Instance discovery and auto record creation is supported for Apache Web Server, IBM WebSphere App Server and JBoss server. As before, a single record can cover multiple hosts when the same instance configuration is replicated across the hosts in that record.
Modules supported - PC
The following capabilities are available:
- Support for scanning multiple instances running on the same host, and when hosts have varying configurations
- A two-phase scanning process. First, a discovery scan finds instances of the server applications (Apache/IBM WebSphere/JBoss) that you have chosen to scan, consolidates the instance data, and creates/updates authentication records in the user's account. Then an assessment scan uses the records saved in the user's account for control evaluations.
- Option profile settings allow you to 1) enable instance discovery and auto record creation, 2) include system-created records for scans, and 3) determine whether to send system records or user records when there are 2 records for the same instance configuration.
- Compliance scan results show a list of instances discovered by the scan when the instance discovery and auto record creation feature is enabled for the scan. Compliance assessment data is not collected during instance discovery scans.
- New System-created authentication records. Auto-created authentication records have the owner "System". These records cannot be edited by users.
- You can enable (Apache/IBM WebSphere/JBoss) server application records for authenticated scanning, i.e. set as Active, or disable this, i.e. set as Inactive.
You'll need to create 2 option profiles, because the two options below cannot be selected in the same profile.
Option Profile 1: Choose "Allow instance discovery and system record creation" and select one or more applications. Use this option profile for instance discovery scans. We'll discover running instances during the scan, and then use the information collected about your running instances to create authentication records. For JBoss server, Unix and/or Windows authentication is required for this option, while for Apache Web Server and IBM WebSphere server only Unix authentication is required. So be sure you have Unix/Windows records in your account for the technology whose instances you want to discover.
Option Profile 2: Choose "Include system created authentication records in scans" in the option profile you'll use for compliance assessments. System created records will be used along with user created records. If you have a user created record and a system created record for the same instance configuration we'll use the user record by default. You can change this if you prefer to use the system record.
Launch a compliance scan (using PC or SCA) and choose an option profile with the "Allow instance discovery and system record creation" option enabled. We recommend you schedule instance discovery scans to occur when you expect changes in your infrastructure.
Note that we auto-discover instances of these applications only on hosts running operating systems supported for PC.
Looking for auto discovered instances? Scroll down to the Appendix section of your compliance scan results.
We’ll also tell you when we don’t find running instances for scanned hosts.
We’ll tell you when we don’t find an authentication type on any scanned hosts.
Instance scan data consolidation occurs based on authenticated scan data from the scan. Authentication records are created based on consolidated scan data. Record creation starts when the scan is Finished, during scan processing. Records may be created or updated (new IPs added, existing IPs removed).
System-created authentication records are identified by a gold lock and Owner “System”.
Launch a compliance scan (using PC or SCA) and choose an option profile with the "Include system authentication records in scans" option enabled.
During scan processing instance scan data is consolidated, mapping record configuration to hosts:
- Single host with single instance configuration
- Single host with multiple instance configurations
- Multiple hosts with single instance configuration
- Multiple hosts with multiple instance configurations
Let's consider a sample Apache authenticated scan with auto record creation enabled. Sample scan data collected from the discovery scan is represented below.
For this scan, 3 Apache authentication records are auto created:
You can choose to make any record created for these applications Inactive, including system created records and user created records.
Inactive records are not included in scans (even if the "Include system created authentication records in scans" option is selected in the option profile). Simply choose the records you want to make Inactive and pick Deactivate from the Actions menu above the data list. To activate records choose Activate.
You can search records for these server applications by creation type (System created or User created) and by status (Active or Inactive).
- Two Apache Web Server instances, on the same or different hosts, are treated as different records if either of the two parameters "Apache configuration file" or "Apache control command" has a different value for the two instances.
- Two IBM WebSphere instances, on the same or different hosts, are treated as different records if the value of the parameter "unix_websphere_home_dir" differs between them.
- Two JBoss instances, on the same or different hosts, are treated as different records if the value of any of these parameters differs between them: jboss_domain_mode, jboss_home_path, jboss_base_path, jboss_conf_dir_path, jboss_conf_file_path and jboss_conf_host_file_path.
You'll see "Authentication Type [System Created] – ID" for the authentication record name, where Authentication Type is name of the application (Apache Web Server/IBM WebSphere App Server/JBoss server) and ID is a unique record ID for the instance discovered. For example, Apache Web Server [System Created] – 100201.
When new instances are discovered they are added to existing records or new records are created for them, depending on their settings (configuration file, control command, IPs, network if applicable).
Your user created authentication records are not changed, and they are included in scans as long as they are Active.
Yes. New system authentication records are always created for all running instances discovered when the option profile for the scan has the "Allow instance discovery and system record creation" option enabled. If you already have a user created record with the same settings, the system makes no changes to it. The user created record is included in scans by default. Edit the option profile if you prefer to use system created records in the case of duplicates.
Instances are reported for the host:
- For each instance reported, we check whether a system record exists with the instance configuration.
- If a record is found for the instance and it already includes the host's IP, there is no change.
- If a record is found for the instance but it doesn't include the IP, we add the IP to the record.
- If no record is found for the instance, we create a new system record for the instance and IP.
No instances are reported for the host:
- The host's IP is removed from all existing system records that have the IP.
Fewer instances are reported than in the previous scan (instances are brought down):
- The host's IP is removed from the system records for the instances that are no longer running.
More instances are reported than in the previous scan (instances are brought up):
- We look at each reported instance to see if a system record already exists. If a record exists, we add the host's IP to the record (if not already included). If a record does not exist, we create a new system record for the instance and IP.
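The identity rules above (which parameter values make two instances different records) and the per-host update rules, as an added worked example that is not Qualys code. It keys each discovered instance on the identity parameters (the jboss_* and unix_websphere_home_dir names are from this page; apache_config_file and apache_control_command are the example's own names for "Apache configuration file" and "Apache control command"), replays two discovery scans through the four per-host cases, and then applies the option profile rules for which Active records an assessment scan uses (user record preferred over a duplicate system record unless the profile says otherwise). All host IPs, paths, record IDs and the user name "alice" are constructed sample values.

```python
"""Added worked example, not Qualys code: a model of how discovery scan data is
consolidated into system-created authentication records and of which records an
assessment scan then uses. Hosts, paths, IDs and user name are constructed."""
from dataclasses import dataclass, field

# Parameters whose values make two instances different records. The JBoss and
# WebSphere names are the page's; the two Apache keys are this example's own.
IDENTITY_FIELDS = {
    "Apache Web Server": ("apache_config_file", "apache_control_command"),
    "IBM WebSphere App Server": ("unix_websphere_home_dir",),
    "JBoss server": ("jboss_domain_mode", "jboss_home_path", "jboss_base_path",
                     "jboss_conf_dir_path", "jboss_conf_file_path",
                     "jboss_conf_host_file_path"),
}

def instance_key(app, params):
    """Identity of an instance configuration: application plus identity values."""
    fields = IDENTITY_FIELDS[app]                 # KeyError for unsupported apps
    missing = [f for f in fields if f not in params]
    if missing:
        raise ValueError(f"{app}: missing identity parameter(s) {missing}")
    return (app,) + tuple(params[f] for f in fields)

@dataclass
class AuthRecord:
    record_id: int
    key: tuple                  # from instance_key()
    owner: str = "System"       # auto-created records are owned by "System"
    ips: set = field(default_factory=set)
    active: bool = True
    @property
    def name(self):             # e.g. "Apache Web Server [System Created] - 100201"
        tag = "[System Created] " if self.owner == "System" else ""
        return f"{self.key[0]} {tag}- {self.record_id}"

def consolidate(system_records, discovery, next_id):
    """Apply one discovery scan in place. discovery maps host IP -> list of (app,
    params) found running there; [] means the host reported no instances."""
    by_key = {r.key: r for r in system_records}
    for ip, instances in discovery.items():
        running = set()
        for app, params in instances:
            key = instance_key(app, params)
            running.add(key)
            rec = by_key.get(key)
            if rec is None:                       # no record yet: create one
                rec = AuthRecord(next_id, key)
                next_id += 1
                system_records.append(rec)
                by_key[key] = rec
            rec.ips.add(ip)                       # no-op if already included
        for rec in system_records:                # brought down, or none at all:
            if rec.key not in running:            # drop this host's IP
                rec.ips.discard(ip)
    return next_id                                # next unused record ID

def records_for_assessment(records, include_system=True, prefer_system=False):
    """Active records an assessment scan uses: user records always, system records
    only if included; for a duplicate configuration the user record wins by default."""
    chosen = {}
    for rec in records:
        if not rec.active or (rec.owner == "System" and not include_system):
            continue
        if rec.key not in chosen or (rec.owner == "System") == prefer_system:
            chosen[rec.key] = rec
    return sorted(chosen.values(), key=lambda r: r.record_id)

def apache(conf, ctl):
    return ("Apache Web Server",
            {"apache_config_file": conf, "apache_control_command": ctl})

# Constructed sample: three distinct Apache configurations across four hosts.
DEFAULT = apache("/etc/httpd/conf/httpd.conf", "/usr/sbin/apachectl")
APP_TIER = apache("/opt/app/apache/conf/httpd.conf", "/opt/app/apache/bin/apachectl")
DEBIAN = apache("/etc/apache2/apache2.conf", "/usr/sbin/apache2ctl")
SCAN_1 = {"10.0.0.1": [DEFAULT], "10.0.0.2": [DEFAULT, APP_TIER],
          "10.0.0.3": [DEFAULT], "10.0.0.4": [DEBIAN]}
# Later scan: APP_TIER brought down on .2, .3 reports nothing, .1 adds DEBIAN.
SCAN_2 = {"10.0.0.1": [DEFAULT, DEBIAN], "10.0.0.2": [DEFAULT],
          "10.0.0.3": [], "10.0.0.4": [DEBIAN]}

def run_discovery_scans():
    """Run both scans in order; return {record name: sorted IPs} after each."""
    records = []
    next_id = consolidate(records, SCAN_1, next_id=100201)
    after_1 = {r.name: sorted(r.ips) for r in records}
    consolidate(records, SCAN_2, next_id)
    after_2 = {r.name: sorted(r.ips) for r in records}
    return after_1, after_2, records

def assessment_demo():
    """Deactivate the emptied record, add a user record duplicating DEFAULT, and
    return the record IDs used under three option profile settings."""
    _, _, records = run_discovery_scans()
    next(r for r in records if not r.ips).active = False   # Actions > Deactivate
    records.append(AuthRecord(5, instance_key(*DEFAULT), owner="alice",
                              ips={"10.0.0.1", "10.0.0.2"}))
    ids = lambda recs: [r.record_id for r in recs]
    return (ids(records_for_assessment(records)),
            ids(records_for_assessment(records, prefer_system=True)),
            ids(records_for_assessment(records, include_system=False)))
```

After the first scan the model holds three system records, as the Apache walkthrough above describes: the default configuration covering three hosts, the application-tier configuration on one host, and the Debian-style configuration on one host. After the second scan the application-tier record is left with no IPs (its instance was brought down), the default record loses the host that reported nothing, and the Debian record gains a host. The `records_for_assessment` calls then show the three profile outcomes: the user record replaces its duplicate system record by default, the system record is used when system records are preferred, and only user records are used when system records are not included.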
Yes, and this is recommended. You can use Scan by Policy to perform compliance assessment on assets in a policy. We recommend you include system created authentication records. This is the only way to ensure that all active authentication records (system and user created) will be used for the compliance assessment.
No. These options cannot be used together. Compliance assessment data is not collected for instance discovery scans.
No. System authentication records cannot be edited by users. You can change the record status (Active, Inactive) from the Actions menu above the data list.
Yes. Users with permission to create/edit authentication records can also delete authentication records, including system records. Tip - You may choose to make system records Inactive. Inactive records are not included in any scans.
Go to your option profile and clear the option "Allow instance discovery and system record creation" under System Authentication Records. When cleared, new system records will not be created.
No problem. Take one of these actions:
- Deactivate system records. Use the search feature above your authentication records list to find all records with creation type "System created". Then select the records and choose Deactivate from the Actions menu.
- In your compliance profile, clear the option "Include system created authentication records in scans". When cleared, only user created authentication records are included in scans. Keep in mind that existing compliance scan data will remain in your account. Purge hosts to remove all host information.