
Installing and Configuring Nessus (O'ReillyNet)

Here's an O'ReillyNet how-to on installing and configuring Nessus, an open source network vulnerability scanner. "Why Nessus? You just can't beat free. There are commercial vulnerability scanners available and they may be useful in their own right, but consider that Nessus is comparable to some commercial scanners that can cost hundreds of thousands of dollars. In addition, Nessus is open source, and its source is published under the GPL."

Installing and Configuring Nessus (O'ReillyNet)

Posted Apr 23, 2004 21:02 UTC (Fri) by Ross (subscriber, #4065)

I find it annoying that a supposed security tool has such an insecure
install method. It absolutely insists that you compile and install it as
root or give it your root password so that it can do it itself. They even
provide a shell script on a website so that you can completely automate the
install.

It should act like any other program and not check for what user you run
as during the install. Compiling doesn't need root. Copying the files
may not need root. It should just try and report failure if the
permissions don't allow it.

And no install script should ever read your root password in. Not only
are install scripts untrusted (they are trojaned more often than anything
else) but shell scripts aren't designed to handle data securely. Variables
are inherited in child processes and there's no guarantee that the memory
is wiped when it is through with the variable.

Sorry to rant but this has bothered me for many years.
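The inheritance problem described in the comment above, shown as a constructed demonstration that is not part of the thread or of Nessus (the password value and the ROOTPW variable name are made up): an exported variable reaches every exec'd child, an unexported one still reaches every subshell, and the only clean option is for the script never to hold the password at all.

```shell
#!/bin/sh
# Constructed demonstration (not code from the LWN thread or from Nessus):
# why an install script that reads the root password into a shell
# variable cannot keep it private. The password value is a made-up stand-in.

PW='hunter2-constructed'

# Case 1: the script exports the variable (typical when a helper such as
# "make install" is expected to use it). Every process it exec's gets a
# copy in its environment, where it stays visible to the process owner
# (ps, /proc/<pid>/environ) for the child's whole lifetime.
leak_via_export() {
    unset ROOTPW                 # start from a clean, non-exported state
    ROOTPW="$PW"; export ROOTPW
    sh -c 'printf %s "${ROOTPW:-<not inherited>}"'
}

# Case 2: not exported. An exec'd child does not see it in its environment...
leak_without_export() {
    unset ROOTPW
    ROOTPW="$PW"
    sh -c 'printf %s "${ROOTPW:-<not inherited>}"'
}

# ...but any subshell ( ... ), $( ... ) or pipeline stage is a forked copy
# of the script and still has the value, so "not exported" is not "contained".
leak_via_subshell() {
    unset ROOTPW
    ROOTPW="$PW"
    ( printf %s "${ROOTPW:-<not inherited>}" )
}

# Mitigation: the script never reads the password at all. su/sudo prompt on
# the terminal themselves, so no shell variable, environment block or child
# process ever holds the secret. Illustrative only, not run here:
#   make                      # as the unprivileged build user
#   su -c 'make install'      # or: sudo make install

printf 'exported   -> child sees:    %s\n' "$(leak_via_export)"
printf 'unexported -> child sees:    %s\n' "$(leak_without_export)"
printf 'unexported -> subshell sees: %s\n' "$(leak_via_subshell)"
```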

Installing and Configuring Nessus (O'ReillyNet)

Posted Apr 23, 2004 23:50 UTC (Fri) by dvrabel (subscriber, #9500)

It's worse. It may create a SUID root shell that's world readable/executable.

Installing and Configuring Nessus (O'ReillyNet)

Posted Apr 24, 2004 2:25 UTC (Sat) by dlang (✭ supporter ✭, #313)

scanning tools frequently need functions that are only available to root (the ability to send non-standard packets over the network for example)

I haven't looked nessus over to see if it REALLY needs to run as root, but I would not be at all surprised if it does.

David Lang

Installing and Configuring Nessus (O'ReillyNet)

Posted Apr 24, 2004 2:28 UTC (Sat) by sholden (guest, #7881)

That's to run, installing is a different matter.

Installing and Configuring Nessus (O'ReillyNet)

Posted Apr 24, 2004 4:26 UTC (Sat) by Ross (subscriber, #4065)

Sure, I know the server has to run as root because it needs to create raw
packets and bind to low port numbers. But I can grant it those rights
without giving it everything else. And I can run it in a chroot() jail.
But that's mostly unrelated to what I said above where I'm complaining
about the install process. Those techniques are not so simple in that
case. For example it's hard to put an entire build environment in a
subtree.

Installing and Configuring Nessus (O'ReillyNet)

Posted Apr 26, 2004 8:43 UTC (Mon) by beejaybee (guest, #1581)

Well I compile as an unprivileged user, then su to run "make install".

BTW Nessus uses nmap to do port scanning, nmap needs root privileges to do anything "interesting". I don't think this is at all unreasonable.

Installing and Configuring Nessus (O'ReillyNet)

Posted Apr 26, 2004 8:57 UTC (Mon) by Ross (subscriber, #4065)

Again, I wasn't talking about running the software. As stated above I
understand that raw packets and low port numbers are needed for the server
side of Nessus. I was talking about the install process.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds