Hi Question on how to setup an automated process when InsightVM finds a new IP through DHCP log connection - InsightVM finds new IP in DHCP log - InsightVM automatically adds IP address to site within the IP scope defined on the site. - InsightVM automatically do an discovery scan of the IP address.
Posted by Jacob Husted about a year ago
We are trying to test compliance in a Windows Server 2012, according to CIS Benchmark policy, but when the scan is finished the policy appears as "not applicable", and the log file indicates the following: "xccdf_org.cisecurity.benchmarks_benchmark_2.3.0_CIS_Microsoft_Windows_Server_2012_R2_Benchmark:2.3.0 is not applicable due to platform restriction(s)" How could i fix this? Thanks in advance.
Posted by Alejandro Luna about a year ago
I use a SQL Query to gather information on compliance failures. The query gives me the scan date, host name, and the failed rule. does anyone know the name of the field that lists the Remediation Steps (fix) information? Here is the query that I am using: select da.ip_address, da.host_name, dpr.title as Rule_Name, dprs.description as Complaince_Status, fpr.date_tested as "Date Tested" from fact_asset_policy_rule as fpr join dim_asset as da on fpr.asset_id = da.asset_id join dim_operating_system as dos using (operating_system_id) join dim_policy as dp on fpr.policy_id = dp.policy_id join dim_policy_rule as dpr on fpr.rule_id = dpr.rule_id join dim_policy_result_status as dprs on fpr.status_id = dprs.status_id
Posted by Stephen R. Harashack about a year ago
Hi all, I am just looking for some insight, best practices, or dos/don'ts from anyone that has tried creating custom scan / report templates specifically looking for vulnerabilities related to findings from an external security rating vendor (i.e. SecurityScorecard, BitSight, etc.). The goal here would be to mirror the findings from the rating vendor in a Nexpose report. Any information / insight would be greatly appreciated, thanks!
Posted by Brett von Reyn about a year ago
Hi, I'm trying to integrate splunk with Nexpose using the TA Add-on but is not sending the logs, I have already set up everything as described but still does not work. I have the data input added on the forwarder and the account set up. these are the logs that I get from the TA-Rapid7_nexpose.log 2018-09-10 14:48:57,905 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 14:48:58,005 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 14:48:58,006 INFO nx_logger:38 - Listing the fields for the set up screen... 2018-09-10 14:48:58,198 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 14:48:58,307 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:33,181 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:33,311 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:33,311 INFO nx_logger:38 - Listing the fields for the set up screen... 2018-09-10 15:02:33,511 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:33,609 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:33,725 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:33,836 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:33,837 INFO nx_logger:38 - Listing the fields for the set up screen... 2018-09-10 15:02:34,036 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:34,138 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:34,249 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:34,355 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:34,356 INFO nx_logger:38 - Listing the fields for the set up screen... 2018-09-10 15:02:34,543 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:34,643 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:34,743 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:34,841 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:34,841 INFO nx_logger:38 - Saving changes made on configuration screen... 2018-09-10 15:02:34,937 INFO nx_logger:38 - Sucessfully retrieved stored config for Nexpose. 2018-09-10 15:02:34,953 INFO nx_logger:38 - Password retrieved. 2018-09-10 15:02:35,110 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:35,111 INFO nx_logger:38 - Listing the fields for the set up screen... 2018-09-10 15:02:35,300 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:35,428 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:35,429 INFO nx_logger:38 - Listing the fields for the set up screen... 2018-09-10 15:02:35,622 INFO nx_logger:38 - Executing nexpose_setup.py 2018-09-10 15:02:35,726 INFO nx_logger:38 - Executing nexpose_setup.py I would like to see if I there is way to see more logs and troubleshoot this, Thanks. Ernesto M.
