Joval Utilities Quickstart (~15 minutes)

Welcome to the Joval Utilities

The Joval Utilities is a lightweight, standalone assessment engine that provides access to the core capabilities of the Joval Java SDK via the command line. It’s included in all Enterprise Edition and Developer Edition trials and licenses.

Please follow this guide to deploy the Joval Utilities and run your first scan. It should take about 15 minutes.

Prerequisites

In order to complete this guide, you will need:

  • The Joval Utilities
  • A valid license file (.xml)

If you don’t have these, please register for an evaluation.

Deploy Joval

  1. Create a working directory: joval
  2. Download the Joval Utilities (.zip) and unzip it
  3. Rename the unzipped folder to Joval-Utilities and move it to your working directory
  4. Copy your license file [your-domain].sig.xml to your working directory
  5. Add an empty folder to your working directory: content

Your working directory should now look like this:

joval
     content
     Joval-Utilities
          ...
          Joval-Utilities.jar
          User_Guide.pdf
     [your-domain].sig.xml

Continue from the command line (note: reverse slashes on Windows):

cd [path-to-your-working-directory]

:: Confirm that Java is installed on this device
java -version

:: If you don't have Java, we recommend Java 8:
:: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

:: Confirm successful deployment by viewing command line help 
java -jar Joval-Utilities/Joval-Utilities.jar -?

Note: Joval supports Java 6+, but we currently recommend Java 8 because XML support is less stable in Java 9-11.

Select Scan Content

Secure Configuration Assessment

To a run secure configuration assessment, download a baseline in SCAP format as follows:

  • CIS Benchmarks
  • USGCB Benchmarks
    1. Visit the NIST USGCB Content Repository and select a platform benchmark
    2. Download the USGCB SCAP content
    3. Unzip it and copy the .xml file to the content folder in your joval working directory
  • STIG Benchmarks
    1. Download a benchmark from the DISA IASE SCAP Repository (note whether it’s under the SCAP 1.2 heading or the SCAP 1.1 heading)
    2. For SCAP 1.2 Content
      • Unzip it and copy the .xml file to the content folder in your joval working directory
    3. For SCAP 1.1 Content
      • Copy the downloaded .zip file to the content folder in your joval working directory
  • SCAP Security Guides for Linux
    1. Download the latest scap-security-guide.[version].zip from the OpenSCAP Releases Page
    2. Unzip and copy the desired ssg-[platform]-ds.xml file to the content folder in your joval working directory

Vulnerability (CVE) Assessment

To run a vulnerability (CVE) assessment, download an OS-version-specific vulnerability feed in OVAL format to the content folder in your joval working directory:

Configure & Scan

The Joval Scan Configuration Assistant will guide you through the process of creating a scan configuration file. Continue from the command line (note: reverse slashes on Windows):

cd [path-to-your-working-directory]

:: Start the assistant and follow prompts to create your configuration file
java -Dlicense.file=[your-domain].sig.xml -jar Joval-Utilities/Joval-Utilities.jar scan

:: Then, run your scan!
java -Dlicense.file=[your-domain].sig.xml -jar Joval-Utilities/Joval-Utilities.jar scan -c config.ini

:: Review the output files and logs in the configured folders

Next Steps

  • Configure & Scan using alternate scan content and targets
  • Review the User_Guide.pdf in the Joval-Utilities folder for additional configuration options including:
    • Tailoring configuration
    • Gateway & Proxy configuration
    • Scan hosts file configuration
    • File-less configuration via -c -
    • Custom report creation

Questions? Feedback?

Please contact your account executive or reach out here!