Mailing List Archive

Help with local security checks
Hi. I'm attempting to compile up nessus devel with the local security
checks, but it is not showing up in the nessus gui according to the
documentation. I am also in a bake off with another scanning tool which
supposedly does this.

Attached is the information I think would be useful. I am compiling on
Fedora Core 2:

[root@localhost root]# nessusd -d
This is Nessus 2.1.1 for Linux 2.6.5-1.358
compiled with gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)
Current setup :
nasl : 2.1.1
libnessus : 2.1.1
SSL support : enabled
SSL is used for client / server communication
Running as euid : 0

[root@localhost root]# rpm -qa | grep openssl
openssl-devel-0.9.7a-35
openssl-0.9.7a-35

[root@localhost root]# nessusd -D
/usr/local/lib/nessus/plugins/snmpwalk_portscan.nasl: bad signature.
Will not execute this script
/usr/local/lib/nessus/plugins/snmpwalk_portscan.nasl could not be loaded
/usr/local/lib/nessus/plugins/nikto.nasl: bad signature. Will not
execute this script
/usr/local/lib/nessus/plugins/nikto.nasl could not be loaded
/usr/local/lib/nessus/plugins/ssh_settings.nasl: bad signature. Will not
execute this script
/usr/local/lib/nessus/plugins/ssh_settings.nasl could not be loaded
/usr/local/lib/nessus/plugins/ssh_get_info.nasl: bad signature. Will not
execute this script
/usr/local/lib/nessus/plugins/ssh_get_info.nasl could not be loaded

Any ideas?
Thanks,
B.
Re: Help with local security checks
On Fri, Aug 20, 2004 at 08:07:33AM -0400, Info.Sec wrote:

> Hi. I'm attempting to compile up nessus devel with the local security
> checks,
...
> [root@localhost root]# nessusd -D
> /usr/local/lib/nessus/plugins/snmpwalk_portscan.nasl: bad signature.
> Will not execute this script
> /usr/local/lib/nessus/plugins/snmpwalk_portscan.nasl could not be loaded
> /usr/local/lib/nessus/plugins/nikto.nasl: bad signature. Will not
> execute this script
> /usr/local/lib/nessus/plugins/nikto.nasl could not be loaded
> /usr/local/lib/nessus/plugins/ssh_settings.nasl: bad signature. Will not
> execute this script
> /usr/local/lib/nessus/plugins/ssh_settings.nasl could not be loaded
> /usr/local/lib/nessus/plugins/ssh_get_info.nasl: bad signature. Will not
> execute this script
> /usr/local/lib/nessus/plugins/ssh_get_info.nasl could not be loaded

These warnings indicate the trusted scripts are not signed properly. From
what I understand, Renaud is on vacation and he's the only one with access
to the private key used for this.

By default, the nasl interpreter won't load trusted scripts that aren't
signed properly since they give one the ability to run arbitrary
commands on the targets themselves. If you can't wait until they're
signed properly (I have no idea when that will be) and are confident in
the security of your nessusd server, you can set
"nasl_no_signature_check = yes" in your nessusd.conf and restart the
server to tell the interpreter not to check the signature of trusted
scripts.

Aside: the presence of this configurable variable kind of defeats the
idea of trusted scripts, doesn't it? That is, if one has the ability to
modify scripts he almost certainly also has the ability to modify
nessusd.conf and restart the daemon.

George
--
theall@tifaware.com
Re: Help with local security checks
On Fri, Aug 20, 2004 at 10:51:55AM -0400, George Theall wrote:
> These warnings indicate the trusted scripts are not signed properly. From
> what I understand, Renaud is on vacation and he's the only one with access
> to the private key used for this.

Yes. Trusted scripts is a new thing and we need to get our act together
for such cases - I fixed the issue in CVS now, but this may happen again
while we're in the 2.1.x phase.

[...]
> Aside: the presence of this configurable variable kind of defeats the
> idea of trusted scripts, doesn't it?

No. The idea of the trusted scripts is to make sure that the scripts you
obtain (as a user) are the ones we wrote (as the authors). Nothing else.


-- Renaud
Re: Help with local security checks
On Fri, Aug 20, 2004 at 08:04:20PM +0200, Renaud Deraison wrote:

> No. The idea of the trusted scripts is to make sure that the scripts you
> obtain (as a user) are the ones we wrote (as the authors). Nothing else.

If that's the case, wouldn't it have been simpler to just sign the
plugin distribution file? And why is the new nasl function pread() only
available to trusted scripts?

George
--
theall@tifaware.com
Re: Help with local security checks
Thanks.

nasl_no_signature_check=yes makes the gui work perfectly!
Re: Help with local security checks
On Fri, Aug 20, 2004 at 02:31:08PM -0400, George Theall wrote:
> On Fri, Aug 20, 2004 at 08:04:20PM +0200, Renaud Deraison wrote:
>
> > No. The idea of the trusted scripts is to make sure that the scripts you
> > obtain (as a user) are the ones we wrote (as the authors). Nothing else.
>
> If that's the case, wouldn't it have been simpler to just sign the
> plugin distribution file?

There are other ways to obtain new scripts (i.e., fetch them using CVS)
and we may move away from a gigantic tar archive in later releases in
favor of something else. By signing the scripts themselves, we pave the
way for more flexibility in the future.

> And why is the new nasl function pread() only
> available to trusted scripts?

Because you don't want an untrusted script to execute arbitrary commands
on your local system.


-- Renaud
Re: Help with local security checks
On Sat, Aug 21, 2004 at 11:21:28AM +0200, Renaud Deraison wrote:

> Because you don't want an untrusted script to execute arbitrary commands
> on your local system.

True, but how can I ensure that if nasl_no_signature_check can be
enabled in the config? Further, this seems to go beyond the purpose of
simply ensuring the authenticity of the scripts.

George
--
theall@tifaware.com
Re: Help with local security checks
On Sat, Aug 21, 2004 at 06:59:32AM -0400, George Theall wrote:
> On Sat, Aug 21, 2004 at 11:21:28AM +0200, Renaud Deraison wrote:
>
> > Because you don't want an untrusted script to execute arbitrary commands
> > on your local system.
>
> True, but how can I ensure that if nasl_no_signature_check can be
> enabled in the config? Further, this seems to go beyond the purpose of
> simply ensuring the authenticity of the scripts.

Because if you can change the configuration file, then you are root. If
you are root, you can already execute commands with super-user
privileges. There's nothing Nessus can do to lower the damages you can
do.

Now, if you choose to set nasl_no_signature_check to yes in the config
file, then you're aiming a gun at your foot. For most users, this option
must remain untouched. For people who want to write their own plugins,
then it can be enabled.


-- Renaud
Re: Help with local security checks
On Sun, Aug 22, 2004 at 02:17:35PM +0200, Renaud Deraison wrote:

> Because if you can change the configuration file, then you are root. If
> you are root, you can already execute commands with super-user
> privileges.

Not everyone managing a Nessus server will have full root authority; no
doubt some will supposedly be constrained by sudo and the like.

> There's nothing Nessus can do to lower the damages you can
> do.

Because signature checking can be disabled, I have to agree.

George
--
theall@tifaware.com
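
The two conditions debated in the messages above (whether nasl_no_signature_check is set to yes, and who is able to modify nessusd.conf and the plugin directory) can be checked together. The following shell audit is an added example, not Nessus code and not something posted to the list; the function names, the "#" comment syntax and the config path argument are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not Nessus code. Assumes "key = value"
# lines and "#" comments in nessusd.conf.

# Print "yes" if any uncommented line sets nasl_no_signature_check to yes.
sigcheck_disabled() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*nasl_no_signature_check[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (tolower(v) == "yes") hit = 1
        }
        END { print (hit ? "yes" : "no") }
    ' "$1"
}

# Succeed if the group or other write bit is set (mode string from ls).
writable_by_group_or_other() {
    case $(ls -ldn -- "$1" | cut -c1-10) in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

owner_uid() { ls -ldn -- "$1" | awk '{ print $3 }'; }   # numeric owner
fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

# $1 = nessusd.conf, $2 = plugin directory, $3 = expected owner uid (default 0).
# Prints one line per finding and returns the number of findings.
audit_nessusd() {
    findings=0
    [ "$(sigcheck_disabled "$1")" = no ] || fail "$1 disables signature checking"
    for p in "$1" "$2"; do
        if writable_by_group_or_other "$p"; then fail "$p is writable by group or other"; fi
        [ "$(owner_uid "$p")" = "${3:-0}" ] || fail "$p is not owned by uid ${3:-0}"
    done
    return "$findings"
}

# With two or more arguments audit real paths; otherwise use a constructed sample.
if [ "$#" -ge 2 ]; then
    audit_nessusd "$@" || exit 1
else
    demo=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'nasl_no_signature_check = yes' > "$demo/nessusd.conf"
    audit_nessusd "$demo/nessusd.conf" "$demo" "$(id -u)" || echo "findings: $?"
    rm -rf "$demo"
fi
```

Run it with the path to nessusd.conf and the plugin directory shown in the log above (/usr/local/lib/nessus/plugins); a non-zero exit status means at least one finding.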
Re: Help with local security checks
On Sun, Aug 22, 2004 at 02:02:07PM -0400, George Theall wrote:
> On Sun, Aug 22, 2004 at 02:17:35PM +0200, Renaud Deraison wrote:
>
> > Because if you can change the configuration file, then you are root. If
> > you are root, you can already execute commands with super-user
> > privileges.
>
> Not everyone managing a Nessus server will have full root authority; no
> doubt some will supposedly be constrained by sudo and the like.

Ah - I understand your point now. I can include a ./configure option
to disable this option, that should be easy enough.


-- Renaud
Re: Help with local security checks
>Date: Sun, 22 Aug 2004 14:17:35 +0200
>From: Renaud Deraison <deraison@nessus.org>
>Subject: Re: [Nessus-devel] Help with local security checks
>To: nessus-devel@list.nessus.org
>
>
>
>Because if you can change the configuration file, then you are root. If
>you are root, you can already execute commands with super-user
>privileges. There's nothing Nessus can do to lower the damages you can
>do.
>
>Now, if you choose to set nasl_no_signature_check to yes in the config
>file, then you're aiming a gun at your foot. For most users, this option
>must remain untouched. For people who want to write their own plugins,
>then it can be enabled.
>
>
> -- Renaud
>
>
I am new to the list, so hi all.

Renaud, would it be possible to allow users to sign scripts and then
include in the config file a list of "trusted" signers (along with their
public key) which by default would be just you? That way users can
still write and run their own scripts but don't have to turn off the
signature checking entirely. Just a thought.

Chuck
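
The trusted-signers proposal in the message above, sketched as an added example with the openssl command line; it is not how Nessus verifies scripts and not code from the list. The directory layout, the ".sig.NAME" file naming and the signer names are hypothetical, and all keys and scripts are constructed at run time.

```shell
#!/bin/sh
# Added example of the "trusted signers" idea; not how Nessus verifies scripts.
# Hypothetical layout: <dir>/NAME.pem are trusted public keys, and a script
# "x.nasl" carries detached signatures named "x.nasl.sig.NAME".

# Print the first trusted signer whose key verifies the script; return 1 if none.
verified_signer() {   # $1 = script, $2 = trusted-signers directory
    for pub in "$2"/*.pem; do
        [ -f "$pub" ] || continue
        name=$(basename "$pub" .pem)
        [ -f "$1.sig.$name" ] || continue
        if openssl dgst -sha256 -verify "$pub" -signature "$1.sig.$name" "$1" \
                >/dev/null 2>&1; then
            echo "$name"; return 0
        fi
    done
    return 1
}

# Helpers that build the constructed keys and signatures for the demo.
make_signer() {   # $1 = name, $2 = private-key dir, $3 = trusted dir or ""
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$2/$1.key" 2>/dev/null
    if [ -n "$3" ]; then openssl pkey -in "$2/$1.key" -pubout -out "$3/$1.pem"; fi
}
sign_script() {   # $1 = script, $2 = signer name, $3 = private-key dir
    openssl dgst -sha256 -sign "$3/$2.key" -out "$1.sig.$2" "$1"
}

# Constructed demo: "authors" and "localadmin" are trusted, "stranger" is not.
demo_trusted_signers() {
    d=$(mktemp -d); mkdir "$d/keys" "$d/trusted"
    make_signer authors "$d/keys" "$d/trusted"
    make_signer localadmin "$d/keys" "$d/trusted"
    make_signer stranger "$d/keys" ""
    echo 'display("constructed plugin");' > "$d/local.nasl"
    echo 'display("constructed plugin");' > "$d/other.nasl"
    sign_script "$d/local.nasl" localadmin "$d/keys"
    sign_script "$d/other.nasl" stranger "$d/keys"
    r1=$(verified_signer "$d/local.nasl" "$d/trusted" || echo REJECTED)
    r2=$(verified_signer "$d/other.nasl" "$d/trusted" || echo REJECTED)
    echo 'display("appended after signing");' >> "$d/local.nasl"
    r3=$(verified_signer "$d/local.nasl" "$d/trusted" || echo REJECTED)
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}
demo_trusted_signers
```

The script signed by a listed signer is accepted under that signer's name, while the one signed by an unlisted key and the one modified after signing are both rejected, so locally written plugins can run without turning verification off.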