Hi,
First post, but I've been using Nessus, nasl's and .audit files for a
couple of years now.
I've recently been writing a few plugins that require root privileges,
for example to parse /etc/ssh/sshd_config, so they need to use the new
ability to use su or sudo (which I noticed doesn't appear to feature in
Security Center 3?)
Anyway, I've noticed some oddities which may or may not be bugs.....
Firstly the knowledgebase item "Secret/SSH/sudo-password" does not seem
to return to the script if the password is incorrect. I can only assume
that Nessus tries to login and if it fails unsets the variable - along
with "Secret/SSH/sudo" it seems also.
I was hoping to read the password from the knowledgebase to ensure that
the user had actually given a password and elected to use su/sudo, so I
could otherwise raise a security note saying something like "Plugin
could not run due to lack of root credentials", and exit gracefully
before attempting to login.
The second reason for wanting to check for a sudo-password is that there
seems to be another bug in that if the user elects to use su/sudo in the
GUI, but provides no password, the plugin just sits there doing nothing,
never times out and doesn't send any network traffic....
Also, is the return value of ssh_cmd() a newline terminated string, as
'if (buf !~ "^0\n$") {' doesn't seem to match, but knock off the newline
and dollar, and it works fine.
On a partially un-related note, has anyone else noticed that the options
to use amap, nikto, su, sudo and sometimes nmap are missing from the GUI
when you try to create a new scan policy? I've had to create my policies
and manually edit ~/.nessus-client/Policies.xml to put the items in. The
binaries are all in root's $PATH, so that's not it, and they do work.
v3.0 client/server didn't seem to have the problem.
Nessus 3.2.1 and NessusClient 3.2.1.1 on Fedora Core 9 (32-bit) and 10
(64-bit).
Regards.
--
Simon John
nessus at the-jedi.co.uk
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
First post, but I've been using Nessus, nasl's and .audit files for a
couple of years now.
I've recently been writing a few plugins that require root privileges,
for example to parse /etc/ssh/sshd_config, so they need to use the new
ability to use su or sudo (which I noticed doesn't appear to feature in
Security Center 3?)
Anyway, I've noticed some oddities which may or may not be bugs.....
Firstly the knowledgebase item "Secret/SSH/sudo-password" does not seem
to return to the script if the password is incorrect. I can only assume
that Nessus tries to login and if it fails unsets the variable - along
with "Secret/SSH/sudo" it seems also.
I was hoping to read the password from the knowledgebase to ensure that
the user had actually given a password and elected to use su/sudo, so I
could otherwise raise a security note saying something like "Plugin
could not run due to lack of root credentials", and exit gracefully
before attempting to login.
The second reason for wanting to check for a sudo-password is that there
seems to be another bug in that if the user elects to use su/sudo in the
GUI, but provides no password, the plugin just sits there doing nothing,
never times out and doesn't send any network traffic....
Also, is the return value of ssh_cmd() a newline terminated string, as
'if (buf !~ "^0\n$") {' doesn't seem to match, but knock off the newline
and dollar, and it works fine.
On a partially un-related note, has anyone else noticed that the options
to use amap, nikto, su, sudo and sometimes nmap are missing from the GUI
when you try to create a new scan policy? I've had to create my policies
and manually edit ~/.nessus-client/Policies.xml to put the items in. The
binaries are all in root's $PATH, so that's not it, and they do work.
v3.0 client/server didn't seem to have the problem.
Nessus 3.2.1 and NessusClient 3.2.1.1 on Fedora Core 9 (32-bit) and 10
(64-bit).
Regards.
--
Simon John
nessus at the-jedi.co.uk
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers