Mailing List Archive

Some questions about running compliance checks on linux servers
I've used Nessus "free" tool for almost 8 years now. I just recently
purchased the commercial version so I can utilize the .audit files.

After running the PCI compliance .audit file against a windows box and a
linux box I was concerned over the results.

On the windows box using the .audit file in the 'Edit' --> 'Advanced' -->
'Windows Compliance Checks' I selected 'PCI_Windows_v2.audit' and
'WinXPPro-DISA-Gold_v90_v2.audit' files. Under the 'Windows File Contents
Compliance Checks' I selected 'content_credit_card.audit',
'content_SSN_by_state.audit', 'content_social_security_number.audit' and

After running it the report results the 'general/tcp' information had
results as follows;

Windows File Contents Compliance Checks
"Determine if a file contains a valid American Express 15 Digit Card
Number" : [PASSED]
Nessus ID : 24760

Which is great with the exception that I set up a file which contained a
fake CC number and got this;

Windows File Contents Compliance Checks
"" : [FAILED]
- error message: Unrecognized grammar (line 48) :
| regex : "([^0-9-]|^)(3(4[0-9]{2}|7[0-9]{2})( |-|)[0-9]{6}(
|-|)[0-9]{5})([^0-9-]|$)"regex_replace : "\3"expect : "American Express"|
"CCAX"| "amex"| ...
Nessus ID : 24760

This is great in that I didn't pass but it doesn't tell me where or which
file contained the CC information.

The other problem that I had was with Linux Servers which I can run the
'Unix Compliance Checks' and included the 'PCI Linux Compliance.session'.
Since there is no Unix File Contents Compliance Checks I couldn't run

When I open the PCI_Linux.audit file I find several issue which are of
great concern as this is the main reason why I recommended the commercial
purchase of this product.

#System : "Linux"
description : "PCI 2.2.3 Configure system security
parameters to prevent misuse - Additional Network Parameter Modifications"
info : "Hackers (external and internal to a
company) often use vendor default passwords and other vendor default
settings to compromise systems. These passwords and settings are well
known in hacker communities and easily determined via public information."
info : "Checking if /etc/sysctl.conf
permissions are OK"
info : "ref.pci_dss_v1-1.pdf Req. 2 pg. 5"
info : "
file : "/etc/sysctl.conf"
owner : "root"
group : "root"
mode : "600"

# Note: Please change the remote host, in this case
# to reflect the loghost in your
# target system

If you look at the .audit code above you will notice that it is checking
to determine if the permissions are OK on this particular file. There are
many other permission checks within this particular .audit file. But
there is no reporting results to tell me if everything passed or is ok or
failed. That would be something nice to have. I know the scans are
getting inside the box as I've run the scans and could tell by the
identification of our data base.

However there is nothing that comes up in the report.

Also what is the # documentation Note: trying to tell me. Change the
remote host? How? Where? This is confusing.

Any help would be greatly appreciated.


Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist
(210) 301-6433 - (210) 887-6985