Fortinet white logo
Fortinet white logo

Running Vulnerability Scans against FortiSIEM

Running Vulnerability Scans against FortiSIEM

This document provides information about the configurations for running vulnerability scans against FortiSIEM.

Qualys Configuration

Logon to Qualys Vulnerability Management and follow the steps below to run a Vulnerability scan:

Step 1: Configure Scan Profile

  1. Go to Scans > Option Profiles and click New > PCI Option Profile.
  2. On the 'New PCI Option Profile' window, click the Scan tab.
  3. Select ‘Unix/Cisco’ Authentication.
  4. Click Save.

Step 2: Setup Host Authentication

  1. Go to Scans > Authentication and click New > Unix Record.
  2. On the 'New Unix Record' pop-up, add the login credentials.
  3. Click the IPs tab and enter the Host IPs and click Create.

Step 3: Add Host IPs to Scan

  1. Go to Assets > Host Assets.
  2. Click New > IP Tracked Hosts.
  3. Enter the new Host IPs and click Add.

Step 4: Launch Vulnerability Scan

  1. Go to Scans > Scans tab.
  2. Click New > Scans and select the Option Profile added in step #2.
  3. Select Host IPs that added in step #2.
  4. Click Launch to start the scan.

Nessus Configuration

Logon to Tenable Nessus Scanner UI and follow the steps below to run a Vulnerability scan:

Step 1: Configure Scan and Host IP

  1. Go to Scans and click New Scan > Advanced Network Scan.
  2. Under Settings tab, enter the information about the new scan including the FortiSIEM Host IP under Targets.
  3. Click Save.

Step 2: Setup Host Authentication

  1. Go to Scans and select the Scan added in Step #1.
  2. Click Configure.
  3. Under the Credentials tab, click SSH and enter the FortiSIEM credentials.
  4. Click Save.

Step 3: Launch Vulnerability Scan

  1. Go to Scans and select the Scan from Step #1.
  2. Click the Launch icon to start the scan.

Rapid7 Configuration

Logon to Rapid7 insightVM (Advanced Vulnerability Management Analytics and Reporting) and follow these steps to run a Vulnerability scan:

Step 1: Install Rapid7 Insight Agent on FortiSIEM

  1. Logon to Rapid7 insightVM (Advanced Vulnerability Management Analytics and Reporting).
  2. Go to the Agent Management page, then select Add New > Agent.
  3. Download the Rapid7 Linux Agent and copy it to FortiSIEM.
  4. SSH to FortiSIEM and install Rapid7 Insight Agent with Token, for example:

    sudo ./agent_installer.sh install_start --token us:bf870020-ef0b-41de-9c9e-da45237c214d

Step 2: Validate FortiSIEM Vulnerability Scan Results

  1. In the Rapid7 insightVM UI, go to the Agent Management page and check the recently installed Agent.
  2. Go to the insightVM default dashboard.
  3. In the Newly discovered Assets gadget, click Assets.
  4. In the Assets list, click the FortiSIEM hostname.
  5. On the Asset Details page, validate the list of vulnerabilities.

Validating Vulnerability Scan Results

The following sections describe how to validate vunerability scan results:

Find the CVE Information in the RedHat Database

  1. Log in to the Vulnerability scanner.
  2. Run a Vulnerability scan against FortiSIEM. See Running Vulnerability Scans against FortiSIEM.
  3. In the Vulnerability results, check for the CVE number on each vulnerability and search the noted CVE number in the Rocky Linux database and Redhat database.

  4. Click the CVE number in the search results to get detailed information.
  5. Check the Affected Packages State in the Redhat CVE report for Red Hat Enterprise Linux 8 platform (note that Rocky Linux 8 is the same as RHEL 8 because almost all rpms were recompiled from RHEL 8 source rpms).
  6. In the above example CVE-2009-3560, Red Hat Enterprise Linux 6 platform is Not affected. See the following table of affected package states.

    Affected Package States

    Platform

    Package

    State

    Red Hat Enterprise Linux 7

    expat

    Not affected

    Red Hat Enterprise Linux 6

    expat

    Not affected

    Red Hat Enterprise Linux 6

    compat-epat1

    Not affected

    Red Hat Enterprise Linux 5

    xmlrpc-c

    Will not fix

  7. The Redhat database can return the following types of results:
    • Not affected – Vulnerability scanner reported a false alarm.
    • Will not fix – Redhat will not fix these vulnerabilities either due to a low CVSS score, or the platform might have reached end of support.
    • Fixed/Patch available – Redhat has already provided a fix for these vulnerabilities.
  8. You can ignore vulnerabilities that are reported as Not affected. You will need to create a vulnerability exception for CVEs that are marked as Will not fix by Redhat. For Fixed vulnerabilities, follow the instructions in Validate Redhat Fixed vulnerabilities in FortiSIEM.

