Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Version 2 of Windows Compliance Checks Available for Testing

Direct Feed and Security Center customers who use Nessus to perform configuration audits of their Windows computers can now beta test an upgrade of this technology. The upgrade provides enhanced auditing features, increased speed and is Tenable's foundation for compliance with NIST SCAP auditing requirements when auditing Microsoft platforms. This blog entry discusses the new features of the upcoming release, the release schedule for this update, how customers can participate in the beta test today.

Scope and Release Schedule

Plugin #21156 (named the compliance_check.nbin plugin) is used by Nessus Direct Feed and Security Center customers to audit the configuration of Windows systems. Version 1 of this plugin has been available for over a year. Version 2 adds many new features and is available immediately for beta testing.

Current Direct Feed or Security Center users are not required to take any action right now, however, on January 15th, 2008, version 2 of the compliance_check.nbin will be released for Direct Feed and Security Center customers. This will automatically upgrade the compliance_check.nbin plugin to version 2. At that time, any existing version 1 audit policy files will need to be replaced with version 2 audit policy files. Tenable made every effort to maintain backwards compatibility, however, to achieve 100% compliance with content generated from NIST SCAP XCCDF policies, several new functions were required.

All existing Windows configuration audit polices will be re-released with support for version 2. These include a variety of PCI, NIST SCAP and CIS polices. At the Tenable Customer Support Portal, all Windows policies are now available under both version 1 and version 2. Version 1 policies should continue to be used in production, and the version 2 policies are available for beta testing. All version 2 polices have a _v2 extension on them along with the same root name as before. 

New Audit Features in Version 2

New check_type header

All version 2 Windows audit policies now contain the following header information:

<check_type:"Windows" version:"2">

Previously, version 1 policies started out with:

<check_type:"Windows">

If you have written a custom audit policy, in order to run it under the new beta plugin, the 'check_type' value will need to specify version 2 as shown above.

As part of this beta, a new version of the i2a tool (version 2.0.0) is also available from the customer support portal. It generates version 2 compliant audit policies based on existing Windows GPO .inf files.

Clearer logic symbols

Previously in version 1 of the compliance checks, the pipe symbol "|", was used to delineate lists of potential values. In some checks, this symbol functioned like an AND and in others, an OR. In version 2.0, checks make use of the following conditional functions:

  •   && - conditional AND
  •   || - conditional OR
  •   |  - Binary OR

A binary 'OR' is used for comparing windows access control lists.

If you have written custom policies using the POLICY_MULTI_TEXT or USER_RIGHTS_POLICY audits, under version 2, they should make use of the "double and" separator instead of the single pipe separator. In other words, replace all of your '|' characters for POLICY_MULTI_TEXT or USER_RIGHTS_POLICY audits with '&&'.

For example, here is a version 2 and version 1 audit section which looks for a combination of values for a particular registry setting:

version 2 format:

<custom_item>
type: REGISTRY_SETTING

description: "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes"
value_type: POLICY_MULTI_TEXT

value_data: "COMNAP"&&"COMNODE"&&"SQL\QUERY"&&"SPOOLSS"&&"LLSRPC"&&"browser"
reg_key: "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"

reg_item: "NullSessionPipes"
</item>

version 1 format:

<custom_item>
type: REGISTRY_SETTING

description: "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes"
value_type: POLICY_MULTI_TEXT

value_data: "COMNAP" | "COMNODE" | "SQL\QUERY" | "SPOOLSS"|"LLSRPC"|"browser"
reg_key: "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"

reg_item: "NullSessionPipes"
</item>

Forced Reporting

Audit polices can now be forced to output a specific result by making use of the 'report' keyword. Report types of PASSED, FAILED and WARNING can be used. Below is an example policy:

<report type: "WARNING">
description: "Audit 103-a requires a physical inspection of the pod bay doors Hal"
</report>

The text inside the 'description' would always be displayed in the report.

