Cisco Firepower Management Center 2000
27-6
FireSIGHT System User Guide
Chapter 27 Using the FireSIGHT System as a Compliance Tool
Understanding Compliance White Lists
Every host on the network is assigned a host attribute that has the same name as the white list. This host attribute has one of the following values:
• Compliant, for valid targets that are compliant with the white list
• Non-Compliant, for valid targets that violate the white list
• Not Evaluated, for invalid targets and hosts that have not yet been evaluated for any reason
Note that if your network is large and the system is in the process of evaluating all the valid targets in the network map against the white list, targets that have not yet been evaluated are marked as Not Evaluated. As the system completes its processing, more hosts move from Not Evaluated to either Compliant or Non-Compliant. The system can evaluate approximately 100 hosts per second.
Additionally, a host may be marked as Not Evaluated if the system has insufficient information to determine whether the host is in compliance. For example, this may occur if the system has detected a new host but has not yet gathered relevant information on the operating system, clients, application protocols, web applications, or protocols running on the host.
Note
If you change or delete a host attribute from a host and that change or deletion means that the host is no longer a valid target, the host changes from either Compliant or Non-Compliant to Not Evaluated.
For more information on host attributes, see .
Understanding White List Violations
License: FireSIGHT
After the initial white list evaluation, the system generates a white list event when it detects that a valid target is violating the white list. White list events are a special kind of correlation event, and are logged to the Defense Center correlation event database. You can view white list events in a workflow, or search for specific white list events. For more information, see .
White list violations occur when the system generates an event that indicates that a host is out of compliance. Similarly, discovery events may indicate that a previously non-compliant host is now compliant, although the system does not generate a white list event when this occurs.
The following events can change the compliance of a host:
• the system detects a change in a host’s operating system
• the system detects an identity conflict for a host’s operating system or an application protocol on the host
• the system detects a new TCP server port (for example, a port used by SMTP or web servers) active on a host, or a new UDP server running on a host
• the system detects a change in a discovered TCP or UDP server running on a host, for example, a version change due to an upgrade
• the system detects a new client running on a host
• the system drops a client from its database due to inactivity
• the system detects a new web application running on a host
• the system drops a web application from a host profile due to inactivity
• the system detects that a host is communicating with a new network protocol, such as Novell Netware or IPv6, or a new transport protocol, such as ICMP or EGP
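The evaluation and event behaviour described in this section, as an added Python model that is not FireSIGHT code: hosts move between Compliant, Non-Compliant and Not Evaluated as discovery events arrive, a white list event is produced only when an event introduces a violation, and a return to compliance produces none. The white list itself (OS name to allowed server ports, with unlisted operating systems standing in for invalid targets), the host fields and the event names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

COMPLIANT, NON_COMPLIANT, NOT_EVALUATED = "Compliant", "Non-Compliant", "Not Evaluated"

# Constructed white list (assumption): OS name -> allowed (transport, port) server pairs.
# Hosts whose OS is not listed are treated as invalid targets.
WHITE_LIST = {
    "Linux": {("tcp", 22), ("tcp", 443)},
    "Windows": {("tcp", 445)},
}

@dataclass
class Host:
    ip: str
    os: Optional[str] = None                     # None: OS not yet discovered
    servers: set = field(default_factory=set)    # discovered (transport, port) servers
    status: str = NOT_EVALUATED

def evaluate(host):
    """Map a host to one of the three white list attribute values."""
    if host.os is None or host.os not in WHITE_LIST:
        return NOT_EVALUATED                     # insufficient information or invalid target
    return COMPLIANT if host.servers <= WHITE_LIST[host.os] else NON_COMPLIANT

def violations(host):
    """Servers the white list does not allow; empty unless the host is Non-Compliant."""
    if evaluate(host) != NON_COMPLIANT:
        return set()
    return host.servers - WHITE_LIST[host.os]

def apply_event(host, event, value):
    """Apply one discovery event, re-evaluate the host, and return a white list
    event (dict) only when the event introduced a new violation; None otherwise."""
    before = violations(host)
    if event == "os_change":
        host.os = value
    elif event == "new_server":
        host.servers.add(value)
    elif event == "server_dropped":
        host.servers.discard(value)
    host.status = evaluate(host)
    new = violations(host) - before
    if new:
        return {"host": host.ip, "status": host.status, "violations": sorted(new)}
    return None                                  # a return to compliance logs no white list event
```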