Today a new version of Pantera WAS was released!. If you previously installed on OSX according to my directions here and here then there is only one thing you need to do to get this update working.
After you have downloaded and decompressed the new version, change into that director and run the command: python ez_setup.py FormBuild.
After that, you should be able to start the new 0.1.2 version with the command: python ./pantera.py
-Patrick
Just Another Security Blog
Thursday, November 30, 2006
Tuesday, November 07, 2006
Pantera WAS on Mac OSX / Python Update
This is a follow up to the previous post. After much help from Simon Roses Femerling, we were able to determin that step #13 below is due to OSX shipping with older versions of Python (2.3.5). Before installing Pantera, it is recommended that you first update to version 2.4.X of Python (2.4.4 as of this writing). This can be downloaded from the Python.Org website.
The new version of Python will install the executable in /usr/local/bin . Depending on your PATH varible, this may conflict with the default version in /usr/bin. To aleviate this issue, run the command: sudo mv /usr/bin/python /usr/bin/old.python
After this is done, you should be able to skip step #13 in the previous post.
***Please note that upgrading to 2.5 of Python will NOT work.
The new version of Python will install the executable in /usr/local/bin . Depending on your PATH varible, this may conflict with the default version in /usr/bin. To aleviate this issue, run the command: sudo mv /usr/bin/python /usr/bin/old.python
After this is done, you should be able to skip step #13 in the previous post.
***Please note that upgrading to 2.5 of Python will NOT work.
Tuesday, October 31, 2006
Pantera Web Assessment Studio on Mac OSX
Recently a new web-app testing tool was donated to the OWASP project. This tool, Pantera can be installed on Mac OSX(Intel), using the following instructions:
1.) Download the pyOpenSSL python module from here.
2.) Cd into the directory and run the command python setup.py build.
3.) Install the module, python setup.py install.
4.) Download the MAC OSX binary package of the MySQL database from the mySQL site.
5.) Install MySQL according to these instructions.
6.) Start MySQL by running the follwing commands:
shell> cd /usr/local/mysql
shell> sudo ./bin/mysqld_safe
(ENTER YOUR PASSWORD, IF NECESSARY)
(PRESS CONTROL-Z)
shell> bg
(PRESS CONTROL-D OR ENTER "EXIT" TO EXIT THE SHELL)
7.) Download mysql-python from here.
8.) You will need to modify your pather varible to get the mysql-python package to compile correctly. First run the command, set | grep PATH you should get something resembling PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin now cut and paste that output and append "/usr/local/mysql/bin" to the end so that your resulting command should look something like:
PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin:/usr/local/mysql/bin.
9.) Now run python setup.py build from inside the mysql-python directory. When that completes run python setup.py install.
10.) Next we need to configure the pantera database. Do this by running mysql -u root and then CREATE DATABASE pantera; from the mysql prompt.
11.) **optional, feel free to lockdown the mysql database and assign a password to root at this point. Google and the pantera documentation are your friends for this.
12.) After you have created the database, from inside the pantera directory, run the following command: mysql -u root panteradb < doc/pantera_sql_create_script.txt
13.) Now, you are almost ready to run pantera. However, the panteraPlugins.py file seems to have a syntax error in it. So, use vi to edit the file. Skip down to line 458 and insert a # sign in from of the line reading "remove(c for c in self.plugin_list if c == d)"
14.) Once this is done, edit the panteracfg.xml file to include your database username and password. If you skipped step #11 above, then you just need to modify the db_login to look like:root
15.) Configure firefox to use 127.0.0.1 port 8080 as your proxy, run the command python pantera.py from inside the pantera directory, and point your browser to http://pantera.
1.) Download the pyOpenSSL python module from here.
2.) Cd into the directory and run the command python setup.py build.
3.) Install the module, python setup.py install.
4.) Download the MAC OSX binary package of the MySQL database from the mySQL site.
5.) Install MySQL according to these instructions.
6.) Start MySQL by running the follwing commands:
shell> cd /usr/local/mysql
shell> sudo ./bin/mysqld_safe
(ENTER YOUR PASSWORD, IF NECESSARY)
(PRESS CONTROL-Z)
shell> bg
(PRESS CONTROL-D OR ENTER "EXIT" TO EXIT THE SHELL)
7.) Download mysql-python from here.
8.) You will need to modify your pather varible to get the mysql-python package to compile correctly. First run the command, set | grep PATH you should get something resembling PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin now cut and paste that output and append "/usr/local/mysql/bin" to the end so that your resulting command should look something like:
PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin:/usr/local/mysql/bin.
