28 October 2010

scanmonitor.pl - A script for Seccubus

Earlier this year I found Seccubus, an open web front end for Nessus: http://seccubus.com/.

In previous attempts to improve my use of Nessus and share the results with the admins that need it I failed at getting Inprotect to function properly. So I took a step back and decided to attack this problem one step at a time.
1.) automate the scanning of a Class B. Frankly covering 2 Class Cs a week isn't gonna cut it, say roughly two and a half years to get full coverage!
2.) automate report sharing.
3.) parse the daylights out of the data for trending and analysis.

Enter a fruitful Google search and lo, there sits Autonessus, which at the time had recently been renamed Seccubus. It's small, lightweight, damn this looks handy!

To bypass the cron scheduler and create a constant scan cycle that minimizes scan overlap and/or dead cycles, I created a little Perl script that wraps the native do-scan process, and scanmonitor.pl was born.

Basic workflow of a scan
1.) Vulnerability Assessment Admin runs a scanmonitor.pl script.
2.) scanmonitor.pl checks for any currently running scan processes and bombs out if one is already running. (ensures a single scan process per scan engine)
3.) scanmonitor.pl evaluates the scangroup.txt file, reading one line at a time.
4.) scanmonitor.pl calls the script 'do-scan' and passes do-scan the subnet name to be scanned.
5.) do-scan evaluates the primary and secondary config files.
6.) do-scan calls the 'nessus' command and passes nessus the scan engine, target subnet, and scan policy information.
7.) do-scan monitors the Nessus job and upon completion generates both .nbe and .nessus formatted report files.
8.) do-scan quits
9.) scanmonitor.pl monitors the do-scan process and upon completion reads the next line of the scangroup.txt file and calls another do-scan job.
10.) scanmonitor.pl will continue to run until the admin sends a kill command, process crashes, or the system is shutdown.
With a no pause interval between scan groups (subnets) I can cover an entire Class B using a fairly intense Nessus policy in about 16 hours.
With a 6 minute interval between scan groups (subnets) I can cover the same Class B using the same fairly intense Nessus policy in just under 7 days.
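
As an added illustration of the workflow above (this is not the scanmonitor.pl from the presentation, and do-scan is only called as an external command), here is a Python sketch of the same loop. It assumes do-scan is on the PATH and takes the scan group name as its single argument, that scangroup.txt holds one scan group per line, and that the single-instance check (step 2) is done with a PID lock file at an assumed path; a stale lock left behind by a crash is reclaimed so the next run does not refuse to start.

```python
#!/usr/bin/env python3
"""Hypothetical re-implementation of the scanmonitor loop described above.

Assumptions (not from the page): do-scan is invoked as `do-scan <scangroup>`,
scangroup.txt holds one scan group name per line, and the single-instance
check is a lock file holding the PID of the running monitor.
"""
import os
import subprocess
import sys
import time
from pathlib import Path

LOCK_FILE = Path("/var/run/scanmonitor.lock")   # assumed location
SCANGROUP_FILE = Path("scangroup.txt")
DO_SCAN = "do-scan"                              # assumed to be on PATH


def read_scan_groups(text: str) -> list:
    """Step 3: return scan group names from scangroup.txt contents.
    Blank lines and '#' comments are skipped so a half-edited file never
    hands do-scan an empty target."""
    groups = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            groups.append(line)
    return groups


def pid_alive(pid: int) -> bool:
    """True if a process with this PID exists (signal 0 is an existence check)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True   # exists but is owned by another user
    return True


def acquire_lock(lock: Path) -> bool:
    """Step 2: refuse to start if another monitor is already running.
    A stale lock (recorded PID no longer alive, e.g. after a crash) is reclaimed."""
    if lock.exists():
        try:
            other = int(lock.read_text().strip())
        except ValueError:
            other = -1
        if other > 0 and pid_alive(other):
            return False
        lock.unlink()
    try:
        # O_EXCL closes the window between the exists() check and creation
        fd = os.open(lock, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return False   # lost the race to another instance
    with os.fdopen(fd, "w") as fh:
        fh.write(str(os.getpid()))
    return True


def run_one_cycle(groups, run_scan, interval_s: float = 0.0) -> list:
    """Steps 4 and 9: hand each scan group to do-scan in turn, waiting for each
    job to finish before starting the next, with an optional pause between
    groups. run_scan(group) returns the job's exit status; every result is
    collected so a failed subnet is visible instead of silently skipped."""
    results = []
    for group in groups:
        rc = run_scan(group)
        if rc != 0:
            print(f"do-scan {group} exited {rc}", file=sys.stderr)
        results.append((group, rc))
        if interval_s > 0:
            time.sleep(interval_s)
    return results


def do_scan(group: str) -> int:
    """Step 4: invoke do-scan and block until it exits (steps 5 to 8 happen inside it)."""
    return subprocess.call([DO_SCAN, group])


def main(interval_s: float = 0.0) -> None:
    if not acquire_lock(LOCK_FILE):
        sys.exit("scanmonitor: another instance is already running")
    try:
        # Step 10: loop until killed; scangroup.txt is re-read on every pass so
        # edits take effect without restarting the monitor.
        while True:
            groups = read_scan_groups(SCANGROUP_FILE.read_text())
            if not groups:
                time.sleep(60)
                continue
            run_one_cycle(groups, do_scan, interval_s)
    finally:
        LOCK_FILE.unlink(missing_ok=True)


if __name__ == "__main__":
    main(float(sys.argv[1]) if len(sys.argv) > 1 else 0.0)
```

Run it as `scanmonitor.py 360` for the six-minute interval described above, or with no argument for back-to-back scans. Because each cycle re-reads scangroup.txt and the pace is set by how long Nessus takes on each subnet, the start time of any given subnet drifts from cycle to cycle, which is the randomness the post describes.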

By not using a hard schedule and allowing the natural dynamics of the network environment to affect the scan subnet sequence, there is a level of randomness to the scan pattern: I do not hit the same subnets at the same time on the same day every time.

**Note, the scanmonitor.pl is primarily used for desktop and DHCP enabled environments. I still use hard fixed schedules for the bulk of my servers to minimize potential negative impact.


See also the presentation I gave at DC412, in July 2010 here to get scanmonitor.pl and the modified do-scan scripts.

20 October 2010

olpc hack station

So it's been two or three years since I got my OLPC and I'm finally getting around to doing something with it.

Irritation #1: the Sugar interface. Well, by being a dawdler, the latest OS update, 10.1.2, includes an option to use a GNOME desktop. Saves me the trouble of loading Openbox or completely trashing the native OS. (not to say that may have its own benefits, I'm just lazy)

So. Apparently since the XO laptop is based on Fedora, the delivered nmap RPM appears to load right up and run flawlessly.

Need to look at my hard drive space and determine what tools I can load and create a nice little scanner. One downside being the novelty of the hardware detracts from being non-obvious, as it does garner random interest and questions. Yes, it is a real laptop. No, it is not a toy (well okay, I'll maybe give you the second one).

More later........

Now to give nessus a go.