Risk Scan Engine User Guide

Updated Aug 16, 2023

Arctic Wolf Risk Scan Engine

This document describes basic operation information for Arctic Wolf Risk Scan Engine (formerly Joval) and some of its components. For more information, see the User Guide files in the zip files for the components you license.

Risk Scan Engine permission requirements

We recommend granting the highest level of permissions to the accounts that run Risk Scan Engine. You can use more restricted accounts, but this may result in UNKNOWN and ERROR rule results if Risk Scan Engine cannot access certain information.

Windows

Risk Scan Engine requires Windows Administrators group permissions.

Tip: Right-click cmd.exe and click Run as Administrator to launch the command line console as an Administrator.

When running Risk Scan Engine as a Windows service, the built-in SYSTEM account has sufficient access for most SCAP content. If the scan needs to query domain resources, run the service under a domain account and make sure that account is a member of the local Administrators group on the scanning machine.

Unix/Linux/macOS

Risk Scan Engine requires superuser (root) permissions.

Tip: For remote scanning, Risk Scan Engine can use either the sudo or su command to gain root access.

Note: We do not recommend using a sudoers file on Linux to restrict the commands available to Risk Scan Engine. Although Risk Scan Engine only reads configuration data and writes temporary files, many of the commands it needs can both read and change configuration, so a restricted command list typically produces UNKNOWN or ERROR rule results rather than a more limited scan.
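The pre-flight check below is an added example and is not part of this guide or of Risk Scan Engine. It verifies, before a Unix/Linux/macOS scan, that the account has root access either directly or through an unrestricted sudo rule, and it flags a command-restricted sudoers entry of the kind the note above warns against. The sample `sudo -l` output and the account and host names are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the Arctic Wolf guide or of Risk Scan Engine):
# pre-flight check that the account used for a Unix/Linux/macOS scan has full
# root access, either directly or through an unrestricted sudo rule.

# sudo_grants_all TEXT
# Returns 0 if TEXT (the output of `sudo -l`) contains a rule granting ALL
# commands, e.g. "(ALL : ALL) ALL" or "(root) NOPASSWD: ALL". A rule listing
# specific commands does not count: that is the restricted sudoers setup that
# leads to UNKNOWN/ERROR results.
sudo_grants_all() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*\([^)]*\)[[:space:]]+([A-Z_]+:[[:space:]]*)*ALL[[:space:]]*$'
}

# check_scan_account
# Live check for the current account. Returns 0 when the scan can run as root.
check_scan_account() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "running as root"
        return 0
    fi
    if ! command -v sudo >/dev/null 2>&1; then
        echo "not root and sudo is not installed; use su or a root account" >&2
        return 1
    fi
    # -n: never prompt, so a rule that needs a password fails instead of hanging
    rules=$(sudo -n -l 2>/dev/null) || {
        echo "sudo -l failed (password required or no sudo rules); remote scans cannot elevate" >&2
        return 1
    }
    if sudo_grants_all "$rules"; then
        echo "sudo grants ALL commands"
        return 0
    fi
    echo "sudo rule is restricted to specific commands; expect UNKNOWN/ERROR results" >&2
    return 1
}

# Constructed sample `sudo -l` output for a service account (not a real host).
SAMPLE_FULL='User svc-scan may run the following commands on scanhost:
    (ALL : ALL) ALL'
SAMPLE_RESTRICTED='User svc-scan may run the following commands on scanhost:
    (root) NOPASSWD: /usr/bin/cat, /bin/ls'

if sudo_grants_all "$SAMPLE_FULL"; then echo "sample 1: unrestricted"; fi
if sudo_grants_all "$SAMPLE_RESTRICTED"; then echo "sample 2: unrestricted"; else echo "sample 2: restricted"; fi
check_scan_account || true
```

Run it as the account the scan will use (for remote scans, over the same SSH login the engine will use). A non-zero result from check_scan_account means the engine will either fail to elevate or return UNKNOWN/ERROR for rules it cannot read.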

Cisco

Risk Scan Engine requires Level 15 access privileges.

Tip: If you require extensive access controls for all remote router sign-ins, we recommend that you collect the configuration data separately and use the offline plug-in for scanning.

Juniper

Risk Scan Engine does not currently support elevating privileges for a JunOS session using the enable command.

Tip: If you require extensive access controls for all remote router sign-ins, we recommend that you collect the configuration data separately and use the offline plug-in for scanning.

Palo Alto Networks

Risk Scan Engine requires a user account with the Administrator role.

VMware vCenter/ESXi

Risk Scan Engine requires a user account with the Administrator role.

Risk Scan Engine can connect directly to vCenter or ESXi targets. If the account is also enabled for SSH, Risk Scan Engine can instead scan the target as a Unix-like host, in which case the Unix/Linux/macOS requirements above apply.

Connection strings

The connection_string entity of your sql_object connects to a database using a list of key-value pairs separated by semicolons. Property names are case-sensitive. These are some properties you can use:

The JDBC connection URL is constructed using this format: [prefix]:[host]:[port]/[database name]. All key-value pairs other than username and password are passed unchanged to the JDBC driver as connection properties, so any option the driver itself accepts can be set here. Because the credentials are carried in the connection_string, treat OVAL content that contains a sql_object as sensitive.

Notes:

  • For Microsoft SQL, if you do not specify a username and password, SSO will be used for host-based scans and the target host username and password will be used for network and remote scans.
  • For Oracle, Microsoft SQL, and Sybase, the version entity property of your sql_object must match one of the supported enumerated versions from the Supported database engines table.

Create an OpenJDK modular runtime to use for Risk Scan Engine

You can run Risk Scan Engine using the full OpenJDK distribution, although it is a relatively large package. OpenJDK lets you create a modular runtime containing only the modules a specific Java program needs. Risk Scan Engine is not built with module declarations of its own, but you can still create a modular Java runtime for it:

  1. Run the jdeps command against Joval-Utilities.jar to analyze its module dependencies.
  2. Run this command to create a suitable runtime using OpenJDK version 11 or later:
    jlink --no-header-files --no-man-pages --compress=2 --strip-debug --add-modules java.datatransfer,java.desktop,java.instrument,java.logging,java.management,java.naming,java.prefs,java.scripting,java.security.jgss,java.sql,java.xml,java.xml.crypto --output java-runtime
    This command produces a runtime of approximately 40MB.

Diagnostic reports allow you to explore the data and logic used to produce each result in a scan of a target device.
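The script below carries the two-step runtime procedure above through in one place. It is an added example, not part of this guide or of the Risk Scan Engine distribution. It assumes Joval-Utilities.jar is in the working directory (or is given as the first argument) and that jdeps and jlink from OpenJDK 11 or later are on PATH; it merges whatever jdeps reports with the module list from the jlink command above, because jdeps only sees static references and can miss modules reached through reflection, JNDI or scripting, then verifies that the new runtime starts.

```shell
#!/bin/sh
# Added example (not part of the Arctic Wolf guide or of Risk Scan Engine):
# builds a trimmed OpenJDK runtime for Joval-Utilities.jar by merging the
# modules jdeps reports with the baseline list from this guide, then verifies
# the result. Requires jdeps and jlink from OpenJDK 11 or later.

JAR=${1:-Joval-Utilities.jar}   # assumed location; pass another path as $1
OUT=${2:-java-runtime}

# Baseline from the guide's jlink command. jdeps only follows static references,
# so modules used via reflection, JNDI or scripting (java.naming, java.scripting,
# ...) may be absent from its output; merging keeps them in.
BASELINE_MODULES="java.datatransfer,java.desktop,java.instrument,java.logging,java.management,java.naming,java.prefs,java.scripting,java.security.jgss,java.sql,java.xml,java.xml.crypto"

# merge_modules LIST1 LIST2
# Prints the sorted, de-duplicated union of two comma-separated module lists,
# in the form --add-modules expects.
merge_modules() {
    printf '%s\n%s\n' "$1" "$2" | tr ',' '\n' | sed '/^$/d' | sort -u | paste -sd, -
}

# build_runtime JAR OUTDIR
build_runtime() {
    jar=$1; out=$2
    # --print-module-deps prints the comma-separated list jlink wants;
    # --ignore-missing-deps keeps jdeps from failing on classes (e.g. JDBC
    # drivers) that are not on the class path at analysis time. If jdeps
    # reports a multi-release jar, add --multi-release <N> to this call.
    deps=$(jdeps --print-module-deps --ignore-missing-deps "$jar") || return 1
    mods=$(merge_modules "$BASELINE_MODULES" "$deps")
    echo "modules: $mods"
    rm -rf "$out"
    jlink --no-header-files --no-man-pages --compress=2 --strip-debug \
          --add-modules "$mods" --output "$out" || return 1
    # Sanity check: the new runtime must start and list the modules it carries.
    "$out/bin/java" --list-modules
}

if [ -f "$JAR" ] && command -v jdeps >/dev/null 2>&1 && command -v jlink >/dev/null 2>&1; then
    build_runtime "$JAR" "$OUT"
else
    echo "skipping build: need $JAR plus jdeps and jlink on PATH" >&2
fi
```

After the build, run the engine with the new runtime's java binary ("$OUT/bin/java" -jar Joval-Utilities.jar ...) rather than the system java; if a scan then fails with a ClassNotFoundException or NoClassDefFoundError naming a java.* package, add that module to the list and rebuild.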

Joval Utilities

Joval Utilities is a Java command-line program. For more information, see the User-Guide.pdf file in the Joval-Utilities.zip archive.

Scan configuration files

During the Scan Configuration workflow, you can select from several report types. Depending on available memory and CPU and on the size of the report, you may want to change which report type is generated. We recommend the default Full Diagnostic HTML report. Make sure your scan configuration files include:

[Report: FullDiagnosticHTML]
input.type: xccdf_results#diagnostic
transform.file: <path-to-joval-folder>\tools\xccdf_results_to_html.xsl
export.dir: reports
output.extension: diagnostic.html

Generate a diagnostic report from an Asset Reporting Format

If you have an Asset Reporting Format (ARF) result file from a previous scan, you can generate the diagnostic report for that ARF using the Joval Utilities Xpert mode.

Configure JDBC drivers for Joval Utilities

The Joval-Utilities.jar file does not bundle any JDBC drivers for use with the sql_object, but you can download and reference them.

  1. Download the JDBC driver for each database engine you scan.
  2. Run this command, replacing the file paths as necessary (the driver JARs are supplied through the bootstrapclasspath system property, as a colon-separated list):
    java "-Dbootstrapclasspath=<driver_filepath>/<driver_name>.jar:<target_filepath>/<driver_name>.jar" -jar Joval-Utilities.jar [mode] [args]

Run the scan assistant

If your license includes Joval Utilities, you can use the scan assistant.

  1. Run this command to open the Configuration Assistant:
    java -jar Joval-Utilities.jar scan
  2. Select Target detail HTML report.
  3. Select Rule results with diagnostic data for all rules.

Override version list defaults

With Joval Utilities, you can override the default version lists for Microsoft SQL Server and Sybase noted in the Supported database engines table. These properties define the values that the sql_object/version entity in OVAL content may carry, together with the associated engine entity value, without causing an error during processing.

Note: To configure multiple version defaults, list the values with commas and without padding.

To override Microsoft SQL Server version list defaults:

To override Sybase version list defaults:

Joval SDK

Joval SDK is a Java software development kit.

Diagnostic data in Joval SDK

If your license includes Joval SDK, the SCAP example in the user-guide.html file contains sample code similar to this:

IReport report;   // the result object of a completed scan
...
// The same XSL transform that the FullDiagnosticHTML report type uses
File transformFile = new File("/path/to/xccdf_results_to_html.xsl");
Templates templates = XSLTools.newTemplates(transformFile, XSLTools.XSLVersion.V2);
DiagnosticReport dr = new DiagnosticReport(templates);
// VERBOSE_FILTER keeps the diagnostic data for every rule, not only failures
dr.createReport(report, IReport.VERBOSE_FILTER, new File("report.html"));

Use the IReport.VERBOSE_FILTER property to ensure you get diagnostic details for all rules in the scan.
