Risk Scan Engine User Guide

Updated Feb 20, 2024

Arctic Wolf Risk Scanner user guide

This document describes basic operating information for the Arctic Wolf Risk Scan Engine (formerly Joval) and some of its components. For more information, see the User Guide file in the zip archive of each component you license.

Permission requirements

Connection strings

The connection_string entity of your sql_object connects to a database using a list of key-value pairs, separated by semicolons. The property names are case-sensitive. These are some properties you can use:

The JDBC connection URL is built in the [prefix]:[host]:[port]/[database name] format. All key-value pairs are passed directly to the JDBC driver as connection properties, with the exception of the username and password, which are not forwarded to the driver.

Notes:

  • For Microsoft SQL — If you do not specify a username and password, SSO is used for host-based scans, and the target host's username and password are used for network and remote scans.
  • For Oracle, Microsoft SQL, and Sybase — The version entity of your sql_object must match one of the enumerated versions listed in the Supported database engines table.

Create an OpenJDK modular runtime to use for the Risk Scanner

You can run Risk Scan Engine on the full OpenJDK distribution. OpenJDK also lets you create a reduced, modular runtime tailored to a specific Java program. Although Risk Scan Engine is not built using module declarations, you can still create a modular Java runtime to use with it.

  1. Run this command to analyze the module dependencies for Joval-Utilities.jar:
    jdeps
  2. Run this command to create a suitable runtime using OpenJDK version 11 or later:
    jlink --no-header-files --no-man-pages --compress=2 --strip-debug --add-modules java.datatransfer,java.desktop,java.instrument,java.logging,java.management,java.naming,java.prefs,java.scripting,java.security.jgss,java.sql,java.xml,java.xml.crypto --output java-runtime
    A Java runtime of approximately 40 MB is produced.

Diagnostic reports allow you to explore the data and logic used to produce each result in a scan of a target device.
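The two steps above can be driven from a script that also confirms the finished runtime actually contains every module the scanner needs, which is the check you want before shipping the runtime to scan hosts. The following is an added example and not Joval or Arctic Wolf code: the jar name, the output directory and the jdeps flags used here (--print-module-deps, --ignore-missing-deps) are assumptions; the module list is the one given in step 2, and the parsing functions work on the output formats of jdeps and java --list-modules (one comma-separated line, and one name@version per line, respectively).

```python
"""Added example (not Joval/Arctic Wolf code): run jdeps + jlink and verify
the resulting runtime. Assumptions: jar path, output dir, jdeps flags."""
import shutil
import subprocess
from typing import List, Sequence, Set

# Module list from step 2 of the procedure above.
PAGE_MODULES = (
    "java.datatransfer", "java.desktop", "java.instrument", "java.logging",
    "java.management", "java.naming", "java.prefs", "java.scripting",
    "java.security.jgss", "java.sql", "java.xml", "java.xml.crypto",
)


def parse_jdeps_module_deps(output: str) -> Set[str]:
    """jdeps --print-module-deps prints one comma-separated line of module names
    (warnings may precede it), so only the last non-empty line is parsed."""
    text = output.strip()
    line = text.splitlines()[-1] if text else ""
    return {m.strip() for m in line.split(",") if m.strip()}


def jlink_argv(modules: Sequence[str], output_dir: str) -> List[str]:
    """Same options as the jlink command in step 2, with a sorted,
    de-duplicated --add-modules list."""
    return ["jlink", "--no-header-files", "--no-man-pages", "--compress=2",
            "--strip-debug", "--add-modules", ",".join(sorted(set(modules))),
            "--output", output_dir]


def parse_list_modules(output: str) -> Set[str]:
    """java --list-modules prints 'name@version' per line; keep only the name."""
    return {ln.split("@", 1)[0].strip() for ln in output.splitlines() if ln.strip()}


def missing_modules(list_modules_output: str, required: Sequence[str]) -> Set[str]:
    """Modules that were required but are absent from the built runtime."""
    return set(required) - parse_list_modules(list_modules_output)


def build_runtime(jar: str = "Joval-Utilities.jar", output_dir: str = "java-runtime") -> Set[str]:
    """Run the real tools (needs a JDK 11+ on PATH) and return the set of
    required modules missing from the result; an empty set means success."""
    if not (shutil.which("jdeps") and shutil.which("jlink")):
        raise RuntimeError("jdeps/jlink not found on PATH; install a JDK 11+")
    deps = subprocess.run(
        ["jdeps", "--print-module-deps", "--ignore-missing-deps", jar],  # assumed flags
        check=True, capture_output=True, text=True).stdout
    # Union of what jdeps found and the list the guide prescribes.
    modules = parse_jdeps_module_deps(deps) | set(PAGE_MODULES)
    subprocess.run(jlink_argv(modules, output_dir), check=True)
    listed = subprocess.run([f"{output_dir}/bin/java", "--list-modules"],
                            check=True, capture_output=True, text=True).stdout
    return missing_modules(listed, modules)


if __name__ == "__main__":
    missing = build_runtime()
    print("runtime OK" if not missing else f"missing modules: {sorted(missing)}")
```

Because jlink silently builds whatever list it is given, the --list-modules comparison is the only step that catches a module that was dropped from the --add-modules argument by a copy-and-paste error; a runtime missing java.sql, for example, would only fail later, when the scanner first touches an sql_object.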

Joval Utilities

Joval Utilities is a Java command-line program. See the User-Guide.pdf file in the Joval-Utilities.zip archive for more information.

Scan configuration files

During the Scan Configuration workflow, you can select from several report types. Depending on the available memory and CPU and on the size of the report, you may want to change which report type is generated. Arctic Wolf recommends the default Full Diagnostic HTML report. Make sure that your scan configuration files include:

[Report: FullDiagnosticHTML]
input.type: xccdf_results#diagnostic
transform.file: <path-to-joval-folder>\tools\xccdf_results_to_html.xsl
export.dir: reports
output.extension: diagnostic.html

Generate a diagnostic report from an Asset Reporting Format

If you have an Asset Reporting Format (ARF) result file from a previous scan, you can generate the diagnostic report for that ARF using the Joval Utilities Xpert mode.

Configure JDBC drivers for Joval Utilities

The Joval-Utilities.jar file does not bundle any JDBC drivers for use with the sql_object, but you can download and reference them.

  1. Download the JDBC drivers.

  2. Run this command:

    java "-Dbootstrapclasspath=<driver_filepath>/<driver_name>.jar:<target_filepath>/<driver_name>.jar" -jar Joval-Utilities.jar [mode] [args]

    Where:

    • <driver_filepath> is the JDBC driver file path.
    • <target_filepath> is the target file path.
    • <driver_name> is the driver name.
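A driver jar placed on the scanner's bootstrap class path runs with the scanner's privileges and handles the database credentials from every sql_object, so it is worth pinning each jar's SHA-256 and refusing to start the scanner if a jar does not match. The following is an added example, not Joval or Arctic Wolf code: it builds the -Dbootstrapclasspath value only from jars whose digest matches a pinned value, then assembles the command from step 2. The jar names and contents in demo() are constructed stand-ins, and the use of the platform path-list separator (':' on Linux/macOS, ';' on Windows) for the property is an assumption based on the ':' shown in the command above.

```python
"""Added example (not Joval/Arctic Wolf code): verify JDBC driver jars against
pinned SHA-256 digests before building -Dbootstrapclasspath."""
import hashlib
import os
import tempfile
from typing import Dict, List, Sequence


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large jars are not slurped."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_bootstrap_classpath(jar_paths: Sequence[str], pinned: Dict[str, str]) -> str:
    """Return the value for -Dbootstrapclasspath, or raise ValueError if a jar
    has no pinned digest or its digest does not match (fail closed)."""
    entries: List[str] = []
    for path in jar_paths:
        name = os.path.basename(path)
        if name not in pinned:
            raise ValueError(f"{name}: no pinned digest, refusing to load it")
        actual = sha256_of(path)
        if actual != pinned[name]:
            raise ValueError(f"{name}: SHA-256 {actual} does not match pinned {pinned[name]}")
        entries.append(os.path.abspath(path))
    # ASSUMPTION: the property takes the platform path-list separator.
    return os.pathsep.join(entries)


def java_command(classpath: str, mode: str, args: Sequence[str] = ()) -> List[str]:
    """argv for the command in step 2, one element per argument so the
    classpath needs no shell quoting."""
    return ["java", f"-Dbootstrapclasspath={classpath}", "-jar",
            "Joval-Utilities.jar", mode, *args]


def demo() -> Dict[str, object]:
    """Constructed scenario: two stand-in 'driver jars' are written to a temp
    directory, pinned at vetting time, verified, then one is tampered with."""
    with tempfile.TemporaryDirectory() as workdir:
        jars = []
        for name, body in (("driver-a.jar", b"PK\x03\x04 constructed stand-in for driver A"),
                           ("driver-b.jar", b"PK\x03\x04 constructed stand-in for driver B")):
            path = os.path.join(workdir, name)
            with open(path, "wb") as fh:
                fh.write(body)
            jars.append(path)
        # Vetting step: record the digests of the jars you downloaded and checked.
        pinned = {os.path.basename(p): sha256_of(p) for p in jars}
        classpath = build_bootstrap_classpath(jars, pinned)
        cmd = java_command(classpath, "scan")
        # Simulate a swapped or modified jar: a single appended byte changes the digest.
        with open(jars[0], "ab") as fh:
            fh.write(b"\x00")
        try:
            build_bootstrap_classpath(jars, pinned)
            tamper_rejected = False
        except ValueError:
            tamper_rejected = True
    return {"entries": len(classpath.split(os.pathsep)),
            "cmd": cmd, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(demo())
```

In practice the pinned dictionary lives in version control next to the scan configuration, with digests taken from the driver vendor's published checksums or from your own review of the jar; the scanner launch script calls build_bootstrap_classpath() and aborts on any ValueError rather than falling back to an unverified jar.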

Run the scan assistant

If your license includes Joval Utilities, you can use the scan assistant.

  1. Run this command to open the Configuration Assistant:
    java -jar Joval-Utilities.jar scan
  2. Select Target detail HTML report.
  3. Select Rule results with diagnostic data for all rules.

Override version list defaults

Joval Utilities lets you override the default version lists for Microsoft SQL Server and Sybase given in the Supported database engines table. These properties define the values that the sql_object/version entity may take in OVAL content for the associated engine entity value without triggering an error during processing.

Note: To configure multiple versions, use a comma-separated list with no spaces around the commas.
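The connection-string rules from the Connection strings section (semicolon-separated, case-sensitive property names, username and password withheld from the driver, SSO fallback for Microsoft SQL) and the version rules from this section (enumerated versions per engine, overridable by an unpadded comma-separated list) fit in one small validator. The following is an added example, not Joval or Arctic Wolf code: the property names (prefix, host, port, database, username, password), the engine identifiers and every version list in it are illustrative assumptions standing in for the product's own property table and Supported database engines table. It also shows the caveat that case-sensitivity implies: a miscased Password= is an ordinary property and is forwarded to the driver.

```python
"""Added example (not Joval/Arctic Wolf code): parse a sql_object connection
string and validate the sql_object version. Property names, engine names and
version lists are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


class ConnectionStringError(ValueError):
    """Raised for a malformed connection string."""


@dataclass
class Connection:
    url: str
    username: Optional[str]
    password: Optional[str]
    driver_properties: Dict[str, str] = field(default_factory=dict)
    use_sso: bool = False


URL_KEYS = ("prefix", "host", "port", "database")   # assumed names
CREDENTIAL_KEYS = ("username", "password")            # assumed names

# Engines whose version entity must match an enumerated list (per the text).
ENUMERATED_ENGINES = ("oracle", "microsoft_sql", "sybase")
# Illustrative defaults only; the real lists are in the Supported database engines table.
DEFAULT_VERSIONS: Dict[str, Tuple[str, ...]] = {
    "oracle": ("12c", "19c"),
    "microsoft_sql": ("2017", "2019"),
    "sybase": ("15.7", "16.0"),
}


def parse_connection_string(text: str) -> Dict[str, str]:
    """Split 'key=value;key=value' into a dict. Keys are case-sensitive and are
    kept exactly as written; duplicate keys and bare tokens are errors."""
    props: Dict[str, str] = {}
    for token in text.split(";"):
        token = token.strip()
        if not token:
            continue                      # tolerate a trailing ';'
        if "=" not in token:
            raise ConnectionStringError(f"not a key=value pair: {token!r}")
        key, value = token.split("=", 1)  # a value may itself contain '='
        key = key.strip()
        if key in props:
            raise ConnectionStringError(f"duplicate property: {key!r}")
        props[key] = value.strip()
    return props


def build_connection(text: str, engine: str) -> Connection:
    """Build the JDBC URL in [prefix]:[host]:[port]/[database] form and hand
    every pair except username/password to the driver as a property."""
    props = parse_connection_string(text)
    missing = [k for k in URL_KEYS if k not in props]
    if missing:
        raise ConnectionStringError(f"missing properties: {missing}")
    url = f"{props['prefix']}:{props['host']}:{props['port']}/{props['database']}"
    username = props.get("username")
    password = props.get("password")
    # Only the exact credential keys are withheld. A miscased 'Password=' is an
    # ordinary property and reaches the driver, so check driver_properties for
    # anything that looks like a secret before logging or exporting it.
    driver_props = {k: v for k, v in props.items() if k not in CREDENTIAL_KEYS}
    # Microsoft SQL: with no credentials, host-based scans fall back to SSO.
    use_sso = engine == "microsoft_sql" and username is None and password is None
    return Connection(url, username, password, driver_props, use_sso)


def parse_version_override(raw: str) -> Tuple[str, ...]:
    """Comma-separated list without padding: ' 2019' or an empty item is
    rejected at configuration time instead of silently never matching."""
    items = tuple(raw.split(","))
    for item in items:
        if not item or item != item.strip():
            raise ValueError(f"version list must be comma-separated without padding: {raw!r}")
    return items


def check_version(engine: str, version: str,
                  overrides: Optional[Dict[str, Tuple[str, ...]]] = None) -> bool:
    """Return True if version is allowed for engine; raise ValueError otherwise.
    Engines outside ENUMERATED_ENGINES accept any version string."""
    if engine not in ENUMERATED_ENGINES:
        return True
    allowed = (overrides or {}).get(engine, DEFAULT_VERSIONS[engine])
    if version not in allowed:
        raise ValueError(f"{engine} version {version!r} not in {allowed}")
    return True
```

Running build_connection() over your OVAL content before a scan surfaces two things early: connection strings that will fail at scan time (missing parts, padded version lists) and credential-looking keys that were spelled with the wrong case and would otherwise be shipped to the driver as plain properties.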

Joval SDK

Joval SDK is a Java software development kit.

Diagnostic data in Joval SDK

If your license includes Joval SDK, you can view sample code in the SCAP example of the user-guide.html file. It is similar to:

IReport report;   // populated by a completed scan (see the SCAP example in user-guide.html)
...
// Compile the XCCDF-results-to-HTML stylesheet once; it is an XSLT 2.0 transform.
File transformFile = new File("/path/to/xccdf_results_to_html.xsl");
Templates templates = XSLTools.newTemplates(transformFile, XSLTools.XSLVersion.V2);
DiagnosticReport dr = new DiagnosticReport(templates);
// VERBOSE_FILTER keeps the diagnostic details for every rule in the scan.
dr.createReport(report, IReport.VERBOSE_FILTER, new File("report.html"));

Use the IReport.VERBOSE_FILTER filter to make sure that the report includes diagnostic details for all rules in the scan rather than a reduced subset.

See also