Configuration Auditing
Transcript

  • 1. Configuration Audit Scanning - Albert Campa
  • 2. @betoftw  Blog: compusec.org
  • 3. Configuration Auditing: What it is. How it is done. What to audit. Reporting.
  • 4. Agent based
    Cons: No more agents!
    Pros: Unauthorized changes can get reverted; NRT - near real time
  • 5. Agentless / Scanning
    Cons: knock on door, house falls down (rare); data aging
    Pros: scheduled scans; no agents
  • 6. Audit what exactly?
    Hardening guide compliance: DISA, CIS, NSA, custom, etc.
    Custom audits/hardening guides (NIST, PCI, DOD, etc.)
    Audit OS (Windows, Mac, *nix, Cisco, etc.)
    Audit services, databases, config files, signs of malware, sensitive info, web server configs
  • 7. Tools...
  • 8. Nessus Cisco Audit File
        <item>
        type: CONFIG_CHECK
        description: "1.1.2.6 Require SSH Access Control"
        info: "Verify that management access to the device is restricted on all VTY lines."
        context: "line .*"
        item: "access-class [0-9]+ in"
        </item>
    http://blog.tenablesecurity.com/2010/06/cisco-compliance-checks.html
  • 9. Windows Nessus Audit File
        # 2.2.4.1.1 Application Log Maximum Event Log Size: 16 MB
        <custom_item>
        type: REGISTRY_SETTING
        description: "2.2.4.1.1 Application Log Maximum Event Log Size: 16 MB"
        value_type: POLICY_KBYTE
        value_data: [16384..MAX]
        reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application"
        reg_item: "MaxSize"
        reg_type: REG_DWORD
        </custom_item>
  • 10. Nessus Audit: Cisco Results
  • 11. Setting up the scan
    Tune your audit file (Nessus = .audit)
    Run a vuln scan also? DB audits + OS audits?
    Credentials
  • 12. Nessus Audit: DB results
    http://blog.tenablesecurity.com/2009/04/auditing-linux-apache-mysql-against-cis-benchmarks.html
  • 13. 1
  • 14. 2
        <custom_item>
        type : REGISTRY_SETTING
        description : "1.6.1 Configure Automatic Updates"
        info : "This control defines whether Windows will receive security updates from Windows Update or WSUS."
        info : "CCE-8478-0"
        value_type : POLICY_DWORD
        value_data : 3
        reg_key : "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
        reg_item : "AUOptions"
        reg_option : CAN_NOT_BE_NULL
        </custom_item>
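To show what an agentless REGISTRY_SETTING check actually evaluates, here is an added Python example (not Nessus code and not from the slides) that parses the two registry items from slides 9 and 14 and compares them against a constructed registry snapshot, handling both the `[min..MAX]` range form and an exact DWORD value. The audit text, the snapshot values and the PASSED/FAILED/ERROR labels are assumptions for illustration.

```python
import re

# Constructed .audit fragment, modelled on the two registry items in the slides.
AUDIT = r'''
<custom_item>
type : REGISTRY_SETTING
description : "2.2.4.1.1 Application Log Maximum Event Log Size: 16 MB"
value_type : POLICY_KBYTE
value_data : [16384..MAX]
reg_key : "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application"
reg_item : "MaxSize"
</custom_item>
<custom_item>
type : REGISTRY_SETTING
description : "1.6.1 Configure Automatic Updates"
value_type : POLICY_DWORD
value_data : 3
reg_key : "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
reg_item : "AUOptions"
</custom_item>
'''

# Constructed snapshot of what a credentialed scan would read: (key, value name) -> data.
REGISTRY = {
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application", "MaxSize"): 20480,
    (r"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions"): 4,
}

def parse_items(text):
    """Split <custom_item> blocks into dicts; only the first ':' separates keyword and value."""
    items = []
    for body in re.findall(r"<custom_item>(.*?)</custom_item>", text, re.S):
        item = {}
        for line in body.splitlines():
            if not line.strip():
                continue
            key, _, val = line.partition(":")
            item[key.strip()] = val.strip().strip('"')
        items.append(item)
    return items

def value_matches(spec, actual):
    """spec is either an exact integer or a range like [16384..MAX]."""
    m = re.fullmatch(r"\[(\d+)\.\.(\d+|MAX)\]", spec)
    if m:
        hi = float("inf") if m.group(2) == "MAX" else int(m.group(2))
        return int(m.group(1)) <= actual <= hi
    return actual == int(spec)

def evaluate(audit_text, registry):
    """Return {description: PASSED|FAILED|ERROR}; ERROR means the key/value was absent."""
    results = {}
    for item in parse_items(audit_text):
        actual = registry.get((item["reg_key"], item["reg_item"]))
        if actual is None:
            results[item["description"]] = "ERROR"
        else:
            ok = value_matches(item["value_data"], actual)
            results[item["description"]] = "PASSED" if ok else "FAILED"
    return results
```

With the snapshot above the 20480 KB log size passes the `[16384..MAX]` range while AUOptions = 4 fails the exact-value check for 3, and a missing key reports as ERROR rather than silently passing.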
  • 15. Reporting
    Easier when policy is tuned and tested
    Easier when hardening guides are approved by the org
    Careful, audit reports can be huge
    Set up some compliance metrics
  • 16. Trending
    http://blog.tenablesecurity.com/2009/05/common-mistakes-in-vulnerability-and-compliance-reporting.html
  • 17. Sample Reports
    http://blog.tenablesecurity.com/files/FDCC_WinXP_Compliance_Report.html
    http://blog.tenablesecurity.com/files/FDCC_WinXP_Non-Compliance_Report.html
    http://blog.tenablesecurity.com/2007/09/using-nessus-co.html
  • 18. Questions