Developers guide

Chapter 7
Copyright © 2008-2013 Inverse inc.
Optional components 51
Using Nessus:
trigger=Nessus::<violationId>
Using OpenVAS:
trigger=OpenVAS::<violationId>
Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for.
Once you have finished the configuration, you need to reload the violation-related database contents using:
$ pfcmd reload violations
Note
A violation only triggers when the matching plugin reports a severity higher than low; low-severity and informational findings never trigger one.
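To show how the trigger syntax above and the severity note combine, here is an added example (not PacketFence's own code) that reads a constructed violations.conf-style fragment, validates each Nessus::<id> / OpenVAS::<oid> trigger, and decides which violations fire for a set of constructed scan findings. The severity names, the OID value and the violation IDs are all assumptions chosen for the example.

```python
import re
from configparser import ConfigParser

# Constructed violations.conf-style fragment (assumed layout, not from the
# guide): the section name is the violation ID, trigger uses the page's syntax.
VIOLATIONS_CONF = """
[1200001]
desc=Nessus: outdated SSH server
trigger=Nessus::10881
enabled=Y

[1200002]
desc=OpenVAS: anonymous FTP allowed
trigger=OpenVAS::1.3.6.1.4.1.25623.1.0.900600
enabled=Y

[1200003]
desc=Disabled entry, must never fire
trigger=Nessus::10881
enabled=N
"""

# Nessus triggers carry a numeric plugin ID, OpenVAS triggers a dotted OID.
TRIGGER_RE = re.compile(r"^(Nessus|OpenVAS)::(\d+(?:\.\d+)*)$")
# Assumed severity ranking; anything at or below "low" does not trigger.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_triggers(text):
    """Return {(engine, plugin_id): [violation ids]} for enabled entries."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    triggers = {}
    for vid in cp.sections():
        if cp.get(vid, "enabled", fallback="N").upper() != "Y":
            continue                      # disabled violations are ignored
        trigger = cp.get(vid, "trigger")
        m = TRIGGER_RE.match(trigger)
        if not m or (m.group(1) == "Nessus" and "." in m.group(2)):
            raise ValueError(f"violation {vid}: malformed trigger {trigger!r}")
        triggers.setdefault((m.group(1), m.group(2)), []).append(vid)
    return triggers

def fired_violations(findings, triggers):
    """findings: iterable of (engine, plugin_id, severity_name).
    Return the sorted violation IDs whose trigger matches a finding that is
    above low severity, mirroring the note in the guide."""
    fired = set()
    for engine, plugin, severity in findings:
        if SEVERITY_RANK[severity] <= SEVERITY_RANK["low"]:
            continue
        fired.update(triggers.get((engine, plugin), []))
    return sorted(fired)
```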
Scan on registration
To perform a system scan before giving a host access to the network, enable the scan.registration parameter in pf.conf. If you also want to scan a device that has been auto-registered through an 802.1X connection, enable the scan.dot1x parameter in pf.conf. By default only the MS-CHAP-V2 EAP-Type is scanned, but you can add other EAP-Types (such as MD5-Challenge) to scan.dot1x_type as a comma-separated list of values (see the dictionary.freeradius.internal file bundled with FreeRADIUS for the list of EAP-Types).
It is also recommended to adjust scan.duration to reflect how long the scan takes: a progress bar of this duration is shown to the user while they wait. By default this value is set to 60s.
Hosting Nessus / OpenVAS remotely
Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend hosting it on a separate server in large environments. To do so, a couple of things are required:
PacketFence needs to be able to communicate with the scanning server on the port used by the chosen vulnerability engine.
The scanning server needs to be able to reach the targets. In other words, access to the registration VLAN is required if scan on registration is enabled.
If you are using the OpenVAS scanning engine:
The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry; otherwise PacketFence will not be notified of completed scans.
You must have a valid SSL certificate on your PacketFence server.
If you are using the Nessus scanning engine: