Last updated Thursday, May 16, 2024, 14:35:46 GMT

Over the years, our recommendations and best practices for the InsightVM console have changed as we have improved and updated the system. Here are some of the most common improvements to get the most out of your InsightVM console.

Adjusting administration settings

There are a few InsightVM settings that can be optimized out of the box for a better experience.

Adjusting data retention

By default, the InsightVM console keeps all data forever. This can lead to decommissioned assets never being removed and too much disk space being used up. The following values are recommended as a starting point.

Scan data retention: 12 months

If you have legal or audit requirements for keeping scan data, such as for PCI, this can be adjusted. If you have more than 50,000 IPs and need to keep scan data longer, it is recommended that you use the InsightVM data warehouse functionality to export the data to the warehouse database and set the console's scan data retention to 3 months to keep the console efficient.

Report data retention: 6 months

Some reports can be quite large, so periodically removing older historical reports can help clean up console storage, especially if you are emailing the reports out and storing them off the console.

Asset data retention: 30 days

Asset data retention uses the last scan date of your devices to remove devices that have not been scanned in a while. It is recommended to run a network-based scan of your network once a week. With weekly scans, if a device has missed 4 scan cycles, it very likely no longer exists. If the Insight Agent is installed on a device, the last scan date is updated whenever the agent checks in.

Agent data retention: 30 days

The default data retention policy for Insight Platform agents is 30 days, so it is recommended that you match it in the InsightVM console.

Data retention can be found under Administration -> Maintenance, Backup and Retention

http://docs.28277cc.com/insightvm/database-backuprestore-and-data-retention/#configure-data-retention-settings
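To make the asset retention rule above concrete, here is an added example (not code from the original post or from Rapid7) that models it over a constructed inventory: an asset's effective last scan date is the later of its last network scan and its last Insight Agent check-in, and anything unseen for longer than the 30-day retention is what the console would purge. Hostnames and timestamps are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Values recommended in the post: weekly network scans, 30-day asset retention.
SCAN_INTERVAL = timedelta(days=7)
ASSET_RETENTION = timedelta(days=30)


def last_seen(asset):
    """Effective last scan date: the later of the last network scan and the
    last Insight Agent check-in, since an agent check-in refreshes that date."""
    stamps = [asset["last_scan"]]
    if asset.get("last_agent_checkin") is not None:
        stamps.append(asset["last_agent_checkin"])
    return max(stamps)


def missed_cycles(asset, now):
    """Whole weekly scan cycles that have passed since the asset was last seen."""
    return (now - last_seen(asset)) // SCAN_INTERVAL


def retention_report(assets, now, retention=ASSET_RETENTION):
    """Split hostnames into (keep, purge): what a 30-day asset retention
    setting would drop on its next maintenance run."""
    keep, purge = [], []
    for asset in assets:
        bucket = purge if now - last_seen(asset) > retention else keep
        bucket.append(asset["hostname"])
    return keep, purge


# Constructed sample inventory (hypothetical hostnames, not real data).
NOW = datetime(2024, 5, 16, 14, 35, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    {"hostname": "web01", "last_scan": NOW - timedelta(days=3),
     "last_agent_checkin": None},
    # Missed five weekly scans, but the agent still checks in: kept.
    {"hostname": "lap17", "last_scan": NOW - timedelta(days=35),
     "last_agent_checkin": NOW - timedelta(hours=6)},
    # No agent and six missed cycles: very likely decommissioned, purged.
    {"hostname": "old-db", "last_scan": NOW - timedelta(days=42),
     "last_agent_checkin": None},
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(f"{asset['hostname']}: {missed_cycles(asset, NOW)} missed cycle(s)")
    print("keep/purge:", retention_report(SAMPLE_ASSETS, NOW))
```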

Changing the console update frequency

By default, the InsightVM console checks for updates every 6 hours. This could mean that the console reboots for an update in the middle of your work day. It is recommended to change the update frequency to 24 hours and set the time to outside your work hours.

Console updates can be found under Administration -> Updates

http://docs.28277cc.com/insightvm/managing-versions-updates-and-licenses/#managing-updates-with-an-internet-connection

Session timeout and console HTTPS certificate

The InsightVM default session timeout is 600 seconds, or 10 minutes. It is recommended to increase this to 1800 (30 minutes) or 3600 (1 hour) so you don't have to keep logging back in to the console. If you have internal session timeout requirements, you can also adjust it to match those.

The console ships with a default self-signed HTTPS certificate. All management traffic to the InsightVM console is encrypted with it, but web browsers do not trust that certificate. It is recommended to generate a new certificate and have it signed by your internal Certificate Authority. Adding a signed web server certificate can also help remove platform login errors between the cloud and the on-premise console. Be sure that the Subject Alternative Name (SAN) field is populated with the FQDN of your security console server.

After improving the console connection with an internally signed HTTPS certificate, it is recommended that you enable platform login to link your on-premise InsightVM account with your Insight Platform account. This means you only need a single login to access all of your Rapid7 products. If you have an SSO provider, you can enable it on the Insight Platform for additional ease of user management.

Optionally, you can also change the default web server port from the default of 3780 to 443 if that will be more convenient for your users.

The timeout and HTTPS certificate can be found under Administration -> Web Server

http://docs.28277cc.com/insightvm/managing-the-security-console

http://docs.28277cc.com/insightvm/enable-insightvm-platform-login

http://docs.28277cc.com/insight/single-sign-on
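As an added example (not code from the original post or from Rapid7), the following standard-library Python check verifies the three properties the certificate advice above asks for: the SAN names the console's FQDN, the certificate is not the default self-signed one, and it has not expired. It works on the dict shape that `ssl.SSLSocket.getpeercert()` returns; the sample certificates, the FQDN and the port 3780 helper are constructed placeholders.

```python
import socket
import ssl


def name_matches(san_entry, fqdn):
    """Match one SAN DNS entry against the console FQDN. A leading '*'
    label covers exactly one label, as browsers require."""
    san_entry, fqdn = san_entry.lower().rstrip("."), fqdn.lower().rstrip(".")
    if san_entry.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == san_entry[2:]
    return san_entry == fqdn


def check_console_cert(cert, fqdn, now):
    """Return findings for a cert in ssl.SSLSocket.getpeercert() dict form;
    an empty list means it is CA-signed, unexpired and names the console."""
    findings = []
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        findings.append("no Subject Alternative Name DNS entries")
    elif not any(name_matches(n, fqdn) for n in dns_names):
        findings.append(f"SAN {dns_names} does not cover {fqdn}")
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed: issuer equals subject")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate expired")
    return findings


def fetch_console_cert(host, port=3780, cafile=None):
    """Live check against a real console (not run here): a verifying context
    populates getpeercert(); pass your internal CA bundle as cafile if needed."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certs in getpeercert() form; names are placeholders.
CONSOLE_FQDN = "ivm-console.corp.example"
NOW = 1715870146  # 2024-05-16 14:35:46 GMT, the post's timestamp
DEFAULT_SELF_SIGNED = {
    "subject": ((("commonName", "ivm-console"),),),
    "issuer": ((("commonName", "ivm-console"),),),
    "notAfter": "May 16 14:35:46 2034 GMT",
}
INTERNAL_CA_SIGNED = {
    "subject": ((("commonName", CONSOLE_FQDN),),),
    "issuer": ((("commonName", "Corp Internal Issuing CA"),),),
    "subjectAltName": (("DNS", CONSOLE_FQDN), ("DNS", "ivm-console")),
    "notAfter": "May 16 14:35:46 2025 GMT",
}
```

Running `check_console_cert(fetch_console_cert("your-console-fqdn"), "your-console-fqdn", time.time())` after installing the new certificate should return an empty list.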

Optimizing scan templates

The default Full Audit without Web Spider scan template is fine for some initial scans, but it can be tuned to speed up your scans and improve overall scan accuracy. If all of your scan engines have the same resources, you can use just one optimized scan template, which reduces potential confusion and further simplifies scan configuration. My colleague Landon Dalke wrote a great blog on scan template best practices. Here are some highlights from his article:

Assets scanned simultaneously per scan engine

Please use the following table for reference depending on how much CPU and RAM your scan engines have. Make sure your engines have a 1:4 CPU-to-RAM ratio for best performance. Also, if your scan engines are virtual, make sure the allocated memory is reserved to avoid out-of-memory issues.

Send UDP packets to ports

We recommend disabling this. It is very unlikely that a device would not respond to ICMP, ARP, or TCP but somehow respond only over UDP.

Do not treat TCP reset responses as live assets

We recommend enabling this. It will help prevent "ghost assets" with no hostname or operating system from appearing when certain routers or IDS/IPS devices send TCP reset responses.

Nmap service detection

We recommend disabling this, as it can cause scans to take 5-10 times longer to run. Having credentials or an agent on the device provides the same information.

Timeout Interval

The Timeout Interval can be adjusted depending on the bandwidth in your environment to speed up asset discovery and port scanning. If you are scanning low-bandwidth environments or offices across the world from one scan engine, it is recommended not to use these settings. If you have fast networks and engines placed close to the devices being scanned, the following values can be used:

Initial timeout: 200ms

Minimum timeout: 200ms

Maximum timeout: 500ms

Skip checks performed by the Insight Agent

We recommend enabling this. If an agent is detected on a device, the scan will skip the vulnerability checks the agent already performs, shortening scan time.

Store invulnerable results

We recommend disabling this. When this setting is enabled, the scan logs will tell you whether a target host is not vulnerable to a given vulnerability. PCI has an audit requirement where you need the explicit negative for the vulnerability on a target host. If you do not need PCI compliance, or do not have a PCI auditor asking for this level of detail, internal testing revealed that disabling this setting caused scans to run ~50% faster with ~70% less disk space used.

Updating the console

For InsightVM product updates, the typical release schedule is weekly on Wednesdays, with occasional out-of-band updates. To stay on the latest version, make sure automatic updates are enabled and follow the update frequency guidance mentioned above.

InsightVM content updates consist of new or modified vulnerability checks. They are checked for every two hours and do not require a system restart.

Make sure your scan engines are also updated properly. As long as a scan engine has enough storage space and can reach the InsightVM console, it should update automatically when no scans are running.

Unless you are using a Rapid7 hosted console, you are also responsible for updating the underlying operating system. This means not only applying the latest security patches, but also making sure the OS version itself is not end of life. This will ensure continued support for the latest InsightVM releases.

Lastly, you want to make sure you are running the latest version of the InsightVM PostgreSQL database. If you are still running an older version, this can cause potential issues with the database as well as general slowdown for the console and reports.

http://docs.28277cc.com/insightvm/postgresql-database-migration-guide/

Tuning the PostgreSQL database

InsightVM has a database auto-tune feature which tunes the database automatically based on the amount of RAM on the console server. The database is tuned automatically at install time, but if you increase the console's resources after installation, you will need to run the auto-tune manually. To activate it, go to Administration -> Run and run the command tune assistant to see how the database would be tuned, then run tune assistant apply. The tuning is then applied at the next system restart. This has a bigger impact if you have 64 GB of RAM or more.

Check out this doc for more details on tuning the PostgreSQL database. If you are not comfortable tuning your own database, you can always reach out to Rapid7 Support for assistance.

Scan and site cleanup

Before October 2020, the discovery portion of a scan would only hit 1024 assets simultaneously. Now, discovery runs against 65,535 IPs simultaneously. This leads to much faster discovery of larger IP ranges. Because of this, we recommend using fewer sites with larger IP ranges, such as /16, /12, or /8 CIDR ranges.

The best way to organize these new, larger sites is based around function or geographical region. For example, having a separate site for "all stores" and one for "all corporate" ranges. Another example is splitting sites by continent, or by the largest geographical region possible. Make sure that you have engines placed as close to the devices you want to scan as possible for maximum visibility and reduced bandwidth concerns.

Having fewer sites with a larger scope will help reduce micromanagement of scoping and scheduling, and allows for easy expansion as you scan more devices. For granular reporting and access management, use asset groups, which are more flexible than sites.

Besides having too many sites, the next largest problem most consoles face is scans overlapping on the same scan engine. Fewer sites means fewer scheduled scans, but you should still be aware of which scan engines those sites are using. Running scans consumes RAM on the scan engine, and having too many scans running at once can cause scan slowdown or potentially engine crashes due to lack of memory.

The goal is one scan engine per site. That way, your sites can be scanned at the same time without overloading a single engine. If you have some sites or locations that are much larger than others, you can deploy more engines to that location and pool them together for even greater scan efficiency.

If you are scanning more than 2,000 devices or have segmented networks, you should not be using the local scan engine, as it runs on the console server and takes resources away from the web server and the PostgreSQL database.

http://xaj.28277cc.com/blog/post/2023/12/04/method-to-an-old-consultants-madness-with-site-design

After performing the steps above, your console should be in a much better place to reduce micromanagement and improve overall efficiency. If you need further help, don't hesitate to contact Rapid7 Support or your Customer Success Manager.