Validate Redhat Fixed Vulnerabilities in FortiSIEM

  1. From the Vulnerability scanner report, find a CVE number on vulnerability and search for the number in the Redhat database.
  2. Perform the following steps if Redhat provides a patch (Security Errata):
    1. SSH to the FortiSIEM instances and the check installed packages.

      Example: search for CVE-2017-9798 in the Redhat database.

    2. Click CVE-2017-9798 and check the Redhat security errata for Red Hat Enterprise Linux 6. See the following table.

      Red Hat Security Errata

      Platform

      Errata

      Release Date

      Red Hat JBoss Enterprise Application Platform 6.4

      RHSA-2017:3239

      2017-11-16

      Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd)

      RHSA-2017:3018

      2017-10-24

      Red Hat Enterprise Linux Extended Update Support 6.7 (httpd)

      RHSA-2017:3195

      2017-11-13

      Red Hat Enterprise Linux Extended Update Support 7.2 (httpd)

      RHSA-2017:3193

      2017-11-13

      Red Hat JBoss Web Server

      RHSA-2017:3114

      2017-11-02

      Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server

      RHSA-2017:3113

      2017-11-02

      Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (httpd)

      RHSA-2017:3113

      2017-11-02

      Red Hat Enterprise Linux 6 (httpd)

      RHSA-2017:2972

      2017-10-19

    3. Click the RHSA-2017:2972 link, open the Updated Packages tab, and note the packages that are updated.

    4. SSH to the FortiSIEM instance and find installed httpd packages (based on the example) by running the rpm -qa | grep -i httpd command:

    5. Check the installed httpd package change log to find the CVE-2017-9798 fixes by running the rpm -q --changelog httpd | less command:

    6. In the above example, the CVE-2017-9798 patch is already available in FortiSIEM.

Mitigating Found Vulnerabilities

If the CVE number does not exist in the changelog, then follow these steps to perform a FortiSIEM OS update:

  1. If the CVE number is not included in the changelog list or the installed package is an older version, perform a FortiSIEM OS update. See FortiSIEM - OS Update Lifecycle.
  2. After the FortiSIEM OS update, repeat Step #2 in the previous section, Validate Redhat Fixed Vulnerabilities in FortiSIEM.
  3. Contact FortiSIEM support if the CVE number is not listed in the changelog after the OS update.

Running Vulnerability Scans against FortiSIEM

Running Vulnerability Scans against FortiSIEM

This document provides information about the configurations for running vulnerability scans against FortiSIEM.

Qualys Configuration

Logon to Qualys Vulnerability Management and follow the steps below to run a Vulnerability scan:

Step 1: Configure Scan Profile

  1. Go to Scans > Option Profiles and click New > PCI Option Profile.
  2. On the 'New PCI Option Profile' window, click the Scan tab.
  3. Select ‘Unix/Cisco’ Authentication.
  4. Click Save.

Step 2: Setup Host Authentication

  1. Go to Scans > Authentication and click New > Unix Record.
  2. On the 'New Unix Record' pop-up, add the login credentials.
  3. Click the IPs tab and enter the Host IPs and click Create.

Step 3: Add Host IPs to Scan

  1. Go to Assets > Host Assets.
  2. Click New > IP Tracked Hosts.
  3. Enter the new Host IPs and click Add.

Step 4: Launch Vulnerability Scan

  1. Go to Scans > Scans tab.
  2. Click New > Scans and select the Option Profile added in step #2.
  3. Select Host IPs that added in step #2.
  4. Click Launch to start the scan.

Nessus Configuration

Logon to Tenable Nessus Scanner UI and follow the steps below to run a Vulnerability scan:

Step 1: Configure Scan and Host IP

  1. Go to Scans and click New Scan > Advanced Network Scan.
  2. Under Settings tab, enter the information about the new scan including the FortiSIEM Host IP under Targets.
  3. Click Save.

Step 2: Setup Host Authentication

  1. Go to Scans and select the Scan added in Step #1.
  2. Click Configure.
  3. Under the Credentials tab, click SSH and enter the FortiSIEM credentials.
  4. Click Save.

