Deploy the InsightVM Console

Run scans to extensively probe your devices for known vulnerabilities, exploits, and policy rules. Create sites to logically group your assets for targeted scans. The Security Console uses Scan Engines to perform the actual scan job, and you can configure/distribute them in a way that is best for your environment.

Choose between several built-in Scan Templates (such as CIS policy compliance or Full audit without Web Spider) to determine which checks are performed for a particular scan. You can also tailor your own Scan Templates to quickly search for the vulnerabilities and policies that matter the most to your organization. Create scan schedules to automate your scan jobs and keep your security team informed on a regular basis.

Organize your scanned assets into dynamic or static asset groups according to a variety of traits, such as location, operating system, and owner. Use the Security Console’s tagging system to adjust risk scores and prioritize remediation for your most critical assets. Run filtered asset searches to find scanned assets based on over 40 unique parameters.

Generate reports of your scan results so your security teams know what to fix and how. Make use of our built-in report templates or leverage SQL query exports for fully customizable reports. The following example cases highlight some of our most popular report templates:

• Leverage the Top Remediation report to prioritize the remediations that lead to the greatest reduction in risk.
• If you’re a business that handles credit card transactions, use the PCI report to prepare for an upcoming PCI audit.
• Generate the Vulnerability Trends report to examine your total detected assets, vulnerabilities, and exploits over custom date ranges.

InsightVM offers far more advanced functionality than we can cover in the scope of this guide, but we can talk about those features later. For now, just keep these core features in mind as they are the tools you’ll be using day to day.

The following system requirements are necessary to ensure you have the best experience.

Memory

The integration of scan data from Scan Engines can be memory-intensive depending on how many assets are being scanned at once. For this basic deployment, your host machine must have a minimum of 16GB RAM.

Disk space

Proper disk space allocation for the database is essential. The biggest storage impact on your host machine will come from scans, reports, and database backups. Scan data alone can have varying levels of storage impact depending on your configuration, including scan frequency and whether or not you are authenticating to the target assets.

For this basic deployment, your host machine must have a minimum of 100GB of free storage space in order to accommodate your future scan data and reports. At least 1TB of free storage space is recommended for small-scale deployments.

Consider this example deployment situation: Scanning 1000 assets on a monthly basis with authentication, generating a single report, and storing the data for one year will take 76GB of storage.

Don’t underestimate your storage needs

As you prepare your deployment plan, think about how your network and security needs could change over time. Allocate free storage so you can scan additional assets, increase your scanning frequency, and create database backups. Your Security Console host should be prepared for these events! If you find yourself making a decision between two numbers, go for the larger one.

Check our System Requirements page for details. Note the supported operating systems and browsers in particular. Also, you can run the Security Console and Scan Engine on a virtualized instance of any of our supported operating systems as long as they meet the system requirements.

You can deploy using Ubuntu Linux or Windows.

Host IP address

The IP address of your host machine must be statically assigned. You will use this address to access the Security Console’s web interface.

Ports

The Security Console communicates through the following ports in order to perform the following tasks.

Opt into the Insight platform

InsightVM’s platform-only features like Dashboards and Remediation Projects require some additional connectivity in order to function properly. See our communications page for detailed platform connectivity requirements.

Several programs and services must be disabled for the Security Console to function. In general, the following services may interfere with network scanning and may also prevent checks from loading or executing:

• Anti-virus / malware detectors: If disabling your anti-virus or malware detection software is not an option, make sure that you configure the software to bypass the Rapid7 installation directory on your Security Console host (the default location for this directory on Windows is C:\Program Files\Rapid7). This ensures that InsightVM can operate without interference from this kind of software.
• Intrusion Detection Systems (IDS)
• Personal firewalls
• Executable blocking products
• SELinux

During your installation, you’ll create a default account with Global Administrator privileges. When you configure these credentials, store them in a safe place where you can reference them in the future.

