Configure Your Scan Option Profile (for PC Scans)

You choose an option profile with compliance scan settings every time you start a compliance scan. The profile defines the settings you want to use.

How do I make the profile available to others?

Make it global. Global profiles created by Managers are made available to all users in the subscription. Global profiles created by Unit Managers are made available to all users in their business unit. If a user has permission to create option profiles, then the user also has permission to save personal copies of global profiles published by their Managers in order to use them as a baseline for new option profiles.

How do I change the owner?

The user who creates a profile is set as the initial owner. Managers and Unit Managers can edit a profile in order to change the owner. The possible assignees listed in the Owner menu depend on the global status of the profile, the role of the manager making the change, and the current owner's role and business unit. Only users with the manage compliance permission can own the profile.

Global Option Profile

Non-Global Option Profile

Conflicts with Scheduled Tasks

Select ports to scan

We perform a targeted scan by default, which means we scan a smaller set of ports than the standard ports list. This is the recommended setting, and it is the initial setting for a new compliance profile.

Which ports are included in a targeted scan?

Which ports are included in a standard scan?

Does this setting apply to all technologies?

Select ports for host discovery

Select controls to scan (scan by policy)

When you run a compliance scan we scan for all controls in the controls list (except the special control types listed in the Control Types section - you must explicitly select these). The Scan by Policy option allows you to restrict your scans to the controls in selected policies. You can choose up to 20 policies, one policy at a time. Once you've selected a policy, all controls in that policy will be scanned, including any special control types in the policy, regardless of the Control Types settings in the profile.
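The selection rule above has two branches that interact (default scan honours the Control Types checkboxes; Scan by Policy ignores them and takes every control in the chosen policies, up to the 20-policy limit). The following Python is an added illustration of that rule, not Qualys code; the control IDs, control types and policy names are constructed sample data, not real Qualys control IDs.

```python
# Added illustration of the compliance-scan control-selection rule.
# All control IDs, control types and policy names below are constructed samples.

MAX_POLICIES = 20  # Scan by Policy limit stated in the documentation

# Constructed control catalogue: control id -> control type.
# "standard" controls are always in scope for a default scan; the other types are
# special control types that must be ticked under Control Types.
SAMPLE_CONTROLS = {
    "C-1001": "standard",
    "C-1002": "standard",
    "C-1003": "standard",
    "C-2001": "file_integrity_monitoring",
    "C-2002": "custom_wmi_query",
}

# Constructed policies: policy name -> set of control ids the policy contains.
SAMPLE_POLICIES = {
    "Windows Baseline": {"C-1001", "C-2001"},
    "Internal Hardening": {"C-1002", "C-2002"},
}


def controls_to_scan(all_controls, enabled_special_types, selected_policies, policies):
    """Return the set of control ids a compliance scan will evaluate.

    all_controls          : mapping control id -> control type
    enabled_special_types : special control types ticked under Control Types
    selected_policies     : policy names chosen with Scan by Policy (may be empty)
    policies              : mapping policy name -> set of control ids
    """
    if len(selected_policies) > MAX_POLICIES:
        raise ValueError(f"Scan by Policy allows at most {MAX_POLICIES} policies")

    if selected_policies:
        # Scan by Policy: every control in the chosen policies is scanned, special
        # control types included, regardless of the Control Types settings.
        scope = set()
        for name in selected_policies:
            scope |= policies[name]
        return scope

    # Default scan: all standard controls plus only the special types explicitly enabled.
    return {cid for cid, ctype in all_controls.items()
            if ctype == "standard" or ctype in enabled_special_types}


if __name__ == "__main__":
    print("default scan:", sorted(controls_to_scan(SAMPLE_CONTROLS, set(), [], SAMPLE_POLICIES)))
    print("by policy:   ", sorted(controls_to_scan(SAMPLE_CONTROLS, set(), ["Windows Baseline"], SAMPLE_POLICIES)))
```

The practical consequence is the one the documentation states: a special control type that is unticked under Control Types is still evaluated when it sits inside a selected policy, so ticking Scan by Policy is the easier way to make sure such controls are not silently skipped.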

What if I add more controls to my policy?

System Authentication Records

Note: The System Authentication section is not visible in the compliance profile for subscriptions with SCA only. Your subscription must have PC and PC Agent enabled to use this feature.

Allow the system to create authentication records automatically using the scan data discovered for running instances. Then choose whether to include system created authentication records in scans. Learn about instance discovery and system authentication records

File Integrity Monitoring

If you've created File Integrity Check controls with the option "Use scan data as expected value" enabled then you'll want to choose "Auto Update expected value" in the profile. This allows us to automatically update the control value after a valid file change. Be sure to also select "File Integrity Monitoring controls enabled" under Control Types in the profile. Learn more
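To make the two settings concrete, here is an added Python model of a File Integrity Check control with "Use scan data as expected value" and "Auto Update expected value" behaviour. It is example code written for this page, not Qualys code: the class name, the status strings and the idea of passing a set of approved paths to represent a "valid file change" are all assumptions, and the two config files it tracks are constructed in a temporary directory so the demo runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class FileIntegrityCheck:
    """Toy model (not Qualys code) of one user-defined File Integrity Check control.

    use_scan_data_as_expected: the first scan of a file records its digest as the
                               expected value instead of requiring one up front.
    auto_update_expected     : a changed file that is approved is re-baselined
                               instead of being reported as a failure.
    """

    def __init__(self, paths, use_scan_data_as_expected=True, auto_update_expected=False):
        self.paths = [Path(p) for p in paths]
        self.use_scan_data_as_expected = use_scan_data_as_expected
        self.auto_update_expected = auto_update_expected
        self.expected = {}  # path -> expected digest

    def evaluate(self, approved_changes=frozenset()):
        """Scan every tracked file and return {file name: status}."""
        results = {}
        for path in self.paths:
            actual = file_digest(path) if path.is_file() else None
            if path not in self.expected:
                if self.use_scan_data_as_expected and actual is not None:
                    self.expected[path] = actual       # scan data becomes the expected value
                    results[path.name] = "BASELINED"
                else:
                    results[path.name] = "NO_EXPECTED_VALUE"
            elif actual == self.expected[path]:
                results[path.name] = "PASS"
            elif self.auto_update_expected and path in approved_changes:
                self.expected[path] = actual           # valid change: new digest is now expected
                results[path.name] = "UPDATED"
            else:
                results[path.name] = "FAIL"            # unexpected change, or file removed
        return results


def run_demo():
    """Three scans over two constructed config files; returns the three result sets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sshd = root / "sshd_config"
        sudoers = root / "sudoers"
        sshd.write_text("PermitRootLogin no\n")
        sudoers.write_text("root ALL=(ALL) ALL\n")

        check = FileIntegrityCheck([sshd, sudoers], auto_update_expected=True)
        first = check.evaluate()                                   # both files baselined

        sshd.write_text("PermitRootLogin no\nMaxAuthTries 3\n")        # change made via change control
        sudoers.write_text("root ALL=(ALL) ALL\ndeploy ALL=(ALL) ALL\n")  # change nobody approved
        second = check.evaluate(approved_changes={sshd})            # sshd re-baselined, sudoers fails

        third = check.evaluate()                                   # sshd passes, sudoers still fails
        return first, second, third


if __name__ == "__main__":
    for label, result in zip(("first", "second", "third"), run_demo()):
        print(label, result)
```

The point worth noticing is the third scan: once an approved change has been absorbed into the expected value, the file passes on every later scan, while the unapproved change keeps failing until someone either reverts the file or approves the new content. Without "Auto Update expected value" every legitimate change would keep failing until the control's expected value was edited by hand.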

Scan special control types

These special control types require additional steps to set up. For example, to perform file integrity monitoring you must add user defined controls that specify the files you want to track.

Select each control type you want to include in the scan:

File Integrity Monitoring

Custom WMI Query Checks

If I'm using Scan by Policy are these checks included?

Tell me about the dissolvable agent

The Dissolvable Agent (Agent) is required for certain scan features (like Password Auditing, Windows Share Enumeration and Windows Directory Search). It must be accepted for the subscription - a Manager can do it by going to Scans > Setup > Dissolvable Agent. Once a Manager has accepted it, any user with scan permissions can enable the dissolvable agent for their scans - you just configure the option profile and select "Enable the Dissolvable Agent". How does it work? At scan time, the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from target systems.

Password Auditing

Use Password Auditing to check for service provided password auditing controls (control IDs 3893, 3894 and 3895). These controls are used to identify 1) user accounts with empty passwords, 2) user accounts with the password equal to the user name, and 3) user accounts with passwords equal to an entry in a user-defined password dictionary. Learn more
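The three checks above are simple enough to show as code. The Python below is an added example written for this page, not Qualys code and not how the service implements controls 3893-3895 (the page does not say which ID covers which check, so none is mapped here). It assumes a toy account store holding a salted SHA-256 of each password; the accounts, salts and the password dictionary are constructed sample data.

```python
import hashlib
import hmac


def _digest(salt: bytes, password: str) -> str:
    """Toy password digest for the constructed account store (not an OS hash format)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_account(username: str, password: str, salt: bytes) -> dict:
    """Constructed account record: user name, salt and salted SHA-256 of the password."""
    return {"user": username, "salt": salt, "hash": _digest(salt, password)}


# Constructed sample accounts; fixed salts keep the demo deterministic.
SAMPLE_ACCOUNTS = [
    make_account("svc_backup", "", b"s1"),             # 1) empty password
    make_account("jsmith", "jsmith", b"s2"),           # 2) password equals user name
    make_account("dbadmin", "Welcome123", b"s3"),      # 3) password is in the dictionary
    make_account("auditor", "Tq9!vL2#pXr-48", b"s4"),  # none of the three findings
]

# Constructed user-defined password dictionary.
PASSWORD_DICTIONARY = ["password", "Welcome123", "Summer2024"]


def _password_is(account: dict, candidate: str) -> bool:
    """Compare the stored digest with a candidate's digest in constant time."""
    return hmac.compare_digest(account["hash"], _digest(account["salt"], candidate))


def audit_accounts(accounts, dictionary):
    """Return (username, finding) pairs for the three weak-password conditions.

    The user-name comparison is case-sensitive here; that is an assumption of
    this example, not a statement about the service's control.
    """
    findings = []
    for acct in accounts:
        if _password_is(acct, ""):
            findings.append((acct["user"], "empty_password"))
        if _password_is(acct, acct["user"]):
            findings.append((acct["user"], "password_equals_username"))
        if any(_password_is(acct, word) for word in dictionary):
            findings.append((acct["user"], "password_in_dictionary"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS, PASSWORD_DICTIONARY):
        print(f"{user}: {finding}")
```

Each account is tested against all three conditions independently, so one account can produce more than one finding; keeping the dictionary short and organisation-specific (default vendor passwords, the company name, seasonal patterns) is what makes the third check useful rather than noisy.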

Windows Share Enumeration

Use Windows Share Enumeration to find Windows shares that are readable by everyone, and report details about them like the number of files for each share on each host (Control ID 4528) and whether the files are writable. This is good for identifying groups of files that may need tighter access control. Please make sure a Windows authentication record is defined for the hosts you want to scan. Learn more

Windows Directory Search

Select this option if you've set up Windows Directory Search controls and want to include them in the scan. This custom control allows you to search for files/directories based on various criteria like file name and user access permissions. Learn more

Tell me about performance settings

A performance level of Normal is selected initially. This is recommended for most cases. Click Configure to change the individual settings or to select a different performance level. To customize the settings, choose the Custom level. Want to know more about the individual settings? Learn more  

Ignore certain packets

If you want to ignore certain packets enable packet options in the Additional section:

Ignore RST packets

Ignore firewall-generated SYN-ACK packets

Do not send ACK or SYN-ACK packets during host discovery

Worried about triggering your IDS?

If our scan triggers your IDS, then it will likely be firewalled and we won't be able to continue our search for vulnerabilities on your network. Therefore, we need to know which IPs you have protected and which ports are blocked. Go to the Blocked Resources section and select the ports that are blocked and IP addresses that are protected by your firewall/IDS.

Other options to consider

Tell me about settings for Database Controls

You can set a limit on the number of rows to be returned per scan for the user defined database controls. The default value for MS SQL Database checks is 256 rows and for Oracle Database checks is 5000 rows.

Tell me about Optimized Agent Data Processing for Policies Setup

(This option is available only for PC Agents.) To enhance data processing you can choose to store only information collected by the cloud agent scan that is required to process the account’s applicable policies. From the PC application, navigate to Users > Setup > Optimized CA Data Processing and enable the Optimize Agent Data Processing for Policies option. Once enabled, we'll only consider the information collected for controls that are relevant to the policies in your subscription. If new controls are added to a policy, then you won't have data available immediately. You’ll need to wait until the next agent scan to collect and process data for those controls. Only Managers can enable or disable this option.

Tell me about Instance Data Collection using OS-based Authentication Records 

On the Instance Data Collection tab, you can select the database technologies as well as other OS-based applications and technologies for which you want to enable data collection without creating an authentication record for respective technologies. Data collection for the selected technologies happens on host assets by using the underlying OS authentication records.

In case of database technologies, only OS-dependent database controls are used in data collection and evaluation. To see the list of available OS-dependent database controls, go to Policies > Controls > Search and then, in the Search dialog box, select the Instance Data Collection box for DB OS CIDs. The search returns OS-dependent database controls that are system-defined and supported by Scanner.

Databases

To select the database technologies, first select the Databases box. Currently, we support the following databases in this feature. 

- IBM DB2
- InformixDB
- MongoDB
- Microsoft SQL Server (MS SQL)
- MySQL
- Neo4j
- Oracle
- Pivotal Greenplum
- PostgreSQL
- Sybase / SAP ASE

For data collection on IBM DB2 instances, you can use your UNIX (with sudo as root delegation) or Windows authentication record, depending on the host operating system.

For data collection on IBM Informix, MongoDB, MySQL, Neo4j, Oracle, Pivotal Greenplum, PostgreSQL, and Sybase / SAP ASE instances, you need a UNIX authentication record (with sudo or dzdo as root delegation).

For data collection on MS SQL instances, you need a Windows authentication record.

Note: If you are already using database authentication records for compliance scans, we recommend that you do not enable this option: if you enable it, you will see duplicate results in your compliance reports, one set obtained with database authentication records and the other with OS-based authentication records. This functionality is useful where a team responsible for compliance assessment of host operating systems does not have access to database authentication records; that team can still scan the database instances running on host assets by using OS-based authentication records.

Applications and Other Technologies

To select OS-based applications and other technologies, first select the Applications and Other Technologies box. 

Currently, we support the following applications and technologies in this feature:

- Red Hat OpenShift Container Platform
- Oracle JRE
- IBM WebSphere Liberty

For data collection on Oracle JRE instances, you need a UNIX authentication record (with sudo as root delegation) or a Windows authentication record, depending on the host operating system.

For data collection on Red Hat OpenShift Container Platform and IBM WebSphere Liberty instances, you need a UNIX authentication record (with sudo or dzdo as root delegation).

For the supported versions of databases as well as OS-based applications and other technologies, see Authentication Technologies Matrix.

Some of these technologies are auto-discovered by Cloud Agents for Policy Compliance (PC). For the most current list of middleware technologies auto-discovered by Cloud Agent, please refer to this article: Middleware Technologies Auto-discovered by Cloud Agents for PC