Hello, In IDR we have a user in AD being flagged as a disabled account logging into cloud services. Call it jsmith (Jon Smith). There is an older, disabled account that was called jsmith (John Smith) and that (for whatever reason) was renamed from jsmith to jsmith-old. The UPN, SamAccountName, and other fields in AD were all renamed to jsmith-old. However, Jon Smith, the new user, is still flagged as a disabled account logging into an online service. When I view the jsmith-old account in IDR it shows both the new entries for jsmith-old and the old entry for jsmith. Is there any way to remove the old entry from this account in IDR so the currently enabled user does not keep getting flagged? Thank you.
Posted by Andre 9 months ago
I'm trying to edit the "Certificate Expiring in 90 days" SQL query to include the certificate's common name or, better yet, the cert's serial number so I can match that against the cert list from our internal Certificate Authority. I've tried a couple of changes but so far nothing's worked. The original query from the Nexpose KB is below. Anyone know how to pull the CN and serial number for each cert using this query?

WITH cert_expiration_dates AS (
  SELECT DISTINCT asset_id, service_id, name, value
  FROM dim_asset_service_configuration
  WHERE lower(name) LIKE '%ssl.cert.not.valid.after'
)
SELECT ip_address, host_name, mac_address, ced.value
FROM dim_asset
JOIN cert_expiration_dates AS ced USING (asset_id)
WHERE (cast(ced.value AS DATE) - CURRENT_TIMESTAMP <= INTERVAL '90 days')
  AND (cast(ced.value AS DATE) - CURRENT_TIMESTAMP > INTERVAL '0 days')
Posted by Doug Schaible 9 months ago
Hi, I am a Fastly customer, and they have built-in support for Logentries logging. However, when I try to create a new Logentries account, this is redirected to Rapid7 instead.
- Does Rapid7 receive logs which are directed to Logentries? Or does it have a different endpoint?
- Is the Fastly integration still working?
- Is there a Knowledge Base article or any documentation explaining the connectivity/non-connectivity between logentries.com and rapid7.com?
- Is there a Knowledge Base article or documentation for Fastly customers?
Thanks, Sam
Posted by Sam Darwin 9 months ago
Has anyone had success deploying the Insight Agent via SCCM? I am experiencing issues while trying to install from the script that was provided on the site. When using a simple script locally on workstations, the install seems to fail. When looking at the log, there is nothing that stands out to me. The scripts used are below:

msiexec.exe /i agentinstaller-x86_x64.msi /qn
msiexec.exe /i agentinstaller-x86_x64.msi /quiet
msiexec.exe /i agentinstaller-x86_x64.msi /L*V "C:\temp\rapid7.log" /qn /norestart

The output from the log file is below:

=== Verbose logging started: 4/30/2018 10:11:27 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (FC:FC) [10:11:27:137]: Resetting cached policy values
MSI (c) (FC:FC) [10:11:27:137]: Machine policy value 'Debug' is 0
MSI (c) (FC:FC) [10:11:27:137]: ******* RunEngine: ******* Product: agentinstaller-x86_x64.msi ******* Action: ******* CommandLine: **********
MSI (c) (FC:FC) [10:11:27:138]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (FC:FC) [10:11:27:138]: Grabbed execution mutex.
MSI (c) (FC:FC) [10:11:27:169]: Cloaking enabled.
MSI (c) (FC:FC) [10:11:27:169]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (FC:FC) [10:11:27:170]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (28:84) [10:11:27:179]: Running installation inside multi-package transaction C:\Users\jmmiller\Desktop\Rapid7\agentinstaller-x86_x64.msi
MSI (s) (28:84) [10:11:27:179]: Grabbed execution mutex.
MSI (s) (28:B0) [10:11:27:182]: Resetting cached policy values
MSI (s) (28:B0) [10:11:27:182]: Machine policy value 'Debug' is 0
MSI (s) (28:B0) [10:11:27:182]: ******* RunEngine: ******* Product: C:\Users\jmmiller\Desktop\Rapid7\agentinstaller-x86_x64.msi ******* Action: ******* CommandLine: **********
MSI (s) (28:B0) [10:11:27:183]: Note: 1: 2203 2: C:\Users\jmmiller\Desktop\Rapid7\agentinstaller-x86_x64.msi 3: -2147287038
MSI (s) (28:B0) [10:11:27:184]: MainEngineThread is returning 2
MSI (s) (28:84) [10:11:27:188]: User policy value 'DisableRollback' is 0
MSI (s) (28:84) [10:11:27:188]: Machine policy value 'DisableRollback' is 0
MSI (s) (28:84) [10:11:27:188]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (28:84) [10:11:27:188]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (28:84) [10:11:27:189]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (28:84) [10:11:27:189]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (FC:FC) [10:11:27:190]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (FC:FC) [10:11:27:191]: MainEngineThread is returning 2
=== Verbose logging stopped: 4/30/2018 10:11:27 ===
Posted by Jeff Miller 9 months ago
hey guys, I am having a major issue getting Nexpose to run. I keep getting this error:

