Nessus Compliance Checks


Auditing System Configurations and Content
April 20, 2016

Table of Contents

Introduction
    Prerequisites
    Nessus and SecurityCenter Customers
    Standards and Conventions
Compliance Standards
Configuration Audits, Data Leakage, and Compliance
    What is an audit?
    Audit vs. Vulnerability Scan
    Example Audit Items
        Windows
        Unix
        Cisco
        Huawei
        Palo Alto Firewall
        IBM iSeries
        NetApp Data ONTAP
        Salesforce
        Databases
    Audit Reports
    Credentialed Scanning and Privileged Account Use
    Technology Required
        Mobile Device Management (MDM) Compliance Nessus Plugin
        Rackspace Compliance Nessus Plugin
        OpenStack Compliance Nessus Plugin
        Unix and Windows Configuration Compliance Nessus Plugins
        Unix and Windows Content Compliance Nessus Plugin
        Database Compliance Nessus Plugin
        IBM iSeries Compliance Nessus Plugin
        Cisco Compliance Nessus Plugin
        Juniper Junos Compliance Nessus Plugin
        Huawei Compliance Nessus Plugin
        Palo Alto Compliance Nessus Plugin
        VMware Compliance Nessus Plugin
        Citrix XenServer Compliance Nessus Plugin
        HP ProCurve Compliance Nessus Plugin
        FireEye Compliance Nessus Plugin
        Fortigate FortiOS Compliance Nessus Plugin
        Amazon AWS Compliance Capability
        Dell Force10 Compliance Nessus Plugin
        Adtran AOS Compliance Nessus Plugin
        SonicWALL SonicOS Compliance Nessus Plugin
        Extreme ExtremeXOS Compliance Nessus Plugin
        Check Point GAiA Compliance Nessus Plugin
        Brocade FabricOS Compliance Nessus Plugin
        NetApp Data ONTAP Compliance Nessus Plugin
        SCAP Linux and Windows Compliance Checks
        MongoDB Compliance Nessus Plugin
        Salesforce Compliance Nessus Plugin
        BlueCoat ProxySG Compliance Nessus Plugin
        Red Hat Enterprise Virtualization (RHEV) Compliance Nessus Plugin
    Audit Policies
    Helpful Utilities
    Unix or Windows Nessus Scanners
    Credentials for Devices to be Audited
    Using "su", "sudo", and "su sudo" for Audits
        sudo Example
        su sudo Example
        Important Note Regarding sudo
        Cisco IOS Example
Converting Windows .inf Files to .audit Files with i2a
    Obtaining and Installing the Tool
    Converting the .inf to .audit
    Analyzing the Conversion
    Correct .inf Setting Format
Converting Unix Configuration Files to .audit Files with c2a
    Obtaining and Installing the Tool
    Create a MD5 Audit File
    Create Audit File Based on One or More Configuration Files
    Creating a MAP File
    Other Uses for the c2a Tool
    Manual Tweaking of the .audit Files
Converting Unix Package Lists to .audit Files with p2a
    Obtaining and Installing the Tool
    Usage
    Create Output File Based on all Installed Packages
    Create Output File Based on Package List and Send to the Screen
    Create Audit File Based on a Specified Input File
Example Nessus User Interface Usage
    Obtaining the Compliance Checks
    Configuring a Scanning Policy
    Uploading a Custom Audit Policy
    Offline Configuration Audits
    Performing a Scan
    Example Results
Example Nessus for Unix Command Line Usage
    Obtaining the Compliance Checks
    Using .nessus Files
    Using .nessusrc Files
    Performing a Scan
    Example Results
SecurityCenter Usage
    Obtaining the Compliance Checks
    Configuring a Scan Policy to Perform a Compliance Audit
    Managing Credentials
    Analyzing the Results
Additional Resources
About Tenable Network Security

Copyright 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.

Introduction

This document describes how Nessus 5.x can be used to audit the configuration of Unix, Windows, database, SCADA, IBM iSeries, and Cisco

All audit files must be encoded in ANSI format. Unicode, Unicode big endian, and UTF-8 encoded files will not work. Windows Nessus can test for any setting that can be configured as a
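The encoding requirement above is the thing most likely to break a hand-edited audit file: a Windows editor can save it as UTF-8 with a byte-order mark, or as UTF-16 under the names "Unicode" and "Unicode big endian", and none of those load. The following script is an added example, not Tenable's code and not part of the original document. It checks a .audit file for a BOM, NUL bytes and bytes above 0x7F before the file is uploaded, and strips a BOM when the remaining text is plain ASCII. It treats 7-bit ASCII as the portable subset of "ANSI" (every Windows code page agrees with ASCII on bytes 0x00-0x7F); bytes above 0x7F are reported rather than rejected so the author can confirm they are intentional for the scanner's code page. The sample audit fragments in the block are constructed.

```python
"""Pre-flight encoding check for Nessus .audit files.

Added example, not Tenable's code. Nessus requires ANSI; this treats 7-bit
ASCII as the portable subset (every Windows code page agrees with ASCII on
bytes 0x00-0x7F) and reports anything else so the author can decide.
"""
import sys

# Byte-order marks written by editors saving as "UTF-8", "Unicode"
# (UTF-16 LE) and "Unicode big endian" (UTF-16 BE); Nessus rejects all three.
BOMS = (
    (b"\xef\xbb\xbf", "UTF-8 BOM"),
    (b"\xff\xfe", "UTF-16 little-endian BOM"),
    (b"\xfe\xff", "UTF-16 big-endian BOM"),
)


def find_encoding_problems(data: bytes) -> list:
    """Return 'line:col: reason' strings; an empty list means the file is safe."""
    problems = []
    for bom, name in BOMS:
        if data.startswith(bom):
            problems.append(f"1:0: {name} at start of file")
            break
    if b"\x00" in data:
        problems.append("NUL byte present: file is probably UTF-16, not ANSI")
    # Every non-ASCII byte, with a one-based line and zero-based column, so a
    # stray smart quote in a description: or value: line is easy to locate.
    for line_no, line in enumerate(data.splitlines(), start=1):
        for col, byte in enumerate(line):
            if byte > 0x7F:
                problems.append(f"{line_no}:{col}: non-ASCII byte 0x{byte:02x}")
    return problems


def to_ansi(data: bytes) -> bytes:
    """Strip a BOM and return the file as ASCII bytes.

    Raises UnicodeEncodeError if any character cannot be kept: a quietly
    substituted character in a <custom_item> value would change what the
    audit checks, so the author has to fix those by hand.
    """
    if data.startswith(BOMS[0][0]):
        text = data.decode("utf-8-sig")   # utf-8-sig drops the BOM
    elif data.startswith(BOMS[1][0]) or data.startswith(BOMS[2][0]):
        text = data.decode("utf-16")      # BOM picks the byte order and is dropped
    else:
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            text = data.decode("cp1252")  # already "ANSI" on a Western Windows
    return text.encode("ascii")


# Constructed samples, not taken from any real audit file.
GOOD = (b'<custom_item>\r\n'
        b'type: FILE_CHECK\r\n'
        b'description: "Permissions of /etc/passwd"\r\n'
        b'file: "/etc/passwd"\r\n'
        b'owner: "root"\r\n'
        b'mask: "133"\r\n'
        b'</custom_item>\r\n')
WITH_UTF8_BOM = BOMS[0][0] + GOOD
AS_UTF16 = GOOD.decode("ascii").encode("utf-16")
SMART_QUOTES = b'description: \xe2\x80\x9c/etc/passwd\xe2\x80\x9d\r\n'


def main(paths):
    """Check each file; the return value is the number of files that failed."""
    failed = 0
    for path in paths:
        with open(path, "rb") as fh:
            issues = find_encoding_problems(fh.read())
        print(("FAIL" if issues else "OK  ") + " " + path)
        for issue in issues:
            print("    " + issue)
        failed += bool(issues)
    return failed


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_audit.py custom.audit` before uploading; a non-zero exit status means at least one file needs attention. The deliberate choice not to substitute characters in `to_ansi` is a safety measure: a curly quote that silently became a straight one, or an accented character that became `?`, would alter a regex or value in the audit and could make a check pass or fail for the wrong reason.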