Nessus
Reducing The Load Nessus Puts On The System
When Nessus performs its scans, it can perform multiple tests on multiple hosts simultaneously. This can put a rather large load on your NST system. If you are running from a Live CD on a system with too little RAM, its possible to run out of memory and lock your system. You can reduce the load by adjusting the "max_hosts", "max_checks", and "be_nice" settings found in the "/etc/nessus/nessusd.conf" file. The following snip of the "/etc/nessus/nessusd.conf" file demonstrates values you might use to reduce the load:
# Maximum number of simultaneous hosts tested : max_hosts = 3 # Maximum number of simultaneous checks against each host tested : max_checks = 5 # Niceness. If set to 'yes', nessusd will renice itself to 10. be_nice = yes
Determining The Password For The Nessus Client
If you use the Nessus client, you'll be required to enter a user name and password when you connect to the Nessus server. By default, you will need to enter root as the user ID and the value of NSTCTPASSWD found in /etc/nst.conf.
This password is not set by the nstpasswd script which is used to set many of the encrypted passwords found on they system. The Nessus client/server installation on the NST requires a "clear text" password. The Nessus server uses the value of the NSTCTPASSWD variable found in /etc/nst.conf. Alternatively, you can use the grep and sed commands to examine and change it. All changes need to be done PRIOR to starting up Nessus server.
[root@probe root]# grep NSTCTPASSWD /etc/nst.conf # - You may want to modify NSTCTPASSWD prior to starting NSTCTPASSWD="shoth7pheigh" [root@probe root]# sed -i -e 's/^NSTCTPASSWD=.*/NSTCTPASSWD="NEWPASSWORD"/' /etc/nst.conf [root@probe root]# grep NSTCTPASSWD /etc/nst.conf # - You may want to modify NSTCTPASSWD prior to starting NSTCTPASSWD="NEWPASSWORD" [root@probe root]#
Preventing System Lock Ups
We discovered that the Nessus daemon likes to create very large log and dump files under the /var/nessus/logs directory. Unfortunately, this can chew through a lot of RAM on a live boot of the NST and result in system lock ups.
We recommend that you if you want to run Nessus, that you use a full installation of the NST. If don't want to install NST onto a system's hard disk, but still want to run Nessus, you could install NST onto a external USB hard disk or memory stick. This would allow the NST to use a full file system without chewing through RAM, yet still leave your original system untouched. See the "NST USB FAQ" for details.
If you really want to run Nessus from a live ISO boot, you are going to want to disable a lot of the logging to reduce the size of the output files. You will need to modify the following lines in your /etc/nessus/nessusd.conf configuration file. The /etc/nessus/nessusd.conf file is much larger than shown - we are only showing the portion to be modified.
# Log file (or 'syslog') : logfile = /var/nessus/logs/nessusd.messages # Shall we log every details of the attack ? log_whole_attack = yes # Log the name of the plugins that are loaded by the server ? log_plugins_name_at_load = no # Dump file for debugging output, use `-' for stdout dumpfile = /var/nessus/logs/nessusd.dump
The trick is to change logfile and dumpfile settings to /dev/null. This causes all of the output to be discarded. We're also going to set log_whole_attack to no. The modified section of the /etc/nessus/nessusd.conf file would then look like:
# Log file (or 'syslog') : logfile = /dev/null # Shall we log every details of the attack ? log_whole_attack = no # Log the name of the plugins that are loaded by the server ? log_plugins_name_at_load = no # Dump file for debugging output, use `-' for stdout dumpfile = /dev/null
Note: Unfortunately, this condition was not detected until after the 1.2.0 release of the NST. In future releases, you will only need to edit this configuration file if you need to enable the logging or dump features.
