Looking at the default Nessus profiles, it seems to scan only common ports for the PCI scan. Still I would include all the ports, because when a third party scans the environment (annual pentest) they probably will as well; you want to avoid new findings and be in control. My external quarterly ASV scan vendor also scans all IPs on all ports, even when the machine is down.

One thing Nessus does do/know is what the PCI rules are, which sometimes helps with findings (it says why it is not PCI compliant). Even though the rules aren't that strict for the internal scans, as 11.2.3.b says:

For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS. For internal scans, all "high risk" vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.

So no matter the CVSS score, with a good risk methodology you can get a case internally with a high CVSS score but a low risk which may be acceptable. No matter if you use OpenVAS, Nessus or something else, you still need to decide your threshold for which findings make it to your report and then determine the risk. (I always make my own report for the customers and include the default reports with raw data as well.)

Thijs Stuurman
Security Operations Center | KPN Internedservices
[email protected] | [email protected]
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
W: https://www.internedservices.nl | L: http://nl.linkedin.com/in/thijsstuurman

From: Ahmad Al-Talafha [mailto:[email protected]]
Sent: Thursday, 24 August 2017 11:15
To: Thijs Stuurman <[email protected]>; Eero Volotinen <[email protected]>
Cc: [email protected]
Subject: RE: [Openvas-discuss] DSS PCI NVT family missing

Thanks Thijs,

I am conducting an internal scan, and testing OpenVAS. I was confused because we have Nessus and there is a policy related to PCI DSS, and I thought I could find the same in OpenVAS.

Best Regards,
Ahmad Al Talafha

From: Thijs Stuurman [mailto:[email protected]]
Sent: Thursday, August 24, 2017 12:11 PM
To: Ahmad Al-Talafha <[email protected]>; Eero Volotinen <[email protected]>
Cc: [email protected]
Subject: RE: [Openvas-discuss] DSS PCI NVT family missing

I suppose the default scan config "Full and fast" would suffice.

Personally I do not use OpenVAS for PCI environments and opted for a Nessus VM which has a PCI internal vulnerability scan option. The only reason for that is because the PCI auditors (and our customers) know and trust Nessus, and it clearly shows it is a PCI internal scan which was performed. It just makes the audits easier.

If in any doubt, contact your PCI auditor to verify what he thinks is acceptable.

Thijs Stuurman
Security Operations Center | KPN Internedservices
[email protected] | [email protected]
T: +31(0)299476185 | M: +31(0)624366778
PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
W: https://www.internedservices.nl | L: http://nl.linkedin.com/in/thijsstuurman

From: Openvas-discuss [mailto:[email protected]] On Behalf Of Ahmad Al-Talafha
Sent: Thursday, 24 August 2017 11:02
To: Eero Volotinen <[email protected]>
Cc: [email protected]
Subject: Re: [Openvas-discuss] DSS PCI NVT family missing

Hi Eero,

Please can you tell me in this case which NVT family to choose, and how I can check if all plugins are enabled?

Best Regards,
Ahmad Al Talafha

From: [email protected] [mailto:[email protected]] On Behalf Of Eero Volotinen
Sent: Thursday, August 24, 2017 10:32 AM
To: Ahmad Al-Talafha <[email protected]>
Cc: [email protected]
Subject: Re: [Openvas-discuss] DSS PCI NVT family missing

There is no such thing as a PCI family in OpenVAS. For internal PCI scanning you need to enable all plugins and scan all TCP ports.

Eero

2017-08-24 10:07 GMT+03:00 Ahmad Al-Talafha <[email protected]>:

Dears,

Hope this mail finds you well.

I am using OpenVAS version 7.0.2, and I am trying to run a PCI compliance scan but I can't find a PCI family in the NVTs. My NVTs status shows "Too old (14 days) - Please check the automatic synchronization of your system".

Please advise on this case, what I am missing.

Best Regards,
Ahmad Al Talafha

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
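The thread's practical point is that, whatever scanner you use, you have to apply the PCI DSS 11.2.3.b thresholds yourself and decide which findings reach the report, and that results from a stale NVT feed should not be trusted. The following is an added example, not code from the thread, from OpenVAS, Nessus or KPN: it takes a constructed list of findings in a shape of my own choosing (host, port, name, scanner CVSS base score, and the organization's own Requirement 6.1 risk rank) and applies the external rule (any CVSS 4.0 or higher fails) and the internal rule (only "high" risk fails), with a feed-age gate set at the 14 days the OpenVAS UI warned about.

```python
"""Decide which scan findings must go into a PCI DSS vulnerability report.

Added example for this thread (not OpenVAS, Nessus or KPN code). It applies
the two thresholds quoted from PCI DSS 11.2.3.b: an external scan fails on any
finding with a CVSS base score of 4.0 or higher, while an internal scan fails
only on findings the organization's own Requirement 6.1 risk ranking rates
"high". The findings below are constructed sample data; the record layout is
my own, not a scanner export format.
"""
from dataclasses import dataclass
from datetime import date

EXTERNAL_CVSS_THRESHOLD = 4.0   # PCI DSS 11.2.3.b, external scans
MAX_FEED_AGE_DAYS = 14          # age at which the OpenVAS UI in the thread said "Too old"


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    name: str
    cvss: float        # CVSS base score as reported by the scanner
    risk_rank: str     # organization's own 6.1 ranking: "high", "medium" or "low"


def feed_is_current(last_sync_iso: str, scan_day_iso: str,
                    max_age_days: int = MAX_FEED_AGE_DAYS) -> bool:
    """A scan run against a stale plugin feed cannot be relied on for compliance."""
    age = date.fromisoformat(scan_day_iso) - date.fromisoformat(last_sync_iso)
    return age.days <= max_age_days


def fails_pci(finding: Finding, scope: str) -> bool:
    """Apply the 11.2.3.b rule that matches the scan scope."""
    if scope == "external":
        return finding.cvss >= EXTERNAL_CVSS_THRESHOLD
    if scope == "internal":
        return finding.risk_rank == "high"
    raise ValueError(f"unknown scan scope: {scope!r}")


def report_findings(findings, scope):
    """Return the findings that make it into the report, highest CVSS first."""
    failing = [f for f in findings if fails_pci(f, scope)]
    return sorted(failing, key=lambda f: (-f.cvss, f.host, f.port))


# Constructed sample results, as if exported from one scan run.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "443/tcp", "TLS 1.0 enabled", 5.3, "medium"),
    Finding("10.0.0.5", "22/tcp", "SSH weak MAC algorithms", 2.6, "low"),
    Finding("10.0.0.9", "445/tcp", "SMBv1 enabled", 7.5, "high"),
    Finding("10.0.0.9", "8080/tcp", "Default credentials on admin console", 9.8, "high"),
    Finding("10.0.0.12", "3306/tcp", "Database reachable from CDE segment", 6.5, "high"),
]

if __name__ == "__main__":
    # Constructed dates: feed last synced on 1 August, scan run on 24 August.
    if not feed_is_current("2017-08-01", "2017-08-24"):
        print(f"NVT feed older than {MAX_FEED_AGE_DAYS} days: refresh it before relying on results")
    for scope in ("external", "internal"):
        selected = report_findings(SAMPLE_FINDINGS, scope)
        print(f"--- {scope} scan: {len(selected)} finding(s) to report")
        for f in selected:
            print(f"{f.host:<10} {f.port:<9} CVSS {f.cvss:<4} risk={f.risk_rank:<6} {f.name}")
```

With the sample data the external rule reports four of the five findings (everything at CVSS 4.0 or above, including the medium-risk TLS 1.0 item), while the internal rule reports only the three the organization ranked "high", which is the difference Thijs describes between a high CVSS score and an acceptable internal risk.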
