Description
This user should only be used for this purpose. The user will need to be created, have SSH keys created, and logins restricted to only those coming from the Nessus scanning host.
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Dwisehaupt | T243110 OKR 2019-2020 Q3: Increase visibility and awareness of Fundraising system health and wellness
Resolved | | Dwisehaupt | T246839 Run authenticated scans of hosts checking against a known standard / benchmark
Resolved | | Dwisehaupt | T246840 Create and configure nessus_check user for running authenticated scans
Event Timeline
Finally got this tested and successfully ran a credentialed check on frpm1001.
This wasn't noted anywhere in the documentation, but I found a link stating that the keys need to be in PEM format for the Nessus service to be able to load them. To do that, you can use: `ssh-keygen -t rsa -b 4096 -m PEM -f keyfile -C user@host`
In order to add the SSH keypair, you have to upload the private key through the web interface. This means if you generate it on the net monitoring host, you must transfer it to your local host for the upload. Not ideal, but I haven't found a way around that yet. You can always use `shred -u keyfile` afterwards to remove the file from your local host.
Up next is to broaden the distribution of the pubkey and look at what scans will be of use.
Also needed were iptables adjustments to allow SSH from the net monitoring host. These will need to be done across all the builds we wish to run the checks on.
User added to all hosts and iptables updates done and put in place.
[frack::puppet] 547759c7 Exempt nessus_check user from login notifications
[frack::puppet] d6185f79 Add nessus_check user to all builds
[frack::puppet::private] 2e0c1e0 Allow bismuth the ssh to all roles for credentialed scans
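The task description asks for a dedicated scan user whose logins are restricted to the Nessus host, and the comments add the PEM-key requirement and the firewall change. The script below is an added example (not the frack puppet code referenced above) showing how those pieces fit together on one host; the scanner address, key paths and sample key material are constructed placeholders.

```shell
#!/bin/sh
# Added example: provision a key-only scan account restricted to the scanner host.
# Assumptions: Debian-style useradd/passwd/install, iptables; values are placeholders.

SCAN_USER="nessus_check"

# Nessus only loads PEM-format private keys; the newer OpenSSH native format
# ("-----BEGIN OPENSSH PRIVATE KEY-----") is rejected. Returns 0 for a PEM header.
key_is_pem() {
    head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# Generate the keypair in PEM format, as noted in the timeline (-m PEM).
# $1 = output path, $2 = key comment
generate_scan_key() {
    ssh-keygen -t rsa -b 4096 -m PEM -f "$1" -C "$2"
}

# Build an authorized_keys line that only works from the scanner's address and
# drops forwarding features a credentialed scan never needs.
# $1 = scanner address or CIDR pattern, $2 = public key line ("ssh-rsa AAAA... comment")
restricted_authorized_key() {
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Create the locked-down account, install the restricted key and open the
# firewall for the scanner only. Needs root; not exercised by the test.
# $1 = scanner address, $2 = path to the public key file
provision_scan_user() {
    home="/home/$SCAN_USER"
    useradd --system --create-home --shell /bin/bash "$SCAN_USER"
    passwd -l "$SCAN_USER"                      # no password login, key only
    install -d -m 700 -o "$SCAN_USER" -g "$SCAN_USER" "$home/.ssh"
    restricted_authorized_key "$1" "$(cat "$2")" > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    chown "$SCAN_USER:$SCAN_USER" "$home/.ssh/authorized_keys"
    # Firewall counterpart of the key restriction: SSH from the scanner host only.
    iptables -I INPUT -p tcp --dport 22 -s "$1" -j ACCEPT
}
```

Because the `from=` option is enforced by sshd when the key is presented, a copy of the private key that leaks off the scanner host is still unusable from anywhere else, which is why it belongs alongside the iptables rule rather than instead of it.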