Posted by Ernesto Melendez about a year ago
So I am trying to have our various server admin teams look into the assets with missing credential scans and so I need to add a column for OS. I literally have spent all day trying to figure this out and am still stumped. It should not be this hard.... Might anyone have some other ideas? This is the closest I have come but I need those IDs to mean something to a human (just general Windows or Linux would actually do if push comes to shove). WITH max_certainty AS ( SELECT asset_id, max(certainty) AS certainty FROM dim_asset_operating_system GROUP BY asset_id ), asset_cred_status AS ( SELECT DISTINCT fa.asset_id, CASE WHEN dacs.aggregated_credential_status_id IN ('1','2') THEN 'FAIL' WHEN dacs.aggregated_credential_status_id IN ('3', '4') THEN 'SUCCESS' ELSE 'N/A' END AS auth_status FROM fact_asset fa JOIN dim_aggregated_credential_status dacs ON (fa.aggregated_credential_status_id = dacs.aggregated_credential_status_id) ) SELECT acs.asset_id, da.ip_address, da.host_name, acs.auth_status, operating_system_id, ROUND(mc.certainty::numeric, 2) AS certainty FROM asset_cred_status acs JOIN dim_asset da ON (da.asset_id = acs.asset_id) JOIN max_certainty mc ON (mc.asset_id = da.asset_id)
Posted by Lora Fulton about a year ago
We use Skybox for ingesting and reporting on data from InsightVM. On 8/13/18, Skybox began showing a critical vulnerability for CVE-2017-7779: Mozilla Firefox 54, Firefox ESR 52.2 and Thunderbird <52.3 Remote Code Execution Vulnerability. However, when reviewing data from Skybox for previous days this vulnerability did not appear. It also does not currently appear in InsightVM as a vulnerability for any of our assets. I looked at several of the assets, and they do not show the affected software installed. In Skybox, the History tab of the vulnerability shows that on 8/12 there was the following change: New Related Source was added: Rapid7\cifs-share-everyone-readable. I opened a case with Skybox, and they pushed it back to Rapid7. I've opened a case with Rapid7, but haven't gotten anywhere. InsightVM shows no assets with the vulnerability for CVE-2017-7779. I'm not understanding how the "Cifs share readable by everyone" vulnerability is associated with a vulnerability for Firefox/Thunderbird from 2017, and why assets that don't have Firefox/Thunderbird installed are showing this vulnerability in Skybox. Has anyone else seen this issue recently?
Posted by John Magnetta about a year ago
Currently the infrastructure admin sends us a a note or a request for scheduling scans but they are expecting to schedule scans on their own which I am trying to build a UI/API for them to just schedule a scan without directly logging into Nexpose. Can I use any API or Nexpose supports only a few? Looking for a automated approach rather than a manual one
Posted by MJ about a year ago
Hello, i need an sql query which will produce the total amount of assets scanned, total amount assets scanned which were successfully authenticated, which were unsuccessfully authenticated, and which were not attempted to authenticate due to lack of authentication parameters. I saw separate queries that will provide me that data but i need it all in one report is it possible? Thanks.
Posted by Maxim Vovk about a year ago
On a number of machines Windows 10 and Windows 7 scan results are showing "Partial Credential Success". I created an inbound rule to the firewall for RPC Endpoint mapper, also created firewall rules for WMI, and enabled the registry key for AllowRemoteRPC. This resolved the issue for 2/5 test machines. When comparing Wireshark logs of a working machine and a machine which is showing the credential failure with these changes in place. Both machines send a bind request for ISystemActivator and request a remote instance + receive a response. On the working device it then binds to IRemUnknown2 and does a bunch of queries via IWbemServices on the machine which is not working it instead binfs to IOXIDResolver and does a Complex Ping then moves on to another part of the Nexpose Scan skipping the additional queries. I've been at this for a couple of days, is there documentation somewhere I am missing with a list of services which must be running for this to function properly? I believe I am past this being a firewall issue as I don't see anything that appears to be getting blocked in wireshark but I could be wrong. Any assistance in location documentation for proper configuration on machines to be scanned would be greatly appreciated.
Posted by Shane Burke about a year ago
Hi Mark, Do we still need a scan engine setup in one of the host on network if we already have agent installed on all the hosts (assets) that we want to scan? if answer is no , then how does communication between a agent and console needs to be established. I understand the distributed scan engine, scans assets over the network while this engine is paired with console through which we run the scan and get the vulnerability information. How is agent in this case if different from engine?
Posted by RamaKrishna about a year ago
Is it possible to create a report that excludes vulnerabilities posted after a certain date? Ex. patching occurs on a Monday, new vulnerability comes out on a Tuesday, report is ran on a Wednesday showing that devices are non-compliant.
Posted by Hunter Brindley about a year ago