Running Nessus In A Virtual Machine
It is possible to run Nessus within the NST Virtual Machine. This has several advantages over a Live CD boot (permanent disk storage for one). However, there is apparently a big performance hit as shown in the output below:
[root@nic /]# service nessusd start Starting Nessus services: **** This host seems to be running under VMware. **** Nessus performance is abysmal when running under VMware **** We do not recommend you use this setup in production [ OK ] [root@nic /]#
Registering A Nessus Installation
Using The NST WUI
The NST WUI allows you to specify your Nessus activation code when updating the Nessus rules. The activation code only needs to be specified the first time you update your rules (leave the field blank on subsequent updates).
Using The Command Line
After setting up Nessus on a NST probe with the local rule set, you may decide that they would like to register your Nessus installation. This will greatly increase the number of rules Nessus will have at its disposal. In order to register your Nessus installation, you will need to request a registration code from the Nessus web site (http://www.nessus.org). You will then need to run the nessus-fetch command as shown below:
[root@nic /]# nessus-fetch --register 9732-2C31-316C-7C06-5A32 Your activation code has been registered properly - thank you. Now fetching the newest plugin set from plugins.nessus.org... Your Nessus installation is now up-to-date. Make sure to call regularly use the command 'nessus-update-plugins' to stay up-to-date To automate the update process, please visit <http://www.nessus.org/documentation/index.php?doc=cron> [root@nic /]#
Keeping The Nessus Rules Up To Date
After registering your system with Nessus, there are several ways to keep you Nessus plugins up to date.
- Use the NST WUI to update your Nessus plugins.
- Run the nessus-update-plugins command to manually update the plugins.
- Add a cron entry, or symbolic link to run the nessus-update-plugins command automatically (NOTE: the crond service must be running). The following would enable the updates once per day.
[root@nic ~] ln -s $(which nessus-update-plugins) /etc/cron.daily/ [root@nic ~] service crond start Starting crond: [ OK ] [root@nic ~]
Upgrading To Nessus v3.0.5
[[File:Warning.png|16px] This whole section needs updating.....The lowest version of Nessus available currently is 3.2 and that does not have a FC11 package. Also Inprotect has been removed from the NST.
The Nessus license does not permit v3.0.5 to be included in the NST distribution. The following provides the steps necessary to upgrade a NST system to Nessus v3.0.5.
Requirements
- Registration at the Nessus site.
- A hard disk installation of NST v1.5.0 (a virtual hard disk installation will work - but is not optimal).
Caveats
- The "html_graph" option is no longer available as an output method (performing Nessus scans using the NST WUI will still be possible, but a little awkward).
- The upgrade disables the X GUI Nessus client. You will need to download a separate Nessus client package if you need this feature (the new client does not need to be installed on the NST system - a Windows version is available as well).
- You may need to setup Inprotect by running the nstinprotect script outside of the NST WUI (it takes so long for the Inprotect setup to complete with a full Nessus install, that the installation may fail to complete before the loading of the page times out).
Instructions
Register At the Nessus Site
In order to install Nessus v3.0.5, you will need to register at the Nessus web site. Once registered, you will be able to download the necessary RPM and you will receive a activation code via email which will be used to activate your installation.
Download RPM and Copy To NST
Unfortunately, you will need to download and copy the appropriate RPM for Nessus to the: "/tmp" directory on your NST system by hand (this is due to the fact that you need to register at the Nessus site). Here are the steps which you will need to follow:
- Go to the Nessus download area: "http://www.nessus.org/download/".
- From the pull down list, select "Nessus 3.0.5 for Linux" and press the "Download" button.
- Complete the registration process (use a working email address when you register as you will need the registration code later).
- Download the file: "Nessus-3.0.5-fc5.i386.rpm".
- Transfer the downloaded file to the: "/tmp" directory on your NST system.
After completing this step, you should see results similar to those shown below on your NST system:
-rw-r--r-- 1 root root 8053747 Jun 14 08:39 /tmp/Nessus-3.0.5-fc5.i386.rpm
Update Your NST WUI
We are going to be using a automated patch/update script to extract, install and update files from the Nessus RPM we downloaded onto the NST system. Before proceeding to the "NST System Patch Management" page, one should make sure that they have the most recent version of the NST WUI installed on the system.
