Black lists, white lists – what lists? How to audit program usage on your network

How do you know that the software being executed on your network is authorized and acceptable? Many organizations struggle with this concept or ignore it altogether. There are generally four approaches to enabling or preventing software usage:

• White listing of software - A third party application or very tight operating system configuration settings is used to only enable specific authorized program names. Everything else is denied by default.
• Black listing of software - A third party application specifically controls what programs cannot be run. Anything not on the list is allowed by default.
• Ignorance – Some organizations simply do not have the staff, resources, technology or concern to attempt any type of analysis of what software is allowed.
• Auditing – Using one or more methods, an organization takes no immediate action on software usage, but it does track and analyze what programs are available and in use to help make better policy decisions, to have a more intelligent incident response process and to help IT troubleshoot issues.

This blog entry describes how Tenable’s Nessus, Security Center, Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE) can be combined to provide comprehensive auditing of software installed and in use on your network.

Credentialed Software Enumeration with Nessus

Nessus has the ability to log into a wide variety of Unix and Windows systems to enumerate their entire list of installed software, as described in previous blog posts. The highlights of this ability include:

• It is agent-less and works for Windows and Unix.
• The audit is very rapid and can be accomplished during a patch or configuration audit.
• The results can be used for dynamic tagging of assets such that all hosts with a specific type of software can automatically be placed on one or more lists.

Nessus has additional logic to see if any of the network services that are running were manually compiled or if major applications were installed in user home directories. This is important because the software enumeration relies on asking the operating system for the list of known software packages that were installed. In the cases of manually installed and hand-compiled applications, the underlying operating system does not know about a package. Similarly, applications like Google Chrome (detected with Nessus plugin #34196) are installed directly to the user’s home directory and are not part of the system’s list of known applications.

The two screen shots below show how Nessus and Tenable’s Security Center work together in this fashion. The one on the top is a small screen shot of portion of enumerated software titles obtained from Nessus plugin #22869. This plugin lists all RPMs and packages installed on Unix servers. You can see that the Nessus-4.0.0-es5 package has been installed. The image on the bottom displays a Security Center dynamic asset list rule. The rule shown looks at the text in all of the output for plugin 22869 and, if it contains the pattern “Nessus-4.0.0-es5”, puts this system on a particular list.

List of software enumerated
by Nessus plugin 22869


Security Center Dynamic Asset List
rule for specific Nessus 4 version detection

Using this type of agent-less discovery helps you quickly see what software titles are installed across your network. If Nessus were installed on a new server, the new server would automatically show up on our list of "Nessus" assets.

Process Accounting and Log Analysis

Nessus enables you to build an inventory of software that has been installed on your systems, but how can you audit when this software is used? It is useful to know who is using the programs or if software has been installed but is not being used. The Windows and Unix operating systems have the ability to log each process that is executed. On Windows, this feature is part of your group policy and is called “Audit Process Tracking”. Enabling this setting causes a Windows event log to be written any time a process is executed. On Unix systems, process accounting can be enabled, which can log the execution of every command thread. Tenable has several approaches to monitoring these logs with the Log Correlation Engine.

Event Normalization

Tenable has written specific normalization rules for Windows and Unix events that indicate when a process has been executed. In the screen shot below, all of the “system” events for a test Windows server have been summarized for a 24 hour period. 

The “Windows-New_Process_Created” and “Windows-Process_Exited” events indicate Windows event logs that correspond to a particular process starting and exiting. All of these events occurred between 6:00 PM and 6:00 AM during this 24 hour period. 

Process Tracking and Correlation

Tenable’s Research group has written several correlation scripts for these log sources that generate an alert on the following items:

• Any time a new process name has been seen for the first time.
• Any time a command is run for the first time during a typical 24 hour period.
• Statistical spikes in the amount of programs being executed during a certain time period.
• Automatic hourly and daily summaries of program usage by server.

For example, in the above screen shot, you can also see the events “Hourly_Command_Summary” and “Daily_Command_Summary”. These alerts track the unique list of processes that have been executed during the past hour or 24 hour period. Below is an example listing:

Daily_Command_Summary - host 172.130.25.280 issued these commands in the last day: csc.exe, nod32.exe, wmiprvse.exe, cvtres.exe, userinit.exe, helpsvc.exe, w3wp.exe (report generated at 6/1/2009 00:00:01)

This type of listing makes it easy to understand what types of programs are being used on your servers or desktops.

Log Search

All process accounting logs can be fed into the Log Correlation Engine’s full log storage and search archive. Below is an example Unix process accounting log, as generated by a Unix Log Correlation Engine client:

user 'root' on TTY 0 executed command 'netstat' on May 31, 2009 at 09:39:30. The process executed for 0 seconds (0 CPU seconds), during which an average of 4208K of memory was used. There were 266 minor page faults, 0 major page faults, and 0 swaps. The process exited with code 0. Superuser privileges were used.

It would be trivial to search for all occurrences of the ‘netstat’ command. A more complex search would be to consider the amount of memory used, or to exclude a specific user account. The point is that if you are concerned about the execution of a certain piece of code, it is trivial to search logs about when it was executed.

Passive Network Monitoring

The ability to monitor the network in real-time with a solution such as the Tenable’s PVS can also provide a great deal of value in identifying software on the network. The most important feature of the PVS is the ability to monitor a network when you do not have permission to scan it with credentials or even scan it frequently. A previous blog post described how the PVS can be used for auditing during an end-of-year “freeze”. In real-time, the PVS can alert and log many different types of software used on both the client and the server side. For example, below is a portion of a screen shot that lists all “sniffed” versions of unique web browsers from a large university:

This data can easily be used in the form of a filter or as input to a dynamic asset list on the Security Center as we shown in an above example. The PVS signature set has close to 5000 unique rules currently available. These rules identify software titles in many common types of network traffic including:

• Client and Server enumeration for common Internet protocols such as FTP, HTTP, SMTP and SSH.
• Popular P2P, media and chat applications such as Bittorrent clients, Twitter, iTunes and Skype.
• Monitoring of client-side “live update” processes to enumerate Windows systems, JAVA libraries, patches for web browser plugins, instances of VMWare and much more.
• Identification of network management agents via SNMP as well as proprietary command and control protocols.

For More Information

Combining active scanning, passive network analysis and log searching is part of Tenable's Unified Security Monitoring strategy. It allows many different methods to identify software installed and in use on your network. To see how Tenable’s solutions work together, please visit our video “demos” page and watch the products work in live action.

Previous blogs on identifying and auditing software can be accessed at these links:

• Auditing Anti-Virus Software without an Agent
• Detecting Manually Compiled Network Daemons
• Enterprise Software Discovery with Nessus
• Insecure Software Update Detection
• Solaris Software Enumeration with Nessus