Publicly available Tenable .audit scripts

This is most likely slowpoke news, but I just found out that Tenable .audit files with formalized Compliance Management checks are publicly available and can be downloaded without any registration. However, you must accept the looooong license agreement.

Tenable .audit script

So, I have two (completely theoretical!) questions:

  1. What if someone supports the .audit format in some compliance tool and gives the end user the ability to use this content by Tenable to assess their systems? Will it be fair and legal?
  2. What if someone uses this content as a source of inspiration for his own content, for example, in the form of OVAL/SCAP or some scripts? Will it be fair and legal?

Well, each Tenable .audit script contains the header “script is released under the Tenable Subscription License” with reference to NESSUS® SOFTWARE LICENSE AND SUBSCRIPTION AGREEMENT.

#
# This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf

This document was last updated on 12.08.17. For example, there is still Nessus Home and not Nessus Essentials.

NESSUS® SOFTWARE LICENSE AND SUBSCRIPTION AGREEMENT

The document does not mention .audit scripts directly. But it mentions “Plugins”. Maybe by plugins they mean only NASL plugins, maybe also .audit. In any case, .audit files should be considered as part of the “Licensed Materials”.

Honestly, I did not find a single point prohibiting the use of these files (as is), as an input for tools that were not made by Tenable. Maybe only the general limitation in “5. Intellectual Property.”: “Your rights with respect to the Licensed Materials are limited to the right to use the Licensed Materials pursuant to the terms and conditions in this Agreement. Any rights in or to the Licensed Materials (including rights of use) not expressly granted in this Agreement are reserved by Tenable”. So, for me it seems a gray zone.

Speaking about the use of Tenable .audit files to make other forms of security content, I found the most interesting limitations in “6. No Reverse Engineering, Other Restrictions”. “You may not directly or indirectly: […] translate or create derivative works of all or any part of the Licensed Materials”. When you convert .audit files to some other form, it will probably create a derivative work. However, it’s unclear how this combines with the fact that .audit files are often based on publicly available documents or documents that are the intellectual property of third parties, such as Center for Internet Security.

In any case, it seems that getting the checks from Tenable .audit files can cause problems and it’s better to avoid this. Especially if you work for a security vendor or service provider, because “You may not use the if You are, or You work for, a competitor of Tenable’s in the network security software industry. For the avoidance of doubt, You may not include or redistribute the Licensed Materials on physical or virtual appliances to perform on-site scans.”

There is also a great section “3(c). Custom Nessus Plugin Development and Distribution”. “Tenable allows users to write and develop new Nessus plugins; however, You must have an active Nessus subscription in order to add plugins to Your Nessus scanner”. It’s obviously about NASL scripts and there are restrictions on public distribution of custom plugins that use some APIs and “.inc” libraries. But if .audit scripts are legally “plugins”, you can create your own custom content in such form and use such files in any tools, if this makes sense.
