Run Nessus on Linux with Systemd as a Non-Privileged User

Limitations

  • For use with Nessus 6.7 or later.
  • When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.
  • nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which can prohibit Nessus from accessing them successfully. Use care when running nessuscli, and potentially fix permissions with chown after using it.

Steps

  1. If you have not already, install Nessus.
  2. Create a non-root account to run the Nessus service.

    sudo useradd -r nonprivuser

  3. Remove 'world' permissions on Nessus binaries in the /sbin directory.

    sudo chmod 750 /opt/nessus/sbin/*

  4. Change ownership of /opt/nessus to the non-root user.

    sudo chown nonprivuser:nonprivuser -R /opt/nessus

  5. Set capabilities on nessusd and nessus-service.

    Tip: cap_net_admin is used to put the interface into promiscuous mode.
    cap_net_raw is used to create raw sockets for packet forgery.
    cap_sys_resource is used to set resource limits.

    If this is only a manager, and you do not want this instance of Nessus to perform scans, you need to provide it only with the capability to change its resource limits.

    sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessusd

    sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

    If you want this instance of Nessus to perform scans, you also need to grant the capabilities that allow packet forgery and putting the interface into promiscuous mode.

    sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessusd

    sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

  6. Remove and add the following lines in the /usr/lib/systemd/system/nessusd.service unit file:

    • Remove: ExecStart=/opt/nessus_pr/sbin/nessus-service -q
    • Add: ExecStart=/opt/nessus_pr/sbin/nessus-service -q --no-root
    • Add: User=nonprivuser

    The resulting script should appear as follows:

    [Service]
    Type=simple
    PIDFile=/opt/nessus_pr/var/nessus/nessus-service.pid
    ExecStart=/opt/nessus_pr/sbin/nessus-service -q --no-root
    Restart=on-abort
    ExecReload=/usr/bin/pkill nessusd
    EnvironmentFile=-/etc/sysconfig/nessusd
    User=nonprivuser

    [Install]
    WantedBy=multi-user.target

  7. Reload and start nessusd.

    In this step, Nessus restarts as root, but systemd starts it as nonprivuser.

    sudo systemctl daemon-reload

    sudo service nessusd start
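The following audit script is an added example, not Tenable's own tooling. It checks the state that steps 3 through 6 are meant to produce (no world permissions on sbin binaries, everything under the install directory owned by the service user, the required capabilities present on nessusd and nessus-service) and prints a systemd drop-in override as an alternative to editing the packaged unit file, which a package upgrade may overwrite. The install directory, service user, and the use of a drop-in at /etc/systemd/system/nessusd.service.d/ are assumptions of this script; the capability names are the ones listed in step 5. Run it as `sh nessus_audit.sh audit` after completing the steps, ideally again after any use of nessuscli as root (see Limitations).

```shell
#!/bin/sh
# Added example: audit a non-root Nessus install after the steps above.
# Assumed defaults (override via environment): install dir and service user.
NESSUS_DIR="${NESSUS_DIR:-/opt/nessus}"
NESSUS_USER="${NESSUS_USER:-nonprivuser}"
# Capability set from step 5 for an instance that performs scans.
SCANNER_CAPS="cap_net_admin,cap_net_raw,cap_sys_resource"

# Step 3 check: every file under sbin/ must be mode 750 (no 'world' bits).
check_sbin_modes() {
    dir="$1"
    for f in "$dir"/sbin/*; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            750) ;;
            *) echo "BAD: mode $mode on $f (expected 750)"; return 1 ;;
        esac
    done
    return 0
}

# Step 4 check: nothing under the install dir may be owned by another user.
# This catches files that nessuscli created as root (see Limitations).
check_ownership() {
    dir="$1"; user="$2"
    bad=$(find "$dir" ! -user "$user" 2>/dev/null | head -n 5)
    if [ -n "$bad" ]; then
        echo "BAD: not owned by $user:"; echo "$bad"; return 1
    fi
    return 0
}

# Pure string check: does a getcap output line list every required capability?
# Tolerates both libcap output styles ("path = caps+eip" and "path caps=eip").
caps_present() {
    output="$1"; required="$2"
    for cap in $(echo "$required" | tr ',' ' '); do
        case "$output" in
            *"$cap"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Step 5 check: read the file capabilities of a binary and compare.
# Returns 0 with a note when getcap is not installed (nothing to compare).
check_caps() {
    bin="$1"; required="$2"
    if ! command -v getcap >/dev/null 2>&1; then
        echo "NOTE: getcap not available; skipping capability check for $bin"
        return 0
    fi
    actual=$(getcap "$bin" 2>/dev/null)
    if caps_present "$actual" "$required"; then
        return 0
    fi
    echo "BAD: $bin has '$actual', expected $required"; return 1
}

# Step 6 alternative (assumption of this script, not from the page): a drop-in
# override. The empty ExecStart= line clears the packaged command before the
# --no-root one is set, which is how systemd drop-ins replace ExecStart.
unit_override() {
    dir="$1"; user="$2"
    printf '%s\n' "[Service]" "ExecStart=" \
        "ExecStart=$dir/sbin/nessus-service -q --no-root" "User=$user"
}

# Run every check and report; exit status is non-zero if any check failed.
audit_install() {
    dir="$1"; user="$2"; rc=0
    check_sbin_modes "$dir" || rc=1
    check_ownership "$dir" "$user" || rc=1
    for b in nessusd nessus-service; do
        check_caps "$dir/sbin/$b" "$SCANNER_CAPS" || rc=1
    done
    [ "$rc" -eq 0 ] && echo "OK: $dir is ready to run as $user"
    return "$rc"
}

if [ "${1:-}" = "audit" ]; then
    audit_install "$NESSUS_DIR" "$NESSUS_USER"
elif [ "${1:-}" = "override" ]; then
    # Write to /etc/systemd/system/nessusd.service.d/override.conf, then
    # run 'systemctl daemon-reload' as in step 7.
    unit_override "$NESSUS_DIR" "$NESSUS_USER"
fi
```

The ownership and mode checks are the ones worth re-running routinely: a single root-owned file left behind by nessuscli is enough to make the non-privileged service fail in ways that are not obvious from the systemd status output.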

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.