9.) Now run python setup.py build from inside the mysql-python directory. When that completes run python setup.py install.
10.) Next we need to configure the pantera database. Do this by running mysql -u root and then CREATE DATABASE pantera; from the mysql prompt.
11.) **optional, feel free to lockdown the mysql database and assign a password to root at this point. Google and the pantera documentation are your friends for this.
12.) After you have created the database, from inside the pantera directory, run the following command: mysql -u root panteradb < doc/pantera_sql_create_script.txt
13.) Now, you are almost ready to run pantera. However, the panteraPlugins.py file seems to have a syntax error in it. So, use vi to edit the file. Skip down to line 458 and insert a # sign in from of the line reading "remove(c for c in self.plugin_list if c == d)"
14.) Once this is done, edit the panteracfg.xml file to include your database username and password. If you skipped step #11 above, then you just need to modify the db_login to look like:
15.) Configure firefox to use 127.0.0.1 port 8080 as your proxy, run the command python pantera.py from inside the pantera directory, and point your browser to http://pantera.
Monday, October 23, 2006
Ruby on Rails for Gentoo
First use emerge to install Ruby, next use emerge to install "rubygems"..
Now you can use rubygems to install Rails, ActiveRecord, etc.. You will need to answer Y to each of the dependencies.
# gem install rails
Bulk updating Gem source index for: http://gems.rubyforge.org
Install required dependency rake? [Yn]
Install required dependency activesupport? [Yn]
Install required dependency activerecord? [Yn]
Install required dependency actionpack? [Yn]
Install required dependency actionmailer? [Yn]
Install required dependency actionwebservice? [Yn]
Successfully installed rails-1.1.6
Successfully installed rake-0.7.1
Successfully installed activesupport-1.3.1
Successfully installed activerecord-1.14.4
Successfully installed actionpack-1.12.5
Successfully installed actionmailer-1.2.5
Successfully installed actionwebservice-1.1.6
Installing ri documentation for rake-0.7.1...
Installing ri documentation for activesupport-1.3.1...
While generating documentation for activesupport-1.3.1
... MESSAGE: Unhandled special: Special: type=17, text=""
... RDOC args: --ri --op /usr/lib/ruby/gems/1.8/doc/activesupport-1.3.1/ri --qui et lib
(continuing with the rest of the installation)
Installing ri documentation for activerecord-1.14.4...
Installing ri documentation for actionpack-1.12.5...
While generating documentation for actionpack-1.12.5
... MESSAGE: Unhandled special: Special: type=17, text=""
... RDOC args: --ri --op /usr/lib/ruby/gems/1.8/doc/actionpack-1.12.5/ri --quiet lib
(continuing with the rest of the installation)
Installing ri documentation for actionmailer-1.2.5...
Installing ri documentation for actionwebservice-1.1.6...
Installing RDoc documentation for rake-0.7.1...
Installing RDoc documentation for activesupport-1.3.1...
Installing RDoc documentation for activerecord-1.14.4...
Installing RDoc documentation for actionpack-1.12.5...
Installing RDoc documentation for actionmailer-1.2.5...
Installing RDoc documentation for actionwebservice-1.1.6...
After this completes, you can now create a test rails project by issuing the command: "rails test", after changing to your web directory (/var/www/localhost/htdocs/) by default.
# cd /var/www/localhost/htdocs/
# rails photos
create
create app/controllers
create app/helpers
create app/models
create app/views/layouts
create config/environments
create components
create db
create doc
create lib
create lib/tasks
[...SNIP...]
You can now start the WeBrick webserver included with Rails.
# ruby ./script/server -d test
=> Booting WEBrick...
=> Rails application started on http://0.0.0.0:3000
[2006-10-23 12:52:56] INFO WEBrick 1.3.1
[2006-10-23 12:52:56] INFO ruby 1.8.5 (2006-08-25) [i686-linux]
At this point you should be able to point your browser to http://127.0.0.1:3000/ and get the Ruby on Rails Welcome page.
For more information on integration your Ruby on Rails installation with apache2 and FastCGI, please refer to: http://gentoo-wiki.com/HOWTO_RoR.
Now you can use rubygems to install Rails, ActiveRecord, etc.. You will need to answer Y to each of the dependencies.
