Configuration Auditing

    1. Configuration Audit Scanning. Albert Campa
    2. @betoftw  Blog: compusec.org
    3. Configuration Auditing. What it is. How it is done. What to audit. Reporting.
    4. Agent based. Cons: No more agents! Pros: Unauthorized changes can get reverted; NRT - Near realtime
    5. Agentless / Scanning. Cons: knock on door, house falls down (rare); data aging. Pros: scheduled scans; no agents
    6. Audit what exactly? Hardening guide compliance: DISA, CIS, NSA, custom, etc. Custom audits/hardening guides (NIST, PCI, DOD, etc). Audit OS (Windows, Mac, *nix, Cisco, etc). Audit services, databases, config files, signs of malware, sensitive info, web server configs
    7. Tools...
    8. Nessus Cisco Audit File
       <item>
        type        : CONFIG_CHECK
        description : "1.1.2.6 Require SSH Access Control"
        info        : "Verify that management access to the device is restricted on all VTY lines."
        context     : "line .*"
        item        : "access-class [0-9]+ in"
       </item>
       http://blog.tenablesecurity.com/2010/06/cisco-compliance-checks.html
    9. Windows Nessus Audit File
       # 2.2.4.1.1 Application Log Maximum Event Log Size: 16 MB
       <custom_item>
        type        : REGISTRY_SETTING
        description : "2.2.4.1.1 Application Log Maximum Event Log Size: 16 MB"
        value_type  : POLICY_KBYTE
        value_data  : [16384..MAX]
        reg_key     : "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application"
        reg_item    : "MaxSize"
        reg_type    : REG_DWORD
       </custom_item>
    10. Nessus Audit: Cisco Results
    11. Setting up the scan. Tune your audit file (Nessus = .audit). Run a vuln scan also? DB audits + OS audits? Credentials
    12. Nessus Audit DB results: http://blog.tenablesecurity.com/2009/04/auditing-linux-apache-mysql-against-cis-benchmarks.html
    13. 1
    14. 2
        <custom_item>
         type        : REGISTRY_SETTING
         description : "1.6.1 Configure Automatic Updates"
         info        : "This control defines whether Windows will receive security updates from Windows Update or WSUS."
         info        : "CCE-8478-0"
         value_type  : POLICY_DWORD
         value_data  : 3
         reg_key     : "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
         reg_item    : "AUOptions"
         reg_option  : CAN_NOT_BE_NULL
        </custom_item>
    15. Reporting. Easier when policy is tuned and tested. Easier when hardening guides are approved by org. Careful, audit reports can be huge. Set up some compliance metrics
    16. Trending: http://blog.tenablesecurity.com/2009/05/common-mistakes-in-vulnerability-and-compliance-reporting.html
    17. Sample Reports: http://blog.tenablesecurity.com/files/FDCC_WinXP_Compliance_Report.html http://blog.tenablesecurity.com/files/FDCC_WinXP_Non-Compliance_Report.html http://blog.tenablesecurity.com/2007/09/using-nessus-co.html
    18. Questions
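As an added example (not code from the deck, and not Nessus's own engine), here is a small Python evaluator for the two REGISTRY_SETTING checks the deck shows (slides 9 and 14), run against a constructed registry snapshot of the kind a credentialed scan reads. The POLICY_KBYTE handling (byte-valued DWORD divided by 1024) and the ERROR result for an absent value that has no reg_option are assumptions about Nessus semantics, not documented behaviour.

```python
import re
# Constructed sample: the two REGISTRY_SETTING checks from slides 9 and 14, in .audit syntax.
AUDIT = r'''
<custom_item>
 type       : REGISTRY_SETTING
 description: "2.2.4.1.1 Application Log Maximum Event Log Size: 16 MB"
 value_type : POLICY_KBYTE
 value_data : [16384..MAX]
 reg_key    : "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application"
 reg_item   : "MaxSize"
 reg_type   : REG_DWORD
</custom_item>
<custom_item>
 type       : REGISTRY_SETTING
 description: "1.6.1 Configure Automatic Updates"
 value_type : POLICY_DWORD
 value_data : 3
 reg_key    : "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
 reg_item   : "AUOptions"
 reg_option : CAN_NOT_BE_NULL
</custom_item>
'''
# Constructed registry snapshot as a credentialed scan would read it ("key\item" -> DWORD):
# MaxSize holds bytes (20 MB here); the AUOptions policy value is absent on this host.
REGISTRY = {r"HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\MaxSize": 20 * 1024 * 1024}

def parse_audit(text):
    """Each <custom_item> block becomes a dict of its 'field : value' lines (split on first colon)."""
    blocks = re.findall(r"<custom_item>(.*?)</custom_item>", text, re.S)
    return [{k.strip(): v.strip().strip('"') for k, _, v in
             (ln.partition(":") for ln in b.strip().splitlines())} for b in blocks]

def in_range(value, spec):
    """value_data is a single number or a [lo..hi] range; MIN/MAX leave that end open."""
    m = re.fullmatch(r"\[(\w+)\.\.(\w+)\]", spec)
    if not m:
        return value == int(spec)
    lo, hi = m.groups()
    return (lo == "MIN" or value >= int(lo)) and (hi == "MAX" or value <= int(hi))

def evaluate(item, registry):
    """PASSED/FAILED for one check; an absent value fails when reg_option is CAN_NOT_BE_NULL."""
    raw = registry.get(item["reg_key"] + "\\" + item["reg_item"])
    if raw is None:
        return "FAILED" if item.get("reg_option") == "CAN_NOT_BE_NULL" else "ERROR"
    # Assumption: POLICY_KBYTE compares the byte-valued DWORD in kilobytes.
    value = raw // 1024 if item["value_type"] == "POLICY_KBYTE" else raw
    return "PASSED" if in_range(value, item["value_data"]) else "FAILED"

def run_audit(text=AUDIT, registry=REGISTRY):
    return {item["description"]: evaluate(item, registry) for item in parse_audit(text)}
```

With the snapshot above the 16 MB log-size check passes (20 MB stored) and the Automatic Updates check fails because the policy value is absent, which is exactly the CAN_NOT_BE_NULL case.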