This article collects frequently asked questions and answers about agent-based scanning, grouped into the following categories:
- Are there any changes required to get agent-based scanning installed and working?
No changes are required; however, you are required to enable agent-based scanning in the Alert Logic console. See the Enable Agent-Based Scanning section of the Agent-Based Scanning article.
Alert Logic does recommend addressing health remediations to get all agents in a Healthy status and confirming that agents can access our public hosted address space and/or private Alert Logic DC-specific address space. See the Agent rules documentation.
- Will Alert Logic agents with an Error status still download the scan subcomponents for agent-based scanning? Do agents have to be Healthy before installing the scan subcomponents?
Yes, an Alert Logic agent in Error state will download the scan subcomponents (state-monitor, oval, and osquery), install them, and run them. They can run independently of the issue causing the error; however, we recommend getting all agents in a Healthy state. You can use the Agent map on the Topology view to gain insight into the status of each agent. See the Agent Map section of the Agent-Based Scanning article.
- Is it possible for osquery to install on the agent, but not oval?
If either fails to download or install, the state-monitor agent will not run. The main agent will be in an Error state.
- Are there any known issues that would prevent the scan subcomponents from installing?
The most likely issue is that the host instance is out of disk space to download the new scan subcomponents. The main Alert Logic agent will show in an Error state if it cannot download due to space issues.
- How can I confirm that the scan subcomponents have been installed on the host?
You can confirm installation by checking whether the al-statemonitor[.exe].current process is running on the host. The install date/time can be determined from the creation date of al-statemonitor[.exe].current in the agent bin directory on the host.
- Will agent-based scanning work on desktops or remote workstations?
The approach to agent-based scanning involves simply adding new subcomponents (osquery and ovaldi) to the existing Alert Logic agent; there is no separate agent. The Alert Logic agent was designed to run on highly available systems like servers, rather than on a desktop or workstation. For example, if an Alert Logic agent is installed on a Windows workstation, we use a UUID as the identifier, so we should be able to have a consistent host in the asset model to publish vulnerabilities under. However, there will be significant issues on the health monitoring side; our health monitoring/alerting is not designed to handle scenarios common for desktops and workstations, which are often powered off, offline, or a closed laptop.
So, while technically possible, running the Alert Logic agent on a desktop or workstation will not be operationally or practically viable until the health monitoring issues are addressed. That effort is separate from the agent-based scanning beta and general awareness releases.
- What happens when new Alert Logic agents are deployed?
As long as agent-based scanning is enabled for the deployment, any new Alert Logic agents for the deployment will automatically download and install new scan subcomponents.
- Can agent-based scanning be disabled?
Yes, agent-based scanning can be disabled for a deployment. In the Alert Logic console, open the navigation menu and go to Configure > Deployments > the deployment you want agent-based scanning disabled on > Agent-based scanning, and select Disable agent-based scanning. Click Save and Disable to commit the change.
- What happens when agent-based scanning is disabled for a deployment?
The subcomponents will remain installed on the Alert Logic agents in the deployment, but they will be inactive, and agent-based scans will not execute. Also, the next network scan of the host will remove the agent-based scan results from the current vulnerabilities list in the Alert Logic console Exposures page, but they will remain in historic/trend reports or views.
- How does the Alert Logic agent know that updated scan subcomponents are available?
The Alert Logic agent checks in with the Config system periodically (randomized between 2.5 and 7.5 minutes). The Config system instructs the Alert Logic agent to download and install the scan subcomponents (statemonitor, osquery, ovaldi).
- How does the Alert Logic agent update the scan subcomponent executables?
Updated subcomponents are made available on the Alert Logic repository and the version is updated in the Config system. When the agent checks in with the Config system, it sees a later version and installs it. It then stops the old instance and starts a new instance.
The Config system contains the SHA (Secure Hash Algorithm) hashes for the content files. If they do not match what the agent currently has, the agent retrieves new content from Alert Logic public-hosted AWS (Amazon Web Services) address space (first choice) or private Alert Logic DC-specific address space (backup). Refer to the outbound connection requirements for the Alert Logic agent.
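The check-in and update flow described in the two answers above, as an added model (not Alert Logic's own code): the agent compares the hashes Config reports against its local content, fetches only what differs, tries the public AWS source before the private DC source, and installs nothing whose hash does not verify. Names, the manifest layout, and all sample content are constructed assumptions.

```python
import hashlib
import random
from typing import Callable, Dict, List, Optional, Tuple

Fetcher = Callable[[str], bytes]   # a source that returns a subcomponent's content

def checkin_delay_seconds(rng: Optional[random.Random] = None) -> float:
    """Randomized check-in interval the page describes: 2.5 to 7.5 minutes."""
    rng = rng or random.Random()
    return rng.uniform(2.5 * 60, 7.5 * 60)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def needs_update(local: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Names whose local content hash differs from (or is missing against) Config's."""
    return [name for name, expected in manifest.items()
            if name not in local or sha256_hex(local[name]) != expected]

def fetch_verified(name: str, expected: str, sources: List[Fetcher]) -> Optional[bytes]:
    """Try sources in order (public AWS space first, private DC space as backup);
    accept content only when its SHA-256 matches the manifest hash."""
    for fetch in sources:
        try:
            data = fetch(name)
        except ConnectionError:
            continue                        # unreachable: fall back to the next source
        if sha256_hex(data) == expected:
            return data                     # verified; a mismatch is never installed
    return None

def run_checkin(local: Dict[str, bytes], manifest: Dict[str, str],
                sources: List[Fetcher]) -> Tuple[Dict[str, bytes], List[str], List[str]]:
    """One check-in: returns (updated local content, installed names, failed names)."""
    updated, installed, failed = dict(local), [], []
    for name in needs_update(local, manifest):
        data = fetch_verified(name, manifest[name], sources)
        if data is None:
            failed.append(name)             # nothing verifiable: agent stays in Error
        else:
            updated[name] = data            # old instance stopped, new one started
            installed.append(name)
    return updated, installed, failed

# Constructed sample data (hypothetical content, not real Alert Logic files or hashes).
SAMPLE_CONTENT = {"statemonitor": b"sm-v2", "osquery": b"osq-v5", "ovaldi": b"oval-v3"}
MANIFEST = {name: sha256_hex(data) for name, data in SAMPLE_CONTENT.items()}
LOCAL = {"statemonitor": b"sm-v2", "osquery": b"osq-v4"}   # osquery stale, ovaldi absent

def aws_source(name: str) -> bytes:         # hypothetical: public AWS space blocked
    raise ConnectionError("public AWS address space unreachable in this sample")

def dc_source(name: str) -> bytes:          # hypothetical: private DC space reachable
    return SAMPLE_CONTENT[name]
```

Running `run_checkin(LOCAL, MANIFEST, [aws_source, dc_source])` installs osquery and ovaldi via the backup source; swapping in a source that serves content with a non-matching hash leaves both uninstalled.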
- How often will the scan subcomponents or content be updated?
It depends on new or improved features being added or defects being resolved. It can happen at any time. Executable updates are released regularly but normally only for new installs. Existing installs typically get remote updates when manually triggered to fix problems or roll out critical features. Content updates are triggered whenever new scan content is released.
- What is the additional overhead/footprint on the host after the new scan subcomponents are installed?
Resources are only consumed during scan execution on the host (under 1 minute for osquery and under 3 minutes for ovaldi):
- Windows: 50 MB ovaldi, 70 MB osquery
- Linux: 90 MB ovaldi, 30 MB osquery
The scan subcomponent processes run at Below Normal priority, so all other host processes are scheduled ahead of them; the agent yields the CPU to other host processes.
Installed footprint:
- Executables (100 MB total): 15 MB statemonitor, 40 MB ovaldi, 80 MB osquery
- Content: less than 2 MB
- Are unauthenticated network scans or credential scans still available?
Unauthenticated network scans are still available and are required to trigger the consolidation process of merging network scan results with the latest host scan results. The consolidated vulnerabilities are posted to the asset model for consumption on the Alert Logic console Exposures page and in vulnerability reports.
Authenticated or credentialed scans are still available but will only run for hosts that do not have the scan subcomponents installed. By default, hosts with the scan subcomponents will suppress the credentialed scans, since the host scan will run instead.
- Does agent-based scanning on Windows remove the need to enable Windows port access (RPC/WMI, SMB/CIFS, and NetBIOS) and the remote WMI configs required for Windows authenticated network scanning?
If Alert Logic agents are installed on all hosts that are scanned, there is no longer a need to enable that access and configuration, since the host scans will suppress the authenticated scans from running against those hosts.
However, Windows port access and remote WMI configs will still be required for scanning any nodes or hosts without the Alert Logic agent.
- Will the agent-based scan or host scan run based on the existing scan schedule?
The first host scan execution will occur within 12 hours after the installation of the scan subcomponents on the host. Subsequent host scan executions will be based on the scan windows defined in Internal Scan schedules, to ensure the unauthenticated network scan and host scan execute in the same window.
- If the Scan Window is set to Scan Anytime, host scan execution will occur twice per day (every 12 hours); after the network scan runs and completes for the host, the network results are merged with the latest host scan results.
- If the Scan Window is set to a specific start and end time, the host scan will execute at the start of the window, the network scan runs and completes for the host later in the scan window, and then the results of both scans are consolidated.
- Does a customer need to change the configuration or open ports for agent-based scanning?
No new rules need to be configured by the customer. The agent first tries to connect directly to Ingest in the AWS IP address space. If that is blocked, it falls back to the Alert Logic control channel that all customers are required to open.
- Will the scan be executed on the host if it is excluded from internal network scanning?
The host scan will still be executed based on the frequency, but the scan results will not get consolidated or appear in the Alert Logic console Exposures page or reports since the host is excluded from internal network scanning.
Vulnerability Consolidation and Consumption
- Are host scan results available immediately after the scan is completed?
Only consolidated vulnerability results are posted and presented in the Alert Logic console and within reports. Host scan results will become available only after they can be combined or consolidated with a completed internal network scan.
- Are there any changes to the Exposures page of the Alert Logic console?
Additional categories have been added to provide visibility into which assessment method was used to detect a vulnerability. You can now filter on the following category values on the Exposures page:
- Category = "Security, Agent" for agent-based scans
- Category = "Security, Credentials" for authenticated network scan
- Category = "Security, Network" for unauthenticated network scan
- Category = "Security, External" for external network scan (non-PCI)
- Category = "Security, Cloud Configuration" for Cloud/CIS compliance checks
The same category filters will also be available in vulnerability reports.