Agent-based Scanning (Beta)
Alert Logic is upgrading vulnerability scanning features to support scanning on the host by adding OSQuery and OVALdi scan components to the existing Alert Logic agent.
Upgrades to the scanning experience
The agent-based scan upgrade improves the efficiency, accuracy, and usability of Alert Logic vulnerability scanning features with the following advantages over network scanning:
No Credential Management: Agent-based scanning does not require credential management. Users of authenticated network scans had to configure access and manage credentials for assets and networks. The agent is installed on the host with all the permissions it needs and does not require any further authentication.
Reduced Network Traffic: Agent-based scanning reduces network traffic by running the scan locally on the host and sending only the results to the network appliance for final analysis.
Limited Network and Host Processing Impact: Authenticated and unauthenticated network scans can adversely impact some networks and hosts. Agent-based scanning reduces network impacts by running locally on the host and limits host processing impact to less than 5 minutes. For detailed information on host impacts, see Requirements for the Alert Logic agent with scan components.
Increased Host-Target Availability: You can deploy the agent on hosts that are impossible or impractical to scan from the network.
Better Vulnerability Accuracy: Agent-based scanning increases the accuracy and reliability of vulnerability scan results. Improved coverage includes better operating system, application, patch, and kernel level vulnerability assessment. For more information, see Scan-based vulnerability assessment coverage details.
A host must meet the following criteria to support agent-based scanning.
Node subscription level
The host node must be configured for the Alert Logic MDR Professional or Alert Logic MDR Enterprise level of protection. You can verify or change the protection levels by using Entitlement Summary or Change Protection Level of an Asset.
Host operating system
The host must run a supported Windows or Linux operating system.
The agent-based scanning components are fully validated on the following operating systems. Older Linux and Windows operating systems may work, but will report a large number of vulnerabilities.
| Operating System | Installation Guide |
|---|---|
| Amazon Linux 2 | Install the Alert Logic Agent for Linux |
| CentOS 6, 7, 8 | Install the Alert Logic Agent for Linux |
| Debian 9, 10 | Install the Alert Logic Agent for Linux |
| Red Hat Enterprise Linux (RHEL) 7 | Install the Alert Logic Agent for Linux |
| Windows 7 | Install the Alert Logic Agent for Windows |
| Windows 10 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2008 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2012 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 2016 (All) | Install the Alert Logic Agent for Windows |
| Windows Server 20H2 | Install the Alert Logic Agent for Windows |
Installed agent and agent health
The agent must be installed on the host. Agent health problems related to connectivity or resource issues may prevent the agent-based scanning components from installing. You can verify the health and presence of an agent on a specific host by using the Health page and the Missing Agent Digest report.
Scan components of the agent require the following in addition to the standard Requirements for the Alert Logic Agent.
| Requirement Type | Additional System Requirement for Scan Components | Total System Requirement |
|---|---|---|
Processing requirements and host impact for running an agent-based scan
| Type | Operating Systems | Scan Components | System Requirement | Duration of Demand (Estimate) |
|---|---|---|---|---|
| RAM (Max) | Windows | OSQuery | 50MB | 5 seconds |
| CPU | Windows | Both | Up to 100%, running at low priority | 3-4 minutes |
| CPU | Linux | Both | Up to 100%, running at low priority | 4-5 minutes |
Scan using Alert Logic agents
Any successful network scan of a host that meets the Requirements automatically recognizes and collects the results of the latest agent-based scan.
In the first Beta group, the agent initially scans the host 0-24 hours after installation is complete. Subsequent scans run every 12-36 hours after the completion of the previous scan. The results of the agent-based host scan are not visible in the Alert Logic console until a network scan completes. For technical details on agent-based and network-based vulnerability coverage, see Scan-based vulnerability assessment coverage details.
You can collect the latest results from agent-based scans on target host(s) using two methods:
Scan Schedule Scope: Complete an internal network scan with the host(s) that you want the agent to scan in scope of the scan schedule. For more information on asset scopes in scan schedules, see Define the scope of the assets to scan.
Scan Now: You can use the Scan Now feature from the Topology page of the Alert Logic console to collect the latest agent-based scan results from an individual host as soon as possible. For more information on the Scan Now feature, see Scan Now.
Expect a significant increase in the number of detected vulnerabilities with a new agent-based scan, especially if you did not previously use authenticated scans on the host. Vulnerabilities detected by the agent have the "Agent" category on the Exposures page.
| Vulnerability Type | Host-based Scan (Agent) | Network Scan (no credentials) | Authenticated Network Scan (credentials) |
|---|---|---|---|
| System-level vulnerabilities (kernel - Windows OS) | Yes | Partial | Yes |
| Application-level exposures (RHEL) | Yes | | Yes |
| Application-level exposures (Debian) | Yes | | Yes |
| Application-level exposures (Windows Programs) | Yes | | Yes |
| Configuration Check (TLS/Certificates, Common U/P) | | Yes | Yes |
| Web Application Testing | | Partial | Partial |
| Active Exploits/ SQL Injections/ Etc | | Partial | Partial |
Deference to agent-based scanning
Agent-based scans and authenticated network scans provide equivalent vulnerability assessment for OS, application, patch, and kernel level vulnerabilities.
Therefore, to reduce impact to the network and host, when an authenticated network scan begins scanning a particular host, it checks in with that host for the presence of agent-based scan results.
If agent-based scan results are present on the host:
The authenticated scan will not run against the host. The unauthenticated network scan will still run against the host.
If no agent-based scan results are present on the host:
The authenticated network scan runs as configured against the host.
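The following Python model, added here and not Alert Logic's own code, ties together the rules this page states: the host criteria (subscription level, agent installed and healthy), the Beta scan cadence (first scan 0-24 hours after install, then every 12-36 hours), and the deference rule for authenticated network scans. The Host fields and the protection level strings are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Protection levels that support agent-based scanning (from the page).
AGENT_SCAN_LEVELS = {"Professional", "Enterprise"}

@dataclass
class Host:
    # Hypothetical record of one host as a scan scheduler might track it.
    name: str
    protection_level: str                       # e.g. "Essentials", "Professional"
    agent_installed: bool
    agent_healthy: bool                         # no connectivity/resource issues
    installed_at: Optional[datetime] = None     # when the agent install completed
    last_agent_scan_done: Optional[datetime] = None
    agent_results: Optional[dict] = None        # latest agent scan results, None if none

def agent_scan_eligible(host: Host) -> bool:
    """Host meets the page's criteria: MDR Professional or Enterprise,
    agent installed, and agent healthy."""
    return (host.protection_level in AGENT_SCAN_LEVELS
            and host.agent_installed and host.agent_healthy)

def next_agent_scan_window(host: Host) -> Optional[Tuple[datetime, datetime]]:
    """Earliest and latest expected time of the next agent scan: 0-24 h after
    install for the first scan, 12-36 h after the previous scan thereafter."""
    if not agent_scan_eligible(host) or host.installed_at is None:
        return None
    if host.last_agent_scan_done is None:
        return host.installed_at, host.installed_at + timedelta(hours=24)
    return (host.last_agent_scan_done + timedelta(hours=12),
            host.last_agent_scan_done + timedelta(hours=36))

def plan_network_scan(host: Host, credentials_configured: bool) -> dict:
    """What a network scan does for this host: the unauthenticated scan always
    runs; the authenticated scan is skipped when agent results are present;
    agent results are collected (and become visible) only through a network scan."""
    has_agent_results = agent_scan_eligible(host) and host.agent_results is not None
    return {
        "unauthenticated": True,
        "authenticated": credentials_configured and not has_agent_results,
        "collected_agent_results": host.agent_results if has_agent_results else None,
    }
```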