On Jun 3, 2008, at 7:37 PM, Rolf lastname wrote:

> Probably on the lame side - we are running Linux on an embedded
> platform, and want to run a vulnerability scan.
>
> Do I run the server and client side against my device (If I can't
> add software)? Does this make sense? It seems Nessus wants me to
> run software on my embedded device also... Any pointing in a
> generally relevant direction is greatly appreciated...

Nessus is agent-less - there's no need to install any software on the client side. And while it does offer the ability to perform checks locally by logging in remotely via ssh or SMB, these checks are for Windows and more mainstream distros (RedHat, SuSE, Debian, etc) and Unix variants (Solaris, AIX, HP/UX, etc), not distros targeting the embedded space.

Still, Nessus does have a large number of checks that are remote and could uncover issues remotely: default passwords, protocol or configuration weaknesses, service detection, even vulnerabilities. Is the device running SNMP? Nessus can report if it gives out information it shouldn't, because say its community name is guessable. Does it run a web server? Nessus can report which methods it supports, how it encrypts traffic, whether it's affected by cross-site scripting issues, etc. It all depends on what services the device makes available remotely.

George
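
Added example, not part of the message above and not Nessus code: a minimal agent-less check of the kind described for a device web server, sending one OPTIONS request from the scanning host and reporting which HTTP methods the device advertises. The function names, the RISKY method set and the placeholder address 192.0.2.10 are assumptions made for illustration.

```python
import http.client

# Assumed review policy: methods worth a closer look on a device web UI.
RISKY = {"PUT", "DELETE", "TRACE", "CONNECT"}

def parse_allow(value):
    """Turn an Allow header value into a set of upper-case method names."""
    if not value:
        return set()
    return {m.strip().upper() for m in value.split(",") if m.strip()}

def assess(status, allow_value):
    """Classify one OPTIONS response (pure function, no network)."""
    methods = parse_allow(allow_value)
    if not methods:
        # No Allow header says nothing about what the server accepts.
        verdict = "inconclusive"
    elif methods & RISKY:
        verdict = "review"
    else:
        verdict = "ok"
    return {"status": status, "methods": sorted(methods),
            "risky": sorted(methods & RISKY), "verdict": verdict}

def check_device(host, port=80, path="/", timeout=5.0):
    """Send a single OPTIONS request to the device and assess the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return assess(resp.status, resp.getheader("Allow"))
    except (OSError, http.client.HTTPException) as exc:
        return {"status": None, "methods": [], "risky": [],
                "verdict": "unreachable", "error": str(exc)}
    finally:
        conn.close()

if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation address used as a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(check_device(target))
```

Nothing is installed on the device; the script runs on the scanning host, and an "inconclusive" verdict only means the server did not answer OPTIONS with an Allow header.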
