Tenable Compliance Audits Scan (MySQL DB, Credit Card Data, etc)

Tenable Vulnerability Management can perform vulnerability scans of network services as well as log in to servers to discover any missing patches. However, a lack of vulnerabilities does not mean the servers are configured correctly or are “compliant” with a particular standard.

You can use Tenable Vulnerability Management to perform vulnerability scans and compliance audits to obtain all of this data at one time. If you know how a server is configured, how it is patched, and what vulnerabilities are present, you can determine measures to mitigate risk.

When configuring a scan or policy, you can include one or more compliance checks, also known as audits. Each compliance check requires specific credentials.

Some compliance checks are preconfigured by Tenable, but you can also create and upload custom audits.

For more information on compliance checks and creating custom audits, see the Compliance Checks Reference.

https://docs.tenable.com/vulnerability-management/Content/Scans/Compliance.htm

Credit Card Data Scanning

Note: https://community.tenable.com/s/question/0D53a00008SyrMgCAJ/credit-card-data-scanning?language=en_US

1. Click New Scan button.
2. Click Policy Compliance Auditing template.
3. Fill out Settings and Credentials for what target you want to scan.
4. Click on Compliance tab.
5. Filter the categories on Unix File Contents or Windows File Contents based on what your target is.
6. Find the TNS File Analysis - Credit Card Number entry and click on it to add to the right pane.
7. Save or Launch your scan.

Using American Express as an example... the check has the following rules in it.

1. file_extension : "pdf" | "doc" | "xls" | "xlsx" | "xlsm" | "xlsb" | "xml" | "xltx" | "xltm" | "docx" | "docm" | "dotx" | "dot" | "txt"
2. regex : "([^0-9-]|^)(3[47][0-9]{2}( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)"
3. expect : "American Express" | "CCAX" | "amex" | "credit" | "AMEX" | "CCN"
4. max_size : "50K"

• It must be a file with the listed file_extension
• Content somewhere in the file must match the regex.
• One of the expect keywords must also exist in the file.
• All of these must exist in the first 50k bytes of the file.

I have a text file which contain the following data

CCN# 1122-3344-5566-7788

CCN 1122-3344-5566-7788

American Express 1133-2244-5566-7788

American Express 3714-4963-5398-431

American Express 371449635398431

 

and audit file have the following configuration

<item>

 type      : FILE_CONTENT_CHECK

 description  : "PII - Determine if a file contains a valid American Express credit card number."

 file_extension : "pdf" | "doc" | "xls" | "xlsx" | "xlsm" | "xlsb" | "xml" | "xltx" | "xltm" | "docx" | "docm" | "dotx" | "dot" | "txt"

 regex     : "([^0-9-]|^)(3[47][0-9]{2}( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)"

 regex_replace : "\3"

 expect     : "American Express" | "CCAX" | "amex" | "credit" | "AMEX" | "CCN"

 max_size    : "50K"

 only_show   : "4"

</item>

Search 'nessus' on text file

<check_type:"WindowsFiles">

<item>

type       : FILE_CONTENT_CHECK

description   : "Text File that Contains the word Nessus"

file_extension  : "txt"

expect      : "Nessus"

include_paths  : "D:\" 

</item>

</check_type>

MySQL DB Compliance Scan

Tenable Nessus: 

1 Create a New Scan Using Advanced Scan Template

2 Add your target(s) using fqdn or ip

3 Customize Port Scan Range if your MySQL DB is using a custom port

In this screenshot, I am using port 30334 as an example for this MySQL DB

4 Create database credential

5 Add Latest Download MYSQL Comliance Audit File

6 Save then launch scan

7 Check Compliance Result

The CIS benchmark that was published was specified for MySQL Enterprise, and did not contain any recommendations for community versions.

 

The audit has 2 checks to see if it is relevant for the target you are scanning:

• MySQL 8.0 is installed - runs `show variables like 'version' ;` and looks for '"version", regex:"8\..*"'
• MySQL 8.0 Enterprise Edition is installed - runs `show variables like 'license' ;` and looks for '"license", "Commercial"'

 

That 2nd check is most likely blocking the audit from running on your system, assuming you do not have a licensed version.

 

If you would like to attempt running the audits on that target, you can do the following:

• download the audit files from https://www.tenable.com/audits/CIS_MySQL_8.0_Enterprise_Benchmark_v1.2.0_Level_1_DB and https://www.tenable.com/audits/CIS_MySQL_8.0_Enterprise_Benchmark_v1.2.0_Level_2_DB
• find the `<custom_item>` that has a "description" of "MySQL 8.0 Enterprise Edition is installed" and comment it out by placing "#" in front of all lines starting with `<custom_item>` and ending with `</custom_item>`.
• upload the audit files to your scan policy as "custom uploads"
• launch a scan with your custom audits.

Troubleshooting

 Testing MySQL Port :

PS C:\Users\NETSEC> Test-NetConnection -port 30334 -Computername "dbprovider.us-east-1.clawcloudrun.com"                                                                                                                                                                                                                                                            ComputerName     : dbprovider.us-east-1.claw.com
RemoteAddress    : 47.91.114.12
RemotePort       : 30334
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.0.9
TcpTestSucceeded : True

MYSQL Shell Connect from Windows

MySQL  JS > \connect [email protected]
Creating a session to '[email protected]'
Please provide the password for '[email protected]': ****************
Save password for '[email protected]'? [Y]es/[N]o/Ne[v]er (default No): yes
Fetching schema names for auto-completion... Press ^C to stop.
Your MySQL connection id is 10060431
Server version: 8.0.40-azure Source distribution
No default schema selected; type \use <schema> to set one.
MySQL  mysql-test.mysql.database.azure.com:3306 ssl  JS >

Videos

 

References