by Sharon Everson
July 16, 2019
To ensure they have the most complete information about the security posture of assets, organizations should deploy scans that use credentials. Scans that use credentials and successfully authenticate on a system (and run with Local Security Checks enabled) return a more comprehensive set of data about the system. This Assurance Report Card (ARC) provides the ability to report and analyze authenticated scan results for Debian, Ubuntu, and Kali systems.
When managing a large enterprise, problems often arise when verifying the validity of a vulnerability scan. However, challenges can arise while ensuring the Operating System (OS) is correctly identified so that the relevant checks can be run and that the system is properly authenticated. For example, some hosts may have invalid credentials, valid credentials but insufficient privileges, or connectivity issues. Through the use of Dynamic Assets, Tenable.sc is able to group devices together for a comparative analysis. Using the ARC, Tenable.sc provides advanced analysis capabilities to facilitate and easily distribute this functionality to organizations.
This ARC presents a series of policy statements which, together, can be used to troubleshoot, fix, and verify authenticated scan results. The policy statements are grouped so that the analyst can focus on issues related to OS Detection, Authentication Errors, and Authentication Success. The first 4 policy statements relate to operating system detection and the OS detection confidence level. The first policy statement reports on systems that are scanned by Nessus that are running SSH servers. The next policy statement helps identify systems running for which identifying the operating system was not possible. Examine these systems so that they can be properly identified and then authenticated. The next two policy statements indicate the OS detection confidence level of systems running SSH on identified operating systems. The fifth policy shows all those systems that were identified as Debian, Ubuntu, or Kali. This number includes all Debian, Ubuntu, and Kali systems (those running SSH servers and those not running SSH servers).
The following 2 policy statements help isolate various types of authentication-related issues on suspected Debian, Ubuntu, or Kali systems. To help identify authentication-related issues, the next 5 policy statements help isolate various types of Debian, Ubuntu, or Kali systems with successful credentials. The first of these helps identify Kali systems with successful authentication but with Local Checks disabled (currently, local checks are not available for Kali systems). The next two of these policy statements help identify Debian, Ubuntu, or Kali systems with authentication issues. The next policy statement provides analysts with a clear view of systems with successful credentials that may still have authentication problems.
Finally, the last policy statement shows those systems identified as Debian, Ubuntu, or Kali with successful authentication, with local checks enabled, and without authentication errors.
This ARC is available in the Tenable.sc feed, which is a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc feed under the Compliance category. The ARC requirements are as follows:
- Tenable.sc 5.9.0
- Nessus 8.5.1
This ARC provides the organization with clear and simplified method to identify Debian, Ubuntu, and Kali systems for analysis. By first Discovering the systems running SSH Servers from the scanned devices, the ARC can then assess the operating systems of the targets to ensure the devices are running Debian, Ubuntu, or Kali. Then, the data is Analyzed for proper authentication, which facilitates the Fix and Measuring steps to the Cyber Exposure Lifecycle. Tenable.sc is the On-Prem solution for understanding a comprehensive picture of the network, while keeping the data under the organization’s control. Built on leading Nessus technology, Tenable.sc discovers unknown assets and vulnerabilities, and monitors unexpected network changes before they turn into breaches.
This ARC includes the following policy statements:
1. Number of systems scanned found to be running SSH - This policy statement displays a ratio number of the systems running SSH compared to the total number of systems scanned. Compliance for this policy statement is Any system matching the policy.
2. OS Detection - Linux: Systems running SSH where OS Linux detection was not successful - This policy identifies systems that were scanned and found to be running a SSH server, but for some reason the operating system was not discovered. Systems that match this policy should be investigated for misconfiguration, valid login credentials, or for proper identification as a Debian, Ubuntu, or Kali computer. Compliance for the policy is No systems matching the policy.
3. OS Detection - Linux: Less than 6% of Systems running SSH where OS detection confidence level was less than 95 - This policy identifies systems that were scanned and found to have a SSH server, however, Nessus was not confident of the operating systems. The matching systems are most likely running a version of Linux, but the version could be new or the authentication could have been invalid. Systems matched by this policy should be investigated for misconfiguration, valid login credentials, or for proper identification as a Debian, Ubuntu, or Kali computer. Compliance for the policy is less than 6% systems matching the policy, which allows for new systems that are found on the network.
