Multi-line Scripts in Windows and Unix Audits
Change Summary:
A pair of changes has recently been published that will make the conversion of custom audit scripts to the Tenable audit language a bit easier.
For Windows PowerShell scripts, the AUDIT_POWERSHELL check type can now include a multi-line script placed in the “powershell_args” field of the check item. This change allows the user to paste a script into the audit file, wrapped in single quotes, and only have to escape the single quotes inside the script with a backslash.
For Unix shell scripts, the CMD_EXEC check type can also include multi-line shell scripts. A shell script can be put into the “cmd” field of the check item, wrapped in double quotes, with the existing backslashes and double quotes in the script escaped with a backslash.
Potential Impacts:
Although the scripts are now able to be inserted into an audit file with little change, existing protections on commands that can be run are still enforced.
For Windows PowerShell, there is a limit to the size of the script that can be pasted. The limit is just under 8kb characters when encoded with Base64.
The functionality uses Base64 encoding to transfer the scripts to the targets more consistently. For Windows PowerShell, Base64 support is built in as a native feature, but for the Unix functionality, an openssl or base64 package must be installed and available in the scanning user’s path on the target host.
Target Release Date:
August 2, 2021
Additional Notes:
To support the conversion of a directory of PowerShell and shell scripts, a utility has been created that can assist in the creation of an audit file. The utility is located at https://github.com/tenable/audit_scripts/tree/master/batch_create
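The escaping rules and the PowerShell size limit described above can be checked before a script is pasted into an audit file. The following is an added example, not Tenable's code and not the batch_create utility: the function names, the 8192-character ceiling, and the UTF-16LE encoding are assumptions, and the sample scripts are constructed.

```python
import base64

# Assumed ceiling: the page only says "just under 8kb characters" after Base64.
ASSUMED_B64_LIMIT = 8192


def powershell_args_value(script: str) -> str:
    """Wrap a PowerShell script for the powershell_args field.

    Per the page: wrap in single quotes, backslash-escape only single quotes.
    """
    return "'" + script.replace("'", "\\'") + "'"


def cmd_value(script: str) -> str:
    """Wrap a shell script for the cmd field of a CMD_EXEC item.

    Backslashes are escaped first; escaping quotes first would double the
    backslashes that were just added in front of each quote.
    """
    escaped = script.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def powershell_b64_length(script: str) -> int:
    """Length of the script after Base64 encoding.

    Assumption: UTF-16LE input, as powershell.exe -EncodedCommand expects;
    the page does not say which encoding the scanner uses.
    """
    return len(base64.b64encode(script.encode("utf-16-le")))


def fits_powershell_limit(script: str, limit: int = ASSUMED_B64_LIMIT) -> bool:
    """True when the encoded script stays under the assumed ceiling."""
    return powershell_b64_length(script) < limit


# Constructed sample scripts (not from the page).
PS_SAMPLE = "$svc = Get-Service -Name 'Spooler'\nWrite-Output $svc.Status"
SH_SAMPLE = 'grep -E "^root:" /etc/passwd | \\\n  awk -F: \'{print $7}\''

if __name__ == "__main__":
    print("powershell_args : " + powershell_args_value(PS_SAMPLE))
    print("cmd : " + cmd_value(SH_SAMPLE))
    print("Base64 length:", powershell_b64_length(PS_SAMPLE))
```

Because UTF-16LE doubles the byte count before Base64 adds its own overhead, under these assumptions a script of only about 3,000 characters already reaches the ceiling.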