Configuring Security Audit task settings using a custom rule database from the Kaspersky Security Center repository

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The task can be run only if you have an active Kaspersky Industrial CyberSecurity for Node license key with an ICS Audit licensed object.

Before configuring Security Audit task settings using custom databases using the Kaspersky Security Center repository:

Create a thumbprint for the certificate for signing the custom database from the command line interface.
You can use an existing thumbprint for the certificate for signing the custom database.
Create a Kaspersky Security Center installation package named package.zip using the command line interface.
Create and run the task for installing the installation package and select the option to install only the Administration Server in order to add the package.zip archive with OVAL or XCCDF rules created in the previous step to the Kaspersky Security Center repository.
In Kaspersky Endpoint Agent, you can only update an installed and deployed package with a custom rule database. The rule package cannot be deleted.

To configure Security Audit task settings using a custom rule database from the Kaspersky Security Center repository:

In the main Kaspersky Security Center Web Console window select Devices → Tasks.
Open the task settings window by clicking the task name.
Select the Application settings tab.
In the Source of rules section, select Custom rule base from Kaspersky Security Center repository.
Click the Select file from custom collection button.
In the window that opens, specify the archive with the rule database.
You can load only one archive containing an XML file with OVAL rules and / or XCCDF rules.

The total archive size must not exceed 2 MB.
Click OK.
The Source of rules section displays information about the loaded rules. Follow the Details links in the Platforms and Products fields to open windows with lists of the operating systems and products mentioned in the rules of the selected source.
If necessary, specify the thumbprint of the certificate for signing the custom rule database:
1. Select the Use thumbprint checkbox.
  If the Use thumbprint check box is selected and a thumbprint received using the Kaspersky Endpoint Agent command line interface is specified, Kaspersky Security Center will check the thumbprint when executing the task. If the thumbprint does not match the one specified in the task settings, the task execution will terminate with an error.
  
  If the Use thumbprint check box is cleared, Kaspersky Security Center will not check the thumbprint.
2. In the Thumbprint field, enter the thumbprint obtained using the command line interface.
If necessary, load the file with external variables:
External variables are stored in a separate XML file with the following structure:

<oval_variables>

<variable id="oval:a:b:c:123" datatype="int" comment="Check user login">

<value>1</value >

</variable>

</oval_variables>

External variables are used in OVAL rules as substitution for the <external_variable> parameter:

<external_variable id="oval:a:b:c:123" version="1" datatype="int" comment="Check user login" />

The file with external variables in the XML format must be packed in a ZIP archive. No signature is required for the file with external variables.

You can download only one archive no larger than 6 MB for Kaspersky Security Center Web Console earlier than 13.2.571. For Kaspersky Security Center Web Console 13.2.571 and later there is no limit. The substitution of variable values is not verified on Kaspersky Endpoint Agent side.

You cannot use external variables if the selected rule source contains XCCDF rules.
1. Select the Use external variables data with custom database check box.
2. Click the Import external variables from file.
3. In the window that opens, specify the path to the file with the external variables.
4. Click OK.
In the Scope section, if necessary, change the vulnerability scan mode:

The Scope section is unavailable if the selected rule source contains XCCDF rules.
1. Select one of the modes:
  - Scan all vulnerabilities.
    Kaspersky Endpoint Agent scans the devices to which the task is assigned in order to detect all vulnerabilities described in the rules of the Kaspersky ICS CERT vulnerabilities database for SCADA.
  - Scan all vulnerabilities except added to the list.
    Kaspersky Endpoint Agent scans the devices to which the task is assigned in order to detect all vulnerabilities described in the rules of the Kaspersky ICS CERT vulnerabilities database for SCADA except for those added to the list below.
  - Scan vulnerabilities added to the list.
    Kaspersky Endpoint Agent scans the devices to which the task is assigned in order to detect vulnerabilities added to the list below.
2. If you selected Scan all vulnerabilities except added to the list or Scan vulnerabilities added to the list, create a list of vulnerabilities using the Add or Add by conditions.
In the Advanced section, if necessary, determine the statuses of directive-based scans that will be included in the security audit task report:
Directives cannot be applied if the selected rule source contains XCCDF rules.
1. Select the Use Directives check box.
  The directive list is loaded from the selected source of security audit rules.
  
  Possible directives:
  - Compliance – a scan of this category shows if the system configuration settings comply with the security policy.
  - Inventory – a scan of this category shows if the software or hardware specified in the rules is installed in the system.
  - Miscellaneous – custom scan.
  - Patch – a scan of this category shows if the patch specified in the rules is installed in the system.
  - Vulnerability – a scan of this category shows if the vulnerabilities specified in the rules exist in the system.
  The scan result for a directive can have one of the following statuses:
  - True – Positive scan result.
  - False – Negative scan result.
  - Unknown – unclear vulnerability scan result. The scan finishes successfully, no obvious errors were detected, but it is not possible to make a decision.
  - Error – The scan completed with an error.
  - Not evaluated – no decision regarding the vulnerability is made, but not because of an error. For example, it was not possible to calculate the size of the second partition on the hard drive, because the second partition is missing.
  - Not applicable – The scan conditions cannot be applied to the selected scan scope. For example, vulnerability must be applied to a 64-bit operating system, but the test is performed on a 32-bit operating system.
2. Using the switch next to each directive, determine the statuses of directive-based scans that will be displayed in the security audit task report.
  If the switch next to a directive status is on, results of scans based on the directive's rules that have this status will be displayed in the security audit task report.
  
  By default, the check boxes next to the True and False scan result are selected for all directives.
In the Advanced section, if necessary, configure settings for logging task completion events:
1. Select the Enable logging check box.
2. Select the desired Logging level from the list.
  By default, the log is stored in the C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\logs folder.
  
  The following logging levels are available:
  - Critical level – only Critical events
  - Warning level – only Critical and Warning events
  - Information level – all Critical, Warning and Information events
  - Debug level – all Critical, Warning, Information and Debug events
Click OK to save the changes.

You can start the created task manually or configure a scheduled task start.

Page top