Auditing Linux, Apache, & MySQL Against CIS Benchmarks
Stacking Up to CIS Benchmarks
The Center for Internet Security (CIS) establishes consensus benchmarks for a large variety of applications and operating systems. These benchmarks are a valuable aid to evaluate the security of your systems. Tenable has produced a number of Nessus audit files that have been certified by the Center for Internet Security to perform audits against the CIS standards. These audit files are available to ProfessionalFeed and Security Center customers through the the Tenable Support Portal.
To use these audit files, you will need to provide Nessus with credentials to login to the target host to compare the configuration against the CIS standards. Scans that use login credentials run much faster than network-based scans and the results often provide more detailed vulnerability
findings and information on configuration issues.
The audit files I used for this scan are:
- CIS_MySQL_4.1_5.1_Benchmark_v1.0.1.audit
- CIS_Apache_v2_1.audit
- CIS_Redhat_ES5_1_1.audit
The above audit files correspond to the published CIS benchmarks. You can obtain these benchmark documents by registering on the Center For Internet security web site. The audit files are loaded into the NessusClient and the scan policy is configured accordingly (please refer to the Nessus 4.0 Users Guide for more information).
Note
| The target system in this example is actually running CentOS 5.2. CentOS mirrors the Red Hat distributions libraries and most of its configuration. The CIS Apache configuration checks expect the Apache software to reside in /usr/local/apache2 , which is not where it resides on CentOS. To rectify this problem we can use some simple Linux commands to create a symbolic link that allows the compliance checks to find the Apache configuration:
|
Setting up Nessus for Compliance Checking
The NessusClient needs credentials on the target host to perform compliance checking on the operating system and Apache configuration. This procedure has been covered on the Tenable Blog in several posts (For example, "Configuring Nessus To Scan Through Firewalls"), and in the Nessus Product Documentation.
If you want to audit a database configuration, provide Nessus with database credentials, the name of the database to test and the database type as shown:
The login provided must exist in the database and have the appropriate permissions. To setup access permissions on the MySQL server, execute the following command on the database:
| mysql> grant all on oscomm.* to nessus@'192.168.10.122' identified by 'areallylongandcomplicatedbypass'; |
The SQL statement above creates a user called "nessus" and grants permission to all tables in the "oscomm" database. The user name in this example is "nessus" but it can be anything.
Reviewing the Results
When the scan completes, you will see results that you may not see in a network-based scan. For example, in our PCI compliant post, Nessus found problems with the MySQL configuration. The compliance audit scan with login credentials goes much deeper and finds that the database is using insecure passwords:
The compliance checking can check the strength of the password by measuring the size of the hash and against a required certain length. Passwords are often the weakest link in your defenses, and this check provides a great way to test them. The database is also not using SSL for communications:
The above check audits the MySQL configuration and tests if SSL is enabled for communications with the MySQL server. Compliance checking also identifies missing functionality. For example, the CIS benchmarks for Apache servers require that mod_security be installed and configured. The compliance checking does not find this on our target system and reports on it:
Conclusion
Nessus provides several different ways to test your systems for vulnerabilities and compliance against multiple standards. Network-based scans provide a thorough view of the vulnerabilities available to remote attackers. Standards, such as PCI-DSS, help guide you in the configuration of such scans and the security level of your systems as a whole. Security benchmarks, such as those from CIS, offer very detailed system hardening guidelines. System hardening is crucial to securing your systems and preventing attacks. For example, if an attacker does penetrate a system, hardening the operating system can lessen the impact and make an attacker work hard to collect sensitive information. Nessus provides a way to audit your systems on a regular basis and ensure that the hardening guidelines are followed. You can even create your own audit files and test your systems against internal policies and procedures.
References
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
Cybersecurity Snapshot: New Guides Offer Best Practices for Preventing Shadow AI and for Deploying Secure Software Updates
October 25, 2024Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.
- Nessus
- Security Frameworks