- From the main NST WUI index page, locate the "Downloads & Updates" row in the "System" table and select the "NST WUI Updates" link.
- Select the radio button next to the: "v1.5.0" choice.
- Press the: "Download/Install NST WUI Management Interface" button.
- This will download the latest version of the NST WUI and restart the web server on your NST system. NOTE: This might cause processes launched directly from the NST WUI to terminate and you may need to restart them.
- You may need to force your browser to reload the updated CSS and JavaScript files after the NST WUI update (on Firefox, hold down the Shift key while pressing the browser Reload button).
After the installation completes, you should be ready to proceed to updating your NST system.
Install System Update: U200706131
A update (U200706131) has been provided that will complete the installation of the Nessus RPM onto the NST system. Here are the steps you need to follow to install the update:
- From the main NST WUI Index, locate the "Downloads & Updates" row in the "System" table and select the "NST System Patch Management" link.
- From the "NST System Patch Management" page, press the: "Retrieve/Update Patch Information" button near the bottom of the page (this will download the latest list of available patches and updates for your NST system).
- After the download completes, you should see update: "U200706131" listed in your patch table.
- Select the radio button next to update: "U200706131" and press the "Patch NST System" button found below the table of available patches/updates.
- Depending upon the speed of your NST system, the update may take a few moments to complete - be patient (DO NOT HIT YOUR BROWSER'S RELOAD BUTTON)!
- At the bottom of the output (showing the results of applying the update), one should see an indication that the update completed successfully (if it failed, it means that you downloaded the wrong RPM from the Nessus site, or did not copy it to the appropriate location).
Setup/Start Nessus
At this point, you should be able to setup and start the Nessus server:
- On the main NST WUI index page, locate the "Active Scanners" row in the "Security" table and select the "Nessus Management" link.
- From the "Nessus Management" page, scroll to the "Setup & Start Nessus" section, set the Options to: "-v -rdir /var/nst" and press the: "Start Nessus" button.
- Wait for Nessus to come up (you will see a "Nessus Starting/Busy" section on the "Nessus Management" page until Nessus is ready).
- Once Nessus is ready (it can seem to take forever the first time), locate the Activation Code you received from the Nessus site after registration. It has the form: "D733-779D-BD5E-DBB9-8913".
- Locate the "Update Nessus Plugins" section on the "Nessus Management" page and enter your Activation Code into the field provided and press the: "Update Plugins" button.
- Be patient as the Nessus plugins are updated.
Run A Test Nessus Scan
At this point the Nessus server should be fully initialized and ready for use on the NST system. To verify that it is working, perform a quick Nessus scan of the NST system itself.
- Scroll to the "Run Nessus Scans" section on the "Nessus Management Page".
- Enter a Address of: "127.0.0.1".
- Enter the Options of: "-V -x -T html". NOTE: The "html_graph" option is not available in v3.0.5 of Nessus, so make sure you specified the options shown here as they won't match the default options on the page!
- Press the: "Start Scan" button.
It will take awhile for the scan to complete. You can press the "Refresh" button as you wait for it to complete. Once it completes, you will see a new section titled: "Unknown Results" and it will contain a single button: "View /var/nst/nessus/results". The results are "Unknown" as the "html" output option was specified and the NST WUI is only designed to work with the "html_graph" output. However, you can still view the results:
- Select the: "View /var/nst/nessus/results" button.
- You should see the results within the NST File Viewer.
- From the NST File Viewer page, select the "Browse" button.
- Locate the "Files" section and select the link labeled "results" on the left hand side of the table.
- You should be taken to a HTML page showing the results of the Nessus scan.
If you were able to find the results, congratulations, you have just verified that your Nessus server is running.
Inprotect Setup (Optional)
At this point you should have your NST system upgraded to Nessus v3.0.5. If you would like to setup Inprotect to work with the new system, you should proceed as follows:
- Go to the "Inprotect Management" page in the NST WUI.
