As an alternative to running an assessment on a vulnerability policy, SaltStack SecOps Vulnerability supports importing security scans generated by a variety of third-party vendors.
Instead of running an assessment on a vulnerability policy, you can import a third-party security scan directly into SaltStack Config and remediate the security advisories it identified using SaltStack SecOps Vulnerability. See How do I run a vulnerability assessment for more information about running a standard assessment.
- Kenna Security
- Carbon Black
You can import a third-party from a file, from a connector, or by using the command line.
Before you can import a third-party security scan you must configure a connector. The connector must first be configured using the third-party tool's API keys.
To configure a Tenable.io connector:
|Secret Key and Access Key||Key pair required to authenticate with the connector API. For more information on generating your keys, see the Tenable.io documentation.|
|URL||Base URL for API requests. This defaults to https://cloud.tenable.com.|
|Days since||Query Tenable.io scan history beginning this number of days ago. Leave blank to query an unlimited period of time. When you use a connector to import scan results, SaltStack SecOps Vulnerability uses the most recent results per node available within this period.
Note: To ensure your policy contains the latest scan data, make sure to rerun your import after each scan. SaltStack SecOps Vulnerability does not poll Tenable.io for the latest scan data automatically.
To configure a Carbon Black connector (Windows only):
Before you can configure a Carbon Black connector, you must first set up a Windows Minion Carbon Black sensor kit environment.
- Launch a Saltstack Config environment and deploy a Windows server.
- Install the Salt minion on the Windows server. For more information see, Salt Minion Installation.
- Accept the master keys in SaltStack Config, and the minion keys from SaltStack Config or the Salt Master.
- Install the Carbon Black sensor kit on the Windows minion. For more information, see Installing Sensors on VM Workloads.
- In SaltStack SecOps, define a policy with a target group that contains the Windows minion.
- After the SaltStack Config VMan ingestion is complete, sync the SaltStack Config Carbon Black module from the Salt master by running these commands:
salt mywindowsminion saltutil.sync_modules saltenv=sse.
- On the Windows minion, set the Carbon Black device grain by running the
salt mywindowsminion carbonblack.set_device_grain.
|URL||URL for API requests|
|Token and Org Key||Key pair required to authenticate with the connector API.
Note: If you a delete a VMware Carbon Black connector, these fields are populated with 'xxxx' characters. This is to maintain the token key format of 'xxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxx'
|Verify SSL||Default is set to true.|
- Click Minions and select either All Minions or a specific minion for a policy target group.
- Click Run Command and run these commands:
- In your third-party tool, run a scan and make sure to pick a scanner that is in the same network as the nodes you want to target. Then, indicate the IP addresses you want to scan. If you are importing a third-party scan from a file, export the scan in one of the supported file formats (Nessus, XML, or CSV).
- In SaltStack Config, make sure you have downloaded SaltStack SecOps Vulnerability content.
- In the SaltStack SecOps Vulnerability workspace, create a security policy targeting the same nodes that were included in the third-party scan. Ensure the nodes you scanned in your third-party tool are also included as targets in the security policy. See How do I create a vulnerability policy for more information.
Note: After exporting your scan and creating a policy, you can import your scan by running the raas third_party_import "filepath" third_party_tool security_policy_name command. For example, raas third_party_import "/my_folder/my_tenable_scan.nessus" tenable my_security_policy. It is recommended to import your scan using the CLI if the scan file is especially large.
- In the policy dashboard, click the Policy Menu drop down arrow and select Upload Vendor Scan Data.
- Import your scan:
- If importing your scan from a file, select and select your third-party vendor. Then select the file to upload your third-party scan.
- If importing your scan from a connector, select and select the third-party. If no connectors are available, the menu directs you to the connectors settings workspace.
- On the Select supported page, select the supported advisories that you want to include as part of your file import.
- On the Select unsupported page, select the unsupported advisories that you want to include as part of your file import.
- Review unmatched advisories for advisories that do not match a host or minion. As a result they cannot be remediated through SaltStack Config.
- Click Next and review a summary of what will be imported into the policy.
- Click Finish Import to import your scan.
What to do next
You can now remediate these advisories. See How do I remediate my advisories for more information.