admin / Synapse-NetscanXi
publicNetwork Scanning, Vulnerability and Compliance Application
Synapse-NetscanXi / NetscanXiVersion13 / docs / training-guide.html
38912 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 | <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>NetscanXi Version 13 - Training & Reference Guide</title> <style> @page { size: A4; margin: 18mm 16mm 18mm 16mm; } * { box-sizing: border-box; } html { -webkit-print-color-adjust: exact; print-color-adjust: exact; } body { font-family: "Segoe UI", -apple-system, Roboto, Helvetica, Arial, sans-serif; color: #1c2430; font-size: 10.5pt; line-height: 1.5; margin: 0; } h1, h2, h3 { color: #0f2a47; font-weight: 700; } h2 { font-size: 15pt; margin: 22px 0 8px; padding-bottom: 5px; border-bottom: 2px solid #2496ed; } h3 { font-size: 12pt; margin: 16px 0 4px; color: #14507a; } p { margin: 6px 0; } ul, ol { margin: 6px 0 6px 0; padding-left: 20px; } li { margin: 3px 0; } code { font-family: "Consolas", "SF Mono", monospace; background: #eef3f8; padding: 1px 5px; border-radius: 4px; font-size: 9.5pt; color: #0a3d62; } pre { background: #0f1419; color: #e6edf3; padding: 12px 14px; border-radius: 7px; font-family: "Consolas", monospace; font-size: 9pt; line-height: 1.45; overflow-x: auto; white-space: pre-wrap; } pre code { background: none; color: inherit; padding: 0; } .keep { page-break-inside: avoid; } .pagebreak { page-break-before: always; } /* Cover */ .cover { height: 247mm; display: flex; flex-direction: column; justify-content: center; align-items: center; text-align: center; page-break-after: always; } .cover .logo { font-size: 54pt; margin-bottom: 4px; } .cover .official { letter-spacing: 6px; font-size: 10pt; font-weight: 700; color: #2496ed; margin-bottom: 18px; } .cover h1 { font-size: 40pt; margin: 0; color: #0f2a47; letter-spacing: -1px; } .cover h1 .x { color: #1f9d3a; } .cover .doctype { font-size: 18pt; color: #14507a; font-weight: 700; margin-top: 6px; } .cover .ver { display: inline-block; margin-top: 12px; background: #1f9d3a; color: #fff; font-weight: 700; padding: 4px 16px; border-radius: 20px; font-size: 13pt; } .cover .tag { color: #5a6675; font-size: 13pt; margin-top: 18px; max-width: 135mm; } .cover .foot { position: absolute; bottom: 22mm; color: #8b97a5; font-size: 9.5pt; } /* Feature badges */ .badges { margin: 4px 0 0; } .badge { display: inline-block; background: #eef3f8; border: 1px solid #cfe0f0; color: #14507a; border-radius: 14px; padding: 2px 10px; font-size: 9pt; margin: 3px 4px 3px 0; font-weight: 600; } /* Part divider */ .part { background: #0f2a47; color: #fff; border-radius: 9px; padding: 14px 18px; margin: 26px 0 12px; page-break-inside: avoid; } .part h2 { color: #fff; border: none; margin: 0; padding: 0; font-size: 17pt; } .part p { margin: 4px 0 0; color: #b9c7d8; font-size: 10pt; } /* Callout boxes */ .note, .warn, .tip, .role { border-radius: 7px; padding: 9px 12px; margin: 10px 0; font-size: 9.8pt; border-left: 4px solid; page-break-inside: avoid; } .note { background: #eef3f8; border-color: #2496ed; } .warn { background: #fdeceb; border-color: #d12d24; } .tip { background: #eafaf0; border-color: #1f9d3a; } .role { background: #f3eefe; border-color: #7b46d1; } .note b, .tip b, .warn b, .role b { color: #0f2a47; } /* Tables */ table { width: 100%; border-collapse: collapse; margin: 8px 0; font-size: 9.5pt; } th, td { text-align: left; padding: 6px 9px; border: 1px solid #d4dae0; vertical-align: top; } th { background: #0f2a47; color: #fff; font-weight: 600; } tr:nth-child(even) td { background: #f4f7fa; } .toc li { margin: 4px 0; } .toc a { color: #14507a; text-decoration: none; } .toc .grp { font-weight: 700; color: #0f2a47; margin-top: 8px; } .lead { font-size: 11pt; color: #34404e; } .pill { display:inline-block; background:#0f2a47; color:#fff; border-radius:5px; padding:1px 7px; font-size:9pt; font-weight:600; } .pill.green { background:#1f9d3a; } .pill.amber { background:#9a6700; } .pill.red { background:#d12d24; } .pill.purple { background:#7b46d1; } .num { display:inline-block; min-width:20px; height:20px; line-height:20px; text-align:center; background:#2496ed; color:#fff; border-radius:50%; font-size:9pt; font-weight:700; margin-right:6px; } </style> </head> <body> <!-- ============ COVER ============ --> <div class="cover"> <div class="logo">🛰️</div> <div class="official">OFFICIAL DOCUMENTATION</div> <h1><span class="x">N</span>etscanXi</h1> <div class="doctype">Training & Reference Guide</div> <div class="ver">Version 13</div> <div class="tag">Includes Operator Training, Administrator Guidelines, Troubleshooting, and FAQ.