Mailing List Archive

setting to disable a plugin by default
Is there a setting for plugins to disable them by default? The nikto.nasl
has a nice checkbox.. any other way? I have one with reverse logic (errors
if false) that is quite handy, but also rings high when you forget to put in
credentials.

alternatively, I suppose, I could use a snippet of code to require
credentials.

--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone,
on MMORPGs
Re: setting to disable a plugin by default
Doug Nordwall wrote:
> Is there a setting for plugins to disable them by default? The nikto.nasl
> has a nice checkbox.. any other way? I have one with reverse logic (errors
> if false) that is quite handy, but also rings high when you forget to put in
> credentials.
>
> alternatively, I suppose, I could use a snippet of code to require
> credentials.

I have a similar problem with a plugin that requires root credentials.

If you enter the wrong root password my script will get errors from the
target (e.g. permission denied reading /etc/shadow) and thus fail.

So instead of trying to catch all possible exceptions, I decided to
write a check to see if root managed to successfully login, which requires:

1. entered username (handled by ssh_func.inc)
2. entered password (handled by ssh_func.inc)
3. correct username/password entered
4. su/sudo selected
5. su/sudo password entered (no password causes Nessus to hang)
6. correct su/sudo password entered

The best way I found was to do the normal checking for a successful SSH
connection which handles 1-3, then issue the 'id' command and check if
you get uid=0 back, that way you know you've got through 4-6 and now
have a root prompt.

Calling one plugin from another would be a nice thing to have - i.e. my
plugin checks for a valid root login, but if it fails I'd like it to
call hostlevel_check_failed.nasl and set the bit in the KB, rather than
me having to issue a security_note() for every failed plugin - and do
the above checks in every plugin instead of just script_exclude_keys().

But anyway, back to your main problem: if you want to disable the whole
plugin and not just a preference, can't you just save the scan policy
with it disabled in the plugin list? That way you don't have to code up
a checkbox/preference.

--
Simon John
nessus at the-jedi.co.uk

_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
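Putting the two ideas in this thread together (Doug's checkbox that defaults to off, Simon's "issue `id` and look for uid=0" gate for steps 4-6), here is an added plugin skeleton. It is example code written for this page, not code from either poster or from the Nessus plugin feed. It assumes the ssh_func.inc functions ssh_open_connection(), ssh_cmd() and ssh_close_connection() exist with the argument names used below (check against the ssh_func.inc shipped with your feed); the script ID, preference label and KB key names are placeholders.

```nasl
# Added example, not from the list thread: a root-only plugin that is
# disabled by default via a checkbox, and that stays silent unless the
# SSH session actually reaches uid=0.
# Assumed: ssh_open_connection/ssh_cmd/ssh_close_connection from ssh_func.inc.
# Placeholders: script_id 99999, the preference label, and the KB key names.

if (description)
{
  script_id(99999);                                  # placeholder, not a registered ID
  script_version("$Revision: 1.0 $");
  script_name(english:"Example: root-level check (off by default)");
  script_summary(english:"Runs a root-level check only when enabled and uid=0 is reached");
  script_description(english:"Example plugin: reads a root-only file over SSH, but only when
the operator enables it and the login plus su/sudo step actually yields root.");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"Example code for illustration");

  # Same pattern as nikto.nasl: a checkbox whose default value is "no",
  # so a policy that never touched it leaves the plugin inert.
  script_add_preference(name:"Enable root-level example check",
                        type:"checkbox", value:"no");

  # ssh_settings.nasl is where the SSH credentials are collected.
  script_dependencies("ssh_settings.nasl");
  # Hypothetical key: skip the run if an earlier plugin already flagged a bad login.
  script_exclude_keys("Example/root_login_failed");
  exit(0);
}

include("ssh_func.inc");

# Gate 1: the preference. Unless the operator flipped the box, do nothing.
pref = script_get_preference("Enable root-level example check");
if (pref != "yes") exit(0);

# Gate 2: steps 1-3 from the thread (username and password present and accepted).
# ssh_open_connection() returns 0 when no usable SSH login is configured.
sock = ssh_open_connection();
if (!sock) exit(0);

# Gate 3: steps 4-6 (su/sudo selected, password supplied, password correct).
# ssh_cmd() applies the configured su/sudo escalation; 'id' is cheap and its
# first field is unambiguous, so match on "uid=0(" rather than on the word root.
out = ssh_cmd(cmd:"id");
if (!ereg(pattern:"^uid=0\(", string:out))
{
  ssh_close_connection();
  # Record the failure in the KB (hypothetical key) so dependent plugins can
  # exclude themselves instead of each emitting its own security_note().
  set_kb_item(name:"Example/root_login_failed", value:TRUE);
  exit(0);
}

# Only now run the part that genuinely needs root.
shadow = ssh_cmd(cmd:"cat /etc/shadow");
ssh_close_connection();

# Belt and braces: even with uid=0 a hardened host may refuse the read.
if (strlen(shadow) && !egrep(pattern:"[Pp]ermission denied", string:shadow))
  security_note(port:0,
                data:"Root-level example check ran: /etc/shadow readable (" +
                     strlen(shadow) + " bytes).");
```

The order of the gates matters: the preference check runs before any network activity, the connection check before the `id` command, and the `id` check before anything that would otherwise produce the "permission denied" noise Simon describes. Keeping the KB key in script_exclude_keys() of every dependent plugin is what stops one wrong su/sudo password from turning into a page of red findings.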
Re: setting to disable a plugin by default
Perhaps you are correct that it is more of a user training issue than
anything, or I should make a new family for inverse logic plugins, so
they don't provide a stream of red alerts ;)



On Feb 12, 2009, at 6:33 AM, Simon John <nessus@the-jedi.co.uk> wrote:
