Arctic Wolf Agent Diagnostic Scans on Linux
Updated Aug 25, 2023

Run an Arctic Wolf Agent Diagnostic Scan on Linux
You can run an Agent diagnostic scan to get more details about how a vulnerability was detected on a device.
Requirement
- 4 GB of RAM available on your device to generate the expected output.
Before you begin
- Schedule a scan. The Agent does not have the scanning components pre-installed; when you schedule a scan, the necessary files download automatically.
Steps
- On the device, create a copy of the /var/arcticwolfnetworks/agent/scans/oval.ini file, and then rename it to oval_copy.ini.
- In a text editor, open the new oval_copy.ini file.
  Note: You may need admin or superuser permissions to open this file for editing.
- In the file, find the section starting with [Report: Target results -> JSON events]:
    [Report: Target results -> JSON events]
    export.dir: /var/arcticwolfnetworks/agent/scans/reports/vulnerability
    input.type: arf
    output.extension: json
    transform.file: /var/arcticwolfnetworks/agent/scans/scan-utility/tools/arf_xccdf_results_to_json_events.xsl
- Copy this content and replace the entire section that you located in the previous step:
    [Report: Raw ARF report]
    export.dir: /var/arcticwolfnetworks/agent/scans/reports/vulnerability
    input.type: arf
    output.extension: arf.xml

    [Report: Diagnostic HTML report]
    export.dir: /var/arcticwolfnetworks/agent/scans/reports/vulnerability
    input.type: xccdf_results#failureDiag
    output.extension: diagnostic.html
    transform.file: /var/arcticwolfnetworks/agent/scans/scan-utility/tools/xccdf_results_to_html.xsl

    [Report: Annotated HTML report]
    export.dir: /var/arcticwolfnetworks/agent/scans/reports/vulnerability
    input.type: json#annotated
    output.extension: annotated.html
    transform.file: /var/arcticwolfnetworks/agent/scans/scan-utility/tools/hostscan_json_to_html.js
  Notes:
  - Always check syntax when editing the .ini file, including confirming that export.dir, input.type, output.extension, and transform.file are each on their own line.
  - To review only results that failed vulnerability scanning checks, ensure that the input.type field in the Report: Diagnostic HTML report section is set to xccdf_results#failureDiag.
  - If you would like to include all successful and failed vulnerability scanning tests, change the input.type field in the Report: Diagnostic HTML report section to xccdf_results#diagnostic. The resulting report may be significantly larger than one generated with xccdf_results#failureDiag.
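The section replacement and the syntax check from the notes above, scripted as an added example (not Arctic Wolf's own tooling): it copies oval.ini to oval_copy.ini with the JSON-events section swapped for the three report sections, then verifies that every report key in a section starts its own line. The paths are the ones in this article; SRC and DST are assumed override variables so the script can be rehearsed on a copy of the file.

```shell
# Added example, not Arctic Wolf's own tooling: builds oval_copy.ini from oval.ini by swapping
# the "[Report: Target results -> JSON events]" section for the three report sections above,
# then checks that each report key sits on its own line. SRC/DST can be overridden to rehearse.
SRC="${SRC:-/var/arcticwolfnetworks/agent/scans/oval.ini}"
DST="${DST:-/var/arcticwolfnetworks/agent/scans/oval_copy.ini}"
TOOLS=/var/arcticwolfnetworks/agent/scans/scan-utility/tools
REPORTS=/var/arcticwolfnetworks/agent/scans/reports/vulnerability
# The replacement sections, one key per line as the notes require.
diag_sections() {
  cat <<EOF
[Report: Raw ARF report]
export.dir: $REPORTS
input.type: arf
output.extension: arf.xml

[Report: Diagnostic HTML report]
export.dir: $REPORTS
input.type: xccdf_results#failureDiag
output.extension: diagnostic.html
transform.file: $TOOLS/xccdf_results_to_html.xsl

[Report: Annotated HTML report]
export.dir: $REPORTS
input.type: json#annotated
output.extension: annotated.html
transform.file: $TOOLS/hostscan_json_to_html.js
EOF
}
# Copy ini file $1 to $2, replacing the JSON-events section up to the next [header].
make_copy() {
  awk -v repl="$(diag_sections)" '
    /^\[Report: Target results -> JSON events\]/ { print repl; print ""; skip = 1; next }
    /^\[/ { skip = 0 }
    !skip { print }
  ' "$1" > "$2"
}
# Exit 0 only if section $2 of file $1 holds report keys and every key starts its own
# line; a line carrying two keys is the run-together syntax error the notes warn about.
check_section() {
  awk -v sec="$2" '
    BEGIN { k = "(export\\.dir|input\\.type|output\\.extension|transform\\.file):" }
    /^\[/ { insec = ($0 == sec) }
    insec { n = gsub(k, "&"); seen += n; if (n > 1 || (n == 1 && $0 !~ ("^" k))) bad++ }
    END { exit (seen == 0 || bad) }
  ' "$1"
}
if [ "${1:-}" = "--apply" ]; then  # e.g. sudo sh make_oval_copy.sh --apply
  make_copy "$SRC" "$DST" && check_section "$DST" "[Report: Diagnostic HTML report]"
fi
```

After a successful run, oval_copy.ini is ready for the scan command in the later step; a non-zero exit from check_section means a key was run together with another on one line.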
- Open a shell.
- Run this command to start the scan as the superuser:
    sudo /var/arcticwolfnetworks/agent/scans/jre/jre/bin/java -Xmx4096m -Djoval.shellcommandAdapter.enable=true -Djoval.diagnostics.maxCount=2000 -Dlicense.file=/var/arcticwolfnetworks/agent/scans/scan-utility/rootsecure.com.sig.xml -jar /var/arcticwolfnetworks/agent/scans/scan-utility/Scan-Utilities.jar scan -c /var/arcticwolfnetworks/agent/scans/oval_copy.ini
  Note: For a 64-bit OS, if you receive an insufficient memory error, change the -Xmx4096m flag value in the command to -Xmx6144m to expand the memory size from 4 GB to 6 GB. This means that the device needs 6 GB of memory available.
- Wait for the scan to complete, and then look for the output files in the /var/arcticwolfnetworks/agent/scans/reports/vulnerability/ folder. The scan generates these files:
  - Raw XML output (default filename LOCALHOST.arf.xml)
  - HTML Diagnostic Vulnerability long form report (default filename LOCALHOST.diagnostic.html)
  - HTML Annotated report (default filename LOCALHOST.annotated.html)
- Upload the raw XML output, HTML Diagnostic Vulnerability long form report, and HTML Annotated report to Arctic Wolf, using the link that your Concierge Security® Team (CST) provided. If you do not have a link, contact your CST at security@arcticwolf.com.
- (Optional) Open the HTML Annotated report in a browser and click Fail in the Rule Results Summary to filter on the vulnerabilities found and view failed tests.
  Note: See the Risk Dashboard User Guide to interpret the report results.