{"id":30732419,"url":"https://github.com/adscanpro/photon5-nessus-audit","last_synced_at":"2025-09-03T17:08:54.908Z","repository":{"id":313035334,"uuid":"1049633218","full_name":"ADScanPro/photon5-nessus-audit","owner":"ADScanPro","description":"Nessus Unix Compliance audit for VMware Photon OS 5. MIT-licensed. Contributions welcome.","archived":false,"fork":false,"pushed_at":"2025-09-03T13:30:33.000Z","size":105,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-03T15:24:41.035Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.adscanpro.com","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ADScanPro.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-03T09:11:57.000Z","updated_at":"2025-09-03T13:30:37.000Z","dependencies_parsed_at":"2025-09-03T15:24:42.379Z","dependency_job_id":"b4cb59bf-e66a-4f95-8174-952020cd6d12","html_url":"https://github.com/ADScanPro/photon5-nessus-audit","commit_stats":null,"previous_names":["adscanpro/photon5-nessus-audit"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/ADScanPro/photon5-nessus-audit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ADScanPro%2Fphoton5-nessus-audit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ADScanPro%2Fphoton5-nessus-audit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ADScanPro%2Fphoton5-nessus-audit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ADScanPro%2Fphoton5-nessus-audit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ADScanPro","download_url":"https://codeload.github.com/ADScanPro/photon5-nessus-audit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ADScanPro%2Fphoton5-nessus-audit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273477127,"owners_count":25112618,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-03T02:00:09.631Z","response_time":76,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-03T17:06:33.750Z","updated_at":"2025-09-03T17:08:54.896Z","avatar_url":"https://github.com/ADScanPro.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Photon OS 5 Nessus Unix Compliance Audit\n\nThis repository contains a custom Tenable Nessus Unix Compliance audit for VMware Photon OS 5: `photon_5_nessus_unix.audit`.\n\nThe audit was built by converting Photon 5 STIG-like Ruby controls (PHTN-50-*.rb) to Unix `custom_item`s. Each `custom_item` in the `.audit` file includes a \"Source: PHTN-50-xxxxx.rb\" comment for traceability.\n\n## Usage\n- Import `photon_5_nessus_unix.audit` into a Nessus (or Tenable.sc/Manager) compliance policy.\n- Select Check Type: Unix.\n- Run the scan with SSH credentials that allow reading config files and running `sshd -T` and `auditctl -l` (root recommended or equivalent sudo rights).\n- This audit is intended for Photon OS 5. A platform guard checks `/etc/os-release`.\n\n## Mapping (PHTN-50 control -\u003e audit custom item)\n\n### SSHD hardening\n- PHTN-50-000200 -\u003e SyslogFacility AUTHPRIV/AUTH (CMD_EXEC)\n- PHTN-50-000201 -\u003e LogLevel INFO (CMD_EXEC)\n- PHTN-50-000069 -\u003e ClientAliveInterval 900 (CMD_EXEC)\n- PHTN-50-000203 -\u003e ClientAliveCountMax 0 (CMD_EXEC)\n- PHTN-50-000221 -\u003e LoginGraceTime 30 (CMD_EXEC)\n- PHTN-50-000207 -\u003e PermitEmptyPasswords no (CMD_EXEC)\n- PHTN-50-000208 -\u003e PermitUserEnvironment no (CMD_EXEC)\n- PHTN-50-000211 -\u003e GSSAPIAuthentication no (CMD_EXEC)\n- PHTN-50-000214 -\u003e KerberosAuthentication no (CMD_EXEC)\n- PHTN-50-000216 -\u003e PrintLastLog yes (CMD_EXEC)\n- PHTN-50-000215 -\u003e Compression no (CMD_EXEC)\n- PHTN-50-000212 -\u003e X11Forwarding no (CMD_EXEC)\n- PHTN-50-000217 -\u003e IgnoreRhosts yes (CMD_EXEC)\n- PHTN-50-000218 -\u003e IgnoreUserKnownHosts yes (CMD_EXEC)\n- PHTN-50-000219 -\u003e MaxAuthTries 