rgula at tenablesecurity
Oct 2, 2008, 1:10 PM
Post #3 of 4
Re: Scanning a network for MS Security Bulletins
Chilcott, Mike wrote:
> Using the Nessus Client I created many (approx. 85) .nessus files, because we have a large Class B network - and I wanted to space out each of the scans over a couple of days. I then created .sh files and placed them into the crontab to run at scheduled times and days. If I run them with the default scan everything works, but I want to make better use of the product, and am stumped...
> I used the baseline scan policy of Microsoft Patches, and only selected the Microsoft patches for 06, 07, and 08. We have a standard software image so I really don't need to scan for the other miscellaneous software, so I then save this policy as "new ms patches" - now here is where I am stumped - I want all 85 of these .nessus files to use this new ms patches policy and next month when MS comes out with 4 patches I am going to have to go into each of those 85 files to select the new patches.
> I thought I could use the "Share this policy across multiple sessions" but it will not work. I found in the docs the following: "Note that a policy which has the "Share this policy across multiple sessions" option selected cannot be saved to a .nessus file. Using this option means that the policy is to become one of the default policies displayed whenever the NessusClient is started or whenever the "New Session" option is selected from the main menu."
> Any thoughts or ideas so I don't have to go in and modify 85 .nessus files each month?
> Thanks - Mike
Bad news first -- the NessusClient was not designed to do what you
are trying to do. Managing multiple scan policies, perhaps multiple
credentials, multiple targets/assets and multiple schedules is something
that the Security Center does.
Having said that, I'd look at a few areas you might be able to
- Scan Time
If you are just doing credentialed patch auditing, turn off all network
port scanning and just log into the target machines. This is extremely
fast with Nessus. If you have to audit open ports, enable the WMI port
scanner. I would really encourage you to post your current scan times
and settings, make changes and post the new scan times. There's also possibly
more optimization you can make based on CPU load, hosts/scanner and
checks/host settings after that. Unless you have a political requirement
to scan 85 distinct networks, I'd really work on reducing your scan time.
- Policy Management
If you enable a family in a .nessus file, then it will automatically
enable new checks that are in that family. If you specifically enable
some checks, the Nessus Client assumes other checks (like new checks)
are disabled. Understand you might not want to test for older plugins,
but there are not that many of them compared to what was shipped
this year and the years you are testing for. I would strongly consider
simply enabling the entire family and avoiding having to re-edit
- Policy Sharing with the Nessus Client
The function of sharing a policy across sessions is a manifestation
of the client. The actual .nessus files don't change. Since you are
batching these files, making something global won't actually change
the settings in your 85 scan policies.
Tenable Network Security
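The policy-management point above (a family enabled as a whole picks up next month's plugins, individually ticked plugins do not) is the kind of thing that silently leaves coverage gaps across a fleet of saved policies. The script below is an added example, not code from the post or from Tenable: it audits a set of .nessus files for families that are selected plugin-by-plugin and rewrites them to enable the whole family, so one run covers all 85 files instead of editing each by hand. The element names (`FamilySelection`/`FamilyItem`, `IndividualPluginSelection`/`PluginItem`, `Status`) are an assumption modelled on the later .nessus v2 export layout, and the plugin IDs and names in the embedded sample are constructed; compare against a real export from your own NessusClient before running it over live files.

```python
"""Bulk-normalize plugin selection across many saved .nessus policies.

Added example, not from the mailing-list post or Tenable. The XML layout
(FamilySelection/FamilyItem, IndividualPluginSelection/PluginItem) is an
ASSUMPTION modelled on the .nessus v2 export format; verify the element
names against a real export before using this on production files.
"""
import glob
import xml.etree.ElementTree as ET

# Constructed sample: a "new ms patches" policy where the Microsoft
# bulletin checks were ticked individually, leaving the family 'mixed'.
# Plugin IDs and names are made up for illustration.
SAMPLE_POLICY = """<NessusClientData>
  <Policies>
    <Policy>
      <policyName>new ms patches</policyName>
      <FamilySelection>
        <FamilyItem><FamilyName>Windows : Microsoft Bulletins</FamilyName><Status>mixed</Status></FamilyItem>
        <FamilyItem><FamilyName>Port scanners</FamilyName><Status>disabled</Status></FamilyItem>
      </FamilySelection>
      <IndividualPluginSelection>
        <PluginItem><PluginId>100001</PluginId><PluginName>MS08-001 (constructed)</PluginName><Family>Windows : Microsoft Bulletins</Family><Status>enabled</Status></PluginItem>
        <PluginItem><PluginId>100002</PluginId><PluginName>MS08-002 (constructed)</PluginName><Family>Windows : Microsoft Bulletins</Family><Status>enabled</Status></PluginItem>
      </IndividualPluginSelection>
    </Policy>
  </Policies>
</NessusClientData>
"""


def audit_families(xml_text):
    """Return family names that are selected plugin-by-plugin.

    Any family with PluginItem entries whose FamilyItem status is not
    'enabled' will NOT pick up plugins published after the file was saved.
    """
    root = ET.fromstring(xml_text)
    stale = []
    for policy in root.iter("Policy"):
        status = {fi.findtext("FamilyName"): fi.findtext("Status")
                  for fi in policy.iter("FamilyItem")}
        individual = {pi.findtext("Family") for pi in policy.iter("PluginItem")}
        for family in sorted(individual):
            if status.get(family) != "enabled":
                stale.append(family)
    return stale


def enable_whole_family(xml_text, family):
    """Rewrite the policy so FAMILY is enabled as a unit.

    Marks the FamilyItem 'enabled' (creating it if absent) and removes the
    per-plugin entries for that family, so new checks in the family are
    included automatically on the next scan.
    """
    root = ET.fromstring(xml_text)
    for policy in root.iter("Policy"):
        fam_sel = policy.find("FamilySelection")
        if fam_sel is None:
            fam_sel = ET.SubElement(policy, "FamilySelection")
        item = next((fi for fi in fam_sel.findall("FamilyItem")
                     if fi.findtext("FamilyName") == family), None)
        if item is None:
            item = ET.SubElement(fam_sel, "FamilyItem")
            ET.SubElement(item, "FamilyName").text = family
        status = item.find("Status")
        if status is None:
            status = ET.SubElement(item, "Status")
        status.text = "enabled"
        ind = policy.find("IndividualPluginSelection")
        if ind is not None:
            for pi in list(ind.findall("PluginItem")):
                if pi.findtext("Family") == family:
                    ind.remove(pi)
    return ET.tostring(root, encoding="unicode")


def normalize_files(pattern, family):
    """Apply enable_whole_family in place to every file matching PATTERN.

    Returns the list of paths that were actually changed.
    """
    changed = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        if family not in audit_families(original):
            continue  # already enabled as a whole family; leave untouched
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(enable_whole_family(original, family))
        changed.append(path)
    return changed


if __name__ == "__main__":
    family = "Windows : Microsoft Bulletins"
    print("selected plugin-by-plugin:", audit_families(SAMPLE_POLICY))
    fixed = enable_whole_family(SAMPLE_POLICY, family)
    print("after normalization:", audit_families(fixed))
    # For a directory of saved policies:  normalize_files("scans/*.nessus", family)
```

Run `audit_families` first on a copy of the files to see which policies would be touched; `normalize_files` only rewrites files the audit flags, so policies that already enable the family as a whole are left byte-for-byte alone. The family name `"Windows : Microsoft Bulletins"` is the Nessus family these checks live in; if your export spells it differently, the audit output will show the name to use.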