Last updated at Mon, 05 Jun 2023 17:52:36 GMT

Background

The Rapid7 Insight Agent and the InsightVM Scan Assistant are executables that can be deployed to help you understand the vulnerabilities in your environment. Frequently there are questions around when and where you would deploy each, whether both are needed, what they actually monitor, etc. This article will answer those questions, but first let's look at each executable in more detail.

Rapid7 Insight Agent

Notice that the name of this one starts with Rapid7. This is important, because the Insight Agent can be used for multiple tools, primarily InsightVM and InsightIDR. However, the agent does different things for each. For InsightIDR, the agent monitors process start and stop events and has log collection capabilities. For InsightVM, the Insight Agent is used for the assessment of vulnerabilities. In this article, we'll focus on using the Insight Agent for InsightVM.

The Insight Agent performs an "assessment" roughly every six hours. Notice the word "assessment" and not "scan". The Insight Agent has the permissions needed to collect information about the asset it is installed on, and it forwards that information directly to the Insight Platform. The InsightVM Security Console downloads this data from the Insight Platform and runs it against the scan template to determine which vulnerabilities the asset has. Once that is complete, the Security Console updates its own database with the results for that asset, and then, at its next communication interval with the Insight Platform, it forwards the assessment results back to the Insight Platform.

With the Insight Agent, you do not need to decide on a scan schedule, and you have no ability to launch an ad-hoc scan or a remediation scan against the asset. As noted above, assessments occur every six hours. However, not every agent is assessed on the same six-hour interval. The schedule is maintained entirely by the Insight Platform.

Another key takeaway from the communication path above: the Insight Agent does not communicate directly with the console. This makes the Insight Agent particularly beneficial for protecting your remote workforce. Given that remote assets are not on your network, you typically cannot scan them directly. So, the Insight Agent is the main option for viewing the vulnerabilities on those assets.

Recently, Rapid7 released the ability to perform policy scans with the Insight Agent. This functionality is limited to the assets the Insight Agent can be installed on (Windows, Linux, Mac), however that typically covers a large portion of the policy scanning needed. Policy scanning occurs every 24 hours.

InsightVM Documentation: Insight Agents with InsightVM

InsightVM Scan Assistant

The InsightVM Scan Assistant executable is dedicated to InsightVM only and is configured to present a certificate on port 21047. The Scan Assistant can only be used when it is reachable from a Scan Engine (distributed or local). Unlike the Insight Agent, which monitors and performs assessments on a schedule, the Scan Assistant sits dormant unless it is called by a Scan Engine through a manual or scheduled scan configured from the Security Console.

To make this work, you must first generate a certificate from InsightVM in the credential settings. Then, you need to edit any scan templates you use so that asset and service discovery additionally looks for port TCP 21047. From there, the Scan Engine will use those credentials and look for that port open on the endpoint. If the certificate presented on that port matches the certificate created in InsightVM, the scan engine will use it to authenticate to the endpoint asset. The Scan Assistant has the permissions needed to perform all local checks against the endpoint asset.
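As an added check (not Rapid7's code or part of the product), the script below lets an administrator confirm, before editing scan templates, that an endpoint actually has a listener on TCP 21047 and that the certificate it presents is the one generated in InsightVM, by comparing its SHA-256 fingerprint. It assumes the port behaves as a plain TLS listener and that you have the expected fingerprint at hand; the hostname and fingerprint format are assumptions.

```python
import hashlib
import socket
import ssl
import sys

SCAN_ASSISTANT_PORT = 21047  # port the Scan Assistant presents its certificate on

def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and return lowercase hex."""
    cleaned = "".join(ch for ch in fp if ch.isalnum()).lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned

def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def fingerprint_matches(der: bytes, expected: str) -> bool:
    """True when the presented certificate is the one InsightVM generated."""
    return der_fingerprint(der) == normalize_fingerprint(expected)

def fetch_presented_cert(host: str, port: int = SCAN_ASSISTANT_PORT,
                         timeout: float = 5.0) -> bytes:
    """Return the DER certificate presented on the port (assumed to be a plain
    TLS listener). Chain verification is off on purpose: the certificate is
    issued by InsightVM, not a public CA, so the fingerprint check is the test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_scan_assistant(host: str, expected_fp: str,
                         port: int = SCAN_ASSISTANT_PORT) -> tuple:
    """(status, detail): 'ok', 'mismatch' (wrong or stale certificate, e.g. one
    regenerated in InsightVM) or 'unreachable' (service down or port blocked)."""
    try:
        der = fetch_presented_cert(host, port)
    except (OSError, ssl.SSLError) as exc:
        return "unreachable", f"{host}:{port}: {exc}"
    seen = der_fingerprint(der)
    return ("ok" if fingerprint_matches(der, expected_fp) else "mismatch"), seen

if __name__ == "__main__":  # usage: python check_sa.py <host> <sha256 fingerprint>
    print(*check_scan_assistant(sys.argv[1], sys.argv[2]))
```

A "mismatch" after a certificate has been regenerated in InsightVM means the endpoint still carries the old one and scans will fall back to unauthenticated results.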

Using the Scan Assistant instead of regular domain credentials offers better security, because it removes the need for a domain account with elevated privileges in your environment. Additionally, the Scan Assistant has proven to be more efficient than domain credentials, performing scans faster.

InsightVM Documentation: Using the Scan Assistant

Why Use Both?

As stated above, the two executables are completely independent of each other. The Insight Agent communicates with the Insight Platform, while the Scan Assistant talks directly to the Scan Engine performing the scan. The Insight Agent's scheduled assessments are not configurable, while the Scan Assistant is completely dormant until a scan runs and relies entirely on the administrator configuring scans.

So, WHERE should each executable be installed? I recommend installing the Insight Agent on all local and remote devices, that is, every device capable of running the Insight Agent. For the Scan Assistant, only internal assets would be applicable. You could install the Scan Assistant on remote assets as well, if your policy requires users to connect to a VPN on a set schedule and you plan to scan through that VPN or office Wi-Fi. However, in most situations, the Insight Agent is the only way to assess your remote assets.

That brings us to the internal assets, where both the Insight Agent and the Scan Assistant should be installed. You may ask, "If the Insight Agent is already assessing those assets, why would I deploy another executable?" Well, let's go back to the fact that the Insight Agent performs local checks only. So, you need to scan those assets at least monthly to see network vulnerabilities. Additionally, as mentioned above, the Insight Agent cannot launch ad-hoc scans. This is where the Scan Assistant comes into play, for remediation scans specifically.

Scenario: I have an asset "abc.company.com." The Insight Agent discovers a local vulnerability on the asset at 10AM and it's only 10:30AM. I send the finding off to my system administrator to patch the vulnerability immediately. By 11AM the vulnerability is patched, and I want to verify that the vulnerability has been remediated. Without a credentialed scan, I have to wait a number of hours before the Insight Agent conducts another assessment. However, with the Scan Assistant, I can immediately launch an authenticated vulnerability scan against that asset to confirm that the vulnerability no longer exists.

Another major use case for the Scan Assistant is taking advantage of the comprehensiveness of policy scanning. Currently, the Insight Agent can assess at most 100 different policies, and it only evaluates the default values of the CIS or DISA policies.

Using the Scan Assistant with the Scan Engine, you have access to all categories of policy scanning, including CIS, DISA, FDCC, and USGCB. Additionally, you can use the Custom Policy Builder to edit the values in a typical benchmark. For example, you could change the minimum password length from 14 characters to 20 characters if your internal policy requires it.

                       InsightVM Scan Assistant              Rapid7 Insight Agent
Install endpoint       All internal assets                   All assets, internal and remote
Communication path     Scan Engine (Distributed or Local)    Insight Platform
Policy scanning        CIS, DISA, FDCC, USGCB, Custom        Limited to CIS and DISA (Custom support coming soon)
Scheduling             Determined by Administrator           Every 6 hours, handled by the Platform
Ad-hoc scans           Yes                                   No