Using Nessus for software patch management

Today’s blog is about using Nessus for software patch management.

While Nessus is a popular tool for network security scanning, it also has some less obvious uses, such as patch management, or more specifically, patch reporting.

By allowing Nessus access to a device via an authorised system account, it can audit the package inventory on the device.

As Nessus supports many different operating systems and distributions, it becomes possible to manage patch reporting for all of your device types (such as AIX, Solaris, Linux, Windows, Cisco IOS and Mac OS X) from a single point of reference.

As all package vulnerabilities known to Nessus are scored like any other vulnerability, it is possible to categorise and qualify the patches you choose to apply.

This enables the patching policy to be driven by qualified security needs, and not “just because the vendor recommends it”.

Nessus can also plug in to tools such as WSUS and Red Hat Satellite; however, I am yet to explore what functionality that brings (I guess it will audit only against authorised patches or something…).

So the process is:

1. Create a ‘nessus’ account on each host (non-root/non-Administrator, of course) with just enough access to list the package inventory.

2. Create a ‘nessus’ account on the WSUS or Red Hat Satellite server.

3. Configure a scan policy with local authentication, and configure WSUS/Satellite with the required credentials.

4. Select only local scan checks, excluding operating systems and scan types which do not apply to software package releases.

Configuring a policy can be time consuming – don’t worry about de-selecting *ALL* of them – just get most of them. It’s only to speed up the scan anyway, as those which don’t apply shouldn’t return a hit, so refine the policy over several iterations by removing more unwanted checks on the second and third pass and so on.

5. Save the scan policy.

6. Schedule a scan using the policy you just saved against your targets.

…and voilà! Once the scan is complete, you have a single cross-platform patch report for all of your machines!
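As an added example (not part of the original post), a small Python script that turns a Nessus v2 export (.nessus XML) into the cross-platform patch report described above: it keeps only the local patch-check findings at or above a chosen severity and orders them by score. The embedded export, host names and plugin IDs are constructed for illustration; the plugin family names follow Nessus's own naming.

```python
import xml.etree.ElementTree as ET

# Constructed sample .nessus (Nessus v2 export): two hosts, two local patch hits, one network finding.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="patch-audit">
<ReportHost name="rhel-web01"><HostProperties>
<tag name="operating-system">Red Hat Enterprise Linux 6 (constructed)</tag></HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="3" pluginID="900001"
 pluginName="openssl security update (constructed)" pluginFamily="Red Hat Local Security Checks">
<cvss_base_score>7.5</cvss_base_score></ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="900002"
 pluginName="SSH Server Type and Version (constructed)" pluginFamily="Service detection"/>
</ReportHost>
<ReportHost name="win-fs02"><HostProperties>
<tag name="operating-system">Microsoft Windows Server 2008 R2 (constructed)</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900003"
 pluginName="Windows security update (constructed)" pluginFamily="Windows : Microsoft Bulletins">
<cvss_base_score>9.3</cvss_base_score></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

# Families that report a missing package/patch, not a service issue; substring match covers each OS's "... Local Security Checks".
LOCAL_CHECK_MARKERS = ("Local Security Checks", "Microsoft Bulletins")

def patch_report(nessus_xml, min_severity=2):
    """host -> {"os": ..., "patches": [(severity, cvss, plugin name), ...]}, keeping
    local checks with Nessus severity >= min_severity (0 info .. 4 critical), highest first."""
    root = ET.fromstring(nessus_xml)
    report = {}
    for host in root.iter("ReportHost"):
        os_tag = host.find("HostProperties/tag[@name='operating-system']")
        entry = {"os": os_tag.text if os_tag is not None else "unknown", "patches": []}
        for item in host.iter("ReportItem"):
            if not any(m in item.get("pluginFamily", "") for m in LOCAL_CHECK_MARKERS):
                continue  # service/network finding, not a missing patch
            severity = int(item.get("severity", "0"))
            if severity < min_severity:
                continue
            cvss = float(item.findtext("cvss_base_score") or 0.0)
            entry["patches"].append((severity, cvss, item.get("pluginName", "")))
        entry["patches"].sort(reverse=True)  # score-driven patching order
        report[host.get("name")] = entry
    return report

def format_report(report):
    """Render the per-host dict as one cross-platform text summary."""
    lines = []
    for host, entry in sorted(report.items()):
        lines.append(f"{host} [{entry['os']}]: {len(entry['patches'])} missing patch(es)")
        lines.extend(f"  sev={s} cvss={c:.1f}  {name}" for s, c, name in entry["patches"])
    return "\n".join(lines)
```

Point `patch_report` at the contents of a real export saved from the scheduled scan and raise `min_severity` to tune how much of the backlog the patching policy is asked to carry.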

Recent 0day IE vulnerability causes Microsoft to recommend EMET

A recent 0day in IE caused Microsoft to recommend a lesser-known but long-standing Microsoft tool, the Microsoft Enhanced Mitigation Experience Toolkit (EMET), which recently hit v3.0 and, along with it, gained official Microsoft support for use in a production environment.

This is a monumental security milestone for Microsoft, as it addresses the underlying conditions that allow certain classes of malicious code to execute: it removes the flaw that lets the attack happen, rather than trying to catch the attack in progress.

There is a profile included in EMET which you can import, and it covers most of the popular applications. If you review those apps you will see that certain mitigations are turned off for certain apps, which is evidence that some testing has been done (and which you shouldn’t then need to repeat yourself).

What EMET provides is a strong mitigation for a whole class of vulnerabilities that target popular software such as web browsers, browser plugins, Adobe Acrobat, Shockwave Flash, and any other application exposed to data from untrusted sources like the internet. The EMET approach to mitigation is so successful that it is better than antivirus for blocking these types of attacks, as it provides protection from future unknown threats of this kind and never needs ‘updating’ with virus signatures.

I have successfully been running EMET for 5 or so months now in the dangerous ‘opt-out for everything’ configuration without issue. The only mitigation I had issues with was ASLR for media players or real-time apps.

While some programs are genuinely badly designed and won’t work with many types of mitigations, the few which actually get killed really need to be questioned – do you want to run code which is so bad that it triggers a mitigation? What I find quite surprising is how many times EMET closes a plugin while I’m browsing!

This toolkit is a must for everyone with a Windows machine, simple. Download EMET now from Microsoft, located here:

http://support.microsoft.com/kb/2458544