Scan Template Best Practices
A scan template is a predefined set of scan attributes that you can select quickly rather than manually define properties, such as target assets, services, and vulnerabilities. We recommend setting up a Best Practice scan template in the Security Console.
To create or view scan templates, on the Administration page, click Scans > Templates.
Creating the Best Practice scan template
Default templates cannot be directly modified; however, you can copy them, which makes the copies editable for your business use cases.
We recommend copying the Full Audit without Web Spider template by clicking the copy icon next to that scan template.
When naming your custom template, we recommend that the name start with an exclamation mark (!), followed by your company initials (example: !R7 - Full Audit). This makes the template show up first in the list and makes subsequent scans easier to set up.
At the top of this template, there are three different types of checks:
Asset Discovery
This type of check is required for all scan templates, because it runs the initial Nmap process that finds the assets within the site range, fingerprints the OS, and finds open ports.
This can be combined with the option, Use Credentials, to perform authenticated discovery scans, which provides stronger OS fingerprints and the ability to better understand what’s running on your target assets. This setting only applies to the Asset Discovery check type because the Vulnerability check type will always try to authenticate to the target host.
If Asset Discovery is the only option selected then these scans do not count against your license. For more information on how licensing works, see Live Licensing.
Vulnerabilities
Combined with Asset Discovery, these checks should be used in a best practice scan template. Vulnerability checks take the asset, port and service fingerprints gathered during Asset Discovery and port scanning, apply any applicable credentials or banner grabs, and perform vulnerability assessments against those assets.
This option counts against your total licensed assets.
Policies
These checks are used to scan your assets to see how they stack up against different hardening guidelines, such as CIS or DISA STIGs. InsightVM has a fully featured policy assessment capability, and policy assessment is part of the defense-in-depth process of securing your environment.
Scanning credentials with administrative/root privileges are required. We recommend enabling policy checks in a dedicated scan template that does not also select the Vulnerabilities option, and setting up OS-based scan templates that target specific operating systems.
It is generally recommended to pursue policy scanning once your vulnerability management program is established and automated, as policy can be very complex and hard to justify in the early stages of your deployment. For easier policy scanning, you can use the agent-based policy scans.
General Tab
On the General tab of the scan template, there are many options available. We have provided best practices for each.
Enhanced Logging
This option provides DEBUG-level logging for scans and should be enabled before submitting logs to Rapid7’s Support team for a potential false positive issue.
Enable Windows services during a scan
Use Credentials
This option only works when running a Discovery-only scan with no Vulnerability checks enabled and only applies to the Asset Discovery check type. When enabled, it uses the Maximum assets scanned simultaneously value when authenticating to your assets, and can lead to discovery scan slowdown, but provides higher accuracy of asset fingerprinting.
This option allows credentials when running a discovery scan; the assets will still not count toward the license.
Enable Fingerprinting
This option is enabled by default in a scan template with Vulnerabilities disabled. It cannot be disabled if the Vulnerabilities option is selected. However, you can clear the checkbox to disable fingerprinting in a discovery scan. Since fingerprinting can be a large time sink in the discovery process, this can greatly speed up an asset-only discovery scan. In asset-only mode there is no attempt to identify the operating system or other fingerprints, which reduces visibility.
We recommend keeping this enabled because there is relatively little benefit in only identifying live assets, without knowing other information such as OS, hostnames, etc.
Enable Windows File System Search
This feature was built to help detect vulnerabilities like Log4J by performing a Windows file search.
We do not recommend selecting this option unless you have a dedicated scan template which includes vulnerabilities like Log4J. By enabling this feature, we use the Windows search engine, which greatly increases the scan duration and impact on the device or asset being scanned.
The Rapid7 agent can run assessments against vulnerabilities like Log4J checks as well, making this template feature deprecated for assets that have the agent installed.
Maximum assets scanned simultaneously per Scan Engine
This is where you must calculate your needs, as the right value depends on whether you're using the Local Scan Engine or a dedicated Scan Engine, the operating system, and the memory and CPU available. It is arguably the most important option in the scan template, as it controls how fast you can scan.
Rapid7 previously released changes that reduce the impact of simultaneous assets on customers and minimize the risk of running out of memory in the Scan Engines. For this to work, we need a 1:4 ratio of CPU to memory. This means aiming for 4 CPUs and 16 GB or 8 CPUs and 32 GB of memory (2 CPUs and 8 GB also work).
Operating systems also have an impact, as Windows-based operating systems tend to use a lot more memory to run the Windows GUI than a Linux GUI (and a headless Linux host has no GUI). However, we do not recommend choosing Linux just to save memory. Choose the operating system that best fits your patch management strategy: you do not want the server holding all of your network’s vulnerability information to become the most vulnerable asset in your environment because you can’t patch it.
Recommended starting points:
| Engine Type | 8 GB / 2 cores | 16 GB / 4 cores | 32 GB / 8 cores |
|---|---|---|---|
| Windows Dedicated Scan Engine | 150 | 300 | 700 |
| Windows Console Local Scan Engine | 50 | 150 | 300 |
| Linux Dedicated Scan Engine | 200 | 400 | 800 |
| Linux Console Local Scan Engine | 75 | 200 | 400 |
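As an added example (not part of the Rapid7 page), the following helper applies the starting points above to a given Scan Engine host. Its bucketing rule is an assumption of this example: the host is placed in the largest column whose CPU and memory requirements are both met, so the smaller resource sets the tier, in keeping with the 1:4 CPU-to-memory ratio recommended above.

```python
# Starting points from the page, keyed by (OS, engine type).
# Columns: 8 GB / 2 cores, 16 GB / 4 cores, 32 GB / 8 cores.
STARTING_POINTS = {
    ("windows", "dedicated"): (150, 300, 700),
    ("windows", "local"): (50, 150, 300),
    ("linux", "dedicated"): (200, 400, 800),
    ("linux", "local"): (75, 200, 400),
}

# (cores, memory_gb) a host must have to use the column at that index.
TIERS = ((2, 8), (4, 16), (8, 32))


def recommend_max_assets(os_name, engine_type, cores, memory_gb):
    """Return (recommended value, notes) for "Maximum assets scanned simultaneously".

    Assumed rule (not from the page): the host is placed in the largest tier
    whose core AND memory requirements are both met. Extra CPU without the
    matching memory (or vice versa) does not raise the recommendation.
    """
    key = (os_name.lower(), engine_type.lower())
    if key not in STARTING_POINTS:
        raise ValueError(f"unknown engine combination: {key}")

    notes = []
    tier = None
    for index, (need_cores, need_mem) in enumerate(TIERS):
        if cores >= need_cores and memory_gb >= need_mem:
            tier = index
    if tier is None:
        notes.append("host is below the smallest recommended size (2 CPUs / 8 GB)")
        return 0, notes

    # Flag hosts that are off the 1:4 CPU:memory ratio the page asks for.
    if memory_gb / cores != 4:
        notes.append(
            f"{cores} CPUs / {memory_gb} GB is not a 1:4 CPU:memory ratio; "
            "the smaller resource sets the tier"
        )
    if key[1] == "local":
        notes.append("local engine shares resources with the Security Console; start lower")
    return STARTING_POINTS[key][tier], notes
```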
Store invulnerable results
Enables the storage of invulnerable results. When a device is scanned, the result of every vulnerability check, whether it found the vulnerability or not, is sent back to the Security Console in the scan data. This is required by some PCI auditors. Unless your PCI auditor explicitly requires a list of all vulnerabilities attempted on a target device, it is recommended to leave this setting disabled.
When disabled, only the vulnerabilities that were confirmed on the host are sent back to the console. Disabling this reduces disk space usage for scan data and speeds up your scans, but prevents reporting on invulnerable data. However, invulnerable data required for correlation is still collected if vulnerability correlation is enabled.
Invulnerable results and false negatives
The primary need for invulnerable data is troubleshooting false negatives, which are extremely rare. The only way to troubleshoot a false negative is to determine whether the check fired. Because false negatives are so rare, we highly recommend keeping this option disabled unless you have a specific need for it in an ad-hoc scan.
Selected Checks
You can see all of the vulnerability categories which can be used for other parts of the tool, or search for checks using the By individual check drop-down. Typically, none of these options should be changed.
Other settings
The following tabs allow further scan template configuration:
- File Searching: a very slow process with high impact on the targets. It does not work over an SMBv2 connection, although it can work with CIFS. We don’t recommend it for general use cases.
- Spam relaying: there are far better ways to test for spam relaying.
- Database servers: can be used if you plan to run policy scanning configuration checks against non-Windows databases, so that you can add the database names.
- Mail Servers, CVS servers and DHCP servers: leave at the defaults.
- Telnet Servers: used if you get Telnet false positives. You can add custom Telnet failed-login responses to the regex if you run into those default account challenges.
Deploy
You should have a great start for your Scan Template in your InsightVM deployment. Just click save, and this will be the first result when creating a site to start bringing data into your database!