Configure Your Scan Option Profile

You choose an option profile with compliance scan settings every time you start a compliance scan. The profile defines the settings you want to use.

How do I make the profile available to others?

Make it global. Global profiles created by Managers are made available to all users in the subscription. Global profiles created by Unit Managers are made available to all users in their business unit. If a user has permission to create option profiles, then the user also has permission to save personal copies of global profiles published by their Managers in order to use them as a baseline for new option profiles.

Tell me about the default profile

It's best practice to apply the same set of options across scan tasks to ensure compliance with corporate security policies and accurate trend reporting. A default option profile is defined for this reason. The service provides an initial default option profile called "Initial Options" which may be customized and renamed. There is one default profile for the subscription. Any Manager can select a new profile as the default.

How do I change the owner?

The user who creates a profile is set as the initial owner. Managers and Unit Managers can edit a profile in order to change the owner. The possible assignees listed in the Owner menu depend on the global status of the profile, the role of the manager making the change, and the current owner's role and business unit. Only users with the manage compliance permission can own the profile.

Select ports to scan

We perform a targeted scan by default, which means we scan a smaller set of ports than the standard ports list. This is the recommended setting, and it is the initial setting for a new compliance profile.

Select controls to scan (scan by policy)

When you run a compliance scan we scan for all controls in the controls list (except the special control types listed in the Control Types section - you must explicitly select these). The Scan by Policy option allows you to restrict your scans to the controls in selected policies. You can choose up to 20 policies, one policy at a time. Once you've selected a policy, all controls in that policy will be scanned, including any special control types in the policy, regardless of the Control Types settings in the profile.

System Authentication Records

Allow the system to create Apache Web Server authentication records automatically using the scan data discovered for running instances. Then choose whether to include system-created authentication records in scans.

File Integrity Monitoring

If you've created File Integrity Check controls with the option "Use scan data as expected value" enabled, then you'll want to choose "Auto Update expected value" in the profile. This allows us to automatically update the control value after a valid file change. Be sure to also select "File Integrity Monitoring controls enabled" under Control Types in the profile.

Scan special control types

These special control types require additional steps to set up. For example, to perform file integrity monitoring you must add user defined controls that specify the files you want to track.

Select each control type you want to include in the scan:

File Integrity Monitoring

Custom WMI Query Checks

Tell me about the dissolvable agent

The Dissolvable Agent (Agent) is required for certain scan features (like Password Auditing, Windows Share Enumeration and Windows Directory Search). It must be accepted for the subscription - a Manager can do this by going to Scans > Setup > Dissolvable Agent. Once a Manager has accepted it, any user with scan permissions can enable the dissolvable agent for their scans - you just configure the option profile and select "Enable the Dissolvable Agent". How does it work? At scan time, the Agent is installed on Windows devices to collect data, and once the scan is complete it removes itself completely from the target systems.

Password Auditing

Use Password Auditing to check for the service-provided password auditing controls (control IDs 3893, 3894 and 3895). These controls are used to identify 1) user accounts with empty passwords, 2) user accounts with the password equal to the user name, and 3) user accounts with passwords equal to an entry in a user-defined password dictionary.
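The three checks described above, as an added example that is not the service's own code: given an account list and a password dictionary, it reports which accounts fail which control. The account data, the dictionary and the use of SHA-256 as the stored password digest are all constructed assumptions for this example (real systems store passwords in other formats); the comparison works by hashing each candidate and comparing digests, so the auditor never needs the plaintext of a stored password.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Control IDs for the service-provided password auditing controls (from the page).
CID_EMPTY_PASSWORD = 3893
CID_EQUALS_USERNAME = 3894
CID_IN_DICTIONARY = 3895


def _digest(password: str) -> str:
    """Hash a candidate password. SHA-256 is an assumption made so the
    example runs offline; adapt to the format your account store uses."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample account list: user name -> stored password digest.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "svc_backup": _digest(""),            # empty password
    "jdoe": _digest("jdoe"),              # password equals the user name
    "appadmin": _digest("Welcome123"),    # appears in the dictionary below
    "auditor": _digest("x7#Rq2!pLm9vZ"),  # should not be flagged
}

# Constructed user-defined password dictionary.
SAMPLE_DICTIONARY: List[str] = ["Welcome123", "Password1", "changeme"]


def audit_passwords(accounts: Dict[str, str],
                    dictionary: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return one (user name, control ID, reason) tuple per failed check.

    An account can fail more than one control, e.g. a user whose name is
    also a dictionary entry fails both 3894 and 3895.
    """
    empty_digest = _digest("")
    # Hash the dictionary once up front rather than once per account.
    dictionary_digests = {_digest(word) for word in dictionary}
    findings: List[Tuple[str, int, str]] = []
    for user, stored in accounts.items():
        if stored == empty_digest:
            findings.append((user, CID_EMPTY_PASSWORD, "empty password"))
        if stored == _digest(user):
            findings.append((user, CID_EQUALS_USERNAME, "password equals user name"))
        if stored in dictionary_digests:
            findings.append((user, CID_IN_DICTIONARY, "password found in dictionary"))
    return findings


if __name__ == "__main__":
    for user, cid, reason in audit_passwords(SAMPLE_ACCOUNTS, SAMPLE_DICTIONARY):
        print(f"{user}: fails control {cid} ({reason})")
```

Because only digests are compared, the dictionary can be kept hashed at rest and the account export never has to contain plaintext; the trade-off is that the "equals user name" check is exact, so a variant such as a different letter case would need its own candidate.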

Windows Share Enumeration

Use Windows Share Enumeration to find Windows shares that are readable by everyone, and report details about them like the number of files for each share on each host (Control ID 4528) and whether the files are writable. This is good for identifying groups of files that may need tighter access control. Please make sure a Windows authentication record is defined for the hosts you want to scan.

Windows Directory Search

Select this option if you've set up Windows Directory Search controls and want to include them in the scan. This custom control allows you to search for files and directories based on various criteria like file name and user access permissions.

Tell me about performance settings

A performance level of Normal is selected initially. This is recommended for most cases. Click Configure to change the individual settings or to select a different performance level. To customize the settings, choose the Custom level.

Ignore certain packets

If you want to ignore certain packets, enable the packet options in the Additional section:

Ignore RST packets

Ignore firewall-generated SYN-ACK packets

Do not send ACK or SYN-ACK packets during host discovery

Worried about triggering your IDS?

If our scan triggers your IDS, then it will likely be firewalled and we won't be able to continue our search for vulnerabilities on your network. Therefore, we need to know which IPs you have protected and which ports are blocked. Go to the Blocked Resources section and select the ports that are blocked and IP addresses that are protected by your firewall/IDS.

Tell me about settings for Database Controls

You can set a limit on the number of rows to be returned per scan for the user-defined database controls. The default value for MS SQL Database checks is 256 rows and for Oracle Database checks is 5000 rows.

Tell me about Optimized Agent Data Processing for Policies Setup

To enhance data processing you can choose to store only the information collected by the cloud agent scan that is required to process the account's applicable policies. Navigate to Users > Setup > Optimized CA Data Processing and enable the Optimize Agent Data Processing for Policies option. Once enabled, we'll only consider the information collected for controls that are relevant to the policies in your subscription. If new controls are added to a policy, then you won't have data available immediately. You'll need to wait until the next agent scan to collect and process data for those controls. Only Managers can enable or disable this option.