Tenable (Nessus) Scans

I am new to NixOS and I am attempting to get a successful scan using Tenable (Nessus). Does anyone have experience getting a successful scan using this tool?

I've recently tried to package the Nessus agent here: nessus-agent: init at 10.5.1 · matrss/nixpkgs@35523c1 · GitHub (to run it I also created a simple systemd service that was modeled after the default nessusagent systemd service provided with the Ubuntu package, just changed to run in the FHS env).

This runs fine in its own little sandbox, seemed to collect some data (open ports, IPs, etc.) and could see everything that is installed with Nix, but since Nessus has no idea about Nix it will report no installed packages. There was also another issue with the agent: it seemingly reported everything back to the Nessus manager without issue, but the manager was unable to compile a report from that. No idea why.

Due to this issue we have switched to using authenticated scanning instead of agent-based scanning. This was very simple: just add the Nessus scanner's SSH public key to the root user's authorized keys (and think about all the implications of that), e.g. like this:

  users.users.root.openssh.authorizedKeys.keys = [
    # Nessus Scanner
    "<public key>"
  ];

and make sure that the scanner can reach the system. A standard NixOS configuration seems to contain all the usual diagnostic tools that Nessus expects, and it gathers its information fine, but again obviously without any idea about installed packages.
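As an added example (not code from the post above), here is a fuller NixOS module for the authenticated-scanning setup it describes, with the two restrictions a practitioner would normally want when handing a scanner a root key: the key is bound to the scanner's source address with the OpenSSH `from=` authorized_keys option, and sshd is told to never accept a password for root. The scanner address 192.0.2.10, the key material, and the use of `services.openssh.settings` (NixOS 23.05 or later) are assumptions for illustration.

```nix
# Added example, not part of the original post. Authenticated Nessus scanning
# over SSH with the scanner's key limited to the scanner's own address.
# Assumptions: scanner at 192.0.2.10 (documentation range), placeholder key
# material, and a NixOS release that provides services.openssh.settings.
{ config, lib, pkgs, ... }:

let
  # Constructed placeholder; replace with the public key exported from the
  # Nessus scanner's SSH credential.
  nessusScannerKey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialReplaceMe nessus-scanner";

  # Assumed source address of the scanner; sshd rejects this key from anywhere else.
  nessusScannerAddr = "192.0.2.10";
in
{
  services.openssh = {
    enable = true;
    settings = {
      # Root may log in with a key only; a password is never accepted for root.
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  users.users.root.openssh.authorizedKeys.keys = [
    # Nessus scanner, pinned to its source address via the from= option.
    # No "restrict"/"no-pty" here: an authenticated scan needs an
    # interactive shell and a pty to run its collection commands.
    "from=\"${nessusScannerAddr}\" ${nessusScannerKey}"
  ];
}
```

After `nixos-rebuild switch`, a connection attempt with that key from any address other than 192.0.2.10 is refused by sshd before authentication completes, which limits the blast radius if the key is ever copied off the scanner. This does nothing about the package-visibility gap described above; the scanner still cannot interpret the Nix store.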