-------------------------------------------------------------------------------
Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------
This script will now ask you the relevant information to create the SSL
certificate of Nessus. Note that this information will *NOT* be sent to
anybody (everything stays local), but anyone with the ability to connect to your
Nessus daemon will be able to retrieve this information.
CA certificate life time in days [1460]: [Enter]
Server certificate life time in days [365]: [Enter]
Your country (two letter code) [FR]: JP
Your state or province name [none]: [Enter]
Your location (e.g. town) [Paris]: Saitama
Your organization [Nessus Users United]: RougeNetwork
# exit
-------------------------------------------------------------------------------
Creation of the Nessus SSL Certificate
-------------------------------------------------------------------------------
Congratulations. Your server certificate was properly created.
/usr/local/etc/nessus/nessusd.conf updated
The following files were created :
. Certification authority :
Certificate = /usr/local/com/nessus/CA/cacert.pem
Private key = /usr/local/var/nessus/CA/cakey.pem
. Nessus Server :
Certificate = /usr/local/com/nessus/CA/servercert.pem
Private key = /usr/local/var/nessus/CA/serverkey.pem
Press [ENTER] to exit
[Enter]
# /usr/local/sbin/nessus-adduser      (to delete a user instead: nessus-rmuser who)
Using /var/tmp as a temporary file holder
Add a new nessusd user
----------------------
Login : who
Authentication (pass/cert) [pass] : [Enter]
Login password : password[Enter]
Login password (again) : password[Enter] (the same password again, for confirmation)
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that who has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser(8) man page for the rules syntax
Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)
default deny
accept 192.168.1.1/24
^D
Login : who
Password : ***********
DN :
Rules :
default deny
accept 192.168.1.1/24
Is that ok ? (y/n) [y] y
user added.
$ nessus -q localhost 1241 who password targets.txt results.txt
(targets.txt, one target per line:)
192.168.1.1
192.168.1.2
192.168.1.3
www.example.com
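The user rules entered above ("default deny" / "accept 192.168.1.1/24") decide which of the targets in targets.txt nessusd will actually scan for this user. The following script is an added illustration, not Nessus code: it reads rules in that syntax and reports the verdict for each target. It assumes (not verified against the nessusd source) that rules are matched top to bottom with the first matching accept/deny winning, that the "default" line applies when nothing matches, and that an empty rule set allows everything. The hostname lookup table is constructed so the script runs offline.

```python
"""Evaluate nessusd-style user rules against a target list.

Added example, not part of the original page or of Nessus.  Assumptions
(labelled, not confirmed against nessusd): first matching rule wins, the
`default` line applies when nothing matches, an empty rule set means accept.
"""
import ipaddress

# Constructed stand-in for DNS so the example runs offline (hypothetical data).
FAKE_DNS = {"www.example.com": "93.184.216.34"}

# The rules and targets exactly as typed in the transcript above.
RULES = "default deny\naccept 192.168.1.1/24\n"
TARGETS = ["192.168.1.1", "192.168.1.2", "192.168.1.3", "www.example.com"]


def parse_rules(text):
    """Return (default_verdict, [(verdict, network), ...])."""
    default = "accept"  # assumption: no rules means no restriction
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "default":
            if len(parts) != 2 or parts[1] not in ("accept", "deny"):
                raise ValueError(f"bad default rule: {raw!r}")
            default = parts[1]
            continue
        if len(parts) != 2 or parts[0] not in ("accept", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        # strict=False: "192.168.1.1/24" (host bits set, as typed above) is
        # read as the network 192.168.1.0/24 rather than rejected.
        net = ipaddress.ip_network(parts[1], strict=False)
        rules.append((parts[0], net))
    return default, rules


def resolve(target):
    """Literal address, or a lookup in the constructed table."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        if target not in FAKE_DNS:
            raise LookupError(f"cannot resolve {target}")
        return ipaddress.ip_address(FAKE_DNS[target])


def decide(target, default, rules):
    """First matching rule wins; otherwise the default verdict."""
    addr = resolve(target)
    for verdict, net in rules:
        if addr in net:
            return verdict
    return default


def filter_targets(rule_text, targets):
    """Map each target to 'accept' or 'deny' under the given rules."""
    default, rules = parse_rules(rule_text)
    return {t: decide(t, default, rules) for t in targets}


if __name__ == "__main__":
    for target, verdict in filter_targets(RULES, TARGETS).items():
        print(f"{target:20} {verdict}")
```

With the rules as typed, the three 192.168.1.x hosts are accepted and www.example.com is denied, so nessusd will refuse that last entry of targets.txt for user "who" even though it is listed. Two further points worth checking on a real setup: write the rule as 192.168.1.0/24 rather than 192.168.1.1/24 to avoid relying on how nessusd treats set host bits, and remember that the password given on the nessus -q command line is visible to every local user in the process list while the client runs.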
Every time it runs the following prompt appears; once you answer it, ~/.nessusrc is created and then nessus runs.
Please choose your level of SSL paranoia (Hint: if you want to manage many
servers from your client, choose 2. Otherwise, choose 1, or 3, if you are
paranoid.
2[Enter]
Choose how strict you want to be about SSL.
I don't see why SSL between the client and the server is needed in the first place, so I just pick something.
(If the point is to encrypt the channel, there are handier ways to do that.)
Then this shows up:
*** The plugins that have the ability to crash remote services or hosts
have been disabled. You should activate them if you want your security
audit to be complete
That is: the plugins that can crash things are disabled,
and you should enable them if you want a complete audit.
Apparently they become enabled when all three of the following hold:
1. in /usr/local/etc/nessus/nessusd.conf:
safe_checks = no
2. in ~/.nessusrc:
at least one option between begin(SCANNER_SET) and end(SCANNER_SET) set to yes
3. in ~/.nessusrc:
at least one option between begin(PLUGIN_SET) and end(PLUGIN_SET) set to yes
but the source is so messy that I can't be sure.
* Complaining about it and then not letting you enable it seems a bit off to me.