</div> <div class="badges" style="margin-top:24px; max-width:160mm;"> <span class="badge">Operator Training</span> <span class="badge">Administrator Guidelines</span> <span class="badge">Account Security & MFA</span> <span class="badge">Scan Profiles</span> <span class="badge">Compliance Mapping</span> <span class="badge">🐳 Docker Detection</span> <span class="badge">🏢 Multi-Tenancy</span> <span class="badge">📋 Activity Log</span> <span class="badge">📡 Passive Scanning</span> <span class="badge">🆔 Asset IDs</span> <span class="badge">🗓️ Day/Time Schedules</span> <span class="badge">🐳 Deep Docker Scanning</span> <span class="badge">🔎 Image CVE Scanning</span> <span class="badge">🛡️ CIS Docker Audit</span> <span class="badge">🔧 Patching & Remediation</span> <span class="badge">Troubleshooting & FAQ</span> </div> <div class="foot">Self-hosted · Flask + nmap · Built for Debian | © 2026</div> </div> <!-- ============ INTRO ============ --> <h2>Welcome</h2> <p class="lead">Welcome to NetscanXi, your self-hosted network intelligence and vulnerability management dashboard.</p> <p>This platform is designed to give you continuous visibility into your infrastructure, mapping software, open ports, Docker environments, and regulatory compliance posture. This guide covers daily operator workflows, administrator responsibilities, troubleshooting, and frequently asked questions.</p> <div class="tip"><b>New in Version 13:</b> <b>Patch and Remedy</b> - apply <b>operating-system updates & upgrades</b> (apt / dnf / yum / zypper / apk, auto-detected) over SSH to a single asset, an asset group, or all assets - or update Docker images. NetscanXi <b>auto-creates and updates a remediation item</b> for every run, and uses <b>per-run credentials that are never stored</b>. Hands-on lessons are in <b>Part 6</b>.</div> <div class="tip"><b>New in Version 10r1:</b> deep <b>Docker container scanning</b> - authenticated Engine API inventory (containers + images), per-image <b>CVE scanning</b> (Trivy/Grype) with KEV flagging, a <b>CIS Docker audit</b>, a Docker dashboard panel and container drift detection. Hands-on lessons are in <b>Part 5</b>.</div> <div class="tip"><b>New in Version 9.1:</b> one-click <b>Passive Scanning</b> (zero-probe asset discovery), a stable <b>8-character Asset ID</b> bound to each device's MAC, <b>day & time scheduling</b> (tick days + set a clock time), an <b>editable device Type</b> that sticks across scans, and a <b>Passive/Active scan-type label</b> on every exported report.</div> <!-- ============ TOC ============ --> <h2>Contents</h2> <ol class="toc"> <li class="grp">Part 1 - Operator & Viewer Training</li> <li><a href="#secure">1. Securing Your Account</a></li> <li><a href="#scans">2. Running & Managing Scans</a></li> <li><a href="#dashboard">3. Reading the Dashboard & Data Tabs</a></li> <li><a href="#export">4. Exporting Reports</a></li> <li class="grp">Part 2 - Administrator Training</li> <li><a href="#users">5. User & Role Management</a></li> <li><a href="#tenancy">6. Managing Multi-Tenancy (Data Separation)</a></li> <li><a href="#activity">7. Monitoring the Activity Log</a></li> <li class="grp">Part 3 - Troubleshooting & FAQ</li> <li><a href="#trouble">8. Troubleshooting Guide</a></li> <li class="grp">Part 4 - Version 9.1 — What's New</li> <li><a href="#v91-charts">9. Interactive Dashboard Charts</a></li> <li><a href="#v91-lifecycle">10. CVE Finding Lifecycle (Status Tracking)</a></li> <li><a href="#v91-multiselect">11. Multi-Select Asset Table & Bulk Actions</a></li> <li><a href="#v91-tenantadmin">12. The Tenant Admin Role</a></li> <li><a href="#v91-search">13. Global Search Bar</a></li> <li><a href="#v91-retention">14. Data-Retention Policies (Admin Panel)</a></li> <li><a href="#v91-patch">15. Patch-Aware Vulnerability Assessment</a></li> <li><a href="#v91-trends">16. Historical Trend Graphs</a></li> <li><a href="#v91-integrations">17. Service-Desk Integrations</a></li> <li><a href="#v91-customise">18. Customisable Dashboard</a></li> <li class="grp">Part 5 - Version 10r1 — Docker Scanning</li> <li><a href="#v10-overview">19. Deep Docker Scan & the Host View</a></li> <li><a href="#v10-cve">20. Image CVEs & the CIS Audit</a></li> <li><a href="#v10-lab">21. Hands-On Lab: Your First Deep Docker Scan</a></li> <li class="grp">Part 6 - Version 13 — Patch and Remedy</li> <li><a href="#v13-overview">22. The Patch and Remedy Console</a></li> <li><a href="#v13-creds">23. Credentials, Safety & the Audit Trail</a></li> <li><a href="#v13-lab">24. Hands-On Lab: Patch an Asset's OS</a></li> </ol> <!