NeXpose Install
Copyright 2012 Rapid7 LLC. Boston, Massachusetts, USA. All rights reserved. Rapid7 and Nexpose are trademarks of Rapid7, LLC. Other names appearing in this content may be trademarks of their respective owners.
Revision history
Revision dates: November 11, 2009; November 25, 2009; December 3, 2009; March 8, 2010; June 21, 2010; October 25, 2010; October 25, 2010; January 31, 2011; March 18, 2011; April 22, 2011.
Descriptions, in revision order: Verified, tested, and updated installation procedures. Updated document template. Updated lists of required packages for Linux and instructions for using md5sum. Updated system requirements. Added note recommending 64-bit configuration. Added quick-start instructions and appendix on opening the Windows firewall. Updated URL for downloading deprecated libstdc++5 package; added reference to instructions in the administrator's guide for configuring offline activations and updates; removed deprecated references from sections on running the installation program; added instructions for first-time users to activate licenses. Expanded documentation on uninstalling for reinstallation. Removed installation instructions for platform that is not officially supported. Removed references to unsupported platforms. Removed references to running on 32-bit and Windows systems; removed platform-specific instructions for opening firewalls on Windows targets. Updated instructions to reflect process with new installer. Corrected minor layout issues. Corrected several instructions for installing and removing Nexpose; updated supported browser information. Added instructions on enabling FIPS mode. Added information about vAsset discovery, dynamic site creation, and using risk trends in reports. Nexpose 5.1. Updated Linux pre-installation instructions.
Contents
Revision history ... 3
Contents ... 4
About this guide ... 5
    Document conventions ... 5
    Using the Help site and other documents ... 6
    Obtaining support ... 6
About the product ... 7
    Understanding vulnerability management ... 7
    Understanding main components ... 7
Installation requirements ... 9
    Hardware requirements ... 9
    Network activities and requirements ... 9
    Supported platforms ... 10
    Making sure you have necessary installation items ... 11
Installing in Windows environments ... 12
    Running the Windows uninstaller ... 16
Installing in Linux environments ... 17
    Ensuring that the installer file is not corrupted ... 17
    Installing in Ubuntu ... 17
    Installing in Red Hat ... 18
    Running the Linux installer ... 19
    Running the Linux uninstaller ... 22
Working with FIPS mode ... 23
    Enabling FIPS mode ... 23
Manually starting and stopping ... 25
    Manually starting or stopping in Windows ... 25
    Changing the configuration for starting automatically as a service ... 25
    Manually starting or stopping in Linux ... 26
    Working with the daemon ... 26
Getting started ... 27
    Obtaining information on offline activations and updates ... 27
    Logging on ... 27
    Navigating the Security Console Home page ... 29
    Using the search feature ... 31
    Using configuration panels ... 31
    Setting up a site and configuring a scan ... 32
    Manually starting and stopping a scan ... 33
    Viewing scan data ... 34
    Creating asset groups ... 34
    Creating reports ... 35
Glossary ... 38
installing the Windows or Linux version of Nexpose software
enabling FIPS mode if necessary
starting Nexpose
logging on to the Security Console Web interface
getting started with Nexpose
Document conventions
Words in bold typeface are names of hypertext links and controls.
Words in italics are document titles, chapter titles, and names of Web interface pages.
1. Procedural steps are indented and preceded by numerals.
a. Procedural sub-steps are indented and preceded by letters.
Command examples appear in the Courier font in shaded boxes.
Directory paths appear in the Courier font.
Variables in command examples appear between box brackets. Example: [installer_file_name]
Multiple options in commands appear between arrow brackets. Example: $ /etc/init.d/[daemon_name] <start|stop|restart>
NOTES, TIPS, WARNINGS, and DEFINITIONS appear in shaded boxes.
learning important Nexpose concepts and terms
setting up sites and scans
running scans
creating and running reports
viewing vulnerabilities and excluding specific vulnerabilities from reports
creating tickets (only available with the Enterprise version of Nexpose)
creating and modifying scan templates (only available with the Enterprise version of Nexpose)
creating user accounts
creating asset groups
configuring various Nexpose settings
maintaining and troubleshooting Nexpose
backing up and restoring the database
You will find these documents useful, as well:
Nexpose Administrator's Guide
Nexpose User's Guide
Nexpose API guides
You can download these documents from the Support page in Help. Click the Help link that appears on any page of the Security Console Web interface. In the left navigation pane of Help, click the Support link.
Obtaining support
For technical support:
Send an e-mail to support@rapid7.com (Enterprise and Express Editions only).
Click the Support link on the Security Console Web interface.
Go to community.rapid7.com.
Installation requirements
Make sure that your host hardware and network support Nexpose operations.
Hardware requirements
See the Rapid7 Web site for hardware requirements: http://www.rapid7.com/products/nexpose/system-requirements.jsp
NOTE: The 64-bit configuration is recommended for enterprise-scale deployments.
It is recommended that you install Nexpose on a computer that does not have an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), or a firewall enabled. These devices block critical Nexpose operations that are dependent on network communication.
Activity | Type of communication
manage scan activity on Scan Engines and pull scan data from them | outbound; scan engines listen on port 40814
download vulnerability checks and feature updates from a server at updates.rapid7.com | outbound; server listens on port 80
upload PGP-encrypted diagnostic information to a server at support.rapid7.com |
provide Web interface access to Nexpose users |
Nexpose Scan Engines contact target assets using TCP, UDP, and ICMP to perform scans. Scan engines do not initiate outbound communication with the Security Console. Ideally there should be no firewalls or similar devices between a scan engine and its target assets. Scanning may also require some flexibility in security policies. For more information, see the Nexpose Administrator's Guide.
Supported platforms
Windows
Windows Server 2003 (R1 and R2, SP2), Standard, Enterprise 64-bit
Windows Server 2003 (R1 and R2, SP2), Standard, Enterprise 32-bit
Windows Server 2008 (R2 SP1), Standard, Enterprise 64-bit
Windows 7 Professional (RTM and SP1), Ultimate, Enterprise 64-bit *
Windows 7 Professional (RTM and SP1), Ultimate, Enterprise 32-bit *
* This platform is only supported for the Security Console.
Linux
RHEL Server 5.x 64-bit
Ubuntu 8.04 LTS 64-bit
Ubuntu 8.04 LTS 32-bit
Ubuntu 10.04 LTS 64-bit
installers for all supported environments in 32-bit and 64-bit versions (.bin files for Linux and .exe files for Windows)
the md5sum, which helps to ensure that installers are not corrupted during download
documentation, including this guide
If you have not done so yet, download the correct installer for your system, the corresponding hash, and any documentation you need. The e-mail also includes a product key, which you will use to activate your license when you log onto Nexpose.
3.
TIP: Wizard pages include a Previous button for going to a preceding page and changing an installation setting and a Cancel button for cancelling the installation. If you cancel the installation at any point, no files will be installed, and you will need to start the installation again from the beginning.
WARNING: The installer opens a command-line interface window behind the installation wizard window. Although you will not use the command-line window during the installation, do not close it. Doing so will stop the installation process.
4. The installer displays the System check page, which indicates whether your system meets each setting that is required for installation.
a. If your system meets all minimum requirements, click Next. OR If your system does not meet one or more minimum requirements, the installer lists the requirements and informs you that installation cannot continue. Click Finish to end the installation. Make sure that your host system meets all minimum installation requirements. See Installation requirements on page 9.
NOTE: The installer also indicates if any system setting meets minimum requirements but not recommended requirements. You can continue the installation, but you should consider modifying the setting after completing the installation to ensure optimal performance. For example, if your system does not have the recommended amount of RAM, you may encounter performance issues with RAM-intensive operations, such as running scans or reports.
5. The installer displays the end-user license agreement. Scroll through and read it. If you agree with the terms, select the option for accepting the agreement. Click Next.
6. The installer displays the User details page. Provide the requested information about yourself.
a. Type your name and company name.
b. Indicate whether you have a product key. You will need the key to activate your license when you log onto Nexpose for the first time.
TIP: Use help icons, which appear as question marks (?) in circles, for more information about installation options.
If you downloaded the software but have not received a product key, select the option to register for a product key. Click Next and read step c for registration instructions. If you purchased Nexpose or registered for an evaluation, and Rapid7 sent you a product key via e-mail, select the option indicating that you have a key. Then click Next and disregard step c.
c. If you selected the option to register for a key and clicked Next, the installer displays a registration form. Type all requested information. All fields are required. The phone number must include an area code. The e-mail address must be for a valid account that is not associated with a free e-mail service, such as Gmail, Hotmail, or Yahoo!. After filling all fields, click Submit.
TIP: Check your e-mail inbox or SPAM folder for a message with a product key from Rapid7. It should arrive within five minutes after you submit the form. It is recommended that you add Nexpose to your e-mail client's whitelist to ensure that you receive future e-mails.
7. The installer displays the Type and destination page. Make the requested selections for what components you want to install and in what directory.
a. Select the component that you want to install.
NOTE: If you are currently installing a distributed Scan Engine, you will need to install a Security Console before you can use the Scan Engine. The Security Console controls all Scan Engine activity. See Understanding main components on page 7.
b. To accept the default installation directory path, which is displayed near the bottom of the page, click Next. OR To choose a different installation path, delete the default path, and type the preferred path in the text box. Then, click Next. OR Click Change to open an explorer window and locate a preferred directory. When you find the directory, click OK. The path appears in the Destination directory text box. Note the directory, and click Next.
8. The installer displays the Account details page. On this page you will create a Global Administrator account, with which you can log onto Nexpose. A Global Administrator can perform all operations within an organization's environment. For more information about roles and permissions, see the Nexpose Administrator's Guide, which you can download from the Support page in Help after completing the installation and logging on.
a. Type a user name and password. Type the password again for confirmation, and click Next.
TIP: As you enter credentials, the installer displays complexity requirements. Even if you meet these, it is recommended that you make your password as strong as possible for better security. The installer displays a heat bar that gradually changes color from red to green as you make your password stronger.
WARNING: Recovery of credentials is not supported. If you forget your user name or password, you will have to reinstall the program. Credentials are case-sensitive.
NOTE: You can change credentials any time after logging on. See Managing and creating user accounts in Help.
9. The installer displays the Shortcut location page, where you can create a shortcut to the program in your Windows Start menu.
a. If you want to create a shortcut, simply leave the check box selected for creating a Start Menu folder. OR If you do not want to create a shortcut, clear the check box for creating a Start Menu folder, disregard steps b through d, and click Next.
b. If you do not want to change the default location for the shortcut, which would be a newly created folder called Nexpose, do not change the location name that is displayed in the text box. OR If you want to create a shortcut in a different folder, enter the name of the folder in the text box, or select one of the listed folders.
c. If you want the shortcut to be available to all users on the host system, leave the appropriate check box selected. Otherwise, clear it.
d. Click Next.
10. The installer displays the Confirm selections page, which lists a summary of your selected installation settings and provides several other options.
a. Review the settings. If you do not want to change them, continue with steps b through d. OR If you want to change any settings, click Previous to go to the desired page, make the change, and then return to the summary.
b. If you want the installer to create a desktop icon that you can double-click to start the program after installation, leave the appropriate check box selected. Otherwise, clear it.
c. If you want Nexpose to initialize and start automatically after installation, leave the appropriate check box selected. Including initialization with installation will lengthen the time required for installation by 10 to 30 minutes. However, you will be able to start using Nexpose immediately after installation is complete. Initialization prepares the product for operation by updating the database of vulnerability checks and performing configuration steps. OR If you do not want Nexpose to initialize and start automatically as part of installation, clear the check box. Installation will complete sooner, but it will take longer to start Nexpose the first time.
WARNING: If you want to enable FIPS mode, disable the option to start automatically after initialization. You must enable FIPS mode after completing the installation and BEFORE starting Nexpose for the first time.
NOTE: If you are installing the distributed Scan Engine component and not the Security Console, the installer does not display the initialization option.
d. Click Next.
11. The installer displays the Installation progress page with a status bar and a message indicating that it is extracting installation files.
12. If you are installing the Security Console component and you enabled the initialization/start option as part of installation, Nexpose displays the Initialization page with a status bar and messages about initialization processes. You can click a link to view more granular details about the installation process. In the pane below the status bar, you can view information about Nexpose and related products.
a. If you want to exit this page and go to the final installation page, click Exit. This will not stop the initialization process, which continues in the background. If you do not click Exit, the installer will continue to display the information as described until initialization completes.
NOTE: If you are installing the distributed scan engine component and not the security console, the installer does not display the Initialization page.
13. The installer displays the Installation success page. If you have installed the distributed Scan Engine component, disregard steps a and b. See Working with FIPS mode on page 23 for information on starting the Scan Engine.
a. Read the instructions for getting started with the product.
b. Click the URL for logging onto Nexpose. This will cause a browser to display the logon page for the Security Console if it has initialized and started. See the following chapter for information on getting started in Nexpose.
NOTE: If you have installed the security console component and you disabled the option to initialize and start Nexpose as part of the installation, clicking the URL will not cause your browser to display the logon page. You will need to start Nexpose manually first. See Working with FIPS mode on page 23.
c.
1. Start the program to uninstall Nexpose.
a. If you created a shortcut folder during installation, click the Windows Start button, go to the Nexpose folder, and select Nexpose Uninstaller. OR
b. Click the Windows Start button, select the Windows Control Panel, and select the option to uninstall or remove a program, depending on the version of Windows you're running. Double-click Nexpose in the list of programs.
2. The uninstaller displays a Welcome page.
a. Note the warning about backing up Nexpose data. Click Next.
b. The uninstaller displays a status bar with a message that uninstallation is in progress.
c. The uninstaller displays a message that uninstallation is complete. Click Finish.
WARNING: The uninstaller opens a command-line interface window behind the installation wizard window. Although you will not use the command-line window, do not close it. Doing so will stop the uninstallation process.
$ md5sum -c [installer_file_name].md5sum
2. If this command returns an "OK" message, the file is valid. If it returns a "FAILED" message, download the installer and md5sum file again, and repeat this procedure.
Installing in Ubuntu
NOTE: You must have root-level access to run the installation. If sudo is active in your environment, and if your account is listed in the sudoers file, you can use sudo -i to run the commands.
These steps apply to Ubuntu 8.04. There may be some variation on other versions of Ubuntu. Make sure you have downloaded all items necessary for installation. See Making sure you have necessary installation items on page 11.
After you finish these preparatory steps, you can proceed with installation. See Running the Linux installer on page 19.
These steps apply to Red Hat 5.4. There may be some variation on other versions of Red Hat. Make sure you have downloaded all items necessary for installation. See Making sure you have necessary installation items on page 11. You need a Red Hat Enterprise Linux license in order to install Nexpose.
screen
SELINUX=disabled
$ shutdown -r now
After you finish these preparatory steps, you can proceed with the installation.
After making sure that the required packages are installed, take the following steps.
1. Go to the directory to which you downloaded the installer.
2. Change the permissions for the installation file to make it executable:
$ chmod +x [installation_file_name]
3. Start the installer:
$ ./[installation_file_name] -c
NOTE: If you are using a graphical user interface, such as KDE or Gnome, omit the -c flag. The installer will launch a wizard to guide you through the installation process. The experience is similar to that of the Windows installation. See Installing in Windows environments on page 12. The following steps in this section reflect installation with the command line.
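As an added example (not from the Rapid7 guide), the following POSIX shell script combines the md5sum check from Ensuring that the installer file is not corrupted with the chmod step above: it runs md5sum -c against the installer's .md5sum file and marks the installer executable only when the result is OK. The installer file name and the constructed self-check fixture are assumptions, not Rapid7 files.

```shell
#!/bin/sh
# Added example, not part of the Nexpose installation guide.
# verify_installer: run md5sum -c on [installer_file_name].md5sum, which the
# guide says is downloaded beside the installer, and report OK / FAILED.
# prepare_installer: chmod +x the installer only after the check passes, so
# a corrupted download is never executed.

verify_installer() {
    installer="$1"
    sumfile="${installer}.md5sum"

    [ -f "$installer" ] || { echo "missing installer: $installer" >&2; return 1; }
    [ -f "$sumfile" ]   || { echo "missing checksum file: $sumfile" >&2; return 1; }

    # The .md5sum file names the installer by its base name, so md5sum -c
    # has to run from the directory that holds both files.
    dir=$(dirname "$installer")
    if (cd "$dir" && md5sum -c "$(basename "$sumfile")" >/dev/null 2>&1); then
        echo "OK: $(basename "$installer") matches its md5sum"
        return 0
    fi
    echo "FAILED: $(basename "$installer") does not match its md5sum;" \
         "download the installer and md5sum file again" >&2
    return 1
}

prepare_installer() {
    verify_installer "$1" || return 1
    chmod +x "$1"
    [ -x "$1" ]
}

# Self-check on a constructed fixture (assumed file names, no real Rapid7
# files): an intact file must verify and become executable, and a copy with
# one appended byte (a simulated corrupted download) must be rejected.
selfcheck() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed installer bytes\n' > "$tmp/installer.bin"
    (cd "$tmp" && md5sum installer.bin > installer.bin.md5sum)
    prepare_installer "$tmp/installer.bin" || { rm -rf "$tmp"; return 1; }
    printf 'x' >> "$tmp/installer.bin"
    if verify_installer "$tmp/installer.bin" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

# When run with an installer path as the argument, verify and prepare it.
if [ "$#" -gt 0 ]; then
    prepare_installer "$1"
fi
```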
4. The installer displays information about Nexpose. Type y and then press ENTER.
5. The installer displays system check results, which indicate whether your system meets each setting that is required for installation.
a. If your system meets all minimum requirements, type y and then press ENTER. OR If your system does not meet one or more minimum requirements, the installer lists the requirements and informs you that installation cannot continue. Press ENTER to cancel the installation. Make sure that your host system meets all minimum installation requirements. See Hardware requirements on page 9.
NOTE: The installer also indicates if any system setting meets minimum requirements but not recommended requirements. You can continue the installation, but you should consider modifying the setting after completing the installation to ensure optimal performance. For example, if your system does not meet recommended settings for the amount of RAM, you may encounter performance issues with RAM-intensive operations, such as running scans or reports.
6. The installer displays the end-user license agreement, which runs through several screens.
a. As you read the agreement, type y and then ENTER to proceed to the next screen.
b. At the final screen of the agreement, if you agree with the terms, type 1 to accept it and proceed to the next step.
7. The installer displays prompts for your name and company name, which are required.
a. Type your first name, and press ENTER.
b. Type your last name, and press ENTER.
c. Type your company name, and press ENTER.
8. To accept the default installation directory path, which is displayed in square brackets, press ENTER. To choose a different installation path, type the preferred path and then press ENTER.
NOTE: If your hard drive is partitioned and you select a location on a different partition, make sure that partition has sufficient space.
9. The installer displays a prompt to select the component you want to install.
a. To view a description of a component, type an asterisk (*) and the component's number.
b. To select a component, type its number.
NOTE: If you are currently installing a distributed Scan Engine, you will need to install a Security Console before you can use the engine. The console controls all engine activity. See Understanding main components on page 7.
10. The installer displays the Account details page. On this page you will create a Global Administrator account, with which you can log onto Nexpose. A Global Administrator can perform all operations within an organization's environment. For more information about roles and permissions, see the Nexpose Administrator's Guide, which you can download from the Support page in Help after completing the installation and logging on.
a. Type a user name and then press ENTER.
b. Type a password and then press ENTER.
11. Type the password again for confirmation, and then press ENTER.
TIP: If your password does not meet minimum character requirements, the installer displays a warning as well as the requirements. Even if you meet these, it is recommended that you make your password as strong as possible for better security.
WARNING: Recovery of credentials is not supported. If you forget your user name or password, you will have to reinstall the program. Credentials are case-sensitive.
NOTE: You can change credentials any time after logging on. See Managing users and asset groups in Help.
12. The installer displays your selected installation settings. Review the settings.
13. The installer displays an option to create an icon that you can use to start the application if you are using a graphical user interface. The installer places the icon in the Applications | Internet menu. Type y and then press ENTER to accept the option. Type n to decline it.
14. The installer displays an option to have Nexpose initialize and start automatically after installation. This will lengthen the time required for installation by 10 to 30 minutes. However, you will be able to start using Nexpose immediately after installation is complete. Initialization prepares the product for operation by updating the database of vulnerability checks and performing configuration steps. Type y and then press ENTER to accept the option, or type n to decline it.
NOTE: If you are installing the distributed scan engine component and not the security console, the installer does not display the initialization option.
15. The installer displays installation progress.
16. If you are installing the Security Console component and you enabled the initialize/start option as part of installation, Nexpose displays initialization progress.
17. The installer displays a message that installation is complete.
a. Read the additional displayed information.
b. Press ENTER to exit the installer.
NOTE: .install4j is a hidden directory. To list hidden directories, run the command ls -a.
What is FIPS?
The FIPS publications are a set of standards for best practices in computer security products. FIPS certification is applicable to any part of a product that employs cryptography. A FIPS-certified product has been reviewed by a lab and shown to comply with FIPS 140-2 (Standard for Security Requirements for Cryptographic Modules), and to support at least one FIPS-certified algorithm. Government agencies in several countries and some private companies are required to use FIPS-certified products.
When Nexpose is installed, it is configured to run in non-FIPS mode by default. Nexpose must be configured to run in FIPS mode before being started for the first time. When FIPS mode is enabled, communication between Nexpose and non-FIPS enabled applications such as Web browsers or API clients cannot be guaranteed to function correctly.
TIP: It is recommended that you add the rngd command to the system startup files so that it runs each time the server is restarted. Consult your system administrator for the proper method to accomplish this.
2. Create a properties file for activating FIPS mode.
a. Create a new file using a text editor.
b. Enter the following line in this file:
fipsMode=1
c. Save the file in the [install_directory]/nsc directory with the following name: CustomEnvironment.properties
d. Start the Security Console.
NOTE: You also can disable database consistency checks on startup using the CustomEnvironment.properties file. Do this only if instructed by Technical Support.
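As an added example (not the guide's own), this POSIX shell script performs steps 2a through 2c above: it writes fipsMode=1 into [install_directory]/nsc/CustomEnvironment.properties while keeping any other lines already in that file, and a second function reads the setting back so you can confirm it before the first start. The install directory path and any other property keys are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Nexpose installation guide.
# enable_fips_mode: set fipsMode=1 in
# [install_directory]/nsc/CustomEnvironment.properties, the file the guide
# says must exist before the Security Console starts for the first time.
# Other lines in an existing file (for example a setting Technical Support
# asked you to add) are kept; a previous fipsMode line is replaced rather
# than duplicated, so the function can be re-run safely.

enable_fips_mode() {
    install_dir="$1"
    nsc_dir="$install_dir/nsc"
    props="$nsc_dir/CustomEnvironment.properties"

    [ -d "$nsc_dir" ] || {
        echo "no nsc directory under $install_dir; check the install directory" >&2
        return 1
    }

    # Rebuild the file without any old fipsMode line, then append the new one.
    # grep -v exits 1 when no lines remain, which is not an error here.
    if [ -f "$props" ]; then
        grep -v '^fipsMode=' "$props" > "$props.tmp" || true
    else
        : > "$props.tmp"
    fi
    echo 'fipsMode=1' >> "$props.tmp"
    mv "$props.tmp" "$props"
}

# fips_mode_setting: print the fipsMode value the console will read on start
# (0 when the file or the key is absent).
fips_mode_setting() {
    props="$1/nsc/CustomEnvironment.properties"
    [ -f "$props" ] || { echo 0; return 0; }
    v=$(sed -n 's/^fipsMode=//p' "$props" | tail -n 1)
    echo "${v:-0}"
}

# When run with the install directory as the argument, enable FIPS mode and
# echo the resulting setting.
if [ "$#" -gt 0 ]; then
    enable_fips_mode "$1" && echo "fipsMode=$(fips_mode_setting "$1") in $1/nsc/CustomEnvironment.properties"
fi
```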
To start Nexpose from the command line, take the following steps:
1. Go to the directory that contains the script that starts Nexpose:
$ cd [installation_directory]/nsc
2. Run the script:
$ ./nsc.sh
WARNING: To detach from a Nexpose screen session, press CONTROL and type a and then d. Do not use CONTROL-c, which will stop Nexpose.
$ ./[service_name] <start|stop>
Preventing the daemon from automatically starting with the host system
1. To prevent the Nexpose daemon from automatically starting when the host system starts:
$ update-rc.d [daemon_name] remove
Getting started
After you have installed Nexpose, you can use it right away to find vulnerabilities in your environment. This section provides quick instructions for getting started:
logging on
becoming familiar with the Security Console Web interface
setting up a site and configuring a scan
starting and stopping a scan manually
viewing scan data
working with asset groups
creating a report
For more detailed instructions, go to Help by clicking the Help link on any page of the Web interface. Click the Support link to view and download all documentation.
Logging on
NOTE: If you are a first-time user and have not yet activated your license, you will need the product key that Rapid7 sent to you to activate your license after you log on.
1. Start a Web browser. The Security Console Web interface supports the following browsers:
2. If you are running the browser on the same computer as the console, go to the following URL: https://localhost:3780. Make sure to specify the HTTPS protocol and port 3780. If you are running the browser on a separate computer, substitute the correct host name or IP address for localhost.
NOTE: If there is a usage conflict for port 3780, you can specify another available port in the XML file [installation_directory]/nsc/conf/httpd.xml. You also can switch the port after you log on. See Managing Security Console settings in the administrator's guide or Help.
3. When your browser displays the Logon box, enter the user name and password that you specified during installation. Click the Logon button. User names and passwords are case-sensitive and non-recoverable.
4. If you are a first-time user and have not yet activated your license, the console displays an activation dialog box. If Rapid7 sent you a product key, enter the product key in the text box. You can copy the key from the Rapid7 e-mail and paste it into the text box, or you can type it with or without hyphens. Whether you choose to include or omit hyphens, do so consistently for all four sets of numerals. If you do not have a product key, click the link to request one. Doing so will open a page on the Rapid7 Web site, where you can register to receive a key by e-mail. After you receive the product key, log onto the Security Console interface again, and enter the key. Click Activate to complete this step.
NOTE: If the logon box indicates that the Security Console is in maintenance mode, then either an error has stopped the system from starting properly, or a scheduled task has initiated maintenance mode. See Running Nexpose in maintenance mode in the administrator's guide or Help.
If the console displays a warning about authentication services being unavailable, and your network uses an external authentication source such as LDAP or Kerberos, your Global Administrator must check the configuration for that source. See Using external sources for user authentication in the administrator's guide. The problem may also indicate that the authentication server is down.
The first time you log on to the console, you will see the News page, which lists all updates and improvements in the installed Nexpose system, including new vulnerability checks. If you do not wish to see this page every time you log on after an update, clear the check box for automatically displaying this page after every login. You can always view the News page by clicking the News link that appears in a row near the top right corner of every page of the console interface.
5. Click the Home link to view the Security Console Home page.
6. Click the Help link on any page of the Web interface for information on how to use Nexpose.
A row of tabs appears at the top of the Home page, as well as every page of the Security Console. Use these tabs to navigate to the main pages for each area. The Assets page links to pages for viewing assets organized by different groupings, such as the sites they belong to or the operating systems running on them. The Tickets page lists remediation tickets and their status. The Reports page lists all generated reports and provides controls for editing and creating report templates. The Vulnerabilities page lists all discovered vulnerabilities. The Administration page is the starting point for all management activities, such as creating and editing user accounts, asset groups, and scan and report templates. Only global administrators see this tab.
On the Site Listing pane, you can click controls to view and edit site information, run scans, and start to create a new site, depending on your role and permissions. Information for any currently running scan appears in the pane labeled Current Scan Listings for All Sites. On the Ticket Listing pane, you can click controls to view information about tickets and assets for which those tickets are assigned. On the Asset Group Listing pane, you can click controls to view and edit information about asset groups, and start to create a new asset group.
On the Home page and throughout the interface, you can use various controls for navigation and administration.
Control | Description
(icon) | Minimize any pane so that only its title bar appears.
(icon) | Expand a minimized pane.
(icon) | Close a pane.
Configure link | Click to display a list of closed panes and open any of the listed panes.
(icon) | Reverse the sort order of listed items in a given column. You can also click column headings to produce the same result.
(icon) | Export asset data to a comma-separated value (CSV) file.
(icon) | Start a manual scan.
(icon) | Pause a scan.
(icon) | Resume a scan.
(icon) | Stop a scan.
(icon) | Edit properties for a site, report, or a user account.
Help link | View Help.
News link | View the News page, which lists all updates.
Log Out link | Log out of the Security Console interface. The Logon box appears. For security reasons, the Security Console automatically logs out a user who has been inactive for 10 minutes.
User: <user name> link | This link is the logged-on user name. Click it to open the User Configuration panel, where you can edit account information such as the password and view site and asset group access. Only Global Administrators can change roles and permissions.
Search box | Search the database for assets, asset groups, and vulnerabilities.
From the Administration page you can perform management activities, including:
- creating and editing user accounts
- creating and editing asset groups
- creating and editing scan templates
- creating and editing report templates
- configuring Nexpose Security Console settings
- troubleshooting and maintaining Nexpose
All panels have the same navigation scheme. You can either use the navigation buttons in the upper-right corner of each panel page to progress through each page of the panel, or you can click a page link listed on the left column of each panel page to go directly to that page. To save configuration changes, click the Save button that appears on every page. To discard changes, click the Cancel button.
NOTE: Parameters labeled in red denote required parameters on all panel pages.
DEFINITION: A site is a physical group of assets assembled for a scan by a specific, dedicated scan engine. The grouping principle may be something meaningful to you, such as a common geographic location or a range of IP addresses. Or, you may organize a site for a specific type of scan.
1. Click the New Site button on the Home page. This opens the Site Configuration panel.
2. On the Site Configuration General page, enter a name and description for your site. Select a level of importance, which corresponds to a risk factor used to calculate a risk index for each site.
3. Go to the Assets page. You can manually enter addresses and host names. You also can import a comma- or new-line-delimited ASCII-text file that lists the IP addresses and host names of assets you want to scan. To prevent assets within an IP address range from being scanned, manually enter addresses and host names in the text box labeled Devices to Exclude from scanning, or import a comma- or new-line-delimited ASCII-text file that lists the addresses and host names that you don't want to scan.
4. Go to the Scan Setup page to select a scan template and/or scan engine other than the default settings. A scan template is a predefined set of scan attributes that you can select quickly rather than manually define properties, such as port scan methods and targeted vulnerabilities. See the following topics in Help for more information:
   - Specifying scan settings, for a comparison of preset scan templates
   - Working with scan templates, for information on how to customize templates
5. If you want to schedule scans to run automatically, select the check box labeled Enable schedule. Then select schedule settings.
6. Alerts make you aware of important scan events, such as the discovery of certain vulnerabilities. If you want to receive scan alerts, go to the Alerting page, click the New Alert button, and edit and select settings according to your preferences. Some alert settings filter alerts according to criteria such as the level of severity or the level of certainty that these vulnerabilities exist. See Setting up alerts in Help.
7. Credentials enable Nexpose to perform deep checks, inspecting assets for a wider range of vulnerabilities. Additionally, credentialed scans can check for software applications and packages such as hotfixes. If you want to set up credentials for your scan, go to the Credentials page and click New Login. The steps for setting up credentials depend on the type of system you want to access. See Configuring scan credentials in Help.
8. You must give users access to a site in order for them to be able to view assets or perform asset-related operations, such as scanning or reporting, with assets in that site. Go to the Access page. Click Add Users. In the Add Users dialog box, select the check box for every user account that you want to add to the access list. Click Save.
9. To save the site configuration, click Save on any page of the panel. To discard changes, click the Cancel button.
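The Assets page step describes the import file as comma- or new-line-delimited ASCII text listing IP addresses and host names, with the exclude list in the same format. The following Python script is an added example, not from the Rapid7 guide or from the product: it parses both lists in that format, rejects entries that are neither a valid IP address nor a valid host name (so a typo such as 10.0.0.300 is caught before the import), removes duplicates, reports addresses that appear in both the include and the exclude list, and writes clean new-line-delimited text ready to import. The sample addresses and host names are constructed for the example; the host-name rule is RFC 1123 label syntax, which is this script's choice rather than a rule the guide states.

```python
"""Build and sanity-check the asset include and exclude files for a Nexpose site.

Added example, not part of the Rapid7 guide.  It follows the file format the
guide describes (comma- or new-line-delimited ASCII text listing IP addresses
and host names) and flags two things worth catching before a scan: malformed
entries and addresses present in both lists.  Sample inputs are constructed.
"""
import ipaddress
import re

# RFC 1123 host name: labels of 1-63 letters, digits or hyphens with no leading
# or trailing hyphen; the whole name is at most 253 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def parse_asset_list(text: str) -> list:
    """Split a comma- or newline-delimited list into entries; reject non-ASCII input."""
    if not text.isascii():
        raise ValueError("asset list must be plain ASCII text")
    return [e.strip() for e in re.split(r"[,\n]", text) if e.strip()]


def classify(entry: str) -> str:
    """Return 'ip' for a valid IPv4/IPv6 address or 'hostname' for a valid host name.

    Raises ValueError otherwise.  An all-numeric dotted entry that is not a valid
    address (10.0.0.300) is treated as a broken address, not as a host name.
    """
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", entry):
        raise ValueError(f"malformed IP address: {entry!r}")
    if _HOSTNAME_RE.match(entry):
        return "hostname"
    raise ValueError(f"not an IP address or host name: {entry!r}")


def normalize(entry: str) -> str:
    """Canonical form for de-duplication: compressed IP text, lower-case host name."""
    if classify(entry) == "ip":
        return str(ipaddress.ip_address(entry))
    return entry.lower()


def build_site_lists(include_text: str, exclude_text: str) -> dict:
    """Validate both lists, drop duplicates (first occurrence wins) and report
    entries that are both included and excluded.  An excluded asset is not
    scanned, so an overlap is usually a mistake worth a look before the scan."""
    include, exclude = [], []
    for src, dst in ((include_text, include), (exclude_text, exclude)):
        for entry in parse_asset_list(src):
            canon = normalize(entry)          # raises ValueError on a bad entry
            if canon not in dst:
                dst.append(canon)
    overlap = [e for e in include if e in exclude]
    return {"include": include, "exclude": exclude, "overlap": overlap}


def format_asset_list(entries) -> str:
    """Newline-delimited text ready to import on the Site Configuration Assets page."""
    return "".join(f"{e}\n" for e in entries)


if __name__ == "__main__":
    # Constructed sample input: mixed delimiters, an uncompressed IPv6 address
    # and a host name repeated in different case.
    INCLUDE = "10.0.0.5, 10.0.0.6\nweb01.example.com\n2001:db8:0:0:0:0:0:10\nWEB01.example.com\n"
    EXCLUDE = "10.0.0.6\nprinter.example.com\n"
    lists = build_site_lists(INCLUDE, EXCLUDE)
    print(format_asset_list(lists["include"]), end="")
    for entry in lists["overlap"]:
        print(f"WARNING: {entry} is in both lists and will not be scanned")
```

Write the two returned lists out with format_asset_list to separate files and import each on the Assets page. The script stops on the first bad entry on purpose: a site definition with a silently dropped host is harder to notice than a failed import.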
Information about the running scan appears on the following pages:
- the Home page
- the Sites page
- the page for the site that is being scanned
- the page for the actual scan
Use breadcrumb links to go back and forth between the Home, Sites, and specific site and scan pages.
To pause a scan, click the Pause icon for the scan on the Home, Sites, or specific site page; or click the Pause Scan button on the specific scan page. Nexpose displays a message, asking you to confirm that you want to pause the scan. Click OK.
To resume a paused scan, click the Resume icon for the scan on the Home, Sites, or specific site page; or click the Resume Scan button on the specific scan page. Nexpose displays a message, asking you to confirm that you want to resume the scan. Click OK.
To stop a scan, click the Stop icon for the scan on the Home, Sites, or specific site page; or click the Stop Scan button on the specific scan page. Nexpose displays a message, asking you to confirm that you want to stop the scan. Click OK. The stop operation may take 30 seconds or more to complete, pending any in-progress scan activity.
On the Assets page, you can view assets organized by:
- sites to which they are assigned
- asset groups to which they are assigned
- operating systems that they are running
- services that they are running
- software that they are running
- policy check results
Viewing vulnerabilities and their risk scores helps you to prioritize remediation projects. To view vulnerabilities, click the Vulnerabilities tab that appears on every page of the console interface. The console displays the Vulnerabilities page. For every displayed vulnerability, Nexpose displays a set of metrics that indicate the danger that this vulnerability poses to your network security. Vulnerabilities that make your environment susceptible to compromise via exploits or malware kits appear with icons that you can click for more information about these exposures. See Viewing active vulnerabilities in Help or the user's guide. You can click the icon in the Exclude column for any listed vulnerability to exclude that vulnerability from a report. See Creating vulnerability exceptions in Help.
A dynamic asset group contains scanned assets that meet a specific set of search criteria. The list of assets in a dynamic group is subject to change with every scan. A static asset group contains assets that meet a set of criteria that you define according to your organization's needs. Unlike with a dynamic asset group, the list of assets in a static group does not change unless you alter it manually.
For information on how to create and use asset groups, see Using asset groups to your advantage in Help.
Creating reports
You can create a variety of reports based on scan data. Nexpose templates enable you to initiate reports that focus on vulnerabilities, specific risk levels of vulnerabilities, remediation plans, policy evaluation, PCI compliance, or other criteria. Template attributes include options for exporting reports to external databases or formatting them for Web-based viewing. In addition to using pre-made templates, you can create custom report templates (see Creating a custom report template in Help). As with setting up sites and scans, the Web interface provides a wizard for setting up reports.
1. Click the New Report button on the Reports page. The console displays the General page of the Report Configuration panel.
2. Enter a unique name for the new report.
3. Select a report format. To learn about formats, see Specifying general report attributes in Help.
NOTE: If you select Database Export as your report format, the Report Configuration Output page of the panel contains fields specifically for transferring scan data to a database. You must have an external, JDBC-compliant database available in order to use the Database Export format.
4. Select a template from the drop-down list. Click the Browse Templates button to view information about each template. In the Browse Templates dialog box, you can click the Preview icon for any template to view a sample. For more information about report templates, see Specifying general report attributes in Help.
5. Select a time zone for reports.
6. Go to the Scope page. If you are a global administrator, you will see a list of users to whom you can assign ownership of the report. Select a report owner. After a report is generated, only a global administrator and the designated report owner can see that report on the Reports page. You also can have a copy of the report stored in the report owner's directory. If you are not a Global Administrator, you will not see a list of users. You will automatically become the report owner.
7. Select assets to be included in the report. You can select entire sites or asset groups by clicking those respective buttons, or you can select individual assets by clicking the Select devices... button. These choices are not mutually exclusive; you can combine selections of sites, asset groups, and individual assets. If you click the Select devices... button, the console displays a list of all your organization's assets, as defined when sites were created. You can page through the list, or you can search for specific assets by IP address range, device name, site, or operating system. To do the latter, type and/or select the desired search criteria and click the Apply Filter button. Nexpose applies all filter settings. The console displays a list of search results. Select the check box for each asset that you wish to add to the report. Click the Save button. If you want to use only the most recent scan data in your report, select the check box for that option. Otherwise, Nexpose will include all historical scan data in the report.
8. You can include risk trend graphs in your Executive Overview or custom report template. On the Scope page of the Report Configuration settings you can set the assets to include in your risk trend graphs. On the Advanced Properties page you can specify for which asset collections within the scope of your report you want risk trend graphs. You can generate a graph representing how risk has changed over time for all assets. Select All assets in report scope to generate risk trends for overall risk in your organization.
You can select All assets in report scope, and you can further specify Total risk score and indicate Scope trend if you want to include either the Average risk score or Number of assets in your graph. You can also choose the five highest risk sites, five highest risk asset groups, and five highest risk assets, depending on the level of detail you require in your risk trend report. Setting the date range for your report establishes the report period for risk trends in your reports. For more information about using risk trends, see the administrator's guide.
9. You can configure Nexpose to generate reports automatically on a schedule. Doing this is a good idea if you have an asset group containing assets that are assigned to many different sites, each with a different scan template. Since these assets will be scanned frequently, it makes sense to generate reports automatically. Go to the Report Configuration Schedule page. If you wish to produce a report manually, on the spot, click the radio button labeled This time only. If you want Nexpose to generate a report every time it successfully completes a scan of any one asset, click the radio button labeled After each scan. If you want to schedule reports for regular time intervals, click the option button labeled On the following schedule. Click the calendar icon to select a start date. Type a start time in the hour and minute fields to the right of the calendar icon. To set a time interval for repeating the report, type a value in the field labeled Repeat every and select a time unit. If you wish to run a report only once, type 0 in the field labeled Repeat every.
10. If you want users to view reports without going to the Security Console, do one of the following actions:
Store reports in user directories: You can store copies of reports in specific user directories of the file system. Users with access to those directories can view the reports immediately after they are created. Go to the Report Configuration Output page. Type the path of the desired user directory using a canonical naming convention, in which variables replace certain absolute values. See the user's guide for detailed instructions.
NOTE: In order to store copies of reports in specific user directories, you must create custom directories within the Nexpose directory structure beforehand. See Storing reports in user directories in Help.
Configure database export settings: You can export report data to an external database. To do so, you have to select Database Export as your report format in step 3. Select the database type from the drop-down list on the Output page. Enter the IP address and port of the database server. Enter a name for the database. Then, enter the administrative user ID and password for logging on to that database. After Nexpose completes a scan, check the database to make sure that the scan data has populated the tables.
Have Nexpose send reports via e-mail: You also can configure Nexpose to distribute reports via e-mail as a URL link or an attachment. Go to the Report Configuration Distribution page. Select the check box labeled Send E-mail. Click an option button for attaching the report as a URL, an uncompressed file (File), or a zipped file.
NOTE: Selecting the uncompressed file option is not recommended for reports that consist of multiple files, such as HTML pages with graphs. If such a report is attached without being zipped, Nexpose will send only the HTML page and not the graph files.
If you want to e-mail reports to Nexpose users with access to the assets included in the report, select the appropriate check box. This is a convenient way to distribute reports automatically to users who are responsible for remediation of vulnerabilities. Type all other desired recipient e-mail addresses. Then, type the e-mail address of the sender.
NOTE: You may require an SMTP relay server for one of several reasons. For example, a firewall may prevent Nexpose from accessing your network's mail server. If you are using an SMTP relay server, type its address in the appropriate field. If you leave the SMTP relay server field blank, Nexpose searches for a suitable mail server for sending reports. Nexpose also regards the mail sender address as the "originator" of e-mailed reports.
11. To save configuration changes, click the Save button that appears on every page. To discard changes, click the Cancel button.
Glossary
For more detailed information on any term in this glossary, search for the term in Nexpose Help.
Appliance
An Appliance is a set of Nexpose components shipped as a dedicated hardware/software unit. Appliance configurations include a Security Console/Scan Engine combination and a Scan Engine-only version.
Asset
An asset is a single device on a network that Nexpose discovers during a scan. In the Web interface and API, an asset may also be referred to as a device. See Managed asset on page 41 and Unmanaged asset on page 46. An asset's data has been integrated into the scan database, so it can be listed in sites and asset groups. In this regard, it differs from a node. See Node on page 42.
Asset group
An asset group is a logical collection of managed assets to which specific members have access for creating or viewing reports or tracking remediation tickets. An asset group may contain assets that belong to multiple sites or other asset groups. An asset group is either static or dynamic. An asset group is not a site. See Site on page 45. See Dynamic asset group on page 40 and Static asset group on page 45.
Asset Owner
Asset Owner is one of the preset Nexpose roles. A user with this role can view data about discovered assets, run manual scans, and create and run reports in accessible sites and asset groups.
Authentication
Authentication is the process of a security application verifying the logon credentials of a client or user that is attempting to gain access. By default Nexpose authenticates users with an internal process, but you can configure Nexpose to authenticate users with an external LDAP or Kerberos source.
Average risk
Average risk is a setting in risk trend report configuration. It is based on a calculation of your risk scores on assets over a report date range. Some assets have higher risk scores than others; calculating the average score provides a high-level view of how vulnerable your assets might be to exploits, and whether that level is high, low, or unchanged over the period.
Benchmark
In the context of scanning for FDCC policy compliance, a benchmark is a combination of policies that share the same source data. Each policy in the Advanced Policy Engine contains some or all of the rules that are contained within its respective benchmark. See Federal Desktop Core Configuration (FDCC) on page 41 and United States Government Configuration Baseline (USGCB) on page 46.
Category
In the context of scanning for FDCC policy compliance, a category is a grouping of policies in the Advanced Policy Engine configuration for a scan template. A policy's category is based on its source, purpose, and other criteria. See Advanced Policy Engine on page 38, Federal Desktop Core Configuration (FDCC) on page 41, and United States Government Configuration Baseline (USGCB) on page 46.
Command console
The command console is a page in the Security Console Web interface for entering commands to run certain operations. When you use this tool, you can see real-time diagnostics and a behind-the-scenes view of Security Console activity. To access the command console page, click the Run console commands link next to the Troubleshooting item on the Administration page.
Compliance
Compliance is the condition of meeting standards specified by a government or respected industry entity. Nexpose tests assets for compliance with a number of different security standards, such as those mandated by the Payment Card Industry (PCI) and those defined by the National Institute of Standards and Technology (NIST) for Federal Desktop Core Configuration (FDCC).
Continuous scan
A continuous scan starts over from the beginning if it completes its coverage of site assets within its scheduled window. This is a site configuration setting.
Dynamic site
A dynamic site is a collection of assets that are targeted for scanning and that have been discovered through vAsset discovery. Asset membership in a dynamic site is subject to change if the discovery connection changes or if filter criteria for asset discovery change. See Static site on page 45, Site on page 45, and vAsset discovery on page 46.
Exploit
An exploit is an attempt to penetrate a network or gain access to a computer through a security flaw, or vulnerability. Malicious exploits can result in system disruptions or theft of data. Penetration testers use benign exploits only to verify that vulnerabilities exist. The Metasploit product is a tool for performing benign exploits. See Metasploit on page 41. See Published exploit on page 43.
Exposure
An exposure is a vulnerability, especially one that makes an asset susceptible to attack via malware or a known exploit.
Global Administrator
Global Administrator is one of the preset Nexpose roles.
Host
A host is a physical or virtual server that provides computing resources to a guest virtual machine. In a high-availability virtual environment, a host may also be referred to as a node. The term node has a different context in Nexpose. See Node on page 42.
Malware
Malware is software designed to disrupt or deny a target system's operation, steal or compromise data, gain unauthorized access to resources, or perform other similar types of abuse. Nexpose can determine if a vulnerability renders an asset susceptible to malware attacks.
Malware kit
Also known as an exploit kit, a malware kit is a software bundle that makes it easy for malicious parties to write and deploy code for attacking target systems through vulnerabilities.
Managed asset
A managed asset is a network device that has been discovered during a scan and added to a site's target list, either automatically or manually. Only managed assets can be checked for vulnerabilities and tracked over time. Once an asset becomes a managed asset, it counts against the maximum number of assets that can be scanned, according to your Nexpose license.
Manual scan
A manual scan is one that you start at any time, even if it is scheduled to run automatically at other times. Synonyms include ad-hoc scan and unscheduled scan.
Metasploit
Metasploit is a product that performs benign exploits to verify vulnerabilities. See Exploit on page 40.
MITRE
The MITRE Corporation is a body that defines standards for enumerating security-related concepts and languages for security development initiatives. Examples of MITRE-defined enumerations include Common Configuration Enumeration (CCE) and Common Vulnerabilities and Exposures (CVE). Examples of MITRE-defined languages include Open Vulnerability and Assessment Language (OVAL). Nexpose implements a number of MITRE standards, especially in verification of FDCC compliance.
Node
A node is a device on a network that Nexpose discovers during a scan. After Nexpose integrates its data into the scan database, the device is regarded as an asset that can be listed in sites and asset groups. See Asset on page 38.
Override
An override is a change made by a user to the result of a check for compliance with a configuration policy rule. For example, a user may override a Fail result with a Pass result.
Permission
A permission is the ability to perform one or more specific operations in Nexpose. Some permissions only apply to sites or asset groups to which an assigned user has access. Others are not subject to this kind of access.
Policy
A policy is a set of primarily security-related configuration guidelines for a computer, operating system, software application, or database. Nexpose verifies compliance with a number of different policies, including those encompassed in the United States Government Configuration Baseline (USGCB) and the Federal Desktop Core Configuration (FDCC). See Advanced Policy Engine on page 38, Federal Desktop Core Configuration (FDCC) on page 41, United States Government Configuration Baseline (USGCB) on page 46, and Scan on page 44.
Policy Result
In the context of FDCC policy scanning, a result is a state of compliance or non-compliance with a rule or policy. Possible results include Pass, Fail, or Not Applicable.
Policy Rule
A rule is one of a set of specific guidelines that make up an FDCC configuration policy. See Federal Desktop Core Configuration (FDCC) on page 41, United States Government Configuration Baseline (USGCB) on page 46, and Policy on page 42.
Published exploit
In the context of Nexpose, a published exploit is one that has been developed in Metasploit or listed in the Exploit Database. See Exploit on page 40.
Risk
In the context of vulnerability assessment, risk reflects the likelihood that a network or computer environment will be compromised, and it characterizes the anticipated consequences of the compromise, including theft or corruption of data and disruption to service. Implicitly, risk also reflects the potential damage to a compromised entity's financial well-being and reputation.
Risk score
A risk score is a rating that Nexpose calculates for every asset and vulnerability. The score indicates the potential danger posed to network and business security in the event of a malicious exploit. You can configure Nexpose to rate risk according to one of several built-in risk strategies, or you can create custom risk strategies.
Risk strategy
A risk strategy is a method for calculating vulnerability risk scores. Each strategy emphasizes certain risk factors and perspectives. Four built-in strategies are available in Nexpose: Real Risk strategy on page 43, TemporalPlus risk strategy on page 45, Temporal risk strategy on page 45, and Weighted risk strategy on page 47. You can also create custom risk strategies.
Risk trend
A risk trend graph illustrates a long-term view of your assets' probability and potential impact of compromise, which may change over time. Risk trends can be based on average or total risk scores. The highest-risk graphs in your report show the biggest contributors to your risk at the site, group, or asset level. Tracking risk trends helps you assess threats to your organization's standing in these areas and determine whether your vulnerability management efforts are maintaining risk at acceptable levels or reducing risk over time. See Average risk on page 39 and Total risk on page 45.
Role
A role is a set of permissions. Five preset roles are available in Nexpose. You also can create custom roles by manually selecting permissions. See Asset Owner on page 38, Security Manager on page 45, Global Administrator on page 41, Site Owner on page 45, and User on page 46.
Scan
A scan is a process by which Nexpose discovers network assets and checks them for vulnerabilities. See Exploit on page 40 and Vulnerability check on page 47.
Scan credentials
Scan credentials are the user name and password that Nexpose submits to target assets for authentication in order to gain access and perform deep checks. Nexpose supports many different authentication mechanisms for a wide variety of platforms.
Scan Engine
The Scan Engine is one of two major Nexpose components. It performs asset discovery and vulnerability detection operations. Scan Engines can be distributed within or outside a firewall for varied coverage. Each installation of the Security Console also includes a local engine, which can be used for scans within the console's network perimeter.
Scan template
A scan template is a set of parameters for defining how Nexpose scans assets. Various preset scan templates are available in Nexpose for different scanning scenarios. You also can create custom scan templates. Parameters of scan templates include the following:
- methods for discovering assets and services
- types of vulnerability checks, including safe and unsafe
- Web application scanning properties
- verification of compliance with policies and standards for various platforms
Scheduled scan
A scheduled scan starts automatically at predetermined points in time. The scheduling of a scan is an optional setting in site configuration. It is also possible to start any scan manually at any time.
Security Console
The Security Console is one of two major Nexpose components. It controls Scan Engines and retrieves scan data from them. It also controls all Nexpose operations and provides a Web-based user interface.
Security Manager
Security Manager is one of the preset Nexpose roles. A user with this role can configure and run scans, create reports, and view asset data in accessible sites and asset groups.
Site
A site is a collection of assets that are targeted for a scan. Each site is associated with a list of target assets, a scan template, one or more Scan Engines, and other scan-related settings. See Dynamic site on page 40 and Static site on page 45. A site is not an asset group. See Asset group on page 38.
Site Owner
Site Owner is one of the preset Nexpose roles. A user with this role can configure and run scans, create reports, and view asset data in accessible sites.
Static site
A static site is a collection of assets that are targeted for scanning and that have been manually selected. Asset membership in a static site does not change unless a user changes the asset list in the site configuration. For more information, see Dynamic site on page 40 and Site on page 45.
Total risk
Total risk is a setting in risk trend report configuration. It is an aggregated score of vulnerabilities on assets over a specified period.
Unmanaged asset
An unmanaged asset is a device that has been discovered during a scan but not correlated against a managed asset or added to a site's target list. Nexpose is designed to provide sufficient information about unmanaged assets so that you can decide whether to manage them. An unmanaged asset does not count against the maximum number of assets that can be scanned according to your Nexpose license.
Update
An update is a released set of changes to Nexpose. By default, Nexpose automatically downloads and applies two types of updates:
- Content updates include new checks for vulnerabilities, patch verification, and security policy compliance. Content updates always occur automatically when they are available.
- Product updates include performance improvements, bug fixes, and new product features. Unlike content updates, it is possible to disable automatic product updates and update the product manually.
User
User is one of the preset Nexpose roles. An individual with this role can view asset data and run reports in accessible sites and asset groups.
vAsset discovery
vAsset discovery is a process by which Nexpose automatically discovers virtual assets through a connection with a vSphere server or virtual machine host. You can refine or limit asset discovery with criteria filters. See vAsset discovery filter on page 46 and vConnection on page 46. vAsset discovery is different from Discovery (scan phase) on page 40.
vConnection
A vConnection is a connection that Nexpose initiates with a server that manages virtual machines in order to discover those assets. A Global Administrator can configure a vConnection. See vAsset discovery filter on page 46.
Vulnerability
A vulnerability is a security flaw in a network or computer.
Vulnerability check
A vulnerability check is a series of operations that Nexpose performs to determine whether a security flaw exists on a target asset.
Vulnerability exception
A vulnerability exception is the removal of a vulnerability from a report and from any asset listing table. Excluded vulnerabilities also are not considered in the computation of risk scores.