Tenable Vulnerability Management Tips and Tricks, Performance Tuning, Agent, Troubleshooting - NETSEC

Monday, July 15, 2024


Tenable Vulnerability Management® (formerly known as Tenable.io), https://cloud.tenable.com/, allows security and audit teams to share multiple Tenable Nessus, Tenable Nessus Agent, and Tenable Nessus Network Monitor scanners, scan schedules, scan policies, and scan results among an unlimited set of users or groups.

Tenable One is an Exposure Management Platform to help organizations gain visibility across the modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber risk to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources, containers, web apps, and identity systems, builds on the speed and breadth of vulnerability coverage from Tenable Research, and adds comprehensive analytics to prioritize actions and communicate cyber risk. Tenable One allows organizations to: 
  • Gain comprehensive visibility across the modern attack surface
  • Anticipate threats and prioritize efforts to prevent attacks
  • Communicate cyber risk to make better decisions

Tenable Vulnerability Management exists as a standalone product, or can be purchased as part of the Tenable One Exposure Management platform.





Diagram (images not reproduced here):
  • Architecture
  • Topology
Scan Links:
  • https://cloud.tenable.com/tio/app.html#/assess/scans
  • https://cloud.tenable.com/tio/app.html#/settings/sensors/
Asset Link:
  • https://cloud.tenable.com/tio/app.html#/assets-uw/
Sensors Link:
  • https://cloud.tenable.com/tio/app.html#/settings/sensors/

Disable Certain Plugins Using nessusd.rules

The nessusd.rules file is an editable, text-based file used to configure Nessus scans to allow and reject ports, IP addresses, IP ranges, plugins, and targets. Please note that if the scans are launched from Tenable.sc or Tenable.io, all scans that use this Nessus scanner will be subject to the nessusd.rules file.

By default, based on your operating system, the nessusd.rules file can be found in the following locations:

  • Linux
    /opt/nessus/etc/nessus/nessusd.rules 
  • Windows (default location)
    C:\ProgramData\Tenable\Nessus\conf\nessusd.rules

    Note: The ProgramData folder is a hidden folder in Windows by default. In addition, the path specified is the default but can vary if Nessus was installed on another drive (e.g. E:\Programdata\...\). For more information, see the Microsoft article Show hidden files.


Note: https://community.tenable.com/s/article/What-is-the-Nessus-rules-file?language=en_US



root@az-h-22ub:/opt/nessus_agent/etc/nessus# cat nessusd.rules
#
# Nessus rules
#
#
# Target Syntax: accept|reject address/netmask:port[-port_max]
#
# Reject any target on 10.42.123.x
#   reject 10.42.123.0/24
# Reject connecting to port 80 for 10.0.0.1
#   reject 10.0.0.1:80
# Reject connecting to ports 8000 - 10000 (inclusive) for any host in the 192.168.0.0/24 subnet
#   reject 192.168.0.0/24:8000-10000
# Reject connecting to ports 1 - 1024 (inclusive) for the host 2001:db8::abcd
#   reject [2001:db8::abcd]:1-1024
#
#
# Plugin Syntax: plugin-accept|plugin-reject id[-id_max]
#
# Reject plugin #10335
#   plugin-reject 10335
# Allow plugins #10000 through #40000 (inclusive)
#   plugin-accept 10000-40000
#
#
# Default Rule Syntax (if no other rules apply): default accept|reject
#
# Accept everything else
#   default accept
# Reject everything else
#   default reject

default accept
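To make the rule syntax in the file header concrete, here is an added evaluator (not Tenable's code, and not how nessusd itself implements the file) that parses a constructed nessusd.rules and answers "may the scanner connect to this address:port?" and "may this plugin run?". The sample rules are constructed for the example; the assumption that rules are evaluated top to bottom with the first match winning is this example's, not something the file header states.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample rules file (not a real deployment's file), using the syntax
# documented in the nessusd.rules header comments.
SAMPLE_RULES = """
# Reject any target on 10.42.123.x
reject 10.42.123.0/24
# Reject port 80 on one host
reject 10.0.0.1:80
# Reject ports 8000-10000 for a subnet
reject 192.168.0.0/24:8000-10000
# Reject ports 1-1024 on an IPv6 host
reject [2001:db8::abcd]:1-1024
# Never run plugin 10335, explicitly allow 10000-40000
plugin-reject 10335
plugin-accept 10000-40000
default accept
"""

TARGET_RE = re.compile(r"^(accept|reject)\s+(\S+)$")
PLUGIN_RE = re.compile(r"^plugin-(accept|reject)\s+(\d+)(?:-(\d+))?$")
DEFAULT_RE = re.compile(r"^default\s+(accept|reject)$")


@dataclass
class TargetRule:
    action: str
    network: object          # ipaddress.IPv4Network or IPv6Network
    port_min: Optional[int]  # None means "all ports"
    port_max: Optional[int]


@dataclass
class PluginRule:
    action: str
    id_min: int
    id_max: int


def _split_host_port(spec: str):
    """Split 'address/netmask[:port[-port_max]]' into (network, port_min, port_max).
    IPv6 targets with a port are bracketed, so only the ':' after ']' is a separator."""
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]")
        port_part = rest[1:] if rest.startswith(":") else ""
    elif spec.count(":") > 1:            # bare IPv6 address/prefix, no port
        host, port_part = spec, ""
    else:
        host, _, port_part = spec.partition(":")
    network = ipaddress.ip_network(host, strict=False)
    if not port_part:
        return network, None, None
    lo, _, hi = port_part.partition("-")
    return network, int(lo), int(hi or lo)


def parse_rules(text: str):
    """Parse rule text into (target_rules, plugin_rules, default_action).
    Assumption of this example: rules are evaluated top to bottom, first match wins."""
    targets, plugins, default = [], [], "accept"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = TARGET_RE.match(line)
        if m:
            net, lo, hi = _split_host_port(m.group(2))
            targets.append(TargetRule(m.group(1), net, lo, hi))
            continue
        m = PLUGIN_RE.match(line)
        if m:
            lo = int(m.group(2))
            plugins.append(PluginRule(m.group(1), lo, int(m.group(3) or lo)))
            continue
        m = DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
            continue
        raise ValueError(f"unrecognised rule: {raw!r}")
    return targets, plugins, default


def target_allowed(rules, address: str, port: int) -> bool:
    """True if the scanner may connect to address:port under these rules."""
    targets, _, default = rules
    ip = ipaddress.ip_address(address)
    for r in targets:
        if ip.version != r.network.version or ip not in r.network:
            continue
        if r.port_min is not None and not (r.port_min <= port <= r.port_max):
            continue
        return r.action == "accept"
    return default == "accept"


def plugin_allowed(rules, plugin_id: int) -> bool:
    """True if the plugin may run under these rules."""
    _, plugins, default = rules
    for r in plugins:
        if r.id_min <= plugin_id <= r.id_max:
            return r.action == "accept"
    return default == "accept"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for addr, port in [("10.42.123.7", 22), ("10.0.0.1", 80), ("10.0.0.1", 443)]:
        print(addr, port, "accept" if target_allowed(rules, addr, port) else "reject")
    print("plugin 10335:", "accept" if plugin_allowed(rules, 10335) else "reject")
```

Running it against a copy of your own nessusd.rules before deploying a change is a cheap way to confirm that a new reject line really covers the hosts or ports you meant, and that the trailing default line still says what you expect.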



Best Practice: Run Credentialed Scans

How to Create Managed Credentials in Tenable.io

Setting up Managed Credentials allows you to use a single set of credentials on multiple scans.


  1. Choose the type of credentials you want to create (Window, SSH, etc.).
  2. Choose your authentication method, enter your credentials, and select the appropriate permissions for the group/user(s) for access.
  3. Click Create to complete the setup.
An animated GIF file on creating managed credentials.

Create a Managed Credential. (Note: this will open in a new window.)


How to Apply Managed Credentials to a Scan

Adding credentials to a scan template is easy. Let's get started with a basic scan.


  1. Under Vulnerability Management, click Create Scan.
  2. Choose the Basic Network Scan Template.
  3. Fill out basic scan setup details (Name, Targets, etc).
  4. In the left panel, click Credentials to open the menu to add managed credentials.
  5. Assign Managed Credentials (and/or scan-specific credentials, which are not reusable by other scans).

To get started with this configuration, create a basic scan to apply your managed credentials. (Note: the basic scan link will open in a new window.)

An animated GIF file on adding credentials to a scan.


Automatically Delete Stale Assets With Asset Age Out


  • Asset Age Out is an optional configuration used to permanently delete licensed assets on your container, on a specific network.
  • It is recommended to enable Asset Age Out on all networks you configure to better manage licenses and data retention.

Use case: An organization has a corporate policy to retain security data for no longer than six months. Asset Age Out would be enabled for all networks, set to 180 days.


Setting Up Asset Age Out

  • Click the Asset Age Out toggle to permanently delete assets in your network after a specific number of days. All asset records and associated vulnerabilities are deleted and cannot be recovered. The deleted assets no longer count towards your license.
  • In the text box below, enter the number of days that Tenable.io should wait before permanently deleting assets that have not been seen on a scan. The minimum value is 14 and the maximum value is 365.


Best practice: Unless your organization has policies to retain data for a specific period of time, Tenable recommends setting Asset Age Out on newly added networks to 180 days or less.





Use Cloud Agents to Gain Vulnerability Insights on Remote Assets



Nessus Agents help provide visibility on assets in a mobile workforce or in environments and networks where implementing a Nessus Scanner is not possible.

Nessus Agents are highly beneficial for remote / mobile workers, providing vulnerability insights on assets that are not located in an environment controlled by the IT or IS team. If an organization employs a remote sales force, for example, the assets assigned to those team members may rarely, if ever, be in a physical location under the administration of a company’s IT or IS staff. These situations require a different solution to ensure proper asset coverage is achieved.

BENEFITS OF CREDENTIALED SCANNING:
  • Provides coverage to mobile assets.
  • Can be built into the company "golden image."
  • Automatic updates to agent software.
  • Automatic updates to agent plugins.
  • Require only an Internet connection.

Since agents do not perform remote checks or compliance scans, please ensure that implementing agents is the most appropriate path for your organization.


Deploy Agents in Your Environment

To deploy Nessus Agents in your environment:


  1. Navigate to https://www.tenable.com/downloads/nessus-agents.
  2. Download the appropriate agent package / installation for your environment.
  3. Install the Nessus Agent manually or via your existing software deployment solution.

Note that your Tenable.io linking key will be required to link agents to your Tenable.io container.


Agent Deployment Guide: 
  • https://docs.tenable.com/other/nessusagent/Nessus_Agent_Large_Scale_Deployment_Guide.pdf

Remove Agent:

1. Unlink from Tenable Vulnerability Management Portal
2. Run remove commands from system

root@az-h-22ub:~# dpkg -r NessusAgent
(Reading database ... 170997 files and directories currently installed.)
Removing nessusagent (10.6.4) ...
root@az-h-22ub:~# 

https://docs.tenable.com/nessus-agent/10_7/Content/RemoveNessusAgentLinux.htm


Troubleshooting Agent Link issue - Not showing in Tenable Cloud


Check the log:

 /opt/nessus_agent/var/nessus/logs/backend.log

Look for a failed 443 connection to Tenable.io, for example:

Connection to cloud.tenable.com:443 failed

Check your DNS name resolution (e.g. nslookup tenable.com) and Internet access (e.g. wget https://www.tenable.com).


Error: "Linked failed an agent with the UUID already exists"

# systemctl stop nessusagent
# rm /etc/tenable_tag /etc/machine_id
# systemctl start nessusagent

Agent Re-link

/opt/nessus_agent/sbin/nessuscli agent link --key=24adyf1234f8e686e3725412ef1234345353567e076cca1cf59b2e4 --host=sensor.cloud.tenable.com --port=443


Agent Not Connecting to Cloud: Troubleshooting


Steps

1. Check the log:

/opt/nessus_agent/var/nessus/logs/backend.log

Make sure the agent can reach sensor.cloud.tenable.com:443, i.e. https://sensor.cloud.tenable.com

2. Remove the installed agent and reinstall it: yum remove NessusAgent

3. Try re-linking with this command: /opt/nessus_agent/sbin/nessuscli agent link --key=24d35777c41aaaaf8e686e3725412ef44aaaaa71e076aaa1aa59aaa4 --host=sensor.cloud.tenable.com --port=443

4. Check the log again to see whether it has connected. If you see an error like this: [error] [agent] Link fail: [409] Agent with uuid agentUuid=7691f4bc-4515-4ed1-8d2e-1bc5943bce9e attempt to link, but another agent in container containerUuid=bd44c111-6d27-480e-b4ac-47e1f12c3bc8 with different token already exists.

5. Stop the agent service: systemctl stop nessusagent

6. Then remove the IDs: rm /etc/tenable_tag /etc/machine_id

7. Start the service and check whether it works now: systemctl start nessusagent
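The two link-troubleshooting sections above (the "connection failed" case and the "[409] agent with uuid already exists" case) both start with reading backend.log. This added Python triage script, which is not Tenable's code, classifies backend.log lines into those two failure modes and prints the remediation the post gives for each; the sample log lines are constructed (the line format and the zero-filled UUIDs are placeholders, not real values), and the optional TCP check of sensor.cloud.tenable.com:443 only runs when you invoke the script with --live.

```python
import re
import socket
import sys

# Constructed sample backend.log excerpt (format modelled on the error quoted in
# the post; UUIDs are zero-filled placeholders, not real identifiers).
SAMPLE_LOG = """\
[2024-07-15 09:00:01] [info] [agent] Starting agent
[2024-07-15 09:00:02] [error] [agent] Connection to cloud.tenable.com:443 failed
[2024-07-15 09:00:03] [error] [agent] Link fail: [409] Agent with uuid agentUuid=00000000-0000-0000-0000-000000000001 attempt to link, but another agent in container containerUuid=00000000-0000-0000-0000-000000000002 with different token already exists.
"""

CONNECT_RE = re.compile(r"Connection to (?P<host>[^:\s]+):(?P<port>\d+) failed")
CONFLICT_RE = re.compile(
    r"Link fail: \[409\].*?agentUuid=(?P<agent>[0-9a-fA-F-]+)"
    r".*?containerUuid=(?P<container>[0-9a-fA-F-]+)"
)

# Remediation text taken from the troubleshooting steps in the post.
REMEDIATION = {
    "connectivity": (
        "Check DNS resolution (nslookup tenable.com) and outbound HTTPS to "
        "sensor.cloud.tenable.com:443 (e.g. wget https://www.tenable.com)."
    ),
    "uuid_conflict": (
        "systemctl stop nessusagent; rm /etc/tenable_tag /etc/machine_id; "
        "systemctl start nessusagent; then re-link with nessuscli agent link."
    ),
}


def diagnose(log_text: str):
    """Return one finding dict per recognised error line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            findings.append({
                "kind": "connectivity",
                "host": m.group("host"),
                "port": int(m.group("port")),
                "remediation": REMEDIATION["connectivity"],
            })
            continue
        m = CONFLICT_RE.search(line)
        if m:
            findings.append({
                "kind": "uuid_conflict",
                "agent_uuid": m.group("agent"),
                "container_uuid": m.group("container"),
                "remediation": REMEDIATION["uuid_conflict"],
            })
    return findings


def summarize(findings):
    """Collapse repeated lines of the same kind so advice is printed once."""
    seen = {}
    for f in findings:
        seen.setdefault(f["kind"], f)
    return seen


def check_sensor_reachable(host="sensor.cloud.tenable.com", port=443, timeout=5.0):
    """Live TCP reachability check (not exercised by the tests)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Usage: python agent_triage.py [/opt/nessus_agent/var/nessus/logs/backend.log] [--live]
    args = [a for a in sys.argv[1:] if a != "--live"]
    text = open(args[0]).read() if args else SAMPLE_LOG
    for kind, f in summarize(diagnose(text)).items():
        print(f"{kind}: {f}")
    if "--live" in sys.argv:
        print("sensor reachable:", check_sensor_reachable())
```

Point it at the real backend.log on an agent that never appears in the portal; if it reports a uuid_conflict, the agent was cloned from an image that already held /etc/tenable_tag, which is exactly the situation steps 5 to 7 above resolve.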

 

Agent Scan CPU Usage Issue


CPU usage goes high during the scan period:

Scan - Edit a Scan - Settings - Advanced:

Change Performance for CPU and Plugin Compilation (screenshot):

Using the Performance Low settings gives 50+% less CPU usage:


Commands in Linux:

root@az-h-22ub:~# /opt/nessus_agent/sbin/nessuscli fix --set plugin_load_performance_mode=low
root@az-h-22ub:~# /opt/nessus_agent/sbin/nessuscli fix --set scan_performance_mode=low
root@az-h-22ub:~# systemctl restart nessusagent



How to Use Exclusion Lists to Avoid Duplication



An exclusions list designates specific assets that you do not want your vulnerability management solution to scan.


Exclusion lists can be particularly useful to help maintain good scan hygiene and performance. If you run non-credentialed scans, for example, you may not collect enough data to uniquely identify a firewall or Layer 3 switch when multiple interfaces are scanned. An exclusion list can remove duplicate IP addresses in situations like this assessment.


BENEFITS OF AN EXCLUSIONS LIST:

  • Prevent duplication of assets with multiple NICs.
  • Exclude resources from scans that may affect performance, operations, or availability.
  • Configure a scan to target only a specific area of your network.
  • Restrict the scanning of specific hosts based on a selected schedule.

Since exclusions can create a visibility gap, you may want to consider additional mitigations or assessment methods for assets you exclude from network scanning.


Create an Exclusions List in Tenable.io

It is easy to create an exclusion list. Follow these steps to create one.


Navigate to Settings > Exclusions or click here to get started in a new browser tab.


  1. Click the ⊕ Create Exclusion button. The Create an Exclusion page appears.
  2. Add targets and/or networks to exclude.
  3. Click Save to save the exclusions list for use in your scan configurations.

Documentation link: Exclusion Settings.


Note: Exclusions apply to all Nessus scanners.


Use Case: Resolving Multiple NICs

Tenable does not recommend scanning through firewalls. Scanning through firewalls can cause IP address duplication and issues merging multiple network interface controllers (NICs) into a single asset. If you must perform a non-credentialed scan on multiple NICs, you may want to identify and exclude any duplicate IPs using an exclusions list.

STEPS TO USE EXCLUSIONS LISTS TO RESOLVE MULTIPLE NICS:

  1. Scan the assets with credentials to uniquely identify any cases where an asset has multiple NICs.
  2. Add any extra IPs that do not provide value to your exclusions list.
  3. Correct any reporting inaccuracies by deleting duplicate IP addresses through the UI or API.

Best Practice: Run Remediation Scans

The option to run a Remediation scan on a specific plugin (select the plugin and launch a scan) is available only on TVM (Tenable.io) and SecurityCenter. Alternatively, you can run an Advanced Scan policy with the defaults and, on the Plugins tab, disable all plugins except the one you are checking for (you may also want to enable plugin 19506 - Nessus Scan Information).


The purpose of running a remediation scan is to provide validation on the successful resolution of critical vulnerabilities in your network.


A remediation scan is targeted to evaluate a specific plugin against a specific scan target or targets where a vulnerability was discovered in an earlier active scan.


BENEFITS OF REMEDIATION SCANS:

  • Targeted to specific vulnerabilities that previous scans identified on your network.
  • Validates remediation of the vulnerabilities identified in a previous scan.
  • Integrates easily into remediation testing cycles. Remediation scans are targeted scans to aid teams who are responsible for remediating only certain sets of vulnerabilities.

How to Launch a Remediation Scan in Tenable.io

Running a remediation scan requires the following user role and access group permissions:

a. Roles: Scan Operator, Standard, Scan Manager or Administrator

b. Access Group Permissions: Can Scan

Launch a remediation scan directly on the Vulnerability Details or the Asset Details pages using the Actions button on the top right of the page. This sets the scope of the scan to the plugin and specified asset(s).


Note: Remediation scans on scan results can only be performed by using Tenable connected Nessus scanners.


Remediation Scan Tips

  • Tenable.io assigns a vulnerability state (new, active, fixed, resurfaced) to all vulnerabilities on your network. You can track and filter by vulnerability state to see the detection, resolution, and reappearance of vulnerabilities over time.

  • You can create an asset filter to view and report on assets where a vulnerability was recently mitigated.

  • In order to update the vulnerability state, the same Authentication level must be used. So it is important to identify if a plugin requires scan credentials and add credentials, if needed. Tenable.io does not automatically add credentials when creating a remediation scan. If scan credentials are missing or incorrect, the scanner will not have sufficient access to detect if the vulnerability is fixed and will not be able to assess and update the vulnerability state accordingly.

  • Tenable.io has a limit of 10k scans per container. When planning the remediation scan for a single plugin, Tenable advises targeting large groups of systems instead of creating multiple versions of the scan that only target a small number of systems.

  • Tenable recommends periodically deleting old remediation scans from the remediation scan folder to avoid reaching the 10k scan limit.

Maximize Visibility on Vulnerability Mitigations

Tenable.io offers a Mitigation Summary dashboard to help you track vulnerabilities as they are fixed, get a summary of open vulnerabilities, and view current and mitigated vulnerabilities.


Follow the steps below to add this dashboard:

  1. Navigate to 'Dashboards' in the main navigation panel
  2. Click to add New Dashboard via the Template Library
  3. Search for 'Mitigation Summary'
  4. Click on the tile and choose 'Add' to include on your Dashboard for viewing and customizing.


Scan Troubleshooting

 

Visit Scans to view scan status and access scan results. If there is an error, a 'Warnings' tab will appear in the 'Scan Details' view. Click on 'View Error Info' to view documentation with recommended troubleshooting steps to resolve errors.



Scan Aborted



If your scan was aborted, it may not have been caused by another operator or admin. The best practice is to leave some idle time between scans.

The maximum number of concurrent scanning sessions is five.


Tenable Partner Portal

 

MSSP Portal: https://cloud.tenable.com/tio/app.html#/mssp/dashboard

Accounts - Create Evaluation Account for one month trial of Tenable.io

Following modules: (screenshot not reproduced here)

Directly sign in from this evaluation account: (screenshot not reproduced here)

Here is how the evaluation account dashboard looks after logging in: (screenshot not reproduced here)




How to backup / restore Configuration and Scan Results

Export / Import .nessus or .db file

    You can import an exported Tenable Nessus (.nessus) or Tenable Nessus DB (.db) scan. With an imported scan, you can view scan results, export new reports for the scan, rename the scan, and update the description. You cannot launch imported scans or update policy settings.

    You can also import .nessus files as policies. For more information, see Import a Policy.
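An exported .nessus file is XML (NessusClientData_v2 with Report, ReportHost and ReportItem elements), so it is easy to inspect offline before importing it, or to pull a summary out of it for a remediation report. The following is an added Python example, not Tenable's code: it parses a constructed .nessus snippet, counts findings per severity, and lists the hosts whose plugin 19506 (Nessus Scan Information, mentioned in the remediation section above) output confirms credentialed checks ran. The host, OS string and the plugin id 999001 in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed minimal .nessus export (not a real scan result). Plugin 999001 is a
# placeholder id; 19506 is the real "Nessus Scan Information" plugin.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Policy><policyName>Basic Network Scan</policyName></Policy>
  <Report name="constructed-scan">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="operating-system">Example Linux (constructed)</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information"
                  pluginFamily="Settings">
        <plugin_output>Credentialed checks : yes</plugin_output>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="999001" pluginName="Constructed Example Finding"
                  pluginFamily="Misc.">
        <plugin_output>placeholder output</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <HostProperties><tag name="host-ip">10.0.0.6</tag></HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information"
                  pluginFamily="Settings">
        <plugin_output>Credentialed checks : no</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}
SCAN_INFO_PLUGIN = 19506


def parse_nessus(text: str):
    """Return a list of hosts, each with its properties and ReportItem findings.
    For files from untrusted sources, parse with defusedxml instead of ElementTree."""
    root = ET.fromstring(text)
    hosts = []
    for rh in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.findall("HostProperties/tag")}
        findings = []
        for item in rh.findall("ReportItem"):
            out = item.find("plugin_output")
            findings.append({
                "plugin_id": int(item.get("pluginID")),
                "name": item.get("pluginName"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "output": (out.text or "").strip() if out is not None else "",
            })
        hosts.append({
            "host": rh.get("name"),
            "ip": props.get("host-ip", rh.get("name")),
            "os": props.get("operating-system", ""),
            "findings": findings,
        })
    return hosts


def severity_counts(hosts):
    """Counter of findings keyed by numeric severity (0 info .. 4 critical)."""
    return Counter(f["severity"] for h in hosts for f in h["findings"])


def credentialed_hosts(hosts):
    """IPs whose scan-information plugin reports that credentialed checks ran."""
    result = []
    for h in hosts:
        for f in h["findings"]:
            if f["plugin_id"] == SCAN_INFO_PLUGIN and "Credentialed checks : yes" in f["output"]:
                result.append(h["ip"])
                break
    return result


if __name__ == "__main__":
    hosts = parse_nessus(SAMPLE_NESSUS)
    for sev, n in sorted(severity_counts(hosts).items()):
        print(f"{SEVERITY_NAMES.get(sev, sev)}: {n}")
    print("credentialed:", credentialed_hosts(hosts))
```

The credentialed-hosts check is worth running on every export: a host that shows up with "Credentialed checks : no" will never have its vulnerability state updated to fixed by a later remediation scan, which is the failure mode the Remediation Scan Tips section describes.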

    Backup


    The Nessus backup includes the following folders and files:
    • /nessus/var/nessus/users/admin/auth/admin
    • /nessus/var/nessus/users/admin/auth/rules
    • /nessus/var/nessus/users/admin/policies.db

    Using the Nessus CLI, you can back up your Tenable Nessus to restore it later on any system, even if it is a different operating system. When you back up Tenable Nessus, your license information and settings are preserved. Tenable Nessus does not back up scan results.