-- ===================================================================== --> <div class="part"> <h2>Part 1 - Operator & Viewer Training</h2> <p>Daily operations for users assigned the <b>Operator</b> (can scan and export) or <b>Viewer</b> (read-only) roles.</p> </div> <!-- ============ 1 SECURE ============ --> <h2 id="secure">1. Securing Your Account</h2> <p>Before diving into the network data, ensure your access is secure.</p> <ul> <li><b>Changing Your Password:</b> Click <b>Security</b> in the top bar. Enter your current password, type a new one (minimum 8 characters), and click <b>Update password</b>.</li> <li><b>Enabling Two-Factor Authentication (TOTP):</b> In the Security panel, scan the displayed QR code with an authenticator app (like Authy or Google Authenticator). Enter the 6-digit code to confirm.</li> </ul> <div class="tip"><b>Tip:</b> Always save your backup codes in a secure location. They are your way back in if you lose access to your authenticator device.</div> <!-- ============ 2 SCANS ============ --> <h2 id="scans">2. Running & Managing Scans</h2> <p>Operators can initiate scans to discover assets and identify risks.</p> <ul> <li><span class="num">1</span><b>Set the Target:</b> The target box will automatically fill with your detected network, but you can edit this to target a specific IP range or a single host.</li> <li><span class="num">2</span><b>Select a Profile:</b> Choose the depth of your scan based on your current diagnostic requirements.</li> <li><span class="num">3</span><b>Execute:</b> Click <b>Scan</b> for an active scan, or <b>Passive Scan</b> for a zero-probe listen-only sweep. The progress bar displays live percentage, elapsed time, and the exact IP currently being scanned.</li> </ul> <h3>Active vs Passive scanning (v9)</h3> <p>Choose the right acquisition mode for the job:</p> <table> <tr><th>Mode</th><th>What it does</th><th>When to use</th></tr> <tr><td><b>Active</b></td> <td>Sends nmap probes. Returns ports, services, OS, software, vulnerabilities, Docker/TLS/AD findings, compliance and a risk score. Supports profiles and the selectable options.</td> <td>You need depth and risk assessment.</td></tr> <tr><td><b>Passive</b></td> <td><b>Sends no probe traffic.</b> Listens to the ARP cache and mDNS/SSDP announcements to harvest IP, MAC, vendor, hostname, advertised services and a low-confidence device type. <b>No</b> ports, services, OS accuracy, vulnerabilities, TLS/AD/Docker/credential findings, or risk score. No options - one button.</td> <td>You want a quiet, zero-footprint inventory or must avoid touching sensitive devices.</td></tr> </table> <div class="tip"><b>Asset continuity:</b> a device found passively shares the same <b>8-character Asset ID</b> it will use in active scans (matched by MAC), so when you later run an active scan its vulnerabilities attach to the same asset instead of being duplicated.</div> <h3>Correcting a mis-identified device Type (v9)</h3> <p>If the scanner labels a device's <b>Type</b> incorrectly, click the <b>✎</b> pencil beside the type in the Assets table, enter the correct value (e.g. <code>printer</code>, <code>nas</code>, <code>camera</code>, <code>router</code>, <code>iot</code>) and save. The correction is bound to the device's Asset ID and re-applied automatically on every future scan. Clear the field to revert to the scanner's guess.</p> <h3>Scan Profiles</h3> <table> <tr><th>Scan Profile</th><th>Functionality Overview</th><th>Expected Speed</th></tr> <tr><td><b>Quick</b></td> <td>Scans the top 100 ports with light service detection. Skips vulnerability scripts.</td> <td><span class="pill green">Seconds</span></td></tr> <tr><td><b>Standard</b></td> <td>Scans the top 1000 ports and includes deep OS and service detection.</td> <td><span class="pill amber">Minutes</span></td></tr> <tr><td><b>Deep</b></td> <td>Adds nmap vulnerability (NSE) scripts to detect specific CVEs.</td> <td><span class="pill red">Slower</span></td></tr> </table> <!-- ============ 3 DASHBOARD ============ --> <h2 id="dashboard">3. Reading the Dashboard & Data Tabs</h2> <p>Once a scan completes, the dashboard populates with actionable intelligence.</p> <ul> <li><b>Asset Details:</b> Click any row in the asset table to view an expanded panel showing software, open ports, and vulnerabilities.</li> <li><b>Vulnerabilities:</b> Findings are ranked by severity, highlighting CVSS scores and tagging vulnerabilities found in CISA's Known-Exploited (KEV) catalog. Crucially, the system provides official CISA mitigations or tailored hardening advice for every finding.