Cavirin Quick Start Guide - Spring 2019

Sizing Specifications

AWS Instance Type: M5.xlarge (4 vCPUs, 16 GB memory)
GCP Instance Type: n1-standard-4 (4 vCPUs, 16 GB memory)
Azure Instance Type: Standard D4s v3 (4 vCPUs, 16 GB memory)
On-Prem: 4 vCPUs, 16 GB memory
Storage: 150 GB

Connectivity Requirements

From                   | To                  | Port            | Protocol            | Application/Purpose
-----------------------|---------------------|-----------------|---------------------|------------------------
Cavirin Platform’s IP  | Internet (Outbound) | Per the Network | HTTP/HTTPS          | Any
Cavirin Platform’s IP  | Windows Target      | 5985/5986       | HTTP/HTTPS          | Windows RM Service/Scan
Cavirin Platform’s IP  | Windows Target      |                 | ICMP (on-prem only) | Discovery
Cavirin Platform’s IP  | Linux Target        | 22              | SSH                 | Assessment/Scan
Cavirin Platform’s IP  | Linux Target        |                 | ICMP (on-prem only) | Discovery
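A pre-deployment check of the scan paths in the table above, added here as an example and not part of the original guide. It encodes the table's outbound TCP ports (WinRM 5985/5986 for Windows targets, SSH 22 for Linux targets) and probes each target from the host where the Cavirin Platform will run, so that a missing firewall rule shows up before the first assessment rather than as a failed discovery. The target hostnames are constructed placeholders, and ICMP (which the table lists for on-prem discovery only) is left to the OS ping utility because raw ICMP needs elevated privileges.

```python
"""Pre-deployment check of the Connectivity Requirements scan paths (added example)."""
import socket
from dataclasses import dataclass

# Outbound ports from the Cavirin Platform's IP to each target type, as listed
# in the guide's table. ICMP discovery (on-prem only) is not probed here:
# raw ICMP needs elevated privileges, so use the OS ping utility for that check.
REQUIRED_PORTS = {
    "windows": {5985: "WinRM over HTTP", 5986: "WinRM over HTTPS"},
    "linux": {22: "SSH"},
}


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool
    detail: str


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connection; return a ProbeResult describing the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, True, "connected")
    except socket.timeout:
        # Silence rather than a refusal usually means a firewall drops the traffic.
        return ProbeResult(host, port, False, "timeout (likely filtered)")
    except OSError as exc:
        # e.g. ConnectionRefusedError: host answers but nothing listens on the port.
        return ProbeResult(host, port, False, type(exc).__name__)


def check_targets(targets, timeout=3.0):
    """targets: iterable of (host, kind) pairs, kind being 'windows' or 'linux'."""
    results = []
    for host, kind in targets:
        for port in REQUIRED_PORTS[kind]:
            results.append(probe_tcp(host, port, timeout))
    return results


def windows_transport(results):
    """Classify one Windows target from its probe results: 'https' when 5986 is
    open, 'http-only' when just 5985 answers (the transport is not TLS-protected),
    'none' when neither scan port is reachable."""
    open_ports = {r.port for r in results if r.reachable}
    if 5986 in open_ports:
        return "https"
    if 5985 in open_ports:
        return "http-only"
    return "none"


def report(results):
    """One status line per probe, suitable for a pre-flight log."""
    return [
        f"{'OK  ' if r.reachable else 'FAIL'} {r.host}:{r.port} {r.detail}"
        for r in results
    ]


def local_selftest():
    """Exercise probe_tcp on loopback: once against a throwaway listener, once
    against the same port after the listener is closed. Returns both results."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed target names; substitute the hosts the Platform will scan.
    targets = [("win-target.example.internal", "windows"),
               ("linux-target.example.internal", "linux")]
    for line in report(check_targets(targets)):
        print(line)
```

Run it from the Platform's VM (or a host in the same security group or subnet) against one representative Windows and one Linux target. A refusal means the host is reachable but the service is not listening; a timeout usually means a firewall is dropping the traffic. For Windows, an `http-only` result is worth following up: the table allows either 5985 or 5986, but only 5986 carries WinRM over TLS.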

Credentials for Accessing Clouds and On-prem Hosts

The Cavirin Platform uses credentials to access an organization’s computing resources and cloud infrastructure, so that those resources can authenticate the Platform. There are two kinds of credentials:

  • Cloud credentials give the Platform access to cloud services and to the computing resources within a cloud.
  • Host credentials give the Platform access to on-prem resources.

You might have resources that are on-prem as well as in a cloud; you can specify multiple sets of credentials for any deployment, as needed.

Cloud Credentials

Log into the Cavirin Platform and navigate to ‘Protect’ -> ‘Cloud Credentials’. Select ‘Add Cloud Account’.

The screen for adding a cloud account is divided as follows: 

  • At left, the steps performed on the Cavirin VM.
  • At right, a description of steps performed in the cloud itself.
  • Note: Some values you enter in the cloud are also added to the Cavirin configuration.

AWS (Amazon)

AWS cloud credentials are configured in the AWS console and then copied to the Cavirin Platform (refer to the appendix for the cloud configuration steps). The choices for credentials are:

  • Access Key and Secret Key (AKSK).
  • IAM Role.
  • An Amazon Resource Name (ARN).

AZURE (Microsoft)

Azure cloud credentials are configured in the Azure console and then copied to the Cavirin Platform (refer to the appendix for the cloud configuration steps). The choice for credentials is:

  • Application Registration

GCP (Google)

GCP cloud credentials are configured in the GCP console and then copied to the Cavirin Platform (refer to the appendix for the cloud configuration steps). The choice for credentials is:

  • Service account key (json)

Creating Host Credentials

To specify a set of host credentials (Group Admin role):

  1. Navigate to Protect > Host Credentials.
  2. Click Add in the upper-left corner of the Host Credentials screen. The following pop-up window opens:
  3. In the Credential Type dropdown, select Docker Image, Linux Servers - SSH, or Windows Administrator. The specifications are straightforward; the main thing to note is that Label is the name you assign to a credential set. The remaining steps walk through the Linux credentials, which are slightly more involved than the Windows or Docker credentials; the same procedure applies to Windows and Cloud host credentials.
  4. Select Linux Servers for the credential type. The next figure shows the configuration pop-up with the default authentication method, PEM key.
  5. Type a meaningful name for this credential set in the Label box.
  6. For Usage, choose Global or Restricted. Global means the Platform offers this credential to all hosts in the on-prem environment; Restricted means the credential is offered only to hosts in a specific group of computing resources.
  7. For Authentication, choose one of the following:
    1. With Use Key-Pair selected, click Browse to locate and select the PEM key file.
    2. With Use Password selected, type a password.
  8. Select Save if you are done, or Save and add another to create another Linux credential set.

 

Running an Assessment

This section covers running an assessment. For more details, refer to the Cavirin User Guide.

  1. Navigate to Protect -> Discover and Assess Resources.
  2. Select the environment in which you wish to discover resources:
    1. Cloud
    2. On-Prem
    3. Docker Repository
  3. Fill in the required fields:
    1. Cloud Type, Account Name, Group Name
  4. If you want to discover and assess compute resources, add or select a host credential.
  5. Select Next Step.
  6. Select one or more Policy Packs of your choice.
  7. Select Start Assessment to begin running an ‘On Demand’ assessment.

Appendix

Configuring Access Key/Secret Key Credentials for AWS

  1. Log into the AWS Console for the account that you intend to evaluate.
  2. Click Services, and then, under Security, Identity, & Compliance, select IAM.
  3. Select the Users link under IAM Resources, and then click Add user.
  4. On the Add user page, enter a User name.
  5. In Select AWS access type, under Access type, select Programmatic access.
  6. Near the bottom, click Next: Permissions.
  7. In Set permissions, select Attach existing policies directly.
  8. Select Create Policy. (This typically opens a new browser tab. Keep the previous tab open; you will return to it later.)
  9. Select the JSON tab. The policy required here is copied from the Cavirin Platform in the following steps.
  10. Delete the existing text from the JSON tab so it is blank.
  11. Copy the policy from the Cavirin Platform or from here.
  12. Create a name for the policy. This name is used later. Next, click Create Policy.
  13. In the first browser tab (AWS Add user), click the Refresh button to refresh the policy list.
  14. Search for the name of the policy created earlier, select it using the checkbox in its row, then click Next: Tags.
  15. Click Next: Review.
  16. Click Create User.
  17. Copy and save the Access key ID. Paste it into the Access Key ID field on the Cavirin Platform's ADD CLOUD ACCOUNT page.
  18. Click Show under Secret access key.
  19. WARNING: The Secret access key cannot be retrieved later.
  20. Copy and save the Secret access key. Paste it into the Secret Access Key field on the Cavirin Platform's ADD CLOUD ACCOUNT page.
  21. Click Validate at the bottom of the screen. After validation, the button changes to Save.
  22. Click Save.

Configuring IAM Role Credentials for AWS

NOTE: The steps in the following numbered list reflect the current version of the AWS console; use them as a guide if your UI appears different.

  1. Log into the AWS Console.
  2. Click Services, then select IAM.
  3. Select Policies, then click Create Policy.
  4. Select Create Your Own Policy. (This policy will come from Cavirin’s Platform.)
  5. Click the JSON tab.
  6. Copy the policy from the Cavirin Platform or from here.
  7. In the AWS window for creating policies, paste the policy into the Policy Document area, then click Review Policy.
  8. Create a name for the policy and then click Create Policy.
  9. In the left pane (still in AWS), select Roles, then click Create new role.
  10. From Role Type, select Amazon EC2 (allows EC2 instances to call AWS services on your behalf).
  11. Search for the policy created in Steps 4 - 8. Select the policy, then click Next Step.
  12. Set a Role Name of your choice (for example, ‘cavirin_trusted_role’), then click Create Role.
  13. Click Services, then select EC2.
  14. Locate and select the EC2 instance where the Cavirin Platform resides.
  15. Click Actions -> Instance Settings, then select Attach/Replace IAM Role.
  16. In the dropdown, select the Role you created in Step 12.
  17. Click Validate at the bottom of the screen. After validation, the button changes to Save.
  18. Click Save.

 

Configuring ARN Credentials for AWS

  1. Log into the AWS Console for the account that you intend to evaluate.
  2. Click Services, and then select IAM.
  3. Select Policies, and then click Create Policy.
  4. Select Create Your Own Policy. (This policy will come from Cavirin’s Platform.)
  5. Select Policies, and then click Create Policy.
  6. Select the JSON tab.
  7. Copy the policy from the Cavirin Platform or from here.
  8. In the AWS window for creating policies, paste the policy into the Policy Document area, then click Review Policy.
  9. Create a name for the policy that AWS is about to get from the Platform (for example, cavirin_arn) and then click Create Policy.
  10. In the left pane (in AWS), select Roles and then click Create new role.
  11. In Role Type, select Role for cross-account Access. Select Provide access between your AWS account and a 3rd party AWS account.
    • For Account ID, provide the AWS account ID of the account where your Platform instance is running.
    • The external ID must be 2 - 96 characters. Later, you enter this ID in the Platform to finish setup.
    • Clear the Require MFA box.
  12. Click Next Step.
  13. Search for and then select the policy created in Steps 4 - 9, then click Next Step.
  14. Specify a Role Name of your choice (e.g., ‘Platform-Trusted’), then click Create Role.
  15. In the search box, look for the role name specified in the preceding step and click it.
  16. Copy the Role ARN. Paste it into the ARN Role field in the Cavirin Platform.
  17. Provide the external ID from Step 11.
  18. Click Validate at the bottom of the screen. After validation, the button changes to Save.
  19. Click Save.
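The role created in step 11 above carries a trust policy, which is what the Account ID, external ID and Require MFA choices end up writing. The following Python is an added example, not Cavirin's code and not the permissions policy copied from the Platform: build_trust_policy produces the trust document the AWS console generates for those choices (the Platform's account as the only principal, sts:AssumeRole gated on sts:ExternalId, no MFA condition), and audit_trust_policy reviews an existing role's trust policy for the same properties. The external ID is the control that prevents a third party from having the Platform's account assume your role on its behalf (the confused-deputy problem), which is why AWS asks for it on cross-account roles. The account ID and external ID values used below are constructed.

```python
"""Trust policy for the cross-account role in 'Configuring ARN Credentials' (added example)."""

EXTERNAL_ID_RANGE = (2, 96)  # character limits quoted in the guide


def build_trust_policy(platform_account_id, external_id):
    """Trust policy of the form the AWS console generates for 'Provide access
    between your AWS account and a 3rd party AWS account' with Require MFA
    cleared: only the named account may call sts:AssumeRole, and only while
    presenting the agreed external ID."""
    if not (platform_account_id.isdigit() and len(platform_account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    lo, hi = EXTERNAL_ID_RANGE
    if not lo <= len(external_id) <= hi:
        raise ValueError(f"external ID must be {lo}-{hi} characters")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{platform_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy):
    """Review an existing role's trust policy against the guide's setup.
    Returns a list of findings; an empty list means every AssumeRole statement
    names a specific account, requires an external ID of valid length and does
    not demand MFA (which a non-interactive assessment platform cannot satisfy)."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal in ("*", ["*"]):
            findings.append("Principal is '*': any AWS account could assume this role")
        condition = stmt.get("Condition", {})
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("no sts:ExternalId condition: the role is exposed to confused-deputy misuse")
        elif not EXTERNAL_ID_RANGE[0] <= len(external_id) <= EXTERNAL_ID_RANGE[1]:
            findings.append("sts:ExternalId is outside the 2-96 character range")
        if condition.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true":
            findings.append("MFA is required: a non-interactive AssumeRole will fail "
                            "(the guide says to clear Require MFA)")
    return findings


if __name__ == "__main__":
    # Constructed values: a placeholder Platform account ID and external ID.
    policy = build_trust_policy("111122223333", "constructed-external-id")
    print(policy)
    print("findings:", audit_trust_policy(policy) or "none")
```

After step 14 you can open the role in the IAM console, view its trust relationship and run audit_trust_policy on that JSON to confirm the principal is the Platform's account and the external ID condition is present before clicking Validate in the Platform.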

 

 

Adding Credentials for Microsoft Azure 

This section describes the steps for adding a Microsoft Azure account to the Cavirin Platform so that the Platform can assess it. 

NOTE: To complete the steps in Azure, the user must have the owner role in Azure. 

  1. Type a name for the Azure account that the Platform uses locally. (It does not need to match the account name entered in the Azure UI.)
  2. Type a description, as needed.
  3. Log into the Azure Management Portal.
  4. Go to Azure Active Directory. Click Properties.
  5. Copy the directory ID.
  6. In Cavirin, paste the directory ID value into the Tenant ID box.
  7. In the Azure Active Directory navigation blade, click App registrations, then click New application registration.
  8. Type a name for the Cavirin application in the Name box.
  9. In the Application Type dropdown, select Web app/API.
  10. For the sign-on URL, type any valid URL. (Cavirin ignores this URL, but Azure requires one.) The Create button now appears at the bottom of the screen.
  11. Click Create. Azure begins generating the application ID (but does not display it in this blade).
  12. In the App registrations list, find the generated application ID, click on it, and copy it.
  13. In Cavirin, paste the application ID into the Application ID box.
  14. In Azure (where the same window is open), select the Settings blade at right and then select Keys near the top of the blade.
  15. Specify a key description and a duration (expiration) for the key.
  16. Click Save at the top of the blade. Azure now generates the key and displays it.
  17. Record the value of the key and store it safely.

WARNING: Record the key (before the next step) because you can’t retrieve it later.

  18. Copy the key and paste it into the Cavirin Application Key box.
  19. In Azure, in the blade at left, click Subscriptions; copy the subscription ID.
  20. Paste this subscription ID into the Cavirin UI’s Subscription ID box.
  21. In Azure, again locate the subscription; click on it to open a configuration blade at right.
  22. Select Access control (IAM) in the menu. The Add button appears (if you have an owner role).
  23. Click Add. The blade for role configuration opens at right. In the Role dropdown at upper-right, select Reader.
  24. In the Select box, start typing the name of the Cavirin application (from Step 8). When auto-complete displays the app name, click it.
  25. Click Save. This completes the tasks in the Azure management portal.
  26. Click the Validate button at the bottom of the screen (not shown in the next figure). After successful validation, the button changes to Save (also not shown).
  27. Click Save. This completes the addition of the Azure cloud account.

 

Adding Credentials for Google Cloud 

This section describes the steps for adding a Google Cloud account so that Cavirin can assess it. 

A cloud credential for Google Cloud is a key for a service account in a JSON format.

  1. Type a name for the Google account for the Platform to use locally. (It does not need to match the account name entered in Google Cloud.)
  2. Type a description, as needed.
  3. In the Cloud Credentials area, select JSON.
  4. Log into the organization’s Google Cloud Console.
  5. Select the name of a project at the top of the screen; click Open.
  6. In the upper-left corner, click the list icon (for Products and Services) to open a navigation pane.
  7. Click APIs and services and select Dashboard (the default).
  8. Click Enable APIs and Services. You will use a search box to locate and enable two APIs (they might already be enabled).
  9. In the Enable APIs and Services search box, type Google Compute Engine API to start searching for it. After finding it, click on the API.
  10. Click Enable if this button is visible (otherwise, the API is already enabled).
  11. In the same search box, type Google Cloud Resource Manager API. After finding it, click on this API. Click Enable if visible (otherwise, it is already enabled).
  12. Again, in APIs and Services, locate and click Credentials (in the menu at left).
  13. Click Create Credentials, and then select Service account key.
  14. In the Service account dropdown, choose New service account (near the bottom of the list).
  15. Type a name for the service account (for example, “Cavirin”).
  16. Open the Role dropdown and select the Viewer role.
  17. For Key type, select JSON.
  18. Click Create. Google creates a key and downloads it to your local system.
  19. (This and the remaining steps are in the Cavirin system.) In the Select JSON box, browse to and select the JSON file downloaded in the preceding step; click Open.
  20. At the bottom of the screen for the new account, click Validate. After validation succeeds, the button changes to Save.
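Before uploading the key file to the Platform, it is worth confirming that the download really is a service-account key for the intended project rather than some other credential type, and doing so without echoing the private key anywhere. The following Python is an added example, not part of the guide or of Cavirin's software: inspect_service_account_key parses the file, checks the field names Google writes into every JSON service-account key, and returns a summary that contains only non-secret fields. SAMPLE_KEY_JSON is a constructed stand-in with placeholder values; its private_key is not a real key.

```python
"""Sanity-check a downloaded Google service-account key before upload (added example)."""
import json

# Fields present in every service-account key Google generates with Key type JSON.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)


def inspect_service_account_key(text, expected_project=None):
    """Parse the downloaded key file and return (ok, findings, summary).
    The summary repeats only non-secret fields, so it can be written to a log;
    the private key is never copied out of the parsed document."""
    findings = []
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, [f"file is not valid JSON: {exc.msg}"], {}
    if not isinstance(key, dict):
        return False, ["top-level JSON value is not an object"], {}

    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("'type' is not 'service_account' "
                        "(an OAuth client or user credential was downloaded instead?)")
    if expected_project and key.get("project_id") != expected_project:
        findings.append(f"project_id {key.get('project_id')!r} does not match "
                        f"expected {expected_project!r}")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key is not a PEM-encoded PKCS#8 block")
    if not str(key.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        findings.append("client_email is not a service-account address")

    # Only identifiers that are safe to log; the key material stays out.
    summary = {k: key.get(k) for k in ("project_id", "client_email", "private_key_id")}
    return not findings, findings, summary


# Constructed sample with the real field names but placeholder values; the
# private_key body is deliberately not a usable key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cavirin@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
})


if __name__ == "__main__":
    ok, findings, summary = inspect_service_account_key(
        SAMPLE_KEY_JSON, expected_project="example-project")
    print("OK" if ok else "PROBLEMS", summary)
    for finding in findings:
        print(" -", finding)
```

Pass the project you selected in step 5 as expected_project; a mismatch there is the most common way a key for the wrong project ends up attached to an assessment account.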