Configuration Benchmark auditing with Nexpose and Nessus

EDIT: Something just realized and confirmed by Rapid7 is that Nexpose does not currently support Cisco, Solaris, nor Oracle config auditing. So the breadth of platforms Nexpose can audit is limited in comparison.

Intro: A history/disclaimer before getting into this post. I have extensive experience with Nessus and more so, the enterprise solution from Tenable Called Security Center.

I have had Demos from Rapid7 and have ran trial version of the Nexpose VM appliance, as well as a Trial of Nexpose installed on Windows.

As far as vulnerability scanning experience in general, I have extensive experience with nmap and IBM ISS Internet Scanner/Enterprise scanner. Just fyi.

With that said, I don’t want to necessarily give recommendations as to what scanner to purchase. Purpose of this post is to just provide the facts based on my experience. Feel free to correct me with comments or via twitter.

So lets begin!

Nessus: List of capabilities from Tenable can be found on their site, here. You will see the Standards-based audits, such as CIS, DISA STIG, NIST, PIC and more.

Tenable does include tutorial videos on how things work. Paul Asadoorian and Co. do a good job with these. Here is one pertaining to Config auditing.

I need to run CIS and DISA STIG config audits on Win2k8, Cisco firewall, router and switches, Solaris and Oracle databases. I also need the ability to modify a CIS audit benchmark, but not just the values, such as 3 minutes for session timeouts, but add additional baseline checks.

These benchmarks to be used in Nessus are in .audit format. This is proprietary to Nessus and is a text file that you import into the Nessus tool and you can include this into a Nessus scan policy. This way you can scan for vulnerabilities and also config benchmarks in a single scan job. Pretty easy and simple. Only complication is if you need to modify the benchmark checks, you will have to understand the .audit file and edit it in notepad++ or whatever editor of your choice. My thoughts are it would be pretty nice and easier to have a gui tool to make these policy creations or editing.

Here is an example of a .audit file benchmark check: (from Tenable documentation)

description: "xp_cmdshell option"
info: "The xp_cmdshell extended stored procedures allows exe
cution of host
executables outside the controls of database access permissions and may be
exploited by malicious users."
info: "Checking that the xp_cmdshell stored procedure is set to '0'"
sql_request: "select value_in_use from sys.configurations where
name = 'xp_cmdshell'"
sql_expect: "0"

This particular check is pretty easy to understand, but there can be more complicated ones and what if you need to add a custom baseline policy from scratch? Of course documentation is your friend, but a gui tool still may make it a lot easier. A year ago I posted on the Tenable discussions forum, asking if they planned putting in a gui for benchmark compliance policies. They have been looking into the possibility but have some concerns. You can read the discussion here:
I would be very interested in hearing feedback from Nessus customers on their views based on their experience with Nessus .audit file customization and if a gui would benefit.

Nexpose: List of capabilities for Nexpose performing config benchmarking can be found here. The page states Nexpose covers CIS, FDCC, USGCB and SCAP. I was worried seeing that many other standards were missing from this list. During my exposure to a vendor demo of the product, I noticed some lacking of these capabilities also, but was assured that future releases would provide more coverage. Now, when I downloaded the trial, I noticed that there is a capability to upload benchmark audit policy to Nexpose, so that solves any standards issues, as long as you have access to xccdf and oval XML files to be imported into Nexpose. DISA STIG have these at their website. CIS XML files are available as well to paying members via their website.

So looking at the gui Policy Configuration editor, I am quite impressed. It is a folder hierarchy view and gives the ability to modify values, but not so much the ability to add values. Here is a screen shot of a specific rule:


You can upload your own custom benchmark policies into Nexpose, so as long as you create or modify SCAP xccdf/oval files. I had a good discussion with rpoppa from Rapid7 on their Security Street community site about this:

I will say, it does seem easier to edit/create a Nessus .audit file than mess with xccdf/oval files. More on this later. My question for Nexpose customers is how useful do you find the policy manager that gives you a gui to edit/modify values to audit compliance with. Is it of great benefit or is it rarely used? Are the default CIS or FDCC policies are the only ones mostly used by customers and little customization actually done?

Nexpose as well as Nessus, can scan for vulns and baseline compliance in the same scan. The view of the results is pretty good and exportable if needed, just as in Nessus.

Now back to editing xccdf/oval policies for use in either converting to a Nessus .audit file or importing directly into Nexpose Policy editor. I was searching for a gui editor and found one from a reputable source, Mitre. Take a look here.
You may want to try it and see how it works. I tried it out briefly but hope to soon work with it more intensively. It makes the xml files easier to read and edit. It is good to have an understanding of how xccdf/oval work. There are often 2 files that reference each other, so it can get pretty advanced. My idea for this tool would be to open xccdf/oval files edit and customize them to customer needs, then save them. From there I can either convert them to a .audit file for Nessus(Tenable has a tool for this conversion) or directly import them into Nexpose. This would of course make the Nexpose Policy editor gui, not needed, because all the editing was done on the xccdf/oval files.

So in conclusion, Nessus and Nexpose provide very good vulnerability scanning solutions. Benchmark compliance auditing is more indepth and granular type of scanning. Both of these tools have these capabilities but may be at different levels of maturity. They seem to also have different approaches. So based on your preference, you can either work with relatively easy to edit .audit files with a text editor to use with Nessus or a nice gui policy editor in Nexpose, but customize prior using xccdf/oval editors. Hopefully this post is informative and helpful. I know its not fully complete, as I would like to further test scans on a variety of platforms with different standards/policies. Maybe a blog post to follow up with be needed.

Thanks for visiting.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>