Nessus: Difference between revisions

From MediaWiki
Jump to navigationJump to search
Line 123: Line 123:
If you were able to find the results, congratulations, you have just verified that your '''Nessus''' server is running.
If you were able to find the results, congratulations, you have just verified that your '''Nessus''' server is running.


=== Final Comments ===
=== Inprotect Notes ===
 
At this point you should have your '''NST''' system upgraded to '''Nessus''' v3.0.5. If you would like to setup '''Inprotect''' to work with the new system, you should proceed as follows:
 
* Go to the "''Inprotect Management''" page in the '''NST WUI'''.
 
* Make sure that it shows that the related services ('''nessusd''', '''mysqld''', '''sendmail''', '''crond''', and '''ntpd''') are setup and running (if not, use the buttons provided to set them up).
 
* Unfortunately, you probably will NOT be able to start '''Inprotect''' using the '''NST''' interface (as it takes too long to come up). So, you will need to run the following command from the '''NST''' console or ssh connection (NOTE: Replace "''PASSWD''" with your own password):
 
 
<div class="screen">
  <div class="screenTitle">Installing Inprotect</div>
  <div class="userInput"><span class="prompt">[root@probe ~]# </span>nstinprotect -v -m setup --update-now --passwd PASSWD &</div>
  <pre class="computerOutput">
### Start Time: 2007-06-14 13:02:32
+ SUCCESS + Shutdown "sched.pl" (pid 5373) process
+ SUCCESS + Removed "sched.pl" from /etc/rc.d/rc.local
+ SUCCESS + Removed crontab entries
+ BEGIN  + Remove files/directories
+ SUCCESS + Removed directory: "/etc/inprotect"
+ SUCCESS + Removed directory: "/var/log/inprotect"
+ END    + Remove files/directories
+ BEGIN  + Removing symlinks
+ SUCCESS + Removed symlink: "/var/www/html/inprotect"
+ END    + Removing symlinks
 
+ BEGIN  + Updating MySQL Server
+ SUCCESS + Dropped the inprotect database
+ SUCCESS + Removed inprotect user (if present) from MySQL user table
+ END    + Updating MySQL Server
 
+ BEGIN  + Verifying environment
+ SUCCESS + Able to adminster MySQL on this host
+ SUCCESS + MySQL server is running and we can administer
+ SUCCESS + The "sendmail" service is running
+ SUCCESS + Found or created directory: "/etc/inprotect"
+ SUCCESS + Created symlink: "/var/www/html/inprotect"
+ END    + Verifying environment
 
+ SUCCESS + Created config file: /etc/inprotect/inprotect.cfg
+ SUCCESS + Created config file: /etc/inprotect/config.php
+ BEGIN  + Updating MySQL Server
+ SUCCESS + Initialized "inprotect" database
+ SUCCESS + Enabled inprotect user to modify inprotect database
+ SUCCESS + Updated inprotect root login password
+ SUCCESS + Inserted this NST probe into nessus_servers table
+ SUCCESS + Updated Inprotect URL to: "https://192.168.0.249/inprotect"
+ END    + Updating MySQL Server
 
+ SUCCESS + Updated crontab entry
+ NOTE    + crond is already running no need to start
+ SUCCESS + Added "sched.pl" to /etc/rc.d/rc.local
+ NOTE    + Started the "sched.pl" process
+ NOTE    + Running: /usr/local/bin/updateplugins.pl ...
*** The plugins that have the ability to crash remote services or hosts
have been disabled. You should activate them if you want your security
audit to be complete
*** The plugins that have the ability to crash remote services or hosts
have been disabled. You should activate them if you want your security
audit to be complete
 
*** inprotect setup complete.
***
*** You should now be able to use the inprotect package by pointing your
*** browser at:
***
***      https://192.168.0.249/inprotect
-------------------------------------------------------------
### End Time: 2007-06-14 13:16:16  Duration: +0000 00:11:50
 
</pre>
  <div class="userInput"><span class="prompt">[root@probe ~]# </span></div>
</div>
 
* The above will take awhile to complete (it takes a long time to import all of the '''Nessus''' rules into '''Inprotect''').
 
* After the '''Inprotect''' task completes, return to the "''Inprotect Management''" page and select the "''Use Inprotect''" button.
 
* The '''Inprotect''' home page should indicate that there are more than 14000 plugins in the database (this is why it took so long to update '''Inprotect''').
 
* If you have not setup '''Inprotect''' on a '''NST''' system before, proceed to the "''Inprotect Setup Guide''" at: "http://nst.sourceforge.net/nst/docs/inprotect/index.html".

Revision as of 12:22, 14 June 2007

Upgrading To Nessus v3.0.5

The Nessus license does not permit v3.0.5 to be included in the NST distribution. The following provides the steps necessary to upgrade a NST system to Nessus v3.0.5.

