PaulDotCom mailing list archives

Nessus file/directory Auditing


From: rgula at tenablesecurity.com (Ron Gula)
Date: Mon, 22 Mar 2010 11:54:13 -0400

On 3/22/2010 8:27 AM, k41zen wrote:
All,

Anyone got any info on how the Nessus Content Auditing element of Nessus works? It claims to check document keywords such as "TOP SECRET" or "CONFIDENTIAL" and I'm curious as to how it does this.

On top of this, I'm looking for a tool that could log in to an SMB share and report back on files that are prefixed with something specific. Is this possible with Nessus?

Finally I'm also looking to scan an SMB share, searching for directories and sub-directories called something specific and then need to be able to check the perms on these to report back when a specific group which should be denied access is missing. Is this possible with Nessus?


In the Tenable ProfessionalFeed, we have a plugin that leverages
credentials, SMB and WMI to allow searches of files on remote computers.
You can do complex string searches and also specify what sorts of file
names and directories you want to look for. It's also smart enough to
intelligently search .docx, .xlsx and .pdf files which encode their data.

The audit policies are written in XML and have lots of simple keywords
for specifying regex, files, etc.

For example, here is the check for MasterCard:

<check_type:"WindowsFiles">
 <item>
   type: FILE_CONTENT_CHECK
   description: "Determine if a file contains a MasterCard #"
   file_extension: "doc" | "xls" | "pdf"
   regex: "([^0-9-]|^)(5[0-9]{3}( |-|)([0-9]{4})( |-|)([0-9]{4})( |-|)([0-9]{4}))([^0-9-]|$)"
   expect: "MasterCard"
   max_size : "1M"
   only_show: "4"
 </item>
</check_type>

Here is running the test from the command line:

[root@megalon plugins]# /opt/nessus/bin/nasl -t 192.168.20.16 ./compliance_check_windows_file_content.nbin


            Windows File Contents Compliance Checks, version 1.6.2

Which file contains your security policy : /root/cc.audit
Login : Administrator
Password :
Domain :
"Determine if a file contains a MasterCard #" : [FAILED]
 - error message:
The following files do not match your policy :
Share: C$, path: \sensitive data\datatest.pdf    (XXXXXXXXXXXXX4444)
Share: C$, path: \sensitive data\datatest.xls    (XXXXXXXXXXXX7734)
Share: C$, path: \sensitive data\look-at-me.pdf    (XXXXXXXXXXXXX4444)


If you just want to find files that are named something and are not
concerned about their actual content, this is also something Nessus can
do for you. Below is a search for a system that had a PDF or DOC with
the word 'data' in the path or name.

[root@megalon plugins]# /opt/nessus/bin/nasl -t 192.168.20.16 ./compliance_check_windows_file_content.nbin


            Windows File Contents Compliance Checks, version 1.6.2

Which file contains your security policy : /root/data.audit
Login : Administrator
Password :
Domain :
"Files with data in name" : [FAILED]
 - error message:
The following files do not match your policy :
Share: C$, path: \sensitive data\copy of ssn-by-state.xls
Share: C$, path: \sensitive data\datatest.pdf
Share: C$, path: \sensitive data\datatest.xls
Share: C$, path: \sensitive data\look-at-me.pdf
Share: C$, path: \sensitive data\ron gula.doc
Share: C$, path: \sensitive data\ssn-by-state-no-table.doc
Share: C$, path: \sensitive data\ssn-by-state-no-table.pdf
Share: C$, path: \sensitive data\ssn-by-state.doc
Share: C$, path: \sensitive data\ssn-by-state.pdf

-- 
Ron Gula, CEO
Tenable Network Security
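
Added example (not part of the message above and not Tenable code): a Python script for trying the MasterCard regex from the audit item against sample text before putting it in a policy, masking all but the last four digits in the spirit of only_show: "4". It assumes Python's re module treats this pattern the same way the plugin's regex engine does; the function names and the sample text are constructed for illustration.

```python
import re

# Regex from the audit item in the message, with the e-mail line wrap removed.
MASTERCARD_RE = re.compile(
    r"([^0-9-]|^)(5[0-9]{3}( |-|)([0-9]{4})( |-|)([0-9]{4})( |-|)([0-9]{4}))([^0-9-]|$)"
)

# Constructed sample text; the 16-digit values are widely published test numbers.
SAMPLE = """\
card: 5555-5555-5555-4444 exp 01/12
5555555555554444 5105105105105100
order 1234555555555555444499
4111111111111111
id 5000-0000-0000-0000-1
"""


def mask(number, only_show=4):
    """Drop separators and replace all but the last `only_show` digits with X."""
    digits = re.sub(r"[^0-9]", "", number)
    hidden = max(len(digits) - only_show, 0)
    return "X" * hidden + digits[hidden:]


def find_candidates(text, only_show=4):
    """Return masked candidate numbers found in `text`, scanning line by line."""
    hits = []
    for line in text.splitlines():
        pos = 0
        while True:
            m = MASTERCARD_RE.search(line, pos)
            if not m:
                break
            hits.append(mask(m.group(2), only_show))
            # Resume at the trailing delimiter: it may also be the leading
            # delimiter of the next number, which finditer() would consume.
            pos = m.end(2)
    return hits


if __name__ == "__main__":
    for hit in find_candidates(SAMPLE):
        print(hit)
```

The pattern has no checksum step, so any delimited 16-digit run starting with 5 is reported; digits embedded in a longer number or followed by a hyphen are not.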



