Security Center 3.2 Report Templates

One of the new features of Security Center 3.2 is the availability of many report templates. These allow any Security Center user to quickly create a report for one or more of their asset groups.

Some templates are very simple (such as all of the vulnerabilities from a specific Nessus plugin family) and included for convenience. Other templates take advantage of some unique features in Security Center 3.2 and our other products such as the Log Correlation Engine (LCE) and the Passive Vulnerability Scanner (PVS).

To select the verbosity level of a report, most templates include three options being "Summary and Trend", "System Details" and "Vulnerability Details". The trend report presents a list of matching vulnerabilities, vulnerability count by asset group and other high level information. The "System Details" options adds in lists of specific networks (summary by Class C network address) and lists of IP addresses. And lastly, the "Vulnerability Details" template includes all data known about the
vulnerabilities, including the unique responses from the systems reported on.

Below is a screen shot of where Security Center 3.2 users can select the report templates:

This template interface is available after a user chooses a report title and filter.

Below is an alphabetical list of each report type and what it does. For each chapter template, the source of data (Nessus, PVS, LCE or IDS data) is noted. In addition, if there are any special prerequisites (such as having a specifically named Asset Group) they are indicated as well.

NOTE: The "Vulnerability Details" report is extremely verbose. Even for a list of 100 computers, it can produce reports hundreds of pages in length.

AIX Patch Audit (Nessus credentialed patch audits) These templates include a list of all missing AIX patches.

Apache Web Servers (All Vulnerability Sources) For asset groups named "Apache 2_2 Web Server", "Apache 2_0 Web Server" and "Apache 1_3 Web Server", any available vulnerability data is reported on. Dynamic asset templates to automatically classify systems within these assets lists are available in the Security Center.

Asset Vulnerability Summary (All Vulnerability Sources) This template creates chapters unique to the actual assets assigned to the individual creating the report. These "by asset" chapters include generic vulnerability summaries, Database issues, Compliance issues, new issues discovered in the last 30 days, open ports, browsed ports, Internet browsing devices and patches.

Browsed Ports (Passive Vulnerability Scanner) Reports separately the TCP and UDP ports that are being "browsed". A third chapter includes a list of Class C networks which browse the Internet.

Cisco Patch Audit (Nessus credentialed checks) Lists all missing IOS security patches.

Common Open Ports (Nessus and Passive Vulnerability Scanner) Lists all open TCP and UDP ports, as well as unique Class C networks with open UDP and TCP ports.

Compliance (Nessus credentialed compliance audits) Reports on all compliance configuration issues.

Database (All Vulnerability Sources) Lists all vulnerability issues actively and passively discovered.

Discovery Report (All Vulnerability Sources) This template highlights very useful information about the discovered devices on the network. Chapters include passively discovered operating system types, trends of "pingable" hosts, trend of Internet browsing hosts and lists of detected services.

Email Server and Client Issues (All Vulnerability Sources) This report highlights all things related to email delivery, client usage and server security issues. Chapters include all vulnerabilities discover on common email ports, patches missing for Outlook and Exchange, lists of hosts and network which send or receive email, and unique chapters for Nessus and PVS families related to email.

Exchange Servers (All Vulnerability Sources) For asset groups named "Exchange - W2003", "Exchange - W2K", "Exchange - W2K-SP3" and "Exchange - WinXP", any available vulnerability data is reported on. Dynamic asset templates to automatically classify systems within these assets lists
are available in the Security Center.

Hosts With Discovered Vulnerabilities in Last 'N' Days (All Vulnerability Sources) This chapter finds all vulnerabilities discovered in the last 5, 15 or 30 days and lists them out, their ports, the networks and the assets effected by them. If the PVS is in use, or daily active scans are occurring, these reports can show the most recent vulnerabilities.

HP-UX Patch Audit (Nessus credentialed checks) Lists all missing HP-UX security patches.

IDS Targeted Events (IDS Events) Summarizes yesterday's IDS activity with separate chapters for inbound, outbound and internal events, as well as separate summaries for TCP and UDP events.

IDS Targeted Ports (IDS Events) Summarizes yesterday's IDS activity with separate chapters for inbound, outbound and internal ports corresponding to IDS events, as well as separate summaries for all TCP and UDP ports with IDS event activity.

IIS Web Servers (All Vulnerability Sources) Summarizes all vulnerability data for assets pertaining to specific IIS web server type. The asset names are "IIS 6_0 Web Server", "IIS 5_1 Web Server" and "IIS 5_0 Web Server". Templates for dynamic asset rules for these asset types ship with the Security Center and make use of both active and passive discovery.

