I'm just going to keep posting this until somebody answers me.
Sorry for the vague title, but I have multiple questions that fall under the larger scope of "unorganized ACAS system". So let me give you a bit of my background, then my problem, and hopefully we can meet somewhere in the middle to clean up this mess.
First interaction with ACAS was a few years ago, when in my previous job we transitioned from Retina to ACAS. In that environment, I only dealt with the scanning side of SC, standing up only the Nessus scanners within our enclave, and never dealing with actually installing and standing up the SC server, creating repositories, scan zones, etc. In my current job, I now have access to everything.
I'm stepping into a system that has been stood up and is currently in use. Unfortunately, because of my lack of experience with SC, I'm a bit confused on how all of this works. Currently, this is how the ACAS server is set up:
- ACAS server (VM)
- 1x scan zone
- 1x Nessus scanner
- 480 assets (mostly Windows, some Linux)
OK, now here is where it gets strange. The scan zone has 6 different IP ranges. Some of them are ranges, some are subnets. The repository is set up similarly, with only one repository with a number of ranges in it. Then you get over to the Nessus scanners. There's only one scanner and, as far as I can tell, it's the SC itself. It only has one entry: localhost.
So, to recap, we have 4 available IPs associated with the ACAS server. One IP is the SC itself, the other three IPs are supposed to be for the Nessus scanners, but they're not being used (at least they're not in the Nessus Scanner section). The only scanner in the Nessus Scanner section is the localhost.
- Is the above setup correct? Just because it's functioning (which it is), that doesn't mean it's right.
- Should the different subnets be in different scan zones?
- Should I add the other IPs as Nessus scanners? Should I remove them?
Honestly, that's just the tip of the iceberg. When I showed up, they had multiple scans running daily and they were all overlapping each other. A full network scan, a workstation scan, a Windows workstation scan, etc. And then the assets. Looking at it right now, there's roughly 40 separate asset lists. Most are empty, with the ones with actual IPs in them once again overlapping each other. Heck, the "Full Network Scan" didn't even have all the right creds in it nor was it hitting all the boxes. The whole thing top to bottom is a mess.
Thanks in advance to any and all that respond. If I can at least get the scan zones and scanners sorted out, I can manage the rest.
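One way to get a handle on the overlapping zone and asset-list ranges described in the post, as an added example that is not part of the original post or of Tenable's own tooling: it takes the IP entries of scan zones and asset lists (here a constructed sample with invented names and addresses, in the CIDR / dash-range / single-IP forms SC accepts) and reports which objects overlap, which asset entries fall outside the zone, and which lists are empty. Assumes Python 3.7+ for `subnet_of`.

```python
import ipaddress
from itertools import combinations

# Constructed sample modelled on the post: one scan zone mixing dash ranges and
# CIDRs, plus asset lists that overlap each other. All names/addresses invented.
SAMPLE = {
    "Zone: Enclave": ["10.10.0.0/24", "10.10.1.10-10.10.1.60", "10.20.0.0/22"],
    "Asset: Full Network Scan": ["10.10.0.0/23", "10.20.0.0/22"],
    "Asset: Workstations": ["10.10.1.0/24"],
    "Asset: Windows WS": ["10.10.1.10-10.10.1.60", "10.10.2.5"],
    "Asset: Empty list": [],
}

def parse_entry(entry):
    """One SC-style entry (CIDR, 'a-b' range or single IP) -> list of networks."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]

def expand(entries):
    return [net for e in entries for net in parse_entry(e)]

def find_overlaps(objects):
    """(name_a, name_b, net_a, net_b) for every pair of objects whose ranges overlap."""
    expanded = {name: expand(entries) for name, entries in objects.items()}
    hits = []
    for (a, nets_a), (b, nets_b) in combinations(expanded.items(), 2):
        hits += [(a, b, str(x), str(y)) for x in nets_a for y in nets_b if x.overlaps(y)]
    return sorted(hits)

def not_covered(zone_entries, asset_entries):
    """Asset networks no zone network fully contains; no scanner in that zone reaches them."""
    zone = expand(zone_entries)
    return [str(n) for n in expand(asset_entries)
            if not any(n.subnet_of(z) for z in zone if n.version == z.version)]

def empty_objects(objects):
    return sorted(name for name, entries in objects.items() if not entries)

if __name__ == "__main__":
    for hit in find_overlaps(SAMPLE):
        print("OVERLAP:", *hit)
    zone = SAMPLE["Zone: Enclave"]
    for name, entries in SAMPLE.items():
        if name.startswith("Asset:") and not_covered(zone, entries):
            print("NOT IN ZONE:", name, not_covered(zone, entries))
    print("EMPTY:", empty_objects(SAMPLE))
```

Feed it the real zone and asset-list ranges exported from SC and the output is the list of objects to merge or delete before rebuilding the scans.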