6 (CMD_EXEC)\n- PHTN-50-000213 -\u003e StrictModes yes (CMD_EXEC)\n- PHTN-50-000220 -\u003e AllowTcpForwarding no (CMD_EXEC)\n- PHTN-50-000005 -\u003e Banner /etc/issue (CMD_EXEC)\n- PHTN-50-000079 -\u003e Ciphers approved set (CMD_EXEC)\n- PHTN-50-000239 -\u003e MACs approved set (CMD_EXEC)\n- PHTN-50-000188 -\u003e HostbasedAuthentication no (CMD_EXEC)\n- PHTN-50-000233 -\u003e SSH public host keys 0644 root:root (CMD_EXEC)\n- PHTN-50-000234 -\u003e SSH private host keys 0600 root:root (CMD_EXEC)\n\n### PAM and password policy\n- PHTN-50-000059 -\u003e pam_unix.so uses sha512 (FILE_CONTENT_CHECK)\n- PHTN-50-000247 -\u003e no nullok in system-password/system-auth (FILE_CONTENT_CHECK)\n- PHTN-50-000197 -\u003e pam_pwquality on password line (FILE_CONTENT_CHECK)\n- PHTN-50-000044 -\u003e minlen \u003e= 15 (FILE_CONTENT_CHECK)\n- PHTN-50-000035 -\u003e ucredit = -1 (FILE_CONTENT_CHECK)\n- PHTN-50-000037 -\u003e dcredit = -1 (FILE_CONTENT_CHECK)\n- PHTN-50-000036 -\u003e lcredit = -1 (FILE_CONTENT_CHECK)\n- PHTN-50-000086 -\u003e ocredit = -1 (FILE_CONTENT_CHECK)\n- PHTN-50-000038 -\u003e difok \u003e= 8 (FILE_CONTENT_CHECK)\n- PHTN-50-000184 -\u003e dictcheck = 1 (FILE_CONTENT_CHECK)\n- PHTN-50-000235 -\u003e enforce_for_root present (FILE_CONTENT_CHECK)\n- PHTN-50-000043 -\u003e pwhistory remember \u003e= 5 (FILE_CONTENT_CHECK)\n- PHTN-50-000243 -\u003e pwhistory use_authtok present (FILE_CONTENT_CHECK)\n- PHTN-50-000206 -\u003e pam_faildelay delay=4000000 in system-auth (FILE_CONTENT_CHECK)\n- PHTN-50-000192 -\u003e pam_faillock preauth before pam_unix, authfail after (FILE_CONTENT_CHECK)\n- PHTN-50-000108 -\u003e faillock unlock_time = 0 (FILE_CONTENT_CHECK)\n- PHTN-50-000004 -\u003e faillock deny \u003c= 3 and fail_interval \u003e= 900 (FILE_CONTENT_CHECK)\n- PHTN-50-000193 -\u003e faillock.conf silent (FILE_CONTENT_CHECK)\n- PHTN-50-000194 -\u003e faillock.conf audit (FILE_CONTENT_CHECK)\n- PHTN-50-000195 -\u003e faillock.conf even_deny_root (FILE_CONTENT_CHECK)\n- PHTN-50-000196 -\u003e faillock.conf dir = /var/log/faillock (FILE_CONTENT_CHECK)\n\n### login.defs\n- PHTN-50-000039 -\u003e ENCRYPT_METHOD SHA512 (FILE_CONTENT_CHECK)\n- PHTN-50-000041 -\u003e PASS_MIN_DAYS 1 (FILE_CONTENT_CHECK)\n- PHTN-50-000042 -\u003e PASS_MAX_DAYS \u003c= 90 (FILE_CONTENT_CHECK)\n- PHTN-50-000185 -\u003e FAIL_DELAY \u003e= 4 (FILE_CONTENT_CHECK)\n- PHTN-50-000187 -\u003e UMASK 077 (FILE_CONTENT_CHECK)\n- PHTN-50-000209 -\u003e CREATE_HOME yes (FILE_CONTENT_CHECK)\n\n### auditd (auditctl -l)\n- PHTN-50-000003 -\u003e watch useradd/groupadd (CMD_EXEC)\n- PHTN-50-000076 -\u003e watch usermod/groupmod (CMD_EXEC)\n- PHTN-50-000078 -\u003e watch userdel/groupdel (CMD_EXEC)\n- PHTN-50-000204 -\u003e watch passwd/shadow/group/gshadow (CMD_EXEC)\n- PHTN-50-000173 -\u003e watch faillog/lastlog/tallylog (CMD_EXEC)\n- PHTN-50-000238 -\u003e watch /etc/security/opasswd (CMD_EXEC)\n- PHTN-50-000019 -\u003e execpriv execve rules (b32/b64) (CMD_EXEC)\n- PHTN-50-000031 -\u003e DAC permission modification syscalls (b32/b64) (CMD_EXEC)\n- PHTN-50-000175 -\u003e init_module rules (b32/b64) (CMD_EXEC)\n\n### Package manager (tdnf)\n- PHTN-50-000130 -\u003e gpgcheck enabled (FILE_CONTENT_CHECK)\n- PHTN-50-000161 -\u003e clean_requirements_on_remove enabled (FILE_CONTENT_CHECK)\n- PHTN-50-000199 -\u003e repos gpgcheck=1 (CMD_EXEC)\n\n### Time synchronization\n- PHTN-50-000121 -\u003e timesyncd NTP configured (optional) (FILE_CONTENT_CHECK)\n- PHTN-50-000121 -\u003e ntpd servers/peer/multicastclient configured (optional) (FILE_CONTENT_CHECK)\n- PHTN-50-000121 -\u003e chrony server configured (optional) (FILE_CONTENT_CHECK)\n\n### rsyslog\n- PHTN-50-000074 -\u003e $umask 0037 (FILE_CONTENT_CHECK)\n- PHTN-50-000111 -\u003e remote offload to syslog server (FILE_CONTENT_CHECK)\n- PHTN-50-000242 -\u003e rsyslog enabled and running (CMD_EXEC)\n- PHTN-50-000241 -\u003e rsyslog installed (CMD_EXEC)\n\n### Accounts, packages and boot security\n- PHTN-50-000007 -\u003e limits.conf maxlogins 10 (FILE_CONTENT_CHECK)\n- PHTN-50-000012 -\u003e rsyslog logs auth.