Arctic Wolf Agent Vulnerability Debug Scans

User Guide

Overview

This guide provides steps for Arctic Wolf® Agent vulnerability debug scans, depending on the operating system (OS) of the device.

Arctic Wolf can enable debug reports for Agent vulnerability scans to provide details about how a vulnerability was found. Due to the number of vulnerability tests performed and potentially found, only the first 50 vulnerabilities are captured in the debug report. To capture all vulnerability findings, you can perform a debug scan directly on the device with the option to report on all vulnerabilities.

Note: You must perform at least one standard Agent scan prior to performing these steps, and the device must have 2 GB of RAM available to generate the full debug HTML file.

Performing an Agent vulnerabilities debug scan on Windows

To perform an Agent vulnerabilities debug scan on Windows:

  1. On the device, create a copy of the C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\oval.ini file, and rename it to oval_copy.ini.

  2. In a text editor, open the new oval_copy.ini file.

    Note: You may need administrator rights to open this file for editing.

  3. In the file, find the section starting with [Report: Target results -> JSON events].

  4. Copy the following content and use it to replace the entire section:

    [Report: Target detail HTML report]
    export.dir: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability
    input.type: xccdf_results#diagnostic
    output.extension: html
    transform.file: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\tools\xccdf_results_to_html.xsl

    Notes:

    • Always check the syntax after editing the .ini file, including confirming that export.dir, input.type, output.extension, and transform.file are each on their own line.
    • If the previous scan performed was a debug scan, input.type may have the value xccdf_results#failureDiag. Change this value to xccdf_results#diagnostic.

  5. Open a command prompt as an administrator.

  6. Copy this command, including the double quotation marks, into the command prompt and run it to perform the scan:

    "C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\jre\jre-11.0.1\bin\java.exe" -Xmx2048m -Djoval.shellcommandAdapter.enable=true -Dlicense.file="C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\rootsecure.com.sig.xml" -jar "C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\Scan-Utilities.jar" scan -c "C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\oval_copy.ini"

    Note: If you receive an insufficient memory error, change the -Xmx2048m flag value in the command to -Xmx4096m to expand the Java heap from 2 GB to 4 GB. This means that the device needs 4 GB of RAM available.

  7. Wait for the scan to complete, and then look for the full HTML debug report in the C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability\ folder.

  8. Open the HTML report in a browser and click on Fail in the Rule Results Summary to filter on the vulnerabilities found and view failed tests.

Performing an Agent vulnerabilities debug scan on macOS

To perform an Agent vulnerabilities debug scan on macOS:

  1. On the device, create a copy of the /Library/ArcticWolfNetworks/Agent/scans/oval.ini file, and rename it to oval_copy.ini.

  2. In a text editor, open the new oval_copy.ini file.

    Note: You may need administrator rights to open this file for editing.

  3. In the file, find the section starting with [Report: Target results -> JSON events].

  4. Copy the following content and use it to replace the entire section:

    [Report: Target detail HTML report]
    export.dir: /Library/ArcticWolfNetworks/Agent/scans/reports/vulnerability
    input.type: xccdf_results#diagnostic
    output.extension: html
    transform.file: /Library/ArcticWolfNetworks/Agent/scans/scan-utility/tools/xccdf_results_to_html.xsl

    Notes:

    • Always check the syntax after editing the .ini file, including confirming that export.dir, input.type, output.extension, and transform.file are each on their own line.
    • If the previous scan performed was a debug scan, input.type may have the value xccdf_results#failureDiag. Change this value to xccdf_results#diagnostic.

  5. Open a command prompt as an administrator.

  6. Copy this command into the command prompt and run it to perform the scan:

    /Library/ArcticWolfNetworks/Agent/scans/jre/jre-11.0.1/bin/java -Xmx2048m -Djoval.shellcommandAdapter.enable=true -Dlicense.file=/Library/ArcticWolfNetworks/Agent/scans/scan-utility/rootsecure.com.sig.xml -jar /Library/ArcticWolfNetworks/Agent/scans/scan-utility/Scan-Utilities.jar scan -c /Library/ArcticWolfNetworks/Agent/scans/oval_copy.ini

    Note: If you receive an insufficient memory error, change the -Xmx2048m flag value in the command to -Xmx4096m to expand the Java heap from 2 GB to 4 GB. This means that the device needs 4 GB of RAM available.

  7. Wait for the scan to complete, and then look for the full HTML debug report in the /Library/ArcticWolfNetworks/Agent/scans/reports/vulnerability/ folder.

  8. Open the HTML report in a browser and click on Fail in the Rule Results Summary to filter on the vulnerabilities found and view failed tests.
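The section replacement in step 4 of both the Windows and macOS procedures, together with the syntax checks from the notes, can be scripted so that the edit is repeatable and the failureDiag leftover from an earlier debug scan is caught. The following is an added example, not Arctic Wolf tooling; it assumes (as the guide's excerpt shows) that oval.ini consists of [Section] headers followed by key: value lines, and that a section ends at the next header or at end of file.

```python
"""Rewrite a copy of the Agent oval.ini for a full vulnerability debug scan.
Added example, not Arctic Wolf tooling. Assumes [Section] headers followed by
`key: value` lines, with a section ending at the next header or end of file."""
import re

JSON_SECTION = "[Report: Target results -> JSON events]"
HTML_SECTION = "[Report: Target detail HTML report]"
REQUIRED_KEYS = ("export.dir", "input.type", "output.extension", "transform.file")
# Paths taken from the guide, per platform: (export.dir, transform.file)
PATHS = {
    "windows": (r"C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability",
                r"C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\tools\xccdf_results_to_html.xsl"),
    "macos": ("/Library/ArcticWolfNetworks/Agent/scans/reports/vulnerability",
              "/Library/ArcticWolfNetworks/Agent/scans/scan-utility/tools/xccdf_results_to_html.xsl"),
}

def html_report_section(platform):
    export_dir, transform = PATHS[platform]
    return [HTML_SECTION, f"export.dir: {export_dir}", "input.type: xccdf_results#diagnostic",
            "output.extension: html", f"transform.file: {transform}"]

def rewrite_ini(text, platform):
    """Replace the JSON-events report section (or a stale HTML report section left by
    an earlier debug scan) with the HTML report section from the guide."""
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.strip() in (JSON_SECTION, HTML_SECTION)]
    if not starts:
        raise ValueError("report section not found; has a standard Agent scan been run?")
    start = starts[0]
    # The section runs until the next [header] or the end of the file (assumption)
    end = next((i for i in range(start + 1, len(lines)) if lines[i].lstrip().startswith("[")),
               len(lines))
    out = "\n".join(lines[:start] + html_report_section(platform) + lines[end:]) + "\n"
    # A previous debug scan may leave failureDiag elsewhere; the guide wants diagnostic
    return out.replace("xccdf_results#failureDiag", "xccdf_results#diagnostic")

def check_syntax(text):
    """Return problems found: each required key must be on its own line, exactly once."""
    parts = text.split(HTML_SECTION, 1)
    if len(parts) != 2:
        return [f"missing {HTML_SECTION}"]
    body = re.split(r"^[ \t]*\[", parts[1], maxsplit=1, flags=re.M)[0]
    problems = []
    for key in REQUIRED_KEYS:
        hits = re.findall(rf"^[ \t]*{re.escape(key)}[ \t]*:[ \t]*\S", body, flags=re.M)
        if len(hits) != 1:
            problems.append(f"{key} must appear exactly once on its own line (found {len(hits)})")
    return problems
```

Read oval.ini, pass its text through rewrite_ini for the platform, confirm check_syntax returns an empty list, and write the result to oval_copy.ini before running the scan command from step 6.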