
Policy: CPE-based Checks

CPE stands for Common Product Enumeration. It is a structured naming scheme for information technology systems, platforms, and packages.

In other words: CPE provides a unique identifier for virtually any software product for which a vulnerability is known.

The CPE dictionary is maintained by MITRE and NIST. MITRE also maintains CVE (Common Vulnerability Enumeration) and other relevant security standards.

CPE-based, simple checks for security policies


With any executed scan, CPEs for the identified products are stored. This happens independently of whether the product actually reveals a security problem or not.

On this basis it is possible to describe simple security policies and the checks for compliance with these.

With the Greenbone Security Manager it is possible to describe policies to check for the presence as well as for the absence of a product. These cases can be associated with a severity to appear in the scan report.

Checking policy compliance


This example demonstrates how to check the compliance of a policy regarding specific products in an IT infrastructure and how the results can be reported with the corresponding severity.

  1. The information about whether a certain product is present on the target system is gathered by a single Network Vulnerability Test (NVT) or even independently by a number of special NVTs.

    This means that for a certain product you can specify an optimized scan configuration that only concentrates on this product and does not do any other scan activity.

    The advantage of such a special scan configuration is a considerably faster execution of the scan compared to a comprehensive scan configuration such as "Full and Fast".

    The disadvantage of a special scan configuration is that some experience is required to select the right set of NVTs to maximize the probability of success.

    Initially it is easier to apply a comprehensive scan configuration. In this case it is not necessary to care about the nature of the product, you just enter its CPE identifier.

    This example follows the simple approach. First, a copy of "Full and Fast" is created. This is necessary because "Full and Fast" is a pre-configured scan configuration and thus can not be modified.

  2. Edit the newly created scan configuration by clicking on its edit icon.

  3. On the overview page for this scan configuration you will find a section "Network Vulnerability Test Preferences". Here, all NVTs that allow special configuration are listed. With the edit icon next to an NVT you can jump directly to the edit dialog for that NVT. This short-cut avoids having to click through the family structure to get to the desired NVT (the NVTs used here are in the family "Policy").

  4. You can either specify a single CPE directly or a list of CPEs in a file which must be imported afterwards (through clicking on "Browse" to select the file and selecting "Upload file"). Below is an example for checking for Internet Explorer 9 and ClamAV 0.98:

    cpe:/a:microsoft:ie:9
    cpe:/a:clamav:clamav:0.98

    For this example we have a policy where the stated CPEs must be present to comply. This means we especially want to know whether there are installations which violate this policy (e.g. missing or wrong products/versions).

    Confirm your changes with "Save Config".

  5. Policy checks report the results in general as "Log" messages. If you want to change this you have to create an override. In this example violations of the policy should be reported with an elevated severity.

    For this a new override has to be created through the "Scan Management". The OID in this case will be "1.3.6.1.4.1.25623.1.0.103964" (for the NVT "CPE-based Policy Check Violations") and a new severity of 5.0 (Medium) will be set.

  6. In case the detection efficiency should be increased by applying local security checks it is required to configure remote access via the "Credentials" feature. If not done yet, create a corresponding user account on the Windows systems (a low privileged user account is sufficient).

  7. Define the target systems (targets) and, if applicable, choose the respective credentials.

  8. Now you can create the actual task. This means to combine the newly created scan configuration with the newly created targets.

  9. The scan is started by clicking on the start icon of the respective task. It can take a while for the scan to complete. To update the view with the current progress, click on the refresh icon.

  10. As soon as the status changes to "Done" the complete report is available. At any time you can review the intermediate results.

    To only show the results of the CPE-based policy checks, you can apply a suitable filter (search text "cpe").

  11. In this example ClamAV 0.98 was found on one of the target systems and reported as a log message.

    Internet Explorer 9, on the other hand, has not been found on the target system, which is reported as a medium risk as defined in the override.

Finding problematic products


This example demonstrates how the presence of a certain product in an IT infrastructure is classified as a severe problem and reported as such.

  1. Execute steps 1 to 3 of the method described above for checking policy compliance.

    Note that when choosing a general scan like "Full and Fast" both cases are treated the same, presence of the product as a running service and presence of the product on a hard drive.

    This essentially means that if you want to ensure the desired product indeed runs as a service you should avoid running NVTs that check for the simple presence on the file system or in a registry. If you don't want to go into such details right now, you still have the option to look into the report details in order to check for false positives and false negatives.

  2. This time a single CPE (Internet Explorer 6) will be searched.

    In this case we have to set that the entered CPE must be "present".

    Confirm your changes with "Save Config".

  3. Policy checks report the results in general as "Log" messages. If you want to change this you have to create an override. In this example violations of the policy should be reported with an elevated severity.

    For this, a new override has to be created through the "Scan Management". The OID in this case will be "1.3.6.1.4.1.25623.1.0.103963" (for the NVT "CPE-based Policy Check OK") and a new severity of 10.0 (High) will be set.

  4. In case the pure presence of a product should be considered, you should apply local security checks by configuring remote access via the "Credentials" feature. Execute steps 6 to 9 in the example above to enable local security checks, to create a new task with the target systems and to start it.

  5. As soon as the status changes to "Done" the complete report is available. At any time you can review the intermediate results.

    To only show the results of the CPE-based policy checks, you can apply a suitable filter (search text "cpe").

  6. In this example Internet Explorer 6 was found on one of the target systems and reported as a severe problem as defined in the override.

Detecting absence of important products


This example shows how the absence of a certain product in your IT infrastructure is defined as a severe problem and reported as such.

  1. Execute steps 1 to 3 of the above described method for finding problematic products.

    Note that when choosing a general scan like "Full and Fast" both cases are treated the same, presence of the product as a running service and presence of the product on a hard drive.

    This essentially means that if you want to ensure the desired product indeed runs as a service you should avoid running NVTs that check for the simple presence on the file system or in a registry. If you don't want to go into such details right now, you still have the option to look into the report details in order to check for false positives and false negatives.

  2. This time the configuration of "CPE-based Policy Check" will be set up to check if Norton Antivirus is present on the target system. In this case it will be reported if it is "missing".

  3. Policy checks report the results in general as "Log" messages. If you want to change this you have to create an override. In this example violations of the policy should be reported with an elevated severity.

    For this, a new override has to be created through the "Scan Management". The OID in this case will be "1.3.6.1.4.1.25623.1.0.103963" (for the NVT "CPE-based Policy Check OK") and a new severity of 10.0 (High) will be set.

  4. For simply checking whether a product is installed, local security checks can improve the detection rate. If only running network services should be searched for, they normally do not help but rather increase the number of false positives.

    Execute steps 6 to 9 in the example "Checking policy compliance" to enable local security checks, to create a new task with the target systems and to start it.

  5. As soon as the status changes to "Done" the complete report is available. At any time you can review the intermediate results.

    To only show the results of the CPE-based policy checks, you can apply a suitable filter (search text "cpe").

  6. In this example Norton Antivirus was not found on one of the target systems.
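The following added example (not Greenbone code) models how the three procedures above turn stored CPEs, a "present"/"missing" condition and an override into a reported severity. It parses CPE 2.2 URIs, reads a CPE list file as uploaded in step 4, and assigns results to the "OK" and "Violations" NVT OIDs quoted above; the prefix-matching rule for CPEs without a version, the host inventory and the Norton CPE are assumptions constructed for the example.

```python
"""Model of the CPE-based policy checks described above (added example)."""

# NVT OIDs quoted in the examples above
OID_POLICY_OK = "1.3.6.1.4.1.25623.1.0.103963"         # "CPE-based Policy Check OK"
OID_POLICY_VIOLATION = "1.3.6.1.4.1.25623.1.0.103964"  # "CPE-based Policy Check Violations"
LOG_SEVERITY = 0.0  # results are plain "Log" messages unless an override applies


def parse_cpe(uri):
    """Split a CPE 2.2 URI such as cpe:/a:microsoft:ie:9 into its components."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if fields[0] not in ("a", "o", "h"):  # application, operating system, hardware
        raise ValueError("unknown CPE part in %r" % uri)
    return fields


def load_cpe_list(text):
    """Read a CPE list file as uploaded in step 4: one CPE per line, blanks ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def cpe_matches(policy_cpe, detected_cpe):
    """Assumption: a policy CPE matches when every component it names equals the
    detected one, so cpe:/a:microsoft:ie (no version) matches any IE version."""
    p, d = parse_cpe(policy_cpe), parse_cpe(detected_cpe)
    return len(p) <= len(d) and all(x == y for x, y in zip(p, d))


def check_policy(detected_cpes, policy, overrides):
    """policy: list of (cpe, condition) with condition 'present' or 'missing';
    detected_cpes: CPEs stored for one host by the scan;
    overrides: {NVT OID: severity}, mirroring the overrides created above.
    A CPE whose condition holds is reported by the "OK" NVT, otherwise by the
    "Violations" NVT; the severity is the override for that NVT, else Log."""
    results = []
    for cpe, condition in policy:
        found = any(cpe_matches(cpe, d) for d in detected_cpes)
        holds = found if condition == "present" else not found
        oid = OID_POLICY_OK if holds else OID_POLICY_VIOLATION
        results.append({"cpe": cpe, "found": found, "condition_holds": holds,
                        "oid": oid, "severity": overrides.get(oid, LOG_SEVERITY)})
    return results


if __name__ == "__main__":
    # Constructed host inventory: ClamAV 0.98 present, Internet Explorer 9 absent
    host = ["cpe:/a:clamav:clamav:0.98", "cpe:/o:microsoft:windows_7"]
    policy = [(c, "present") for c in load_cpe_list("cpe:/a:microsoft:ie:9\ncpe:/a:clamav:clamav:0.98\n")]
    for r in check_policy(host, policy, {OID_POLICY_VIOLATION: 5.0}):
        print(r)  # IE 9 -> Violations NVT, severity 5.0; ClamAV -> OK NVT, Log
```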