John Scherff wrote:
QUESTION: Can wildcards or ranges be used for text values in
REGISTRY_SETTING audits?
This is currently not supported.
I recently used Nessus compliance auditing to check for the presence of
four critical Symantec AV services on all systems. (See first four
items in Listing 1.) It works great.
Excellent. Thanks for posting for other users to see.
Then I wrote an audit rule to check for the version of SAV running on
the host and the version of AV signatures installed. (See last two
items in Listing 1.) Prior to running the scan, I use sed to replace
the placeholders savVersion and defVersion. I get the latest def
version from the Symantec web site using a rather clunky script I wrote
(see excerpt in Listing 2). This also works great.
Also excellent. I'd also like to point out this blog entry we wrote a
while back which details how virus auditing is performed by Nessus:
http://blog.tenablesecurity.com/2007/02/auditing_antivi.html
Unfortunately, I found that there are many slightly different, but
recent, versions of the SAV client running on our systems. I also found
that most clients are using virus signatures that are one or two days
older than the most recent one (probably due to the centralized nature
of our malware management architecture.)
SO...
What I need is to be able to specify a range of valid virus definitions
(e.g., the last three) and a range or wildcard value for valid software
versions. The nessus compliance audit documentation doesn't mention the
ability to do this.
Is it possible?
Right now, functionality like:
reg_item: "20070411" | "20070412" | "20070413"
isn't part of the Windows Compliance Checks. The UNIX side has an "if"
set of statements, but this isn't available on the Windows side (yet).
I'd rather point you to the raw NASL for the auditing virus deployments
like I outlined in the above blog.
Ron Gula, CTO
Tenable Network Security
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