Critical error during initialization: Could not get JDBC Connection; nested exception is org.postgresql.util.PSQLException: FATAL: the database system is in recovery mode

When I manually start with ./nsc.sh I get this:

2018-04-26T12:50:39 [INFO] Initializing console...
2018-04-26T12:50:39 [INFO] Product Version: 6.5.16
2018-04-26T12:50:39 [INFO] Current directory: /opt/rapid7/nexpose/nsc
2018-04-26T12:50:39 [INFO] User name: root
2018-04-26T12:50:39 [INFO] Super user: Yes
2018-04-26T12:50:39 [INFO] Computer name: kevin-Aspire-A517-51G
2018-04-26T12:50:39 [INFO] Host Address: 127.0.1.1
2018-04-26T12:50:39 [INFO] Host FQDN: kevin-Aspire-A517-51G
2018-04-26T12:50:39 [INFO] Operating system: Ubuntu Linux 17.10
2018-04-26T12:50:39 [INFO] CPU speed: 3175MHz
2018-04-26T12:50:39 [INFO] Number of CPUs: 8
2018-04-26T12:50:39 [INFO] Total memory: 11.6 GB
2018-04-26T12:50:39 [INFO] Available memory: 508.8 MB
2018-04-26T12:50:39 [INFO] Total disk space: 456.4 GB
2018-04-26T12:50:39 [INFO] Available disk space: 169.1 GB
2018-04-26T12:50:39 [INFO] Disk space used by installation: 1.5 GB
2018-04-26T12:50:39 [INFO] Disk space used by scans: 0 bytes
2018-04-26T12:50:39 [INFO] Disk space used by database: 68.4 MB
2018-04-26T12:50:39 [INFO] Disk space used by reports: 0 bytes
2018-04-26T12:50:39 [INFO] Disk space used by backups: 0 bytes
2018-04-26T12:50:39 [INFO] JVM name: OpenJDK 64-Bit Server VM
2018-04-26T12:50:39 [INFO] JVM vendor: Azul Systems, Inc.
2018-04-26T12:50:39 [INFO] JVM version: 25.162-b01
2018-04-26T12:50:39 [INFO] JVM started: 2018-04-26 19:50 GMT
2018-04-26T12:50:39 [INFO] Running interactively under super-user: root.
2018-04-26T12:50:39 [WARN] System is running low on memory: 11883MB total (508MB free)
2018-04-26T12:50:39 [INFO] Initializing JDBC drivers.
2018-04-26T12:50:39 [INFO] Loading configuration...
2018-04-26T12:50:39 [INFO] Initializing license manager...
2018-04-26T12:50:40 [WARN] No valid licenses were found. This will prevent site modification and the running of scans.
2018-04-26T12:50:40 [INFO] Initializing maintenance manager...
2018-04-26T12:50:40 [INFO] Renamed /opt/rapid7/nexpose/nsc/maintenance.xml to /opt/rapid7/nexpose/nsc/maintenance.bak
2018-04-26T12:50:40 [INFO] Initializing crypto subsystem...
2018-04-26T12:50:40 [INFO] Initializing plugins...
2018-04-26T12:50:40 [INFO] Initializing authentication services...
2018-04-26T12:50:40 [INFO] Initializing web server...
