Enhanced Windows Compliance Auditing

The Nessus 3 Direct Feed was updated today with enhanced functionality for Windows compliance checks. This blog entry discusses the new features and has example .audit text to illustrate them, including a test case for the recent Microsoft update for 2007 Daylight Savings Time. These changes only effect Windows audits.

Multiple Potential Compliance Values for AUDIT_POLICY Items

Both the "value" and "value_data" keywords can now accept multiple values within an "AUDIT_POLICY" context. If any of these values are present in the audited system, then the system passes the audit. Values are separated with "|" characters. Here is an example for a simple built-in test as well as a custom item test:

<item>
  name: "Audit logon events"
  value: "Failure" | "Success, Failure"
</item>

<custom_item>
   type: AUDIT_POLICY
   description: "Audit logon events"
   value_type: AUDIT_SET
   value_data: "Failure" | "Success, Failure"
   audit_policy: AUDIT_LOGON
</item>

Both examples would pass a Windows server if auditing only logged login failures, or if logging of login failures and successes were performed.

REG_BINARY Support

A new value type of POLICY_BINARY is now available to test REG_BINARY registry settings. Using the regedit.exe tool, if you encounter a binary registry setting which requires testing, strip out the spaces and add it in to the "value_data" content.

Below is an example custom item for testing the application of the recent Microsoft 2007 Daylight Savings Time update. It uses a POLICY_BINARY setting to test for a value of "00 00 03 00 02 00 02 00 0000 00 00 00 00 00 00".

<custom_item>
  type: REGISTRY_SETTING
  description: "2007 Daylight Savings Patch Applied"
  value_type: POLICY_BINARY
  value_data: "00000300020002000000000000000000"
  reg_key: "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
  reg_item: "DaylightStart"
</item>

Service Checks support CAN_BE_NULL or CAN_NOT_BE_NULL Flags

Prior to this update, a "reg_option" value of CAN_BE_NULL or CAN_NOT_BE_NULL was only supported on Registry Setting, Registry Permissions, File Permissions, File Content Checks and File Content Check NOTs audits.

This release now supports a new optional "svc_option" tag with values of CAN_BE_NULL or CAN_NOT_BE_NULL for service policy audits. This is useful for cases where the lack of a service running doesn't violate being compliant, or specifying that a certain service has to be running.

Optionally Ignoring Access Control List Inheritance

This release also includes more flexibility when auditing access control list (ACL) inheritance. The following ACLs can currently be audited:

• file_acl
• registry_acl
• service_acl

Each of these can now contain an "acl_inheritance" value of:

• not inherited
• inherited
• not used

This can force an audit of a file, registry or service ACL to not care, if the actual list was inherited or to specifically state the ACL inheritance type.

Receiving The Latest Plugins

SecurityCenter and Nessus 3 Direct Feed users should update their plugins after reading this blog to receive the new functionality. If your SecurityCenter is performing daily updates of plugins, then a manual plugin update will be required if you wish to use the new functionality immediately.

For More Information

To purchase Direct Feed (now called ProfessionalFeed), please visit the Tenable Store. The SecurityCenter is available for the Red Hat operating system and can manage multiple Nessus scanners, perform configuration audits for compliance reporting, process network IDS logs, and also manage multiple Passive Vulnerability Scanners and Log Correlation Engines.

To learn more about auditing Windows servers, please refer to these blog posts and webinar:

• Auditing Windows 2003 Servers for Disabled USB Drives and AutoRun CD-ROM
• Creating "Gold Build" Audit Policies
• Nessus 3 Agentless Compliance Checks
• Nessus Compliance Checks (webinar)

Tenable's 80+ page Real-Time Compliance Monitoring paper is available to current and potential customers and discusses for logging, network monitoring, vulnerability scanning and configuration auditing can help monitor PCI, SOX, FISMA, NERC and many other compliance standards.