Tenable

From Dikapedia
Jump to: navigation, search

What is Tenable?

Ref: https://docs.tenable.com/nessus-agent/Content/GettingStarted.htm

Tenable Nessus Agents are lightweight, low-footprint programs that you install locally on hosts to supplement traditional network-based scanning or to provide visibility into gaps that traditional scanning misses. Tenable Nessus Agents collect vulnerability, compliance, and system data, and report that information back to a manager for analysis. With Tenable Nessus Agents, you extend scan flexibility and coverage. You can scan hosts and endpoints that intermittently connect to the internet without using credentials. You can also run large-scale concurrent agent scans with little network impact.


About Tenable Nessus Agents

Ref: https://docs.tenable.com/nessus-agent/Content/GettingStarted.htm

Tenable Nessus Agents help you address the challenges of traditional network-based scanning, specifically for the assets where it's impossible or nearly impossible to collect information about your organization's security posture consistently. Traditional scanning typically occurs at selected intervals or during designated windows and requires systems to be accessible when a scan executes. If laptops or other transient devices are not accessible when a scan executes, they are excluded from the scan, leaving you unaware of vulnerabilities on those devices.

Once installed on servers, portable devices, or other assets found in today’s complex IT environments, Tenable Nessus Agents identify vulnerabilities, policy violations, misconfigurations, and malware on the hosts where they are installed and report results back to the managing product. You can manage Tenable Nessus Agents with Tenable Nessus Manager or Tenable Vulnerability Management.


Tenable Nessus Agent CLI Commands

Tenable Documentation: https://docs.tenable.com/nessus-agent/Content/NessusCLIAgent.htm


Install the Nessus Agent

1. Install 

sudo rpm -ivh ./NessusAgent-10.4.0-es7.x86_64.rpm

2. Start and enable the service to run at boot 

sudo systemctl start nessusagent
sudo systemctl enable nessusagent

3. Verify Nessus agent is running 

sudo systemctl status nessusagent


Check Nessus Agent Status

This shows what manager/IP it is linked or connected to. 

sudo /opt/nessus_agent/sbin/nessuscli agent status


Check Agent UUID

Run: 

sudo /opt/nessus_agent/sbin/nessuscli agent status --show-uuid

or 

cat /etc/tenable_tag


Linking the Nessus Agent

If you notice that the nessuscli agent status is showing that the endpoint is not linked/connected to anything, then run the following command: 

sudo /opt/nessus_agent/sbin/nessuscli agent link --key=<key_id> --host=<IP address> --port=<port> group=<group>


Log Files

https://docs.tenable.com/nessus-agent/Content/ManageLogs.htm


Troubleshooting

409 Agent with UUID Already Exists

Steps for resolution: https://community.tenable.com/s/article/Nessus-Agent-409-UUID-Error?language=en_US

  1. Stop the agent
sudo systemctl stop nessusagent
  1. Remove the file containing the UUID
rm /etc/tenable_tag
  1. Start the agent
sudo systemctl start nessusagent
  1. Try relinking
sudo /opt/nessus_agent/sbin/nessuscli agent link --key=<key_id> --host=<IP address> --port=<port> group=<group>


Backported Vulnerabilities

When a vulnerability is found in a specific version of a software the vendor often releases a new version to mitigate the vulnerability. It is common for a linux distribution that contains the vulnerable version to backport a patch to the original version rather than replacing the vulnerable software with the new version. If Nessus did not account for this, software with backported patches would be flagged as vulnerable based on version number, even though the vulnerability has been mitigated.

Nessus instead relies on backport.inc to prevent the false positives. backport.inc contains mappings of known service banners to service banners that have arbitrarily high version numbers. This way when the known service banner is found on a target, the mapping in backport.inc makes the software appear to be on a higher version, when version check plugins run.

Read more here: https://community.tenable.com/s/article/How-does-Nessus-Handle-Backported-Patches?language=en_US

Its not done within Tenable.io or Tenable.sc, its done on the actual Nessus Pro scanner(s), or the "manager". You need to update the file backport.inc. In Linux that would be /opt/nessus/lib/nessus/plugins/backport.inc

Retrieved from "https://dikapedia.com/wiki/index.php?title=Tenable&oldid=3007"