Arctic Wolf Risk Scan Engine user guide

This document describes basic operation information for Arctic Wolf Risk Scan Engine (formerly Joval) and some of its components. For more information, see the User Guide files in the zip files for the components you license.

Note: This information only applies to Risk Scan Engine. It does not apply to any Managed Risk services. For more information about Managed Risk services, see Managed Risk.

Permission requirements

The permissions required depend on the target platform:
  • Windows — Windows administrator group permissions
    Tip:
    • Right-click cmd.exe, and then click Run as Administrator to launch a command-line console with administrator permissions.
    • When Risk Scan Engine runs as a Windows service, the built-in SYSTEM account has sufficient access for most SCAP content. If you need to query domain resources, run the service under a domain account and make sure that account is a member of the local Administrators group on the machine.
  • Unix, Linux, macOS — Superuser account or root account permissions
    Tip:

    Run either the sudo or su command to gain root access for remote scanning.

    Note:

    Arctic Wolf does not recommend using a sudoers file on Linux to restrict the commands available to Risk Scan Engine. Risk Scan Engine only reads configuration data and writes temporary files, but the commands it requires to read a configuration are the same commands that can change it, so a command-level allow list cannot separate the two.

  • Cisco — Level 14 access privileges
    Tip:

    If you require extensive access controls for all remote router sign-ins, we recommend that you collect the configuration data separately and use the offline plug-in for scanning.

  • Juniper — Risk Scan Engine does not currently support elevating privileges for a JunOS session using the enable command.
    Tip:

    If you require extensive access controls for all remote router sign-ins, we recommend that you collect the configuration data separately and use the offline plug-in for scanning.

  • Palo Alto Networks — A user account with administrator permissions
  • VMware vCenter, ESXi — A user account with administrator permissions
    Note:

    Risk Scan Engine can connect directly to vCenter or ESXi targets. If the account is SSH-enabled, Risk Scan Engine can instead scan the target as a Unix-like host, in which case the Unix, Linux, macOS guidance above applies.

Connection strings

The connection_string entity of your sql_object connects to a database using a list of key-value pairs, separated by semicolons. The property names are case-sensitive. These are some properties you can use:

  • user or userName — Sets the database username.
  • password — Sets the database password.
  • port or portNumber — Sets a non-standard port number for database connections.
  • database, databaseName, or SID — Sets the database name.
  • domain — Sets the domain, for example a Windows login domain for Microsoft SQL Server.

The JDBC connection URL is constructed using the [prefix]:[host]:[port]/[database name] format. All key-value pairs except the username and password are passed directly to the JDBC driver as connection properties. Because the property names are case-sensitive, a miscased name such as User= does not set the username; it is passed through to the driver as an ordinary property.

Note:
  • For Microsoft SQL — If you do not specify a username and password, SSO is used for host-based scans, and the target host username and password are used for network and remote scans.
  • For Oracle, Microsoft SQL, and Sybase — The version entity property of your sql_object must match one of the supported versions in the Database engine support table.
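The following is an added example, not Arctic Wolf or Joval code, that parses a connection_string according to the rules above: it splits the semicolon-separated pairs, keeps the username and password back, hands every other pair to the driver as a property, flags keys that differ from a documented name only by case (they silently do nothing), and lays the fields out in the [prefix]:[host]:[port]/[database name] template the guide states. The host argument (assumed to come from the scan target, since the guide lists no host property), the default_port argument, and the sample string are assumptions; check your JDBC driver's documentation for the exact URL syntax it expects.

```python
"""Parse a sql_object connection_string and lay out the JDBC URL the way the
guide describes. Added example, not Arctic Wolf or Joval code; the host
argument (assumed to come from the scan target) and default_port are
assumptions, and the URL template follows the guide literally."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Aliases exactly as the guide lists them: property names are case-sensitive.
USER_KEYS = ("user", "userName")
PASSWORD_KEYS = ("password",)
PORT_KEYS = ("port", "portNumber")
DATABASE_KEYS = ("database", "databaseName", "SID")
DOMAIN_KEYS = ("domain",)
KNOWN_LOWER = {k.lower() for k in USER_KEYS + PASSWORD_KEYS + PORT_KEYS + DATABASE_KEYS + DOMAIN_KEYS}


@dataclass
class ConnectionSpec:
    user: Optional[str] = None
    password: Optional[str] = None
    port: Optional[int] = None
    database: Optional[str] = None
    domain: Optional[str] = None
    # Every pair except user/password is handed to the JDBC driver unchanged.
    driver_properties: Dict[str, str] = field(default_factory=dict)
    # Keys that differ from a documented name only by case: they are passed
    # through as driver properties and silently do NOT set the field you meant.
    suspicious_keys: List[str] = field(default_factory=list)


def parse_connection_string(conn: str) -> ConnectionSpec:
    spec = ConnectionSpec()
    for pair in conn.split(";"):
        if not pair:
            continue  # tolerate a trailing semicolon
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {pair!r}")
        if key in USER_KEYS:
            spec.user = value
            continue
        if key in PASSWORD_KEYS:
            spec.password = value
            continue
        spec.driver_properties[key] = value
        if key in PORT_KEYS:
            if not value.isdigit() or not 0 < int(value) < 65536:
                raise ValueError(f"invalid port: {value!r}")
            spec.port = int(value)
        elif key in DATABASE_KEYS:
            spec.database = value
        elif key in DOMAIN_KEYS:
            spec.domain = value
        elif key.lower() in KNOWN_LOWER:
            spec.suspicious_keys.append(key)
    return spec


def build_jdbc_url(prefix: str, host: str, spec: ConnectionSpec, default_port: int) -> str:
    """[prefix]:[host]:[port]/[database name], as the guide states. Verify the
    exact URL syntax your driver expects against its own documentation."""
    if spec.database is None:
        raise ValueError("connection string sets no database, databaseName or SID")
    port = spec.port if spec.port is not None else default_port
    return f"{prefix}:{host}:{port}/{spec.database}"


def redact(conn: str) -> str:
    """Mask password values before a connection string is logged or quoted.
    Matches the key case-insensitively on purpose, so a miscased 'Password='
    is still hidden even though the engine would not treat it as a password."""
    out = []
    for pair in conn.split(";"):
        key, sep, _ = pair.partition("=")
        out.append(f"{key}=***" if sep and key.lower() == "password" else pair)
    return ";".join(out)


# Constructed sample as it might appear in an OVAL sql_object for SQL Server.
SAMPLE = "user=scanner;password=s3cret;port=1434;database=master;domain=CORP;encrypt=true"

if __name__ == "__main__":
    spec = parse_connection_string(SAMPLE)
    print(redact(SAMPLE))
    print(build_jdbc_url("jdbc:sqlserver", "db01.corp.example", spec, 1433))
    print("driver properties:", spec.driver_properties)
    print("miscased keys:", parse_connection_string("User=x;Password=y;SID=ORCL").suspicious_keys)
```

The password sits in clear text inside the OVAL content, so treat the content file with the same care as any other credential store, and use redact() (or an equivalent) before the string reaches a log or a ticket.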

Create an OpenJDK modular runtime to use for Risk Scan Engine

You can run Risk Scan Engine on a full OpenJDK distribution, but OpenJDK also lets you build a trimmed modular runtime for a specific Java program. Although Risk Scan Engine is not built with module declarations, you can still create such a runtime for it.

  1. Get the list of module dependencies for Joval-Utilities.jar:
    • For Joval-Utilities version 6.5.1 and older versions, use this fixed list:
      JAVA
      java.base,java.desktop,java.logging,java.management,java.naming,java.prefs,java.scripting,java.security.jgss,java.sql,java.xml,java.xml.crypto,jdk.crypto.ec,jdk.dynalink,jdk.unsupported
    • For Joval-Utilities version 6.5.2 and newer versions, run this command and copy the output:
      JAVA
      java -jar Joval-Utilities.jar jdeps
  2. Run this command to create a suitable runtime using OpenJDK version 11 or later:
    JAVA
    jlink --no-header-files --no-man-pages --compress=2 --strip-debug --add-modules <module_dependencies> --output java-runtime

    Where:

    • module_dependencies is the list of module dependencies from the first step.

    The resulting runtime is approximately 43 MB.
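Both steps above, scripted as an added example that is not Arctic Wolf or Joval code. It picks the fixed list or the jar's own jdeps output by version, refuses anything in that output that is not a module name before it reaches the jlink command line, runs the jlink call from step 2 as an argv list rather than through a shell, and checks the linked image with its own java --list-modules. It assumes an OpenJDK 11 or later with jlink on PATH, Joval-Utilities.jar in the working directory, and that java -jar Joval-Utilities.jar jdeps prints a comma-separated module list as step 1 implies.

```python
"""Build the trimmed OpenJDK runtime the guide describes, with jlink.
Added example, not Arctic Wolf or Joval code. Assumes an OpenJDK 11 or later
with jlink on PATH, Joval-Utilities.jar in the working directory, and that
'java -jar Joval-Utilities.jar jdeps' prints a comma-separated module list."""
import re
import shutil
import subprocess
from pathlib import Path
from typing import List, Tuple

# Fixed list the guide gives for Joval-Utilities 6.5.1 and older.
FIXED_MODULES = ("java.base,java.desktop,java.logging,java.management,java.naming,"
                 "java.prefs,java.scripting,java.security.jgss,java.sql,java.xml,"
                 "java.xml.crypto,jdk.crypto.ec,jdk.dynalink,jdk.unsupported")

# A Java module name is dot-separated identifiers; anything else (options,
# spaces, shell metacharacters) must not reach the jlink command line.
MODULE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.5.2' -> (6, 5, 2); a suffix such as '-beta' is ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def uses_jdeps(version: str) -> bool:
    """From 6.5.2 on, the jar prints its own dependency list."""
    return parse_version(version) >= (6, 5, 2)


def validate_modules(raw: str) -> List[str]:
    """Split a comma-separated list and reject anything that is not a module name."""
    mods = [m.strip() for m in raw.split(",") if m.strip()]
    bad = [m for m in mods if not MODULE_RE.match(m)]
    if bad or not mods:
        raise ValueError(f"not a module list: {bad or raw!r}")
    return mods


def module_list(version: str, jar: Path = Path("Joval-Utilities.jar")) -> List[str]:
    """Step 1 of the guide: the fixed list, or the jar's own jdeps output."""
    if uses_jdeps(version):
        raw = subprocess.run(["java", "-jar", str(jar), "jdeps"], check=True,
                             capture_output=True, text=True).stdout
    else:
        raw = FIXED_MODULES
    return validate_modules(raw)


def jlink_command(modules: List[str], output: str = "java-runtime") -> List[str]:
    """Step 2 of the guide as an argv list, so nothing is interpreted by a shell."""
    return ["jlink", "--no-header-files", "--no-man-pages", "--compress=2",
            "--strip-debug", "--add-modules", ",".join(modules), "--output", output]


def build_runtime(version: str, output: str = "java-runtime") -> Path:
    if shutil.which("jlink") is None:
        raise RuntimeError("jlink not on PATH; install a full OpenJDK 11 or later")
    mods = module_list(version)
    subprocess.run(jlink_command(mods, output), check=True)
    # Smoke test: the linked image must report every module it was built from.
    listed = subprocess.run([str(Path(output) / "bin" / "java"), "--list-modules"],
                            check=True, capture_output=True, text=True).stdout
    missing = [m for m in mods if not re.search(rf"^{re.escape(m)}(@|$)", listed, re.M)]
    if missing:
        raise RuntimeError(f"runtime lacks modules: {missing}")
    return Path(output)


if __name__ == "__main__":
    import sys
    print(build_runtime(sys.argv[1] if len(sys.argv) > 1 else "6.5.1"))
```

Run it as python build_runtime.py 6.5.2 (or any version string) from the folder that holds Joval-Utilities.jar; point Risk Scan Engine at java-runtime/bin/java afterwards.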

Joval Utilities

Joval Utilities is a Java command-line program. See the User-Guide.pdf file in the Joval-Utilities.zip folder for more information.

Scan configuration files

During the Scan Configuration workflow, you can select from several report types. Depending on available memory and CPU and on the expected report size, you can change the report type that is generated. Arctic Wolf recommends the default Full Diagnostic HTML report. Make sure that your scan configuration files include:

JAVA
[Report: FullDiagnosticHTML]
input.type: xccdf_results#diagnostic
transform.file: <path-to-joval-folder>\tools\xccdf_results_to_html.xsl
export.dir: reports
output.extension: diagnostic.html

Generate a diagnostic report from an Asset Reporting Format

If you have an Asset Reporting Format (ARF) result file from a previous scan, you can generate the diagnostic report for that ARF using the Joval Utilities Xpert mode.

  • Run this command:
    JAVA
    java -jar Joval-Utilities.jar xpert -arf <path-to-arf-result> -r result.diagnostic.html -u xccdf_results#diagnostic

Configure JDBC drivers for Joval Utilities

The Joval-Utilities.jar file does not bundle any JDBC drivers for use with the sql_object, but you can download and reference them.

  1. Download the JDBC drivers.
  2. Run this command:
    JAVA
    java "-Dbootstrapclasspath=<driver_filepath>/<driver_name>.jar:<target_filepath>/<driver_name>.jar" -jar Joval-Utilities.jar [mode] [args]

    Where:

    • driver_filepath is the path to the folder that holds the JDBC driver JAR.
    • target_filepath is the path to a second driver JAR, if you need more than one; the example separates the two JAR paths with a colon.
    • driver_name is the driver JAR file name without the .jar extension.

Run the scan assistant

If your license includes Joval Utilities, you can use the scan assistant.

  1. Run this command to open the Configuration Assistant:
    JAVA
    java -jar Joval-Utilities.jar scan
  2. Select Target detail HTML report.
  3. Select Rule results with diagnostic data for all rules.

Override version list defaults

Joval Utilities lets you override the default version lists for Microsoft SQL Server and Sybase shown in the Database engine support table. These properties define the values that the sql_object/version entity in OVAL content can use with the corresponding engine entity value without triggering an error during processing.

Note:

To configure multiple versions, use a comma-separated list with no spaces around the commas.

  • Based on your version list, do one of these actions:
    • Microsoft SQL Server version list — Run this command:
      JAVA
      java "-Djoval.sql.microsoft.versions=<version_number>" -jar Joval-Utilities.jar [mode] [args]

      Where:

      • version_number is your version number, or a comma-separated list of version numbers.
    • Sybase version list — Run this command:
      JAVA
      java "-Djoval.sql.sybase.versions=<version_number>" -jar Joval-Utilities.jar [mode] [args]

      Where:

      • version_number is your version number, or a comma-separated list of version numbers.

Joval SDK

Joval SDK is a Java software development kit.

Diagnostic data in Joval SDK

If your license includes Joval SDK, you can view sample code in the SCAP example of the user-guide.html file. It is similar to:

JAVA
import java.io.File;
import javax.xml.transform.Templates;
// IReport, XSLTools and DiagnosticReport come from the Joval SDK packages shown in user-guide.html.

IReport report;   // the scan result, obtained as shown in the SCAP example
...
// Compile the stylesheet shipped in the tools folder; XSLVersion.V2 selects XSL version 2.
File transformFile = new File("/path/to/xccdf_results_to_html.xsl");
Templates templates = XSLTools.newTemplates(transformFile, XSLTools.XSLVersion.V2);
// VERBOSE_FILTER keeps diagnostic details for every rule in the scan.
DiagnosticReport dr = new DiagnosticReport(templates);
dr.createReport(report, IReport.VERBOSE_FILTER, new File("report.html"));

Use the IReport.VERBOSE_FILTER property to make sure that you get diagnostic details for all rules in the scan.