SecurityCenter 5.0 SCAP Assessments. May 28, 2015 (Revision 2)


Table of Contents

Overview
Standards and Conventions
Abbreviations
Simple Assessment Procedure
XCCDF Certified vs. Lower-Tier Content
Operation
Target Exceptions
Downloading SCAP XCCDF Content
Working with SecurityCenter
Loading SCAP Content into SecurityCenter
Adding the Audit File to a Scan Policy
Running a SCAP Scan
Analyzing Scan Results
Technical Issues
Downloading Nessus Scan Results
Downloading SCAP Scan Results
About Tenable Network Security

Overview

This document describes how to use Tenable's SecurityCenter to generate SCAP content audits as well as SCAP OVAL, XCCDF, ASR, and ARF reports from the scan results.

Standards and Conventions

Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as gunzip, httpd, and /etc/passwd. Command line options and keywords are also indicated with the courier bold font. Command line options may or may not include the command line prompt and output text from the results of the command. Often, the command being run will be boldfaced to indicate what the user typed. Below is an example running of the Unix pwd command:

    # pwd
    /opt/sc/daemons
    #

Important notes and considerations are highlighted with this symbol and grey text boxes. Tips, examples, and best practices are highlighted with this symbol and white on blue text.

Abbreviations

The following abbreviations are used throughout this documentation:

ARF    Assessment Results Format
ASR    Assessment Summary Results
CCE    Common Configuration Enumeration
CPE    Common Platform Enumeration
CVE    Common Vulnerability Enumeration
FDCC   Federal Desktop Core Configuration
LASR   Lightweight Asset Summary Results Schema
NIST   National Institute of Standards and Technology
OVAL   Open Vulnerability and Assessment Language
SCAP   Security Content Automation Protocol
USGCB  United States Government Configuration Baseline
XCCDF  Extensible Configuration Checklist Description Format

Simple Assessment Procedure

To perform a SCAP assessment, follow these high-level steps:

1. Download certified NIST SCAP content in its zip file format. Note that the entire zip file must be obtained for use with SecurityCenter.
2. Upload the SCAP content zip file to SecurityCenter in the same manner as an audit file. Select the appropriate datastream, benchmark, and profile to be used in the desired audit.
3. Associate the uploaded SCAP content audit file with a properly configured scan policy that is targeting the desired asset(s). When creating the policy, make sure that Generate SCAP XML Results is selected.
4. Perform a vulnerability scan based on the selected policy.
5. When the scan is completed, view the results within SecurityCenter's Scan Results section.

Each of these steps is documented in detail later in this document.

XCCDF Certified vs. Lower-Tier Content

Tenable designed SecurityCenter 5.0 and higher to work with the official XCCDF Tier IV content used in the SCAP program. Beta quality XCCDF-compliant content (Tier III and below) is also available from NIST. Tier definitions are listed below:

IV   Will work in SCAP validated tool
III  Should work in SCAP validated tool
II   Non-SCAP automation content
I    Non-automated prose content

Operation

Performing SCAP assessments as described in this document requires SecurityCenter 5.0 or higher.

Target Exceptions

Red Hat 5:

- Root login should be enabled on the target (PermitRootLogin yes in /etc/ssh/sshd_config).
  o This is required to allow Nessus to log in to the remote host and run the scan.
- Iptables should be disabled (service iptables stop) on the target.
  o Iptables rules could prevent Nessus from running the scan on the remote target; therefore it is recommended to disable the service or at least configure it in such a way that doesn't interfere with Nessus scans.

Windows:

- The Remote Registry service should be enabled on the target.
  o The Windows Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry will not be possible, even with full credentials.
- If UAC must be enabled, then the user must add LocalAccountTokenFilterPolicy and set its value to 1. This key should be created in the registry at the following location:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
  This is only required for targets that are not part of a domain, to allow Nessus to gain access to administrative shares during the scan.

The following exceptions do not deviate the target from the Tier IV content but are required for SecurityCenter 5.0 to perform a scan:

#1. When running SecurityCenter scans against USGCB-compliant Windows Vista and Windows 7 target hosts, the USGCB content in SCAP 1.2 format must be extracted and the XCCDF file then re-zipped on its own:
1. Extract the Win7-2.0.5.1.zip or WinVista-3.0.5.1.zip USGCB SCAP content.
2. Next, zip scap_gov.nist_usgcb-windows-7.xml or scap_gov.nist_usgcb-windows-vista.xml using the Microsoft Windows default archiver (the Windows archiver must be used for the content to import properly).
3. Proceed with validation testing.

#2. When running a SecurityCenter scan on a Windows XP target host using the combined validation content, the wmi_memory_limit.vbs script must be run on the target prior to scanning. Steps to run wmi_memory_limit.vbs:
1. Extract the wmi_memory_limit.zip folder.
2. Run wmi_memory_limit.vbs on the Windows XP target host using the following command:
   cscript wmi_memory_limit.vbs
3. Reboot for the changes to take effect.
4. Proceed with validation testing.
This will raise the WMI memory limit to 512 MB on Windows XP.

#3. PowerShell checks will not run on the target unless Microsoft .NET Framework 2.0 and Microsoft Visual C++ 2008 Redistributable Package, or Microsoft .NET Framework 4 and Microsoft Visual C++ 2010 Redistributable Package, are installed on the target.

Downloading SCAP XCCDF Content

SecurityCenter users can obtain the various SCAP bundles at http://web.nvd.nist.gov/view/ncp/repository. Bundles can be downloaded collectively as a single .zip archive depending on the platform to be assessed and the version of SCAP and OVAL desired to be used in an assessment. When a SCAP bundle file is unzipped, multiple files relating to the specific platform are extracted. The following section describes how to load these files into SecurityCenter and generate audit policies that can be used for SCAP assessments.

Working with SecurityCenter

Only users with the Create Audit Files permission can upload audit files and SCAP content to SecurityCenter. The Security Manager and Administrator users always have this permission. Audit files and SCAP content uploaded by the administrator are available to any Organization, while those uploaded by the Security Manager are available to their respective Organization only.

Loading SCAP Content into SecurityCenter

To load XCCDF/SCAP content into SecurityCenter, navigate to Scans and select Audit Files in SecurityCenter:

[Figure: Audit Files Screen Selection]

[Figure: Loading the Audit File]

Select Add, and then click Advanced under Custom templates. This displays a choose file option where a single audit file or SCAP content file can be added to SecurityCenter. Select the file to upload to SecurityCenter, and then click Submit.

Many XML files are distributed in SCAP content. These files define the checks (in OVAL) and the target platforms (CPE). SecurityCenter expects a zip file with valid SCAP content to be loaded as the reference file and will generate an error message after an attempt to load an invalid file.
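Before uploading a bundle, it helps to see what SecurityCenter will find inside it. The Python script below is an added example, not Tenable's code and not part of this document: it opens a SCAP content zip, lists the XCCDF benchmarks and their profiles, and guesses the Windows or Linux type from the benchmark's CPE platform references, raising an error for a zip that contains no XCCDF benchmark at all. The bundle it inspects is constructed in memory; every id and file name in it is an assumed example, not NIST content.

```python
"""Pre-upload check of a SCAP content zip.

Added example, not Tenable's code: finds XCCDF benchmarks (standalone XCCDF
files or benchmarks embedded in a SCAP 1.2 data-stream collection), lists
their profiles, and guesses Windows vs Linux from CPE platform references.
"""
import io
import zipfile
import xml.etree.ElementTree as ET


def _local(tag):
    """'{ns}Profile' -> 'Profile'."""
    return tag.rsplit("}", 1)[-1]


def _ns(tag):
    """'{ns}Profile' -> 'ns'."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _benchmarks(root):
    """Every XCCDF Benchmark element in the document, standalone or embedded."""
    return [el for el in root.iter()
            if _local(el.tag) == "Benchmark" and "xccdf" in _ns(el.tag)]


def _guess_platform(benchmark):
    """Map CPE platform ids to the SCAP type SecurityCenter asks for (Windows/Linux)."""
    ids = " ".join(el.get("idref", "").lower()
                   for el in benchmark.iter() if _local(el.tag) == "platform")
    if "microsoft:windows" in ids:
        return "Windows"
    if "redhat" in ids or "linux" in ids:
        return "Linux"
    return None  # undetermined: the user has to pick the type by hand


def inspect_scap_bundle(zip_bytes):
    """List benchmarks in the zip with their profiles and platform guess.

    Raises ValueError when no XCCDF benchmark is present, the case in which
    SecurityCenter rejects the upload as invalid SCAP content.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # not well-formed XML, so not SCAP content
            for bm in _benchmarks(root):
                profiles = [(p.get("id"),
                             next((c.text for c in p if _local(c.tag) == "title"), ""))
                            for p in bm if _local(p.tag) == "Profile"]
                found.append({"file": name, "benchmark": bm.get("id"),
                              "platform": _guess_platform(bm), "profiles": profiles})
    if not found:
        raise ValueError("no XCCDF benchmark found: not valid SCAP content")
    return found


# Constructed sample: a SCAP 1.2 data-stream collection embedding a Windows 7
# benchmark with two profiles, plus a standalone XCCDF 1.1 Red Hat benchmark.
SAMPLE_DS = b"""<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="scap_example_collection_win7">
  <ds:component id="scap_example_comp_xccdf">
    <xccdf:Benchmark id="xccdf_example_benchmark_windows-7">
      <xccdf:platform idref="cpe:/o:microsoft:windows_7"/>
      <xccdf:Profile id="xccdf_example_profile_usgcb">
        <xccdf:title>USGCB profile (constructed)</xccdf:title>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_example_profile_minimal">
        <xccdf:title>Minimal profile (constructed)</xccdf:title>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""
SAMPLE_RHEL = b"""<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="xccdf_example_benchmark_rhel5">
  <platform idref="cpe:/o:redhat:enterprise_linux:5"/>
  <Profile id="example-rhel5-server"><title>RHEL 5 server (constructed)</title></Profile>
</Benchmark>
"""


def build_sample_bundle(valid=True):
    """Pack the constructed XML into a zip; valid=False builds a zip with no SCAP content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if valid:
            zf.writestr("scap_example_datastream.xml", SAMPLE_DS)
            zf.writestr("example-rhel5-xccdf.xml", SAMPLE_RHEL)
        zf.writestr("notes.xml", b"<notes>constructed, not SCAP</notes>")
    return buf.getvalue()


if __name__ == "__main__":
    for bm in inspect_scap_bundle(build_sample_bundle()):
        print(bm["file"], bm["benchmark"], bm["platform"] or "type undetermined")
        for pid, title in bm["profiles"]:
            print("   profile:", pid, "-", title)
```

The platform guess mirrors the behaviour described for the upload dialog: when no CPE reference gives the type away, the function returns None, which is the case in which the operator must choose SCAP Windows or SCAP Linux by hand.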

After loading the SCAP content, SecurityCenter displays the available profile(s) within the file. If multiple profiles are available, SecurityCenter will display them in the drop-down window next to Profile. In the screen capture above, only one profile is available. SecurityCenter automatically attempts to identify the benchmark SCAP type as being for Windows or Linux. If it is unable to determine the type, the drop-down will be empty and the user must make the appropriate selection before submitting the audit file.

Adding the Audit File to a Scan Policy

Once the audit file is loaded to SecurityCenter, it can be used in a scan policy. One or more audit files can be specified in a scan policy. They do not all need to be based on SCAP content. Vulnerability policy definition and usage is covered in the SecurityCenter documentation.

1. Create a new Policy. Navigate to Scans -> Policies. Click Add -> Select the SCAP Compliance Audit template.

2. Select Custom report. Add Name and Description under the Setup menu option, and then select Custom under report.

3. Enable the Generate SCAP XML Results option.
4. Select the audit file. Select the Compliance menu option to select an audit file.
5. Apply the audit file to the Policy. Select SCAP Linux or SCAP Windows and then proceed to apply a predefined audit file.

[Figure: Selecting an Audit File for Use in a Scan Policy]

Running a SCAP Scan

1. Navigate to Scans -> Add.
2. Add Name and Description, and then select the SCAP policy that was previously created.
3. Select Targets or add an IP address or range under Targets.
4. Add valid credentials for the target(s), and then click Submit.

At a minimum, the policies must include the following:

- The specific audit policies to be used.
- Port scanning options. If no vulnerability audits are being performed, consider disabling port scanning to speed up scanning.

The vulnerability scan credentials are added to the scan itself, and not through the scan policy creation dialog.

The Windows Remote Registry service is crucial to read Windows registry settings specified by XCCDF policies and content. Nessus has the ability to start this service and then turn it off when the audit is done. If there are issues with starting the service during a scan, the scan results will show these findings (highlighted below):

In addition to enabling the Windows Remote Registry service, the Windows Management Instrumentation (WMI) service must also be started to enable the scanner to run a successful compliance check against the remote host(s). Please refer to Microsoft's documentation on starting the WMI service on the Windows host(s) to be scanned. It should also be noted that, while not relevant to Windows, the SSH service must be started on Red Hat target systems in order for the scanner to connect and run a successful compliance check.

SCAP compliance audits require sending an executable named tenable_ovaldi_2ef350e0435440418f7d33232f74f260.exe to the remote host. Systems that run security software (e.g., McAfee Host Intrusion Prevention) may block or quarantine the executable required for auditing. For those systems, an exception must be made for either the host or the executable sent.

Analyzing Scan Results

When scans complete, the results will be available in the Scan Results interface. Important SCAP data references are available for querying from the Scan Results interface via the query and filter tools. A Vulnerability Summary listing of configuration items found during an audit of a Windows 7 host is shown below:

[Figure: SecurityCenter Scan Results]

Scan results will show the measured value (Actual Value) of the system(s) scanned, as well as the value specified in the SCAP content (Policy Value). Filters can be used to locate SCAP relevant entries, such as CCE, CVE, CPE, or CVSS references:

[Figure: SecurityCenter Filters]

Technical Issues

There are several technical issues to be aware of when analyzing the scan results:

- The Compliance Check Test Error will show as ERROR (medium severity) if an audit cannot be performed. It will report as a pass if there was an error at one point, but now scans have proceeded without issue.

- If there are errors related to Schematron errors, missing requirements, etc. while running a SCAP scan, those errors will be reported under plugin ID 66759 or 66578.
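The same distinction between a check that failed and a check that could not be performed is visible in the XCCDF results that SecurityCenter exports as SCAP XML. The Python script below is an added example, not Tenable's code and not part of this document: it parses the TestResult section of an XCCDF document, counts outcomes, and lists every rule that failed or errored together with its CCE identifiers, which is the value you would then use in the CCE filter of Scan Results. The result file is constructed inline; its rule ids and CCE values are placeholders, not real CCE entries.

```python
"""Summarise an XCCDF result file exported as SCAP XML.

Added example, not Tenable's code: reads the <TestResult> rule-results of an
XCCDF document, counts outcomes, and lists failed or errored rules with their
CCE identifiers. The XML is constructed; the CCE values are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

CCE_SYSTEM = "http://cce.mitre.org"
ATTENTION = ("fail", "error", "unknown")   # outcomes worth a second look


def _local(tag):
    """'{ns}Rule' -> 'Rule'."""
    return tag.rsplit("}", 1)[-1]


def summarize_xccdf_results(xml_text):
    """Return {'counts': Counter of results, 'attention': [(rule id, result, [CCE ids])]}.

    A rule-result of 'error' means the check could not be performed on the
    host, the XCCDF-side counterpart of the Compliance Check Test Error.
    """
    root = ET.fromstring(xml_text)
    # Rule ids -> CCE idents, taken from the Benchmark's Rule definitions.
    cce_by_rule = {}
    for rule in root.iter():
        if _local(rule.tag) == "Rule":
            cce_by_rule[rule.get("id")] = [
                i.text for i in rule
                if _local(i.tag) == "ident" and i.get("system") == CCE_SYSTEM]
    counts, attention = Counter(), []
    for tr in root.iter():
        if _local(tr.tag) != "TestResult":
            continue
        for rr in tr:
            if _local(rr.tag) != "rule-result":
                continue
            result = next((c.text for c in rr if _local(c.tag) == "result"), "unknown")
            counts[result] += 1
            if result in ATTENTION:
                rid = rr.get("idref")
                attention.append((rid, result, cce_by_rule.get(rid, [])))
    return {"counts": counts, "attention": attention}


def render_report(summary):
    """Plain-text listing: one line of counts, then one line per rule needing attention."""
    lines = ["result counts: " + ", ".join(
        f"{k}={v}" for k, v in sorted(summary["counts"].items()))]
    for rid, result, cces in summary["attention"]:
        lines.append(f"  {result:7} {rid}  CCE: {', '.join(cces) or '(none)'}")
    return "\n".join(lines)


# Constructed sample result document (ids and CCE values are placeholders).
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_windows-7">
  <Rule id="xccdf_example_rule_remote_registry" severity="medium">
    <title>Remote Registry service configured (constructed)</title>
    <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-1</ident>
  </Rule>
  <Rule id="xccdf_example_rule_password_length" severity="high">
    <title>Minimum password length (constructed)</title>
    <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-2</ident>
  </Rule>
  <Rule id="xccdf_example_rule_powershell_check" severity="low">
    <title>Check implemented in PowerShell (constructed)</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_1" end-time="2015-05-28T00:00:00">
    <rule-result idref="xccdf_example_rule_remote_registry"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_length"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_powershell_check"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    print(render_report(summarize_xccdf_results(SAMPLE_RESULTS)))
```

In the constructed sample the PowerShell-based rule comes back as error rather than fail, which is the pattern to expect on a target that lacks the .NET Framework and Visual C++ prerequisites listed under Target Exceptions: the rule was not evaluated, so its outcome says nothing about the setting itself.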

Downloading Nessus Scan Results

To download your scan results for importing into another SecurityCenter or Nessus, choose the Nessus download format. This provides a zipped version of the report results. The name of the file will be in the format <scanid>-nessus.zip, where the scan ID is the actual scan ID used in SecurityCenter. A screen capture of the download process is shown below:

[Figure: Downloading Nessus Scan Results]

Downloading SCAP Scan Results

In addition to Nessus scan results, users can also download reports in SCAP format. Choose Download SCAP XML to download reports in SCAP (XCCDF/OVAL/SCAP) format. A screen capture of the download process is shown below:

[Figure: Downloading SCAP XML Results]

About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Our family of products includes SecurityCenter Continuous View, which provides the most comprehensive and integrated view of network health, and Nessus, the global standard in detecting and assessing network data. Tenable is relied upon by many of the world's largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense. For more information, visit tenable.com.