</li> <li><b>Compliance:</b> NetscanXi maps your network against <b>eight</b> major regulatory frameworks. This includes pass/fail mappings for <b>GDPR, PCI DSS, ISO 27001, SOC 2, HIPAA, Cyber Essentials, NIST CSF</b>, and the <b>NCSC CAF</b>.</li> <li><b>Docker Detection:</b> Hosts running container runtimes will display a Docker badge. The platform probes container ports and APIs to identify engine versions.</li> </ul> <div class="warn"><b>Critical:</b> Exposed Docker APIs (ports 2375, 2376, 4243) represent a critical risk and should be restricted immediately.</div> <!-- ============ 4 EXPORT ============ --> <h2 id="export">4. Exporting Reports</h2> <p>You can export data for external audits, ticketing, or distribution to system owners.</p> <ul> <li><b>Whole-Scan Export:</b> Use the top control bar to download the entire network inventory as a flat CSV, a structured JSON, or a branded PDF executive summary.</li> <li><b>Single-Host Export:</b> Expand a specific host in the asset table and click the dedicated export buttons to generate a focused report (CSV/JSON/PDF) for just that machine.</li> <li><b>Scan-type & Asset ID (v9):</b> every export states whether the data is from a <b>Passive</b> or <b>Active</b> scan (printed on the PDF, a leading comment line + column in CSV, and the <code>scan_type</code> field in JSON) and includes each device's Asset ID.</li> </ul> <!-- ===================================================================== --> <div class="part"> <h2>Part 2 - Administrator Training</h2> <p>Strictly for users assigned the <b>Admin</b> role, which provides unscoped visibility across all data and full control over system configuration.</p> </div> <!-- ============ 5 USERS ============ --> <h2 id="sched">Scheduling scans by day & time (v9)</h2> <p>Open <b>⏱ Schedule</b> to manage recurring scans. As well as the classic “every N minutes” interval, you can now schedule by <b>day of week and clock time</b>:</p> <ul> <li><span class="num">1</span><b>Run on days:</b> tick any combination of Mon–Sun.</li> <li><span class="num">2</span><b>At time:</b> enter the hour (0–23) and minute (0–59) in local time.</li> <li><span class="num">3</span><b>Scan type:</b> pick <b>Active</b> or <b>Passive</b> for the scheduled run.</li> <li><span class="num">4</span>Leave the days unticked and set <b>every N minutes</b> instead for a plain interval.</li> </ul> <div class="note"><b>Example:</b> tick Mon/Wed/Fri at <b>02:30</b> with scan type <b>Passive</b> for a zero-footprint inventory three nights a week. The schedule list shows the next run time and an Active/Passive badge.</div> <h2 id="users">5. User & Role Management</h2> <p>Admins have full editable control over every account to prevent lockouts and ensure security.</p> <ul> <li><b>Adding Users:</b> Navigate to <b>User Admin</b> to create accounts. You must assign a username, password, role, and a tenant tag.</li> <li><b>Resetting Passwords:</b> If a user is locked out, admins can click <b>"set password"</b> on their row to immediately assign a new password without needing the old one.</li> <li><b>Enforcing MFA:</b> Admins can force Multi-Factor Authentication on or off per user, or reset a user's MFA if they lose their authentication device (forcing them to re-enrol at their next login).</li> </ul> <!-- ============ 6 TENANCY ============ --> <h2 id="tenancy">6. Managing Multi-Tenancy (Data Separation)</h2> <p>NetscanXi supports <b>soft multi-tenancy</b>, allowing one installation to serve multiple isolated teams or customers.</p> <ul> <li><b>How it works:</b> Every user, scan, and schedule carries a text-based <span class="pill">🏢 tenant tag</span>.</li> <li><b>Visibility Boundaries:</b> Scoped users (Viewers and Operators) will only ever see scans, history, and exports that share their exact tenant tag.</li> <li><b>Admin Visibility:</b> Admins bypass these restrictions and can see data across all tenants.</li> </ul> <!-- ============ 7 ACTIVITY ============ --> <h2 id="activity">7. Monitoring the Activity Log</h2> <p>For compliance and accountability, the system maintains a timestamped audit log. Navigate to <b>Activity</b> to view successful/failed logins, scan executions, data exports, and administrative actions (like password resets).</p> <div class="note"><b>Accountability:</b> Every action logs the acting user, their tenant, and their client IP address.</div> <!-- ===================================================================== --> <div class="part"> <h2>Part 3 - Troubleshooting & FAQ</h2> <p>Common issues and their resolutions.</p> </div> <!-- ============ 8 TROUBLE ============ --> <h2 id="trouble">8. Troubleshooting Guide</h2> <table> <tr><th style="width:42%">Issue</th><th>Solution</th></tr> <tr> <td><b>Scans are returning empty results or missing data.