Albert Puigsech Galicia wrote:

        Hello list!

I am interested in verifying remotely some local UNIX vulnerabilities using nessus plugins, the reason why I need that plugins is to connect to some terminal service (telnet, ssh, remote shell) and execute some commands in the analyzed host.

Different nail, different hammer...

(...)

Well... My question is: what do you think is the best way to check local vulnerabilities using nessus? Or is it better to code a simple local C program and not use nessus to do it?

There are a few ways here, none of which are possible within Nessus (yet):

1- run a tool to analyse the configuration locally, you could use <plug>Tiger</plug> [1], Titan [2], the CIS benchmarks [3] or similar local tools that can analyse both running processes and files

2- use a patch management tool to extract the OS configuration (installed programs) from the system (rpm -Va, dpkg --get-selections, showrev -a, instfix -a, swlist, you name it...) and check against a database of vulnerable software or put that info in the report.

Actually, some of the tools above can do that, but you can also use tools more suited to the task. I don't know of a generic tool that fully covers all UNIX yet, but OVAL [4] is starting to provide one.

3- Recover all the system configuration (/etc...), and run just a tight set of commands (like 'find / \( -perm -4000 -o -perm -2000 \) -type f -exec /bin/ls -ld {} \;') and put that info in the report.
You could even consider doing this for remote devices (like a Cisco switch/router with 'show run')


I believe coding a NASL script that uses the knowledge base (a remote connection to the server is available, and a user/password is known) could do 2) and 3) since that usually implies running a limited set of applications (the package management applications, if available). Whereas I don't think you could fully code 1) in a NASL script since there are a lot of checks that are done on that side and it usually involves executing arbitrary code (which you don't want to do unless you are really sure you won't mess it up).

Notice that 3) is risky, but 1) is even riskier (if you are using an administrator account for the remote login). In any case, I wouldn't want a remote vulnerability assessment tool to run arbitrary commands remotely (even if it got a username/password to do so). I would rather run this myself (if possible or needed). YMMV.

Regards

Javier

[1] http://www.nongnu.org/tiger/
[2] http://www.fish.com/titan
[3] http://www.cisecurity.com/
[4] http://oval.mitre.org
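As an added example (not code from the original post, nor from Nessus or NASL): a small POSIX shell collector that implements options 2) and 3) above as read-only commands and writes them into one report, which is the kind of thing you would run yourself on the host rather than have the scanner execute for you. The function names collect_privileged_files, collect_packages and write_report, and the file name collect_config.sh, are assumptions for this example; the audited root is a parameter so the script can be pointed at a test tree, and a real run passes "/".

```shell
#!/bin/sh
# Added example, not code from the original post or from Nessus/NASL: a read-only
# collector of the kind options 2) and 3) describe. Function and file names are
# assumptions chosen for this example. The audited root is a parameter so the
# script can be pointed at a test tree; a real run uses "/".

# Option 3): the setuid/setgid listing from the post, with stderr silenced so
# unreadable directories do not clutter the report.
collect_privileged_files() {
    root="${1:-/}"
    find "$root" \( -perm -4000 -o -perm -2000 \) -type f \
        -exec ls -ld {} \; 2>/dev/null
}

# Option 2): installed-package inventory, using whichever package manager the
# host has. The list is compared against a vulnerability database afterwards,
# offline; collecting it is all this script does.
collect_packages() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --get-selections 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa 2>/dev/null
    else
        echo "no supported package manager found"
    fi
}

# Assemble the report: host identity, then each section under a fixed header so
# a later diff between two runs lines up section by section. Prints the path of
# the report it wrote.
write_report() {
    root="${1:-/}"
    out="${2:-config-report.txt}"
    {
        echo "# host: $(uname -n)"
        echo "# date: $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        echo "# root: $root"
        echo
        echo "## setuid/setgid files"
        collect_privileged_files "$root"
        echo
        echo "## installed packages"
        collect_packages
    } > "$out"
    echo "$out"
}

# Usage: sh collect_config.sh / /var/tmp/config-report.txt
# With no arguments the script only defines the functions (so it can be sourced).
if [ "$#" -gt 0 ]; then
    write_report "$@"
fi
```

The report is plain text on purpose: keeping one copy per run and diffing them shows new privileged binaries or changed package sets without the scanner needing any privilege on the host beyond reading the files it already lists.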
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
