We’ve covered a number of ways to safely and effectively use Nessus in control system environments, most notably using the Bandolier security audit files in conjunction with the Nessus policy compliance plugins. In my post about NERC CIP 007 R1 Testing, I alluded to file integrity checking for Linux and Unix servers. Since we haven’t covered that from a technical angle, here’s a quick introduction.
Tenable provides a Perl script (the “c2a” tool) that makes easy work of generating the MD5 checksums and the audit files. It basically works like this: you provide a list of files and directories to the script, and it outputs an audit file that’s ready to go. The only work you may have to do is opening the script to edit the variable that points to your md5sum or md5 binary. Here’s what a check looks like:
description: "Check MD5 for /etc/passwd"
The c2a script will work recursively through a directory (just include a trailing slash in the path) so you can generate hundreds of these checks at once if you’re so inclined.
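To make the workflow concrete, here is an added example (my own code, not Tenable’s c2a script) that does the same job in Python: it takes a list of paths, recurses into any directory given with a trailing slash, hashes each file with MD5, and renders one check per file. The `<custom_item>` / `FILE_CHECK` / `md5:` layout is my assumption of the Nessus Unix compliance syntax, so compare it against what c2a itself emits before using it; the sample tree and the `changed_files` diff are constructed to show what a later scan would flag.

```python
"""Constructed stand-in for the c2a workflow: hash files/directories and emit
Nessus-style FILE_CHECK items carrying an md5 value. The <custom_item> layout
is an assumed rendering of the Unix compliance syntax, not c2a's own output."""
import hashlib
import os
import tempfile

def md5_file(path):
    h = hashlib.md5()  # read in chunks so large binaries are fine
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(paths):
    """Map each selected file to its MD5; a trailing slash means recurse."""
    baseline = {}
    for p in paths:
        if p.endswith(os.sep) and os.path.isdir(p):
            for root, _, files in os.walk(p):
                for name in sorted(files):
                    full = os.path.join(root, name)
                    baseline[full] = md5_file(full)
        elif os.path.isfile(p):
            baseline[p] = md5_file(p)
    return baseline

def render_check(path, digest):
    # One audit item; keyword names follow the assumed FILE_CHECK syntax.
    return ("<custom_item>\n  type: FILE_CHECK\n"
            f'  description: "Check MD5 for {path}"\n'
            f'  file: "{path}"\n  md5: "{digest}"\n</custom_item>\n')

def render_audit(baseline):
    return "".join(render_check(p, d) for p, d in sorted(baseline.items()))

def changed_files(old, new):
    # Differing hash, or a file that vanished or appeared since the baseline.
    return sorted(p for p in set(old) | set(new) if old.get(p) != new.get(p))

def demo():
    """Constructed sample tree: baseline it, tamper with one file, diff."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "passwd"), "w") as fh:
        fh.write("a")  # md5 0cc175b9c0f1b6a831c399e269772661
    before = hash_tree([d + os.sep])
    with open(os.path.join(d, "passwd"), "w") as fh:
        fh.write("abc")  # md5 900150983cd24fb0d6963f7d28e17f72
    after = hash_tree([d + os.sep])
    return render_audit(before), [os.path.basename(p) for p in changed_files(before, after)]
```

Running `demo()` returns the audit text for the original tree and `["passwd"]` as the file whose hash no longer matches.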
So why do this? Like I said in the previous post, this isn’t a replacement for a full-blown file integrity monitoring tool. It is, however, a very low-impact way to do basic file integrity checking. Like everything else with Bandolier and the Nessus credentialed scanning functions, there is nothing to install on your control system servers and workstations — no client, agent, or software of any kind.
You can easily generate checks for your key application directories and combine them with your set of Bandolier files. It’s great for testing changes like we talked about in the context of the NERC CIP requirement, but there is also an obvious security benefit in knowing that a file has changed when it shouldn’t have.