Sean’s TOD – Retina “Secrets”

Today’s Tip of the Day is a collection of oldies but goodies; I thought I would touch back on a couple of Retina items as a refresher from over the years…

1. Navy CA recognizes SevCode as the Raw Risk level, not “Risk Level”. The SevCode field is not included in reports by default (see previous TOD).

2. STIG checks in Retina are unsupported, and have been since at least 2008 (“unsupported” by DISA, eEye still believes them valid).

3. Retina *reportedly* includes STIG IDs in their product, but DISA strips them out [to prevent use of Retina as a STIG tool?]. You see the field in our reports, but it is never populated (I actually saw one filled in once from a submission from a NAVAIR site… I need to get back with them…)

4. DISA directed Retina to mark ALL manual checks as CAT III! Even if they are a CAT I in the STIG (again… unsupported! Thanks ‘All Audits’). From eEye: “Since DISA requested we set manual audits to CAT III we have done so.”

5. Include Informational and CAT IV in your review, they are often mislabeled for risk.

Example: Audit ID 6798, title Verify Microsoft Windows Anonymous SID/Name Translation, Risk=Information and Sev Code=Category III. Searching the STIG titles for Verify Microsoft returns no results. Searching for the title Anonymous SID returns STIG ID 3.062 for Anonymous SID/Name Translation, a CAT I finding. The titles are similar and indicate a match, but the assigned severity categories do not agree.
See attached process document for more info.

6. Retina REMOVES references to IAVs when a new IAV is released for the same product. Problem is, older versions of the product are not associated with the new CVEs, which are the ones the IAV is now tied to.

One example of the result: an NMCI review of a new installation required that the High risk IAVs be corrected. But because the IAV numbers had been removed from the old CVEs, the NMCI reviewer did not realize these were IAVs and therefore did not require their remediation. This is evident in the attached screenshot of a Remediate report showing two CVEs associated with IAV 2008-A-0031; notice there is no IAV listed?
For more details see ‘The Superseding Problem’ in the attached training (it is old, so don’t judge too harshly).
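The two review steps above (item 5’s title match between an Informational/CAT IV Retina audit and a higher-category STIG, and item 6’s check for CVEs that have lost their IAV reference) can be scripted over an exported finding list. This is an added example, not Retina’s own tooling or a real Retina export format; the CSV fields, the STIG title table and the archived IAV mapping are constructed here, and the title match is a simple substring heuristic.

```python
import csv
import io

# Constructed sample export (assumed CSV layout, not Retina's actual file format).
# Audit 6798 is the page's example; the other rows use placeholder CVE/IAV ids.
RETINA_EXPORT = """\
AuditID,Name,Risk,SevCode,CVE,IAV
6798,Verify Microsoft Windows Anonymous SID/Name Translation,Information,Category III,,
7001,Placeholder OpenSSL Overflow (old branch),High,Category I,CVE-0000-0001,
7002,Placeholder OpenSSL Overflow (new branch),High,Category I,CVE-0000-0002,0000-A-0002
"""

# Constructed STIG title table: STIG ID -> (title, category). 3.062 is from the page.
STIG_TITLES = {
    "3.062": ("Anonymous SID/Name Translation", "CAT I"),
}

# Constructed archive of IAV associations kept from an earlier export (assumption:
# you retain old exports so a dropped IAV reference can be noticed).
ARCHIVED_IAV = {"CVE-0000-0001": "0000-A-0001"}


def parse_export(text):
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_severity_mismatches(findings, stig_titles):
    """Item 5: Informational or CAT IV audits whose title contains a CAT I/II STIG title."""
    hits = []
    for f in findings:
        if f["Risk"] != "Information" and f["SevCode"] != "Category IV":
            continue
        for stig_id, (title, cat) in stig_titles.items():
            # Substring match mirrors searching the STIG list for part of the title.
            if title.lower() in f["Name"].lower() and cat in ("CAT I", "CAT II"):
                hits.append((f["AuditID"], stig_id, cat))
    return hits


def find_dropped_iavs(findings, archived_iav):
    """Item 6: CVEs that carried an IAV in the archived export but show none now."""
    return sorted(
        (f["CVE"], archived_iav[f["CVE"]])
        for f in findings
        if f["CVE"] in archived_iav and not f["IAV"]
    )
```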

7. Well, this one is special. I will send this one out tomorrow as a separate tip, just to give it special focus. BE WARNED, reading tomorrow’s tip will reveal The Matrix…

False Negatives!!!

Retina Training – 2009.07.09

Standard Process – Retina – Correlate Findings to STIGs – 2012-01-22

OpenSSL Retina Example - 2011.01.26