
Steps involved in configuration review, and some of the weaknesses found in configuration reviews.

There are two approaches we can follow while performing configuration review:

  • Automated Approach using Nessus:

1. Tool Configuration: Install Nessus on the system and configure it for the specific environment. Ensure Nessus is regularly updated with the latest plugins and definitions for accurate assessments.


2. Select Technology: Identify the technology (e.g., PHP, MySQL, Ubuntu, Apache, etc.) for which you want to perform the configuration review.


3. Run Nessus Scan: Launch Nessus and select the appropriate configuration review template based on the CIS benchmark for the identified technology. Initiate a scan to analyze the system's configuration.


4. Review Results: Analyze the results generated by Nessus, which will provide a list of potential configuration weaknesses. Pay attention to severity levels (FAILED and WARNING) and prioritize findings accordingly.


5. Manual Verification: Manually verify the results to eliminate false positives and confirm the accuracy of identified issues. Cross-reference the Nessus findings with the specific sections of the CIS benchmark for additional validation.


6. Report Writing: Mention all the FAILED and WARNING severity findings in the report after eliminating the false positives provided by the automated tool.


7. Address Findings: Develop a plan to address and remediate the weaknesses identified during the automated scan. Implement changes to align the system with the recommended configurations.


  • Manual Approach following CIS Benchmarks:

1. Identify Technology and Version: Determine the version of the technology in use (e.g., PHP, MySQL, Ubuntu, Apache, etc.) on the system.


2. Access CIS Benchmarks: Obtain the relevant CIS benchmark documentation for the identified technology and version.


3. Review Benchmark Documentation: Thoroughly study the CIS benchmark documentation, focusing on recommended best practices and security configurations. Understand the specific configuration settings and security guidelines provided.


4. Manual Configuration Review: Manually review the system's configuration settings based on the guidelines outlined in the CIS benchmark. Compare the current configuration against the recommended settings and note any deviations.


5. Document Findings: Document the findings, including any discrepancies or weaknesses identified during the manual review. Clearly outline the steps taken and the specific configurations that need attention.


6. Address Configuration Gaps: Develop a plan to address and rectify the configuration gaps identified during the manual review. Implement changes to align the system with the recommended configurations from the CIS benchmark.


7. Validation: Test and validate the changes made to ensure they do not adversely affect the system's functionality or security. Confirm that the system now adheres to the recommended configurations outlined in the CIS benchmark.


Here is an example of an issue discovered using a CIS benchmark:

While performing a configuration review of AWS using the CIS Benchmark, we came across an issue which, if exploited, could have had a serious impact. The root user is the most privileged account. If the root user is compromised, an entire organization’s infrastructure could be compromised. That is why it is very important for the root user to set up Multi-Factor Authentication (MFA), so that even in case of a breach, an attacker will not be able to gain access to the root user account. This configuration is listed in the document “CIS Amazon Web Services Foundations Benchmark v2.0.0” under section 1.5. The CIS Benchmark document gives the issue description, the rationale and the steps to find the issue. Because the steps are spelled out, it is easy for system admins to understand where an issue found in a configuration review with the CIS Benchmark lies. Given below is an example of how the Benchmark looks:
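
Separately from the benchmark excerpt, the root MFA check from section 1.5 can also be scripted as part of the manual review. The following is an added example, not code from the original post or from the CIS document: it evaluates the output of `aws iam get-account-summary` together with the `<root_account>` row of the IAM credential report, and returns WARNING when the sources are missing or disagree so the finding goes to manual verification. The sample data is constructed and the function names are hypothetical.

```python
import csv
import io
import json

# Constructed sample of `aws iam get-account-summary` output (not a real account).
SAMPLE_SUMMARY = '{"SummaryMap": {"AccountMFAEnabled": 0, "Users": 12, "MFADevices": 3}}'

# Constructed sample of the decoded IAM credential report, trimmed to the columns used.
SAMPLE_REPORT = (
    "user,arn,mfa_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,false\n"
    "alice,arn:aws:iam::111122223333:user/alice,true\n"
)


def mfa_from_summary(summary_json):
    """True/False from SummaryMap.AccountMFAEnabled (1 = enabled); None if absent."""
    value = json.loads(summary_json).get("SummaryMap", {}).get("AccountMFAEnabled")
    return None if value is None else value == 1


def mfa_from_report(report_csv):
    """True/False from mfa_active on the <root_account> row; None if not found."""
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") == "<root_account>":
            flag = (row.get("mfa_active") or "").strip().lower()
            return {"true": True, "false": False}.get(flag)
    return None


def check_root_mfa(summary_json, report_csv):
    """Return (status, note) with status PASSED, FAILED or WARNING."""
    evidence = {
        "get-account-summary": mfa_from_summary(summary_json),
        "credential report": mfa_from_report(report_csv),
    }
    seen = {v for v in evidence.values() if v is not None}
    if len(seen) != 1:
        # No usable evidence, or the two sources disagree: verify manually.
        return "WARNING", f"inconclusive, verify manually: {evidence}"
    if seen.pop():
        return "PASSED", "root MFA enabled according to every available source"
    return "FAILED", "root user has no MFA device enabled"


if __name__ == "__main__":
    print(check_root_mfa(SAMPLE_SUMMARY, SAMPLE_REPORT))
```

A FAILED or WARNING result here is recorded in the report in the same way as the scanner findings described in the steps above.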

