Zate,
We automate the whole process with perl and shell scripts, use an Oracle
back-end to store the results, and display the results and
month-over-month trends with a PHP front-end. We also have an
email-based self-service scanning system wherein users can submit scan
requests directly to the scanning server with the server name(s) in the
subject block and scanning options in the message body. The HTML
results are sent back to them and to anyone they put in the CC block.
A word of caution: you must use strong access control for anything like
this, for obvious reasons. If you post your scan results on Apache as
many people do, you can easily restrict access using Active Directory
groups using something like the following in your httpd.conf file:
LDAPSharedCacheSize 2000000
LDAPCacheEntries 2048
LDAPCacheTTL 600
LDAPOpCacheEntries 2048
LDAPOpCacheTTL 600
<Directory /full-path-to-scan-report-directory>
SSLRequireSSL
AuthType Basic
AuthName "Windows User Credentials"
Order deny,allow
Allow from a.b.c.d/24
Deny from all
AuthLDAPAuthoritative on
AuthLDAPBindDN "cn=ldap-proxy-account,ou=blah,dc=example,dc=com"
AuthLDAPBindPassword "ldap-proxy-password"
AuthLDAPEnabled on
AuthLDAPGroupAttributeIsDN on
AuthLDAPURL
"ldap://example.com/ou=blah,dc=example,dc=com?sAMAccountName?sub?(object
class=user)"
require group cn=Nessus Report Viewers,ou=blah,dc=example,dc=com
</Directory>
Notes:
* The key here is the "require group" directive. This is an AD
global security or distribution group. Do NOT enclose this in quotes or
it will not work (even though other directives require quotes around the
DN).
* With recent versions of mod_ldap / mod_auth_ldap, you can't
specify just the domain for the base DN. You must go at least one level
deeper (e.g., OU).
* In the AuthLDAPURL directive, specifying just the domain name
(versus the FQDN of the domain controller) works for us because all our
DCs are also DNSs (AD-integrated) and a DNS query for the domain name
returns the NS records of the DNSs. This gives us fault-tolerance.
* The setup above does not encrypt the password between the
Apache server and the domain controller. We can get away with that
because both network segments are in a tightly controlled data center.
If that connection will traverse an untrusted network in your case, you
will want to use LDAP over SSL/TLS.
You can also authenticate via Kerberos with something like the following
(however, I've not yet found a way to use group-based access control):
<Directory /full-path-to-scan-report-directory>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate Off
KrbMethodK5Passwd On
KrbAuthoritative On
KrbAuthRealms EXAMPLE.COM
KrbVerifyKDC Off
require valid-user
SSLRequireSSL
</Directory>
Notes:
* The above configuration specifically turns off KDC
verification (does not use keytab, KrbMethodNegitiate = off,
KrbVerifyKDC = off). Again, our stuff is in a trusted environment. If
yours is not, don't do it this way.
* You will have to properly configure your /etc/krb5.conf for
this to work. On Red Hat / Fedora, this is trivially easy to do with
the authconfig command.
If you want to discuss more, send me your phone number off-list by
email. I'll try to call you when I'm not mired in PCI-DSS compliance
hurdles.
John Scherff
Sr. IT Security Analyst
24 Hour Fitness
________________________________
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Zate Berg
Sent: Thursday, November 09, 2006 6:14 AM
To: nessus@list.nessus.org
Subject: Nessus in the Enterprise
Good Morning All,
I was wondering if anyone could contact me off the list to discuss how
they have Nessus setup and deployed in a large network. I am not
finding much information on things like reporting and a centralized web
interface.
Mainly looking for info such as
* what you run it on,
* how many scanners you use,
* how you manage user access to the scanners,
* do you use a central Web console of some kind? (does a full featured
one exist?)
* How do you store your reports?
Thanks :)
--
Zate
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
