Nessus Installation
An installer script is provided, so use it to install.
Move to the working directory.
# cd /usr/local/src/
Download the installer script and the MD5 file.
# wget http://ftp.nessus.org/nessus/nessus-2.2.2a/nessus-installer/nessus-installer.sh
# wget http://ftp.nessus.org/nessus/nessus-2.2.2a/nessus-installer/MD5 -O nessus-installer.sh.md5
Verify the file's integrity with the MD5.
# cat nessus-installer.sh.md5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MD5 (nessus-installer.sh) = 335637b7cacfb7fe10cdbb33e84192bf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFBvaZE8JEETRRZWhoRAnmCAJ9ATxzBXdw0i3i+aeMRjBiT0hz05wCgluVF
sESmZJQboW8bE8urH09J9RA=
=gb+1
-----END PGP SIGNATURE-----
# md5sum nessus-installer.sh
335637b7cacfb7fe10cdbb33e84192bf nessus-installer.sh
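As an added example (not part of the original page), the script below automates the check above: it pulls the expected digest out of the PGP-clearsigned MD5 file and compares it with what md5sum computes for the download, so a mismatch stops the install instead of relying on eyeballing two hashes. The sample installer and MD5 file it builds are constructed for the demonstration and the signature block in them is a stub. Note that the real MD5 file is clearsigned, so the signature itself can also be checked with gpg --verify once the signing key is available; this script only covers the digest comparison.

```shell
#!/bin/sh
# Added example, not from the original page: strict MD5 check for the
# Nessus installer. It parses the PGP-clearsigned MD5 file
# (line format: "MD5 (nessus-installer.sh) = <32 hex digits>") and
# compares the digest with what md5sum computes for the downloaded file.
# The signature block itself is not verified here; use gpg --verify for that.

# file_md5 FILE : print the lowercase hex MD5 of FILE (md5sum, or openssl as fallback)
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 -r "$1" | awk '{print $1}'
    fi
}

# verify_md5 INSTALLER MD5FILE
# Exit status: 0 = digest matches, 1 = mismatch, 2 = no digest line found.
verify_md5() {
    installer=$1
    md5file=$2
    # Only accept a well-formed digest line; ignore the PGP armour around it.
    expected=$(sed -n 's/^MD5 (.*) = \([0-9a-fA-F]\{32\}\)[[:space:]]*$/\1/p' "$md5file" \
               | head -n 1 | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "verify_md5: no MD5 line found in $md5file" >&2
        return 2
    fi
    actual=$(file_md5 "$installer")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $installer md5 $actual matches $md5file"
        return 0
    fi
    echo "MISMATCH: $installer md5 $actual, expected $expected -- do not run it" >&2
    return 1
}

# make_sample : build a constructed installer + MD5 file in a temp dir and
# print the directory. The "installer" is just the bytes "hello"
# (MD5 5d41402abc4b2a76b9719d911017c592); the signature block is a stub.
make_sample() {
    dir=$(mktemp -d)
    printf 'hello' >"$dir/nessus-installer.sh"
    cat >"$dir/nessus-installer.sh.md5" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5 (nessus-installer.sh) = 5d41402abc4b2a76b9719d911017c592
-----BEGIN PGP SIGNATURE-----
Version: (stub for this constructed sample; not a real signature)
-----END PGP SIGNATURE-----
EOF
    echo "$dir"
}

# Usage: verify-installer.sh nessus-installer.sh nessus-installer.sh.md5
if [ "$#" -eq 2 ]; then
    verify_md5 "$1" "$2"
fi
```

Run it from /usr/local/src as verify-installer.sh nessus-installer.sh nessus-installer.sh.md5 (the script name is an assumption); a non-zero exit means the installer should not be run.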
Run the installer script.
# bash nessus-installer.sh
Press [Enter] to continue.
--------------------------------------------------------------------------------
NESSUS INSTALLATION SCRIPT
--------------------------------------------------------------------------------
Welcome to the Nessus Installation Script !
This script will install Nessus 2.2.2a (STABLE) on your system.
Please note that you will need root privileges at some point so that
the installation can complete.
Nessus is released under the version 2 of the GNU General Public License
(see http://www.gnu.org/licences/gpl.html for details).
To get the latest version of Nessus, visit http://www.nessus.org
Press ENTER to continue
Enter the installation directory. Here it is /usr/local/nessus-2.2.2a.
To install under /usr/local, just press [Enter] without typing anything.
--------------------------------------------------------------------------------
Nessus installation : installation location
--------------------------------------------------------------------------------
Where do you want the whole Nessus package to be installed ?
[/usr/local] /usr/local/nessus-2.2.2a
Since the /usr/local/nessus-2.2.2a directory does not exist, it asks whether it may create it. [Enter].
/usr/local/nessus-2.2.2a does not exist - do you want to create it ? [y]
A "ready to install" message. Press [Enter] and compilation and installation start on their own.
--------------------------------------------------------------------------------
Nessus installation : Ready to install
--------------------------------------------------------------------------------
Nessus is now ready to be installed on this host.
The installation process will first compile it then install it
Press ENTER to continue
Errors (well, warnings) show up during compilation... somewhat unsettling. I don't have the ability to fix them, so I'm leaving them!!
The gtk warning is because the GUI development environment isn't installed. Don't need it! Leaving it!!
x -- Compiling
x -- Installing
x - Compiling the NASL interpretor
x -- Configuring the sources for your system
x -- Compiling
exec.c: In function `execute_nasl_script':
exec.c:1822: warning: assignment discards qualifiers from pointer target type
nasl_func.c: In function `insert_nasl_func':
nasl_func.c:100: warning: passing arg 4 of `qsort' from incompatible pointer type
x -- Installing
x - Compiling the core
x -- Configuring the sources for your system
configure: warning: **** gtk not found
x -- Compiling
read_target_file.c: In function `read_target_file':
read_target_file.c:165: warning: initialization discards qualifiers from pointer target type
x -- Installing
x - Compiling the plugins
x -- Configuring the sources for your system
x -- Compiling
x -- Installing
A message asking whether to add the library path. Going along with it for now, so [Enter].
/usr/local/nessus-2.2.2a/lib is not in /etc/ld.so.conf - shall I add it ? [y]
If you want to download plugins, enter an Activation Code.
Getting an Activation Code is free; you can register at the URL shown in the prompt. Probably there to deter abuse?
--------------------------------------------------------------------------------
Nessus installation : Registration
--------------------------------------------------------------------------------
If you want to get a full plugin feed from http://www.nessus.org, you need
to register at http://www.nessus.org/plugins/.
If you already registered and received an activation code, please enter
it below if you want to activate it now :
Activation code : XXXX-XXXX-XXXX-XXXX-XXXX
Installation finished.
--------------------------------------------------------------------------------
Nessus installation : Finished
--------------------------------------------------------------------------------
Congratulations ! Nessus is now installed on this host
. Create a nessusd certificate using /usr/local/nessus-2.2.2a/sbin/nessus-mkcert
. Add a nessusd user use /usr/local/nessus-2.2.2a/sbin/nessus-adduser
. Start the Nessus daemon (nessusd) use /usr/local/nessus-2.2.2a/sbin/nessusd -D
. Start the Nessus client (nessus) use /usr/local/nessus-2.2.2a/bin/nessus
. To uninstall Nessus, use /usr/local/nessus-2.2.2a/sbin/uninstall-nessus
. Remember to invoke '/usr/local/nessus-2.2.2a/sbin/nessus-update-plugins'
periodically to update your list of plugins
. A step by step demo of Nessus is available at :
http://www.nessus.org/demo/
Press ENTER to quit
Configuration
Create a convenience symlink.
# cd /usr/local/
# ln -s nessus-2.2.2a nessus
Change the library path, and apply it.
# vi /etc/ld.so.conf
--- /etc/ld.so.conf.orig
+++ /etc/ld.so.conf
@@ -2,4 +2,4 @@
/usr/X11R6/lib
/usr/lib/qt-3.1/lib
/usr/lib/mysql
-/usr/local/nessus-2.2.2a/lib
+/usr/local/nessus/lib
# ldconfig
Change the paths in the config.
# vi /usr/local/nessus/etc/nessus/nessusd.conf
--- / usr/local/nessus/etc/nessus/nessusd.conf.orig
+++ /usr/local/nessus/etc/nessus/nessusd.conf
@@ -5,7 +5,7 @@
# Every line starting with a '#' is a comment
# Path to the security checks folder :
-plugins_folder = /usr/local/nessus-2.2.2a/lib/nessus/plugins
+plugins_folder = /usr/local/nessus/lib/nessus/plugins
# Maximum number of simultaneous hosts tested :
max_hosts = 30
@@ -17,7 +17,7 @@
be_nice = no
# Log file (or 'syslog') :
-logfile = /usr/local/nessus-2.2.2a/var/nessus/logs/nessusd.messages
+logfile = /usr/local/nessus/var/nessus/logs/nessusd.messages
# Shall we log every details of the attack ?
log_whole_attack = yes
@@ -26,13 +26,13 @@
log_plugins_name_at_load = no
# Dump file for debugging output, use `-' for stdout
-dumpfile = /usr/local/nessus-2.2.2a/var/nessus/logs/nessusd.dump
+dumpfile = /usr/local/nessus/var/nessus/logs/nessusd.dump
# Rules file :
-rules = /usr/local/nessus-2.2.2a/etc/nessus/nessusd.rules
+rules = /usr/local/nessus/etc/nessus/nessusd.rules
# Users database :
-users = /usr/local/nessus-2.2.2a/etc/nessus/nessusd.users
+users = /usr/local/nessus/etc/nessus/nessusd.users
# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
cgi_path = /cgi-bin:/scripts
@@ -118,9 +118,9 @@
#
# Added by nessus-mkcert
#
-cert_file=/usr/local/nessus-2.2.2a/com/nessus/CA/servercert.pem
-key_file=/usr/local/nessus-2.2.2a/var/nessus/CA/serverkey.pem
-ca_file=/usr/local/nessus-2.2.2a/com/nessus/CA/cacert.pem
+cert_file=/usr/local/nessus/com/nessus/CA/servercert.pem
+key_file=/usr/local/nessus/var/nessus/CA/serverkey.pem
+ca_file=/usr/local/nessus/com/nessus/CA/cacert.pem
# If you decide to protect your private key with a password,
# uncomment and change next line
# pem_password=password
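Review bot: the cert_file/key_file/ca_file lines in this hunk are marked "Added by nessus-mkcert", but nessus-mkcert is only run later on this page and its output reports writing the versioned paths (/usr/local/nessus-2.2.2a/com/nessus/CA/servercert.pem and friends) back into nessusd.conf; either run nessus-mkcert before this edit or re-check these three lines after it, otherwise the symlink change made here does not survive.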
Change the log paths.
# vi /usr/local/nessus/etc/nessus/nessusd.conf
--- /usr/local/nessus/etc/nessus/nessusd.conf.orig
+++ /usr/local/nessus/etc/nessus/nessusd.conf
@@ -17,7 +17,8 @@
be_nice = no
# Log file (or 'syslog') :
-logfile = /usr/local/nessus/var/nessus/logs/nessusd.messages
+#logfile = /usr/local/nessus/var/nessus/logs/nessusd.messages
+logfile = /var/log/nessusd/nessusd.messages
# Shall we log every details of the attack ?
log_whole_attack = yes
@@ -26,7 +27,8 @@
log_plugins_name_at_load = no
# Dump file for debugging output, use `-' for stdout
-dumpfile = /usr/local/nessus/var/nessus/logs/nessusd.dump
+#dumpfile = /usr/local/nessus/var/nessus/logs/nessusd.dump
+dumpfile = /var/nessusd/log/nessusd.dump
# Rules file :
rules = /usr/local/nessus/etc/nessus/nessusd.rules
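Review bot: the new dumpfile path /var/nessusd/log/nessusd.dump does not match the /var/log/nessusd directory used for logfile in the previous hunk, created by the mkdir below, and referenced by the logrotate entry /var/log/nessusd/nessusd.dump; the line should read `+dumpfile = /var/log/nessusd/nessusd.dump`, otherwise the dump points at a directory that is never created.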
# mkdir /var/log/nessusd
# chmod 700 /var/log/nessusd/
Add the manual path.
# vi /etc/man.config
--- /etc/man.config.orig
+++ /etc/man.config
@@ -142,3 +142,10 @@
.Z /bin/zcat
.F
.Y
+
+#
+# Nessus
+#
+MANPATH /usr/local/nessus/man
+MANPATH_MAP /usr/local/nessus/bin /usr/local/nessus/man
+MANPATH_MAP /usr/local/nessus/sbin /usr/local/nessus/man
Create the certificate.
# /usr/local/nessus/sbin/nessus-mkcert
-------------------------------------------------------------------------------
Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------
This script will now ask you the relevant information to create the SSL
certificate of Nessus. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to your
Nessus daemon will be able to retrieve this information.
CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [FR]: JP
Your state or province name [none]:
Your location (e.g. town) [Paris]: Tokyo
Your organization [Nessus Users United]:
-------------------------------------------------------------------------------
Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------
Congratulations. Your server certificate was properly created.
/usr/local/nessus-2.2.2a/etc/nessus/nessusd.conf updated
The following files were created :
. Certification authority :
Certificate = /usr/local/nessus-2.2.2a/com/nessus/CA/cacert.pem
Private key = /usr/local/nessus-2.2.2a/var/nessus/CA/cakey.pem
. Nessus Server :
Certificate = /usr/local/nessus-2.2.2a/com/nessus/CA/servercert.pem
Private key = /usr/local/nessus-2.2.2a/var/nessus/CA/serverkey.pem
Press [ENTER] to exit
Create a user.
# /usr/local/nessus/sbin/nessus-adduser
Enter a user name and password. Here a user named nessus is created.
Using /var/tmp as a temporary file holder
Add a new nessusd user
----------------------
Login : nessus
Authentication (pass/cert) [pass] :
Login password : ***********
Login password (again) : ***********
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that shinago has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser(8) man page for the rules syntax
Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)
Exit with [Ctrl] + [D].
Login : nessus
Password : ***********
DN :
Rules :
Is that ok ? (y/n) [y]
user added.
Create a startup script (nessusd.init).
It's safer not to start it automatically; start it only when needed.
# vi /etc/rc.d/init.d/nessusd
#!/bin/sh
#
# nessusd      This shell script takes care of starting and stopping
#              nessusd (Nessus security scanner Daemon).
#
# chkconfig: 345 85 15
# description: Nessus is a security auditing tool.
# processname: nessusd
# config: /usr/local/nessus/etc/nessus/nessusd.conf

# Source function library.
. /etc/init.d/functions

PATH=/usr/local/nessus/sbin:/usr/local/nessus/bin:$PATH

# -a 127.0.0.1 : restricted to localhost, add it for restricted access
#OPTIONS="-a 127.0.0.1"
OPTIONS=""
RETVAL=0
prog="nessusd"

start() {
    echo -n $"Starting $prog: "
    # Refuse to start until nessus-mkcert has generated the server key.
    if [ -r /usr/local/nessus/var/nessus/CA/serverkey.pem ]; then
        daemon nessusd $OPTIONS -D
        RETVAL=$?
        # Lock file marks the daemon as running (used by condrestart).
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/nessusd
        echo
    else
        echo -n " (you need to run nessus-mkcert first!)"
        echo_failure
        echo
        RETVAL=1
    fi
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc nessusd
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/nessusd
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    condrestart)
        # Restart only if the daemon is currently running.
        if [ -f /var/lock/subsys/nessusd ]; then
            restart
        fi
        ;;
    status)
        status $prog
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac

exit $RETVAL
# chmod +x /etc/rc.d/init.d/nessusd
Try starting it...
# /etc/rc.d/init.d/nessusd start
Update the plugins to the latest version (the -v option prints the names of the updated plugins).
Note that nessusd must be restarted for the updated plugins to take effect.
# /usr/local/nessus/sbin/nessus-update-plugins -v
# /etc/init.d/nessusd restart
For operation
To keep the plugins always up to date, put the update in cron.
As mentioned above, note that nessusd must be restarted for the updated plugins to take effect.
# cd /etc/cron.daily/
# ln -s /usr/local/nessus/sbin/nessus-update-plugins
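The cron.daily symlink above only downloads the plugins; as the text notes twice, they are not active until nessusd is restarted. As an added example (not part of the original page), the following cron job does both steps: it runs nessus-update-plugins and, only if the update succeeded and the daemon is running (lock file from the init script present), restarts nessusd through the init script, logging what it did. The script name /etc/cron.daily/nessus-plugins and the log file name are assumptions; the other paths follow the layout used on this page.

```shell
#!/bin/sh
# Added example, not from the original page: /etc/cron.daily/nessus-plugins
# (name assumed). Updates the Nessus plugins and restarts nessusd only when
# the update succeeded and the daemon is currently running, so a failed
# download never bounces a working daemon.

NESSUS=${NESSUS:-/usr/local/nessus}
UPDATER=${UPDATER:-$NESSUS/sbin/nessus-update-plugins}
INIT=${INIT:-/etc/rc.d/init.d/nessusd}
LOCK=${LOCK:-/var/lock/subsys/nessusd}
LOG=${LOG:-/var/log/nessusd/plugin-update.log}   # log file name assumed

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >>"$LOG"
}

# refresh_plugins UPDATER INITSCRIPT LOCKFILE
# Return codes: 0 = updated and restarted, 1 = update failed (daemon untouched),
#               2 = updated but restart failed, 3 = updated, daemon not running.
refresh_plugins() {
    updater=$1
    init=$2
    lock=$3
    if ! "$updater" >>"$LOG" 2>&1; then
        log "plugin update FAILED; nessusd not restarted"
        return 1
    fi
    if [ -f "$lock" ]; then
        if "$init" restart >>"$LOG" 2>&1; then
            log "plugins updated; nessusd restarted"
            return 0
        fi
        log "plugins updated but nessusd restart FAILED"
        return 2
    fi
    log "plugins updated; nessusd not running, no restart needed"
    return 3
}

# Run when invoked by cron (no arguments) on a host where Nessus is installed;
# the function above can also be sourced from other scripts.
if [ "$#" -eq 0 ] && [ -x "$UPDATER" ]; then
    refresh_plugins "$UPDATER" "$INIT" "$LOCK"
fi
```

Install it with chmod +x and drop it in /etc/cron.daily/ in place of the bare symlink; the return codes make it easy to alert on a failed update from a wrapper if wanted.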
Configure logrotate so the logs don't overflow.
# vi /etc/logrotate.d/nessusd
/var/log/nessusd/nessusd.dump /var/log/nessusd/nessusd.messages {
    notifempty
    missingok
}