SecurityCenter 5.0 SCAP Assessments
May 28, 2015 (Revision 2)
Table of Contents

Overview
Standards and Conventions
Abbreviations
Simple Assessment Procedure
XCCDF Certified vs. Lower-Tier Content
Operation
Target Exceptions
Downloading SCAP XCCDF Content
Working with SecurityCenter
Loading SCAP Content into SecurityCenter
Adding the Audit File to a Scan Policy
Running a SCAP Scan
Analyzing Scan Results
Technical Issues
Downloading Nessus Scan Results
Downloading SCAP Scan Results
About Tenable Network Security
Overview

This document describes how to use Tenable's SecurityCenter to generate SCAP content audits as well as SCAP OVAL, XCCDF, ASR, and ARF reports from the scan results.

Standards and Conventions

Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as gunzip, httpd, and /etc/passwd. Command line options and keywords are also indicated with the courier bold font. Command line options may or may not include the command line prompt and output text from the results of the command. Often, the command being run will be boldfaced to indicate what the user typed. Below is an example running of the Unix pwd command:

# pwd
/opt/sc/daemons
#

Important notes and considerations are highlighted with this symbol and grey text boxes.

Tips, examples, and best practices are highlighted with this symbol and white on blue text.

Abbreviations

The following abbreviations are used throughout this documentation:

ARF    Assessment Results Format
ASR    Assessment Summary Results
CCE    Common Configuration Enumeration
CPE    Common Platform Enumeration
CVE    Common Vulnerability Enumeration
FDCC   Federal Desktop Core Configuration
LASR   Lightweight Asset Summary Results Schema
NIST   National Institute of Standards and Technology
OVAL   Open Vulnerability and Assessment Language
SCAP   Security Content Automation Protocol
USGCB  United States Government Configuration Baseline
XCCDF  Extensible Configuration Checklist Description Format
Simple Assessment Procedure

To perform a SCAP assessment, follow these high-level steps:

1. Download certified NIST SCAP content in its zip file format. Note that the entire zip file must be obtained for use with SecurityCenter.
2. Upload the SCAP content zip file to SecurityCenter in the same manner as an audit file. Select the appropriate datastream, benchmark, and profile to be used in the desired audit.
3. Associate the uploaded SCAP content audit file with a properly configured scan policy that is targeting the desired asset(s). When creating the policy, make sure that Generate SCAP XML Results is selected.
4. Perform a vulnerability scan based on the selected policy.
5. When the scan is completed, view the results within SecurityCenter's Scan Results section.

Each of these steps is documented in detail later in this document.

XCCDF Certified vs. Lower-Tier Content

Tenable designed SecurityCenter 5.0 and higher to work with the official XCCDF Tier IV content used in the SCAP program. Beta-quality XCCDF-compliant content (Tier III and below) is also available from NIST. Tier definitions are listed below:

IV   Will work in SCAP validated tool
III  Should work in SCAP validated tool
II   Non-SCAP automation content
I    Non-automated prose content

Operation

Performing SCAP assessments as described in this document requires SecurityCenter 5.0 or higher.

Target Exceptions

Red Hat 5:

- Root login should be enabled on the target (PermitRootLogin yes in /etc/ssh/sshd_config).
  o This is required to allow Nessus to log in to the remote host and run the scan.
- Iptables should be disabled (service iptables stop) on the target.
  o Iptables rules could prevent Nessus from running the scan on the remote target; therefore it is recommended to disable the service, or at least configure it in such a way that it doesn't interfere with Nessus scans.
Windows:

- The Remote Registry service should be enabled on the target.
  o The Windows Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry will not be possible, even with full credentials.
- If UAC must be enabled, then the user must add LocalAccountTokenFilterPolicy and set its value to 1. This key should be created in the registry at the following location:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
  This is only required for targets that are not part of a domain, to allow Nessus to gain access to administrative shares during the scan.

The following exceptions do not deviate the target from the Tier IV content but are required for SecurityCenter 5.0 to perform a scan:

#1. When running SecurityCenter scans against USGCB-compliant Windows Vista and Windows 7 target hosts, the USGCB content in SCAP 1.2 format must be extracted and the XCCDF file then re-archived on its own:
1. Extract the Win7-2.0.5.1.zip or WinVista-3.0.5.1.zip USGCB SCAP content.
2. Next, zip scap_gov.nist_usgcb-windows-7.xml or scap_gov.nist_usgcb-windows-vista.xml using the Microsoft Windows default archiver (the Windows archiver must be used for the content to import properly).
3. Proceed with validation testing.

#2. When running a SecurityCenter scan on a Windows XP target host using the combined validation content, the wmi_memory_limit.vbs script must be run on the target prior to scanning. Steps to run wmi_memory_limit.vbs:
1. Extract the wmi_memory_limit.zip folder.
2. Run wmi_memory_limit.vbs on the Windows XP target host using the following command:
   cscript wmi_memory_limit.vbs
3. Reboot for the changes to take effect.
4. Proceed with validation testing.
This will raise the WMI memory limit to 512 MB on Windows XP.

#3. PowerShell checks will not run on the target unless Microsoft .NET Framework 2.0 and the Microsoft Visual C++ 2008 Redistributable Package, or Microsoft .NET Framework 4 and the Microsoft Visual C++ 2010 Redistributable Package, are installed on the target.
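The Red Hat exception above depends on the PermitRootLogin value that sshd actually applies, which is not always the last line a person added: sshd_config uses the first value it encounters for a keyword, and anything after a Match line applies only to matching connections. The following readiness check is an added example (not Tenable's code and not part of the original document); it parses sshd_config text under those rules and reports whether the global setting is the required "yes". The two configuration samples in it are constructed.

```python
"""Readiness check for the Red Hat target exception: report the
PermitRootLogin value that sshd will apply globally, given sshd_config text.
Added example, not Tenable's code; the config samples are constructed.

Parsing follows sshd_config(5): keywords are case-insensitive, '#' starts a
comment, keyword and value may be separated by whitespace or '=', the FIRST
value seen for a keyword wins, and keywords after a Match line apply only to
connections that satisfy the Match criteria, not globally.
"""
import re

_SPLIT = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(config_text):
    """Return (global_settings, match_blocks).

    global_settings maps lowercase keyword -> first value seen outside any
    Match block. match_blocks is a list of (criteria, {keyword: value}) for
    each Match section, in file order.
    """
    global_settings = {}
    match_blocks = []
    current = None  # settings dict of the Match block being filled, or None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            # Every Match line (including "Match all") starts a conditional
            # section; we treat none of it as global.
            current = {}
            match_blocks.append((value, current))
            continue
        target = current if current is not None else global_settings
        target.setdefault(keyword, value)  # first value wins
    return global_settings, match_blocks


def permit_root_login_status(config_text):
    """Summarise whether the scanner's root login is accepted globally.

    'effective' is the global value in lowercase, or None when the file does
    not set it (the compiled-in default then applies, which varies by
    OpenSSH version). 'conditional' lists Match blocks that override it.
    'ready' is True only when the global value is literally 'yes', as the
    target exception requires.
    """
    global_settings, match_blocks = parse_sshd_config(config_text)
    effective = global_settings.get("permitrootlogin")
    effective = effective.lower() if effective is not None else None
    conditional = [
        (criteria, settings["permitrootlogin"].lower())
        for criteria, settings in match_blocks
        if "permitrootlogin" in settings
    ]
    return {"effective": effective, "conditional": conditional,
            "ready": effective == "yes"}


# Constructed sample: the commented default was copied and edited, and a
# stale second line was left behind (ignored, because the first value wins).
SAMPLE_READY = """\
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

# Constructed sample: the setting was only added inside a Match block, so
# the compiled-in default still applies globally.
SAMPLE_NOT_READY = """\
Match User backup
    PermitRootLogin = yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("ready", SAMPLE_READY), ("not ready", SAMPLE_NOT_READY)):
        print(name, permit_root_login_status(text))
```

Run it against the file pulled from the target before the scan window; a result with `"ready": False` but a non-empty `"conditional"` list is the common mistake, where the directive was placed under a Match block and never takes effect for the scanner's connection.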
Downloading SCAP XCCDF Content

SecurityCenter users can obtain the various SCAP bundles at http://web.nvd.nist.gov/view/ncp/repository. Bundles can be downloaded collectively as a single .zip archive, depending on the platform to be assessed and the version of SCAP and OVAL desired to be used in an assessment. When a SCAP bundle file is unzipped, multiple files relating to the specific platform are extracted. The following section describes how to load these files into SecurityCenter and generate audit policies that can be used for SCAP assessments.

Working with SecurityCenter

Only users with the Create Audit Files permission can upload audit files and SCAP content to SecurityCenter. The Security Manager and Administrator users always have this permission. Audit files and SCAP content uploaded by the administrator are available to any Organization, while those uploaded by the Security Manager are available to their respective Organization only.

Loading SCAP Content into SecurityCenter

To load XCCDF/SCAP content into SecurityCenter, navigate to Scans and select Audit Files in SecurityCenter:

[Figure: Audit Files Screen Selection]

Loading the Audit File
Select Add, and then click Advanced under Custom templates:

This displays a choose file option where a single audit file or SCAP content file can be added to SecurityCenter. Select the file to upload to SecurityCenter, and then click Submit.

Many XML files are distributed in SCAP content. These files define the checks (in OVAL) and the target platforms (CPE). SecurityCenter expects a zip file with valid SCAP content to be loaded as the reference file and will generate an error message after an attempt to load an invalid file.
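Because the whole zip is uploaded as one reference file, it is useful to inspect a bundle before the upload and see what SecurityCenter will find in it: the SCAP 1.2 data streams, the XCCDF benchmarks with their profiles, and the platform (Windows or Linux) that can be inferred from the benchmark's CPE references. The script below is an added example, not Tenable's or NIST's code; the bundle it builds in memory is constructed, its identifiers are placeholders, and the Windows/Linux inference is my own approximation of the drop-down behaviour described in this document. It also accepts a bare XCCDF 1.1 benchmark file, since older bundles ship those alongside SCAP 1.2 data streams.

```python
"""Pre-upload inspection of a SCAP bundle zip: list the data streams,
benchmarks and profiles in it, and guess Windows/Linux from CPE references.
Added example, not Tenable's or NIST's code; the bundle built below is
constructed and its identifiers are placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def infer_platform(cpe_names):
    """Guess the audit type from CPE names; None means the drop-down would be empty."""
    joined = " ".join(cpe_names).lower()
    if "microsoft:windows" in joined:
        return "Windows"
    if any(k in joined for k in (":linux", "redhat:", "centos:")):
        return "Linux"
    return None


def inspect_xml(xml_bytes):
    """Describe one XML member: its root element kind, SCAP 1.2 data streams,
    and every XCCDF Benchmark (1.1 or 1.2 namespace) with platforms and profiles."""
    root = ET.fromstring(xml_bytes)
    info = {"kind": _local(root.tag), "datastreams": [], "benchmarks": []}
    for el in root.iter():  # includes the root itself, so a bare Benchmark works
        name = _local(el.tag)
        if name == "data-stream":
            info["datastreams"].append(el.get("id"))
        elif name == "Benchmark":
            platforms = [c.get("idref") for c in el if _local(c.tag) == "platform"]
            profiles = [c.get("id") for c in el if _local(c.tag) == "Profile"]
            info["benchmarks"].append({"id": el.get("id"), "platforms": platforms,
                                       "profiles": profiles,
                                       "platform_guess": infer_platform(platforms)})
    return info


def inspect_scap_bundle(zip_bytes):
    """Open the whole bundle as it is uploaded and inspect each XML member.
    Raises ValueError when no benchmark is present, the case in which
    SecurityCenter reports an invalid file."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            try:
                members[name] = inspect_xml(zf.read(name))
            except ET.ParseError as exc:
                members[name] = {"kind": "malformed", "error": str(exc),
                                 "datastreams": [], "benchmarks": []}
    if not any(m["benchmarks"] for m in members.values()):
        raise ValueError("no XCCDF benchmark found in bundle")
    return members


# Constructed SCAP 1.2 source data stream with one benchmark and one profile.
DATASTREAM_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_example.org_collection_demo">
  <ds:data-stream id="scap_example.org_datastream_demo" scap-version="1.2" use-case="CONFIGURATION">
    <ds:checklists>
      <ds:component-ref id="scap_example.org_cref_xccdf" xlink:href="#scap_example.org_comp_xccdf"/>
    </ds:checklists>
  </ds:data-stream>
  <ds:component id="scap_example.org_comp_xccdf" timestamp="2015-05-28T00:00:00">
    <xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example.org_benchmark_demo">
      <xccdf:title>Constructed demo benchmark</xccdf:title>
      <xccdf:platform idref="cpe:/o:microsoft:windows_7"/>
      <xccdf:Profile id="xccdf_example.org_profile_baseline"><xccdf:title>Baseline</xccdf:title></xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""

# Constructed minimal OVAL member: present in real bundles, but offers no profiles.
OVAL_XML = b'<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>'


def build_sample_bundle(include_benchmark=True):
    """Zip the constructed members in memory, as a downloaded bundle would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if include_benchmark:
            zf.writestr("demo-ds.xml", DATASTREAM_XML)
        zf.writestr("demo-oval.xml", OVAL_XML)
        zf.writestr("README.txt", "constructed bundle")
    return buf.getvalue()


if __name__ == "__main__":
    for member, info in inspect_scap_bundle(build_sample_bundle()).items():
        print(member, info["kind"], info["datastreams"])
        for bm in info["benchmarks"]:
            print("  benchmark", bm["id"], "->", bm["platform_guess"], bm["profiles"])
```

Point `inspect_scap_bundle` at the bytes of a downloaded bundle to list the profile ids before choosing one in the upload form; a `platform_guess` of None is exactly the situation in which the type drop-down is left for the user to fill in.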
After loading the SCAP content, SecurityCenter displays the available profile(s) within the file:

If multiple profiles are available, SecurityCenter will display them in the drop-down window next to Profile. In the screen capture above, only one profile is available.

SecurityCenter automatically attempts to identify the benchmark SCAP type as being for Windows or Linux. If it is unable to determine the type, the drop-down will be empty and the user must make the appropriate selection before submitting the audit file.

Adding the Audit File to a Scan Policy

Once the audit file is loaded into SecurityCenter, it can be used in a scan policy. One or more audit files can be specified in a scan policy; they do not all need to be based on SCAP content. Vulnerability policy definition and usage is covered in the SecurityCenter documentation.

1. Create a new Policy. Navigate to Scans -> Policies. Click Add -> Select the SCAP Compliance Audit template.
2. Select Custom report. Add Name and Description under the Setup menu option, and then select Custom under Report.
3. Enable the Generate SCAP XML Results option.
4. Select the audit file. Select the Compliance menu option to select an audit file.
5. Apply the audit file to the Policy. Select SCAP Linux or SCAP Windows and then proceed to apply a predefined audit file.
[Figure: Selecting an Audit File for Use in a Scan Policy]

Running a SCAP Scan

1. Navigate to Scans -> Add.
2. Add Name and Description, and then select the SCAP policy that was previously created.
3. Select Targets or add an IP address or range under Targets.
4. Add valid credentials for the target(s), and then click Submit.

At a minimum, the policies must include the following:

- The specific audit policies to be used.
- Port scanning options. If no vulnerability audits are being performed, consider disabling port scanning to speed up scanning.

The vulnerability scan credentials are added to the scan itself, and not through the scan policy creation dialog.

The Windows Remote Registry service is crucial to read Windows registry settings specified by XCCDF policies and content. Nessus has the ability to start this service and then turn it off when the audit is done. If there are issues with starting the service during a scan, the scan results will show these findings (highlighted below):

[Figure: scan results showing the Remote Registry findings]

In addition to enabling the Windows Remote Registry service, the Windows Management Instrumentation (WMI) service must also be started to enable the scanner to run a successful compliance check against the remote host(s). Please refer to Microsoft's documentation on starting the WMI service on the Windows host(s) to be scanned.

It should also be noted that, while not relevant to Windows, the SSH service must be started on Red Hat target systems in order for the scanner to connect and run a successful compliance check.

SCAP compliance audits require sending an executable named tenable_ovaldi_2ef350e0435440418f7d33232f74f260.exe to the remote host. Systems that run security software (e.g., McAfee Host Intrusion Prevention) may block or quarantine the executable required for auditing. For those systems, an exception must be made for either the host or the executable sent.

Analyzing Scan Results

When scans complete, the results will be available in the Scan Results interface. Important SCAP data references are available for querying from the Scan Results interface via the query and filter tools. A Vulnerability Summary listing of configuration items found during an audit of a Windows 7 host is shown below:

[Figure: SecurityCenter Scan Results]
Scan results will show the measured value (Actual Value) of the system(s) scanned, as well as the value specified in the SCAP content (Policy Value):

Filters can be used to locate SCAP-relevant entries, such as CCE, CVE, CPE, or CVSS references:

[Figure: SecurityCenter Filters]
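The same pass/fail/error triage and CCE filtering can be done offline on the XCCDF part of the SCAP XML download described later in this document. The script below is an added example, not Tenable's code: it reads an XCCDF 1.2 TestResult, tallies the rule results by state, separates real failures from rules whose check could not be performed (the "error" state), and indexes rules by their CCE identifiers. The result document embedded in it is constructed, and its rule and CCE identifiers are placeholders.

```python
"""Summarise an XCCDF TestResult: counts per result state, the rules that
failed or could not be evaluated, and an index by CCE/other identifier for
filtering. Added example, not Tenable's code; the result document below is
constructed and its rule and CCE identifiers are placeholders.
"""
from collections import Counter
import xml.etree.ElementTree as ET

# Result states defined by XCCDF 1.2 for a rule-result element.
XCCDF_STATES = ("pass", "fail", "error", "unknown", "notapplicable",
                "notchecked", "notselected", "informational", "fixed")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def summarize_test_result(xml_bytes):
    """Parse the first TestResult in the document into a summary dict."""
    root = ET.fromstring(xml_bytes)
    tr = next((el for el in root.iter() if _local(el.tag) == "TestResult"), None)
    if tr is None:
        raise ValueError("document contains no XCCDF TestResult")
    summary = {"id": tr.get("id"), "target": None, "score": None,
               "counts": Counter(), "rules": [], "by_ident": {}}
    for child in tr:
        name = _local(child.tag)
        if name == "target":
            summary["target"] = _text(child)
        elif name == "score" and summary["score"] is None:
            summary["score"] = float(_text(child))
        elif name == "rule-result":
            state = next((_text(c) for c in child if _local(c.tag) == "result"), "unknown")
            if state not in XCCDF_STATES:
                state = "unknown"
            idents = [(_text(c), c.get("system")) for c in child if _local(c.tag) == "ident"]
            rule = {"id": child.get("idref"), "severity": child.get("severity"),
                    "result": state, "idents": idents}
            summary["rules"].append(rule)
            summary["counts"][state] += 1
            for ident, _system in idents:
                summary["by_ident"].setdefault(ident, []).append(rule["id"])
    return summary


def needs_attention(summary):
    """Split the rules a reviewer must act on: 'fail' is a real finding, while
    'error' means the check could not be performed (for example because the
    Remote Registry or WMI service was unavailable), so the rule's true state
    is unknown until the scan prerequisites are fixed and the scan repeated."""
    return {
        "fail": [r["id"] for r in summary["rules"] if r["result"] == "fail"],
        "error": [r["id"] for r in summary["rules"] if r["result"] == "error"],
    }


# Constructed XCCDF 1.2 result for one host; identifiers are placeholders.
SAMPLE_RESULT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<xccdf:TestResult xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example.org_testresult_demo"
    start-time="2015-05-28T10:00:00" end-time="2015-05-28T10:05:00">
  <xccdf:target>win7-demo.example.org</xccdf:target>
  <xccdf:rule-result idref="xccdf_example.org_rule_password_length" severity="medium">
    <xccdf:result>pass</xccdf:result>
    <xccdf:ident system="http://cce.mitre.org">CCE-EXAMPLE-0001</xccdf:ident>
  </xccdf:rule-result>
  <xccdf:rule-result idref="xccdf_example.org_rule_audit_logon" severity="high">
    <xccdf:result>fail</xccdf:result>
    <xccdf:ident system="http://cce.mitre.org">CCE-EXAMPLE-0002</xccdf:ident>
  </xccdf:rule-result>
  <xccdf:rule-result idref="xccdf_example.org_rule_registry_dependent" severity="medium">
    <xccdf:result>error</xccdf:result>
    <xccdf:ident system="http://cce.mitre.org">CCE-EXAMPLE-0003</xccdf:ident>
  </xccdf:rule-result>
  <xccdf:rule-result idref="xccdf_example.org_rule_not_in_profile" severity="low">
    <xccdf:result>notselected</xccdf:result>
  </xccdf:rule-result>
  <xccdf:score system="urn:xccdf:scoring:default" maximum="100">50.0</xccdf:score>
</xccdf:TestResult>
"""

if __name__ == "__main__":
    s = summarize_test_result(SAMPLE_RESULT_XML)
    print(s["target"], dict(s["counts"]), "score", s["score"])
    print(needs_attention(s))
    print("CCE-EXAMPLE-0002 ->", s["by_ident"].get("CCE-EXAMPLE-0002"))
```

A non-empty `error` list is the offline counterpart of the Compliance Check Test Error described under Technical Issues: those rules contribute nothing to the pass/fail tallies, so the target prerequisites (Remote Registry, WMI, SSH, security-software exceptions) should be resolved and the scan rerun before the score is reported.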
Technical Issues

There are several technical issues to be aware of when analyzing the scan results:

- The Compliance Check Test Error will show as ERROR (medium severity) if an audit cannot be performed. It will report as a pass if there was an error at one point, but scans have since proceeded without issue.
- If there are errors related to Schematron errors, missing requirements, etc. while running a SCAP scan, those errors will be reported under plugin ID 66759 or 66578.
Downloading Nessus Scan Results

To download your scan results for importing into another SecurityCenter or Nessus, choose the Nessus download format. This provides a zipped version of the report results. The name of the file will be in the format <scanid>-nessus.zip, where the scan ID is the actual scan ID used in SecurityCenter. A screen capture of the download process is shown below:

[Figure: Downloading Nessus Scan Results]

Downloading SCAP Scan Results

In addition to Nessus scan results, users can also download reports in SCAP format. Choose Download SCAP XML to download reports in SCAP (XCCDF/OVAL/SCAP) format. A screen capture of the download process is shown below:

[Figure: Downloading SCAP XML Results]

About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Our family of products includes SecurityCenter Continuous View, which provides the most comprehensive and integrated view of network health, and Nessus, the global standard in detecting and assessing network data. Tenable is relied upon by many of the world's largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense. For more information, visit tenable.com.