Tenable Research Release Highlights

Forum Discussion

Anonymous
5 years ago


Middleware Enumeration and Compliance Auditing

Summary

This feature greatly simplifies middleware compliance auditing, expands detection and brings reporting of multiple middleware instances to the product.

Change

The middleware detection plugins have been updated to run the find command, check running processes and, in select cases, parse directory information from configuration files.  

Enabling the 'Perform thorough tests' setting will allow the find command to run extensive searches, including longer timeouts and a higher depth limit (possibly unrestricted). If this setting is not enabled, the search will be limited to default locations with a shorter timeout and lower depth limit. A new Advanced policy setting in Nessus, Tenable.io, and Tenable.sc named "Include Filepath" is being added under Unix find command Options. This new setting allows you to add paths that are not covered by the default search paths, so that they are also searched for applications when the 'find' command runs. See the Advanced Scan Settings section of the product documentation for more information and recommendations.

Audits have been updated to use this expanded detection logic from the new Middleware Configuration Detection (Linux / Unix) plugin. This is the plugin responsible for running and storing the middleware data within the database. The audits pull the data and run an audit on each of the installed instances.

Impact

Customers should see increased detection of middleware within their environment, simplified configuration for compliance auditing and reporting of multiple instances with path information.

Compliance audits effectively have 2 types of variables in use:

  • Utility variables to assist in the acquisition of data
  • Value variables to compare against a configured system

Utility variable values will no longer be required within the Audit file, but rather retrieved during the evaluation of the detection plugin. Value variables will still need to be defined for the audit checks to successfully return.

Scan results are returned for each application instance that is discovered on the target. If the scan target contains multiple instances, then the path will be populated in the scan output. For instance, if there are multiple instances of Apache Tomcat on a scan target you may return results like the following:

  

From the example above, there are two Tomcat instances discovered on this target. One instance is using config files discovered at path "/opt/tomcat/apache-tomcat-9.0.40/conf/server.xml" while the other is using path "/usr/share/tomcat/conf/server.xml".

NOTE: Some audits are using conditionals that include platform checks. In those cases, only the instances and versions which match the platform check will be included in the scan results. 

Affected Plugins 

  • Middleware Configuration Detection (Linux / Unix) (143443)
  • Apache HTTP Server (141394)
  • Apache Tomcat (130175)
  • Oracle Weblogic Server (73913)
  • IBM WebSphere Application Server (143265)
  • IBM HTTP Server (143441)

Affected Audits

  • CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware
  • CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware
  • CIS Apache HTTP Server 2.4 L1 v1.5.0 Middleware
  • CIS Apache HTTP Server 2.4 L2 v1.5.0 Middleware
  • DISA STIG Apache Server 2.2 Unix v1r11 Middleware
  • DISA STIG Apache Site 2.2 Unix v1r11 Middleware
  • DISA STIG Apache Server 2.4 Unix Server v2r1 Middleware
  • DISA STIG Apache Server 2.4 Unix Site v1r1 Middleware
  • CIS Apache Tomcat 7 L1 v1.1.0 Middleware
  • CIS Apache Tomcat 7 L2 v1.1.0 Middleware
  • CIS Apache Tomcat 8 L1 v1.1.0 Middleware
  • CIS Apache Tomcat 8 L2 v1.1.0 Middleware
  • CIS Apache Tomcat 9 L1 v1.0.0 Middleware
  • CIS Apache Tomcat 9 L2 v1.0.0 Middleware
  • DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware
  • Oracle WebLogic Server 12c v1r6 Middleware
  • TNS IBM HTTP Server Best Practice Middleware

Target Release Date

23 Dec 2020* 

* The new middleware audit functionality is supported in Tenable.sc 5.17 and higher.

----------------------------------------------------------------------------------------------------

Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.
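
The effect of the depth limit and the "Include Filepath" setting described under Change, as an added example that is not Tenable's plugin code: a bounded `find` run over a constructed sandbox tree, showing which Tomcat instances a shallow search misses. The default paths, depth limits, timeouts and the `srv/apps` location are assumptions chosen for illustration; only the two `server.xml` paths come from the post.

```shell
#!/bin/sh
# Added example: bounded 'find' search for Tomcat configs. All limits and
# default paths below are assumptions for illustration, not Tenable's values.
DEFAULT_PATHS="usr/share opt"   # constructed "default locations"

# find_tomcat_configs ROOT MAXDEPTH TIMEOUT_SECS [INCLUDE_PATH...]
# Prints one line per discovered instance config, relative to ROOT.
find_tomcat_configs() {
  root=$1; depth=$2; secs=$3; shift 3
  runner=""
  # Bound the runtime of each search when 'timeout' is available.
  command -v timeout >/dev/null 2>&1 && runner="timeout $secs"
  for p in $DEFAULT_PATHS "$@"; do
    [ -d "$root/$p" ] || continue
    $runner find "$root/$p" -maxdepth "$depth" -type f \
      -path '*/conf/server.xml' 2>/dev/null || true
  done | sed "s|^$root||" | LC_ALL=C sort -u
}

# Build a throwaway tree (constructed sample) so nothing on the host is scanned.
make_sandbox() {
  sb=$(mktemp -d)
  for d in usr/share/tomcat opt/tomcat/apache-tomcat-9.0.40 srv/apps/tomcat8; do
    mkdir -p "$sb/$d/conf" && : > "$sb/$d/conf/server.xml"
  done
  echo "$sb"
}

sb=$(make_sandbox)
echo "default (depth 3):";       find_tomcat_configs "$sb" 3 5
echo "thorough (depth 6):";      find_tomcat_configs "$sb" 6 30
echo "thorough + include path:"; find_tomcat_configs "$sb" 6 30 srv/apps
rm -rf "$sb"
```

An instance that the shallow search does not reach produces no audit result at all, so comparing the reported instance paths against a known inventory is a useful check after changing these settings.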
