Audit System At CESNET-CERTS - WSEAS
WSEAS TRANSACTIONS on COMPUTERSPavel VachekAudit System at CESNET-CERTSPAVEL VACHEKCESNET-CERTSCESNET, Association of Legal EntitiesZikova 4, 160 00 Prague 6THE CZECH REPUBLICPavel.Vachek@cesnet.cz http://www.ces.netAbstract: CESNET-CERTS, the Computer Security Incident Response Team of the CESNET Association inPrague, Czech Republic, uses several security tools based on freely licensed programs. One of them is anenhanced system for host security auditing which is based on Nessus and runs on a PC server under Linux. Ane-mail interface developed in-house allows users to perform basic host security audits simply and securelywithout having to study the extensive Nessus manuals and/or installing the Nessus server. The use of a similaropen-source program OpenVAS within the Audit System is also considered.Key-Words: Cesnet Association, Host security audit, Nessus, OpenVas, Pc, Linux, E-mail interfaceYet another security service offered by theCESNET-CERTS is the CESNET Audit system [5]which is the main topic of this paper.1 IntroductionMost academic networks consist of a number of localarea networks with computers running severaloperating systems, especially some versions of MSWindows, MacOS, Unix and Linux distributions.Keeping heterogenous networks safe requiresspecially trained staff and experience shows thatremoving infections from compromised hosts inlarge heterogenous networks can become anightmare.Host security improves significantly if authorizedadministrators can check security of their machineswhenever necessary, e.g., before and after applyingsecurity patches, and any time the machine seems tobehave strangely. Making this security checkavailable for almost everybody has been the goal ofthe CESNET Audit project.Fortunately, there are some tools available to thesecurity-minded administrators and advanced userswhich can make their tasks easier. The CESNETCERTS security team adapted some of them to theirneeds and has been using them successfully forseveral years.Nessus is a widely known and highly valued hostvulnerability scanner, originally distributed underthe GPL license. Nessus ranks high in security toolsurveys [6]. It is used by more than 75 thousandorganizations worldwide. Its description can befound in [7], [8] and [9]. Renaud Deraison, theauthor of Nessus, is one of the founders of theTenable Network Security company [10] whichcurrently handles the program maintenance anddevelopment.One of them is the OTRS (Open-source TicketRequest System) which makes the handling ofIncident Reports for our security staff much simpler.The OTRS as modified and used by CESNETCERTS is described in [1].At the time of writing this paper, the followingNessus versions are available:Another useful security service developed by theCESNET-CERTS is the CESNET IntrusionDetection System [2] which is based on the LaBreaprogram [3]. LaBrea intercepts and tarpits allconnection attempts caused by malware or byhackers. Should CESNET IDS find out that theattack originated from some part of the CESNET2network, it sends appropriate e-mail notice toadministrators of respective originating network.Connection attempts originating outside CESNET2are reported to the DSHIELD distributed securityproject [4]. The CESNET IDS is quite easy to set up,gives no false positives and requires very littlemaintenance (if any).ISSN: 1109-27501451 Nessus version 2.2.11 is an old versionwhich is still distributed in source codeunder the GPL license. Tenable does notsupport this version any more. Nessus 3.2.1 has been until recently thelatest version. Otherwise, all features of thefollowing version 4.0.1 apply. Nessus 4.0.1, currently the latest version, isbeing offered free of charge but its licensehas been closed and source code is notIssue 9, Volume 8, September 2009
