Managing the Security audit tasks

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The task can be run only if you have an active Kaspersky Industrial CyberSecurity for Nodes license key with an ICS Audit licensed object.

Standard Security audit tasks are local or group tasks that are created and configured using the command line interface. These tasks are used to search for definitions and assess compliance of the enterprise systems with security standards and regulations. You can search for the following categories of definitions:

The following sources of OVAL rules are available for performing security audit using the command line:

To create and configure a Standard Security audit task using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press Enter.

  3. Run the following command and press Enter:

    agent.exe --scan-oval --source={kl|file} [--path={<full path to the file with OVAL rules>|<full path to a folder containing several files with OVAL rules>}] [--external-vars=<name of the file with external variables>] [--mode={all|exclude|include}] [--definitions=<definition type_01;definition type_02;definition type_N>] [--log={none|critical|warning|information|debug}] --result-path=<path to the folder with the report>

    Command parameters for running and configuring Standard Security audit tasks

    Parameters

    Description

    --scan-oval

    Required parameter.

    Starts the Standard Security audit task on the device.

    --source={kl|file}

    Required parameter.

    Establishes connection to the source of OVAL rules that are required for the task execution.

    Available values:

    • kl – SCADA vulnerabilities database created by KL ICS Cert included in the distribution kit and located on Kaspersky Security Center server. Accessible from the command line after a successful update of Kaspersky Security Center repository.
    • file – user database with OVAL rules from an XML file stored locally.

      If the parameter value is not specified, the task execution fails.

    --path={<full path to the file with OVAL rules>|<full path to a folder containing several files with OVAL rules>}

    The parameter specifies the path to the file with OVAL rules for scanning in the --source=file mode.

    Available values:

    • <full path to the file with OVAL rules>
    • <full path to a folder containing several files with OVAL rules> – only the first file from the folder is used for the Security audit task.

      The total size of the file with OVAL rules and the file with external variables must not exceed 2 MB. If this limit is exceeded, the task execution fails.

    --external-vars=<name of the file with external variables>

    Optional parameter.

    The parameter specifies the full path to the XML file with external variables for OVAL rules.

    Kaspersky Endpoint Agent does not check if the variables are linked to a file with OVAL rules.

    The total size of the file with OVAL rules and the file with external variables must not exceed 2 MB. If this limit is exceeded, the task execution fails.

    --mode={all|exclude|include}

    Optional parameter.

    The parameter defines the definitions scan mode. If the parameter is not specified, all the definitions listed in the source are scanned by default.

    Available values:

    • all – scans all the definitions listed in the source.
    • exclude – scans the definitions listed in the source, except for those specified in the --definitions parameter.
    • include – scans only the definitions specified in the --definitions parameter.

    --definitions=<definition type_01;definition type_02;definition type_N>

    Optional parameter.

    Semicolon-separated list of definitions types that must be scanned or must be excluded from scan. For example, you can specify the following value: <oval:org.mitre.oval.test:def:990;oval:org.mitre.oval.test:def:999

    >

    . Used together with the --mode=include or --mode=exclude parameter.

    --log={none|critical|warning|information|debug}

    Optional parameter.

    The parameter defines the logging mode. If the parameter value is not specified, the critical mode is used by default. The log file in LOG format is saved to the folder specified by the --result-path parameter.

    Available values:

    • none – logging is disabled
    • critical – critical level
    • warning – warning level
    • information – notification level
    • debug – debug level

    --result-path=<path to the folder with the report>

    Required parameter.

    Specifies the path to the folder where the scan report in the XML format is stored. The file name contains the node name, as well as the date and time when the task was run.

    If the parameter is not specified, the task execution fails.

Return codes of the --scan-oval command:

If the command execution completes successfully (code 0), a report in the XML format will be available in the folder specified by the --result-path parameter, and if a logging parameter was specified, a log in LOG format will be available as well.

Page top