
CIP-007 R4, AV, and Nessus WMI audit checks

We recently took another look at how the Bandolier security audit files can help with NERC CIP auditing. There is a good article over in the SCADApedia but we wanted to make sure we were doing as much as possible since it is a concern for many of our asset owner friends. One thing that kept popping out was the CIP-007 R4 requirement concerning “Malicious Software Prevention” — it seemed like we should at least be able to determine if antivirus software is installed on a Windows machine.

Tenable offers this type of check for specific vendors: Clam, Kaspersky, Panda, Symantec, and Trend Micro. Those are great if you know what product to expect but we needed something generic so I kept looking. I ended up following a hunch about the Windows Security Center and found what I was looking for using WMI. The “SecurityCenter” namespace has information about the vendor, product name, version, and even a Boolean value that indicates if the signatures are up to date — score! Now all we have to do is write the audit check… here’s my first stab:

<if>
<condition type:"or">
<custom_item>
type: WMI_POLICY
description: "Determine if AntiVirus software is installed"
value_type: POLICY_TEXT
value_data: ""
wmi_namespace: "root/SecurityCenter"
wmi_request: "SELECT displayName FROM AntiVirusProduct"
wmi_attribute: "displayName"
wmi_key: "displayName"
check_type: CHECK_EQUAL
</item>
</condition>

<then>
<report type:"FAILED">
description: "Determine if AntiVirus software is installed"
</report>
</then>

<else>
<report type:"PASSED">
description: "Determine if AntiVirus software is installed"
</report>

<custom_item>
type: WMI_POLICY
description: "Determine if AntiVirus software is current"
value_type: POLICY_DWORD
value_data: "1"
wmi_namespace: "root/SecurityCenter"
wmi_request: "SELECT productUptoDate FROM AntiVirusProduct"
wmi_attribute: "productUptoDate"
wmi_key: "productUptoDate"
check_type: CHECK_EQUAL
</item>

</else>
</if>

In the first condition check, the CHECK_EQUAL combined with a null value and some forced reporting essentially becomes an “IF EXISTS” check. It’s a little convoluted but is the only way I could make it work in my testing so far. If an anti-virus product exists, the second custom item determines if the signatures are current.
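The same two-stage logic, run locally or against a single host with PowerShell instead of Nessus, as an added example that is not part of the original post. It assumes the root\SecurityCenter namespace the audit above targets (Windows XP / Server 2003); on Vista and later the class moved to root\SecurityCenter2, where productUptoDate was replaced by the productState bit field, so the script only reports the raw value there.

```powershell
param([string]$ComputerName = '.')

function Get-AntiVirusStatus {
    param([string]$ComputerName = '.')

    # Stage 1, the "IF EXISTS" check: any AntiVirusProduct instance at all?
    # A failed query (namespace absent, WMI/DCOM blocked) is treated as "not found".
    $ns = 'root\SecurityCenter'
    try {
        $products = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns `
                        -Class AntiVirusProduct -ErrorAction Stop)
    } catch {
        Write-Warning "$ns query failed: $($_.Exception.Message)"
        $products = @()
    }

    # Vista+ fallback (assumption: SecurityCenter2 present on newer hosts)
    if ($products.Count -eq 0) {
        $ns = 'root\SecurityCenter2'
        $products = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns `
                        -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    }

    if ($products.Count -eq 0) {
        return New-Object PSObject -Property @{
            Installed = $false; DisplayName = $null; UpToDate = $null; Result = 'FAILED' }
    }

    # Stage 2: signatures current? Only root\SecurityCenter carries productUptoDate.
    foreach ($p in $products) {
        if ($ns -eq 'root\SecurityCenter') {
            $current = [bool]$p.productUptoDate
            $result  = 'FAILED'
            if ($current) { $result = 'PASSED' }
        } else {
            # productState is an undecoded bit field here; report it for manual review
            $current = ('productState=0x{0:X}' -f $p.productState)
            $result  = 'REVIEW'
        }
        New-Object PSObject -Property @{
            Installed = $true; DisplayName = $p.displayName; UpToDate = $current; Result = $result }
    }
}

Get-AntiVirusStatus -ComputerName $ComputerName | Format-Table Installed, DisplayName, UpToDate, Result -AutoSize
```

Run it with -ComputerName pointed at the host under audit; remote use needs the same WMI/DCOM access the Nessus check does.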

Whether you are concerned about CIP compliance or not, this can be a useful security check. Look for it to be included in future Bandolier audit files or go use it on your own now. I’ll be exploring the SecurityCenter WMI namespace further, so stay tuned for more updates.

Comments

Comment from RaSchi
Time: November 5, 2008, 8:24 am

Sounds really good, but then again, an open WMI interface (i.e. DCOM if I’m not mistaken) may not exactly be what you want in a secure control system.

Wouldn’t it be nice if there was a way to make selected WMI information available via SMB shares?

Comment from Jason Holcomb
Time: November 5, 2008, 12:13 pm

Good observation and question. It would be nice if the WMI features would work via SMB like the rest of the audit checks.

If you’re using the Windows firewall, you’ll have to enable the “Allow remote administration exception” for these checks to work. I suggest limiting this exception to the IP address of the Nessus scanner and you could further authenticate the session with IPSEC. Whether it is worth the effort will depend on several factors — number of control system workstations and servers to audit, expertise of the administrators, current host-based firewall policies, etc…
