Glad I was able to answer my own message before I wasted someone else's time... I just realized that 21725 (savce_installed.nasl) does exactly what I was trying to do with audits, below. Still, I'd like to know if there's a way to do wildcards or text ranges in REGISTRY_SETTING audits. I plan to use these a LOT. John Scherff
________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Scherff Sent: Tuesday, April 24, 2007 11:02 AM To: [email protected] Subject: SYMANTEC AV AUDITS QUESTION: Can wildcards or ranges be used for text values in REGISTRY_SETTING audits? I recently used Nessus compliance auditing to check for the presence of four critical Symantec AV services on all systems. (See first four items in Listing 1.) It works great. Then I wrote an audit rule to check for the version of SAV running on the host and the version of AV signatures installed. (See last two items in Listing 1.) Prior to running the scan, I use sed to replace the placeholders savVersion and defVersion. I get the latest def version from the Symantec web site using a rather clunky script I wrote (see excerpt in Listing 2). This also works great. Unfortunately, I found that there are many slightly different, but recent, versions of the SAV client running on our systems. I also found that most clients are using virus signatures that are one or two days older than the most recent one (probably due to the centralized nature of our malware management architecture.) SO... What I need is to be able to specify a range of valid virus definitions (e.g., the last three) and a range or wildcard value for valid software versions. The nessus compliance audit documentation doesn't mention the ability to do this. Is it possible? R/ John Scherff Sr. IT Security Engineer 24 Hour Fitness LISTING 1 <check_type: "Windows"> <group_policy: "Tenable Audit file"> <custom_item> type: SERVICE_POLICY description: "Symantec Antivirus service (Symantec Antivirus)" value_type: SERVICE_SET value_data: "Automatic" service_name: "Symantec Antivirus" </item> <custom_item> type: SERVICE_POLICY description: "Symantec virus definition monitoring and maintenance service (DefWatch)" value_type: SERVICE_SET value_data: "Automatic" service_name: "DefWatch" </item> <custom_item> type: SERVICE_POLICY description: "Symantec event propagation and logging service (ccEvtMgr)" value_type: SERVICE_SET value_data: "Automatic" service_name: "ccEvtMgr" </item> <custom_item> type: SERVICE_POLICY description: "Symantec settings storage and management service (ccSetMgr)" value_type: SERVICE_SET value_data: "Automatic" service_name: "ccSetMgr" </item> <custom_item> type: REGISTRY_SETTING description: "Symantec Antivirus Software Version" value_type: POLICY_TEXT value_data: "savVersion" reg_key: "HKLM\SOFTWARE\Intel\DLLUsage\VP6" reg_item: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" </item> <custom_item> type: REGISTRY_SETTING description: "Symantec Antivirus Definitions Version" value_type: POLICY_TEXT value_data: "C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\defVersion" reg_key: "HKLM\SOFTWARE\Symantec\SharedDefs" reg_item: "DEFWATCH_10" </item> </group_policy> </check_type> LISTING 2 defVersion=`wget -qO - http://definitions.symantec.com/defs/ <http://definitions.symantec.com/defs/> | egrep -o '[0-9]{8}-[0-9]{3}-i32' | cut -c1-12 | sort -u | tail -1 | tr - .` sed 's!defVersion!'$defVersion'!' \ Win32_SAV.audit > /tmp/scanPolicy.$$ sed 's!^\( Windows Compliance .*1 : = \)$!\1'/tmp/scanPolicy.$$'!' \ $scanConfig > /tmp/scanConfig.$$ NessusClient -c /tmp/scanConfig.$$ -T nbe -xq $scanHost \ $scanPort $scanUser $scanPass $scanTarget $scanResult rm -f /tmp/*.$$
_______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
