Tenable Vulnerability Management (Tenable.io) Basics Including Sensor and Agent Installation - NETSEC


Cybersecurity Memo

Monday, July 3, 2023

Tenable Vulnerability Management (Tenable.io) Basics Including Sensor and Agent Installation

Tenable Vulnerability Management® (formerly known as Tenable.io) allows security and audit teams to share multiple Tenable Nessus, Tenable Nessus Agent, and Tenable Nessus Network Monitor scanners, scan schedules, scan policies, and scan results among an unlimited set of users or groups.

Tenable Vulnerability Management can schedule scans, push policies, view scan findings, and control multiple Tenable Nessus scanners from the cloud. This enables the deployment of Tenable Nessus scanners throughout networks to both public and private clouds as well as multiple physical locations.

In this post, I am going to show, as quickly as I can, the basic steps for bringing this popular Tenable vulnerability scanning tool into your environment.


If you need more material, please go to the Tenable Docs site, Get Started with Tenable Vulnerability Management. You can use the following getting-started sequence to configure and mature your Tenable Vulnerability Management deployment.
  1. Prepare a Deployment Plan
  2. Install and Link Scanners
  3. Configure Scans
  4. Additional Tenable Vulnerability Management Configurations
  5. Review and Analyze
  6. Expand


Diagram

The main Tenable Vulnerability Management interface is hosted in the cloud, and scanners are placed where they are needed:

Compare with other Tenable Products

Tenable Security Center (Formerly Tenable.sc)

The whole Tenable.sc architecture is hosted entirely on premises:

Essentially, this means that Tenable.sc customers are responsible for the hardware for the entire infrastructure, including data storage. The Tenable Vulnerability Management “console” (and data storage) is hosted in the cloud and is therefore Tenable's responsibility.

Your Tenable.sc is on-prem, with all your Nessus Pro scanners linked to Tenable.sc providing all the remote scanning of your network.

For devices which are not on your network (remote workstations) then you need to use Nessus Agents.

Tenable.sc does not directly support Nessus Agents, so you need a collector for your Agent data.

You can either use the older method, in which your Nessus Agents communicate with Nessus Manager, which then forwards the agent data to Tenable.sc,

or the modern way, in which Tenable.io is your collector and Tenable.sc collects the Agent data from Tenable.io. You do not log in to Tenable.io; you still use Tenable.sc as your console.




How Tenable.io Agent and Scanner Work - Traffic Flow Diagram





Tenable One

Tenable One is an Exposure Management Platform to help organizations gain visibility across the modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber risk to support optimal business performance.

Tenable One Enterprise Products

All products in Tenable One Standard, plus:

  • Attack Path Analysis
  • Tenable Attack Surface Management

Tenable PCI ASV Scanning

Note: Tenable Vulnerability Management excludes PCI Quarterly External scan data from dashboards, reports, and workbenches intentionally. This is due to the scan's paranoid nature, which may lead to false positives that Tenable Vulnerability Management would otherwise not detect.

In Tenable PCI ASV, you can create the following scans using scan templates:

  • Vulnerability Management Scan using the Internal PCI Network Scan and PCI Quarterly External Scan templates

  • Tenable Web App Scanning scan using the PCI template

PCI DSS requires organizations to complete quarterly internal network scans, so you may also need to create a scan using the PCI Internal Network Scan template. However, you do not need to submit the internal network scan results for ASV review and validation.



Install Scanner 

Sensors access Tenable Vulnerability Management through sensor.cloud.tenable.com:443. All sensors (Tenable Nessus scanners, Tenable Nessus Agents, Tenable Nessus Network Monitor) need access to cloud.tenable.com:443.


Get the Scanner Key from Portal's Settings -> Sensors:


Linked Scanners:



Installing Nessus on Linux or other OS

Note: It will take a while (about 5 minutes) for the scanner/agent to be installed and linked to sensor.cloud.tenable.com:443.

root@u-20-1-test:~# curl -H 'X-Key: 0d169e0728bf08520ffef4ec03914f9c' 'https://sensor.cloud.tenable.com/install/scanner?name=scanner-name&groups=scanner-group' | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
** Beginning Nessus installation process. **0 --:--:-- --:--:-- --:--:--     0
100  9129    0  9129    0     0  18442      0 --:--:-- --:--:-- --:--:-- 18442
Downloading Nessus install package for Ubuntu.
Installing Nessus.
Selecting previously unselected package nessus.
(Reading database ... 143634 files and directories currently installed.)
Preparing to unpack Nessus-ubuntu1404_amd64.deb ...
Unpacking nessus (10.5.3) ...
Setting up nessus (10.5.3) ...
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
Unpacking Nessus Scanner Core Components...
Created symlink /etc/systemd/system/nessusd.service → /lib/systemd/system/nessusd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/nessusd.service → /lib/systemd/system/nessusd.service.

 - You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
 - Then go to https://u-20-1-test:8834/ to configure your scanner

Applying auto-configuration.
Starting Nessus.
Waiting for Nessus to start and link...
......................
Auto-configuration complete.
Nessus is now linked to sensor.cloud.tenable.com:443
root@u-20-1-test:~#

Using Linking Key to set up your sensor


Linked Scanner:

Scanner Details:

How to change a sensor's link:

Note: https://community.tenable.com/s/article/How-to-link-a-scanner-to-Tenable-io-via-the-command-line?language=en_US

Linux (as root):

# service nessusd stop
# cd /opt/nessus/sbin
# ./nessuscli fix --reset-all
# ./nessuscli adduser
# ./nessuscli managed link --key=<LINKING KEY> --cloud
# service nessusd start

Add Nessus Agent

From Settings - Sensors - Nessus Agents - Add Nessus Agent, you can generate an agent linking key and get the guide on how to install the agent.


Vulnerability Management - Settings - Sensors - Agent Group - Add Nessus Agent
 

Linking Key

24d35777c41ecdff8e686e3725412ef4412d01a2dd019171e076cca1cf59b2e4

Agents can be linked to Tenable Vulnerability Management using the following setup instructions. Once linked, they will automatically download all necessary plugins. This process takes several minutes and is required before an agent will return results.

Installing Agent on Linux platforms

For Linux platforms, you can run the following command to both install and link, after modifying or removing the name and groups options.

curl -H 'X-Key: 24d35777c41ecdff8e686e3725412ef4412d01a2dd019171e076cca1cf59b2e4' 'https://sensor.cloud.tenable.com/install/agent?name=agent-name&groups=agent-group' | bash
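Every install and link command on this page passes the linking key as a command-line argument, where it ends up in shell history and, for the duration of the call, in the process list of the host. The script below is an added example, not Tenable's installer and not code from this post: it reads the key from a root-only file and hands it to curl through a config file, so the key is never a process argument, and it saves the downloaded installer to disk before running it. The file path /root/tenable_linking_key, the 64-hex-character format check (the format of the key shown above) and the --dry-run switch are this example's own assumptions; the URL and the name/groups values are the ones from the command above.

```shell
#!/bin/sh
# Added example (not Tenable's installer): run the same curl | bash agent
# install as on this page, but read the linking key from a root-only file
# instead of typing it on the command line. KEY_FILE, the 64-hex format check
# and the --dry-run switch are this example's own conventions.
KEY_FILE="${KEY_FILE:-/root/tenable_linking_key}"

# key_file_ok FILE -> 0 when FILE is a regular file with no group/other bits set
key_file_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -??????---) return 0 ;;
        *) return 1 ;;
    esac
}

# load_linking_key FILE -> print the key, or fail on loose permissions or a key
# that is not 64 hex characters (the format of the keys shown in the portal)
load_linking_key() {
    key_file_ok "$1" || { echo "refusing $1: must be a regular file with mode 0600" >&2; return 1; }
    key=$(tr -d '[:space:]' < "$1")
    printf '%s\n' "$key" | grep -Eq '^[0-9a-f]{64}$' ||
        { echo "refusing $1: key is not 64 hex characters" >&2; return 1; }
    printf '%s\n' "$key"
}

# agent_install_url NAME GROUP -> the installer URL used on this page
agent_install_url() {
    printf 'https://sensor.cloud.tenable.com/install/agent?name=%s&groups=%s\n' "$1" "$2"
}

# install_agent KEYFILE NAME GROUP [--dry-run]
# The X-Key header goes into a temporary curl config file (-K), so the key is
# never a process argument; the installer script is saved to disk before it is
# run so it can be inspected. With --dry-run only the command is shown.
install_agent() {
    key=$(load_linking_key "$1") || return 1
    url=$(agent_install_url "$2" "$3")
    cfg=$(mktemp) || return 1
    chmod 600 "$cfg"
    printf 'header = "X-Key: %s"\n' "$key" > "$cfg"
    if [ "$4" = "--dry-run" ]; then
        echo "would run: curl -fsS -K $cfg '$url' -o /tmp/tenable-agent-install.sh && bash /tmp/tenable-agent-install.sh"
        rm -f "$cfg"
        return 0
    fi
    curl -fsS -K "$cfg" "$url" -o /tmp/tenable-agent-install.sh
    rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] && bash /tmp/tenable-agent-install.sh
}

# Typical use (as root): install_agent "$KEY_FILE" agent-name agent-group
```

Create the key file once with `umask 077` so it is 0600 from the start; the permission check refuses anything readable by group or others, and the format check catches a key that was copied with a trailing character or a line break.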

Installing Agent on Mac platforms

  1. Get an installer from the Nessus Agent Download page.
  2. Install the agent on your targets manually, via Group Policy, SCCM, or another third-party software deployment application.
  3. During installation, use the following options to link to this manager:
     • Host: sensor.cloud.tenable.com
     • Port: 443
     • The linking key above.


The following installation takes about 5 minutes to complete.

root@ubuntu-test1:~# curl -H 'X-Key: 24d35777c41ecdff8e686e3725412ef4412d01a2dd019171e076cca1cf59b2e4' 'https://sensor.cloud.tenable.com/install/agent?name=agent-name&groups=agent-group' | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8850    0  8850    0     0  15364      0 --:--:-- --:--:-- --:--:-- 15364
** Beginning Nessus Agent installation process. **
Downloading Nessus Agent install package for Ubuntu.
Installing Nessus Agent.
Selecting previously unselected package nessusagent.
(Reading database ... 104225 files and directories currently installed.)
Preparing to unpack NessusAgent-ubuntu1404_amd64.deb ...
Unpacking nessusagent (10.4.4) ...
Setting up nessusagent (10.4.4) ...
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
Unpacking Nessus Agent Core Components...
Created symlink /etc/systemd/system/nessusagent.service → /lib/systemd/system/nessusagent.service.
Created symlink /etc/systemd/system/multi-user.target.wants/nessusagent.service → /lib/systemd/system/nessusagent.service.
 - First, start Nessus Agent by typing /bin/systemctl start nessusagent.service
 - To link this agent, use the '/opt/nessus_agent/sbin/nessuscli agent' command.
   Type '/opt/nessus_agent/sbin/nessuscli agent help' for more info.
Applying auto-configuration.
Starting Nessus Agent.
Waiting for Nessus Agent to start and link...
......................
Auto-configuration complete.
The Nessus Agent is now linked to sensor.cloud.tenable.com:443
root@ubuntu-test1:~#



Once done, you can find the agent on the Linked Agents page, and you might want to add it to one of your Agent Groups for scanning.

  • https://cloud.tenable.com/tio/app.html#/settings/sensors/agents/agents-list?agent_id_agents-list.st=name.0


To start the scan from TVM (previously Tenable.io) portal:

Relink an agent:

change the key:

root@ubuntu-test1:~# /opt/nessus_agent/sbin/nessuscli agent link --key=edcc5d5f2a68706a9ac28aafac288ae367c8497ba68f4641029b0d8b70a39895 
[info] [agent] Loading manager settings from configuration: sensor.cloud.tenable.com:443
[info] [agent] Successfully linked to sensor.cloud.tenable.com:443
root@ubuntu-test1:~#


Manual Installation Steps:

1. On the Tenable Nessus Agent Download Page, download the package specific to your operating system.

2. Run Linux Install Commands from https://docs.tenable.com/nessus-agent/Content/InstallNessusAgentLinux.htm

3. Link the Agent using the Command Line

At the command prompt, use the nessuscli agent link command. For example:

/opt/nessus_agent/sbin/nessuscli agent link --key=00abcd00000efgh11111i0k222lmopq3333st4455u66v777777w88xy9999zabc00 --name=MyOSXAgent --groups="All" --host=yourcompany.com --port=8834 --cloud

Note: You must copy and paste the entire link command on the same line. Otherwise, you receive an error.

4. Manually start the Nessus Agent service and enable it so that it starts whenever the host is rebooted.

After installing a Nessus Agent, you must manually start the service using the /sbin/service nessusagent start command. Tenable also recommends running systemctl enable nessusagent to ensure that the Nessus Agent service starts anytime the host is rebooted.


Execute a basic agent scan:

Choose a specific Agent Group to scan.



Tenable Agent Installation On CentOS

 https://docs.tenable.com/nessus-agent/10_7/Content/InstallNessusAgentLinux.htm

1. Download Tenable Agent from https://www.tenable.com/downloads/nessus-agents

2. Install the agent using the following command
  • # dnf install NessusAgent-<version number>-es8.x86_64.rpm
3. Link Agent to cloud (Tenable Vulnerability Management)
  • /opt/nessus_agent/sbin/nessuscli agent link --key=24d34567c41ecdf2e686e3715412ef412d01a2d019171e07cca1cf59b2e4 --cloud
4. Change the UUID, or remove the file so the configuration is regenerated, if the UUID is duplicated (optional)
  • /etc/tenable_tag ; /etc/machine_id
If you attempt to clone an agent and link it to Tenable Nessus Manager or Tenable Vulnerability Management, a 409 error may appear. This error appears because another machine was linked with the same UUID value in the /etc/machine_id or /etc/tenable_tag file. To resolve this issue, replace the value in the /etc/tenable_tag file with a valid UUIDv4 value. If the /etc/machine_id file does not exist, you can delete /etc/tenable_tag to generate a new value.
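To recover from the 409 duplicate-UUID error described above without hand-typing a UUID, here is an added shell example (not from the Tenable docs or from this post). It checks that a string is a well-formed UUIDv4 and writes a fresh one into /etc/tenable_tag so that the clone no longer shares its predecessor's value; the TENABLE_TAG override and the function names are this example's own, and the re-link command in the closing comment is the one shown in step 3.

```shell
#!/bin/sh
# Added example (not Tenable's code): replace a duplicated agent UUID in
# /etc/tenable_tag with a fresh UUIDv4. TENABLE_TAG is this example's own
# override so it can be exercised on a scratch file without root.
TENABLE_TAG="${TENABLE_TAG:-/etc/tenable_tag}"

# is_uuid4 STRING -> exit 0 if STRING is a well-formed UUIDv4:
# 8-4-4-4-12 hex groups, version nibble 4, variant nibble 8/9/a/b
is_uuid4() {
    printf '%s\n' "$1" |
        grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'
}

# new_uuid4 -> print a random UUIDv4. The kernel already emits version-4 UUIDs;
# the fallback builds one from /dev/urandom and forces the version/variant bits.
new_uuid4() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
        return
    fi
    hex=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    variant=$(printf '%x' $(( (0x$(printf %s "$hex" | cut -c17) & 3) | 8 )))
    printf '%s-%s-4%s-%s%s-%s\n' \
        "$(printf %s "$hex" | cut -c1-8)"  "$(printf %s "$hex" | cut -c9-12)" \
        "$(printf %s "$hex" | cut -c14-16)" "$variant" \
        "$(printf %s "$hex" | cut -c18-20)" "$(printf %s "$hex" | cut -c21-32)"
}

# rotate_tag FILE -> unconditionally write a new UUIDv4 into FILE (a clone
# would otherwise keep its duplicated value) and report old -> new.
# Returns 0 only if FILE now holds a valid UUIDv4 different from the old one.
rotate_tag() {
    f="$1"
    old=$( [ -f "$f" ] && tr -d '[:space:]' < "$f" )
    new=$(new_uuid4)
    is_uuid4 "$new" || { echo "generator produced a bad UUID: $new" >&2; return 1; }
    printf '%s\n' "$new" > "$f" || return 1
    echo "$f: '${old:-<none>}' -> '$new'"
    [ "$new" != "$old" ]
}

# Typical use on a freshly cloned host (as root), followed by the re-link from step 3:
#   rotate_tag "$TENABLE_TAG" && /opt/nessus_agent/sbin/nessuscli agent link --key=<LINKING KEY> --cloud
```

Run it before the agent is linked for the first time on a clone; if the agent is already linked with the duplicated UUID, unlink it first so the manager does not keep two records for the same value.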





Tags


Tag Agent


Create Group

Vulnerability Management - Settings - Sensors - Agent Group - Add Agent Group





Static Tag or Dynamic Tag
  • Filter assets and vulnerabilities
  • Filter for dashboards and reports
  • Create permissions for asset access control

Best practices for using Tags effectively
  • Use a consistent naming convention
  • Limit the number of tags
  • Align with business goals

Portal - settings - tags
  • add tags
  • assign tags to asset

Exclusions

Portal - settings - exclusions
  • Create an exclusion for a time window in which no scanning should take place.



Host Discovery Scans

  • Select scanner type: internal or external
  • Targets: tags or IP ranges
  • Scan window
  • Schedule: the recommendation is weekly
  • Notifications


Compliance Scan

Credentials required.


Uninstall Nessus Agent

Before you begin:

To uninstall Tenable Nessus Agent on Linux:

  1. Type the remove command specific to your Linux-style operating system.

    Example Nessus Agent Remove Commands

root@ubuntu-test1:~# systemctl status | grep agent
           │   │ └─11434 grep --color=auto agent
             ├─nessusagent.service
             │ ├─ 492 /opt/nessus_agent/sbin/nessus-agent-module -q
             │ └─9459 /opt/nessus_agent/sbin/nessus-service -q
             ├─snap.oracle-cloud-agent.oracle-cloud-agent.service
             │ ├─21152 /snap/oracle-cloud-agent/68/agent
             │ ├─21292 /snap/oracle-cloud-agent/current/plugins/gomon/gomon
             │ └─21313 /snap/oracle-cloud-agent/current/plugins/oci-wlp/oci-wlp
             ├─snap.oracle-cloud-agent.oracle-cloud-agent-updater.service
             │ └─21162 /snap/oracle-cloud-agent/68/updater/updater
root@ubuntu-test1:~# systemctl status nessusagent
● nessusagent.service - The Nessus Client Agent
   Loaded: loaded (/lib/systemd/system/nessusagent.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-12-19 02:13:59 UTC; 2 weeks 4 days ago
 Main PID: 9459 (nessus-service)
    Tasks: 13 (limit: 1110)
   CGroup: /system.slice/nessusagent.service
           ├─ 490 nessusd -q
           ├─ 492 /opt/nessus_agent/sbin/nessus-agent-module -q
           └─9459 /opt/nessus_agent/sbin/nessus-service -q
Dec 30 21:11:33 ubuntu-test1 nessus-service[9459]: Cached 189 plugin libs in 317msec
Dec 30 21:11:33 ubuntu-test1 nessus-service[9459]: Cached 189 plugin libs in 164msec
Dec 31 21:14:22 ubuntu-test1 nessus-service[9459]: Cached 189 plugin libs in 314msec
plugin libs in 281msec
Jan 02 03:27:32 ubuntu-test1 nessus-service[9459]: Cached 189 plugin libs in 111msec
root@ubuntu-test1:~# dpkg -r nessusagent
(Reading database ... 104268 files and directories currently installed.)
Removing nessusagent (10.4.4) ...
root@ubuntu-test1:~#






Web Application Scanning

Choose the Web Application Scanning module from the drop-down menu:

You can use Quick Actions -> Create a Web App scan.

There are a few scanning options / templates, such as PCI, API, Quick Scan, etc. Choose Quick Scan.



Enter the URL as your target:




Infrastructure Or Network Scan (Vulnerability Management Scan)

Quick Actions -> Create a VM scan -> Basic Network Scan (A full system scan suitable for any host)


External Scan

Create a Scan - Basic Network Scan -> Scanner Type: Tenable Cloud Scanner
Targets: <Public IP>, Domain Name / URL



Internal Scan:

If you have installed an internal scanner, you should be able to choose it, as shown below (the one we installed earlier).




Agent Scan and Report


Agent Scan

Create a new scan, and select the agent group you would like to scan.




Configure your agent scan with an agent group.


Report


From the three dots of each scan, choose Export:


You will have a few options for the exported report format:




Videos

 
Install and Configure Free Tenable Nessus Vulnerability Scanner in Windows:





