Vulnerability scanning with Nessus: Nessus-2.2.2a for Red Hat Enterprise Linux 3


Installing Nessus

An installation script is provided, so use it to install.
Change to the working directory.

# cd /usr/local/src/

Download the installation script and its MD5 file.

# wget http://ftp.nessus.org/nessus/nessus-2.2.2a/nessus-installer/nessus-installer.sh
# wget http://ftp.nessus.org/nessus/nessus-2.2.2a/nessus-installer/MD5 -O nessus-installer.sh.md5

Check the file's integrity with MD5. Note that the MD5 file is a PGP-signed message: comparing the md5sum only shows the download was not corrupted, while verifying the signature with gpg would also confirm who published it.

# cat nessus-installer.sh.md5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5 (nessus-installer.sh) = 335637b7cacfb7fe10cdbb33e84192bf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBvaZE8JEETRRZWhoRAnmCAJ9ATxzBXdw0i3i+aeMRjBiT0hz05wCgluVF
sESmZJQboW8bE8urH09J9RA=
=gb+1
-----END PGP SIGNATURE-----
# md5sum nessus-installer.sh
335637b7cacfb7fe10cdbb33e84192bf nessus-installer.sh

Run the installation script.

# bash nessus-installer.sh

Press [Enter] to continue.

--------------------------------------------------------------------------------
NESSUS INSTALLATION SCRIPT
--------------------------------------------------------------------------------


Welcome to the Nessus Installation Script !

This script will install Nessus 2.2.2a (STABLE) on your system.

Please note that you will need root privileges at some point so that
the installation can complete.

Nessus is released under the version 2 of the GNU General Public License
(see http://www.gnu.org/licences/gpl.html for details).

To get the latest version of Nessus, visit http://www.nessus.org


Press ENTER to continue

Enter the installation directory. Here /usr/local/nessus-2.2.2a is used.
To install under /usr/local, just press [Enter] without typing anything.

--------------------------------------------------------------------------------
Nessus installation : installation location
--------------------------------------------------------------------------------


Where do you want the whole Nessus package to be installed ?
[/usr/local] /usr/local/nessus-2.2.2a

Since /usr/local/nessus-2.2.2a does not exist, it asks whether it may create it. Press [Enter].

/usr/local/nessus-2.2.2a does not exist - do you want to create it ? [y]

A message saying it is ready to install. Pressing [Enter] starts compiling and installing automatically.

--------------------------------------------------------------------------------
Nessus installation : Ready to install
--------------------------------------------------------------------------------


Nessus is now ready to be installed on this host.
The installation process will first compile it then install it


Press ENTER to continue

Errors come out during compilation... it feels kind of wrong, but I don't have the skill to fix them, so I'm leaving them alone!!
The gtk warning is because the development environment for the GUI isn't installed. Don't need it! Leaving it!!

x -- Compiling
x -- Installing
x - Compiling the NASL interpretor
x -- Configuring the sources for your system
x -- Compiling
exec.c: In function `execute_nasl_script':
exec.c:1822: warning: assignment discards qualifiers from pointer target type
nasl_func.c: In function `insert_nasl_func':
nasl_func.c:100: warning: passing arg 4 of `qsort' from incompatible pointer type
x -- Installing
x - Compiling the core
x -- Configuring the sources for your system
configure: warning: **** gtk not found
x -- Compiling
read_target_file.c: In function `read_target_file':
read_target_file.c:165: warning: initialization discards qualifiers from pointer target type
x -- Installing
x - Compiling the plugins
x -- Configuring the sources for your system
x -- Compiling
x -- Installing

A message asking whether to add the library path. Say yes for now with [Enter].

/usr/local/nessus-2.2.2a/lib is not in /etc/ld.so.conf - shall I add it ? [y]

If you want to download plugins, enter an Activation Code.
Getting an Activation Code is free; you can register at the URL shown in the prompt below. Probably there to prevent abuse?

--------------------------------------------------------------------------------
Nessus installation : Registration
--------------------------------------------------------------------------------

If you want to get a full plugin feed from http://www.nessus.org, you need
to register at http://www.nessus.org/plugins/.

If you already registered and received an activation code, please enter
it below if you want to activate it now :

Activation code : XXXX-XXXX-XXXX-XXXX-XXXX

Installation finished.

--------------------------------------------------------------------------------
Nessus installation : Finished
--------------------------------------------------------------------------------


Congratulations ! Nessus is now installed on this host

. Create a nessusd certificate using /usr/local/nessus-2.2.2a/sbin/nessus-mkcert
. Add a nessusd user use /usr/local/nessus-2.2.2a/sbin/nessus-adduser
. Start the Nessus daemon (nessusd) use /usr/local/nessus-2.2.2a/sbin/nessusd -D
. Start the Nessus client (nessus) use /usr/local/nessus-2.2.2a/bin/nessus
. To uninstall Nessus, use /usr/local/nessus-2.2.2a/sbin/uninstall-nessus

. Remember to invoke '/usr/local/nessus-2.2.2a/sbin/nessus-update-plugins'
periodically to update your list of plugins

. A step by step demo of Nessus is available at :
http://www.nessus.org/demo/


Press ENTER to quit

Configuration

Create a symlink for convenience.

# cd /usr/local/
# ln -s nessus-2.2.2a nessus

Change the library path and apply it.

# vi /etc/ld.so.conf

--- /etc/ld.so.conf.orig
+++ /etc/ld.so.conf
@@ -2,4 +2,4 @@
/usr/X11R6/lib
/usr/lib/qt-3.1/lib
/usr/lib/mysql
-/usr/local/nessus-2.2.2a/lib
+/usr/local/nessus/lib

# ldconfig

Change the paths in the configuration file.

# vi /usr/local/nessus/etc/nessus/nessusd.conf

--- /usr/local/nessus/etc/nessus/nessusd.conf.orig
+++ /usr/local/nessus/etc/nessus/nessusd.conf
@@ -5,7 +5,7 @@
# Every line starting with a '#' is a comment

# Path to the security checks folder :
-plugins_folder = /usr/local/nessus-2.2.2a/lib/nessus/plugins
+plugins_folder = /usr/local/nessus/lib/nessus/plugins

# Maximum number of simultaneous hosts tested :
max_hosts = 30
@@ -17,7 +17,7 @@
be_nice = no

# Log file (or 'syslog') :
-logfile = /usr/local/nessus-2.2.2a/var/nessus/logs/nessusd.messages
+logfile = /usr/local/nessus/var/nessus/logs/nessusd.messages

# Shall we log every details of the attack ?
log_whole_attack = yes
@@ -26,13 +26,13 @@
log_plugins_name_at_load = no

# Dump file for debugging output, use `-' for stdout
-dumpfile = /usr/local/nessus-2.2.2a/var/nessus/logs/nessusd.dump
+dumpfile = /usr/local/nessus/var/nessus/logs/nessusd.dump

# Rules file :
-rules = /usr/local/nessus-2.2.2a/etc/nessus/nessusd.rules
+rules = /usr/local/nessus/etc/nessus/nessusd.rules

# Users database :
-users = /usr/local/nessus-2.2.2a/etc/nessus/nessusd.users
+users = /usr/local/nessus/etc/nessus/nessusd.users

# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
cgi_path = /cgi-bin:/scripts
@@ -118,9 +118,9 @@
#
# Added by nessus-mkcert
#
-cert_file=/usr/local/nessus-2.2.2a/com/nessus/CA/servercert.pem
-key_file=/usr/local/nessus-2.2.2a/var/nessus/CA/serverkey.pem
-ca_file=/usr/local/nessus-2.2.2a/com/nessus/CA/cacert.pem
+cert_file=/usr/local/nessus/com/nessus/CA/servercert.pem
+key_file=/usr/local/nessus/var/nessus/CA/serverkey.pem
+ca_file=/usr/local/nessus/com/nessus/CA/cacert.pem
# If you decide to protect your private key with a password,
# uncomment and change next line
# pem_password=password
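Review bot: the cert_file/key_file/ca_file lines in this hunk sit in the block marked "Added by nessus-mkcert", and the nessus-mkcert run later on this page reports "/usr/local/nessus-2.2.2a/etc/nessus/nessusd.conf updated" and lists the certificate files under the versioned /usr/local/nessus-2.2.2a/... paths, so it can put the versioned paths back; re-check these three lines after running nessus-mkcert, or run it before making this edit. Both spellings resolve to the same files through the symlink, so this is about consistency rather than breakage.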

Change the log paths.

# vi /usr/local/nessus/etc/nessus/nessusd.conf

--- /usr/local/nessus/etc/nessus/nessusd.conf.orig
+++ /usr/local/nessus/etc/nessus/nessusd.conf
@@ -17,7 +17,8 @@
be_nice = no

# Log file (or 'syslog') :
-logfile = /usr/local/nessus/var/nessus/logs/nessusd.messages
+#logfile = /usr/local/nessus/var/nessus/logs/nessusd.messages
+logfile = /var/log/nessusd/nessusd.messages

# Shall we log every details of the attack ?
log_whole_attack = yes
@@ -26,7 +27,8 @@
log_plugins_name_at_load = no

# Dump file for debugging output, use `-' for stdout
-dumpfile = /usr/local/nessus/var/nessus/logs/nessusd.dump
+#dumpfile = /usr/local/nessus/var/nessus/logs/nessusd.dump
+dumpfile = /var/nessusd/log/nessusd.dump

# Rules file :
rules = /usr/local/nessus/etc/nessus/nessusd.rules
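Review bot: the new dumpfile path in this hunk, /var/nessusd/log/nessusd.dump, does not match the directory created right below (/var/log/nessusd) or the logrotate entry at the end of the page (/var/log/nessusd/nessusd.dump), so the dump file would point at a directory this page never creates. Suggest `+dumpfile = /var/log/nessusd/nessusd.dump` so the log, dump, mkdir and logrotate settings all agree.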

# mkdir /var/log/nessusd
# chmod 700 /var/log/nessusd/

Add the manual path.

# vi /etc/man.config

--- /etc/man.config.orig
+++ /etc/man.config
@@ -142,3 +142,10 @@
.Z /bin/zcat
.F
.Y
+
+#
+# Nessus
+#
+MANPATH /usr/local/nessus/man
+MANPATH_MAP /usr/local/nessus/bin /usr/local/nessus/man
+MANPATH_MAP /usr/local/nessus/sbin /usr/local/nessus/man

Create the certificate.

# /usr/local/nessus/sbin/nessus-mkcert

-------------------------------------------------------------------------------
Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL
certificate of Nessus. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to your
Nessus daemon will be able to retrieve this information.


CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [FR]: JP
Your state or province name [none]:
Your location (e.g. town) [Paris]: Tokyo
Your organization [Nessus Users United]:
-------------------------------------------------------------------------------
Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

/usr/local/nessus-2.2.2a/etc/nessus/nessusd.conf updated

The following files were created :

. Certification authority :
Certificate = /usr/local/nessus-2.2.2a/com/nessus/CA/cacert.pem
Private key = /usr/local/nessus-2.2.2a/var/nessus/CA/cakey.pem

. Nessus Server :
Certificate = /usr/local/nessus-2.2.2a/com/nessus/CA/servercert.pem
Private key = /usr/local/nessus-2.2.2a/var/nessus/CA/serverkey.pem

Press [ENTER] to exit

Create a user.

# /usr/local/nessus/sbin/nessus-adduser

Enter a user name and password. Here a user named nessus is created.

  Using /var/tmp as a temporary file holder

Add a new nessusd user
----------------------

Login : nessus
Authentication (pass/cert) [pass] :
Login password : ***********
Login password (again) : ***********

User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that shinago has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)

Exit with [Ctrl] + [D].

Login             : nessus
Password : ***********
DN :
Rules :


Is that ok ? (y/n) [y]
user added.

Create a start-up script, nessusd.init.
For your own sake, do not start it automatically at boot; start it only when you need it.

# vi /etc/rc.d/init.d/nessusd

#!/bin/sh
#
# nessusd      This shell script takes care of starting and stopping
#              nessusd (Nessus security scanner Daemon).
#
# chkconfig: 345 85 15
# description: Nessus is a security auditing tool.
# processname: nessusd
# config: /usr/local/nessus/etc/nessus/nessusd.conf
#
# The chkconfig header only takes effect if "chkconfig --add nessusd" is run;
# without that, nessusd is not started at boot, which is what this page wants.

# Source function library.
. /etc/init.d/functions

PATH=/usr/local/nessus/sbin:/usr/local/nessus/bin:$PATH

# -a 127.0.0.1 : listen on localhost only; uncomment it to restrict access
#OPTIONS="-a 127.0.0.1"
OPTIONS=""

RETVAL=0

prog="nessusd"

start() {
    echo -n $"Starting $prog: "
    # Refuse to start until nessus-mkcert has created the server key.
    if [ -r /usr/local/nessus/var/nessus/CA/serverkey.pem ]; then
        daemon nessusd $OPTIONS -D
        RETVAL=$?
        # The lock file marks the daemon as started; condrestart checks for it.
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/nessusd
        echo
    else
        echo -n " (you need to run nessus-mkcert first!)"
        echo_failure
        echo
        RETVAL=1
    fi
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc nessusd
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/nessusd
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    condrestart)
        # Restart only if the daemon was started through this script.
        if [ -f /var/lock/subsys/nessusd ]; then
            restart
        fi
        ;;
    status)
        status $prog
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac

exit $RETVAL


# chmod +x /etc/rc.d/init.d/nessusd

Try starting it.

# /etc/rc.d/init.d/nessusd start

Update the plugins to the latest versions. (The -v option prints the names of the updated plugins.)
Note that nessusd must be restarted before the updated plugins take effect.

# /usr/local/nessus/sbin/nessus-update-plugins -v
# /etc/init.d/nessusd restart

For day-to-day operation

To keep the plugins up to date at all times, hook the update into cron.
As noted above, nessusd must be restarted before the updated plugins take effect.

# cd /etc/cron.daily/
# ln -s /usr/local/nessus/sbin/nessus-update-plugins
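Because the bare symlink never restarts the daemon, here is an added example (not from the original page or the Nessus project) of a cron.daily wrapper to install in its place: it runs nessus-update-plugins -v and then, only if nessusd is running, issues condrestart through the init script created above. The environment-variable overrides for the paths are an assumption added for testing.

```shell
#!/bin/sh
# Added example (not from the original page): cron.daily wrapper that updates
# the plugins and then restarts nessusd so the new plugins are actually loaded.
# Install as /etc/cron.daily/nessus-update-plugins in place of the symlink.
# Paths default to the ones used on this page; the environment overrides are
# an assumption added so the functions can be exercised against stubs.
NESSUS_HOME=${NESSUS_HOME:-/usr/local/nessus}
INIT_SCRIPT=${INIT_SCRIPT:-/etc/rc.d/init.d/nessusd}
LOCK_FILE=${LOCK_FILE:-/var/lock/subsys/nessusd}

# The init script touches this lock file on a successful start and removes it
# on stop, so its presence tells us whether nessusd is supposed to be up.
nessusd_running() {
    [ -f "$LOCK_FILE" ]
}

# -v prints the names of the plugins that were updated.
update_plugins() {
    "$NESSUS_HOME/sbin/nessus-update-plugins" -v
}

# Restart only a running daemon: the page deliberately does not auto-start
# nessusd, and this job must not start it behind the administrator's back.
restart_if_running() {
    if nessusd_running; then
        "$INIT_SCRIPT" condrestart
    else
        echo "nessusd not running; new plugins will be used at next start"
    fi
}

# Returns 1 if the plugin update failed (daemon left untouched), 0 otherwise.
main() {
    if ! update_plugins; then
        echo "nessus-update-plugins failed, not restarting nessusd" >&2
        return 1
    fi
    restart_if_running
}

# Run only when invoked from cron.daily; sourcing the file elsewhere just
# defines the functions above.
case "$0" in
    */cron.daily/*) main ;;
esac
```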

Configure logrotate so the logs do not overflow.

# vi /etc/logrotate.d/nessusd

/var/log/nessusd/nessusd.dump /var/log/nessusd/nessusd.messages {
    notifempty
    missingok
}