Enterprise Software Discovery with Nessus

If you are performing credentialed patch audits with Nessus, you can also create an inventory of installed software on each of your UNIX and Windows hosts. This blog post will review how Nessus can perform these tasks and what you can do with the results.

Finding Software on UNIX and Windows Systems

For Windows servers, Nessus plugin #20811 will enumerate all of the installed software by considering the "Uninstall" values set in the registry. This technique won't detect a simple executable present on a system, but it will find just about any piece of software that uses an installer. This particular check uses registry calls because it is intended to be generic. Other checks that Nessus performs to look for a variety of patch audits, questionable applications or specific versions of software consider both registry settings and analysis of local files such as DLLs. 

For auditing UNIX software, the default "command line" technique to enumerate managed applications is considered. Nessus plugin #22869 performs this task. For example, on Red Hat based systems, a list of RPMs is obtained through the use of the rpm command. This technique is quite fast and is intended to report just the applications that the OS is tracking. It won't enumerate software that was placed just as a binary or which was compiled natively on the system. Also, unlike Windows software enumeration many "applications" which were installed with the base OS will also be enumerated, creating very verbose lists of software.

Configuring a Nessus scan

Nessus scans should be configured for remote credentials for the target UNIX or Windows machines. For UNIX, this means an SSH account which can run commands such as "rpm". On Windows, this means an account that has access to the registry (although for full and reliable patch audits, Tenable recommends a domain account which can read files).

On Windows, plugin #20811 can be selected individually, or by enabling the entire "Windows" Nessus plugin group. For UNIX, plugin #22869 can also be run individually, but if you want to complement an existing patch audit, this plugin is part of the "Generic" plugin family.

Dynamic Asset Lists and Ad hoc Searches

If you are using the Security Center to manage multiple Nessus scanners or for sharing the scan results with different auditors and departments securely, the list of installed software can be very useful.

Below is a screen shot of a list of installed applications on a fairly bare Windows 2003 server:

A quick analysis of this will see that VNC 4.1.1 is installed and that it is the free version. Data like this can be very useful for a variety of tasks such as:

• verifying compliance with software licenses
• verifying compliance with corporate policy
• identifying potential vulnerable applications which aren't running
• identifying lack of required software

The Security Center can be used to quickly display or report all hosts that have certain types of software installed on them. If the software is Windows, type plugin ID #20811 into the plugin ID field of the Cumulative Database or Scan Results filter, and then in the "Search Vuln Text" field type a string which represents the software you are looking for. You might not know the exact string to search for unless you see it in a listing from a scan.

The Security Center can also be used to take this content and create a dynamic asset list of all systems that have (or don't have) specific installed software. In the image below is an example rule which combines plugin ID #20811 and a simple pattern search for "VNC Free Version 4.1.1".

This rule gets applied each time a scan is accomplished and creates a dynamic list based on the results. This means that every IP address that matched this criteria would be added to the list as shown below:

This is a list of vulnerability severities by asset group and the second to last group is our system with VNC 4.1.1 installed.

It might be more interesting to find servers that didn't have this installed. Since we have a regular expression engine available for pattern matching, a dynamic asset rule could be created with the following string:

20811:(?s)^((?!VNC Free Edition 4.1.1).)*$

In the Security Center dynamic asset rules interface, this would be entered as a "regex" type of match. This code matches strings which don't have the string "VNC Free Edition 4.1.1" in them. Under the Security Center's dynamic asset rules engine, we couple this with the specific Nessus ID of #20811. Writing the pattern with a preceding "20811:" string tells the engine to only apply the match to vulnerability data a host may have for just that particular ID. Also adding a generic match for plugin ID #20811 is an easy way of only listing Windows hosts for which we have software enumeration data. Otherwise, we'd have many matches for our Cisco routers, Linux servers and so on which didn't have this code in plugin #20811.

Conclusion

These software enumeration plugins can provide a great deal of information which is extremely useful for auditing remote hosts. Audits can help find illegal software, misconfigured hosts and can help identify classes of servers by technology or function.