Zate,

We automate the whole process with perl and shell scripts, use an Oracle back-end to store the results, and display the results and month-over-month trends with a PHP front-end. We also have an email-based self-service scanning system wherein users can submit scan requests directly to the scanning server with the server name(s) in the subject block and scanning options in the message body. The HTML results are sent back to them and to anyone they put in the CC block.

A word of caution: you must use strong access control for anything like this, for obvious reasons. If you post your scan results on Apache as many people do, you can easily restrict access using Active Directory groups using something like the following in your httpd.conf file:

    LDAPSharedCacheSize 2000000
    LDAPCacheEntries 2048
    LDAPCacheTTL 600
    LDAPOpCacheEntries 2048
    LDAPOpCacheTTL 600

    <Directory /full-path-to-scan-report-directory>
        SSLRequireSSL
        AuthType Basic
        AuthName "Windows User Credentials"
        Order deny,allow
        Allow from a.b.c.d/24
        Deny from all
        AuthLDAPAuthoritative on
        AuthLDAPBindDN "cn=ldap-proxy-account,ou=blah,dc=example,dc=com"
        AuthLDAPBindPassword "ldap-proxy-password"
        AuthLDAPEnabled on
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPURL "ldap://example.com/ou=blah,dc=example,dc=com?sAMAccountName?sub?(objectclass=user)"
        require group cn=Nessus Report Viewers,ou=blah,dc=example,dc=com
    </Directory>
Notes:

· The key here is the “require group” directive. This is an AD global security or distribution group. Do NOT enclose this in quotes or it will not work (even though other directives require quotes around the DN).

· With recent versions of mod_ldap / mod_auth_ldap, you can’t specify just the domain for the base DN. You must go at least one level deeper (e.g., OU).

· In the AuthLDAPURL directive, specifying just the domain name (versus the FQDN of the domain controller) works for us because all our DCs are also DNSs (AD-integrated) and a DNS query for the domain name returns the NS records of the DNSs. This gives us fault-tolerance.

· The setup above does not encrypt the password between the Apache server and the domain controller. We can get away with that because both network segments are in a tightly controlled data center. If that connection will traverse an untrusted network in your case, you will want to use LDAP over SSL/TLS.

You can also authenticate via Kerberos with something like the following (however, I’ve not yet found a way to use group-based access control):

    <Directory /full-path-to-scan-report-directory>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate Off
        KrbMethodK5Passwd On
        KrbAuthoritative On
        KrbAuthRealms EXAMPLE.COM
        KrbVerifyKDC Off
        require valid-user
        SSLRequireSSL
    </Directory>
Notes:

· The above configuration specifically turns off KDC verification (does not use keytab, KrbMethodNegotiate = off, KrbVerifyKDC = off). Again, our stuff is in a trusted environment. If yours is not, don’t do it this way.

· You will have to properly configure your /etc/krb5.conf for this to work. On Red Hat / Fedora, this is trivially easy to do with the authconfig command.

If you want to discuss more, send me your phone number off-list by email. I’ll try to call you when I’m not mired in PCI-DSS compliance hurdles.

John Scherff
Sr. IT Security Analyst
24 Hour Fitness

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zate Berg

Good Morning All,
_______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
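The report-directory lockdown John describes above, as an added example that is not from his post: the same subnet-plus-AD-group rule rewritten for the current mod_authnz_ldap syntax and for LDAP over TLS, which closes the clear-text bind-password gap his fourth bullet points out. Assumed: Apache 2.4 with mod_ssl, mod_ldap and mod_authnz_ldap loaded; the CA certificate path, host names and DNs are placeholders.

```apache
# Added example (not from the post above): Apache 2.4 / mod_authnz_ldap version
# of the scan-report lockdown, using LDAPS so neither the proxy bind password
# nor user credentials cross the network to the domain controller in the clear.
# Assumptions: mod_ssl, mod_ldap and mod_authnz_ldap are loaded; every path,
# host name and DN below is a placeholder to replace with your own values.

# Server level (outside any <Directory>): mod_ldap cache and TLS trust settings.
LDAPSharedCacheSize   2000000
LDAPCacheEntries      2048
LDAPCacheTTL          600
LDAPOpCacheEntries    2048
LDAPOpCacheTTL        600
# CA that issued the domain controllers' LDAPS certificates (placeholder path),
# and refuse any DC whose certificate does not validate against it.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-root-ca.pem
LDAPVerifyServerCert  On

<Directory "/full-path-to-scan-report-directory">
    SSLRequireSSL
    AuthType Basic
    AuthName "Windows User Credentials"
    AuthBasicProvider ldap

    # ldaps:// (port 636) replaces ldap://; attribute and filter are unchanged.
    AuthLDAPURL "ldaps://example.com/ou=blah,dc=example,dc=com?sAMAccountName?sub?(objectclass=user)"
    AuthLDAPBindDN       "cn=ldap-proxy-account,ou=blah,dc=example,dc=com"
    AuthLDAPBindPassword "ldap-proxy-password"

    # AD lists group members as full DNs in the "member" attribute.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN On

    # Both conditions must hold: client on the trusted subnet AND authenticated
    # user in the viewers group. This replaces Order/Allow/Deny plus
    # "require group"; the group DN still goes unquoted.
    <RequireAll>
        Require ip a.b.c.d/24
        Require ldap-group cn=Nessus Report Viewers,ou=blah,dc=example,dc=com
    </RequireAll>
</Directory>
```

Run `apachectl configtest` after editing, and test with one account inside the group and one outside it before exposing the reports.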