</b></td> <td>Ensure the underlying installation has root access. If NetscanXi does not have <code>NET_ADMIN</code> or <code>NET_RAW</code> capabilities, it will skip OS detection and SYN scans.</td> </tr> <tr> <td><b>A passive scan found few or no devices.</b></td> <td>Passive scanning only sees devices that have recently talked on the LAN (ARP cache) or that broadcast mDNS/SSDP announcements. Give it time, ensure the container shares the host network so it can read the neighbour cache and receive multicast, then re-run. For a complete inventory, run an Active scan.</td> </tr> <tr> <td><b>A device's Type is wrong.</b></td> <td>Click the <b>✎</b> pencil next to the Type in the Assets table and enter the correct value. The override is bound to the device's Asset ID and persists across future scans.</td> </tr> <tr> <td><b>A day/time schedule didn't fire.</b></td> <td>Times are interpreted in the server's local timezone. Confirm at least one day is ticked and the hour/minute are set; if no days are ticked the schedule falls back to the “every N minutes” interval.</td> </tr> </table> <!-- ===================================================================== --> <div class="part pagebreak"> <h2>Part 4 - Version 9.1 — What's New</h2> <p>Ten new capabilities land in Version 9.1. Each lesson below is hands-on: open the named control and follow the steps. Unless noted, these features respect your tenant scope and role.</p> </div> <!-- ============ 9 INTERACTIVE CHARTS ============ --> <h2 id="v91-charts">9. Interactive Dashboard Charts</h2> <p>The dashboard renders four equal-sized chart tiles — <b>OS Distribution</b>, <b>Vulnerability Severity</b>, <b>Network Risk & Compliance</b> and <b>Regulatory Compliance</b> — that you can re-style, resize and rearrange. The OS and severity charts also double as live filters for the asset table.</p> <ul> <li><span class="num">1</span><b>Find the charts:</b> after a scan completes, look at the <b>Interactive Charts</b> block near the top of the dashboard.</li> <li><span class="num">2</span><b>Choose a chart type:</b> use each tile's <b>type selector</b> to switch between a <b>pie chart</b>, <b>horizontal bars</b> or <b>vertical bars</b> (the Network Risk & Compliance tile also offers a <b>trend line</b>).</li> <li><span class="num">3</span><b>Resize a tile:</b> drag the <b>bottom-right corner</b> of any tile to make it bigger or smaller.</li> <li><span class="num">4</span><b>Move a tile:</b> drag the <b>⠿ handle</b> in the tile header to reorder the charts.</li> <li><span class="num">5</span><b>Filter by clicking:</b> click a pie <b>slice</b> (e.g. <i>Windows</i>) or a severity <b>bar</b> (e.g. <i>Critical</i>) to filter the asset table to only matching assets; click again or use <b>Clear filter</b> to reset.</li> <li><span class="num">6</span><b>Reset charts:</b> click <b>↺ Reset charts</b> to restore the default types, sizes and order.</li> </ul> <div class="tip"><b>Tip:</b> your chart types, sizes and order are saved in your browser, so the dashboard looks the way you left it next time you sign in.</div> <!-- ============ 10 CVE LIFECYCLE ============ --> <h2 id="v91-lifecycle">10. CVE Finding Lifecycle (Status Tracking)</h2> <p>You can now triage individual vulnerabilities and have that decision follow the asset across future scans, instead of re-reviewing the same finding every time.</p> <ul> <li><span class="num">1</span><b>Open host detail:</b> click an asset row, then expand a vulnerability under its <b>Vulnerabilities</b> list.</li> <li><span class="num">2</span><b>Set status:</b> click <b>Set status</b> and choose one of <span class="pill red">Open</span> <span class="pill green">Remediated</span> <span class="pill amber">Accepted Risk</span> <span class="pill">False Positive</span>.</li> <li><span class="num">3</span><b>Add a note (optional):</b> record why — e.g. a change ticket, a compensating control, or evidence it's a false positive.</li> <li><span class="num">4</span><b>Choose the scope:</b> apply the status to <b>this asset only</b>, or <b>tenant-wide</b> so the same CVE is treated consistently across every host in your tenant.</li> </ul> <div class="note"><b>Persistence:</b> a status is bound to the asset's Asset ID, so a finding you mark <b>Accepted Risk</b> stays that way when the host reappears in the next scan — until the CVE is no longer detected or you change the status.</div> <!-- ============ 11 MULTI-SELECT ============ --> <h2 id="v91-multiselect">11. Multi-Select Asset Table & Bulk Actions</h2> <p>The asset table gains a checkbox column so you can act on many hosts at once.