CIS Certification for Nessus Red Hat audits

Tenable was recently awarded certification to perform  Center For Internet Security (CIS) audits of Red Hat systems with the Nessus 3 scanner and Security Center. This blog entry discusses what the audit files look for, how customers should obtain the audit files and how this impacts PCI audits.

CIS Red Hat ES4 Audit Policy

A new .audit file for both Nessus Direct Feed and the Security Center named redhat_es4_cis.audit, is available on the Tenable Support Portal. This .audit file implements configuration checks and settings recommended in version 1.0.5 of the CIS Red Hat Benchmark.

Audit checks include:

• Correct logging levels
• Secure configuration of SSH
• Banners for FTP, logins and SSH
• Disabling of un-needed services
• Configuration of TCP Wrappers
• Configuration of the cups daemon
• Configuration of Sendmail
• User account configuration
• Locking down the boot processes
• Hardening of kernel network parameters
• Configuration of FTP
• System-wide file and directory permission audits
• Secure X server configuration

Obtaining and Using these Checks

This .audit file can be loaded into the Security Center for enterprise scanning or leveraged as part of a Nessus 3 Direct Feed scan. The policy is downloaded from the Tenable Support Portal. Once logged into the portal, click on the 'Downloads' button, then the 'Download CIS Audit and Compliance Files' button.

Security Center uses should download this policy to the /opt/sc3/admin/nasl directory as owner 'tns'. They will then be available as a Compliance Audit policy for any Vulnerability Scan Policy. Multiple .audit polices can be combined to be performed simultaneously during each scan.

Nessus 3 Direct Feed users should download this policy to their laptop or system where their Nessus client is operating. Nessus 3 clients can reference one or more audit policies for their credentialed scans.

Impact to PCI Assessments

PCI requirements include vulnerability auditing, firewall analysis, log analysis and configuration auditing among many other things. The PCI standard specifically points to CIS as a source for configuration auditing.

For More Information

The following list of links and blog entries are available for readers interested in Tenable solutions and compliance auditing.

• CIS Audits for Windows Domain Controllers with Nessus and the Security Center
• Center for Internet Security -- http://www.cisecurity.org
• Realtime compliance Paper -- Current and potential Tenable customers should request a copy of this paper which details how our unified approach to log analysis, configuration auditing and vulnerability management impacts PCI,  FISMA, SOX, NERC and compliance auditing and montioring.   
• Creating "Gold" Build Audit Policies -- This blog entry details how the Windows Nessus Policy Creator can be used to extract a Nessus configuration auditing policy from a properly configured Windows server.
• NIST Auditing -- Tenable products can also perform NIST configuration audits from the Secure Content Automation Program. This blog entry provides details about the polices available to perform these configuration audits.  The NIST SCAP web site is located at http://nvd.nist.gov/scap/scap.cfm.
• Security and IT Controls -- Gene Kim was interviewed by Richard Steinian about the positive impact that IT Controls (such as configuration management) can have on security and availability of IT resources.