2018-04-26T12:50:40 [INFO] Configuring web server.
2018-04-26T12:50:40 [INFO] Generating skin: /opt/rapid7/nexpose/nsc/htroot/scripts/nexpose-skin.js
2018-04-26T12:50:40 [INFO] Generating feature set: /opt/rapid7/nexpose/nsc/htroot/scripts/nexpose-features.js
2018-04-26T12:50:40 [INFO] Context loader config file is jar:file:/opt/rapid7/nexpose/nsc/lib/nsc.jar!/META-INF/context.xml
2018-04-26T12:50:40 [INFO] Initializing ProtocolHandler ["http-nio-3780"]
2018-04-26T12:50:40 [ERROR] Failed to initialize end point associated with ProtocolHandler ["http-nio-3780"]
2018-04-26T12:50:40 [ERROR] Failed to initialize connector [Connector[HTTP/1.1-3780]]
2018-04-26T12:50:40 [ERROR] A critical error occured during initialization
2018-04-26T12:50:40 [INFO] Adding maintenance task NexposeRecovery
2018-04-26T12:50:40 [INFO] Reinitializing web server for maintenance mode...
2018-04-26T12:50:40 [INFO] Stopping ProtocolHandler ["http-nio-3780"]
2018-04-26T12:50:40 [INFO] Destroying ProtocolHandler ["http-nio-3780"]
2018-04-26T12:50:40 [INFO] Accepting web server logins.
2018-04-26T12:50:40 [INFO] Found a pending maintenance task: NexposeRecovery
2018-04-26T12:50:40 [INFO] Entering maintenance mode, only administrator logins permitted.
2018-04-26T12:50:40 [INFO] Maintenance Task Started
2018-04-26T12:50:40 [INFO] Accepting console commands.
> 2018-04-26T12:50:40 [ERROR] Error during server initialization.
2018-04-26T12:50:40 [INFO] Shutting down immediately
2018-04-26T12:50:40 [WARN] Error stopping quartz schedulers.
2018-04-26T12:50:40 [INFO] Shutting down web server...
2018-04-26T12:50:40 [INFO] Pausing ProtocolHandler ["http-nio-3780"]
2018-04-26T12:50:40 [INFO] Stopping service Tomcat
2018-04-26T12:50:40 [ERROR] Problem shutting down Tomcat
2018-04-26T12:50:40 [INFO] Web server stopped
2018-04-26T12:50:40 [INFO] removing scheduled risk and history updater jobs
2018-04-26T12:50:40 [INFO] Shutting down extension manager
2018-04-26T12:50:40 [INFO] Extension manager shutdown successful.
2018-04-26T12:50:40 [INFO] Shutting down config manager
2018-04-26T12:50:40 [INFO] Shutting down crypto system
2018-04-26T12:50:40 [WARN] Error stopping connection scheduler.
2018-04-26T12:50:40 [INFO] Shutting down daemon manager
2018-04-26T12:50:40 [WARN] Error shutting down database.
2018-04-26T12:50:40 [INFO] Shutting down command console
2018-04-26T12:50:40 [INFO] Shutting down web server...
NeXpose security console exited with code 0

