Arctic Wolf Agent Diagnostic Vulnerability Reports
Overview
This guide provides steps for Arctic Wolf® Agent vulnerability diagnostic scans, depending on the operating system (OS) of the device.
Arctic Wolf can enable diagnostic reports remotely for Agent vulnerability scans to provide details on how a vulnerability was found. Due to the number of vulnerability tests performed and potentially found, only the first 1,700 vulnerabilities are detailed in the remote debug report. To capture all vulnerability findings, you can perform a long form diagnostic scan directly on the device with the option to report on all vulnerabilities.
Note: You must perform at least one standard Agent scan prior to performing these steps, and the device must have 4 GB of RAM available to generate the expected output files.
To obtain additional detail about how a vulnerability was detected on a device, you can perform an Agent vulnerability debug scan and then interpret the information. The scan generates the following files:
- Raw XML output (default filename LOCALHOST.arf.xml)
- HTML Diagnostic Vulnerability long form report (default filename LOCALHOST.diagnostic.html)
- HTML Annotated report (default filename LOCALHOST.annotated.html)
Perform an Agent vulnerabilities diagnostic scan on Windows
- On the device, create a copy of the C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\oval.ini file, and rename it to oval_copy.ini.
- In a text editor, open the new oval_copy.ini file.
  Note: You may need administrator rights to open this file for editing.
- In the file, find the section starting with [Report: Target results -> JSON events]:

[Report: Target results -> JSON events]
export.dir: scans/reports/vulnerability
input.type: arf
output.extension: json
transform.file: scans/scan-utility/tools/arf_xccdf_results_to_json_events.xsl

- Copy the following content and replace the entire section that you located in the previous step.

[Report: Raw ARF report]
export.dir: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability
input.type: arf
output.extension: arf.xml

[Report: Diagnostic HTML report]
export.dir: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability
input.type: xccdf_results#failureDiag
output.extension: diagnostic.html
transform.file: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\tools\xccdf_results_to_html.xsl

[Report: Annotated HTML report]
export.dir: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability
input.type: json#annotated
output.extension: annotated.html
transform.file: C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\tools\hostscan_json_to_html.js

  Notes:
  - Always check syntax when editing the .ini file, including confirming that export.dir, input.type, output.extension, and transform.file are each on their own line.
  - To review only results that failed vulnerability scanning checks, ensure that the input.type field in the Report: Diagnostic HTML report section is set to xccdf_results#failureDiag.
  - If you would like to include all successful and failed vulnerability scanning tests, change the input.type field in the Report: Diagnostic HTML report section to xccdf_results#diagnostic. This may be significantly larger in size than using xccdf_results#failureDiag.
- Open a command prompt as an administrator.
- Run the following command from the command line, including the double quotation marks, to perform the scan:

"C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\jre\jre\bin\java.exe" -Xmx4096m -Djoval.shellcommandAdapter.enable=true -Djoval.diagnostics.maxCount=2000 -Dlicense.file="C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\rootsecure.com.sig.xml" -jar "C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\scan-utility\Scan-Utilities.jar" scan -c "C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\oval_copy.ini"

  Note: For a 64-bit OS, if you receive an insufficient memory error, change the -Xmx4096m flag value in the command to -Xmx6144m to expand the memory size from 4 GB to 6 GB. This means that the device needs 6 GB of space available.
- Wait for the scan to complete, and then look for the output files in the C:\Program Files (x86)\Arctic Wolf Networks\Agent\scans\reports\vulnerability\ folder.
  Note: To view the scan progress, you may need to press Enter in the command or terminal window during the scan.
- Upload the raw XML output, HTML Diagnostic Vulnerability long form report, and HTML Annotated report to Arctic Wolf, using the link that your Concierge Security® Team (CST) provided. If you do not have a link, contact your CST at security@arcticwolf.com.
- (Optional) Open the HTML Annotated report in a browser and click Fail in the Rule Results Summary to filter on the vulnerabilities found and view failed tests.
Note: See Risk Dashboard User Guide to interpret the report results.
Perform an Agent vulnerabilities diagnostic scan on macOS
- On the device, create a copy of the /Library/ArcticWolfNetworks/Agent/scans/oval.ini file, and rename it to oval_copy.ini.
- In a text editor, open the new oval_copy.ini file.
  Note: You may need administrator rights to open this file for editing.
- In the file, find the section starting with [Report: Target results -> JSON events]:

[Report: Target results -> JSON events]
export.dir: /Library/ArcticWolfNetworks/Agent/scans/reports/vulnerability
input.type: arf
output.extension: json
transform.file: /Library/ArcticWolfNetworks/Agent/scans/scan-utility/tools/arf_xccdf_results_to_json_events.xsl

- Copy the following content and replace the entire section that you located in the previous step.

[Report: Raw ARF report]
export.dir: /Library/ArcticWolfNetworks/Agent/scans/reports/vulnerability
input.type: arf
output.extension: arf.xml

[Report: Diagnostic HTML report]
export.dir: /Library/ArcticWolfNetworks/Agent/scans/reports/vulnerability
input.type: xccdf_results#failureDiag
output.extension: diagnostic.html
transform.file: /Library/ArcticWolfNetworks/Agent/scans/reports/vulnerability/xccdf_results_to_html.xsl

[Report: Annotated HTML report]
export.dir: /Library/ArcticWolfNetworks/Agent/scans/reports/vulnerability
input.type: json#annotated
output.extension: annotated.html
transform.file: /Library/ArcticWolfNetworks/Agent/scans/scan-utility/tools/hostscan_json_to_html.js

  Notes:
  - Always check syntax when editing the .ini file, including confirming that export.dir, input.type, output.extension, and transform.file are each on their own line.
  - To review only results that failed vulnerability scanning checks, ensure that the input.type field in the Report: Diagnostic HTML report section is set to xccdf_results#failureDiag.
  - If you would like to include all successful and failed vulnerability scanning tests, change the input.type field in the Report: Diagnostic HTML report section to xccdf_results#diagnostic. This may be significantly larger in size than using xccdf_results#failureDiag.
- Open a command prompt as an administrator.
- Run the following command from the command line to perform the scan:

/Library/ArcticWolfNetworks/Agent/scans/jre/jre/bin/java -Xmx4096m -Djoval.shellcommandAdapter.enable=true -Djoval.diagnostics.maxCount=2000 -Dlicense.file=/Library/ArcticWolfNetworks/Agent/scans/scan-utility/rootsecure.com.sig.xml -jar /Library/ArcticWolfNetworks/Agent/scans/scan-utility/Scan-Utilities.jar scan -c /Library/ArcticWolfNetworks/Agent/scans/oval_copy.ini

  Note: For a 64-bit OS, if you receive an insufficient memory error, change the -Xmx4096m flag value in the command to -Xmx6144m to expand the memory size from 4 GB to 6 GB. This means that the device needs 6 GB of space available.
- Wait for the scan to complete, and then look for the output files in the /Library/ArcticWolfNetworks/Agent/scans/reports/vulnerability/ folder.
- Upload the raw XML output, HTML Diagnostic Vulnerability long form report, and HTML Annotated report to Arctic Wolf, using the link that your Concierge Security® Team (CST) provided. If you do not have a link, contact your CST at security@arcticwolf.com.
- (Optional) Open the HTML Annotated report in a browser and click Fail in the Rule Results Summary to filter on the vulnerabilities found and view failed tests.
Note: See Risk Dashboard User Guide to interpret the report results.
Perform an Agent vulnerabilities diagnostic scan on Linux
- On the device, create a copy of the /var/arcticwolfnetworks/agent/scans/oval.ini file, and rename it to oval_copy.ini.
- In a text editor, open the new oval_copy.ini file.
  Note: You may need admin or superuser access to open this file for editing.
- In the file, find the section starting with [Report: Target results -> JSON events]:

[Report: Target results -> JSON events]
export.dir: /var/arcticwolfnetworks/agent/scans/reports/vulnerability
input.type: arf
output.extension: json
transform.file: /var/arcticwolfnetworks/agent/scans/scan-utility/tools/arf_xccdf_results_to_json_events.xsl

- Copy the following content and replace the entire section that you located in the previous step.

[Report: Raw ARF report]
export.dir: /var/arcticwolfnetworks/agent/scans/reports/vulnerability
input.type: arf
output.extension: arf.xml

[Report: Diagnostic HTML report]
export.dir: /var/arcticwolfnetworks/agent/scans/reports/vulnerability
input.type: xccdf_results#failureDiag
output.extension: diagnostic.html
transform.file: /var/arcticwolfnetworks/agent/scans/reports/vulnerability/xccdf_results_to_html.xsl

[Report: Annotated HTML report]
export.dir: /var/arcticwolfnetworks/agent/scans/reports/vulnerability
input.type: json#annotated
output.extension: annotated.html
transform.file: /var/arcticwolfnetworks/agent/scans/scan-utility/tools/hostscan_json_to_html.js

  Notes:
  - Always check syntax when editing the .ini file, including confirming that export.dir, input.type, output.extension, and transform.file are each on their own line.
  - To review only results that failed vulnerability scanning checks, ensure that the input.type field in the Report: Diagnostic HTML report section is set to xccdf_results#failureDiag.
  - If you would like to include all successful and failed vulnerability scanning tests, change the input.type field in the Report: Diagnostic HTML report section to xccdf_results#diagnostic. This may be significantly larger in size than using xccdf_results#failureDiag.
- Open a shell.
- Run the following command from the command line to run the scan as the superuser:

sudo /var/arcticwolfnetworks/agent/scans/jre/jre/bin/java -Xmx4096m -Djoval.shellcommandAdapter.enable=true -Djoval.diagnostics.maxCount=2000 -Dlicense.file=/var/arcticwolfnetworks/agent/scans/scan-utility/rootsecure.com.sig.xml -jar /var/arcticwolfnetworks/agent/scans/scan-utility/Scan-Utilities.jar scan -c /var/arcticwolfnetworks/agent/scans/oval_copy.ini

  Note: For a 64-bit OS, if you receive an insufficient memory error, change the -Xmx4096m flag value in the command to -Xmx6144m to expand the memory size from 4 GB to 6 GB. This means that the device needs 6 GB of space available.
- Wait for the scan to complete, and then look for the output files in the /var/arcticwolfnetworks/agent/scans/reports/vulnerability/ folder.
- Upload the raw XML output, HTML Diagnostic Vulnerability long form report, and HTML Annotated report to Arctic Wolf, using the link that your Concierge Security® Team (CST) provided. If you do not have a link, contact your CST at security@arcticwolf.com.
- (Optional) Open the HTML Annotated report in a browser and click Fail in the Rule Results Summary to filter on the vulnerabilities found and view failed tests.
Note: See Risk Dashboard User Guide to interpret the report results.
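The Windows, macOS and Linux procedures above are the same three edits applied to oval_copy.ini plus one java command, and the hand edit is where the notes say things go wrong (a key landing on the same line as another, a section replaced only partially). The following script is an added example, not Arctic Wolf code: it generates the replacement report sections for a chosen OS from the install roots and file names quoted in the guide, swaps them in for the [Report: Target results -> JSON events] section, runs the syntax check the notes ask for (each of export.dir, input.type, output.extension and transform.file on its own line, required keys present), and assembles the scan command with the -Xmx value as a parameter. SAMPLE_INI is a constructed stand-in for oval.ini (only the target section is taken from the guide), the "[Report: Placeholder report]" section and "key: value" line format are assumptions, and nothing about the Agent's own INI parser beyond what the guide shows is assumed.

```python
"""Added example, not Arctic Wolf's code: build oval_copy.ini for a long form diagnostic scan,
check the edited report sections, and assemble the scan command for each OS (see lead-in)."""
import re

AGENT_ROOT = {  # install roots as quoted in the guide
    "windows": r"C:\Program Files (x86)\Arctic Wolf Networks\Agent",
    "macos": "/Library/ArcticWolfNetworks/Agent",
    "linux": "/var/arcticwolfnetworks/agent",
}
TARGET_SECTION = "[Report: Target results -> JSON events]"
REPORT_KEYS = ("export.dir", "input.type", "output.extension", "transform.file")
KEY_LINE = re.compile(r"^([A-Za-z.]+):\s*(.+)$")

# Constructed stand-in for oval.ini; only the target section is taken from the guide.
SAMPLE_INI = """\
[Report: Target results -> JSON events]
export.dir: scans/reports/vulnerability
input.type: arf
output.extension: json
transform.file: scans/scan-utility/tools/arf_xccdf_results_to_json_events.xsl

[Report: Placeholder report]
export.dir: scans/reports/placeholder
input.type: arf
output.extension: txt
"""

def agent_path(os_name, *parts):
    """Join path parts under the Agent root with the OS's separator."""
    return ("\\" if os_name == "windows" else "/").join((AGENT_ROOT[os_name],) + parts)

def build_replacement(os_name, failures_only=True):
    """Render the three report sections from the guide; failures_only selects the input.type."""
    export_dir = agent_path(os_name, "scans", "reports", "vulnerability")
    # The guide lists the diagnostic XSL under scan-utility/tools on Windows only.
    diag_xsl = (("scans", "scan-utility", "tools") if os_name == "windows"
                else ("scans", "reports", "vulnerability")) + ("xccdf_results_to_html.xsl",)
    sections = (
        ("Raw ARF report", "arf", "arf.xml", None),
        ("Diagnostic HTML report",
         "xccdf_results#failureDiag" if failures_only else "xccdf_results#diagnostic",
         "diagnostic.html", agent_path(os_name, *diag_xsl)),
        ("Annotated HTML report", "json#annotated", "annotated.html",
         agent_path(os_name, "scans", "scan-utility", "tools", "hostscan_json_to_html.js")),
    )
    out = []
    for name, input_type, ext, transform in sections:  # one key per line, blank line after
        out += [f"[Report: {name}]", f"export.dir: {export_dir}", f"input.type: {input_type}",
                f"output.extension: {ext}"] + ([f"transform.file: {transform}"] if transform else []) + [""]
    return "\n".join(out)

def replace_section(ini_text, header, replacement):
    """Swap one [section] (its header through the line before the next header) for replacement."""
    lines = ini_text.splitlines()
    stripped = [l.strip() for l in lines]
    if header not in stripped:
        raise ValueError(f"section not found: {header}")
    start = stripped.index(header)
    end = next((i for i in range(start + 1, len(lines)) if stripped[i].startswith("[")), len(lines))
    return "\n".join(lines[:start] + replacement.rstrip("\n").split("\n") + [""] + lines[end:]) + "\n"

def check_report_sections(ini_text):
    """Return {section: [problems]} for every [Report: ...] section; {} means clean syntax."""
    bodies, current = {}, None
    for line in (l.strip() for l in ini_text.splitlines()):
        if line.startswith("["):
            current = bodies.setdefault(line, []) if line.startswith("[Report:") else None
        elif current is not None and line:
            current.append(line)
    problems = {}
    for name, body in bodies.items():
        seen, issues = set(), []
        for line in body:
            m = KEY_LINE.match(line)
            if not m or m.group(1) not in REPORT_KEYS:
                issues.append(f"unexpected line: {line!r}")
            elif any(f"{k}:" in m.group(2) for k in REPORT_KEYS):  # two keys run together
                issues.append(f"keys not each on their own line: {line!r}")
            else:
                seen.add(m.group(1))
        # export.dir, input.type and output.extension are required; transform.file is optional
        issues += [f"missing {k}" for k in REPORT_KEYS[:3] if k not in seen]
        if issues:
            problems[name] = issues
    return problems

def scan_command(os_name, heap_mb=4096):
    """Argument vector for the scan command in the guide (prefix it with sudo on Linux)."""
    java = agent_path(os_name, "scans", "jre", "jre", "bin", "java.exe" if os_name == "windows" else "java")
    return [java, f"-Xmx{heap_mb}m", "-Djoval.shellcommandAdapter.enable=true",
            "-Djoval.diagnostics.maxCount=2000",
            "-Dlicense.file=" + agent_path(os_name, "scans", "scan-utility", "rootsecure.com.sig.xml"),
            "-jar", agent_path(os_name, "scans", "scan-utility", "Scan-Utilities.jar"),
            "scan", "-c", agent_path(os_name, "scans", "oval_copy.ini")]

if __name__ == "__main__":  # demo on the constructed sample; read/write a real oval.ini the same way
    edited = replace_section(SAMPLE_INI, TARGET_SECTION, build_replacement("linux"))
    print(edited, check_report_sections(edited) or "report sections look fine", sep="\n")
    print(" ".join(f'"{a}"' if " " in a else a for a in scan_command("linux")))
```

To use it on a real device, read oval.ini into replace_section, write the result to oval_copy.ini only when check_report_sections returns an empty dict, and pass heap_mb=6144 to scan_command if the scan reports insufficient memory, which is the same -Xmx6144m change the note describes.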