CIS

New Snowflake Compliance Plugin and Audit files

Summary

Customers can now measure compliance against the Snowflake Platform with the new plugin Snowflake Compliance Checks (plugin ID 206112) on Tenable Vulnerability Management and Nessus. This plugin is published as part of the Audit Cloud Infrastructure compliance template and uses a new credential type, Snowflake API. The plugin retrieves all target data through the Snowflake SQL API and evaluates the actual values against a given audit policy.

Two audits implementing the CIS benchmark will be released along with the plugin:

- CIS Snowflake Foundations v1.0.0 Level 1
- CIS Snowflake Foundations v1.0.0 Level 2

These audits contain a total of 39 checks across the 2 profiles, 20 of which are fully automated. Some examples include:

Identity and Access Management
- 1.2 Ensure Snowflake SCIM integration is configured to automatically provision and deprovision users and groups (i.e. roles)
- 1.7 Ensure authentication key pairs are rotated every 180 days
- 1.8 Ensure that users who did not log in for 90 days are disabled

Data Protection
- 4.1 Ensure yearly rekeying is enabled for a Snowflake account
- 4.5 Ensure that the REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION account parameter is set to true

Additional Notes

For those interested in creating custom audit content for their environment, the audit supports the following structure:

    <check_type: "Snowflake">
    <custom_item>
      type        : SQL_POLICY
      description : "Ensure yearly rekeying is enabled for a Snowflake account"
      sql_request : "SHOW PARAMETERS LIKE 'PERIODIC_DATA_REKEYING' IN ACCOUNT;"
      sql_types   : REGEX, REGEX, REGEX_OR_NULL, REGEX_OR_NULL, REGEX_OR_NULL, REGEX_OR_NULL
      sql_expect  : "PERIODIC_DATA_REKEYING", "true", ".*", ".*", ".*", ".*"
    </custom_item>
    </check_type>

The 'sql_request' tag contains the SQL statement executed through the Snowflake REST API endpoint. The 'sql_expect' tag evaluates the returned data for a passing or failing result.

Target Release Date

Immediate
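The following is an added example (not code from Tenable or from the plugin) of how a check written in the structure above can be evaluated against rows returned by the Snowflake SQL API. It assumes the per-column semantics of the sql_types keywords: REGEX requires a non-null value that fully matches the pattern, while REGEX_OR_NULL also accepts a SQL NULL; the sample API responses are constructed.

```python
import json
import re
from typing import Optional, Sequence

# sql_types keywords from the audit format. Their semantics are an assumption
# for this example: REGEX needs a non-null value that fully matches the pattern,
# REGEX_OR_NULL additionally accepts a SQL NULL in that column.
REGEX = "REGEX"
REGEX_OR_NULL = "REGEX_OR_NULL"


def column_passes(value: Optional[str], pattern: str, sql_type: str) -> bool:
    if value is None:
        return sql_type == REGEX_OR_NULL
    return re.fullmatch(pattern, value) is not None


def row_passes(row: Sequence[Optional[str]], sql_types: Sequence[str],
               sql_expect: Sequence[str]) -> bool:
    # A row with an unexpected column count cannot satisfy the policy.
    if not (len(row) == len(sql_types) == len(sql_expect)):
        return False
    return all(column_passes(v, p, t) for v, p, t in zip(row, sql_expect, sql_types))


def evaluate_check(rows, sql_types, sql_expect) -> str:
    # Fail closed: an empty result set proves nothing about the account setting.
    if not rows:
        return "FAILED"
    return "PASSED" if all(row_passes(r, sql_types, sql_expect) for r in rows) else "FAILED"


def rows_from_sql_api(response_body: str):
    # The SQL API returns result rows under "data" as lists of strings, NULL as null.
    return json.loads(response_body).get("data", [])


# The check from the audit structure above (recommendation 4.1).
SQL_TYPES = [REGEX, REGEX, REGEX_OR_NULL, REGEX_OR_NULL, REGEX_OR_NULL, REGEX_OR_NULL]
SQL_EXPECT = ["PERIODIC_DATA_REKEYING", "true", ".*", ".*", ".*", ".*"]

# Constructed sample responses (columns: key, value, default, level, description, type).
COMPLIANT_RESPONSE = json.dumps({"data": [
    ["PERIODIC_DATA_REKEYING", "true", "false", "ACCOUNT", None, "BOOLEAN"]]})
NONCOMPLIANT_RESPONSE = json.dumps({"data": [
    ["PERIODIC_DATA_REKEYING", "false", "false", None, None, "BOOLEAN"]]})

if __name__ == "__main__":
    for name, body in (("compliant", COMPLIANT_RESPONSE), ("noncompliant", NONCOMPLIANT_RESPONSE)):
        print(name, evaluate_check(rows_from_sql_api(body), SQL_TYPES, SQL_EXPECT))
```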
New CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 Audits

Summary

Customers can now measure compliance against the latest version of this CIS benchmark:

- Ubuntu Linux 24.04 v1.0.0

The new audit files include Level 1 Server, Level 2 Server, Level 1 Workstation, and Level 2 Workstation profiles. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

The v1.0.0 benchmarks and audits include updates to several checks in the following sections:

1.5 Configure Additional Process Hardening
This section has been updated to improve several additional hardening checks, such as:
- 1.5.1 Ensure address space layout randomization is enabled
- 1.5.2 Ensure ptrace_scope is restricted
- 1.5.3 Ensure core dumps are restricted

2 Services
Updated recommendations for service checks:
- 2.2.4 Ensure telnet client is not installed
- 2.2.6 Ensure ftp client is not installed
- 2.1.4 Ensure dns server services are not in use

5.1 Configure SSH Server
Updated recommendations for additional SSH settings:
- 5.1.2 Ensure permissions on SSH private host key files are configured
- 5.1.17 Ensure sshd MaxSessions is configured

6 Logging and Auditing
Updated recommendations for the logging and auditing section:
- 6.1.2.1.1 Ensure systemd-journal-remote is installed
- 6.1.2.3 Ensure journald Compress is configured
- 6.1.3.4 Ensure rsyslog log file creation mode is configured

There are many more changes and updates in these versions. Please review the CIS benchmark changelog for additional information.

Tenable Audits
- CIS Ubuntu Linux 24.04 v1.0.0 - Level 1 Server
- CIS Ubuntu Linux 24.04 v1.0.0 - Level 2 Server
- CIS Ubuntu Linux 24.04 v1.0.0 - Level 1 Workstation
- CIS Ubuntu Linux 24.04 v1.0.0 - Level 2 Workstation

Target Release Date

Immediate
New CIS Microsoft SQL Server 2019 Benchmark v1.0.0

Summary

Customers can now measure compliance against the latest major version of Microsoft SQL Server with the new CIS Microsoft SQL Server 2019 audits. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

Tenable Benchmarks
- CIS Microsoft SQL Server 2019 Database Engine L1 v1.0.0
- CIS Microsoft SQL Server 2019 AWS RDS L1 v1.0.0

Target Release Date

9 Mar 2020

Additional Notes: This audit includes a profile for Level 1 - Database Engine along with Level 1 - Workstation AWS RDS.

__________________________________

Tenable Research Release Highlights are posted in advance of significant new releases or updates to existing plugins or audit files that are important for early customer notification.
New CIS Amazon Web Services Foundations Benchmark v3.0.0

Summary

Customers can now utilize the CIS Amazon Web Services Foundations Benchmark v3.0.0 in Tenable Cloud Security as well as within all products that support Audits. Both offerings have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

This benchmark is the latest revision for services and configurations that CIS has determined to be foundational to the core security of AWS products. The following recommendations are examples of the services included; each has been updated to add new automation steps, or renumbered because recommendations that were no longer relevant were removed:

- 2.4.1 Ensure that encryption is enabled for EFS file systems
- 3.3 Ensure AWS Config is enabled in all regions
- 3.4 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- 3.6 Ensure rotation for customer-created symmetric CMKs is enabled
- 3.7 Ensure VPC flow logging is enabled in all VPCs
- 3.8 Ensure that Object-level logging for write events is enabled for S3 bucket
- 3.9 Ensure that Object-level logging for read events is enabled for S3 bucket

Audits
- CIS Amazon Web Services Foundations L1 3.0.0
- CIS Amazon Web Services Foundations L2 3.0.0

Target Release Date

The recommendations in this benchmark are available now and can be found in the Compliance section of Tenable Cloud Security as well as on the audits portal.
New CIS Linux v2.0.0 Benchmark Audits

Summary

Customers can now measure compliance against the latest versions of these CIS benchmarks:

- Red Hat 9 v2.0.0
- AlmaLinux 9 v2.0.0
- Oracle Linux 9 v2.0.0
- Rocky Linux 9 v2.0.0

The new audit files include Level 1 Server, Level 2 Server, Level 1 Workstation, and Level 2 Workstation profiles. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

The v2.0.0 benchmarks and audits include new checks in the following sections:

1.1.1 Configure Filesystem Kernel Modules
This section has been expanded to include several additional kernel modules, such as:
- 1.1.1.1 Ensure cramfs kernel module is not available
- 1.1.1.2 Ensure freevxfs kernel module is not available
- 1.1.1.8 Ensure usb-storage kernel module is not available

2.1 Configure Server Services
New recommendations for additional services:
- 2.1.1 Ensure autofs services are not in use
- 2.1.10 Ensure nis server services are not in use
- 2.1.19 Ensure xinetd services are not in use

5.1 Configure SSH Server
New recommendations for additional SSH settings:
- 5.1.4 Ensure sshd Ciphers are configured
- 5.1.5 Ensure sshd KexAlgorithms is configured

5.3.1 Configure PAM software packages
New section to ensure the latest versions of the PAM modules are installed:
- 5.3.1.1 Ensure latest version of pam is installed
- 5.3.1.2 Ensure latest version of authselect is installed
- 5.3.1.3 Ensure latest version of libpwquality is installed

There are many more changes and updates in these versions. Please review the CIS benchmark changelog for additional information.

Tenable Audits
- CIS Red Hat Enterprise Linux 9 v2.0.0 - Level 1 Server
- CIS Red Hat Enterprise Linux 9 v2.0.0 - Level 2 Server
- CIS Red Hat Enterprise Linux 9 v2.0.0 - Level 1 Workstation
- CIS Red Hat Enterprise Linux 9 v2.0.0 - Level 2 Workstation
- CIS AlmaLinux 9 v2.0.0 - Level 1 Server
- CIS AlmaLinux 9 v2.0.0 - Level 2 Server
- CIS AlmaLinux 9 v2.0.0 - Level 1 Workstation
- CIS AlmaLinux 9 v2.0.0 - Level 2 Workstation
- CIS Oracle Linux 9 v2.0.0 - Level 1 Server
- CIS Oracle Linux 9 v2.0.0 - Level 2 Server
- CIS Oracle Linux 9 v2.0.0 - Level 1 Workstation
- CIS Oracle Linux 9 v2.0.0 - Level 2 Workstation
- CIS Rocky Linux 9 v2.0.0 - Level 1 Server
- CIS Rocky Linux 9 v2.0.0 - Level 2 Server
- CIS Rocky Linux 9 v2.0.0 - Level 1 Workstation
- CIS Rocky Linux 9 v2.0.0 - Level 2 Workstation

Target Release Date

Immediate
New CIS Apple macOS Cloud-tailored v1.0.0 Benchmark Audits

Summary

Customers can now measure compliance against the latest versions of these CIS benchmarks:

- Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0
- Apple macOS 13.0 Ventura Cloud-tailored v1.0.0
- Apple macOS 12.0 Monterey Cloud-tailored v1.0.0

The new audit files include Level 1 and Level 2 profiles. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

The Apple macOS Cloud-tailored benchmarks offer guidance for macOS running specifically on a cloud platform, eliminating checks normally required on macOS devices for features such as Touch ID, Media Sharing, and Siri settings.

Tenable Audits
- CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 - Level 1
- CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 - Level 2
- CIS Apple macOS 13.0 Ventura Cloud-tailored v1.0.0 - Level 1
- CIS Apple macOS 13.0 Ventura Cloud-tailored v1.0.0 - Level 2
- CIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 - Level 1
- CIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 - Level 2

Target Release Date

Immediate
Research Highlight - New CIS Bottlerocket v1.0.0 Audit Files

Summary

Customers can now measure compliance against the latest release of Amazon Bottlerocket OS from CIS with the new Bottlerocket v1.0.0 audits. These audits cover both the CIS L1 and L2 guidance for Bottlerocket OS and include checks for host system filesystem configuration, access control, kernel network parameters, firewall rules, system logging, and more. They have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

Tenable Audit Files
- CIS_Bottlerocket_v1.0.0_L1.audit
- CIS_Bottlerocket_v1.0.0_L2.audit

Target Release Date

The audits can be downloaded from the Tenable Audits Portal on February 29th, 2024.

Date of Release

Immediate
New CIS Cisco IOS 17 Benchmark v1.0.0 Audit Files

Summary

Customers can now measure compliance against the latest release of the Cisco IOS 17 Benchmark v1.0.0 from CIS with the new Cisco IOS 17 Benchmark v1.0.0 audits. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

Tenable Audit Files
- Cisco IOS 17 Benchmark v1.0.0 - Level 1
- Cisco IOS 17 Benchmark v1.0.0 - Level 2

Target Release Date

The audits can be downloaded from the Tenable Audits Portal on July 18, 2022.
New RedHat OpenShift Container Platform Plugin and Audit files

Summary

Customers can now measure compliance against RedHat OpenShift Container Platform with new plugin ID 161406 on Tenable.io and Nessus. This plugin will be published with a new credential type: OpenShift Container Platform. The plugin retrieves target data using the RedHat OpenShift Container Platform API and evaluates the actual values against a given audit policy. All data retrieval and communication is via the RedHat OpenShift Container Platform API.

Additional Notes

Two CIS audits will be released along with the plugin:

- CIS RedHat OpenShift Container Platform 4 v1.2.0 Level 1
- CIS RedHat OpenShift Container Platform 4 v1.2.0 Level 2

Example audit structure:

    <check_type: "OpenShift">
    <custom_item>
      type           : REST_API
      description    : "Minimize the admission of containers with allowPrivilegeEscalation"
      request        : "getSecurityContextConstraints"
      json_transform : ".items[] | .spec.clusterID as $clusterID | .items[] | \"Cluster ID: \($clusterID), Name: \(.metadata.name), UID: \(.metadata.uid), Allow Privilege Escalation: \(.allowPrivilegeEscalation)\""
      expect         : "Allow Privilege Escalation: false"
    </custom_item>
    </check_type>

The 'request' tag references the specific API endpoint used for data retrieval. The 'json_transform' tag selects specific parts of the returned data. The 'regex' and 'expect' tags further filter and evaluate the data for a passing or failing result.

Target Release Date

January 27, 2023
New CIS Microsoft Azure Foundations Benchmark v1.5.0 for Tenable.cs

Summary

Customers can now measure compliance against the latest release of the CIS Microsoft Azure Foundations Benchmark v1.5.0 in Tenable.cs. These policies have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable.

Supported CIS Profiles
- CIS Microsoft Azure Foundations Benchmark v1.5.0 - Level 1
- CIS Microsoft Azure Foundations Benchmark v1.5.0 - Level 2

Target Release Date

Immediate