Configuring the Security audit task settings using a custom database from file

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The task can be run only if you have an active Kaspersky Industrial CyberSecurity for Nodes license key with an ICS Audit licensed object.

To configure the Security audit task settings:

1. In the main Kaspersky Security Center Web Console window select Devices → Tasks.
2. Open the task settings window by clicking the task name.
3. Select the Application settings tab.
4. In the Source section, select User database from file, click Import OVAL collection from file, and select the appropriate file from the list.

   You can download one ZIP file containing an XML file with OVAL rules. The XML file does not require a signature. The total size of the file with OVAL rules and the file with external variables must not exceed 2 MB.

   Click OK to confirm your selection.

   After you select the rule source, the Source tab displays data on OVAL rules uploaded by Kaspersky Security Center administrator to the server.

5. To download a file with external variables, select the Use data with external variables for custom databases check box and click Import external variables from file.

   External variables are stored in a separate XML file with the following structure:

   <oval_variables>

   <variable id="oval:a:b:c:123" datatype="int" comment="Check user login">

   <value>1</value >

   </variable>

   </oval_variables>

   External variables are used in OVAL rules as substitution for the <external_variable> parameter:

   <external_variable id="oval:a:b:c:123" version="1" datatype="int" comment="Check user login" />

   The file with external variables in the XML format must be packed in a ZIP archive. No signature is required for the file with external variables. The total size of the file with OVAL rules and the file with external variables must not exceed 2 MB.

   

   External variables are stored in a separate XML file with the following structure:

   <oval_variables>

   <variable id="oval:a:b:c:123" datatype="int" comment="Check user login">

   <value>1</value >

   </variable>

   </oval_variables>

   External variables are used in OVAL rules as substitution for the <external_variable> parameter:

   <external_variable id="oval:a:b:c:123" version="1" datatype="int" comment="Check user login" />

   The file with external variables in the XML format must be packed in a ZIP archive. No signature is required for the file with external variables.

   You can download only one archive no larger than 6 MB for Kaspersky Security Center Web Console earlier than 13.2.571. For Kaspersky Security Center Web Console 13.2.571 and later there is no limit. The substitution of variable values is not verified on Kaspersky Endpoint Agent side.

   External variables are stored in a separate XML file with the following structure:

   <oval_variables>

   <variable id="oval:a:b:c:123" datatype="int" comment="Check user login">

   <value>1</value >

   </variable>

   </oval_variables>

   External variables are used in OVAL rules as substitution for the <external_variable> parameter:

   <external_variable id="oval:a:b:c:123" version="1" datatype="int" comment="Check user login" />

   The file with external variables in the XML format must be packed in a ZIP archive. No signature is required for the file with external variables. The total size of the file with OVAL rules and the file with external variables must not exceed 2 MB.

6. In the Scope section, select the action for the Run a scan task in the selected mode option:
   • Scan all definitions
   • Scan definitions, except for the ones in the following list

     To create a list of definitions to be scanned, use the Add or Add according to conditions option, depending on the desired level of the settings details. The Specify scan scope settings window that opens displays the OVAL rules available from the specified source. These rules can be used to create a list.

   • Scan only definitions included in the list below

     To create a list of definitions to be scanned, use the Add or Add according to conditions option, depending on the desired level of the settings details. The Specify scan scope settings window that opens displays the OVAL rules available from the specified source. These rules can be used to create a list.

     Click Save to save and apply the selected settings.

7. In the Advanced settings section, select the settings based on your requirements:
   • Select the Apply directives check box and specify the Directive settings.

     Use the switches to select the directives required for the report. The list of directives is loaded from the selected source of OVAL rules.

     Available values:

     • Compliance – scan of this category shows if the system configuration settings comply with the security policy.
     • Inventory – scan of this category shows if the software or hardware specified in the OVAL rules is installed in the system.
     • Miscellaneous – custom scan.
     • Patch – scan of this category shows if the patch specified in the OVAL rules is installed in the system.
     • Vulnerability – scan of this category shows if the vulnerabilities specified in the OVAL rules exist in the system.

     Check boxes required for the report correspond to the directives of a certain type. This list is static and does not depend on the source of OVAL rules:

     • True – positive definitions scan result.
     • False – negative definitions scan result.
     • Unknown – unclear definitions scan result. The scan finishes successfully, no obvious errors were detected, but it is not possible to make a decision.
     • Error – definitions scan failed.
     • Not evaluated – no decision regarding the definition is made, but not because of an error. For example, it was not possible to calculate the size of the second partition on the hard drive, because the second partition is missing.
     • Not applicable – the specified category cannot be applied to the selected scan scope because the requirements are not met. For example, the definition must be applied to a 64-bit operating system, but the test is performed on a 32-bit operating system.

     By default, the check boxes next to the True and False scan result are selected for all directives. You can customize filtering as you want.

   • Select the Enable logging check box and select the desired Logging level from the list.

     By default, the log is stored in the C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\logs folder.

     The following logging levels are available:

     • Critical – only Critical events.
     • Warning – only Critical and Warning events.
     • Information – all Critical, Warning and Information events.
     • Debug – all Critical, Warning, Information and Debug events.

   Click Save to save and apply the selected settings.

   You can start the created task manually or configure a scheduled task start.