Note: Privileged account usage should be heavily monitored for unauthorized activity.
PhotonOS is an open-source, lightweight Linux distribution optimized for running VMware’s vCenter Server. Tenable has released over 1,800 Local Security Checks for PhotonOS.
vCenter Server Appliance (VCSA) Roles:
VMware has established the following VCSA Roles. The scanning account must be a Super Administrator for scans to succeed, as it needs access to run privileged commands from the Bash Shell.
- Local users with the operator user role can read vCenter Server configuration.
- Local users with the administrator user role can configure vCenter Server.
- Local users with the super administrator user role can configure vCenter Server, manage the local accounts, and use the Bash shell.
Creating the Scanning Account
To create a privileged scanning account:
- Login to the vCenter Server Appliance (VCSA) using an account with Super Administrator privileges. The default user with Super Administrator privileges is root.
- Once authenticated, you will be brought to the Appliance Shell’s Command> prompt. Run the following command from the Appliance Shell to create the scanning account:
# This command creates a new user named nessus-scan. If you do not want nessus-scan to be the name of the account, change it before executing the command.
localaccounts.user.add --username nessus-scan --role superAdmin --password
- When prompted, enter and then reenter a secure password.
- If the account is created successfully, you will be brought back to the Appliance Shell’s Command> prompt.
Note: It is an insecure practice to use password-based authentication for highly privileged accounts. Please consider Public Key Authentication using SSH keys.
Change the Scanning Account’s Login Shell
The default login shell for new vCenter Server Appliance (VCSA) user accounts is the Appliance Shell (/bin/appliancesh). To perform Nessus Credentialed Checks on PhotonOS, the scanning account’s login shell must be changed from /bin/appliancesh to /bin/bash. To change the scanning account’s login shell:
- Issue the shell command from the Appliance Shell’s Command> prompt to change from the Appliance Shell to the Bash Shell.
- Set the scanning account’s login shell to /bin/bash by executing the following command:
# This command changes the nessus-scan account’s login shell to /bin/bash. Change the name of the account, if necessary.
chsh nessus-scan --shell /bin/bash
- Confirm the change by viewing the scanning account’s login shell in /etc/passwd by issuing the
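The following is an added example, not part of the Tenable tutorial, showing one way to confirm the login shell change from the Bash Shell by reading the passwd database. The login_shell_of and has_bash_shell function names, the optional passwd-file argument and the sample passwd content are assumptions made for this illustration; on the appliance you would run the check against the real /etc/passwd.

```shell
# Added example (not from the original tutorial): confirm which login shell a
# local account has by reading a passwd-format file. Function names, the
# passwd-file argument and the sample content below are assumptions.

# Print the login shell recorded for a user. Returns non-zero if the user is absent.
# Usage: login_shell_of <user> [passwd-file]   (passwd-file defaults to /etc/passwd)
login_shell_of() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    # field 1 is the account name, field 7 the login shell
    awk -F: -v u="$user" '$1 == u { print $7; found = 1 } END { exit !found }' "$passwd_file"
}

# Return 0 only when the user's login shell is exactly /bin/bash.
# Usage: has_bash_shell <user> [passwd-file]
has_bash_shell() {
    shell=$(login_shell_of "$1" "${2:-/etc/passwd}") || return 1
    [ "$shell" = "/bin/bash" ]
}

# Constructed sample passwd content so the check can be exercised offline;
# nessus-scan is shown still on the Appliance Shell, i.e. before chsh was run.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nessus-scan:x:1001:100::/home/nessus-scan:/bin/appliancesh
EOF

if has_bash_shell nessus-scan "$SAMPLE_PASSWD"; then
    echo "nessus-scan can use the Bash Shell"
else
    echo "nessus-scan still uses $(login_shell_of nessus-scan "$SAMPLE_PASSWD"); credentialed checks will fail"
fi
```

Run the same functions without the second argument to check the live /etc/passwd; a scanning account that still reports /bin/appliancesh is the usual reason credentialed PhotonOS checks fail after the account was created.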
Public Key Authentication for Tenable Nessus Scanning Account
Nessus supports DSA and RSA SSH key formats, and Public Key Authentication is automatically enabled on vCenter Server Appliance’s (VCSA) PhotonOS. Use the following steps to create SSH keys for your Tenable Nessus scanning account. Complete the following steps while logged into the vCenter Server Appliance (VCSA) as the account you created earlier in this tutorial.
Note: The following example uses the account name nessus-scan. Please replace nessus-scan with your Tenable Nessus scanning account name.
Create the Directory Structure
By default, PhotonOS stores the public keys used to grant login access in the .ssh/authorized_keys file. To prepare for key creation, you first need to create the .ssh directory:
- Change your location to the scanning account user’s home directory:
# This command changes the directory location to the nessus-scan account’s home directory. Change the name of the account, if necessary.
- Create the new .ssh directory:
# This command creates a new directory named .ssh.
- Confirm that the .ssh directory was created by changing your location to .ssh:
# This command changes the directory location to .ssh.
Create the Key Pair
Create a new RSA key pair using ssh-keygen:
- Issue the following command to generate your RSA key pair:
# This command initiates RSA key pair creation.
ssh-keygen -t rsa -m pem
- When prompted with Enter file in which to save the key, press Enter. This saves the public and private key pair to the default location.
- When prompted, enter and then re-enter a secure password/passphrase.
- If key creation is successful you will be prompted with an output similar to the following:
- Once the public and private key pair are created, append the authorized_keys file with the new public key:
# This command appends the contents of id_rsa.pub to the authorized_keys file.
cat id_rsa.pub >> authorized_keys
- Transfer the id_rsa private key file to a secure location and then delete the key files from their default location:
# This command deletes the RSA key files.
rm -rf id_rsa*
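The following is an added example, not part of the Tenable tutorial, covering both the directory preparation above and the authorized_keys step: it creates the .ssh directory and authorized_keys file with the modes sshd requires, and appends a public key only after a basic format check and only if that key is not already listed. The prepare_ssh_dir, add_authorized_key and authorized_key_count function names, the home-directory argument, the scratch directory and the made-up public key line are assumptions made for this illustration; the key generation itself is the ssh-keygen step shown in the tutorial and is not repeated here.

```shell
# Added example (not from the original tutorial): prepare the scanning
# account's .ssh directory and add a public key to authorized_keys safely.
# Function names, the <home> argument and the demo values are assumptions.

# Create <home>/.ssh and <home>/.ssh/authorized_keys with restrictive modes.
# With StrictModes (sshd's default) keys in a directory or file that is
# writable by group/other are ignored, so 700/600 are required, not optional.
# Usage: prepare_ssh_dir <home>
prepare_ssh_dir() {
    home=$1
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Append one public-key line to authorized_keys, only if it looks like an
# OpenSSH public key (key type, then base64 blob) and is not already present.
# Returns 0 when added, 2 when already present, 1 when rejected.
# Usage: add_authorized_key <home> "<public key line>"
add_authorized_key() {
    home=$1
    key=$2
    keyfile="$home/.ssh/authorized_keys"
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*) ;;
        *) echo "rejected: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    # compare on key type + blob only; the trailing comment may legitimately differ
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$keyfile"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$keyfile"
}

# Number of key lines currently authorised for the account (useful for an
# inventory check: a privileged scanning account should carry exactly the keys you expect).
# Usage: authorized_key_count <home>
authorized_key_count() {
    grep -c '^[a-z0-9-]* ' "$1/.ssh/authorized_keys"
}

# Constructed demo: a scratch home directory and a made-up, non-functional
# RSA public key line standing in for the contents of id_rsa.pub.
DEMO_HOME=$(mktemp -d)
DEMO_PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYNOTREAL nessus-scan@vcsa"

prepare_ssh_dir "$DEMO_HOME"
add_authorized_key "$DEMO_HOME" "$DEMO_PUBKEY" && echo "key added"
add_authorized_key "$DEMO_HOME" "$DEMO_PUBKEY" || echo "second add skipped (status $?)"
echo "authorized keys for demo account: $(authorized_key_count "$DEMO_HOME")"
```

On the appliance, pass the scanning account's real home directory and the contents of id_rsa.pub; the duplicate check keeps repeated runs of the procedure from accumulating identical entries, and the count lets you verify after the fact that only the intended key grants access to the Super Administrator account.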
Note: The private key file must be protected from unauthorized access, as it serves as proof of identity for the privileged scanning account.
Your Tenable Nessus scanning account is now configured for public key authentication. You can upload your private key to Nessus and conduct an authenticated scan against your vCenter Server Appliance (VCSA).