Set Up and Run a Configuration Scan
Take the following steps to set up configuration scanning and run your first scan.
1 Define a server group to scan.
If you have not already installed Halo agents on your servers and organized them into groups along functional and architectural lines, do so now.
- Install Halo agents on a set of similar servers that you wish to monitor for configuration security. For detailed instructions, log into the Halo Portal and go to either the Install Linux Daemons page or the Install Windows Daemons page.
Choose servers that all share the same operating system and basic applications, so that the same configuration security policy (or policies) can apply to all of them. For example, all Debian/Ubuntu web servers that use Apache could be in the same server group. Likewise, all Red Hat Enterprise, CentOS, or Fedora database servers that use MySQL could be in another group. Windows servers would be in their own separate group as well.
Note: For simplicity, in your first trial you might create just one group containing only a single server.
- Use the Halo Portal UI to create a named server group. Then add this set of servers to the group. See Setting Up Server Groups in the Halo Operations Guide for detailed instructions.
2 Select and assign a configuration policy.
In the Halo Portal, go to Policies > Configuration Policies. If you have not cloned or created a policy before, the policy list on this page will be empty.
It's best to start with the core configuration policy for your servers' operating-system type. Click Policy Templates to open the Configuration Policy Templates page.
Then locate your desired policy template—such as OS Core (Debian-based Linux) v3 or OS Core (Windows 2012) BETA—and select Clone from the Action drop-down menu in that line. The cloned policy will appear as a copy on the Configuration Policies page. You may wish to rename it before assigning it to a group.
Now assign the policy to the server group that you want to scan. Go to the Halo Dashboard and select your server group from the list of groups. Below the group name, click Edit Details.
On the Edit Group Details page, select your cloned policy from the Configuration Policies drop-down list. The policy is now assigned to your server group.
Note: You can assign more than one configuration policy to a server group. For example, the discussion under Ideas and Tips for Configuration Scanning suggests that you clone and assign both core and extended OS policies, plus application-level policies where appropriate, to your production server groups.
3 Execute an automatic or manual scan.
Set up auto-scanning (optional):
You can conduct configuration scans manually or automatically. For automatic scans, decide whether and how frequently you want to conduct them. Then go to [Site Administrator menu] > Site Administration in the Halo Portal and click the Scanner Settings tab.
Under Scanner Scheduling, in the line for "Configuration Security Monitoring", select Enable Automatic Scanning, then choose a scan frequency from once per hour to once per week. Leave Execute scan on daemon start selected if you want to run an initial scan on each server as soon as it starts up.
Under Scanner Options, select or clear the Mark finding as Failed if... checkbox depending on how you want to handle indeterminate scan results. For information on when you might want to set this option, see About Indeterminate Results.
The next scheduled scan will occur in as little as one hour or as much as 24 hours later, depending on the frequency you have specified. Note that only servers in groups that have an assigned configuration policy are scanned at each automatic scan.
Select servers and run a manual scan:
For a manual scan, you can choose to scan all of your servers, or one server group, or a subset of the servers in a server group.
Click the Configs icon on the Halo Dashboard and then select All Servers or some other server group. Use the checkboxes to select all servers in the group or one or more individual servers. Then choose Launch Scan from the Actions menu to run the scan.
4 View scan results.
After a configuration scan has completed, you can view summary results of the scan by selecting the Configs icon and the name of the scanned server group on the dashboard page of the Halo Portal.
To view the details of an individual server's configuration scan results, click the number of Critical or Other issues for the desired server on the dashboard page. The server scan results page appears, showing pass-fail results for every policy rule applied during the scan.
See Inspect a Server's Current Issues and other sections of Halo Issues, Events, and Alerts: Addressing Scan Results and Security Notifications for further instructions on how to view, interpret, and act upon configuration scan results.