Fermilab
Security Scanning using Nessus
Introduction
Nessus is a security scanner created by the company Tenable. The Fermilab Computer Security Team has established two Nessus servers that can be used to scan hosts in the FNAL.GOV domain. Users who have registered hosts can use these servers to scan their registered hosts.
Fermilab Nessus Servers
Two Nessus servers are available for scanning IP addresses in the FNAL.GOV (131.225.0.0/16) and MINOS-SOUDAN.ORG domains. The host shamus.fnal.gov uses an IP address in the FNAL.GOV domain and the host outdoors.deemz.net uses an IP address that is outside the FNAL.GOV domain.
Once a user has obtained a KCA certificate, they can connect to the web frontend provided on shamus and request scans of their registered systems from either server.
Authentication to the Nessus web frontend is via an X.509 certificate that is issued by the Fermilab Kerberized Certificate Authority (KCA) when presented with a valid Kerberos credential.
Nessus Server Accounts
No special accounts are needed to schedule scans on the Nessus server. Provided you have a valid KCA certificate, your experience on the site will be tailored directly to you. Registered machines, clusters, vhosts, etc., will all pertain to your specific account.
X.509 Certificates
X.509 certificates are obtained by Nessus client users for authentication to the web frontend.
Certificates are digital documents attesting to the binding of a public key to an individual or other entity. They allow verification of the claim that a given public key does in fact belong to a given individual. Certificates help prevent someone from using a phony key to impersonate someone else. A certificate issued by the Fermilab KCA verifies that the presenter has proven their identity by possessing a valid Kerberos credential.
In their simplest form, certificates contain a public key and a name. Certificates issued by the Fermilab KCA contain the user’s Kerberos principal name as part of the certificate’s distinguished name. These certificates also contain an expiration date, the name of the certifying authority that issued the certificate, and a serial number. Most importantly, the certificate contains the digital signature of the Fermilab KCA that issued (signed) the certificate.
The most widely accepted format for certificates is defined by the ITU-T X.509 international standard.
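The paragraphs above describe what a KCA-issued certificate carries (public key, a distinguished name holding the Kerberos principal, an expiration date, the issuer name, a serial number and the issuer's signature) and what a relying party such as the Nessus web frontend has to check before trusting it. The following Go program is an added example written for this page; it is not Fermilab's or Tenable's code. It stands up a self-signed CA that plays the role of the KCA, issues a short-lived user certificate, and then performs the frontend-side check: signature chained to the trusted CA, validity period, and extraction of the principal. The CA name, the placement of the principal in the subject CN, and the principal jdoe@FNAL.GOV are all constructed assumptions; the page does not give the real KCA's DN layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer name for the stand-in CA. The real Fermilab KCA's distinguished
// name is not given on the page, so this value is constructed.
const caCommonName = "Example KCA (constructed)"

// makeCA creates a self-signed CA certificate that plays the role of the KCA.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caCommonName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueUserCert signs a short-lived certificate for a user. The Kerberos
// principal is placed in the subject CN; that layout is an assumption, the
// page only says the principal is part of the distinguished name.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, principal string, serial int64, lifetime time.Duration) (*x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: principal},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// Signed with the CA key: this signature is what the frontend later checks.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// principalFromCert is the check a web frontend would perform on a presented
// client certificate: the chain must end at the trusted CA (signature valid),
// the certificate must be inside its validity period at time now, and the
// principal is then read from the subject DN. Anything else is rejected.
func principalFromCert(cert *x509.Certificate, trusted *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("certificate carries no principal in its subject")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := makeCA()
	if err != nil {
		panic(err)
	}
	// "jdoe@FNAL.GOV" is a constructed principal, not a real account.
	user, err := issueUserCert(ca, caKey, "jdoe@FNAL.GOV", 42, time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer:", user.Issuer.CommonName, "serial:", user.SerialNumber,
		"expires:", user.NotAfter.UTC().Format(time.RFC3339))
	if p, err := principalFromCert(user, ca, time.Now()); err == nil {
		fmt.Println("accepted principal:", p)
	}
	// Two hours later the certificate is past its expiration date and is rejected.
	if _, err := principalFromCert(user, ca, time.Now().Add(2*time.Hour)); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The rejection paths matter as much as the acceptance path: a certificate signed by any key other than the trusted CA's fails chain verification even if its subject names the right principal, and a certificate past its expiration date is refused regardless of who signed it, which is exactly the property that makes a short-lived KCA certificate a stand-in for the Kerberos credential it was obtained with.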
Instructions for Windows people using Network Identity Manager
By virtue of being in the domain with NIM installed, if you log in, you will be issued a KCA cert without any intervention.
Instructions for Linux people
- Install getcert or grab it with yum from the Scientific Linux repository (yum install krb5-workstation-fermi)
- Obtain an X.509 certificate from the KCA as described here
Instructions for Everyone
After you get a certificate
- Open up a web browser and surf to this URL
- Start by selecting from one of the items at the top left of the page. Each will display different scan choices.
- Choose a set of plugins to use. The search box can be used to select specific plugins.
- Click the "Start Scan" button at the bottom of the page. Your scan results will be emailed to you.
Scans are scheduled every 5 minutes. Depending on the current system load, your scan could take anywhere from 1 to 30 minutes to finish.
Last Modified: 05/02/2007