WSEAS TRANSACTIONS on COMPUTERSPavel Vachekavailable. Nessus versions 3 and 4 aredistributed only in binary form for Linux,FreeBSD, Solaris, MacOS, and MSWindows/Vista.minutes and requires the results in HTML format.So he sends the following PGP-signed e-mail:From: test@example.czDate: Fri, 21 Aug 2009 14:50:21 0200To: audit@audit.example.netSubject: AUDIT 20090821Nessus proper needs external security plugins toperform security audits. Each plugin specifies onesecurity test to be performed. Some 30 thousand testplugins exist in August 2009. Home users may run apart of these plugins free of charge using the PluginHomeFeed. However, the full set of security pluginsfor any business use is available using the PluginProfessionalFeed [11] which costs 1200 USD/year.target: 192.168.123.45config: fullformat: htmltcpscan: alldelay: 2 mendNessus operates using the client-server mode. Bothcommand-line and GUI-based clients exist. InstallingNessus server and clients is not difficult but learningto fully master all their capabilities takes quite a lotof time. The e-mail interface described below allowsusers to run basic Nessus audits simply and securelywithout having to install server and/or clients andwithout having to learn all their features, simply bysending an appropriate PGP-signed e-mail messageto the Audit server.Seven seconds later, the auditing server respondswith the following PGP-signed reply:From: audit@audit.example.netDate: Fri, 21 Aug 2009 12:50:28 0000To: test@example.czSubject: Re: AUDIT 20090821AUDIT v. 53 (4.3.2009) start: Fri Aug21 12:50:22 2009 GMTAudit configuration requested inQfile:CONFIG: fullFORMAT: htmlTCPSCAN: allTARGET: 192.168.123.45DELAY: 120 seconds (- Fri Aug 2112:52:26 2009 GMT)2 Running Nessus Audit Using E-mailInterfaceConsider a user test@example.cz who needs to checksecurity of his host 192.168.123.45 using theCESNET Audit e-mail interface. E-mail address ofthe Nessus auditing server and client isaudit@audit.example.net. This user can choose fromthe following options: Audit request ssssssssss.tttttttttt.rrrr' queued.run only safe tests (some vulnerabilities maynot be detected but neither the operatingsystem nor running services will be affectednegatively), orrun all security tests including thosepotentially dangerous (more vulnerabilitiesmay be detected but some services or theoperating system might crash)The following important data can be found in thismail: check responses of default TCP/UDP portsonly (test runs faster but some runningservices may not be detected), orcheck responses of all TCP ports (this testtakes a longer time but it should discover allrunning services) results of security scan may be returned invarious formats, e.g., text, html, xml security audit can start after a delayspecified in hours and minutes.This queue is inspected every minute. Atappropriate time, Nessus is started using parametersfound in the oldest queued file Qfile. After thesecurity audit has terminated, a PGP-signed mailsimilar to the following is sent:From: audit@audit.example.netDate: Fri, 21 Aug 2009 13:00:03 0000To: test@example.czSubject: Re: AUDIT 20090821Hello,please find the results of your Nessussecurity audit in the attached file.Our user has chosen to run all security tests, checkresponses of all TCP ports, select a delay of 2ISSN: 1109-2750security audit should start at 12:52:26GMTFileQfile NFIG,FORMAT, TCPSCAN, and TARGETparameters has been queued.1452Issue 9, Volume 8, September 2009
WSEAS TRANSACTIONS on COMPUTERSPavel VachekThe following Fig.3 shows another part of securityaudit result with detailed description of detectedproblem as well as its importance, link to furtherinformation if possible, Nessus ID and perhaps alsoa suggested problem solution:Audit request queued on Fri Aug 2112:50:26 2009 GMT.Launch scheduled for Fri Aug 2112:52:26 2009 GMT.Launching audit on Fri Aug 21 12:52:012009 - 25 second(s) ahead of schedule.Parameters supplied in ssssssssss.tttttttttt.rrrr':CONFIG: fullFORMAT: htmlTCPSCAN: allTARGET: 192.168.123.45WarningSynopsis: Remote DNS server is vulnerable tocache snooping attacks.Description: The remote DNS server answers toqueries for third-party domains which do nothave the recursion bit set. This may allow aremote