Stacking Up to CIS Benchmarks
The Center for Internet Security (CIS) establishes consensus benchmarks for a large variety of applications and operating systems. These benchmarks are a valuable aid in evaluating the security of your systems. Tenable has produced a number of Nessus audit files that have been certified by the Center for Internet Security to perform audits against the CIS standards. These audit files are available to ProfessionalFeed and Security Center customers through the Tenable Support Portal.
To use these audit files, you will need to provide Nessus with credentials to log in to the target host so that it can compare the configuration against the CIS standards. Scans that use login credentials run much faster than network-based scans, and the results often provide more detailed vulnerability findings and information on configuration issues.
The audit files I used for this scan are:
The above audit files correspond to the published CIS benchmarks. You can obtain these benchmark documents by registering on the Center for Internet Security web site. The audit files are loaded into the NessusClient and the scan policy is configured accordingly (please refer to the Nessus 4.0 User Guide for more information).
The target system in this example is actually running CentOS 5.2. CentOS is rebuilt from the Red Hat sources, so its libraries and most of its configuration match the Red Hat distribution. The CIS Apache configuration checks expect the Apache software to reside in /usr/local/apache2, which is not where CentOS installs it. To rectify this we can use a few simple Linux commands to create a symbolic link that lets the compliance checks find the Apache configuration:
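The following is an added example of that symlink step; it is not the post's own command sequence. It assumes the CentOS host keeps Apache's ServerRoot at /etc/httpd (with /etc/httpd/conf/httpd.conf), which is the path the CIS audit expects to find under /usr/local/apache2. The function refuses to overwrite anything already present at the expected path, so a second run or a host that really has /usr/local/apache2 is left untouched:

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: Apache on this
# CentOS host lives under /etc/httpd; the CIS Apache audit file expects
# /usr/local/apache2/conf/httpd.conf.

# link_apache_root EXPECTED ACTUAL
# Create EXPECTED as a symlink to ACTUAL. Fails (1) if ACTUAL is not a
# directory and (2) if EXPECTED already exists, so a real install or an
# earlier link is never clobbered.
link_apache_root() {
  expected="$1"
  actual="$2"
  if [ ! -d "$actual" ]; then
    echo "Apache root $actual not found" >&2
    return 1
  fi
  if [ -e "$expected" ] || [ -L "$expected" ]; then
    echo "$expected already exists; not touching it" >&2
    return 2
  fi
  ln -s "$actual" "$expected"
}

# check_apache_conf ROOT
# Succeed only if the file the audit will read resolves through ROOT.
check_apache_conf() {
  [ -f "$1/conf/httpd.conf" ]
}

# Real invocation on the target (run as root). Guarded behind --apply so
# the functions can be sourced or tested without touching the filesystem.
if [ "${1:-}" = "--apply" ]; then
  link_apache_root /usr/local/apache2 /etc/httpd \
    && check_apache_conf /usr/local/apache2 \
    && echo "CIS audit path /usr/local/apache2 now resolves to /etc/httpd"
fi
```

Run it as `sh link-apache.sh --apply` on the target; remove the link again after the audit if you do not want the non-standard path to persist.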
Setting up Nessus for Compliance Checking
The NessusClient needs credentials on the target host to perform compliance checking on the operating system and Apache configuration. This procedure has been covered on the Tenable Blog in several posts (for example, "Configuring Nessus To Scan Through Firewalls") and in the Nessus product documentation.
If you want to audit a database configuration, provide Nessus with database credentials, the name of the database to test and the database type as shown:
The login provided must exist in the database and have the appropriate permissions. To set up access permissions on the MySQL server, execute the following statement on the database server:

mysql> GRANT ALL ON oscomm.* TO 'nessus'@'192.168.10.122' IDENTIFIED BY 'areallylongandcomplicatedbypass';

The SQL statement above creates a user called "nessus" and grants it all privileges on every table in the "oscomm" database, but only when it connects from 192.168.10.122, the scanner's address. The user name in this example is "nessus" but it can be anything. ALL is more privilege than a configuration audit needs: grant only what the audit's queries require, keep the host restriction, and drop the account once the scan is finished.
Reviewing the Results
When the scan completes, you will see results that a network-based scan cannot produce. For example, in our PCI compliance post, Nessus found problems with the MySQL configuration; the credentialed compliance audit goes much deeper and finds that the database is using insecure passwords:
The compliance check gauges password strength by measuring the length of the stored password hash against a required length. Passwords are often the weakest link in your defenses, and this check is a quick way to test them. The database is also not using SSL for communications:
The above check audits the MySQL configuration and tests whether SSL is enabled for communications with the MySQL server. Compliance checking also identifies missing functionality. For example, the CIS benchmark for Apache servers requires that mod_security be installed and configured. The compliance check does not find it on our target system and reports the gap:
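To see what the three findings above actually measure, and to cross-check a result by hand on the target, here is an added example (not Tenable's audit logic or code from the post) that reproduces each test over the raw output of the corresponding command. Each checker reads from stdin, so it runs here against constructed sample output; the real commands to feed it are given beside each function. The hash-length rule assumes the MySQL 5.0/5.1 mysql.user layout of the era: an empty string for accounts with no password, a 16-hex-character pre-4.1 hash, or a 41-character "*"-prefixed 4.1+ hash.

```shell
#!/bin/sh
# Added example, not from the original post or from Tenable's audit files.
# Three manual checks matching the compliance findings discussed above.

# 1. Password hashes. Input rows: user<TAB>host<TAB>password, e.g. from
#      mysql -N -e "SELECT User, Host, Password FROM mysql.user"
#    Empty (0 chars) and pre-4.1 (16 chars) hashes are what a hash-length
#    test flags; 41 chars is the current format. Prints one WEAK line each.
mysql_weak_hashes() {
  while IFS="$(printf '\t')" read -r user host hash; do
    case "${#hash}" in
      0)  echo "WEAK $user@$host empty-password" ;;
      16) echo "WEAK $user@$host old-format-hash" ;;
      41) ;;   # current hash format, nothing to report
      *)  echo "WEAK $user@$host unexpected-hash-length-${#hash}" ;;
    esac
  done
}

# 2. SSL. Input: output of
#      mysql -N -e "SHOW VARIABLES LIKE 'have_ssl'"
#    YES = compiled in and enabled, DISABLED = compiled in but not
#    configured, NO = no SSL support. Succeeds only for YES.
mysql_ssl_enabled() {
  while IFS="$(printf '\t')" read -r name value; do
    [ "$name" = "have_ssl" ] && [ "$value" = "YES" ] && return 0
  done
  return 1
}

# 3. mod_security. Input: output of  httpd -M  (lists loaded modules);
#    mod_security 2 registers itself as security2_module.
mod_security_loaded() {
  grep -q '^ *security2_module'
}

# Constructed sample output (not captured from the post's target host).
# The 41-char value is the hash of "password"; the 16-char one is an old-format hash.
sample_users=$(printf 'root\tlocalhost\t*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19\nroot\tweb.example.com\t\nnessus\t192.168.10.122\t5d2e19393cc5ef67\n')
sample_ssl=$(printf 'have_ssl\tDISABLED\n')
sample_modules=$(printf 'Loaded Modules:\n core_module (static)\n ssl_module (shared)\n php5_module (shared)\n')

report() {
  printf '%s\n' "$sample_users" | mysql_weak_hashes
  printf '%s\n' "$sample_ssl" | mysql_ssl_enabled || echo "MySQL SSL not enabled"
  printf '%s\n' "$sample_modules" | mod_security_loaded || echo "mod_security not loaded"
}

report
```

Against the sample data the report lists the two weak accounts, a missing SSL configuration and a missing mod_security module, which is the same picture the three Nessus findings give for the target.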
Nessus provides several different ways to test your systems for vulnerabilities and for compliance against multiple standards. Network-based scans provide a thorough view of the vulnerabilities exposed to remote attackers. Standards such as PCI-DSS help guide the configuration of such scans and the security level of your systems as a whole. Security benchmarks, such as those from CIS, offer very detailed system hardening guidelines. System hardening is crucial to securing your systems and preventing attacks: if an attacker does penetrate a system, a hardened operating system lessens the impact and makes the attacker work hard to collect sensitive information. Nessus provides a way to audit your systems on a regular basis and ensure that the hardening guidelines are followed. You can even create your own audit files and test your systems against internal policies and procedures.
- Auditing MS SQL Servers for DISA STIG Compliance with Nessus
- Auditing PHP Settings to OWASP Recommendations with Nessus