DragonFly On-Line Manual Pages

Search: Section:  

NESSUS-ADDUSER(8)                User Manuals                NESSUS-ADDUSER(8)


NAME

       nessus-adduser - add a user in the nessusd userbase


SYNOPSIS

       nessus-adduser


DESCRIPTION

       The Nessus Security Scanner comes with its own user base which contains
       the list of who can use the services of nessusd, and what restriction
       (or rules) each user has.

       nessus-adduser is a simple program which will add a user in the proper
       nessusd configuration files, and will send a signal to nessusd if it is
       running to notify it of the changes.

       The program is straightforward and asks for the following items:

       o Login
              the login name of the nessusd user to add

       o Password
              the password that the user will use to connect to nessusd

       o Authentification type
              the authentification method the client will use. The recommended
              method is "cipher". However, if you compiled nessusd without the
              cipher support or if you are using a Nessus client which does
              not support the cipher layer, you'll have to use "plaintext"

       o Rules
              the set of rules to apply to the user. See below.


RULES

       Each user has his own set of rules. Rules are here to restrict the
       rights of the users. For instance, you can add user "joe" so that he
       can only test the host "192.168.1.1", whereas you can add user "bob" so
       that he can test whatever IP address he wishes.

       Each rule fits on one line. A user can have an unlimited amount of
       rules (and can even have no rule at all).

       The syntax is:
              accept|deny ip/mask
       and
              default accept|deny

       Where mask is the CIDR netmask of the rule.

       The default statement must be the last rule and defines the policy of
       the user.

       The following rule set will allow the user to test 192.168.1.0/24,
       192.168.3.0/24 and 172.22.0.0/16, but nothing else:
              accept 192.168.1.0/24
              accept 192.168.3.0/24
              accept 172.22.0.0/16
              default deny

       The following rule set will allow the user to test whatever he wants,
       except the network 192.168.1.0/24:
              deny 192.168.1.0/24
              default accept

       The keyword client_ip has been defined, and is replaced at run time by
       the IP address of the nessusd user. For instance, if you want your
       users to be able to only be able to scan the system they come from,
       then you want them to have the following ruleset:
              accept client_ip
              default deny


SEE ALSO

       nessus-rmuser(8), nessusd(8), nessus(1)


MORE INFORMATION ABOUT THE NESSUS PROJECT

       The canonical places where you will find more information about the
       Nessus project are:
              http://www.nessus.org/ <> (Official site)
              http://cvs.nessus.org <> (Developers site)


AUTHOR

       nessus-adduser was quickly written by Renaud Deraison
       <deraison@cvs.nessus.org>


BUGS

       nessus-adduser creates temporary files in $TMPDIR/.  If this variable
       is not set, then it will use /var/tmp which may be a security risk
       depending of your configuration.

       If you set your TMPDIR variable to /tmp, then you are in trouble.

The Nessus Project                April 2000                 NESSUS-ADDUSER(8)

Search: Section: