Officially, this is unsupported. It may break your appliance, cause Tenable’s tools to stop working, etc. I thought it would be worthwhile to put together another HOWTO, though. I recently got a bit frustrated with the Passive Vulnerability Scanner, and wanted access to the command-line tools. I didn’t want to spend a lot of time setting up and managing yet another operating system and going through Dependency Heck installing RPMs.
I probably don’t need to say this, but keep in mind that installing an SSH server on the appliance is a security risk. The appliance’s package management system is disabled by default and has an empty repository list, so you get no update notice if your SSH server suddenly goes out of style. I recommend following these instructions and only enabling SSH on network interfaces accessible to the VM host.
I recommend deciding which IP address to bind to before starting. The appliance doesn’t come with a text editor, so you’ll have to install one or make creative use of ‘cat’ and ‘sed’ if you decide to change your mind on interfaces later.
First, you’re going to need another Linux VM to do this. I use BackTrack for just about everything. Your instructions may vary slightly from these (probably they’ll be easier). I’m going to assume BT5 + VMWare though. You’ll need BackTrack installed on a system so that you can add an extra package.
You’ll want to attach the Tenable Appliance’s ‘data’ hard disk to your VM. To do this, first shut down the Tenable Appliance from the console. Make sure that it’s off, not suspended. Attach the ‘data’ hard disk to your BT5 VM. Make sure that you choose to not copy the disk, but to use the actual file that the other VM uses.
Boot up BT5. Your bootlog will show that the extra hard disk was identified, but that it has a disklabel that can’t be read. This is because the Tenable Appliance uses LVM (logical volume management, a fancy disk management system for Linux that allows for fancy things like mirroring, disk portability, etc). You won’t be able to mount the disk just yet.
On the BT5 console, install LVM2. ‘apt-get install lvm2’.
Now run the command ‘vgscan’ from the command line. This will tell the the logical volume manager to take a look at each hard disk in your system for disks with an LVM label.
Now run the command ‘vgchange -ay TAvg’. This will tell LVM that the TAvg (‘Tenable Appliance Volume Group’) has volumes available for mounting.
Now run the command ‘mount /dev/TAvg/TAlv /mnt’. Congratulations, you’re almost done! The Tenable appliance hard drive is accessible on your BT5 system under /mnt .
Now chroot to /mnt . This is a handy little trick that runs a new shell treating / as /mnt . This is needed so that we can install the packages onto Tenable’s hard drive without touching your BT5 installation. Just type ‘chroot /mnt’ on the command line. Be sure that the next commands are executed on this shell!
Type ‘rpm -ivh /tmp/tcp_wrappers-7.6-40.7.el5.i386.rpm’. You’ll see some hash-marks as it installs.
Type ‘rpm -ivh –nodeps /tmp/openssh-server-4.3p2-72.el5.ie86.rpm’
Type ‘adduser <your user name>’. This will make you a user account to actually SSH into.
Type ‘passwd <your user name>’. This will let you set the password for your user.
Type ‘exit’. You should now be back in the BT5 shell, non-chroot’d.
Edit /mnt/etc/passwd with your favorite editor, and set your new user account number to 0. The user and groupid are the 3rd and 4th field in the passwd file, and probably both were set to 501 when the account was created. The last line of the file should look like this:
Edit /mnt/etc/ssh/sshd_config . Set the ListenAddress line to the IP of the interface that want to listen to.
As an optional step I install netcat onto my appliance. Openssh-server comes with sftp installed, so you can always upload netcat to the appliance later, once it is running.
As another optional series of things to do, you can mount their OS disk (which doesn’t require LVM), and edit the grub menu.lst file. I found it convenient to comment out the lines “hiddenmenu” and “password”, and to set the option “timeout=30” so that I can boot the appliance into single-user mode later.
Shutdown your BT5 VM. Remove the ‘data’ hard disk from the VM, but don’t delete the hard disk file. Make sure that the file is still pointed to by your Appliance VM, and start it up.
SSH to your tenable appliance with your username and password. Congratulations! Now you can debug scripts, and even add yum repositories and install all that fancy software that you need to Get Your Job Done.
Photo by cdrummbks
PS: I’ve been asked about the “Whole Earth Catalogue” pictures. The Whole Earth Catalogue byline was “Access to Tools.” My name for blog posts that tell you how to use, modify, and build software tools for ICS security testing is in the spirit of the Whole Earth crew.