On Wed, 2005-08-10 at 14:54, Rick Stevens wrote: > Scot L. Harris wrote: > > On Wed, 2005-08-10 at 14:41, Jamie Bohr wrote: > > > >>I know this is off topic but ... > >> > >>I am looking to a vulnerability scanner for UNIX. Currently we (the > >>company I work for) are using TARA and have come to the conclusion > >>that either we need to switch to something else or give TARA a major > >>overhaul. Before we went down updating TARA I thought I would see > >>what else was out there that could be a direct TARA replacement and > >>possibly have more features, central reporting be one of them. > >> > >>Thank you for you time, > >> Jamie Bohr > > > > > > Are you looking for something like nessus? You can get some fairly > > comprehensive web based reports from nessus for the systems on your > > network. > > Yes, nessus is good, but beware of false positives from nessus. It may > report that you have package foobar-X.Y which has a certain > vulnerability, when in fact you have foobar-X.Y-xx.yy where that has > been fixed. Nessus doesn't necessarily know about fixes in incremental > releases. It looks at the signon message or behaviour of the program > and bases its recommendations on that. Just wanted you to be aware of > that. > > You can also use nmap to portscan your systems and see which ports a > given machine is listening on. We also use portsentry and snort to > watch things go bump on the network, as well as firewalling the kapok > out of things. You are correct, running the tool is not the same as understanding the output. :) The user does need to understand how the tool works and how to interpret the results. As you indicate nessus does not know about versions of programs that have had patches applied to resolve potential security bugs. Used correctly nessus is fairly good at providing a picture of an environment and where more effort may be needed.