Configuration Audits, Data Leakage, and Compliance

What is an audit?

Nessus can be used to log into Unix and Windows servers, Cisco devices, SCADA systems, IBM iSeries servers, and databases to determine if they have been configured in accordance with the local site security policy. Nessus can also search the entire hard drive of Windows and Unix systems for unauthorized content.

It is important that organizations establish a site security policy before performing an audit to ensure assets are appropriately protected. A vulnerability assessment will determine if the systems are vulnerable to known exploits but will not determine, for example, if personnel records are being stored on a public server.

There is no absolute standard for security – it is a question of managing risk, and this varies between organizations.

For example, consider password requirements such as minimum/maximum password ages and account lockout policies. There may be very good reasons to change passwords frequently or infrequently. There may also be very good reasons to lock an account out after more than five login failures, but on a mission-critical system a higher threshold, or even disabling lockouts altogether, might be more prudent.

These configuration settings have much to do with system management and security policy, but not specifically with system vulnerabilities or missing patches. Nessus can perform compliance checks for Unix and Windows servers. Policies can be either very simple or very complex depending on the requirements of each individual compliance scan.

Audit vs. Vulnerability Scan

Nessus can perform vulnerability scans of network services as well as log into servers to discover any missing patches. However, a lack of vulnerabilities does not mean the servers are configured correctly or are “compliant” with a particular standard.

The advantage of using Nessus to perform vulnerability scans and compliance audits is that all of this data can be obtained at one time. Knowing how a server is configured, how it is patched and what vulnerabilities are present can help determine measures to mitigate risk.

At a higher level, if this information is aggregated for an entire network or asset class (as with Tenable Security Center), security and risk can be analyzed globally. This allows auditors and network managers to spot trends in non-compliant systems and adjust controls to fix these on a larger scale.

Audit Reports

When an audit is performed, Nessus attempts to determine if the host is compliant, non-compliant or if the results are inconclusive.

Compliance results in Nessus are logged as Pass, Fail, and Warning. Tenable Security Center logs results as Info for passed, High for failed, and Medium for inconclusive (e.g., a permissions check for a file that is not found on the system).

Unlike a vulnerability check, which only reports if the vulnerability is actually present, a compliance check always reports something. This way, the data can be used as the basis of an audit report to show that a host passed or failed a specific test, or could not be properly tested.
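The following is an added illustration, not Nessus or Tenable code, of the result semantics described in this section: a site policy expressed as allowed ranges for the password-age and lockout settings discussed earlier, evaluated against a few constructed hosts. Every check yields exactly one of Pass, Fail or Warning (Warning when the setting cannot be read, the "file not found" inconclusive case), each host is rolled up to compliant, non-compliant or inconclusive, the Nessus results are mapped to the Security Center severities named above, and failing checks are counted across hosts so a trend is visible. The `min..max` range syntax, the host names, the setting names and the per-asset-class policy override (a mission-critical class that permits lockouts to be disabled) are all assumptions made for the example.

```python
"""Model of compliance-check results: Pass / Fail / Warning per check, per host.

Constructed example; it does not read real Nessus output. The checks, ranges,
hosts and asset classes below are invented to illustrate the text.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Result vocabulary from the documentation: Nessus result -> Security Center severity.
SC_SEVERITY = {"Pass": "Info", "Fail": "High", "Warning": "Medium"}


@dataclass(frozen=True)
class RangeCheck:
    """One compliance check: a numeric setting must fall inside an allowed range."""
    name: str
    setting: str
    allowed: str  # "min..max" (assumed syntax for this example)

    def bounds(self) -> Tuple[int, int]:
        lo, hi = self.allowed.split("..")
        return int(lo), int(hi)

    def evaluate(self, settings: Dict[str, Optional[int]]) -> Tuple[str, str]:
        """Return (result, detail). A setting that is absent or unreadable is a
        Warning (inconclusive), not a Fail: the policy could not be tested."""
        value = settings.get(self.setting)
        if value is None:
            return "Warning", f"{self.setting} could not be read"
        lo, hi = self.bounds()
        if lo <= value <= hi:
            return "Pass", f"{self.setting}={value} within {self.allowed}"
        return "Fail", f"{self.setting}={value} outside {self.allowed}"


# Site policy (constructed). The mission-critical class deliberately allows a
# lockout threshold of 0 (lockouts disabled), reflecting a different risk decision.
COMMON = [
    RangeCheck("Maximum password age (days)", "max_password_age", "1..90"),
    RangeCheck("Minimum password age (days)", "min_password_age", "1..89"),
]
POLICIES = {
    "general": COMMON + [RangeCheck("Account lockout threshold", "lockout_threshold", "1..5")],
    "mission_critical": COMMON + [RangeCheck("Account lockout threshold", "lockout_threshold", "0..50")],
}

# Constructed hosts, as if their settings had been read over an authenticated login.
HOSTS = {
    "fileserver-01": {"asset_class": "general",
                      "settings": {"max_password_age": 60, "min_password_age": 1, "lockout_threshold": 5}},
    "web-02": {"asset_class": "general",
               "settings": {"max_password_age": 0, "min_password_age": 0, "lockout_threshold": 5}},
    "scada-hmi-01": {"asset_class": "mission_critical",
                     "settings": {"max_password_age": 45, "min_password_age": 1, "lockout_threshold": 0}},
    "legacy-03": {"asset_class": "general",
                  "settings": {"max_password_age": 30, "min_password_age": None, "lockout_threshold": 3}},
}


def audit_host(host: dict) -> Dict[str, Tuple[str, str]]:
    """Run every check of the host's policy; each check always produces a result."""
    return {c.name: c.evaluate(host["settings"]) for c in POLICIES[host["asset_class"]]}


def host_status(results: Dict[str, Tuple[str, str]]) -> str:
    """Roll per-check results up to the host-level verdict used in audit reports."""
    outcomes = {result for result, _ in results.values()}
    if "Fail" in outcomes:
        return "non-compliant"
    if "Warning" in outcomes:
        return "inconclusive"
    return "compliant"


def to_security_center(result: str) -> str:
    """Map a Nessus compliance result onto the Security Center severity."""
    return SC_SEVERITY[result]


def audit_network(hosts: dict) -> Dict[str, dict]:
    report = {}
    for name, host in hosts.items():
        checks = audit_host(host)
        report[name] = {"status": host_status(checks), "checks": checks}
    return report


def failures_by_check(report: Dict[str, dict]) -> Counter:
    """Aggregate Fail results per check across all hosts to expose trends."""
    counts: Counter = Counter()
    for entry in report.values():
        for check_name, (result, _) in entry["checks"].items():
            if result == "Fail":
                counts[check_name] += 1
    return counts


if __name__ == "__main__":
    network_report = audit_network(HOSTS)
    for host_name, entry in network_report.items():
        print(f"{host_name}: {entry['status']}")
        for check_name, (result, detail) in entry["checks"].items():
            print(f"  [{result}/{to_security_center(result)}] {check_name}: {detail}")
    print("Failures by check:", dict(failures_by_check(network_report)))
```

Note that `legacy-03` is reported as inconclusive rather than silently skipped: the unreadable minimum-age setting still produces a row in the report, which is what lets an auditor distinguish "not tested" from "passed".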