Configuring the Security Audit task settings using the SCADA vulnerabilities database created by KL ICS Cert

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The task can be run only if you have an active Kaspersky Industrial CyberSecurity for Nodes license key with an ICS Audit licensed object.

To use the SCADA vulnerabilities database created by KL ICS Cert, update the application databases and modules.

To configure the Security audit task settings:

1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
2. Open the task settings window by clicking the task name.
3. Select the Application settings tab.
4. In the Source section, select SCADA vulnerabilities database created by KL ICS Cert. Click OK to confirm your selection.

   After you select the rule source, the Source tab displays data on OVAL rules uploaded by Kaspersky Security Center administrator to the server.

5. In the Scope section, select one of the following actions for the Run a scan task in the selected mode option:
   • Scan all definitions
   • Scan definitions, except for the ones in the following list

     To create a list of definitions to be scanned, use the Add or Add according to conditions option, depending on the desired level of the settings details. The Specify scan scope settings window that opens displays the OVAL rules available from the specified source. These rules can be used to create a list.

   • Scan only definitions included in the list below

     To create a list of definitions to be scanned, use the Add or Add according to conditions option, depending on the desired level of the settings details. The Specify scan scope settings window that opens displays the OVAL rules available from the specified source. These rules can be used to create a list.

   Click Save to save and apply the selected settings.

6. In the Advanced section, select the settings based on your requirements:
   • Select the Apply directives check box and specify the Directive settings.

     Use the switches to select the directives required for the report. The list of directives is loaded from the selected source of OVAL rules.

     Available values:

     • Compliance – scan of this category shows if the system configuration settings comply with the security policy.
     • Inventory – scan of this category shows if the software or hardware specified in the OVAL rules is installed in the system.
     • Miscellaneous – custom scan.
     • Patch – scan of this category shows if the patch specified in the OVAL rules is installed in the system.
     • Vulnerability – scan of this category shows if the vulnerabilities specified in the OVAL rules exist in the system.

     Check boxes required for the report correspond to the directives of a certain type. This list is static and does not depend on the source of OVAL rules:

     • True – positive definitions scan result.
     • False – negative definitions scan result.
     • Unknown – unclear definitions scan result. The scan finishes successfully, no obvious errors were detected, but it is not possible to make a decision.
     • Error – definitions scan failed.
     • Not evaluated – no decision regarding the definition is made, but not because of an error. For example, it was not possible to calculate the size of the second partition on the hard drive, because the second partition is missing.
     • Not applicable – the specified category cannot be applied to the selected scan scope because the requirements are not met. For example, the definition must be applied to a 64-bit operating system, but the test is performed on a 32-bit operating system.

     By default, the check boxes next to the True and False scan result are selected for all directives. You can customize filtering as you want.

   • Select the Enable logging check box and select the desired Logging level from the list.

     By default, the log is stored in the C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\logs folder.

     The following logging levels are available:

     • Critical – only Critical events.
     • Warning – only Critical and Warning events.
     • Information – all Critical, Warning and Information events.
     • Debug – all Critical, Warning, Information and Debug events.

   Click Save to save and apply the selected settings.

   You can start the created task manually or configure a scheduled task start.