Mailing List Archive

Some questions about running compliance checks on linux servers
I've used Nessus "free" tool for almost 8 years now. I just recently
purchased the commercial version so I can utilize the .audit files.

After running the PCI compliance .audit file against a Windows box and a
Linux box, I was concerned over the results.

On the windows box using the .audit file in the 'Edit' --> 'Advanced' -->
'Windows Compliance Checks' I selected 'PCI_Windows_v2.audit' and
'WinXPPro-DISA-Gold_v90_v2.audit' files. Under the 'Windows File Contents
Compliance Checks' I selected 'content_credit_card.audit',
'content_SSN_by_state.audit', 'content_social_security_number.audit' and
'content_DL_number.audit'.

After running it, the 'general/tcp' information in the report results was
as follows:

Windows File Contents Compliance Checks
"Determine if a file contains a valid American Express 15 Digit Card
Number" : [PASSED]
Nessus ID : 24760

Which is great, with the exception that I set up a file which contained a
fake CC number and got this:

Windows File Contents Compliance Checks
"" : [FAILED]
- error message: Unrecognized grammar (line 48) :
| regex : "([^0-9-]|^)(3(4[0-9]{2}|7[0-9]{2})( |-|)[0-9]{6}(
|-|)[0-9]{5})([^0-9-]|$)"regex_replace : "\3"expect : "American Express"|
"CCAX"| "amex"| ...
Nessus ID : 24760

This is great in that I didn't pass, but it doesn't tell me where or which
file contained the CC information.

The other problem that I had was with Linux servers, on which I can run the
'Unix Compliance Checks' and included the 'PCI Linux Compliance.session'.
Since there are no 'Unix File Contents Compliance Checks', I couldn't run
anything.

When I open the PCI_Linux.audit file I find several issues which are of
great concern, as this is the main reason why I recommended the commercial
purchase of this product.

<custom_item>
#System : "Linux"
type : FILE_CHECK
description : "PCI 2.2.3 Configure system security parameters to prevent misuse - Additional Network Parameter Modifications"
info : "Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information."
info : "Checking if /etc/sysctl.conf permissions are OK"
info : "ref.pci_dss_v1-1.pdf Req. 2 pg. 5"
info : "https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-1.pdf"
file : "/etc/sysctl.conf"
owner : "root"
group : "root"
mode : "600"
</custom_item>

# Note: Please change the remote host, in this case
# 172.20.101.151 to reflect the loghost in your
# target system

If you look at the .audit code above, you will notice that it is checking
to determine if the permissions are OK on this particular file. There are
many other permission checks within this particular .audit file, but there
are no reported results to tell me if everything passed, is OK, or failed.
That would be something nice to have. I know the scans are getting inside
the box, as I've run the scans and could tell by the identification of our
database.

However there is nothing that comes up in the report.

Also, what is the '# Note:' documentation trying to tell me? Change the
remote host? How? Where? This is confusing.

Any help would be greatly appreciated.

Thanks

Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist
(210) 301-6433 - (210) 887-6985
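The post above raises two practical gaps: the file-contents check reports FAILED without naming the file, and the FILE_CHECK item for /etc/sysctl.conf produces no visible PASSED/FAILED result. The script below is an added, stand-alone example (not part of the original post and not Nessus code) that performs the same two checks locally so the result can be compared with the scanner's output. Assumptions: the American Express pattern is re-expressed with lookarounds instead of the `([^0-9-]|^)` / `([^0-9-]|$)` groups in the quoted regex; a Luhn checksum is added to cut false positives (the quoted .audit item does not show one); the `SYSCTL_CHECK` dict mirrors the `file`/`owner`/`group`/`mode` fields of the quoted `<custom_item>`; and the sample text is constructed, using the published AmEx test number 378282246310005.

```python
#!/usr/bin/env python3
"""Local equivalents of two Nessus .audit checks discussed in the post:
a file-contents search for American Express numbers that reports
file and line, and a FILE_CHECK (owner/group/mode) that reports
PASSED or FAILED with a reason. Example code, not Nessus code."""
import grp
import os
import pwd
import re
import stat
from typing import Dict, List, Tuple

# Equivalent of the quoted AmEx regex: 15 digits starting 34 or 37, in the
# 4-6-5 grouping with an optional single space or dash between groups. The
# lookarounds play the role of ([^0-9-]|^) and ([^0-9-]|$), so the match
# covers only the number itself and a longer digit run is not matched.
AMEX_RE = re.compile(
    r"(?<![0-9-])(3[47][0-9]{2})[ -]?([0-9]{6})[ -]?([0-9]{5})(?![0-9-])"
)

# Mirrors the file/owner/group/mode fields of the quoted <custom_item>.
SYSCTL_CHECK: Dict[str, str] = {
    "file": "/etc/sysctl.conf", "owner": "root", "group": "root", "mode": "600",
}

# Constructed sample input; 378282246310005 is the published AmEx test number.
SAMPLE = """customer notes, constructed sample
card: 378282246310005 exp 12/27
formatted: 3782 822463 10005
typo: 378282246310006
visa-like: 4111111111111111
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (assumed addition; not shown in the quoted .audit item)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report only the last four digits so the report itself is not a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str, path: str = "<text>") -> List[Tuple[str, int, str]]:
    """Return (path, line number, masked number) for each Luhn-valid AmEx hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AMEX_RE.finditer(line):
            digits = "".join(m.groups())
            if luhn_ok(digits):
                hits.append((path, lineno, mask(digits)))
    return hits


def scan_tree(root: str, max_bytes: int = 1 << 20) -> List[Tuple[str, int, str]]:
    """Walk a directory and run find_card_numbers over each text file."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            if b"\x00" in data:     # skip binaries
                continue
            hits.extend(find_card_numbers(data.decode("utf-8", "replace"), path))
    return hits


def evaluate_perms(owner: str, group: str, mode: int, expected: Dict[str, str]) -> Tuple[str, List[str]]:
    """Compare actual owner/group/mode with the FILE_CHECK expectations."""
    problems = []
    if owner != expected["owner"]:
        problems.append(f"owner is {owner}, expected {expected['owner']}")
    if group != expected["group"]:
        problems.append(f"group is {group}, expected {expected['group']}")
    if mode != int(expected["mode"], 8):
        problems.append(f"mode is {mode:04o}, expected {expected['mode']}")
    return ("PASSED" if not problems else "FAILED"), problems


def check_file(expected: Dict[str, str]) -> Tuple[str, List[str]]:
    """Run the FILE_CHECK against the real filesystem."""
    try:
        st = os.stat(expected["file"])
    except OSError as exc:
        return "FAILED", [f"{expected['file']}: {exc.strerror}"]
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return evaluate_perms(owner, group, stat.S_IMODE(st.st_mode), expected)


if __name__ == "__main__":
    for path, lineno, masked in find_card_numbers(SAMPLE, "notes.txt"):
        print(f"{path}:{lineno}: AmEx number {masked}")
    status, reasons = check_file(SYSCTL_CHECK)
    print(f"{SYSCTL_CHECK['file']}: {status}", *reasons, sep="\n  ")
```

Run against the constructed sample, lines 2 and 3 are reported (the same number, plain and space-separated), line 4 matches the regex but fails the Luhn check, and line 5 is not an AmEx prefix; replace `SAMPLE` with `scan_tree("/path")` to search real files. The permission check prints each failing attribute rather than a bare FAILED, which is the detail the post asks for.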