# gem install rails
Bulk updating Gem source index for: http://gems.rubyforge.org
Install required dependency rake? [Yn]
Install required dependency activesupport? [Yn]
Install required dependency activerecord? [Yn]
Install required dependency actionpack? [Yn]
Install required dependency actionmailer? [Yn]
Install required dependency actionwebservice? [Yn]
Successfully installed rails-1.1.6
Successfully installed rake-0.7.1
Successfully installed activesupport-1.3.1
Successfully installed activerecord-1.14.4
Successfully installed actionpack-1.12.5
Successfully installed actionmailer-1.2.5
Successfully installed actionwebservice-1.1.6
Installing ri documentation for rake-0.7.1...
Installing ri documentation for activesupport-1.3.1...
While generating documentation for activesupport-1.3.1
... MESSAGE: Unhandled special: Special: type=17, text=""
... RDOC args: --ri --op /usr/lib/ruby/gems/1.8/doc/activesupport-1.3.1/ri --qui et lib
(continuing with the rest of the installation)
Installing ri documentation for activerecord-1.14.4...
Installing ri documentation for actionpack-1.12.5...
While generating documentation for actionpack-1.12.5
... MESSAGE: Unhandled special: Special: type=17, text=""
... RDOC args: --ri --op /usr/lib/ruby/gems/1.8/doc/actionpack-1.12.5/ri --quiet lib
(continuing with the rest of the installation)
Installing ri documentation for actionmailer-1.2.5...
Installing ri documentation for actionwebservice-1.1.6...
Installing RDoc documentation for rake-0.7.1...
Installing RDoc documentation for activesupport-1.3.1...
Installing RDoc documentation for activerecord-1.14.4...
Installing RDoc documentation for actionpack-1.12.5...
Installing RDoc documentation for actionmailer-1.2.5...
Installing RDoc documentation for actionwebservice-1.1.6...
After this completes, you can now create a test rails project by issuing the command: "rails test", after changing to your web directory (/var/www/localhost/htdocs/) by default.
# cd /var/www/localhost/htdocs/
# rails photos
create
create app/controllers
create app/helpers
create app/models
create app/views/layouts
create config/environments
create components
create db
create doc
create lib
create lib/tasks
[...SNIP...]
You can now start the WeBrick webserver included with Rails.
# ruby ./script/server -d test
=> Booting WEBrick...
=> Rails application started on http://0.0.0.0:3000
[2006-10-23 12:52:56] INFO WEBrick 1.3.1
[2006-10-23 12:52:56] INFO ruby 1.8.5 (2006-08-25) [i686-linux]
At this point you should be able to point your browser to http://127.0.0.1:3000/ and get the Ruby on Rails Welcome page.
For more information on integration your Ruby on Rails installation with apache2 and FastCGI, please refer to: http://gentoo-wiki.com/HOWTO_RoR.
Tuesday, August 22, 2006
Mac OSX Essential Security Tools
Having recently converted to a Mac Book Pro, I have been on a quest to locate security tools capable of running on this platform. Here is are the tools I found that I now cannot live without:
KisMAC - This tool is supposed to allow you to do all the cool wireless stuff from OSX. I downloaded it and whil it did look cool, I quickly discovered one huge drawback. It turns out that is monitor/ passive mode is not supported with the Airport Extreme wireless cards in the new Mac Book Pro's. However, I have downloaded the newest Alpha version and found that it now supports passive mode in these cards! The only functionality now lacking is the ability to reinject packets. Hopefully this functionality will be there soon. Packet reinjection is necessary to perform the different Auth/ Deauth flood attacks used to generate more traffic for cracking WEP. This video provides a cool overview of cracking WEP with KisMAC.
Nessus 3.X - New with version 3.x of nessus, the Nessus developers decided to stop distribuing source code. As we have seen, it is possible to get Nessus 3.x running on other platforms. However, it turns out that OSX is now one of the supported platforms. The install and operation of OSX package is seamless. It comes with both the client and the server.
Paros Proxy - Paros proxy is an extremely well designed proxy that is a must for doing web application security testing. Because it is coded in java, it is cross platform. As long as you have JRE installed, Paros proxy functions right out of the box.
Parallels - Think of this as VMWare for MAC, only better. No annoying need to add "vmware" tools into your guest OS, etc. Using Parallels I was able boot all of my favorite Linux-based LiveCD Security Toolkits, such as Backtrack. This gives you instant access to a wealth of security tools (nmap, spike proxy, etc). By editing the CDROM setting to "Use an Image File:", you can now configure Parallels to boot from an ISO file. The only limitation I noticed was that the wireless card is not virtualized. However, since most wireless security tools won't function properly when operating though an abstration layer anyway, this is definately a minor limitation.
