For certain scans we run at our site, we expect to always use authentication and log in via SSH. We’ve got this working, but on a semi-regular basis, for one reason or another, we’ll trigger the scan against the wrong sort of machine, or perhaps one that’s being rebuilt, doesn’t have scanning keys set up yet, etc., causing authentication to fail. This produces what looks like a ‘clean’ scan, when in fact we’re just not seeing the non-updated software and so forth.
Of course you can detect this by looking at log-level plugin output, but I’d like to make it very obvious.
I’ve considered writing a simple VT to throw a max-priority vulnerability if SSH login fails; that I could do, but it doesn’t seem like exactly the right thing. Can a VT (also, or instead) call/return something to cancel/halt the entire scan? That seems like more of what I think I want - at that point it should be obvious the scan failed, and we don’t have to worry about downstream automated systems getting confused by the results.
Is there a simple solution or best practice for this?
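One concrete form of the first option the post raises (a local VT that raises a high-severity finding whenever the credentialed SSH login did not succeed), as an added example that is not part of the original post or of the Greenbone feed. It assumes that the feed's SSH credential check, `ssh_authorization.nasl`, records its outcome in the knowledge-base entries `login/SSH/success` and `login/SSH/failed` (verify both names against the feed you run), and the OID is a placeholder to be replaced with one from your own local OID namespace. It does not attempt to halt the scan; it only makes the failure impossible to miss in the report.

```nasl
# Added example, not the poster's code and not part of the Greenbone feed.
# Reports a CVSS 10.0 finding when a scan that is supposed to be credentialed
# ran without a successful SSH login, so "clean" results from an
# unauthenticated run stand out and automation can key on this one OID.
#
# Assumptions (not confirmed by the post): ssh_authorization.nasl sets the
# KB keys "login/SSH/success" / "login/SSH/failed"; the OID below is a
# placeholder for one from your own local namespace.

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.000000");   # placeholder OID, replace
  script_version("2024-01-01T00:00:00+0000");
  script_name("Site policy: SSH authentication missing or failed on credentialed scan");
  script_category(ACT_GATHER_INFO);
  script_family("General");
  # Run after the feed's SSH login check so the KB entries exist.
  script_dependencies("ssh_authorization.nasl");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # QoD 100 so the default 70% report filter never hides this finding.
  script_tag(name:"qod", value:"100");
  script_tag(name:"solution_type", value:"Mitigation");
  script_tag(name:"summary", value:"This scan is required to run with SSH credentials, but no successful SSH login was recorded. Every authenticated check (installed packages, local configuration) was skipped, so the remaining results must not be treated as a complete assessment.");
  script_tag(name:"solution", value:"Check the target selection, the SSH credential attached to the scan task and the scanning key on the host, then re-run the scan. Treat this result as a failed scan in downstream processing.");
  exit(0);
}

# A successful login means the authenticated checks ran: nothing to report.
if (get_kb_item("login/SSH/success"))
  exit(0);

# Distinguish "credentials configured but rejected" from "no credentials
# reached the scanner at all"; both are failures for a credentialed policy.
if (get_kb_item("login/SSH/failed"))
  detail = "SSH credentials were supplied but the login attempt failed (wrong key, wrong user, host not yet provisioned for scanning, or wrong target).";
else
  detail = "No SSH login attempt was recorded; the scan task may have been started without a credential or against a host that does not offer SSH.";

report = "Credentialed scan ran without a successful SSH login.\n" +
         detail + "\n" +
         "All authenticated (local security) checks were skipped; do not treat this scan as clean.";

security_message(port:0, data:report);
exit(0);
```

Drop the file into the scanner's local VT directory (the one the scanner loads alongside the feed) and rebuild the VT cache. Downstream systems can then treat any result carrying this OID as "scan failed" rather than parsing log-level plugin output.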