4. OS Detection - Linux: Greater than 94% of Systems running SSH where OS detection confidence level was greater than 94 - This policy identifies systems that were scanned and found to be running a SSH server. Nessus is confident of the identified operating system. The matching systems are running a version of Linux. Compliance for the policy is greater than 94% systems matching the policy.
5. OS Detection – Debian/Ubuntu/Kali: Systems with Operating System identified as Debian, Ubuntu, or Kali - This policy identifies systems that were scanned and identified to be Debian, Ubuntu, or Kali. Nessus is confident of the identified operating system. Compliance for the policy is Any system matching the policy.
6. Authentication Errors: Suspected Debian, Ubuntu, or Kali Systems with No authentication attempts recorded - This policy identifies systems where the OS is suspected to be Debian, Ubuntu, or Kali and no authentication was attempted. This could mean no suitable protocol was presented to Nessus, no credentials were available for the operating system, or another issue is present. These systems should be investigated and special attention should be paid to how the operating system was detected and what condition exists that prevents proper authentication attempts. This policy statement displays a ratio number of the systems so identified compared to the total number of suspected Debian, Ubuntu, or Kali systems. Compliance for the policy is No systems matching the policy.
7. Authentication Errors: Suspected Debian, Ubuntu, or Kali Systems and Authentication Failures - This policy identifies systems where the OS is suspected to be Debian, Ubuntu, or Kali, however, the credentials provided with the scan failed to allow Nessus to login correctly. Invalid credentials, incompatible protocol settings, or other similar problems could cause this issue. The vulnerability data collected on this system should be considered incomplete. This policy statement displays a ratio number of the systems so identified compared to the total number of suspected Debian, Ubuntu, or Kali systems. Compliance for the policy is No systems matching the policy.
8. Authentication Success: No Systems identified as Kali with Authentication Success and Local Checks Not Available - This policy identifies systems where the OS is correctly identified as Kali and with authentication success, however, local checks are not available. Nessus does not currently provide local checks for Kali systems. This policy statement displays the percentage of the systems identified compared to the total number of Debian, Ubuntu, or Kali systems with Authentication Success. Compliance for the policy is No systems matching the policy.
9. Authentication Success: No Systems identified as Debian, Ubuntu, or Kali with Authentication Success and Authentication Failures - This policy identifies systems where the OS is correctly identified and with authentication success, however, the credentials provided with the scan failed to allow Nessus to login correctly. Invalid credentials, incompatible protocol settings, or other similar problems could cause this issue. The vulnerability data collected on this system should be considered incomplete. This policy statement displays the percentage of the systems identified compared to the total number of Debian, Ubuntu, or Kali systems with Authentication Success. Compliance for the policy is No systems matching the policy.
10. Authentication Success: No Systems identified as Debian, Ubuntu, or Kali with Local Checks disabled - This policy provides a list of systems that have been successfully authenticated, however, local checks were not enabled. While these systems should be considered successfully authenticated, there could be missing vulnerability data. System administrators should investigate these systems for misconfiguration. This policy statement displays the percentage of the systems identified compared to the total number of Debian, Ubuntu, or Kali systems with Authentication Success. Compliance for the policy is No systems matching the policy.
11. Authentication Success: Less than 6% of Systems identified as Debian, Ubuntu, or Kali with Local Checks Enabled & Errors - This policy provides a list of systems that have been successfully authenticated, however, there were recorded problems related to permissions or access to any number of resources. While these systems should be considered successfully authenticated, there could be missing vulnerability data. System administrators should investigate these systems for misconfiguration or possible insufficient privileges for the scan account. This policy statement displays the percentage of the systems identified compared to the total number of Debian, Ubuntu, or Kali systems with Authentication Success. Compliance for the policy is less than 6% systems matching the policy, which allows for new systems that are found to be on the network.
12. Authentication Success: Greater than 94% Systems identified as Debian, Ubuntu, or Kali with Successful Authentication, Local Checks, and without Errors - This policy identifies the majority of Debian, Ubuntu, or Kali systems on the network. Analysts can rely on the vulnerability data collected for these targets. Nessus was able to login and collect missing patches, compliance settings, and many other risk indicators based on the applied scan policies. This policy statement displays the percentage of the systems so identified compared to the total number of Debian, Ubuntu, or Kali systems with Authentication Success. Compliance for the policy is greater than 94% systems matching the policy.