Tenable
Latest revision as of 18:54, 17 October 2024
What is Tenable?
Ref: https://docs.tenable.com/nessus-agent/Content/GettingStarted.htm
Tenable Nessus Agents are lightweight, low-footprint programs that you install locally on hosts to supplement traditional network-based scanning or to provide visibility into gaps that traditional scanning misses. Tenable Nessus Agents collect vulnerability, compliance, and system data, and report that information back to a manager for analysis. With Tenable Nessus Agents, you extend scan flexibility and coverage. You can scan hosts and endpoints that intermittently connect to the internet without using credentials. You can also run large-scale concurrent agent scans with little network impact.
About Tenable Nessus Agents
Ref: https://docs.tenable.com/nessus-agent/Content/GettingStarted.htm
Tenable Nessus Agents help you address the challenges of traditional network-based scanning, specifically for the assets where it's impossible or nearly impossible to collect information about your organization's security posture consistently. Traditional scanning typically occurs at selected intervals or during designated windows and requires systems to be accessible when a scan executes. If laptops or other transient devices are not accessible when a scan executes, they are excluded from the scan, leaving you unaware of vulnerabilities on those devices.
Once installed on servers, portable devices, or other assets found in today’s complex IT environments, Tenable Nessus Agents identify vulnerabilities, policy violations, misconfigurations, and malware on the hosts where they are installed and report results back to the managing product. You can manage Tenable Nessus Agents with Tenable Nessus Manager or Tenable Vulnerability Management.
Tenable Nessus Agent CLI Commands
Tenable Documentation: https://docs.tenable.com/nessus-agent/Content/NessusCLIAgent.htm
Install the Nessus Agent
1. Install the package built for your distribution and architecture (es7 is the RHEL/CentOS 7 build; the version in the filename will differ)
sudo rpm -ivh ./NessusAgent-10.4.0-es7.x86_64.rpm
2. Start and enable the service to run at boot
sudo systemctl start nessusagent
sudo systemctl enable nessusagent
3. Verify Nessus agent is running
sudo systemctl status nessusagent
Uninstall Nessus Agent
sudo yum remove NessusAgent
Check Nessus Agent Status
This shows which manager (host and port) the agent is linked to and whether it is currently connected to it.
sudo /opt/nessus_agent/sbin/nessuscli agent status
Check Agent UUID
Run:
sudo /opt/nessus_agent/sbin/nessuscli agent status --show-uuid
or
cat /etc/tenable_tag
Linking the Nessus Agent
If nessuscli agent status reports that the agent is not linked to any manager, link it with the following command (Nessus Manager listens on port 8834 by default; the flag is --groups, not group=):
sudo /opt/nessus_agent/sbin/nessuscli agent link --key=<key_id> --host=<IP address> --port=<port> --groups=<group>
Log Files
https://docs.tenable.com/nessus-agent/Content/ManageLogs.htm
Troubleshooting
409 Agent with UUID Already Exists
Steps for resolution: https://community.tenable.com/s/article/Nessus-Agent-409-UUID-Error?language=en_US
- Stop the agent
sudo systemctl stop nessusagent
- Remove the file that stores the agent UUID (the agent generates a new UUID when it starts without it)
rm /etc/tenable_tag
- Start the agent
sudo systemctl start nessusagent
- Try relinking
sudo /opt/nessus_agent/sbin/nessuscli agent link --key=<key_id> --host=<IP address> --port=<port> --groups=<group>
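The Linking and 409 steps above combined into one script, added here as an example; it is not code from the page or from Tenable. It assumes that an unlinked agent prints no "Linked to:" line in nessuscli agent status and that a failed link reply for the duplicate-UUID case contains the text "409" (constructed sample output, not verified against a real agent). NESSUSCLI, SYSTEMCTL and TAG_FILE are hypothetical overrides so the logic can be exercised without an installed agent:

```shell
#!/bin/sh
# Added example (not from the page or Tenable). Links a Nessus Agent only when
# `nessuscli agent status` shows no manager, and on a 409 reply applies the
# page's fix: stop, remove /etc/tenable_tag, start, relink.
# Assumed: "Linked to: host:port" marks a linked agent and the 409 reply
# contains "409" (constructed sample formats, not verified agent output).
NESSUSCLI="${NESSUSCLI:-/opt/nessus_agent/sbin/nessuscli}"   # hypothetical override
SYSTEMCTL="${SYSTEMCTL:-systemctl}"                           # hypothetical override
TAG_FILE="${TAG_FILE:-/etc/tenable_tag}"                      # hypothetical override

# 0 if the status text names a manager, 1 if the agent is unlinked.
agent_is_linked() {
    printf '%s\n' "$1" | grep -q '^Linked to: [^ ]'
}

# Print the `agent link` arguments: link_args <key> <host> [port] [groups].
# --groups is the documented flag (the page's "group=" lacks its dashes).
# Values must not contain whitespace: the caller word-splits the result.
link_args() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    _port="${3:-8834}"   # Nessus Manager default
    set -- agent link "--key=$1" "--host=$2" "--port=$_port" ${4:+"--groups=$4"}
    printf '%s\n' "$*"
}

# The page's 409 fix. The old tag is copied aside first so the stale UUID can
# still be matched to the duplicate asset record the manager keeps.
reset_agent_uuid() {
    "$SYSTEMCTL" stop nessusagent
    if [ -f "$TAG_FILE" ]; then
        cp "$TAG_FILE" "$TAG_FILE.$(date +%Y%m%d%H%M%S).bak"
        rm -f "$TAG_FILE"
    fi
    "$SYSTEMCTL" start nessusagent
}

# ensure_linked <key> <host> [port] [groups]: link if needed, retrying once
# after a UUID reset when the manager answers 409.
ensure_linked() {
    _status="$("$NESSUSCLI" agent status 2>&1 || true)"
    if agent_is_linked "$_status"; then
        printf 'already linked: %s\n' "$(printf '%s\n' "$_status" | head -n1)"
        return 0
    fi
    _args="$(link_args "$@")" || return 2
    _out="$("$NESSUSCLI" $_args 2>&1)" && { printf '%s\n' "$_out"; return 0; }
    case "$_out" in
        *409*) reset_agent_uuid && "$NESSUSCLI" $_args ;;
        *)     printf '%s\n' "$_out" >&2; return 1 ;;
    esac
}

# On a real host: sudo sh link_agent.sh run <key> <host> [port] [groups]
if [ "${1:-}" = "run" ]; then
    shift
    ensure_linked "$@"
fi
```

The reset keeps a timestamped copy of the old tag on purpose: after a relink the manager still holds an asset record under the previous UUID, and the backup is the only local record of which one that was.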
Backported Vulnerabilities
When a vulnerability is found in a specific version of a piece of software, the vendor usually releases a new version that fixes it. Linux distributions that ship the vulnerable version commonly backport the fix into the original version instead of replacing the software with the new release, so the version string stays the same. If Nessus did not account for this, software with a backported fix would be flagged as vulnerable on the basis of its version number even though the vulnerability has been mitigated.
To prevent these false positives Nessus relies on backport.inc, which contains mappings from known service banners to banners with arbitrarily high version numbers. When a known banner is found on a target, the mapping in backport.inc makes the software appear to be at a higher version by the time the version-check plugins run.
Read more here: https://community.tenable.com/s/article/How-does-Nessus-Handle-Backported-Patches?language=en_US
This is not done in Tenable.io or Tenable.sc; it is done on the Nessus Pro scanner(s) or the "manager" that runs the plugins, by updating backport.inc. On Linux the file is /opt/nessus/lib/nessus/plugins/backport.inc. Because backport.inc ships with the plugin feed, expect a local edit to be overwritten by the next plugin update.
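A toy model of the backport.inc mechanism, added here as an example; it is not Tenable's code, and BACKPORT_MAP is a constructed table, not the real contents of backport.inc. The banner patterns, replacement versions and fixed versions are invented for the demonstration, and version ordering uses GNU sort -V:

```shell
#!/bin/sh
# Added example (not from the page or Tenable): how a banner-to-version map
# stops a version-check plugin from flagging a backported build.
# BACKPORT_MAP is a CONSTRUCTED stand-in for backport.inc, one entry per line
# as "<ERE pattern>#<replacement banner>"; the entries are invented.
BACKPORT_MAP='^OpenSSH_7\.4p1 Ubuntu-10ubuntu[0-9]+$#OpenSSH_99.9
^Apache/2\.4\.6 \(CentOS\)$#Apache/99.9'

# Rewrite a banner with the first matching map entry; unknown banners are
# returned unchanged and will be judged on their raw version.
apply_backport() {
    _banner="$1"; _result="$1"
    _oldifs=$IFS; IFS='
'
    set -f   # patterns contain [0-9]+ and must not be glob-expanded
    for _line in $BACKPORT_MAP; do
        _pat=${_line%%#*}; _rep=${_line#*#}
        _cand=$(printf '%s\n' "$_banner" | sed -E "s#$_pat#$_rep#")
        if [ "$_cand" != "$_banner" ]; then _result=$_cand; break; fi
    done
    set +f; IFS=$_oldifs
    printf '%s\n' "$_result"
}

# First dotted version number in a banner, e.g. "7.4" from "OpenSSH_7.4p1".
banner_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1
}

# 0 when $1 >= $2 in natural version order (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Stand-in for a version-check plugin: check_vulnerable <banner> <fixed> [raw]
# returns 0 (vulnerable) when the banner's version is below <fixed>, 1 when
# not, 2 when no version can be read. "raw" skips the backport map, which is
# what produces the false positive the map exists to prevent.
check_vulnerable() {
    _b="$1"; _fixed="$2"
    [ "${3:-}" = raw ] || _b=$(apply_backport "$_b")
    _v=$(banner_version "$_b")
    [ -n "$_v" ] || return 2
    ! version_ge "$_v" "$_fixed"
}

# Usage: sh backport_demo.sh '<service banner>' <fixed version>
if [ $# -ge 2 ]; then
    if check_vulnerable "$1" "$2" raw; then echo "raw version check: vulnerable"; else echo "raw version check: not vulnerable"; fi
    if check_vulnerable "$1" "$2"; then echo "with backport map: vulnerable"; else echo "with backport map: not vulnerable"; fi
fi
```

Run it with the distro banner 'OpenSSH_7.4p1 Ubuntu-10ubuntu2' and fixed version 7.5: the raw check flags it, the mapped check does not, while the bare 'OpenSSH_7.4p1' banner (no map entry) is still flagged, which is the behaviour the page describes for builds not yet listed in backport.inc.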