
Wednesday, December 10, 2025

Automating Verification for Nessus Scans

The Challenge of Scan Verification

As vulnerability managers and security engineers, we rely on credentialed scans to provide accurate visibility into our environment. An uncredentialed scan is essentially a surface-level check that misses most critical vulnerabilities requiring authenticated access (such as missing patches or insecure configurations).

When managing Tenable environments (Nessus or Tenable.sc), confirming that every asset in a large scan successfully ran with credentials is a critical yet highly inefficient task. The definitive check requires manually reviewing Nessus Plugin ID 19506 (Nessus Scan Information) for the credentialed=true value on every host, and this host-by-host drill-down is simply too time-consuming.

The Solution: check-scans.sh

To solve this problem and reclaim time, I developed a simple Bash script called check-scans.sh.

This script automates the verification process, allowing vulnerability managers to confirm scan integrity quickly and efficiently without having to manually sift through the user interface.

The Script's Core Utility

The primary purpose of check-scans.sh is straightforward: verify that scans were conducted with credentials.

It targets the operational need to ensure that the foundational data used for patching and risk analysis is reliable. If Plugin 19506 is missing or shows credentialed=false, the script flags that asset, pointing you directly to the hosts that require re-scanning or troubleshooting.
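As an added illustration of the same per-host check, and not the check-scans.sh script itself, the following POSIX shell snippet reads a .nessus XML export (an assumed input; the actual script works against the Nessus/Tenable installation directories) and reports each host's status from the "Credentialed checks : yes/no" line in plugin 19506's output, flagging hosts where the plugin is absent as well:

```shell
#!/bin/sh
# Added example, not the check-scans.sh script: it reads a .nessus XML export
# rather than the Nessus installation directories. Plugin 19506 reports
# "Credentialed checks : yes|no" in its plugin_output.

# Constructed sample export (not a real scan): 10.0.0.5 credentialed,
# 10.0.0.6 not credentialed, 10.0.0.7 never produced plugin 19506.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
<NessusClientData_v2><Report name="constructed">
<ReportHost name="10.0.0.5">
<ReportItem pluginID="19506" pluginName="Nessus Scan Information" port="0">
<plugin_output>Information about this scan :
Credentialed checks : yes
</plugin_output></ReportItem></ReportHost>
<ReportHost name="10.0.0.6">
<ReportItem pluginID="19506" pluginName="Nessus Scan Information" port="0">
<plugin_output>Credentialed checks : no
</plugin_output></ReportItem></ReportHost>
<ReportHost name="10.0.0.7">
<ReportItem pluginID="10180" pluginName="Ping the remote host" port="0"></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>
EOF

# Print "<host> <status>" for every ReportHost in the export.
# status is one of: credentialed | uncredentialed | missing-19506
cred_status() {
  awk '
    /<ReportHost / { match($0, /name="[^"]*"/)
                     host = substr($0, RSTART + 6, RLENGTH - 7)
                     status = "missing-19506"; in19506 = 0 }
    /<ReportItem / && /pluginID="19506"/ { in19506 = 1; status = "uncredentialed" }
    in19506 && /Credentialed checks : yes/ { status = "credentialed" }
    /<\/ReportItem>/ { in19506 = 0 }
    /<\/ReportHost>/ { print host, status }
  ' "$1"
}

# Number of hosts that need re-scanning or troubleshooting (non-zero => act).
noncred_count() {
  cred_status "$1" | awk '$2 != "credentialed"' | wc -l | tr -d ' '
}

cred_status "$SAMPLE_FILE"   # lists all three hosts with their status
```

Hosts reported as uncredentialed or missing-19506 are the ones to re-scan or troubleshoot before trusting the results for patching decisions.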

How to Implement and Run the Script

The script is available in my GitHub repository. It requires minimal setup, making it easy to integrate into your existing workflow.

1. Getting the Script

You can find the source code and usage details here: https://github.com/2bitninja/check-scans

To get the script, clone the repository and navigate into the directory:

git clone https://github.com/2bitninja/check-scans.git
cd check-scans

2. Prepare for Execution

Make the script executable:

chmod +x check-scans.sh

3. Running the Check

Due to the nature of interacting with the Nessus/Tenable installation directories and files, you will need elevated privileges (e.g., being in the tns group or using sudo) to execute it successfully.

Execute the script:

sudo ./check-scans.sh

The script will handle the heavy lifting, giving you an immediate, verifiable result of your credentialed scan coverage.

Conclusion

Operational efficiency in security is often achieved through small, focused automations. By leveraging a simple script like check-scans.sh, you eliminate a manual administrative burden, ensuring your security team can maintain a high standard of data quality for all vulnerability assessments.

Feel free to check out the script, use it, and let me know if you have any suggestions for improvements!

