user can only be added to a Group Membership if it exists on the User List. The Add button will be disabled until a User List selection is made, and will add that selection to the group. Double-clicking the item in the User List will also add that user to the Group Membership. In edit mode, disabling the member disables the member within the group without fully deleting it.
The far-left panel of the Aggregator shows a hierarchical arrangement of Collectors that have reported to the local aggregation point. Selecting any level of the hierarchy changes the view in the Collectors Pod under the References tab, and adjusts the dashboard column and pie chart components. The column chart displays a representation of the selected scope’s compliance, patch, security, and currency posture. The pie chart shows the number of targets found relative to each operating system. The pie chart is non-interactive. However, clicking the Compliance, Patches, or Vulnerabilities pylon of the column chart will query the database for a list of respective violations and display that list in the Violations Pod under the References tab.
This menu option expands the selected tree branch to display all subordinate leaf nodes.
This menu option collapses the entire tree.
This menu option reloads the hierarchical set of Collectors from the database.
The console provides runtime feedback of debug and error messages. The console is automatically raised on errors.
The “About…” popup provides version information for the Web UI.
This menu option triggers a trend analysis of the selected tree branch, including all subordinate Collectors.
Please see previous description of the Report Center. Please see the Reports section for details on the available reports.
When a single collector is selected, this option enables the user to purge all historical data for that collector.
This pod reflects the selections made in the Scope selector. It also provides informational and statistical data for each node subordinate to the selection.
This pod provides details of Compliance, Patch, and Vulnerability violations found at or below selections made in the Scope Selector.
This pod provides a look-up of any compliance item, patch, vulnerability, or platform that has been aggregated to this node.
This pod enables the user to search all Collectors for a specified compliance item, patch, or vulnerability. Once a Collector is selected in the list, the Drillout button refocuses the UI on the specified Collector, if connectivity can be achieved.
This interactive and inter-connected set of charts surfaces problem areas in any selected category. The Trend Selector specifies the type of trend analysis to perform (Compliance, Patch Level, or Security Posture), while the Category Selector specifies how data will be broken down for analysis. Category options include a breakdown by Collector (“All Targets”), by platform, by Windows domain, by SCAP benchmark, by 800-53 paragraph (“FISMA Group”), by asset group, by assessment job, by asset tag, by trend vector, and by FIPS category.
Q1 represents the specified trend over all categories selected. It shows the trend line over the past twelve (12) months (or less, if fewer than 12 months of data have been captured). After the initial Local Aggregation, this quadrant will show two parallel lines. The data points represent the initial state and the ‘current’ state. Clicking on any data point on this line chart will cascade an analysis from Quadrant 2 through Quadrant 4, focusing on the newly selected month.
Q2 represents the five (5) worst categories under the month selected in Quadrant 1. On initial load, the system populates this quadrant with the worst categories of the last month shown in Quadrant 1. Clicking a pylon in Quadrant 2 will cascade an analysis from Quadrant 3 to Quadrant 4.
Q3 represents the 12-month (or less) trend of the subcategory selection made in Quadrant 2. By default, the worst subcategory of Q2 is used, but this selection can be overridden by clicking alternate pylons. Selecting a data point in Q3 triggers a reload of Quadrant 4 to reflect the selected month.
Q4 represents the ten (10) most common violations of the selected category in the selected month of Q3. If no data is collected for that category, this chart will be blank. For example, some early benchmarks do not have CCE IDs. In these cases, a list of the most common CCE Violations produces no results. Clicking a pylon in Q4 triggers a global search of the violation and presents the results in the Search Pod under the References tab.
This report is an enterprise-wide Executive Summary showing compliance, patch level, security posture, and currency trends. Breakdown options show scores by Collector, Platform, Windows Domain, Guidance, or 800-53 Technical Controls.
This report is a listing of failed compliance items, uninstalled patches, and security risks and their respective aggregate counts. The impact column shows the severity of the violation times the number of occurrences.
The compliance score with deviations applied.
The Asset Tag is used by some Magnus Power Users to apply a self-defined grouping mechanism for an additional tracking option. It’s particularly useful when assessing non-networked devices manually. These targets can be devoid of information that ties them to a group of related computers. In these cases, the Asset Tag can be added to the results files manually, prior to importing them into the Magnus database.
A Magnus Server used to collect real-time assessment data.
This primarily refers to the reverse URN notation used to uniquely identify a Collector within the enterprise. Reverse URN notation is used to allow subordinate Collectors to be analyzed simply by using a wildcard (much like selecting a group of subordinate directories on a computer file system with a “*”). Other fields of the identity record physical and departmental location information.
Performing a Local Aggregation is the act of exporting aggregated scores and results from the Local Magnus database and importing them into the local analytics database.
The local Magnus database is the database instance that maintains Live Data as collected and scored by the Magnus assessment engine.
The local analytics database is the database instance that maintains historical, aggregated assessment data.
The compliance score without deviations applied.
Magnus employs a methodology of presenting the most recent assessment results to the user. Some historical data is maintained for reporting purposes. However, historical trends are captured and displayed by the Magnus BI Component.
Tolerance is the threshold over which a score is considered ‘ok’. Scores above this level are typically displayed as green in Web UI components.
The Warning Level is the threshold over which a score is considered ‘a concern’. Scores above this level but below the Tolerance are typically displayed as yellow in Web UI components. Scores below this level are considered to be ‘failing’, and are typically displayed as red in UI components.