VirtueDesktops - Although this application is not actually a security tool, it is unbelievably cool. Its a desktop switching tool that is adds a high level of functionality while adding a super high level of eye-candy as well. Check out this video to see exactly what I am talking about. --Note, this video only shows 2 desktops in a left to right config. You can also add additional desktops on a vertical axis as well.
KisMAC - This tool is supposed to allow you to do all the cool wireless stuff from OSX. I downloaded it and whil it did look cool, I quickly discovered one huge drawback. It turns out that is monitor/ passive mode is not supported with the Airport Extreme wireless cards in the new Mac Book Pro's. However, I have downloaded the newest Alpha version and found that it now supports passive mode in these cards! The only functionality now lacking is the ability to reinject packets. Hopefully this functionality will be there soon. Packet reinjection is necessary to perform the different Auth/ Deauth flood attacks used to generate more traffic for cracking WEP. This video provides a cool overview of cracking WEP with KisMAC.
Nessus 3.X - New with version 3.x of nessus, the Nessus developers decided to stop distribuing source code. As we have seen, it is possible to get Nessus 3.x running on other platforms. However, it turns out that OSX is now one of the supported platforms. The install and operation of OSX package is seamless. It comes with both the client and the server.
Paros Proxy - Paros proxy is an extremely well designed proxy that is a must for doing web application security testing. Because it is coded in java, it is cross platform. As long as you have JRE installed, Paros proxy functions right out of the box.
Parallels - Think of this as VMWare for MAC, only better. No annoying need to add "vmware" tools into your guest OS, etc. Using Parallels I was able boot all of my favorite Linux-based LiveCD Security Toolkits, such as Backtrack. This gives you instant access to a wealth of security tools (nmap, spike proxy, etc). By editing the CDROM setting to "Use an Image File:", you can now configure Parallels to boot from an ISO file. The only limitation I noticed was that the wireless card is not virtualized. However, since most wireless security tools won't function properly when operating though an abstration layer anyway, this is definately a minor limitation.
VirtueDesktops - Although this application is not actually a security tool, it is unbelievably cool. Its a desktop switching tool that is adds a high level of functionality while adding a super high level of eye-candy as well. Check out this video to see exactly what I am talking about. --Note, this video only shows 2 desktops in a left to right config. You can also add additional desktops on a vertical axis as well.
Wednesday, August 09, 2006
Top 10 DNS Infrastructure Best Practices
(This is something I wrote for my company's public newsletter)..
Top 10 DNS Infrastructure Best Practices
A corporation's Domain Name System (DNS) Infrastructure plays an integral, but often overlooked role, in the overall security posture of the network environment. Not only should these services be configured securely, they should also be designed to provide a very high level of availability and redundancy.
1. "Split Horizon" DNS refers to the practice of separating DNS into an external and internal view. This provides a logical separation between the DNS information available to internal network clients and what is made publicly available to the internet at large. DNS store a wealth of information regarding the configuration of a network. Being able to enumerate this information is an invaluable resource for would-be attackers. By separating the publicly available information from that required by internal clients, adds a very critical layer of protection. Split horizon DNS can be accomplished in several methods, but separation on physical devices is the preferred.
2. Recursion in simple terms is the ability of a DNS server to answer client requests for domains which it is not authoritative for. Using a split horizon DNS deployment model, there are two primary sets of DNS servers, internal and external. Internal servers should be configured to perform recursion to service the requests of the internal network clients. However, external DNS servers should be explicitly configured to deny recursion. External DNS servers should solely answer requests for the domains for which they are the authoritative for. Public DNS servers which allow recursion have been recently exploited in as amplification machines in Distributed Denial of Service (DDoS) attacks. Not only does this consume valuable machine and bandwidth resources, but there also could be legal ramifications for an organization whose servers were exploited.
3. DNS by design has the ability to offer a high level of availability and redundancy. An organization should have two or more primary DNS servers. These devices should be both geographic and carrier diverse. Having multiple DNS servers in the same physical location on the same internet connection provides very limited redundancy. A single carrier outage or fiber cut can instantly isolate all of your DNS servers. Instead, these should be distributed in across different geographical regions utilizing different internet providers. This can be accomplished by placing the servers in either a remote office, a collocation facility, or utilizing a hosted DNS provider. Ideally an organization should have a minimum of two (2) DNS servers with three (3) being the recommended number.