attacker to determine which domains haverecently been resolved via this name server,and therefore which hosts have been recentlyvisited. For instance, if an attacker wasinterested in whether your company utilizes theonline services of a particular financialinstitution, they would be able to use thisattack to build a statistical model regardingcompany usage of aforementioned financialinstitution. Of course, the attack can also beused to find B2B partners, web-surfingpatterns, external mail servers, and more.Best regards,the CESNET AUDIT robot.Attached file RESFILE.html contains the auditresults. The following Fig.1 shows an examplesummary of detected security holes (importantsecurity problems), security warnings (possibleproblems) and security notes (informationalmessages):AddressPort/ServiceSee also: For a much more detailed discussionof the potential risks of allowing DNS cacheinformation to be queried anonymously, ads/pdf/dns cache snooping.pdfIssue192.168.123.45 domain (53/tcp)Security hole192.168.123.45 smtp (25/tcp)Security notesRisk factor: Medium / CVSS Base Score : 5 unknown (33/tcp) Security notes192.168.123.45 general/tcpSecurity notes192.168.123.45 ntp (123/udp)Security notes192.168.123.45 domain (53/udp)Security warningdomain (53/udp)Nessus ID : 12217Fig.3: Another possible part of security audit resultFig.1: First part of security audit resultThe following Fig.4 summarizes important internalparameters of the auditing server:Thanks to the “TCPSCAN: all” parameter, Nessuswas able to detect as well as to classify correctly anSSH server running on a non-standard TCP port 33 –see Fig.2:Information about this scan :Nessus version : 4.0.1Plugin feed version : 200908210123Type of plugin feed : ProfessionalFeed (Direct)Scanner IP : 192.168.123.90Port scanner(s) : nessus tcp scannerPort range : 0-65535Thorough tests : yesExperimental tests : noParanoia level : 1Report Verbosity : 1Safe checks : noOptimize the test : noCGI scanning : enabledWeb application tests : disabledMax hosts : 10Max checks : 10Recv timeout : 5Backports : NoneScan Start Date : 2009/8/21 12:52Scan duration : 410 secInformational unknown (33/tcp)Synopsis : An SSH server is listening on thisport.Description : It is possible to obtaininformation about the remote SSH server bysending an empty authentication request.Risk factor : NonePlugin output : SSH version : SSH-2.0OpenSSH 5.2SSH supported authentication :publickey,passwordNessus ID : 10267Fig.4: Summary of server internal parametersFig.2: SSH server running on a non-standard portISSN: 1109-27501453Issue 9, Volume 8, September 2009
WSEAS TRANSACTIONS on COMPUTERSPavel Vachek /opt/nessus/sbin/nessus-mkcert3 Auditing server configurationLinux on the auditing server runs in runlevel 3, i.e.,without any graphic user interface. Both the Nessusserver and command-line client are installed on thismachine. However, the Nessus GUI client must belaunched at least once on an accessible machine togenerate the appropriate client configuration file;afterwards, this resulting configuration file is to becopied to the auditing server.Command /opt/nessus/sbin/nessus-addusercreates nessusd account for user root (authentication password, password e.g., Secret). Forsimplicity, rules may be empty (press CTRL-Donly); this means that user root can audit anyInternet machine. Individual Nessus users accessingNessus through the E-mail interface will be limitedusing PERM directory as described later.The auditing server will run as few network servicesas possible - e.g., SSH (OpenSSH), SMTP (Postfix)and NTP (ntpd) only. Firewall will let these servicescommunicate with selected IP addresses only toprotect the server from Denial of Service and spamattacks.The following or similar data should be set in thenessusd.conf file:max hosts 10max checks 10log whole attack nodumpfile /dev/nullport range 0-65535optimize test nochecks read timeout 5safe checks noauto enable dependencies yesuse mac addr nolisten address 127.0.0.1 (if access from externalNessus clients is to be