Nessus Compliance Checks Reference Guide

Compliance Checks Reference Guide
Last Updated: June 04, 2021

Table of Contents

Compliance Checks Reference ... 13
Compliance Standards ... 14
Configuration Audits, Data Leakage, and Compliance ... 16
Tips on String Matching ... 18
Adtran AOS Compliance File Reference ... 19
  Adtran AOS Syntax ... 21
Amazon Web Services (AWS) Compliance File Reference ... 22
  Audit File Syntax ... 23
  AWS Keywords ... 24
  AWS Debugging ... 26
  Known Good Auditing ... 27
BlueCoat ProxySG Compliance File Reference ... 30
  BlueCoat ProxySG Syntax ... 31
  BlueCoat ProxySG Context ... 32
Brocade Fabric OS (FOS) Compliance File Reference ... 33
  Brocade Fabric OS Syntax ... 36
Check Point GAiA Configuration Audit Compliance File Reference ... 37
  Check Type: CONFIG CHECK ... 38
  Check Point GAiA Keywords ... 39
  CONFIG CHECK Examples ... 42
  Conditions ... 43
  Reporting ... 45
Cisco IOS Configuration Audit Compliance File Reference ... 46
  Check Type ... 47
  Cisco IOS Keywords ... 48
  Command Line Examples ... 53
    Search for a Defined SNMP ACL ... 54
    Disable "finger" Service ... 55
    Randomness Check to Verify SNMP Community Strings and Access Control are Sufficiently Random ... 56
    Context Check to Verify SSH Access Control ... 58
  Conditions ... 60
Citrix XenServer Audit Compliance File Reference ... 62
  Check Type: AUDIT XE ... 64
  Citrix XenServer Keywords ... 65
Database Configuration Audit Compliance File Reference ... 68
  Database Configuration Check Type ... 69
  Database Configuration Keywords ... 70
  Database Configuration Command Line Examples ... 73
  Database Configuration Conditions ... 76
Dell Force10 Compliance File Reference ... 78
  Dell Force10 Syntax ... 81
Extreme ExtremeXOS Compliance File Reference ... 82
  Extreme ExtremeXOS Syntax ... 84
FireEye Audit Compliance File Reference ... 85
  FireEye Check Types ... 87
  FireEye Keywords ... 88
Fortinet FortiOS Audit Compliance File Reference ... 91
  Fortinet FortiOS Syntax ... 93
HP ProCurve Audit Compliance File Reference ... 97
  HP ProCurve Check Types ... 98
  HP ProCurve Keywords ... 99
Huawei VRP Compliance File Reference ... 102
  Huawei VRP Syntax ... 105
IBM iSeries Configuration Audit Compliance File Reference ... 106
  Required User Privileges ... 107
  Check Type ... 108
  Keywords ... 109
  Custom Items ... 111
  Conditions ... 112
Juniper Junos Configuration Audit Compliance File Reference ... 114
  Check Type: CONFIG CHECK ... 115
  Juniper CONFIG CHECK Keywords ... 116
  CONFIG CHECK Examples ... 120
  Check Type: SHOW CONFIG CHECK ... 121
  Juniper SHOW CONFIG CHECK Keywords ... 122
  SHOW CONFIG CHECK Examples ... 127
  Conditions ... 129
  Reporting ... 131
Microsoft Azure Audit Compliance Reference ... 132
  Scan Requirements ... 133
  Microsoft Azure Syntax ... 135
  Microsoft Azure Keywords ... 136
MongoDB Compliance File Reference ... 139
  MongoDB Syntax ... 141
  MongoDB Keywords ... 142
NetApp Data ONTAP ... 143
  Required User Privileges ... 144
  Check Type: CONFIG …
  …tack Syntax ... 153
  OpenStack Keywords ... 155
Palo Alto Firewall Configuration Audit Compliance File Reference ... 156
  AUDIT XML ... 157
  AUDIT REPORTS ... 159
  Palo Alto Firewall Keywords ... 162
Red Hat Enterprise Virtualization (RHEV) Compliance File Reference ... 164
  Red Hat Enterprise Virtualization Syntax ... 166
  Red Hat Enterprise Virtualization Debugging ... 167
Salesforce Compliance File Reference ... 168
  SalesForce Setup Requirements ... 169
  SalesForce Syntax ... 170
SonicWALL SonicOS Compliance File Reference ... 172
  SonicWALL SonicOS Syntax ... 174
Unix Configuration Audit Compliance File Reference ... 175
  Unix Configuration Check Type ... 176
  Unix Configuration Keywords ... 177
  Unix Configuration Custom Items ... 188
    AUDIT XML ... 190
    AUDIT ALLOWED OPEN PORTS ... 192
    AUDIT DENIED OPEN PORTS ... 193
    AUDIT PROCESS ON PORT ... 194
    BANNER CHECK ... 195
    CHKCONFIG ... 196
    CMD EXEC ... 197
    FILE CHECK ... 198
    FILE CHECK NOT ... 201
    FILE CONTENT CHECK ... 203
    FILE CONTENT CHECK NOT ... 205
    GRAMMAR CHECK ... 206
    MACOSX DEFAULTS READ ... 207
    PKG CHECK ... 210
    PROCESS CHECK ... 211
    RPM CHECK ... 212
    SVC PROP ... 214
    XINETD SVC ... 215
  Built-In Checks ... 216
    Password Management ... 217
      min password length ... 218
      max password age ... 220
      min password age ... 222
    Root Access ... 224
    Permissions Management ... 225
      accounts bad home permissions ... 226
      accounts bad home group permissions ... 227
      accounts without home dir ... 228
      active accounts without home dir ... 229
      invalid login shells ... 230
      login shells with suid ... 231
      login shells writeable ... 232
      login shells bad owner ... 233
    Password File Management ... 234
      passwd file consistency ... 235
      passwd zero uid ... 236
      passwd duplicate uid ... 237
      passwd duplicate gid ... 238
      passwd duplicate username ... 239
      passwd duplicate home ... 240
      passwd shadowed ... 241
      passwd invalid gid ... 242
    Group File Management ... 243
      group file consistency ... 244
      group zero gid ... 245
      group duplicate name ... 246
      group duplicate gid ... 247
      group duplicate members ... 248
      group nonexistent users ... 249
    Root Environment ... 250
    File Permissions ... 251
      find orphan files ... 252
      find world writeable files ... 254
      find world writeable directories ... 256
      find world readable files ... 258
      find suid sgid files ... 259
      home dir localization files user check ... 261
      home dir localization files group check ... 262
    Suspicious File Content ... 263
    Unnecessary Files ... 264
  Conditions ... 265
Unix Content Audit Compliance File Reference ... 267
  Check Type ... 268
  Item Format ... 269
  Unix Content Command Line Examples ... 273
    Target Test File ... 274
    Search Files for Properly Formatted VISA Credit Card Numbers ... 275
    Search for AMEX Credit Card Numbers ... 276
  Auditing Different Types of File Formats ... 277
  Performance Considerations ... 278
VMware vCenter/ESXi Configuration Audit Compliance File Reference ... 279
  Requirements ... 280
  Supported Versions ... 281
  Check Types ... 282
  Keywords ... 284
  Additional Notes ... 287
Windows Configuration Audit Compliance File Reference ... 288
  Value Data ... 289
  Complex Expressions ... 291
  The "check type" Field ... 292
  The "group policy" Field ... 294
  The "info" Field ... 295
  The "debug" Field ... 297
  ACL Format ... 298
    File Access Control Checks ... 299
    Registry Access Control Checks ... 302
    Service Access Control Checks ... 305
    Launch Permission Control Checks ... 308
    Launch2 Permission Control Checks ... 310
    Access Permission Control Checks ... 312
  Custom Items ... 314
    PASSWORD POLICY ... 316
    LOCKOUT POLICY ... 318
    KERBEROS POLICY ... 320
    AUDIT POLICY ... 322
    AUDIT POLICY SUBCATEGORY ... 324
    AUDIT POWERSHELL ... 328
    AUDIT FILEHASH POWERSHELL ... 334
    AUDIT IIS APPCMD ... 336
    AUDIT ALLOWED OPEN PORTS ... 339
    AUDIT DENIED OPEN PORTS ... 341
    AUDIT PROCESS ON PORT ... 343
    AUDIT USER TIMESTAMPS ... 345
    BANNER CHECK ... 347
    CHECK ACCOUNT ... 349
    CHECK LOCAL GROUP ... 352
    ANONYMOUS SID SETTING ... 354
    SERVICE POLICY ... 355
    GROUP MEMBERS POLICY ... 357
    USER GROUPS POLICY ... 359
    USER RIGHTS POLICY ... 360
    FILE CHECK ... 364
    FILE VERSION ... 366
    FILE PERMISSIONS ... 368
    FILE AUDIT ... 371
    FILE CONTENT CHECK ... 373
    FILE CONTENT CHECK NOT ... 375
    REG CHECK ... 377
    REGISTRY SETTING ... 379
    REGISTRY PERMISSIONS ... 385
    REGISTRY AUDIT ... 387
    REGISTRY TYPE ... 389
    SERVICE PERMISSIONS ... 391
    SERVICE AUDIT ... 393
    WMI POLICY ... 395
  Items ... 398
  Predefined Policies ... 399
  Forced Reporting ... 414
  Conditions ... 415
Windows Content Audit Compliance File Reference ... 419
  Check Type ... 420
  Item Format ... 421
  Windows Content Command Line Examples ... 425
    Target Test File ... 426
    Search Examples ... 427
  Auditing Different Types of File Formats ... 436
  Performance Considerations ... 437
  Additional Information ... 438
Appendix: All Compliance and Audit Files ... 439
Appendix: XSL Transform to .audit Conversion ... 440
  Install xsltproc ... 441
  Identify the XML File to Use ... 442
  Become Familiar with XSL Transforms and XPath ... 443
  Create the XSLT Transform ... 444
  Verify the XSLT Transform Works ... 445
  Copy the XSLT to the .audit ... 446
  Final Audit ... 447

Copyright 2021 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Tenable.ot, Lumin, Indegy, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.

Compliance Checks Reference

This document describes the syntax used to create custom .audit files that can be used to audit the configuration of Unix, Windows, database, SCADA, IBM iSeries, and Cisco systems against a compliance policy, as well as to search the contents of various systems for sensitive content.

For a higher-level view of how Tenable compliance checks work, see the Nessus Compliance Checks whitepaper.

For the PDF version of this guide, see the PDF.

Tip: Nessus supports SCADA system auditing; however, this functionality is outside of the scope of this document. Please reference the Tenable SCADA information page for more information.

Prerequisites

This document assumes some level of knowledge about the Nessus vulnerability scanner along with a detailed understanding of the target systems being audited. For more information on how Nessus can be configured to perform local Unix and Windows patch audits, please refer to the Nessus User Guide available at https://docs.tenable.com/nessus/.

Compliance Standards

There are many different types of government and financial compliance requirements. It is important to understand that these compliance requirements are minimal baselines that can be interpreted differently depending on the business goals of the organization. Compliance requirements must be mapped to the business goals to ensure that risks are appropriately identified and mitigated. For more information on developing this process, please refer to the Tenable whitepaper Maximizing ROI on Vulnerability Management.

For example, a business may have a policy that requires all servers with customer personally identifiable information (PII) on them to have logging enabled and minimum password lengths of 10 characters. This policy can help in an organization's efforts to maintain compliance with any number of different regulations.

Common compliance regulations and guides include, but are not limited to:

• BASEL II
• Center for Internet Security Benchmarks (CIS)
• Control Objectives for Information and related Technology (COBIT)
• Defense Information Systems Agency (DISA) STIGs
• Federal Information Security Management Act (FISMA)
• Federal Desktop Core Configuration (FDCC)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• ISO 27002/17799 Security Standards
• Information Technology Infrastructure Library (ITIL)
• National Institute of Standards and Technology (NIST) configuration guidelines
• National Security Agency (NSA) configuration guidelines
• Payment Card Industry Data Security Standards (PCI DSS)
• Sarbanes-Oxley (SOX)
• Site Data Protection (SDP)
• United States Government Configuration Baseline (USGCB)
• Various State Laws (e.g., California's Security Breach Notification Act - SB 1386)

These compliance checks also address real-time monitoring such as performing intrusion detection and access control. For a more in-depth look at how Tenable's configuration auditing, vulnerability management, data leakage, log analysis, and network monitoring solutions can assist with the mentioned compliance regulations, please refer to the Tenable whitepaper Real-Time Compliance Monitoring.

Configuration Audits, Data Leakage, and Compliance

What is an audit?

Nessus can be used to log into Unix and Windows servers, Cisco devices, SCADA systems, IBM iSeries servers, and databases to determine if they have been configured in accordance with the local site security policy. Nessus can also search the entire hard drive of Windows and Unix systems for unauthorized content.

It is important that organizations establish a site security policy before performing an audit to ensure assets are appropriately protected. A vulnerability assessment will determine if the systems are vulnerable to known exploits but will not determine, for example, if personnel records are being stored on a public server.

There is no absolute standard on security; it is a question of managing risk, and this varies between organizations.

For example, consider password requirements such as minimum/maximum password ages and account lockout policies. There may be very good reasons to change passwords frequently or infrequently. There may also be very good reasons to lock an account out if there have been more than five login failures, but if this is a mission-critical system, setting something higher might be more prudent, or even disabling lockouts altogether.

These configuration settings have much to do with system management and security policy, but not specifically with system vulnerabilities or missing patches. Nessus can perform compliance checks for Unix and Windows servers. Policies can be either very simple or very complex depending on the requirements of each individual compliance scan.

Audit vs. Vulnerability Scan

Nessus can perform vulnerability scans of network services as well as log into servers to discover any missing patches. However, a lack of vulnerabilities does not mean the servers are configured correctly or are "compliant" with a particular standard.

The advantage of using Nessus to perform vulnerability scans and compliance audits is that all of this data can be obtained at one time. Knowing how a server is configured, how it is patched, and what vulnerabilities are present can help determine measures to mitigate risk.

At a higher level, if this information is aggregated for an entire network or asset class (as with Tenable.sc), security and risk can be analyzed globally. This allows auditors and network managers to spot trends in non-compliant systems and adjust controls to fix these on a larger scale.

Audit Reports

When an audit is performed, Nessus attempts to determine if the host is compliant, non-compliant, or if the results are inconclusive.

Compliance results in Nessus are logged as Pass, Fail, and Warning. The Nessus user interface and Tenable.sc log results as Info for passed, High for failed, and Medium for inconclusive (e.g., a permissions check for a file that is not found on the system).

Unlike a vulnerability check, which only reports if the vulnerability is actually present, a compliance check always reports something. This way, the data can be used as the basis of an audit report to show that a host passed or failed a specific test, or if it could not be properly tested.

Tips on String Matching

As a general rule, where possible, it is most accurate (along with being easier to write and troubleshoot) to confine the matching to a single line of the message. Single quotes and double quotes are interchangeable when surrounding audit fields, except in the following cases:

• In Windows compliance checks where special fields such as CRLF must be interpreted literally, use single quotes. Any embedded fields that are to be interpreted as strings must be escaped out. For example:

expect: 'First line\r\nSecond line\r\nJohn\'s Line'

• Do
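The quoting rule above, worked through as an added Python example (this is not code from the guide or from Tenable): a small parser for a quoted .audit field value that consumes only the escaped enclosing quote (the \' in the page's example) and passes every other backslash sequence through untouched, followed by a matcher that applies the page's expect: example to a constructed banner with real CRLF line endings. Two things are assumptions, not statements from the page: that the expect value is applied as a regular expression (which is what lets the verbatim \r\n match a CRLF), and the function names and sample banner, which are constructed for this illustration.

```python
import re

# Constructed sample: the page's own expect: field, written with single quotes.
# The raw string keeps the backslashes exactly as they would appear in the .audit file.
AUDIT_LINE = r"expect: 'First line\r\nSecond line\r\nJohn\'s Line'"

# Constructed sample banner, as a Windows host might return it, with real CR LF pairs.
BANNER = "First line\r\nSecond line\r\nJohn's Line"


def parse_audit_field(line):
    # Split `keyword: 'value'` or `keyword: "value"` into (keyword, value).
    # Assumption (not stated on the page): only a backslash directly before the
    # enclosing quote character is consumed (\' inside '...', \" inside "...");
    # every other backslash sequence (\r, \n, \d, ...) is passed through verbatim
    # so the downstream matcher, not this parser, gives it meaning.
    keyword, _, rest = line.partition(":")
    rest = rest.strip()
    if not rest or rest[0] not in ("'", '"'):
        raise ValueError("field value must be enclosed in single or double quotes")
    quote = rest[0]
    out = []
    i = 1
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest) and rest[i + 1] == quote:
            out.append(quote)  # escaped enclosing quote: keep the quote, drop the backslash
            i += 2
            continue
        if ch == quote:
            # An unescaped enclosing quote ends the value; anything after it is an error,
            # which is exactly what happens when an apostrophe is not escaped.
            if rest[i + 1:].strip():
                raise ValueError("trailing text after closing quote (unescaped quote in value?)")
            return keyword.strip(), "".join(out)
        out.append(ch)
        i += 1
    raise ValueError("unterminated quoted value")


def expect_matches(audit_line, text):
    # Assumption: the matcher treats the expect value as a regular expression, so the
    # verbatim \r\n escapes carried through by the parser match a real CR LF in `text`.
    keyword, pattern = parse_audit_field(audit_line)
    if keyword != "expect":
        raise ValueError("not an expect: field")
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    print(parse_audit_field(AUDIT_LINE))
    print("CRLF banner matches:", expect_matches(AUDIT_LINE, BANNER))
    print("LF-only banner matches:", expect_matches(AUDIT_LINE, BANNER.replace("\r\n", "\n")))
```

Running the block shows the two points the tip makes: the escaped apostrophe survives as a plain apostrophe in the pattern while the \r\n sequences are left for the matcher, so the CRLF banner matches and an LF-only banner does not; and writing the same field with the apostrophe unescaped ('John's Line') fails at parse time instead of silently truncating the pattern.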
