
System Configuration

The “System” link at the top right of the SecurityCenter web interface contains a number of options to configure the desired SecurityCenter system behavior. When logged in as an admin user, additional options are available that are not available to non-admin users. The admin options available after selecting “Configuration” from the menu are “License”, “Mail”, “LDAP”, “Data Expiration”, “External Schedules”, “Security”, “Plugins / Feed”, and “Miscellaneous”. The sections below provide details about each of the categories and their configuration items.

Configuration

License

The “License” options allow the admin user to configure the licensing and Activation Code settings for SecurityCenter and the attached Tenable products. The screen capture below shows a sample default SecurityCenter License configuration page:

This page will rarely need to be modified by the administrator. It contains two sections, the SecurityCenter license and the Additional Licenses section. This page will only be changed manually when a new or upgraded Activation Code for Nessus, PVS, or LCE has been purchased by the organization.

Tip:

Offline repositories are not counted against the IP license count. Also, the following plugins are not counted against the license IP count when scanned using the Ping Host port scanner. Using other port scanners will cause the detected IPs to be counted against the license:

Nessus IDs: 10180, 10287, 19506, 12053, 11933, 11936

PVS IDs: 00003, 00012

LCE IDs: 800,000-800,099

To add a new license, use the “Choose File” button next to the “License File” field to locate the license key file (sent by Tenable via email) and then click “Submit”. Once a valid license is applied, a green field is displayed indicating a valid license and several informational fields will be shown. The fields indicate the name of the licensee, the type of license, the hostname of the SecurityCenter server, the license expiration date, IP count in use, and the maximum number of IPs allowed by the license.

For SecurityCenter installations, a valid Nessus Activation Code must also be entered to register any Nessus scanners used by SecurityCenter. A valid LCE Activation Code must be entered to download the LCE Event vulnerability plugins to SecurityCenter. A valid PVS Activation Code is required to use and manage attached PVS scanners. The Activation Codes are hyphen delimited alpha-numeric strings that enable SecurityCenter to download plugins and update Nessus scanner plugins. The LCE Activation Code allows SecurityCenter to download event plugins, but does not manage plugin updates for LCE servers. After uploading a valid license key and entering a valid Activation Code(s), click “Next” to continue.

A + sign with a grey background indicates that no license has been applied for the product. A green box with a checkmark in it indicates that a valid code has been entered. A red box with an X indicates an invalid code. Clicking on the symbol will reveal an area to either add or reset the Activation Code. Once a new code has been entered into the text box and registered, it is marked as valid or invalid.

A plugin download is initiated in the background. This plugin download can take several minutes and must complete before any Nessus scans are initiated. Once the plugin update has occurred, the “Last Updated” date and time are updated on the “Plugins” screen.

Mail

The “Mail” option designates SMTP settings for all email related functions of SecurityCenter. Available options include SMTP host, port, authentication method, encryption, and return address. In addition, a “Test SMTP Settings” link is displayed in the upper left-hand section of the page to confirm the validity of the settings.

Note: The “Return Address” defaults to “noreply@localhost”. Use a valid return email address for this field. If this field is empty or the email server requires emails from valid accounts, the email will not be sent by the email server.

LDAP

Tip: If LDAP authentication is to be used, it is recommended to leave at least one SecurityCenter administrator account and one manager account for each organization in SecurityCenter set to use TNS authentication in the event that the LDAP service becomes unreachable.

LDAP configuration settings enable SecurityCenter to utilize any LDAP server for authentication purposes. This enhances the security of SecurityCenter by facilitating “single sign-on” and password complexity requirements in environments where mandated by security policy. After selecting “LDAP”, a page similar to the one below is displayed.

Fill out the LDAP configuration settings as provided by the LDAP server administrator and click “Test LDAP Settings” to confirm the validity of the settings.

This table provides a detailed breakdown of the available LDAP parameters:

Option

Description

Server Settings

Hostname

Enter the IP address or DNS name of the LDAP server in this field.

Port

Specify the remote LDAP port here. When Encryption is set to “none”, the LDAP port is typically 389, and when TLS or LDAPS is used, port 636 is the typical setting. Confirm the selection with your LDAP server administrators.

Encryption

This selection indicates if Transport Layer Security (STARTTLS) or LDAP over SSL (LDAPS) is used for communication with the LDAP server.

Username

If the LDAP server requires credentials to search for user data, then the “Username” and “Password” fields are required. By default, if an Active Directory server is used for LDAP queries, it requires an authenticated search. Enter the username within this field in the “email” style format (user@domain.com).

Password (optional)

If the LDAP server requires credentials to search for user data, then the “Username” and “Password” fields are required. By default, many LDAP servers require an authenticated search.

Tip: It is recommended to use passwords that meet stringent length and complexity requirements.

LDAP Schema Settings

Base DN

This is the LDAP search base used as the starting point to search for the user information.

User Object Filter

This string may be modified to create a search based on a location or filter other than the default search base or attribute.

User Schema Settings

Username Attribute

This is the attribute name on the LDAP server that contains the username for the account. This is often specified by the string “sAMAccountName” in Active Directory servers that may be used by LDAP. Contact your local LDAP administrator for the correct username attribute to use.

Email Attribute

This is the attribute name on the LDAP server that contains the email address for the account. This is often specified by the string “mail” in Active Directory servers that may be used by LDAP. Contact your local LDAP administrator for the correct email attribute to use.

Phone Attribute

This is the attribute name on the LDAP server that contains the telephone number for the account. This is often specified by the string “telephoneNumber” in Active Directory servers that may be used by LDAP. Contact your local LDAP administrator for the correct telephone attribute to use.

Name Attribute

This field is the attribute name on the LDAP server that contains the name associated with the account. This is often specified by the string “CN” in Active Directory servers that may be used by LDAP. Contact your local LDAP administrator for the correct name attribute to use.

Note: Access to Active Directory is performed via AD’s LDAP mode. When using multiple AD domains, LDAP access may be configured to go through the Global Catalog. Port 3268 is the default non-SSL/TLS setting, while port 3269 is used for SSL/TLS connections by default. More general information about LDAP searches via the Global Catalog may be found at: http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx.

Data Expiration

Data expiration determines how long SecurityCenter retains acquired data.

Use the table below to determine default and minimum values for these settings:

Option

Description

Active

SecurityCenter will automatically remove any vulnerability data that was discovered via active scanning after the designated number of days. The default value of this field is 365.

Passive

By default, SecurityCenter will automatically remove any passive vulnerability data that is older than seven days.

Event

SecurityCenter will automatically remove any event vulnerability data that was discovered via LCE log scanning after the designated number of days. The default value of this field is 365.

Compliance

SecurityCenter will automatically remove any compliance data after the designated number of days. The default value of this field is 365.

Mitigated

Automatically remove any mitigated vulnerability data after the designated number of days. The default value of this field is 365.

Closed Tickets

Automatically remove any closed tickets after the designated number of days. The default value of this field is 365.

Scan Results

Automatically remove any scan results after the designated number of days. The default value of this field is 365.

Report Results

Automatically remove any report results after the designated number of days. The default value of this field is 365.

External Schedules

The SecurityCenter external schedule settings are used to determine the update schedule for the common tasks of pulling passive scanner data, IDS signature updates, and IDS correlation updates.

The following settings are available:

Option

Description

Pull Interval

This option configures the interval that SecurityCenter will use to pull results from the attached PVS servers. The default setting is 1 hour. The timing is based from the start of the SecurityCenter service on the host system.

IDS Signatures

Frequency to update SecurityCenter IDS signatures via third-party sources. The schedule is shown along with the time zone being used.

IDS Correlation Databases

Frequency to push vulnerability information to the LCE for correlation. The schedule is shown along with the time zone being used.

Each of the update schedule times may also be configured to occur by time in a particular time zone, which can be selected via the “Time Zone” link next to each hour selection.

Security

The “Security” section defines the SecurityCenter web interface login parameters and options for account logins. Banners, headers, and classification headers and footers can also be configured from this screen.

Use the table below to determine correct values for your environment:

Option

Description

Session Timeout

The web session timeout in minutes (default: 60 minutes).

Maximum Login Attempts

The maximum number of user login attempts allowed by SecurityCenter before the account is locked out (default: 20). Setting this value to zero disables this feature.

Minimum Password Length

This setting defines the minimum number of characters for passwords of accounts created using the local TNS authentication access (default: 3).

Startup Banner Text

Enter the text banner that is displayed prior to the login interface.

Header Text

Adds custom text to the top of the SecurityCenter screen. The text may be used to identify the company, group, or other organizational information. The field is limited to 128 characters.

Classification Type

Adds a header and footer banner to SecurityCenter to indicate the classification of the data accessible via the software. Current options are “None”, “Unclassified”, “Confidential”, “Secret”, “Top Secret”, and “Top Secret – No Foreign”.

Note: When set to an option other than “None”, the available report style for users will only show the “plain” report style types. The Tenable report styles do not support the classification banners.

Allow Session Management

This setting is disabled by default. When enabled (as displayed in the screen shot above), the Session Limit option will appear. This feature displays the option that will allow the administrator to set a session limit for all users.

Session Limit

Any number entered here will be saved as the maximum number of sessions a user can have open at one time. If a user logs in, and the session limit for that user has already been reached, he/she will be prompted with a warning notifying him/her that the oldest session with that username will be logged out automatically. The user may click cancel and opt not to Sign In, or he/she may click Sign In, at which point the oldest session for that user will be bumped.

Note: This behavior is different for CAC logins - the previously described behavior is bypassed as was the old login behavior.

Login Notifications

Sends a notification each time a user logs in.

Miscellaneous Configuration

The Miscellaneous Configuration area offers options to configure settings for web proxy, syslog, notifications, and enable or disable a variety of reporting types that are encountered and needed only in specific situations.

From this configuration page, a web proxy can be configured by entering the host URL (proxy hostname or IP address), port, authentication type, username, and password. The host name used must resolve properly from the SecurityCenter host.

The “Syslog” section allows for the configuration and sending of SecurityCenter log events to the local syslog service. When “Enable Forwarding” is enabled, the forwarding options are made available for selection. The “Facility” text entry box provides the ability to enter the desired facility that will receive the log messages. The “Severities” section uses checkboxes to determine which level(s) of syslog messages will be sent: “Informational”, “Warning”, and/or “Critical”.

The “Notifications” field defines the SecurityCenter web address used when notifications are generated for alerts and tickets.

Among the reporting standards for the Defense Information Systems Agency (DISA) are the Asset Report Format (ASR) and the Assessment Results Format (ARF) styles. Additionally, there is CyberScope reporting utilizing Lightweight Asset Summary Results Schema (LASR) style reports used by some segments of governments and industry. These formats are typically used only by select groups and organizations for specific needs that do not apply to many organizations. The ability to enable or disable their usage within SecurityCenter is controlled here. Selecting the checkbox will enable the reporting type and unselecting will disable the reporting type in the report type drop-down for SecurityCenter users.

Plugins/Feeds Configuration

The Feeds option displays information about the SecurityCenter feeds and plugin sets including the update schedule, a link to update the plugins either through SecurityCenter or by manually uploading plugins. The displayed feeds are for SecurityCenter Feed, Active Plugins, Passive Plugins, and Event Plugins. Only feeds with valid Activation Codes will be able to be updated.

Plugins are scripts used by the Nessus, PVS, and LCE servers to interpret vulnerability data. For ease of operation, Nessus and PVS plugins are managed centrally by SecurityCenter and pushed out to their respective scanners. LCE servers download their own event plugins and SecurityCenter downloads event plugins for its local reference. SecurityCenter does not currently push event plugins to LCE servers.

Clicking on “Upload Plugins” opens a file selection window that allows the user to choose an active, passive, event, or custom plugin file. All custom plugins must have unique Plugin ID numbers and have family associations based on existing SecurityCenter families.

Note:

Custom plugin uploads must now be a complete “feed”. In order to upload custom plugins the provided tar.gz file must include the relevant NASLs and a custom_feed_info.inc file comprised of the following two lines:

PLUGIN_SET = "201202131526";

PLUGIN_FEED = "Custom";

The administrator must manage this file and update the PLUGIN_SET option for each upload. The PLUGIN_SET format is “YYYYMMDDHHMM”.

For example, running the following command in a directory that holds the custom_feed_info.inc file and the custom plugins will create a new tarred and gzipped uploadable archive file called custom_nasl_archive.tar.gz that contains the custom_feed_info.inc file and the custom plugins:

# tar -cvzf custom_nasl_archive.tar.gz custom_feed_info.inc *.nasl

It is recommended that the custom_nasl_archive.tar.gz file be updated for each addition and update of custom NASLs.
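
The packaging steps above can be wrapped in a pre-upload check. The following shell function is an added example, not part of the original page and not Tenable code: it confirms that every plugin in a directory declares an ID and that no two share one, writes custom_feed_info.inc with a fresh PLUGIN_SET, and builds the archive. It assumes each NASL declares its ID with script_id(<number>); the function names, the sample plugin IDs, and the refusal to reuse the previous PLUGIN_SET are choices made for this illustration, and uniqueness is checked only within the directory, not against IDs already loaded in SecurityCenter.

```sh
#!/bin/sh
# Added example (not Tenable code): validate and package a custom plugin feed.
# Assumption: each custom NASL declares its ID with script_id(<number>);

# Print the plugin ID declared in one NASL file (empty if none is found).
nasl_plugin_id() {
    sed -n 's/.*script_id([[:space:]]*\([0-9][0-9]*\)[[:space:]]*).*/\1/p' "$1" | head -n 1
}

# build_custom_feed DIR [PLUGIN_SET]
# Prints the PLUGIN_SET used. The body runs in a subshell, so the cd and the
# variables do not leak into the caller.
build_custom_feed() (
    dir=$1
    plugin_set=${2:-$(date +%Y%m%d%H%M)}
    cd "$dir" || exit 1

    # PLUGIN_SET must be exactly twelve digits (YYYYMMDDHHMM).
    case $plugin_set in
        *[!0-9]*) echo "PLUGIN_SET must be numeric" >&2; exit 1 ;;
    esac
    [ "${#plugin_set}" -eq 12 ] || { echo "PLUGIN_SET must be YYYYMMDDHHMM" >&2; exit 1; }

    # Every plugin needs an ID, and no two plugins may share one.
    ids=""
    for f in *.nasl; do
        [ -f "$f" ] || { echo "no .nasl files in $dir" >&2; exit 1; }
        id=$(nasl_plugin_id "$f")
        [ -n "$id" ] || { echo "$f: no script_id() found" >&2; exit 1; }
        ids="$ids$id
"
    done
    dupes=$(printf '%s' "$ids" | sort | uniq -d)
    if [ -n "$dupes" ]; then
        echo "duplicate plugin IDs: $dupes" >&2
        exit 1
    fi

    # The file must be updated for each upload: refuse to reuse the last value.
    if [ -f custom_feed_info.inc ] &&
       grep -q "PLUGIN_SET = \"$plugin_set\";" custom_feed_info.inc; then
        echo "PLUGIN_SET $plugin_set was already used" >&2
        exit 1
    fi

    printf 'PLUGIN_SET = "%s";\nPLUGIN_FEED = "Custom";\n' "$plugin_set" \
        > custom_feed_info.inc
    tar -czf custom_nasl_archive.tar.gz custom_feed_info.inc *.nasl
    echo "$plugin_set"
)

# Write two constructed placeholder plugins (IDs are made up) for a dry run.
write_sample_plugins() {
    printf 'if (description) {\n  script_id(900001);\n}\n' > "$1/check_a.nasl"
    printf 'if (description) {\n  script_id(900002);\n}\n' > "$1/check_b.nasl"
}

# Usage: build_custom_feed /path/to/custom_plugins
```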

Diagnostics

The System menu contains a drop-down that includes Diagnostics. This page displays and creates information that assists in troubleshooting issues that may arise while using SecurityCenter.

In the “System Status” section, the following items are indicated by a green check mark for a properly working status. A red “X” icon is displayed when the item is in a critical state.

Option

Description

Correct Java Version

The icon is red when a minimal version of Java is not installed as required by certain SecurityCenter features.

Sufficient Disk Space

Once the disk that stores the SecurityCenter data is within 5% of being filled, the icon indicator will turn red.

Correct RPM Package Installed

This indicator is green when the correct RPM is installed for the OS architecture on which it is running.

The “Diagnostics File” section is used primarily when working with the Tenable Support team. In order to troubleshoot issues that may be encountered, the Support team may request that a diagnostics file be generated with one or more of the “Diagnostics File Chapters” selected. Clicking the “Generate Diagnostics File” button will open a page to set the options to be included in the diagnostic file. If selected, the “Strip IPs from Chapters” option will remove IP addresses from the log files before generating the diagnostics file.

Job Queue

Job Queue is a feature of SecurityCenter that allows specified events to be displayed in a list for review.

Job Queue notifications can be viewed and sorted in several ways by clicking on the desired sort column. Using the gear icon menu next to an item, that item may be viewed for more detail or, if the job is running, the process may be killed. Killing a process should be done only as a last resort, as killing a process may have undesirable effects on other SecurityCenter processes.

System Logs

SecurityCenter logs contain detailed filter options to troubleshoot unusual system or user activity. The logs include filters that allow users to search logs based on parameters such as Date, Initiator, Keyword, Module, and Severity.

This search flexibility improves debugging and maintains an audit trail of users who access SecurityCenter or perform basic functions such as changing passwords, recasting risks, or running Nessus scans.

Publishing Sites

Organizations may configure publishing sites as targets to send report results to a properly configured web server or a Defense Information Systems Agency (DISA) Continuous Monitoring and Risk Scoring (CMRS) site.

Configuring the publishing sites starts with clicking the “Add a Publishing Site” link to open the “Add Publishing Site” window as shown below:

Option

Description

Name

Enter a name for the publishing site.

Description

Enter a description of the publishing site.

Type

This is the method SecurityCenter will use to publish to the site. Available options are “HTTP Post” or “CMRS”. Use the selection appropriate for the configuration of the publishing site.

URI

This is the target address to send the report to when completed.

Authentication

There are two methods of authentication available: “SSL Certificate” and “Password”. When “SSL Certificate” is selected, the option to upload a certificate is available. When “Password” is selected, fields are available to enter a username and password to authenticate to the publishing server.

Organizations

This field allows for selecting the Organization(s) that are allowed to publish to the configured site.

Keys

From the System menu one of the drop-down options is for Keys. Keys allow the administrator to use key-based authentication with a remote SecurityCenter (remote repository) or between a SecurityCenter and an LCE server. This also removes the need for the SecurityCenter administrator to know the administrator login or password of the remote system.

Note: The public key from the local SecurityCenter must be added to the “Keys” section of the SecurityCenter that you wish to retrieve a repository from. If the keys are not added properly, the remote repository “add” process will prompt for the root username and password of the remote host to perform a key exchange before the repository add/sync occurs.

From the “Options” drop-down the SecurityCenter key may be downloaded in a DSA or RSA format. After selecting the option, the key format dialog is displayed. Choose the type of key being requested and then click “Download”:

If “DSA” was chosen during download, the DSA public key is downloaded. Likewise, choosing “RSA” downloads the RSA public key string.

Clicking on “Add” brings up the dialog box below:

In the “Type” drop-down, select DSA or RSA as the key type.

In the “Comment” box, enter an optional string of text that describes the purpose of the key being added to the system.

In the “Public Key” box, paste the text of the public key from the remote SecurityCenter and click “Submit”.

Remote LCE Key Exchange

A manual key exchange between the SecurityCenter and the LCE is normally not required; however, in some cases where remote root login is prohibited or key exchange debugging is required, you will need to manually exchange the keys.

For the remote LCE to recognize the SecurityCenter, you need to copy the SSH public key of the SecurityCenter and append it to the /opt/lce/.ssh/authorized_keys file. The /opt/lce/daemons/lce-install-key.sh script performs this function. The steps are outlined in the manual LCE key exchange section of this document.

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.