Glad I was able to answer my own message before I wasted someone else's
time...
I just realized that 21725 (savce_installed.nasl) does exactly what I
was trying to do with audits, below.
Still, I'd like to know if there's a way to do wildcards or text ranges
in REGISTRY_SETTING audits. I plan to use these a LOT.
John Scherff
________________________________
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of John Scherff
Sent: Tuesday, April 24, 2007 11:02 AM
To: nessus@list.nessus.org
Subject: SYMANTEC AV AUDITS
QUESTION: Can wildcards or ranges be used for text values in
REGISTRY_SETTING audits?
I recently used Nessus compliance auditing to check for the presence of
four critical Symantec AV services on all systems. (See first four
items in Listing 1.) It works great.
Then I wrote an audit rule to check for the version of SAV running on
the host and the version of AV signatures installed. (See last two
items in Listing 1.) Prior to running the scan, I use sed to replace
the placeholders savVersion and defVersion. I get the latest def
version from the Symantec web site using a rather clunky script I wrote
(see excerpt in Listing 2). This also works great.
Unfortunately, I found that there are many slightly different, but
recent, versions of the SAV client running on our systems. I also found
that most clients are using virus signatures that are one or two days
older than the most recent one (probably due to the centralized nature
of our malware management architecture.)
SO...
What I need is to be able to specify a range of valid virus definitions
(e.g., the last three) and a range or wildcard value for valid software
versions. The nessus compliance audit documentation doesn't mention the
ability to do this.
Is it possible?
R/ John Scherff
Sr. IT Security Engineer
24 Hour Fitness
LISTING 1
<check_type: "Windows">
<group_policy: "Tenable Audit file">
<custom_item>
type: SERVICE_POLICY
description: "Symantec Antivirus service (Symantec Antivirus)"
value_type: SERVICE_SET
value_data: "Automatic"
service_name: "Symantec Antivirus"
</item>
<custom_item>
type: SERVICE_POLICY
description: "Symantec virus definition monitoring and maintenance
service (DefWatch)"
value_type: SERVICE_SET
value_data: "Automatic"
service_name: "DefWatch"
</item>
<custom_item>
type: SERVICE_POLICY
description: "Symantec event propagation and logging service
(ccEvtMgr)"
value_type: SERVICE_SET
value_data: "Automatic"
service_name: "ccEvtMgr"
</item>
<custom_item>
type: SERVICE_POLICY
description: "Symantec settings storage and management service
(ccSetMgr)"
value_type: SERVICE_SET
value_data: "Automatic"
service_name: "ccSetMgr"
</item>
<custom_item>
type: REGISTRY_SETTING
description: "Symantec Antivirus Software Version"
value_type: POLICY_TEXT
value_data: "savVersion"
reg_key: "HKLM\SOFTWARE\Intel\DLLUsage\VP6"
reg_item: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
</item>
<custom_item>
type: REGISTRY_SETTING
description: "Symantec Antivirus Definitions Version"
value_type: POLICY_TEXT
value_data: "C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\defVersion"
reg_key: "HKLM\SOFTWARE\Symantec\SharedDefs"
reg_item: "DEFWATCH_10"
</item>
</group_policy>
</check_type>
LISTING 2
defVersion=`wget -qO - http://definitions.symantec.com/defs/
<http://definitions.symantec.com/defs/> |
egrep -o '[0-9]{8}-[0-9]{3}-i32' | cut -c1-12 | sort -u | tail -1 | tr
- .`
sed 's!defVersion!'$defVersion'!' \
Win32_SAV.audit > /tmp/scanPolicy.$$
sed 's!^\( Windows Compliance .*1 : = \)$!\1'/tmp/scanPolicy.$$'!' \
$scanConfig > /tmp/scanConfig.$$
NessusClient -c /tmp/scanConfig.$$ -T nbe -xq $scanHost \
$scanPort $scanUser $scanPass $scanTarget $scanResult
rm -f /tmp/*.$$
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
