Using Nessus Professional Feed and c2a to monitor configuration files on Unix hosts

When you purchase Nessus ProfessionalFeed, one of the things you can download from the support portal is a utility called c2a.

With this utility we can use Nessus scans to monitor files (and in particular configuration files) on hosts: c2a records an md5sum for each file, and the scan later recomputes it to determine whether or not the file has changed.

To do this we need to:

  1. Download c2a from the support portal and place it on the Unix host we wish to monitor for changes.
  2. Create a list of files we wish to monitor.
  3. Use c2a to create a .audit file based upon this list.
  4. Create a scan policy that uses this .audit file.
  5. Create a scan that runs on a periodic basis and uses this new scan policy.

Downloading c2a

c2a can be downloaded from the support portal in the Compliance area, under Compliance check tools. After you've downloaded it, upload it to your Unix host (unless you downloaded it directly to the Unix host) and type:

tar -xvzf ./c2a-1.0.2.tar.gz

(The filename might change slightly if c2a gets updated.)

then change into the directory the tarball was extracted into:

cd ./c2a

Creating a list of files to be monitored

The next step is to create a list of files to be monitored. This file needs to be plain text, one file path per line. You can either create this file manually using vi, nano, or emacs, or alternatively generate it with a creative Unix command.

Let's say we want to monitor all the files in /etc. We could type:

find /etc > etcfiles.txt

This is a quick and dirty way to generate a long list of files (note that find lists directories as well as regular files, so the list will need some cleanup).

Creating the .audit file

Now that we've created the list of files to be monitored, we need to generate the audit file. Let's assume that we want to use the file we created above, etcfiles.txt. We'd type:

./c2a.pl -md5 -f ./etcfiles.txt -o etcfilemonitor.audit

and sit back and wait.

After a few minutes, the file etcfilemonitor.audit will be created. It should look something like this:

#
# This file is auto-generated with c2a.pl script
# Copyright 2007 Tenable Network Security Inc.
#
<check_type : "Unix">
<custom_item>
 #System : "Linux"
 type : FILE_CHECK
 description : "Check MD5 for /etc/passwd"
 file : "/etc/passwd"
 md5 : "789f03cc6078e418b9b759c2d8434b12"
</custom_item>
</check_type>

Obviously your .audit is likely to contain multiple items, one per file in the list.

If you're familiar with the .audit format, you can see that this records an md5sum of each individual file, and the compliance check then compares the current md5sum of the file against it.

Now we want to download this file (in this case etcfilemonitor.audit) so we can put it in a scanning policy.
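As an added example (this is not c2a.pl or any Tenable code), the following POSIX shell script produces the same .audit layout from a plain-text file list, and skips the directories and unreadable entries that a raw `find /etc` listing also contains. It assumes only that `md5sum` is on the PATH.

```shell
#!/bin/sh
# Added example, not c2a.pl or Tenable code: emit a .audit in the layout
# shown above from a plain-text list of paths (one per line), using md5sum.
# Entries that are not readable regular files (the directories that
# "find /etc" also lists, sockets, unreadable files) are skipped, because
# an MD5 of a directory is meaningless and md5sum would fail on it.
# Assumes md5sum is on PATH.

# audit_item PATH: print one <custom_item> block for PATH
audit_item() {
    path=$1
    sum=$(md5sum "$path" | cut -d' ' -f1)
    printf '<custom_item>\n'
    printf ' #System : "Linux"\n'
    printf ' type : FILE_CHECK\n'
    printf ' description : "Check MD5 for %s"\n' "$path"
    printf ' file : "%s"\n' "$path"
    printf ' md5 : "%s"\n' "$sum"
    printf '</custom_item>\n'
}

# build_audit LISTFILE OUTFILE: write the .audit to OUTFILE and print the
# number of items written; skipped entries are reported on stderr
build_audit() {
    list=$1
    out=$2
    count=0
    {
        printf '#\n# Generated by build_audit (example, not c2a.pl)\n#\n'
        printf '<check_type : "Unix">\n'
    } > "$out"
    # "|| [ -n "$f" ]" also picks up a last line with no trailing newline
    while IFS= read -r f || [ -n "$f" ]; do
        [ -n "$f" ] || continue
        if [ -f "$f" ] && [ -r "$f" ]; then
            audit_item "$f" >> "$out"
            count=$((count + 1))
        else
            printf 'skipping %s: not a readable regular file\n' "$f" >&2
        fi
    done < "$list"
    printf '</check_type>\n' >> "$out"
    echo "$count"
}

# Usage: build_audit ./etcfiles.txt ./etcfilemonitor.audit
```

The item count printed on stdout is a useful sanity check against the length of the input list before the .audit is uploaded to the policy.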

Creating a Scan Policy

Now that we have a .audit file we need to create a scan policy. This scan policy, at a minimum, must have the following:

1. Administrative level credentials for the Unix host to be monitored, or alternatively credentials with privilege elevation.

2. Plugin ID 21157, Unix Compliance Checks, must be enabled in the plugins section

3. The .audit file you just created must be uploaded to the Unix Compliance Checks area under preferences.

Once we’ve created this scan policy, we’re ready to create our scan!

Creating the Scan

We create a scan of this type just like we do with any other scan: we give it a name, a schedule, and a target list.

Once our scan has completed, if the md5 of a configuration file has not changed, it will come up as an Informational item in our report. However, if the md5 of a configuration file has changed, it will come up as a High result.

Source: Nessus and SecurityCenter