This topic provides orientation on automated collections used in the analysis phase of a risk management project. In these projects, evidence of flaws in the security configurations of technology assets can be collected and stored automatically, and this information is then used to automatically answer certain controls in the questionnaire. Controls answered automatically from the collected information are marked with the () icon in the far-right column of the questionnaire.
The system uses collector servers to manage and run these evidence collections. An authorized user can send requests for collections to the servers directly from the system. The request can be scheduled so that it is run at the most convenient time when the target machines are not being heavily used. The collector server receives these requests, schedules the requests made for each asset component in the project, runs the collections through the OVAL engine in the collector server, and, when finished, sends the results to the system. Periodically, the system will check if the collection that was requested was finished in order to receive the results. As the collections are managed and run by the collector server, at least one collector server must be registered in the system.
Note that only asset components associated with knowledge bases supporting automated collections enable this feature in the system. These collections are passive, and no information is modified in the target machines that are analyzed. In addition to knowledge bases that support collections, a separate license for automated collections is also necessary. System installation users without valid automated collection licenses can access knowledge bases that support collections, but cannot use the collection feature. For more information about obtaining a license for automated collections, contact your account manager.
Assets analyzed by automated collectors are technology assets comprised of operating systems and various applications. As there may be many workstations and servers on a local network, the host names for the assets that were included in the scope of the project must be provided so that they can be sent to the collector server.
So that the collector server can connect to the target machines, it must have high-privilege credentials (username and password) so that all the security configurations can be read without generating errors. These credentials are registered in the Administration module, and this will allow the collector server to access the assets whose configurations will be analyzed. In some cases, the port to be used by the collector server to access the target machine can also be specified.
To request a collection in a project, the credentials (which will allow access to the assets) and the collector server (which should have modSIC, Modulo's collector service, installed and which should be able to communicate with the assets) must be registered beforehand. The server and the asset must be able to communicate; that is, the target machines cannot be turned off, blocked by firewalls, or anything else that would hinder communication. The connection between the collector server and the target machine can be tested to avoid sending collection requests to unavailable target machines. When a collection is requested, a confirmation window is displayed with some instructions to help ensure the collection is successful.
Communication between the system and the collector server involves the exchange of certain files that follow OVAL (Open Vulnerability and Assessment Language): one is the OVAL Definitions file, which contains information on the expected state of the configurations in the target machine; the other is the OVAL System Characteristics file, which contains the actual configurations found in the target machine; and the third is the OVAL Results file, which stores the results of the collection.
In short, the process for an automated collection is as follows:
1. When a collection is requested, the system provides the collector server with some information on the structure of the organization, for example the host addresses of the in-scope assets that will be analyzed. The OVAL Definitions (the best practices or expected configurations for the asset components to be analyzed) are also sent, together with the scheduling details.
2. The collector server receives the information sent by the system along with the OVAL definitions, manages the collection schedule, and, when appropriate, activates the OVAL collection engine to run the collection.
3. Once the credentials are received, the OVAL engine in the collector server accesses the assets and begins analyzing the configurations of their asset components. This process does not require the installation of any agent or software component in the assets – all of this takes place transparently and automatically, as long as the credentials provided are valid and the engine is able to connect to the asset to be analyzed.
4. When the collection is finalized, the information obtained is formatted and a file (OVAL System Characteristics) is generated for each asset component analyzed. This file is sent back to the system.
5. When the various files with collection data are received, the system processes them by comparing the OVAL Definitions file (the expected configurations of the target machine) with the OVAL System Characteristics file (the actual state of the configurations found in the target machine); this comparison produces an OVAL Results file. Based on this results file, the system automatically modifies the status of the questionnaire controls that refer to the analyzed asset component. When the status of a control cannot be changed automatically, the system displays the evidence on the configurations found to help the analyst complete the questionnaire.
For details on registering collector servers, see Chapter 17: Administration -> Settings -> Collector Servers. For details on registering credentials for the collector server to access the target machines, see Chapter 17: Administration -> Settings -> Credentials.
Note: In addition to remote automated collections managed by the system's collector service (modSIC), you can also import the OVAL Results or System Characteristics file for a certain asset component to answer questionnaire controls. In this case, the OVAL Definitions file from the knowledge base associated with the asset component added to the scope of the project must be exported. You can then run the collection locally with this OVAL Definitions file on the target machine using a third-party OVAL interpreter. Instead of scheduling a collection, you simply import the results on the Automated Collection page in the analysis phase of the project. The system validates the file and uses its results to answer the controls automatically. Only Results or System Characteristics files generated from OVAL Definitions originating in the system will pass validation. No collection parameters need to be provided in this case, but it is important to ensure that the results you import correspond to the asset component in question and not to any other.
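The comparison in step 5 and the validation of an imported file in the note above, as an added illustration that is not the system's or modSIC's own code: a deliberately simplified model of the three OVAL files (constructed sample documents, not the real OVAL 5.x schemas or namespaces), in which an expected state is compared with the collected state, unreadable settings are left for the analyst, and a System Characteristics file that references objects the exported definitions never declared is rejected. Element names, `control` attributes and the status labels are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-ins for OVAL Definitions and System Characteristics; real OVAL is far richer.
DEFINITIONS_XML = """<oval_definitions>
  <definition id="oval:ex:def:1" control="CTRL-12"><criteria operator="AND">
    <criterion test_ref="oval:ex:tst:1"/><criterion test_ref="oval:ex:tst:2"/>
  </criteria></definition>
  <definition id="oval:ex:def:2" control="CTRL-30"><criteria operator="OR"><criterion test_ref="oval:ex:tst:3"/></criteria></definition>
  <test id="oval:ex:tst:1" object_ref="oval:ex:obj:1" expected="0"/>
  <test id="oval:ex:tst:2" object_ref="oval:ex:obj:2" expected="14"/>
  <test id="oval:ex:tst:3" object_ref="oval:ex:obj:3" expected="1"/>
</oval_definitions>"""

CHARACTERISTICS_XML = """<oval_system_characteristics>
  <item object_ref="oval:ex:obj:1" value="0"/>
  <item object_ref="oval:ex:obj:2" value="7"/>
  <item object_ref="oval:ex:obj:3" status="not collected"/>
</oval_system_characteristics>"""

STATUS = {"true": "Compliant", "false": "Non-compliant", "unknown": "Needs analyst review"}

def stray_objects(definitions_xml, characteristics_xml):
    """Object refs in the characteristics file that these definitions never declared (non-empty = reject)."""
    known = {t.get("object_ref") for t in ET.fromstring(definitions_xml).iter("test")}
    seen = {i.get("object_ref") for i in ET.fromstring(characteristics_xml).iter("item")}
    return seen - known

def _test_outcome(test, items):
    item = items.get(test.get("object_ref"))
    if item is None or item.get("status") == "not collected":
        return "unknown"          # the collector could not read this setting
    return "true" if item.get("value") == test.get("expected") else "false"

def _combine(operator, outcomes):
    if operator == "AND":
        if all(o == "true" for o in outcomes): return "true"
        return "false" if "false" in outcomes else "unknown"
    if "true" in outcomes: return "true"   # OR
    return "false" if all(o == "false" for o in outcomes) else "unknown"

def evaluate(definitions_xml, characteristics_xml):
    """Compare expected with actual state and return {control: status}, as the results file is used in step 5."""
    if stray_objects(definitions_xml, characteristics_xml): raise ValueError("file does not match these definitions")
    defs = ET.fromstring(definitions_xml)
    tests = {t.get("id"): t for t in defs.iter("test")}
    items = {i.get("object_ref"): i for i in ET.fromstring(characteristics_xml).iter("item")}
    status = {}
    for d in defs.iter("definition"):
        crit = d.find("criteria")
        outcomes = [_test_outcome(tests[c.get("test_ref")], items) for c in crit.iter("criterion")]
        status[d.get("control")] = STATUS[_combine(crit.get("operator"), outcomes)]
    return status
```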