Performing Nessus Credentialed Checks and automated compliance audits on VCSA’s underlying PhotonOS requires the creation of a privileged scanning account that defaults to the bash shell at logon.
Note: Privileged account usage should be heavily monitored for unauthorized activity.
PhotonOS is an open-source, lightweight Linux distribution optimized for running VMware’s vCenter Server. Tenable has released over 1,800 Local Security Checks for PhotonOS.
VMware has established the following VCSA Roles. The scanning account must be a Super Administrator for scans to succeed, as it needs access to run privileged commands from the Bash Shell.
Local users with the operator user role can read vCenter Server configuration.
Local users with the administrator user role can configure vCenter Server.
Local users with the super administrator user role can configure vCenter Server, manage the local accounts, and use the Bash shell.
To create a privileged scanning account:
#This command will create a new user named nessus-scan. If you do
not want nessus-scan to be the name of the account, change it before
executing the command.
localaccounts.user.add --username nessus-scan --role superAdmin --password
Enter a password for the account when prompted at the Command> prompt.
Note: It is an insecure practice to use password-based authentication for highly privileged accounts. Please consider Public Key Authentication using SSH keys.
The default login shell for new vCenter Server Appliance (VCSA) user accounts is the Appliance Shell (/bin/appliancesh). To perform Nessus Credentialed Checks on PhotonOS, the scanning account’s login shell must be changed from /bin/appliancesh to /bin/bash. To change the scanning account’s login shell:
Enter the shell command at the Appliance Shell’s Command> prompt to change from the Appliance Shell to the Bash Shell.
Change the scanning account’s login shell to /bin/bash by executing the following command:
#This command will change the nessus-scan account's login shell to /bin/bash. Change the name of the account, if necessary.
chsh nessus-scan --shell /bin/bash
Verify the change in /etc/passwd by issuing the cat /etc/passwd command.
Nessus supports DSA and RSA SSH key formats, and Public Key Authentication is automatically enabled on vCenter Server Appliance’s (VCSA) PhotonOS. Use the following steps to create SSH keys for your Tenable Nessus scanning account. Complete the following steps while logged into the vCenter Server Appliance (VCSA) as the account you created earlier in this tutorial.
Note: The following example uses the account name nessus-scan. Please replace nessus-scan with your Tenable Nessus scanning account name.
By default, PhotonOS stores the public keys used to grant login access in the .ssh/authorized_keys file. To prepare for key creation, you first need to create the .ssh directory:
#This command will change the directory location to the
nessus-scan account's home directory. Change the name of the account, if
necessary.
cd /home/nessus-scan
Create the .ssh directory:
#This command will create a new directory named .ssh.
mkdir .ssh
Verify that the .ssh directory was created by changing your location to .ssh:
#This command will change the directory location to .ssh.
cd .ssh
Create a new RSA key pair using ssh-keygen. When prompted for the file in which to save the key, press Enter; this saves the public and private key pair to the default location.
Append the authorized_keys file with the new public key:
#This command will append the authorized_keys file with the contents of id_rsa.pub.
cat id_rsa.pub >> authorized_keys
Copy the id_rsa private key file to a secure location and then delete the key files from their default location:
#This command will delete the rsa key files.
rm -rf id_rsa*
Note: The private key file must be protected from unauthorized access, as it serves as proof of identity for the privileged scanning account.
Your Tenable Nessus scanning account is now configured for public key authentication. You can upload your private key to Nessus and conduct an authenticated scan against your vCenter Server Appliance (VCSA).
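As an added post-setup check (not part of the original tutorial, and not Tenable's or VMware's own tooling), the following POSIX shell script verifies the end state described above: the account's login shell in /etc/passwd is /bin/bash, .ssh/authorized_keys exists and is non-empty, neither .ssh nor authorized_keys is group- or world-writable (sshd refuses such files when StrictModes is on), and no id_rsa/id_dsa private key was left on the appliance. The account name, passwd file and home directory are parameters so the checks can also run against copied files; the script assumes a GNU userland (awk, find -maxdepth) such as PhotonOS, and the fixture it builds when run without arguments is constructed sample data.

```shell
#!/bin/sh
# Added post-setup check for the scanning account created in this tutorial; not Tenable's or
# VMware's own tooling. Assumes a GNU userland (awk, find -maxdepth) such as PhotonOS.

# login_shell ACCOUNT PASSWD_FILE: print the login shell recorded for ACCOUNT (empty if absent).
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# writable_by_others PATH: true if PATH is group- or world-writable (sshd StrictModes rejects it).
writable_by_others() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# check_scan_account ACCOUNT PASSWD_FILE HOME_DIR: return 0 when the account matches the
# tutorial's end state; otherwise print one FAIL line per problem and return 1.
check_scan_account() {
    acct=$1 passwd=$2 home=$3 rc=0
    shell=$(login_shell "$acct" "$passwd")
    if [ -z "$shell" ]; then echo "FAIL: $acct not found in $passwd"; return 1; fi
    [ "$shell" = /bin/bash ] || { echo "FAIL: login shell is $shell, expected /bin/bash"; rc=1; }
    if [ ! -d "$home/.ssh" ]; then echo "FAIL: $home/.ssh does not exist"; return 1; fi
    [ -s "$home/.ssh/authorized_keys" ] || { echo "FAIL: authorized_keys missing or empty"; rc=1; }
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] && writable_by_others "$p" && { echo "FAIL: $p is group/world-writable"; rc=1; }
    done
    # The tutorial moves the private key off the appliance and deletes it (rm -rf id_rsa*).
    for k in "$home/.ssh/id_rsa" "$home/.ssh/id_dsa"; do
        [ -e "$k" ] && { echo "FAIL: private key $k still present on the appliance"; rc=1; }
    done
    return $rc
}

# make_fixture DIR SHELL: build a constructed passwd file and home directory under DIR (test data).
make_fixture() {
    printf 'root:x:0:0:root:/root:/bin/bash\nnessus-scan:x:1001:100::/home/nessus-scan:%s\n' "$2" > "$1/passwd"
    mkdir -p "$1/home/.ssh" && chmod 700 "$1/home/.ssh"
    echo 'ssh-rsa AAAAB3NzaC1yc2E-constructed-sample-key nessus-scan@vcsa' > "$1/home/.ssh/authorized_keys"
    chmod 600 "$1/home/.ssh/authorized_keys"
}

# Usage on the appliance: sh check-scan-account.sh nessus-scan   (no argument: run on the fixture)
if [ -n "${1:-}" ]; then
    check_scan_account "$1" /etc/passwd "/home/$1"
else
    d=$(mktemp -d) && make_fixture "$d" /bin/appliancesh
    check_scan_account nessus-scan "$d/passwd" "$d/home" || echo "(expected: fixture still has the default shell)"
    rm -rf "$d"
fi
```

Run it as root (or as the scanning account itself) so that /etc/passwd and the account's .ssh directory are readable.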