Data Management

Repositories

A repository is essentially a database of vulnerability data defined by one or more ranges of IP addresses or mobile data types. SecurityCenter integrates repositories of vulnerability data that are shared as needed among users and organizations based on manager-defined assets. The use of repositories allows for scalable and configurable data storage for organizations. Repository data can also be shared between multiple SecurityCenters. Repositories are configured by the administrative user and made available to the Security Manager user to assign to users as needed. The maximum repository size is 32GB.

Caution: When creating SecurityCenter IPv4 or IPv6 repositories, LCE event source IP ranges must be included along with the vulnerability IP ranges; otherwise, the event data and event vulnerabilities will not be accessible from the SecurityCenter UI.

There are two types of repositories: Local (IPv4, IPv6, and mobile) and External (remote or offline). Local repositories are active repositories of SecurityCenter data collected via scanners attached to the local SecurityCenter. Remote repositories contain IP address and vulnerability information obtained via network synchronization with a second (remote) SecurityCenter. Offline repositories enable SecurityCenter to obtain repository data via manual export/import from a remote SecurityCenter that is not network-accessible. The screen capture below shows several configured repositories. Note that the “Type” column only displays when there are repositories other than Local.

Repository data collected from a remote or offline repository is static and used solely for reporting purposes.

Click the “Add” button to add a new repository. The sections below contain options for adding each type of repository.

IPv4/IPv6 (Local) Repository

These are the most common types of repositories used with SecurityCenter and store IPv4 and IPv6 data from active and passive scans. Data stored in local repositories can be shared between Organizations and includes the full range of event and vulnerability metadata. The table below describes configurable fields for IPv4 and IPv6 local repositories:

Local Repository Options (Option: Description)

General

Name: The repository name.

Description: Descriptive text for the repository.

Data

IP Ranges: Allowed ranges for importing vulnerability data. Addresses may be a single IP address, IP range, CIDR block, or any comma-delimited combination (20 K character limit).

Access

Organizations: Defines Organizations that have access to the vulnerability data within the repository. Within the “Organizations” section, selecting or deselecting the checkbox next to the Organization name grants or denies that Organization access to the repository information. When initially selecting the Organization, a prompt will appear to either grant access to all the Groups within the Organization, or not. If granted, all Groups will be given access to the repository information. If denied, Groups within the Organization must explicitly be given access on a per Group basis.

Advanced Settings

Generate Trend Data: This option allows for a periodic snapshot of the .nessus data for vulnerability trending purposes. This option is useful in cases where tracking data changes is important. In situations where repository datasets do not change frequently – negating the need for trending – disable this option to minimize disk space usage. Note: If trending is not selected, any query that uses comparisons between repository snapshots (e.g., trending line charts) will not be available.

Days Trending: Sets the number of days for the trending data to track.

Enable Full Text Search: Determines if the trending data presented is indexed for a full text search.

LCE Correlation: Log Correlation Engine servers that will receive the vulnerability correlation information from this repository.
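
As an added example (not Tenable's code), the Python check below parses an IP Ranges value and reports which LCE event source addresses fall outside it, which is the condition the caution at the top of this page warns about. The start-end range syntax, the reading of “20 K” as 20,000 characters, and all sample addresses are assumptions.

```python
import ipaddress

MAX_RANGE_CHARS = 20_000  # assumption: the "20 K character limit" read as 20,000 characters


def parse_ranges(spec):
    """Parse a comma-delimited mix of single IPs, start-end ranges and CIDR blocks
    into (first, last) address pairs. Works for IPv4 or IPv6 values."""
    if len(spec) > MAX_RANGE_CHARS:
        raise ValueError("IP range list exceeds the character limit")
    spans = []
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        if "/" in token:                      # CIDR block
            net = ipaddress.ip_network(token, strict=False)
            first, last = net[0], net[-1]
        elif "-" in token:                    # assumption: ranges are written start-end
            lo, hi = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {token}")
            first, last = lo, hi
        else:                                 # single address
            first = last = ipaddress.ip_address(token)
        spans.append((first, last))
    return spans


def uncovered_sources(repo_spec, lce_sources):
    """Return the LCE event source addresses that no repository range contains."""
    spans = parse_ranges(repo_spec)
    missing = []
    for src in lce_sources:
        addr = ipaddress.ip_address(src)
        if not any(a.version == addr.version and a <= addr <= b for a, b in spans):
            missing.append(src)
    return missing


# Constructed sample: a repository's scan ranges and the hosts that send logs to LCE.
REPO_RANGES = "10.10.0.0/24, 10.10.5.10-10.10.5.50, 192.168.7.9"
LCE_SOURCES = ["10.10.0.17", "10.10.5.60", "192.168.7.9", "172.16.4.2"]

if __name__ == "__main__":
    for ip in uncovered_sources(REPO_RANGES, LCE_SOURCES):
        print(f"{ip}: LCE event source not covered by the repository IP ranges")
```

Any address the check reports needs to be added to the repository's IP Ranges before its event data will be visible.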

Mobile (Local) Repository

The Mobile repository is a local type that stores data from various MDM servers. The MDM servers currently supported as of this writing include ActiveSync, AirWatch MDM, Apple Profile Manager, Good MDM, and MobileIron. The table below describes configurable fields for mobile local repositories:

Local Repository Options (Option: Description)

General

Name: The repository name.

Description: Descriptive text for the repository.

MDM

Type: This setting determines if the repository will store ActiveSync, AirWatch MDM, Apple Profile Manager, Good, or MobileIron types of mobile data. The authentication settings available will vary depending on the type selected.

Scanner: This setting determines which Nessus scanner is used when scanning the MDM server. Only one Nessus scanner may be used to add data to the mobile repository.

Schedule: Sets the schedule for the MDM server to be scanned to update the Mobile repository. On each scan, the current data in the repository is removed and replaced with the information from the latest scan.

Access

Organizations: Defines Organizations that have access to the vulnerability data within the repository. Within the “Organizations” section, selecting or deselecting the checkbox next to the Organization name grants or denies that Organization access to the repository information. When initially selecting the Organization, a prompt will appear to either grant access to all the Groups within the Organization, or not. If granted, all Groups will be given access to the repository information. If denied, Groups within the Organization must explicitly be given access on a per Group basis.

Remote Repository

Remote repositories are useful because they allow separate SecurityCenters to share repository data via an SSH session. The table below describes configurable fields for a remote repository:

Remote Repository Options (Option: Description)

General

Name: The repository name.

Description: Descriptive text for the repository.

Remote SecurityCenter

Host: Host to synchronize with to obtain the repository data. After entering the IP address of the remote SecurityCenter, click the “Request Repositories” link to enter an admin username and password for the SecurityCenter to exchange the SSH keys. Once completed, a list of available repositories will be populated.

Repository: Remote repository to collect IP address(es) and vulnerability data from. This is a list of the repository names available on the remote SecurityCenter.

Schedule: Sets the schedule for the remote server to be queried for updated information.

Access

Organizations: Defines Organizations that have access to the vulnerability data within the repository. Within the “Organizations” section, selecting or deselecting the checkbox next to the Organization name grants or denies that Organization access to the repository information. When initially selecting the Organization, a prompt will appear to either grant access to all the Groups within the Organization, or not. If granted, all Groups will be given access to the repository information. If denied, Groups within the Organization must explicitly be given access on a per Group basis.

Offline Repository

Offline repositories are similar to remote repositories with the exception that data is synchronized manually using an archive file (.tar.gz) and not via network transmission. The table below describes configurable fields for an offline repository:

Offline Repository Options (Option: Description)

General

Name: The repository name.

Description: Descriptive text for the repository.

Access

Organizations: Defines Organizations that have access to the vulnerability data within the repository. Within the “Organizations” section, selecting or deselecting the checkbox next to the Organization name grants or denies that Organization access to the repository information. When initially selecting the Organization, a prompt will appear to either grant access to all the Groups within the Organization, or not. If granted, all Groups will be given access to the repository information. If denied, Groups within the Organization must explicitly be given access on a per Group basis.

Advanced Settings

Generate Trend Data: This option allows for a periodic snapshot of the .nessus data for vulnerability trending purposes. This option is useful in cases where tracking data changes is important. In situations where repository datasets do not change frequently – negating the need for trending – disable this option to minimize disk space usage. Note: If trending is not selected, any query that uses comparisons between repository snapshots (e.g., trending line charts) will not be available.

Days Trending: Sets the number of days for the trending data to track.

Enable Full Text Search: Determines if the trending data presented is indexed for a full text search.

To initiate offline repository synchronization, first download the repository archive from an existing repository by clicking on the “Export” link from the gear icon menu.

Depending on browser choice, the option to open or save the Nessus or Compressed Tar file is presented. It is recommended that the file be saved at this time.

Tip: Depending on the size of the repository database, this file can be quite large. It is important to save the file to a location with sufficient free disk space.

Tip: When importing the repository archive, the default maximum file import size is 360MB. This is specified by the “post_max_size” directive in /opt/sc/support/etc/php.ini. If larger file uploads are required, increase the default value.

To load the repository archive to the offline repository, copy it to a location where the offline repository is accessible via the SecurityCenter GUI, open the “Repositories” page, highlight the offline repository and select “Upload” from the gear icon menu.

On the Upload page add a name and description for the repository. Using the “Choose File” button next to “Repository Data”, select the file to add to the repository, which was previously exported.
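
As an added example (not part of the original page or Tenable's tooling), this Python pre-flight check reads “post_max_size” from php.ini text and tells you whether an exported archive will fit under the import limit before you attempt the upload. The sample ini text, the helper names and the 64 KB allowance for the other form fields are assumptions.

```python
import re

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Constructed sample standing in for /opt/sc/support/etc/php.ini
SAMPLE_INI = """\
[PHP]
; post_max_size = 8M
post_max_size = 360M   ; page default for repository imports
"""


def php_size_to_bytes(value):
    """Convert PHP shorthand byte notation ('360M', '2G', '512K', '1048576') to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?)\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]


def read_directive(ini_text, name):
    """Return a directive's effective value: comments are ignored, last assignment wins."""
    value = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()      # ';' starts a comment in php.ini
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip().strip('"')
    return value


def import_fits(archive_bytes, ini_text, overhead=64 * 1024):
    """True if the archive plus an assumed allowance for form fields fits post_max_size."""
    raw = read_directive(ini_text, "post_max_size")
    if raw is None:
        raise KeyError("post_max_size is not set in the supplied ini text")
    limit = php_size_to_bytes(raw)
    return limit == 0 or archive_bytes + overhead <= limit   # 0 disables the limit in PHP


if __name__ == "__main__":
    import os, sys
    if len(sys.argv) == 3:      # usage: check.py <archive.tar.gz> <php.ini>
        size, ini = os.path.getsize(sys.argv[1]), open(sys.argv[2]).read()
    else:                       # constructed case: a 410 MB export against the sample ini
        size, ini = 410 * 1024 ** 2, SAMPLE_INI
    print("fits" if import_fits(size, ini) else "too large: raise post_max_size first")
```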

Accept Risk Rules

Any non-admin user has the ability to accept a vulnerability risk by adding an “Accept Risk Rule”. Adding a rule moves vulnerabilities out of the unfiltered cumulative database view. These vulnerabilities are not deleted, but only display in the cumulative database vulnerability view if the “Accepted Risk” filter option is checked. Once a risk has been accepted, the admin user can view the details of and delete the accept rules associated with the risk if they deem that the risk is still valid. This is accomplished by clicking on “Repositories” and then “Accept Risk Rules”. From there a list of available rules is displayed and may be filtered by Plugin ID, Repository, and Organization combination. Choose “All” for Repository and “Any” for Organization if plugin IDs are to be accepted across these boundaries. This is especially useful in setups where hundreds of repositories or organizations have been configured and the same accept risk rule must be applied globally.

To see more information about a rule, select the rule to be viewed from the list or click “View” from the gear icon menu. To remove a rule, select it from the list and click “Delete” from the gear icon menu. A confirmation dialog is displayed that asks whether you really wish to delete the accepted risk rule.

After clicking “Delete”, click the “Apply Rules” button in the top left for the changes to take effect. Once completed, any vulnerabilities that had been modified by the accept risk rule are displayed unfiltered in the cumulative database.

Recast Risk Rules

Similar to “Accept Risk Rules”, “Recast Risk Rules” are rules by which a non-admin user has recast vulnerabilities to a different risk level. The admin user can display and delete these rules if desired. As with “Accept Risk Rules”, rules can be filtered for a plugin ID, a repository, or organization combination. A screen capture of example “Recast Risk Rules” is shown below:

To view the details of the highlighted “Recast Risk Rule”, click “Detail”. To remove the rule, click “Delete”. A confirmation dialog is displayed that asks whether you really wish to delete the recast risk rule.

After clicking “Delete”, click the “Apply Rules” button in the top left for the changes to take effect. Once completed, any vulnerabilities that had been modified by the recast risk rule are returned to their original state.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.