Tenable One is an Exposure Management Platform to help organizations gain visibility across the modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber risk to support optimal business performance.
The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources, containers, web apps, and identity systems, builds on the speed and breadth of vulnerability coverage from Tenable Research, and adds comprehensive analytics to prioritize actions and communicate cyber risk. Tenable One allows organizations to:
- Gain comprehensive visibility across the modern attack surface
- Anticipate threats and prioritize efforts to prevent attacks
- Communicate cyber risk to make better decisions
Tenable Vulnerability Management exists as a standalone product, or can be purchased as part of the Tenable One Exposure Management platform.
Diagram
- https://cloud.tenable.com/tio/app.html#/assess/scans
- https://cloud.tenable.com/tio/app.html#/settings/sensors/
- https://cloud.tenable.com/tio/app.html#/assets-uw/
Disable Certain Plugins Using nessusd.rules
The nessusd.rules file is an editable, text-based file used to configure Nessus scans to allow and reject ports, IP addresses, IP ranges, plugins, and targets. Please note that if scans are launched from Tenable.sc or Tenable.io, all scans that use this Nessus scanner will be subject to the nessusd.rules file. By default, based on your operating system, the nessusd.rules file can be found in the following locations:
- Linux
/opt/nessus/etc/nessus/nessusd.rules
- Windows (default location)
C:\ProgramData\Tenable\Nessus\conf\nessusd.rules
Note: The ProgramData folder is by default a hidden folder in Windows. In addition, the path specified is the default but can vary if Nessus was installed on another drive (i.e. E:\Programdata\...\). For more information, see the Microsoft article Show hidden files.
root@az-h-22ub:/opt/nessus_agent/etc/nessus# cat nessusd.rules
#
# Nessus rules
#
#
# Target Syntax: accept|reject address/netmask:port[-port_max]
#
# Reject any target on 10.42.123.x
# reject 10.42.123.0/24
# Reject connecting to port 80 for 10.0.0.1
# reject 10.0.0.1:80
# Reject connecting to ports 8000 - 10000 (inclusive) for any host in the 192.168.0.0/24 subnet
# reject 192.168.0.0/24:8000-10000
# Reject connecting to ports 1 - 1024 (inclusive) for the host 2001:db8::abcd
# reject [2001:db8::abcd]:1-1024
#
#
# Plugin Syntax: plugin-accept|plugin-reject id[-id_max]
#
# Reject plugin #10335
# plugin-reject 10335
# Allow plugins #10000 through #40000 (inclusive)
# plugin-accept 10000-40000
#
#
# Default Rule Syntax (if no other rules apply): default accept|reject
#
# Accept everything else
# default accept
# Reject everything else
# default reject
default accept
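As an added example (not from this page or from Tenable), a small Python evaluator for the rule syntax documented in the file above: it parses target, plugin and default rules from a constructed sample file and answers whether a given target:port or plugin id would be scanned. It assumes first-matching-rule-wins ordering and that IPv6 addresses are always bracketed, as in the file's own example.

```python
import ipaddress
import re
SAMPLE_RULES = """# constructed sample: one rule of each documented form
reject 10.42.123.0/24
reject 10.0.0.1:80
reject 192.168.0.0/24:8000-10000
reject [2001:db8::abcd]:1-1024
plugin-reject 10335
plugin-accept 10000-40000
default accept
"""

# target form: address/netmask:port[-port_max]; IPv6 must be bracketed (parser assumption)
TARGET_RE = re.compile(r"^(accept|reject)\s+(\[[^\]]+\]|[^\s:]+)(?::(\d+)(?:-(\d+))?)?$")
PLUGIN_RE = re.compile(r"^plugin-(accept|reject)\s+(\d+)(?:-(\d+))?$")
DEFAULT_RE = re.compile(r"^default\s+(accept|reject)$")

def parse_rules(text):
    """Return (target_rules, plugin_rules, default_action) from nessusd.rules text."""
    targets, plugins, default = [], [], "accept"  # Nessus ships with 'default accept'
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := TARGET_RE.match(line):
            action, addr, lo, hi = m.groups()
            net = ipaddress.ip_network(addr.strip("[]"), strict=False)
            ports = (int(lo), int(hi or lo)) if lo else (1, 65535)  # no port = all ports
            targets.append((action, net, ports))
        elif m := PLUGIN_RE.match(line):
            action, lo, hi = m.groups()
            plugins.append((action, int(lo), int(hi or lo)))
        elif m := DEFAULT_RE.match(line):
            default = m.group(1)
        else:
            raise ValueError(f"unrecognised rule: {raw!r}")
    return targets, plugins, default

def target_allowed(rules, ip, port):
    """True if the scanner may touch ip:port; first matching rule wins, else the default."""
    targets, _, default = rules
    addr = ipaddress.ip_address(ip)  # 'addr in net' is False across IPv4/IPv6 versions
    hit = next((a for a, net, (lo, hi) in targets if addr in net and lo <= port <= hi), default)
    return hit == "accept"

def plugin_allowed(rules, plugin_id):
    # Same first-match logic for plugin-accept / plugin-reject id[-id_max] rules.
    _, plugins, default = rules
    hit = next((a for a, lo, hi in plugins if lo <= plugin_id <= hi), default)
    return hit == "accept"
```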
Best Practice: Run Credentialed Scans
How to Create Managed Credentials in Tenable.io
Setting up Managed Credentials allows you to use a single set of credentials on multiple scans.
- Choose the type of credentials you want to create (Windows, SSH, etc.).
- Choose your authentication method, enter your credentials, and select the appropriate permissions for the group/user(s) for access.
- Click Create to complete the setup.
Create a Managed Credential. (Note: this will open in a new window.)
How to Apply Managed Credentials to a Scan
Adding credentials to a scan template is easy. Let's get started with a basic scan.
- Under Vulnerability Management, click Create Scan.
- Choose the Basic Network Scan Template.
- Fill out basic scan setup details (Name, Targets, etc).
- In the left panel, click Credentials to open the menu to add managed credentials.
- Assign Managed Credentials (and/or scan-specific credentials, which are not reusable by other scans).
To get started with this configuration, create a basic scan to apply your managed credentials. (Note: the basic scan link will open in a new window.)
Automatically Delete Stale Assets With Asset Age Out
- Asset Age Out is an optional configuration used to permanently delete licensed assets on your container, on a specific network.
- It is recommended to enable Asset Age Out on all networks you configure to better manage licenses and data retention.
Use case: An organization has a corporate policy to retain security data for no longer than 6 months. Asset Age Out would be enabled for all networks and set to 180 days.
Setting Up Asset Age Out
- Click the Asset Age Out toggle to permanently delete assets in your network after a specific number of days. All asset records and associated vulnerabilities are deleted and cannot be recovered. The deleted assets no longer count towards your license.
- In the text box below, enter the number of days that Tenable.io should wait before permanently deleting assets that have not been seen on a scan. The minimum value is 14 and the maximum value is 365.
Best practice: Unless your organization has policies to retain data for a specific period of time, Tenable recommends configuring newly added networks to delete stale assets after 180 days or less.
Use Cloud Agents to Gain Vulnerability Insights on Remote Assets
Nessus Agents help provide visibility on assets in a mobile workforce or in environments and networks where implementing a Nessus Scanner is not possible. Nessus Agents are highly beneficial for remote / mobile workers, providing vulnerability insights on assets that are not located in an environment controlled by the IT or IS team. If an organization employs a remote sales force, for example, the assets assigned to those team members may rarely, if ever, be in a physical location under the administration of a company's IT or IS staff. These situations require a different solution to ensure proper asset coverage is achieved.
BENEFITS OF NESSUS AGENTS:
- Provides coverage to mobile assets.
- Can be built-in to the company "golden image."
- Automatic updates to agent software.
- Automatic updates to agent plugins.
- Require only an Internet connection.
Since agents do not perform remote checks or compliance scans, please ensure that implementing agents is the most appropriate path for your organization.
Deploy Agents in Your Environment
To deploy Nessus Agents in your environment:
- Navigate to https://www.tenable.com/downloads/nessus-agents.
- Download the appropriate agent package / installation for your environment.
- Install the Nessus Agent manually or via your existing software deployment solution.
Note that your Tenable.io linking key will be required to link agents to your Tenable.io container.
- https://docs.tenable.com/other/nessusagent/Nessus_Agent_Large_Scale_Deployment_Guide.pdf
Remove Agent:
Troubleshooting Agent Link issue - Not showing in Tenable Cloud
Error: "Linked failed an agent with the UUID already exists"
Agent Re-link
Agent Not Connect to Cloud Troubleshooting
1. Check the log:
/opt/nessus_agent/var/nessus/logs/backend.log
Make sure the host can reach sensor.cloud.tenable.com:443, i.e. https://sensor.cloud.tenable.com
2. Remove the installed agent and install it again: yum remove NessusAgent
3. Try this command to link it again: /opt/nessus_agent/sbin/nessuscli agent link --key=24d35777c41aaaaf8e686e3725412ef44aaaaa71e076aaa1aa59aaa4 --host=sensor.cloud.tenable.com --port=443
4. Check the log again to see whether it connected. If you see an error like this: [error] [agent] Link fail: [409] Agent with uuid agentUuid=7691f4bc-4515-4ed1-8d2e-1bc5943bce9e attempt to link, but another agent in container containerUuid=bd44c111-6d27-480e-b4ac-47e1f12c3bc8 with different token already exists..
5. Stop the agent service: systemctl stop nessusagent
6. Then remove the IDs: rm /etc/tenable_tag /etc/machine_id
7. Start the service and check whether it works now: systemctl start nessusagent
Agent Scan CPU Usage Issue
Commands in Linux:
How to Use Exclusion Lists to Avoid Duplication
An exclusions list designates specific assets that you do not want your vulnerability management solution to scan.
Exclusion lists can be particularly useful to help maintain good scan hygiene and performance. If you run non-credentialed scans, for example, you may not collect enough data to uniquely identify a firewall or Layer 3 switch when multiple interfaces are scanned. An exclusion list can remove duplicate IP addresses in situations like this.
BENEFITS OF AN EXCLUSIONS LIST:
- Prevent duplication of assets with multiple NICs.
- Exclude resources from scans that may affect performance, operations, or availability.
- Configure a scan to target only a specific area of your network.
- Restrict the scanning of specific hosts based on a selected schedule.
Since exclusions can create a visibility gap, you may want to consider additional mitigations or assessment methods for assets you exclude from network scanning.
Create an Exclusions List in Tenable.io
It is easy to create an exclusion list. Follow these steps to create one.
Navigate to Settings > Exclusions or click here to get started in a new browser tab.
- Click the ⊕ Create Exclusion button. The Create an Exclusion page appears.
- Add targets and/or networks to exclude.
- Click Save to save the exclusions list for use in your scan configurations.
Documentation link: Exclusion Settings.
Note: Exclusions apply to all Nessus scanners.
Use Case: Resolving Multiple NICs
Tenable does not recommend scanning through firewalls. Scanning through firewalls can cause IP address duplication and issues merging multiple network interface controllers (NICs) into a single asset. If you must perform a non-credentialed scan on multiple NICs, you may want to identify and exclude any duplicate IPs using an exclusions list.
STEPS TO USE EXCLUSIONS LISTS TO RESOLVE MULTIPLE NICS:
Best Practice: Run Remediation Scans
The option to run a Remediation scan on a specific plugin (select the plugin and launch a scan) is only available in TVM (Tenable.io) and SecurityCenter. Alternatively, you can run an Advanced Scan policy with default settings and, on the Plugins tab, disable all plugins except the one you are checking for (you may also want to enable plugin 19506 - Nessus Scan Information).
The purpose of running a remediation scan is to provide validation on the successful resolution of critical vulnerabilities in your network.
A remediation scan is targeted to evaluate a specific plugin against a specific scan target or targets where a vulnerability was discovered in an earlier active scan.
BENEFITS OF REMEDIATION SCANS:
- Targeted to specific vulnerabilities that previous scans identified on your network.
- Validates remediation of the vulnerabilities identified in a previous scan.
- Integrates easily into remediation testing cycles. Remediation scans are targeted scans to aid teams who are responsible for remediating only certain sets of vulnerabilities.
How to Launch a Remediation Scan in Tenable.io
Running a remediation scan requires the following user role and access group permissions:
a. Roles: Scan Operator, Standard, Scan Manager or Administrator
b. Access Group Permissions: Can Scan
Launch a remediation scan directly on the Vulnerability Details or the Asset Details pages using the Actions button on the top right of the page. This sets the scope of the scan to the plugin and specified asset(s).
Documentation links:
- Launching a Remediation Scan via the UI
- Create Remediation Scans via the API
Note: Remediation scans on scan results can only be performed by using Tenable connected Nessus scanners.
Remediation Scan Tips
- Tenable.io assigns a vulnerability state (new, active, fixed, resurfaced) to all vulnerabilities on your network. You can track and filter by vulnerability state to see the detection, resolution, and reappearance of vulnerabilities over time.
- You can create an asset filter to view and report on assets where a vulnerability was recently mitigated.
- In order to update the vulnerability state, the same Authentication level must be used. So it is important to identify if a plugin requires scan credentials and add credentials, if needed. Tenable.io does not automatically add credentials when creating a remediation scan. If scan credentials are missing or incorrect, the scanner will not have sufficient access to detect if the vulnerability is fixed and will not be able to assess and update the vulnerability state accordingly.
- Tenable.io has a limit of 10k scans per container. When planning the remediation scan for a single plugin, Tenable advises targeting large groups of systems instead of creating multiple versions of the scan that only target a small number of systems.
- Tenable recommends periodically deleting old remediation scans from the remediation scan folder to avoid reaching the 10k scan limit.
Maximize Visibility on Vulnerability Mitigations
Tenable.io offers a Mitigation Summary dashboard to help you track vulnerabilities as they are fixed, get a summary of open vulnerabilities, and view current and mitigated vulnerabilities.
Follow the steps below to add this dashboard:
- Navigate to 'Dashboards' in the main navigation panel
- Click to add New Dashboard via the Template Library
- Search for 'Mitigation Summary'
- Click on the tile and choose 'Add' to include on your Dashboard for viewing and customizing.
Scan Troubleshooting
Visit Scans to view scan status and access scan results. If there is an error, a 'Warnings' tab will appear in the 'Scan Details' view. Click on 'View Error Info' to view documentation with recommended troubleshooting steps to resolve errors.
Quick Links to Scan Error Resources:
- Tenable.io Scan Error Troubleshooting Guide
- Visit the Tenable Community for additional support
Scan Aborted
cloud.tenable.com - Tenable Vulnerability Management
Tenable Partner Portal
- https://cloud.tenable.com/tio/app.html#/assess/scans/
- https://cloud.tenable.com/tio/app.html#/settings/
How to backup / restore Configuration and Scan Results
Export / Import .nessus or .db file
You can also import .nessus files as policies. For more information, see Import a Policy.
Backup
- /nessus/var/nessus/users/admin/auth/admin
- /nessus/var/nessus/users/admin/auth/rules
- /nessus/var/nessus/users/admin/policies.db
References
- Documentation
- What's New
- https://cloud.tenable.com/
- Tenable Vulnerability Management User Guide
- https://community.tenable.com/s/article/How-does-Nessus-determine-Network-Congestion-as-being-detected-during-scans
- https://community.tenable.com/s/article/Nessus-creating-network-congestion-and-using-too-many-resources