Dashboard Toolbox - AssetView: SSL/TLS MGMT Dashboard (v1.0)

Document created by Felix Jimenez (Qualys employee) on Feb 14, 2019. Last modified by Felix Jimenez on May 31, 2019. Version 4.

This AssetView dashboard lets you manage SSL/TLS configurations and certificates proactively, using the data your Qualys Vulnerability Management scans already collect.

It gives you a quick, at-a-glance view of SSL/TLS management KPIs across the different technologies in your environment.

 

Why are SSL/TLS vulnerability and certificate management important?

Administrators carry so many responsibilities that server SSL/TLS configuration is often overlooked, and overlooked configurations produce insecure servers. These misconfigurations are a significant source of breaches and downtime at major organizations, usually because nobody holds a precise inventory of certificates, their expiration dates, their types, and the number of Certificate Authorities (CAs) issuing them. Visibility into these KPIs is critical for any organization.

 

Qualys offers CertView free of charge for all your external IPs, so organizations can assess their SSL/TLS configurations without having to become SSL experts. It also lets you quickly remediate cipher suites, protocols and key exchange parameters on the underlying endpoints. CertView identifies out-of-policy certificates with weak signatures or key lengths, and shows how many certificates were issued by CAs that have been vetted and approved per your policy versus how many are self-signed or were issued by CAs not authorized to issue certificates in your environment. Limiting the number of CAs that can issue certificates for your domains keeps the chain of trust under your control and reduces the exposure to man-in-the-middle and spoofing attacks that rely on mis-issued or untrusted certificates.

 

Recent updates in the major browsers, led by Chrome, flag sites served over plain HTTP (no certificate) as "Not Secure," which pushes anyone doing business on the Internet to deploy a certificate and serve their site over TLS. Organizations rely on SSL/TLS and certificates to protect their business, yet most have no visibility into their certificates, which leads to unplanned outages when certificates expire. When auditors report certificate and TLS related risks that need to be mitigated, remediation is hard because you do not know where those certificates are or whether the underlying TLS configuration is weak or strong. CertView not only helps prevent expired certificates from interrupting critical business functions, it also tells you how strong or weak the underlying configuration is through a simple one-letter grade. For weaker grades, CertView tells you what to change to improve the grade, and therefore the configuration and the security of the system as a whole.

 

For more information on CertView see the following two links and contact your TAM:

Qualys CertView App

CertView Training Video Series

 

Dashboard Demonstration Images:

 

* * * Requirements * * *

The following widgets require two tags to be created. Both are Asset Search rules keyed on QID 38116 (SSL Server Information Retrieval); the rule matches any host whose QID 38116 detection result contains the given text.

TAG-NAME:  TLSv1.2 PROTOCOL IS ENABLED
TAG-CODE: Copy and paste under the Asset Search rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <DETECTION>
    <QID_LIST>
      <QID>38116</QID>
    </QID_LIST>
    <RESULTS>
      <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
      <SEARCH_TERM>TLSv1.2 PROTOCOL IS ENABLED</SEARCH_TERM>
    </RESULTS>
  </DETECTION>
</TAG_CRITERIA>

TAG-NAME:  TLSv1.1 PROTOCOL IS ENABLED
TAG-CODE: Copy and paste under the Asset Search rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <DETECTION>
    <QID_LIST>
      <QID>38116</QID>
    </QID_LIST>
    <RESULTS>
      <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
      <SEARCH_TERM>TLSv1.1 PROTOCOL IS ENABLED</SEARCH_TERM>
    </RESULTS>
  </DETECTION>
</TAG_CRITERIA>
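The two tag rules above differ only in the search term, and the same pattern extends to any protocol string reported by QID 38116. The script below is an added example (not part of this page or of Qualys' own tooling): it generates the TAG_CRITERIA document for a list of protocols and emulates the CONTAINING rule against a detection result so you can check which hosts a proposed search term would actually pull into a tag. The protocol list beyond TLSv1.2/TLSv1.1 and the sample QID 38116 result text are assumptions constructed for illustration; confirm the exact result wording in a real detection from your subscription before creating tags for other protocols.

```python
"""Generate Asset Search TAG_CRITERIA for "protocol enabled" tags keyed on QID 38116
and emulate the CONTAINING match against a detection result.

Added example, not code from the page. The sample result text is constructed.
"""
import xml.etree.ElementTree as ET
from typing import List

QID_SSL_SERVER_INFO = "38116"  # SSL Server Information Retrieval (from the page)

# TLSv1.2 and TLSv1.1 are the two tags the page ships. The others are an
# assumption that older protocols follow the same "<PROTO> PROTOCOL IS ENABLED"
# wording in QID 38116 results; verify against a real detection first.
PROTOCOLS = ["TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2"]


def search_term(protocol: str) -> str:
    """Result substring the tag rule looks for, e.g. 'TLSv1.2 PROTOCOL IS ENABLED'."""
    return f"{protocol} PROTOCOL IS ENABLED"


def tag_criteria_xml(qid: str, term: str) -> str:
    """Build the TAG_CRITERIA document pasted under the Asset Search rule."""
    root = ET.Element("TAG_CRITERIA")
    detection = ET.SubElement(root, "DETECTION")
    qid_list = ET.SubElement(detection, "QID_LIST")
    ET.SubElement(qid_list, "QID").text = qid
    results = ET.SubElement(detection, "RESULTS")
    ET.SubElement(results, "SEARCH_TYPE").text = "CONTAINING"
    ET.SubElement(results, "SEARCH_TERM").text = term
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def rule_matches(result_text: str, term: str) -> bool:
    """Emulate SEARCH_TYPE CONTAINING: a plain substring test on the detection result."""
    return term in result_text


def enabled_protocols(result_text: str) -> List[str]:
    """Which of PROTOCOLS a given QID 38116 result would place into a tag."""
    return [p for p in PROTOCOLS if rule_matches(result_text, search_term(p))]


# Constructed sample of the protocol lines of a QID 38116 result (not captured
# from a real scan): TLSv1.2 and TLSv1 enabled, TLSv1.1 and SSLv3 disabled.
SAMPLE_RESULT = """NAME\tVALUE
TLSv1.2 PROTOCOL IS ENABLED
TLSv1.1 PROTOCOL IS DISABLED
TLSv1 PROTOCOL IS ENABLED
SSLv3 PROTOCOL IS DISABLED
"""

if __name__ == "__main__":
    for proto in PROTOCOLS:
        print(f"TAG-NAME: {search_term(proto)}")
        print(tag_criteria_xml(QID_SSL_SERVER_INFO, search_term(proto)))
        print()
    print("tags this host would receive:", enabled_protocols(SAMPLE_RESULT))
```

Because CONTAINING is a substring match, keep the full "PROTOCOL IS ENABLED" phrase in the term: a term of just the protocol name would also match hosts where the result reports that protocol as disabled.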

 

 

 

Example: SSL/TLS Certificate QIDs, detection results example.

 

How to import the SSL Certificates search list from the library:

 

SSL Certificates:  

A static list of QIDs for detecting SSL/TLS certificates on target hosts and calculating SSL grades.

38116  SSL Server Information Retrieval
38142  SSL Server Allows Anonymous Authentication Vulnerability
38167  SSL Certificate - Expired
38168  SSL Certificate - Future Start Date
38169  SSL Certificate - Self-Signed Certificate
38170  SSL Certificate - Subject Common Name Does Not Match Server FQDN
38171  SSL Certificate - Server Public Key Too Small
38172  SSL Certificate - Improper Usage Vulnerability
38173  SSL Certificate - Signature Verification Failed Vulnerability
38174  SSL Certificate - Will Expire Soon
38182  Webmin Static SSL Key Vulnerability
38224  OpenSSL ASN.1 Parsing Vulnerabilities
38356  OpenSSL RSA Timing Attack Vulnerability
38477  SSL Insecure Protocol Negotiation Weakness
38596  TLS Protocol Session Renegotiation Security Vulnerability
38598  Deprecated Public Key Length
38599  SSL/TLS Compression Algorithm Information Leakage Vulnerability
38600  SSL Certificate will expire within the next six months
38601  SSL/TLS use of weak RC4 cipher
38602  OpenSSL Multiple Remote Security Vulnerabilities
38603  SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
38605  SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
38608  SSL Server Diffie-Hellman Weak Encryption Vulnerability (Logjam)
38609  SSL Server default Diffie-Hellman prime information
38610  SSL/TLS Server supports TLS_FALLBACK_SCSV
42007  Debian OpenSSL Package Random Number Generator Weakness
42012  X.509 Certificate MD5 Signature Collision Vulnerability
42350  TLS Secure Renegotiation Extension Support Information
42366  SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
42430  OpenSSL Memory Leak Vulnerability (Heartbleed Bug)
45218  Authenticated Certificate Retrieval - Information
86002  SSL Certificate - Information
86137  HTTP Strict Transport Security (HSTS) Support Detected

 

 

API Guide  - Evaluate Tag: 

Asset Mgmt and Tagging v2 API

See Page:  31

* * * Re-evaluate the tags as needed, per your scan cadence * * *

Evaluate all tags that have Groovy Script or Asset Search tag rules. Run the request once for each of the two request bodies (GROOVY and ASSET_SEARCH).

API request:  **Note: use the API URL for your POD, and file.xml must be created first (see the request bodies below).**

POD 1: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

POD 2: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qg2.apps.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

POD 3: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qg3.apps.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

Avoid putting the password on the command line in scheduled jobs, since it lands in shell history and is visible in the process list; pass only `-u "USERNAME"` and let curl prompt, or keep the credentials in a `.netrc` file and use `--netrc`.

Request POST data, file.xml (or GROOVY.xml):

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleType" operator="EQUALS">GROOVY</Criteria>
  </filters>
</ServiceRequest>

Request POST data, file.xml (or ASSETSEARCH.xml):

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleType" operator="EQUALS">ASSET_SEARCH</Criteria>
  </filters>
</ServiceRequest>
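The curl commands and request bodies above can be wrapped in a small script so the re-evaluation runs on the same schedule as the scans. The following is an added example, not code from this page or from Qualys: it maps the POD number to the API host listed above, builds the ServiceRequest body for each ruleType, sends it with HTTP basic auth exactly as the curl does, and reports the responseCode from the ServiceResponse. The credentials and POD are supplied by the caller; the `X-Requested-With` header is an extra that other Qualys APIs ask for and is harmless here. Nothing leaves the machine unless `evaluate_tags()` is called.

```python
"""Re-evaluate Groovy and Asset Search tags via the Asset Management and Tagging v2 API.

Added example, not part of the page. Hosts and request bodies repeat what the page
shows; credentials/POD are caller-supplied assumptions.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# API hosts from the page's three curl examples.
POD_API_HOST = {
    1: "https://qualysapi.qualys.com",
    2: "https://qualysapi.qg2.apps.qualys.com",
    3: "https://qualysapi.qg3.apps.qualys.com",
}
EVALUATE_PATH = "/qps/rest/2.0/evaluate/am/tag"

# The two ruleType values the page evaluates, one request each.
RULE_TYPES = ("GROOVY", "ASSET_SEARCH")


def evaluate_url(pod: int) -> str:
    """Full Evaluate Tag endpoint for a POD, or ValueError for an unknown POD."""
    if pod not in POD_API_HOST:
        raise ValueError(f"unknown POD {pod}; known PODs: {sorted(POD_API_HOST)}")
    return POD_API_HOST[pod] + EVALUATE_PATH


def evaluate_request_xml(rule_type: str) -> str:
    """ServiceRequest body that filters tags by ruleType (the page's file.xml)."""
    if rule_type not in RULE_TYPES:
        raise ValueError(f"ruleType must be one of {RULE_TYPES}, got {rule_type!r}")
    root = ET.Element("ServiceRequest")
    filters = ET.SubElement(root, "filters")
    criteria = ET.SubElement(filters, "Criteria", field="ruleType", operator="EQUALS")
    criteria.text = rule_type
    return '<?xml version="1.0" encoding="UTF-8" ?>\n' + ET.tostring(root, encoding="unicode")


def parse_response_code(xml_text: str) -> str:
    """Extract responseCode from a ServiceResponse (SUCCESS when the evaluation was accepted)."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    return code if code is not None else "UNKNOWN"


def evaluate_tags(pod: int, username: str, password: str, rule_type: str,
                  timeout: int = 60) -> str:
    """POST the evaluation request for one ruleType and return the responseCode."""
    body = evaluate_request_xml(rule_type).encode("utf-8")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    request = urllib.request.Request(
        evaluate_url(pod),
        data=body,
        method="POST",
        headers={
            "Content-Type": "text/xml",
            "Authorization": f"Basic {token}",
            "X-Requested-With": "python-urllib",  # optional; other Qualys APIs require it
        },
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return parse_response_code(response.read().decode("utf-8"))


if __name__ == "__main__":
    import getpass
    import sys

    pod_number = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    user = input("Qualys username: ")
    secret = getpass.getpass("Qualys password: ")  # never on the command line
    for rt in RULE_TYPES:  # same two passes as the page's GROOVY.xml / ASSETSEARCH.xml
        print(rt, evaluate_tags(pod_number, user, secret, rt))
```

Run it as `python evaluate_tags.py 2` for POD 2; the password is read with getpass so it never appears in shell history or the process list. Anything other than SUCCESS in the responseCode should be treated as a failed evaluation and the full ServiceResponse inspected.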

 

 

How to enable trending on the widgets:

Open the desired widget in edit mode by selecting the three lines at the top right of the widget and clicking Configure Widget. Then select the Collect trend data check box.

 

Help Link:

POD - 1 - Apply Tags to Organize Your Assets

POD - 2 - Apply Tags to Organize Your Assets

POD - 3 - Apply Tags to Organize Your Assets

 

References: 

For additional Qualys documentation, use the Resources link in the Qualys Portal (Help > Resources).

 

Related community Post:

 

Additional AssetView Dashboards:

Dashboard Toolbox - Asset View: How To - Import a Dashboard json 

- - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - - - - - - - - -

Dashboard Toolbox - AssetView: Host Scan Time Management (v1.1)

Dashboard Toolbox - AssetView: SSL/TLS MGMT Dashboard (v1.0)

Dashboard Toolbox - AssetView: Performance Management (v1.0)

Dashboard Toolbox - AssetView: Scanning Activity Management (v1.0)

Dashboard Toolbox - AssetView: Open Ports Management & RTI (v1.0)

Dashboard Toolbox - AssetView: EOL/Obsolete Software & RTI MGMT (v1.0)

Dashboard Toolbox - AssetView: Windows Authentication Management (v1.2)

 

WARNING: Read Before Downloading

Dashboard and Widget JSON files are not interchangeable between application dashboards. AssetView JSON files may only be used in AssetView and Vulnerability Management JSON files may only be used in Vulnerability Management. If you make a mistake and import a JSON file from one application into the other, you must contact Qualys Support to have the error corrected in the database for your subscription. Again, there is no way to reverse this mistake within the UI, it must be done in the database.

 

Credits: fjimenez, asifkarel

This page contains information to create a Scorecard dashboard leveraging data in your Qualys Vulnerability Management subscription. This dashboard is part of the AssetView Dashboard Program. If you have any questions regarding the content, please comment below or contact Support (Technical Assistance Inquiry Form | Qualys, Inc.).

 

Dashboard Collaborators:

fjimenez

 
