Repositories

A repository is essentially a database of vulnerability data defined by one or more ranges of IP addresses or mobile data types. SecurityCenter integrates repositories of vulnerability data that are shared as needed among users and organizations based on manager-defined assets. The use of repositories allows for scalable and configurable data storage for organizations. Repository data can also be shared between multiple SecurityCenters. Repositories are configured by the administrative user and made available to the Security Manager user to assign to users as needed. The maximum repository size is 32GB.

Caution: When creating SecurityCenter IPv4 or IPv6 repositories, LCE event source IP ranges must be included along with the vulnerability IP ranges or the event data and event vulnerabilities will not be accessible from the SecurityCenter UI.

There are two types of repositories: Local (IPv4, IPv6, and mobile) and External (remote or offline). Local repositories are active repositories of SecurityCenter data collected via scanners attached to the local SecurityCenter. Remote repositories contain IP address and vulnerability information obtained via network synchronization with a second (remote) SecurityCenter. Offline repositories enable SecurityCenter to obtain repository data via manual export/import from a remote SecurityCenter that is not network-accessible. The screen capture below shows several configured repositories. Note that the Type column only displays when there are repositories other than Local.

Repository data collected from a remote or offline repository is static and used solely for reporting purposes.

Click the Add button to add a new repository. The sections below contain options for adding each type of repository.

IPv4/IPv6 (Local) Repository

These are the most common types of repositories used with SecurityCenter and store IPv4 and IPv6 data from active and passive scans. Data stored in local repositories can be shared between Organizations and includes the full range of event and vulnerability metadata. The table below describes configurable options for IPv4 and IPv6 local repositories:

Local Repository Options

General
  Name: The repository name.
  Description: (Optional) A description for the repository.

Data
  IP Ranges: Allowed ranges for importing vulnerability data. Addresses may be a single IP address, IP range, CIDR block, or any comma-delimited combination.

Access
  Organizations: Defines Organizations that have access to the vulnerability data within the repository. Within the Organizations section, selecting or deselecting the box next to the Organization name grants or denies that Organization access to the repository information. When initially selecting the Organization, a prompt will appear to either grant access to all the Groups within the Organization, or not. If granted, all Groups will be given access to the repository information. If denied, Groups within the Organization must explicitly be given access on a per Group basis.

Advanced Settings
  Generate Trend Data: This option allows for a periodic snapshot of the .nessus data for vulnerability trending purposes. This option is useful in cases where tracking data changes is important. In situations where repository datasets do not change frequently – negating the need for trending – disable this option to minimize disk space usage.
  Note: If trending is not selected, any query that uses comparisons between repository snapshots (e.g., trending line charts) will not be available.
  Days Trending: Sets the number of days for the trending data to track.
  Enable Full Text Search: Determines if the trending data presented is indexed for a full text search.
  LCE Correlation: Log Correlation Engine servers that will receive the vulnerability correlation information from this repository.
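As an added example (not Tenable's code), the Python below parses an IP Ranges value in the comma-delimited form described for this table and reports which LCE event-source addresses the repository ranges would leave uncovered, which is the condition the Caution at the top of this page warns about. The function names and all sample ranges are constructed for illustration.

```python
# Added example, not Tenable's code: parse a SecurityCenter "IP Ranges" value
# (single IPs, a-b ranges, CIDR blocks, comma-delimited) and report any LCE
# event-source addresses the repository ranges would not cover.
import ipaddress


def parse_ip_ranges(spec):
    """Turn '10.0.0.5, 10.0.1.0/24, 10.0.2.1-10.0.2.9' into a list of networks."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {item}")
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _leftover(net, repo):
    """Return the parts of net that no network in repo covers."""
    todo = [net]
    for r in repo:
        nxt = []
        for n in todo:
            if n.version != r.version or not n.overlaps(r):
                nxt.append(n)                      # unrelated to r: still uncovered
            elif n.subnet_of(r):
                pass                               # fully inside r: covered, drop it
            else:
                nxt.extend(n.address_exclude(r))   # r lies inside n: carve it out
        todo = nxt
    return todo


def uncovered(repo_spec, lce_spec):
    """LCE source address blocks (as strings) not covered by the repository ranges."""
    repo = parse_ip_ranges(repo_spec)
    return [str(n) for src in parse_ip_ranges(lce_spec) for n in _leftover(src, repo)]


if __name__ == "__main__":
    # Constructed sample values, not from a real SecurityCenter.
    print(uncovered("192.168.1.0/24, 10.0.0.0/16", "192.168.1.10, 10.0.5.0/24, 172.16.0.1"))
```

An empty result means every LCE source range is inside the repository's IP Ranges; anything listed must be added to the repository before its event data will be visible.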

Mobile (Local) Repository

The Mobile repository is a local type that stores data from various MDM servers. The MDM servers currently supported as of this writing include ActiveSync, AirWatch MDM, Apple Profile Manager, Good MDM, and MobileIron. The table below describes configurable options for mobile local repositories:

Mobile (Local) Repository Options

General
  Name: The repository name.
  Description: Descriptive text for the repository.

MDM
  Type: This setting determines if the repository will store ActiveSync, AirWatch MDM, Apple Profile Manager, Good, or MobileIron types of mobile data. The authentication settings available will vary depending on the type selected.
  Scanner: This setting determines which Nessus scanner is used when scanning the MDM server. Only one Nessus scanner may be used to add data to the mobile repository.
  Schedule: Sets the schedule for the MDM server to be scanned to update the Mobile repository. On each scan, the current data in the repository is removed and replaced with the information from the latest scan.

Access
  Organizations: Defines Organizations that have access to the vulnerability data within the repository. Within the Organizations section, selecting or deselecting the box next to the Organization name grants or denies that Organization access to the repository information. When initially selecting the Organization, a prompt will appear to either grant access to all the Groups within the Organization, or not. If granted, all Groups will be given access to the repository information. If denied, Groups within the Organization must explicitly be given access on a per Group basis.

Remote Repository

If you want to connect your SecurityCenter with another SecurityCenter, configure the secondary SecurityCenter as a remote repository. Remote repositories allow multiple SecurityCenters to share repository data via an SSH session.

Remote Repository Options

General
  Name: The repository name.
  Description: Descriptive text for the repository.

Remote SecurityCenter
  Host: Host to synchronize with to obtain the repository data. After entering the IP address of the remote SecurityCenter, click the Request Repositories link and enter an admin username and password for the remote SecurityCenter so that the two systems can exchange SSH keys. Once completed, a list of available repositories is populated.
  Repository: Remote repository to collect IP address(es) and vulnerability data from. This is a list of the repository names available on the remote SecurityCenter.
  Schedule: Sets the schedule for the remote server to be queried for updated information.

Access
  Organizations: Defines Organizations that have access to the vulnerability data within the repository. Within the Organizations section, selecting or deselecting the box next to the Organization name grants or denies that Organization access to the repository information. When initially selecting the Organization, a prompt will appear to either grant access to all the Groups within the Organization, or not. If granted, all Groups will be given access to the repository information. If denied, Groups within the Organization must explicitly be given access on a per Group basis.

Offline Repository

Offline repositories are similar to remote repositories with the exception that data is synchronized manually using an archive file (.tar.gz) and not via network transmission. The table below describes configurable options for an offline repository:

Offline Repository Options

General
  Name: The repository name.
  Description: Descriptive text for the repository.

Access
  Organizations: Defines Organizations that have access to the vulnerability data within the repository. Within the Organizations section, selecting or deselecting the box next to the Organization name grants or denies that Organization access to the repository information. When initially selecting the Organization, a prompt will appear to either grant access to all the Groups within the Organization, or not. If granted, all Groups will be given access to the repository information. If denied, Groups within the Organization must explicitly be given access on a per Group basis.

Advanced Settings
  Generate Trend Data: This option allows for a periodic snapshot of the .nessus data for vulnerability trending purposes. This option is useful in cases where tracking data changes is important. In situations where repository datasets do not change frequently – negating the need for trending – disable this option to minimize disk space usage.
  Note: If trending is not selected, any query that uses comparisons between repository snapshots (e.g., trending line charts) will not be available.
  Days Trending: Sets the number of days for the trending data to track.
  Enable Full Text Search: Determines if the trending data presented is indexed for a full text search.

To initiate offline repository synchronization, first download the repository archive from an existing repository by clicking on the Export link from the gear icon drop-down menu.

Depending on browser choice, the option to open or save the Nessus or Compressed Tar file is presented. It is recommended that the file be saved at this time.

Tip: Depending on the size of the repository database, this file can be quite large. It is important to save the file to a location with sufficient free disk space.

Tip: When importing the repository archive, the default maximum file import size is 360MB. This is specified by the post_max_size directive in /opt/sc/support/etc/php.ini. If larger file uploads are required, increase the default value.

To load the repository archive into the offline repository, copy it to a location that is reachable from the system where you use the SecurityCenter GUI, open the Repositories page, select the offline repository and click Upload from the gear icon drop-down menu.

On the Upload page, add a name and description for the repository. Click the Choose File button next to Repository Data and select the previously exported archive file to add to the repository.
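As an added example (not Tenable's code), a small Python check that reads the active post_max_size directive from php.ini text and compares it with the size of an exported archive before the upload step, so an archive larger than the limit is caught before the import fails. The php.ini contents and the function names are constructed for illustration; the real file is the one at the path given in the Tip above.

```python
# Added example, not Tenable's code: read the active post_max_size from php.ini
# text and check that a repository archive fits under it before uploading.
import re

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_php_size(value):
    """Convert a php.ini shorthand size such as '360M' or '2G' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMGkmg]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised php.ini size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def read_post_max_size(ini_text, default="360M"):
    """Return post_max_size in bytes; the last uncommented setting wins."""
    size = default                              # PHP's own default, as the Tip states
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()    # ';' starts a php.ini comment
        m = re.match(r"post_max_size\s*=\s*(\S+)", line)
        if m:
            size = m.group(1)
    return parse_php_size(size)


def archive_fits(archive_bytes, ini_text):
    """True if an archive of archive_bytes bytes can be uploaded under the current limit."""
    return archive_bytes <= read_post_max_size(ini_text)


# Constructed sample, not the contents of a real /opt/sc/support/etc/php.ini.
SAMPLE_INI = """\
; post_max_size = 2G      (commented out, so it must be ignored)
post_max_size = 360M
"""

if __name__ == "__main__":
    # A 400 MB archive against the 360M limit above: the upload would be rejected.
    print(archive_fits(400 * 1024 ** 2, SAMPLE_INI))
```

Point read_post_max_size at the text of the real php.ini and archive_fits at the result of os.path.getsize on the exported .tar.gz to run the check against a live system.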

Accept Risk Rules

Any non-admin user has the ability to accept a vulnerability risk by adding an Accept Risk Rule. Adding a rule removes the matching vulnerabilities from the unfiltered cumulative database view. These vulnerabilities are not deleted, but only display in the cumulative database vulnerability view if the Accepted Risk filter option is checked. Once a risk has been accepted, the admin user can view the details of the accept rules associated with the risk and delete them if they deem that the risk is still valid. This is accomplished by clicking on Repositories and then Accept Risk Rules. From there a list of available rules is displayed and may be filtered by Plugin ID, Repository, and Organization combination. Choose All for Repository and Any for Organization if plugin IDs are to be accepted across these boundaries. This is especially useful in setups where hundreds of repositories or organizations have been configured and the same accept risk rule must be applied globally.

To see more information about a rule, click the rule in the list or click View from the gear icon drop-down menu. To remove a rule, select it from the list and click Delete from the gear icon drop-down menu; a confirmation dialog asks whether you really wish to delete the accept risk rule:

After clicking Delete, click the Apply Rules button in the top left for the changes to take effect. Once completed, any vulnerabilities that had been modified by the accept risk rule are displayed unfiltered in the cumulative database.

Recast Risk Rules

Similar to Accept Risk Rules, Recast Risk Rules are rules created by a non-admin user that recast a vulnerability to a different risk level. The admin user can display and delete these rules if desired. As with Accept Risk Rules, rules can be filtered by plugin ID, repository, or organization combination. A screen capture of example Recast Risk Rules is shown below:

To view the details of a rule, highlight it and click Detail. To remove the rule, click Delete. A confirmation dialog asks whether you really wish to delete the recast risk rule:

After clicking Delete, click the Apply Rules button in the top left for the changes to take effect. Once completed, any vulnerabilities that had been modified by the recast risk rule are returned to their original state.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.