------------------------------------------------------------------------------- Creation of the Nessus SSL Certificate ------------------------------------------------------------------------------- This script will now ask you the relevant information to create the SSL certificate of Nessus. Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your Nessus daemon will be able to retrieve this information. CA certificate life time in days [1460]: [Enter] Server certificate life time in days [365]: [Enter] Your country (two letter code) [FR]: JP Your state or province name [none]: [Enter] Your location (e.g. town) [Paris]: Saitama Your organization [Nessus Users United]: RougeNetwork

------------------------------------------------------------------------------- Creation of the Nessus SSL Certificate ------------------------------------------------------------------------------- Congratulations. Your server certificate was properly created. /usr/local/etc/nessus/nessusd.conf updated The following files were created : . Certification authority : Certificate = /usr/local/com/nessus/CA/cacert.pem Private key = /usr/local/var/nessus/CA/cakey.pem . Nessus Server : Certificate = /usr/local/com/nessus/CA/servercert.pem Private key = /usr/local/var/nessus/CA/serverkey.pem Press [ENTER] to exit [Enter]

Using /var/tmp as a temporary file holder Add a new nessusd user ---------------------- Login : who Authentication (pass/cert) [pass] : [Enter] Login password : password[Enter] Login password (again) : password[Enter] (確認のため同じパスワード) User rules ---------- nessusd has a rules system which allows you to restrict the hosts that who has the right to test. For instance, you may want him to be able to scan his own host only. Please see the nessus-adduser(8) man page for the rules syntax Enter the rules for this user, and hit ctrl-D once you are done : (the user can have an empty rules set) default deny accept 192.168.1.1/24 ^D Login : who Password : *********** DN : Rules : default deny accept 192.168.1.1/24 Is that ok ? (y/n) [y] y user added.

192.168.1.1 192.168.1.2 192.168.1.3 www.example.com

Please choose your level of SSL paranoia (Hint: if you want to manage many servers from your client, choose 2. Otherwise, choose 1, or 3, if you are paranoid. 2[Enter] SSL への拘りを選択する。 そもそもクライアント／サーバ間の SSL の必要性が不明なので適当に選択します。 (通信路を暗号化する手段ならもっとお手軽なのがあるんだけどな)

これに答えると、~/.nessusrc が作成されたあとに nessus が実行される。

*** The plugins that have the ability to crash remote services or hosts have been disabled. You should activate them if you want your security audit to be complete クラッシュさせるためのプラグインは無効です。 完全な監査を望むならそれを有効にすべきです。

どうやら、
1. /usr/local/etc/nessus/nessusd.conf にて
   safe_checks = no
2. ~/.nessusrc にて
   begin(SCANNER_SET) 〜 end(SCANNER_SET) のオプションを 1 つ以上 yes
3. ~/.nessusrc にて
   begin(PLUGIN_SET) 〜 end(PLUGIN_SET) のオプションを 1 つ以上 yes
の 3 条件を満たすと有効になるっぽいけど、ソースがあまりにも汚いので不明。
※文句をつけておきながら、それを有効にさせないのはどうかと思うよ。