Audit Google Cloud Platform with Nessus
- Duong Hoang
- Jun 13, 2024
- 3 min read
1. Overview of Nessus
Nessus is a scanning and evaluation tool used to detect security vulnerabilities in computer systems, applications, and network devices. Developed by Tenable Network Security, Nessus is widely used in risk management and assessment activities.
In my experience, Nessus does not excel at specialised vulnerability scanning when compared with tools such as Acunetix, IBM Scan, or HCL Scan. Where it is particularly strong is in two areas: auditing and compliance. For complex systems that demand high process integrity and strong assurance about the tool itself, Nessus is the top choice for pentesters and auditors.

2. Audit Google Cloud Platform with Nessus
2.1. Install Nessus on Ubuntu
Step 1: Download Nessus from the Tenable Network Security website. To download the Nessus version for Ubuntu, visit the following link:
Step 2: Use the following command to install Nessus:
bash
sudo dpkg -i Nessus-<version_number>-ubuntu<architecture>.deb
Step 3: Start Nessus with the command:
bash
sudo systemctl start nessusd
Step 4: Open the Nessus web interface at https://localhost:8834. Nessus serves its UI over HTTPS with a self-signed certificate, so the browser will warn about the certificate on the first visit.
Nessus will prompt you to select a version to use, with several options available, including Nessus Expert, Nessus Professional, and Nessus Essentials. Here, I choose Nessus Professional with a default 7-day trial.
After completing the initial registration process, Nessus will take some time to load a vast library of plugins. During this time, it’s a good idea to grab a snack.
2.2. Connect Nessus with Google Cloud Platform
Connecting Nessus to Google Cloud Platform differs from the other cloud platforms. For AWS and Azure the integration is configured by issuing access keys to a third-party application, whereas for Google Cloud Nessus authenticates as a service account, using a JSON key file that you create for it.
Step 1: In the Google Cloud console, go to IAM & Admin > Service Accounts.
Step 2: Create a service account dedicated to the audit.
Step 3: Grant the service account the Viewer role. This read-only role is sufficient for the audit; do not grant Editor or Owner, since a service account with admin privileges is itself a CIS finding.
Step 4: Finish creating the account, then open it by clicking its email address in the list.
Step 5: On the KEYS tab, add a new key and choose the JSON format.
Step 6: The key file is downloaded once and cannot be retrieved again. Treat it as a credential: keep it out of version control, restrict its file permissions, and delete the key from the service account when the audit is finished.
3. Using Nessus for Audit
Step 1: Log in to Nessus.
Step 2: Navigate to Scans > New Scan and choose the Audit Cloud Infrastructure template.
Step 3: Complete the fields for Name and Description.
In the Credentials tab, choose Google Cloud Platform and upload the service-account JSON key created in the previous steps.
If the Compliance tab is missing, the plugin database usually has not finished compiling or was not built correctly. Rebuild it and start the service again (these are two separate commands):
bash
sudo /opt/nessus/sbin/nessusd -R
sudo /sbin/service nessusd start
After Nessus has recompiled its plugin library, the additional tabs appear in the scan editor.
Nessus ships with compliance audits based on the CIS benchmarks and also accepts custom audit files tailored to a specific environment. For this article I use the default CIS Google Cloud Platform Foundation Benchmark 1.3.0 Level 2 audit.
Step 4: Save and Scan.
3.1. Reading the Audit Results
Once the scan is complete, the results will be displayed:
Following CIS security standards, the Google Cloud Platform Audit results are divided into five main sections: Identity and Access Management, Logging and Monitoring, Networking, Virtual Machines, and Google Cloud Storage.
Here are some key points:
3.1.1. Identity and Access Management
Ensure corporate login credentials are used instead of personal email accounts.
Ensure multi-factor authentication is enabled for all user accounts.
Ensure no service account holds admin privileges (roles/owner, roles/editor or any *Admin role); a service account is the GCP analogue of an AWS IAM user with programmatic access keys.
Ensure accounts inactive for over 90 days are disabled.
Ensure Cloud KMS encryption keys have automatic rotation configured (the benchmark requires a rotation period of 90 days or less) and are managed in Cloud KMS.
Ensure API keys, where they exist at all, are rotated every 90 days.
3.1.2. Logging and Monitoring
Ensure Cloud Audit Logging is configured for all services and all users on every project, and that logs are exported through a sink to a Cloud Storage bucket with a retention policy, so they cannot be altered or deleted.
Ensure alerts are triggered when critical configuration changes (e.g., audit configuration, custom roles, VPC firewall rules, VPC routes, Cloud Storage IAM permissions, Cloud SQL instance settings).
3.1.3. Networking
Avoid using the default network in any project.
Ensure SSH (tcp/22) and RDP (tcp/3389) access from the internet (source range 0.0.0.0/0) is restricted in every project.
Ensure VPC Flow Logs are enabled on every VPC subnet.
3.1.4. Virtual Machines
Ensure OS Login is enabled at the project level.
Ensure IP forwarding is disabled on all virtual machines.
Ensure the disks of critical VMs are encrypted with customer-supplied encryption keys (CSEK).
3.1.5. Google Cloud Storage
Ensure Cloud Storage buckets are not publicly accessible from the internet (no role granted to allUsers or allAuthenticatedUsers), except in specific cases such as hosting a static website.
Ensure logging is enabled for all Cloud Storage buckets.
Grant Cloud Storage permissions precisely to the individuals who need them, following a default-deny, least-privilege model: deny everything by default and allow only the specific operations that are required.
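Several of the controls above can be cross-checked offline before (or after) the Nessus scan. The following is an added example, not code from the original post, from Nessus or from the CIS benchmark: it implements the admin-service-account, non-corporate-account, SSH/RDP-from-internet, VPC-Flow-Logs and public-bucket checks over a constructed inventory. The field names (`bindings`/`members`, `sourceRanges`, `allowed`, `direction`, `disabled`, `enableFlowLogs`) are those of the Google Cloud IAM policy and Compute API resources; the inventory itself, the `example.com` corporate domain and all resource names are assumptions made for the example.

```python
"""Offline checks for several of the CIS Google Cloud controls listed above.
Added example: not code from the original post, from Nessus or from the CIS
benchmark. It runs over a constructed inventory shaped like the JSON output of
`gcloud ... --format=json` / `gsutil iam get`, so it needs no GCP project."""
from collections import namedtuple

CORPORATE_DOMAIN = "example.com"   # assumption: the organisation's identity domain
ANY_IPV4 = "0.0.0.0/0"
SSH_PORT, RDP_PORT = 22, 3389
Finding = namedtuple("Finding", "control resource detail")

# Constructed sample inventory (not real project data).
INVENTORY = {
    "iam_policy": {"bindings": [
        {"role": "roles/owner", "members": [
            "user:alice@example.com", "serviceAccount:ci@proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": [
            "user:bob@gmail.com", "serviceAccount:nessus-audit@proj.iam.gserviceaccount.com"]},
    ]},
    "firewall_rules": [
        {"name": "allow-ssh-any", "sourceRanges": [ANY_IPV4],
         "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
        {"name": "allow-rdp-office", "sourceRanges": ["203.0.113.0/24"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
        {"name": "allow-any-tcp", "sourceRanges": [ANY_IPV4],
         "allowed": [{"IPProtocol": "tcp"}]},   # no port list means every tcp port
        {"name": "allow-ssh-disabled", "disabled": True, "sourceRanges": [ANY_IPV4],
         "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    ],
    "subnetworks": [{"name": "prod-a", "enableFlowLogs": True}, {"name": "dev-b"}],
    "bucket_policies": {
        "public-site": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
        "backups": {"bindings": [{"role": "roles/storage.objectAdmin", "members": ["group:ops@example.com"]}]},
    },
}

def is_admin_role(role):
    """The benchmark treats owner, editor and every *Admin role as admin privileges."""
    return role in ("roles/owner", "roles/editor") or role.lower().endswith("admin")

def check_iam(policy):
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")      # e.g. "user:alice@example.com"
            if kind == "serviceAccount" and is_admin_role(role):
                findings.append(Finding("IAM: service account with admin privileges", ident, role))
            if kind == "user" and not ident.endswith("@" + CORPORATE_DOMAIN):
                findings.append(Finding("IAM: non-corporate user account", ident, role))
    return findings

def rule_opens_port(rule, port):
    """True if an allow entry covers tcp/`port`; an absent port list means all ports."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True
        for spec in ports:                              # "22" or a range such as "1-1024"
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False

def check_firewall(rules):
    """Enabled ingress rules that expose SSH or RDP to 0.0.0.0/0."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if ANY_IPV4 not in rule.get("sourceRanges", []):
            continue
        for port, name in ((SSH_PORT, "SSH"), (RDP_PORT, "RDP")):
            if rule_opens_port(rule, port):
                findings.append(Finding(f"Networking: {name} open to the internet",
                                        rule["name"], f"tcp/{port} from {ANY_IPV4}"))
    return findings

def check_subnets(subnets):
    return [Finding("Networking: VPC Flow Logs disabled", s["name"], "enableFlowLogs not set")
            for s in subnets if not s.get("enableFlowLogs")]

def check_buckets(bucket_policies):
    """Buckets granting any role to allUsers or allAuthenticatedUsers."""
    findings = []
    for name, policy in bucket_policies.items():
        for binding in policy.get("bindings", []):
            public = {"allUsers", "allAuthenticatedUsers"} & set(binding.get("members", []))
            if public:
                findings.append(Finding("Storage: bucket publicly accessible", name,
                                        f"{binding['role']} granted to {', '.join(sorted(public))}"))
    return findings

def audit(inventory):
    return (check_iam(inventory["iam_policy"]) + check_firewall(inventory["firewall_rules"])
            + check_subnets(inventory["subnetworks"]) + check_buckets(inventory["bucket_policies"]))

for f in audit(INVENTORY):
    print(f"[{f.control}] {f.resource}: {f.detail}")
```

To run it against a real project, replace the constructed inventory with the output of `gcloud projects get-iam-policy PROJECT --format=json`, `gcloud compute firewall-rules list --format=json`, `gcloud compute networks subnets list --format=json` and `gsutil iam get gs://BUCKET` for each bucket. The script is a cross-check, not a replacement for the Nessus audit, which evaluates far more controls; in particular, a bucket that intentionally serves a static website will still be reported as public here, which matches the benchmark's stated exception and should be handled as an accepted finding rather than suppressed in the code.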