</p> <ul> <li><span class="num">1</span><b>Select assets:</b> tick the checkbox at the start of each row, or use the <b>select-all</b> checkbox in the header to grab every row in the current (possibly filtered) view.</li> <li><span class="num">2</span><b>Export selected:</b> click <b>Export selected</b> and choose <b>CSV</b> or <b>JSON</b> to download just the chosen assets.</li> <li><span class="num">3</span><b>Re-scan selected:</b> click <b>Re-scan selected</b> to queue a fresh scan against only those hosts.</li> </ul> <div class="tip"><b>Tip:</b> combine with chart filters — click the <i>Critical</i> bar, press select-all, then <b>Re-scan selected</b> to immediately re-validate every high-risk host.</div> <!-- ============ 12 TENANT ADMIN ============ --> <h2 id="v91-tenantadmin">12. The Tenant Admin Role</h2> <p>Version 9.1 adds a new RBAC role, <b>Tenant Admin</b>, sitting between Operator and the global Admin.</p> <div class="role"><b>Role hierarchy:</b> <span class="pill">viewer</span> < <span class="pill">operator</span> < <span class="pill purple">tenant_admin</span> < <span class="pill">admin</span></div> <ul> <li><b>What they can do:</b> a Tenant Admin has full administrative control <b>within their own tenant</b> — managing users, scans, schedules, retention, and integrations for that tenant.</li> <li><b>What they cannot do:</b> they <b>cannot</b> see other tenants' data and <b>cannot</b> create global Admins.</li> <li><b>Assigning it:</b> a global Admin opens <b>User Admin</b>, edits the user, and sets the role to <code>tenant_admin</code>.</li> </ul> <div class="warn"><b>Least privilege:</b> prefer Tenant Admin over global Admin for per-customer or per-team administrators — it confines blast radius to a single tenant.</div> <!-- ============ 13 GLOBAL SEARCH ============ --> <h2 id="v91-search">13. Global Search Bar</h2> <p>A search box now lives in the top navigation bar for fast lookups.</p> <ul> <li><span class="num">1</span><b>Type a query:</b> click the search bar in the top nav and enter an IP, hostname, CVE ID, or software name.</li> <li><span class="num">2</span><b>What it searches:</b> assets, CVEs, and software in the <b>latest scan</b>.</li> <li><span class="num">3</span><b>Jump to the asset:</b> click any result to open the associated asset's detail panel directly.</li> </ul> <div class="note"><b>Scope:</b> results obey your tenant boundary, so scoped users only match assets, CVEs, and software within their own tenant.</div> <!-- ============ 14 RETENTION ============ --> <h2 id="v91-retention">14. Data-Retention Policies (Admin Panel)</h2> <p>The new <b>⚙ Admin</b> panel lets administrators control how long scan history is kept.</p> <ul> <li><span class="num">1</span><b>Open the panel:</b> go to <b>⚙ Admin</b> and find the <b>Data Retention</b> section.</li> <li><span class="num">2</span><b>Set the rules:</b> choose <b>delete scans older than N days</b> and/or <b>keep the M most-recent</b> scans. You can use either or both.</li> <li><span class="num">3</span><b>Auto-apply (optional):</b> tick <b>auto-apply</b> to enforce the policy automatically after each scan.</li> <li><span class="num">4</span><b>Purge now:</b> click <b>Save & purge now</b> to save the policy and immediately remove out-of-policy scans.</li> </ul> <div class="warn"><b>Preserved data:</b> purging removes only scan results. The <b>asset registry</b> (Asset IDs, Type overrides, finding statuses) and the <b>audit log</b> are always preserved.</div> <!-- ============ 15 PATCH-AWARE ============ --> <h2 id="v91-patch">15. Patch-Aware Vulnerability Assessment</h2> <p>A new scan toggle improves accuracy by confirming findings against captured patch levels.</p> <ul> <li><span class="num">1</span><b>Enable the toggle:</b> before running a scan, switch on <b>Patch-aware vulns</b>. This adds the <code>vulners</code> NSE script to the scan.</li> <li><span class="num">2</span><b>Run the scan:</b> NetscanXi captures patch and build tokens into a per-host <b>patch-level list</b> visible in host detail.</li> <li><span class="num">3</span><b>Read the tags:</b> each finding is labelled <span class="pill red">version-confirmed</span> (matched against the detected build) or <span class="pill amber">heuristic</span> (banner/inference only).</li> </ul> <div class="tip"><b>Why it matters:</b> version-confirmed findings dramatically cut false positives — prioritise remediation on those first.</div> <!-- ============ 16 TRENDS ============ --> <h2 id="v91-trends">16. Historical Trend Graphs</h2> <p>The dashboard plots how your posture changes over time.