Advanced Scan Settings
Excluding Docker directories in Log4j Linux/Unix detection

Summary
The local log4j detection plugin for Linux/Unix will now exclude two directories used by Docker services to store containers.

Change
Before this update, plugin 156000, Apache Log4j Installed (Linux / Unix), would detect log4j JAR files on an asset's filesystem using several methods, including using the find command to search for known filename patterns. If the scan target was running the Docker service and hosted containers that contain log4j JAR files, the plugin would detect those files and attribute them to the host instead of to the container. These findings are the result of examining the Docker image layers stored on the host filesystem. Because guest containers are often treated as machines separate from their host, customers regarded these results as false positives.

After this update, two directories used by the Docker service to store containers are excluded by default from the find command's search path:
  /var/lib/containerd
  /var/lib/docker/overlay2
As a result, the plugin will not detect log4j JAR files in these directories. If you want to scan these directories for log4j JAR files, the Include Filepath option in the Advanced Scan Settings configuration can be used to force scanning of these paths. It is found under the Scan Policy Advanced Options. A note of caution: overriding the default behavior could affect scan performance, or produce findings that cannot be remediated on the host because the files live inside a managed container. Tenable Cloud Security is designed to secure container images and provide pre-deployment validation.

Impact
Scans that use a default configuration may report fewer log4j detections from Linux/Unix assets that host a Docker service.

Plugins
156000 - Apache Log4j Installed (Linux / Unix)

Target Release Date
September 9, 2024
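The following is an added illustration, not Tenable's plugin code: it mimics the post-update default of pruning the two Docker storage directories from a find-based log4j JAR search, and the Include Filepath override that forces those paths back in. The filename pattern, the ROOT prefix (so it can run against a constructed tree rather than the real filesystem) and the sample JAR names are assumptions for the demo.

```shell
#!/bin/sh
# Added illustration (not plugin 156000 itself). The filename pattern is a
# simplified stand-in for the plugin's "known filename patterns".

# find_log4j ROOT [INCLUDE_PATH ...]
# ROOT is a directory prefix without a trailing slash (assumed for the demo).
# Default search: /var/lib/containerd and /var/lib/docker/overlay2 under ROOT
# are pruned. Each INCLUDE_PATH (absolute, relative to ROOT) is then searched
# explicitly, which is what the Include Filepath policy setting does.
find_log4j() {
    root="$1"; shift
    find "$root" \
        \( -path "$root/var/lib/containerd" -o -path "$root/var/lib/docker/overlay2" \) -prune \
        -o -type f -name 'log4j*.jar' -print
    for inc in "$@"; do
        if [ -d "$root$inc" ]; then
            find "$root$inc" -type f -name 'log4j*.jar'
        fi
    done
}

# Build a constructed tree: one host-installed JAR and one inside a Docker
# overlay2 layer (layer id is a placeholder, JAR name is a sample value).
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/opt/app/lib" \
             "$demo/var/lib/docker/overlay2/LAYER_ID_PLACEHOLDER/diff/app/lib"
    : > "$demo/opt/app/lib/log4j-core-2.14.1.jar"
    : > "$demo/var/lib/docker/overlay2/LAYER_ID_PLACEHOLDER/diff/app/lib/log4j-core-2.14.1.jar"
    printf '%s\n' "$demo"
}

# Number of hits with the default exclusions (host JAR only).
count_default() { find_log4j "$1" | wc -l | tr -d ' '; }

# Number of hits when overlay2 is added back via Include Filepath.
count_with_include() { find_log4j "$1" /var/lib/docker/overlay2 | wc -l | tr -d ' '; }
```

Run `d=$(make_demo_tree); count_default "$d"; count_with_include "$d"` to see the default search report one JAR and the override report both.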
Middleware Enumeration and Compliance Auditing

Summary
This feature greatly simplifies middleware compliance auditing, expands detection and brings reporting of multiple middleware instances to the product.

Change
The middleware detection plugins have been updated to run the find command, check running processes and, in select cases, parse directory information from configuration files. Enabling the 'Perform thorough tests' setting allows the find command to run extensive searches with longer timeouts and a higher depth limit (possibly unrestricted). If this setting is not enabled, the search is limited to default locations with a shorter timeout and a lower depth limit.

A new Advanced policy setting in Nessus, Tenable.io, and Tenable.sc named "Include Filepath" is being added under Unix find command Options. This setting lets you add paths not covered by the default search paths, so that they are also searched for applications when the find command runs. See the Advanced Scan Settings section of the product documentation for more information and recommendations.

Audits have been updated to use this expanded detection logic from the new Middleware Configuration Detection (Linux / Unix) plugin. This is the plugin responsible for running the detection and storing the middleware data within the database. The audits pull that data and run an audit on each of the installed instances.

Impact
Customers should see increased detection of middleware within their environment, simplified configuration for compliance auditing, and reporting of multiple instances with path information.

Compliance audits effectively use two types of variables:
  Utility variables, which assist in the acquisition of data
  Value variables, which are compared against the configured system
Utility variable values will no longer be required within the audit file; they are retrieved during the evaluation of the detection plugin. Value variables still need to be defined for the audit checks to return successfully.
Scan results are returned for each application instance discovered on the target. If the scan target contains multiple instances, the path is populated in the scan output. For instance, if there are multiple instances of Apache Tomcat on a scan target, you may see results like the following. In that example, two Tomcat instances are discovered on the target: one uses config files found at path "/opt/tomcat/apache-tomcat-9.0.40/conf/server.xml" while the other uses path "/usr/share/tomcat/conf/server.xml".

NOTE: Some audits use conditionals that include platform checks. In those cases, only the instances and versions which match the platform check are included in the scan results.

Affected Plugins
  Middleware Configuration Detection (Linux / Unix) (143443)
  Apache HTTP Server (141394)
  Apache Tomcat (130175)
  Oracle Weblogic Server (73913)
  IBM WebSphere Application Server (143265)
  IBM HTTP Server (143441)

Affected Audits
  CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware
  CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware
  CIS Apache HTTP Server 2.4 L1 v1.5.0 Middleware
  CIS Apache HTTP Server 2.4 L2 v1.5.0 Middleware
  DISA STIG Apache Server 2.2 Unix v1r11 Middleware
  DISA STIG Apache Site 2.2 Unix v1r11 Middleware
  DISA STIG Apache Server 2.4 Unix Server v2r1 Middleware
  DISA STIG Apache Server 2.4 Unix Site v1r1 Middleware
  CIS Apache Tomcat 7 L1 v1.1.0 Middleware
  CIS Apache Tomcat 7 L2 v1.1.0 Middleware
  CIS Apache Tomcat 8 L1 v1.1.0 Middleware
  CIS Apache Tomcat 8 L2 v1.1.0 Middleware
  CIS Apache Tomcat 9 L1 v1.0.0 Middleware
  CIS Apache Tomcat 9 L2 v1.0.0 Middleware
  DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware
  Oracle WebLogic Server 12c v1r6 Middleware
  TNS IBM HTTP Server Best Practice Middleware

Target Release Date
23 Dec 2020*

* The new middleware audit functionality is supported in Tenable.sc 5.17 and higher.
----------------------------------------------------------------------------------------------------
Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.