Assess with agent-based policies
Agent-based policy is a secure configuration assessment feature in InsightVM that allows organizations to assess assets in their environments with the Insight Agent. Whether you’re implementing security best practices or adhering to a specific security compliance framework, the Insight Agent is able to collect asset information without the need for credential management or a corporate network connection. The information collected by the Insight Agent is then sent to InsightVM, once every 24 hours, for assessment.
Working with agent-based policy, at a glance
- Enable the agent-based policies and assets you want to be assessed.
- Once every 24 hours, InsightVM sends a request to the agents in your environment to collect asset configuration information.
- The agent then collects the configuration settings and information on an asset.
- The information collected is sent to InsightVM.
- InsightVM assesses that information against the policies you have enabled.
- InsightVM displays the assessment results on the agent-based policies pages, including any applied override results.
Requirements
Users must be Global Administrators
Agent-based policy assessment is currently only accessible to Global Administrators.
The Endpoint Broker must be deployed to your agent assets
The Endpoint Broker must be deployed to your agent assets before you can use the Insight Agent for policy data collection.
If your version of the Insight Agent is not set up for automatic updates and the Endpoint Broker is not already deployed, contact Rapid7 to arrange a specific time to deploy the Endpoint Broker.
When the Endpoint Broker is successfully deployed you'll see, rapid7_endpoint_broker, a new running process and sub-component of the Insight Agent on your agent assets.
You must adhere to Insight Agent supported systems
Agent-based policy assessment supports Windows, Linux, and macOS operating systems. For more information on specific versions supported by the Insight Agent, refer to Supported Operating Systems.
Windows PowerShell 5.1 required
If you're a Windows user, you must be running a minimum of Windows PowerShell 5.1 in your environment. If the minimum is not installed, you may experience incorrect assessment results.
Windows PowerShell 5.1 is installed by default on Windows Server version 2016 and higher and Windows client version 10 and higher.
Assessment limitations
At this time, a maximum of 100 agent-based policies can be enabled per organization.
Why use agent-based policies?
Agent-based policies, when run regularly against an organization’s assets, can quickly identify security misconfigurations and help to reduce the attack surface of your organization.
- Credentials are not needed for agent-based policies.
- An on-premise connection is not required for agent-based policies, which is especially beneficial for assessing remote assets.
How does it work?
Policy compliance is based on how well assets comply with the rules of each agent-based policy.
Select from a large library of pre-built configuration baselines and recommendations to monitor the assets in your environment for any compliance deviation. The asset information collected by the agent is assessed against recommendations within each benchmark. In InsightVM, these recommendations are called rules.
Example
The policy CIS Windows 10 Server Benchmark - Level 1 contains 400 rules. One of these rules requires a "password length of 14 characters" and another ensures "account lockout after 5 incorrect password attempts". Each of these rules must pass for the asset to be compliant to the policy.
After enabling an agent-based policy for your assets, InsightVM schedules the agents in your environment to collect configuration information and then assesses your assets once every 24 hours against the selected agent-based policy. The assessment results can then be viewed and adjusted in InsightVM.
Policy report data
The policy reports currently available on the console do not contain agent-based policy data because reporting for scan engine and agent-based policies are separate features.
How updates affect agent-based policies
After a third party publisher updates a policy, and those updates are applied by InsightVM, a new version of the agent-based policy is automatically added and the previous version is deprecated and flagged in the UI. This applies to both the agent-based policies that have not been enabled and those that are currently enabled for organizations. If an agent-based policy was enabled for your organization, the new version of that agent-based policy is automatically enabled to minimize any disruptions you might normally face when transitioning between versions.
Data is retained from the last agent-based policy assessment
For deprecated and manually disabled agent-based policies, data from the last assessment is only stored for 30 days and cannot be extended.
For enabled agent-based policies, the data displayed and stored is from the most recent assessment results.
Data from previous assessments cannot be recovered:
- Following a new assessment
- Beyond the 30 day period after an agent-based policy was deprecated or manually disabled
Enable an agent-based policy
Global Administrator role required
Agent-based policy assessment is currently only accessible to Global Administrators.
