Thursday, June 16, 2011

Using a .audit file with Nessus to scan a host

I've created this post because I couldn't find detailed directions. Here's what took me down this path. Auditing Windows 7 machines is a laborious task; there is no easy way to do it without sitting down with the DISA checklist and going through each check one by one. As we move to SCAP-based tools, we should be able to automate this, either by using OVAL and an XCCDF file, or using Retina and the XCCDF wizard. I've started playing around with both of those methods, and I'm not 100% there yet. I get them to run, but the results are not exactly what I expect.

One of my co-workers asked me about i2a, a utility put out by Tenable that converts .inf files to .audit files to use with Nessus. (By the way, as I understand it, i2a only works with the professional version. Audit files work with both the professional and free versions.) If you look in the Windows 7 STIG, the templates folder contains .inf files.

I copied the .inf file to the directory containing i2a. My command to create an .audit file was:

i2a-2.0.4 U_FSO_Win7_Analyze_only_V1R4.inf Win7.audit

This ran, and there were a few errors in the log file. I believe that Nessus cannot perform some of the checks in the .inf file, so they are flagged.

Next, I opened up Nessus.  Then, I created a new Policy:  Click on Policy, Add.
I gave my scan a name, Win7, checked my options, added my credentials, checked my plugins, then clicked on preferences.  Under preferences, I picked the Windows Compliance checks.  Then, I browsed for my Win7.audit file and added it as Policy File #1.

After this, it was as simple as setting up a new scan and using the policy I just created.  I'm going to start looking at the results to see how good a job Nessus does, and what needs to still be looked at manually.
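
Added example (not part of the original post, and not Tenable's code): since the conversion flags some .inf entries, this sketch lists the [Registry Values] entries of a security template that have no matching registry check in the converted .audit file. It assumes the .audit file expresses registry checks as custom_item blocks with reg_key and reg_item fields; both samples are constructed, and the function names are hypothetical.

```python
import re

# Constructed security-template sample (not taken from the STIG .inf).
SAMPLE_INF = r"""[System Access]
MinimumPasswordLength = 14
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""

# Constructed .audit sample that carries only one of the two registry values.
SAMPLE_AUDIT = r"""<check_type:"Windows" version:"2">
<custom_item>
 type: REGISTRY_SETTING
 description: "LAN Manager authentication level"
 value_type: POLICY_DWORD
 value_data: 5
 reg_key: "HKLM\System\CurrentControlSet\Control\Lsa"
 reg_item: "LmCompatibilityLevel"
</custom_item>
</check_type>
"""

def inf_registry_values(inf_text):
    """Return normalized registry paths listed under [Registry Values]."""
    section, found = None, set()
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and .inf comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            path = line.split("=", 1)[0].strip().strip('"')
            found.add(re.sub(r"^machine\\", r"hklm\\", path.lower()))
    return found

def audit_registry_values(audit_text):
    """Return normalized reg_key + reg_item paths from custom_item blocks."""
    found = set()
    for block in re.findall(r"<custom_item>(.*?)</custom_item>", audit_text, re.S):
        fields = dict(re.findall(r'^\s*(\w+)\s*:\s*"?(.*?)"?\s*$', block, re.M))
        if "reg_key" in fields and "reg_item" in fields:
            found.add((fields["reg_key"] + "\\" + fields["reg_item"]).lower())
    return found

def missing_from_audit(inf_text, audit_text):
    """Template registry values with no matching check in the .audit file."""
    return sorted(inf_registry_values(inf_text) - audit_registry_values(audit_text))
```

Anything this reports is a candidate for manual review against the checklist; a setting may also be covered by a non-registry check type, which this comparison does not look at.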

4 comments:

  1. I have tried to run the DISA STIGs audits using the XCCDF wizard with no luck. Have you had a valid STIG scan run using Retina yet? Also, we are looking at evaluating Nessus as an additional assessment tool.

    Sean

  2. I know what you're saying, sometimes it gives us the hardest life at work. Back in the days when we switched to Vista everything was such a mess with Nessus.

  3. I don't think we have the Windows compliance option in Nessus 5 HomeFeed, so how does one add a .audit file in Nessus 5 HF?
