Retina CS UserGuide
Release 4.5.1
Revision/Update Information: June 10, 2013
Software Version: Retina CS 4.5.1
Revision Number: 1
COPYRIGHT NOTICE
Copyright 2013 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is
also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. (BeyondTrust) or
BeyondTrust's authorized remarketer, if and when applicable.
TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the
proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, and
may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and when
applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying,
modification and use.
DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than any limited warranties expressly
provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED,
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A
PARTICULAR PURPOSE.
LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. This
software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitation
that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture,
duplication, distribution or disclosure. (FAR 52.227-14(g)(2)(Alternate II))
LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject to
limited rights and other restrictions, as set forth in the Rights in Technical Data Noncommercial Items clause at DFARS 252.227-7013.
TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage,
PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Virtualization,
PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker Windows Desktops, and PowerBroker
Identity Services are trademarks of BeyondTrust.
Retina, Retina CS, Iris, Blink, Retina Web, and REM are registered trademarks of BeyondTrust. SecureIIS and Enterprise Update
Server are trademarks of BeyondTrust.
Windows is a registered trademark of Microsoft Corporation.
FICTITIOUS USE OF NAMES
All names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead, is entirely
coincidental.
Contents
I. Retina CS Management Console
Retina CS Overview
Retina CS Architectural Overview
Retina CS Components
Retina Network Security Scanner (RNSS agent)
Retina Protection Agent (RP agent)
eEye Manager Service
AppBus (Application Bus)
Events Client
Central Policy Server
Enterprise Update Server
Third Party Patch Service
Scheduling Service
Shared Services Engine
How a Scan Works
How Job Scheduling Works
Access Retina CS
Access the Client Portal
Retina CS Tools
Overview
Working with Smart Rules
Understanding Smart Rule Filters
Smart Rule Filters
Predefined Smart Groups
Creating an Asset Smart Rule
Creating a Vulnerabilities Smart Rule
Cloning a Smart Rule
Marking a Smart Group as Inactive
Creating an Address Group
Creating a Smart Rule based on an Address Group
Creating an Active Directory Query
Working with Attributes
Working with Tickets
Creating a Ticket
Managing Ticket Details
Marking a Ticket as Inactive
Tracking Open Tickets Using a Smart Rule
Asset Management
Interpreting Scan Results on the Dashboard
Reviewing Asset Details
Risk Scores
Changing Asset Properties
Changing the Display
Setting Display Preferences
Filtering Records
Managing Jobs
Reviewing Job Details
Reviewing Scheduled Job Details
Viewing Scheduled Scans in the Calendar View
Viewing Scan Event Details
Aborting or Pausing a Job
Changing Job Page Settings
Mobility Scanning
Overview
Configuring a BlackBerry Connector
Configuring an Android Connector
Deploying the Application to Android Devices
Configuring Settings on Android Devices
Configuring an ActiveSync Connector
Reviewing Mobility Scan Results
Creating Custom Audits for Mobile Devices
Cloud Scanning
Requirements
Amazon EC2 Requirements
VMware vCenter Requirements
Multi Tenant
Overview
Smart Rules Manager and Browser Pane
Working with Scan Credentials
Quick Rules
Organization Filters
Patch Management Module
Mobility Connectors
Retina Protection Agents
Setting Up Organizations
Step 1 Creating a Workgroup
Step 2 Adding an Organization
Step 3 Creating a User Group for a Tenant
Managing Users
Creating User Groups
User Group Permissions
Access Levels
Permissions Required for Configuration Options
Creating User Accounts
Reset Retina CS Account Password
Auditing Retina CS Users
Adding Credentials
Creating an SSH Credential
Creating Oracle Credentials
Adding Credentials for Active Directory Access
Maintenance
Viewing Status for Scanners and Agents
Determining if a Retina Agent is Available
Removing Retina Agent Files
Configuring a Failover Agent
PasswordSafe
Overview
Configuring PasswordSafe
Creating a Connection to Your Appliance
Creating User Groups
Adding a Managed System
Managing Passwords
Requesting a Password
Approving a Password
Retrieving a Password
Retina CS Overview
In this section,
Retina CS Architectural Overview
Retina CS Components
How a Scan Works
How Job Scheduling Works
Accessing Retina CS
Retina CS Components
This section provides information on each of the components that Retina CS
relies on in running scans, protecting assets, etc.
Retina Network Security Scanner (RNSS agent)
The Retina Network Security Scanner is the scan engine responsible for
scanning the assets in your environment. The RNSS agent receives
instructions from the Central Policy service.
A security certificate is required by the Events Client to communicate with
the agent. This certificate can be created during the Retina CS installation.
Retina Protection Agent (RP agent)
The agent designed to protect your assets. The Retina Protection agent
provides layers of protection, including: virus and spyware, firewall,
intrusion prevention, system protection, and vulnerability assessment.
A security certificate is required by the Events Client to communicate with
the agent. This certificate can be created during the Retina CS installation.
eEye Manager Service
This component is the Retina CS web interface.
The eEye Manager Service also acts as a background service that gathers
information from the Events Client (which retrieves information from the
agents). The events are then encrypted and sent to the database.
AppBus (Application Bus)
Provides communications between BeyondTrust components and receives
events to insert in the Retina CS database. This function can also be done by
a dedicated Event Server for scalability.
Events Client
The Events Client is responsible for forwarding information gathered by the
RNSS agent and RP agent.
The Events Client sends the information to the eEye Manager Service. The
Events Client is installed when an RNSS agent or RP agent is installed.
Events Client Certificate
1. Create the scan job in the Retina CS Management Console. The scan job
includes details such as the IP addresses to be targeted, the scan
template, and scheduling information.
2. The Central Policy service notifies the RNSS agent with the
instructions for the scan job.
3. The RNSS agent goes out to the assets listed in the scan job
details and gathers the data based on the selected scan template.
Ports Used by Retina CS

Function                   Components                              Port
Database connectivity      CS to SQL Server, Event Client          1433
RPA Central Policy
RNSS Central Policy
RNSS to Retina CS
Update Servers             SyncIt or EUS to BeyondTrust            443 or 80
Client Browser             User to Retina CS or Retina Insight     443 or 80
PowerBroker Mobile         Connector to PBM                        443
Android Mobile Connector   Android agents to Retina CS             21691
Retina CS replication                                              Version 2: 443
                                                                   Version 1: 10001
                                                                   Version 2: 443
List of scanners
Choosing the asset distribution algorithm
Choosing the targets:
- Address groups
- Cloud assets
- LDAP queries
Access Retina CS
When working in Retina CS, note that times displayed match the web
browser on the local computer (unless stated otherwise).
To log on to Retina CS:
1. Select Start > All Programs > eEye Digital Security > Retina CS >
Retina CS.
You can also log on to Retina CS using the URL provided to you by your
Security Administrator.
2. Enter your username and password.
The default username is Administrator and the password is the
Administrator Password you set in the Retina CS Configuration wizard.
3. Click Login.
If you forget your password, click Forgot your Password? Enter your
username to have a new password sent to your registered email address.
Retina CS Tools
In this section,
Overview
Working with Smart Rules
Understanding Smart Rule Filters
Predefined Smart Groups
Creating an Asset Smart Rule
Creating a Vulnerability Smart Rule
Cloning a Smart Rule
Marking a Smart Group as Inactive
Creating an Address Group
Creating an Always Address Group
Creating a Smart Group Based on an Address Group
Creating an Active Directory Query
Working with Attributes
Working with Tickets
Creating a Ticket
Managing Ticket Details
Marking a Ticket as Inactive
Tracking Open Tickets Using a Smart Rule
Overview
Retina CS provides a set of tools to help you organize assets for scanning.
Depending on the number of assets that you want to scan, or the critical
nature of some of your assets, consider organizing the assets using address
groups or Active Directory queries which can be part of a Smart Rule.
The following list provides examples of ways you can use these tools:
Scans can return a lot of information. To help you review scan results, you
can create filters and set preferences on the Assets page. For more
information, see Changing the Display.
Asset Smart Groups - Organizes the assets based on the filters selected.
Read permissions to all user groups that the user is a member of.
A Smart Rule updates results automatically, ensuring that assets that match
the criteria in the rule are current.
For example, a simple filter on assets might be finding all assets in the
domain EMEA, as shown:
If you select Match All Criteria, then every indented filter under it must
be true for an asset to be included.
If you select Match Any Criteria, then only one of the indented filter
items under it must be true for an asset to be included.
The following filter example will include all assets in the EMEA domain that
are either servers or workstations.
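The Match All Criteria / Match Any Criteria logic described above is a nested boolean filter tree: each indented block is an AND or an OR over its children, and blocks can nest. The Python below is an added example written for readers of this guide; it is not BeyondTrust or Retina CS code, and the operator names (equals, contains, in), the field names (domain, asset_type) and the inventory records are assumptions constructed for the example. It reproduces the filter from the text (domain EMEA and either a server or a workstation) and also handles nesting of arbitrary depth.

```python
"""Evaluator for nested Smart Rule filter trees (added example; not Retina CS code)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Union


@dataclass
class Filter:
    """A single filter line: compare one asset field against a value."""
    field_name: str
    op: str
    value: Any


@dataclass
class Group:
    """An indented block of filters. mode is 'all' (Match All Criteria)
    or 'any' (Match Any Criteria)."""
    mode: str
    items: List[Union["Filter", "Group"]] = field(default_factory=list)


# Comparison operators for the leaf filters (hypothetical names, not the product's).
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, wanted: str(actual).lower() == str(wanted).lower(),
    "contains": lambda actual, wanted: str(wanted).lower() in str(actual).lower(),
    "in": lambda actual, wanted: actual in wanted,
}


def matches(node: Union[Filter, Group], asset: Dict[str, Any]) -> bool:
    """Return True if the asset satisfies the filter tree rooted at node."""
    if isinstance(node, Filter):
        # A missing field compares as None and so never equals a real value.
        return OPS[node.op](asset.get(node.field_name), node.value)
    if node.mode not in ("all", "any"):
        raise ValueError(f"unknown group mode: {node.mode}")
    results = [matches(child, asset) for child in node.items]
    # Assumption: Match All with no children is vacuously true,
    # Match Any with no children is false (Python's all()/any() semantics).
    return all(results) if node.mode == "all" else any(results)


def evaluate_rule(rule: Group, assets: List[Dict[str, Any]]) -> List[str]:
    """Names of the assets that belong to the Smart Group defined by rule."""
    return [asset["name"] for asset in assets if matches(rule, asset)]


# The filter from the text: domain EMEA, and either a server or a workstation.
EMEA_SERVERS_AND_WORKSTATIONS = Group("all", [
    Filter("domain", "equals", "EMEA"),
    Group("any", [
        Filter("asset_type", "equals", "Server"),
        Filter("asset_type", "equals", "Workstation"),
    ]),
])

# Constructed inventory records for the example, not real scan output.
SAMPLE_ASSETS = [
    {"name": "emea-srv-01", "domain": "EMEA", "asset_type": "Server"},
    {"name": "emea-ws-07", "domain": "EMEA", "asset_type": "Workstation"},
    {"name": "emea-printer", "domain": "EMEA", "asset_type": "Printer"},
    {"name": "apac-srv-02", "domain": "APAC", "asset_type": "Server"},
    {"name": "unjoined-box", "asset_type": "Workstation"},
]

if __name__ == "__main__":
    print(evaluate_rule(EMEA_SERVERS_AND_WORKSTATIONS, SAMPLE_ASSETS))
```

Because the Smart Rule is re-evaluated whenever it is processed, running `evaluate_rule` against a fresh inventory is the whole refresh: assets that no longer satisfy the tree simply drop out of the returned list.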
Smart Rule filters
Active Directory Query
Address Group
Asset Fields
Assigned Attributes
Attacks
Cloud Assets
Installed Software
MAC Address
Malware
Operating System - Filter on any combination of OS. Operating systems
included in the list are those detected in your network.
Processes
Protection Agents
Services
Vulnerabilities
Vulnerability Scanners
Windows Events
Workgroup - Filter by workgroup.
Table 2. Vulnerability fields
Vulnerability has mitigation patch
Vulnerability in audit group
Vulnerability severity
Zero day vulnerabilities
Predefined Smart Groups cannot be changed or deleted. However,
predefined Smart Groups can be marked as inactive (except for the All
Assets Smart Group) to improve performance on large databases. For more
information, see Marking a Smart Group as Inactive.
The predefined Smart Groups are displayed in the Smart Groups browser
pane and are organized in the following categories.
Table 3. Asset Smart Groups
Intelligent Alerts
Servers
Virtualized Devices
Table 4. Vulnerability Smart Groups
All Vulnerabilities
Zero Day Vulnerabilities
You can also select the default view to display on the Assets page
when the Smart Group is selected.
Smart Groups are also used for running scans, applying protection
policies, and registering for patch updates.
Send an email with a list of assets - Select and enter the email
addresses for notification when the rule criteria are matched.
Emails are only sent if the list of assets that match the rule has
changed since the last time the rule was processed.
Set attributes on each asset - Select the attribute type from the list
and then select the attribute.
Manage vulnerabilities
3. Select Vulnerability based smart rules from the Smart Rule type list.
4. Click New Rule.
5. Enter a name and description.
6. The Active check box is selected by default. The Smart Rule is always
available for processing when Active is selected. Clear the check box so
the rule is not processed.
7. Enter a category name or select a category from the list. Use categories
to organize your Smart Rules in the Smart Rules Manager.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the
following:
Show vulnerability as Smart Group - When selected, the rule is
displayed on the Vulnerabilities page as a filter for the list of assets
selected in the Smart Groups browser pane.
If you are using the Multi Tenant feature, select the organization from
the list, and then click OK.
3. On the Smart Rules Manager page, edit the Smart Rule filters as needed.
4. Click Save.
The Smart Rule is active only after you click Save.
You can create an address group and name it Always. The Retina scanner
agent is designed to recognize this address group name and includes the
group in every scan (regardless of whether the group is selected in the scan
job). The address group can include and exclude IP addresses.
The next time a scan runs, the address group is synchronized with the Retina
scanner agent. The IP addresses, whether included or omitted, are considered
part of the scan that is running.
For example, the Always address group is configured with the following:
10.10.10.60 and buffett-laptop (omitted). A scan tries to scan 10.10.10.50
and buffett-laptop. The results:
Note that if an asset was scanned and then later added to the Always address
group as Omit, the asset is not scanned but might still be displayed in the
report. This only occurs with some reports.
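The effective target list of a scan, once the Always address group is applied, follows from the two rules above: Always includes are added to every job, and Always omits are dropped even when the job names them explicitly. The Python below computes that merge; it is an added example and not BeyondTrust or Retina CS code. Two things it assumes that the guide does not state: an entry that is both included and omitted is treated as omitted, and omit entries may be hostnames, single IP addresses, or CIDR blocks (the guide's own example uses a single address and a hostname).

```python
"""Effective scan targets after applying the Always address group
(added example; not Retina CS code)."""
import ipaddress
from typing import Dict, Iterable, List


def _as_network(entry: str):
    """Parse an IP address or CIDR block; return None for a hostname."""
    try:
        return ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return None


def _covered_by(target: str, entries: Iterable[str]) -> bool:
    """True if target names the same host as, or falls inside, any entry."""
    target_net = _as_network(target)
    for entry in entries:
        entry_net = _as_network(entry)
        if entry_net is None or target_net is None:
            # At least one side is a hostname: only an exact name match counts.
            if entry.strip().lower() == target.strip().lower():
                return True
        elif target_net.version == entry_net.version and target_net.subnet_of(entry_net):
            return True
    return False


def effective_targets(scan_targets: Iterable[str],
                      always_include: Iterable[str],
                      always_omit: Iterable[str]) -> Dict[str, List[str]]:
    """Merge the job's own targets with the Always group.

    Included entries are added to every scan; omitted entries are removed
    even when the job names them. Assumption for this example: when an entry
    appears in both lists, omit wins.
    """
    # dict.fromkeys keeps first-seen order while removing duplicates.
    candidates = list(dict.fromkeys(list(scan_targets) + list(always_include)))
    scanned = [t for t in candidates if not _covered_by(t, always_omit)]
    omitted = [t for t in candidates if _covered_by(t, always_omit)]
    return {"scanned": sorted(scanned), "omitted": sorted(omitted)}


if __name__ == "__main__":
    # The guide's example: Always includes 10.10.10.60 and omits buffett-laptop;
    # the job asks for 10.10.10.50 and buffett-laptop.
    print(effective_targets(["10.10.10.50", "buffett-laptop"],
                            ["10.10.10.60"], ["buffett-laptop"]))
```

The `omitted` list is worth keeping alongside the scan results: it explains why an asset that a job explicitly named is absent from the findings, which is the situation the note above describes for reports.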
To create an address group:
1. Click the Configure tab, and then click Address Groups.
The address group Smart Group is displayed in the Smart Groups browser
pane:
5. Select a scope to apply to the container: This Object and All Child
Objects, Immediate Children Only.
6. Enter a name and description for the filter.
7. Click Advanced and enter the LDAP query details.
Retina CS ships with attributes already created. You can also add attribute
types and attributes that meet your particular requirements.
You can use the Criticality attribute to weight the importance of an asset in
your environment. Assign the criticality attribute using a Smart Rule or on
the Asset Details page for an asset (see Changing Asset Properties).
To add an attribute type and attribute:
1. Click the Configure tab, and then click Attributes.
2. Click + and then select Attribute Type.
Assets
Attacks
Vulnerabilities
Malware
To create a ticket:
1. Select the arrow for a vulnerability, and then select Create Ticket.
A ticket ID is automatically generated after you save the details for the
ticket.
3. Click Save.
A Smart Rule is autogenerated when a ticket is saved. This Smart Rule is
intended to help you keep track of assets affected by the vulnerability,
attack, or malware. No intervention is required by you.
The next time the Smart Rule is processed, affected assets where
solutions are applied will no longer be part of the Smart Rule. When all
assets have the solution applied, the autogenerated ticket Smart Rule is
removed from the Smart Rules Manager.
The autogenerated ticket Smart Rules are not displayed in the Smart Rules
browser pane.
Managing Ticket Details
To change the details for a ticket:
1. Select the Assets tab, and then select Tickets.
2. Select i.
3. On the Ticket Details dialog box, change the ticket properties as needed.
If you select the Close status, the ticket is no longer displayed on the
Tickets pane.
4. If available, click the x revisions link to view details about activity on
the ticket.
5. Select the Auto-close Ticket check box to close and remove the Smart
Group from the Smart Rules Manager. The ticket is only closed after all
assets are remediated.
6. Click Save.
Later, you can run the Tickets report to view a current list of open
tickets. Select the ticket Smart Group and any other relevant parameters.
Reports will open in a new window. Ensure pop-up blockers are disabled for
the Retina CS web site.
To run a report on existing data:
1. Select the Assets tab.
2. Select the assets, and then click Scan.
3. Select the report, and then click Report.
4. Select the report parameters:
Note that the NONE export type provides a snapshot of the data and
produces results faster than selecting PDF output.
By default, the All check box is selected. Be sure to clear the All check
box if you want to use specific parameters for your report. Selecting All
uses all criteria available for that parameter.
Email report to - Select the check box and enter email addresses.
Separate entries using a comma.
Alternatively, click + and select users or user groups.
The reports will be emailed to the users entered.
If you export the report to PDF output, the list of vulnerabilities in the
document map is displayed as bookmarks in the PDF.
Creating a Report
You can create a report template based on an existing report template.
A report template consists of:
View reports
Access the Manage Report Templates page. For more information, see
Managing Report Templates.
Click the download button and then click Save File to save the
report in PDF format. Enter the report name, or use the default, and
then click Save.
5. The Section Parts pane displays the sections that you can use. Drag a
section part into the middle pane. You can also enter the name of the
Section Parts in the Search box.
6. To remove a section from the report, select the section and select the
garbage can.
7. Click Save.
8. Enter a name for the report and the report category.
9. Click Save.
Audits. An audit contains the vulnerabilities and risks that you want to
search for on your selected assets. The audit information is organized in
audit groups.
The audit groups provided are industry standard and include: SANS20
(All), SANS20(Windows), and Zero-day. For a complete list, see Audit
Groups.
Ports. Select the port or port group ranges that you want to include in
the scan.
Get MAC Address - Scans for the Media Access Control address or
unique hardware number.
Web Scan Depth - Sets the number of links to follow from the
home page.
Enable Force Scan - Run if the targeted devices are not going to
answer SYN or ICMP scanning.
Forces Retina to run protocol discovery on each port of each device
to determine the protocol.
Use this option only in a highly locked-down network where the standard
port scanning methods will be filtered or blocked. Force Scan should not
be used on IP ranges.
Enable WMI Service - Starts (and then stops) the WMI service.
The service is only active during the scan. OFF by default.
Note that you cannot delete an audit group that ships with Retina CS.
To manage audit groups:
1. Click the Reports tab and then the click Manage Report Templates.
2. Select a report and click the arrow to display the menu.
Edit an audit group - Select the audit group from the Audit Groups
pane. You can also type the name of the audit group in the box to
search for the audit group.
6. Select the Automatically enable new audits in this group check box
to add all the new audits selected when created.
7. Click Revert to revert to either the last saved version of the selected
audit group or the default value.
8. Click Update.
Working with Port Groups
Port groups contain the list of ports to scan. You can change the ports
assigned in a port group, add port groups that will be available to all audit
scans, and delete port groups.
Retina CS ships with port groups already configured with a range of ports
(for example, HTTP Ports and Discovery Ports). Note that you cannot
delete a port group that ships with Retina CS.
To change port groups:
1. Click the Reports tab and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Ports in the Settings pane.
5. Click Manage in the Port Groups pane to:
Use the Grid Size slider to adjust the view.
Add a port group - Click + on the Port Groups pane. Enter the
name of the port group and click Create.
Edit a port group - Select the port group from the Port Groups pane.
You can also type the name of the port group in the box to search for
and display the port group.
Remove a port from a group - Select the port, and then select Clear
from the Protocol menu.
Add a port or group of ports - Select the ports, and then select the
protocol from the list: Both, TCP, UDP. The grid is updated with
the corresponding color of the protocol.
To select multiple ports, drag and click on the range. Alternatively,
enter the port number or port number range in the Select Ports box
and click the arrow.
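The port group editing described above amounts to a small data structure: a mapping from port number to protocol (Both, TCP or UDP), fed by port specifications typed as single numbers or ranges, with Clear removing entries. The Python below is an added example of that structure, written for this guide and not BeyondTrust or Retina CS code; the comma-separated "80,443,8000-8100" input syntax, the class and method names, and the port group contents are assumptions made for the example.

```python
"""Port group editor mirroring the Select Ports box semantics
(added example; not Retina CS code)."""
from typing import Dict, Iterator, List

PROTOCOLS = ("Both", "TCP", "UDP")


def parse_port_spec(spec: str) -> Iterator[int]:
    """Expand '80,443,8000-8100' into individual port numbers, validating each.

    Assumed syntax: comma-separated entries, each a port or a low-high range.
    """
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        low, _, high = token.partition("-")
        start = int(low)
        end = int(high) if high else start
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"invalid port or range: {token!r}")
        yield from range(start, end + 1)


class PortGroup:
    """Port -> protocol assignments for one named group."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._ports: Dict[int, str] = {}

    def assign(self, spec: str, protocol: str) -> None:
        """Add ports with a protocol (Both, TCP or UDP); re-assigning overwrites."""
        if protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}")
        for port in parse_port_spec(spec):
            self._ports[port] = protocol

    def clear(self, spec: str) -> None:
        """Remove ports from the group (the Clear action in the Protocol menu)."""
        for port in parse_port_spec(spec):
            self._ports.pop(port, None)

    def ports(self, protocol: str) -> List[int]:
        """Ports scanned over protocol; 'Both' entries count for TCP and UDP."""
        return sorted(p for p, proto in self._ports.items()
                      if proto == protocol or proto == "Both")

    def as_spec(self, protocol: str) -> str:
        """Render the ports for a protocol back into compact range notation."""
        ports = self.ports(protocol)
        ranges: List[str] = []
        i = 0
        while i < len(ports):
            j = i
            # Extend j while the next port continues the run.
            while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
                j += 1
            ranges.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
            i = j + 1
        return ",".join(ranges)


if __name__ == "__main__":
    # Constructed example group, not one that ships with the product.
    group = PortGroup("Example Web Ports")
    group.assign("80,443,8000-8002", "TCP")
    group.assign("53", "Both")
    group.clear("443")
    print(group.as_spec("TCP"), group.as_spec("UDP"))
```

Validating each port against 1 to 65535 at parse time keeps a typo such as a transposed range from silently producing an empty or oversized scan; `as_spec` gives the reviewer a compact view of what a group will actually scan before it is attached to a template.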
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
5. Click Manage in the Audit Groups pane.
6. Click +New Audit to start the Audit wizard.
7. Click Next.
8. On the Audit Description page:
a. Type the audit name.
b. Select the audit category, such as Database, Mail Servers,
Miscellaneous, or Windows.
c. From the Risk Level list, select the severity level that
corresponds to the severity of the vulnerability:
High - Risks that allow a non-trusted user to take control of a
susceptible host.
Vulnerabilities that severely impact the overall safety and
usability of the network.
File Version - Determines if a file exists. The audit can check if the
file exists or not.
The Audit Details page displays parameters based on the audit type that
you select in step 9.
10. Enter the information for the audit type, and then click Next.
Banner audit details - Select the banner protocol, and then type the
banner name.
CGI Script audit details - Type the URL path to the script name.
Registry - Select Path, Key, or Value from the menu. Select the
operating systems that the vulnerability affects.
Note that the registry path cannot contain the selected Hive value.
Mobile Software - Enter the name of the software, and set if software
exists. Can also audit on the version number.
Share - Select user account access on the share, type of access on the
share, and OS version. Optionally, list the accounts by SID.
11. On the Vulnerability Details page, enter the BugTraq and CVE details, as
needed.
BugTraq - A security portal dedicated to issues about computer
security, such as vulnerabilities, methods of exploitation and
remediation.
12. On the Audit Wizard Summary page, click the pencil to change the audit
information.
13. Click Finish.
Reports

Vulnerabilities reports: Access, Discovery Scan, PCI Compliance Report,
Vulnerabilities by Reference, Vulnerabilities Delta, Vulnerabilities.
Attacks reports: Attack, Malware.
Delta reports are useful for comparing changes such as the addition or
removal of user accounts, software, and OS upgrades.
Assets reports: Asset Export, Assets, OS Delta, OS, Port Delta, Port,
Protection Agent Configuration, Service Delta, Service, Share, Software,
Software Delta, User Delta, User, Windows Event Report.
Table 8. Executive Overview reports.
Patches reports: Patches - Lists each patch available and includes a link
to more information for the patch. Each patch also provides the name of
the violated audit.
Table 10. Hardware reports: Hardware Delta, Hardware.
Table 11. Report Name: COBiT Compliance, FERC-NERC, HITRUST Compliance,
ISO-27002 Compliance, ITIL Compliance, MASS 201, NIST 800-53, SOX
Compliance.
Table 12. Protection reports: Protection Policy Differences Report -
Provides a summary of differences in a protection policy. You cannot run
reports on existing data for the Protection reports. This report is
intended to provide configuration information for your Retina Protection
agent policies.
Table 13. Configuration Compliance reports: Benchmark Compliance.
Patch Management reports: Approved Patches, Installed Patches, Required
Patches.
Tickets reports: Ticket.
Table 16. Mobility reports: Mobile Assets, Mobile Vulnerabilities.
Table 17. PowerBroker Windows reports: Applications By Hash, Applications
By Path, Dashboard Report, File Integrity by Asset, File Integrity by
Rule, Shell Rule Executions.

Audit Groups
Access Scan
All Audits
Android
ActiveSync
BlackBerry
Databases
Database Servers
Domain Controllers
FDCC-Windows XP
FDCC-Windows Vista
Mail Servers
SANS20 (All)
SANS20 (Unix)
SCADA
SANS20 (Windows)
Third Party Patch Assessment
Virtualization
Web Applications
Zero-Day
Regulatory Reporting Pack Audit Groups
COBiT Compliance
GLBA Compliance
HIPAA Compliance
HITRUST
ITIL Compliance
ISO-27002 Compliance
NERC/FERC Compliance
PCI Compliance
SOX Compliance
Asset Management
In this section,
Interpreting Scan Results on the Dashboard
Reviewing Asset Details
Risk Scores
Changing Asset Properties
Changing the Display
Setting Display Preferences
Filtering Records
Managing Jobs
Reviewing Job Details
Reviewing Scheduled Job Details
Viewing Scan Event Details
Aborting or Pausing a Job
Changing Job Page Settings
1. Click Show Status to display status detail, including the names of scans.
Hover over the job icon to see more details.
Risk Scores
The risk score indicates the potential for an asset to be attacked. You can
use the risk score to determine which assets need the most urgent attention.
The asset risk score is calculated using factors such as: vulnerability, number
of attacks, exposure (open ports, number of users, shares, for example), and
overall threat level.
Risk scores range from 0 to 9.99:
An asset risk score is displayed in the following areas:
Assets page
Vulnerabilities page
Agents page
Jobs page
Note that you can display a Domain and filter by Domain. If the domain
name is not known or the asset is not part of a domain, then the field is
blank. The Domain filter is not displayed by default.
To set display preferences:
1. Select the Assets tab.
2. Click the preferences button.
Show Filter - Select to always display the filtering text boxes and
lists.
For more information, see Filtering Records.
Filtering Records
Create a filter to match certain records that you want to view on the page.
To set filtering on assets:
1. Select the Assets tab.
2. Select the show filter button to display the filter options.
Managing Jobs
On the Jobs page, you can review:
Job name
Smart Rule
Credentials
Schedule
The Last Refresh Date indicates the date when the Smart Rule was
processed. Assets added or removed after the Last Refresh Date are not
reflected in the Smart Rule.
The Smart Rules are processed every 6 hours. Depending on the schedule
and how frequently assets change in your environment, you might want to
change the refresh rate. Otherwise, assets might not be included in the scan
as you expect. For more information, see Refresh Settings.
3. Click the Report icon to open the report for a completed scan.
Mobility Scanning
In this section,
Overview
Configuring a BlackBerry Connector
Configuring an Android Connector
Deploying the Application to Android Devices
Configuring Settings on Android Devices
Configuring an ActiveSync Connector
Configuring a PowerBroker Mobile Connector
Reviewing Mobility Scan Results
Creating Custom Audits for Mobile Devices
Overview
A mobility scan checks mobile devices against a scan template to determine
whether they have vulnerabilities.
You can use the predefined scan templates that ship with Retina CS or create
a custom scan template. Create a custom template to scan for particular
device software and hardware versions, for example.
Running a mobility scan also retrieves device information such as device ID,
model, and serial number from BlackBerry and Android devices and from
mobile devices managed by an ActiveSync server.
After you create a mobility connector, a Smart Group is created. The Smart
Group name is the same as the connector name. The Smart Group is
populated with the devices that are detected when a scan runs.
4. Click Update.
5. To run the scan now, click Scan Now.
Scan Now is only available after you click Update.
A Smart Group is populated with the devices that are detected when the
connector is created. Go to the Assets page to see the new Smart Group.
Create a configuration file that you can email to your mobile device
users.
The device user needs the password to run the configuration file.
Select the check box to allow Android devices that use the configuration
file to communicate with the server even when the server presents an
untrusted SSL certificate.
Although this option is available, use a trusted SSL certificate instead:
with certificate checking relaxed, the device cannot tell the real Retina CS
server from an attacker on the network path.
4. Click Update.
After you create a connector, an Android connector Smart Group is
displayed in the Assets pane.
If you are using a configuration file, you can distribute the file now by email.
Provide the configuration file password through a different channel so that
the Retina CS Server information in the configuration file remains protected.
USB
After your workstation recognizes the device, copy the APK file.
Note that after the mobile device is configured to communicate with a
Retina CS Server, the Scan Time is dictated by the Android Connector. Any
Scan Time values that have been previously configured in the
BeyondTrustScanner Application will be ignored.
To manually configure the Android application:
1. Tap the BeyondTrustScanner application.
2. Set the following on each device:
Notifications - Tap to turn on notifications.
Updates on the status of scans are displayed to the user.
Server - Enter the IP address and port for the Retina CS server.
Enter the default port (21691) that is opened when a connector is
created.
3. Tap Synchronize.
If your server settings are correct and the server is reachable, a list of
Android Connectors that match the Authentication Code is displayed.
4. To register the device with the Retina CS Server, select an Android
Connector from the list.
4. Click Update.
After you create a connector, an ActiveSync Smart Group is displayed in the
Assets pane. The Smart Group will be populated with assets after a scan
runs.
Creating Custom Audits for Mobile Devices
The procedure to create a custom audit is the same as in Creating a Custom
Audit.
The following audit types are specific to mobile devices:
Mobile Software
BlackBerry Device
ActiveSync Device
Android Device
Cloud Scanning
In this section,
Requirements
Amazon EC2 Requirements
VMWare VCenter Requirements
Configuring a Cloud Connector
Scanning Paused or Offline VMWare Images
You can run scans on the following cloud types: Amazon EC2, VMWare
vCenter, GoGrid, Rackspace, and IBM SmartCloud.
Requirements
Before you create a cloud connector, ensure the following requirements are
in place.
Amazon EC2 Requirements
To use the Amazon EC2 connector, the AWS credentials that the connector
stores must be granted the following EC2 API actions (IAM permissions), as
recommended by Amazon:
ec2:DescribeInstances
ec2:DescribeInstanceStatus
ec2:StartInstances
ec2:StopInstances
ec2:DescribeImages
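The five actions above translate into a policy document for the IAM user whose access key the connector stores. The following is an added example, not code from Retina CS or from AWS documentation: it builds a least-privilege policy granting exactly those five actions and audits any policy document for actions that are missing or broader than the list (a wildcard such as ec2:* satisfies the five actions but also grants everything else in the service). The policy JSON, the audit logic and the use of Resource "*" (the Describe calls do not support resource-level permissions) are this example's own assumptions.

```python
"""Least-privilege IAM policy for the Retina CS EC2 connector, plus an audit
that flags missing or excess permissions.

Added example, not part of Retina CS or AWS documentation. The five actions
are the ones the user guide lists; the policy document and the audit logic
are this example's own."""
import fnmatch
import json

REQUIRED_ACTIONS = {
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:DescribeImages",
}

# Policy to attach to the IAM user whose access key the connector stores.
# The Describe* calls do not support resource-level permissions, so the
# statement has to use Resource "*".
CONNECTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}
    ],
}


def policy_json():
    """The policy document as you would paste it into the IAM console."""
    return json.dumps(CONNECTOR_POLICY, indent=2)


def allowed_actions(policy):
    """Every action pattern granted by an Allow statement (Deny is ignored)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def _matches(pattern, action):
    # IAM action names are case-insensitive and accept the * and ? wildcards,
    # which fnmatch implements.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy, required=REQUIRED_ACTIONS):
    """Return (missing, excess).

    missing: required actions that no Allow statement grants.
    excess:  granted patterns that are wildcards (they reach beyond the list)
             or explicit actions the connector does not need."""
    granted = allowed_actions(policy)
    required_lc = {a.lower() for a in required}
    missing = {a for a in required if not any(_matches(p, a) for p in granted)}
    excess = {p for p in granted
              if "*" in p or "?" in p or p.lower() not in required_lc}
    return missing, excess
```

Run audit_policy against the JSON of the policy actually attached in IAM before you save the connector. StartInstances and StopInstances are the two write actions in the list; whether your deployment needs them depends on whether the connector has to power instances on for scanning, so if you remove them, use the connector's Test button afterwards to confirm it still works.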
VMWare VCenter Requirements
VMWare Tools must be installed on the targets that you want to scan.
Log on to the VMWare web site and download the Virtual Disk
Development Kit (VDDK):
http://www.vmware.com/support/developer/vddk/
Retina only supports version 5.1 of the VDDK. Ensure you copy the
following file: VMware-vix-disklib-5.1.0-774844.i386.exe
GoGrid - Select the account type, enter the user name and API key.
Rackspace - Select the account type, enter the user name and API
key.
IBM SmartCloud - Select the region, enter the user name and
password.
After you configure the connector, click Test to ensure the connector
works.
8. Click Save.
9. In the Perform Actions area of the Smart Rules Manager, select Show
asset as Smart Group, and then click Save.
After you create a cloud connector, you can run a scan and review the results
to determine if any cloud assets are vulnerable.
Scanning Paused or Offline VMWare Images
By default, paused or offline VMs are turned on during a scan. After the scan
runs, the VMs are reverted to the paused or offline state. To scan offline
VMs, see Scanning VMDK Files.
If you suspect that a VM is compromised, you can power it on in an isolated
network where it cannot threaten other VMs. The scan runs as usual, and the
VM is then reverted to its paused or offline state.
When creating the connector click the Advanced button. You can configure
each host that is a member of the vCenter instance.
The option that you select applies to all VMs on the host.
Note: The advanced options dialog box varies depending on your vCenter
configuration. The list of available options includes all other
networks configured for your vCenter instance or on your ESX
server.
Scanning VMDK Files
You can scan a VMDK file rather than turning on a VM. Ensure the check box
for this option is selected.
Scan times are faster when VMs remain powered off. However, scan results
might differ from scan results for VMs powered on (for example, open ports
and running processes might not be detected for VMs powered off).
Multi Tenant
Not supported in Retina CS Community.
Overview
Smart Rules Manager
Working with Credentials
Quick Rules
Organization Filters
Patch Management Module
Mobility Connectors
Retina Protection Agents
Setting Up Organizations
Step 1 Creating a Workgroup
Step 2 Adding an Organization
Step 3 Creating a User Group for a Tenant
Overview
The Multi Tenant feature in Retina CS allows you to define multiple
organizations (or tenants), where each organization's asset data is kept
isolated from all other organizations. Only Smart Rules marked as Global can
combine asset data across multiple organizations.
Most Retina CS features are available with Multi Tenant, including:
Smart Rules
Mobility connectors
Smart Rules Manager
Create Smart Rules in the usual way. For more information, see Creating a
Smart Rule.
You can easily switch between tenants on the Smart Groups browser pane
and on the Smart Rules Manager page.
Quick Rules
When you create a quick rule from the Vulnerabilities page or the Attack
page the rule applies to whichever organization is selected in the Smart
Groups browser pane.
When you create a quick rule from the Address Group, you can select the
organization.
Organization Filters
When working with more than one customer, use the Organization filters to
see only assets, Retina scan agents, or Retina protection agents associated
with a particular customer.
The Organization filter is only displayed if more than one active organization
is available to the currently logged-on user.
Additionally, when managing your user groups, you can filter Smart Rules by
organization.
Patch Management Module
If you are using Multi Tenant, note the following when using the Patch
Management Module:
When creating a Smart Rule, the credentials displayed are only for the
selected organization.
Credentials created when you create the Smart Rule are only associated
to that organization.
The list of available WSUS servers includes all global connections plus
any specific to the organization.
For more information, see Patch Management Module.
Mobility Connectors
You can associate an organization with any of the mobility connectors.
Select the organization when creating the connector.
For more information, see Mobility Scanning.
Retina Protection Agents
A workgroup is required when deploying Retina protection agents in a Multi
Tenant environment.
For more detailed information about deployment, see Deploying the
Protection Policies.
Selecting a Workgroup
For unknown assets (assets not scanned by Retina CS), you must select a
workgroup associated with the organization. Assets might be unknown when
using the settings:
Single IP address
IP range
CIDR notation
Named Hosts
Creating a Workgroup
The workgroup name must be unique across all organizations. If you enter a
name that exists, an error message is displayed.
Note that you cannot enter a workgroup name when Global is selected in
the Smart Groups browser pane.
Viewing the Workgroups Available
The workgroups displayed depend on the item selected in the Smart Groups
browser pane.
Setting Up Organizations
Key steps in setting up the organization
Create a workgroup
Create an organization
Step 1 Creating a Workgroup
You can add and delete workgroups. However, you cannot rename
workgroups.
You can only delete a workgroup if it is not associated with an organization,
mobility connector, Retina scanner or Protection agents.
Use the REM Client Configuration tool to create a workgroup.
To create the workgroup:
1. Log on to the asset where the agent resides.
2. Start the REM Client Configuration Tool.
3. Select the Enabled Application tab, and select the check box for the
agent.
4. Select the Workgroup tab and enter a name and description.
5. Click OK.
Step 2 Adding an Organization
An organization is automatically populated with an All Assets Smart Group.
To create an organization and associate with a workgroup:
1. Click the Configure tab, and then click the Organizations tab.
2. Click the Create New Organization button.
3. Enter the name of the organization.
The Active check box is selected by default and must be selected to
successfully run scans on the tenant's assets.
4. Click the Create button.
5. Scroll to the Workgroups tab.
6. Click the edit icon for the organization, and then select the organization.
Managing Users
Not supported in Retina CS Community.
In this section,
Creating User Groups
User Group Permissions
Access Levels
Creating User Accounts
Reset Retina CS Account Password
Auditing Retina CS Users
Create user groups and user accounts so that your Retina CS administrators
can log on to Retina CS.
You can delegate Retina CS administrator responsibilities by explicitly
assigning certain Read and Write permissions to a user group. After a user
group is created, create and add user accounts to the group.
User Group Permissions
The following permissions can be assigned to a user group:
Asset Management
Attribute Management
Benchmark Compliance
Credential Management
Deployment
Option Management
Patch Management
Protection Policy Management
Reports Management
Retina CS Login
Retina Insight
Scan Management
Session Monitoring
Ticket System
User Accounts Management
User Audits
Access Levels
Each permission is assigned one of the following access levels:
No Access
Read
Configure tab item - Governing permission
Accounts - Asset Management
Address Groups - Asset Management
Attributes - Asset Management
Benchmark Management - Benchmark Compliance
Cloud Connections - Asset Management
Mobile - Asset Management
Organization
Patch Management - Patch Management
SCCM - Patch Management
Protection Policies
Scan Options - Scan Management
Services
User Audits - User Audits
Workgroups
Later, after you create a user, you can change the group membership. Change
the view to the Users view. Select a user account and change the group
membership.
Auditing Retina CS Users
If there are a lot of audit activities, you can use the search feature to display
only those that are relevant. You can also configure display preferences and
filters to refine the information displayed. For more information, see
Changing the Display.
The following example shows that the Administrator added and then
removed an address group.
Adding Credentials
You can create the following credential types: Windows, MySQL, and MS SQL
Server. SSH and Oracle credentials are described in the sections that follow.
Retina scanner agent version 5.14 (or later) is required to support this
feature.
To add a credential:
1. On the Set Scan Options page, expand Credentials Management and
click the pencil icon.
2. Click Add.
3. Select a credential type from the list: Any, Windows, MySQL, MS SQL
Server.
4. Enter the user account information: domain, user name, password, and
key.
5. If you are creating Microsoft SQL Server credentials, select the
authentication type.
6. If you are creating more than one credential, you can use the same
confirmation key for all credentials. Select the Use the same key for all
check box, and then enter the key.
7. Click Save.
Creating an SSH Credential
You can create public key credentials to connect to SSH-configured targets.
You can select a credential that contains a public/private key pair used for
SSH connections.
DSA and RSA key formats are supported.
Optionally, when configuring SSH, you can select to elevate the credential:
Use sudo. Using sudo, you can access scan targets that are not
configured to allow root accounts to log on remotely. You can log on as
a normal user and sudo to a more privileged account. Additionally, you
can use sudo to elevate the same account to get more permissions.
Use pbrun. Using pbrun, you can elevate the credential when working
with PowerBroker Servers for Unix & Linux target assets.
Public Key - Enter the private key file name and passphrase. Click
Browse to navigate to the file.
A public key is generated based on the contents of the private key.
sudo - Enter a sudo user name and password. You can use the user
name provided in the Username box and leave the sudo user name
blank.
Grant the scan account only the sudo rights that the audits need, since the
same credential is used on every target in the scan.
8. Click Save.
Creating Oracle Credentials
If you are scanning Oracle databases, you can create Oracle credentials.
The tnsnames.ora file is updated automatically after you create an Oracle
credential.
To create Oracle credentials:
1. On the Set Scan Options page, expand Credentials Management and
click the pencil icon.
2. Click Add.
3. From the Type list, select Oracle.
4. Provide a user name, description, and password.
5. Select an access level from the list: Standard, SYSDBA, or SYSOPER.
6. Select additional connection options:
Connect To - Select from: Database SID, Named Service.
Host - Enter the host name where the Oracle database resides.
7. Enter a key.
8. Click Save.
Adding Credentials for Active Directory Access
You can add credentials to access a particular Active Directory domain. Add
credentials for each forest/domain combination.
To add Active Directory credentials:
1. Click the Configure tab then select the Accounts tab.
2.
3.
4.
5.
6. Click Test.
Success is displayed when the credentials provided can successfully
contact the domain.
7. Click OK.
4. Click Update.
Display Options
You can turn on auto-expansion and set the number of items to display per
page.
To set display options:
1. Select Options.
2. On the Application Options dialog box, expand Display Options.
3. Select the Yes check box to open the report in a new window.
This feature is available only with reporting on existing data.
4. Enter the number of items to display per page.
5. Select the Yes check box to turn on auto-expansion.
6. Click Update.
Email Notifications
The email notification sends an email when an error occurs while running
reports.
The email address is stored in the Retina CS database.
Note: Email settings are initially set in the Retina CS configuration tool.
Ensure that you use the same information here.
To add an email address for notification:
1. Select Options.
2. On the Application Options dialog box, expand Email Notification
Options.
3. Enter an email address in the From Email Address box.
4. Verify the SMTP server name and port.
5. Enter the username and password.
6. Click Update.
Maintenance Options
You can remove collected data from the Retina CS database. Configure the
number of days to retain data.
Not all maintenance options are supported in Retina CS
Community.
To specify the maintenance options:
1. Select Options.
2. On the Application Options dialog box, expand Maintenance Options.
3. Enter the number of days that pass before data is purged.
Purge Retina Agent Jobs every N days - Purges jobs. The default
value is every 30 days. Enter 0 if you do not want to purge the jobs.
Purge Chart Data Older Than - Purges chart data. The default
value is 90 days.
Purge Scans Older Than - Purges the raw information sent by the
protection agents and Retina agents. Recommended: 7 days.
Purge FIM Events Older Than - Purges the File Integrity events
captured by PowerBroker for Windows.
Purging removes the data from the Retina CS database, so before you shorten
a retention period, confirm that scan history and FIM events are retained
elsewhere (for example, in database backups or exported reports) for as long
as your incident response and audit requirements demand.
4. Click Update.
Proxy Settings
You can configure a proxy server if the Retina CS server does not have
direct Internet access.
To set up a proxy server:
1. Select Options.
2. On the Application Options dialog box, expand Proxy Settings.
3. Select the Yes check box.
4. In the Address box, enter the IP address or domain name of the proxy
server.
5. Enter the user name and password for the proxy server.
6. To override any local proxies, select the Yes check box.
7. Click Update.
Refresh Settings
You can set refresh intervals for scan jobs and Smart Rules.
Scans can run more efficiently when Smart Rules are set to refresh at longer
intervals.
To set refresh settings:
1. Select Options.
2. On the Application Options dialog box, expand Refresh Settings.
Maintenance
Viewing Status for Scanners and Agents
Determining if a Retina Agent is Available
Removing Retina Agent Files
Configuring a Failover Agent
Diagnostics
Monitoring Services
Creating a Support Package
When you are setting up a scan, there is a warning icon next to an agent
name.
Clean RCS Files - Removes all jobs for the selected agent,
including scheduled, queued, and completed jobs.
7. Click OK.
You can configure a failover agent timeout on the Configure tab. The default
timeout is 15 minutes.
Diagnostics
Not supported in Retina CS Community.
In this section,
Monitoring Services
Monitoring Services
On the Services page, you can:
Turn off debug logging after you finish troubleshooting Retina CS to
improve performance.
To change the credentials for the service:
1. Select the Configure tab.
2. Select the Services tab.
3. Click the button as shown:
Discovery Scanning
Run a discovery scan to locate network assets, such as workstations, routers,
laptops, and printers. A discovery scan also determines if an IP address is
active.
You can periodically repeat the discovery scans to verify the status of
devices and programs and the delta between the current and previous scan.
Note that discovered assets do not count toward your license.
Running a Discovery Scan
You run a discovery scan in the same way as a vulnerability scan. See
Running a Vulnerability Scan for a step-by-step procedure.
Review the following recommended discovery scan settings.
On the Scan Policy Options page:
Perform OS Detection
Perform Traceroute
Enumerate *
Randomize Target List - Select this check box.
Change the settings on the Edit Scan Settings page. See Configuring Scan
Settings.
Use more than one scanner to distribute the coverage across the network.
Create a Smart Group that includes the address group or query as the
filter. Ensure the discover assets check box is selected.
Note that you can use the Discover New assets check box on any scan.
However, the scan is slower when this option is selected.
It is recommended that you run a discovery scan at a regular interval (for
example, monthly or weekly schedule). Full vulnerability scans can then run
only on known targets.
Running a Vulnerability Scan
When you run a scan in Retina CS, you must select a report template to
determine the scope of the scanning. For a complete list of report
templates, see Reports Templates and Audit Groups.
Determine the assets to include in the scan. For example, you can create
Smart Groups, enter IP address ranges, or list named hosts.
Note that on the Assets page, you can individually select the assets to scan.
Notify when complete - Select the check box and enter email
addresses. Separate entries using a comma.
Alternatively, click + and select users or user groups.
Email notification is sent when the scan and report are complete.
Email report to - Select the check box and enter email addresses.
Separate entries using a comma.
Alternatively, click + and select users or user groups.
The report will be emailed to the users entered.
One Time - Select to schedule jobs to run one time. Select the start
time and date.
Monthly - Schedules jobs for the day of the month selected for
every month selected. Options include the
first/second/third/fourth and last day of the month selected.
You can delete or change the recurring scan job later on the Jobs
page. See Managing Jobs.
9. Select Abort the scan if it takes longer than and enter the time in
minutes to restrict the length of time the scan runs.
10. Click Start Scan.
11. Click Show Status to view the progress of the scan. You can also view
the progress on the dashboard or through the Jobs page.
You can create Smart Rules based on vulnerabilities. Using this tool provides
additional filtering of the selected assets.
Patches - The number indicates the patches that can fix the
vulnerability.
Click the button to review more information about the patches.
For more information, see Managing Patch Updates.
Excluding Vulnerabilities
You can exclude vulnerabilities from the display so that only those that
require remediation to satisfy regulatory compliance are shown.
Depending on your environment, accepted vulnerabilities (or false positives)
might be reported in the scan. For example, if Anonymous FTP is configured
deliberately on your network, it is reported as a vulnerability in your scan
results. Because this finding does not require remediation (a patch or
compliance update), you can exclude it from the scan results.
Records for exclusions reside in the database. During an audit, you can
remove the exclusion on the record.
You can run the Vulnerability Exclusions report to keep track of the
exclusions. The report includes the reason for the exclusion and the expiry
date.
Note: Vulnerability exclusions do not apply to the parent Smart Group
when the exclusion is set at a child Smart Group.
To set or remove the exclusion property on a vulnerability:
1. Select the Assets tab.
2. Select the Vulnerabilities tab.
5. Click Save.
Review more information about the malware toolkit and the recommended
mitigation action.
Remediating Vulnerabilities
You can remediate vulnerabilities by viewing solutions on the Vulnerability
Details page.
You can use the ticket system to assign a vulnerability or attack to a member
of your security team. See Working with Tickets.
1. Select the Assets tab, and then click Vulnerabilities.
2. Click i for a vulnerability.
A description and solution are displayed.
The Mitigation column provides information on action to take to remediate
the vulnerability.
You must be familiar with CVSS scoring definitions and concepts. Refer to
the CVSS Scoring Guide.
Setting CVSS Environmental Metrics
The environmental metrics are based on your security plans. Determine the
level of impact a vulnerability has on your assets and assign environmental
metrics accordingly.
You can create a Smart Group that includes the assets where you want to
assign the environmental metrics.
To set the environmental metrics on assets:
1. Select the Assets tab.
2. Click Manage Smart Rules.
3. Click New Rule.
4. Enter a name and description, and set the Smart Rule criteria that
determines the scope of the assets.
5. In the Perform Actions area, select Set Environmental CVSS Metrics.
6. Select the metrics from the corresponding lists.
7. Click Save.
Later when you edit the Smart Group, the Show asset as Smart Group list is
also displayed, as shown:
If you override the TCP connection limit, the TCP incomplete connections
limits are removed for all applications during the scan.
Timeout Values
Configure ping and data timeout values to compensate for network latency.
If pings are not returning in time for Retina to detect them, increase the ping
timeout value.
To configure scan options:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the Scanner tab.
4. In the Performance area, configure the following settings:
Number of Simultaneous scan targets - Set the number of
targets to scan simultaneously.
The maximum is 128 targets.
6. Click Save.
Event Routing
Turn on event logging to send scan data to Retina CS, including:
Port information
Services
6. Click Save.
One scan only. Configure the restricted scan time when you are
configuring the scan.
5. Select the Abort in progress scans check box to stop all scans that are
running when the scan restriction window starts, otherwise running
scans are paused and then resume when the scan restriction ends.
Check for updates when launching Retina - Select the check box
to check for updates when you start Retina.
6. Set a timeout value for a failover agent. To configure a failover agent, see
Configuring a Failover Agent.
7. Set maintenance options to purge Retina information.
8. Set the minutes that pass before Retina checks for updates from the
Central Policy server. The default value is 15 minutes.
9. Click Save.
Scanner Pooling
You can use scanner pooling to select more than one scanner agent when
scanning a large number of assets. When more than one scanner is selected
for a scan job, the list of target assets is divided among the selected scanners
in a round-robin style, evenly distributing the target scan range.
To use scanner pooling, select more than one scan agent when running a
scan, or use the "Set Scanner" action in a Smart Rule to lock a set of
scanners to that Smart Group.
Note that when using scanner pooling, you cannot automatically generate a
report when a scan finishes.
6. Click the browse button to select the scanners to associate with the
Smart Group.
8. Click Save.
Note that on the Job Details page, the agent name indicates if the scanner is
part of a pool.
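As the guide describes it, the round-robin split evenly distributes the target scan range, so the unit being dealt out is the individual host rather than the expression you typed; a Smart Group that mixes one large CIDR block with a few named hosts still ends up balanced. The following added example (not Retina CS code) models that split. The target syntax it accepts (single IP address, CIDR block, dotted start-end range, named host) is an assumption based on the forms the guide names, and the sample targets and scanner names are constructed.

```python
"""Round-robin distribution of a scan target list across a scanner pool.

Added example, not Retina CS code: it models the division of targets that
the guide describes. The target syntax accepted here (single IP address,
CIDR block, dotted start-end range, named host) is an assumption based on
the forms the guide names; sample targets and scanner names are constructed."""
import ipaddress


def _as_range(target):
    """Return (start, end) addresses for 'a.b.c.d-w.x.y.z', else None."""
    if "-" not in target:
        return None
    try:
        start, end = (ipaddress.ip_address(p.strip()) for p in target.split("-", 1))
    except ValueError:
        return None  # a hostname such as dc01-web.corp.example, not a range
    if end < start:
        raise ValueError(f"range end precedes start: {target}")
    return start, end


def expand_target(target):
    """Yield each host that one target expression covers."""
    target = target.strip()
    if "/" in target:
        net = ipaddress.ip_network(target, strict=False)
        # /31 and /32 have no 'usable hosts' in the classic sense: scan every address.
        addresses = net.hosts() if net.num_addresses > 2 else iter(net)
        for addr in addresses:
            yield str(addr)
        return
    bounds = _as_range(target)
    if bounds:
        current, end = bounds
        while current <= end:
            yield str(current)
            current += 1
        return
    yield target  # single IP address or named host


def distribute(targets, scanners):
    """Deal the expanded host list out to the scanners in round-robin order.

    Returns {scanner: [hosts...]}. Host i goes to scanner i mod N, so every
    scanner receives either floor(n/N) or ceil(n/N) hosts regardless of how
    the original target list was written."""
    if not scanners:
        raise ValueError("scanner pool is empty")
    assignment = {scanner: [] for scanner in scanners}
    hosts = [host for target in targets for host in expand_target(target)]
    for index, host in enumerate(hosts):
        assignment[scanners[index % len(scanners)]].append(host)
    return assignment


def imbalance(assignment):
    """Busiest minus idlest scanner, in hosts; round-robin keeps this at 0 or 1."""
    sizes = [len(hosts) for hosts in assignment.values()]
    return max(sizes) - min(sizes)


# Constructed sample: one /29, a dotted range, a hostname and two single hosts.
SAMPLE_TARGETS = ["10.0.0.0/29", "192.168.1.10-192.168.1.12",
                  "dc01-web.corp.example", "172.16.0.5", "10.9.9.9/32"]
SAMPLE_POOL = ["scanner-a", "scanner-b", "scanner-c"]
```

Because the split is by host, adjacent addresses go to different scanners; when a scanner in the pool sits behind a firewall that only reaches part of the range, lock the scanners to separate Smart Groups with the Set Scanner action instead of pooling them.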
PowerBroker for Windows
Create File Integrity rules in PowerBroker for Windows and manage the
results in Retina CS.
Sort and filter data into useful reports and generate PowerBroker rules
for applications based on user needs for privilege elevation. This is a
best-practice approach for discovering applications and constructing
quick and concise rules for any user or computer.
Overview
An administrator can then create policies and rules that are stored in
the AD domain.
For detailed instructions on Smart Groups, see Working with Smart Rules.
Arguments can be included when creating the following rule types: Path,
hash, .msi.
Creating rules for a denied application (28698) will include arguments when
the check box is selected.
4. Click Save.
Deploying Policies
Create your rules and policies in PowerBroker for Windows as usual.
Create Smart Rules to determine the assets where the policies need to be
deployed.
To use Retina CS to deploy PowerBroker for Windows policies:
1. Log on to Retina CS, and then go to the Smart Rules Manager.
2. Select the PowerBroker for Windows assets and the policy that you want
to deploy.
3. Click Save.
Reviewing Policies
You can review the list of policies available from PowerBroker for Windows
on the Configure tab.
Session Monitoring
You can track the following events:
Keystroke logging
Mouse events
Process events
Screen captures
Keystroke logs and screen captures can contain passwords and other sensitive
data, so grant the Session Monitoring permission only to the staff who need
to review sessions.
On the Session Viewer page, you can view more details about the
events.
4. Double-click an event (or click i) to view more details about the event
on the right pane.
Filtering Events
You can filter the events that are displayed in the Session Viewer.
When viewing screen captures, you can zoom in and zoom out, and scroll
through all of the screen captures saved during the session.
If there is more than one monitor for an asset the Session Viewer displays
the following titles: Display1, Display2...
Patch Management Module
Overview
Use the Patch Management Module to deploy important patches to selected
assets.
Note: Using the Patch Management Module does not override any
automation policies you might have in place with your existing
Windows Server Update Services (WSUS) configuration. Those
policies are retained and applied as usual.
How Patching with WSUS Works
Retina CS integrates with WSUS to facilitate Microsoft and third-party
patching. Retina CS uses WSUS as the patching engine and effectively
becomes a management console to WSUS.
You must be familiar with WSUS features to understand the Retina CS
integration with WSUS. The WSUS client is built into the Microsoft OS,
however, it needs to be enabled and configured. In typical WSUS-only
environments this is accomplished through GPOs. When using Retina CS,
clients are enabled and configured through Retina CS.
The Retina CS configuration and patch deployment process is outlined here.
Microsoft IIS 7.0. Ensure the following components are turned on:
Windows Authentication
ASP.NET
Note that .NET Framework 2.0 and BITS 2.0 update are part of the
Windows Server 2008 OS.
Adding a Connection
You can create a connection to an upstream and downstream server.
The downstream server synchronizes with the upstream server to manage
patch updates. Note that downstream servers are configured in WSUS.
To connect to a WSUS server:
1. On the Retina CS console, select Configure, and then click the Patch
Management tab.
Alternatively, on the Dashboard, click Mitigate.
2. Click +, and then enter the server name, port number, and credentials
for the server.
Ports available: 80, 8530, 443 (SSL), or 8531 (SSL).
3. Click Test Connection to ensure the information is correct.
Note: The WSUS Administration Console must be installed if WSUS
and Retina CS are not on the same server. For more information,
see Installing the WSUS Administration Console.
4. Click Save.
5. After you connect to a WSUS server, set the following options.
Groups - Select the check boxes for the groups that already exist in
WSUS. Additionally, select synchronization frequency, credentials,
and how you want patches applied.
After you click Save, a patch-enabled Smart Group for each WSUS
group that you selected is displayed in the Smart Groups browser
pane.
Every / At - Select a day and time the client computers will poll the
WSUS server.
7. Click Save.
After clicking Save, the following occurs:
If the client has the Retina Protection Agent (v. 4.7 or greater),
registry changes occur through the Central Policy connection.
If the client does not have the RPA, registry changes occur through
the Remote Registry API. Remote Registry service must be enabled
on the client. The supplied credentials must have permissions for
Remote Registry.
If the first two fail, then registry changes are facilitated through
WMI, a service running on the endpoint.
Retina CS uses the supplied credentials to access and edit the client's
registry. The client is configured for WSUS and then pointed to the
WSUS Server. All other relevant registry parameters are set; see:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
The client is now configured to poll WSUS for any approved updates; this is
standard WSUS client behavior. Note that polling may not occur
immediately and it may take up to 6 hours for WSUS clients to display as
patch-enabled assets in Retina CS.
The patch group is displayed in the Smart Groups browser pane.
After the group is registered, you must approve the patches that you want to
apply to the assets.
Updates are installed during the time that you selected in step 6.
Redeploying Configuration
You might need to redeploy the Smart Rule configuration settings in the
following scenarios:
Note that on the Approvals page, the most recent patches available are
always displayed. Any older patches superseded by new patches are no
longer displayed. You can, however, select the Show Superseded Patches
check box to review older patches not applied.
To display the Superseded column, click the Preferences button and then
select Superseded.
The assets are set to check in with the WSUS server every hour.
If you select All Groups, and a group already has approved patches, the
menu changes to Keep existing approvals. This ensures that all previously
approved patches will still be deployed at the scheduled time.
Select Decline to remove the patch from the Not Installed list.
Selecting Not Approved does not apply the patch to the selected Smart Group.
However, the patch is still displayed in the Not Installed list.
Reviewing Patch Details
Click i to review more information about the update.
Click Apply Patch Now to install the update to the designated assets.
When selected, the clients are forced to check in with WSUS. The patch is
applied immediately regardless of the installation settings in the Smart Group
associated with the clients. The credentials in the Smart Group are used to
apply the patch.
Note that the client evaluates and downloads the patch before the
installation occurs.
Deleting Patches
You can delete patches either on the Asset details page or on the approval
page where patches are listed.
Third-Party Patching
You can download and deploy patches for third-party products such as
Adobe, WinZip, and Apple. For a complete list, see List of Supported
Vendors.
You can subscribe to vendor patches through the Retina CS Configure tab.
Generating a Certificate
After setting up a connection to WSUS, a Third Party section is available.
A message indicates that a certificate is required when you initially log on
and go to the Third Party section. The certificate establishes trust between
the WSUS server and the client.
If the WSUS connection is configured to use SSL, you can use the Import
button on the Third Party Certificate tab to import an external certificate or
use the Generate button to create a self-signed certificate.
Note that if the upstream server has a third-party certificate, then the
downstream server automatically receives the certificate. The certificate
feature is not available for only downstream servers.
Click Generate.
Self-signed Certificates
If you are using a self-signed certificate for 3rd Party Patching, Windows
sometimes deletes it automatically.
If Windows finds a discrepancy with an intermediate certificate on the server,
it checks the certificate against its list of approved certificates. If it
does not match, Windows removes it and logs the following in the Application
log:
Event ID: 4108
Successful auto delete of third-party root certificate
3. Select the check boxes for the vendor products, and then click Save.
Adobe Acrobat
Adobe Reader
Adobe Shockwave - Firefox/IE
Apple Incorporated
Safari
Foxit Corporation
Foxit Reader
Google Incorporated
Chrome
7-Zip
Mozilla Foundation
Mozilla Firefox
Opera Browser
Oracle Corporation
Sun Java
Skype Limited
Skype
win.rar GmbH
WinRAR
WinZip
Overview
The SCCM feature in Retina CS offers you a way to create a connection to
your SCCM server and manage deploying software packages to selected
collections.
An important difference between traditional Smart Groups in Retina CS and
the SCCM Smart Groups is that asset data is gathered from the collections in
SCCM and is stored in the Retina CS database. The assets have not been
scanned by Retina CS. You can use the synchronize feature on the SCCM
configure page to ensure the most current data resides in the Retina CS
database.
The package deployment feature in Retina CS is similar to SCCM and offers
most of the options that you are already familiar with.
Requirements
The client must have SCCM installed or patches cannot be deployed and
applied.
The SCCM Smart Groups are not patch-enabled like the WSUS Smart
Groups.
Site Status - Displays a site status only. Includes such information as:
current status, site code, server availability (online or offline), event
information, version.
A unique identifier (the site code) is added to every SCCM Smart Group.
This helps to identify the SCCM Site Server where the collection is from.
3. Click Updates.
4. Review and select updates, and then click Deploy.
Enable Wake On Lan when the deadline for this deployment has
been reached
7. Click Deploy.
You can keep track of the successfully deployed packages on the Job
page.
Using Group Policy to Configure SCCM Assets for 3rd Party Patches
Configuring SCCM assets to accept 3rd Party Patches involves two steps:
Enter a file name for the certificate and go through the remaining
pages of the wizard.
Overview
This section provides information on how the Retina Protection agent
deployment works.
How RP Agent Deployments Work
The Application Bus service receives a message from Retina CS to
start a deployment. A deployment package is created and includes
these files:
BlinkSetup.exe
#deploy.xml
deployc.pfx
msxml3.dll
msxml3r.dll
startdeplservice.exe
Use the 3rd Party Deployment tool. See Using the 3rd Party
Deployment Wizard.
Serial number - Enter the serial number for the Retina Protection
Agent.
5. Click Next.
6. To activate central policy, select the Use Central Policy check box.
7. Click Next.
8. Select the Send REM events check box to activate REM events.
9. Click Next.
10. Enter your registration information and click Next.
11. Enter the URL to download updates. Click Next.
Note: Turn off the Require SSL setting in IIS Manager for the Retina CS
default web site.
Otherwise, the status displayed does not indicate when the
deployment has successfully completed.
If you are only assigned the Deployment permission, the last section of the
serial number is displayed and the Save as Default button is not displayed.
You can clear the Use Default Serial check box at any time and then enter
another serial number.
For more information about permissions, see User Group Permissions.
Reviewing Details about Protection Agents
You can review the following information for a protection agent on the
Agents tab:
Policy name
Operating system
When there is more than one rule group attached to a policy, the rules for all
attached groups are automatically merged into an effective set of rules for
the policy.
In the case where a specific rule is set in more than one attached group, the
group that is located higher in the list of attached groups takes priority. You
can click and drag on attached Rule Groups to modify their ordering and
thus their resulting relative priority.
Retina CS ships with a set of default rules. Each new policy automatically
inherits these default settings. Some rules are on while others are off.
Changing a default value is considered an override even if that setting is later
changed to its default state. This is important to understand since a rule
setting override is considered when multiple Rule Groups are merged in a
given Policy, but rules considered to be in their factory default state are
not.
To remove all rule setting overrides from a rule category in a Rule Group,
select that category and click the arrow next to the category title. In the
context menu that appears, select Revert to factory.
Case 1: In Group B, that rule is set to on. The rule in Group A has never
been changed and is considered the default. The effective merged rule
setting will be on.
Case 2: The rule in Group B is set to on, but in Group A that rule has
been set to on previously, but later set to off. Since this off
setting is now considered an override over the default setting, the
effective merged rule setting will now be off.
Case 3: The rule category where this rule resides is reverted to factory
default for Group A and now the effective merged setting is once again
on, this case now being identical to the first.
Master Rules
Every policy has a set of Master Rules which can be considered a non-shared
Rule Group (it is specific to one policy only) that always has the highest
priority when rules are merged. Any rule set in the Master Rules section will
override the same rule setting in any attached groups.
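The merge behaviour described above (ordered attached groups, override versus factory default, the three cases, and Master Rules), as an added Python example that is not BeyondTrust's code; the rule names, the two sample groups and the data structures are constructed for illustration.

```python
"""Added example (not BeyondTrust code): the Rule Group merge semantics the
policy section describes. Rule names, sample groups and structures are
constructed for illustration."""
from dataclasses import dataclass, field

# Constructed factory defaults: rule name -> on/off as shipped.
FACTORY_DEFAULTS = {"ftp_bruteforce": False, "icmp_flood": True}


@dataclass
class RuleGroup:
    name: str
    # rule name -> explicit setting. A rule that is absent here has never been
    # changed and is treated as "factory default", not as an override.
    overrides: dict = field(default_factory=dict)

    def set_rule(self, rule, value):
        # Any explicit change is an override, even if it equals the default.
        self.overrides[rule] = value

    def revert_to_factory(self, rules):
        # "Revert to factory" clears the override flag for the whole category.
        for rule in rules:
            self.overrides.pop(rule, None)


def merge_policy(attached, master=None, defaults=FACTORY_DEFAULTS):
    """Compute the effective rule set for a policy.

    attached: Rule Groups in the policy's attached-list order, highest
    priority first.  master: the policy's Master Rules, which always win.
    """
    effective = dict(defaults)
    for rule in defaults:
        if master is not None and rule in master.overrides:
            effective[rule] = master.overrides[rule]
            continue
        # The first (highest) attached group holding an override decides;
        # groups still at factory default are not considered in the merge.
        for group in attached:
            if rule in group.overrides:
                effective[rule] = group.overrides[rule]
                break
    return effective


def walk_through_cases():
    """Replays Cases 1-3 from the text plus a Master Rules override; returns
    the effective 'ftp_bruteforce' setting after each step."""
    a, b = RuleGroup("A"), RuleGroup("B")   # A sits higher in the attached list
    b.set_rule("ftp_bruteforce", True)
    case1 = merge_policy([a, b])["ftp_bruteforce"]     # A untouched -> B's on
    a.set_rule("ftp_bruteforce", True)
    a.set_rule("ftp_bruteforce", False)                 # off, but now an override
    case2 = merge_policy([a, b])["ftp_bruteforce"]     # A outranks B -> off
    a.revert_to_factory(["ftp_bruteforce"])
    case3 = merge_policy([a, b])["ftp_bruteforce"]     # back to on, as Case 1
    master = RuleGroup("Master")
    master.set_rule("ftp_bruteforce", False)
    master_case = merge_policy([a, b], master)["ftp_bruteforce"]  # Master wins
    return case1, case2, case3, master_case


if __name__ == "__main__":
    print(walk_through_cases())   # (True, False, True, False)
```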
Creating a Rule Group and Setting Rules
A Rule Group is a container for the rules that you want to apply to protect
your assets. In Retina CS, a rule group can contain any combination of rule
categories that includes: system firewall, application firewall, IPS signatures,
and Trusted and Banned IPs. In each rule category, there are particular rules
that you can activate if you want to provide that specific protection to your
asset.
Rule groups provide proactive and reactive protection against intruders,
internal attacks and machine misuse. When assigned to a policy, rule groups
are applied to assets, such as networks, servers, workstations and laptops.
To create a rule group:
1. Select the Dashboard tab and click Protect; or select the Assets tab,
and then click Protect.
2. Click Manage Rule Groups.
3. On the Manage Rule Groups page, you can:
Click + to add a rule group. Enter a name for the rule group.
Select the rule group from the Rule Groups pane to change the rule
group properties. You can type the name of the rule group in the box
to search for the rule group.
Select the rule group and click - to delete the rule group.
1. Select the Dashboard tab, and then click Protect; or select the Assets
tab and click Protect.
2. Click New Policy.
You can also add locations to existing policies.
3. Click Add Location.
4. From the Location menu, select Manage Locations.
5. Click the + sign. Enter a name and click Create.
To edit an existing location, select the location from the Location pane.
To delete a location, select the location from the Location pane and click
the - sign.
6. Click Manage.
On the Manage Conditions window, you can create and delete
conditions.
a. Click + to create a condition. Enter a name and click Create.
b. Select Command or Script from the Command Type list.
Command options:
Check Reachable - In the Command Parameters box, type the IP address or
domain name. Pings the IP address or domain name to verify access in the
network. For example, if the IP address or domain is reachable, then the
policy can be applied.
Script options:
Script Name - Java or Visual Basic script file. Click Upload Script to
upload a script.
Script Parameters - Script file location.
c. Select the Network Status Change Events check box if you want to
log network status changes.
d. Click Update.
7. Drag the condition from the Conditions pane.
8. More than one condition can apply to a location. The following operators
are available:
And = &
Or = |
Not = !
Parentheses group conditions
9. Click Update.
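Evaluating a location's condition expression with the operators listed in step 8 (&, |, ! and parentheses), as an added Python example that is not BeyondTrust's code; the condition names, their outcomes and the helper names are constructed, and condition names are assumed to contain no spaces.

```python
"""Added example (not BeyondTrust code): evaluating a location's condition
expression with the operators the procedure lists (& | ! and parentheses).
Condition names and outcomes are constructed; real outcomes would come from
the Check Reachable ping or an uploaded script."""
import re

# One token per match: a condition name, or one operator character.
_TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([&|!()]))")


def tokenize(expr):
    """Split an expression into names and operator symbols; reject junk."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent with the usual precedence: ! binds tighter than &,
    which binds tighter than |. Parentheses group sub-expressions."""

    def __init__(self, tokens, results):
        self.tokens, self.pos, self.results = tokens, 0, results

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "|":
            self.take()
            rhs = self.and_expr()        # always parse the right side fully
            value = value or rhs
        return value

    def and_expr(self):
        value = self.not_expr()
        while self.peek() == "&":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value

    def not_expr(self):
        if self.peek() == "!":
            self.take()
            return not self.not_expr()
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok is None or tok in ("&", "|", "!", ")"):
            raise ValueError(f"expected a condition name, got {tok!r}")
        if tok not in self.results:
            raise KeyError(f"unknown condition {tok!r}")
        return bool(self.results[tok])


def evaluate_location(expr, results):
    """True when the expression holds for the given condition outcomes
    (name -> bool), i.e. the policy should be applied at this location."""
    parser = _Parser(tokenize(expr), results)
    value = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return value


def validate_expression(expr, condition_names):
    """None if the expression is well formed over the known condition names,
    otherwise the error text, so a bad expression is caught before Update."""
    try:
        evaluate_location(expr, {name: False for name in condition_names})
    except (ValueError, KeyError) as err:
        return str(err)
    return None


# Constructed outcomes: two reachability checks and one script result.
SAMPLE_RESULTS = {"CorpDNS": True, "VPNGateway": False, "OnWifi": True}

if __name__ == "__main__":
    print(evaluate_location("(CorpDNS & VPNGateway) | !OnWifi", SAMPLE_RESULTS))  # False
```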
Rules Reference
As mentioned earlier, a protection policy contains the security rules that are
deployed to your assets.
This section details the rules available to you.
You can create, copy, edit, and delete rules. You cannot create rules for the
following rule categories: Identity Theft and Analyzers.
To copy, edit, or delete a rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
You can also manage rule groups from the Configure tab (Protection
Policies).
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the box to search for a rule group.
4. Select the rule category.
5. Select a rule name check box to activate the rule.
6. Select the rule, click the arrow and select one of the following menu
items:
Edit Rule - to edit the selected rule. Click the pencil icon to change
the settings.
Duplicate Rule - to create a copy of the rule. Edit the new rule as
needed.
a. Action
Allow - Traffic that matches the rule can pass through the
firewall.
Deny - Traffic that matches the rule cannot pass through the
firewall.
Alert user - Receive and log alerts from Blink when the rule is
matched. This can create a flood of alerts and increase the size of
the log file.
b. Protocol
c. Traffic Direction
Specific ports - Click +, and then enter a port number, port list,
or port range.
Click Finish.
a. Application
b. Action
Allow - Traffic that matches the rule can pass through the
firewall.
Deny - Traffic that matches the rule cannot pass through the
firewall.
Log event check box - Select to create an event log when the
rule is matched.
Alert user check box - Receive and log alerts from Blink when
the rule is matched. This can create a lot of alerts and increase
the size of the log file.
c. Protocol
d. Traffic Direction
Specific ports - Click +, and then enter a port number, port list,
or port range.
Use a comma to separate values. Ports in a range are separated
with a hyphen.
Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list - Select to run the rule first.
IPS Signature Rules
You can create IPS network signatures that filter a specific protocol, such as
FTP, ICMP, and SMTP. For example, you can create an application layer IPS
signature that filters traffic from the subject line of all incoming or outgoing
email messages associated with the EMAIL protocol.
When you create an IPS signature rule, you can choose the Network Layer
or Application Layer protocol. The wizard pages change depending on the
protocol that you select.
For the following procedure, the wizard pages described assume the CGI Scripts
and Network Layer options are selected.
To create an IPS signature rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the box to search for the rule group.
4. Expand IPS Signatures and select a subcategory to display the
associated rules.
5. Click Create New Rule to start the wizard.
Protocol
Select a protocol.
IP Protocol
Fragment Flags - Select the check box, then select: More Fragment,
Don't Fragment Bit, Reserved Bit.
Not Set - The binary value of the corresponding flag is verified for
0s only.
IP ID - Select Less Than, Equal To, or Greater Than and set the ID
number.
IP Protocol - Select Less Than, Equal To, or Greater Than and set
the protocol.
Time to Live - Select Less Than, Equal To, or Greater Than and set
the time.
Traffic Direction
Specific ports - Click +, and then enter a port number, port list, or
port range.
Use a comma to separate values. Ports in a range are separated with a
hyphen.
Action
Block IP for - Stop the attack for the specified number of minutes.
Available only for TCP-based IPS signatures.
This is not recommended for spoofable protocols, such as IP, UDP
and ICMP. In a spoofable attack, an attacker mimics the IP address
of critical systems and then forces the IP address to be added to the
banned list. Specify the frequency of the action.
Alert user - Receive and log alerts from RPA when the rule is
matched. This can create a flood of alerts and increase the size of the
log file.
Specify Threshold
Specify References
Rule Summary
Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list - Select to run the rule first.
If an IP address is added to both the Trusted list and the Banned list, that
IP address is banned.
All IPS Analyzer rules and signatures can be configured to ban the attacker
IP for a certain amount of time. For example, you may want to slow down
someone trying to guess your FTP password account by stopping them from
accessing the server for 10 minutes after each 10 failed attempts occurring in
less than three minutes.
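The threshold-and-ban behaviour just described (10 failed attempts in under three minutes, then a 10-minute block), as an added Python example that is not BeyondTrust's code: it replays constructed FTP login log lines through a sliding-window counter. The log format, the addresses and all function names are assumptions.

```python
"""Added example (not BeyondTrust code): the threshold-and-ban behaviour the
guide describes for IPS rules, replayed over constructed login log lines.
The log format and all names here are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10                  # failed attempts ...
WINDOW = timedelta(minutes=3)        # ... occurring in less than three minutes
BAN_FOR = timedelta(minutes=10)      # then block the source for 10 minutes


class ThresholdBanner:
    """Counts failures per source IP inside a sliding window and bans the
    source once the threshold is reached. Intended for TCP sources; the guide
    advises against banning on spoofable protocols such as UDP or ICMP."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW, ban_for=BAN_FOR):
        self.threshold, self.window, self.ban_for = threshold, window, ban_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> when the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # ban has lapsed; forget it
            del self.banned_until[ip]
            return False
        return True

    def record_failure(self, ip, ts):
        """Register one failed attempt; True if it triggers a ban."""
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] >= self.window:   # keep only the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.banned_until[ip] = ts + self.ban_for
            recent.clear()
            return True
        return False


def parse_line(line):
    """Constructed format: '<ISO timestamp> <client ip> <LOGIN_OK|LOGIN_FAIL>'."""
    ts, ip, result = line.split()
    return datetime.fromisoformat(ts), ip, result


def replay(lines, banner=None):
    """Feed lines through the banner in order. Returns ({ip: [ban start
    times]}, [lines that arrived while their source was banned])."""
    banner = banner or ThresholdBanner()
    bans, blocked = defaultdict(list), []
    for line in lines:
        ts, ip, result = parse_line(line)
        if banner.is_banned(ip, ts):
            blocked.append(line)
            continue
        if result == "LOGIN_FAIL" and banner.record_failure(ip, ts):
            bans[ip].append(ts)
    return dict(bans), blocked


def build_sample():
    """Constructed log: one host that trips the rule, one whose tenth failure
    lands exactly at the window edge, and the banned host returning later."""
    base = datetime(2013, 6, 10, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} 203.0.113.7 LOGIN_FAIL"
             for i in range(10)]            # ten failures within 90 s -> banned
    lines += [f"{(base + timedelta(seconds=20 * i)).isoformat()} 198.51.100.4 LOGIN_FAIL"
              for i in range(10)]           # tenth failure 180 s after the first -> no ban
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 203.0.113.7 LOGIN_OK")   # still banned
    lines.append(f"{(base + timedelta(minutes=15)).isoformat()} 203.0.113.7 LOGIN_OK")  # ban expired
    return sorted(lines)                    # ISO timestamps sort chronologically


if __name__ == "__main__":
    bans, blocked = replay(build_sample())
    print({ip: [t.isoformat() for t in ts] for ip, ts in bans.items()})
    print(blocked)
```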
To create a Trusted IP or Banned IP rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the box to search for a rule group.
c. Caller Path
MD5 Validation
Do not use caller MD5.
Auto-calculate caller MD5 - Calculates the MD5 if access to the file
is provided on disk.
User specified caller MD5 - Enter the caller's MD5 in hex.
The MD5 algorithm produces a checksum that identifies a file
and its contents mathematically. At run-time, Retina CS
compares this MD5 checksum to the checksum of the
application that is requesting network access. There is an implicit
OR between the two types of matching, location and
MD5 checksum: if either matches, the rule is triggered.
d. Specify an Action
Select a Read or Write action to be matched by this rule.
Allow - Traffic that matches the rule can pass through the
firewall. This is the default.
Deny - Traffic that matches the rule cannot pass through the
firewall.
Alert - Receive and log alerts from Blink when the rule is
matched. This can create a lot of alerts and increase the size of
the log file.
e. Rule Summary
Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list - Select to run the rule first.
c. Caller Path
MD5 Validation
Do not use caller MD5.
Auto-calculate caller MD5 - Calculates the MD5 if access to the file
is provided on disk.
User specified caller MD5 - Enter the caller's MD5 in hex.
Allow - Traffic that matches the rule can pass through the
firewall. This is the default.
Deny - Traffic that matches the rule cannot pass through the
firewall.
e. Rule Summary
Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list - Select to run the rule first.
Protected files - Folders and files that you want to monitor for changes.
A file protection rule activates when the protected file is changed, renamed,
or deleted.
Add a Protected File Rule
Protect a file
Enter the file that you want to protect.
b. Specify an action
Select the Log check box to track the rule activities.
Set the rule severity. The severity level is included in the event log.
The default value is 1.
You can also create a category to organize rules.
c. Rule Summary
Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list - Select to run the rule first.
Add an Authorized Application Rule
File Path - Browse to the executable location for the caller, and
then select the matching type:
Exact - Matches only the exact registry key. This is the fastest
matching.
Contains - Matches if the pattern is found anywhere in the key.
This is the second fastest matching.
Not Contains - Matches when the pattern is not found.
Wildcard - Creates more complex rules that use * for any
sequence of characters, # for any single numerical character and ?
for any single alpha character.
Regex - Creates the most complex matching rules. This can be
the slowest matching.
b. Specify an action
Select the Log check box to track the rule activities.
Set the rule severity. The severity level is included in the event log.
The default value is 1.
You can also create a category to organize rules.
c. Rule Summary
Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list - Select to run the rule first.
Add a Custom Rule
A custom rule applies protection on a folder (all files in the folder are
protected regardless of the file type). Files and folders included in the rule
are not included in the scheduled scan.
To create a custom rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Custom
subcategory to display the associated rules.
5. Select Create New Rule.
6. Complete the following pages.
File Path - Browse to the executable location for the caller, and
then select the matching type:
Exact - Matches only the exact registry key. This is the fastest
matching.
Contains - Matches if the pattern is found anywhere in the key.
This is the second fastest matching.
Not Contains - Matches when the pattern is not found.
Wildcard - Creates more complex rules that use * for any
sequence of characters, # for any single numerical character and ?
for any single alpha character.
Regex - Creates the most complex matching rules. This can be
the slowest matching.
c. Specify an action
Select the action to take when the rule is matched: Allow or Deny.
Select the Log check box to track the rule activities.
Set the rule severity. The severity level is included in the event log.
The default value is 1.
You can also create a category to organize rules.
d. Rule Summary
Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list - Select to run the rule first.
Windows Events Rules
You can create a rule that tracks Windows Event logs, including:
Application, System, and Security.
Source Names
The source name is the name of the Windows event.
The source name that you enter depends on the operating system that is
forwarding the events.
Windows XP
Windows 2003
Vista
Windows 7
Windows 2008
Severity - Select the severity level from the list: Only Errors, Errors
and Warnings, All.
Note that All includes Information events.
Add - Click to provide the following information about the event log
you want to track:
5. Click Save.
Trusted List Options
The Trusted List displays trusted malware by name and category.
To access Trusted List rules:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the box to search for a rule group.
4. Select the Trusted List rule category.
5. Click Create New Rule to start the wizard.
6. Select a malware name check box and click Save.
7. Click Save.
8. Click Update.
Miscellaneous Options
Miscellaneous options allow you to set rules for Retina CS operations.
To access miscellaneous options:
General
System Protection
Scheduler
Auto-Updater
Vulnerability Assessment
Intrusion Prevention
IIS Protection
Firewall
Events
For more information, refer to the Retina Protection Agent User Guide.
5. After you change the properties for a subcategory, click Update.
For detailed information about PowerBroker Servers for Unix and Linux
features, refer to the PowerBroker Servers product documentation.
Overview
Use Retina CS to manage PowerBroker Servers event log records. Configure
Retina CS and PowerBroker Servers to work together to send the event logs
to the Retina CS management console.
After the event log records are sent to the Retina CS database, you can run
reports to analyze your Unix and Linux assets. You can create Smart Groups
based on the argument types to track the event types in the I/O logs.
The event information is used as the source information to determine the
heartbeat of your assets, for example, whether an asset is running.
Event Types
The event types forwarded to Retina CS include Accept and Reject.
Accept and Reject events can help you determine if your assets are sending
events (indicating that the asset is up and running successfully).
Retina CS and PowerBroker Servers Architecture
The following diagram shows how Retina CS and PowerBroker Servers send
information between their respective components.
Secure Retina CS certificates are deployed to the PowerBroker Servers
assets. Apache Solr software is used to index PBUL I/O logs. The indexed
results are forwarded to Retina CS where they can be sorted and viewed.
For detailed instructions on Smart Groups, see Working with Smart Rules.
Purge Events
PowerBroker Servers events are purged after 30 days. You can configure the
number of days events remain in the database before purging. See
Maintenance Options.
5. Select the Solr host your I/O Logs were indexed on from the drop-down
menu "Search Hosts".
Note: In order to allow the Search Window to securely connect to the Solr
Servers, you will need to import the SSL certificates and Certificate
Authorities correctly on the RCS side. The instructions for
importing the certificates are in the PowerBroker Servers Install
Guide, under the "Post-Install" section of "Solr Installation".
Search Parameters
A query is broken up into terms and operators. There are two types of
terms: Single Terms and Phrases. A Single Term is a single word such as "test"
or "hello".
A Phrase is a group of words surrounded by double quotes such as "hello
dolly".
Multiple terms can be combined together with Boolean operators to form a
more complex query (see below).
PowerBroker Servers I/O Log files are indexed on the content of the I/O
Log, as well as the following fields: user, runuser, runcommand, runargv.
You can search any field by typing the field name followed by a colon ":" and
then the term you are looking for.
Examples of search on the event log variables in the I/O Logs:
Table 18.
Search Pattern
Finds...
runuser:root
user:oracle AND runcommand:bash
If you have added custom policy variables to the list of indexed variables
(using the setting 'solrvariables <var>_pbul' in the PowerBroker Servers
pb.settings file), you can also search on those variables using the following
syntax in the "Search" field.
Search Pattern
Finds...
ticketnum_pbul:1523XA5
You can combine the above queries for eventlogs variables in the query to
search the content of the I/O Logs. For example:
Search Pattern
Finds...
runuser:root AND rm
You can also narrow down your search using the Start and End time fields.
These dates are in the local time zone of the browser (where Retina CS is
accessed).
Note: These are the date and time where the I/O Log files (sessions) were
created and completed. These are not the date and time when a
secured task was executed by PowerBroker Servers. To search using
the date and time within the I/O Log sessions, refer to Proximity
Search below.
Simple Search Example
Wildcard matching
Search Pattern
Finds...
grep*
grep*someFile
*:*
rm*
rm *someFile
P?sswd
Note: Lucene does not support using * and ? as the first character of a
search.
Range Queries allow you to match documents whose field values are
between the lower and upper bound specified by the Range Query. Range
Queries can be inclusive or exclusive of the upper and lower bounds.
Sorting is done lexicographically.
Search Pattern
Finds...
runuser:[Aida TO Carmen]
runuser:{Aida TO Carmen}
The AND operator matches documents where both terms exist anywhere in
the text of a single document. This is equivalent to an intersection using
sets.
To search for documents that contain "cat services" and "rm passwd", use the
query: "cat services" AND "rm passwd"
NOT
The NOT operator excludes documents that contain the term after NOT.
This is equivalent to a difference using sets.
To search for documents that contain "rm passwd" but not "cat services" use
the query: "rm passwd" NOT "cat services"
Note: The NOT operator cannot be used with just one term. For example,
the following search will return no results:
NOT "cat services"
Grouping
Use parentheses to group clauses to form sub queries. This can be very
useful if you want to control the boolean logic for a query.
To search for either "rm" or "cat" and "passwd" use the query:
(rm OR cat) AND passwd
Field Grouping
Escaping special characters that are part of the query syntax is supported.
The current list of special characters is:
+ - && || ! ( ) { } [ ] ^ " ~ * ? : \
To escape one of these characters, put a \ before it. For example, to
search for (1+1):2 use the query:
\(1\+1\)\:2
As the next example shows, the / character should be escaped in the same
way. To search for /etc/passwd use \/etc\/passwd
Proximity Search
The proximity search finds words that occur within a specified number of
words of each other. For a proximity search, put a tilde (~) and the
distance at the end of the quoted phrase.
Table 20. Proximity matching
Search Pattern          Finds...
"grep someFile"~4       documents in which grep and someFile occur within 4 words of each other
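The following script is an added example, not code from Retina CS or from Lucene. It implements the four query forms described above (wildcard terms, inclusive and exclusive ranges, escaping of syntax characters, and proximity phrases) over a handful of constructed I/O Log session records, so the behaviour of each pattern can be checked offline. The field names runuser, ticketnum_pbul and text, the session contents, and the simplified slop rule (word order is ignored) are assumptions made for the illustration.

```python
"""Toy matcher for the Lucene query forms described above.

Added example, not Retina CS or Lucene code.  The session records and the
field names (runuser, ticketnum_pbul, text) are constructed for illustration.
"""
import itertools
import re

# Query-syntax characters from the list above, plus '/', which the
# /etc/passwd example also escapes.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\/')


def escape(term):
    """Backslash-escape syntax characters so a literal value searches as-is."""
    return ''.join('\\' + c if c in SPECIAL_CHARS else c for c in term)


def wildcard_regex(pattern):
    """Translate a wildcard term (* = any run, ? = one char) into an anchored
    regex.  Like Lucene, refuse * or ? in the first position."""
    if pattern[:1] in ('*', '?'):
        raise ValueError('leading wildcard not supported: %r' % pattern)
    body = ''.join({'*': '.*', '?': '.'}.get(c, re.escape(c)) for c in pattern)
    return re.compile('^' + body + '$')


def wildcard_match(pattern, tokens):
    """True if any token matches the wildcard pattern (case-sensitive)."""
    rx = wildcard_regex(pattern)
    return any(rx.match(t) for t in tokens)


def range_match(value, lower, upper, inclusive):
    """[lower TO upper] is inclusive, {lower TO upper} exclusive; the
    comparison is plain lexicographic string order, as the guide notes."""
    if inclusive:
        return lower <= value <= upper
    return lower < value < upper


def proximity_match(phrase, tokens, slop):
    """'"w1 w2 ..."~N': every word present, with at most N extra tokens
    between the first and last of them.  Simplified from Lucene slop: the
    order in which the words appear is ignored."""
    words = phrase.split()
    positions = [[i for i, t in enumerate(tokens) if t == w] for w in words]
    if not words or not all(positions):
        return False
    return any(max(c) - min(c) - (len(words) - 1) <= slop
               for c in itertools.product(*positions))


# Constructed I/O Log sessions: two eventlog variables plus the logged text.
SESSIONS = [
    {'runuser': 'root', 'ticketnum_pbul': '1523XA5',
     'text': 'cat /etc/services ; grep -i key someFile ; rm -f /tmp/x'},
    {'runuser': 'Bob', 'ticketnum_pbul': '9920BQ1',
     'text': 'grep root /etc/passwd ; cat /etc/services'},
    {'runuser': 'Carmen', 'ticketnum_pbul': '4471ZZ0',
     'text': 'ls -la /home/carmen'},
]

RANGE = re.compile(r'([\[{])(\S+) TO (\S+)([\]}])')


def search(query, sessions=SESSIONS):
    """Evaluate one 'field:pattern' clause (or the match-all '*:*') and
    return the ticket numbers of the matching sessions."""
    if query == '*:*':
        return [s['ticketnum_pbul'] for s in sessions]
    field, _, pattern = query.partition(':')
    hits = []
    for s in sessions:
        value = s[field]
        tokens = value.split()
        m = RANGE.fullmatch(pattern)
        if m:
            ok = range_match(value, m.group(2), m.group(3), m.group(1) == '[')
        elif pattern.startswith('"'):
            phrase, _, slop = pattern[1:].partition('~')
            ok = proximity_match(phrase.rstrip('"'), tokens, int(slop or 0))
        else:
            ok = wildcard_match(pattern, tokens)
        if ok:
            hits.append(s['ticketnum_pbul'])
    return hits


if __name__ == '__main__':
    for q in ('ticketnum_pbul:1523XA5', 'runuser:[Aida TO Carmen]',
              'runuser:{Aida TO Carmen}', 'text:grep*', 'text:"grep someFile"~4'):
        print('%-28s -> %s' % (q, search(q)))
    print(escape('(1+1):2'), escape('/etc/passwd'))
```

Note that the range comparison is case-sensitive string order, which is why a runuser of root falls outside [Aida TO Carmen] while Bob and Carmen fall inside; the real index may lowercase values depending on the analyzer, so check a known session before relying on a range.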
PasswordSafe
Overview
Configuring PasswordSafe
Creating a Connection to Your Appliance
Creating User Groups
Adding a Managed System
Managing Passwords
Requesting a Password
Approving a Password
Retrieving a Password
Overview
PasswordSafe integrates with BeyondTrust's PowerBroker PasswordSafe.
PowerBroker PasswordSafe is a hardened appliance that creates and secures
privileged accounts through automated password management, encryption,
secure storage of credentials, and a sealed operating system.
Configure PasswordSafe to monitor and manage passwords.
Email notification is configured from the PowerBroker Safe appliance.
Emails are sent during the request and approval process.
Configuring PasswordSafe
To configure PasswordSafe, you must:
Create user groups that are assigned roles to manage password releases.
Note: Always use Retina CS to edit or delete the following PasswordSafe
items created in Retina CS: users, user groups, managed systems, and
collections. Using the PasswordSafe appliance to manage these items
can result in unrecoverable configuration or synchronization errors.
CLI User - The CLI user is generated by the appliance and cannot be
changed.
4. After you enter the information, click Test to ensure the connection is
established to the appliance.
5. Click Save.
Creating User Groups
In the PasswordSafe password release process, there must be user groups
created to manage the following tasks in the process:
Approver - Assign this role to the users who will approve password
releases.
Auditor - Assign the Auditor role to users who run reports in Retina
Insight. The Auditor role can be combined with any of the other available roles.
Note: All changes to PasswordSafe user accounts (users with PasswordSafe
roles assigned) must be managed by the Retina CS Administrator
account.
To create a PasswordSafe user group:
1. Click the Configure tab, and then click the Accounts tab.
2.
3.
4.
5.
3. Click Save.
Managing Passwords
There are three stages in the password release process:
Requesting a password
Approving a password
Retrieving a password
Requesting a Password
You must be assigned the Requestor role in Retina CS to request a password
release.
The Ticket System setting is managed from the appliance. PowerBroker Safe
does not integrate with an external ticket system; the ticket information
is recorded for reference only, so that password requests can be tracked
against a ticket. For more information, refer to the PowerBroker Safe
Administration Guide.
To request a password release:
1. Log on to the PasswordSafe website using your Retina CS credentials.
2. Click the Request Password tab.
3. Provide the request information, and then click Request Password.
Approving a Password
You must be assigned the Approver role to approve password releases.
There might be more than one approver required depending on how the
managed systems are configured.
To approve a password request:
1. Log on to the PasswordSafe website using your Retina CS credentials.
2. Click the Approve Requests tab.
3. Select a request in the list.
The Approval History displays the number of approvals required and
whether any approvals have already been applied.
4. Click Approve.
The Retrieve Password button is now available to the original requestor
in the Approval History section of the Approve Request page.
Click Check-in Password at any time to expire the released password.
The password is then no longer available to use.
Retrieving a Password
To retrieve a password:
1. Log on to the PasswordSafe website using your Retina CS credentials.
2. Select the Request Password tab, and then select an account.
3. Click Retrieve Password.
4. Click Highlight Password, and then press Ctrl+C to copy the password to
the Clipboard.
Compliance Scans
By default the following scan templates are available.
Healthcare, Finance, and Government packs need an updated license key.
The templates are grouped into the following families, each listed by
Compliance Area:
ISO-27002 Scans
COBiT Scans
SOX Scans
NIST-800-53 Scans
3. Click Scan.
4. Select the scan options, and then click Start Scan.
Scroll through the list of vulnerabilities provided in the report. You can
review remediation fixes, CVSS scores, and additional information for the
vulnerability as shown in the following example from a report.
1.
2.
3.
4.
Managing Benchmarks
Retina CS ships with a default set of benchmark templates. You can import
additional or updated benchmarks, and synchronize benchmarks.
If you are working with your benchmark profiles outside Retina CS, then
you can synchronize the templates using the Retina CS Configuration tool.
To download an editor to change your benchmarks, click the Download
Editor button.
To manage benchmarks:
1. Click the Configure tab.
2. Click the Benchmark Management tab.
3. Expand a benchmark to review more detail.
Policies included with benchmark templates can be inactivated if they do
not apply. Clear policies as needed.
For Windows 7:
CIS_Windows_7_Benchmark_v1.1.0_oval.xml
CIS_Windows_7_Benchmark_v1.1.0.xml
Windows-7-cpe-oval.xml
Windows-7-cpe-dictionary.xml
For Windows Server 2008:
CIS_Windows_2008_Server_Benchmark_v1.1.0_oval.xml
CIS_Windows_2008_Server_Benchmark_v1.1.0.xml
Windows-2008-cpe-oval.xml
Windows-2008-cpe-dictionary.xml
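Each bundle above pairs an XCCDF benchmark with the OVAL definitions it references and a CPE dictionary naming the platform. Before importing an updated or hand-edited bundle, it is worth confirming that those references still resolve. The script below is an added example, not Retina CS code: it parses a constructed XCCDF benchmark, OVAL definitions file and CPE dictionary (stand-ins for the files listed above, with made-up rule and definition ids) and reports rules whose OVAL definition is missing, check references to files that are not in the bundle, and platforms absent from the CPE dictionary. The CPE OVAL file is not consulted.

```python
"""Consistency check for an SCAP benchmark bundle before it is imported.

Added example, not Retina CS code.  The roles of the files mirror the
Windows 7 bundle listed above (XCCDF benchmark, OVAL definitions, CPE
dictionary); the XML below and every id in it are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    'xccdf': 'http://checklists.nist.gov/xccdf/1.1',
    'oval': 'http://oval.mitre.org/XMLSchema/oval-definitions-5',
    'cpe': 'http://cpe.mitre.org/dictionary/2.0',
}

# Constructed stand-in for CIS_Windows_7_Benchmark_v1.1.0.xml: rule-2 points
# at an OVAL definition that the bundle does not contain.
XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <platform idref="cpe:/o:microsoft:windows_7"/>
  <Rule id="rule-1" selected="true">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example_oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-2" selected="true">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example_oval.xml" name="oval:example:def:99"/>
    </check>
  </Rule>
</Benchmark>"""

# Constructed stand-in for CIS_Windows_7_Benchmark_v1.1.0_oval.xml.
OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" class="compliance" version="1"/>
  </definitions>
</oval_definitions>"""

# Constructed stand-in for Windows-7-cpe-dictionary.xml.
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:microsoft:windows_7"><title>Microsoft Windows 7</title></cpe-item>
</cpe-list>"""


def oval_definition_ids(oval_xml):
    """Set of definition ids declared in an OVAL definitions document."""
    root = ET.fromstring(oval_xml)
    return {d.get('id') for d in root.iterfind('.//oval:definition', NS)}


def cpe_names(cpe_xml):
    """Set of CPE names declared in a CPE dictionary."""
    root = ET.fromstring(cpe_xml)
    return {item.get('name') for item in root.iterfind('cpe:cpe-item', NS)}


def check_bundle(xccdf_xml, oval_files, cpe_xml):
    """Cross-check an XCCDF benchmark against its OVAL files ({href: xml})
    and CPE dictionary.  Returns a list of human-readable problems; an
    empty list means every reference resolves."""
    problems = []
    root = ET.fromstring(xccdf_xml)
    known_cpes = cpe_names(cpe_xml)
    for platform in root.iterfind('xccdf:platform', NS):
        if platform.get('idref') not in known_cpes:
            problems.append('platform %s is not in the CPE dictionary'
                            % platform.get('idref'))
    defs_by_file = {href: oval_definition_ids(xml) for href, xml in oval_files.items()}
    for rule in root.iterfind('.//xccdf:Rule', NS):
        for ref in rule.iterfind('.//xccdf:check-content-ref', NS):
            href, name = ref.get('href'), ref.get('name')
            if href not in defs_by_file:
                problems.append('%s: href %s is not in the bundle' % (rule.get('id'), href))
            elif name not in defs_by_file[href]:
                problems.append('%s: %s is not defined in %s' % (rule.get('id'), name, href))
    return problems


if __name__ == '__main__':
    for problem in check_bundle(XCCDF, {'example_oval.xml': OVAL}, CPE_DICT):
        print(problem)
```

To run it against a real bundle, read each file from disk and pass the XCCDF text, a dictionary keyed by the href values used in the benchmark, and the CPE dictionary text; a rule that reports a missing definition would otherwise fail or be skipped silently when the benchmark is evaluated.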
Go to Administrator tools.
Your Remedy system must already have forms created to accept asset and
vulnerability information.
Note: Remedy web service endpoints expect a sortable date format, for
example 2009-06-15T13:45:30. You can override the default format with a
valid .NET date format string in the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\eEye\RetinaCS\RemedyExportDateFormatString
For examples of standard .NET date format strings, see:
http://msdn.microsoft.com/en-us/library/az4se3k1.aspx
To create a connector:
1. Click the Configure tab, then click the Export Connectors tab.
2. Click +, then click BMC Remedy Connector.
3. Enter a connector name, and a Remedy user name and password.
The connector name can be any name.
Target Namespace - Enter the target namespace from the WSDL file.
Field Mappings - Enter the fields that you want to include in the
export data.
The order of the fields must match the order of the fields in the
WSDL file. Use the arrows to change the order.