When you assess a policy, you are actively checking which assets in your environment align with or deviate from the rules outlined in specific configuration standards. You must select and enable each agent-based policy you want your environment to be assessed against.
- In the navigation menu, click Policies > Agent-based Policy.
- On the Agent Based Policies page, on the All Policies tab, select an agent-based policy you want to assess against.
- On the Policy Details page, click Enable to start regularly assessing your environment against the selected agent-based policy.
- When prompted, specify the assets you want to assess against the enabled agent-based policy by selecting either:
- All assets. This applies the policy to all applicable assets that have the Insight Agent installed.
- Custom scope. This allows you to select and assess specific assets that have the Insight Agent installed. You must use a query to select these assets.
- Click Enable.
Manage which assets are being assessed against a specific agent-based policy at any time by clicking Manage Assessment Scope on the Policy Details Page.
Disable an agent-based policy
- In the navigation menu, click Policies > Agent-based Policy.
- On the Agent Based Policies page, on the Enabled Policies tab, select the agent-based policy that you want to disable.
- On the Policy Details page, click Disable > Yes, disable it to stop assessing your assets against the selected agent-based policy.
- When an agent-based policy is disabled, the data from the last assessment is only retained for 30 days.
Adjust assessment results
An override can be used to manually change the assessment result of a rule to either passed, failed, or N/A. Global Administrators can approve and delete overrides.
Create an override
- Click Create Override on the Rule Details table.
- In the pop-up, select to create an override for All assets or based on either an IP Range/Netmask/Host Name. To create an override for a singular asset, see Review rule details.
- Complete the required fields.
- Click Submit and approve.
Delete an override
You may want to delete an override if the overridden status no longer applies, or if you want to create a similar override, but with different parameters.
To delete an override:
- From the Rule Details page, click on the overridden rule you want to delete.
- Click Delete on the Override details page.
View agent-based policies
You can view your compliance results in the All Policies Listing table, the Enabled Policy Listing table, Policy Details pages, and the various agent-based policy dashboard cards.
You can export agent-based policy results to CSV from the Policy Listing table, Policy Details page, and Rule Details page, and convert them to PDF through the dashboard cards.
View all policies
The All Policies Listing table displays all of the agent-based policies that you can assess within your environment. You can view a specific agent-based policy’s details by clicking on its name:
| Feature | Description |
|---|---|
| All Policies Compliance | Tracks the total percentage of rules that have successfully passed policy checks against the total number of policy rules. |
| Filter Results | Narrow results by platform, publisher, and status. You can use the publisher filter to filter by organizations that publish policy benchmarks such as DISA or CIS. Check the Include Deprecated Policies box to display all policy versions. You can use the status filter to filter by assessment data, including whether a policy is assessed. An assessed policy means that the policy has been previously evaluated against your environment. |
Review policy details
View agent-based policy rules and assessment results for your enabled agent-based policies on the Policy Details page. This is where you can find an agent-based policy’s full description, its rules, the assets it’s assessing against, and any of its override exceptions:
| Feature | Description |
|---|---|
| Rules | Each policy contains rules that assets are assessed against. You can click on a rule to view its details. When you assess a policy, you are investigating to see if the assets in your environment comply with the policy’s rules. If an asset meets the configuration standard outlined by individual rules, it is marked as pass. If an asset does not meet the configuration standard for the rule, it is marked as a failure. You can override any assessment result. |
| Assets | View compliance results and percentage of rules for each asset assessed by a policy. Rule compliance for an asset is measured by how many rules that asset has passed within a policy. |
| Overrides | View the status of rule overrides, their scope, and their expiration date. Learn more about creating and managing overrides. |
How updates affect agent-based policies
After a third party publisher updates a policy, and those updates are applied by InsightVM, a new version of the agent-based policy is automatically added and the previous version is deprecated and flagged in the UI. This applies to both the agent-based policies that have not been enabled and those that are currently enabled for organizations. If an agent-based policy was enabled for your organization, the new version of that agent-based policy is automatically enabled to minimize any disruptions you might normally face when transitioning between versions.
