Re: Vulnerability scanning and reporting software

[Adam Goldstein <adam.goldstein () DARTMOUTH EDU>]

At Dartmouth, we have developed a vulnerability assessment process based
on Nessus and are getting ready to release an open-source Nessus
analysis console (Achilles) that we developed in-house.

I have used Nessus for a long time but found it challenging to work with
results from a large number of hosts.  With Achilles, we manage results
for over 8000 hosts and have a front-end console that sys-admins and
other folks can use to review and update info on the findings for the
systems they manage.

Among other features, it also provides a customizable ranking method
that helps assign severity ratings for a particular institution.  For
those who may be interested, I will send out an announcement to the
group when we make the project available.

- Adam

--
Adam Goldstein
Dartmouth College
--

David Taylor wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
>
>
> As everyone else we have various systems on our campus that either
> provide critical infrastructure, hosts some kind of sensitive data,
> etc. We call these Critical Hosts and have a database to keep track of
> them.
>
>
>
> We would like to take a more proactive step in ensuring they are
> up-to-date with patches (OS and 3rd party), identify weak passwords
> and other weaknesses.  We are a decentralized campus for the most part
> and dont have a campus-wide Active Directory infrastructure.
>
>
>
> Our Critical Hosts run various operating systems which include
> Microsoft Windows, UNIX, Linux and Mac  OS X. We are hoping to find a
> solution that will be compatible on these platforms and have the
> ability to send alerts to a central console so that we can check the
> status of each system on a monthly (or on demand) basis.
>
>
>
> We had eEye Digital come out to give us a presentation on their Retina
> and REM console.  I was hoping that some of you might have some
> suggestions for other Vendors that do this type of thing.  We would
> like to get a list together and compare functionality and cost then
> maybe evaluate.
>
>
>
> We would appreciate any suggestions.
>
>
>
>
> - -------------------------------
> David Taylor
> University of Pennsylvania
> Office of Information Security
> 215-898-1236
> - -------------------------------
>
>
>
> The information contained in this e-mail message is intended only for
> the personal and confidential use of the recipient(s) named above. If
> the reader of this message is not the intended recipient or an agent
> responsible for delivering it to the intended recipient, you are
> hereby notified that you have received this document in error and that
> any review, dissemination, distribution, or copying of this message is
> strictly prohibited. If you have received this communication in error,
> please notify us immediately by e-mail, and delete the original message.
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 9.6.3 (Build 3017)
>
> wj8DBQFHKgDDrFOwyUiOUlwRAjoIAJ0R6+2sW++4sc+XOw5U9ydrnSSDmwCgqMA9
> aPJMDIdd8Ch2QmCoUZ9b/2k=
> =UicG
> -----END PGP SIGNATURE-----