Step 3: Launch Vulnerability Scan

  1. Go to Scans and select the Scan from Step #1.
  2. Click the Launch icon to start the scan.

Rapid7 Configuration

Logon to Rapid7 insightVM (Advanced Vulnerability Management Analytics and Reporting) and follow these steps to run a Vulnerability scan:

Step 1: Install Rapid7 Insight Agent on FortiSIEM

  1. Logon to Rapid7 insightVM (Advanced Vulnerability Management Analytics and Reporting).
  2. Go to the Agent Management page, then select Add New > Agent.
  3. Download the Rapid7 Linux Agent and copy it to FortiSIEM.
  4. SSH to FortiSIEM and install Rapid7 Insight Agent with Token, for example:

    sudo ./agent_installer.sh install_start --token us:bf870020-ef0b-41de-9c9e-da45237c214d

Step 2: Validate FortiSIEM Vulnerability Scan Results

  1. In the Rapid7 insightVM UI, go to the Agent Management page and check the recently installed Agent.
  2. Go to the insightVM default dashboard.
  3. In the Newly discovered Assets gadget, click Assets.
  4. In the Assets list, click the FortiSIEM hostname.
  5. On the Asset Details page, validate the list of vulnerabilities.

Validating Vulnerability Scan Results

The following sections describe how to validate vunerability scan results:

Find the CVE Information in the RedHat Database

  1. Log in to the Vulnerability scanner.
  2. Run a Vulnerability scan against FortiSIEM. See Running Vulnerability Scans against FortiSIEM.
  3. In the Vulnerability results, check for the CVE number on each vulnerability and search the noted CVE number in the Rocky Linux database and Redhat database.

  4. Click the CVE number in the search results to get detailed information.
  5. Check the Affected Packages State in the Redhat CVE report for Red Hat Enterprise Linux 8 platform (note that Rocky Linux 8 is the same as RHEL 8 because almost all rpms were recompiled from RHEL 8 source rpms).
  6. In the above example CVE-2009-3560, Red Hat Enterprise Linux 6 platform is Not affected. See the following table of affected package states.

    Affected Package States

    Platform

    Package

    State

    Red Hat Enterprise Linux 7

    expat

    Not affected

    Red Hat Enterprise Linux 6

    expat

    Not affected

    Red Hat Enterprise Linux 6

    compat-epat1

    Not affected

    Red Hat Enterprise Linux 5

    xmlrpc-c

    Will not fix

  7. The Redhat database can return the following types of results:
    • Not affected – Vulnerability scanner reported a false alarm.
    • Will not fix – Redhat will not fix these vulnerabilities either due to a low CVSS score, or the platform might have reached end of support.
    • Fixed/Patch available – Redhat has already provided a fix for these vulnerabilities.
  8. You can ignore vulnerabilities that are reported as Not affected. You will need to create a vulnerability exception for CVEs that are marked as Will not fix by Redhat. For Fixed vulnerabilities, follow the instructions in Validate Redhat Fixed vulnerabilities in FortiSIEM.

Validate Redhat Fixed Vulnerabilities in FortiSIEM

  1. From the Vulnerability scanner report, find a CVE number on vulnerability and search for the number in the Redhat database.
  2. Perform the following steps if Redhat provides a patch (Security Errata):
    1. SSH to the FortiSIEM instances and the check installed packages.

      Example: search for CVE-2017-9798 in the Redhat database.

    2. Click CVE-2017-9798 and check the Redhat security errata for Red Hat Enterprise Linux 6. See the following table.

      Red Hat Security Errata

      Platform

      Errata

      Release Date

      Red Hat JBoss Enterprise Application Platform 6.4

      RHSA-2017:3239

      2017-11-16

      Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd)

      RHSA-2017:3018

      2017-10-24

      Red Hat Enterprise Linux Extended Update Support 6.7 (httpd)

      RHSA-2017:3195

      2017-11-13

      Red Hat Enterprise Linux Extended Update Support 7.2 (httpd)

      RHSA-2017:3193

      2017-11-13

      Red Hat JBoss Web Server

      RHSA-2017:3114

      2017-11-02

      Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server

      RHSA-2017:3113

      2017-11-02

      Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (httpd)

      RHSA-2017:3113

      2017-11-02

      Red Hat Enterprise Linux 6 (httpd)

      RHSA-2017:2972

      2017-10-19

    3. Click the RHSA-2017:2972 link, open the Updated Packages tab, and note the packages that are updated.

    4. SSH to the FortiSIEM instance and find installed httpd packages (based on the example) by running the rpm -qa | grep -i httpd command:

    5. Check the installed httpd package change log to find the CVE-2017-9798 fixes by running the rpm -q --changelog httpd | less command:

    6. In the above example, the CVE-2017-9798 patch is already available in FortiSIEM.

Mitigating Found Vulnerabilities

If the CVE number does not exist in the changelog, then follow these steps to perform a FortiSIEM OS update:

  1. If the CVE number is not included in the changelog list or the installed package is an older version, perform a FortiSIEM OS update. See FortiSIEM - OS Update Lifecycle.
  2. After the FortiSIEM OS update, repeat Step #2 in the previous section, Validate Redhat Fixed Vulnerabilities in FortiSIEM.
  3. Contact FortiSIEM support if the CVE number is not listed in the changelog after the OS update.