Configuring and launching the Security Audit task

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The task can be run only if you have an active Kaspersky Industrial CyberSecurity for Node license key with an ICS Audit licensed object.

For the following rule sources, you can configure and launch a Security Audit task using the command line interface:

To configure and launch a Security Audit task using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example: cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent"

  3. Press Enter.
  4. Enter the command:

    agent.exe --scan-oval [--source={kl|kl-compl|file}] [--repository=show] [--path={<full path and name of the archive with OVAL rules>|<full path to the folder containing files with OVAL and XCCDF rules>}] [--external-vars=<full path and name of the ZIP archive with external variables>] [--mode={all|exclude|include}] [--definitions=<vulnerability_type_01;vulnerability_type_02;vulnerability_type_N>] [--log={none|critical|warning|information|debug}] --result-path=<path to the file with the report>

  5. Press Enter.

    Command parameters for configuring and launching a Security Audit task

    Parameter

    Description

    --scan-oval

    Required parameter.

    Starts a Security Audit task on the device.

    --source

    Determines the source of rules required by the Security Audit.

    Available values:

    • kl – Kaspersky ICS CERT vulnerability database included in the distribution kit. Available from the command line after successfully updating the Kaspersky Endpoint Agent databases and modules.
    • kl-compl – Security configurations and standards compliance for operating systems, which are included in the distribution kit. Available from the command line after successfully updating the Kaspersky Endpoint Agent databases and modules.
    • file – Custom rule database from file.

      If the parameter is omitted, the Kaspersky ICS CERT vulnerability database (--source=kl), the default source, is used.

    --repository

    This parameter is available if the selected rule source is security configurations and standards compliance for operating systems (--source=kl-compl).

    If the parameter is specified, then instead of executing the Security Audit task, Kaspersky Endpoint Agent saves an XML file that lists the names of the existing security configurations to the folder specified by the --result-path parameter.

    --path

    This parameter passes the path to the files with rules for the Custom rule database from file source (--source=file).

    Possible parameter values:

    • <full path and name of the archive with OVAL rules> – indicates the full path and name of the archive with the XML file with OVAL rules.
    • <full path to the folder containing files with OVAL and XCCDF rules> – indicates the full path to the folder with XML files with OVAL and/or XCCDF rules.

    OVAL and XCCDF rules must be saved in UTF-8 without BOM.

    --external-vars

    This parameter specifies the full path and name of the ZIP archive with the XML file with external variables for OVAL rules.

    The parameter is available if the source contains only OVAL rules.

    --mode

    This parameter defines the vulnerability scan mode.

    The parameter is available if the source contains only OVAL rules.

    Possible parameter values:

    • all – scans all vulnerabilities listed in the source.
    • exclude – scans the vulnerabilities listed in the source, except for those specified by the --definitions parameter.
    • include — scans the vulnerabilities specified by the --definitions parameter.

      If the parameter value is not specified, the all mode will be used by default.

    --definitions

    Semicolon-separated list of vulnerability types that must be scanned or must be excluded from being scanned.

    The parameter is available if the source contains only OVAL rules.

    For example: oval:org.mitre.oval.test:def:998;oval:org.mitre.oval.test:def:999.

    Used together with the --mode=include or --mode=exclude parameter.

    --log

    This parameter determines the logging mode for recording task events.

    Available values:

    • none – logging is disabled
    • Critical – only Critical events.
    • Warning – only Critical and Warning events.
    • Information – all Critical, Warning and Information events.
    • Debug – all Critical, Warning, Information and Debug events.

      If the parameter value is not specified, the critical mode will be used by default.

      The log file in LOG format is saved to the folder specified by the --result-path parameter.

    --result-path

    Required parameter.

    Specifies the path to the folder where the scan report in XML format is stored. The file name contains the node name, as well as the date and time when the task was run.

    A log file in LOG format with task events is saved in the same folder.

    If the parameter is not specified, the task's execution will fail.

Return codes of the --scan-oval command:

If the command completes successfully (code 0), a report in XML format is saved in the folder specified by the --result-path parameter. If the --log parameter was specified, a log file in LOG format with task events is saved there as well.

See also

Security audit

Running Kaspersky Endpoint Agent database and module update

Page top