Managing the Security audit tasks
September 13, 2022
ID 231169
This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
The task can be run only if you have an active Kaspersky Industrial CyberSecurity for Nodes license key with an ICS Audit licensed object.
Standard Security audit tasks are local or group tasks that are created and configured using the command line interface. These tasks are used to search for definitions and assess compliance of the enterprise systems with security standards and regulations. You can search for the following categories of definitions:
- Compliance – scan of this category shows if the system configuration settings comply with the security policy.
- Inventory – scan of this category shows if the software or hardware specified in the OVAL rules is installed in the system.
- Miscellaneous – custom scan.
- Patch – scan of this category shows if the patch specified in the OVAL rules is installed in the system.
- Vulnerability – scan of this category shows if the definitions specified in the OVAL rules exist in the system.
The following sources of OVAL rules are available for performing security audit using the command line:
- SCADA vulnerabilities database created by KL ICS Cert included in the application distribution kit.
- Custom database that contains OVAL rules in the XML file stored locally.
To create and configure a Standard Security audit task using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the
cdcommand, navigate to the folder where the Agent.exe file is located.For example, you can type the following command
cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\"and press Enter. - Run the following command and press Enter:
agent.exe --scan-oval --source={kl|file} [--path={<full path to the file with OVAL rules>|<full path to a folder containing several files with OVAL rules>}] [--external-vars=<name of the file with external variables>] [--mode={all|exclude|include}] [--definitions=<definition type_01;definition type_02;definition type_N>] [--log={none|critical|warning|information|debug}] --result-path=<path to the folder with the report>Command parameters for running and configuring Standard Security audit tasks
Parameters
Description
--scan-ovalRequired parameter.
Starts the Standard Security audit task on the device.
--source={kl|file}Required parameter.
Establishes connection to the source of OVAL rules that are required for the task execution.
Available values:
kl– SCADA vulnerabilities database created by KL ICS Cert included in the distribution kit and located on Kaspersky Security Center server. Accessible from the command line after a successful update of Kaspersky Security Center repository.file– user database with OVAL rules from an XML file stored locally.If the parameter value is not specified, the task execution fails.
--path={<full path to the file with OVAL rules>|<full path to a folder containing several files with OVAL rules>}The parameter specifies the path to the file with OVAL rules for scanning in the
--source=filemode.Available values:
<full path to the file with OVAL rules><full path to a folder containing several files with OVAL rules>– only the first file from the folder is used for theSecurity audit task.The total size of the file with OVAL rules and the file with external variables must not exceed 2 MB. If this limit is exceeded, the task execution fails.
--external-vars=<name of the file with external variables>Optional parameter.
The parameter specifies the full path to the XML file with external variables for OVAL rules.
Kaspersky Endpoint Agent does not check if the variables are linked to a file with OVAL rules.
The total size of the file with OVAL rules and the file with external variables must not exceed 2 MB. If this limit is exceeded, the task execution fails.
--mode={all|exclude|include}Optional parameter.
The parameter defines the definitions scan mode. If the parameter is not specified, all the definitions listed in the source are scanned by default.
Available values:
all– scans all the definitions listed in the source.exclude– scans the definitions listed in the source, except for those specified in the--definitionsparameter.include– scans only the definitions specified in the--definitionsparameter.
--definitions=<definition type_01;definition type_02;definition type_N>Optional parameter.
Semicolon-separated list of definitions types that must be scanned or must be excluded from scan. For example, you can specify the following value: <
oval:org.mitre.oval.test:def:990;oval:org.mitre.oval.test:def:999>
. Used together with the--mode=includeor--mode=excludeparameter.--log={none|critical|warning|information|debug}Optional parameter.
The parameter defines the logging mode. If the parameter value is not specified, the
criticalmode is used by default. The log file in LOG format is saved to the folder specified by the--result-pathparameter.Available values:
none– logging is disabledcritical– critical levelwarning– warning levelinformation– notification leveldebug– debug level
--result-path=<path to the folder with the report>Required parameter.
Specifies the path to the folder where the scan report in the XML format is stored. The file name contains the node name, as well as the date and time when the task was run.
If the parameter is not specified, the task execution fails.
Return codes of the --scan-oval command:
0– command successfully executed.1– general error.
If the command execution completes successfully (code 0), a report in the XML format will be available in the folder specified by the --result-path parameter, and if a logging parameter was specified, a log in LOG format will be available as well.
