5. GUI Introduction

5.1. GUI Concepts

This chapter covers recurring concepts when using the web user interface of the Greenbone Security Manager. This includes the dashboard, standard icons, Powerfilters and tags.

5.1.1. Dashboard

The Greenbone Security Manager has four dashboards:

  • Main dashboard
  • Scan dashboard
  • Assets dashboard
  • SecInfo dashboard

The default dashboards may be modified using the wrench icon (edit) in the upper right corner. You can add and remove charts, and reset the dashboard to its defaults.

5.1.1.1. Main Dashboard


The main dashboard displays all tasks both by status and by severity at the top. At the bottom the host topology is shown and the CVEs and NVTs are rated by severity and creation time.

This view provides a quick presentation of the state of your network. All elements may be selected using the mouse and support a drill-down.

5.1.1.2. Scan dashboard


The scan dashboard concentrates on the actual scan tasks. It shows the individual scanned hosts and the full reports by their severity class. Additionally the tasks by status and severity class are shown at the bottom as well. These two graphics are already shown on the main dashboard.

5.1.1.3. Assets dashboard


The assets dashboard includes the host topology from the main dashboard and additionally displays the most vulnerable hosts, the distribution of the found vulnerabilities compared with the discovered operating systems and the operating systems by severity class.

5.1.1.4. SecInfo dashboard

The SecInfo dashboard displays the NVTs, CVEs and CERT Bund advisories by their corresponding severity class. Additionally it displays both CVEs and CERT Bund advisories by their creation time.

5.1.1.5. Charts

The charts in the dashboards can be customized, so the data can be displayed and formatted in different ways. The created graphs can be downloaded and included in other documents.

There are three different chart types available:

  • Line chart
  • Bar chart
  • Donut chart

The contents of the charts can be selected via the drop down menu at the bottom of the chart. This is available as soon as the edit icon in the upper left corner of the dashboard has been selected. Changing the contents also changes the chart type automatically.

Downloading the pictures or a copy can be selected through the context menu at the top left of the chart.


5.1.2. Icons

The web user interface uses recurring icons for identical actions. What an icon refers to follows from the context of the current view.

  • help Display context aware help.
  • list Display a list of current objects.
  • new Create a new object. It could be a user, a target, a task, permission or a filter.
  • trashcan Move an object to the trash can.
  • edit Edit an object.
  • clone Copy/Clone a resource.
  • download Export a resource as GSM object. This object can then be imported on another GSM.
  • refresh Refresh the page.
  • unfold Expand or collapse additional information, for example, the Powerfilter in the view.
  • delete Delete an object irrevocably.
  • next Jump to the next object (page) in a view.
  • last Jump to the last object (page) in a view.
  • view_other Other users have permission to access the object as well.

Other icons can only be accessed in a certain context. This applies to the following icons:

  • start Start a task that is not currently running.
  • stop Stop a currently running task. All discovered results will be written to the database.
  • resume Resume a stopped task.
  • overrides_enabled Enable or disable overrides.
  • solution_type Indicates if a fix for a vulnerability exists.
  • st_vendorfix Indicates a vendor patch.
  • st_workaround Indicates a workaround.
  • st_nonavailable Indicates no solution exists.
  • trend_more Indicates that a scan configuration is being amended with additional NVTs automatically.
  • trend_nochange Indicates that a scan configuration is not activating new NVTs automatically.
  • first Reset to factory defaults.
  • indicator_operator_ok Save changes.
  • upload Upload/Import external files.

5.1.3. Powerfilter

Almost every screen in the web user interface offers the possibility to filter the information displayed. The filter is entered in the filter bar at the top of the web user interface.

Figure: The Powerfilter offers filtering of the displayed results everywhere.

The filter bar can be expanded by clicking the edit icon. This opens a new overlay showing multiple context-aware parameters that are combined to form the Powerfilter. They can also be entered in the filter bar directly.

Figure: The Powerfilter can be expanded in an overlay.

Here, too, the Powerfilter is context aware: depending on the context, more or fewer options are available after expanding.

Figure: The options of the Powerfilter are context aware.

Note

The Powerfilter is not case sensitive.

A typical Powerfilter search could search for all CVE-2012-* vulnerabilities within the 192.168.222.0/24 network.

Figure: Powerfilters may search for CVEs.

5.1.3.1. Components

The possible components of the Powerfilter depend on its context. In general the specification of the following parameters is always possible:

rows:
Enter the number of results to be displayed. The usual value is rows=10. Entering a value of -1 will display all results. Entering a value of -2 will use the value that was pre-set in My Settings under Rows Per Page.
first:
Sets from which position the results should be displayed. If a search returns 50 results but only 10 should be displayed at the same time, rows=10 first=11 displays the second 10 results.
sort:

Defines the column that should be used for sorting the results (sort=name). The results are sorted in ascending order. The name to use can usually be deduced from the column heading. Clicking the column heading allows the name to be verified. Typical column names are:

  • name
  • severity
  • host
  • location

The column names are converted to lower case and spaces are replaced with underscores. Additionally a couple of other fields are available:

  • uuid: The uuid of a result
  • comment: A possible comment
  • modified: Date and time of the last modification
  • created: Date and time of the creation
sort-reverse:
Defines the column that should be used for sorting the results (sort-reverse=name). The results will be sorted descending.
tag:
Selects only the results with a specific tag (see also Tags). Results can be filtered by a specific tag value (tag="server:mail") or by the tag alone (tag="server"). Regular expressions are also allowed.

Note

By filtering using tags custom categories can be created and used in the filters. This allows for versatile and granular filter functionality!

When specifying these components several operators can be used:

  • = equals, e.g. rows=10
  • ~ contains, e.g. name~admin
  • < less than, e.g. created<-1w (older than a week)
  • > greater than, e.g. created>-1w (younger than a week)
  • : regular expression, e.g. name:admin$

There are a couple of special features. If the value is omitted after the equal sign all results will be displayed where this value is not set:

comment=

shows all results without a comment.

If the column that should be searched is omitted all columns will be searched:

=192.168.15.5

This searches if at least one column contains the search string.

The terms are usually combined with or. This can be stated explicitly with the keyword or. To achieve an and-combination the keyword and needs to be specified. Using not will negate the filter.

5.1.3.1.1. Date specifications

Date specifications in the Powerfilter can be absolute or relative. An absolute date specification has the following format:

2014-05-26T13h50

The time can be omitted:

2014-05-26

The time of 12:00am will be assumed automatically. The date specification can be used in the search filter, e.g. created>2014-05-26.

Relative time specifications are always calculated in relation to the current time. Positive time specifications are interpreted as being in the future. Time specifications in the past are written with a prepended minus (-). For time periods the following letters can be used:

  • s second
  • m minute
  • h hour
  • d day
  • w week
  • m month (30 days)
  • y year (365 days)

To view the results of the past 5 days enter -5d. A combination such as 5d1h is not permitted; it has to be replaced with 121h.

To limit the time period for which information should be displayed, e.g. to a month, the following expression can be used:

modified>2014-06-01 and modified<2014-07-01
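The two rules above (no combined durations, and a month expressed as a pair of date comparisons) can be generated rather than typed by hand. The following Python helper is an added example, not part of the GSM; the function names are assumptions, and the letter m is left out because the list above uses it for both minute and month.

```python
import re
from datetime import date

# Seconds per unit letter as listed above. "m" is omitted on purpose:
# the list uses it for both minute and month, so it is ambiguous here.
UNIT_SECONDS = {"s": 1, "h": 3600, "d": 86400, "w": 7 * 86400, "y": 365 * 86400}


def single_unit(spec):
    """Rewrite a combined duration such as '5d1h' as one number and one unit."""
    match = re.fullmatch(r"([+-]?)((?:\d+[shdwy])+)", spec.strip().lower())
    if not match:
        raise ValueError(f"unsupported duration: {spec!r}")
    sign, body = match.groups()
    total = sum(int(n) * UNIT_SECONDS[u]
                for n, u in re.findall(r"(\d+)([shdwy])", body))
    # Pick the largest unit that divides the total without a remainder;
    # seconds always do, so the loop always returns.
    for unit, secs in sorted(UNIT_SECONDS.items(), key=lambda kv: -kv[1]):
        if total % secs == 0:
            return f"{sign}{total // secs}{unit}"


def month_window(column, year, month):
    """Build the 'column>first-of-month and column<first-of-next-month' filter."""
    start = date(year, month, 1)
    # month // 12 is 1 only for December, which rolls over into the next year.
    end = date(year + month // 12, month % 12 + 1, 1)
    return f"{column}>{start.isoformat()} and {column}<{end.isoformat()}"
```
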

5.1.3.1.2. Text phrases

In addition, text phrases to search for can be specified. Then only results in which the text phrases were found are displayed. If the text phrases are not limited to a column (name=text), all columns will be searched. This means that columns that are hidden from the current view will be searched as well.

The following examples can be useful:

overflow
Finds all results that contain the word overflow. This applies to both Overflow as well as Bufferoverflow. Also 192.168.0.1 will find 192.168.0.1 as well as 192.168.0.100.
remote exploit
Will find all results containing remote or exploit. Of course results that contain both words will be displayed as well.
remote and exploit
Both words must be found in a result in any column. The results do not have to be found in the same column.
"remote exploit"
The exact string is being searched for and not the individual words.
regexp 192\.168\.[0-9]+.1
The regular expression is searched for.
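The matching rules from these examples, reproduced in a small Python evaluator. This is an added example and not GSM code; the sample results are constructed, and the function names and the way and, or and not are grouped from left to right are assumptions of this example.

```python
import re

# Constructed sample results: column name -> value.
RESULTS = [
    {"name": "Bufferoverflow in FTP daemon", "host": "192.168.0.100", "comment": ""},
    {"name": "Remote login enabled", "host": "192.168.0.1", "comment": "no exploit known"},
    {"name": "Weak cipher", "host": "10.0.0.7", "comment": "remote exploit published"},
    {"name": "Exploit kit landing page", "host": "10.0.0.9", "comment": ""},
]


def parse(filter_text):
    """Split a text-phrase filter into or-groups of and-ed terms."""
    tokens = re.findall(r'"[^"]*"|\S+', filter_text)  # keep quoted phrases whole
    groups, join_and, negate, as_regex = [], False, False, False
    for tok in tokens:
        word = tok.lower()
        if word == "and":
            join_and = True
        elif word == "or":
            join_and = False
        elif word == "not":
            negate = True
        elif word == "regexp":
            as_regex = True
        else:
            term = (tok.strip('"'), as_regex, negate)
            if join_and and groups:
                groups[-1].append(term)   # and: extend the current group
            else:
                groups.append([term])     # default: a new or-alternative
            join_and = negate = as_regex = False
    return groups


def matches(filter_text, result):
    """True if the result matches; every column is searched, case-insensitively."""
    cells = [str(value) for value in result.values()]

    def hit(term):
        text, is_regex, negated = term
        if is_regex:
            found = any(re.search(text, c, re.IGNORECASE) for c in cells)
        else:
            found = any(text.lower() in c.lower() for c in cells)
        return found != negated

    return any(all(hit(t) for t in group) for group in parse(filter_text))


def select(filter_text):
    """Names of the sample results that the filter keeps."""
    return [r["name"] for r in RESULTS if matches(filter_text, r)]
```
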

Figure: Often used Powerfilters can be saved and retrieved again.

5.1.3.2. Saving and Management

Interesting and frequently used filters can be saved, which simplifies their re-use. For example, to display the NVTs that were modified or added to the feed last week, select SecInfo Management followed by NVTs in the GUI. Then edit the Powerfilter so that it has the following content (see figure "Often used Powerfilters can be saved and retrieved again."):

Created>-1w or modified>-1w sort-reverse=created rows=1 first=1

Figure: The filters can be selected via the drop down box.

This displays all the NVTs that were created or modified last week. This filter can now be given a name. Use the field to the right of the Powerfilter. Enter the name and confirm with the new icon. The filter is then saved and can be selected via the drop down box next to it.

To use a previously saved filter, use the drop down box and confirm afterwards by clicking Switch Filter (refresh icon) (see figure "The filters can be selected via the drop down box."). If JavaScript is enabled, the filter is executed immediately after selection from the drop down box.

If a specific filter should always be activated in a specific view, this can be set in the user settings (see also section My Settings). In this example (see figure "Often used filters can be set up as default filter in the user settings.") it is the NVT Filter.

Figure: Often used filters can be set up as default filter in the user settings.

All saved filters can be managed in Configuration/Filters. Here, filters can be deleted, edited, cloned and exported as GSM object for import into other appliances.

Figure: All filters can be easily managed.

These filters can then be used to filter results of events for the alerts as well.

Filters can be shared.

5.1.4. Tags

Tags are discretionary information that can be linked to any resource. Tags are created directly with the resources. The tags can then be used to filter objects with the help of the Powerfilter (see section Powerfilter). This allows very powerful and granular filtering.

Figure: Tags are discretionary strings that can be assigned a value.

Afterwards these tags can be used in filter expressions. With the filter tag=target:server the specific tag must be set in order to be included. The assigned value is irrelevant and can be empty. With tag="target:server=mail" the exact tag with the respective value must be set.

5.2. My Settings

Every user of the GSM appliance can manage their own settings for the web interface. These settings can be accessed either by selecting My Settings in the Extras menu or by clicking on the user name at the top right.

Figure: Every user can manage their own settings.

By clicking the edit icon in the upper left corner the user can modify these settings. Important settings are:

Timezone:
Internally the GSM saves all information in the UTC time zone. In order to display the data in the time zone of the user the respective selection is required here.
Password:
Here the user can change their password.
User Interface Language:
Here the language is defined. The default uses the browser setting. To always get an English or German interface use english or german.
Rows Per Page:
This is the number of results in a list.
Wizard Rows:
This defines how long to display the wizard for. For example, if the value is set to 3 the wizard won’t be displayed in the task overview as soon as a minimum of 4 tasks are available.
Details Export File Name:

This defines the default name of the file for exported resource details. The format string can contain alphanumeric characters, hyphens, underscores and placeholders that will be replaced as follows:

  • %C The creation date in the format YYYYMMDD. This gives the current date if a creation date is not available, e.g. when exporting lists of resources.
  • %c The creation time in the format HHMMSS. Falls back to the current time similar to %C.
  • %D The current date in the format YYYYMMDD
  • %F The name of the format plugin used (XML for lists and types other than reports).
  • %M The modification date in the format YYYYMMDD. If the modification date is not available, this gives either the creation date or, if a creation date is not available either, the current date, e.g. when exporting lists of resources.
  • %m The modification time in the format HHMMSS. Falls back to the creation time or current time similar to %M.
  • %N The name for the resource or the associated task for reports. Lists and types without a name will use the type (see %T).
  • %T The resource type, e.g. “task”, “port_list”. Pluralized for list pages.
  • %t The current time in the format HHMMSS
  • %U The unique ID of the resource or “list” for lists for multiple resources.
  • %u The name for the currently logged in user.
  • %% The percent sign (%).
List Export File Name:
This defines the default name of the file for exported resource lists (see above).
Report Export File Name:
This defines the default name of the file for exported reports (see above).
Severity Class:

Here the classification of vulnerabilities according to their severity score can be defined.

  • NVD Vulnerability Severity Ratings
    • 7.0 - 10.0: High
    • 4.0 - 6.9: Medium
    • 0.0 - 3.9: Low
  • BSI Vulnerability Traffic Light
    • 7.0 - 10.0: Red
    • 4.0 - 6.9: Yellow
    • 0.0 - 3.9: Green
  • OpenVAS classic
    • 5.1 - 10.0: High
    • 2.1 - 5.0: Medium
    • 0.0 - 2.0: Low
  • PCI-DSS
    • 4.3 - 10.0: High
    • 0.0 - 4.2: None
Filter:
Here specific default filters for each page can be specified that are being activated automatically when the page is loaded.
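
The placeholder rules listed under Details Export File Name, including their fallbacks, as an added Python example (not GSM code). The function name, the dictionary layout and the sample values are assumptions; replacing characters outside the permitted set in substituted values such as %N and %u is a defensive choice of this example, since those values are user-controlled and end up in a file name.

```python
import re
from datetime import datetime

UNSAFE = re.compile(r"[^A-Za-z0-9_-]")  # anything outside the permitted set

# Constructed sample data.
SAMPLE_NOW = datetime(2014, 6, 2, 13, 50, 0)
SAMPLE_TASK = {"type": "task", "name": "DMZ/../scan", "uuid": "abc-123",
               "created": datetime(2014, 5, 26, 9, 0, 0)}


def export_file_name(fmt, resource, user, now, format_name="XML"):
    """Expand the placeholders listed above for one resource (a dict)."""
    # The format string itself may only hold the documented characters.
    if not re.fullmatch(r"(?:[A-Za-z0-9_-]|%.)*", fmt):
        raise ValueError(f"illegal character in format string: {fmt!r}")
    # Documented fallbacks: creation -> current, modification -> creation.
    created = resource.get("created") or now
    modified = resource.get("modified") or created
    values = {
        "C": created.strftime("%Y%m%d"), "c": created.strftime("%H%M%S"),
        "D": now.strftime("%Y%m%d"), "t": now.strftime("%H%M%S"),
        "M": modified.strftime("%Y%m%d"), "m": modified.strftime("%H%M%S"),
        "F": format_name,
        "T": resource["type"],
        "N": resource.get("name") or resource["type"],  # unnamed: use the type
        "U": resource.get("uuid") or "list",            # lists have no single ID
        "u": user,
    }

    def expand(match):
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in values:
            raise ValueError(f"unknown placeholder: %{key}")
        # Keep path separators and dots out of the resulting file name.
        return UNSAFE.sub("_", values[key])

    return re.sub(r"%(.)", expand, fmt)
```
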