@cactaceae21
Last active April 1, 2024 06:10
Removing hosts from Security Center data #tenable #sccv #nessus

To remove additional IPs from a repository, and from your license count, through a manual process, you need to target the desired IPs/DNS names in a scan with a specific configuration. SecurityCenter has to identify those hosts as inactive, meaning that a scan targeting them returns no results. To accomplish that, do the following:

  • You will need to run a scan against those addresses, but with a policy that you know will not return any data for them.

  • Click on 'Scans' and then on 'Policies'

  • Click on 'Add'

  • Select the 'Advanced Scan' template

  • Name the policy properly.

  • In the 'Host Discovery' tab uncheck 'Ping the remote host', and in the 'Port Scanning' tab make sure to uncheck all port scanning options. That will make Security Center run the plugins against the targets without pinging them first.

  • Click on the 'Plugins' tab and select a plugin family that you know will not return any results and has more than 100 plugins in it. (Usually the 'Amazon Linux Local Security Checks' is a good choice but of course it depends on your targets)

  • Click 'Submit' to complete your policy.

  • Create a scan to be used with the policy you just created.

  • Click on 'Scan' and then 'Scans'

  • Click on 'Add'

  • Name the scan properly.

  • Select the policy you just created

  • Select 'Schedule' as 'Template'

  • In the 'Settings' tab, select the scan zone and in the 'Import Repository' select where that data should go.

**NOTE:** the results from the scan (which we expect to be nothing) should be put in a repository where you know there is data from those IP addresses. That way SC will understand that those hosts are 'inactive'. Make sure this procedure is carried out for all the repositories containing data from those hosts, otherwise you will still have data from them in Security Center.

  • Still in the 'Settings' tab, in the 'Advanced' area make sure that 'Immediately remove vulnerabilities from scanned hosts that do not reply' is enabled.
  • In the 'Target' field make sure to include those hosts' IP addresses.
  • Click 'Submit'

Once that is completed for all the repositories containing data from those hosts, verify that there is no data for them in Security Center.
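
One way to do that final check offline, as an added example (not part of the original gist and not Tenable code): export the remaining vulnerability results to CSV and list which target addresses still have rows in which repository. The column names `Repository` and `IP Address`, the function names and the sample rows are assumptions; targets are taken as IPs, CIDR blocks or start-end ranges, and DNS names are not handled.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export; column names are assumptions, adjust to your CSV.
SAMPLE_EXPORT = """Repository,IP Address,Plugin,Severity
DMZ,10.0.5.12,1001,Info
DMZ,10.0.5.40,1002,Info
Internal,10.0.5.12,1003,Info
Internal,192.168.1.7,1001,Info
"""

def parse_targets(spec):
    """Turn 'ip, cidr, start-end' into a list of (first, last) address pairs."""
    spans = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {item}")
        else:
            net = ipaddress.ip_network(item, strict=False)
            lo, hi = net[0], net[-1]
        spans.append((lo, hi))
    return spans

def residual_hosts(export_csv, target_spec, ip_col="IP Address", repo_col="Repository"):
    """Return {repository: [target IPs that still have rows in the export]}."""
    spans = parse_targets(target_spec)
    reader = csv.DictReader(io.StringIO(export_csv))
    # A missing column must fail loudly, or the check would report a false "clean".
    if not reader.fieldnames or ip_col not in reader.fieldnames:
        raise ValueError(f"column {ip_col!r} not found in export")
    found = defaultdict(set)
    for row in reader:
        try:
            ip = ipaddress.ip_address((row[ip_col] or "").strip())
        except ValueError:
            continue  # row without a parsable address
        if any(lo.version == ip.version and lo <= ip <= hi for lo, hi in spans):
            found[(row.get(repo_col) or "").strip()].add(ip)
    return {r: [str(i) for i in sorted(ips, key=lambda a: (a.version, int(a)))]
            for r, ips in found.items()}

if __name__ == "__main__":
    print(residual_hosts(SAMPLE_EXPORT, "10.0.5.12, 10.0.5.32/28, 192.168.1.1-192.168.1.5"))
```

An empty result means none of the targeted hosts has data left in any repository covered by the export; any repository that does appear still needs the scan imported into it.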