4.The NS records for an organization's domain name provide public DNS servers with the information needed to find the authoritative nameservers for that domain. These records are uploaded from your domain registrar to the Top Level Domain (TLD) DNS servers. As changes are made to your DNS infrastructure, its imperative that your NS records updated to reflect these changes.
5. Lame Delegation is a term that is used to refer to servers that are listed as authoritative for a specific domain but do not answer authoritatively. This can cause delayed responses, increased workload on both an organization's and the TLD DNS servers and is a problem that has plagued the internet for several years now. The extent of this problem can be seen by looking for the "Lame" keyword in the server logs of any active recursive DNS server. This problem can be avoided by keeping the NS and SOA records for your domains accurate and up to date.
6. Zone transfers are the ability for a slave DNS server to pull records from a master server to a slave. This allows you to host all of your zonefiles on a master machine and have them automatically propagate to slave machines after a change is made. The ability to transfer an entire zonefile for a domain also provides a easy way for would-be attackers to enumerate an organizations network. Because of this DNS servers should be configured to limit zone transfer requested to the IP addresses of designated slave machines.
7. MX records are the DNS records that allow your organization to receive email. Each domain should have a minimum of two (2) MX records. These records also have a preference number associated with them. The lower numerical value of the preference translates into the higher priority mail gateway. Therefore, if you have two (2) gateways, a primary and a secondary, then the primary would have a MX preference value of ten (10) and the secondary of twenty (20) so that the primary would be the higher priority mail gateway.
8. All MX records should have a corresponding PTR record. RFC1912 dictates that all mail gateways should have Reverse DNS entries configured. Many mail servers are configured to not accept email from gateways which don't have proper Reverse DNS entries.
9. DNS server versions often provide a would-be attacker with valuable information about the DNS application running on that machine. Published exploits corresponding to that specific version of the application can quickly be located and launched. For this reason, DNS server versions should be modified to obfuscate the actual running version number.
10. Zone file serial numbers are used by master DNS servers to inform the salve servers when a zone file has been changed and needs to be transferred. Every time a change is made to the zone file, the serial number should be incremented. If this is not done, DNS zone data can quickly become out of sync, causing enterprise-wide problems.
1. "Split Horizon" DNS refers to the practice of separating DNS into an external and internal view. This provides a logical separation between the DNS information available to internal network clients and what is made publicly available to the internet at large. DNS store a wealth of information regarding the configuration of a network. Being able to enumerate this information is an invaluable resource for would-be attackers. By separating the publicly available information from that required by internal clients, adds a very critical layer of protection. Split horizon DNS can be accomplished in several methods, but separation on physical devices is the preferred.
2. Recursion in simple terms is the ability of a DNS server to answer client requests for domains which it is not authoritative for. Using a split horizon DNS deployment model, there are two primary sets of DNS servers, internal and external. Internal servers should be configured to perform recursion to service the requests of the internal network clients. However, external DNS servers should be explicitly configured to deny recursion. External DNS servers should solely answer requests for the domains for which they are the authoritative for. Public DNS servers which allow recursion have been recently exploited in as amplification machines in Distributed Denial of Service (DDoS) attacks. Not only does this consume valuable machine and bandwidth resources, but there also could be legal ramifications for an organization whose servers were exploited.
3. DNS by design has the ability to offer a high level of availability and redundancy. An organization should have two or more primary DNS servers. These devices should be both geographic and carrier diverse. Having multiple DNS servers in the same physical location on the same internet connection provides very limited redundancy. A single carrier outage or fiber cut can instantly isolate all of your DNS servers. Instead, these should be distributed in across different geographical regions utilizing different internet providers. This can be accomplished by placing the servers in either a remote office, a collocation facility, or utilizing a hosted DNS provider. Ideally an organization should have a minimum of two (2) DNS servers with three (3) being the recommended number.
4.The NS records for an organization's domain name provide public DNS servers with the information needed to find the authoritative nameservers for that domain. These records are uploaded from your domain registrar to the Top Level Domain (TLD) DNS servers. As changes are made to your DNS infrastructure, its imperative that your NS records updated to reflect these changes.
5. Lame Delegation is a term that is used to refer to servers that are listed as authoritative for a specific domain but do not answer authoritatively. This can cause delayed responses, increased workload on both an organization's and the TLD DNS servers and is a problem that has plagued the internet for several years now. The extent of this problem can be seen by looking for the "Lame" keyword in the server logs of any active recursive DNS server. This problem can be avoided by keeping the NS and SOA records for your domains accurate and up to date.
