Run Nessus on Linux with init.d Script as a Non-Privileged User

Limitations

These steps are for use with Nessus 6.7 or later.

When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.

Because nessuscli does not have a --no-root mode, running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which can prohibit Nessus from accessing them successfully. Use care when running nessuscli, and potentially fix permissions with chown after using it.

Steps

  1. If you have not already, perform a Nessus Linux Install.
  2. Create a non-root account to run the Nessus service.

    sudo useradd -r nonprivuser

  3. Remove 'world' permissions on Nessus binaries in the /sbin directory.

    sudo chmod 750 /opt/nessus/sbin/*

  4. Change ownership of /opt/nessus to the non-root user.

    sudo chown nonprivuser:nonprivuser -R /opt/nessus

  5. Set capabilities on nessusd and nessus-service.

    Tip:

    cap_net_admin is used to put the interface in promiscuous mode.

    cap_net_raw is used to create raw sockets for packet forgery.

    cap_sys_resource is used to set resource limits.

    If this instance is only a manager and you do not want it to perform scans, you need to grant it only the capability to change its resource limits.

    sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessusd

    sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

    If you want this instance of Nessus to perform scans, you also need to grant the capabilities that allow packet forgery and enabling promiscuous mode on the interface.

    sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessusd

    sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

  6. Remove and add the following lines to the /etc/init.d/nessusd script:

    Remove: /opt/nessus/sbin/nessus-service -q -D

    Add: daemon --user=nonprivuser /opt/nessus/sbin/nessus-service -q -D --no-root

    The resulting script should appear as follows:

    start() {
        KIND="$NESSUS_NAME"
        echo -n $"Starting $NESSUS_NAME : "
        daemon --user=nonprivuser /opt/nessus/sbin/nessus-service -q -D --no-root
        echo "."
        return 0
    }

  7. Start nessusd.

    In this step, the service command runs as root, but the init.d script starts Nessus as nonprivuser.

    sudo service nessusd start
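A post-setup audit for the layout the steps above produce, added here as an example and not part of Tenable's documentation or tooling. It assumes a Linux host with GNU coreutils stat, procps ps and libcap getcap, and defaults to the /opt/nessus path and nonprivuser account used above:

```shell
#!/bin/sh
# Post-setup audit for the non-root Nessus layout described above (added example,
# not Tenable's tooling). Assumes Linux with GNU stat -c, procps ps -C, getcap(8).
# Print paths under $1 not owned by $2 (e.g. root-owned files left by nessuscli);
# return 1 if any is found.
files_not_owned_by() {
    find "$1" -exec stat -c '%U %n' {} + |
        awk -v want="$2" '$1 != want { sub(/^[^ ]+ /, ""); print; bad = 1 }
                          END { exit bad + 0 }'
}
# Print regular files under $1 with any world (other) permission bit set, i.e.
# where step 3's chmod 750 did not take; return 1 if any is found.
world_accessible() {
    find "$1" -type f -exec stat -c '%a %n' {} + |
        awk 'substr($1, length($1), 1) != "0" { sub(/^[^ ]+ /, ""); print; bad = 1 }
             END { exit bad + 0 }'
}

# $1: one line of getcap output, $2: comma-separated required capabilities.
# Succeeds only if every one is present. Handles both libcap output formats:
#   /path = cap_net_raw,cap_sys_resource+eip   and   /path cap_net_raw,cap_sys_resource=eip
has_caps() {
    caps=$(printf '%s\n' "$1" | sed 's/^[^ ]* *=* *//; s/[+=].*$//')
    for c in $(printf '%s\n' "$2" | tr ',' ' '); do
        case ",$caps," in *",$c,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Full audit: $1 install dir, $2 service user, $3 capabilities the binaries need
# (scanning set by default; pass cap_sys_resource for a manager-only instance).
audit_nessus() {
    base=${1:-/opt/nessus}; user=${2:-nonprivuser}
    need=${3:-cap_net_admin,cap_net_raw,cap_sys_resource}; rc=0
    [ -d "$base" ] || { echo "no Nessus install at $base"; return 1; }
    echo "== paths under $base not owned by $user:"
    files_not_owned_by "$base" "$user" || rc=1
    echo "== world-accessible files in $base/sbin:"
    world_accessible "$base/sbin" || rc=1
    for bin in nessusd nessus-service; do
        line=$(getcap "$base/sbin/$bin" 2>/dev/null)
        has_caps "$line" "$need" || { echo "== $bin lacks caps: ${line:-none set}"; rc=1; }
    done
    owner=$(ps -o user= -C nessusd 2>/dev/null | head -n 1)   # who runs the daemon
    [ "$owner" = "$user" ] || { echo "== nessusd runs as '${owner:-not running}'"; rc=1; }
    return $rc
}
# Runs only when given arguments, e.g.:  sh nessus_audit.sh /opt/nessus nonprivuser
if [ $# -gt 0 ]; then audit_nessus "$@"; fi
```

A non-zero exit means at least one of the properties the steps establish (ownership, no world access on sbin, capabilities, daemon user) does not hold, and the offending paths are printed.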

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.