What Does the Test Team Need to Perform a Host Compliance Audit?
We’ve talked in a previous post about how host compliance audits are a great way to get a low-level, detailed understanding of your hardening practices and security on a system-by-system basis. But it may not be clear exactly how this type of analysis is done and what your testing team would need to perform a host compliance audit. The short answer to that is: not much. This type of assessment is primarily a manual process. And while automated tools can be used in some cases to speed up the assessment, a lot of times they aren’t worth the trouble to the number of false positives the test is forced to weed out.
What’s Needed to Perform a Host Compliance Audit
This should be a pretty short list, but I’ll try and be inclusive to cover most of the scenarios we encounter:
- Administrative Credentials (preferably read-only) – Depending on the type of device we’re looking at, 99% of the time we’re going to need an administrative account to log in and look at all of the applied configuration settings. We ask for read-only where possible just adhere to the principle of least privilege and prevent any mistakes or accidental changes to configuration.
- Remote Access – Most of the time when we need to do a host compliance audit, it is part of a larger assessment that is being conducted. So we generally already have a laptop onsite that provides us remote access to your internal network or we are physically there conducting other types of tests. In cases where we just need to complete a host compliance audit, we’ll usually work with your organization’s security and IT teams to determine the easiest solution to get the access we need. Sometimes that’s just creating us a VPN account and other times we’ll ship a laptop that you can plug in that provides us remote access. Either way, a way to access the device we’re auditing is required.
- Configuration Files – For some devices and assessments, configuration files or group policy exports are just as good as actually logging into a system. These are not necessary if we have remote access, but can be used in lieu of direct remote access sometimes, further simplifying the process.
What else can I expect?
So now that you know there’s not much to worry about from a technical perspective, as far as prep time or access provisioning goes, is there anything else you should know about a host compliance audit? Well given the relatively low set-up requirements, it stands to reason that the timeline for this type of testing can be fairly short as well. Since we don’t need any of the explicit approvals related to traditional penetration testing, we can get started on a host compliance audit quickly and a thorough assessment will usually take, at most, two days.
Unfortunately, documentation can be much more significant depending on the number of findings identified. Given that a host compliance audit is meant to assess configuration from the perspective of a published best practice standard, it’s not uncommon to see 50 – 100 findings. Since our write-ups are mostly custom and tailored on a per organization basis, a full report can take a week to get through the full quality assurance process.
So with all this in mind, you should feel a little more comfortable with what needs to be in place for us to conduct a host compliance audit. You should also have a rough idea of the timeline to complete this kind of assessment. If you’re looking for other ways to help you prepare, consider our list of the top 3 ways you can improve your results.