6. Zone transfers are the ability for a slave DNS server to pull records from a master server to a slave. This allows you to host all of your zonefiles on a master machine and have them automatically propagate to slave machines after a change is made. The ability to transfer an entire zonefile for a domain also provides a easy way for would-be attackers to enumerate an organizations network. Because of this DNS servers should be configured to limit zone transfer requested to the IP addresses of designated slave machines.
7. MX records are the DNS records that allow your organization to receive email. Each domain should have a minimum of two (2) MX records. These records also have a preference number associated with them. The lower numerical value of the preference translates into the higher priority mail gateway. Therefore, if you have two (2) gateways, a primary and a secondary, then the primary would have a MX preference value of ten (10) and the secondary of twenty (20) so that the primary would be the higher priority mail gateway.
8. All MX records should have a corresponding PTR record. RFC1912 dictates that all mail gateways should have Reverse DNS entries configured. Many mail servers are configured to not accept email from gateways which don't have proper Reverse DNS entries.
9. DNS server versions often provide a would-be attacker with valuable information about the DNS application running on that machine. Published exploits corresponding to that specific version of the application can quickly be located and launched. For this reason, DNS server versions should be modified to obfuscate the actual running version number.
10. Zone file serial numbers are used by master DNS servers to inform the salve servers when a zone file has been changed and needs to be transferred. Every time a change is made to the zone file, the serial number should be incremented. If this is not done, DNS zone data can quickly become out of sync, causing enterprise-wide problems.
Nessus 3.0 on Gentoo
With the release of Nessus 3.x, the developers have made the decision to no longer distribute source code. Because of this, nessus binaries will only install on "supported platforms". However, I have recently discovered a way around this severe limitation.
This is a quick and dirty guide to get Nessus 3.0 to install on Gentoo.
First, download Nessus-3.0.3-fc5.i386.rpm from nessus.org
Use rpm2targz Nessus-3.0.3-fc5.i386.rpm to convert the package from RPM format to a gzip'ed tar file.
Move the resulting file to your / directory.
Use tar -zxvf Nessus-3.0.3-fc5.i386.tar.gz to decompress and un'tar the file.
Edit /etc/ld.so.conf and append /opt/nessus/lib to the end of the file.
Run ldconfig to make those changes take effect.
Next, cd into your /usr/lib directory and do the following:
ln -s libssl.so.0.9.7 libssl.so.6
ln -s libcrypto.so.0.9.7 libcrypto.so.6
You can now finish installing nessus as normal (e.g /opt/nessus/sbin/nessus-mkcert). You can also test your installation by running the command: /opt/nessus/sbin/nessusd -d
[UPDATE] You will need to edit /opt/nessus/sbin/nessus-update-plugins . Look for the line reading "gzip=/usr/bin/gzip" and change it to read "gzip=/bin/gzip"
[UPDATE 2] Instead of making the change to /etc/ld.so.conf above, you should create a file in the /etc/env.d/ directory called 08nessus. Then file should only contain the line: LDPATH=/opt/nessus/lib. This change is necessary because the env-update script will overwrite the changes you make directly to /etc/ls.so.conf.
This is a quick and dirty guide to get Nessus 3.0 to install on Gentoo.
First, download Nessus-3.0.3-fc5.i386.rpm from nessus.org
Use rpm2targz Nessus-3.0.3-fc5.i386.rpm to convert the package from RPM format to a gzip'ed tar file.
Move the resulting file to your / directory.
Use tar -zxvf Nessus-3.0.3-fc5.i386.tar.gz to decompress and un'tar the file.
Edit /etc/ld.so.conf and append /opt/nessus/lib to the end of the file.
Run ldconfig to make those changes take effect.
Next, cd into your /usr/lib directory and do the following:
ln -s libssl.so.0.9.7 libssl.so.6
ln -s libcrypto.so.0.9.7 libcrypto.so.6
You can now finish installing nessus as normal (e.g /opt/nessus/sbin/nessus-mkcert). You can also test your installation by running the command: /opt/nessus/sbin/nessusd -d
[UPDATE] You will need to edit /opt/nessus/sbin/nessus-update-plugins . Look for the line reading "gzip=/usr/bin/gzip" and change it to read "gzip=/bin/gzip"
[UPDATE 2] Instead of making the change to /etc/ld.so.conf above, you should create a file in the /etc/env.d/ directory called 08nessus. Then file should only contain the line: LDPATH=/opt/nessus/lib. This change is necessary because the env-update script will overwrite the changes you make directly to /etc/ls.so.conf.
Subscribe to:
Posts (Atom)