CentOS 5 に nessus をインストールする


次に、nessus サーバの SSL 証明書を作成します。

# /opt/nessus/sbin/nessus-mkcert


**** This host seems to be running under VMware.
**** Nessus performance is abysmal when running under VMware
**** We do not recommand you use this setup in production


nessusd (Nessus) 3.0.6. for Linux
(C) 1998 - 2007 Tenable Network Security, Inc.


-------------------------------------------------------------------------------
                        Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL
certificate of Nessus. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to your
Nessus daemon will be able to retrieve this information.


CA certificate life time in days [1460]: [Enter]
Server certificate life time in days [365]: [Enter]
Your country (two letter code) [FR]: JP
Your state or province name [none]: [Enter]
Your location (e.g. town) [Paris]: Tokyo
Your organization [Nessus Users United]: TEST




-------------------------------------------------------------------------------
                        Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

/opt/nessus//etc/nessus/nessusd.conf updated
 
The following files were created : 

. Certification authority : 
   Certificate = /opt/nessus//com/nessus/CA/cacert.pem
   Private key = /opt/nessus//var/nessus/CA/cakey.pem

. Nessus Server : 
    Certificate = /opt/nessus//com/nessus/CA/servercert.pem
    Private key = /opt/nessus//var/nessus/CA/serverkey.pem

Press [ENTER] to exit
[Enter]
#

SSL証明書の作成完了。

これでようやく準備が終わりましたので、実際にスキャンを実行してみます。

ただし、この段階では NessusClient をインストールしていませんので、
GUI での操作はできません。

とりあえず、コマンドラインからスキャンを実行してみます。

その前に、スキャン対象を定義したターゲットファイルを作成しておきます。

# cat /tmp/targets 
1.1.1.2
1.1.1.3
#

コマンドラインからバッチモードでスキャンを実行します。

コマンドの書式は次の通り。

nessus -q [nessus サーバ] [接続ポート] [ユーザ名] [パスワード] 
                          [ターゲットファイル] [レポート出力ファイル]


# /opt/nessus/bin/nessus -q 127.0.0.1 1241 nessus nessus /tmp/targets /tmp/result
Please choose your level of SSL paranoia (Hint: if you want to manage many
servers from your client, choose 2. Otherwise, choose 1, or 3, if you are 
paranoid.
1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FR, ST=none, L=Paris, O=Nessus Users United, OU=Certification 
     Authority for cnetos.test, CN=cnetos.test/emailAddress=ca@cnetos.test
        Validity
            Not Before: Aug  5 05:39:09 2007 GMT
            Not After : Aug  4 05:39:09 2008 GMT
        Subject: C=FR, ST=none, L=Paris, O=Nessus Users United, OU=Server 
     certificate for cnetos.test, CN=cnetos.test/emailAddress=nessusd@cnetos.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b7:70:f9:66:5d:78:b2:0e:57:36:cb:87:85:08:
                    aa:37:c6:08:42:c5:c8:4e:c1:17:12:27:de:4e:22:
                    d1:90:92:5e:07:e1:87:2d:0b:35:ec:ca:74:f6:1c:
                    c8:f5:f0:23:1c:dd:7e:4c:d1:f2:ad:fc:80:25:31:
                    cf:d8:18:d0:d1:df:21:af:08:ac:ab:4f:7e:22:57:
                    d9:cf:a7:d4:1a:5d:b2:52:00:4f:81:c5:b4:bb:ee:
                    04:d2:04:35:60:c7:77:0e:30:47:22:a7:06:42:93:
                    e2:bd:b6:8d:39:56:11:a3:54:2c:29:04:68:bf:fd:
                    83:8a:e8:bb:ed:d3:ee:23:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A1:E2:48:0D:55:91:1E:C1:51:DE:4F:07:7A:54:23:7F:45:07:27:8B
            X509v3 Authority Key Identifier: 
                keyid:E7:24:8E:25:37:96:03:51:EE:CD:22:DA:0C:38:2C:A0:A8:87:11:E7
                DirName:/C=FR/ST=none/L=Paris/O=Nessus Users United/OU=Certification 
         Authority for cnetos.test/CN=cnetos.test/emailAddress=ca@cnetos.test
                serial:8B:67:3D:F6:2F:23:35:3B

            X509v3 Subject Alternative Name: 
                email:nessusd@cnetos.test
            X509v3 Issuer Alternative Name: 
                <EMPTY>

    Signature Algorithm: md5WithRSAEncryption
        2b:36:b5:ac:e7:3c:6d:0e:8f:bb:01:cd:0c:d8:af:84:ef:9a:
        78:3e:41:da:68:4c:17:bf:43:be:2c:1a:7e:35:c6:b6:1d:ee:
        8c:7b:c4:3e:08:c1:51:3d:d4:d1:d3:73:04:f0:ac:f3:57:3f:
        d5:ac:03:82:33:4d:e5:41:1c:37:2e:40:95:89:d0:2a:34:7d:
        62:31:cc:5b:51:a1:95:70:96:8a:cb:3a:df:4d:61:d2:2d:ed:
        48:c1:a8:ab:27:d2:7e:86:ef:4c:22:0d:57:78:a8:5b:73:b9:
        b6:fb:5d:71:25:1c:89:22:b2:84:e2:82:1c:1b:94:7a:c5:1c:
        ec:c6

Do you accept it ? (y/n) y
*** The plugins that have the ability to crash remote services or hosts
have been disabled. You should activate them if you want your security
audit to be complete
#

初めての接続なので SSL の確認があり、その後スキャンが実行されました。

上記コマンドの場合、スキャンの結果は /tmp/result に記録されます。

試しに、もう 1 回実行してみると SSL の確認は初回だけなので、
このような感じになります。

# /opt/nessus/bin/nessus -q 127.0.0.1 1241 nessus nessus /tmp/targets /tmp/result
*** The plugins that have the ability to crash remote services or hosts
have been disabled. You should activate them if you want your security
audit to be complete
#

                                          1 / 2 / 3