So I have found a few scenarios that call for modifications to my Coverage Validation process.
The first is for scan results that did not have ‘Log Live Hosts’ turned on in the scanner. This damages the results somewhat when you are scanning whole networks, as things like a firewall or router may respond on behalf of a device and produce a false live host without the plugin available as verification; nonetheless it happens, and you still need a way to check for coverage. So I have built a modified version that just pulls hosts from the header section of the scan results and assumes everything in the results was alive.
The second was a client that runs a dynamic DHCP network. I needed a way to track the MAC addresses of the hosts I scanned against an inventory, so I added another block that works as a translation list of MAC to IP address for the scan results. Luckily, if Nessus finds this information via any plugin, it adds it to the header tags of the scanned host in the results. This way you end up with a CSV block of MAC, IP address (note that some machines will have more than one MAC address; the results will include all of them).
These turned out helpful for me in special scenarios, so have at them.
I had a set of scans that had the following logic flow today.
Scans need 95% or better coverage, and all scans should be authenticated.
You run into some interesting things as you think this through:
To gather coverage you need to have a target inventory and the script must be aware of what 100% consists of.
To validate authentication it's not enough to look for failed items: what if you rescan them, why did it fail, and if you do rescan them, how will the script logic work?
What to do when you find extra hosts not in the inventory.
This is the set of issues I have set out to code at this point, and enough have been finished that I found the script useful when another team needed to use the logic.
So this pre-beta code is available as a work in progress. With a command line such as
java CoverageValidate inventory *.nessus
it is able to import multiple scan files and an inventory and output lists of missing hosts, extra hosts, and hosts where authentication failed.
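To show the logic the post describes (every ReportHost counted as live, the MAC-to-IP list pulled from the host header tags, and missing/extra/auth-failed lists against an inventory), here is an added Python sketch; it is not the author's Java tool. The .nessus fragment is constructed, and treating a plugin whose name contains "Authentication Failure" as the auth-failure marker is an assumption to adjust for your scanner.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for a .nessus v2 file (not real scan output).
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="demo">
<ReportHost name="10.0.0.1"><HostProperties>
<tag name="host-ip">10.0.0.1</tag>
<tag name="mac-address">00:11:22:33:44:55
00:11:22:33:44:56</tag>
</HostProperties>
<ReportItem pluginID="21745" pluginName="Authentication Failure - Local Checks Not Run" port="0" svc_name="general" protocol="tcp" severity="0"/>
</ReportHost>
<ReportHost name="10.0.0.2"><HostProperties>
<tag name="host-ip">10.0.0.2</tag><tag name="mac-address">aa:bb:cc:dd:ee:ff</tag>
</HostProperties></ReportHost>
<ReportHost name="10.0.0.9"><HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties></ReportHost>
</Report></NessusClientData_v2>"""

# Assumption: an authentication failure is recognised by plugin name; tune this for your Nessus version.
AUTH_FAIL_MARKER = "Authentication Failure"

def parse_nessus(xml_text):
    """Return (hosts, macs, auth_failed) for one .nessus document.
    Every ReportHost is treated as live, so 'Log Live Hosts' is not required."""
    hosts, macs, auth_failed = set(), {}, set()
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        ip = props.get("host-ip", rh.get("name"))
        hosts.add(ip)
        if "mac-address" in props:
            # A host may carry several MACs, newline separated; keep all of them.
            macs[ip] = [m.strip() for m in props["mac-address"].splitlines() if m.strip()]
        if any(AUTH_FAIL_MARKER in (ri.get("pluginName") or "") for ri in rh.iter("ReportItem")):
            auth_failed.add(ip)
    return hosts, macs, auth_failed

def coverage_report(inventory, scan_documents, threshold=0.95):
    """Merge several scan files against an inventory and report coverage, missing, extra and auth failures."""
    scanned, macs, auth_failed = set(), {}, set()
    for doc in scan_documents:
        hosts, host_macs, failed = parse_nessus(doc)
        scanned |= hosts
        macs.update(host_macs)
        auth_failed |= failed
    inv = set(inventory)
    covered = len(inv & scanned) / len(inv) if inv else 0.0
    return {
        "coverage": covered,
        "missing": sorted(inv - scanned),      # in inventory, never seen in a scan
        "extra": sorted(scanned - inv),        # scanned but not in inventory
        "auth_failed": sorted(auth_failed),
        "mac_csv": [f"{mac},{ip}" for ip, ms in sorted(macs.items()) for mac in ms],
        "passed": covered >= threshold and not auth_failed,
    }
```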
As you can see in the code, it is a work in progress, but it's available, so if you run with it, share the wealth and send me a copy, as I am looking for more ideas.