# Tenable Security Center Notes

## Quick Reference

Security Center (dashboard): https://security-center.pvt.xdr.accenturefederalcyber.com (SAML login)

Nessus Manager (client-based scanning): https://nessus-manager-0.pvt.xdr.accenturefederalcyber.com:8834/ (creds in Vault)

## Service

```
systemctl status SecurityCenter
systemctl start nessusd
systemctl status nessusagent
```

## Show Version

```
sudo /opt/nessus/sbin/nessuscli -v
sudo /opt/nessus_agent/sbin/nessuscli -v
```

## Log location

```
/opt/sc/admin/logs
/opt/sc/support/logs
```

## Upgrading Nessus and Tenable.sc (Security Center)

- Download the latest RPM from [Tenable Download - Nessus](https://www.tenable.com/downloads/nessus)
- Check the sha256 on your Mac with `shasum -a 256 Nessus-8.15.1-es7.x86_64.rpm`
- Use `teleport scp` to upload the file to the TEST and PROD repo servers; see [How to add a new package to the Reposerver](Reposerver%20Notes.md)
- Update the tenable repo per the Reposerver Notes above
- Stop the service and take an EBS snapshot as a backup:
  - `systemctl stop SecurityCenter`
  - `systemctl start nessusd`
  - Use the AWS CLI to take a snapshot of all EBS volumes:

    ```
    aws --profile mdr-test-c2-gov ec2 create-snapshots \
      --instance-specification 'InstanceId=i-01d72189085662b1e,ExcludeBootVolume=false' \
      --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Name,Value=security-center-0-pre-upgrade-backup-5.19.1}]'
    ```

- Note: you can upgrade all three Nessus servers at the same time with
  - `salt 'nessus*' cmd.run 'yum clean all && yum makecache fast'`
- Run `yum clean all && yum makecache fast` on the appropriate server, or `salt 'nessus*' pkg.upgrade name=Nessus` on salt-master, to update the software from the repo server
- For Nessus, you need to start the software after the upgrade with
  - `systemctl start nessusd.service`
  - `salt 'nessus*' cmd.run 'systemctl start nessusd.service'`
- For Tenable.sc, use this command: `yum update SecurityCenter`
- To ensure everything is working, log into [Tenable.sc](https://security-center.pvt.xdr.accenturefederalcyber.com) with admin creds, go to Resources > Nessus Scanners, then click Options > Update Status
- If the scanner shows a status of "Protocol Error" you were too fast and need to be patient; go browse a conservative news source for 5 minutes ;-)

NOTE: The Tenable Agents upgrade themselves through the Nessus Manager.

### Security Patches

Occasionally Tenable will release patches for Tenable.sc. These patches need to be installed on the command line and not through the reposerver.

- Download the security patch to your Mac. But what if I am using a Windows laptop? Stop following these instructions and request a Mac laptop.
- Check the hash against the Tenable-provided one:
  - `shasum -a 256 SC-202110.1-5.x-rh7-64.tgz` (on a Mac)
  - `sha256sum SC-202204.3-5.x-rh7-64.tgz` (or on RedHat)
- Use teleport scp or the web UI to upload the file directly to the Tenable.sc server (see Reposerver Notes for an example command)
- Stop Tenable.sc and take a backup via snapshots:
  - `systemctl stop SecurityCenter`
  - Use the AWS CLI to take a snapshot of all EBS volumes:

    ```
    aws --profile mdr-test-c2-gov ec2 create-snapshots \
      --instance-specification 'InstanceId=i-01d72189085662b1e,ExcludeBootVolume=false' \
      --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Name,Value=security-center-0-pre-upgrade-backup-5.21.0}]'
    ```

- Extract the patch and apply it per the Release Notes on Tenable's website

## General Setup

### svc-scan

See [Tenable Knowledge Article - SSH Public Key Authentication for scanning](https://community.tenable.com/s/article/SSH-Public-Key-Authentication). The private key for `svc-scan` is not in Vault because if you lose it or need a new one, just generate a new one and push it out.
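Stepping back to the two procedures above (Upgrading Nessus and Tenable.sc, and Security Patches): the hash check and the EBS snapshot appear in both. As an added shell example, not part of the original notes, the script below wraps them into two functions. `verify_sha256` picks `sha256sum` (RedHat) or `shasum -a 256` (Mac) depending on what the host has and returns non-zero on a mismatch, so a `&&` chain stops before anything is uploaded; `pre_upgrade_snapshot` runs the same `aws ec2 create-snapshots` call as the notes but then waits until AWS reports the snapshots complete, so the `yum` step cannot start while the backup is still pending. The function names are hypothetical; the AWS profile, instance id and tag values are the ones already in the notes, passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original notes): integrity check and
# pre-upgrade snapshot for the Nessus / Tenable.sc upgrade procedure.
# sha256_of / verify_sha256 / pre_upgrade_snapshot are hypothetical
# helper names; the aws CLI subcommands used are real ones.

# Print the SHA-256 hex digest of a file, using sha256sum (RedHat)
# or shasum -a 256 (macOS), whichever is available on this host.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE's digest equals the value published on the
# Tenable download page (case-insensitive); a mismatch or an unreadable
# file returns 1 and prints both digests to stderr.
verify_sha256() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    echo "OK: $1 sha256 matches"
    return 0
  fi
  printf 'MISMATCH for %s\n  expected %s\n  actual   %s\n' "$1" "$expected" "$actual" >&2
  return 1
}

# pre_upgrade_snapshot PROFILE INSTANCE_ID NAME_TAG
# Snapshots every EBS volume on the instance (boot volume included, as in
# the notes) and blocks until AWS reports the snapshots complete, so the
# upgrade does not begin while the backup is still pending.
# Run "systemctl stop SecurityCenter" before calling this, per the procedure.
pre_upgrade_snapshot() {
  snap_ids=$(aws --profile "$1" ec2 create-snapshots \
    --instance-specification "InstanceId=$2,ExcludeBootVolume=false" \
    --tag-specifications "ResourceType=snapshot,Tags=[{Key=Name,Value=$3}]" \
    --query 'Snapshots[].SnapshotId' --output text) || return 1
  echo "Waiting for snapshots to complete: $snap_ids"
  # shellcheck disable=SC2086  # the id list is word-split on purpose
  aws --profile "$1" ec2 wait snapshot-completed --snapshot-ids $snap_ids || return 1
  echo "Snapshots complete: $snap_ids"
}

# Usage:
#   sh pre_upgrade.sh verify Nessus-8.15.1-es7.x86_64.rpm <sha256 from tenable.com>
#   sh pre_upgrade.sh snapshot mdr-test-c2-gov i-01d72189085662b1e security-center-0-pre-upgrade-backup-5.19.1
case "${1:-}" in
  verify)   verify_sha256 "$2" "$3" ;;
  snapshot) pre_upgrade_snapshot "$2" "$3" "$4" ;;
esac
```

Run the `verify` step on whichever machine holds the download before it goes anywhere near the repo server; the `snapshot` step needs the same AWS profile the notes use and only makes sense after SecurityCenter has been stopped.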
### Add Custom CAs

See [Tenable Knowledge Article - Upload a Custom CA certificate to Tenable.sc](https://community.tenable.com/s/article/Upload-a-Custom-CA-certificate-custom-CA-inc-to-Tenable-sc-Formerly-SecurityCenter)

These certs include the XDR Root CA and the intermediate from "XDR WWW Certificates Subordinate CA v2" in AWS. I also grabbed the MDR Root CA G1. The Splunk Common CA is the last cert.

custom_CA.inc

```
-----BEGIN CERTIFICATE-----
MIICMDCCAbagAwIBAgIRAMbEtbFaI4iLYDpPJmXv2gEwCgYIKoZIzj0EAwQwWTEL
MAkGA1UEBhMCVVMxIzAhBgNVBAoMGkFjY2VudHVyZSBGZWRlcmFsIFNlcnZpY2Vz
MQwwCgYDVQQLDANYRFIxFzAVBgNVBAMMDlhEUiBSb290IENBIHYyMB4XDTIxMDcy
MDEyNDUxNVoXDTQxMDcyMDEzNDUxNVowWTELMAkGA1UEBhMCVVMxIzAhBgNVBAoM
GkFjY2VudHVyZSBGZWRlcmFsIFNlcnZpY2VzMQwwCgYDVQQLDANYRFIxFzAVBgNV
BAMMDlhEUiBSb290IENBIHYyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEf6Q0EcG/
uqmW0O7Noib9hNFEtOsyEukuafbiAafMiylZciffEen9IwIzVKiYnB4XlXZtNOR0
lZ8kL0g6/Rae+Uv1kai003/x467d/tFZ+903Png0WnaO4p5CSnvEu0MYo0IwQDAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTG1bEdYBEYwTY9Z+Fe2CasGqIbhDAO
BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIxAOC2w/OXRYWilDhwdq87
WdB2rUwZjfxp+xhdOvMStJ3q4lP8rK7o2Pr4DYZa0em8OQIwK7Q3qBek13CMNZW/
+qqdgMSx314YjZ/TO+iFdmFU6NWmlQbvxwkSQb1P9eUHHg8a
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC3jCCAmWgAwIBAgIQWn917mkxT+UIOotY4wuNuDAKBggqhkjOPQQDBDBZMQsw
CQYDVQQGEwJVUzEjMCEGA1UECgwaQWNjZW50dXJlIEZlZGVyYWwgU2VydmljZXMx
DDAKBgNVBAsMA1hEUjEXMBUGA1UEAwwOWERSIFJvb3QgQ0EgdjIwHhcNMjEwNzIw
MTM0MjAyWhcNMzEwNzIwMTQ0MjAyWjBxMQswCQYDVQQGEwJVUzEjMCEGA1UECgwa
QWNjZW50dXJlIEZlZGVyYWwgU2VydmljZXMxDDAKBgNVBAsMA1hEUjEvMC0GA1UE
AwwmWERSIFdXVyBDZXJ0aWZpY2F0ZXMgU3Vib3JkaW5hdGUgQ0EgdjIwdjAQBgcq
hkjOPQIBBgUrgQQAIgNiAATCpwEwGIOWZ0K75kjTfP/es56Z9jEWXwC4UhEEQvoI
YhmNY73qonoIZAtIVvZz+OPaPvnYktn2jVVayKTfQ/2o9XA6qGt+na9DpTJTI4Tz
8E/UZNRYvzE07xcUY203tCejgdkwgdYwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNV
HSMEGDAWgBTG1bEdYBEYwTY9Z+Fe2CasGqIbhDAdBgNVHQ4EFgQU11FCJaVVaKkD
4Oehxb2H6MlLMoswDgYDVR0PAQH/BAQDAgGGMHAGA1UdHwRpMGcwZaBjoGGGX2h0
dHA6Ly94ZHItcm9vdC1jcmwuczMudXMtZ292LWVhc3QtMS5hbWF6b25hd3MuY29t
L2NybC9mNThhZTAwMS03YmEzLTRmYjItOTM1YS1iZjEyYWFkMzRlYzYuY3JsMAoG
CCqGSM49BAMEA2cAMGQCMEzlN7pLk/jix5zGRUGHtGulNeS7HKz6Lv3hM6TpyI5w
RihbKlFFOVLdazR3MBwbYQIwewoRoLZk+amBmQ44no6xY1OiAjRldrPQWSPJn9oC
zYbzWMbtQSVkMXjeBoxeD4Zw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGJTCCBA2gAwIBAgIUcUQCVA7Avwnb2KrvgYnz8CLJ3pwwDQYJKoZIhvcNAQEL
BQAwgZkxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEQMA4GA1UEBwwH
RmFpcmZheDEjMCEGA1UECgwaQWNjZW50dXJlIEZlZGVyYWwgU2VydmljZXMxJzAl
BgNVBAsMHk1hbmFnZWQgRGV0ZWN0aW9uIGFuZCBSZXNwb25zZTEXMBUGA1UEAwwO
TURSIFJvb3QgQ0EgRzEwHhcNMjAwMzA0MTczMzA0WhcNNDAwMjI4MTczMzA0WjCB
mTELMAkGA1UEBhMCVVMxETAPBgNVBAgMCFZpcmdpbmlhMRAwDgYDVQQHDAdGYWly
ZmF4MSMwIQYDVQQKDBpBY2NlbnR1cmUgRmVkZXJhbCBTZXJ2aWNlczEnMCUGA1UE
CwweTWFuYWdlZCBEZXRlY3Rpb24gYW5kIFJlc3BvbnNlMRcwFQYDVQQDDA5NRFIg
Um9vdCBDQSBHMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3JMDyi
7cvfc+HghS2KfJnIEU4gCggkWoSdsqJTQgFqba8hVaMKWBqX9hdEUD/VVUly1102
qYzrUnIuw/MP0TsIq2F2nLIo4DgzkQDrwlhJ2PR521i+G/zbPbWHGMY3iigyF8dq
xsiDcRVGzowfAWXOXIheu0PEmebXNG1v31qmY9jIEm2XBioN1Sw9EXnIQ/KKGRZw
inUB7tQ5sQdut5vBkwdXnJ1DqHs3G8YoKFlBHwtBO6D35yvV9x+kIo8swc1ZLX2s
C5zqUfRegJauuyAKs3jMKv+46h/+tNY50WiWxq3OtYAufWAB/mugCl6qXwMgh954
fuj/Ae9UKGsPdFJqEOeaM8vICkr8+emfKsNOvQRo8BXcsWcbewxths0Gwtg52IoB
Ds9/FuGObTD93nFBDjBSzFXtRUTUesS/tipD4Xq5eU3bAGn/NlZsKIICFgjlojQd
NmmHBpR6qXJa9u+ude006I4wvasVg/DjT84N9uAslnosru45gLbtq87bSAkHZ/yX
LZ+VtId5X3lQkrXrnhF7HTNEdxDGEJVEmsyiZ97KqDnE6Z0P365cOr6Azn4CBH8M
AhCTys3FxtY1yiNgK31PfqhD9x8sYiik9VVr9wlhSJfknb4m7gfFzhC3XE0Sg9e8
cuNyVTeDgFu0zik/DeluvTASjkUVQz8Yp4kpAgMBAAGjYzBhMB0GA1UdDgQWBBRN
5wVAfulvKor9WuSXt2wTaAKdLTAfBgNVHSMEGDAWgBRN5wVAfulvKor9WuSXt2wT
aAKdLTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
AQsFAAOCAgEACm4nmg4MnWkSNT6uIoBNr32jGkuclPOErsL4u/geUgLdXtet/eQv
9cYNmb9KbzbR1dcM1Gp0vpnQy/i01Hylwo4qEgYd8J0ejS40do0jPGhai6fbIdOl
uOlOueVA5zYX2dmal3BLUpqoCOf3ewuxh6YljPmSiyv9Rmwpcsq3SiOqMabFKQ71
PQWZeVPoE9go2IV+6W2OtRNEOSZWUbYulYC39M4AU3XExjV5cq0FKiV3UNk3wEs8
uNaU3p3s5jatS/+6w/zqgdN6NtGIB0WVxT7csGN4UdU7YUWAcM03mDEb2jbXuav3
XbFDS26UyK84DQbat4OC00rQ9CipP1QKf5MlXkfjYvEcfW7zx/3Sg5Ep56xHbX3H
MuJbqmywhuuUPREEWWIii6BY3O0QgZIs2lGvqzvSifYok0eYoJfXk1tnZkFKzxVT
8miXSOepnXUAhgAaQUhDFb3l0weUW3HdK21hSwf1QpV60Yo0svjffbzPfQnydGZL
l2ybCdf6Gr6nxQZuDy2Ipg6nn+PHgdExijsdsaWHwJ2ql4vDK6sgxFyzfHS6sHwL
zNYfQ73J6FrTCJlcHCXKMGad07Jkd5y6N9za4MiZ7/Zw/NKNaRIdym6aEeNS7N9O
ahHDgZnPWV/ZNudKV6pqKZbxyUIHYf4CRA4Z+JKqauY4LpyVWNdW64c=
-----END CERTIFICATE-----
```

Splunk common CA (the last cert in the same `custom_CA.inc`):

```
-----BEGIN CERTIFICATE-----
MIIDejCCAmICCQCNHBN8tj/FwzANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
BlNwbHVuazEXMBUGA1UEAwwOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0xNzAxMzAyMDI2NTRaFw0yNzAxMjgyMDI2
NTRaMH8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZy
YW5jaXNjbzEPMA0GA1UECgwGU3BsdW5rMRcwFQYDVQQDDA5TcGx1bmtDb21tb25D
QTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBzcGx1bmsuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzB9ltVEGk73QvPlxXtA0qMW/SLDQlQMFJ/C/
tXRVJdQsmcW4WsaETteeWZh8AgozO1LqOa3I6UmrWLcv4LmUAh/T3iZWXzHLIqFN
WLSVU+2g0Xkn43xSgQEPSvEK1NqZRZv1SWvx3+oGHgu03AZrqTj0HyLujqUDARFX
sRvBPW/VfDkomHj9b8IuK3qOUwQtIOUr+oKx1tM1J7VNN5NflLw9NdHtlfblw0Ys
5xI5Qxu3rcCxkKQuwz9KRe4iijOIRMAKX28pbakxU9Nk38Ac3PNadgIk0s7R829k
980sqGWkd06+C17OxgjpQbvLOR20FtmQybttUsXGR7Bp07YStwIDAQABMA0GCSqG
SIb3DQEBCwUAA4IBAQCxhQd6KXP2VzK2cwAqdK74bGwl5WnvsyqdPWkdANiKksr4
ZybJZNfdfRso3fA2oK1R8i5Ca8LK3V/UuAsXvG6/ikJtWsJ9jf+eYLou8lS6NVJO
xDN/gxPcHrhToGqi1wfPwDQrNVofZcuQNklcdgZ1+XVuotfTCOXHrRoNmZX+HgkY
gEtPG+r1VwSFowfYqyFXQ5CUeRa3JB7/ObF15WfGUYplbd3wQz/M3PLNKLvz5a1z
LMNXDwN5Pvyb2epyO8LPJu4dGTB4jOGpYLUjG1UUqJo9Oa6D99rv6sId+8qjERtl
ZZc1oaC0PKSzBmq+TpbR27B8Zra3gpoA+gavdRZj
-----END CERTIFICATE-----
```

custom_feed_info.inc

```
PLUGIN_SET = "202109011330";
PLUGIN_FEED = "Custom";
```

Create a compressed tar archive of the two files (note: applications such as 7-Zip, or running the tar command on macOS, are known not to work for this):

`tar -zcvf upload_this.tar.gz custom_feed_info.inc custom_CA.inc`

# Tenable Nessus Manager Notes

Nessus Manager is just a Nessus installation that includes the agent handler. As of this writing, it does not support SSO. The URL is https://nessus-manager-0.pvt.xdr.accenturefederalcyber.com:8834/ . The creds are in Vault.

## Setup

`systemctl status nessusd`

Use the admin user to log in (shared cred in Vault).

## Agent setup

`systemctl status nessusagent`

The agent key is generated in, and viewable in, the Nessus Manager. Scans are run and then sent to SC. The Agent Synchronization Job on SC pulls the scans from the Nessus Manager. In Nessus Manager, the agent scans are scheduled. Agents are linked to the Nessus Manager through the Linking Key in the Nessus Manager.

## Agent Troubleshooting

When you are setting up a new server and you see this error for the Nessus agent, it means the Nessus Manager already has your agent in its inventory. To fix this, log into the Nessus Manager > Sensors > find your agent > click on the X to delete it. Restart the agent to have it enroll again. Creds for Nessus Manager are in Vault.

Error message:

```
[error] [agent] Link fail: [409] An agent with the uuid '53543366-b28f-41de-937c-81d736e93a90' already exists
```

# Tenable.sc Scanning Strategy

Tenable does not have a way to pull host information from AWS. To keep things dynamic and not require us to update IP lists, a host discovery scan is set up with all possible IPs. After the host discovery scan runs, the dynamic asset lists should pick up the correct IPs and scan only those IPs. This keeps the scan times shorter.

XDR Host Discovery (scan) -> Systems that have been Scanned (asset list) -> XDR OS Discovery (scan) -> All XDR IP / Agents (asset list) -> XDR Vulnerability Scan (scan)

## Scan Troubleshooting

To run a diagnostic scan on a single IP, put the IP as the target of the scan and as the diagnostic target. You can put anything in the password. Note that you will not be able to view the results, only send them to support.

## Running a scan on a single host

1. Go to the test or prod Tenable.sc
2. Go to Scans > Active Scans
3. Find the 'single host' (test) or 'Single IP' (prod) CIS scan you are interested in, and click on the name or 'edit'
4. Go to Targets, change to 'IP/DNS Name', and enter the IP
5. Hit 'play', and click the 'view scan results' link if you're fast; otherwise switch to Scan Results
6. Wait for it to complete, then view the results.

## Working with Audit Files

They are stored here: `/opt/sc/orgs/1/uploads`

## Generating a diag for Support

You can save some time by generating a debug file when opening a support ticket.

1. Log in as an admin user.
2. Go to System > Diagnostics.
3. Click Create Diagnostics File.
4. Leave all chapters selected; be sure to select "Strip IPs from Chapters".
5. Click Generate File.
6. When that completes, click Download Diagnostics File.
7. Upload it at the Tenable Community Portal (https://community.tenable.com/s/) after logging in: Cases > Related > Uploads.
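Back to the `upload_this.tar.gz` step under General Setup > Add Custom CAs above. As an added shell example (not part of the original notes, and not Tenable's tooling), the script below checks the two `.inc` files before packing them and then verifies the archive it produced: `count_pem_certs` catches a truncated paste by requiring balanced BEGIN/END markers, `build_custom_ca_archive` checks that `PLUGIN_SET` is a 12-digit timestamp and `PLUGIN_FEED` is `"Custom"` before running the same `tar` command as the notes, and `verify_archive_entries` insists the archive lists exactly `custom_feed_info.inc` and `custom_CA.inc` with bare names. The function names are hypothetical. Setting `COPYFILE_DISABLE=1` is my assumption about why the macOS `tar` fails for this: it stops macOS tar from adding AppleDouble `._` entries, which would also fail the entry check here; the notes only say macOS tar is known not to work.

```shell
#!/bin/sh
# Added example (not from the original notes or Tenable): build and
# sanity-check upload_this.tar.gz for the Add Custom CAs step.
# count_pem_certs / show_cert_summary / verify_archive_entries /
# build_custom_ca_archive are hypothetical helper names.

# count_pem_certs FILE
# Prints the number of PEM certificate blocks in FILE; fails if the
# BEGIN/END markers are unbalanced (a truncated paste is the usual cause).
count_pem_certs() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
  if [ "$begins" -ne "$ends" ]; then
    echo "$1: $begins BEGIN vs $ends END markers" >&2
    return 1
  fi
  echo "$begins"
}

# show_cert_summary FILE
# Optional: print subject and expiry of each certificate so you can confirm
# the bundle holds the CAs you intended (needs openssl; skipped otherwise).
show_cert_summary() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping"; return 0; }
  n=$(count_pem_certs "$1") || return 1
  i=1
  while [ "$i" -le "$n" ]; do
    # awk emits only the i-th BEGIN..END block for openssl to parse
    awk -v want="$i" '/-----BEGIN CERTIFICATE-----/{k++} k==want' "$1" \
      | openssl x509 -noout -subject -enddate || return 1
    i=$((i + 1))
  done
}

# verify_archive_entries ARCHIVE
# The archive must list exactly the two .inc files with bare names: no
# "./" prefix, no directory entries, no AppleDouble "._" files.
verify_archive_entries() {
  listing=$(tar -tzf "$1") || return 1
  expected=$(printf 'custom_feed_info.inc\ncustom_CA.inc')
  if [ "$listing" = "$expected" ]; then
    echo "$1: entry list OK"
    return 0
  fi
  printf '%s: unexpected entry list:\n%s\n' "$1" "$listing" >&2
  return 1
}

# build_custom_ca_archive OUTPUT
# Checks both .inc files in the current directory, then creates OUTPUT.
# COPYFILE_DISABLE=1 is an assumption: it stops macOS tar from adding
# "._" resource-fork entries, which would fail the entry check above.
build_custom_ca_archive() {
  for f in custom_feed_info.inc custom_CA.inc; do
    [ -f "$f" ] || { echo "missing $f in $(pwd)" >&2; return 1; }
  done
  grep -q '^PLUGIN_SET *= *"[0-9]\{12\}";' custom_feed_info.inc \
    || { echo 'custom_feed_info.inc: PLUGIN_SET must be 12 digits (YYYYMMDDHHMM)' >&2; return 1; }
  grep -q '^PLUGIN_FEED *= *"Custom";' custom_feed_info.inc \
    || { echo 'custom_feed_info.inc: PLUGIN_FEED must be "Custom"' >&2; return 1; }
  n=$(count_pem_certs custom_CA.inc) || return 1
  [ "$n" -ge 1 ] || { echo "custom_CA.inc holds no certificates" >&2; return 1; }
  echo "custom_CA.inc: $n certificate(s)"
  COPYFILE_DISABLE=1 tar -zcf "$1" custom_feed_info.inc custom_CA.inc || return 1
  verify_archive_entries "$1"
}

# Usage, from the directory holding the two .inc files:
#   sh build_ca_bundle.sh build                  -> builds and checks upload_this.tar.gz
#   sh build_ca_bundle.sh build other_name.tar.gz
if [ "${1:-}" = "build" ]; then
  build_custom_ca_archive "${2:-upload_this.tar.gz}"
fi
```

Run it in the directory that holds the two files; if the entry check fails, the listing it prints is usually enough to see what the archiver added (a `./` prefix, a `._` sidecar, or a third file), which is the kind of archive the upload rejects.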