
Appendix A: Example Unix Compliance File

Note: The following file, tenable_unix_compliance_template.audit, is available from the Tenable Support Portal. This file lists the different types of Unix compliance checks that can be performed using Tenable’s Unix compliance module. The actual file may have updates that are not reflected here.

#

# (C) 2008-2010 Tenable Network Security, Inc.

#

# This script is released under the Tenable Subscription License and

# may not be used from within scripts released under another license

# without authorization from Tenable Network Security, Inc.

#

# See the following licenses for details:

#

# http://cgi.tenablesecurity.com/Nessus_3_SLA_and_Subscription_Agreement.pdf

# http://cgi.tenablesecurity.com/Subscription_Agreement.pdf

#

# @PROFESSIONALFEED@

#

# $Revision: 1.11 $

# $Date: 2010/11/04 15:54:36 $

#

# NAME : Cert UNIX Security Checklist v2.0

#

#

# Description : This file is used to demonstrate the wide range of

# checks that can be performed using Tenable's Unix

# compliance module. It consists of all the currently

# implemented built-in checks along with examples of all

# the other customizable checks. See:
# https://plugins-customers.nessus.org/support-center/nessus_compliance_checks.pdf
# for more information.

#

#

###################################

# #

# File permission related checks #

# #

###################################

 

 

<check_type:"Unix">

 

# Example 1.
# File check example with owner and group
# fields set and mode field set in Numeric
# format.
#
# Expected state: /etc/inetd.conf is owned by root, group root, with
# octal mode 600 (owner read/write only; no group or world access).
# The "system" tag is commented out, so this item carries no OS
# restriction of its own (Example 10 shows the tag in use).
<custom_item>
#system : "Linux"
type : FILE_CHECK
description : "Permission and ownership check /etc/inetd.conf"
info : "Checking that /etc/inetd.conf has owner/group of root and is mode '600'"
file : "/etc/inetd.conf"
owner : "root"
group : "root"
mode : "600"
</custom_item>

 

 

# Example 2.
# File check example with just owner field set
# and mode set.
#
# The mode is given in symbolic (ls -l style) form, "-r-x------",
# which is octal 500 as the info string says: owner read/execute only,
# no group or world access. No "group" field is set, so group
# ownership is not audited by this item.
<custom_item>
#system : "Linux"
type : FILE_CHECK
description : "Permission and ownership check /etc/hosts.equiv"
info : "Checking that /etc/hosts.equiv is owned by root and mode '500'"
file : "/etc/hosts.equiv"
owner : "root"
mode : "-r-x------"
</custom_item>

 

# Example 3.
# File check example with just file field set
# starting with "~". This check will search
# and audit the file ".rhosts" in home directories
# of all accounts listed in /etc/passwd.
#
# As written, every user's ~/.rhosts must be owned by root with octal
# mode 600. NOTE(review): what the module reports for accounts that
# have no .rhosts file at all is not shown in this file — confirm in
# the compliance checks documentation before relying on this item.
<custom_item>
#system : "Linux"
type : FILE_CHECK
description : "Permission and ownership check ~/.rhosts"
info : "Checking that .rhosts in home directories have the specified ownership/mode"
file : "~/.rhosts"
owner : "root"
mode : "600"
</custom_item>

 

 

# Example 4.
# File check example with mode field having
# sticky bit set. Notice the first integer in
# the mode field 1 indicates that sticky bit is
# set. The first integer can be modified to check
# for SUID and SGID fields. Use the table below
# to determine the first integer field.
#
# 0 000 setuid, setgid, sticky bits are cleared
# 1 001 sticky bit is set
# 2 010 setgid bit is set
# 3 011 setgid and sticky bits are set
# 4 100 setuid bit is set
# 5 101 setuid and sticky bits are set
# 6 110 setuid and setgid bits are set
# 7 111 setuid, setgid, sticky bits are set
#
# Expected state: /var/tmp is root-owned and world-writable with the
# sticky bit (1777), so users can create files there but only remove
# their own. Example 5 expresses the same permission set in symbolic form.
<custom_item>
#system : "Linux"
type : FILE_CHECK
description : "Permission and ownership check /var/tmp"
info : "Checking that /var/tmp is owned by root and mode '1777'"
file : "/var/tmp"
owner : "root"
mode : "1777"
</custom_item>

 

# Example 5.
# File check example with mode field having
# sticky bit set in textual form and is owned by root.
#
# "-rwxrwxrwt" is the symbolic equivalent of the numeric "1777" used
# in Example 4; the trailing "t" is the sticky bit in the "other"
# execute position.
<custom_item>
#system : "Linux"
type : FILE_CHECK
description : "Permission and ownership check /tmp"
info : "Checking that the /tmp mode has the sticky bit set in textual form and is owned by root"
file : "/tmp"
owner : "root"
mode : "-rwxrwxrwt"
</custom_item>

 

####################################

# #

# Service/Process related checks #

# #

####################################

 

# Example 6.
# Process check to audit if fingerd is turned
# OFF on a given host.
#
# The item expects no "fingerd" process to be running. NOTE(review):
# how "name" is matched against the process list (exact name, prefix
# or pattern) is not shown in this file — confirm in the compliance
# checks documentation.
<custom_item>
#system : "Linux"
type : PROCESS_CHECK
description : "Check fingerd process status"
info : "This check looks for the finger daemon to be 'OFF'"
name : "fingerd"
status : OFF
</custom_item>

 

# Example 7.
# Process check to audit if sshd is turned
# ON on a given host.
#
# Mirror image of Example 6: the item expects an "sshd" process to be
# present. The same caveat about how "name" is matched applies.
<custom_item>
#system : "Linux"
type : PROCESS_CHECK
description : "Check sshd process status"
info : "This check looks for the ssh daemon to be 'ON'"
name : "sshd"
status : ON
</custom_item>

 

###############################

# #

# File Content related checks #

# #

###############################

 

# Example 8
# File content check to audit if file /etc/host.conf
# contains the string described in the regex field.
#
# "regex" selects the lines to examine and "expect" must match the
# selected lines (Example 9 shows the two differing). Here both are the
# same string, so the item effectively tests that a line containing
# "order hosts,bind" is present. NOTE(review): "file" is an absolute
# path while "search_locations" also names /etc; how the two combine,
# and the result when no line matches "regex", are not shown here —
# confirm in the compliance checks documentation.
<custom_item>
#system : "Linux"
type : FILE_CONTENT_CHECK
description : "This check reports a problem if the order is not 'order hosts,bind' in /etc/host.conf"
file : "/etc/host.conf"
search_locations : "/etc"
regex : "order hosts,bind"
expect : "order hosts,bind"
</custom_item>

 

# Example 9
# This is a better example of a file content check. It first looks
# for the string ".*LogLevel=.*" and if it matches it checks whether
# it matches .*LogLevel=9. For example, if the file was to have LogLevel=8
# this check will fail since the expected value is set to 9.
#
# "file" is a bare name here, so the colon-separated "search_locations"
# list is where the module looks for sendmail.cf.
# NOTE(review): neither pattern is anchored. If the engine does a
# substring match, a line such as "LogLevel=90" also satisfies the
# expect pattern — confirm the matching semantics before using this
# form for a numeric policy threshold.
<custom_item>
#system : "Linux"
type : FILE_CONTENT_CHECK
description : "This check reports a problem when the log level setting in the sendmail.cf file is less than the value set in your security policy."
file : "sendmail.cf"
search_locations : "/etc:/etc/mail:/usr/local/etc/mail"
regex : ".*LogLevel=.*"
expect : ".*LogLevel=9"
</custom_item>

 

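# Example 10
# With compliance checks you can cause the shell to execute a command
# and parse the result to determine compliance. The check below determines
# whether the version of FreeBSD on the remote system is compliant with
# corporate standards. Note that since we determine the system type using
# the "system" tag, the check will skip if the remote OS doesn't match
# the one specified.
#
# The "expect" regex accepts FreeBSD 4.9, 4.10 through 4.99, major
# versions 5 through 9, and (last alternative) any two-or-more-digit
# major version, so "4.9 or higher" still holds for releases 10 and up.
<custom_item>
system : "FreeBSD"
type : CMD_EXEC
description : "Make sure that we are running FreeBSD 4.9 or higher"
# Plain ASCII hyphen. The earlier listing had an en dash ("–a"), which
# uname would reject as an unknown argument and the check would never pass.
cmd : "uname -a"
expect : "FreeBSD (4\.(9|[1-9][0-9])|[5-9]\.|[1-9][0-9]+\.)"
</custom_item>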

 

##################

# #

# Builtin Checks #

# #

##################

 

# Checks that are not customizable are built
# into the Unix compliance check module. Given below
# is the list of all the checks that are performed
# using the builtin functions. Please refer to the
# Unix compliance checks documentation for more
# details about each check.

#

 

 

# Password policy checks. Each "value" gives the range the audited
# setting must fall within; "MAX" apparently means no upper bound.
# NOTE(review): where the module reads these settings from (login
# definitions, shadow policy) is not shown here — confirm in the
# compliance checks documentation.
<item>
name: "minimum_password_length"
description : "Minimum password length"
# at least 14 characters
value : "14..MAX"
</item>
<item>
name: "max_password_age"
description : "Maximum password age"
# passwords must expire within 1 to 90 days
value: "1..90"
</item>
<item>
name: "min_password_age"
description : "Minimum password age"
# a new password must be kept for 6 to 21 days before it can be changed again
value: "6..21"
</item>

 

# Home directory checks for the accounts listed in /etc/passwd.
# The permission policy applied by "accounts_bad_home_permissions" is
# built into the module and is not visible in this file.
<item>
name: "accounts_bad_home_permissions"
description : "Account with bad home permissions"
</item>
<item>
name: "accounts_without_home_dir"
description : "Accounts without home directory"
</item>

 

# Login shell checks. A shell binary that is setuid, writable, or owned
# by an unexpected account can be replaced or abused, so each condition
# is reported separately. What counts as an "invalid" shell is decided
# by the module and is not visible here.
<item>
name: "invalid_login_shells"
description: "Accounts with invalid login shells"
</item>
<item>
name: "login_shells_with_suid"
description : "Accounts with suid login shells"
</item>
<item>
name: "login_shells_writeable"
description : "Accounts with writeable shells"
</item>
<item>
name: "login_shells_bad_owner"
description : "Shells with bad owner"
</item>

 

# /etc/passwd integrity checks: overall file consistency, extra UID 0
# accounts, duplicate fields, unshadowed password hashes, and GIDs that
# have no matching entry in /etc/group.
<item>
name: "passwd_file_consistency"
description : "Check passwd file consistency"
</item>
<item>
name: "passwd_zero_uid"
description : "Check zero UID account in /etc/passwd"
</item>
<item>
name : "passwd_duplicate_uid"
description : "Check duplicate accounts in /etc/passwd"
</item>
<item>
name : "passwd_duplicate_gid"
description : "Check duplicate gid in /etc/passwd"
</item>
<item>
name : "passwd_duplicate_username"
description : "Check duplicate username in /etc/passwd"
</item>
<item>
name : "passwd_duplicate_home"
description : "Check duplicate home in /etc/passwd"
</item>
<item>
name : "passwd_shadowed"
description : "Check every passwd is shadowed in /etc/passwd"
</item>
<item>
name: "passwd_invalid_gid"
description : "Check every GID in /etc/passwd resides in /etc/group"
</item>

 

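# /etc/group integrity checks: overall file consistency, extra GID 0
# groups, duplicate names/GIDs/members, and members that do not exist
# as users.
<item>
name : "group_file_consistency"
description : "Check /etc/group file consistency"
</item>
<item>
name: "group_zero_gid"
# Description corrected from "zero GUID": the check name refers to
# GID 0, and "GUID" is an unrelated term that would mislead a reader
# of the scan results.
description : "Check zero GID in /etc/group"
</item>
<item>
name: "group_duplicate_name"
description : "Check duplicate group names in /etc/group"
</item>
<item>
name: "group_duplicate_gid"
description : "Check duplicate gid in /etc/group"
</item>
<item>
name : "group_duplicate_members"
description : "Check duplicate members in /etc/group"
</item>
<item>
# The built-in check name keeps its original spelling ("nonexistant");
# it is presumably the identifier the module recognises, so leave it as is.
name: "group_nonexistant_users"
description : "Check for nonexistent users in /etc/group"
</item>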

 

</check_type>
