Compliance Profile: Scan Options

Scan options affect how the service gathers information about target hosts and how the service performs compliance assessment. These options appear on the Scan tab when you create or edit a compliance option profile.

Scan Options: Performance | Control Types | Ports

Performance

The overall performance level is High, Normal, Low or Custom. The performance level determines the number of hosts to scan in parallel, the number of processes to run in parallel against each host, and the delay between groups of packets sent to each host. Click Configure to change the overall performance level or customize performance settings. See Configure Scan Performance Settings for more information. (Initial Setting: Normal)

 

Control Types

File Integrity Monitoring. Select this check box if you want scans using this compliance profile to check for file integrity. To use this option you must define one or more custom controls to specify the files you want to monitor for changes. See File Integrity Check (Windows) and File Integrity Check (Unix). (Initial Setting: Unchecked)

Note: The following options are only available if the Dissolvable Agent is accepted for the subscription. A Manager can accept the Dissolvable Agent from the Dissolvable Agent Setup page (Setup > Dissolvable Agent).  

Password Auditing. Select this option if you want scans using this compliance profile to check for service-provided password auditing controls (control IDs 3893, 3894 and 3895). These controls are used to identify 1) user accounts with empty passwords, 2) user accounts with the password equal to the user name, and 3) user accounts with passwords equal to an entry in a user-defined password dictionary. See Password Auditing. (Initial Setting: Unchecked)

Click Configure to create a password dictionary. Then enter a list of passwords (up to 100) that are not allowed in your organization. When this profile is applied to a scan task, the scanning engine will compare users' passwords to the password dictionary entries to find any violations. Note that each compliance profile may contain a different password dictionary.

Windows Share Enumeration. Select this option if you want scans using this compliance profile to check Windows shares that are readable by Everyone and return the number of files for each share on each host (control ID 4528). See Windows Share Enumeration. (Initial Setting: Unchecked)

 

Ports

Note: The Ports setting applies to Unix and Windows scans only. For other scan types, including Oracle, MS SQL and SNMP, the Ports setting does not apply. For Oracle and MS SQL scan types, the service always scans the ports defined in the corresponding authentication records.

These Ports settings are available:

Standard Scan. When selected, the standard ports (about 1900 ports) are used for compliance scanning, including the well-known ports: 22 (SSH), 23 (telnet) and 513 (rlogin). For Unix hosts, any custom ports specified in the Unix authentication record are also scanned.

Targeted Scan. When selected, the service targets the scan to a smaller set of ports than the standard ports (about 1900 ports). This is the recommended setting, and it is the initial setting for a new compliance profile.

      For Unix hosts, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on these well-known ports for the hosts you will be scanning, select this option and define a custom ports list in the Unix authentication record. Note: The actual ports scanned also depend on the Ports setting in the Unix authentication record.

      For Windows hosts, the service scans a fixed set of required Windows ports (a service-defined internal list).
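The Targeted Scan rule for Unix hosts above, worked through as an added example (not the service's own code): given a constructed inventory of the ports where each host runs SSH, telnet or rlogin, it reports which hosts the well-known ports already reach and which ports to put in the custom ports list of the Unix authentication record. The inventory format, the function name and the assumption that custom ports are scanned in addition to the well-known ports are all illustrative.

```python
from collections import Counter

# Well-known ports the page lists for Targeted Scan on Unix hosts.
WELL_KNOWN_PORTS = {22: "SSH", 23: "telnet", 513: "rlogin"}


def plan_targeted_scan(inventory, record_custom_ports=()):
    """Classify hosts by whether a Targeted Scan can reach a login service.

    inventory: {host: set of ports where SSH, telnet or rlogin listens}
    record_custom_ports: custom ports already in the Unix authentication
    record (assumed here to be scanned in addition to the well-known ports).
    """
    scanned = set(WELL_KNOWN_PORTS) | set(record_custom_ports)
    covered, pending, no_service = {}, {}, []
    for host, ports in inventory.items():
        if not ports:
            no_service.append(host)  # nothing to authenticate against
        elif ports & scanned:
            covered[host] = sorted(ports & scanned)  # any one is sufficient
        else:
            pending[host] = set(ports)

    # Greedy pick: repeatedly add the port that reaches the most pending
    # hosts, so the custom ports list stays short. Ties go to the lower port.
    to_add = []
    while pending:
        counts = Counter(p for ports in pending.values() for p in ports)
        best = min(counts, key=lambda p: (-counts[p], p))
        to_add.append(best)
        pending = {h: ps for h, ps in pending.items() if best not in ps}
    return {"covered": covered, "add_to_record": sorted(to_add),
            "no_login_service": sorted(no_service)}


# Constructed sample inventory (hostnames and ports are made up).
SAMPLE_INVENTORY = {
    "unix-01": {22},
    "unix-02": {2222},
    "unix-03": {2222, 2323},
    "unix-04": {8022},
    "unix-05": set(),
    "unix-06": {23, 2222},
}

if __name__ == "__main__":
    for key, value in plan_targeted_scan(SAMPLE_INVENTORY).items():
        print(key, value)
```

Hosts listed under no_login_service cannot be fixed with a ports list; they need one of the three services enabled before an authenticated scan can succeed.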

 

Related Reading

Compliance Profile: Additional Options

Managing Compliance Profiles