Tuesday, April 22, 2014

Nessus and Name Resolution

For those of you who would rather see hostnames than IP addresses in the results you export as PDF and send off to the boss, Nessus can do that for you.

All you need is the output of plugin 12053 (Host Fully Qualified Domain Name (FQDN) Resolution). Obviously, the plugin has to be enabled in the scan policy before you launch the scan. Once the results are back, look for that plugin's findings and you'll see the resolved names of all the targets that were scanned. Filter the results accordingly and you're the star!
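
If you would rather not click through the report by hand, the same mapping can be pulled out of a .nessus (v2 XML) export. The script below is an added example, not Tenable's code; the sample export is constructed, and the "<ip> resolves as <name>." layout of the plugin output is an assumption about plugin 12053 that you should check against your own scanner version. Hosts the plugin did not resolve are kept with a None name rather than dropped, so the report still accounts for every target.

```python
"""Map scanned IPs to the hostnames that Nessus plugin 12053 resolved, from a .nessus export."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a .nessus (v2) export; not real scan data.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="Weekly scan">
  <ReportHost name="10.0.0.5">
    <HostProperties>
      <tag name="host-ip">10.0.0.5</tag>
    </HostProperties>
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                pluginID="12053" pluginName="Host Fully Qualified Domain Name (FQDN) Resolution">
      <plugin_output>
10.0.0.5 resolves as web01.example.test.
</plugin_output>
    </ReportItem>
    <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                pluginID="99999" pluginName="Some finding"/>
  </ReportHost>
  <ReportHost name="10.0.0.9">
    <HostProperties>
      <tag name="host-ip">10.0.0.9</tag>
    </HostProperties>
    <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                pluginID="99998" pluginName="Another finding"/>
  </ReportHost>
</Report>
</NessusClientData_v2>
"""

FQDN_PLUGIN_ID = "12053"
# Assumed layout of the plugin's output ("<ip> resolves as <name>."); adjust if yours differs.
RESOLVES_RE = re.compile(r"resolves as\s+(\S+?)\.?\s*$", re.MULTILINE)


def hostnames_from_nessus(xml_text):
    """Return {ip: fqdn_or_None} for every ReportHost in the export.

    The name comes from plugin 12053's output. Hosts where the plugin did not run,
    or could not resolve a name, get None so they are not silently dropped.
    """
    root = ET.fromstring(xml_text)
    names = {}
    for host in root.iter("ReportHost"):
        ip = host.get("name")
        fqdn = None
        for item in host.findall("ReportItem"):
            if item.get("pluginID") != FQDN_PLUGIN_ID:
                continue
            match = RESOLVES_RE.search(item.findtext("plugin_output") or "")
            if match:
                fqdn = match.group(1)
        names[ip] = fqdn
    return names


def label(ip, names):
    """Display label for the report: the FQDN when known, otherwise the bare IP."""
    fqdn = names.get(ip)
    return f"{fqdn} ({ip})" if fqdn else ip


if __name__ == "__main__":
    resolved = hostnames_from_nessus(SAMPLE_NESSUS)
    for address in resolved:
        print(label(address, resolved))
```

Feed it the .nessus file exported from the scan (read the file and pass its text to hostnames_from_nessus) and use label() wherever the report prints an address.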

Thursday, April 17, 2014

Managing Disk Space on Appliance for SecurityCenter

There are two things you can do here; it's your choice, but both are good to know:
1. Increase the disk space (the latest version of the appliance supports this). I have attached a doc on how to accomplish this - please see page 53.

2. Change the data expiration settings. This is the best way to have SC delete old data automatically. Have a quick look at the options below and set them according to your needs and your SC setup. This will bring disk usage down drastically.

Log in as admin and go to Configuration -> Expiration, then change the number of days for each of the items below:

Active: Active scanning data from Nessus scans, stored in the repository at /opt/sc4/repositories/<repoID>/hdb.* Example: /opt/sc4/repositories/1/hdb.*

Passive: Does this apply to you?
FYI, PVS data is stored in the same "active" repository files, /opt/sc4/repositories/<repoID>/hdb.* Example: /opt/sc4/repositories/1/hdb.*

Compliance: Data derived from .audit files (plugin IDs 1,000,000 and higher), also stored in the "active" repository files, /opt/sc4/repositories/<repoID>/hdb.* Example: /opt/sc4/repositories/1/hdb.*

Mitigated: A separate data store from the active repository, /opt/sc4/repositories/<repoID>/hdb-Patched.* Example: /opt/sc4/repositories/1/hdb-Patched.*

Vulnerability Trending data: This setting can consume a lot of disk on the SC console.
It creates a daily snapshot of the active repository. The snapshots live at /opt/sc4/repositories/<repoID>/VDB/<date>/ Example: /opt/sc4/repositories/1/VDB/2012-06-12/
They feed trending reports and the like, and are not compressed, for performance reasons.

Closed Tickets: Are you using SC4 for ticketing? If not, this one won't matter much.
Scan results: Individual scan results. Once a scan has been imported, SC does no further processing of that scan data unless the user tells it to.

Individual scan results live at /opt/sc4/orgs/<orgID>/VDB/<date>/<scanID>* Example: /opt/sc4/orgs/1/VDB/2012-06-12/43522*
It can be useful from time to time to compare what a single scan found on a given day with what the repository holds.

Report results: Reports that an individual user runs are never deleted automatically unless this setting is set.
A user's report files live at /opt/sc4/orgs/<orgID>/users/<userID>/reports Example: /opt/sc4/orgs/1/users/1/reports

 - Trending data is what generally grows the most. Control it by adjusting the retention in days: log in as admin and go to System -> Configuration -> Data Expiration -> Vulnerability Trending Data. After lowering the value, data older than X days is removed during the next nightlyCleanup job.
 - You can also disable trending per repository: go to Repositories -> Repositories, select the repository, click Edit, then uncheck "Trending". If trending was enabled before, the old trending data stays until it crosses the expiration threshold, after which it is removed a day at a time until it is all gone.
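
Before lowering the trending retention on a busy console, it helps to know how much the next nightly cleanup would actually free. The script below is an added example, not part of the post or of SecurityCenter; it walks the VDB/<date> layout described above, flags every snapshot older than a candidate retention value, and totals the bytes that would go. The directory tree it runs against is constructed in a temp directory with arbitrary file sizes, so it runs anywhere; on the appliance you would point it at /opt/sc4/repositories with today's date.

```python
"""Size up SecurityCenter trending snapshots before lowering the retention setting."""
import os
import tempfile
from datetime import date, timedelta


def dir_size(path):
    """Total bytes of the regular files under path (what 'du -sb' would report)."""
    total = 0
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            total += os.path.getsize(os.path.join(dirpath, name))
    return total


def trending_snapshots(repos_root, retention_days, today):
    """Return [(repo_id, snapshot_date, size_bytes, expired)] for every VDB/<date> directory.

    Layout, as described in the post: <repos_root>/<repoID>/VDB/<YYYY-MM-DD>/
    'expired' is True for snapshots older than retention_days, i.e. the ones the
    nightly cleanup would delete if Vulnerability Trending Data were set to that value.
    """
    cutoff = today - timedelta(days=retention_days)
    rows = []
    for repo_id in sorted(os.listdir(repos_root)):
        vdb = os.path.join(repos_root, repo_id, "VDB")
        if not os.path.isdir(vdb):
            continue
        for entry in sorted(os.listdir(vdb)):
            try:
                snap_date = date.fromisoformat(entry)
            except ValueError:
                continue  # not a dated snapshot directory; leave it alone
            size = dir_size(os.path.join(vdb, entry))
            rows.append((repo_id, entry, size, snap_date < cutoff))
    return rows


def reclaimable_bytes(rows):
    """Bytes the next nightly cleanup would free at the chosen retention."""
    return sum(size for _repo, _day, size, expired in rows if expired)


def build_sample_tree(base):
    """Constructed stand-in for /opt/sc4/repositories; the sizes are arbitrary."""
    for repo, day, size in [("1", "2012-06-10", 3000), ("1", "2012-06-11", 4000),
                            ("1", "2012-06-12", 5000), ("2", "2012-06-12", 7000)]:
        snap = os.path.join(base, repo, "VDB", day)
        os.makedirs(snap)
        with open(os.path.join(snap, "vdb.db"), "wb") as fh:
            fh.write(b"\0" * size)
    os.makedirs(os.path.join(base, "1", "VDB", "tmp"))  # undated directory: must be skipped


def demo(retention_days, today=date(2012, 6, 13)):
    """Run the check against the constructed tree; returns (rows, reclaimable_bytes)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        rows = trending_snapshots(base, retention_days, today)
    return rows, reclaimable_bytes(rows)


if __name__ == "__main__":
    rows, freed = demo(retention_days=1)
    for repo, day, size, expired in rows:
        print(f"repo {repo} VDB/{day}: {size} bytes{'  <- expires' if expired else ''}")
    print(f"would free {freed} bytes at 1 day retention")
```

On a real console, call trending_snapshots("/opt/sc4/repositories", <candidate days>, date.today()) as a user that can read the repository directories, and compare reclaimable_bytes against what df reports before you touch the setting.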

Thursday, April 10, 2014

The heart that bleeds... heartbleed and Nessus

The Heartbleed bug has caused some serious grief, and it hit hard.
Not knowing is always worse than knowing what the damage is, and in this case it is the 'not knowing': a heartbeat request leaks server memory without leaving anything in the logs, so nobody can say what was read. The bug has existed in OpenSSL for a couple of years. A leaked private key could be used for man-in-the-middle type attacks. Not sure whether it was deliberate or an accident.
Tenable, as always, has done a great job and came out with great plugins in record time.
Renaud has posted a great article on how to use them, and there's also a great post on the Tenable Blog by Ken.


Monday, April 7, 2014

Types of Access Control

Non-discretionary access control

Access rules are set and controlled centrally by the security administrator.
Users cannot change, modify or set the ownership of, or access to, objects.

Mandatory access control

The system, not the object owner, sets the access levels: subjects are given clearances, objects are given labels, and the system enforces the comparison. Users are put into different categories with different access levels, and an owner cannot loosen the result.
Famous example: SELinux

Discretionary Access Control – DAC

The owner of the object decides what level of privilege other users get to it.
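
The difference between the three models above is easiest to see in a small reference monitor. The code below is an added example, not code from the post or from any real system; the sensitivity lattice, the users and the objects are constructed. The DAC half lets an owner hand out ACL entries, the MAC half enforces no-read-up / no-write-down from the labels regardless of ownership, and the combined monitor shows that a discretionary grant can never widen access past what the mandatory policy allows.

```python
"""A tiny reference monitor that shows where DAC and MAC decisions differ."""
from dataclasses import dataclass, field

# Ordered sensitivity levels for the MAC policy (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str          # one of LEVELS


@dataclass
class Obj:
    name: str
    owner: str
    label: str              # one of LEVELS
    acl: dict = field(default_factory=dict)   # DAC: user name -> set of modes ("r", "w")


def dac_allows(subject, obj, mode):
    """Discretionary: the owner always passes; others need an ACL entry the owner gave them."""
    if subject.name == obj.owner:
        return True
    return mode in obj.acl.get(subject.name, set())


def dac_grant(grantor, obj, grantee, mode):
    """Only the owner may change the ACL; that is what makes the control discretionary.
    Returns True if the grant was applied."""
    if grantor.name != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(mode)
    return True


def mac_allows(subject, obj, mode):
    """Mandatory (Bell-LaPadula style): no read up, no write down. Ownership is irrelevant."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.label]
    if mode == "r":
        return s >= o
    if mode == "w":
        return s <= o
    raise ValueError(f"unknown mode {mode!r}")


def allowed(subject, obj, mode):
    """Combined monitor: MAC is the floor; a DAC grant can narrow access but never widen past MAC."""
    return mac_allows(subject, obj, mode) and dac_allows(subject, obj, mode)


if __name__ == "__main__":
    alice = Subject("alice", "secret")
    bob = Subject("bob", "internal")
    plan = Obj("plan.txt", owner="alice", label="secret")
    dac_grant(alice, plan, "bob", "r")       # alice, the owner, tries to share her plan
    print("DAC lets bob read plan.txt:", dac_allows(bob, plan, "r"))   # True
    print("MAC lets bob read plan.txt:", mac_allows(bob, plan, "r"))   # False: read up
    print("Monitor decision:", allowed(bob, plan, "r"))                # False
```

The same shape is what SELinux adds on top of the ordinary file permissions: the owner's chmod is still consulted, but only after the mandatory policy has said yes.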

RSBAC – rule-set based access control

- Linux-based.
- Exists since 1996, active development since 2000
- Works at kernel level
- Based on GFAC (generalized framework for access control)
Several modules:
- MAC – Mandatory access control module
- PM – Privacy Model module
- FC – Functional Control module
- FF – File Flags module
- MS – Malware Scan module
- RC – Role Compatibility module
- SIM – Security Information Modification module
- Auth – Authentication module
- ACL – Access Control List module

RBAC – role based access control

Access is based on the role a user holds. Which permissions a role carries, and which users hold it, is decided by the system owner or administrator, not by the owner of each object.



CUI – constrained user interface

- The user is only shown the options they are allowed to access.
- Similar to VBAC (view-based access control): the user is only shown a view that contains the options available at their access level.

CDAC – content dependent access control

- Based on GFAC
- Access is granted or denied based on the content itself and its level of secrecy or sensitivity.

CBAC – context-based access control

- Works on context, i.e. a sequence of events that can be detected.
- Mostly used in firewalls (Cisco's IOS firewall feature of that name is stateful inspection of this kind).
- Can deny access based on how many requests have come in for a certain object, or on the sequence the requests arrive in.

TRBAC – Temporal role based access control

- Time-based and role-based.
- A role is enabled only during the periods the owner or administrator has decided on.
- The constraint could be a certain time zone or a certain time window within which access is allowed.
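
Putting RBAC, TRBAC, CDAC and CBAC on one resource makes the layering concrete. The code below is an added example, not from the post or from any product: the roles, users, time windows and ticket rows are all constructed. A role lookup answers the RBAC question, the role is only counted while its time window is open (TRBAC), the rows that come back are then filtered by their own sensitivity (CDAC), and updates are finally gated by a context rule on how many requests the same user has made recently (CBAC).

```python
"""RBAC with temporal role enablement (TRBAC), a content-dependent row filter (CDAC)
and a context rule (CBAC) layered on one ticketing resource."""
from datetime import datetime, time

# Administrator-defined policy (constructed for this example).
ROLE_PERMS = {
    "analyst": {"ticket:read"},
    "triage": {"ticket:read", "ticket:update"},
    "admin": {"ticket:read", "ticket:update", "ticket:delete"},
}
USER_ROLES = {"dana": {"analyst", "triage"}, "eve": {"analyst"}, "root": {"admin"}}
# TRBAC: local-time window in which a role is enabled; None means always enabled.
ROLE_WINDOWS = {"analyst": None, "triage": (time(8, 0), time(18, 0)), "admin": None}

# CDAC: each row carries a sensitivity; a user sees rows up to their ceiling.
LEVEL = {"public": 0, "internal": 1, "restricted": 2}
USER_CEILING = {"dana": "restricted", "eve": "internal", "root": "restricted"}
TICKETS = [  # constructed sample rows
    {"id": 1, "title": "Printer jam", "sensitivity": "public"},
    {"id": 2, "title": "Phishing report", "sensitivity": "internal"},
    {"id": 3, "title": "Insider investigation", "sensitivity": "restricted"},
]


def at(hour, minute=0, second=0):
    """Timestamp on a fixed day so the example is deterministic."""
    return datetime(2014, 4, 7, hour, minute, second)


def enabled_roles(user, now):
    """Roles the user holds that are enabled at 'now' (the temporal constraint)."""
    roles = set()
    for role in USER_ROLES.get(user, set()):
        window = ROLE_WINDOWS.get(role)
        if window is None or window[0] <= now.time() < window[1]:
            roles.add(role)
    return roles


def has_permission(user, perm, now):
    """RBAC: the permission is reachable through some currently enabled role."""
    return any(perm in ROLE_PERMS[role] for role in enabled_roles(user, now))


def visible_tickets(user, now):
    """RBAC gate first, then a content-dependent filter on each row."""
    if not has_permission(user, "ticket:read", now):
        return []
    ceiling = LEVEL[USER_CEILING[user]]
    return [t for t in TICKETS if LEVEL[t["sensitivity"]] <= ceiling]


class RateContext:
    """CBAC-style rule: more than 'limit' updates within 'window' seconds is denied."""

    def __init__(self, limit, window):
        self.limit, self.window, self.events = limit, window, {}

    def permit(self, user, now):
        recent = [t for t in self.events.get(user, [])
                  if (now - t).total_seconds() < self.window]
        if len(recent) >= self.limit:
            self.events[user] = recent
            return False
        recent.append(now)
        self.events[user] = recent
        return True


def can_update(user, ctx, now):
    """Role, time and context must all agree before an update goes through."""
    return has_permission(user, "ticket:update", now) and ctx.permit(user, now)


if __name__ == "__main__":
    print("dana 10:00 roles:", sorted(enabled_roles("dana", at(10))))   # ['analyst', 'triage']
    print("dana 22:00 roles:", sorted(enabled_roles("dana", at(22))))   # ['analyst']
    print("eve sees:", [t["id"] for t in visible_tickets("eve", at(10))])   # [1, 2]
    ctx = RateContext(limit=2, window=60)
    print([can_update("dana", ctx, at(10, 0, s)) for s in range(3)])   # [True, True, False]
```

Note the order of the checks: the cheap role lookup runs first, the per-row content filter only runs on users who already passed it, and the rate context is consulted last so that a denied user never consumes a slot in the counter.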