What is going wrong here? Thanks!
Posted by Kevin Humphrey 10 months ago
I have installed Nexpose in a VM and scanned a few hosts, but it only shows 1 or 2 vulnerabilities. I have switched off the Windows firewall in my VM and host machines. They are in the same network. I have performed a full audit without web scan. What might be the issue here? All the hosts have a connection with the console and I can telnet to the ports too.
Posted by Gamunu Panamaldeniya 10 months ago
Hi Support, We're measuring vulnerability metrics each week via a 'New and Remediated' vulnerability report (SQL query found in Rapid7 help). Unfortunately, the report does not report on the number of instances in which each of the vulnerabilities occurs. Question - Is there a way to filter by date or run a historical report based on the Vulnerabilities page (the section where there are Vulnerability Charts, the Vuln by CVSS Score pie graph area)? What I'm looking for is Total Outstanding vulnerabilities, broken down week by week. Any tips and tricks will be greatly appreciated. Thank you!
Posted by Romel Edrada 10 months ago
We have noticed cases where a Microsoft patch is installed but Nexpose is still reporting the vulnerability. Sometimes the patch was superseded and Nexpose still looks for the previous KB. Here are some examples. I wonder if there is any fix for this because it's really causing a lot of noise on the reports.
1- CVE-2017-11882: KB4011276 was installed but Nexpose still shows this as vulnerable and asks for KB4011604. Microsoft said if you have KB4011276 there is no action needed, but Nexpose is not reflecting that.
2- MS14-066: installed KB2992611 on Windows Server 2012 but Nexpose is still reporting on it.
Posted by Maiash 10 months ago
Customer wants to select a vulnerability (with all assets that have it) and send it for remediation as a ticket of some sort with all description, proof and vulnerability solution. How do I auto-delete assets that have been reinstalled or permanently shut down?
Posted by Nikolajs Matjusenko 10 months ago
I'm trying to create my first scan. The first page of scan configuration asks for URLs I want to scan. I pasted one in and immediately saw red text telling me that I would first need to add something to the "starting URLs" list. But I don't see anything in the UI or menus called "starting URLs list" and I don't find any mention of a "starting URLs list" in the user guide (I'm looking here: https://www.rapid7.com/docs/download/AppSpider_Pro_User_Guide_-_3-6-17.pdf)
Posted by Brian 10 months ago
I'm fairly new to AppSpider so I assume I'm missing something obvious, but I've been looking through the various guides on your website and don't see my answer. How do I suppress a false positive in a scan? I would prefer to do it locally for a particular scan on a particular page, but the only place I've found in the app that looks like it might suppress findings is under Tools | Global Finding Repository. I'm guessing that checking the right-most "ignore" column would suppress the finding for all scans. Correct? Is that the only way to suppress it? Also, the particular finding I want to suppress is called "Hard-Coded Password." That shows up in the Global Findings three separate times, and for each one the URL field is blank. What is the difference between them? Is one of them perhaps from the particular scan where I want to suppress the finding? Thanks for the help.
Posted by Brian 10 months ago
We have a few 2012R2 hosts getting hit for Microsoft CVE-2017-8529 with the proof stating they have "KB4022720 installed". The fix listed in Nexpose is to uninstall this patch. However, when I check the box it does not show this patch or any of the other possible June 2017 patches that were known to cause any issues. The registry keys have been set for this host, the patch KB4036586 has been applied and the host has been rebooted. Would there be any other reason this host is being flagged?
Posted by Robert DeBellis 10 months ago
What is the best way to deal with devices such as routers that have multiple interfaces? Is the scanning software able to detect with credentials all of the IP addresses in use and collate them, or is it best to put an exception in place?
Posted by Mike 10 months ago
As a security person, InsightVM picked up these two vulnerabilities as an example:

Obsolete Version of PHP
PHP versions prior to 5.6 are no longer supported. General support for PHP 5.5.37 has been discontinued since July 10, 2016. It is strongly recommended to upgrade to PHP 5.6 or later.

and

PHP CGI Argument Injection
https://www.rapid7.com/db/vulnerabil...p-php-obsolete

The response I have back is that the version of Apache and PHP is fully supported. Can someone reconcile those two statements? I just want to have a sanity check before I approve the exception. Here is the explanation: https://access.redhat.com/solutions/445713