</p> <ul> <li><span class="num">1</span><b>Open the trend chart:</b> set the <b>Network Risk & Compliance</b> tile's type selector to <b>Trend (line)</b> to plot <b>network risk score</b> and <b>compliance posture</b> across your full scan history.</li> <li><span class="num">2</span><b>Switch views:</b> change the same tile to a <b>pie</b> or <b>bar</b> view to see the latest posture values instead of the time series.</li> <li><span class="num">3</span><b>Understand the data:</b> a snapshot is recorded automatically <b>after each scan</b>, so the line fills in as you scan over time.</li> </ul> <div class="note"><b>Tip:</b> use the trend line in management reviews to show risk trending down after a remediation push.</div> <!-- ============ 17 INTEGRATIONS ============ --> <h2 id="v91-integrations">17. Service-Desk Integrations</h2> <p>Open tickets for findings directly in <b>Jira</b>, <b>ServiceNow</b>, or <b>Zendesk</b>.</p> <ul> <li><span class="num">1</span><b>Configure:</b> go to the <b>🔗 Integrations</b> panel, pick your service desk, and enter the connection details (URL, project/queue, credentials or API token).</li> <li><span class="num">2</span><b>Test:</b> click <b>Test</b> to verify the connection before saving.</li> <li><span class="num">3</span><b>Create a ticket:</b> in host detail, expand a CVE finding and click <b>Create ticket</b> to open a pre-filled ticket in your service desk.</li> </ul> <div class="tip"><b>Workflow:</b> pair this with the finding lifecycle — raise a ticket, then mark the CVE <b>Open</b> with the ticket reference in the note for full traceability.</div> <!-- ============ 18 CUSTOMISABLE DASHBOARD ============ --> <h2 id="v91-customise">18. Customisable Dashboard</h2> <p>Tailor the dashboard layout to the way you work.</p> <ul> <li><span class="num">1</span><b>Enter edit mode:</b> click <b>✎ Customise</b> in the dashboard toolbar.</li> <li><span class="num">2</span><b>Rearrange:</b> <b>drag</b> components to reorder them, <b>pin</b> the ones you always want on top, or <b>hide</b> components you don't need.</li> <li><span class="num">3</span><b>Exit:</b> leave Customise mode to lock in your layout; it persists for your account.</li> <li><span class="num">4</span><b>Start over:</b> click <b>↺ Reset layout</b> to return to the default arrangement at any time.</li> <li><span class="num">5</span><b>Customise the charts too:</b> inside the <b>Interactive Charts</b> block you can change each chart's type, resize it and reorder it independently — see §9.</li> </ul> <div class="note"><b>Per-user:</b> your customised layout is saved to your account and doesn't affect what other users see.</div> <!-- ===================================================================== --> <div class="part pagebreak"> <h2>Part 5 - Version 10r1: Docker Scanning</h2> <p>Hands-on training for deep Docker container scanning & vulnerability assessment.</p> </div> <h2 id="v10-overview">19. Deep Docker Scan & the Host View</h2> <p>Version 10r1 looks <i>inside</i> the Docker hosts NetscanXi finds. With the <b>Deep Docker scan</b> option enabled (default on), NetscanXi connects to each host's Docker Engine API and pulls the container and image inventory.</p> <ul> <li><span class="num">1</span><b>Run a scan:</b> on the scan bar keep <b>Docker hosts</b> and <b>Deep Docker scan</b> ticked, then run an Active scan.</li> <li><span class="num">2</span><b>Open a Docker host:</b> its detail panel now shows API status, engine info and a <b>Containers</b> list with risk badges (privileged, docker.sock, host-net, host-pid, +caps).</li> <li><span class="num">3</span><b>Dashboard:</b> the <b>🐳 Docker & Containers</b> panel summarises hosts, containers, images, image CVEs, privileged containers, docker.sock mounts and CIS failures.</li> </ul> <div class="tip"><b>Read-only:</b> NetscanXi only reads from the Docker API - it never starts/stops containers or changes configuration.</div> <h2 id="v10-cve">20. Image CVEs & the CIS Audit</h2> <ul> <li><span class="num">1</span><b>Image CVEs:</b> if Trivy or Grype is installed, each image is scanned for CVEs. The host view shows a severity strip and per-image CVE chips; <b>known-exploited (KEV)</b> CVEs are flagged 🔥 and sorted first.</li> <li><span class="num">2</span><b>CIS audit:</b> review the pass/warn/fail checks - exposed API, no TLS, privileged containers, docker.sock mounts, host network/PID, insecure registry, :latest tags. Fix the <b>fail</b> items first.</li> <li><span class="num">3</span><b>Exports & drift:</b> CSV/JSON/PDF now carry container & image data, and change detection flags new containers, new-privileged / docker.sock changes and new KEV container CVEs.