Tenable Solutions

Configuration Auditing

Tenable's Nessus vulnerability scanner can be used to audit the settings and configuration of operating systems, applications, databases and network devices. Unlike vulnerability testing, an audit policy is used to check various values to ensure that they are configured to the correct policy. Example policies for auditing include password complexity, ensuring the logging is enabled and testing that anti-virus software is installed properly.

Many of Tenable's audit policies have been certified by the US Government or Center for Internet Security to ensure that Nessus accurately tests for best practice and required configuration settings.

Configuration auditing is a key component of Tenable Network Security's Unified Security Monitoring approach. When combined with vulnerability scanning and real-time monitoring with the Tenable Passive Vulnerability Scanner (PVS) and Tenable Log Correlation Engine (LCE), Tenable SecurityCenter offers some powerful features such as:

  • Detecting system change events in real-time and then performing a configuration audit
  • Ensuring that logging is configured correctly for Windows and Unix hosts
  • Auditing the configuration of a web application's operating system, application and SQL database

Audit policies may also be deployed to search for documents that contain sensitive data such as credit card or Social Security numbers.

A basic tenet of most IT management practices is to minimize variance. Even though your organization may consist of certain types of operating systems and hardware, small changes in drivers, software, security policies, patch updates and sometimes even usage can have dramatic effects on the underlying configuration. As time goes by, these servers and desktop computers can have their configuration drift further away from a "known good" standard, which makes maintaining them more difficult.

Application Auditing

Configuration settings of applications such as web servers and anti-virus can be tested against a policy.

Content Auditing

Office documents and files can be searched for credit card numbers and other sensitive content.

Database Auditing

SQL database settings as well as setting so the host operating systems can be tested for compliance.

Operating System Auditing

Access control, system hardening, error reporting, security settings and more can be tested against many types of industry and government policies.

Router Auditing

Authentication, security and configuration settings can be audited against a policy.