Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

CIS Benchmark Scans

 

To set up a CIS benchmark scan, you must carry out a range of configuration tasks on the Admin, Assets, Vulnerabilities, and Risks tabs in JSA.

In order to set up CIS benchmark scan, the following prerequisites are needed:

Valid JSA Vulnerability Manager and JSA Risk Manager licenses.

If you patched from an earlier version of JSA, you must do an automatic update before you do a CIS benchmark scan.

There are 8 steps involved in setting up a CIS benchmark scan:

  1. Adding assets.

  2. Configuring a credential set.

    It is easiest to add centralized credentials on the JSA Admin tab but you can also add credentials when you create a benchmark profile.

  3. Creating an asset saved search.

    You use the asset saved searches when you configure the asset compliance questions.

  4. Modifying CIS benchmark checks in JSA Vulnerability Manager.

    You can create a custom CIS benchmark checklist by using the Compliance Benchmark Editor.

  5. Configuring a CIS benchmark scan profile in JSA Vulnerability Manager.

  6. Creating an asset compliance question in JSA Risk Manager.

  7. Monitoring the asset compliance question that you created.

  8. Viewing the CIS benchmark scan results.

Adding or Editing an Asset Profile

Before you can do a CIS benchmark scan you must add the network assets you intend to scan to Juniper Secure Analytics. Asset profiles are automatically discovered and added; however, you might be required to manually add a profile.

You can enter information on each asset manually by creating an Asset Profile on the Assets tab. Alternatively, you can configure a scan profile on the Vulnerabilities tab to run a discovery scan. The discovery scan allows JSA to identify key asset characteristics such as operating system, device type, and services.

When assets are discovered using the Server Discovery option, some asset profile details are automatically populated. You can manually add information to the asset profile and you can edit certain parameters.

You can only edit the parameters that were manually entered. Parameters that were system generated are displayed in italics and are not editable. You can delete system generated parameters, if required.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Choose one of the following options:

    To add an asset, click Add Asset and type the IP address or CIDR range of the asset in the New IP Address field.

    To edit an asset, double-click the asset that you want to view and click Edit Asset .

  4. Configure the parameters in the MAC & IP Address pane. Configure one or more of the following options:

    Click the New MAC Address icon and type a MAC Address in the dialog box.

    Click the New IP Address icon and type an IP address in the dialog box.

    If Unknown NIC is listed, you can select this item, click the Edit icon, and type a new MAC address in the dialog box.

    Select a MAC or IP address from the list, click the Edit icon, and type a new MAC address in the dialog box.

    Select a MAC or IP address from the list and click the Remove icon.

  5. Configure the parameters in the Names & Description pane. Configure one or more of the following options:

    Parameter

    Description

    DNS

    Choose one of the following options:

    Type a DNS name and click Add.

    Select a DNS name from the list and click Edit.

    Select a DNS name from the list and click Remove.

    NetBIOS

    Choose one of the following options:

    Type a NetBIOS name and click Add.

    Select a NetBIOS name from the list and click Edit.

    Select a NetBIOS name from the list and click Remove.

    Given Name

    Type a name for this asset profile.

    Location

    Type a location for this asset profile.

    Description

    Type a description for the asset profile.

    Wireless AP

    Type the wireless Access Point (AP) for this asset profile.

    Wireless SSID

    Type the wireless Service Set Identifier (SSID) for this asset profile.

    Switch ID

    Type the switch ID for this asset profile.

    Switch Port ID

    Type the switch port ID for this asset profile.

  6. Configure the parameters in the Operating System pane:

    1. From the Vendor list box, select an operating system vendor.

    2. From the Product list box, select the operating system for the asset profile.

    3. From the Version list box, select the version for the selected operating system.

    4. Click the Add icon.

    5. From the Override list box, select one of the following options:

      • Until Next Scan Select this option to specify that the scanner provides operating system information and the information can be temporarily edited. If you edit the operating system parameters, the scanner restores the information at its next scan.

      • Forever Select this option to specify that you want to manually enter operating system information and disable the scanner from updating the information.

    6. Select an operating system from the list.

    7. Select an operating system and click the Toggle Override icon.

  7. Configure the parameters in the CVSS & Weight pane. Configure one or more of the following options:

    Parameter

    Description

    Collateral Damage Potential

    Configure this parameter to indicate the potential for loss of life or physical assets through damage or theft of this asset. You can also use this parameter to indicate potential for economic loss of productivity or revenue. Increased collateral damage potential increases the calculated value in the CVSS Score parameter.

    From the Collateral Damage Potential list box, select one of the following options:

    None

    Low

    Low-medium

    Medium-high

    High

    Not defined

    When you configure the Collateral Damage Potential parameter, the Weight parameter is automatically updated.

    Confidentiality Requirement

    Configure this parameter to indicate the impact on confidentiality of a successfully exploited vulnerability on this asset. Increased confidentiality impact increases the calculated value in the CVSS Score parameter.

    From the Confidentiality Requirement list box, select one of the following options:

    Low

    Medium

    High

    Not defined

    Availability Requirement

    Configure this parameter to indicate the impact to the asset's availability when a vulnerability is successfully exploited. Attacks that consume network bandwidth, processor cycles, or disk space impact the availability of an asset. Increased availability impact increases the calculated value in the CVSS Score parameter.

    From the Availability Requirement list box, select one of the following options:

    Low

    Medium

    High

    Not defined

    Integrity Requirement

    Configure this parameter to indicate the impact to the asset's integrity when a vulnerability is successfully exploited. Integrity refers to the trustworthiness and guaranteed veracity of information. Increased integrity impact increases the calculated value in the CVSS Score parameter.

    From the Integrity Requirement list box, select one of the following options:

    Low

    Medium

    High

    Not defined

    Weight

    From the Weight list box, select a weight for this asset profile. The range is 0 - 10.

    When you configure the Weight parameter, the Collateral Damage Potential parameter is automatically updated.

  8. Configure the parameters in the Owner pane. Choose one or more of the following options:

    Parameter

    Description

    Business Owner

    Type the name of the business owner of the asset. An example of a business owner is a department manager. The maximum length is 255 characters.

    Business Owner Contact

    Type the contact information for the business owner. The maximum length is 255 characters.

    Technical Owner

    Type the technical owner of the asset. An example of a business owner is the IT manager or director. The maximum length is 255 characters.

    Technical Owner Contact

    Type the contact information for the technical owner. The maximum length is 255 characters.

    Technical User

    From the list box, select the username that you want to associate with this asset profile.

    You can also use this parameter to enable automatic vulnerability remediation for Juniper Secure Analytics Vulnerability Manager. For more information about automatic remediation, see the Juniper Secure Analytics Managing Vulnerability User Guide.

  9. Click Save.

Configuring a Credential Set

In JSA Vulnerability Manager, you can create a credential set for the assets in your network. During a scan, if a scan tool requires the credentials for a Linux, UNIX, or Windows operating system, the credentials are automatically passed to the scan tool from the credential set.

  1. On the navigation menu, click Admin to open the admin tab.
  2. In the System Configuration pane, click Centralized Credentials.
  3. In the Centralized Credentials window, on the toolbar, click Add.

    To configure a credential set, the only mandatory field in the Credential Set window is the Name field.

  4. In the Credential Set window, click the Assets tab.
  5. Type a CIDR range for the assets that you want to specify credentials for and click Add.

    Users must have network access permissions that are granted in their security profile for an IP address or CIDR address range that they use or create credentials for in Centralized Credentials.

  6. Click the Linux/Unix, Windows, or Network Devices (SNMP) tabs, then type your credentials.
  7. Click Save.

Saving Asset Search Criteria

On the Asset tab, you can save configured search criteria so that you can reuse the criteria. Saved search criteria does not expire.

  1. Click the Assets tab.
  2. On the navigation menu, click Asset Profiles.
  3. Perform a search.
  4. Click Save Criteria .
  5. Enter values for the parameters:

    Parameter

    Description

    Enter the name of this search

    Type the unique name that you want to assign to this search criteria.

    Manage Groups

    Click Manage Groups to manage search groups. This option is only displayed if you have administrative permissions.

    Assign Search to Group(s)

    Select the check box for the group you want to assign this saved search. If you do not select a group, this saved search is assigned to the Other group by default.

    Include in my Quick Searches

    Select this check box to include this search in your Quick Search list box, which is on the Assets tab toolbar.

    Set as Default

    Select this check box to set this search as your default search when you access the Assets tab.

    Share with Everyone

    Select this check box to share these search requirements with all users.

Editing a Compliance Benchmark

Use the Compliance Benchmark Editor in JSA Risk Manager to add or remove tests from the default CIS benchmarks.

  1. Click the Risks tab.
  2. Click Policy Monitor.
  3. Click Compliance to open the Compliance Benchmark Editor window.
  4. On the navigation menu, click the default CIS benchmark that you want to edit.
  5. In the Compliance pane, click the Enabled check box in the row that is assigned to the test that you want to include.

    Click anywhere on a row to see a description of the benchmark test, a deployment rationale, and information on things to check before you enable the test.

    When you are building a custom CIS checklist, be aware that some benchmark tests that are not included by default can take a long time to run. For more information, please refer to the CIS documentation.

Create an asset compliance question to test assets against the benchmark you edited.

