Edit (5/25/2019): Almost all the installation steps mentioned in this article is no longer applicable as these steps are only applicable to the old version of the integration app developed by Rapid7.
This version is discontinued in favour of a newer version developed by ServiceNow. I am still keeping this article open in case if someone is still using the old version.
Installation and configuration of Nexpose and ServiceNow integration using MID server and Ruby gems
This article lists all the steps involved in setting up the integration for Nexpose and ServiceNow to pull Vulnerability, Asset and supplementary data (sites, group accounts, tags, etc) in ServiceNow.
Please note:
- This article is build up on the assumption that the person installing the application has gone through the Rapid7 Nexpose installation guide. The installation guide can be downloaded from the ServiceNow store page under the supporting article section. This article is not meant to replace the installation guide.
- Installation steps noted here are for a Windows machine
- Installation steps noted here are for a Nexpose console and not a database
- This article was prepared for the following version of the systems
- - - ServiceNow: Kingston
- - - Rapid7 Nexpose ServiceNow application: 2.2.0
Installation Steps:
- Get in touch with sales and support of Rapid7 and ServiceNow so that we can get the permissions to download the Rapid7 Nexpose ServiceNow application.
- Create an ID (Service account) in the Nexpose system. This ID should have report running access. This ID will later be used by the ServiceNow and MID server to retrieve vulnerability data. If this account doesn’t have needed access, all site data will not be imported.
- Installation of VM&R module in ServiceNow:
- In ServiceNow, type ‘Plugin’ in left navigation. Click on ‘Plugin’ under ‘System definition’.
- Search for ‘Vulnerability Response’ plugin. Right click and click on ‘Activate/upgrade’.
- You will see a pop up. Click on ‘Activate’ button.
- Provision a Windows machine. Recommended storage space is 200 GB however 40 GB space is also okay (your mileage may vary depending on the vulnerability and related data in our Nexpose system).
- Make sure firewall rules are open for all ServiceNow environments if your windows machine is in a locked down network.
- https://dev1.service-now.com
- https://dev2.service-now.com
- https://test1.service-now.com
- https://test2.service-now.com
- https://prod.service-now.com
Additionally, we need firewalls to be open to below sites from where Ruby and Ruby gem support files will be downloaded
- gembundler.com
- rubygems.org
- rubyinstaller.org
- camo.githubusercontent.com
- github.com
- repo.msys2.org
- clients5.google.com
- update.googleapis.com
- api.rubygems.org
- From your Windows machine, Do a ping test to Nexpose console with IP. This might need some additional changes on the network side too if the ping fails. check with network team.
- Create MID user in the ServiceNow instance and give mid server roles to this account.
- Install MID server in your Windows machine.
- Once MID Server is installed in the Windows machine, in ServiceNow, navigate to ‘Servers’ under ‘MID server’ and open the vulnerability mid server. Note the MID server name for later steps.
- Validate the mid server by clicking on ‘Validate’ link.
- Under the capabilities tab, see if we need to give it capabilities
- Under the IP address tab, see if we need to add Nexpose IP address
- Click on rekey link (optional).
- Verify the MID server status as ‘Up’. If the MID server is up and we have the required capabilities and IP address entered, we should be good on the MID server end.
- In the Windows machine, Install the Ruby+Devkit 2.4.4-1 (x64) from https://rubyinstaller.org/downloads/
- Verify the ruby ‘bin’ folder path in variables (system variables and not user domain)
- Restart your Windows machine.
- Open command line in your Windows machine. Execute the gem installation command 'gem install nexpose_servicenow' from the command line. If the gem can’t install properly due to firewall issues then resort to manual installation by downloading gem files from the internet. For detailed steps, refer the Nexpose Rapid7 installation guide.
- Install the Rapid7 Nexpose application in ServiceNow:
- Type ‘Applications’ in left navigation. Click on ‘Applications’ under ‘system applications’.
- Click on ‘downloads’ tab. Search for Rapid7 Nexpose.
- Click on ‘Install’ button next to the application
13.Update Rapid7 Nexpose properties in ServiceNow
- Type ‘Connection settings’ in left navigation. Open ‘Connection settings’ under ‘App configuration’, this should be under the Rapid7 Nexpose.
- Type ‘Import settings’ in left navigation. Open ‘Import settings’ under ‘App configuration’, this should be under the Rapid7 Nexpose.
- Update properties:
- Name of the MID server: Enter the mid server name you noted in the previous steps
- The output directory on the MID server to which files are saved (relative to the 'agent' folder): <folder path where you have the nexpose files stored> example D:\my_mid_server\agent\nexpose_files
- Update other properties like Nexpose IP, username and password.
14.‘VR system’ service account in ServiceNow requires nexpose roles like 'x_r7_rapid7_nx.user_role'. Add these roles to the account. This account is installed as part of the Vulnerability response plugin.
15.Create 2 user groups in ServiceNow with below name (use naming convention as desired😞
- Vulnerability Admin
- Roles assigned to this group: x_r7_rapid7_nx.admin_role and sn_vul.admin
- Members: Admin users like security team are supposed to be members of the admin team. This would give them access to change the properties and check the scan imports.
- Vulnerability User
- Roles assigned to this group: sn_vul.vulnerability_write
- Members: users like operations team are supposed to be members of the User team. This would give them access to read and close the vulnerabilities in the system.
16. (This issue with cross scope access is no longer present and hence this step is no longer needed)
Add 2 cross scope access (sys_scope_privilege) for the Rapid7 application for the software instance table (one for deleteRecord execute api and one for delete access on software instance table). Due to a bug in the Nexpose ServiceNow application, these scope access are not available by default. At the time of writing this article, this bug was present in the app however it may not be present in future versions.
17.For Kingston version of ServiceNow, submit a change ticket on hi.service-now.com to enable the ‘Core automation API’ plugin. This plugin is needed for the 2.2 version of the Nexpose ServiceNow application to function. If this plugin is not available, no Nexpose jobs will work and you will get the error 'sn_automation' is undefined.
18.Manually load jobs one at a time. Refer the diagram in the installation guide for the sequence .
- To manually schedule the jobs, go to ‘Scheduled jobs’ under ‘System Scheduler’ and search for name contain ‘Nexpose’.
Execute the first job ‘Nexpose Integration Last Scan’ job. Check the ECC queue to monitor the status. There should be a probe entry with agent ‘<mid server name you had provided>’ and Name as ‘R7ChunkProbe’.
After each job execution, monitor the ECC queue. If there are no more Rapid7 related input or output entries after some time then it can be safely assumed that ServiceNow has completed sending and receiving data.
Check the import set table for any new imports by navigating to ‘Import sets’ under ‘System import sets’. Search for ‘import set table’ contains ‘nexpose’. If there are no more nexpose related imports after some time then it can be safely assumed that ServiceNow has completed processing the received data.
Move on to executing the next job. Repeat till all jobs are executed.
Edit:
- ‘Core automation API’ plugin is available by default in Kingston release. Due to a known issue with the release, it was not available to us by default and we had to request it.
- All cross scope access issues seem to have resolved in 2.2 version of Nexpose app.
