Check Windows Services with Nessus Auditfile

Objective

  • Monitor Windows Services with Nessus via auditfile

Nessus Auditfile Check

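You can verify the StartType of Windows services with Nessus by using a Nessus auditfile.
The example below checks that the Telnet service is disabled if it is installed. With svc_option set to CAN_BE_NULL, the check also passes when the service is not present on the host.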

<custom_item>
 type : SERVICE_POLICY
 description : "CCE-37037-9:The Telnet service must be disabled if installed"
 info : "STIG V-26606"
 value_type : SERVICE_SET
 value_data : "Disabled"
 service_name : "tlntsvr"
 svc_option : CAN_BE_NULL
</custom_item>

Generating an auditfile for each installed Windows Service

The following PowerShell script generates a service check for each installed service, using the service's current StartType as the expected value, and saves the result to services.audit:

# Build an absolute path: the .NET call at the end resolves relative paths
# against the process working directory, not PowerShell's current location.
$auditfile = Join-Path (Get-Location).Path 'services.audit'
$services = Get-Service

# Write-Output emits each argument as its own line; '' adds a blank separator line.
$header = Write-Output '<check_type: "Windows" version:"2">' '<group_policy: "MS Windows Server">' ''
$footer = Write-Output '</group_policy>' '</check_type>'

# One SERVICE_POLICY item per installed service.
$checks = $services | ForEach-Object {
    Write-Output '<custom_item>'
    Write-Output ' type : SERVICE_POLICY'
    $Description = ' description : "Check Service ' + $_.DisplayName + '"'
    Write-Output $Description
    Write-Output ' value_type : SERVICE_SET'
    # The StartType found at generation time becomes the expected value.
    $Value = ' value_data : "' + $_.StartType + '"'
    Write-Output $Value
    $Servicename = ' service_name : "' + $_.Name + '"'
    Write-Output $Servicename
    # CAN_NOT_BE_NULL: the check fails if the service is missing.
    Write-Output ' svc_option : CAN_NOT_BE_NULL'
    Write-Output '</custom_item>' ''
}

$header | Out-File -Encoding "UTF8" $auditfile
$checks | Out-File -Encoding "UTF8" $auditfile -Append
$footer | Out-File -Encoding "UTF8" $auditfile -Append

# PowerShell saves the file with a Byte-Order Mark (BOM).
# Nessus will not process the auditfile in that form,
# so we rewrite the file as UTF-8 without a BOM here.
$MyFile = Get-Content $auditfile
$Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
[System.IO.File]::WriteAllLines($auditfile, $MyFile, $Utf8NoBomEncoding)
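
Before uploading a generated auditfile, it is worth confirming that the BOM is really gone and that every item is well formed. The following check is an added example, not part of the original script or of Nessus; Test-ServiceAuditFile, the sample items and the list of accepted start types are assumptions made for illustration.

```powershell
# Added example. Test-ServiceAuditFile is a hypothetical helper, not a Nessus or PowerShell cmdlet.
function Test-ServiceAuditFile {
    param([Parameter(Mandatory)][string]$Path)
    # .NET file APIs ignore PowerShell's current location, so resolve to a full path first.
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).Path)
    # A UTF-8 BOM is the byte sequence EF BB BF at offset 0.
    $hasBom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF
    $text  = [System.Text.Encoding]::UTF8.GetString($bytes)
    $items = [regex]::Matches($text, '(?s)<custom_item>(.*?)</custom_item>')
    # Returns the quoted value of one 'key : "value"' line inside an item body.
    $field = { param($body, $key)
        [regex]::Match($body, ('(?m)^\s*{0}\s*:\s*"(.*)"\s*$' -f $key)).Groups[1].Value }

    $problems = foreach ($item in $items) {
        $body = $item.Groups[1].Value
        $name = & $field $body 'service_name'
        $type = & $field $body 'value_data'
        $desc = & $field $body 'description'
        if (-not $name) { 'item without service_name' }
        # Assumption: SERVICE_SET is compared against these three start types.
        if ($type -notin 'Automatic', 'Manual', 'Disabled') { "${name}: unexpected value_data '$type'" }
        # A DisplayName containing a double quote leaves the quoted description ambiguous.
        if ($desc -match '"') { "${name}: double quote inside description" }
    }
    [pscustomobject]@{ HasBom = $hasBom; ItemCount = $items.Count; Problems = @($problems) }
}

# Constructed sample (not from a real host): saved with a BOM, second item has a quoted DisplayName.
$sample = @'
<custom_item>
 type : SERVICE_POLICY
 description : "Check Service Telnet"
 value_type : SERVICE_SET
 value_data : "Disabled"
 service_name : "tlntsvr"
 svc_option : CAN_NOT_BE_NULL
</custom_item>
<custom_item>
 type : SERVICE_POLICY
 description : "Check Service Example "Agent""
 value_type : SERVICE_SET
 value_data : "Automatic"
 service_name : "exampleagent"
 svc_option : CAN_NOT_BE_NULL
</custom_item>
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'sample.audit'
[System.IO.File]::WriteAllText($tmp, $sample, (New-Object System.Text.UTF8Encoding $true))
Test-ServiceAuditFile -Path $tmp
```

Run it against services.audit after the generator finishes; HasBom should be False and Problems should be empty before the file is handed to Nessus.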