Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Enhanced Windows Compliance Auditing

The Nessus 3 Direct Feed was updated today with enhanced functionality for Windows compliance checks. This blog entry discusses the new features and has example .audit text to illustrate them, including a test case for the recent Microsoft update for 2007 Daylight Savings Time. These changes only effect Windows audits.

Multiple Potential Compliance Values for AUDIT_POLICY Items

Both the "value" and "value_data" keywords can now accept multiple values within an "AUDIT_POLICY" context. If any of these values are present in the audited system, then the system passes the audit. Values are separated with "|" characters. Here is an example for a simple built-in test as well as a custom item test:

<item>
  name: "Audit logon events"
  value: "Failure" | "Success, Failure"
</item>

<custom_item>
   type: AUDIT_POLICY
   description: "Audit logon events"
   value_type: AUDIT_SET
   value_data: "Failure" | "Success, Failure"
   audit_policy: AUDIT_LOGON
</item>

Both examples would pass a Windows server if auditing only logged login failures, or if logging of login failures and successes were performed.

REG_BINARY Support

A new value type of POLICY_BINARY is now available to test REG_BINARY registry settings. Using the regedit.exe tool, if you encounter a binary registry setting which requires testing, strip out the spaces and add it in to the "value_data" content.

Below is an example custom item for testing the application of the recent Microsoft 2007 Daylight Savings Time update. It uses a POLICY_BINARY setting to test for a value of "00 00 03 00 02 00 02 00 0000 00 00 00 00 00 00".

<custom_item>
  type: REGISTRY_SETTING
  description: "2007 Daylight Savings Patch Applied"
  value_type: POLICY_BINARY
  value_data: "00000300020002000000000000000000"
  reg_key: "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
  reg_item: "DaylightStart"
</item>

Service Checks support CAN_BE_NULL or CAN_NOT_BE_NULL Flags

Prior to this update, a "reg_option" value of CAN_BE_NULL or CAN_NOT_BE_NULL was only supported on Registry Setting, Registry Permissions, File Permissions, File Content Checks and File Content Check NOTs audits.

This release now supports a new optional "svc_option" tag with values of CAN_BE_NULL or CAN_NOT_BE_NULL for service policy audits. This is useful for cases where the lack of a service running doesn't violate being compliant, or specifying that a certain service has to be running.

Optionally Ignoring Access Control List Inheritance

This release also includes more flexibility when auditing access control list (ACL) inheritance. The following ACLs can currently be audited:

  • file_acl
  • registry_acl
  • service_acl

Each of these can now contain an "acl_inheritance" value of:

  • not inherited
  • inherited
  • not used

This can force an audit of a file, registry or service ACL to not care, if the actual list was inherited or to specifically state the ACL inheritance type.

Receiving The Latest Plugins

SecurityCenter and Nessus 3 Direct Feed users should update their plugins after reading this blog to receive the new functionality. If your SecurityCenter is performing daily updates of plugins, then a manual plugin update will be required if you wish to use the new functionality immediately.

For More Information

To purchase Direct Feed (now called ProfessionalFeed), please visit the Tenable Store. The SecurityCenter is available for the Red Hat operating system and can manage multiple Nessus scanners, perform configuration audits for compliance reporting, process network IDS logs, and also manage multiple Passive Vulnerability Scanners and Log Correlation Engines.

To learn more about auditing Windows servers, please refer to these blog posts and webinar:

Tenable's 80+ page Real-Time Compliance Monitoring paper is available to current and potential customers and discusses for logging, network monitoring, vulnerability scanning and configuration auditing can help monitor PCI, SOX, FISMA, NERC and many other compliance standards.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.