Home Explore Help
Register Sign In
AFS
/
infrastructure-notes
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b020ec8ea4
Branches Tags
infrastructure-...
/
Tenable Notes.md

Tenable Notes.md 12 KB
History Raw

Tenable Security Center Notes.md

Quick Reference

Security Center (dashboard): https://security-center.pvt.xdr.accenturefederalcyber.com (SAML Login) Nessus Manager (client-based scanning): https://nessus-manager-0.pvt.xdr.accenturefederalcyber.com:8834/ (Creds in Vault)

Service

systemctl status SecurityCenter
systemctl start nessusd
systemctl status nessusagent

Show Version

sudo /opt/nessus/sbin/nessuscli -v
sudo /opt/nessus_agent/sbin/nessuscli -v

Log location

/opt/sc/admin/logs  
/opt/sc/support/logs

Upgrading Nessus and Tenable.sc (Security Center)

  • Download the latest RPM from Tenable Download - Nessus
  • Check the sha256 on your mac with shasum -a 256 Nessus-8.15.1-es7.x86_64.rpm
  • Use teleport scp to upload the file to the TEST and PROD repo server; See How to add a new package to the Reposerver
  • Update the tenable repo per the Reposerver Notes above

  • Stop the service and take an EBS snapshot as a backup

    • systemctl stop SecurityCenter
    • systemctl start nessusd

    • Use the AWS cli to take a snapshot of all EBS volumes

      aws --profile mdr-test-c2-gov ec2 create-snapshots --instance-specification 'InstanceId=i-01d72189085662b1e,ExcludeBootVolume=false' --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Name,Value=security-center-0-pre-upgrade-backup-5.19.1}]'

  • Note: You can upgrade all three Nessus servers at the same time with

    • salt nessus* cmd.run 'yum clean all && yum makecache fast'

  • Run yum clean all && yum makecache fast on the appropriate server or salt nessus* pkg.upgrade name=Nessus on salt-master to update the software from the repo server

  • For Nessus, you need to start the software after the upgrade with

    • systemctl start nessusd.service
    • salt nessus* cmd.run 'systemctl start nessusd.service'

  • For Tenable.sc, use this command: yum update SecurityCenter

  • To ensure everything is working, log into Tenable.sc with admin creds and look at the Resources > Nessus Scanners then click on Options > Update Status

  • If the Scanner shows a status of "Protocol Error" you were too fast and need to be patient; go browse a conservative news source for 5 minutes ;-)

NOTE: The Tenable Agents upgrade themselves through the Nessus Manager.

Security Patches

Occasionally Tenable will release patches for Tenable.sc. These patches need to be installed on the commandline and not through the reposerver.

  • Download the security patch to your Mac. But what if I am using a Windows laptop? Stop following these instructions and request a Mac laptop.
  • Check the hash against the tenable provided one
    • shasum -a 256 SC-202110.1-5.x-rh7-64.tgz
    • sha256sum SC-202204.3-5.x-rh7-64.tgz ( Or on RedHat)
  • Use teleport scp/web UI to upload the file directly to the Tenable.sc server ( see Reposerver Notes for example command. )

  • Stop Tenable.sc and take a backup via snapshots

    • systemctl stop SecurityCenter

    • Use the AWS cli to take a snapshot of all EBS volumes

      aws --profile mdr-test-c2-gov ec2 create-snapshots --instance-specification 'InstanceId=i-01d72189085662b1e,ExcludeBootVolume=false' --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Name,Value=security-center-0-pre-upgrade-backup-5.21.0}]'

  • Extract patch and apply per the Release Notes on Tenable's website

General Setup

svc-scan

See Tenable Knowledge Article - SSH Public Key Authentication for scanning. The private key for svc-scan is not in Vault because if you lose/need it, just generate a new one and push it out.

Add Custom CAs

See Tenable Knowledge Article - Upload a Custom CA certificate to Tenable.sc

These certs include the xdr root ca and intermediate from XDR WWW Certificates Subordinate CA v2 in AWS. I also grabbed the MDR Root CA G1. The Splunk Common CA is the last cert.