This type of reporting is useful if you wish to inform an auditor that an actual check being performed by Nessus can't be accomplished. For example, perhaps there is a requirement to determine that a specific system has been physically secured and we wish to inform the auditor to perform the check or inspection manually. This type of report is also useful if the specific type of audit required to be performed by Nessus has not been determined with an OVAL check.

"if, then and else" Logic

A powerful new feature of the version 2 compliance checks for Windows is the ability to have conditional tests based on existing conditions. The logic implements OR and AND logic and has the following type of structure:

<if>
  <condition type:"and/or">
      < Insert your audit here >
  </condition>
<then>
     < Insert your audit here >
</then>
<else>
     < Insert your audit here >
</else>
</if>

Below is an example that audits the password policy. Since the 'and' type is used, for this policy to pass the audit, both custom items would need to pass. This example tests for a very odd combination of valid password history policies to illustrate how sophisticated test logic can be implemented.

<if>
   <condition type:"and">

     <custom_item>
       type: PASSWORD_POLICY
       description: "2.2.2.5 Password History: 24 passwords remembered"
       value_type: POLICY_DWORD
       value_data: [22..MAX] || 20
       password_policy: ENFORCE_PASSWORD_HISTORY
     </item>

     <custom_item>
       type: PASSWORD_POLICY
       description: "2.2.2.5 Password History: 24 passwords remembered"
       value_type: POLICY_DWORD
       value_data: 18 || [4..24]
       password_policy: ENFORCE_PASSWORD_HISTORY
     </item>

   </condition>

   <then>

     <report type:"PASSED">
       description: "Password policy passed"
     </report>

   </then>

   <else>

     <report type:"FAILED">
       description: "Password policy failed"
     </report>

   </else>

</if>

The if/then/else logic is extremely powerful. In the above example, only the new 'report' type was shown, but the if/then/else structure supports performing additional audits within the 'else' clauses. Within a condition, nested if/then/else clauses can also be used. A more complex example is shown below:

<if>
<condition type:"and">
<custom_item>
    type: CHECK_ACCOUNT
    description: "Accounts: Rename Administrator account"
    value_type: POLICY_TEXT
    value_data: "Administrator"
    account_type: ADMINISTRATOR_ACCOUNT
    check_type: CHECK_NOT_EQUAL
</item>
</condition>

<then>
<report type:"PASSED">
   description: "Administrator account policy passed"
</report>
</then>

<else>

<if>
<condition type:"or">
<item>
   name: "Minimum password age"
   value: [1..30]
</item>
<custom_item>
   type: PASSWORD_POLICY
   description: "Password Policy setting"
   value_type: POLICY_DWORD
   value_data: 1
   password_policy: COMPLEXITY_REQUIREMENTS
</custom_item>
</condition>
<then>
<report type:"PASSED">
   description: "Administrator account policy passed"
</report>
</then>
<else>
<report type:"FAILED">
   description: "Administrator account policy failed"
</report>
</else>
</if>

</else>
</if>

This example implements the logic, if the Administrator account has not been renamed, then audit that the minimum password age is 30 or less. This audit policy would pass if the administrator account has been renamed regardless of the password policy and would only test the password age policy if the administrator account hadn't been renamed.

'info' field for each check

A new function that can be used to label each audit field with one or more external references is also available. For example, this field will be used to place references from NIST CCE tags as well as CIS specific audit requirements. These external references are printed out in the final audit performed by Nessus and will be displayed in the Nessus report, or through the Security Center's user interface.

The field is named 'info'. Below is an example password audit policy that has been augmented to list references to a fictitious corporate policy:

     <custom_item>
       type: PASSWORD_POLICY
       description: "Password History: 24 passwords remembered"
       value_type: POLICY_DWORD
       value_data: [22..MAX] || 20
       password_policy: ENFORCE_PASSWORD_HISTORY
       info: "Corporate Policy 102-A"
     </item>

If multiple policy references are required for a single audit, the string specified by the 'info' keyword can make use of the '\n' separator to specify multiple strings. For example, consider the following audit:

<custom_item>
type: CHECK_ACCOUNT
description: "Accounts: Rename Administrator account"
value_type: POLICY_TEXT
value_data: "Administrator"
account_type: ADMINISTRATOR_ACCOUNT
check_type: CHECK_NOT_EQUAL
info: 'Ron Gula Mambo Number 5\nCCE-60\nTenable Best Practices Policy 1005-a'
</item>

When run with the nasl command line tool, this audit function produces the following output:

[[email protected] ~]# /opt/nessus/bin/nasl -t 192.168.20.16 ./compliance_check.nbin

            Windows Compliance Checks, version 2.0.0(Beta2)

Which file contains your security policy : ./test_v2.audit
SMB login : Administrator
SMB password :
SMB domain (optional) :
"Accounts: Rename Administrator account": [FAILED]

Ron Gula Mambo Number 5
CCE-60
Tenable Best Practices Policy 1005-a

Remote value: "Administrator"
Policy value: "administrator"

'check_type' option

Audit functions can now make use of a field named 'check_type' which implements a variety of flexible logic to test the results of an audit. Below is an example audit to check to make sure that the account name "Guest" does not exist for any Guest account.

<custom_item>
  type: CHECK_ACCOUNT
  description: "Accounts: Rename guest account"
  value_type: POLICY_TEXT
  value_data: "Guest"
  account_type: GUEST_ACCOUNT
  check_type: CHECK_NOT_EQUAL
</item>

If any other value besides "Guest" is present, the test will pass. If "Guest" is found, the audit will fail.

The 'check_type' option can accept the following values which implements the following types of logic:

  • CHECK_EQUAL compare the remote value against the policy value (default if check_type is missing)
  • CHECK_EQUAL_ANY checks that each element of 'value_data' is at least present once in the system list.
  • CHECK_NOT_EQUAL checks the remote value is different than the policy value
  • CHECK_GREATER_THAN checks the remote value is greater than the policy value
  • CHECK_GREATER_THAN_OR_EQUAL checks the remote value is greater or equal than the policy value
  • CHECK_LESS_THAN checks the remote value is less than the policy value
  • CHECK_LESS_THAN_OR_EQUAL checks the remote value is less or equal than the policy value
  • CHECK_REGEX checks that the remote value match the regular expression in the policy value (only works with POLICY_TEXT and POLICY_MULTI_TEXT)
  • CHECK_SUBSET checks that the remote access control list (ACL) is a subset of the policy ACL. (This check only works with ACLs)

The following custom item checks that 'lsarpc' is in the 'NullSessionPipes' list.

<custom_item>
description: "CHECK_EQUAL_ANY"
type: REGISTRY_SETTING
value_type: POLICY_MULTI_TEXT
value_data: 'lsarpc'

reg_key: "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"
reg_item: "NullSessionPipes"
check_type: CHECK_EQUAL_ANY
</item>

The following custom item checks that 'lsarpc' and 'browser' are in the 'NullSessionPipes' list.

<custom_item>
description: "CHECK_EQUAL_ANY"
type: REGISTRY_SETTING
value_type: POLICY_MULTI_TEXT
value_data: 'lsarpc' && 'browser'

reg_key: "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"
reg_item: "NullSessionPipes"
check_type: CHECK_EQUAL_ANY
</item>

Support for Signed, Unsigned and Hexadecimal Numbers

Numbers can now be specified with plus or minus to indicated their 'sign'. Number can also be specified as hexadecimal values. Hex and signs can be combined. The following are valid examples (without the corresponding label in parentheses) within a REGISTRY_SETTING audit for a POLICY_DWORD:

value_data: -1  (signed)
value_data: +10  (signed)
value_data: 10 (unsigned)
value_data: 2401649476 (unsigned)
value_data: [MIN..+10]  (signed range)
value_data: [20..MAX] (unsigned range)
value_data: 0x800010AB (unsigned hex)
value_data: -0x10 (signed hex)

Value data can also make use of parentheses to specify ranges of valid data values. For example, the example below  would accept valid data in non-discrete ranges:

value_data: ( ([20..MAX] || 18) && (32 || 18) )

