CIS "Best Practices" Certification For Nessus Audits

Tenable was recently awarded certification to perform three different Center For Internet Security (CIS) Windows Domain Controller audits with the Nessus 3 scanner and Security Center. This blog entry discusses CIS, what the audit files look for, how customers should obtain the audit files and how this impacts PCI audits.

Center for Internet Security

The CIS is a non-profit organization that produces "best practice" guides for securing a wide variety of IT infrastructure such as operating systems, applications and network devices. The consortium takes input from operators, operating system vendors, governments and security experts to produce a set of "best practices" documents.

Product vendors such as Tenable that can perform a technical configuration audit can join the CIS organization and have their audit methodology and technology become certified.

For these new Windows audits, Tenable submitted a detailed methodology of how Nessus 3 and the Security Center performed and reported the specific audits required by the best practice guides.

CIS Windows Audit Polices

Three new audit files for Nessus 3 Direct Feed and Security Center users are now available. These audit Windows 2003 Domain Controllers that have been configured for Legacy, Enterprise and Specialized Security Profiles.

The Enterprise profile comprises all of the settings that the CIS best practices guide recommends. For example, it recommends that all communications for the Domain occur with "signed" packets. This feature was added in Windows 2003 and is not supported by older Windows domain controllers. The Legacy profile relaxes the security requirements that are not available to older release of Windows Servers. The Specialized Security profile is used for high-risk configurations that host sensitive data or require high availability. 

Some settings are the same across policies and some are different. For example, the minimum recommended password length for the Legacy and Enterprise policies is 8 characters, but it is extended to 12 for Specialized Security.

Example Video Demonstration

A demonstration video of both Nessus 3 and the Security Center performing and analyzing results from a Windows 2003 configuration audit is available here. The demo includes a short overview of CIS.

Obtaining these Checks

Any of the .audit files can be loaded into the Security Center for enterprise scanning or leveraged as part of a Nessus 3 Direct Feed scan. Polices are downloaded from the Tenable Support Portal. 

Security Center uses should download the polices they need and place them in the /opt/sc3/admin/nasl directory as owner 'tns'. They will then be available as a Compliance Audit policy for any Vulnerability
Scan Policy. Multiple .audit polices can be combined to be performed simultaneously during each scan.

Nessus 3 Direct Feed users should download the desired audit policies to their laptop or system where their Nessus client is operating. Nessus 3 clients can reference one or more audit policies for their credentialed scans.

Impact to PCI Assessments

PCI requirements include vulnerability auditing, firewall analysis, log analysis and configuration auditing among many other things. The PCI standard specifically points to CIS as a source for configuration auditing.

For More Information

The following list of links and blog entries are available for readers interested in Tenable solutions and compliance auditing.

• Center for Internet Security -- http://www.cisecurity.org
• Realtime compliance Paper -- Current and potential Tenable customers should request a copy of this paper which details how our unified approach to log analysis, configuration auditing and vulnerability management impacts PCI,  FISMA, SOX, NERC and compliance auditing and montioring.   
• Creating "Gold" Build Audit Policies -- This blog entry details how the Windows Nessus Policy Creator can be used to extract a Nessus configuration auditing policy from a properly configured Windows server.
• NIST Auditing -- Tenable products can also perform NIST configuration audits from the Secure Content Automation Program. This blog entry provides details about the polices available to perform these configuration audits.  The NIST SCAP web site is located at http://nvd.nist.gov/scap/scap.cfm.
• Security and IT Controls -- Gene Kim was interviewed by Richard Steinian about the positive impact that IT Controls (such as configuration management) can have on security and availability of IT resources.