allowed, IP address ofexternal interface should be given here)3.1 Installing NessusTo access the up-to-date Nessus test plugins forcommercial purposes, buying the ProfessionalFeedlicense for an enterprise network is necessary.Tenable sends us our activation code and URL to loginto the Customer Support Portal. Mailedinstructions should be followed to activate theProfessionalFeed. We log into the auditing serverusing the root username. Using lynx or a similarbrowser, we download Nessus x.y.z for Linux andMD5.asc files from [12].Note: The following paths/filenames are valid for theOpenSUSE 10.x. Some data may slightly differ forother Linux distributions.where:max hosts . maximum number of hosts to test atthe same timemax checks . maximum numer of plugins to runconcurrently on each hostlog whole attack . log data on each pluginlauncheddumpfile . plugin error messages will be loggedhereport range . TCP and UDP ports to be tested(default: some 9000 ports according to/opt/nessus/var/nessus/services.txt)optimize test . banners of remote services aretrustworthychecks read timeout . 5 seconds for LANssafe checks . only safe tests should runauto enable dependencies . all necessary pluginsare launched automaticallyuse mac addr . tested machines are identifiedusing Ethernet addresseslisten address . nessusd listens on this interface IPaddressNessus-x.y.z-suse10.0.i586.rpm checksum should bechecked against the MD5.asc file. Both Nessus serverand command-line client are installed using rpm -Uvh Nessus-x.y.z-suse10.0.i586.rpmNessus server configuration file is created at fter,nessusd.conf). The following will be displayed:Create a nessusd certificate using/opt/nessus/sbin/nessus-mkcertAdd a nessusd user use/opt/nessus/sbin/nessus-adduserStart the Nessus daemon (nessusd) useby typing /etc/rc.d/nessusd startStart the Nessus client (nessus) use/opt/nessus/bin/nessusRegister your Nessus scanner athttp://www.nessus.org/register/ toobtain all the newest pluginsUsing the following command,3.2 Installing and configuring nessusd /etc/rc.d/nessusd startNessusd is started and all plugins are downloadedX.509 certificate is created usingISSN: 1109-27501454Issue 9, Volume 8, September 2009
WSEAS TRANSACTIONS on COMPUTERSPavel Vachektested. Security audit is launched by clicking on theSTART THE SCAN button. Audit results shouldagain be inspected and any problems concerningthis workstation should be fixed. After the audit,Nessus client configuration file /root/.nessusrc iscreated which allows running all test plugins. It iscopied to file .NESSUSRC and moved to theauditing server.from the Nessus plugin server. Command ps -ef grep nessusdshould display the following string if nesssusd islistening:nessusd: waiting for incomingconnectionsTo allow automatic plugin download, the followingshould be set in nessusd.conf on the auditingmachine:3.3 Installing and configuring Nessus clientThe following command# Automatic plugins updates - if enabled and nessusis registered, then# fetch the newest plugins from plugins.nessus.orgautomaticallyauto update yes# Number of hours to wait between two updatesauto update delay 24# Should we purge the plugin db at each update ?(slower)purge plugin db no nessus -x -T text -q localhost 1241 root Secrettargets results &checks both Nessus client and server operation usingthe command-line interface. In addition, a “safe”security audit of our auditing server is performedfrom within.Parameters are as follows:-x . X.509 certificate is not checked-T text . result file in ASCII text format-q . batch modelocalhost . nessusd server address1241 . nessusd listens on this TCP portroot . nessus usernameSecret . this user's passwordtargets . file containing a list of machines to betested (localhost)results . name of audit result file4 E-mail interface programsThere are two e-mail interface programs: auditXXand procXX. Both are written in the Perl language.Both the Perl interpreter and modules from [13] areneeded.AuditXX runs under the audit username. Its maintasks are: receiving e-mail