Run Nessus on FreeBSD as a non-privileged User

Limitations

  • For use with Nessus 6.7 or later.
  • When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.
  • nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which could cause Nessus to be unable to access them appropriately. Use care when running nessuscli, and potentially fix permissions with chown after using it.

Note: Unless otherwise noted, execute the following commands in a root login shell.

  1. If you have not already done so, Install Nessus on FreeBSD.
    pkg add Nessus-*.txz
  2. Create a non-root account which will run the Nessus service.
    In this example, nonprivuser is created in the nonprivgroup.
    # adduser
    Username: nonprivuser
    Full name: NonPrivUser
    Uid (Leave empty for default):
    Login group [nonprivuser]:
    Login group is nonprivuser. Invite nonprivuser into other groups? []:
    Login class [default]:
    Shell (sh csh tcsh bash rbash nologin) [sh]:
    Home directory [/home/nonprivuser]:
    Home directory permissions (Leave empty for default):
    Use password-based authentication? [yes]:
    Use an empty password? (yes/no) [no]:
    Use a random password? (yes/no) [no]:
    Enter password:
    Enter password again:
    Lock out the account after creation? [no]:
    Username : nonprivuser
    Password : *****
    Full Name : NonPrivUser
    Uid : 1003
    Class :
    Groups : nonprivuser
    Home : /home/nonprivuser
    Home Mode :
    Shell : /bin/sh
    Locked : no
    OK? (yes/no): yes
    adduser: INFO: Successfully added (nonprivuser) to the user database.
    Add another user? (yes/no): no
    Goodbye!
  3. Remove 'world' permissions on Nessus binaries in the /sbin directory.
    chmod 750 /usr/local/nessus/sbin/*
  4. Change ownership of /opt/nessus to the non-root user.
    chown -R nonprivuser:nonprivuser /usr/local/nessus
  5. Create a group to give the non-root user access to the /dev/bpf device and allow them to use raw sockets.
    pw groupadd access_bpf
    pw groupmod access_bpf -m nonprivuser
  6. Confirm the nonprivuser was added to the group.
  7. # pw groupshow access_bpf
    access_bpf:*:1003:nonprivuser

  8. Next, check your system limit values.
    Using the ulimit -a command, verify that each parameter has, at minimum, the following values.
    This example displays FreeBSD 10 values:
    # ulimit -a
    cpu time           (seconds, -t)       unlimited
    file size          (512-blocks, -f)    unlimited
    data seg size      (kbytes, -d)        33554432
    stack size         (kbytes, -s)        524288
    core file size     (512-blocks, -c)    unlimited
    max memory size    (kbytes, -m)        unlimited
    locked memory       (kbytes, -l)        unlimited
    max user processes  (-u)                6670
    open files          (-n)                58329
    virtual mem size    (kbytes, -v)        unlimited
    swap limit          (kbytes, -w)        unlimited
    sbsize              (bytes, -b)         unlimited
    pseudo-terminals    (-p)                unlimited
  9. If any of the values in Step 6. do not meet the minimum requirements, take the following steps to modify values.

    Using a text editor, edit the /etc/sysctl.conf file.
    Next, using the service command, restart the sysctl service:
    service sysctl restart

    Alternatively, you can reboot your system.
    Verify the new, minimum required values by using the ulimit -a command again.
  10. Next, using a text editor, modify the /usr/local/etc/rc.d/nessusd service script to remove and add the following lines:
    Remove: /usr/local/nessus/sbin/nessus-service -D -q
    Add: chown root:access_bpf /dev/bpf
    Add: chmod 660 /dev/bpf
    Add: daemon -u nonprivuser /usr/local/nessus/sbin/nessus-service -D -q --no-root

    The resulting script should appear as follows:
  11. nessusd_start() {
      echo 'Starting Nessus...'
      chown root:access_bpf /dev/bpf
      chmod 660 /dev/bpf
      daemon -u nonprivuser /usr/local/nessus/sbin/nessus-service -D -q --no-root
    }

    nessusd_stop() {
      test -f /usr/local/nessus/var/nessus/nessus-service.pid && kill `cat /usr/local/nessus/var/nessus/nessus-service.pid` && echo 'Stopping Nessus...' && sleep 3
    }

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.