merge_kkline:faq

Question: How do I perform backend admin functions?

Answer: Log in as root (or su to root) and cd to /opt/Inprotect/sbin/. The backend script is nessusCron_1.60.pl; run it without arguments to view its usage:

[root@fs1 sbin]# ./nessusCron_1.60.pl


NESSUSCRON     ::    Inprotect Job Manager for Nessus    ::    VERSION: 1.64

————————————————————————————-

      USAGE: ./nessusCron.pl [-cdij:k:l:no:qr:st:u:v:w:h?]
        -d :: Enable Full Debug to Log and Leave Temp Files in Place after scan
        -c :: Process Work in Queue via Nessus Client Mode
        -s :: Process Work in Queue via ScanLite Mode
        -r :: Reset Kill all jobs (REQUIRES ARGUMENT 'yes')
             EX: ./nessusCron.pl -r yes
        -i :: Import Scan Report in nbe format
              -t : TargetFile /Path/Name
              -o : OutFile /Path/Name
              -j : JobType [C|M|R|S] (Cron/Manual/Request/Scheduler)
              -k : JobName
             EX: ./nessusCron.pl -i -t /tmp/targets -o /tmp/nessus_test.out -j C -k "My Server Farm"
        -q :: Queue Subnets for Scanning !!Warning: (gun owners) this is nessus full-auto equiv!!
              -l : [ORG|AUDIT] list available ORG/AUDIT names
              -t : [now|20070101000000] (queue all subnets not scanned since [TIME]
              -o : [ORG] - additional filter subnets queued to only selectED [ORG]
              -n : override default [enabled] scan notifications to [DISABLED]
              -u : [CREDID]  - override default credential id for scanning
              -v : [VSET]    - override defaultVSET for Queue
              -w : [WINAUDIT] /PATH/NAME of Windows Compliance Audit to Run
                    if ( ! $winaudit =~ /^// ) { $winaudit = "$config{winAuditDir)/$winaudit"; }
             EX: ./nessusCron.pl -q -o Finance -t now
             EX: ./nessusCron.pl -q -t now -n -u 31 -v 3 -w FDCC_v90_v2.audit
        -h :: Get This Help
      Nessus Cron is the backend interface to managing scans. nessus cron will provide a number of inprotect functions.
      By default, this should be implemented in scanlite in the following format:
      */1 * * * * /usr/bin/perl /var/www/Eprotect/sbin/nessusCron_1.00.pl -s > /dev/null 2>&1
      Additional Tasks include:
              Queueing all or individual subnet zones based on dt last scanned
              Inprotect Reset
              Import Reports (Typically due to exceeding long scans  failed jobs  etc )

Question: Running count on the dashboard is “0” and Running scans has one or more entries.

Answer: The count is determined by counting nessusCron processes, and Apache may not be allowing shell_exec(). Check manually whether there is actually an issue by running

[ps -ef | grep nessusCron | grep -v grep | wc -l] = count

Then count the number of entries in the browser. If the two counts are within one of each other, all is well: the script starts every minute and a process may have no work to do (so the Running Scans count will be 1 less).

Question: Scan kicks off but never shows up under running jobs

Answer: Likely the db schema and front-end code are out of sync, a wrong table schema is causing the scan to fail, or a bug exists in the nessusCron backend script. Troubleshoot by running in debug mode: [./nessusCron_1.10.pl -d -s]

Question: Numerous jobs are in a status of Running and no nessusCron processes exist, per [ps -ef | grep nessusCron | grep -v grep | wc -l] = 0

Answer: Something is wrong with nessusCron.pl, or potentially a server failed while a scan was running and/or the mysql database was shut down or restarted. Eventually we will invest in code to detect and prevent this failure by detecting the outage and waiting for the database to come back online. All running scans should be flagged as complete/failed through an Inprotect reset:

[./nessusCron_1.10.pl -r yes]
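
The two "Running" checks above (dashboard count versus process count, and jobs marked Running with no nessusCron process) can be combined into one triage step. This is an added example, not part of Inprotect: the function names and the sample ps lines are constructed, and treating any Running entry with zero processes as stale is an assumption of the example.

```shell
#!/bin/sh
# Added example, not Inprotect code. Sample ps lines below are constructed.

# count_cron_procs: read `ps -ef` text on stdin, count nessusCron processes,
# skipping the grep that is searching for them (same as `grep -v grep`).
count_cron_procs() {
    awk '/nessusCron/ && !/grep/ { n++ } END { print n + 0 }'
}

# triage_running PROCS RUNNING: RUNNING is the number of entries shown under
# Running scans in the browser. Prints ok, stale or mismatch.
triage_running() {
    t_procs=$1
    t_running=$2
    # Jobs marked Running but no process to run them: candidates for a reset.
    if [ "$t_procs" -eq 0 ] && [ "$t_running" -gt 0 ]; then
        echo stale
        return 0
    fi
    # The cron entry starts a process every minute and it may have no work,
    # so a difference of one between the two counts is normal.
    t_diff=$((t_procs - t_running))
    if [ "$t_diff" -lt 0 ]; then t_diff=$((0 - t_diff)); fi
    if [ "$t_diff" -le 1 ]; then echo ok; else echo mismatch; fi
}

# Constructed sample: two workers plus the grep an operator typed.
sample_ps() {
    cat <<'EOF'
root  4101     1  0 10:01 ?      00:00:02 /usr/bin/perl /opt/Inprotect/sbin/nessusCron_1.60.pl -s
root  4188     1  0 10:02 ?      00:00:00 /usr/bin/perl /opt/Inprotect/sbin/nessusCron_1.60.pl -s
root  4190  3990  0 10:02 pts/0  00:00:00 grep nessusCron
EOF
}

# Live use: triage_running "$(ps -ef | count_cron_procs)" <entries in browser>
echo "sample host: $(triage_running "$(sample_ps | count_cron_procs)" 1)"
```

A result of stale corresponds to the case where the FAQ calls for the `-r yes` reset; mismatch means the counts differ by more than one and the debug run (`-d -s`) is the next step.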

Question: How do I queue all subnets for the monthly scans?

Answer: [./nessusCron_1.10.pl -q -t now]

Question: What about importing reports?

Answer: Importing reports in the current build is really only needed when you have to use a portable node to scan a host and you cannot get access to the network from the central node. In that case a manual job is run from the command line using an export of a known profile. The results are written to disk and can then be brought back to the central node for import into the database.

Question: How do I run compliance audits?

Answer: First you need to have a direct feed. Direct feeds provide access to the following three plugins:

21156 – Windows Compliance Checks
21157 – Windows File Contents Compliance Checks
24760 – Unix Compliance Checks

Additionally, you need to upload the various audit files to the directories configured via the Inprotect Settings compliance location directory variables. Example (defaults):

Unix checks: /opt/Inprotect/usr/share/Inprotect/compliance/unix
Win checks: /opt/Inprotect/usr/share/Inprotect/compliance/win
Win File checks: /opt/Inprotect/usr/share/Inprotect/compliance/win_file_contents

You must also enable compliance checks under Inprotect Settings. Currently a profile with those checks enabled needs to be selected. Future revs of compliance checks will automatically filter the available servers list to those with direct feeds only, limit profiles to those with the aforementioned plugins enabled (or automatically append them to the plugins list), and ensure a credential was supplied as part of the validation steps. For now, ensure you set up all the prerequisites.
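
A preflight check for the audit file passed to `-w`, run before queueing. This is an added example, not Inprotect code: it assumes, from the `-w` help text, that a bare file name is looked up under the Win checks directory and an absolute path is used as given; the function names and the refusal of names containing `..` are choices of the example.

```shell
#!/bin/sh
# Added example, not Inprotect code. Default is the Win checks directory
# listed in the FAQ; override WIN_DIR if Inprotect Settings differ.
WIN_DIR=${WIN_DIR:-/opt/Inprotect/usr/share/Inprotect/compliance/win}

# resolve_winaudit NAME [DIR]: absolute paths are printed unchanged; a bare
# name is placed under DIR. Empty names and names containing ".." are
# refused so the result cannot point outside the audit directory.
resolve_winaudit() {
    case $1 in
        /*)      printf '%s\n' "$1" ;;
        ''|*..*) return 1 ;;
        *)       printf '%s/%s\n' "${2:-$WIN_DIR}" "$1" ;;
    esac
}

# check_audit NAME [DIR]: print the resolved path and return 0 only when it
# is a readable, non-empty regular file; otherwise explain on stderr.
check_audit() {
    c_path=$(resolve_winaudit "$1" "${2:-$WIN_DIR}") || {
        printf 'refused audit name: %s\n' "$1" >&2
        return 1
    }
    if [ -f "$c_path" ] && [ -r "$c_path" ] && [ -s "$c_path" ]; then
        printf '%s\n' "$c_path"
        return 0
    fi
    printf 'missing, empty or unreadable: %s\n' "$c_path" >&2
    return 1
}

# Stand-alone use: ./preflight.sh FDCC_v90_v2.audit
if [ $# -gt 0 ]; then
    check_audit "$1"
fi
```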

merge_kkline/faq.txt · Last modified: 2008/07/31 12:03 by kkline