Incorrect Credentials (Nessus credentialed checks) This template summarizes output from Nessus ID #21745 which reports on issues related to incorrect SSH and Domain credentials. Separate chapter summaries are provided for unique Class C networks and hosts.

LCE Event Summary - Last 'N' Days (Log Correlation Events) This template summarizes all events recorded by the Log Correlation Engine for the past day, two days, five days and 25 days. It lists all events and has separate chapters for inbound, outbound and internal logs.

LCE Port Summary - Last 'N' Days (Log Correlation Events) This template summarizes all ports effected by events recorded by the Log Correlation Engine for the past day, two days, five days and 25 days. It lists all ports and has separate chapters for inbound, outbound and internal logs.

Linux Patch Audits (Nessus credentialed checks) This template lists all known missing security patches for Linux operating systems supported by Nessus. This includes RedHat, CentOS, and several others. Separate chapters for each OS are included.

MacOS X Patch Audit (Nessus credentialed checks) Lists all missing MacOS X security patches.

Nessus Scan Summary (Nessus scan and credentialed checks) This chapter summarizes all vulnerability data. The "Vulnerability Details" version of this template should only be used on small numbers of hosts.

Open Ports Summary (All Vulnerability Sources) This template lists all open TCP and UDP ports, as well as lists of all assets which have open ports. A last chapter includes a list of vulnerabilities which have "high" severity levels.

Outbound Internet Connections (Passive Vulnerability Scanner) This template makes extensive use of PVS ID #3 (the show connections plugin) and any targets of 0.0.0.0. The template summarizes all hosts, outbound ports, internal browsing networks and browsing hosts per day.

Passively Discovered Clients (Passive Vulnerability Scanner) The PVS identifies many different types of information about monitored networks. This template includes chapters for passively discovered operating systems, passively discovered email client types and passively discovered web client types.

PCI Level 4 and 5 Asset Summary (All Vulnerability Sources) This template lists all assets which have vulnerabilities scored as a PCI level 4 or 5 severity.

PCI Level 4 and 5 Nessus Scan Summary (Nessus scan and credentialed checks) This template lists all vulnerabilities which have scored as a PCI level 4 or 5 severity.

PCI Nessus Scan Summary (Nessus scan and credentialed checks) The PCI standard assigns vulnerability severity levels between 1 and 5 with 5 being the most severe. This template produces a report which maps all Nessus vulnerabilities into each of these severity levels.

PVS (Passive Vulnerability Scanner) The vulnerabilities and information about the systems and networks monitored by the PVS is captured in this report template. Separate chapters for browsed ports, discovered vulnerabilities, open ports and Internet browsing devices are included.

SANS Top 20 (All Vulnerability Sources) Tenable includes report templates for the vulnerabilities and recommendations published by the organization. The report template produces chapters which correspond to the topics (such as the "W2 Windows Libraries" in the SANS Top 20 2006 Q4 update) in the corresponding SANS lists.

Solaris Patch Audit (Nessus credentialed checks) Lists all missing Solaris security patches.

Vulnerability Report (All Vulnerability Sources) This template includes various chapters about discovered vulnerabilities.

Web Server and Client Issues (All Vulnerability Sources) This chapter considers all vulnerability data and network information pertaining to web security. Separate chapters are included for Nessus and PVS plugin families related to web servers and clients, vulnerabilities on port 80 and 443, and lists of systems and networks which browse the Internet on port 80 and 443.

Windows OS (All Vulnerability Sources) This template lists vulnerabilities by asset groups which have been defined by the Windows operating system type. Several dynamic asset lists are included to build asset lists named "Windows 2000", "Windows 2003" and "Windows XP". This template summarizes vulnerability data for each of these assets in separate chapters.

Windows Patch Audit (Nessus active and credentialed scan data) This template summarizes vulnerability data from the "Windows : Microsoft Bulletins", "Windows : User management" and "Windows" Nessus groups.

Windows OS and Application Audit (All Vulnerability Sources) This template summarizes all vulnerabilities by asset type for the Windows operating sytems and applications. Chapters for the "Windows 2000", "Windows 2003", "Windows XP", "IIS 6_0 Web Server", "IIS 5_1 Web Server", "IIS 5_0 Web Server", "Exchange - W2003", "Exchange - W2K", "Exchange - W2K-SP3" and "Exchange - WinXP" are included.