- Make sure that it shows that the related services (nessusd, mysqld, sendmail, crond, and ntpd) are setup and running (if not, use the buttons provided to set them up).
- Unfortunately, you probably will NOT be able to start Inprotect using the NST interface (as it takes too long to come up). So, you will need to run the following command from the NST console or ssh connection (NOTE: Replace "PASSWD" with your own password):
### Start Time: 2007-06-14 13:02:32 + SUCCESS + Shutdown "sched.pl" (pid 5373) process + SUCCESS + Removed "sched.pl" from /etc/rc.d/rc.local + SUCCESS + Removed crontab entries + BEGIN + Remove files/directories + SUCCESS + Removed directory: "/etc/inprotect" + SUCCESS + Removed directory: "/var/log/inprotect" + END + Remove files/directories + BEGIN + Removing symlinks + SUCCESS + Removed symlink: "/var/www/html/inprotect" + END + Removing symlinks + BEGIN + Updating MySQL Server + SUCCESS + Dropped the inprotect database + SUCCESS + Removed inprotect user (if present) from MySQL user table + END + Updating MySQL Server + BEGIN + Verifying environment + SUCCESS + Able to adminster MySQL on this host + SUCCESS + MySQL server is running and we can administer + SUCCESS + The "sendmail" service is running + SUCCESS + Found or created directory: "/etc/inprotect" + SUCCESS + Created symlink: "/var/www/html/inprotect" + END + Verifying environment + SUCCESS + Created config file: /etc/inprotect/inprotect.cfg + SUCCESS + Created config file: /etc/inprotect/config.php + BEGIN + Updating MySQL Server + SUCCESS + Initialized "inprotect" database + SUCCESS + Enabled inprotect user to modify inprotect database + SUCCESS + Updated inprotect root login password + SUCCESS + Inserted this NST probe into nessus_servers table + SUCCESS + Updated Inprotect URL to: "https://192.168.0.249/inprotect" + END + Updating MySQL Server + SUCCESS + Updated crontab entry + NOTE + crond is already running no need to start + SUCCESS + Added "sched.pl" to /etc/rc.d/rc.local + NOTE + Started the "sched.pl" process + NOTE + Running: /usr/local/bin/updateplugins.pl ... *** The plugins that have the ability to crash remote services or hosts have been disabled. You should activate them if you want your security audit to be complete *** The plugins that have the ability to crash remote services or hosts have been disabled. You should activate them if you want your security audit to be complete *** inprotect setup complete. *** *** You should now be able to use the inprotect package by pointing your *** browser at: *** *** https://192.168.0.249/inprotect ------------------------------------------------------------- ### End Time: 2007-06-14 13:16:16 Duration: +0000 00:11:50
- The above will take awhile to complete (it takes a long time to import all of the Nessus rules into Inprotect).
- After the Inprotect task completes, return to the "Inprotect Management" page and select the "Use Inprotect Interface" button.
- The Inprotect home page should indicate that there are more than 14000 plugins in the database (this is why it took so long to update Inprotect).
- If you have not setup Inprotect on a NST system before, proceed to the "Inprotect Setup Guide" at: "http://nst.sourceforge.net/nst/docs/inprotect/index.html".
Final Comments/References
- If you want the nessusd service to start the next time you reboot the system, either run the chkconfig command from the command line, or use the "Services" page (found in the "Control Management" row in the "System" table of the WUI index).
- If you want Inprotect to start the next time you reboot the system, enable the mysqld, sendmail, crond and ntpd services in addition to the nessusd service.
- The Nessus web site: "http://www.nessus.org/".
- The Inprotect web site: "http://inprotect.sourceforge.net/".
- If you have not setup Inprotect on a NST system before, proceed to the "Inprotect Setup Guide" at: "http://nst.sourceforge.net/nst/docs/inprotect/index.html".