from local SMTP server checking for PGP signature presence andvalidity checking for correct length of receivedmessages (messages with excessive lengthare silently ignored but reported to theauditing server administrator; most likelycause for this may be spam or even ourown bounced outgoing messages) sending unsigned e-mail containing a shortsummary of allowed commands and theirpossible parameters in response to receivedunsigned e-mail extracting required audit parameters(CONFIG, FORMAT, DELAY, etc.) fromreceived valid mail building and queuing appropriate batch fileQfile sending PGP-signed response (especiallypositive acknowledgement message) toreceived signed e-mailThe following notice will be displayed:The plugins that have the ability tocrash remote services or hosts havebeen disabled. You should activate themif you want your security audit to becompleteAfter the audit has terminated, the results file shouldbe checked and any security problems of the auditingserver should be fixed.To allow all plugins including those potentiallydangerous, a GUI Nessus client must run on someother accessible machine – probably on a workstationon which GUI is running. NessusClient-x.y.zsuse10.3.i586.rpm together with MD5.asc should bedownloaded, checked and installed on thisworkstation. Command nessus &Program procXX runs under the root username. Itsmain tasks are: inspecting the queued batch files everyminutewill display the Nessus GUI interface. Allappropriate settings should be selected, especially theENABLE ALL option and address of machine to beISSN: 1109-27501455Issue 9, Volume 8, September 2009
WSEAS TRANSACTIONS on COMPUTERS Pavel Vachekchecking for existence of lock files. Thesefiles indicate whether another security auditis running or whether the Nessus clientcould not connect to the Nessus server; thelatter might happen, e.g., during Nessusplugin feed retrieval and this would be nocause for alarmlaunching security audit using appropriateparameters at proper time (i.e., if no otheraudit is running, security audit should startwith a tolerance of /- 30 seconds)returning the security audit results in a PGPsigned mail to the originating e-mailaddress.(file is any test file to be sent, e.g., in HTMLformat). After successful termination, the followingshould be displayed:xx input lines, yyy charactersread . sent.Recipients should check for correct mail deliveryand readability. MailtestXX proper might essages) might contain some as well.4.3 Installing and testing auditXXAuditXX (currently, audit53) should be copied to/home/audit/bin.AppropriatePGPKeyId,passphrase and server e-mail address must beinserted into the auditXX source file:Installation instructions of the e-mail interface onserver audit.example.net follow. Username audit iscreated to communicate using e-mail addressaudit@audit.example.net. Nessus server andcommand-line client, Postfix, sshd, ntpd, and procXXrun under the root username. from 'audit@audit.example.net';# server Email address keyid '037ADEADBEEF1256';# foraudit@audit.example.net pass 'AuditPwd';# Passphrase4.1 E-mail system configurationAudit.example.net is the only host accepting e-mailfor the auditing server. Zone file for the example.netdomain contains a single MX record for the audithost (no secondary backup MX servers are used toavoid possible spam):audit IN MX 10 auditUnder OpenSUSE 10.x, the followingnecessary to allow access to Perl modules: chmod -R 755 /usr/lib/perl5/site perl/5.8.8/*To test the auditXX operation, a short (or possiblyempty) unsigned e-mail should be sent to theauditing server. AuditXX should respond with an email similar to the following Fig.5:SMTP server Postfix is configured both for acceptingand sending e-mail. E-mail delivered toaudit@audit.example.net is forwarded to theauditXX standard input using the .forward file:\audit, " /home/audit/bin/auditXX"From: audit@audit.example.netDate: Fri, 21 Mar 2009 14:21:58 0000To: test@example.czSubject: Re: TEST 14.2 PGP and E-mail system operation .net are generated using gpg.Resulting private key is also copied into the rootkeyring. PGP-signed test e-mail containing simpletext and an attached file can be sent using ourprogram MailtestXX. PGP KeyId, passphrase,sending and receiving e-mail address must beinserted into the source file:AUDIT v. 53 (4.3.2009) start: Fri Aug21 14:21:58 2009 GMTThe following UNSIGNED text has T 1 from 'audit@audit.example.net';# server email address to 'test@example.cz, test2@example.cz'; #receiving address(es) keyid '037ADEADBEEF1256';# foraudit@audit.example.net pass 'AuditPwd';# Passphrase for PGP keyPlease resend using a correct PGP key.This may also help:CESNET AUDIT v. 53 (4.3.2009) HELP:CONFIG: previous full safeFORMAT:previous nbe html html graph text xml old-xml tex nsrTARGET:previous list of IP ordomain addresses to be testedTCPSCAN: previous all defaultLaunch the program as follows: MailtestXX fileISSN: 1109-2750was1456Issue 9, Volume 8, September 2009
WSEAS TRANSACTIONS on COMPUTERSDELAY:mm MVERBOSEENDPavel Vachektested. Filename format is:ssssssssss.rrrr or ssssssssss.tttttttttt.rrrr ssssssssss . requested start time of securityaudit in Unix epoch time tttttttttt . time of sending this request ifdelay specified in Unix epoch time rrrr . pseudorandom number to makefilenames unique.hh H mm M mm M hh H hh H (for debugging purposes)(end of input data)Fig.5: Response to a short unsigned e-mailDetails concerning any encountered errors and theircauses can be found in file /home/audit/DEBUG or inthe Postfix error log.Files CFG and CFG.sav contain the CONFIG,FORMAT, TARGET, and TCPSCAN parameters ofthe last successful security audit. For repeatedaudits, parameter values missing in e-mail arereplaced by the saved values in CFG. However, atleast one parameter must always be given so that anempty signed e-mail sent inadvertently does notlaunch scan by mistake.In the next step, correct receipt of PGP-signedmessages must be tested. Let us suppose that: user test@example.cz may run security auditof 10.1.2.3, 10.2.3.5user user@example.com may run securityaudit of 192.168.100.200.204Files in the /home/audit/AUDIT/PERM directorycontain a list of IP addresses which respective usersare allowed to test. Their format is simple:We shall call a PGP signing party with these users,sign their public keys and insert them into audit androot user keyrings. All data necessary for theoperation of security audits will be found within the /home/audit/AUDIT directory:# test@example.cz may test 10.1.2.3, 10.2.3.5:10.1.2.310.2.3.5 ls -R /home/audit/AUDIT/# user@example.com - 192.168.100.200.204# Several addresses (space or TAB separated) may# be given on each line192.168.100.200 192.168.100.201 192.168.100.202192.168.100.203 192.168.100.204/home/audit/AUDIT/: (created on 1st auditXX run)test@example.cz/(created on 1st receipt ofsigned e-mail from user)user@example.com/(created on 1st receipt ofsigned e-mail from test)PERM/(created on 1st receipt ofsigned e-mail)PROC/(created manually by root)QUEUE/(created on 1st auditXX run)# CIDR notation may also be used:# another user might be allowed to check whole# class B' e.cz:CFG CFG.sav(created by auditXX)Administrator of the auditing server creates thesefiles manually according to the users' requests. Heknows these users personally and he can check ifthey have a right to audit the respective machines.This is also the reason why auditing requests fromexternal users whom the audit administrator doesnot know personally are rejected; official networkadministrators of University and/or CESNETcustomer networks are allowed audits only of theirown respective networks as stated in the CESNETAudit System FAQ [14]./home/audit/AUDIT/user@example.com:CFG CFG.sav(created by auditXX)/home/audit/AUDIT/PERM:test@example.cz user@example.commanually by audit administrator)(files created/home/audit/AUDIT/PROC:NESSUSFAIL(lock file created and deletedby procXX if necessary)NESSUSLOCK(lock file created and deletedby procXX if necessary)RESFILE(result file created byprocXX)TARGFILE(list of tested hosts createdby procXX)Full operation of the e-mail interface can be testedeasily as described in Chapter 2 above. Completedebugging information of audit request processingcan be found in file /home/audit/DEBUG; anyimportant error message is sent to the user by e-mailin the format of his original e-mail, i.e., unsigned,inline (clearsigned) PGP, or PGP/MIME. Auditserver administrator is also informed using SMS ore-mail message./home/audit/AUDIT/QUEUE:Queued files are inserted by auditXX and removed byprocXX. Top (the oldest) file is the first one to beISSN: 1109-27501457Issue 9, Volume 8, September 2009
