Chilcott, Mike wrote:

> Using the Nessus Client I created many (approx 85) .nessus files, because
> we have a large Class B network - and I wanted to space out each of the scans
> over a couple of days. I then created .sh files and placed them into the
> crontab to run at scheduled times and days. If I run them with the default
> scan everything works, but I want to make better use of the product, and am
> stumped...
>
> I used the baseline scan policy of Microsoft Patches, and only selected
> the Microsoft patches for 06, 07, and 08. We have a standard software image
> so I really don't need to scan for the other miscellaneous software, so I
> then save this policy as "new ms patches" - now here is where I am stumped -
> I want all 85 of these .nessus files to use this new ms patches policy and
> next month when MS comes out with 4 patches I am going to have to go into
> each of those 85 files to select the new patches.
>
> I thought I could use the "Share this policy across multiple sessions" but
> it will not work. I found in the docs the following: "Note that a policy
> which has the "Share this policy across multiple sessions" option selected
> cannot be saved to a .nessus file. Using this option means that the policy is
> to become one of the default policies displayed whenever the NessusClient is
> started or whenever the "New Session" option is selected from the main menu."
>
> Any thought or ideas so I don't have to go in and modify 85 .nessus files
> each month?
>
> Thanks - Mike
Hi Mike,

Several comments. Bad news first -- the NessusClient was not designed to do
what you are trying to do. Managing multiple scan policies, perhaps multiple
credentials, multiple targets/assets and multiple schedules is something that
the Security Center does. Having said that, I'd look at a few areas you might
be able to improve on.

- Scan Time

If you are just doing credentialed patch auditing, turn off all network port
scanning and just log into the target machines. This is extremely fast with
Nessus. If you have to audit open ports, enable the WMI port scanner. I would
really encourage you to post your current scan times and settings, make changes
and post the new scan times. There's also possibly more optimization you can
make based on CPU load, hosts/scanner and checks/host settings after that.
Unless you have a political requirement to scan 85 distinct networks, I'd
really work on reducing your scan time.

- Policy Management

If you enable a family in a .nessus file, then it will automatically enable new
checks that are in that family. If you specifically enable some checks, the
Nessus Client assumes other checks (like new checks) are disabled. Understand
you might not want to test for older plugins, but there are not that many of
them compared to what was shipped this year and the years you are testing for.
I would strongly consider simply enabling the entire family and avoiding having
to re-edit your files.

- Policy Sharing with the Nessus Client

The function of sharing a policy across sessions is a manifestation of the
client. The actual .nessus files don't change. Since you are batching these
files, making something global won't actually change the settings in your 85
scan policies.

Ron Gula
Tenable Network Security

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
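The family-level selection Ron recommends can be applied to all 85 files with a script rather than by hand. What follows is an added example, not code from this thread or from Tenable. It assumes the .nessus v1 policy layout the NessusClient of that era wrote (a FamilySelection of FamilyItem elements carrying FamilyName/Status, and an IndividualPluginSelection of PluginItem elements carrying PluginId/Family/Status) and that the Microsoft patch checks live in the plugin family named "Windows : Microsoft Bulletins". The sample policy embedded in it is constructed and its plugin IDs are placeholders; check the element and family names against one of your own files before running it over the real set.

```python
"""Batch-switch .nessus v1 policy files from per-plugin to family-level selection.

Added example (not Tenable's code). Element names below are an ASSUMPTION
about the NessusClient v1 .nessus layout; verify against a real file first.
"""
import glob
import sys
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Assumed name of the family holding the MS bulletin checks; confirm in the client.
FAMILY = "Windows : Microsoft Bulletins"

# Constructed sample policy in the assumed v1 layout (not a real file);
# plugin IDs 100001/100002 are placeholders.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<NessusClientData>
<Policies>
<Policy>
<policyName>new ms patches</policyName>
<FamilySelection>
<FamilyItem><FamilyName>Windows : Microsoft Bulletins</FamilyName><Status>mixed</Status></FamilyItem>
<FamilyItem><FamilyName>Port scanners</FamilyName><Status>disabled</Status></FamilyItem>
</FamilySelection>
<IndividualPluginSelection>
<PluginItem><PluginId>100001</PluginId><Family>Windows : Microsoft Bulletins</Family><Status>enabled</Status></PluginItem>
<PluginItem><PluginId>100002</PluginId><Family>Port scanners</Family><Status>enabled</Status></PluginItem>
</IndividualPluginSelection>
</Policy>
</Policies>
</NessusClientData>
"""


def enable_family(data: bytes, family: str = FAMILY) -> Tuple[bytes, int]:
    """Rewrite one policy document so `family` is enabled as a whole.

    Sets the family's Status to "enabled" (adding the FamilyItem if it is
    missing) and deletes that family's per-plugin entries, so the client no
    longer treats plugins absent from the list (i.e. newly released ones) as
    disabled.  Returns the new document and the number of entries dropped.
    """
    root = ET.fromstring(data)
    dropped = 0
    for policy in list(root.iter("Policy")):
        sel = policy.find("FamilySelection")
        if sel is None:
            sel = ET.SubElement(policy, "FamilySelection")
        item = next((fi for fi in sel.findall("FamilyItem")
                     if fi.findtext("FamilyName") == family), None)
        if item is None:
            item = ET.SubElement(sel, "FamilyItem")
            ET.SubElement(item, "FamilyName").text = family
        status = item.find("Status")
        if status is None:
            status = ET.SubElement(item, "Status")
        status.text = "enabled"

        # Per-plugin entries for this family would pin the selection to the
        # listed IDs again, so remove them (findall returns a list; safe to remove).
        ips = policy.find("IndividualPluginSelection")
        if ips is not None:
            for pi in ips.findall("PluginItem"):
                if pi.findtext("Family") == family:
                    ips.remove(pi)
                    dropped += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), dropped


def family_status(data: bytes, family: str) -> Optional[str]:
    """Return the Status recorded for `family` in the document, or None."""
    root = ET.fromstring(data)
    for fi in root.iter("FamilyItem"):
        if fi.findtext("FamilyName") == family:
            return fi.findtext("Status")
    return None


def rewrite_files(paths, family: str = FAMILY) -> int:
    """Rewrite each .nessus file in place; returns total per-plugin entries dropped."""
    total = 0
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        new, n = enable_family(data, family)
        with open(path, "wb") as f:
            f.write(new)
        print(f"{path}: {family!r} enabled, {n} per-plugin entries removed")
        total += n
    return total


if __name__ == "__main__":
    # Usage: python fix_policies.py *.nessus   (defaults to *.nessus in cwd)
    rewrite_files(sys.argv[1:] or sorted(glob.glob("*.nessus")))
```

Back up the files first: ElementTree rewrites the whole document and drops XML comments. Running the script a second time is a no-op, so it can be rerun safely after confirming on one file that the client loads the result and shows the family as enabled.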
