Today, Tenable released two new plugins for Nessus 3 that can audit the configuration of a remote UNIX or Windows system and report "compliant" or "not compliant" against a set of user-defined security policy configuration settings. We've also written policies based on the publicly available hardening and best practice guides from the NSA, NIST, CERT and the Center for Internet Security. These plugins are available to any Nessus Direct Feed customer or Security Center user.
Along with the new plugins and audit policies, we have also released two tools that allow users to quickly build their own policies for scanning Windows hosts. The i2a.exe (inf to audit) Windows executable allows users to convert existing Windows policy files directly into a Nessus 3 audit file. Similarly, the Windows Nessus Policy Creator allows users to create audit policies based on the existing configuration of their servers.
The actual audit files are text based and easily modified with most text editors. The types of configuration audits performed by Nessus 3 include Windows user policies, file permissions, registry permissions, service permissions and specific security policies such as Kerberos and event auditing policies. For UNIX systems, user policies, file permissions, running processes and file content checks can be audited. Each of these types of audits can be combined to perform tests against thousands of files, registry settings, users and so on, usually in less than a few seconds per host.
Full documentation for these compliance checks, tool download and example audit files can be found here.
So what are the uses for this technology? There are several:
- Consultants and Managed Service Providers can now use Nessus 3 to audit their customers' systems for compliance against a variety of "best practices" configurations.
- Consultants and Managed Service Providers can work with their customers to create custom audit policies for their environment and then alert when specific systems deviate from acceptable configuration settings.
- Security Center customers can now perform specific types of configuration audits against specific types of assets. For example, the Security Center can be used to test the Solaris DNS servers with one type of UNIX audit, and the Windows Exchange servers with a different one.
We've uploaded demonstration videos of running a compliance audit with Nessus 3 to our video demo page. Look for the videos titled "Compliance Audit", which is the Security Center example, and "Nessus 3 Compliance Audit", which shows a Nessus 3 vulnerability scan, the configuration of a compliance scan and example usage of the two Windows audit policy creation tools.