WSEAS TRANSACTIONS on COMPUTERSPavel VachekComplete log of procXX operation can be found in/root/DEBUG; again, any important error messageis e-mailed both to the user and audit serveradministrator.4.4 Installing and checking procXX operationThis is even simpler. ProcXX (current version 66)should be copied into /root/bin. As in the case ofauditXX, the following must be inserted into thesource file: from 'audit@audit.example.net';mail address keyid '037ADEADBEEF1256';audit@audit.example.net pass 'AuditPwd';5 OpenVAS# server e-As mentioned in Chapter 2 above, Nessus version 2was released under the GPL license but thefollowing versions were released using a closedlicense in binary form only. In reaction to this, bythe end of 2005, a team of developers launched theOpenVAS Project [15] which is a fork of Nessusversion 2.2.5. The OpenVAS (Open VulnerabilityAssessment System) attempts to provide both theOpenVAS and its Plugin Feed free of charge usingGNU GPL.## PassphraseProcXX is launched by cron every minute; therefore,the following two lines should be put into crontab:# Checking the nessus audit queue every minute:* * * * * /audit/AUDIT/QUEUE/, procXX checks thefilename of the first, i.e., oldest file. Its leftmost partgives the Unix epoch time when the security audit isto be launched. At appropriate time and if no otherinstance of Nessus is running, a new Nessus client islaunched with appropriate parameters taken from thisQfile. At the same time, NESSUSLOCK file iscreated as described in the following paragraph.After Nessus terminates, procXX e-mails the securityaudit results to the appropriate user address anddeletes the Qfile. Afterwards, the first followingQfile (if any) is checked and the above process isrepeated immediately; otherwise, procXX terminatesand NESSUSLOCK is deleted.Rough comparison of Nessus and OpenVAS features(end of August 2009) is as follows:Latest version: Nessus: OpenVAS:Approximate number of test plugins: Nessus:30000 OpenVAS:13000Server communicates on default port: Nessus:TCP 1241 OpenVAS:TCP 9390Command-line client: Nessus:part of server OpenVAS:GUI klient "--disablegtk"Lock file/home/audit/AUDIT/PROC/NESSUSLOCK is createdwhen Nessus is launched. Existence of this fileindicates that no other security audit may be started.Immediately after its start, procXX checks if fileNESSUSLOCK exists. Should procXX learn that thisis so and that NESSUSLOCK is older than somepreselected value (several hours), it sends warningSMS and/or e-mail messages at regular intervals tothe audit server administrator.Plugin Feed Enhanced Security: Nessus:none OpenVAS:PGP-signed pluginsCost for Professional Users: Nessus:1200 USD/year OpenVAS:noneAnother lock file/home/audit/AUDIT/PROC/NESSUSFAIL is createdif Nessus is launched but terminates with an errormessage. So far, this has been recorded in caseswhen download of Nessus Plugin Feed wasunderway and a new instance of Nessus waslaunched at the same time. This is taken as an errorwhich may yet be recovered soon: NESSUSFAILindicates that launch of Nessus using appropriateQfile may be reattempted several times. To be able todistinguish the current Qfile which is to be reused, itsfilename is prefixed with character C'. Serveradministrator will be informed about every suchrepeated attempt as well as about the final outcome.ISSN: 1109-27504.0.12.0.4The above data shows that OpenVAS looks veryinteresting, especially but not only with regard to itszero cost. Its main disadvantage seems to be thesignificantly lower number of OpenVAS test pluginscompared to that of Nessus.While collecting further data on Nessus andOpenVAS, an interesting document [16] was found.Its main conclusions are: 1458Nessus discovered significantly more of allknown vulnerabilities (mainly older ones)OpenVAS found significantly more CVEIssue 9, Volume 8, September 2009