What version of httpd is supported on RHEL?
Is the community version of Apache httpd supported?
Which versions of Apache httpd are supported?
How can I install Apache 2.4/2.5?
Is Apache httpd 2.4/2.5 supported?
Does Redhat support self compiled apache installations?
What are supported install methods for apache 2.4 (e.g. rpm and yum only etc.)?
Support for apache installation. We need to update the httpd version from 2.4.9 to 2.4.12. We are unable to find the same on portal. Please provide Apache executable file for this.
Which is the latest version of httpd (Apache) server available from RHEL?
Apache HTTPD Upgrade: I am aware that the Apache HTTPD version supplied for RHEL7.1 is version 2.4.6. Will Redhat upgrade this to 2.5 in future for RHEL7? I also have RHEL6.6 OS. Will there be plans to upgrade the Apache Httpd package in future?
Apache Prior to 2.4.4 and 2.2.24 Multiple Vulnerabilities
Apache HTTP Server Prior to 2.2.25 Multiple Vulnerabilities
httpd vulnerability on port 443: We patched httpd packages to latest (available on RHEL6 repository) to solve below vulnerabilities, but it seems there is still a vulnerability that Qualys is reporting.
What is the latest version of httpd supported on RHEL? It looks like the latest is 2.2.3 but this is quite old.
Does RHEL 7 support Apache version 2.2.31? Else which Apache version does RHEL 7 support?
Which versions of Apache are available for my version of Red Hat Enterprise Linux?
It is necessary to install a specific version of Apache; does the installed version of Red Hat Enterprise Linux support it?
We need to know which is the latest Apache (httpd) version that Redhat supports.
Is Apache/2.2.31 (Unix) supported in RHEL6 or RHEL7?
Upstream is discussing EOL dates for PHP 5.3. https://wiki.php.net/rfc/php53eol Can you verify that RHEL6 will support PHP 5.3.x for the entire lifespan of RHEL6? Or is it possible that PHP 5.3.x will also become EOL for RHEL6?
Please suggest how and where I can get PHP 5.3.25 or above to install using Yum in RHEL6?

Resolution

At the time of this writing, we have the following default versions of php packages available for RHEL5, RHEL6 and RHEL7:
RHEL5 :- php-5.1 (latest RHEL provides php-5.3 in the php53 package)
RHEL6 :- php-5.3
RHEL7 :- php-5.4

The major version for php will remain as above for its whole life cycle. Please check the paragraph below on how RHEL packages are managed.

Red Hat Software Collections provides support for php-5.4, php-5.5, php-5.6, and php-7.0 for RHEL6 as well as RHEL7 (as Software Collections follows a different naming convention, these packages are named php54, php55, rh-php56, rh-php70 respectively). Please visit How to use Red Hat Software Collections for more information.

Red Hat Enterprise Linux is a maintained collection of many different components, which are drawn from the wider open source software community. At the time our product is released we have a particular version of each of the software components, selected for features and stability. During the life cycle of our product we backport any relevant bug fixes and security enhancements created by the upstream maintainers to the packages that we maintain, as well as contributing any fixes that we do. We have our own version numbering scheme for the packages that we create based on these backported changes.

We do not change the version of any of the software components based on the release of a new version by an upstream project. For example, if PHP releases a new version of PHP, we will not update our package to that new version. This is in order to maintain compatibility and stability. We will backport any bug fixes or security errata that are relevant to the version of PHP that is part of Red Hat Enterprise Linux. For more information about Red Hat's policy on the backporting of security updates, visit the following: What is Red Hat's security patch and backport policy
Posted by Al Wilson 10 months ago
Hello Community, Firstly, I am sorry if I am opening a thread on a restricted subject and unintentionally violating forum policy. The issue I am facing is while setting up Hackazon on my Ubuntu server. After installing all the required repos, I am trying to access the http://localhost/install wizard in the browser; however, it throws the following error:

Fatal error: Call to undefined function bcpow() in /var/www/hackazon/vendor/gwtphp/gwtphp/src/util/TypeConversionUtil.class.php on line 207

Could you please help me resolve the issue? Thank you
Posted by Darshan Doshi 10 months ago