I have created a short tutorial on how to run automated scans using the latest version of Nessus, and I thought that the best place to put it would be the favorite site of the white hats.
The reason for this tutorial is that I didn't find another one on the web. Also, somebody from Tenable told one of our contractors that automated scans are not supported anymore in Nessus, and that we have to buy Tenable Security Center ($15.000+).
I first tried Nessus version 4.0.2. I succeeded with that one, so I gave the newest version a try.
For both of them I used the professional feed. In the latest home feed version (4.2.2), port 1241 is not open, so maybe somebody else will have a fix for this.
1. First, you have to install Nessus.
2. For convenience I’ll create two folders:
a. /opt/nessus-scripts - to store the scripts and the host files
b. /opt/nessus-reports - to store the scan reports (named after the scan date)
3. You'll have to create a scan policy.
Because the firewall doesn’t allow me to connect to port 8834 on my Nessus server, I created the policy using a Nessus 4.2 home feed version installed on a Windows 7 desktop.
Within the general tab of the policy configuration, be sure to set the visibility to “Private”. If the “Shared” visibility is used, the policy will be saved in the XML format, which prevents it from being exported in the .nessus format.
As an example I created a policy named test, with the visibility set to Private. If the user used to create the policy is not a Nessus administrator, Private is the only option you have.
After you have created the policy, run a scan against any target using this policy. You don’t have to wait until the scan is finished; you can stop it at any time.
Now, in the reports directory (/opt/nessus/var/nessus/username/reports/ for Linux), a few files will have been created with the same name but different extensions. One of them has the extension .nessus.v1 and a name something like a3ff3caf-b04d-c45f-9182-a53f93c9dd47c157243dcb7e12b7. Save this file using a friendly name with the .nessus extension.
Upload this file to the Nessus server. You can verify the name of the policy with the following command:
/opt/nessus/bin/nessus --dot-nessus example.nessus --list-policies
The results will be something like this:
List of policies contained in example.nessus:
4. In the /opt/nessus-scripts folder I created two files: one is targets.txt (it contains the hosts to scan) and the second one is the actual script used to scan, e.g. scan_script.sh
The content of the script we are using to scan the targets is:
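#!/bin/sh
NESSUS=/opt/nessus/bin/nessus   # command-line client, same binary as in step 3
DATE=$(date +%Y-%m-%d)          # report name; this date format is an assumption
#echo "Report will appear as $DATE.html"
# Generate an html report with the parameters passed in the command line
$NESSUS --dot-nessus /opt/nessus-scripts/example.nessus --policy-name 'test' <host> 1241 <user> <password> --target-file /opt/nessus-scripts/targets.txt /opt/nessus-reports/$DATE.html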
This script can be automated using crontab. Also, you can use different extensions for the scan (nbe, nessus or text).
You can import the .nbe into ArcSight. If you don’t have ArcSight or Tenable Security Center, you can use Seccubus (http://seccubus.com/) to automate the scans and to do delta reporting.
Because I didn’t invent the wheel, references:
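The scan script above holds the Nessus password in clear text and scans whatever targets.txt lists, so the cron job is only as trustworthy as the permissions on those two files. The following pre-flight check is an added example, not part of the original tutorial; the function names, the preflight.sh file name and the --check switch are hypothetical, and the paths are the ones from steps 2 and 4.

```shell
#!/bin/sh
# Added example: pre-flight checks to run from cron before scan_script.sh.
# Function names and the --check switch are hypothetical; paths follow the tutorial.

# Print the nine permission characters of FILE, e.g. rwx------
mode_bits() { ls -ld "$1" | cut -c2-10; }

# scan_script.sh embeds the Nessus password: only the owner may access it.
script_is_private() {
    case "$(mode_bits "$1")" in
        ???------) return 0 ;;
        *) echo "refusing: $1 is accessible to group/other" >&2; return 1 ;;
    esac
}

# Whoever can edit targets.txt decides what gets scanned: owner-writable only.
targets_are_safe() {
    [ -s "$1" ] || { echo "refusing: $1 is missing or empty" >&2; return 1; }
    case "$(mode_bits "$1")" in
        ????w????|???????w?) echo "refusing: $1 is group/world writable" >&2; return 1 ;;
    esac
    return 0
}

# Reports are named after the date; keep an earlier same-day report intact.
report_path() {   # usage: report_path DIR EXT
    p="$1/$(date +%Y-%m-%d).$2"
    if [ -e "$p" ]; then p="$1/$(date +%Y-%m-%d_%H%M%S).$2"; fi
    echo "$p"
}

preflight() { script_is_private "$1" && targets_are_safe "$2"; }

# Constructed crontab entry (one line):
# 0 2 * * * /opt/nessus-scripts/preflight.sh --check && /opt/nessus-scripts/scan_script.sh
if [ "${1:-}" = "--check" ]; then
    preflight /opt/nessus-scripts/scan_script.sh /opt/nessus-scripts/targets.txt || exit 1
fi
```

If the job may run more than once a day, use $(report_path /opt/nessus-reports html) in place of the fixed $DATE.html name so an earlier report is not overwritten.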
1. Nessus 4.2 User guide and Install guide
2. Nessus scheduling and MySQL article http://www.securitygroove.com/index.php/tutorials/83-scheduling-nessus-scans-and-storing-the-results-in-mysql
3. This article on the blog self http://blog.upbeat.fr/post/407107943/automating-scans-on-nessus-4-2