PCI-DSS Plugins For Nessus

Tenable’s Research Group has released three new beta plugins to all ProfessionalFeed and Security Center users that automate the process of preparing a PCI-DSS audit. The three new plugins available are:

• PCI DSS compliance: tests requirements
• PCI DSS compliance: passed
• PCI DSS compliance

These plugins evaluate the results of your scan and the actual configuration of your scanner to determine if the target server could be PCI compliant. The plugins don’t perform actual scanning – they just look at the results from other plugins.

Tenable chose to audit and report on the actual scan configuration so that Nessus users can still perform basic scans and get actionable results. This helps them understand if they have some glaring vulnerabilities that need to be fixed without performing a full audit, which can include onerous tasks such as full UDP and TCP port scans.

Configuring a Scan

A system will only be reported as being seemingly PCI-DSS compliant if the scan is compliant. PCI-DSS requires many different types of thorough testing. The PCI-DSS plugins report that your scan was not configured correctly if any of the following settings are not invoked:

• Enable all plugins
• Enable “thorough tests”
• Enable “experimental scripts”
• Enable TCP scanning of all 65535 ports

If these scan settings are not invoked, plugin 33931 will report the required settings. If this plugin reports anything, it will also prevent Nessus from actually designating a machine as being seemingly “PCI” compliant.

When configuring a port scan, please keep in mind that the credentialed method enables you to enumerate all ports, as well their listening processes, without actually scanning for all ports on the network. PCI-DSS requires that an audit of a web server be performed without any filtering. If there is no filtering between Nessus and the audited server, there is no reason to perform a full port scan. 

One last point for configuring port scans – if you want to use the credentialed scanning options, be sure to disable the network scan options. If you don’t, Nessus does not report anything  extra and the scans will only take longer. Tenable also provides a UDP port scanner for Nessus. This plugin is available for download from the Tenable Support Portal.

The PCI plugins are located under the Policy Compliance Nessus family as shown below:

To invoke the PCI-DSS compliance analysis, under the “Advanced” tab of your Nessus scan policy, there is a “PCI-DSS compliance” option with a single checkbox. Enabling this scan preference tells the three PCI plugins to perform their analysis as shown below:

Analyzing the Results

PCI-DSS audits will generally fail for three classes of items:

• Detection of any vulnerability with a CVSS score greater than or equal to 4
• Detection of any Cross Site Scripting or SQL Injection vulnerabilities
• Older versions and mis-configured SSL encryption

Because of the logic of our plugins, a scanned system will be in one of four states:

1. It should be ready to obtain PCI-DSS compliance.
2. The scan was good and we found information saying we were not compliant.
3. The scan was bad and we still found information saying we were not compliant.
4. The scan was bad and we didn’t find any information to prove we weren’t compliant.

Below is an example results output for plugin 33929:

The output shows the specific vulnerability IDs that determined that the system was not compliant. 

Enterprise PCI Auditing

Tenable has many different solutions that can help with PCI reporting and auditing requirements on an enterprise level. The following general PCI requirements can be easily managed, monitored and reported on with Tenable solutions:

• PCI Requirement 1 – Nessus, the Passive Vulnerability Scanner and the Log Correlation Engine can be used to monitor firewalls access control lists, activity and configurations.
• PCI Requirement 2 – Nessus and the Passive Vulnerability Scanner audit for hundreds of default vendor settings as well as best practice system configurations.
• PCI Requirement 3 – Nessus and the Passive Vulnerability Scanner can audit systems for data containing credit card or customer information. 
• PCI Requirement 4 – Nessus and the Passive Vulnerability Scanner can identify all SSL daemons and many different types of encrypted protocols.
• PCI Requirement 5 – Nessus can identify the running anti-virus solution and also identify if it has been disabled, mis-configured or has out-of-date signatures.
• PCI Requirement 6 – The Security Center is the premier tool to manage scanning data, patch audit data, configuration data and passively obtained network data. With the Security Center it is trivial to schedule scans, identify changes that impact PCI, find vulnerabilities older than 30 days and report on compliant and non-compliant systems.
• PCI Requirement 7 - The Log Correlation Engine can be used to analyze audit trails from servers to identify access to systems with cardholder data.
• PCI Requirement 8 – Nessus can be used to audit configuration settings required by PCI. Tenable offers several “audit” policies for Nessus which can be used to audit AIX, Solaris, Windows, FreeBSD, HP-UX and other operating systems.
• PCI Requirement 10 - The combination of the Security Center, Nessus, Passive Vulnerabiltiy Scanner and the Log Correlation Engine allows for tracking of all access to network resources and systems with cardholder data.
• PCI Requirement 11 - Nessus and the Passive Vulnerabiltiy Scanner can be used to regularly test systems for security issues and correct configurations. If the Log Correlation Engine is also deployed, it can be used to log the vulnerability scanning activity to prove that systems are being audited.

For More Information

During the beta period, customers are encouraged to provide feedback to Tenable by emailing us at [email protected]. Support for scanning with these plugins is not currently available in the Security Center, but Nessus results can be manually imported.

The following blog entries will be of interest to anyone who uses Nessus or the Security Center to monitor a network for compliance and security issues:

• Network Process Auditing with Nessus
• How to perform a full 65,535 UDP and TCP port scan with just 784 packets
• Finding Vulnerabilities older than 30 Days
• Auditing Anti-Virus Software Without an Agent
• Reporting Vulnerabilities in an IT Managed Environment