Tenable Compliance Audits Scan (MySQL DB, Credit Card Data, etc) - NETSEC


Cybersecurity Memo

Tuesday, April 29, 2025

Tenable Compliance Audits Scan (MySQL DB, Credit Card Data, etc)

Tenable Vulnerability Management can perform vulnerability scans of network services as well as log in to servers to discover any missing patches. However, a lack of vulnerabilities does not mean the servers are configured correctly or are “compliant” with a particular standard.

You can use Tenable Vulnerability Management to perform vulnerability scans and compliance audits to obtain all of this data at one time. If you know how a server is configured, how it is patched, and what vulnerabilities are present, you can determine measures to mitigate risk.


When configuring a scan or policy, you can include one or more compliance checks, also known as audits. Each compliance check requires specific credentials.

Some compliance checks are preconfigured by Tenable, but you can also create and upload custom audits.

For more information on compliance checks and creating custom audits, see the Compliance Checks Reference.

https://docs.tenable.com/vulnerability-management/Content/Scans/Compliance.htm

Credit Card Data Scanning

Note: https://community.tenable.com/s/question/0D53a00008SyrMgCAJ/credit-card-data-scanning?language=en_US



  1. Click New Scan button.
  2. Click Policy Compliance Auditing template.
  3. Fill out Settings and Credentials for what target you want to scan.
  4. Click on Compliance tab.
  5. Filter the categories on Unix File Contents or Windows File Contents based on what your target is.
  6. Find the TNS File Analysis - Credit Card Number entry and click on it to add to the right pane.
  7. Save or Launch your scan.



Using American Express as an example, the check has the following rules in it.

  1. file_extension : "pdf" | "doc" | "xls" | "xlsx" | "xlsm" | "xlsb" | "xml" | "xltx" | "xltm" | "docx" | "docm" | "dotx" | "dot" | "txt"
  2. regex : "([^0-9-]|^)(3[47][0-9]{2}( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)"
  3. expect : "American Express" | "CCAX" | "amex" | "credit" | "AMEX" | "CCN"
  4. max_size : "50K"

  • It must be a file with one of the listed file_extension values.
  • Content somewhere in the file must match the regex.
  • One of the expect keywords must also exist in the file.
  • All of these must exist in the first 50K bytes of the file.


I have a text file which contains the following data

CCN# 1122-3344-5566-7788
CCN 1122-3344-5566-7788
American Express 1133-2244-5566-7788
American Express 3714-4963-5398-431
American Express 371449635398431

and the audit file has the following configuration

<item>
 type           : FILE_CONTENT_CHECK
 description    : "PII - Determine if a file contains a valid American Express credit card number."
 file_extension : "pdf" | "doc" | "xls" | "xlsx" | "xlsm" | "xlsb" | "xml" | "xltx" | "xltm" | "docx" | "docm" | "dotx" | "dot" | "txt"
 regex          : "([^0-9-]|^)(3[47][0-9]{2}( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)"
 regex_replace  : "\3"
 expect         : "American Express" | "CCAX" | "amex" | "credit" | "AMEX" | "CCN"
 max_size       : "50K"
 only_show      : "4"
</item>
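To see how the four rules of the FILE_CONTENT_CHECK item combine, here is a small Python emulation run over the five sample lines above. This is an added example written for this post; it is not code from Tenable or from the original article. It assumes that "50K" means 50 KiB, that expect keywords are matched case-sensitively (which is why the item lists both "amex" and "AMEX"), and that the card number is the regex's second group; the regex_replace and only_show directives are not emulated.

```python
import re

# Constructed sample input: the five lines of the test file shown above.
SAMPLE_TEXT = (
    "CCN# 1122-3344-5566-7788\n"
    "CCN 1122-3344-5566-7788\n"
    "American Express 1133-2244-5566-7788\n"
    "American Express 3714-4963-5398-431\n"
    "American Express 371449635398431\n"
)

# Settings copied from the audit item above.
AMEX_CHECK = {
    "file_extension": ["pdf", "doc", "xls", "xlsx", "xlsm", "xlsb", "xml",
                       "xltx", "xltm", "docx", "docm", "dotx", "dot", "txt"],
    "regex": r"([^0-9-]|^)(3[47][0-9]{2}( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)",
    "expect": ["American Express", "CCAX", "amex", "credit", "AMEX", "CCN"],
    "max_size": "50K",
}


def parse_size(spec: str) -> int:
    """Turn a size such as "50K" into bytes. Assumption: K and M are 1024-based."""
    units = {"": 1, "K": 1024, "M": 1024 * 1024}
    m = re.fullmatch(r"(\d+)([KM]?)", spec.strip().upper())
    if not m:
        raise ValueError(f"unsupported max_size: {spec!r}")
    return int(m.group(1)) * units[m.group(2)]


def file_content_check(filename: str, data: bytes, check: dict) -> dict:
    """Emulate the four rules of a FILE_CONTENT_CHECK item and report what fired."""
    # Rule 1: only files with one of the listed extensions are examined at all.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in check["file_extension"]:
        return {"applicable": False, "regex_matches": [], "keywords_found": [], "fail": False}

    # Rule 4: only the first max_size bytes of the file are examined.
    head = data[: parse_size(check["max_size"])].decode("utf-8", errors="replace")

    # Rule 2: the regex must match somewhere; group 2 is the card number itself.
    matches = [m.group(2) for m in re.finditer(check["regex"], head, flags=re.MULTILINE)]

    # Rule 3: at least one expect keyword must also be present (case-sensitive).
    keywords = [k for k in check["expect"] if k in head]

    return {
        "applicable": True,
        "regex_matches": matches,
        "keywords_found": keywords,
        # The item only flags the file when both the regex and a keyword hit.
        "fail": bool(matches) and bool(keywords),
    }


if __name__ == "__main__":
    result = file_content_check("cards.txt", SAMPLE_TEXT.encode("utf-8"), AMEX_CHECK)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it against the sample file shows that only the unformatted 15-digit line (371449635398431) satisfies the regex: the 1122-... and 1133-... lines never start with 34 or 37, and the 3714-4963-5398-431 line is grouped 4-4-4-3 while the regex expects 4-6-5 groups with at most one space or dash between them. Anyone tuning this check for their own data should test it against the formats actually used in their files rather than assume every dashed number will be caught.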




Search 'Nessus' in a text file

<check_type:"WindowsFiles">
<item>
 type           : FILE_CONTENT_CHECK
 description    : "Text File that Contains the word Nessus"
 file_extension : "txt"
 expect         : "Nessus"
 include_paths  : "D:\"
</item>
</check_type>




MySQL DB Compliance Scan


Tenable Nessus: 

1 Create a New Scan Using Advanced Scan Template



2 Add your target(s) using fqdn or ip



3 Customize Port Scan Range if your MySQL DB is using a custom port

In this screenshot, I am using port 30334 as an example for this MySQL DB


4 Create database credential



5 Add the latest downloaded MySQL Compliance Audit File



6 Save then launch scan


7 Check Compliance Result






The CIS benchmark that was published was specified for MySQL Enterprise, and did not contain any recommendations for community versions.

The audit has 2 checks to see if it is relevant for the target you are scanning:

  • MySQL 8.0 is installed - runs `show variables like 'version' ;` and looks for '"version", regex:"8\..*"'
  • MySQL 8.0 Enterprise Edition is installed - runs `show variables like 'license' ;` and looks for '"license", "Commercial"'

That 2nd check is most likely blocking the audit from running on your system, assuming you do not have a licensed version.

If you would like to attempt running the audits on that target, you can do the following:
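The two applicability checks above are easy to reason about once you see them as a gate that every item in the audit sits behind. The following Python sketch is an added example (not Tenable's code and not from the original post): it replays the two checks against constructed snapshots of what `show variables like '...'` returns on a community 8.2 build, an enterprise 8.0 build and a community 9.3 build, and reports which check stops the audit. The version strings are constructed, and the regex is assumed to be anchored at the start of the value.

```python
import re

# Constructed snapshots of `show variables like '<name>'` output for three servers.
# Community builds report license = GPL; Enterprise builds report Commercial.
SERVERS = {
    "community-8.2": {"version": "8.2.0", "license": "GPL"},
    "enterprise-8.0": {"version": "8.0.40-commercial", "license": "Commercial"},
    "community-9.3": {"version": "9.3.0", "license": "GPL"},
}

# The two applicability checks from the audit: (title, variable, (mode, expected)).
APPLICABILITY_CHECKS = [
    ("MySQL 8.0 is installed", "version", ("regex", r"8\..*")),
    ("MySQL 8.0 Enterprise Edition is installed", "license", ("equals", "Commercial")),
]


def show_variable(server: dict, name: str) -> tuple:
    """Stand-in for `show variables like '<name>';`, returning the (Variable_name, Value) row."""
    return (name, server.get(name, ""))


def evaluate_checks(server: dict) -> list:
    """Run both checks and return (title, observed value, passed) for each."""
    results = []
    for title, var, (mode, expected) in APPLICABILITY_CHECKS:
        _, value = show_variable(server, var)
        if mode == "regex":
            # Assumption: Tenable's regex match is anchored at the start of the value.
            passed = re.match(expected, value) is not None
        else:
            passed = value == expected
        results.append((title, value, passed))
    return results


def audit_applicable(server: dict) -> bool:
    """The audit only runs when every applicability check passes."""
    return all(passed for _, _, passed in evaluate_checks(server))


def first_blocking_check(server: dict):
    """Name of the first failing check, or None when the audit would run."""
    for title, _, passed in evaluate_checks(server):
        if not passed:
            return title
    return None


if __name__ == "__main__":
    for name, server in SERVERS.items():
        print(f"{name}: applicable={audit_applicable(server)}, "
              f"blocked by={first_blocking_check(server)}")
```

On the community 8.2 server the version check passes but the license check returns GPL, so the whole audit is skipped; on the 9.3 server it is already the version check that fails. If a scan against a community server reports no compliance results at all, this gate is the first thing to confirm before suspecting credentials or ports.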



Scanning user's Credentials Permissions:

https://docs.tenable.com/nessus/compliance-checks-reference/Content/MySQLComplianceChecks.htm

  • mysql> CREATE USER 'scan_user'@'host';
    • connect from 'host' this machine
  • mysql> CREATE USER 'new_user'@'localhost' IDENTIFIED BY 'new_password';
    • connect from only localhost
  • mysql> DROP USER 'scan_user'@'host';
  • mysql> CREATE USER 'scan_user'@'%' IDENTIFIED BY 'DB_Password1234!';
  • MySQL: log in with an account with global select privileges, then grant select on all databases to the scan user.
    Example: mysql> GRANT SELECT ON *.* TO 'scan_user'@'%';




Troubleshooting

Testing MySQL Port:

PS C:\Users\NETSEC> Test-NetConnection -port 30334 -Computername "dbprovider.us-east-1.clawcloudrun.com"

ComputerName     : dbprovider.us-east-1.claw.com
RemoteAddress    : 47.91.114.12
RemotePort       : 30334
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.0.9
TcpTestSucceeded : True

MySQL Shell Connect from Windows

MySQL  JS > \connect [email protected]
Creating a session to '[email protected]'
Please provide the password for '[email protected]': ****************
Save password for '[email protected]'? [Y]es/[N]o/Ne[v]er (default No): yes
Fetching schema names for auto-completion... Press ^C to stop.
Your MySQL connection id is 10060431
Server version: 8.0.40-azure Source distribution
No default schema selected; type \use <schema> to set one.
MySQL  mysql-test.mysql.database.azure.com:3306 ssl  JS >

Run MySQL Docker

Some commands to run a MySQL Docker container:

docker pull mysql:8.2

docker run --name test-mysql -e MYSQL_ROOT_PASSWORD=Password1234! -d mysql
docker run --name test-mysql -e MYSQL_ROOT_PASSWORD=Password1234! -d mysql:8.2

docker run -p 3306:3306 --name test-mysql -e MYSQL_ROOT_PASSWORD=JonNetsecPassword1234! -d mysql:8.2


docker exec -it test-mysql bash

$ mysql -u root -p
Enter password: ...
mysql>

mysql> status
--------------
mysql  Ver 9.3.0 for Linux on x86_64 (MySQL Community Server - GPL)

Connection id:          9
Current database:
Current user:           root@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         9.3.0 MySQL Community Server - GPL
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:            /var/run/mysqld/mysqld.sock
Binary data as:         Hexadecimal
Uptime:                 3 min 14 sec

Threads: 2  Questions: 6  Slow queries: 0  Opens: 119  Flush tables: 3  Open tables: 38  Queries per second avg: 0.030
--------------

mysql>
mysql> select version();
+-----------+
| version() |
+-----------+
| 8.2.0     |
+-----------+
1 row in set (0.01 sec)

mysql> SELECT * FROM mysql.user;




Videos

 

Execute Database (MySQL) Compliance Check Using Tenable Nessus:


