Performing Nessus Credentialed Checks and automated compliance audits on VCSA’s underlying PhotonOS requires the creation of a privileged scanning account that defaults to the bash shell at logon.
Note: Privileged account usage should be heavily monitored for unauthorized activity.
PhotonOS
PhotonOS is VMware's open-source, lightweight Linux distribution and the operating system underneath the vCenter Server Appliance. Tenable has released over 1,800 Local Security Checks for PhotonOS.
vCenter Server Appliance (VCSA) Roles:
VMware defines the following VCSA roles. The scanning account must be a Super Administrator for scans to succeed: it is the only role permitted to use the Bash shell, and the credentialed checks need to run privileged commands from that shell.
Operator
Local users with the operator user role can read vCenter Server configuration.
Administrator
Local users with the administrator user role can configure vCenter Server.
Super Administrator
Local users with the super administrator user role can configure vCenter Server, manage the local accounts, and use the Bash shell.
Creating the Scanning Account
To create a privileged scanning account:
- Log in to the vCenter Server Appliance (VCSA) using an account with Super Administrator privileges. The default user with Super Administrator privileges is root.
- Once authenticated, you will be brought to the Appliance Shell's Command> prompt. Run the following command from the Appliance Shell to create the scanning account:
#This command will create a new user named nessus-scan. If you do not want nessus-scan to be the name of the account, change it before executing the command.
localaccounts.user.add --username nessus-scan --role superAdmin --password
- When prompted, enter and then re-enter a secure password.
- If the account is created successfully, you will be returned to the Appliance Shell's Command> prompt.
Note: It is an insecure practice to use password-based authentication for highly privileged accounts. Please consider Public Key Authentication using SSH keys.
Change the Scanning Account’s Login Shell
The default login shell for new vCenter Server Appliance (VCSA) user accounts is the Appliance Shell (/bin/appliancesh). To perform Nessus Credentialed Checks on PhotonOS, the scanning account's login shell must be changed from /bin/appliancesh to /bin/bash. To change the scanning account's login shell:
- Issue the shell command from the Appliance Shell's Command> prompt to change from the Appliance Shell to the Bash Shell.
- Set the scanning account's login shell to /bin/bash by executing the following command:
#This command will change the nessus-scan account's login shell to /bin/bash. Change the name of the account, if necessary.
chsh nessus-scan --shell /bin/bash
- Confirm the change by viewing the scanning account's entry in /etc/passwd; the last field of the line must read /bin/bash. Issue the following command:
#This command prints only the nessus-scan account's /etc/passwd entry. Change the name of the account, if necessary.
grep '^nessus-scan:' /etc/passwd
Public Key Authentication for Tenable Nessus Scanning Account
Nessus supports DSA and RSA SSH key formats (newer Nessus releases also accept ECDSA and Ed25519 keys), and Public Key Authentication is enabled by default on the vCenter Server Appliance's (VCSA) PhotonOS. Use RSA as shown below: OpenSSH 7.0 and later disables DSA (ssh-dss) keys by default, so a DSA key will be refused by the appliance's sshd. Use the following steps to create SSH keys for your Tenable Nessus scanning account. Complete the following steps while logged into the vCenter Server Appliance (VCSA) as the account you created earlier in this tutorial.
Note: The following example uses the account name nessus-scan. Please replace nessus-scan with your Tenable Nessus scanning account name.
Create the Directory Structure
By default, PhotonOS (like any OpenSSH host) stores the public keys permitted to log in as a user in that user's .ssh/authorized_keys file. To prepare for key creation, you first need to create the .ssh directory:
- Change your location to the scanning account user's home directory:
#This command will change the directory location to the nessus-scan account's home directory. Change the name of the account, if necessary.
cd /home/nessus-scan/
- Create the new .ssh directory:
#This command will create a new directory named .ssh.
mkdir .ssh
- Confirm that the .ssh directory was created by changing your location to .ssh:
#This command will change the directory location to .ssh.
cd .ssh
Note: sshd's default StrictModes setting refuses public key authentication when the home directory, .ssh, or authorized_keys is writable by anyone other than the owner. Keep .ssh at mode 0700 and authorized_keys at mode 0600, and make sure both are owned by the scanning account (they will be if you run these steps as that account, as instructed above).
Create the Key Pair
Create a new RSA key pair using ssh-keygen:
- Issue the following command to generate your RSA key pair:
#This command will initiate RSA key pair creation. -m pem writes the private key in PEM format rather than OpenSSH's newer native key format.
ssh-keygen -t rsa -m pem
- When prompted with Enter file in which to save the key, press enter. This will save the public and private key pair to the default location (id_rsa and id_rsa.pub in the current .ssh directory).
- When prompted, enter and then re-enter a secure passphrase. Nessus will ask for this passphrase when you upload the private key, so record it together with the key.
- If key creation is successful, ssh-keygen prints the new key's fingerprint and randomart image.
- Once the public and private key pair are created, append the new public key to the authorized_keys file:
#This command will append the authorized_keys file with the contents of id_rsa.pub.
cat id_rsa.pub >> authorized_keys
- Transfer the id_rsa private key file to a secure location (the Nessus scanner's credential store) and then delete the key files from their default location:
#This command will delete the rsa key files.
rm -rf id_rsa*
Note: The private key file must be protected from unauthorized access, as it serves as proof of identity for the privileged scanning account. Store it only in the Nessus credential store and remove every copy from the appliance, as the rm command above does. If you would rather the private key never exist on the scanned system, generate the key pair on the Nessus host instead and copy only id_rsa.pub into the appliance's authorized_keys file; the rest of the procedure is unchanged.
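The login-shell verification step and the .ssh/authorized_keys setup above both come down to checks that are easy to get subtly wrong: a shell field that still reads /bin/appliancesh, a .ssh directory or authorized_keys file that sshd's StrictModes rejects, or a key appended twice. The following POSIX shell script is an added example, not part of the Tenable tutorial or of VCSA: it implements both checks as functions and runs offline against a temporary directory and a constructed /etc/passwd excerpt. The account names, the placeholder key text and the paths are assumptions; on a real appliance you would point the functions at /etc/passwd and /home/nessus-scan.

```shell
#!/bin/sh
# Added example (not from the Tenable page or VMware): the verification and
# setup steps of the tutorial as reusable functions.
#   login_shell_of        - the shell field for an account in an /etc/passwd-style file
#   check_bash_shell      - true when that shell is /bin/bash
#   install_authorized_key - create ~/.ssh (0700) and add a public key to
#                            authorized_keys (0600) exactly once
#   check_ssh_perms       - true when the modes are what sshd's StrictModes accepts
# Everything below runs against constructed data in a temporary directory.

# Print the login shell of USER as recorded in PASSWD_FILE; exit 1 if absent.
login_shell_of() {
    user=$1
    passwd_file=$2
    awk -F: -v u="$user" '$1 == u { print $7; found = 1 } END { exit !found }' "$passwd_file"
}

# Return 0 when USER's login shell in PASSWD_FILE is /bin/bash.
check_bash_shell() {
    [ "$(login_shell_of "$1" "$2")" = "/bin/bash" ]
}

# Create HOME_DIR/.ssh and add PUBKEY to authorized_keys with the permissions
# sshd requires. Idempotent: a key that is already present is not appended again.
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    if ! grep -qxF -- "$pubkey" "$auth_keys"; then
        printf '%s\n' "$pubkey" >> "$auth_keys"
    fi
}

# Return 0 when HOME_DIR/.ssh is mode 0700 and authorized_keys is mode 0600.
check_ssh_perms() {
    ssh_dir="$1/.ssh"
    [ -n "$(find "$ssh_dir" -maxdepth 0 -perm 700)" ] &&
    [ -n "$(find "$ssh_dir/authorized_keys" -maxdepth 0 -perm 600)" ]
}

# Number of times PUBKEY appears as a whole line in HOME_DIR/.ssh/authorized_keys.
count_key() {
    grep -cxF -- "$2" "$1/.ssh/authorized_keys"
}

# Stand-alone demonstration on constructed input (not real VCSA data).
demo() {
    tmp=$(mktemp -d)
    # Constructed /etc/passwd excerpt: one account still on the appliance
    # shell, one already switched to bash.
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
scan-old:x:1001:100::/home/scan-old:/bin/appliancesh
nessus-scan:x:1002:100::/home/nessus-scan:/bin/bash
EOF
    # Constructed placeholder; a real key is the content of id_rsa.pub.
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-example-key nessus-scan@vcsa'

    check_bash_shell nessus-scan "$tmp/passwd" && echo "nessus-scan: login shell is /bin/bash"
    check_bash_shell scan-old "$tmp/passwd" || echo "scan-old: still $(login_shell_of scan-old "$tmp/passwd")"

    install_authorized_key "$tmp/home" "$key"
    install_authorized_key "$tmp/home" "$key"   # second run must not duplicate the key
    check_ssh_perms "$tmp/home" && echo "permissions: ok"
    echo "key present $(count_key "$tmp/home" "$key") time(s)"
    rm -rf "$tmp"
}

demo
```

The functions deliberately take the passwd file and home directory as parameters so the same script can be run in a lab against constructed data and on the appliance against the real files; StrictModes is checked by mode only, so ownership (the other thing sshd verifies) still has to be correct, which it is when the steps are run as the scanning account.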
Conclusion
Your Tenable Nessus scanning account is now configured for public key authentication. Upload the private key, together with its passphrase and the scanning account's username, to Nessus as an SSH credential and conduct an authenticated scan against your vCenter Server Appliance (VCSA). Before the first scan, confirm from the Nessus host that an SSH login with the key as the scanning account lands in a bash prompt rather than the Appliance Shell's Command> prompt.