</li> </ul> <h2 id="v10-lab" class="pagebreak">21. Hands-On Lab: Your First Deep Docker Scan</h2> <ol> <li>(Optional) install <b>Trivy</b> on the NetscanXi host so images get CVE results (the bundled Docker image already includes it).</li> <li>Run an Active scan of a range that includes a Docker host.</li> <li>Open the <b>🐳 Docker & Containers</b> dashboard panel and note the counts.</li> <li>Open a Docker host → review Containers, Image Vulnerabilities and the CIS audit.</li> <li>Pick your top 3 actions: a KEV image CVE, a privileged container, and any docker.sock mount. Export a per-host PDF to share.</li> </ol> <div class="warn"><b>Authorisation:</b> only scan hosts you are authorised to assess; use read-only Docker API access.</div> <!-- ===================================================================== --> <h2 class="pagebreak">Part 6 - Version 13: Patch and Remedy</h2> <p>Version 13 lets NetscanXi <b>act</b> on what it finds. It applies <b>operating-system updates and upgrades</b> over SSH, and can also update Docker images. Patching is an <b>operator</b>-level action and is fully tenant-separated.</p> <h2 id="v13-overview">22. The Patch and Remedy Console</h2> <p>Open the <b>Patch and Remedy</b> tab. Choose a <b>Patch type</b> — <b>Operating system (SSH)</b> or <b>Docker images</b> — then a target:</p> <ul> <li><b>Single asset</b> - patch one asset from the latest scan.</li> <li><b>Asset group</b> - patch every asset in a tenant asset group.</li> <li><b>All assets in scope</b> - patch every asset found (OS patching is not limited to Docker hosts).</li> </ul> <p><b>Operating-system patching</b> connects over SSH, auto-detects the package manager (<code>apt</code>, <code>dnf</code>, <code>yum</code>, <code>zypper</code> or <code>apk</code>) and runs an update + upgrade. Tick <b>Full distribution upgrade</b> for a heavier dist-upgrade, or <b>Simulate only</b> to run the package manager in dry-run mode so nothing is changed.</p> <p><b>Docker patching</b> instead pulls the latest image for each running container over the same authenticated Docker Engine API used for scanning, with an optional experimental <b>Recreate containers after pull</b>.</p> <div class="tip"><b>Preview first.</b> <b>Preview (dry run)</b> lists the targeted assets and their detected OS (or images) with <b>no side effects</b> — the OS preview does not even contact SSH — and creates no remediation items.</div> <h2 id="v13-creds">23. Credentials, Safety & the Audit Trail</h2> <p><b>SSH and sudo credentials</b> (for OS patching) and <b>registry credentials</b> (for Docker) are entered <b>per patch run</b>. They are used once and are <b>never written to the database, never logged, and never returned</b>. Password fields are cleared in the browser the moment the request is sent.</p> <p>Every patch run is recorded two ways:</p> <ul> <li><b>Remediation Tracking</b> - one item per targeted asset is auto-created (status <i>in progress</i>) and then updated to <b>resolved</b> or <b>blocked</b> with a result summary, assignee and timestamp.</li> <li><b>Activity log</b> - an <code>os_patch</code> (or <code>docker_patch</code>) entry records who patched what, with counts only (e.g. <code>targets=3 ok=2 simulate=False</code>) — never any credential material.</li> </ul> <div class="warn"><b>Authorisation & change control:</b> OS patching performs <b>privileged remote execution</b> and makes live changes to running systems. Patch only assets you are authorised to change, prefer the simulate/dry-run preview, and use a maintenance window for production hosts.</div> <h2 id="v13-lab" class="pagebreak">24. Hands-On Lab: Patch an Asset's OS</h2> <ol> <li>Run an Active scan of a range containing a Linux host you may change.</li> <li>Open the <b>Patch and Remedy</b> tab; keep <b>Patch type = Operating system</b>.</li> <li>Choose <b>Single asset</b> and pick your Linux host (it now appears whether or not it runs Docker).</li> <li>Click <b>Preview (dry run)</b> and confirm the detected OS / package manager.</li> <li>Enter the <b>SSH username/password</b> (and sudo password if different) — note they are not stored.</li> <li>Tick <b>Simulate only</b> first, click <b>Patch now</b>, and review what <i>would</i> change.</li> <li>Untick Simulate and run again to apply the updates; watch the per-asset log.</li> <li>Open <b>Remediation Tracking</b> and confirm the item was created and updated; (admins) check the <code>os_patch</code> activity entry shows no credentials.</li> </ol> </body> </html> |