Requirements

  • Registration at the Nessus site.
  • A hard disk installation of NST v1.5.0 (a virtual hard disk installation will work - but is not optimal).


Caveats

  • The "html_graph" option is no longer available as an output method (performing Nessus scans using the NST WUI will still be possible, but a little awkward).
  • The upgrade disables the X GUI Nessus client. You will need to download a separate Nessus client package if you need this feature (the new client does not need to be installed on the NST system - a Windows version is available as well).
  • You may need to setup Inprotect by running the nstinprotect script outside of the NST WUI (it takes so long for the Inprotect setup to complete with a full Nessus install, that the installation may fail to complete before the loading of the page times out).

Instructions

Register At the Nessus Site

In order to install Nessus v3.0.5, you will need to register at the Nessus web site. Once registered, you will be able to download the necessary RPM and you will receive a activation code via email which will be used to activate your installation.

Download RPM and Copy To NST

Unfortunately, you will need to download and copy the appropriate RPM for Nessus to the: "/tmp" directory on your NST system by hand (this is due to the fact that you need to register at the Nessus site). Here are the steps which you will need to follow:

  • From the pull down list, select "Nessus 3.0.5 for Linux" and press the "Download" button.
  • Complete the registration process (use a working email address when you register as you will need the registration code later).
  • Download the file: "Nessus-3.0.5-fc5.i386.rpm".
  • Transfer the downloaded file to the: "/tmp" directory on your NST system.

After completing this step, you should see results similar to those shown below on your NST system:

After Downloading RPM
[root@probe ~]# ls -l /tmp/Nessus*
-rw-r--r-- 1 root root 8053747 Jun 14 08:39 /tmp/Nessus-3.0.5-fc5.i386.rpm
[root@probe ~]#

Update Your NST WUI

We are going to be using a automated patch/update script to extract, install and update files from the Nessus RPM we downloaded onto the NST system. Before proceeding to the "NST System Patch Management" page, one should make sure that they have the most recent version of the NST WUI installed on the system.

  • From the main NST WUI index page, locate the "Downloads & Updates" row in the "System" table and select the "NST WUI Updates" link.
  • Select the radio button next to the: "v1.5.0" choice.
  • Press the: "Download/Install NST WUI Management Interface" button.
  • This will download the latest version of the NST WUI and restart the web server on your NST system. NOTE: This might cause processes launched directly from the NST WUI to terminate and you may need to restart them.
  • You may need to force your browser to reload the updated CSS and JavaScript files after the NST WUI update (on Firefox, hold down the Shift key while pressing the browser Reload button).

After the installation completes, you should be ready to proceed to updating your NST system.

Install System Update: U200706131

A update (U200706131) has been provided that will complete the installation of the Nessus RPM onto the NST system. Here are the steps you need to follow to install the update:

  • From the main NST WUI Index, locate the "Downloads & Updates" row in the "System" table and select the "NST System Patch Management" link.
  • From the "NST System Patch Management" page, press the: "Retrieve/Update Patch Information" button near the bottom of the page (this will download the latest list of available patches and updates for your NST system).
  • After the download completes, you should see update: "U200706131" listed in your patch table.
  • Select the radio button next to update: "U200706131" and press the "Patch NST System" button found below the table of available patches/updates.
  • Depending upon the speed of your NST system, the update may take a few moments to complete - be patient (DO NOT HIT YOUR BROWSER'S RELOAD BUTTON)!
  • At the bottom of the output (showing the results of applying the update), one should see an indication that the update completed successfully (if it failed, it means that you downloaded the wrong RPM from the Nessus site, or did not copy it to the appropriate location).

Setup/Start Nessus

At this point, you should be able to setup and start the Nessus server:

  • On the main NST WUI index page, locate the "Active Scanners" row in the "Security" table and select the "Nessus Management" link.
  • From the "Nessus Management" page, scroll to the "Setup & Start Nessus" section, set the Options to: "-v -rdir /var/nst" and press the: "Start Nessus" button.
  • Wait for Nessus to come up (you will see a "Nessus Starting/Busy" section on the "Nessus Management" page until Nessus is ready).
  • Once Nessus is ready (it can seem to take forever the first time), locate the Activation Code you received from the Nessus site after registration. It has the form: "D733-779D-BD5E-DBB9-8913".
  • Locate the "Update Nessus Plugins" section on the "Nessus Management" page and enter your Activation Code into the field provided and press the: "Update Plugins" button.
  • Be patient as the Nessus plugins are updated.

Run A Test Nessus Scan

At this point the Nessus server should be fully initialized and ready for use on the NST system. To verify that it is working, perform a quick Nessus scan of the NST system itself.

