Fermilab Security Scanning using Nessus

Introduction

The “Nessus” project provides a free security scanner to the Internet community. This security scanner uses a client/server architecture. The Fermilab Computer Security Team has established two Nessus servers that can be used to scan hosts in the FNAL.GOV domain. Users who have registered hosts can use these servers to scan their registered hosts.

Fermilab Nessus Servers

Two Nessus servers are available for scanning IP addresses in the FNAL.GOV (131.225.0.0/16) and MINOS-SOUDAN.ORG domains. The host shamus.fnal.gov uses an IP address in the FNAL.GOV domain and the host outdoors.deemz.net uses an IP address that is outside the FNAL.GOV domain. Once a user has obtained a KCA certificate, they can connect to the web frontend provided on shamus and request scans of their registered systems from either server. Authentication to the Nessus web frontend is via an X.509 certificate that is issued by the Fermilab Kerberized Certificate Authority (KCA) when presented with a valid Kerberos credential.

Equipped with a KCA cert? If so...

Go to the web frontend

Otherwise, keep reading

Nessus Server Accounts

No special accounts are needed to schedule scans on the Nessus server. Provided you have a valid KCA certificate, your experience on the site will be tailored directly to you. Registered machines, clusters, vhosts, etc., will all pertain to your specific account.

X.509 Certificates

X.509 certificates are obtained by Nessus client users for authentication to the web frontend. Certificates are digital documents attesting to the binding of a public key to an individual or other entity. They allow verification of the claim that a given public key does in fact belong to a given individual. Certificates help prevent someone from using a phony key to impersonate someone else. A certificate issued by the Fermilab KCA verifies that the presenter has proven their identity by possessing a valid Kerberos credential.

In their simplest form, certificates contain a public key and a name. Certificates issued by the Fermilab KCA contain the user’s Kerberos principal name as part of the certificate’s distinguished name. These certificates also contain an expiration date, the name of the certifying authority that issued the certificate, and a serial number. Most importantly, the certificate contains the digital signature of the Fermilab KCA that issued (signed) the certificate. The most widely accepted format for certificates is defined by the ITU-T X.509 international standard.
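As an added illustration (not Fermilab's code and not part of the KCA or the Nessus frontend), the following Go program builds a miniature version of what the two paragraphs above describe: a self-signed CA standing in for the KCA, a short-lived client certificate whose subject CN carries a Kerberos principal, and the check a web frontend performs on a presented certificate before trusting it: signature chain back to the trusted issuer, validity period at the time of the request, and client-authentication usage. The CA name, the principal `someuser@FNAL.GOV`, the serial number and the lifetimes are constructed for the example; the real KCA's certificate profile is not on this page and is not reproduced here.

```go
package main

// Added example (not Fermilab's code): a KCA-style issuance and the verification
// a web frontend would perform on a presented client certificate. CA name,
// principal, serial and lifetimes below are constructed for illustration.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA creates a self-signed CA certificate (a stand-in for the KCA) and its key.
func makeCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name, Organization: []string{"Example Lab (constructed)"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueUserCert signs a short-lived client certificate whose subject CN carries the
// Kerberos principal, the way the text says KCA certificates embed it in the DN.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, principal string,
	serial int64, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: principal, Organization: []string{"Example Lab (constructed)"}},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyClientCert is the frontend-side check: the presented certificate must chain to
// the trusted CA, be within its validity period at time `at`, and permit client auth.
// On success it returns the principal taken from the subject CN.
func verifyClientCert(presented, trusted *x509.Certificate, at time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	kca, kcaKey, err := makeCA("Example KCA (constructed)", now)
	if err != nil {
		panic(err)
	}
	user, err := issueUserCert(kca, kcaKey, "someuser@FNAL.GOV", 4242, now, 8*time.Hour)
	if err != nil {
		panic(err)
	}
	// The fields the text lists: name (with principal), issuer, serial, expiration.
	fmt.Printf("subject=%q issuer=%q serial=%s expires=%s\n", user.Subject.CommonName,
		user.Issuer.CommonName, user.SerialNumber, user.NotAfter.UTC().Format(time.RFC3339))

	if p, err := verifyClientCert(user, kca, now.Add(time.Hour)); err == nil {
		fmt.Println("accepted, principal:", p)
	}
	if _, err := verifyClientCert(user, kca, now.Add(9*time.Hour)); err != nil {
		fmt.Println("rejected after expiry:", err)
	}
	// A certificate for the same principal from an issuer the frontend does not trust.
	rogue, rogueKey, _ := makeCA("Rogue CA (constructed)", now)
	fake, _ := issueUserCert(rogue, rogueKey, "someuser@FNAL.GOV", 4242, now, 8*time.Hour)
	if _, err := verifyClientCert(fake, kca, now.Add(time.Hour)); err != nil {
		fmt.Println("rejected, unknown issuer:", err)
	}
}
```

The three calls to verifyClientCert show the properties the text relies on: the frontend accepts only a certificate whose signature chains to the CA it trusts, rejects it once the expiration date has passed, and rejects a certificate carrying the same principal name but signed by a different key, which is the "phony key" case. Everything the frontend learns about the user (the principal) is read from the certificate only after that check succeeds.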

Instructions for Windows people using get-cert

  1. Install getcert
  2. Extract the contents of the zip file
  3. Open the directory that is created
  4. Make a decision

Instructions for Windows people using Network Identity Manager

By virtue of being in the domain with NIM installed, if you log in, you will be issued a KCA cert without any intervention.

Instructions for Linux people

  1. Install getcert or grab it with yum from the Scientific Linux repository (yum install krb5-workstation-fermi)
  2. Obtain an X.509 certificate from the KCA as described here

Instructions for Everyone

After you get a certificate:
  1. Open up a web browser and surf to this URL
  2. Start by selecting from one of the items at the top left of the page. Each will display different scan choices.
  3. Choose a set of plugins to use. The search box can be used to select specific plugins.
  4. Click the "Start Scan" button at the bottom of the page. Your scan results will be emailed to you.
     Scans are scheduled every 5 minutes.
     Depending on the current system load, your scan could take anywhere from 1 to 30 minutes to finish.

Last Modified: 05/02/2007