Minor Features and Differences

The following is a list of other features and differences between version 1 and version 2:

  • Performance Increase on Low Latency Networks - The new logic implemented in this update is more efficient. In some lower latency networks, a speed increase of more than two times has been observed.
  • Strings can be specified with single or double quotes - Escaped characters such as \n, \r, \\, \', \t, \", ... are only evaluated in strings specified with single quotes.
  • USER_RIGHTS_POLICY is now case sensitive - In all of the new version 2 audit policies, the USER_RIGHTS_POLICY has been updated to the correct string and case. For example, previously, many polices included a test for "setcbprivilege" and now with version 2, the string SeTcbPrivilege is used without any quotes.
  • REGISTRY_SETTING 'reg_type' field - This field is now automatically converted to the given 'value_type' policy of the audit.

Obtaining and Testing the new compliance_check.nbin beta Plugin

To obtain the new compliance_check.nbin file, log into the Tenable Customer Support Portal, click on the 'Downloads' button, and then click on the 'Download Compliance Checks Tools' button. On this page is a link for the beta of the new plugin as well as version 2.0.0 of the i2a tool.

On UNIX systems, you can download the plugin to someplace other than the Nessus plugins directory and use the nasl command line tool to test it out. If you are not familiar with the nasl command line tool, we've blogged about its usage previously before, including an example of how to perform tests with Direct Feed auditing files.

Here is an example running the new plugin with an older, incompatible version 1 policy.

[[email protected] ~]# /opt/nessus/bin/nasl -t 192.168.20.16 ./compliance_check.nbin

            Windows Compliance Checks, version 2.0.0(Beta1)

Which file contains your security policy : ./FDCC_Desktops_v90.audit
SMB login : Administrator
SMB password :
SMB domain (optional) :
Parse error line 99 - unknown token 'setcbprivilege'

This older audit file failed because previously, the USER_RIGHTS_POLICY was case insensitive. In version 2, the case is important. The older version 1 policy had a line which tested the string "setcbprivilege' whereas in version 2, the more specific 'SeTcbPrivilege' has been specified.

Here is a second, truncated example running version 2 of the same policy:

[[email protected] ~]# /opt/nessus/bin/nasl -t 192.168.20.16 ./compliance_check.nbin

            Windows Compliance Checks, version 2.0.0(Beta1)

Which file contains your security policy : FDCC_Desktops_v90_v2.audit
SMB login : Administrator
SMB password :
SMB domain (optional) :
"Minimum password age": [FAILED]

Remote value: 0
Policy value: [1..MAX]

Testing with Nessus Direct Feed Scanners

If you would like to replace your compliance_check.nbin in your Nessus plugins directory, you can make use of the new beta directly from Nessus. Simply move the current compliance_check.nbin file to a safe place to be able to revert to it, and replace it with the new compliance_check.nbin file. Any scan policies you test with should be performed with version 2 polices.

If your Nessus scanner is set to update plugins, keep in mind that the compliance_check.nbin file will be overwritten with the older version 1 plugin. Once the new plugin is in place, on Windows systems, the plugins should be rebuilt by running the build.exe command. On UNIX systems, a Nessus service restart will work, or it can be forced from the command line with the command:

/opt/nessus/sbin/nessusd -t -D

Testing with the Security Center

If you place the compliance_check.nbin file in your /opt/sc3/admin/nasl directory, the Security Center will push this plugin out to all of your managed Nessus scanners within the next hour. If you are impatient, you can force this by placing the plugin and then restarting the Security Center.

From within the Security Center, you should place any desired version 2 test polices also in the /opt/sc3/admin/nasl directory and then perform your testing.

Keep in mind that if the Security Center performs a plugin update during its nightly process, it will obtain the older version 1 of this plugin and will overwrite it on each of your managed Nessus scanners.

Providing Feedback

We appreciate any positive or negative feedback, as well as bug reports. Tenable customers should send email to [email protected] or open up a ticket through the support portal if any issues have been found.

Any updates to the available beta will be posted on the support portal, as well as the Nessus Compliance RSS feed.