Run Nessus on Linux with init.d Script as a Non-Privileged User
Limitations
When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.
Because nessuscli does not have a --no-root mode, running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which can prohibit Nessus from accessing them successfully. Use care when running nessuscli, and potentially fix permissions with chown after using it.
Steps
- If you have not already, install Nessus.
- Create a non-root account to run the Nessus service.
sudo useradd -r -m nonprivuser
- Remove 'world' permissions on Nessus binaries in the /sbin directory.
sudo chmod 750 /opt/nessus/sbin/*
- Change ownership of /opt/nessus to the non-root user.
sudo chown nonprivuser:nonprivuser -R /opt/nessus
- Set capabilities on nessusd and nessus-service.
Tip:
Use cap_net_admin to put the interface in promiscuous mode.
Use cap_net_raw to create raw sockets for packet forgery.
Use cap_sys_resource to set resource limits.
If this is only a manager, and you do not want this instance of Nessus install to perform scans, you need to provide it only with the capability to change its resource limits.
sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessusd
sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessus-service
If you want this instance of Nessus to perform scans, you need to add the extra capabilities that allow packet forgery and enable promiscuous mode on the interface.
sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessusd
sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessus-service
- Add the following line to the /etc/init.d/nessusd script:
CentOS:
daemon --user=nonprivuser /opt/nessus/sbin/nessus-service -q -D --no-root
Debian:
start-stop-daemon --start --oknodo --user nonprivuser --name nessus --pidfile --chuid nonprivuser --startas /opt/nessus/sbin/nessus-service -- -q -D --no-root
Depending on your operating system, the resulting script should appear as follows:
CentOS:
start() {
    KIND="$NESSUS_NAME"
    echo -n $"Starting $NESSUS_NAME : "
    daemon --user=nonprivuser /opt/nessus/sbin/nessus-service -q -D --no-root
    echo "."
    return 0
}
Debian:
start() {
    KIND="$NESSUS_NAME"
    echo -n $"Starting $NESSUS_NAME : "
    start-stop-daemon --start --oknodo --user nonprivuser --name nessus --pidfile --chuid nonprivuser --startas /opt/nessus/sbin/nessus-service -- -q -D --no-root
    echo "."
    return 0
}
- Start nessusd.
You issue this command as root, but the init.d script starts the Nessus service as nonprivuser.
sudo service nessusd start
Note: If you are running Nessus on Debian, after starting Nessus, run the following command to regain ownership of directories created at runtime:
chown -R nonprivuser:nonprivuser /opt/nessus
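A post-install check for the configuration above, added here as an example and not Tenable's own tooling: it confirms the capability sets on both binaries, the 750 permissions in /opt/nessus/sbin, that nothing under /opt/nessus has reverted to root ownership (the nessuscli problem from Limitations), and that nessus-service actually runs as nonprivuser. The path and account name are the ones the steps assume; the getcap parser accepts both the older "= caps+eip" and the newer "caps=eip" output styles.

```shell
#!/bin/sh
# Post-install check for the non-root Nessus setup above. Added example, not
# Tenable tooling; assumes the path and account from the steps (/opt/nessus,
# nonprivuser) and a GNU/Linux userland (find -perm /MODE, getcap, procps ps).
NESSUS_DIR=${NESSUS_DIR:-/opt/nessus}
NESSUS_USER=${NESSUS_USER:-nonprivuser}
SCAN_CAPS=${SCAN_CAPS:-cap_net_admin,cap_net_raw,cap_sys_resource}  # manager-only: cap_sys_resource

# List files under $1 not owned by $2: anything printed was left behind by
# nessuscli run as root (see Limitations) and needs the chown -R from the Note.
foreign_owned() {
    id "$2" >/dev/null 2>&1 || { echo "no such user: $2" >&2; return 2; }
    find "$1" ! -user "$2"
}

# List files in $1 that still carry 'other' permission bits (step 3 sets 750).
world_accessible() { find "$1" -perm /007; }

# Succeed if the getcap output line $1 grants every capability in the
# comma-separated list $2 with the effective and permitted flags. Handles both
# styles: "/path = cap_a,cap_b+eip" (older libcap), "/path cap_a,cap_b=eip" (newer).
caps_present() {
    caps="${1#*[ =]}"; caps="${caps#= }"   # drop the path and any " = "
    flags="${caps##*[+=]}"                  # e.g. "eip"
    caps="${caps%%[+=]*}"                   # e.g. "cap_a,cap_b"
    case "$flags" in *e*p*|*p*e*) ;; *) return 1 ;; esac
    old_ifs=$IFS; IFS=,; set -- $2; IFS=$old_ifs
    for c in "$@"; do
        case ",$caps," in *",$c,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Live checks against the installed instance, one ok/FAIL line each.
check_install() {
    for bin in nessusd nessus-service; do
        caps_present "$(getcap "$NESSUS_DIR/sbin/$bin")" "$SCAN_CAPS" &&
            echo "ok   $bin: $SCAN_CAPS" || echo "FAIL $bin: missing $SCAN_CAPS"
    done
    [ -z "$(world_accessible "$NESSUS_DIR/sbin")" ] &&
        echo "ok   $NESSUS_DIR/sbin not world-accessible" || echo "FAIL world bits set in $NESSUS_DIR/sbin"
    [ -z "$(foreign_owned "$NESSUS_DIR" "$NESSUS_USER")" ] &&
        echo "ok   $NESSUS_DIR owned by $NESSUS_USER" || echo "FAIL run chown -R $NESSUS_USER:$NESSUS_USER $NESSUS_DIR"
    # compare numeric uids: ps may truncate long user names such as nonprivuser
    uid=$(id -u "$NESSUS_USER" 2>/dev/null) && [ "$(ps -o uid= -C nessus-service | tr -d ' ')" = "$uid" ] &&
        echo "ok   nessus-service runs as $NESSUS_USER" || echo "FAIL nessus-service not running as $NESSUS_USER"
}

# Run the live checks only when invoked as: sh nessus_nonroot_check.sh run
if [ "${1:-}" = run ]; then check_install; fi
```

The functions can also be sourced individually, for example to feed the getcap check into a configuration-management test without touching the live service.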