Performing Nessus Credentialed Checks and automated compliance audits on VCSA’s underlying PhotonOS requires the creation of a privileged scanning account that defaults to the bash shell at logon.

Note: Privileged account usage should be heavily monitored for unauthorized activity.

PhotonOS

PhotonOS is an open-source, lightweight Linux distribution optimized for running VMware’s vCenter Server. Tenable has released over 1,800 Local Security Checks for PhotonOS.

vCenter Server Appliance (VCSA) Roles:

VMware has established the following VCSA Roles. The scanning account must be a Super Administrator for scans to succeed, as it needs access to run privileged commands from the Bash Shell.

Operator

Local users with the operator user role can read vCenter Server configuration.

Administrator

Local users with the administrator user role can configure vCenter Server.

Super Administrator

Local users with the super administrator user role can configure vCenter Server, manage the local accounts, and use the Bash shell.

Creating the Scanning Account

To create a privileged scanning account:

  1. Login to the vCenter Server Appliance (VCSA) using an account with Super Administrator privileges. The default user with Super Administrator privileges is root.
  2. Once authenticated, you will be brought to the Appliance Shell’s Command> prompt. Run the following command from the Appliance Shell to create the scanning account:
    #This command will create a new user named nessus-scan. If you do not want nessus-scan to be the name of the account, change it before executing the command.
    localaccounts.user.add --username nessus-scan --role superAdmin --password
  3. When prompted, enter and then reenter a secure password.
  4. If the account is created successfully, you will be brought back to the Appliance Shell’s Command> prompt.

Note: It is an insecure practice to use password-based authentication for highly privileged accounts. Please consider Public Key Authentication using SSH keys.

Change the Scanning Account’s Login Shell

The default login shell for new vCenter Server Appliance (VCSA) user accounts is the Appliance Shell (/bin/appliancesh). To perform Nessus Credentialed Checks on PhotonOS, the scanning account’s login shell must be changed from /bin/appliancesh to /bin/bash. To change the scanning account’s login shell:

  1. Issue the shell command from the Appliance Shell’s Command> prompt to change from the Appliance Shell to the Bash Shell.
  2. Set the scanning account’s login shell to /bin/bash by executing the following command:
    #This command will change the nessus-scan account's login shell to /bin/bash. Change the account name, if necessary.
    chsh nessus-scan --shell /bin/bash
  3. Confirm the change by viewing the scanning account’s login shell in /etc/passwd with the cat /etc/passwd command. The last field of the nessus-scan line should now read /bin/bash.
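Reading /etc/passwd by eye works for one account, but the same check is easy to script, and it is worth pairing it with an audit of which other accounts also have a bash login shell, since that is exactly what the change above grants. The following POSIX sh script is an added example written for this article, not code from the SecureStrux post or from VMware; it runs against a constructed passwd-format sample (the account names other than nessus-scan are made up) so that it works offline, and on a VCSA you would point it at the real /etc/passwd instead.

```sh
#!/bin/sh
# Added example (not from the article): audit login shells in a
# passwd-format file. The sample file below is constructed.

# Print the login shell (7th field) of USER from PASSWD_FILE.
# Prints nothing and returns 1 if the user is absent.
login_shell_of() {
    passwd_file=$1; user=$2
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd_file")
    [ -n "$shell" ] || return 1
    printf '%s\n' "$shell"
}

# Return 0 when USER's shell in PASSWD_FILE is exactly EXPECTED.
check_login_shell() {
    passwd_file=$1; user=$2; expected=$3
    actual=$(login_shell_of "$passwd_file" "$user") || return 1
    [ "$actual" = "$expected" ]
}

# Print every account whose shell is SHELL but which is not in the
# space-separated ALLOWED list: the accounts that have bash without
# being on your list of accounts expected to have it.
unexpected_shell_accounts() {
    passwd_file=$1; shell=$2; allowed=$3
    awk -F: -v s="$shell" -v allowed=" $allowed " \
        '$7 == s && index(allowed, " " $1 " ") == 0 { print $1 }' "$passwd_file"
}

# Constructed sample in /etc/passwd format (not captured from a real VCSA).
# nessus-scan has been switched to /bin/bash; a second local account,
# "ops-temp", has bash too and should be flagged by the audit.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin
vcsa-admin:x:1000:1000::/home/vcsa-admin:/bin/appliancesh
nessus-scan:x:1001:1001::/home/nessus-scan:/bin/bash
ops-temp:x:1002:1002::/home/ops-temp:/bin/bash
EOF
}

# Stand-alone usage against the constructed sample.
sample=$(mktemp)
write_sample_passwd "$sample"
check_login_shell "$sample" nessus-scan /bin/bash && echo "nessus-scan: login shell is /bin/bash"
echo "accounts with /bin/bash that are not on the allow list:"
unexpected_shell_accounts "$sample" /bin/bash "root nessus-scan"
rm -f "$sample"
```

On a real appliance, replace the sample file with /etc/passwd and put the accounts you deliberately gave bash (root plus the scanning account) in the allow list; anything the audit prints is an account with shell access you did not plan for.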

Public Key Authentication for Tenable Nessus Scanning Account

Nessus supports DSA and RSA SSH key formats, and Public Key Authentication is automatically enabled on vCenter Server Appliance’s (VCSA) PhotonOS. Use the following steps to create SSH keys for your Tenable Nessus scanning account. Complete the following steps while logged into the vCenter Server Appliance (VCSA) as the account you created earlier in this tutorial.

Note: The following example uses the account name nessus-scan. Please replace nessus-scan with your Tenable Nessus scanning account name.

Create the Directory Structure

By default, PhotonOS stores the public keys used to grant login access in the .ssh/authorized_keys file. To prepare for key creation, you first need to create the .ssh directory:

  1. Change your location to the scanning account user’s home directory:
    #This command will change the directory location to the nessus-scan account's home directory. Change the account name, if necessary.
    cd /home/nessus-scan/
  2. Create the new .ssh directory:
    #This command will create a new directory named .ssh.
    mkdir .ssh
  3. Confirm that the .ssh directory was created by changing your location to .ssh:
    #This command will change the directory location to .ssh.
    cd .ssh

Create the Key Pair

Create a new RSA key pair using ssh-keygen:

  1. Issue the following command to generate your RSA key pair:
    #This command will initiate RSA key pair creation.
    ssh-keygen -t rsa -m pem
  2. When prompted with Enter file in which to save the key, press Enter. This saves the public and private key pair to the default location.
  3. When prompted, enter and then re-enter a secure password/passphrase.
  4. If key creation is successful, you will see output similar to the following:
  5. Once the public and private key pair are created, append the new public key to the authorized_keys file:
    #This command will append the contents of id_rsa.pub to the authorized_keys file.
    cat id_rsa.pub >> authorized_keys
  6. Transfer the id_rsa private key file to a secure location and then delete the key files from their default location:
    #This command will delete the rsa key files.
    rm -rf id_rsa*

Note: The private key file must be protected from unauthorized access, as it serves as proof of identity for the privileged scanning account.

Conclusion

Your Tenable Nessus scanning account is now configured for public key authentication. You can upload your private key to Nessus and conduct an authenticated scan against your vCenter Server Appliance (VCSA).

SecureStrux

As a cybersecurity firm with deep roots in the Department of Defense (DoD) cybersecurity community, we provide specialized services in the areas of compliance, vulnerability management, cybersecurity strategies, and engineering solutions. Since 2013, we’ve partnered with hundreds of organizations within and outside the DoD to understand and proactively manage their risk. Our strength within the DoD has allowed us to easily translate best practices to our clients in other industries including Energy, Manufacturing, Architecture, Education, and Aerospace.