Enabled by default, this option will initialize the Security Console after it’s been installed. Initialization configures the application for use and updates the vulnerability database. If you enable initialization, your installation time will increase respective to that process. Initialization time ranges from 10 to 30 minutes.

While most organizations do not require this configuration, ensure that you DO NOT initialize the console during your installation if you intend to use FIPS mode. FIPS mode must be configured before the Security Console is started for the first time.

See Enabling FIPS mode for instructions.

If you are installing both the Scan Engine and the Security Console, the automatic start option is enabled by default. If you do not want automatic initialization to occur, you must disable it. The benefit to leaving this option enabled is that you can start using the InsightVM application immediately after the installation is complete. This is because it has to initialize before the process prepares the application for use by updating the database of vulnerability checks and performing the initial configuration. Leaving this option enabled increases total installation time by 10 to 30 minutes. Although disabling the option shortens the installation time, it takes longer to start the application because it will have to initialize before you can begin to use it.

Your preferred communication direction between console and engine depends on network configuration:

• (Recommended) Engine to Console. The Scan Engine will actively inform the Security Console that it is available for communication. This configuration allows a configured console that is behind a firewall to allow inbound connections to establish a communication channel.
• Console to Engine. The Scan Engine will listen for communication from the security console. This configuration is most effective when the engine and console are on the same area of the network.

• The latest Linux installer.
• The corresponding checksum file for your installer, which helps ensure that installers are not corrupted during download.
• A product key, which is needed to activate your license upon login.
• Disable SELinux before you install the application.
• We recommend installing the tmux or screen package to provide an interactive terminal with the Security Console and Engine.
• Check the installer file to make sure it was not corrupted during the download.
• Uninstall any previously installed versions of InsightVM.

Contact your account representative if you are missing any of these items. You should have received an email containing the download links and product key if you purchased InsightVM or registered for an evaluation. We recommend adding InsightVM to your email client allowlist to ensure you are receiving all future emails regarding InsightVM.

If you intend to install the Security Console on a Linux host, you can verify whether or not SELinux is disabled, and take action to disable it if it isn't, with the following procedure:

1. Check the status of SELinux by opening its configuration file using a text editor of your choice. Enter the following command in a terminal: vi /etc/selinux/config.
2. Navigate to the line beginning with SELINUX=. If the value of this line shows enforcing, you will need to make an edit to disable SELinux.
3. To do so, modify the value of SELINUX= from enforcing to disabled: SELINUX=disabled.
4. When finished, save and close the configuration file.
5. Run the following command in your terminal to restart the Linux host so the changes can take effect: shutdown -r now

If you are using a Graphical User Interface, omit the -c switch at the end of the installer run command. You’ll use a wizard similar to the Windows version instead.

If you want to enable FIPS mode, do not select the option to initialize the application after installation. FIPS mode must be enabled before the application runs for the first time.

If you are only installing the Scan Engine, you may need to specify the Shared Secret to pair it with a Security Console. Global Administrators can generate a Shared Secret in the Administration section of the Security Console. Select Manage scan engines, click Generate next to Shared Secret, and copy and paste the Shared Secret into the Installation Wizard.

• The Windows installer.
• The corresponding checksum file for your installer, which helps ensure that installers are not corrupted during download: sha512sum for Windows download
• A product key, which is needed to activate your license upon login.
• You have administrator privileges and are logged onto Windows as an administrator.
• Your system meets the minimum installation requirements.
• You have uninstalled any previously installed copies of the application.

Contact your account representative if you are missing any of these items. You should have received an email containing the download links and product key if you purchased InsightVM or registered for an evaluation. We recommend adding InsightVM.

If you want to enable FIPS mode, do not select the option to initialize the application after installation. FIPS mode must be enabled before the application runs for the first time.

If you are only installing the Scan Engine, you may need to specify the Shared Secret to pair it with a Security Console. Global Administrators can generate a Shared Secret in the Administration section of the Security Console. Select Manage scan engines next under Scans, click Generate next to Shared Secret, and copy and paste the Shared Secret into the Installation Wizard.