Needle in the Haystack: Searching File Content with Nessus
We routinely use file content checking to retrieve and evaluate configuration settings for the Bandolier security audit files. This is a function of the Compliance Checks plugins for Windows and Unix. It works well as long as the file name is known. What if you want to search for specific content but do not know the file name? There is another type of file content searching in Nessus designed to do just that for Windows servers and workstations. The Windows File Contents Compliance Checks plugin is found alongside the other compliance checks in the Policy Compliance family.

In the traditional IT world, this type of file content search is often used to locate things like credit card numbers, social security numbers, or other sensitive content hanging around in places where it should not be. Tenable provides an extensive library of audit files for searching various types of sensitive content. For control systems, I see a couple of potential uses for this type of auditing.
1.) Identifying unencrypted sensitive data in installation and temporary files. Working on Bandolier, we’ve seen that some installations leave behind temp files that include things like configuration details and even user and password information. You can use your imagination for other ways sensitive data might get left behind–from an operator keeping information in a text file to an undocumented application function that leaves sensitive data behind. A file content audit file can help identify these scenarios. It is only as difficult as deciding on the search terms and the file types you want to inspect.
2.) Identifying unencrypted sensitive control system data on non-control networks. Whether you’re concerned with PCII, NERC CIP-003 R4 or just good security, keeping sensitive control system data from floating around on the business network is a valid concern and one that is not easily controlled. Speaking from experience, you may be surprised how much information you can find hanging around on local drives and even semi-public shared drives. Again, you can use your imagination for search terms and locations, but a place to start might be searching for files that contain IP addresses from your control system subnets.
Let’s say you have a control network subnet that is 172.16.50.xxx. Here’s a simple example of an audit file that will search for it:
—
<check_type : "WindowsFiles">
<item>
type: FILE_CONTENT_CHECK
description: "The file contains sensitive SCADA IP addressing information"
file_extension: "txt" | "doc" | "xls" | "pdf"
# Dots are escaped so the pattern matches the 172.16.50.x subnet only, not strings such as 172x16x50
regex: "172\.16\.50\..*"
expect: "172\.16\.50\..*"
max_size : "50K"
</item>
</check_type>
—
Before you run off to search your entire network, there are some performance issues to consider. As you can imagine, searching file content can be resource intensive. Start by testing in a non-production environment so you can evaluate the impact of different types of searches. Narrowing the search to particular file types and limiting the file size will save resources.
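A quick way to tune the search terms before handing them to Nessus is to run the same three filters (file_extension, max_size, regex) over a scratch directory of sample files. The script below is an added example, not Tenable's or Bandolier's code: the CHECK dictionary and the sample files are constructed here to mirror the audit item above, and the regex escapes the dots so only the 172.16.50.x subnet is reported.

```python
import os, re, tempfile

def parse_size(text):
    """Turn a Nessus-style max_size such as "50K" or "2M" into bytes."""
    units = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
    text = text.strip().upper()
    if text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)

# Constructed item mirroring the post's audit file; dots escaped so "172x16x50" is not a hit.
CHECK = {
    "file_extension": ("txt", "doc", "xls", "pdf"),
    "regex": re.compile(r"172\.16\.50\.\d{1,3}"),
    "max_size": parse_size("50K"),
}

def candidate(path, check):
    """Cheap filters first: extension, then size on disk."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext in check["file_extension"] and os.path.getsize(path) <= check["max_size"]

def search_tree(root, check):
    """Return {relative path: [matched strings]} for files whose content matches."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not candidate(path, check):
                continue
            with open(path, "rb") as fh:            # .doc/.pdf are not plain text
                text = fh.read().decode("latin-1")  # byte-for-byte, never raises
            found = check["regex"].findall(text)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def demo():
    """Constructed scratch tree: one hit, one wrong extension, one oversize file."""
    samples = {
        "notes.txt": b"HMI is at 172.16.50.12, historian at 172.16.50.40\n",
        "notes.log": b"172.16.50.12 skipped: .log is not in file_extension\n",
        "big.txt": b"172.16.50.7 " * 10000,          # ~120K, over max_size
        "todo.txt": b"call vendor about 10.1.1.5\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return search_tree(root, CHECK)
```

Pointing search_tree at a copy of real temp or install directories shows how many files survive the extension and size filters, which is the number that drives scan time.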
For Unix systems, there is not a separate plugin for file content searching but there is an option in the regular audit file language called “CMD_EXEC”. As the name implies, you can essentially run any Unix command including grep. This comes with the same performance impact warning as above – be careful how you use it and please remember to test.
Have thoughts or ideas on other ways this can be used? Would love to see your comments.
Author: Jason Holcomb
Posted: June 29th, 2009 under Assessment Tools, Bandolier, Security Tools.