[unisog] Automating scan processing was Re: Outsourcing security scanning (internal and external)

Jonathan Glass jonathan.glass at oit.gatech.edu
Sat Oct 8 13:23:59 GMT 2005


Quoting Russell Fulton <r.fulton at auckland.ac.nz>:

>
>
> Isac Balder wrote:
> >
> > From my experience the majority of the work involved
> > in proper scanning and the subsequent follow-up
> > (verification of vulnerabilities, remediation of
> > vulnerabilities, verification of remediation, insert X
> > political hurdles) is going to fall on your lap as the
> > asset owner at the end of the day.
>
> Yes, this is my assessment too. The scanning is the easy bit. The main
> reason I don't do more automated vulnerability assessment is simply
> because I don't have the resources to do all the follow up work.  One of
> my long term projects is to automate 'cleaning' of the vulnerability
> reports (eliminating stuff we don't care about or have decided that we
> have to live with) and delivering this information to faculty IT
> managers in a form that they find useful.  Even if the outsourcing
> handles this satisfactorily you still need to make sure that stuff gets
> delivered to those responsible for the systems and that things get fixed
> or it is a total waste of money.  Both of these are non-trivial in my
> experience.
>
> We do do vulnerability assessments of new systems as they go into
> service and this takes several hours, most of that time is spent taking
> the raw results of the scan and massaging it into a form that is useful
> for the system admins.
>
> On this note has anyone written anything for post processing results
> from nessus scans?  I'm aware of various perl modules for processing
> output -- what I was thinking of is something that works at a higher
> level, e.g. reads the xml eliminates specified 'alerts' and builds
> tables of systems on one axis and vulnerabilities in columns.
>
> I'm also interested in what nessus plugins people are using for large
> scale scanning and for scanning machines as they appear on the network
> (especially the wireless network ;)
>
> Russell.
>

I have modified nessQuick to support multiple scans.  It imports a Nessus NBE
file into a MySQL DB (working on porting it to Postgresql).  Two php pages
create an executive overview page and display the scan results on a per host
basis.  These pages and modifications have been provided back to the nessQuick
project maintainer, but he's a bit too busy to publish any of them right now.

I use this for scanning hundreds of machines on a monthly basis, and present the
results to upper management.  I then visit each scan result and generate a PDF
and email it to the system owner.  I'm working on automating the PDF generation,
and integrating the scan results page into our Critical Server web interface
(where departments register any server they qualify as Business Critical, along
with the services it runs).

I don't have my web space up at this new job, so I've attached a zip file here
for those who may be interested.  For those who aren't interested, I apologize
for the wasted bandwidth.
--
Jonathan Glass
OIT - Information Security
Information Security Engineer III
Georgia Institute of Technology
Office: 404-385-6900
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nessQuick-GT.zip
Type: application/x-zip-compressed
Size: 4756 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20051008/eb620657/nessQuick-GT.bin
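Russell asks for a higher-level post-processor that reads a scan export, drops the alerts a site has decided to live with, and builds a hosts-by-vulnerabilities table; Jonathan's reply imports Nessus NBE output into a database for the same purpose. The script below is an added example written for this thread, not nessQuick, not the attached nessQuick-GT.zip, and not any Nessus tooling. It works on the pipe-delimited NBE format (`results|subnet|host|port|plugin id|risk|description`), which is assumed from the Nessus 2.x export of the period; the sample export, host addresses and plugin ids 90001-90004 are constructed and do not correspond to real plugins.

```python
"""Post-process a Nessus NBE export: drop accepted-risk plugins, build a
host x finding table for system administrators.

Added example for the unisog thread; not nessQuick and not the attached zip.
NBE result lines are assumed to have the form
    results|<subnet>|<host>|<port>|<plugin id>|<risk>|<description>
Everything in SAMPLE_NBE is constructed sample data, not a real scan.
"""

# Constructed sample NBE export. Plugin ids 9000x are placeholders, not real Nessus plugins.
SAMPLE_NBE = """\
timestamps|||scan_start|Sat Oct  8 10:00:00 2005|
timestamps||192.168.1.10|host_start|Sat Oct  8 10:00:01 2005|
results|192.168.1|192.168.1.10|www (80/tcp)|90001|Security Hole|Constructed: remotely exploitable web server flaw.
results|192.168.1|192.168.1.10|general/tcp|90002|Security Warning|Constructed: information disclosure.
results|192.168.1|192.168.1.10|ssh (22/tcp)|90003|Security Note|Constructed: an SSH server is listening.
results|192.168.1|192.168.1.11|www (80/tcp)|90001|Security Hole|Constructed: remotely exploitable web server flaw.
results|192.168.1|192.168.1.11|http-alt (8080/tcp)|90001|Security Hole|Constructed: same flaw, second instance.
results|192.168.1|192.168.1.11|general/tcp|90004|Security Warning|Constructed: accepted risk | vendor says no fix.
results|192.168.1|192.168.1.12|general/tcp|90004|Security Warning|Constructed: accepted risk | vendor says no fix.
results|192.168.1|192.168.1.12|general/tcp|90003|Security Note|Constructed: an SSH server is listening.
timestamps||192.168.1.10|host_end|Sat Oct  8 10:05:00 2005|
"""

# Risk levels worth sending to an admin; notes and log messages are usually noise.
REPORTABLE = frozenset({"Security Hole", "Security Warning"})


def parse_nbe(text):
    """Yield (host, port, plugin_id, risk, description) for every results line."""
    for line in text.splitlines():
        if not line.startswith("results|"):
            continue  # timestamps and other record types are not findings
        # maxsplit=6 keeps any '|' inside the free-text description intact
        parts = line.split("|", 6)
        if len(parts) < 7:
            continue  # truncated line; skip rather than mis-assign fields
        _, _subnet, host, port, plugin, risk, desc = parts
        # NBE writes embedded newlines as the two characters backslash-n
        yield host, port, plugin, risk, desc.replace("\\n", "\n")


def clean(findings, suppressed, reportable=REPORTABLE):
    """Drop plugins on the accepted-risk list and findings below the risk threshold."""
    return [f for f in findings if f[2] not in suppressed and f[3] in reportable]


def build_report(text, suppressed=frozenset()):
    """Return (sorted plugin ids, {host: {plugin id: number of affected ports}}).

    Hosts are taken from the unfiltered scan so that clean hosts still appear
    as rows; that is what lets an admin see their machine came back empty.
    """
    findings = list(parse_nbe(text))
    hosts = sorted({f[0] for f in findings})
    kept = clean(findings, suppressed)
    plugins = sorted({f[2] for f in kept})
    matrix = {h: {p: 0 for p in plugins} for h in hosts}
    for host, _port, plugin, _risk, _desc in kept:
        matrix[host][plugin] += 1
    return plugins, matrix


def render(plugins, matrix):
    """Render the matrix as a plain-text table: hosts down, plugin ids across."""
    header = ["host"] + list(plugins)
    rows = [header]
    for host in matrix:
        rows.append([host] + [str(n) if n else "-" for n in (matrix[host][p] for p in plugins)])
    widths = [max(len(r[i]) for r in rows) for i in range(len(header))]
    return "\n".join("  ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows)


if __name__ == "__main__":
    # Plugin 90004 stands in for a finding the site has decided to accept.
    print(render(*build_report(SAMPLE_NBE, suppressed={"90004"})))
```

The suppression list is keyed on plugin id rather than on description text, because descriptions change between plugin revisions while the id does not; a site's accepted-risk list can therefore be kept as a short file of ids and diffed over time. Cell values are counts of affected ports, so a host with the same hole on two services is visibly worse than one with a single instance.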

