Group Management Report

by Cody Dumont
March 27, 2014

This report provides a detailed analysis of group membership across many platforms. The supported platforms are Windows, OS X, and LDAP. The report is structured to provide a summary list of systems and then enumerate the group membership. It provides details on group membership through SMB enumeration, LDAP search queries, ADSI, and parsing of system configuration files.

The report is available in the SecurityCenter 4.7 Report app feed, an app store of dashboards, reports and assets.  The report requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.5
  • LCE 4.2.2
  • Tenable LCE Client

The report can be time-consuming when run without additional filters. To make better use of the report, run it against individual assets or with address filters.

To easily modify the report from the app feed, choose “Configure Now” and apply the appropriate asset or address filter.

[Screenshot: Group Management Report add asset]

Additionally, if the report is already installed from the feed, you can use the “Find/Update” option above the chapter list.

[Screenshot: Group Management Report Find Link]

Next, apply the filter for an address or asset. In the screenshot below, we have made an update to the address filter.

[Screenshot: Group Management Report find set asset]

Chapters

Microsoft Windows Group Membership Enumeration – This chapter provides a group membership analysis of systems running Windows or SMB services. The chapter starts with a summary table providing a list of the hosts running Windows or SMB shares. The table is followed by an iteration of each host. For each host, there is a user summary table, group membership details, user account activity, and group membership activity.

LDAP Group Enumeration – This chapter provides an analysis of the LDAP group structure using a search request with a filter set to 'objectClass=*'. This query uses plugin 25701 (LDAP Crafted Search Request Server Information Disclosure). The chapter begins with a summary table outlining the hosts identified with plugins 25701, 45477, and 58038. The table is followed by an iteration of each host. For each host, there is a user summary table, followed by the detailed results for plugins 45477 and 58038.

Mac OS X Admin Group – This chapter provides a list of OS X systems which have modified Admin and Wheel groups. The Admin and Wheel groups grant users root-level access to the computer by using the “su” or “sudo” commands. The chapter begins with a summary table outlining the hosts identified with plugin 60019. The table is followed by an iteration of each host. For each host, there is a user summary table, followed by the detailed results for plugin 60019.

Linux Group Events – This chapter collects data from the LCE on events from group management tasks. These tasks include adding a group, adding users to a group, and other related group activities. The chapter begins with a summary table outlining the hosts that have been found to have the target events. The table is followed by an iteration of each host. For each host, there is a user summary table, followed by the detailed events for user and group management events.