PaulDotCom mailing list archives
Nessus file/directory Auditing
From: rgula at tenablesecurity.com (Ron Gula)
Date: Mon, 22 Mar 2010 11:54:13 -0400
On 3/22/2010 8:27 AM, k41zen wrote:
> All,
>
> Anyone got any info on how the Nessus Content Auditing element of Nessus works? It claims to check document keywords such as "TOP SECRET" or "CONFIDENTIAL" and I'm curious as to how it does this.
>
> On top of this, I'm looking for a tool that could login to an SMB share and report back on files that are prefixed with something specific. Is this possible with Nessus?
>
> Finally I'm also looking to scan an SMB share, searching for directories and sub-directories called something specific and then need to be able to check the perms on these to report back when a specific group which should be denied access is missing. Is this possible with Nessus?

In the Tenable ProfessionalFeed, we have a plugin that leverages credentials, SMB and WMI to allow searches of files on remote computers. You can do complex string searches and also specify what sorts of file names and directories you want to look for. It's also smart enough to intelligently search .docx, .xlsx and .pdf files which encode their data.

The audit policies are written in XML and have lots of simple keywords for specifying regex, files, etc. For example, here is the check for MasterCard:

    <check_type:"WindowsFiles">
    <item>
      type: FILE_CONTENT_CHECK
      description: "Determine if a file contains a MasterCard #"
      file_extension: "doc" | "xls" | "pdf"
      regex: "([^0-9-]|^)(5[0-9]{3}( |-|)([0-9]{4})( |-|)([0-9]{4})( |-|)([0-9]{4}))([^0-9-]|$)"
      expect: "MasterCard"
      max_size : "1M"
      only_show: "4"
    </item>
    </check_type>

Here is running the test from the command line:

    [root@megalon plugins]# /opt/nessus/bin/nasl -t 192.168.20.16 ./compliance_check_windows_file_content.nbin
    Windows File Contents Compliance Checks, version 1.6.2
    Which file contains your security policy : /root/cc.audit
    Login : Administrator
    Password :
    Domain :
    "Determine if a file contains a MasterCard #" : [FAILED]
    - error message:
    The following files do not match your policy :
    Share: C$, path: \sensitive data\datatest.pdf (XXXXXXXXXXXXX4444)
    Share: C$, path: \sensitive data\datatest.xls (XXXXXXXXXXXX7734)
    Share: C$, path: \sensitive data\look-at-me.pdf (XXXXXXXXXXXXX4444)

If you just want to find files that are named something and are not concerned about their actual content, this is also something Nessus can do for you. Below is a search for a system that had a PDF or DOC with the word 'data' in the path or name.

    [root@megalon plugins]# /opt/nessus/bin/nasl -t 192.168.20.16 ./compliance_check_windows_file_content.nbin
    Windows File Contents Compliance Checks, version 1.6.2
    Which file contains your security policy : /root/data.audit
    Login : Administrator
    Password :
    Domain :
    "Files with data in name" : [FAILED]
    - error message:
    The following files do not match your policy :
    Share: C$, path: \sensitive data\copy of ssn-by-state.xls
    Share: C$, path: \sensitive data\datatest.pdf
    Share: C$, path: \sensitive data\datatest.xls
    Share: C$, path: \sensitive data\look-at-me.pdf
    Share: C$, path: \sensitive data\ron gula.doc
    Share: C$, path: \sensitive data\ssn-by-state-no-table.doc
    Share: C$, path: \sensitive data\ssn-by-state-no-table.pdf
    Share: C$, path: \sensitive data\ssn-by-state.doc
    Share: C$, path: \sensitive data\ssn-by-state.pdf

--
Ron Gula, CEO
Tenable Network Security
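
The sketch below is an added example, not Tenable's code and not part of the original message: it applies the regex from the audit item above to text, masks each hit down to its last four digits in the style of the output shown, and adds a Luhn checksum to separate plausible card numbers from look-alike 16-digit strings. The sample text is constructed, and the Luhn filter and the reading of `only_show` as "digits left unmasked" are assumptions that go beyond what the message states.

```python
import re

# Regex copied verbatim from the FILE_CONTENT_CHECK item in the message above.
MASTERCARD_RE = re.compile(
    r"([^0-9-]|^)(5[0-9]{3}( |-|)([0-9]{4})( |-|)([0-9]{4})( |-|)([0-9]{4}))([^0-9-]|$)"
)

# Constructed sample input; the valid numbers are widely published test card numbers.
SAMPLE = """order 1001 paid with 5555 5555 5555 4444
ref 5105-1051-0510-5100
tracking id 5123456789012345 shipped
serial 15555555555554444"""


def luhn_ok(digits):
    """Luhn checksum: an added filter, not part of the audit item."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits, only_show=4):
    """Hide all but the last `only_show` digits (assumed meaning of only_show)."""
    return "X" * (len(digits) - only_show) + digits[-only_show:]


def scan(text, only_show=4):
    """Return (line number, masked match, passes Luhn) for every regex hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        pos = 0
        while (m := MASTERCARD_RE.search(line, pos)):
            digits = re.sub(r"[ -]", "", m.group(2))
            findings.append((lineno, mask(digits, only_show), luhn_ok(digits)))
            pos = m.end(2)      # trailing delimiter may start the next match
    return findings


if __name__ == "__main__":
    for lineno, masked, valid in scan(SAMPLE):
        print(f"line {lineno}: {masked} luhn={'pass' if valid else 'fail'}")
```

The fourth sample line produces no finding because the regex requires a non-digit, non-hyphen character (or start of line) before the leading 5; the third matches the regex but fails the checksum.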