Nessus Test Assets allow on-demand vulnerability scanning and auditing of all deployment runs (i.e., both newly provisioned and long-standing). There are two ways in which Nessus Test Assets can be used:
- Part of a Deployment - By default, adding a Nessus Test Asset to a deployment scans all hosts that are part of that deployment. If one or more targets are specified in the deployment properties (see below), only those targets are scanned.
- Test-Only Deployment - The Nessus Test Asset is stood up as its own deployment run and scans only the targets specified in the deployment properties (see below).
Nessus 6.4 documentation can be found at the Tenable site here: http://static.tenable.com/documentation/nessus_6.4_user_guide.pdf
Nessus Test Assets accept the deployment properties described below.
- nessus.targets : Specifies the target host(s) to scan. Should only be used as part of a Test-Only Deployment.
Targets can be given as a single IP address (e.g., nessus.targets=192.168.0.1), a comma-separated set of IPs (e.g., nessus.targets=192.168.1.1,192.168.1.3,192.168.1.24), an IP range (e.g., nessus.targets=192.168.0.1-192.168.0.255), a subnet in CIDR notation (e.g., nessus.targets=192.168.0.0/24), a resolvable host name (e.g., nessus.targets=www.nessus.org), or an IPv6 address, optionally with a zone identifier (e.g., nessus.targets=link6%eth0, fe80::220d:17ff:fe57:333b, or fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0). An IP range or CIDR block expands to every address in it, so check the size of the target set before starting a scan.
- nessus.format : Specifies the format of the report.
Options are pdf, html, and db; a .nessus and a csv report are generated in addition to the chosen format. Default is pdf. Example: nessus.format=html
- nessus.chapters : Specifies the chapters to include in the report. See http://static.tenable.com/documentation/nessus_6.4_user_guide.pdf for information about Nessus chapters.
Expects a semicolon-delimited string made up of some combination of the following options: vuln_hosts_summary, vuln_by_host, compliance_exec, remediations, vuln_by_plugin, compliance (e.g., nessus.chapters=vuln_by_host;vuln_by_plugin).
Default: vuln_hosts_summary, or vuln_hosts_summary;compliance if an audit file is detected.
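The nessus.targets forms listed above are easy to get subtly wrong (a reversed range, a zone identifier on an IPv4 address, a mistyped address that silently becomes a "host name"). The following added example, which is not part of this project's code, classifies each comma-separated entry of a nessus.targets value and estimates how many addresses the scan will cover, so the property can be checked before a Test-Only Deployment is launched. It assumes the framework passes anything that is not an address literal to the scanner for DNS resolution, and that a zone identifier (the part after %) is meaningful only for IPv6 literals or link-local host names.

```python
import ipaddress
import re

# Hostname label syntax (RFC 1123 style). Assumption: the framework hands
# anything that is not an address literal to the scanner for DNS resolution.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$", re.IGNORECASE)


def _as_ip(text):
    """ipaddress object for text, or None if it is not a literal address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify_target(token):
    """Classify one nessus.targets entry.

    Returns (kind, zone, address_count), where kind is one of
    "ipv4", "ipv6", "range", "cidr" or "host". Raises ValueError for
    anything that matches none of the documented forms.
    """
    token = token.strip()
    zone = None
    if "%" in token:                      # zone id: fe80::1%eth0, link6%eth0
        token, zone = token.split("%", 1)
        if not zone:
            raise ValueError("empty zone identifier")
    if not token:
        raise ValueError("empty target")

    if "/" in token:                      # CIDR block, e.g. 192.168.0.0/24
        if zone:
            raise ValueError("zone identifier not allowed on a CIDR block")
        net = ipaddress.ip_network(token, strict=False)
        return "cidr", None, net.num_addresses

    if "-" in token:                      # start-end range, e.g. 192.168.0.1-192.168.0.255
        lo, hi = (_as_ip(part) for part in token.split("-", 1))
        if lo is not None and hi is not None:
            if zone:
                raise ValueError("zone identifier not allowed on a range")
            if lo.version != hi.version:
                raise ValueError("range endpoints must be the same IP version")
            if hi < lo:
                raise ValueError("range end precedes range start")
            return "range", None, int(hi) - int(lo) + 1
        # otherwise the hyphen is part of a host name (my-host.example.org)

    ip = _as_ip(token)
    if ip is not None:
        if zone and ip.version != 6:
            raise ValueError("zone identifier only valid with IPv6")
        return f"ipv{ip.version}", zone, 1

    if re.fullmatch(r"[\d.]+", token):    # looks like IPv4 but did not parse
        raise ValueError(f"malformed IPv4 address: {token!r}")
    if HOSTNAME_RE.match(token):          # resolved by the scanner; count unknown
        return "host", zone, 1

    raise ValueError(f"unrecognised target: {token!r}")


def parse_targets(value):
    """Parse a nessus.targets value into [(entry, kind, zone), ...] and the
    number of addresses the scan will cover (host names counted as one each)."""
    entries, total = [], 0
    for raw in value.split(","):
        if not raw.strip():
            continue
        kind, zone, count = classify_target(raw)
        entries.append((raw.strip(), kind, zone))
        total += count
    if not entries:
        raise ValueError("nessus.targets is empty")
    return entries, total


if __name__ == "__main__":
    for spec in ("192.168.0.1", "192.168.0.1-192.168.0.255,192.168.0.0/24",
                 "www.nessus.org,link6%eth0,fe80::220d:17ff:fe57:333b"):
        print(spec, "->", parse_targets(spec))
```

The address count is what you want to look at before a range or CIDR scan: a single /16 entry covers 65,536 addresses and will dominate the scan time of the deployment run. Digit-only strings that fail to parse (such as 192.168.0.256) are rejected outright rather than being handed to DNS as a host name.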
The following describes the different components of a Nessus Test Asset.
nessus-config.properties: This file maps files within the test asset to the configuration roles described below, one property per line. nessus.audit-category must match the type of the audit file (Unix or Windows):
    nessus.policy=nessus_policy_Full_Scan_Policy.nessus
    nessus.credentials=nessus-credentials.txt
    nessus.audit=test.audit
    nessus.audit-category=Unix
- Policy File : A .nessus file that details which families of plugins to run during scanning. These files can be created on a Nessus scanner and exported.
- Credentials File : This file allows credentials to be included in a Nessus scan. Each set of credentials is given by the following fields:
    Credential Type : one of WINDOWS_PASSWORD, SSH_PASSWORD, SSH_SUDO, SSH_SU
    Username : the username for the given credentials
    Password : the password for the given credentials
    The following two fields must also be provided if the credential type is SSH_SUDO or SSH_SU:
    Escalation Account : the account username to escalate to
    Escalation Password : the password required to escalate privileges
    Multiple sets of credentials can be passed as long as they are separated by the pattern: --break--
    Because the file holds cleartext passwords, treat the test asset that contains it as sensitive.
- Audit File : This file configures the compliance audits to run against the system(s) in question and measures their compliance to that audit (i.e., passed or failed). Audit files are of two types, Unix and Windows. For an audit file to run, credentials of the corresponding type (an SSH_* type for Unix, WINDOWS_PASSWORD for Windows) must be included as well.
The audit file in the basic Nessus test asset is included to show the intended use and the reporting changes that come with including an audit file in a Nessus scan; the audit itself merely checks whether the (Unix) system enforces a minimum password length of at least 14 characters:
    <check_type: "Unix">
      <item>
        name: "min_password_length"
        description: "Minimum password length"
        value: "14..MAX"
      </item>
    </check_type>
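The two rules a test asset most often trips over are the ones stated above: an SSH_SUDO or SSH_SU credential set without its escalation pair, and an audit file with no credential of the matching type, in which case the compliance chapter is simply empty. The following added example, which is not this project's code, parses a credentials file into its --break---separated sets and enforces both rules, then extracts the check from an audit file and evaluates its value range against an observed setting. It assumes an on-disk layout of one "Label: value" line per field using the labels listed above (the page does not show the exact syntax), that Unix audits are driven by the SSH_* types and Windows audits by WINDOWS_PASSWORD, and that an audit value is either a low..high range with MIN/MAX keywords (as on the page) or a bare integer meaning an exact match. The credentials, the audit file and the observed PASS_MIN_LEN value are constructed for the demonstration.

```python
import re

CREDENTIAL_TYPES = {"WINDOWS_PASSWORD", "SSH_PASSWORD", "SSH_SUDO", "SSH_SU"}
ESCALATING_TYPES = {"SSH_SUDO", "SSH_SU"}
# Assumption: Unix audits need an SSH login, Windows audits a Windows login.
AUDIT_CREDENTIAL_TYPES = {"Unix": {"SSH_PASSWORD", "SSH_SUDO", "SSH_SU"},
                          "Windows": {"WINDOWS_PASSWORD"}}
BREAK = "--break--"
# Assumed file layout: one "Label: value" line per field, labels as in the text.
FIELD_LABELS = {"credential type": "type", "username": "username",
                "password": "password", "escalation account": "escalation_account",
                "escalation password": "escalation_password"}

# Constructed sample credentials file: a sudo user for Unix hosts plus a Windows account.
SAMPLE_CREDENTIALS = """\
Credential Type: SSH_SUDO
Username: scanner
Password: scanner-pass
Escalation Account: root
Escalation Password: root-pass
--break--
Credential Type: WINDOWS_PASSWORD
Username: svc_nessus
Password: W1ndows:Pass
"""

# Constructed sample audit file, the same check as the one on the page.
SAMPLE_AUDIT = """\
<check_type: "Unix">
  <item>
    name: "min_password_length"
    description: "Minimum password length"
    value: "14..MAX"
  </item>
</check_type>
"""


def parse_credentials(text):
    """Split a credentials file on --break-- and validate each credential set."""
    creds = []
    for n, block in enumerate(text.split(BREAK), 1):
        if not block.strip():
            continue
        entry = {}
        for line in block.strip().splitlines():
            if not line.strip():
                continue
            label, sep, value = line.partition(":")   # passwords may contain ':'
            key = FIELD_LABELS.get(label.strip().lower())
            if not sep or key is None:
                raise ValueError(f"credential set {n}: unrecognised line {line!r}")
            entry[key] = value.strip()
        ctype = entry.get("type")
        if ctype not in CREDENTIAL_TYPES:
            raise ValueError(f"credential set {n}: bad Credential Type {ctype!r}")
        required = ["username", "password"]
        if ctype in ESCALATING_TYPES:          # SSH_SUDO / SSH_SU need the escalation pair
            required += ["escalation_account", "escalation_password"]
        missing = [f for f in required if not entry.get(f)]
        if missing:
            raise ValueError(f"credential set {n} ({ctype}): missing {missing}")
        creds.append(entry)
    if not creds:
        raise ValueError("credentials file contains no credential sets")
    return creds


def audit_runnable(creds, category):
    """True if some credential set can drive an audit of this category."""
    if category not in AUDIT_CREDENTIAL_TYPES:
        raise ValueError(f"unknown nessus.audit-category {category!r}")
    return any(c["type"] in AUDIT_CREDENTIAL_TYPES[category] for c in creds)


def audit_items(text):
    """Extract (name, value) pairs from the <item> blocks of an audit file."""
    items = []
    for body in re.findall(r"<item>(.*?)</item>", text, re.S):
        name = re.search(r'name:\s*"([^"]*)"', body)
        value = re.search(r'value:\s*"([^"]*)"', body)
        if not (name and value):
            raise ValueError("audit item without name/value")
        items.append((name.group(1), value.group(1)))
    return items


def parse_range(spec):
    """"14..MAX" -> (14, None); "MIN..8" -> (None, 8); bare "14" -> (14, 14).
    None is an open bound. The bare-integer form is an assumption."""
    m = re.fullmatch(r"\s*(MIN|\d+)\.\.(MAX|\d+)\s*", spec)
    if m:
        return (None if m.group(1) == "MIN" else int(m.group(1)),
                None if m.group(2) == "MAX" else int(m.group(2)))
    if re.fullmatch(r"\s*\d+\s*", spec):
        return int(spec), int(spec)
    raise ValueError(f"unsupported audit value {spec!r}")


def value_passes(observed, spec):
    """Compliance verdict for an observed integer setting against the audit value."""
    lo, hi = parse_range(spec)
    return (lo is None or observed >= lo) and (hi is None or observed <= hi)


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_CREDENTIALS)
    print("Unix audit runnable:", audit_runnable(creds, "Unix"))
    for name, spec in audit_items(SAMPLE_AUDIT):   # PASS_MIN_LEN=8 is a constructed value
        print(name, spec, "->", "PASSED" if value_passes(8, spec) else "FAILED")
```

Run this against the asset before deploying it: a credentials file that only carries WINDOWS_PASSWORD with nessus.audit-category=Unix is a configuration the scanner will accept but never audit with, and the range evaluation shows why the page's example check is satisfied only by a host whose minimum password length is 14 or more.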