How to Create a Custom Scan for Agent-less Assessment
This Help topic describes how to create and use a custom Saint scan for networks that use on-board agent-less assessment. The custom scan feature is useful if you are already using Saint assessment and want to integrate existing custom scans into NAC Manager. It also allows you to create a custom scan with assessment criteria that require only a limited number of port scans and tests.
To create a custom scan, you must connect to the Saint web service and use the Saint web interface to configure the scan. After you have created the scan, you will be able to add it to your agent-less test set configuration and use it for your end-system assessment.
Use the following steps to create a custom scan.
- Connect a monitor and keyboard to your NAC appliance, or connect via SSH.
- From the CLI, "cd" to the directory /opt/nac/saint/saint.
  NOTE: On some NAC appliances the second saint directory will include a version number, for example /opt/nac/saint/saint-8.5.11.
- Start the Saint web service by entering the following command:
  ./custom_policy_editor.pl -r -h <ip>
  where <ip> is the IP address of the system that is going to connect to the Saint web service and configure the custom scan (for example, your laptop system).
  NOTE: You cannot run custom_policy_editor.pl from any directory. You must "cd" to the directory /opt/nac/saint/saint first.
- During the web service startup, you are asked to create login user names and passwords for two accounts: saint and admin. The accounts are disabled by default, but they become enabled when you provide a password for them. After you complete the startup by providing the user names and passwords, you are ready to connect to the web service and configure your custom scan.
- From the connecting system, connect to the Saint web service by entering the following URL in a web browser window:
  http://<ip of NAC appliance>:1414
- Log in using the admin user name and password that you created during the web service startup. (The Welcome screen automatically displays the saint user name and password, so be sure to change it to the admin user name and password.)
- Once you have logged in, click the Create option in the Custom Scan Level Selection screen.
- Create a new scan by entering a name, choosing a template, and clicking the Add button.
- Configure your custom scan by selecting the Vulnerability Checks, Port Scans, and other desired options in the Custom Scan Setup screen. Use the Save button at the bottom of the web page to save your scan (you may have to scroll down to see this button).
- The custom scan has been created and you can close your web browser window.
- Enter the name of the scan in your agent-less test set in NAC Manager:
  a. From the NAC appliance command line, cd to the /opt/nac/saint/saint/config/policy directory to determine the name of the scan.
     NOTE: On some NAC appliances the second saint directory will include a version number, for example /opt/nac/saint/saint-8.5.11/config/policy.
  b. In the policy directory, there will be two files that contain the name of the scan as you entered it in the Saint web interface. For example, if you named the scan "MyCustom," you'll see the following two files in the directory: saint_data_MyCustom.probe and saint_data_MyCustom.conf. In this example, the scan name that you will enter into NAC Manager is saint_data_MyCustom. You can rename the scan if desired, as long as you rename both the .probe and .conf files. If you rename the scan, you will enter the new name into NAC Manager.
  c. In NAC Manager, open the Manage Assessment Settings window (Tools > Manage Assessment Settings).
  d. In the Assessment Configurations tab, select any configuration and click Edit. The Edit Assessment Configuration window opens.
  e. In the Test Sets section of the window, you will see a list of all the test sets available for your assessment configurations. Select the agent-less test set that will be configured to use the custom scan, click the configuration menu button and select Edit. (Select Add Agent-less if you need to create a new test set.)
  f. In the Scanning Level section of the Edit Agent-less Test Set window, select Custom from the drop-down list and enter the scan name as determined in step b. Click OK.
  g. The agent-less test set with the custom scan can now be used in your assessment configurations.
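The following shell helpers are an added example for the policy-directory step above; they are not part of this Help topic or of the Saint or NAC Manager software. They assume only the layout the topic describes (each custom scan is a pair of files saint_data_<Name>.probe and saint_data_<Name>.conf in the policy directory). The names POLICY_DIR, list_scans and rename_scan are chosen here for illustration. list_scans prints the scan name to enter in NAC Manager for every complete pair and warns about a .probe or .conf that has lost its partner; rename_scan renames both files together and refuses to start if the source pair is incomplete or the target name is already taken, so a scan is never left half renamed.

```shell
# Added example, not from the NAC Manager help topic or the Saint software.
# Assumes the file-pair layout the topic describes. The default directory is
# the one the topic names (it may carry a version number on some appliances);
# set POLICY_DIR to work on another directory or a copy.
POLICY_DIR="${POLICY_DIR:-/opt/nac/saint/saint/config/policy}"

# list_scans DIR
# Print the NAC Manager scan name (saint_data_<Name>) for every complete
# .probe/.conf pair. A file whose partner is missing is reported on stderr,
# because NAC Manager needs both files under the same name.
list_scans() {
    dir="$1"
    for probe in "$dir"/saint_data_*.probe; do
        [ -e "$probe" ] || continue           # no match: glob stays literal
        name=$(basename "$probe" .probe)
        if [ -e "$dir/$name.conf" ]; then
            printf '%s\n' "$name"
        else
            printf 'warning: %s has no matching .conf\n' "$name" >&2
        fi
    done
    for conf in "$dir"/saint_data_*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if [ ! -e "$dir/$name.probe" ]; then
            printf 'warning: %s has no matching .probe\n' "$name" >&2
        fi
    done
}

# rename_scan DIR OLD NEW
# OLD and NEW are the bare names as typed in the Saint web interface
# (for example MyCustom). Both files are checked before either is moved.
rename_scan() {
    dir="$1"; old="$2"; new="$3"
    for ext in probe conf; do
        if [ ! -e "$dir/saint_data_$old.$ext" ]; then
            echo "error: saint_data_$old.$ext is missing, pair is incomplete" >&2
            return 1
        fi
        if [ -e "$dir/saint_data_$new.$ext" ]; then
            echo "error: saint_data_$new.$ext already exists" >&2
            return 1
        fi
    done
    mv "$dir/saint_data_$old.probe" "$dir/saint_data_$new.probe"
    mv "$dir/saint_data_$old.conf"  "$dir/saint_data_$new.conf"
    printf 'enter this scan name in NAC Manager: saint_data_%s\n' "$new"
}

# Usage on the appliance:
#   list_scans "$POLICY_DIR"
#   rename_scan "$POLICY_DIR" MyCustom LabScan
```

Run the checks on a copy of the policy directory first if you want to see the warnings without touching the appliance's live scans; the rename step is the one the topic requires you to do for both files, which is why the function checks both before moving either.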
Refer to How to Set Up Assessment for information on creating Assessment Configurations.