
restricting client options
My question relates to nessus' client/server model, and more
specifically, its config files.

We have a Linux server running the nessus daemon and I'm connecting to
it with a Windows client. What I'm not grasping is how the admin of the
nessus server sets restrictions on what the client can and can't do when
requesting a scan. My apologies if the answer is clearly documented;
I've been unable to find it.

An example of this is the "Log details of the scan on the server"
checkbox in the Options tab of the nessus client. Due to the volume of
scans we'll be doing, as well as the log verbosity, I don't want to log
every launched/not-launched nasl for every target host -- the log gets
ridiculously large very quickly.

What I'd like to see happen is that we offer the nessus client to
departmental sysadmins who can manage their own scans, though we
(central IT) will manage the nessus server itself. The problem I see
here is that I don't want nessus client users (sysadmins) to be able to
check the "Log details of the scan on the server" (for example) and fill
up my logs.

So, where can the nessus server admin set these restrictions that will
override settings specified by the client?

Thanks for reading,
-rw
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: restricting client options
hi Rich,

The model puts a lot of control into the NessusClient and there are
not a lot of options to limit certain preferences at the client
that can't be overwritten by the NessusClient.

You could allow the various Sysadmins to use their own scanners
and send you their Nessus reports.

The Security Center has all sorts of role-based and policy-based
tools so you can restrict certain users to only be able to perform
certain types of scans. This is not something we were planning
on enforcing at the Nessus scanner daemon itself, aside from
limiting what certain Nessus users could actually scan for targets.

Ron Gula
Tenable Network Security


Rich Whitcroft wrote:
> My question relates to nessus' client/server model, and more
> specifically, its config files.
>
> We have a Linux server running the nessus daemon and I'm connecting to
> it with a Windows client. What I'm not grasping is how the admin of the
> nessus server sets restrictions on what the client can and can't do when
> requesting a scan. My apologies if the answer is clearly documented;
> I've been unable to find it.
>
> An example of this is the "Log details of the scan on the server"
> checkbox in the Options tab of the nessus client. Due to the volume of
> scans we'll be doing, as well as the log verbosity, I don't want to log
> every launched/not-launched nasl for every target host -- the log gets
> ridiculously large very quickly.
>
> What I'd like to see happen is that we offer the nessus client to
> departmental sysadmins who can manage their own scans, though we
> (central IT) will manage the nessus server itself. The problem I see
> here is that I don't want nessus client users (sysadmins) to be able to
> check the "Log details of the scan on the server" (for example) and fill
> up my logs.
>
> So, where can the nessus server admin set these restrictions that will
> override settings specified by the client?
>
> Thanks for reading,
> -rw

Re: restricting client options
Rich Whitcroft wrote:
> An example of this is the "Log details of the scan on the server"
> checkbox in the Options tab of the nessus client. Due to the volume of
> scans we'll be doing, as well as the log verbosity, I don't want to log
> every launched/not-launched nasl for every target host -- the log gets
> ridiculously large very quickly.
>
> ...
> The problem I see
> here is that I don't want nessus client users (sysadmins) to be able to
> check the "Log details of the scan on the server" (for example) and fill
> up my logs.
>
Why don't you just set a script to clean the area out every night?

e.g.

find /opt/nessus/var/nessus/users/ -name kbs -exec rm -rf {} \;

You could add exclusions around that, move to another area,
delete-if-older-than - all sorts of things...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
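The nightly-cleanup idea above, written out as a complete script (an added example, not Jason's one-liner or anything shipped with Nessus). It keeps the users directory named in the post but adds the "delete-if-older-than" variant Jason mentions, plus a dry-run switch so an admin can see what a cron run would remove before letting it delete anything. RETENTION_DAYS, DRY_RUN and the prune_kbs function are assumptions of this example, not Nessus settings:

```shell
#!/bin/sh
# Added example (not from the list post): prune per-user Nessus knowledge-base
# ("kbs") directories older than a retention window, reporting first.
#
# NESSUS_USERS_DIR is the path quoted in the post; RETENTION_DAYS and DRY_RUN
# are knobs assumed for this example, not Nessus configuration keys.
NESSUS_USERS_DIR="${NESSUS_USERS_DIR:-/opt/nessus/var/nessus/users}"
RETENTION_DAYS="${RETENTION_DAYS:-7}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only report what would go; 0 = really delete

# prune_kbs BASE DAYS DRYRUN
# Prints one line per kbs directory under BASE whose mtime is older than
# DAYS days. With DRYRUN=1 it only reports; otherwise it removes the tree.
prune_kbs() {
    base="$1"; days="$2"; dry="$3"
    if [ ! -d "$base" ]; then
        echo "prune_kbs: no such directory: $base" >&2
        return 1
    fi
    # -prune stops find descending into any kbs tree (whatever its age);
    # -mtime +N then selects only the kbs directories older than N days.
    find "$base" -type d -name kbs -prune -mtime +"$days" -print |
    while IFS= read -r dir; do
        if [ "$dry" = 1 ]; then
            printf 'would remove: %s\n' "$dir"
        else
            rm -rf -- "$dir" && printf 'removed: %s\n' "$dir"
        fi
    done
}

# Run against the real users directory only when it exists on this host,
# so the script is harmless to source on a machine without Nessus.
if [ -d "$NESSUS_USERS_DIR" ]; then
    prune_kbs "$NESSUS_USERS_DIR" "$RETENTION_DAYS" "$DRY_RUN"
fi
```

Put it in cron with DRY_RUN=1 for a few nights and read the output before switching to DRY_RUN=0; the per-user layout means an old kbs directory for one sysadmin's targets is removed without touching another user's fresh results.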
