Auditing infrastructure

Compliance plugins are available under the Policy Compliance plugin family. This section lists the plugins available under this family, which illustrate the kinds of infrastructure for which a compliance audit can be performed. For each type of infrastructure element, such as servers, networks, and databases, the appropriate policy file, credentials, and plugin need to be selected, as described in the preceding sections of this chapter.

Windows compliance check

Using this plugin, one can check the compliance parameters set under the Policies option of the Windows framework. Examples of the checks conducted under a Windows audit include the following:

  • Registry setting
  • File permissions
  • Password policy
  • Lockout policy
  • Auditing policy
  • User rights policy
  • Service audits

Windows File Content

The Windows File Content option allows Nessus to check Windows file types (Excel, Adobe, or text files) that may contain sensitive data such as Personally Identifiable Information (PII) and credit card details.

Unix compliance check

Nessus can do a compliance check on different flavors of Unix such as Solaris, Red Hat, AIX, HP-UX, SUSE, Gentoo, and FreeBSD. Key checks include the following:

  • Password management
  • File permissions
  • Password file management
  • Permission management
  • Root access management
  • Running processes
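The password file and root access checks listed above amount to parsing /etc/passwd and /etc/shadow and comparing each field against policy. The following is an added example that is not part of the book or of Nessus: it runs three such checks (additional UID 0 accounts, accounts with an empty password field, and passwords whose maximum age exceeds the policy) over constructed file contents. The hashes are placeholders, and the 90-day maximum age is an assumed policy value.

```python
"""Password-file and root-access checks over constructed passwd/shadow data.

Added example, not Nessus code. File contents are constructed for
illustration; the hash values are placeholders, not real digests.
"""

# Constructed /etc/passwd: includes a second UID 0 account ("toor").
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:service:/var/lib/svc:/usr/sbin/nologin
"""

# Constructed /etc/shadow. Fields: name, hash, lastchg, min, max, warn,
# inactive, expire, reserved. "toor" has an empty password field.
SHADOW = """\
root:$6$PLACEHOLDERHASH:19700:0:99999:7:::
toor::19700:0:99999:7:::
alice:$6$PLACEHOLDERHASH:19700:1:90:7:::
svc:!:19700:0:99999:7:::
"""

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value, not from the page

PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")


def parse_colon_file(text, field_names):
    """Parse a colon-separated account file into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(dict(zip(field_names, line.split(":"))))
    return rows


def audit_unix_accounts(passwd_text, shadow_text, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return a sorted list of (check_name, account) findings."""
    findings = []

    # Root access management: only "root" should carry UID 0, and the
    # password hash must live in the shadow file, not in passwd.
    for row in parse_colon_file(passwd_text, PASSWD_FIELDS):
        if row["uid"] == "0" and row["name"] != "root":
            findings.append(("extra_uid0_account", row["name"]))
        if row["pw"] != "x":
            findings.append(("hash_in_passwd", row["name"]))

    # Password file management: no empty passwords, and a bounded
    # maximum age for every account that can log in with a password.
    for row in parse_colon_file(shadow_text, SHADOW_FIELDS):
        hashed = row["hash"]
        if hashed == "":
            findings.append(("empty_password", row["name"]))
        elif not hashed.startswith(("!", "*")):  # locked accounts are skipped
            try:
                age = int(row["max"])
            except ValueError:
                age = 99999  # treat a missing/invalid value as "never expires"
            if age > max_age:
                findings.append(("password_never_expires", row["name"]))
    return sorted(findings)


if __name__ == "__main__":
    for check, account in audit_unix_accounts(PASSWD, SHADOW):
        print(f"FAIL {check:24} {account}")
```

On a real host the two files would be read with root privileges, which is why the section above stresses supplying proper credentials for the scan; locked accounts (hash starting with "!" or "*") are deliberately excluded from the age check so that service accounts do not produce noise.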

Cisco IOS compliance checks

Using this plugin, the configuration of a device running Cisco IOS can be checked. Compliance checks can be done against saved, running, or startup configurations. Examples include the following:

  • Access list applied to interfaces
  • SNMP community strings are protected by ACLs
  • Unneeded services are disabled
  • An SNMP default community string is changed
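A configuration audit of this kind is text processing over the saved or running config. The following added example (not from the book or from Nessus) implements the four listed checks over a constructed IOS configuration excerpt: every interface carries an access group, every SNMP community string is followed by an ACL, no default community string ("public"/"private") is in use, and a small assumed list of unneeded services is absent. The check names and the list of services are assumptions.

```python
"""Audit a Cisco IOS configuration text for the four checks listed above.

Added example, not Nessus code. The configuration below is constructed
for illustration; check names and the UNNEEDED_SERVICES list are assumed.
"""
import re

# Constructed running-config excerpt: one SNMP community protected by ACL 10,
# a default community with no ACL, and one interface without an access group.
SAMPLE_CONFIG = """\
!
service tcp-small-servers
ip http server
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
snmp-server community MonitorRO RO 10
snmp-server community public RW
!
access-list 10 permit 192.0.2.50
access-list 101 permit ip any any
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# Services the audit expects to be disabled, i.e. absent from the config.
UNNEEDED_SERVICES = ("service tcp-small-servers",
                     "service udp-small-servers",
                     "ip http server")

# community string, optional RO/RW, optional ACL number or name
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$",
                     re.MULTILINE)


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from the indented blocks."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return interfaces


def audit_ios_config(config):
    """Run the checks and return a list of (check, detail, status)."""
    findings = []

    # 1. Access list applied to interfaces
    for name, cmds in parse_interfaces(config).items():
        applied = any(c.startswith("ip access-group ") for c in cmds)
        findings.append(("acl_on_interface", name,
                         "PASS" if applied else "FAIL"))

    # 2. SNMP community strings protected by ACLs
    # 4. SNMP default community strings changed
    for community, _mode, acl in SNMP_RE.findall(config):
        findings.append(("snmp_community_acl", community,
                         "PASS" if acl else "FAIL"))
        findings.append(("snmp_default_community", community,
                         "FAIL" if community.lower() in DEFAULT_COMMUNITIES
                         else "PASS"))

    # 3. Unneeded services are disabled
    lines = {line.strip() for line in config.splitlines()}
    for service in UNNEEDED_SERVICES:
        findings.append(("service_disabled", service,
                         "FAIL" if service in lines else "PASS"))
    return findings


def failed_checks(config):
    """Only the failing (check, detail) pairs, sorted for stable reporting."""
    return sorted((c, d) for c, d, s in audit_ios_config(config) if s == "FAIL")


if __name__ == "__main__":
    for check, detail, status in audit_ios_config(SAMPLE_CONFIG):
        print(f"{status:4} {check:24} {detail}")
```

The SNMP pattern treats the optional token after RO/RW as the ACL, which covers the common form of the command; a production audit would also have to recognise SNMPv3 groups and views, which this example does not attempt.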

Database compliance checks

Nessus can also check the compliance of different databases against security policies. Supported databases include MS SQL, Oracle, MySQL, PostgreSQL, IBM DB2, and Informix/DRDA. To ensure the completeness of a report, the account used to log in to the database should have SYSDBA or SA permission. Database compliance check plugins typically use SELECT queries to fetch security configurations from the database. The following are a few examples:

  • Checking for logins with no expiration details
  • Checking if unauthorized stored procedures are enabled
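Both examples reduce to a SELECT against the server's catalog views, where an empty result set means the check passes. The following added example (not from the book or from Nessus) shows that pattern: SQLite stands in for the database, the two tables mirror the column names of SQL Server's sys.sql_logins (is_expiration_checked, is_disabled) and sys.configurations (value_in_use) views, and every row is constructed. Which procedures count as "unauthorized" is a policy decision; the two named here are assumptions for the example.

```python
"""Database compliance checks expressed as SELECT queries.

Added example, not Nessus code. SQLite stands in for the database: the
tables mirror the column names of SQL Server's sys.sql_logins and
sys.configurations catalog views, and all rows are constructed.
"""
import sqlite3

# Constructed login catalog rows: (name, is_expiration_checked, is_disabled).
SAMPLE_LOGINS = [
    ("sa", 1, 0),
    ("app_user", 0, 0),      # no expiration enforced: should be flagged
    ("legacy_user", 0, 1),   # disabled account: not flagged
]

# Constructed server configuration options: (name, value_in_use).
SAMPLE_CONFIGS = [
    ("xp_cmdshell", 1),                 # enabled: should be flagged
    ("Ole Automation Procedures", 0),
    ("remote access", 0),
]

# Each check is a read-only SELECT returning the offending rows.
CHECKS = {
    "logins_without_expiration":
        "SELECT name FROM sql_logins "
        "WHERE is_expiration_checked = 0 AND is_disabled = 0 ORDER BY name",
    "unauthorized_procedures_enabled":
        "SELECT name FROM configurations "
        "WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures') "
        "AND value_in_use = 1 ORDER BY name",
}


def build_sample_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sql_logins "
                 "(name TEXT, is_expiration_checked INTEGER, is_disabled INTEGER)")
    conn.execute("CREATE TABLE configurations (name TEXT, value_in_use INTEGER)")
    conn.executemany("INSERT INTO sql_logins VALUES (?, ?, ?)", SAMPLE_LOGINS)
    conn.executemany("INSERT INTO configurations VALUES (?, ?)", SAMPLE_CONFIGS)
    return conn


def run_checks(conn, checks=CHECKS):
    """Return {check_name: [offending names]}; an empty list is a pass."""
    return {name: [row[0] for row in conn.execute(query)]
            for name, query in checks.items()}


def audit_sample_db():
    """Build the constructed database and run every check against it."""
    conn = build_sample_db()
    try:
        return run_checks(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for check, offenders in audit_sample_db().items():
        status = "FAIL" if offenders else "PASS"
        print(f"{status} {check}: {', '.join(offenders) or '-'}")
```

Against a real server the same queries would be issued over the scanner's database connection, which is why the text above asks for a SYSDBA or SA level account: catalog views that describe other logins and server-wide options are not fully visible to an ordinary user, and a check that silently sees only part of the catalog reports a false pass.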

PCI DSS compliance

Payment Card Industry Data Security Standard (PCI-DSS) is a well-known standard used for payment cards. Nessus offers PCI DSS compliance plugins to check the configuration against the requirement in this standard.

VMware vCenter/vSphere Compliance Check

The VMware vCenter/vSphere Compliance Check plugin uses the VMware SOAP API to audit VMware ESX, ESXi, and vCenter/vSphere virtualization software. Credential information to conduct an audit can be added to VMware vCenter SOAP API Settings in the Advanced section of a policy. Examples include the following:

  • Missing patches
  • Missing security updates

Some other platforms included in Nessus's compliance check options are listed below (please cross-check the updated documentation on Tenable's official website, https://support.tenable.com/). A few sections of this chapter have been referenced from learning material available on the Nessus website, http://www.tenable.com:

  • IBM iSeries compliance checks
  • Juniper Junos compliance checks
  • NetApp Data ONTAP compliance checks
  • Palo Alto Network PAN-OS compliance checks
  • Check Point GAiA compliance checks

    Tip

    The compliance plugins are only available to professional feed customers.
