Configuring the Security audit task settings

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The task can be run only if you have an active Kaspersky Industrial CyberSecurity for Nodes license key with an ICS Audit licensed object.

Before you start configuring the Security audit task, perform the following actions:

1. Create a signing certificate using Kaspersky Endpoint Agent command line interface.

   You can also use a signing certificate that already exists.

2. Create Kaspersky Security Center installation package named package.zip using Kaspersky Endpoint Agent command line interface.
3. Create and run the installation package installation task and select to install only the Administration Server. It is required to add the package.zip archive with OVAL rules to Kaspersky Security Center repository. The archive was created earlier using Kaspersky Endpoint Agent command line interface.

   In Kaspersky Endpoint Agent, you can only update an installed and deployed package with a custom database of OVAL rules. It is not possible to remove the package.

4. Create the Security audit task or proceed to configure the settings of a task created earlier.

To configure the Security audit task settings:

1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
2. Open the task settings window by clicking the task name.
3. Select the Application settings tab.
4. In the Source section, select User databases from the KSC repository, click Select an OVAL file from the collection of custom databases, and select the appropriate file from the list. Click OK to confirm your selection.
5. Depending on your needs, select the Use thumbprint check box and in the field that appears, specify the thumbprint received using Kaspersky Endpoint Agent command line interface.

   If the Use thumbprint check box is selected in the settings of the Security audit task and the thumbprint received using Kaspersky Endpoint Agent command line interface is specified, Kaspersky Security Center checks the thumbprint when executing the task. If the thumbprint does not match the one specified in the task settings, the task execution terminates with an error.

   If the Use thumbprint check box is cleared, Kaspersky Security Center does not check the thumbprint.

6. To download a file with external variables, select the Use data with external variables for custom databases check box and click Import external variables from file.
   

   External variables are stored in a separate XML file with the following structure:

   <oval_variables>

   <variable id="oval:a:b:c:123" datatype="int" comment="Check user login">

   <value>1</value >

   </variable>

   </oval_variables>

   External variables are used in OVAL rules as substitution for the <external_variable> parameter:

   <external_variable id="oval:a:b:c:123" version="1" datatype="int" comment="Check user login" />

   The file with external variables in the XML format must be packed in a ZIP archive. No signature is required for the file with external variables.

   You can download only one archive no larger than 6 MB for Kaspersky Security Center Web Console earlier than 13.2.571. For Kaspersky Security Center Web Console 13.2.571 and later there is no limit. The substitution of variable values is not verified on Kaspersky Endpoint Agent side.

   After you select the rule source, the Source tab displays data on OVAL rules uploaded by Kaspersky Security Center administrator to the server.

7. In the Scope section, select the action for the Run a scan task in the selected mode option:
   • Scan all definitions
   • Scan definitions, except for the ones in the following list

     To create a list of definitions to be scanned, use the Add or Add according to conditions option, depending on the desired level of the settings details. The Specify scan scope settings window that opens displays the OVAL rules available from the specified source. These rules can be used to create a list.

   • Scan only definitions included in the list below

     To create a list of definitions to be scanned, use the Add or Add according to conditions option, depending on the desired level of the settings details. The Specify scan scope settings window that opens displays the OVAL rules available from the specified source. These rules can be used to create a list.

   Click Save to save and apply the selected settings.

8. In the Advanced section, select the settings based on your requirements:
   • Select the Apply directives check box and specify the Directive settings.

     Use the switches to select the directives required for the report. The list of directives is loaded from the selected source of OVAL rules.

     Available values:

     • Compliance – scan of this category shows if the system configuration settings comply with the security policy.
     • Inventory – scan of this category shows if the software or hardware specified in the OVAL rules is installed in the system.
     • Miscellaneous – custom scan.
     • Patch – scan of this category shows if the patch specified in the OVAL rules is installed in the system.
     • Vulnerability – scan of this category shows if the vulnerabilities specified in the OVAL rules exist in the system.

     Check boxes required for the report correspond to the directives of a certain type. This list is static and does not depend on the source of OVAL rules:

     • True – positive definitions scan result.
     • False – negative definitions scan result.
     • Unknown – unclear definitions scan result. The scan finishes successfully, no obvious errors were detected, but it is not possible to make a decision.
     • Error – definitions scan failed.
     • Not evaluated – no decision regarding the definition is made, but not because of an error. For example, it was not possible to calculate the size of the second partition on the hard drive, because the second partition is missing.
     • Not applicable – the specified category cannot be applied to the selected scan scope because the requirements are not met. For example, the definition must be applied to a 64-bit operating system, but the test is performed on a 32-bit operating system.

     By default, the check boxes next to the True and False scan result are selected for all directives. You can customize filtering as you want.

   • Select the Enable logging check box and select the desired Logging level from the list.

     By default, the log is stored in the C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\logs folder.

     The following logging levels are available:

     • Critical – only Critical events.
     • Warning – only Critical and Warning events.
     • Information – all Critical, Warning and Information events.
     • Debug – all Critical, Warning, Information and Debug events.

   Click Save to save and apply the selected settings.

   You can start the created task manually or configure a scheduled task start.