Setting up accounts for use with Nessus Scans on ESXi

FD

Recently had a request to add a dedicated non-root account (rather than the out-of-the-box root user) for some Nessus scans. For ESXi hosts it is a matter of creating a local user and assigning it a role, which the PowerCLI script below does for every connected host.

# Skip hosts that are not responding; Get-EsxCli cannot talk to them.
$esx_hosts = Get-VMHost | where {$_.ConnectionState -ne "NotResponding"}

foreach ($esx_host in $esx_hosts) {
    Write-Host $esx_host -ForegroundColor Green
    $esxcli = Get-EsxCli -VMhost $esx_host -V2

    # Create the local account (esxcli system account add)
    $arguments1 = $esxcli.system.account.add.CreateArgs()
    $arguments1.id = '<INSERT USERNAME Here>'
    $arguments1.password = '<INSERT 20 Char Password Here>'
    $arguments1.passwordconfirmation = '<INSERT 20 Char Password Here>'
    $arguments1.description = 'Tenable user'
    $esxcli.system.account.add.Invoke($arguments1)

    # Assign the role to the new account (esxcli system permission set)
    $arguments2 = $esxcli.system.permission.set.CreateArgs()
    $arguments2.id = '<INSERT USERNAME Here>'
    $arguments2.role = 'Admin'
    $esxcli.system.permission.set.Invoke($arguments2)
}
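The script above fails on any host where the account already exists and gives no view of what role the account ended up with. The following audit script is an added example (not part of the original post) that reports, per host, whether the scan account exists and whether its role still matches what was set; it assumes an existing Connect-VIServer session and that the esxcli list objects expose UserID, Principal and Role properties.

```powershell
# Added example: audit the Nessus scan account across all responding ESXi hosts.
# Assumes a PowerCLI session is already connected (Connect-VIServer) and that
# the esxcli account/permission list objects expose UserID / Principal / Role.

$ScanUser     = '<INSERT USERNAME Here>'   # same id used when creating the account
$ExpectedRole = 'Admin'                    # role the creation script assigns

function Get-ScanAccountStatus {
    param([string]$UserId, [string]$Role)

    $hosts = Get-VMHost | Where-Object { $_.ConnectionState -ne 'NotResponding' }
    foreach ($h in $hosts) {
        $esxcli  = Get-EsxCli -VMHost $h -V2
        $account = $esxcli.system.account.list.Invoke() |
                   Where-Object { $_.UserID -eq $UserId }
        $perm    = $esxcli.system.permission.list.Invoke() |
                   Where-Object { $_.Principal -eq $UserId }

        [pscustomobject]@{
            Host        = $h.Name
            Exists      = [bool]$account
            Role        = if ($perm) { $perm.Role } else { $null }
            RoleMatches = [bool]($perm -and $perm.Role -eq $Role)
        }
    }
}

$status = Get-ScanAccountStatus -UserId $ScanUser -Role $ExpectedRole
$status | Format-Table -AutoSize

# Hosts still needing the account, and hosts whose role drifted from what was set
$status | Where-Object { -not $_.Exists } |
    ForEach-Object { "Missing on $($_.Host)" }
$status | Where-Object { $_.Exists -and -not $_.RoleMatches } |
    ForEach-Object { "Role drift on $($_.Host): $($_.Role)" }
```

Run it before the creation script to limit that script to the hosts listed as missing, and afterwards to confirm every host reports the expected role.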

Virtual Appliances (VCSA, VROPS, VRLIA, etc.)

Log in as the root user and run these from the console.

# Create the scan account and its home directory
useradd <Username>
mkdir /home/<Username>
chown <Username> /home/<Username>
# Add the account to the root and wheel groups
usermod -G root,wheel <Username>
# passwd does not take the password as an argument; enter the 20 char password at the prompt
passwd <Username>