Re: Some questions about running compliance checks on linux servers
Hello Frank,

Comments inline:


Frank_Kenisky@psc.uscourts.gov wrote:
>
> I've used Nessus "free" tool for almost 8 years now. I just recently
> purchased the commercial version so I can utilize the .audit files.
>
> After running the PCI compliance .audit file against a windows box and a
> linux box I was concerned over the results.
>
> On the windows box using the .audit file in the 'Edit' --> 'Advanced'
> --> 'Windows Compliance Checks' I selected 'PCI_Windows_v2.audit' and
> 'WinXPPro-DISA-Gold_v90_v2.audit' files. Under the 'Windows File
> Contents Compliance Checks' I selected 'content_credit_card.audit',
> 'content_SSN_by_state.audit', 'content_social_security_number.audit' and
> 'content_DL_number.audit'.
>
> After running it, the 'general/tcp' section of the report had
> results as follows:
> Windows File Contents Compliance Checks
> "Determine if a file contains a valid American Express 15 Digit Card
> Number" : [PASSED]
> Nessus ID : _24760_
> <http://www.nessus.org/plugins/index.php?view=single&id=24760>
>
> Which is great, with the exception that I set up a file which contained a
> fake CC number and got this:
> Windows File Contents Compliance Checks
> "" : [FAILED]
> - error message: Unrecognized grammar (line 48) :
> | regex : "([^0-9-]|^)(3(4[0-9]{2}|7[0-9]{2})( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)"regex_replace : "\3"expect : "American Express"| "CCAX"| "amex"| ...
> Nessus ID : _24760_
> <http://www.nessus.org/plugins/index.php?view=single&id=24760>
>
> This is great in that I didn't pass but it doesn't tell me where or
> which file contained the CC information.

I am unable to duplicate this particular failure and was hoping you could send me your fake CC file and the audit file that you are using
off-line so that I can do some testing on my side.
>
> The other problem that I had was with Linux servers, on which I can run the
> 'Unix Compliance Checks' and included the 'PCI Linux
> Compliance.session'. Since there is no 'Unix File Contents Compliance
> Checks' I couldn't run anything.
>
> When I open the PCI_Linux.audit file I find several issues which are of
> great concern, as this is the main reason why I recommended the
> commercial purchase of this product.
>
> <custom_item>
> #System : "Linux"
> type : FILE_CHECK
> description : "PCI 2.2.3 Configure system security parameters to prevent misuse - Additional Network Parameter Modifications"
> info : "Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information."
> info : "Checking if /etc/sysctl.conf permissions are OK"
> info : "ref.pci_dss_v1-1.pdf Req. 2 pg. 5"
> info : "https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-1.pdf"
>
> file : "/etc/sysctl.conf"
> owner : "root"
> group : "root"
> mode : "600"
> </custom_item>
>
> # Note: Please change the remote host, in this case
> # 172.20.101.151 to reflect the loghost in your
> # target system
>
> If you look at the .audit code above you will notice that it is checking
> to determine if the permissions are OK on this particular file. There
> are many other permission checks within this particular .audit file.
> But there are no reporting results to tell me if everything passed, is
> OK, or failed. That would be something nice to have. I know the scans
> are getting inside the box, as I've run the scans and could tell by the
> identification of our database.
>
> However there is nothing that comes up in the report.

When you run a compliance scan, the output report of the scan should indeed indicate "PASSED" or "FAILED". If you are getting no output at all
from the scan, that typically indicates that the scan failed in some way and you'll want to check further to determine the root cause (improper
Nessus settings, wrong credentials, etc.)
>
> Also, what is the '# Note:' documentation comment trying to tell me? Change the
> remote host? How? Where? This is confusing.

This comment relates to the audit directly below it and indicates that you will want to configure the audit file with the IP address of your
remote syslog (as configured in /etc/syslog.conf).
>
> Any help would be greatly appreciated.
>
> Thanks
>
> Frank Kenisky IV, CISSP, CISA, CISM
> Information Technical Security Specialist
> (210) 301-6433 - (210) 887-6985
>

--
Best Regards,

Paul Davis
Research Engineer
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com

Is your network TENABLE?
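As an added example (not code from this thread, from Tenable, or from the .audit format itself), the FILE_CHECK item quoted above can be re-implemented in a few lines of Python that emit the per-file PASSED/FAILED result, with the reasons for a failure, that the report was expected to show. The temp-file helper and the uid/gid name fallback are assumptions so it runs without root.

```python
import grp, os, pwd, stat, tempfile

# Constructed copy of the FILE_CHECK item quoted from PCI_Linux.audit above
# (description shortened; file, owner, group and mode are the audit's values).
SYSCTL_CHECK = {"description": "PCI 2.2.3 /etc/sysctl.conf permissions",
                "file": "/etc/sysctl.conf", "owner": "root",
                "group": "root", "mode": "600"}

def _name(lookup, ident):
    """Map a uid/gid to a name, falling back to the number if unknown."""
    try:
        return lookup(ident)[0]      # pw_name / gr_name is field 0
    except KeyError:
        return str(ident)

def file_check(item, path=None):
    """Evaluate one FILE_CHECK item -> ("PASSED" | "FAILED", [reasons])."""
    path = path or item["file"]      # override lets us test on a temp file
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "FAILED", [f"{path}: file does not exist"]
    owner = _name(pwd.getpwuid, st.st_uid)
    group = _name(grp.getgrgid, st.st_gid)
    mode = stat.S_IMODE(st.st_mode)  # permission bits only, no file type
    want_mode = int(item["mode"], 8) # audit modes are octal strings
    reasons = []                     # list every mismatch so the report says why
    if owner != item["owner"]:
        reasons.append(f"owner is {owner}, expected {item['owner']}")
    if group != item["group"]:
        reasons.append(f"group is {group}, expected {item['group']}")
    if mode != want_mode:
        reasons.append(f"mode is {mode:04o}, expected {want_mode:04o}")
    return ("FAILED" if reasons else "PASSED"), reasons

def check_temp_file(perm):
    """Run the item against a throwaway file with the given permission bits.
    Owner/group are swapped for the current user (we are not root), so the
    mode alone decides the outcome."""
    item = dict(SYSCTL_CHECK, owner=_name(pwd.getpwuid, os.geteuid()),
                group=_name(grp.getgrgid, os.getegid()))
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, perm)
        return file_check(item, path)
    finally:
        os.unlink(path)
```

Run against the real path with `file_check(SYSCTL_CHECK)` to get the same PASSED/FAILED verdict, plus the mismatching attribute, for /etc/sysctl.conf.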
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers