Run Nessus on FreeBSD as a Non-Privileged User
Limitations
- When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.
- nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which could cause Nessus to be unable to access them appropriately. Use care when running nessuscli, and potentially fix permissions with chown after using it.
Note: Unless otherwise noted, execute the following commands in a root login shell.
- If you have not already done so, install Nessus on FreeBSD:
# pkg add Nessus-*.txz
- Create a non-root account to run the Nessus service.
In this example, the user creates nonprivuser in the nonprivgroup.
# adduser
Username: nonprivuser
Full name: NonPrivUser
Uid (Leave empty for default):
Login group [nonprivuser]:
Login group is nonprivuser. Invite nonprivuser into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]:
Home directory [/home/nonprivuser]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : nonprivuser
Password : *****
Full Name : NonPrivUser
Uid : 1003
Class :
Groups : nonprivuser
Home : /home/nonprivuser
Home Mode :
Shell : /bin/sh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (nonprivuser) to the user database.
Add another user? (yes/no): no
Goodbye!
- Remove 'world' permissions on the Nessus binaries in the /usr/local/nessus/sbin directory:
# chmod 750 /usr/local/nessus/sbin/*
- Change ownership of /usr/local/nessus to the non-root user:
# chown -R nonprivuser:nonprivuser /usr/local/nessus
- Create a group to give the non-root user access to the /dev/bpf device and allow them to use raw sockets:
# pw groupadd access_bpf
# pw groupmod access_bpf -m nonprivuser
- Confirm that nonprivuser appears in the group. The group entry should look like this:
access_bpf:*:1003:nonprivuser
- Next, check your system limit values.
Using the ulimit -a command, verify that each parameter has, at minimum, the following values.
This example shows FreeBSD 10 values:
# ulimit -a
cpu time (seconds, -t) unlimited
file size (512-blocks, -f) unlimited
data seg size (kbytes, -d) 33554432
stack size (kbytes, -s) 524288
core file size (512-blocks, -c) unlimited
max memory size (kbytes, -m) unlimited
locked memory (kbytes, -l) unlimited
max user processes (-u) 6670
open files (-n) 58329
virtual mem size (kbytes, -v) unlimited
swap limit (kbytes, -w) unlimited
sbsize (bytes, -b) unlimited
pseudo-terminals (-p) unlimited
- If any of the values in Step 6 do not meet the minimum requirements, take the following steps to modify the values.
Using a text editor, edit the /etc/sysctl.conf file.
Next, using the service command, restart the sysctl service:
# service sysctl restart
Alternatively, you can reboot your system.
Verify the new, minimum required values by using the ulimit -a command again.
- Next, using a text editor, modify the /usr/local/etc/rc.d/nessusd service script to remove and add the following lines:
Remove:
/usr/local/nessus/sbin/nessus-service -D -q
Add:
chown root:access_bpf /dev/bpf
chmod 660 /dev/bpf
daemon -u nonprivuser /usr/local/nessus/sbin/nessus-service -D -q --no-root
The resulting script should appear as follows:
nessusd_start() {
    echo 'Starting Nessus...'
    chown root:access_bpf /dev/bpf
    chmod 660 /dev/bpf
    daemon -u nonprivuser /usr/local/nessus/sbin/nessus-service -D -q --no-root
}

nessusd_stop() {
    test -f /usr/local/nessus/var/nessus/nessus-service.pid && kill `cat /usr/local/nessus/var/nessus/nessus-service.pid` && echo 'Stopping Nessus...' && sleep 3
}
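As an added example (not part of Tenable's documentation or the Nessus package), the following POSIX sh script re-checks each step above after the fact: ownership of /usr/local/nessus, world permission bits under sbin, membership of nonprivuser in access_bpf, the mode and group of /dev/bpf, and the ulimit minimums parsed from the listing format shown. The paths, names and minimum values are the page's; the function names and the check script itself are assumptions.

```shell
#!/bin/sh
# Post-setup verification for the non-root Nessus procedure above (added example,
# not Tenable's code). Assumes the page's names: /usr/local/nessus, nonprivuser,
# access_bpf, and the FreeBSD 10 minimum limits from the ulimit -a listing.
NESSUS_DIR=${NESSUS_DIR:-/usr/local/nessus}
NESSUS_USER=${NESSUS_USER:-nonprivuser}
BPF_GROUP=${BPF_GROUP:-access_bpf}

# chown -R step: nothing under DIR may be owned by anyone but USER.
check_owner() {            # usage: check_owner DIR USER
    id "$2" >/dev/null 2>&1 || return 1   # unknown user: fail, do not pass silently
    [ -z "$(find "$1" ! -user "$2" | head -n 1)" ]
}
# chmod 750 step: no regular file under DIR may carry a world r/w/x bit.
check_no_world_bits() {    # usage: check_no_world_bits DIR
    [ -z "$(find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) | head -n 1)" ]
}
# pw groupmod -m step: USER must appear in GROUP's member list.
user_in_group() {          # usage: user_in_group USER GROUP
    case " $(id -Gn "$1" 2>/dev/null) " in *" $2 "*) return 0 ;; esac
    return 1
}
# rc.d script step: PATH (normally /dev/bpf) must be mode rw-rw---- with group GROUP.
check_device_access() {    # usage: check_device_access PATH GROUP
    set -- "$(ls -ld "$1" 2>/dev/null)" "$2"
    case "$1" in ?rw-rw----*) ;; *) return 1 ;; esac
    [ "$(printf '%s\n' "$1" | awk '{ print $4 }')" = "$2" ]
}
# ulimit step: read "ulimit -a" output on stdin and compare the numeric limits the
# page lists against its minimum values; "unlimited" always passes. Prints offenders.
limits_meet_minimum() {
    awk -v mins="-d:33554432 -s:524288 -u:6670 -n:58329" '
    BEGIN { n = split(mins, p, " "); for (i = 1; i <= n; i++) { split(p[i], kv, ":"); min[kv[1]] = kv[2] + 0 } }
    { flag = ""
      for (f = 1; f <= NF; f++) if ($f ~ /-[a-z]\)$/) { flag = $f; gsub(/[()]/, "", flag) }
      if (flag in min && $NF != "unlimited" && $NF + 0 < min[flag]) {
          printf "%s is %s, minimum is %d\n", flag, $NF, min[flag]; bad = 1 } }
    END { exit (bad ? 1 : 0) }'
}

run_all_checks() {         # run against the live system: sh check_nessus.sh --run
    check_owner "$NESSUS_DIR" "$NESSUS_USER"  || echo "FAIL: files under $NESSUS_DIR not owned by $NESSUS_USER"
    check_no_world_bits "$NESSUS_DIR/sbin"    || echo "FAIL: world-accessible binaries in $NESSUS_DIR/sbin"
    user_in_group "$NESSUS_USER" "$BPF_GROUP" || echo "FAIL: $NESSUS_USER is not in $BPF_GROUP"
    check_device_access /dev/bpf "$BPF_GROUP" || echo "FAIL: /dev/bpf is not group $BPF_GROUP with mode 660"
    ulimit -a | limits_meet_minimum           || echo "FAIL: system limits below the required minimum"
}
if [ "${1:-}" = "--run" ]; then run_all_checks; fi
```

Run it from the root login shell after the rc.d script has started Nessus once, since the chown and chmod on /dev/bpf only happen in nessusd_start.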