Performing Nessus Scans on CMS Nodes
These instructions were developed using Nessus 2.2.5 for Linux.
Starting the Nessus Client
- Nessus is now installed on cmssrv15 for you (so you can go to
step 2), but if you want to download it anyway, you can download the
Nessus package from www.nessus.org.
- As of 2005-Sep-20, there is no Linux RPM. Instead, there
is a package that includes the client and server packages.
- You need to download this, install it on your system and
"delete the nessusd executable, nasl and plugins. Don't delete the
libraries as the client needs the nessus libraries." Deleting
these files is necessary to comply with FNAL policy as described
on page 2 of http://computing.fnal.gov/cd/policy/cpolicy.pdf (last
sentence of second item under the heading "Rules to Protect
Fermilab Computing"): "Hacking is forbidden, including ...
The use or possession of security-probing or cracker tools
requires written authorization."
- The first time you start Nessus, you get asked about your
preferred "SSL paranoia level." Choosing "1" will work.
- Read http://security.fnal.gov/Nessus/Fermilab_Security_Scanning_using_Nessus.htm
for details on how to log on. I had to make the change described
at http://security.fnal.gov/Nessus/Fermi_Nessus_Scanning_FAQ.htm#_Toc61246788.
Look on that page if you get other errors connecting (e.g., I had some
mismatch between my DN in the Fermilab phone directory and the Active
Directory, both of which need to match). If you need more help,
you can contact nessus-users@fnal.gov.
- So far, it has been my experience that if you do not get an error
immediately after pressing the "Login" button on the client, then you
are being logged in; note that this takes several seconds (around 20
seconds), during which the client appears to be hanging. If you are
successful, it moves you to the "Plugins" tab.
Configuring the Nessus Client for Scanning CMS Nodes
- Log in to cmssrv15 (as yourself, not root); type "kx509; kxlist -p"
to generate the certificate and key files.
- Start the Nessus client and log in.
- Click the "Plugins" tab:
  - Click the "Enable all" button.
  - Check the "Enable dependencies at runtime" option.
- Click the "Scan Options" tab:
  - Choose a port scanner. We used NMAP but that appears to
    have disappeared as of 2005-10-25. So I chose the Nessus TCP
    Scanner. If this is not there in the list anymore, then send
    e-mail to nessus-users@fnal.gov for advice.
  - Uncheck the "Safe checks" option in order to run all checks
    (note that this means that some potentially dangerous checks will be
    performed on the host; so if you do not want this, leave this option
    checked).
  - Set the range of ports to scan to 1-65535.
- Click the "Target" tab:
  - Enter a comma-separated list of hosts you want to scan.
    If you want to scan a large number of hosts, you can list them one per
    line in a text file and then read it in by clicking the "Read file..."
    button and selecting the appropriate file.
- Click the "Start Scan" button.
- When the scan is complete, a new window will pop up showing you
the results. Save the file in NBE format by clicking the "Save
Report..." button, choosing "NBE" as the "Report file format" and
choosing a name that indicates the range of hosts followed by the date
in YYYY-MM-DD format and ending with the ".nbe" extension. For
example, if you scanned all of the cmssrv* nodes on 2005-Oct-25, then
you could name the file cmssrv_2005-10-25.nbe.
Importing Scan Results into the Database
NOTE: It is a limitation of Nessus (not nessus-php) that only the date
(not the time) is saved in the Nessus report. This means that if you
scan a node and import the data, then fix the problems, scan the node
again the same day and reimport it (at any time), your old scan data for
that day will be overwritten. It would be best to wait until the next
day, do another scan and then import it (note that it is the scan date,
not the import date, that is important).
- Log in as root@cmssrv15
- Copy or move your .nbe file to /root/nessus/nessus_nbe_reports/
- cd /root/nessus/nessus-php-0.4
- ./add-nbe -n /root/nessus/nessus_nbe_reports/<report_name>
- You will see:
Welcome to Nessus-PHP's "add-nbe" interface.
Skipping script retrieval.
Adding report data for host <hostname>
<plus one similar line for each additional host report stored in
this .nbe file>
- Now you should be able to view this new data at
https://cmssrv15.fnal.gov/nessus (the CN of your DOE grid cert
will need to be added to /etc/httpd/conf.d/nessus-php.conf and your DOE
grid cert will need to be loaded into your browser). Note
that you MUST use https in the URL.
- Make sure you analyze this report for any "Security Holes".
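
A pre-import check for the steps above, as an added example that is not part of the original instructions or of nessus-php: it lists each host's "Security Hole" findings in an .nbe file and reports hosts whose earlier same-day data a re-import would overwrite. It assumes the pipe-delimited NBE results layout shown in the comment and that the date in the file name is the scan date; the host names, plugin ids and function names are constructed.

```python
import re
from datetime import date

# Constructed sample reports (not real scan output). Assumed NBE layout:
# results|subnet|host|port|plugin_id|severity|description
MORNING = """\
results|cmssrv|cmssrv01|ssh (22/tcp)
results|cmssrv|cmssrv01|ssh (22/tcp)|90001|Security Note|Constructed note
results|cmssrv|cmssrv01|http (80/tcp)|90002|Security Hole|Constructed hole
results|cmssrv|cmssrv02|general/tcp|90003|Security Warning|Constructed warning
"""
AFTERNOON = """\
results|cmssrv|cmssrv01|ssh (22/tcp)|90001|Security Note|Constructed note
"""

NAME_RE = re.compile(r"_(\d{4})-(\d{2})-(\d{2})\.nbe$")

def scan_date(filename):
    """Date from a name like cmssrv_2005-10-25.nbe; None if the name does not fit."""
    m = NAME_RE.search(filename)
    try:
        return date(*map(int, m.groups())) if m else None
    except ValueError:  # digits in the right places but not a real date
        return None

def findings(text, severity="Security Hole"):
    """Map every scanned host to its [(port, plugin_id, description)] of one severity."""
    out = {}
    for line in text.splitlines():
        f = line.split("|")
        if f[0] != "results" or len(f) < 3:
            continue
        out.setdefault(f[2], [])  # keep hosts that have no finding of this severity
        if len(f) >= 7 and f[5] == severity:
            # the description may itself contain '|', so rejoin the tail
            out[f[2]].append((f[3], f[4], "|".join(f[6:])))
    return out

def same_day_overwrites(new_name, new_text, earlier):
    """Hosts in the new report that an earlier report (name -> text) covers on the same date."""
    day, hosts = scan_date(new_name), set(findings(new_text))
    clash = set()
    for name, text in earlier.items():
        if day is not None and scan_date(name) == day:
            clash |= hosts & set(findings(text))
    return sorted(clash)
```
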