Run Nessus on Linux with Systemd as a Non-Privileged User

Limitations

• When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.
• nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which can prohibit Nessus from accessing them successfully. Use care when running nessuscli, and potentially fix permissions with chown after using it.

Steps

1. Do one of the following:
   • If you have not already, install Nessus.
   • If you already installed Nessus and are running it, stop nessusd.

2. Create a non-root account to run the Nessus service.

   sudo useradd -r -m nonprivuser

3. Remove world permissions on Nessus binaries in the /sbin directory.

   sudo chmod 750 /opt/nessus/sbin/*

4. Change ownership of /opt/nessus to the non-root user.

   sudo chown nonprivuser:nonprivuser -R /opt/nessus

   Note: You need to complete steps 3 and 4 every time Tenable Nessus is updated.

5. Set capabilities on nessusd and nessus-service.

   Tip: Use cap_net_admin to put interface in promiscuous mode.
   Use cap_net_raw to create raw sockets for packet forgery.
   Use cap_sys_resource to set resource limits.
   

   If this is only a manager, and you do not want this instance of Nessus to perform scans, you need to provide it only with the capability to change its resource limits.

   sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessusd

   sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

   If you want this instance of Nessus to perform scans, you need to add more permissions to allow packet forgery and enabling promiscuous mode on the interface.

   sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessusd

   sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

6. Create an override configuration file by running the following two commands:

   mkdir -p /etc/systemd/system/nessusd.service.d/

   printf '[Service]\nExecStart=\nExecStart=/opt/nessus/sbin/nessus-service -q --no-root\nUser=nonprivuser\n' > /etc/systemd/system/nessusd.service.d/override.conf

   This file overrides the ExecStart and User options in the nessusd service unit file (/usr/lib/systemd/system/nessusd.service) with the non-privileged settings.

7. Reload the systemd manager configuration to include the override configuration file by running the following command:

   sudo systemctl daemon-reload

8. Start nessusd by running the following command:

   sudo service nessusd start

9. Verify Tenable Nessus is running as a non-privileged user by running the following command:

   service nessusd status

If Tenable Nessus is running as a non-privileged user, override.conf shows under /etc/systemd/system/nessusd.service.d and CGroup (Control Group) shows that you started both nessus-service and nessusd with the --no-root parameter.