Bandolier Update: Introduction to Compliance Checks

Dale posted an introduction to Bandolier a couple of weeks ago. I am increasingly excited about the value of this project. We are working with asset owners and vendors to identify a hardened configuration for twenty control system applications. We are then developing audit files for use in Nessus and other assessment tools that determine whether a system is configured according the hardened configuration. In Nessus, these are called “compliance checks”. Each check has a corresponding “.audit” file.

I want to discuss briefly the difference between compliance checks and traditional vulnerability scanning – it’s subtle but significant. Each has its own distinct purpose and value. Vulnerability scanning relies on a set of signatures of “known bad things”. The compliance checks, on the other hand, compare a system against the “known good”, hardened configuration. It does this by actually authenticating to the system and inspecting its configuration. Once authenticated, any number of things can be evaluated – user accounts, registry settings, configuration file settings, system settings, permissions, etc… More information can be found on the Tenable Security site in the Compliance Checks FAQ.

Tenable Security along with organizations like NIST and the Center for Internet Security, have developed best practice compliance checks for many operating systems and applications. The Bandolier project will use the same concept to develop .audit files specifically for the twenty control system applications that reside on a variety of Windows and UNIX platforms. This will allow asset owners to validate that their system is configured according to a vendor-supported best practice – at the OS and application levels.

I think this project will raise the level of security awareness from the asset owner and vendor perspectives. More importantly, it will put some useful tools into the hands of those responsible for maintaining security of their control system applications. Stay tuned for further updates.

4 comments to Bandolier Update: Introduction to Compliance Checks

  • That is actually a really great feature/concept. Does it have the ability to distinguish between different compliance standards, say NIST SP800-53 as apposed to NERC CIP 002-009, etc.?

  • Clint,

    Tenable has a set of audit files based on SP800-53. NIST simplified the process of creating those files by providing the content in a specification language known as XCCDF through their SCAP program. Bandolier, by the way, will also make the audit specifications available in XCCDF and OVAL formats for use in other tools beyond Nessus.

    As far as NERC CIP, I haven’t seen anything yet. The standard itself isn’t real prescriptive so most system-specific settings will be dictated by an organization’s security policy or some other best practice security standard (such as the audit files from Bandolier, perhaps).

  • Hi Jason and fellow Digital bonders,

    Sounds like a very interesting project, can you go into the details of which control applications you attend to review?

    Eyal.

  • Eyal,

    We are working with asset owners and vendors and have selected different types of applications (HMI, Real-time, Historians, etc…) that run on a variety of operating systems. There are several large vendors participating but we are not able to provide details at this time. Stay tuned, though, for further updates.

    JH

Leave a Reply