1.4 Project Management and Asset Management

The user provides the following information for Asset scanning:

  • IP range
  • SSH credentials (user name + password, or public key)

1.4.1 Asset Scanning

Flow:

  • Project Network setting
    Asset Agent will try to SSH into servers in the IP range with the given credentials
    Asset Agent will create an Asset entity for each new Asset
  • Asset Agent scans for supported binaries on the Asset
  • Asset Agent uploads the binaries to the SourceGuard Backend
  • An Asset must contain at least the kernel
  • SourceGuard runs Generate Report
  • The vulnerability report is viewed in SourceGuard
  • When an Asset is offline, it will be removed (together with its reports) during Refresh List

1.4.1.1 Asset Agent

SSCVIP cannot install packages or agents on Assets, or the client will lose vendor support.
So we adopted an SSH-only Asset Agent implementation.

A simple script cannot handle all Assets from different vendors; it needs to get the real shell to fetch the binaries. We researched various network-connected devices on the market so that the Asset Agent can support various firewalls, routers, VPNs, etc.

1.4.2 External Vulnerability Scanner

An External Vulnerability Scanner can be added to SourceGuard to provide a second source of vulnerability information.

External Vulnerability Scanners are pluggable, and the supported systems are installed upon SourceGuard deployment. The External Vulnerability Scanner configuration is generic so that it can adapt to different systems. The Admin user can then set default values for the config to reduce input during Project creation.

Then the External Vulnerability Scanner can be specified in Project Management.
External Vulnerability Scanner settings can also be overridden here.
See the Tenable scan template for an example.

1.4.3 Scheduled Scans

Users can set up Scheduled Scans in Project Management.
The UX is similar to alarm creation, with three repeating modes:

  • Once: scan at the specified datetime, no repeat
  • Weekly: the user selects the weekday and time
  • Monthly: the user selects the calendar day and time; the schedule will be executed the day before if the scheduled day does not exist
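
The three repeating modes above, worked through as an added example (not SourceGuard's own code) that computes the next run time for each mode. The function names are hypothetical. It assumes naive local datetimes, Python weekday numbering, and that "the day before" is applied repeatedly until a valid day is reached (day 31 runs on 28 or 29 February).

```python
import calendar
from datetime import date, datetime, time, timedelta

def next_once(at, now):
    """Once: run at the given datetime; no repeat after it has passed."""
    return at if at > now else None

def next_weekly(weekday, at, now):
    """Weekly: weekday uses Python's numbering, 0=Monday .. 6=Sunday."""
    days_ahead = (weekday - now.weekday()) % 7
    candidate = datetime.combine(now.date() + timedelta(days=days_ahead), at)
    # Same weekday but the time has already passed: wait a full week.
    return candidate if candidate > now else candidate + timedelta(days=7)

def monthly_run(year, month, day, at):
    """Run time within one month, moved earlier if the day does not exist."""
    if not 1 <= day <= 31:
        raise ValueError("calendar day must be between 1 and 31")
    last_day = calendar.monthrange(year, month)[1]
    # Assumption: step back to the nearest existing day of that month.
    return datetime.combine(date(year, month, min(day, last_day)), at)

def next_monthly(day, at, now):
    """Monthly: next run strictly after `now`."""
    candidate = monthly_run(now.year, now.month, day, at)
    if candidate <= now:
        if now.month == 12:
            year, month = now.year + 1, 1
        else:
            year, month = now.year, now.month + 1
        candidate = monthly_run(year, month, day, at)
    return candidate

if __name__ == "__main__":
    # Constructed sample: a scan scheduled for day 31 at 02:00.
    for now in (datetime(2023, 2, 1), datetime(2024, 2, 1), datetime(2023, 4, 30, 3)):
        print(now, "->", next_monthly(31, time(2, 0), now))
```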