Reporting Toolbox - Trust, but Verify: Focused Search Lists

Document created by DMFezzaReed (Employee) on May 11, 2018. Last modified by DMFezzaReed (Employee) on Jul 24, 2018. Version 13.

This page contains a number of reporting search lists that, when added to a routine reporting cycle, will help support a successful Vulnerability Management program. Adding these focused search lists to your routine reporting cycle (daily, weekly, monthly, quarterly, etc.) makes it possible to track, and quickly spot-check, relevant indicators in your environment.


Below is a summary of the information contained in this document:


Trust, but Verify: Authentication Without Validation Is Naïve

  • Administrator Account Reporting - Static 
  • Guest Account Reporting - Dynamic - Title: Guest
  • Default Credential Reporting - Dynamic - Title: Default Credentials
  • Authentication Information - Dynamic - Multiple Fields (See Image)

Audit Preparedness

  • Network Time Protocol (NTP) Reporting - Dynamic - Title: Network Time Protocol
  • Knowledge Base Edit Tracking - Dynamic - Search List Option Box (See Image)

Trust, but Verify: We Reboot Our Assets on a Routine Interval

  • Uptime Reporting - Static
  • Microsoft Pending Reboot - Static

Trust, but Verify: Our Release Management Program is Maintained at N-1

  • EOL/Obsolete Software - Dynamic - Title: EOL/Obsolete Software
  • EOL/Obsolete Hardware - Dynamic - Title: EOL/Obsolete Hardware
  • EOL/Obsolete Operating System - Dynamic - Title: EOL/Obsolete Operating System

Trust, but Verify: Enumerations

  • Assessment Information Gathered - Enumeration of the Details - Dynamic - Title: Enumerations

Trust, but Verify: CPE Search Lists

  • Application Detections - Dynamic - CPE: Application
  • Hardware Detections - Dynamic - CPE: Hardware
  • Operating System Detections - Dynamic - CPE: Operating System

Trust, but Verify: Installed Software/Application Search List (new, Jul 24, 2018)

-----

Trust, but Verify: Authentication Without Validation Is Naïve

Administrator Account Reporting - Static (updated)

  • Administrator Account's Password Does Not Expire (Q90080)
  • Default Windows Administrator Account Name Present (Q90081)
  • Unix Users With root UserID (Q105139)
  • Unix Users With root GroupID (Q105140)
  • UNIX Daemon/Services Listed Under Root User (Q45241)

Guest Account Reporting - Dynamic - Title: Guest

  • Enabled Guest Access to Security Log (Q90017)
  • Enabled Guest Access to System Log (Q90018)
  • Enabled Guest Access to Application Log (Q90016)
  • Apple Filing Protocol Guest Access Enabled (Q38037)
  • Built-in Guest Account Not Renamed at Windows Target System (Q105228)
  • Guest Account Accessible to FTP Server (Q27161)
  • Real Name of Built-in Guest Account Enumerated (Q90266)
  • Guest Account Not Disabled (Q105232)

Default Credential Reporting - Dynamic - Title: Default Credentials

  • Open Source Point of Sale (OSPOS) Using Default Credentials (Q11633)
  • Juniper EX Series Switch J-Web Accessible Using Default Credentials (Q11847)
  • pfSense Admin Console Accessible Using Default Credentials (Q11821)
  • IBM Integrated Management Module (IMM) Interface Accessible via Default Credentials (Q12706)
  • VMware ESXi Server Accessible Using Default Credentials (Q11507)
  • Seagate Central Accessible Via Default Credentials (Q43029)
  • Citrix Netscaler Web Management Interface Accessible Using Default Credentials (Q12929)
  • Apache Tomcat Web Application Manager Accessible Using Default Credentials (Q86857)
  • American Power Conversion (APC) Web/SNMP Management SmartSlot Card Accessible via Default Credentials (Q43431)
  • Web Server / Web Application Accessible Via Default Credentials (Q10693)
  • Silver Peak VX Accessible Using Default Credentials (Q13053)
  • Solus Virtual Manager Accessible Using Default Credentials (Q12702)
  • McAfee Asset Manager Accessible Using Default Credentials (Q12907)
  • F5 BIG-IP Management Interface Accessible Via Default Credentials (Q42417)
  • Nokia Firewall Web interface Accessible Using Default Credentials (Q43246)
  • Apache Sling Admin Page Accessible via Default Credentials (Q12587)
  • Schweitzer Engineering Laboratories (SEL) Controller Accessible Using Default Credentials (Q43225)
  • Rockwell Automation / Allen-Bradley MicroLogix PLC Web Server Accessible Using Default Credentials (Q43223)
  • Schneider Modicon Quantum Telnet Server Accessible Using Default Credentials (Q43221)
  • Schneider Modicon Quantum Web Server Accessible Using Default Credentials (Q43220)
  • Schneider Modicon Quantum FTP Server Accessible Using Default Credentials (Q43222)
  • Yak! Chat Client FTP Server Default Credentials Vulnerability (Q27202)
  • Apache ActiveMQ Admin Console Accessible Using Default Credentials (Q11804)
  • Unitrends Enterprise Backup Accessible Using Default Credentials (Q12928)
  • Oracle Enterprise Manager Accessible Using Default Credentials (Q12705)
  • Scrutinizer Accessible Using Default Credentials (Q12590)
  • XAMPP FTP Server Accessible Using Default Credentials (Q27358)
  • Pandora FMS Accessible Using Default Credentials (Q12565)
  • Oracle GlassFish Server Accessible Using Default Credentials (Q87106)
  • Apache OFBiz Accessible Using Default Credentials (Q12563)
  • Oracle WebLogic Accessible Using Default Credentials (Q12562)
  • Google Urchin Accessible Using Default Credentials (Q12560)
  • Adobe Document Server Accessible Using Default Credentials (Q12558)
  • AmpJuke Accessible Using Default Credentials (Q12559)
  • JBoss Administration Console Accessible Using Default Credentials (Q87098)
  • Geronimo Console Default Credentials Access (Q12541)
  • Trend Micro InterScan Web Security Suite Accessible Using Default Credentials (Q12599)
  • Recipe Accessible Using Default Credentials (Q11867)


Authentication Information - Dynamic - Multiple Fields (See Image)

If your vulnerability management program includes authentication tracking, I recommend creating custom authentication reports scheduled to run before and after your routine scans. Before-and-after executions are helpful when your team is working to improve authentication success rates.

  • This search list can be customized and/or broken into smaller groups such as:
    • By Authentication Type
    • Successful vs. Failed vs. Not Attempted
    • By Vendor
  • Oracle Authentication Method (Q19129)
  • Oracle Listener Authentication Method (Q19233)
  • DB2 Authentication Method (Q19648)
  • Unix Authentication Method (Q38307)
  • Detected NTLMv2 Authentication method (Q45279)
  • Windows Authentication Method (Q70028)
  • Windows Authentication Method for User-Provided Credentials (Q70053)
  • SMB Shares Readable Without Authentication (Q70062)
  • SNMP Authentication Method (Q78049)
  • Microsoft Windows Network Level Authentication Disabled (Q90788)
  • Windows Authentication Failed (Q105015)
  • Unix Authentication Failed (Q105053)
  • SNMP Authentication Failed (Q105192)
  • Oracle Authentication Failed (Q105193)
  • Windows Authentication Not Attempted (Q105296)
  • Unix Authentication Not Attempted (Q105297)
  • SNMP Authentication Not Attempted (Q105298)
  • Oracle Authentication Not Attempted (Q105299)
  • Oracle Listener Authentication Failed (Q105329)
  • Oracle Listener Authentication Not Attempted (Q105330)
  • DB2 Authentication Not Attempted (Q105420)
  • DB2 Authentication Failed (Q105421)
  • VMware Authentication Failed (Q105441)
  • VMware Authentication Not Attempted (Q105443)
  • Unix Authentication Timeout Occurred (Q115263)
  • VMware Authentication Successful (Q216008)
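As an added example (not part of the original document and not Qualys tooling), the following Python script shows one way to turn this search list into the "Successful vs. Failed vs. Not Attempted" before-and-after metric recommended above. It reads two constructed CSV exports (IP address, QID), maps each QID from the list to an authentication type and outcome, and reports the success rate per type for the pre-fix and post-fix scan. Assumptions: the "Authentication Method" QIDs are treated as indicators of successful authentication, the Unix authentication timeout (Q115263) is counted as a failure, and the CSV layout and host addresses are made up for the example.

```python
"""Classify per-host authentication outcome from two detection exports
(before and after a credential fix) and compute the success rate per
authentication type, using the QIDs from the search list above."""
import csv
import io
from collections import defaultdict

# QID -> (authentication type, outcome). QIDs are the ones listed on this page.
# Assumption: the "Authentication Method" QIDs are treated as successful-auth
# indicators; the Unix timeout QID is counted as a failed attempt.
AUTH_QIDS = {
    19129: ("Oracle", "successful"),
    19233: ("Oracle Listener", "successful"),
    19648: ("DB2", "successful"),
    38307: ("Unix", "successful"),
    70028: ("Windows", "successful"),
    70053: ("Windows", "successful"),
    78049: ("SNMP", "successful"),
    105015: ("Windows", "failed"),
    105053: ("Unix", "failed"),
    105192: ("SNMP", "failed"),
    105193: ("Oracle", "failed"),
    105296: ("Windows", "not attempted"),
    105297: ("Unix", "not attempted"),
    105298: ("SNMP", "not attempted"),
    105299: ("Oracle", "not attempted"),
    105329: ("Oracle Listener", "failed"),
    105330: ("Oracle Listener", "not attempted"),
    105420: ("DB2", "not attempted"),
    105421: ("DB2", "failed"),
    105441: ("VMware", "failed"),
    105443: ("VMware", "not attempted"),
    115263: ("Unix", "failed"),  # timeout treated as failed (assumption)
    216008: ("VMware", "successful"),
}

# If a host reports more than one outcome for the same type, the worst wins.
SEVERITY = {"successful": 0, "not attempted": 1, "failed": 2}


def classify(rows):
    """rows: iterable of dicts with 'ip' and 'qid' keys (one detection each).
    Returns {(ip, auth_type): outcome}; non-authentication QIDs are ignored."""
    status = {}
    for row in rows:
        qid = int(row["qid"])
        if qid not in AUTH_QIDS:
            continue
        auth_type, outcome = AUTH_QIDS[qid]
        key = (row["ip"], auth_type)
        prev = status.get(key)
        if prev is None or SEVERITY[outcome] > SEVERITY[prev]:
            status[key] = outcome
    return status


def success_rate(status):
    """Per authentication type: (hosts authenticated, hosts seen)."""
    counts = defaultdict(lambda: [0, 0])
    for (_, auth_type), outcome in status.items():
        counts[auth_type][1] += 1
        if outcome == "successful":
            counts[auth_type][0] += 1
    return {t: (ok, total) for t, (ok, total) in counts.items()}


def compare(before_csv, after_csv):
    """Return {auth_type: (before_rate, after_rate)}, rates rounded to 2 dp."""
    before = success_rate(classify(csv.DictReader(io.StringIO(before_csv))))
    after = success_rate(classify(csv.DictReader(io.StringIO(after_csv))))
    result = {}
    for t in sorted(set(before) | set(after)):
        b_ok, b_tot = before.get(t, (0, 0))
        a_ok, a_tot = after.get(t, (0, 0))
        result[t] = (round(b_ok / b_tot, 2) if b_tot else 0.0,
                     round(a_ok / a_tot, 2) if a_tot else 0.0)
    return result


# Constructed sample exports (not real scan data): one detection per line.
BEFORE = """ip,qid
10.0.0.1,70028
10.0.0.2,105015
10.0.0.3,105296
10.0.0.4,38307
10.0.0.5,115263
10.0.0.6,105441
"""
AFTER = """ip,qid
10.0.0.1,70028
10.0.0.2,70053
10.0.0.3,70028
10.0.0.4,38307
10.0.0.5,38307
10.0.0.6,216008
"""

if __name__ == "__main__":
    for auth_type, (b, a) in compare(BEFORE, AFTER).items():
        print(f"{auth_type:<16} before {b:.0%}  after {a:.0%}")
```

The "worst outcome wins" rule in classify is deliberate: a host that shows both a method QID and a failed QID for the same type (for example from two credential records) should count against the success rate until the cause is understood.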

Audit Preparedness

Network Time Protocol (NTP) Reporting - Dynamic - Title: Network Time Protocol

This report has proven useful for PCI DSS Requirement 10.4: "Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time."

  • Network Time Protocol Daemon ntpd Multiple Vulnerabilities (Q38665)
  • Network Time Protocol Multiple Security Vulnerabilities (ntp-4.2.8p7) (Q38681)
  • Network Time Protocol Multiple Security Vulnerabilities (ntp-4.2.8p6) (Q38682)
  • Network Time Protocol Multiple Security Vulnerabilities (ntp-4.2.8p5) (Q38683)
  • Network Time Protocol Multiple Security Vulnerabilities (ntp-4.2.8p4) (Q38684)
  • Network Time Protocol Denial of Service Vulnerability (ntp-4.2.8p3) (Q38686)
  • Cisco NX-OS Network Time Protocol Distributed Reflective Denial of Service Vulnerability (Q43033)
  • Cisco IOS Software Network Time Protocol Packet Vulnerability (cisco-sa-20090923-ntp) (Q43166)
  • Cisco IOS Software Multicast Network Time Protocol Denial of Service Vulnerability (cisco-sa-20130925-ntp) (Q43320)
  • Cisco NX-OS Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20160127-ntpd) (Q43479)
  • Cisco IOS Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20160127-ntpd) (Q43480)
  • HPE ArubaOS Network Time Protocol Daemon (NTPD) Multiple Vulnerabilities (ARUBA-PSA-2015-010) (Q43515)
  • Solaris Network Time Protocol (NTP) Service Denial of Service Vulnerability (1021781.1) (Q118182)
  • IBM AIX Network Time Protocol (NTP) Vulnerability (Q122133)
  • IBM AIX Network Time Protocol (NTP) Vulnerability (Q123287)
  • IBM AIX Network Time Protocol (NTPv4) Vulnerability (Q124749)
  • Cisco IOS Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20160603-ntpd) (Q316002)
  • Cisco IOS Software Crafted Network Time Protocol Packets Denial of Service Vulnerability (cisco-sa-20160804-wedge) (Q316021)
  • Cisco Nexus Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20161123-ntpd) (Q316066)
  • Cisco NX-OS Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20160603-ntpd) (Q316122)

Knowledge Base Edit Tracking - Dynamic - Search List Option Box (See Image)

If your vulnerability management program includes editing or disabling vulnerabilities within the knowledge base (KB), it's a good idea to run routine reports on the KB to track this activity. This type of report can be extremely useful for audit tracking. I recommend running two (2) separate reports, one for disabled and one for edited, and scheduling them to run weekly.

Trust, but Verify: We Reboot Our Assets on a Routine Interval

Uptime Reporting - Static

  • Microsoft Windows Last Reboot Date and Time (Q90924)
  • Host Uptime Based on TCP TimeStamp Report (Q82063)
  • Unix Last Reboot Date and Time (Q124145)

Microsoft Pending Reboot - Static

  • Pending Reboot Detected (Q90126)


Trust, but Verify: Our Release Management Program is Maintained at N-1

EOL/Obsolete Software - Dynamic - Title: EOL/Obsolete Software

I have often found that routinely generating this information and sharing it with your client endpoint and systems teams, so they can use the results during release management, maintenance and deployment planning, builds the relationship between security and IT teams. It also helps identify anomalies in an imaged environment.

  • Approximately 276 entries in the Qualys Vulnerability Knowledge Base

EOL/Obsolete Hardware - Dynamic - Title: EOL/Obsolete Hardware

  • Approximately 5 entries in the Qualys Vulnerability Knowledge Base

EOL/Obsolete Operating System - Dynamic - Title: EOL/Obsolete Operating System

I have often found that routinely generating this information and sharing it with your infrastructure teams, so they can use the results during release management and maintenance planning, builds the relationship between security and infrastructure teams. It also helps identify anomalies in an imaged environment.

  • Approximately 137 entries in the Qualys Vulnerability Knowledge Base


Trust, but Verify: Enumerations (new)

Assessment Information Gathered - Enumeration of the Details - Dynamic - Title: Enumerate

  • Windows XP SP2 Firewall Disable Configuration Enumerated (Preinstall / Postinstall) (Q105036)
  • Microsoft Windows Audit Settings Enumerated From LSA (Q105063)
  • CA (Computer Associates) Unicenter Asset Management Components Enumerated (Q105080)
  • TIMEOUT Parameter From /etc/default/login Is Enumerated (Q105151)
  • RETRIES Parameter From /etc/default/login Is Enumerated (Q105152)
  • SYSLOG_FAILED_LOGINS Parameter Enumerated (Q105153)
  • Microsoft Windows Default Screen Saver Policy Enumerated (Q105178)
  • Microsoft Windows Effective Permission on Shares Enumerated (Q105185)
  • Microsoft Exchange 2000/2003 Public Folder Permissions Enumerated (Q105205)
  • Administrator Group Members Enumerated (Q105231)
  • SAMR Pipe Permissions Enumerated (Q105237)
  • Group Policy Objects Processed By SecCli are Enumerated from History Log (Q105238)
  • IIS Audit - Site Information Enumerated (Q105248)
  • IIS Audit - Anonymous Access Information for Web Site Enumerated (Q105251)
  • IIS Audit - Server Level Logging Settings Enumerated (Q105264)
  • IIS Audit - Use Host Name Setting Enumerated (Q105265)
  • IIS Audit - Web Server Extensions Enumerated (Q105273)
  • IIS Audit - Web Site Information Enumerated (Q105274)
  • ActiveX Controls Enumerated (Q105276)
  • Installed Custom Software Enumerated (Q105319)
  • Microsoft Windows Permission on Shares Enumerated (Q105335)
  • Microsoft IIS Authentication Method Enumerated (Q11773)
  • Microsoft ASP.NET HTTP Handlers Enumerated (Q12033)
  • Microsoft Windows Recently Changed User Names Enumerated (Q125029)
  • Recent Local User Logons Enumerated from Target (Q125030)
  • Successful Network Logons Enumerated from Target (Q125031)
  • Microsoft SQL Server 2000 SP4 Registry Extended Stored Procedure Enumerated (Q19126)
  • Oracle Server Enumerated for Open User Accounts (Q19133)
  • Microsoft SQL Server Instances Enumerated (Q19145)
  • MSSQL - Sysadmin Membership Enumerated (Q19175)
  • MSSQL Server Serveradmin Role Members Enumerated (Q19176)
  • MSSQL Server SetupAdmin Role Members Enumerated (Q19177)
  • MSSQL SecurityAdmin Role Members Enumerated (Q19178)
  • MSSQL ProcessAdmin Role Members Enumerated (Q19179)
  • MSSQL DbCreator Role Members Enumerated (Q19180)
  • MSSQL Bulkadmin Role Members Enumerated (Q19182)
  • MSSQL DB_OWNER Role Members Enumerated (Q19183)
  • MSSQL DB_AccessAdmin Role Members Enumerated (Q19184)
  • MSSQL Db_Datareader Role Members Enumerated (Q19185)
  • MSSQL Db_DataWriter Role Membership Enumerated (Q19186)
  • MSSQL Db_DdlAdmin Role Enumerated (Q19187)
  • MSSQL Db_SecurityAdmin Role Members Enumerated (Q19188)
  • MSSQL Db_DenyDataWriter Role Members Enumerated (Q19190)
  • MSSQL Db_DenyDataWriter Role Members Enumerated (Q19191)
  • MSSQL RTblDBMprops Privileges Enumerated (Q19192)
  • MSSQL SysdtsPackages Privilege Members Enumerated (Q19193)
  • MSSQL Diskadmin Role Members Enumerated (Q19195)
  • Docker Running Container Enumerated (Q370440)
  • Windows Mobile Devices Enumerated (Q43114)
  • Disabled Accounts Enumerated From SAM Database (Q45027)
  • Accounts Enumerated From SAM Database Whose Passwords Do Not Expire (Q45031)
  • NTFS Settings Enumerated (Q45063)
  • Interface Names and Assigned IP Address Enumerated from Registry (Q45099)
  • Trusted Digital Certificates Enumerated From Windows Registry (Q45231)
  • Administrator Group Members Enumerated Using SID (Q45302)
  • Installed Applications Enumerated From Windows Installer (Q90235)
  • Real Name of Built-in Guest Account Enumerated (Q90266)

Trust, but Verify: CPE Search Lists

If you are not seeing the CPE option in the Vulnerability Management search list criteria, you may have to enable CPE reporting by navigating to Vulnerability Management > Reporting > Setup > OS CPE. Please refer to the image below for step-by-step navigation.

  • Application Detections - Dynamic - CPE: Application
    • Approximately 10k entries in the Qualys Vulnerability Knowledge Base
  • Hardware Detections - Dynamic - CPE: Hardware
    • Approximately 200 entries in the Qualys Vulnerability Knowledge Base
  • Operating System Detections - Dynamic - CPE: Operating System
    • Approximately 4k entries in the Qualys Vulnerability Knowledge Base


Trust, but Verify: Installed Software/Application Search List (new, Jul 24, 2018)

  • Microsoft Office Product Detected (Q45103)
  • Google Chrome Web Browser Detected (Q45105)
  • Installed Packages on Unix and Linux Operating Systems (Q45141)
  • Microsoft System Center Endpoint Protection (SCEP) Detected (Q45239)
  • Installed Applications Enumerated From Windows Installer (Q90235)
  • Windows Internet Explorer Version (Q90295)
  • Microsoft XML parser (MSXML) Versions Detected (Q91228)
  • Microsoft Windows Defender Installed (Q105310)
  • Microsoft Office Component Detected (Q110187)