Creating a Benchmark Profile

To create Center for Internet Security compliance scans, you must configure benchmark profiles. You use CIS compliance scans to test for Windows and Red Hat Enterprise Linux CIS benchmark compliance.

  1. Click the Vulnerabilities tab.
  2. In the navigation pane, click Administrative >Scan Profiles.
  3. On the toolbar, click Add Benchmark.
  4. If you want to use pre-defined centralized credentials, select the Use Centralized Credentials check box.

    Credentials that are used to scan Linux operating systems must have root privileges. Credentials that are used to scan Windows operating systems must have administrator privileges.

  5. If you are not using dynamic scanning, select a JSA Vulnerability Manager scanner from the Scan Server list.
  6. To enable dynamic scanning, click the Dynamic server selection check box.

    If you configured domains in the Admin >Domain Management window, you can select a domain from the Domain list. Only assets within the CIDR ranges and domains that are configured for your scanners are scanned.

  7. In the When To Scan tab, set the run schedule, scan start time, and any pre-defined operational windows.
  8. In the Email tab, define what information to send about this scan and to whom to send it.
  9. If you are not using centralized credentials, add the credentials that the scan requires in the Additional Credentials tab.

    Credentials that are used to scan Linux operating systems must have root privileges. Credentials that are used to scan Windows operating systems must have administrator privileges.

  10. Click Save.

Creating an Asset Compliance Question

Create an asset compliance question in Policy Monitor to search for assets in the network that fail CIS benchmark tests.

Policy Monitor questions are evaluated in a top down manner. The order of Policy Monitor questions impacts the results.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. From the Actions menu, select New Asset Compliance Question.
  4. In the What do you want to name this question field, type a name for the question.
  5. Select the level of importance you want to associate with this question from the Importance Factor list.
  6. From the Which tests do you want to include in your question field, select the add (+) icon beside the test compliance of assets in asset saved searches with CIS benchmarks test.

    Select this test multiple times, if necessary.

  7. Configure the parameters for your tests in the Find Assets that field.

    Click each parameter to view the available options for your question. Specify multiple assets saved searches and multiple checklists in this test, if necessary.

  8. In the group area, click the relevant check boxes to assign group membership to this question.

    Asset compliance questions must be assigned to a group for inclusion in compliance dashboards or reports.

  9. Click Save Question.

Associate a benchmark profile with, and monitor the results of, the question you created.

Monitoring Asset Compliance Questions

Monitor asset compliance questions by selecting CIS scan profiles. CIS benchmark scans run against the assets.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. In the Questions pane, select the asset compliance question that you want to monitor.
  4. Click Monitor to open the Monitor Results window.
  5. Select a benchmark profile from the Which benchmark profile to associate with this question? list.

    The selected benchmark scan profile uses a JSA Vulnerability Manager scanner that is associated with a domain. The domain name is displayed in the Benchmark Profile Details area. For more information about domain management, see the Juniper Secure Analytics Administration Guide.

  6. Select the Enable the monitor results function for this question/simulation check box.
  7. Click Save Monitor.

    Monitoring begins at the scan start time that you set on the When To Scan tab when you created the benchmark scan profile.

Viewing Scan Results

The Scan Results page displays a summary list of the results generated by running a scan profile.

The Scan Results page provides the following information:

Table 1: Scan Results List Parameters

Parameter

Description

Profile

The name of the scan profile. Hover your mouse over the Profile to display information about the scan profile and the status of the scan.

Schedule

The run schedule that is applied to the scan profile. If you initiated a manual scan then Manual is displayed.

Score

The average Common Vulnerability Scoring System (CVSS) score for the scan. This score helps you prioritize vulnerabilities.

Hosts

The number of hosts found and scanned when the scan profile ran.

Click the Host column link to display vulnerability data for the scanned hosts.

Vulnerabilities

The number of different types of vulnerabilities found by a scan.

Click the Vulnerabilities column link to view all unique vulnerabilities.

Vulnerability Instances

The number of vulnerabilities found by the scan.

Open Services

The number of unique open services found by the scan. A unique open service is counted as a single open service.

Click the Open Services column link to view vulnerabilities categorized by open service.

Status

The status of the Scan Profile, options include:

Stopped - This status is displayed if the scan completed successfully or the scan was canceled.

Running - The scan is running

Paused - The scan is paused.

Not Started - The scan is not initiated.

Progress

Specifies the progress of the scan.

Hover your mouse over the progress bar, while the scan is running, to display information about the status of a scan.

Start Date/Time

The date and time when the scan profile started running.

Duration

Displays the time taken for the scan to complete.

  1. Click the Vulnerabilities tab.
  2. In the navigation pane, click Scan Results.

Related Documentation