Data is retained from the last agent-based policy assessment
For deprecated and manually disabled agent-based policies, data from the last assessment is only stored for 30 days and cannot be extended.
For enabled agent-based policies, the data displayed and stored is from the most recent assessment results.
Data from previous assessments cannot be recovered:
- Following a new assessment
- Beyond the 30 day period after an agent-based policy was deprecated or manually disabled
Review rule details
From the Policy Details Page, you can click on an individual rule to open the Rule Details Page to examine the various details of an individual rule and all assets assessed by that rule.
Click Remediation Details to see the rule’s rationale and the remediation steps that need to be followed in order to apply the rule. Additionally, from here, you can create an override for the rule.
View enabled policies
The Enabled Policies Listing table displays the active agent-based policies that are being assessed within your environment. You can view a specific agent-based policy’s details by clicking on its name in the table.
Review policy details
View agent-based policy rules and assessment results for your enabled agent-based policies on the Policy Details page. This is where you can find an agent-based policy’s full description, its rules, the assets it’s assessing against, and any of its override exceptions:
| Feature | Description |
|---|---|
| Rules | Each policy contains rules that assets are assessed against. You can click on a rule to view its details. When you assess a policy, you are investigating to see if the assets in your environment comply with the policy’s rules. If an asset meets the configuration standard outlined by individual rules, it is marked as pass. If an asset does not meet the configuration standard for the rule, it is marked as a failure. You can override any assessment result. |
| Assets | View compliance results and percentage of rules for each asset assessed by a policy. Rule compliance for an asset is measured by how many rules that asset has passed within a policy. |
| Overrides | View the status of rule overrides, their scope, and their expiration date. Learn more about creating and managing overrides. |
How updates affect agent-based policies
After a third party publisher updates a policy, and those updates are applied by InsightVM, a new version of the agent-based policy is automatically added and the previous version is deprecated and flagged in the UI. This applies to both the agent-based policies that have not been enabled and those that are currently enabled for organizations. If an agent-based policy was enabled for your organization, the new version of that agent-based policy is automatically enabled to minimize any disruptions you might normally face when transitioning between versions.
Data is retained from the last agent-based policy assessment
For deprecated and manually disabled agent-based policies, data from the last assessment is only stored for 30 days and cannot be extended.
For enabled agent-based policies, the data displayed and stored is from the most recent assessment results.
Data from previous assessments cannot be recovered:
- Following a new assessment
- Beyond the 30 day period after an agent-based policy was deprecated or manually disabled
Review rule details
From the Policy Details Page, you can click on an individual rule to open the Rule Details Page to examine the various details of an individual rule and all assets assessed by that rule.
Click Remediation Details to see the rule’s rationale and the remediation steps that need to be followed in order to apply the rule. Additionally, from here, you can create an override for the rule.
Enabled Policies Compliance tracks the percentage of rules, across all enabled policies, that have a 100% asset compliance score. A rule only scores 100% if all the assets that have been assessed by that rule have a status of pass.
Compliance example
There are 100 total rules in policy A, 400 total rules in policy B, and 300 total rules in policy C, equaling 800 total rules. If only 80 rules have scored 100% (meaning all assets assessed by that rule passed) across the 800 total rules, then the enabled compliance percentage would be 80/800 = 10%.
Display agent-based policies in the dashboard
There are 5 agent-based policy compliance dashboard cards available to organize and display your data. You can view more detailed information for each card by clicking Expand Card.
| Dashboard card | Description |
|---|---|
| Total Assets Assessed by Policy | Displays the total number of assessed assets by agent-based policy. |
| Total Assessed Policies | Displays the count of agent-based policies with findings stored. |
| Asset Compliance by Policy | Displays asset compliance by an agent-based policy. Select which agent-based policy’s data you want to view in the dropdown. |
| Least Compliant Assets | Populates the assets with the least compliance for specific agent-based policies. Select which agent-based policy’s data you want to view in the dropdown. |
| Rule Compliance by Policy | Measures the ratio of rules that passed or failed in comparison to the total amount of rules within an agent-based policy. Select to display the percentage of rules that passed or failed. |