The easy part:

1. emerge nessus
2. nessus-mkcert
3. nessus-user-add
4. register at nessus website to get the actiovation code for plugin feeds (FYI: #GPL plugins: 1299, #registered plugins: 9575), so unless you register you get a very small subset of (probably outdated) scanners.
5. nessus-fetch –register <activation-code>
6. nessus-update-plugins (it probably makes sense to add it to cron).

Ok, now for scanning the most obvious choice is to run a nessus client with GTK interface. If we don’t want to do this we can either:

• run the graphical console remotely
• run a command-line interface.

The tricky part: Scanning using command line interface:

nessus -V -q 127.0.0.1 1241 <user> <password> <host file> <output file.nbe>

It works fine although generates a warning that “potentially unsafe plugins have been disabled”. While it makes sense for a big and critical network, you may also want to do the “unsafe” scan occasionally. How to enable it?

The first trick, is that nessus creates a “.nessusrc” file in your home directory. The first try — “safe_checks=no” – doesn’t help. Second, you figure out that there is also a nessus-wide file /etc/nessus/nessusd.conf”, which has the same option (overriding the local one) by default set to “yes”. Unfortuantely, no warning is generated when this happenes. Unfortunately, this doesn’t help either

I found the solution analyzing the config file that was created after using nessus with a GUI (with all the plugins enabled). It turns out that such a file the following entry is being added:

begin(PLUGIN_SET)
 14250 = yes
 15094 = yes
 15185 = yes
...
end(PLUGIN_SET)

So all the plugins are explicitly enabled. Only then AND if both safe_checks in the global and local config files are set to “no”, unsafe plugins are executed. Unfortuantely, I don’t know how to set this option from the command line. Also as the new plugins are being instaled, the list would need to be kept updated (does nessus client do this?).

Another solution can be using Net::Nessus::ScanLite from CPAN (unfortunately it seems a bit outdated ~Dec 2003). I haven’t tried it, but it looks ok, and also it supports reading of plugins (so that we can enable/disable some) and also relieves us from parsing the NBE file. Problem: Net::Nessus::ScanLite uses Net:Nessus::Client, which doesn’t compile (for a number of reasons) and, moreover, is not aware that Nessus uses SSL. Surprisingly enough, ScanLite is aware of this and it somehow works around this. How — I don’t know.

Host <short hostname> Hostname <full hostname> Port port User user LocalForward 54320 localhost:5432 Dynamic Forward 9050