  • Scroll to the "Run Nessus Scans" section on the "Nessus Management Page".
  • Enter a Address of: "127.0.0.1".
  • Enter the Options of: "-V -x -T html". NOTE: The "html_graph" option is not available in v3.0.5 of Nessus, so make sure you specified the options shown here as they won't match the default options on the page!
  • Press the: "Start Scan" button.

It will take awhile for the scan to complete. You can press the "Refresh" button as you wait for it to complete. Once it completes, you will see a new section titled: "Unknown Results" and it will contain a single button: "View /var/nst/nessus/results". The results are "Unknown" as the "html" output option was specified and the NST WUI is only designed to work with the "html_graph" output. However, you can still view the results:

  • Select the: "View /var/nst/nessus/results" button.
  • You should see the results within the NST File Viewer.
  • From the NST File Viewer page, select the "Browse" button.
  • Locate the "Files" section and select the link labeled "results" on the left hand side of the table.
  • You should be taken to a HTML page showing the results of the Nessus scan.

If you were able to find the results, congratulations, you have just verified that your Nessus server is running.

Inprotect Notes

At this point you should have your NST system upgraded to Nessus v3.0.5. If you would like to setup Inprotect to work with the new system, you should proceed as follows:

  • Go to the "Inprotect Management" page in the NST WUI.
  • Make sure that it shows that the related services (nessusd, mysqld, sendmail, crond, and ntpd) are setup and running (if not, use the buttons provided to set them up).
  • Unfortunately, you probably will NOT be able to start Inprotect using the NST interface (as it takes too long to come up). So, you will need to run the following command from the NST console or ssh connection (NOTE: Replace "PASSWD" with your own password):


Installing Inprotect
[root@probe ~]# nstinprotect -v -m setup --update-now --passwd PASSWD &
### Start Time: 2007-06-14 13:02:32
+ SUCCESS + Shutdown "sched.pl" (pid 5373) process
+ SUCCESS + Removed "sched.pl" from /etc/rc.d/rc.local
+ SUCCESS + Removed crontab entries
+ BEGIN   + Remove files/directories
+ SUCCESS + Removed directory: "/etc/inprotect"
+ SUCCESS + Removed directory: "/var/log/inprotect"
+ END     + Remove files/directories
+ BEGIN   + Removing symlinks
+ SUCCESS + Removed symlink: "/var/www/html/inprotect"
+ END     + Removing symlinks

+ BEGIN   + Updating MySQL Server
+ SUCCESS + Dropped the inprotect database
+ SUCCESS + Removed inprotect user (if present) from MySQL user table
+ END     + Updating MySQL Server

+ BEGIN   + Verifying environment
+ SUCCESS + Able to adminster MySQL on this host
+ SUCCESS + MySQL server is running and we can administer
+ SUCCESS + The "sendmail" service is running
+ SUCCESS + Found or created directory: "/etc/inprotect"
+ SUCCESS + Created symlink: "/var/www/html/inprotect"
+ END     + Verifying environment

+ SUCCESS + Created config file: /etc/inprotect/inprotect.cfg
+ SUCCESS + Created config file: /etc/inprotect/config.php
+ BEGIN   + Updating MySQL Server
+ SUCCESS + Initialized "inprotect" database
+ SUCCESS + Enabled inprotect user to modify inprotect database
+ SUCCESS + Updated inprotect root login password
+ SUCCESS + Inserted this NST probe into nessus_servers table
+ SUCCESS + Updated Inprotect URL to: "https://192.168.0.249/inprotect"
+ END     + Updating MySQL Server

+ SUCCESS + Updated crontab entry
+ NOTE    + crond is already running no need to start
+ SUCCESS + Added "sched.pl" to /etc/rc.d/rc.local
+ NOTE    + Started the "sched.pl" process
+ NOTE    + Running: /usr/local/bin/updateplugins.pl ...
 *** The plugins that have the ability to crash remote services or hosts
have been disabled. You should activate them if you want your security
audit to be complete
*** The plugins that have the ability to crash remote services or hosts
have been disabled. You should activate them if you want your security
audit to be complete

*** inprotect setup complete.
***
*** You should now be able to use the inprotect package by pointing your
*** browser at:
***
***       https://192.168.0.249/inprotect
-------------------------------------------------------------
### End Time: 2007-06-14 13:16:16  Duration: +0000 00:11:50

[root@probe ~]#
  • The above will take awhile to complete (it takes a long time to import all of the Nessus rules into Inprotect).
  • After the Inprotect task completes, return to the "Inprotect Management" page and select the "Use Inprotect" button.
  • The Inprotect home page should indicate that there are more than 14000 plugins in the database (this is why it took so long to update Inprotect).