13. Compliance and Special Scans

Compliance in the IT security world is the primary approach for organizations to keep their information and assets protected and secure.

With cybercrime on the rise, governments see the need to protect their citizens and pass rules and regulations on privacy and IT security in the hope of protecting our identities and assets. Information security bodies such as the Information Systems Audit and Control Association (ISACA) or the International Organization for Standardization (ISO) publish IT security standards, frameworks and guidelines such as the Control Objectives for Information and Related Technology (COBIT) or the ISO 27000 series, which cover information security standards. The German Federal Office for Information Security (BSI), for example, publishes the IT-Grundschutz catalogs. This is a collection of documents that provide useful information for detecting weaknesses and combating attacks on IT environments. To better protect against credit card data theft, the Payment Card Industry Security Standards Council publishes the Payment Card Industry Data Security Standard (PCI DSS).

All these privacy laws, standards, frameworks, rules and regulations are intended to compel and assist organizations to implement appropriate safeguards to protect themselves and their information assets from attacks. In order to implement them within an organization, the organization will have to create an IT security framework consisting of policies, standards, baselines, guidelines and detailed procedures.

Security scanners such as the Greenbone Security Manager (GSM) can assist IT security professionals in checking their IT security safeguards for compliance with the aforementioned regulations, standards and frameworks.

In the following sections we will describe how the GSM can be utilized to perform certain compliance checks.

13.1. Generic Policy Scans

When performing policy scans, there are several groups each with four NVTs that can be configured accordingly. In the policy section of the NVTs database at least two of these four policy NVTs are required to run a policy scan. The four NVT types are:

  • Base
    This NVT performs the actual scan/function of the actual policy scan.
  • Matches
    This NVT summarizes any items which match the checks performed by the base NVT.
  • Violations
    This NVT summarizes any items which did not match the checks performed by the base NVT.
  • Errors
    This NVT summarizes any items where some errors occurred when running the policy scan.

Note

The base NVT must be selected for a policy check since it performs the actual tests. The other three plug-ins may be selected according to the needs. For example, if matching patterns are of no concern then only the violations plug-in should be selected additionally.

13.1.1. Checking File Content

File content checks belong to policy audits which do not explicitly test for vulnerabilities but rather test the compliance of file contents (e.g. configuration files) regarding a given policy.

The GSM provides a policy module to check whether the content of a file is compliant with a given policy.

In general this is an authenticated check, i.e. the scan engine will have to log into the target system to perform the check.

The file content check can only be performed on systems supporting the command grep. Normally this means Linux or Linux-like systems.

Four different NVTs in the family Policy provide the file content check:

  • File Content: This NVT performs the actual file content check.
  • File Content: Matches: This NVT shows the patterns and files which passed the file content check (the predefined pattern matches in the file).
  • File Content: Violations: This NVT shows the patterns and files which did not pass the file content check (the predefined pattern does not match in the file).
  • File Content: Errors: This NVT shows the files in which errors occurred (e.g. the file is not found on the target system).

13.1.1.1. Patterns

  1. Create a reference file with the patterns to check. Following is an example:

    filename|pattern|presence/absence
    /tmp/filecontent_test|^paramter1=true.*$|presence
    /tmp/filecontent_test|^paramter2=true.*$|presence
    /tmp/filecontent_test|^paramter3=true.*$|absence
    /tmp/filecontent_test_notthere|^paramter3=true.*$|absence

Note

This file must contain the row filename|pattern|presence/absence.

The subsequent rows each contain a test entry.

Each row contains three elements which are separated by |. The first field contains the path and file name, the second field contains the pattern to check (as a regular expression) and the third field indicates if a pattern has to be present or absent.
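The following script is an added example and not part of the GSM or of the Greenbone NVTs. It parses a reference file in the format described above, then evaluates each row against local files the way the Matches, Violations and Errors NVTs report them: a pattern counts as found when it matches at least one line (grep semantics, so ^ and $ anchor to a line), a presence row is compliant when the pattern is found, an absence row when it is not, and an unreadable file goes to the errors bucket. The target file and its content are constructed inside the script; the file names, function names and the use of a temporary directory are assumptions of the example.

```python
import os
import re
import tempfile

# Header row the GSM expects as the first line of the reference file.
HEADER = "filename|pattern|presence/absence"


def parse_reference(text):
    """Parse a File Content reference file into (path, compiled regex, mode) tuples.

    Raises ValueError for structural mistakes: wrong header, wrong field count,
    an unknown third field or an invalid regular expression.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("first row must be exactly: " + HEADER)
    entries = []
    for number, line in enumerate(lines[1:], start=2):
        fields = line.split("|")
        if len(fields) != 3:
            raise ValueError("row %d: expected 3 fields separated by |" % number)
        path, pattern, mode = (f.strip() for f in fields)
        if mode not in ("presence", "absence"):
            raise ValueError("row %d: third field must be presence or absence" % number)
        try:
            regex = re.compile(pattern)
        except re.error as exc:
            raise ValueError("row %d: invalid pattern (%s)" % (number, exc))
        entries.append((path, regex, mode))
    return entries


def check_file_content(entries):
    """Classify every entry the way the three reporting NVTs would.

    A pattern is 'found' when it matches at least one line of the file, which
    mirrors grep on the target; a file that cannot be read is an error.
    """
    results = {"matches": [], "violations": [], "errors": []}
    for path, regex, mode in entries:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = any(regex.search(line) for line in fh)
        except OSError as exc:
            results["errors"].append((path, regex.pattern, exc.strerror))
            continue
        compliant = found if mode == "presence" else not found
        bucket = "matches" if compliant else "violations"
        results[bucket].append((path, regex.pattern, mode))
    return results


def run_demo():
    """Constructed scenario: one target file plus one missing file, checked with four rows."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "filecontent_test")
    with open(target, "w", encoding="utf-8") as fh:
        # Constructed file content standing in for /tmp/filecontent_test on a target.
        fh.write("paramter1=true\nparamter2=false\nparamter3=false\n")
    missing = os.path.join(workdir, "filecontent_test_notthere")
    reference = "\n".join([
        HEADER,
        target + "|^paramter1=true.*$|presence",   # matches
        target + "|^paramter2=true.*$|presence",   # violation: line says false
        target + "|^paramter3=true.*$|absence",    # matches: pattern absent
        missing + "|^paramter3=true.*$|absence",   # error: file not found
    ])
    return check_file_content(parse_reference(reference))


if __name__ == "__main__":
    for bucket, items in run_demo().items():
        print("%s: %d" % (bucket, len(items)))
        for item in items:
            print("   ", item)
```

Running the script against a real reference file before uploading it catches the mistakes the scanner would only report as errors after a full authenticated scan, such as a missing header row or a pattern that is not a valid regular expression.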

  2. Click edit for the scan configuration.

  3. In the section Edit Network Vulnerability Test Families click edit for Policy.

    → All NVTs that allow special configuration are listed (see figure Editing the family of NVTs).

    _images/filecheck_content.png

    Editing the family of NVTs

  4. Click edit for File Content.

  5. Activate the checkbox Upload file.

    Tip

    Activate the checkbox Replace existing file with to upload a new reference file (see figure Uploading the reference file). The reference file can only be changed if the scan configuration is not in use.

    _images/filecheck_content_edit.png

    Uploading the reference file

  6. Click Browse... and select the previously created reference file.

  7. Click Save to save the NVT.

  8. Click Save to save the family of NVTs.

  9. Click Save to save the scan configuration.

13.1.1.2. Severity

The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message) and overrides were required for different scores. The new default score of 10 can be changed using overrides as well.

By splitting the reporting into three separate NVTs it is now possible to create distinct overrides on the severity according to the needs.

In the following picture the severities of File Content: Violations and File Content: Errors have been changed (see Chapter Overrides and False Positives) which will be shown in the reports accordingly.

_images/filecheck_content_overrides.png

Overrides changing the severity

13.1.1.3. Example

Note

The overrides can be created either before or after a scan. The latter is easier since the appropriate reference can be created through a simple click in the result page.

  1. Download policy_file_content_example.xml and the corresponding test file filecontent_test.

    Important

    External links to the Greenbone download website are case-sensitive.

    Upper-case and lower-case letters and special characters have to be entered exactly as they are written in the footnotes.

  2. Extract the test file to the /tmp/ directory on the target system.

  3. Select Scans > Tasks in the menu bar.

  4. Create a task for the target on which the test file was saved by clicking new.

    Note

    The scan has to be an authenticated scan with the appropriate SSH credentials.

  5. In the row of the newly created task click start.

13.1.2. Checking Registry Content

The registry is a database in Microsoft Windows that contains important information about system hardware, installed programs and settings and profiles of each of the user accounts on the computer. Microsoft Windows continually refers to the information in the registry.

Due to the nature of the Microsoft Windows registry every program/application installed under Microsoft Windows will register itself in the Microsoft Windows registry and as such has a registry entry. Even malware and other malicious code usually leaves traces within the registry. The registry can be utilized to search for specific applications or malware related information such as version levels and numbers. Also, missing or changed registry settings could point to a potential security policy violation on an endpoint.

The GSM provides a policy auditing module to verify registry entries on target systems. This module checks for the presence or absence of registry settings as well as registry violations. Since the registry is unique to Microsoft Windows systems, this check can only be run on these systems. To access the registry on the target system the check needs to authenticate on the target system.

Four different NVTs in the family Policy provide the registry content check:

  • Windows Registry Check: This NVT performs the actual registry content check.
  • Windows Registry Check: OK: This NVT shows the registry settings which passed the registry check (registry content OK).
  • Windows Registry Check: Violations: This NVT shows the registry content which did not pass the registry check (wrong registry content).
  • Windows Registry Check: Errors: This NVT shows the registry entries for which errors occurred (e.g. registry content not found on the target system).

13.1.2.1. Registry Content Pattern

  1. Create a reference file with the reference registry content. Following is an example:

    Present|Hive|Key|Value|ValueType|ValueContent
    TRUE|HKLM|SOFTWARE\Macromedia\FlashPlayer\SafeVersions|8.0|REG_DWORD|33
    TRUE|HKLM|SOFTWARE\Microsoft\Internet Explorer
    TRUE|HKLM|SOFTWARE\Microsoft\Internet Explorer|Version|REG_SZ|9.11.10240.16384
    TRUE|HKLM|SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|LocalAccountTokenFilterPolicy|REG_DWORD|1
    FALSE|HKLM|SOFTWARE\Virus
    TRUE|HKLM|SOFTWARE\ShouldNotBeHere
    TRUE|HKLM|SOFTWARE\Macromedia\FlashPlayer\SafeVersions|8.0|REG_DWORD|*

Note

This file must contain the row Present|Hive|Key|Value|ValueType|ValueContent.

The subsequent rows each contain a test entry.

Each row contains a registry entry to be checked, consisting of six elements which are separated by |.

The first field sets if a registry entry should be present or not, the second the hive the registry entry is located in, the third the key, the fourth the value, the fifth the value type and the sixth the value content. If a star * is used in the last column any value is valid and accepted for existence or non-existence.
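The following script is an added example and not part of the GSM or of the Greenbone NVTs. It validates a registry reference file in the format above and evaluates it against a registry snapshot held in a dictionary, so the semantics of the rows can be checked without a Windows target: a row with only Present, Hive and Key tests whether the key exists (as the sample rows for Internet Explorer, Virus and ShouldNotBeHere do), a six-field row tests value type and content, a star in ValueContent accepts any content, and Present FALSE inverts the expectation. Accepting three-field rows, the set of hive abbreviations, case-insensitive key comparison and the in-memory snapshot are assumptions of the example; scanner-side access errors are not modelled.

```python
# Header row the GSM expects as the first line of the registry reference file.
HEADER = "Present|Hive|Key|Value|ValueType|ValueContent"

# Hive abbreviations accepted by this validator. The page only shows HKLM;
# accepting the other standard abbreviations is an assumption of this example.
HIVES = {"HKLM", "HKCU", "HKCR", "HKU", "HKCC"}


def parse_reference(text):
    """Parse the reference file into dicts; raise ValueError on malformed rows.

    A row has either 3 fields (does the key exist?) or 6 fields (does the
    value exist with this type and content?). Wrapped rows are rejected
    because the field count no longer adds up.
    """
    rows = [line for line in text.splitlines() if line.strip()]
    if not rows or rows[0].strip() != HEADER:
        raise ValueError("first row must be exactly: " + HEADER)
    entries = []
    for number, line in enumerate(rows[1:], start=2):
        fields = [f.strip() for f in line.split("|")]
        if len(fields) not in (3, 6):
            raise ValueError("row %d: expected 3 (key only) or 6 fields, got %d"
                             % (number, len(fields)))
        present, hive, key = fields[0].upper(), fields[1], fields[2]
        if present not in ("TRUE", "FALSE"):
            raise ValueError("row %d: Present must be TRUE or FALSE" % number)
        if hive not in HIVES:
            raise ValueError("row %d: unknown hive %r" % (number, hive))
        entry = {"present": present == "TRUE", "hive": hive, "key": key,
                 "value": None, "type": None, "content": None}
        if len(fields) == 6:
            entry.update(value=fields[3], type=fields[4], content=fields[5])
        entries.append(entry)
    return entries


def is_valid_reference(text):
    """True when parse_reference() accepts the text."""
    try:
        parse_reference(text)
        return True
    except ValueError:
        return False


def check_registry(entries, snapshot):
    """Compare entries against a snapshot {(hive, key): {value_name: (type, content)}}.

    Key and value names are compared case-insensitively, as Windows does.
    '*' in ValueContent accepts any content; the value type must still match.
    """
    index = {(h.upper(), k.upper()): {n.upper(): tc for n, tc in vals.items()}
             for (h, k), vals in snapshot.items()}
    results = {"ok": [], "violations": []}
    for e in entries:
        label = e["hive"] + "\\" + e["key"]
        if e["value"] is not None:
            label += "\\" + e["value"]
        values = index.get((e["hive"].upper(), e["key"].upper()))
        if e["value"] is None:
            exists = values is not None
        else:
            found = (values or {}).get(e["value"].upper())
            exists = (found is not None and found[0] == e["type"]
                      and (e["content"] == "*" or str(found[1]) == e["content"]))
        results["ok" if exists == e["present"] else "violations"].append(label)
    return results


# The reference file from the page, with the wrapped row joined into one line.
SAMPLE_REFERENCE = "\n".join([
    HEADER,
    r"TRUE|HKLM|SOFTWARE\Macromedia\FlashPlayer\SafeVersions|8.0|REG_DWORD|33",
    r"TRUE|HKLM|SOFTWARE\Microsoft\Internet Explorer",
    r"TRUE|HKLM|SOFTWARE\Microsoft\Internet Explorer|Version|REG_SZ|9.11.10240.16384",
    r"TRUE|HKLM|SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|LocalAccountTokenFilterPolicy|REG_DWORD|1",
    r"FALSE|HKLM|SOFTWARE\Virus",
    r"TRUE|HKLM|SOFTWARE\ShouldNotBeHere",
    r"TRUE|HKLM|SOFTWARE\Macromedia\FlashPlayer\SafeVersions|8.0|REG_DWORD|*",
])

# Constructed snapshot standing in for a target's registry (not taken from a real host).
SNAPSHOT = {
    ("HKLM", r"SOFTWARE\Macromedia\FlashPlayer\SafeVersions"): {"8.0": ("REG_DWORD", "33")},
    ("HKLM", r"SOFTWARE\Microsoft\Internet Explorer"): {"Version": ("REG_SZ", "9.11.10240.16384")},
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"):
        {"LocalAccountTokenFilterPolicy": ("REG_DWORD", "0")},
}


def run_demo():
    """Evaluate the page's sample reference file against the constructed snapshot."""
    return check_registry(parse_reference(SAMPLE_REFERENCE), SNAPSHOT)


if __name__ == "__main__":
    for bucket, labels in run_demo().items():
        print(bucket, labels)
```

With the constructed snapshot, LocalAccountTokenFilterPolicy is 0 instead of the required 1 and SOFTWARE\ShouldNotBeHere does not exist although the row says TRUE, so those two rows are reported as violations and the other five as OK.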

  2. Click edit for the scan configuration.

  3. In the section Edit Network Vulnerability Test Families click edit for Policy.

    → All NVTs that allow special configuration are listed (see figure Editing the family of NVTs).

    _images/policy_registry_content_family.png

    Editing the family of NVTs

  4. Click edit for Windows Registry Check.

  5. Activate the checkbox Upload file.

    Tip

    Activate the checkbox Replace existing file with to upload a new reference file (see figure Uploading the reference file). The reference file can only be changed if the scan configuration is not in use.

    _images/filecheck_content_edit.png

    Uploading the reference file

  6. Click Browse... and select the previously created reference file.

  7. Click Save to save the NVT.

  8. Click Save to save the family of NVTs.

  9. Click Save to save the scan configuration.

13.1.2.2. Severity

The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message) and overrides were required for different scores. The new default score of 10 can be changed using overrides as well.

By splitting the reporting into three separate NVTs it is now possible to create distinct overrides on the severity according to the needs.

In the following picture the severities of Registry Content: Violations and Registry Content: Errors have been changed (see Chapter Overrides and False Positives) which will be shown in the reports accordingly.

_images/Severity_Darstellung_Registry_Content_scan_en.png

Overrides changing the severity

13.1.2.3. Example

Note

The overrides can be created either before or after a scan. The latter is easier since the appropriate reference can be created through a simple click in the result page.

  1. Download policy_registry_ScanConfig.xml and the corresponding test file.

    Important

    External links to the Greenbone download website are case-sensitive.

    Upper-case and lower-case letters and special characters have to be entered exactly as they are written in the footnotes.

  2. Extract the test file to the /tmp/ directory on the target system.

  3. Select Scans > Tasks in the menu bar.

  4. Create a task for the target on which the test file was saved by clicking new.

    Note

    The scan has to be an authenticated scan with the appropriate SSH credentials.

  5. In the row of the newly created task click start.

13.1.3. Checking File Checksums

File checksum checks belong to policy audits which do not explicitly test for vulnerabilities but rather test the integrity of files.

The GSM provides a policy auditing module to verify file integrity on target systems. This module checks the file content by MD5 or SHA1 checksums. In general, this is an authenticated check, i.e. the scan engine will have to log into the target system to perform the check. The file checksum check can only be performed on systems supporting checksums. Normally this means Linux or Linux-like systems. The GSM also provides a module for checksum checks on Microsoft Windows systems (see Microsoft Windows).

Four different NVTs in the family Policy provide the file checksum check:

  • File Checksums: This NVT performs the actual checksum check on the files.
  • File Checksums: Matches: This NVT shows the files which passed the checksum check (checksum matches).
  • File Checksums: Violations: This NVT shows the files which did not pass the checksum check (wrong checksum).
  • File Checksums: Errors: This NVT shows the files in which errors occurred (e.g. file not found on the target system).

13.1.3.1. Checksum Patterns

  1. Create a reference file with the reference checksums. Following is an example:

    Checksum|File|Checksumtype
    6597ecf8208cf64b2b0eaa52d8169c07|/bin/login|md5
    ed3ed98cb2efa9256817948cd27e5a4d9be2bdb8|/bin/bash|sha1
    7c59061203b2b67f2b5c51e0d0d01c0d|/bin/pwd|md5

Note

This file must contain the row Checksum|File|Checksumtype.

The subsequent rows each contain a test entry.

Each row contains three elements which are separated by |.

The first field contains the checksum in hex, the second field the path and file name and the third field the checksum type. Currently MD5 and SHA1 checksums are supported.

Important

Checksums and checksum types must be lowercase.
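The following script is an added example and not part of the GSM or of the Greenbone NVTs. It generates a reference file in the format above from a set of known-good files (lowercase hex digests, lowercase type names), validates such a file before upload, and verifies the listed files the way the Matches, Violations and Errors NVTs report them. The files it hashes are constructed in a temporary directory as stand-ins for /bin/login, /bin/bash and /bin/pwd; the function names and the tamper-and-delete scenario are assumptions of the example.

```python
import hashlib
import hmac
import os
import tempfile

# Header row the GSM expects as the first line of the checksum reference file.
HEADER = "Checksum|File|Checksumtype"
# The only two checksum types the NVT supports; names must be lowercase.
ALGORITHMS = {"md5": (hashlib.md5, 32), "sha1": (hashlib.sha1, 40)}


def file_digest(path, checksum_type):
    """Return the lowercase hex digest of a file, streamed in 64 KiB chunks."""
    hasher = ALGORITHMS[checksum_type][0]()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def build_reference(files):
    """Generate reference file text from (path, checksum_type) pairs taken on a known-good host."""
    rows = [HEADER]
    for path, checksum_type in files:
        rows.append("%s|%s|%s" % (file_digest(path, checksum_type), path, checksum_type))
    return "\n".join(rows) + "\n"


def parse_reference(text):
    """Parse and validate the reference file; ValueError on anything the NVT would reject."""
    rows = [line for line in text.splitlines() if line.strip()]
    if not rows or rows[0].strip() != HEADER:
        raise ValueError("first row must be exactly: " + HEADER)
    entries = []
    for number, line in enumerate(rows[1:], start=2):
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3:
            raise ValueError("row %d: expected 3 fields separated by |" % number)
        checksum, path, checksum_type = fields
        if checksum_type not in ALGORITHMS:
            raise ValueError("row %d: checksum type must be md5 or sha1, lowercase" % number)
        expected_len = ALGORITHMS[checksum_type][1]
        if len(checksum) != expected_len or any(c not in "0123456789abcdef" for c in checksum):
            raise ValueError("row %d: checksum must be %d lowercase hex digits"
                             % (number, expected_len))
        entries.append((checksum, path, checksum_type))
    return entries


def verify(entries):
    """Classify entries as the Matches / Violations / Errors NVTs would."""
    results = {"matches": [], "violations": [], "errors": []}
    for checksum, path, checksum_type in entries:
        try:
            actual = file_digest(path, checksum_type)
        except OSError as exc:
            results["errors"].append((path, exc.strerror))
            continue
        if hmac.compare_digest(actual, checksum):
            results["matches"].append(path)
        else:
            results["violations"].append((path, checksum, actual))
    return results


def run_demo():
    """Constructed scenario: baseline three files, then modify one and delete another."""
    workdir = tempfile.mkdtemp()
    files = []
    for name in ("login", "bash", "pwd"):
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            # Constructed content standing in for the real /bin/<name> binary.
            fh.write(b"constructed stand-in for /bin/" + name.encode() + b"\n")
        files.append(path)
    reference = build_reference([(files[0], "md5"), (files[1], "sha1"), (files[2], "md5")])
    baseline = verify(parse_reference(reference))
    with open(files[1], "ab") as fh:   # simulate a modified binary
        fh.write(b"# appended content\n")
    os.remove(files[2])                # simulate a missing file
    after = verify(parse_reference(reference))
    return baseline, after


if __name__ == "__main__":
    baseline, after = run_demo()
    print("baseline:", {k: len(v) for k, v in baseline.items()})
    print("after tampering:", {k: len(v) for k, v in after.items()})
```

MD5 and SHA1 are the only types the NVT accepts, and neither is collision-resistant any more, so treat the check as change detection for files whose baseline was taken on a trusted system rather than as proof against an adversary who can choose both versions of a file.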

  2. Click edit for the scan configuration.

  3. In the section Edit Network Vulnerability Test Families click edit for Policy.

    → All NVTs that allow special configuration are listed (see figure Editing the family of NVTs).

    _images/policy_file_checksums_family.png

    Editing the family of NVTs

  4. Click edit for File Checksums.

  5. Activate the checkbox Upload file.

    Tip

    Activate the checkbox Replace existing file with to upload a new reference file (see figure Uploading the reference file). The reference file can only be changed if the scan configuration is not in use.

    _images/filecheck_content_edit.png

    Uploading the reference file

  6. Click Browse... and select the previously created reference file.

  7. Click Save to save the NVT.

  8. Click Save to save the family of NVTs.

  9. Click Save to save the scan configuration.

13.1.3.2. Severity

The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message) and overrides were required for different scores. The new default score of 10 can be changed using overrides as well.

By splitting the reporting into three separate NVTs it is now possible to create distinct overrides on the severity according to the needs.

In the following picture the severities of File Checksum: Violations and File Checksum: Errors have been changed (see Chapter Overrides and False Positives) which will be shown in the reports accordingly.

_images/policy_file_checksums_overrides.png

Overrides changing the severity

13.1.3.3. Example

Note

The overrides can be created either before or after a scan. The latter is easier since the appropriate reference can be created through a simple click in the result page.

  1. Download policy_file_checksums_example.xml and the corresponding test file policy_file_checksums_testfiles.

    Important

    External links to the Greenbone download website are case-sensitive.

    Upper-case and lower-case letters and special characters have to be entered exactly as they are written in the footnotes.

  2. Extract the test file to the /tmp/ directory on the target system, e.g. by tar -xvC /tmp/ -f policy_file_checksums_testfiles.tar.gz.

  3. Select Scans > Tasks in the menu bar.

  4. Create a task for the target on which the test file was saved by clicking new.

    Note

    The scan has to be an authenticated scan with the appropriate SSH credentials.

  5. In the row of the newly created task click start.

13.1.3.4. Microsoft Windows

The GSM provides a similar module for checksum checks on Microsoft Windows systems. Since Microsoft Windows does not provide a built-in program for creating checksums, one has to be installed, either manually or automatically by the NVT. The GSM uses ReHash (http://rehash.sourceforge.net/) for creating checksums on Microsoft Windows systems.

As for Linux systems the NVTs for checksum checks are located in the family Policy.

  1. Click edit for the scan configuration.

  2. In the section Edit Network Vulnerability Test Families click edit for Policy.

    → All NVTs that allow special configuration are listed (see figure Editing the family of NVTs).

    _images/policy_file_checksums_nvt_win.png

    Editing the family of NVTs

  3. Click edit for Windows file Checksums.

  4. Activate the checkbox Upload file.

    Tip

    Activate the checkbox Replace existing file with to upload a new reference file (see figure Uploading the reference file). The reference file can only be changed if the scan configuration is not in use.

    _images/filecheck_content_edit.png

    Uploading the reference file

  5. Click Browse... and select the previously created reference file.

  6. Click Save to save the NVT.

  7. Click Save to save the family of NVTs.

  8. Click Save to save the scan configuration.

Note

There are two operating modes for these checks:

  • Using a tool that was installed on the target system manually
  • The tool ReHash is installed automatically on the target system during the check and, if requested, deinstalled again afterwards.

Through the preferences it can be set whether the checksum program ReHash should be deleted after the check. The program can be left on the target system, e.g. to speed up recurring tests, so that it does not have to be transferred each time. It can further be set whether the checksum program should be installed automatically on the target system. If not, it has to be installed manually (under C:\Windows\system32 on 32-bit systems or C:\Windows\SysWOW64 on 64-bit systems) and has to be executable for the authenticated user. The file with the reference checksums must be uploaded in the preferences as is done for the Linux checksum check. The file has the same structure as the one for Linux.

13.1.3.5. Example Windows

Note

The overrides can be created either before or after a scan. The latter is easier since the appropriate reference can be created through a simple click in the result page.

  1. Download sample_config-Windows_file_Policy.xml and the corresponding test file windows_checksums_testfiles.zip.

    Important

    External links to the Greenbone download website are case-sensitive.

    Upper-case and lower-case letters and special characters have to be entered exactly as they are written in the footnotes.

  2. Extract the test file to the C:\ directory on the target system.

  3. Select Scans > Tasks in the menu bar.

  4. Create a task for the target on which the test file was saved by clicking new.

    Note

    The scan has to be an authenticated scan with the appropriate SSH credentials.

  5. In the row of the newly created task click start.

13.1.4. CPE-Based

For detailed information about CPE see Chapter CPE.

13.1.4.1. Simple CPE-Based Checks for Security Policies

With any executed scan, CPEs for the identified products are stored. This happens independently of whether the product actually reveals a security problem or not. On this basis it is possible to describe simple security policies and the checks for compliance with these. With the Greenbone Security Manager it is possible to describe policies to check for the presence as well as for the absence of a product. These cases can be associated with a severity to appear in the scan report.

13.1.4.2. Checking Policy Compliance

This example demonstrates how to check the compliance of a policy regarding specific products in an IT infrastructure and how the reporting with the corresponding severity can be done. The information about whether a certain product is present on the target system is gathered by a single Network Vulnerability Test (NVT) or even independently by a number of special NVTs. This means that for a certain product an optimized scan configuration that only concentrates on this product and does not do any other scan activity can be specified.

Advantages
The advantage of such a special scan configuration is a considerably faster execution of the scan compared to a comprehensive scan configuration such as Full and Fast.
Disadvantages
The disadvantage of a special scan configuration is that some experience is required to select the right set of NVTs to maximize the probability of success. Initially it is easier to apply a comprehensive scan configuration. In this case it is not necessary to care about the product character, only the CPE identifier is entered.

This example follows the simple approach.

  1. Select Configuration > Scan Configs in the menu bar.

  2. Create a new scan configuration by clicking new.

  3. Define the name of the scan configuration (see figure Creating a new scan configuration).

  4. Select Full and Fast as the base (see figure Creating a new scan configuration).

    Note

    This is necessary because Full and Fast is a pre-configured scan configuration and thus cannot be modified.

    _images/cpe_policy_new_scanconfig.png

    Creating a new scan configuration

  5. Click Create.

    → The scan configuration is created and can be edited directly.

  6. Unfold the section Network Vulnerability Test Preferences by clicking unfold.

    → All NVTs that allow special configuration are listed.

  7. Click edit of a specific NVT (see figure Overview of NVTs).

    Tip

    This shortcut avoids having to click through the family structures to get to the desired NVT (the NVTs used here are in the family Policy).

    _images/cpe_policy_edit_cpepolicy.png

    Overview of NVTs

  8. Specify a single CPE directly in the input box Single CPE or import a list of CPEs in a file by activating the checkbox Upload file, clicking Browse... and selecting the file (see figure Editing an NVT).

    Below is an example for checking for Internet Explorer 9 and ClamAV 0.99:

    cpe:/a:microsoft:ie:9
    cpe:/a:clamav:clamav:0.99

    For this example the stated CPEs must be present for a system to comply. Of interest, therefore, are any systems that violate this policy, e.g. because a product is missing or present in a wrong version.

  9. Click Save to save the NVT.

    _images/cpe_policy_setcpepolicy1.png

    Editing an NVT

  10. Click Save to save the scan configuration.

    Note

    The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past they had a default score of 0 (log message) and overrides were required for different scores. The new default score of 10 can be changed using overrides as well.

    In this example violations of the policy should be reported with different severity. For this a new override has to be created.

  11. Select Scans > Overrides in the menu bar.

  12. Create a new override by clicking new.

  13. Enter “1.3.6.1.4.1.25623.1.0.103964” (for the NVT CPE-based Policy Check Violations) in the input box NVT OID (see figure Creating a new override).

  14. Select “5.0 (Medium)” in the drop-down-list New Severity (see figure Creating a new override).

  15. Click Save.

    _images/cpe_policy_override.png

    Creating a new override

    Note

    In case the detection efficiency should be increased by applying local security checks it is required to configure remote access via the Credentials feature.

  16. To do so, select Configuration > Credentials in the menu bar and create a new credential by clicking new. Save the credential by clicking Create (see Creating a new credential).

    If not done yet, create a corresponding user account on the Windows systems. A low privileged user account is sufficient.

    _images/cpe_policy_newcredential.png

    Creating a new credential

  17. Select Configuration > Targets in the menu bar.

  18. Create a new target by clicking new.

  19. Define the target systems and, if applicable, choose the respective credentials (see figure Creating a new target).

    _images/cpe_policy_newtarget.png

    Creating a new target

  20. Click Save.

  21. Now the actual task is created, i.e. the newly created scan configuration is combined with the newly created targets.

    Select Scans > Tasks in the menu bar.

  22. Create a new task by clicking new and selecting New Task.

  23. Define the task with the desired scan configuration (see figure Creating a new task).

    _images/cpe_policy_newtask.png

    Creating a new task

  24. Click Create.

    → The task is created and displayed on the page Tasks.

  25. Start the scan by clicking start of the respective task.

    → The scan is running. As soon as the status changes to Done the complete report is available. At any time the intermediate results can be reviewed.

    Note

    It can take a while for the scan to complete. The page refreshes automatically if an auto-refresh is set (see Chapter Setting the Auto-Refresh).

  26. When the scan is completed select Scans > Reports in the menu bar.

    Tip

    To show only the results of the CPE-based policy checks, a suitable filter can be applied.

  27. Enter “cpe” in the input box Filter.

    → The reports for CPE-based policy checks are displayed (see figure Reports for CPE-based policy checks).

    _images/cpe_policy_reportlist.png

    Reports for CPE-based policy checks

  28. Click on the date of the report to show the results.

  29. Click on an item in the column Vulnerability to show details for the result.

    In this example ClamAV 0.99 was found on one of the target systems and reported as a log message (see figure Result with the severity Log).

    _images/cpe_policy_report_log.png

    Result with the severity Log

    Internet Explorer 9, on the other hand, was not found on the target system and is therefore reported as a medium risk as defined in the override (see figure Result with the severity Medium).

    _images/cpe_policy_report_medium.png

    Result with the severity Medium

13.1.4.3. Detecting the Presence of Problematic Products

This example demonstrates how the presence of a certain product in an IT infrastructure is classified as a severe problem and reported as such.

  1. Execute steps 1 to 6 of Checking Policy Compliance.

    Note

    When choosing a general scan like Full and Fast both cases are treated the same, presence of the product as a running service and presence of the product on a hard drive.

    This essentially means that if it must be certain that the desired product indeed runs as a service, NVTs that only check for its presence on the file system or in the registry should be avoided.

    If such details are not desired right now, the report details can still be checked for false positives and false negatives.

  2. This time a single CPE (Internet Explorer 6) will be searched.

    Click edit of the NVT CPE Policy Check – Single CPE.

  3. Enter the following in the input box Single CPE (see figure Editing CPE Policy Check – Single CPE):

    cpe:/a:microsoft:ie:6

    Note

    In this case it has to be set that the entered CPE must be “present”.

  4. For Check for select the radiobutton present (see figure Editing CPE Policy Check – Single CPE).

    _images/cpe_policy_setcpepolicy2.png

    Editing CPE Policy Check – Single CPE

  5. Click Save to save the NVT.

  6. Click Save to save the scan configuration.

    Note

    The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message) and overrides were required for different scores.

    The new default score of 10 can be changed using overrides as well.

    Note

    In case the mere availability of a product should be considered it is required to configure remote access via the Credentials feature to apply local security checks.

  7. Execute steps 16 to 25 of Checking Policy Compliance to enable local security checks, to create a new task with the target systems and to start it.

  8. When the scan is completed select Scans > Reports in the menu bar.

    Tip

    To show only the results of the CPE-based policy checks, a suitable filter can be applied.

  9. Enter “cpe” in the input box Filter.

    → The reports for CPE-based policy checks are displayed (see figure Reports for CPE-based policy checks).

  10. Click on the date of the report to show the results.

  11. Click on an item in the column Vulnerability to show details for the result.

    In this example Internet Explorer 6 was found on one of the target systems and reported as a severe problem as defined in the override (see figure Result with the severity High).

    _images/cpe_policy_report_high.png

    Result with the severity High

13.1.4.4. Detecting the Absence of Important Products

This example shows how the absence of a certain product in the IT infrastructure is defined and reported as a severe problem.

  1. Execute steps 1 to 6 of Checking Policy Compliance.

    Note

    When choosing a general scan like Full and Fast both cases are treated the same, presence of the product as a running service and presence of the product on a hard drive.

    This essentially means that if it must be certain that the desired product indeed runs as a service, NVTs that only check for its presence on the file system or in the registry should be avoided.

    If such details are not desired right now, the report details can still be checked for false positives and false negatives.

  2. This time a single CPE (Norton Antivirus) will be searched.

    Click edit of the NVT CPE Policy Check – Single CPE.

  3. Enter the following in the input box Single CPE (see figure Editing CPE Policy Check – Single CPE):

    cpe:/a:symantec:norton_antivirus

    Note

    In this case it has to be set that the entered CPE must be “missing”.

  4. For Check for select the radiobutton missing (see figure Editing CPE Policy Check – Single CPE).

    _images/cpe_policy_setcpepolicy3.png

    Editing CPE Policy Check – Single CPE

  5. Click Save to save the NVT.

  6. Click Save to save the scan configuration.

    Note

    The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message) and overrides were required for different scores. The new default score of 10 can be changed using overrides as well.

    Note

    If the mere availability of a product is to be considered, remote access via the Credentials feature has to be configured so that local security checks can be applied. Searching only the running network services normally does not help here but rather increases the number of false positives.

  7. Execute steps 16 to 25 of Checking Policy Compliance to enable local security checks, to create a new task with the target systems and to start it.

  8. When the scan is completed select Scans > Reports in the menu bar.

    Tip

    To show only the results of the CPE-based policy checks, a suitable filter can be applied.

  9. Enter “cpe” in the input box Filter.

    → The reports for CPE-based policy checks are displayed (see figure Reports for CPE-based policy checks).

  10. Click on the date of the report to show the results.

  11. Click on an item in the column Vulnerability to show details for the result.

    In this example Norton Antivirus was not found on one of the target systems.

    _images/cpe_policy_missing_report.png

    Missing important product
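As an added example that is not part of this manual or of Greenbone's code, the following Python script models how a CPE Policy Check – Single CPE with Check for set to present or missing is evaluated against a host's software inventory. The inventories, host addresses and function names are constructed for illustration; a policy CPE entered without a version matches every version of that product.

```python
"""Evaluate CPE-based policy checks against per-host software inventories.

Added example; it models the 'CPE Policy Check - Single CPE' NVT with its
'Check for: present / missing' preference as described in the manual. The
data structures and inventories are constructed and are not the scanner's
internal format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CpePolicy:
    """One 'CPE Policy Check - Single CPE' configuration."""
    cpe: str        # CPE 2.2 URI entered in the Single CPE box
    check_for: str  # "present" or "missing", the Check for radiobutton


def cpe_components(cpe: str) -> list:
    """Split a CPE 2.2 URI into its components after the 'cpe:/' prefix.

    Trailing empty components are dropped, so 'cpe:/a:symantec:norton_antivirus:'
    is treated like 'cpe:/a:symantec:norton_antivirus'.
    """
    if not cpe.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe!r}")
    parts = cpe[len("cpe:/"):].lower().split(":")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def cpe_matches(policy_cpe: str, detected_cpe: str) -> bool:
    """True if the detected CPE is the policy CPE or a more specific form of it
    (e.g. the policy names the product, the detection adds a version)."""
    want = cpe_components(policy_cpe)
    have = cpe_components(detected_cpe)
    return len(have) >= len(want) and have[:len(want)] == want


def evaluate_host(host: str, inventory: list, policy: CpePolicy) -> dict:
    """Verdict for one host. The NVT reports a violation when the product's
    actual state equals the selected Check for value: 'present' flags hosts
    where the product was found, 'missing' flags hosts where it was not."""
    matched = [c for c in inventory if cpe_matches(policy.cpe, c)]
    if policy.check_for == "present":
        violation = bool(matched)
    elif policy.check_for == "missing":
        violation = not matched
    else:
        raise ValueError(f"unknown Check for value: {policy.check_for!r}")
    return {
        "host": host,
        "policy": policy.cpe,
        "check_for": policy.check_for,
        "result": "violation" if violation else "ok",
        "matched": matched,
    }


def evaluate_policy(inventories: dict, policy: CpePolicy) -> list:
    """Evaluate one policy over all hosts, ordered by host address."""
    return [evaluate_host(h, inv, policy) for h, inv in sorted(inventories.items())]


# Constructed inventories. In a real scan these come from the credentialed
# local security checks that the manual says this kind of policy relies on.
SAMPLE_INVENTORY = {
    "10.0.0.5": ["cpe:/a:symantec:norton_antivirus:22.0", "cpe:/o:microsoft:windows_10"],
    "10.0.0.6": ["cpe:/o:microsoft:windows_10", "cpe:/a:microsoft:ie:6.0"],
    "10.0.0.7": ["cpe:/a:symantec:norton_antivirus", "cpe:/o:microsoft:windows_7"],
}

# The two cases from the manual: an important product that must not be
# missing, and a product whose presence is itself the problem.
MISSING_AV = CpePolicy("cpe:/a:symantec:norton_antivirus", "missing")
PRESENT_IE6 = CpePolicy("cpe:/a:microsoft:ie:6.0", "present")

if __name__ == "__main__":
    for policy in (MISSING_AV, PRESENT_IE6):
        for verdict in evaluate_policy(SAMPLE_INVENTORY, policy):
            print(verdict)
```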

13.2. Standard Policies

13.2.1. IT-Grundschutz

With the Greenbone Security Manager (GSM) it is possible to automatically check either the German IT-Grundschutz catalogs or the modernized IT-Grundschutz compendium as published and maintained by the German Federal Office for Information Security (BSI).

The current “15. Ergänzungslieferung” is supported for the IT-Grundschutz catalogs, with tests for over 80 measures. That is the maximum number of measures that can be supported with automatic tests.

Some measures are quite comprehensive and actually consist of several single tests. A couple of measures address a specific operating system and hence will only be applied to those. The number and type of tested systems remains irrelevant for the GSM.

This makes the GSM the fastest co-worker for executing an IT-Grundschutz audit, and it opens the opportunity to run a check for breaches as a permanent background process.

13.2.1.1. Checking IT-Grundschutz

This example executes a check according to the German IT-Grundschutz, where IT-Grundschutz catalogs and IT-Grundschutz compendium can be selected.

  1. Download the scan configuration IT-Grundschutz Scan.

    For verinice integration use the scan configuration IT-Grundschutz Scan incl. Discovery for verinice.

    Important

    External links to the Greenbone download website are case-sensitive.

    Note that upper-case and lower-case letters and special characters have to be entered exactly as they are written in the footnotes.

  2. Select Configuration > Scan Configs in the menu bar.

  3. Click upload.

  4. Click Browse... and select the previously downloaded scan configuration (see figure Importing a scan configuration).

  5. Click Create.

    → The imported scan configuration is displayed on the page Scan Configs (see figure Imported scan configuration on the page Scan Configs).

    _images/itgrundschutz_importscanconfig.png

    Importing a scan configuration

    _images/itgrundschutz_scanconfig.png

    Imported scan configuration on the page Scan Configs

    Note

    This covers the settings to execute all checks. The actual checks are not explicitly selected so that rather a summary result is generated.

Test for IT-Grundschutz catalogs

  1. Click edit of the scan configuration.

  2. In the section Edit Network Vulnerability Test Families click edit for Compliance.

    → All NVTs that allow special configuration are listed. Two NVTs are selected per default: Compliance Tests and IT-Grundschutz, 15. EL (see figure NVTs of the family Compliance).

    _images/itgrundschutz_family_15EL.png

    NVTs of the family Compliance

  3. Click edit for Compliance Tests.

  4. For Launch IT-Grundschutz (15. EL) select the radiobutton yes (see figure Editing the NVT Compliance Tests).

    _images/itgrundschutz_compliance_15EL.png

    Editing the NVT Compliance Tests

  5. Click Save to save the NVT.

  6. Click edit for IT-Grundschutz, 15. EL.

  7. For Berichtformat select the radiobutton of the desired report format (see figure Selecting the report format).

    • Text: Textual report format
    • Tabellarisch: Tabular report format
    • Text und Tabellarisch: Textual and tabular report format

  8. Click Save to save the NVT.

  9. Click Save to save the family of NVTs.

  10. Click Save to save the scan configuration.

Test for IT-Grundschutz compendium

  1. Click edit of the scan configuration.

  2. In the section Edit Network Vulnerability Test Families click edit for Compliance.

    → All NVTs that allow special configuration are listed (see figure NVTs of the family Compliance).

    _images/itgrundschutz_family_kompendium.png

    NVTs of the family Compliance

  3. Activate the checkboxes for Compliance Tests and IT-Grundschutz, Kompendium.

  4. Click edit for Compliance Tests.

  5. For Launch latest IT-Grundschutz version select the radiobutton yes (see figure Editing the NVT Compliance Tests).

  6. For Level of Security (IT-Grundschutz) select the radiobutton of the level which was introduced in the modernized IT-Grundschutz compendium (see figure Editing the NVT Compliance Tests).

    _images/itgrundschutz_compliance_kompendium.png

    Editing the NVT Compliance Tests

  7. Click Save to save the NVT.

  8. Click edit for IT-Grundschutz, Kompendium.

  9. For Berichtformat select the radiobutton of the desired report format (see figure Selecting the report format).

    • Text: Textual report format
    • Tabellarisch: Tabular report format
    • Text und Tabellarisch: Textual and tabular report format

    _images/itgrundschutz_select_report_format.png

    Selecting the report format

  10. Click Save to save the NVT.

  11. Click Save to save the family of NVTs.

  12. Click Save to save the scan configuration.

Note

The majority of the checks for the measures are based on local security checks. For these, the respective access needs to be configured.

  1. Execute steps 16 to 25 of Checking Policy Compliance.

  2. When the scan is completed select Scans > Reports in the menu bar.

    _images/itgrundschutz_reportlist.png

    Report for the IT-Grundschutz scan

  3. Click on the date of the report to show the results.

    Note

    For the textual form of the report the severity category “Low” in the filter has to be enabled. For the tabular form of the report the category “Log” in the filter has to be enabled.

  4. To do so, click edit in the filter bar.

    → The window for editing the filter is opened.

  5. For Severity (Class) activate the checkbox Low or Log.

  6. Click Update.

Note

The number of reports depends on the selected report format. The entry in the column Location is general/IT-Grundschutz for the textual report and general/IT-Grundschutz-T for the tabular report. When both report formats were chosen, they both appear with the same name but with their corresponding entry in the column Location (see figure Report for IT-Grundschutz scan in both report formats).

_images/it_grundschutz_both_export_formats.png

Report for IT-Grundschutz scan in both report formats

13.2.1.2. Importing Results into a Spreadsheet Application

The results can be imported into a spreadsheet application, e.g. Microsoft Excel, Apache OpenOffice Calc or LibreOffice Calc as follows:

  1. Move the mouse over Report: Results.

    → A drop-down-list is opened (see figure Opening the page Report: Summary and Download).

    _images/report_dropdownlist_ITGrundschutz.png

    Opening the page Report: Summary and Download

  2. Click Report: Summary and Download.

    Note

    The report is available in a full or a filtered version. In the filtered version, the currently applied filter (besides rows and first) is considered.

  3. In the row of the desired version, select ITG in the drop-down-list in the column Download (see figure Exporting a report).

  4. In the row of the desired version click download.

    → The report is exported as a CSV file.

    _images/it_grundschutz_download.png

    Exporting a report

  5. Open the spreadsheet application and open the previously exported CSV file.

    Note

    This example shows the import using LibreOffice Calc 5.2.7.2.

  6. Select Unicode (UTF-8) in the drop-down-list Character set.

  7. Select the radiobutton Separated by, activate the checkbox Other and enter | (vertical line) in the input box.

  8. Select in the drop-down-list Text delimiter.

  9. Mark the last column in the preview window and select Text in the drop-down-list Column type.

    _images/it_grundschutz_officeimport.png

    Adjusting the import settings

  10. Click OK.

    → The report is opened in the spreadsheet application and can be used for further analysis.

13.2.1.3. Importing Results into IT-Grundschutz Tools

There are a number of tools available to assist IT-Grundschutz processes with a structured approach, data entry and management.

The German Federal Office for Information Security (BSI) offers an overview on IT-Grundschutz tools on its website.

Note

For importing the results of an IT-Grundschutz scan into one of these tools contact the vendor of the corresponding tool. For additional questions do not hesitate to contact the Greenbone Networks Support.

13.2.1.4. Result Classes of IT-Grundschutz Checks

The following result classes can occur for a check:

  • Not fulfilled (FAIL)

    It was detected that the target system does not fulfill the measure.

  • Fulfilled (OK)

    It was detected that the target system does fulfill the measure.

  • Error (ERR)

    It was not possible to execute the test routine properly.

    Example: Some checks require credentials. If the credentials are missing, the check cannot be executed for technical reasons. In case no credentials are provided, many of the checks will have this status.

  • Check of this measure is not available (NA)

    In general it is assumed that this measure can automatically be checked for, but an implementation is not yet available. For newly released “Ergänzungslieferungen” this is initially true for a number of measures. However, the Greenbone Security Feed is updated continuously, and eventually all measures will be implemented.

  • Check of the measure is not implemented (NI)

    A number of measures of the IT-Grundschutz catalogs are kept too general to create an explicit automatic check. Other measures describe checks that can only be done physically and thus also belong to this class of test that cannot be implemented at all.

  • Check not suited for the target system (NS)

    Some measures refer exclusively to a special type of operating system. If the target system runs another operating system type, the measure does not apply.

  • This measure is deprecated (DEP)

    Some updates (“Ergänzungslieferungen”) removed some measures without a replacement. Old IDs of such deprecated measures are never re-used. The results marked as DEP can be safely ignored but the entries remain for completeness.
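Added example, not Greenbone's code, serving both the pipe-separated export described in Importing Results into a Spreadsheet Application and the result classes listed here: a Python summary of an ITG export per host and result class that also flags hosts where ERR dominates, the symptom the ERR class above attributes to missing credentials. The column layout host|measure|title|result|note and the sample rows are assumptions for illustration, not the documented layout of the export.

```python
"""Summarize an IT-Grundschutz (ITG) report export by host and result class.

Added example. The manual states that the ITG export is a pipe-separated
UTF-8 CSV and defines the result classes FAIL, OK, ERR, NA, NI, NS and DEP.
The column layout assumed here (host|measure|title|result|note) and the
sample rows are constructed for illustration only.
"""
import csv
import io
from collections import Counter

RESULT_CLASSES = ("FAIL", "OK", "ERR", "NA", "NI", "NS", "DEP")

# Constructed sample export in the assumed layout. Host 10.0.0.6 was scanned
# without credentials, so most of its credentialed checks ended in ERR.
SAMPLE_EXPORT = """\
host|measure|title|result|note
10.0.0.5|M4.2|Screen lock|OK|
10.0.0.5|M4.3|Use of anti virus protection software|FAIL|no product found
10.0.0.5|M4.7|Changing of default passwords|OK|
10.0.0.5|M4.36|Disabling of certain fax receiving phone numbers|NS|not applicable to this OS
10.0.0.5|M5.64|Secure shell|NA|check not yet available
10.0.0.6|M4.2|Screen lock|ERR|no credentials
10.0.0.6|M4.3|Use of anti virus protection software|ERR|no credentials
10.0.0.6|M4.7|Changing of default passwords|OK|
10.0.0.6|M4.36|Disabling of certain fax receiving phone numbers|ERR|no credentials
"""


def parse_export(text: str) -> list:
    """Parse the pipe-separated export (delimiter '|', as in the spreadsheet
    import steps) and validate that every row carries a known result class."""
    reader = csv.DictReader(io.StringIO(text), delimiter="|")
    rows = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        result = (row.get("result") or "").strip().upper()
        if result not in RESULT_CLASSES:
            raise ValueError(f"line {lineno}: unknown result class {row.get('result')!r}")
        row["result"] = result
        rows.append(row)
    return rows


def summarize(rows: list) -> dict:
    """Count result classes per host: {host: Counter({'OK': n, 'FAIL': m, ...})}."""
    per_host = {}
    for row in rows:
        per_host.setdefault(row["host"], Counter())[row["result"]] += 1
    return per_host


def hosts_probably_missing_credentials(per_host: dict, threshold: float = 0.5) -> list:
    """Hosts where more than `threshold` of all checks ended in ERR. The manual
    explains that ERR is what most checks report when credentials are missing,
    so such a host needs its credentials fixed before its OK/FAIL counts mean
    anything."""
    flagged = []
    for host, counts in sorted(per_host.items()):
        total = sum(counts.values())
        if total and counts["ERR"] / total > threshold:
            flagged.append(host)
    return flagged


def failed_measures(rows: list) -> list:
    """(host, measure) pairs that were checked and found not fulfilled."""
    return sorted((r["host"], r["measure"]) for r in rows if r["result"] == "FAIL")


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    summary = summarize(parsed)
    for host, counts in sorted(summary.items()):
        print(host, dict(counts))
    print("check credentials on:", hosts_probably_missing_credentials(summary))
    print("not fulfilled:", failed_measures(parsed))
```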

13.2.1.5. Supported measures

This overview refers to the current “Ergänzungslieferung”. The measure IDs link to the corresponding detailed information available on the website of BSI.

The following test types are distinguished:

  • Remote: For the check it is only necessary to have a network connection to the target system.
  • Credentials: For the check it is required to use an account on the target system.

BSI reference | Title | Test type | Note
--- | --- | --- | ---
M4.2 | Screen lock | Credentials | Windows: Can only test for local accounts. Linux: Only default screen savers in Gnome and KDE.
M4.3 | Use of anti virus protection software | Credentials |
M4.4 | Compliant handling of drives for removable media and external data storage devices | Credentials |
M4.5 | Logging of telecommunication equipment | Credentials |
M4.7 | Changing of default passwords | Remote | Test only via SSH and Telnet.
M4.9 | Use of the security mechanisms of XWindows | Credentials |
M4.14 | Mandatory password protection in Unix | Credentials |
M4.15 | Secure login | Credentials |
M4.16 | Access restrictions of user IDs and / or terminals | Credentials |
M4.17 | Locking and deleting unneeded accounts and terminals | Credentials |
M4.18 | Administrative and technical securing of access to monitoring and single-user mode | Credentials |
M4.19 | Restrictive allocation of attributes for UNIX system files and directories | Credentials |
M4.20 | Restrictive allocation of attributes for UNIX user files and directories | Credentials |
M4.21 | Preventing of unauthorized escalation of administrator rights | Credentials |
M4.22 | Preventing of loss of confidentiality of sensitive data in the UNIX system | Credentials |
M4.23 | Safe access of executable files | Credentials |
M4.33 | Use of a virus scanning program for storage media exchange and data transfer | Credentials |
M4.36 | Disabling of certain fax receiving phone numbers | Credentials | Cisco devices can only be tested via telnet because they do not support blowfish-cbc encryption.
M4.37 | Disabling of certain fax sending phone numbers | Credentials | Cisco devices can only be tested via telnet because they do not support blowfish-cbc encryption.
M4.40 | Preventing the unauthorized use of the computer microphone | Credentials | Only implemented for Linux. Under Windows, it is not possible to determine the status of the microphone via registry/WMI.
M4.48 | Password protection of Windows systems | Credentials |
M4.49 | Securing of the boot process of Windows systems | Credentials |
M4.52 | Equipment protection under Windows NT-based systems | Credentials |
M4.57 | Deactivation of automatic CD-ROM recognition | Credentials |
M4.80 | Secure access methods for remote administration | Remote |
M4.94 | Protection of web server files | Remote |
M4.96 | Disabling of DNS | Credentials |
M4.97 | One service per server | Remote |
M4.98 | Limit communication through a packet filter to a minimum | Credentials | Microsoft Windows Firewall is being tested. For Vista and newer any firewall that is installed conforming to the system.
M4.106 | Activation of system wide logging | Credentials |
M4.135 | Restrictive assigning of access rights to system files | Credentials |
M4.147 | Secure use of EFS under Windows | Credentials |
M4.200 | Use of USB storage media | Credentials |
M4.227 | Use of a local NTP server for time synchronization | Credentials |
M4.238 | Use of a local packet filter | Credentials | Microsoft Windows Firewall is being tested. For Vista and newer any firewall that is installed conforming to the system.
M4.244 | Secure system configuration of Windows client operating systems | Credentials |
M4.277 | Securing of the SMB, LDAP and RPC communication of Windows servers | Credentials |
M4.284 | Handling of services of Windows Server 2003 | Credentials |
M4.285 | Uninstallation of unneeded client services of Windows Server 2003 | Credentials |
M4.287 | Secure administration of VoIP middleware | Remote |
M4.300 | Information protection of printers, copiers and multi-function equipment | Remote |
M4.305 | Use of storage quotas | Credentials |
M4.310 | Implementation of LDAP access to file services | Remote |
M4.313 | Providing of secure domain controllers | Credentials |
M4.325 | Deletion of swap files | Credentials |
M4.326 | Providing the NTFS properties on a Samba file server | Credentials |
M4.328 | Secure base configuration of a Samba server | Credentials |
M4.331 | Secure configuration of the operating system for a Samba server | Credentials |
M4.332 | Secure configuration of access controls of a Samba server | Credentials |
M4.333 | Secure configuration of Winbind under Samba | Credentials |
M4.334 | SMB message signing and Samba | Credentials |
M4.338 | Use of Windows Vista and newer file and registry virtualization | Credentials | Only a general test if file and registry virtualization is enabled.
M4.339 | Avoidance of unauthorized use of portable media under Windows Vista and later | Credentials |
M4.340 | Use of the Windows user account control UAC starting with Windows Vista | Credentials |
M4.341 | Integrity protection starting with Windows Vista | Credentials | Implemented where technically possible (active UAC and protected mode in different zones).
M4.342 | Activation of the last access time stamp starting with Windows Vista | Credentials |
M4.344 | Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems | Credentials |
M4.368 | Regular audits of the terminal server environment | Credentials |
M5.8 | Regular security check of the network | Remote | Only a message is displayed that tests should be performed with up-to-date plug-ins.
M5.17 | Use of the security mechanisms of NFS | Credentials |
M5.18 | Use of the security mechanisms of NIS | Credentials |
M5.19 | Use of the security mechanisms of sendmail | Remote |
M5.19 | Use of the security mechanisms of sendmail | Credentials |
M5.20 | Use of the security mechanisms of rlogin, rsh and rcp | Credentials |
M5.21 | Secure use of telnet, ftp, tftp and rexec | Credentials |
M5.34 | Use of one time passwords | Credentials |
M5.59 | Protection from DNS-spoofing with authentication mechanisms | Credentials |
M5.63 | Use of GnuPG or PGP | Credentials |
M5.64 | Secure shell | Remote |
M5.66 | Use of TLS/SSL | Remote |
M5.72 | Deactivation of not required net services | Credentials | Only displays the services in question.
M5.90 | Use of IPSec under Windows | Credentials |
M5.91 | Use of personal firewalls for clients | Credentials | Microsoft Windows Firewall is being tested. For Vista and newer any firewall that is installed conforming to the system. On Linux systems, the iptables rules are displayed if possible.
M5.109 | Use of an e-mail scanner on the mailserver | Remote |
M5.123 | Securing of the network communication under Windows | Credentials |
M5.131 | Securing of the IP protocols under Windows Server 2003 | Credentials |
M5.145 | Secure use of CUPS | Credentials |
M5.147 | Securing of the communication with directory services | Remote |

13.2.2. PCI DSS

13.2.2.1. Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for payment card transactions and is supported by the major payment systems MasterCard, Visa, AMEX, Discover and JCB.

All organizations processing card payments and/or storing or transferring card data are required to perform compliance validation according to PCI DSS. Non-compliance or lack of validation means the risk of being fined or, ultimately, losing the ability to process payment cards.

The validation of compliance depends on the volume of card transactions. Here, service providers are usually classified as Level 1 Service Provider. They must validate their cardholder data environment by an independent scanning vendor approved by the PCI Security Standards Council (PCI SSC) on a quarterly basis. In addition, an annual on-site PCI Security Audit has to be performed by an independent Qualified Security Assessor (QSA), also approved by the PCI SSC.

The Approved Scanning Vendor (ASV) is a service provider performing a vulnerability scan of the cardholder data environment visible to the Internet. As such the vulnerability scanners themselves cannot be classified or certified as ASVs. However, they are tools for the ASV to perform the vulnerability scan using the approved process.

13.2.2.2. Greenbone Security Manager and PCI DSS

According to PCI DSS (Version 3.1, Requirement 11.2) two types of vulnerability scans have to be performed on a quarterly basis and after significant changes to the cardholder data environment:

  • Vulnerability scan conducted by the ASV

  • Internal scan of the cardholder data environment

    The latter scan may be performed by employees of the organization and requires no approval by the PCI SSC.

The Greenbone Security Manager (GSM) can perform both of these scans. The false positive management features help to avoid significant work load of manually eliminating wrong alerts.

A merchant can use the GSM to check the security requirements prior to the ASV vulnerability scan in order to avoid costly re-scans.

This way, a merchant can use the GSM to check for PCI compliance on an ongoing basis even between the scans performed by the ASV.

Since security changes are stored immutably for audit compliance within the GSM, the correct security and compliance status can be verified at all times in between the quarterly ASV scans.

Escalation methods can continuously inform an external auditor as well as internal experts about the security status. Summaries are sent to the responsible parties.

13.2.2.3. Policy Monitoring

The GSM can also check the system parameters according to the PCI DSS policy in the same way it periodically checks the technical aspects of other policies.

With a permanent background policy scan it is ensured that antivirus tools are not outdated or firewalls are not deactivated without notice. Such parameters can be monitored and escalated in the same way as software vulnerabilities.

Advantages for the merchant:

  • Permanent policy monitoring
  • Flexible escalation
  • False positive management
  • Internal and external vulnerability scanning
  • Complete vulnerability analysis according to PCI DSS for internal scans

Advantages for the ASV:

  • False positive management
  • Static scan configuration for re-scans
  • Complete vulnerability analysis according to PCI DSS for external scans via Internet
  • Flexible reporting framework for individual scan reports

Tip

Greenbone Networks as the vendor of the GSM does not act as an ASV. However, among Greenbone’s business partners there are security consultants who also act as an ASV and can introduce the GSM into the security process.

13.2.3. BSI TR-03116: Kryptographische Vorgaben für Projekte der Bundesregierung

The German Federal Office for Information Security (BSI) published a technical guideline “TR-03116: Kryptographische Vorgaben für Projekte der Bundesregierung”. Part 4 of this guideline describes the security requirements for services of the federal government using the cryptographic protocols SSL/TLS, S/MIME and OpenPGP.

The requirements are based on forecasts for the security of the algorithms and key length for the next seven years including 2022.

Greenbone Networks provides a scan configuration for testing the compliance of services with the technical guideline “TR-03116”. This configuration has to be imported into the GSM as described below.

This scan configuration tests if the scanned hosts and services use SSL/TLS. If this is the case, the compliance with the guideline is tested.

At least the following ciphers must be supported to pass the test:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

If a pre-shared key is used by the application in addition to the SSL/TLS algorithm, one of the following ciphers is required:

  • TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
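
Added example, not Greenbone's NVT or code: a Python check of a server's offered cipher-suite list against the TR-03116-4 requirements quoted above. It accepts both the IANA names used in the list above and the OpenSSL names that Python's ssl module reports; the OpenSSL name mapping and the two server cipher lists are this example's own assumptions.

```python
"""Check an offered TLS cipher-suite list against the BSI TR-03116-4 cipher
requirements listed in the manual.

Added example. REQUIRED_CIPHERS and PSK_CIPHERS are the lists from the manual;
the OpenSSL-to-IANA mapping (assumed standard OpenSSL names) and the sample
server lists are constructed for this example.
"""

# Cipher suites the manual lists as required (IANA names).
REQUIRED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
# One of these is additionally required when the application uses a pre-shared key.
PSK_CIPHERS = {
    "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
}

# OpenSSL spelling of the same suites (assumption: standard OpenSSL names, as
# returned by ssl.SSLSocket.cipher() / shared_ciphers()).
_OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES128-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "RSA-PSK-AES128-CBC-SHA256": "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
    "ECDHE-PSK-AES128-CBC-SHA256": "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
}


def normalize(name: str) -> str:
    """Map a cipher suite name to its IANA form. IANA names pass through;
    known OpenSSL names are translated; anything else is returned upper-cased
    so that it simply never matches a required suite."""
    name = name.strip().upper()
    if name.startswith("TLS_"):
        return name
    return _OPENSSL_TO_IANA.get(name, name)


def check_tr03116(offered: list, uses_psk: bool = False) -> dict:
    """Return a verdict for one service.

    compliant: every required suite is offered and, if uses_psk, at least one
               PSK suite is offered as well
    missing:   required suites the service does not offer (sorted)
    psk_ok:    None when PSK is not in use, else whether a PSK suite is offered
    """
    offered_iana = {normalize(c) for c in offered}
    missing = sorted(REQUIRED_CIPHERS - offered_iana)
    psk_ok = None if not uses_psk else bool(PSK_CIPHERS & offered_iana)
    return {
        "compliant": not missing and psk_ok is not False,
        "missing": missing,
        "psk_ok": psk_ok,
    }


# Constructed cipher lists standing in for what a scanner reports for two hosts.
GOOD_SERVER = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-PSK-AES128-CBC-SHA256",
]
LEGACY_SERVER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    print("good:", check_tr03116(GOOD_SERVER, uses_psk=True))
    print("legacy:", check_tr03116(LEGACY_SERVER))
```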

  1. Download the scan configuration BSI TR-03116 Scan Config.

    Important

    External links to the Greenbone download website are case-sensitive.

    Note that upper-case and lower-case letters and special characters have to be entered exactly as they are written in the footnotes.

  2. Select Configuration > Scan Configuration in the menu bar.

  3. Click upload.

  4. Click Browse... and select the previously downloaded scan configuration.

  5. Click Create.

    → The imported scan configuration is displayed on the page Scan Configs.

  6. Click edit of the scan configuration.

  7. In the section Edit Network Vulnerability Test Families click edit for Policy.

    → All NVTs that allow special configuration are listed.

  8. Click edit for BSI-TR-03116-4 Policy.

  9. For Perform check select the radiobutton yes (see figure Editing an NVT).

    _images/bsitr0.png

    Editing an NVT

  10. Click Save to save the NVT.

  11. Click Save to save the family of NVTs.

  12. Click Save to save the scan configuration.

  13. Execute steps 16 to 25 of Checking Policy Compliance.

  14. When the scan is completed select Scans > Reports in the menu bar.

    → The scan report will show either matches or violations (see figures Result of a match and Report showing result of violations with severity Medium).

    _images/bsitr1.png

    Result of a match

    _images/bsitr3.png

    Report showing result of violations with severity Medium

Note

The severity of the NVTs depends on the GOS version used. Since GOS 4.2, the violation NVTs have a default score of 10. In the past these NVTs had a default score of 0 (log message) and overrides were required for different scores. The new default score of 10 can be changed using overrides as well.

13.2.4. Cyber Essentials

The Cyber Essentials are simple yet effective requirements to protect organizations of any size against the most common cyber attacks. This UK government scheme, launched in 2014, addresses Internet-based threats to cyber security, namely hacking, phishing and password guessing. It reduces the risk of successful attacks which use widely available tools and demand little skill. The Cyber Essentials specify the requirements under five technical control themes:

  • Firewalls (boundary and/or host-based)
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

The requirements for each technical control theme can be found here.

13.2.4.1. Testing for Compliance with Cyber Essentials

  1. Download the scan configuration Cyber Essentials Scan Config.

    Important

    External links to the Greenbone download website are case-sensitive.

    Note that upper-case and lower-case letters and special characters have to be entered exactly as they are written in the footnotes.

  2. Select Configurations > Scan Configs in the menu bar.

  3. Click upload.

  4. Click Browse... and select the previously downloaded scan configuration (see figure Importing a scan configuration).

    _images/policy_import_ce_config.png

    Importing a scan configuration

  5. Click Create.

    → The imported scan configuration is displayed on the page Scan Configs.

  6. Select Configuration > Targets in the menu bar.

  7. Create a new target by clicking new.

  8. Define the target systems. For more information see Creating a Target.

  9. Click Save.

  10. Now the actual task is created. This means to combine the newly created scan configuration with the newly created targets.

    Select Scans > Tasks in the menu bar.

  11. Create a new task by clicking new and selecting New Task.

  12. Define the task with the desired scan configuration (see figure Creating a new task).

    _images/policy_create_ce_task.png

    Creating a new task

  13. Click Create.

  14. Start the scan by clicking start of the respective task.

    → The scan is running. As soon as the status changes to Done the complete report is available. At any time the intermediate results can be reviewed.

    Note

    It can take a while for the scan to complete. The page is refreshing automatically if an auto-refresh is set (see Chapter Setting the Auto-Refresh).

  15. Select Scans > Reports in the menu bar.

  16. Click on the date of the report to show the results.

    The results are divided into the following groups (see figure Results of the Cyber Essentials scan):

    • Cyber Essentials. Only appears if the tests cannot be run against a host for any reason.
    • Cyber Essentials: Error. Summarizes requirements with errors (if any).
    • Cyber Essentials: Fail. Summarizes requirements the host does not comply with (if any).
    • Cyber Essentials: Ok. Summarizes requirements the host does comply with (if any).

    _images/policy_ce_report.png

    Results of the Cyber Essentials scan

Note

The technical control theme Malware Protection includes requirements for application whitelisting. This can be done with Greenbone’s CPE-based scans. See chapter Simple CPE-Based Checks for Security Policies for more information.

13.2.5. General Data Protection Regulation

The General Data Protection Regulation (GDPR) regulates the processing of personal data (relating to individuals in the EU) by another individual, a company or an organization for any use outside the personal sphere. For example, it applies to financial activities. Personal data is any information that relates to an identified or identifiable living individual. Examples are:

  • (Sur-) Name
  • E-mail addresses belonging to an individual (not generic ones like info@example.com)
  • IP address
  • Home address

Since the regulation does not refer to any technology, it applies to both digital and analogue processing/storage of personal data. For more information see also the webpage of the European Commission regarding the GDPR.

There are no official technical requirements for the GDPR published. As stated in Art. 32 GDPR, the organization “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” of personal data. Many checklists for GDPR compliance are available, which contain amongst other requirements considerations for password management, auditing/logging and handling of removable media devices.

13.2.5.1. Testing Technical Requirements of GDPR

The following technical settings can be tested automatically with Greenbone:

  • Min. password length
  • Max. password age
  • Password complexity enforcement
  • Handling of removable media
  • Logging policy

Execute the following steps to test these settings on the hosts:

  1. Download the scan configuration GDPR Scan Config.

    Important

    External links to the Greenbone download website are case-sensitive.

    Note that upper-case and lower-case letters and special characters have to be entered exactly as they are written in the footnotes.

  2. Select Configurations > Scan Configs in the menu bar.

  3. Click upload.

  4. Click Browse... and select the previously downloaded scan configuration (see figure Importing a scan configuration).

    _images/policy_import_gdpr_config.png

    Importing a scan configuration

  5. Click Create.

    → The imported scan configuration is displayed on the page Scan Configs.

  6. Select Configuration > Targets in the menu bar.

  7. Create a new target by clicking new.

  8. Define the target systems. For more information see Creating a Target.

  9. Click Save.

  10. Now the actual task is created. This means to combine the newly created scan configuration with the newly created targets.

    Select Scans > Tasks in the menu bar.

  11. Create a new task by clicking new and selecting New Task.

  12. Define the task with the desired scan configuration (see figure Creating a new task).

    _images/policy_create_gdpr_task.png

    Creating a new task

  13. Click Create.

  14. Start the scan by clicking start of the respective task.

    → The scan is running. As soon as the status changes to Done the complete report is available. At any time the intermediate results can be reviewed.

    Note

    It can take a while for the scan to complete. The page is refreshing automatically if an auto-refresh is set (see Chapter Setting the Auto-Refresh).

  15. Select Scans > Reports in the menu bar.

  16. Click on the date of the report to show the results (see figure Results of the GDPR scan).

    _images/policy_gdpr_report.png

    Results of the GDPR scan

Important

The settings found on the host have to comply with the organization’s guidelines.

13.3. Special Policies

13.3.1. Mailserver Online Test

In September 2014 the Bavarian State Office for Data Protection performed the online test Mailserver: STARTTLS & Perfect Forward Secrecy. The organizations which were found to be affected by this test were asked to remove the security risks.

Using the Greenbone Security Manager or OpenVAS, an organization can test whether its own mail servers comply with the security criteria. Execute the following steps to perform the test:

  1. Download the scan configuration Mailserver Online Test Scan Config.

    Important

    External links to the Greenbone download website are case-sensitive.

    Note that upper-case letters, lower-case letters and special characters must be entered exactly as they are written in the footnotes.

  2. Select Configurations > Scan Configs in the menu bar.

  3. Click upload.

  4. Click Browse... and select the previously downloaded scan configuration.

  5. Click Create.

    → The imported scan configuration is displayed on the page Scan Configs.

  6. Select Configuration > Port Lists.

  7. Create a new port list by clicking new.

  8. Define the port list and enter “T:25” in the input box Port Ranges — Manual.

  9. Click Save.

  10. Select Configuration > Targets in the menu bar.

  11. Create a new target by clicking new.

  12. Define the target system containing the mailserver that should be tested and select the previously created port list in the drop-down-list Port List.

    Note

    Depending on the network settings it could make sense to select Consider Alive in the drop-down-list Alive Test.

  13. Click Save.

  14. Now the actual task is created. This means to combine the newly created scan configuration with the newly created targets.

    Select Scans > Tasks in the menu bar.

  15. Create a new task by clicking new and selecting New Task.

  16. Define the task with the desired scan configuration.

  17. Click Create.

  18. Start the scan by clicking start of the respective task.

    → The scan is running. As soon as the status changes to Done the complete report is available. At any time the intermediate results can be reviewed.

    Note

    It can take about 30 to 40 minutes for the scan to complete because the scanner generally has to wait longer for responses from the mail servers. The page is refreshing automatically if an auto-refresh is set (see Chapter Setting the Auto-Refresh).

  19. Select Scans > Reports in the menu bar.

    → The report contains different log entries for each mailserver.

    A missing STARTTLS is initially only reported as a log message, because how it should be assessed is a policy question. For example, an override can be created for this NVT that rates it as a high risk. The override can then be extended to all hosts and, if desired, to all tasks.

Note

If monitoring is to be established, a schedule for this task (e.g. every week on Sunday) as well as an alert (e.g. an e-mail) can be created. Combined with the respective overrides, this creates an automated warning system running in the background.
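The two criteria of this online test, STARTTLS support and Perfect Forward Secrecy (PFS) of the negotiated cipher, can also be evaluated outside the GSM. The following Python script is an added example and is not part of the Greenbone manual or product: the EHLO responses are constructed samples, the set of PFS key-exchange tokens (ECDHE, DHE, EDH) and the TLS 1.3 suite names are assumptions of the example, and `check_live` is only meant to be pointed at a mail server under your own administration.

```python
import re
import smtplib
import ssl

# TLS 1.3 suites always use an ephemeral (EC)DHE key exchange, so they provide PFS.
# (Assumed list for this example.)
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Constructed EHLO responses (one list entry per response line, without the
# "250-" prefix) used to exercise the checks offline.
SAMPLE_EHLO_WITH_STARTTLS = ["mail.example.test", "SIZE 52428800", "STARTTLS", "8BITMIME"]
SAMPLE_EHLO_WITHOUT_STARTTLS = ["mail.example.test", "SIZE 52428800", "8BITMIME"]


def advertises_starttls(ehlo_lines):
    """True if the EHLO response lists the STARTTLS extension (RFC 3207)."""
    return any(line.strip().upper() == "STARTTLS" for line in ehlo_lines)


def cipher_has_pfs(cipher_name):
    """True if the negotiated cipher suite uses an ephemeral key exchange.

    Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-SHA)
    and IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_AES_128_GCM_SHA256).
    """
    name = cipher_name.strip().upper()
    if name in TLS13_SUITES:
        return True
    tokens = set(re.split(r"[-_]", name))
    return bool(tokens & {"ECDHE", "DHE", "EDH"})


def assess(starttls_offered, negotiated_cipher):
    """Combine both test criteria into a verdict: ok / no STARTTLS / no PFS."""
    result = {"starttls": bool(starttls_offered), "pfs": None, "verdict": "ok"}
    if not starttls_offered:
        result["verdict"] = "no STARTTLS"
        return result
    result["pfs"] = cipher_has_pfs(negotiated_cipher) if negotiated_cipher else False
    if not result["pfs"]:
        result["verdict"] = "no PFS"
    return result


def assess_ehlo(ehlo_lines, negotiated_cipher):
    """Offline variant: evaluate a captured EHLO response plus the cipher that was negotiated."""
    return assess(advertises_starttls(ehlo_lines), negotiated_cipher)


def check_live(host, port=25, timeout=10):
    """Probe one of your own mail servers: EHLO, STARTTLS, then inspect the negotiated cipher.

    Needs network access to the server; not exercised in the offline samples above.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        offered = smtp.has_extn("starttls")
        cipher = None
        if offered:
            smtp.starttls(context=ctx)
            cipher = smtp.sock.cipher()[0]  # cipher() returns (name, protocol, secret_bits)
    return assess(offered, cipher)


if __name__ == "__main__":
    print(assess_ehlo(SAMPLE_EHLO_WITH_STARTTLS, "ECDHE-RSA-AES128-GCM-SHA256"))
    print(assess_ehlo(SAMPLE_EHLO_WITHOUT_STARTTLS, None))
```

The verdict strings map directly onto the policy decision described above: a scheduled run of `check_live` against your own servers that returns anything other than "ok" is the condition an override or alert in the GSM would escalate.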

13.4. TLS-Map

The TLS (Transport Layer Security) protocol ensures the confidentiality, authenticity and integrity of communication over insecure networks. It establishes confidential communication between sender and receiver, for example between a web server and a web browser. In past years various security holes were found in the widely used protocol version TLS 1.0 and were exploited by attackers to actually read the communication.

With the Greenbone Security Manager (GSM) it is possible to identify systems that offer services using SSL/TLS protocols. Additionally, the GSM detects the protocol versions and the offered encryption algorithms. Further details about the service can be obtained if the service can be properly identified.

13.4.1. Preparing the Scan

For a simplified export of the scan results, Greenbone Networks has prepared a special report format plug-in. The resulting data file makes it easy to process the data further.

  1. Download the TLS-Map Report Format Plug-in.

    Important

    External links to the Greenbone download website are case-sensitive.

    Note that upper-case letters, lower-case letters and special characters must be entered exactly as they are written in the footnotes.

  2. Select Configuration > Report Formats.

  3. Click new.

  4. Click Browse... and select the previously downloaded report format plug-in.

  5. Click Create.

    → The imported report format is displayed on the page Report Formats.

  6. Verify the signature of the report format by clicking verify.

  7. In the row of the report format click edit.

  8. For Active select the radiobutton Yes.

  9. Click Save.

13.4.2. Checking for TLS and Exporting the Scan Results

Important

External links to the Greenbone download website are case-sensitive.

Note that upper-case letters, lower-case letters and special characters must be entered exactly as they are written in the footnotes.

For an overview on TLS usage in the network or on single systems Greenbone Networks recommends using one of the following scan configurations:

  • TLS-Map Scan Config
    This scan configuration identifies the used protocol versions and the offered encryption algorithms but does not try to identify in-depth details of the service.
  • TLS-Map with service detection
    This scan configuration identifies the used protocol versions and the offered encryption algorithms. Additionally, it tries to identify in-depth details of the service. This identification takes more time and produces more network traffic compared to the simple scan configuration mentioned above.

  1. Download one of the scan configurations according to the needs.

  2. Select Configurations > Scan Configs in the menu bar.

  3. Click upload.

  4. Click Browse... and select the previously downloaded scan configuration.

  5. Click Create.

    → The imported scan configuration is displayed on the page Scan Configs.

    Note

    Select Configuration > Port Lists to have a look at the pre-configured port lists. By clicking new own port lists can be created. Choose a suitable list of ports that should be scanned. Pay attention that all ports of interest are covered by the list.

    The more extensive the list the longer the scan will take but this may also detect services at unusual ports.

    Consider that the TLS protocol is based on TCP. A port list containing UDP ports will slow down the scan without any benefit. If all TCP ports should be covered, the port list All TCP should be selected.

  6. Select Configurations > Targets in the menu bar.

  7. Create a new target by clicking new.

  8. Define the target system and in the drop-down-list Port List select the desired port list.

  9. Click Save.

  10. Now the actual task is created. This means to combine the newly created scan configuration with the newly created target.

    Select Scans > Tasks in the menu bar.

  11. Create a new task by clicking new and selecting New Task.

  12. Define the task with the desired scan configuration.

  13. Click Create.

    → The task is created and displayed on the page Tasks.

  14. Start the scan by clicking start of the respective task.

    → The scan is running. As soon as the status changes to Done the complete report is available. At any time the intermediate results can be reviewed.

    Note

    It can take a while for the scan to complete. The page is refreshing automatically if an auto-refresh is set (see Chapter Setting the Auto-Refresh).

  15. When the scan is completed select Scans > Reports in the menu bar.

  16. Click on the date of the report to show the results.

  17. Move the mouse over Report: Results.

    → A drop-down-list is opened (see figure Opening the page Report: Summary and Download).

    _images/report_dropdownlist_TLS.png

    Opening the page Report: Summary and Download

  18. Click Report: Summary and Download.

    Note

    The report is available in a full or a filtered version. In the filtered version, the currently applied filter (besides rows and first) is considered.

  19. In the row of the full version, select TLS Map in the drop-down-list in the column Download.

  20. In the row of the full version click download.

    → The report is exported as a CSV file and can be used in spreadsheet applications.

The file contains one line per port and system where an SSL/TLS protocol is offered:

IP,Host,Port,TLS-Version,Ciphers,Application-CPE
192.168.12.34,www.local,443,TLSv1.0;SSLv3,SSL3_RSA_RC4_128_SHA;TLS1_RSA_RC4_128_SHA,
  cpe:/a:apache:http_server:2.2.22;cpe:/a:php:php:5.4.4
192.168.56.78,www2.local,443,TLSv1.0;SSLv3,SSL3_RSA_RC4_128_SHA;TLS1_RSA_RC4_128_SHA,
  cpe:/a:apache:http_server:2.2.22

Separated by commas, each line contains the following information:

  • IP
    The IP address of the system where the service was detected.
  • Host
    The DNS name of the system in case it is available.
  • Port
    The port where the service was detected.
  • TLS-Version
    The protocol version offered by the service. In case more than one is offered, the versions are separated with semicolons.
  • Ciphers
    The encryption algorithms offered by the service. In case more than one is offered, the algorithms are separated with semicolons.
  • Application-CPE
    The detected application in CPE format. In case more than one is identified, the applications are separated with semicolons.
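The CSV layout described above is easy to process automatically, which is the point of the report format plug-in. The following Python script is an added example, not part of the Greenbone manual or product: it parses a constructed sample in the same layout (the two hosts from the page plus one additional modern host) and flags endpoints that still offer legacy protocol versions or weak cipher families. The sets LEGACY_PROTOCOLS and WEAK_CIPHER_MARKERS are an assumed hardening policy, not something the GSM export defines.

```python
import csv
import io

# Constructed sample in the TLS-Map CSV layout shown on this page. In the real
# export each record is a single line; the page only wraps them for display.
SAMPLE_TLS_MAP = """\
IP,Host,Port,TLS-Version,Ciphers,Application-CPE
192.168.12.34,www.local,443,TLSv1.0;SSLv3,SSL3_RSA_RC4_128_SHA;TLS1_RSA_RC4_128_SHA,cpe:/a:apache:http_server:2.2.22;cpe:/a:php:php:5.4.4
192.168.56.78,www2.local,443,TLSv1.0;SSLv3,SSL3_RSA_RC4_128_SHA;TLS1_RSA_RC4_128_SHA,cpe:/a:apache:http_server:2.2.22
192.168.56.90,mail.local,465,TLSv1.2,TLS1_ECDHE_RSA_AES_128_GCM_SHA256,
"""

# Assumed hardening policy for this example (not part of the GSM report format):
# protocol versions and cipher families that should no longer be offered.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def _split(field):
    """Semicolon-separated multi-value field -> list (empty field -> empty list)."""
    return [v for v in field.split(";") if v]


def parse_tls_map(text):
    """Parse the TLS-Map CSV export into one dict per (IP, port) record."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ip": rec["IP"],
            "host": rec["Host"],
            "port": int(rec["Port"]),
            "versions": _split(rec["TLS-Version"]),
            "ciphers": _split(rec["Ciphers"]),
            "cpes": _split(rec["Application-CPE"]),
        })
    return rows


def find_findings(rows):
    """Return (endpoint, legacy_versions, weak_ciphers) for every record violating the policy."""
    findings = []
    for r in rows:
        legacy = sorted(set(r["versions"]) & LEGACY_PROTOCOLS)
        weak = [c for c in r["ciphers"] if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]
        if legacy or weak:
            findings.append((f"{r['ip']}:{r['port']}", legacy, weak))
    return findings


def version_inventory(rows):
    """Count how many endpoints offer each protocol version, e.g. to track TLS 1.0 retirement."""
    counts = {}
    for r in rows:
        for v in r["versions"]:
            counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_tls_map(SAMPLE_TLS_MAP)
    for endpoint, legacy, weak in find_findings(parsed):
        print(f"{endpoint}: legacy={legacy} weak={weak}")
    print(version_inventory(parsed))
```

Run against a real export (read the downloaded file instead of SAMPLE_TLS_MAP), `version_inventory` gives the network-wide overview the section aims at, and `find_findings` lists exactly the endpoints a TLS 1.0 or RC4 retirement project still has to fix.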

13.5. OVAL System Characteristics

The Open Vulnerability and Assessment Language (OVAL) is an approach for a standardized description of the (security) state of an IT system. OVAL files describe a vulnerability and define tests to identify the state in which a system is vulnerable. They usually refer to specific versions of software products for which a known vulnerability exists.

This means that in order to check for vulnerabilities described in an OVAL definition, information about the current state of the system is needed. This information is collected in a standardized format as well — the OVAL System Characteristics (SC).

There are a number of solutions that perform checks based on OVAL definitions and SC files. OVAL definitions are provided by various vendors. MITRE provides the OVAL Repository with more than 13,000 entries.

13.5.1. Preparing the Scan

Each OVAL SC file contains information about one system only. Using the GSM, a large number of SCs from many different systems can be collected in a single step.

Greenbone Networks provides two report format plug-ins:

  1. Download the desired report format plug-in.

    Important

    External links to the Greenbone download website are case-sensitive.

    Note that upper-case letters, lower-case letters and special characters must be entered exactly as they are written in the footnotes.

  2. Select Configuration > Report Formats.

  3. Click new.

  4. Click Browse... and select the previously downloaded report format plug-in.

  5. Click Create.

    → The imported report format is displayed on the page Report Formats.

  6. Verify the signature of the report format by clicking verify.

  7. In the row of the report format click edit.

  8. For Active select Yes.

  9. Click Save.

13.5.2. Collecting and Exporting Scan Results as OVAL SCs

During a scan the Greenbone Security Manager (GSM) collects large amounts of data about the target system. This information is managed in an optimized data pool. Parts of this information can be used as a component of an OVAL System Characteristics file.

Important

External links to the Greenbone download website are case-sensitive.

Note that upper-case letters, lower-case letters and special characters must be entered exactly as they are written in the footnotes.

The creation of OVAL SC files is not enabled by default but has to be explicitly enabled. A scan configuration can be used to achieve this.

  1. Download the scan configuration Collect OVAL SC Scan Config.

  2. Select Configuration > Scan Configs in the menu bar.

  3. Click upload.

  4. Click Browse... and select the previously downloaded scan configuration (see figure Importing a scan configuration).

  5. Click Create.

    → The imported scan configuration is displayed on the page Scan Configs (see figure Imported scan configuration on the page Scan Configs).

    _images/oval-sc-import-scanconfig_500.png

    Importing a scan configuration

    _images/oval-sc-scanconf-imported_500.png

    Imported scan configuration on the page Scan Configs

    Note

    The most comprehensive results for a target system can be collected using authenticated scans. For this an account on the target system is required. Ensure that the account has the necessary privileges. For Unix-like systems an account with low privileges is usually sufficient; for Windows systems administrative privileges are required.

  6. To do so, select Configuration > Credentials in the menu bar and create a new credential by clicking new. Save the credential by clicking Create (see figure Creating a new credential).

    _images/cpe_policy_newcredential.png

    Creating a new credential

  7. Select Configuration > Targets in the menu bar.

  8. Create a new target by clicking new.

  9. Define the target system and, if applicable, choose the respective credentials (see figure Creating a new target).

    Note

    The example shows the creation of a Linux target. For a Windows target the credential must be set in the drop-down-list SMB instead of SSH.

    _images/newtarget_linux_credential_500.png

    Creating a new target

  10. Click Save.

  11. Now the actual task is created. This means to combine the newly created scan configuration with the newly created targets.

    Select Scans > Tasks in the menu bar.

  12. Create a new task by clicking new and selecting New Task.

  13. Define the task with the desired scan configuration (see figure Creating a new task).

    _images/oval_sc_new_task_500.png

    Creating a new task

  14. Click Create.

    → The task is created and displayed on the page Tasks.

  15. Start the scan by clicking start of the respective task.

    → The scan is running. As soon as the status changes to Done the complete report is available. At any time the intermediate results can be reviewed.

    Note

    It can take a while for the scan to complete. The page is refreshing automatically if an auto-refresh is set (see Chapter Setting the Auto-Refresh).

  16. When the scan is completed, select Scans > Reports in the menu bar.

  17. Click on the date of the report to show the results.

    Note

    The results are returned in the severity category “Log”. By default, the category “Log” is suppressed.

  18. To adjust the displayed severity categories, click edit.

  19. For Severity (Class) activate the checkbox Log.

  20. Click Update.

  21. Move the mouse over Report: Results.

    → A drop-down-list is opened (see figure Opening the page Report: Summary and Download).

    _images/report_dropdownlist_OVAL.png

    Opening the page Report: Summary and Download

  22. Click Report: Summary and Download.

    Note

    The report is available in a full or a filtered version. In the filtered version, the currently applied filter (besides rows and first) is considered.

  23. In the row of the full version, select OVAL-SC or OVAL-SC Archive in the drop-down-list in the column Download.

  24. In the row of the full version click download.

    → The report is exported as an XML file or as a ZIP file containing XML files.
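The exported XML is a standard OVAL System Characteristics document, so it can be fed to any OVAL-capable tool or inspected directly. The following Python script is an added example and not part of the Greenbone manual or product: it parses a constructed, minimal SC document (the host and package values are made up to match the TLS-Map sample earlier in this chapter) and extracts the system information and the collected package items, i.e. the data that an OVAL definition's version tests are evaluated against. Namespaces are stripped by local name so the code does not depend on the exact prefixes a given exporter emits; the layout of the sample is the example's assumption about the OVAL 5.x SC schema.

```python
import xml.etree.ElementTree as ET

# Constructed minimal OVAL SC document in the layout of the OVAL 5.x System
# Characteristics schema (system_info plus collected items). Real exports are larger.
SAMPLE_OVAL_SC = """<?xml version="1.0" encoding="UTF-8"?>
<oval_system_characteristics
    xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:lin="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux">
  <generator>
    <oval:product_name>constructed sample</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2014-09-01T00:00:00</oval:timestamp>
  </generator>
  <system_info>
    <os_name>Linux</os_name>
    <os_version>3.2.0-4-amd64</os_version>
    <architecture>x86_64</architecture>
    <primary_host_name>www.local</primary_host_name>
    <interfaces>
      <interface>
        <interface_name>eth0</interface_name>
        <ip_address>192.168.12.34</ip_address>
      </interface>
    </interfaces>
  </system_info>
  <system_data>
    <lin:dpkginfo_item id="1" status="exists">
      <lin:name>apache2</lin:name>
      <lin:arch>amd64</lin:arch>
      <lin:version>2.2.22-13</lin:version>
    </lin:dpkginfo_item>
    <lin:dpkginfo_item id="2" status="exists">
      <lin:name>php5</lin:name>
      <lin:arch>amd64</lin:arch>
      <lin:version>5.4.4-14</lin:version>
    </lin:dpkginfo_item>
    <lin:dpkginfo_item id="3" status="does not exist">
      <lin:name>openssh-server</lin:name>
    </lin:dpkginfo_item>
  </system_data>
</oval_system_characteristics>
"""


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def parse_oval_sc(xml_text):
    """Return (system_info dict, list of collected items whose status is 'exists')."""
    root = ET.fromstring(xml_text)
    info = {}
    items = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "system_info":
            for child in el:
                if _local(child.tag) != "interfaces":
                    info[_local(child.tag)] = (child.text or "").strip()
            info["ip_addresses"] = [
                (ip.text or "").strip() for ip in el.iter() if _local(ip.tag) == "ip_address"
            ]
        elif tag.endswith("_item") and el.get("status") == "exists":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            fields["item_type"] = tag
            items.append(fields)
    return info, items


def package_versions(items):
    """Map package name -> installed version for Debian (dpkg) and RPM package items."""
    return {i["name"]: i["version"] for i in items
            if i["item_type"] in ("dpkginfo_item", "rpminfo_item") and "version" in i}


if __name__ == "__main__":
    system, collected = parse_oval_sc(SAMPLE_OVAL_SC)
    print(system["primary_host_name"], system["os_name"], system["ip_addresses"])
    print(package_versions(collected))
```

For an OVAL-SC Archive export, unpack the ZIP and call `parse_oval_sc` on each contained XML file; the `primary_host_name` and `ip_addresses` fields identify which target each file belongs to.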

13.6. Policy Control Scans

Using the GSM it is possible to test a specific setting to compare a desired configuration with the current one.

  1. Download the scan configuration Policy Controls Scan Configuration.

    Important

    External links to the Greenbone download website are case-sensitive.

    Note that upper-case letters, lower-case letters and special characters must be entered exactly as they are written in the footnotes.

  2. Select Configuration > Scan Configs in the menu bar.

  3. Click upload.

  4. Click Browse... and select the previously downloaded scan configuration.

  5. Click Create.

    → The imported scan configuration is displayed on the page Scan Configs.

  6. Click edit of the scan configuration.

  7. In the section Edit Network Vulnerability Test Families click edit for Policy.

  8. Select the tests that should be executed.

  9. Click Save to save the family of NVTs.

  10. Click Save to save the scan configuration.

  11. For an authenticated scan, select Configuration > Credentials in the menu bar and create a new credential by clicking new. Save the credential by clicking Create (see figure Creating a new credential).

    _images/cpe_policy_newcredential.png

    Creating a new credential

  12. Select Configurations > Targets in the menu bar.

  13. Create a new target by clicking new.

  14. Define the target system and, if applicable, choose the respective credentials (see figure Creating a new target).

    _images/policy_controls_scan_user.png

    Creating a new target

  15. Click Save.

  16. Now the actual task is created. This means to combine the newly created scan configuration with the newly created targets.

    Select Scans > Tasks in the menu bar.

  17. Create a new task by clicking new and selecting New Task.

  18. Define the task with the desired scan configuration (see figure Creating a new task).

    _images/policy_controls_task.png

    Creating a new task

  19. Click Create.

    → The task is created and displayed on the page Tasks.

  20. Start the scan by clicking start for the respective task.

    → The scan is running. As soon as the status changes to Done the complete report is available. At any time the intermediate results can be reviewed.

    Note

    It can take a while for the scan to complete. The page is refreshing automatically if an auto-refresh is set (see Chapter Setting the Auto-Refresh).

  21. When the scan is completed, select Scans > Reports in the menu bar.

  22. Click on the date of the report to show the results.

    Note

    The results are returned in the severity category “Log”. By default, the category “Log” is suppressed.

  23. To adjust the displayed severity categories, click edit.

  24. For Severity (Class) activate the checkbox Log.

  25. Click Update.