*,authpriv.*,daemon.* (FILE_CONTENT_CHECK)\n- PHTN-50-000013 -\u003e OpenSSL FIPS provider installed (CMD_EXEC)\n- PHTN-50-000040 -\u003e Telnet not installed (CMD_EXEC)\n- PHTN-50-000046 -\u003e GRUB superusers/password_pbkdf2 (FILE_CONTENT_CHECK)\n- PHTN-50-000047 -\u003e modprobe disables nonessential modules (FILE_CONTENT_CHECK)\n- PHTN-50-000049 -\u003e No duplicate UIDs (CMD_EXEC)\n- PHTN-50-000066 -\u003e SELinux enforcing (CMD_EXEC)\n- PHTN-50-000073 -\u003e /var/log owner/perms (CMD_EXEC)\n- PHTN-50-000080 -\u003e kernel cmdline audit=1 (CMD_EXEC)\n- PHTN-50-000085 -\u003e /usr/lib ownership and perms (CMD_EXEC)\n- PHTN-50-000127 -\u003e AIDE installed (CMD_EXEC)\n- PHTN-50-000133 -\u003e sudo NOPASSWD re-auth enforcement (CMD_EXEC)\n- PHTN-50-000222 -\u003e ctrl-alt-del.target masked/inactive (CMD_EXEC)\n\n### Kernel/sysctl\n- PHTN-50-000231 -\u003e net.ipv4.ip_forward = 0 (CMD_EXEC, optional)\n- PHTN-50-000223 -\u003e accept_source_route = 0 for v4/v6 (CMD_EXEC)\n- PHTN-50-000224 -\u003e net.ipv4.icmp_echo_ignore_broadcasts = 1 (CMD_EXEC)\n- PHTN-50-000225 -\u003e accept_redirects = 0 (CMD_EXEC)\n- PHTN-50-000226 -\u003e secure_redirects = 0 (CMD_EXEC)\n- PHTN-50-000227 -\u003e send_redirects = 0 (CMD_EXEC)\n- PHTN-50-000228 -\u003e log_martians = 1 (CMD_EXEC)\n- PHTN-50-000229 -\u003e rp_filter = 1 (CMD_EXEC)\n- PHTN-50-000232 -\u003e net.ipv4.tcp_timestamps = 1 (CMD_EXEC)\n- PHTN-50-000068 -\u003e net.ipv4.tcp_syncookies = 1 (CMD_EXEC)\n- PHTN-50-000067 -\u003e kernel.dmesg_restrict = 1 (CMD_EXEC)\n- PHTN-50-000160 -\u003e kernel.randomize_va_space = 2 (CMD_EXEC)\n- PHTN-50-000105 -\u003e fs.protected_symlinks = 1 (CMD_EXEC)\n- PHTN-50-000244 -\u003e fs.protected_hardlinks = 1 (CMD_EXEC)\n- PHTN-50-000246 -\u003e fs.suid_dumpable = 0 (CMD_EXEC)\n- PHTN-50-000236 -\u003e systemd fallback DNS disabled (CMD_EXEC)\n\n### FIPS\n- PHTN-50-000182 -\u003e /proc/sys/crypto/fips_enabled = 1 (FILE_CONTENT_CHECK)\n\n## Notes\n- Some checks are marked optional because only one time service is typically in use.\n- The SSHD crypto checks (Ciphers/MACs) enforce that only approved algorithms are present. The command outputs are matched against an allow-list regex.\n- If you need to adapt values (e.g., different grace times or cipher suites), modify the corresponding `expect` lines in the `.audit` file.\n\n## Testing\n- Validate locally on a Photon OS 5 host:\n  - `sshd -T | grep -i \u003cparam\u003e`\n  - `grep \u003ckey\u003e /etc/pam.d/system-password`\n  - `grep \u003ckey\u003e /etc/security/pwquality.conf`\n  - `grep ENCRYPT_METHOD /etc/login.defs`\n  - `/sbin/auditctl -l`\n  - `grep -E '^(NTP|server)' /etc/systemd/timesyncd.conf /etc/ntp.conf /etc/chrony/chrony.conf 2\u003e/dev/null`\n\n## License\nMIT — see `LICENSE` for details.\n\n## Disclaimer\nThis audit is provided as a best-effort conversion for Photon OS 5 and may require tuning for your environment and Nessus version. \nAlways test in a non-production environment first.\n\n## Contributing\nSee `CONTRIBUTING.md`. PRs and issues are welcome.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadscanpro%2Fphoton5-nessus-audit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadscanpro%2Fphoton5-nessus-audit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadscanpro%2Fphoton5-nessus-audit/lists"}