WSEAS TRANSACTIONS on COMPUTERSPavel Vachekvulnerabilities which were discoveredduring last two years (2008 and 2009). Overall, OpenVAS is also a reliable andtrustworthy tool for security audit.A diagram summarizing the results of this document is shown in the following Fig.6:NESSUS x OpenVASDetection Efficiency Comparison9080All CVEs25 new CVEs70[%]605040nessus, openvas 'safe' tests30NESSUS, OpenVAS 'all' tests20100nessusNESSUSopenvasOpenVASFig.6: Comparison of Nessus and OpenVAS known vulnerability detection efficiencyOpenVAS on tested machines give identical results.In near future, CESNET Audit users should be ableto run OpenVAS audit of their machines after theNessus audit terminates simply
Nessus versions are available: Nessus version 2.2.11 is an old version which is still distributed in source code under the GPL license. Tenable does not support this version any more. Nessus 3.2.1 has been until recently the latest version. Otherwise, all features of the following version 4.0.1
The quality audit system is mainly classified in three different categories: i Internal Audit ii. External Audits iii. Regulatory Audit . Types Of Quality Audit. In food industries all three audit system may be used to carry out 1. Product manufacturing audit 2. Plant sanitation/GMP audit 3. Product Quality audit 4. HACCP audit
4.1 Quality management system audit 9.2.2.2 Quality management system audit - except: organization shall audit to verify compliance with MAQMSR, 2nd Ed. 4.2 Manufacturing process audit 9.2.2.3 Manufacturing process audit 4.3 Product audit 9.2.2.4 Product audit 4.4 Internal audit plans 9.2.2.1 Internal audit programme
INTERNAL AUDIT Example –Internal audit report [Short Client Name] Internal Audit Report Rev. [Rev Number] STEP ONE: Audit Plan Process to Audit (Audit Scope): Audit Date(s): Lead Auditor: Audit #: Auditor(s): Site(s) to Audit: Applicable Clauses of [ISO 9001 or AS9100] S
CHAPTER 12 Internal Audit Charters and Building the Internal Audit Function 273 12.1 Establishing an Internal Audit Function 274 12.2 Audit Charter: Audit Committee and Management Authority 274 12.3 Building the Internal Audit Staff 275 (a) Role of the CAE 277 (b) Internal Audit Management Responsibilities 278 (c) Internal Audit Staff .
Internal Audit Boot Camp Session 2: Phases of an Audit Program . IA Boot Camp 03/17/21 National Indian Gaming Commission Page 17 of 26 . It is important to understand and include audit steps within your audit program. Audit steps can be updated and created during the planning phase. Audit steps provide the auditor with the proper guidance to
AUDIT OF DEKALB COUNTY DATA CENTER PHYSICAL SECURITY AUDIT REPORT NO. 2018-007-IT John Greene Chief Audit Executive FINAL REPORT What We Did In accordance with the Office of Independent Internal Audit's (OIIA) Annual Audit Plan, we conducted a performance audit of the DeKalb County Data Center Physical Security.
AOL and Swisscom root certificates Products that use certificates that have been removed may no longer work. If these certificates are required, then you must configure and populate the cacerts with the missing certs. To add certs to the truststore, see keytool in Java Platform, Standard Edition Tools Reference guide.
2020 Sutherland, Alister Peasant seals and sealing practices in eastern England, c. 1200-1500 Ph.D. . 2015 Harris, Maureen ‘A schismatical people’: conflict between ministers and their parishioners in Warwickshire between 1660 and 1714. Ph.D. 2015 Harvey, Ben Pauper narratives in the Welsh borders, 1790 - 1840. Ph.D. 2015 Heaton, Michael English interwar farming: a study of the financial .