custom_CA.inc

-----BEGIN CERTIFICATE-----
MIICMDCCAbagAwIBAgIRAMbEtbFaI4iLYDpPJmXv2gEwCgYIKoZIzj0EAwQwWTEL
MAkGA1UEBhMCVVMxIzAhBgNVBAoMGkFjY2VudHVyZSBGZWRlcmFsIFNlcnZpY2Vz
MQwwCgYDVQQLDANYRFIxFzAVBgNVBAMMDlhEUiBSb290IENBIHYyMB4XDTIxMDcy
MDEyNDUxNVoXDTQxMDcyMDEzNDUxNVowWTELMAkGA1UEBhMCVVMxIzAhBgNVBAoM
GkFjY2VudHVyZSBGZWRlcmFsIFNlcnZpY2VzMQwwCgYDVQQLDANYRFIxFzAVBgNV
BAMMDlhEUiBSb290IENBIHYyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEf6Q0EcG/
uqmW0O7Noib9hNFEtOsyEukuafbiAafMiylZciffEen9IwIzVKiYnB4XlXZtNOR0
lZ8kL0g6/Rae+Uv1kai003/x467d/tFZ+903Png0WnaO4p5CSnvEu0MYo0IwQDAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTG1bEdYBEYwTY9Z+Fe2CasGqIbhDAO
BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIxAOC2w/OXRYWilDhwdq87
WdB2rUwZjfxp+xhdOvMStJ3q4lP8rK7o2Pr4DYZa0em8OQIwK7Q3qBek13CMNZW/
+qqdgMSx314YjZ/TO+iFdmFU6NWmlQbvxwkSQb1P9eUHHg8a
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC3jCCAmWgAwIBAgIQWn917mkxT+UIOotY4wuNuDAKBggqhkjOPQQDBDBZMQsw
CQYDVQQGEwJVUzEjMCEGA1UECgwaQWNjZW50dXJlIEZlZGVyYWwgU2VydmljZXMx
DDAKBgNVBAsMA1hEUjEXMBUGA1UEAwwOWERSIFJvb3QgQ0EgdjIwHhcNMjEwNzIw
MTM0MjAyWhcNMzEwNzIwMTQ0MjAyWjBxMQswCQYDVQQGEwJVUzEjMCEGA1UECgwa
QWNjZW50dXJlIEZlZGVyYWwgU2VydmljZXMxDDAKBgNVBAsMA1hEUjEvMC0GA1UE
AwwmWERSIFdXVyBDZXJ0aWZpY2F0ZXMgU3Vib3JkaW5hdGUgQ0EgdjIwdjAQBgcq
hkjOPQIBBgUrgQQAIgNiAATCpwEwGIOWZ0K75kjTfP/es56Z9jEWXwC4UhEEQvoI
YhmNY73qonoIZAtIVvZz+OPaPvnYktn2jVVayKTfQ/2o9XA6qGt+na9DpTJTI4Tz
8E/UZNRYvzE07xcUY203tCejgdkwgdYwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNV
HSMEGDAWgBTG1bEdYBEYwTY9Z+Fe2CasGqIbhDAdBgNVHQ4EFgQU11FCJaVVaKkD
4Oehxb2H6MlLMoswDgYDVR0PAQH/BAQDAgGGMHAGA1UdHwRpMGcwZaBjoGGGX2h0
dHA6Ly94ZHItcm9vdC1jcmwuczMudXMtZ292LWVhc3QtMS5hbWF6b25hd3MuY29t
L2NybC9mNThhZTAwMS03YmEzLTRmYjItOTM1YS1iZjEyYWFkMzRlYzYuY3JsMAoG
CCqGSM49BAMEA2cAMGQCMEzlN7pLk/jix5zGRUGHtGulNeS7HKz6Lv3hM6TpyI5w
RihbKlFFOVLdazR3MBwbYQIwewoRoLZk+amBmQ44no6xY1OiAjRldrPQWSPJn9oC
zYbzWMbtQSVkMXjeBoxeD4Zw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGJTCCBA2gAwIBAgIUcUQCVA7Avwnb2KrvgYnz8CLJ3pwwDQYJKoZIhvcNAQEL
BQAwgZkxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEQMA4GA1UEBwwH
RmFpcmZheDEjMCEGA1UECgwaQWNjZW50dXJlIEZlZGVyYWwgU2VydmljZXMxJzAl
BgNVBAsMHk1hbmFnZWQgRGV0ZWN0aW9uIGFuZCBSZXNwb25zZTEXMBUGA1UEAwwO
TURSIFJvb3QgQ0EgRzEwHhcNMjAwMzA0MTczMzA0WhcNNDAwMjI4MTczMzA0WjCB
mTELMAkGA1UEBhMCVVMxETAPBgNVBAgMCFZpcmdpbmlhMRAwDgYDVQQHDAdGYWly
ZmF4MSMwIQYDVQQKDBpBY2NlbnR1cmUgRmVkZXJhbCBTZXJ2aWNlczEnMCUGA1UE
CwweTWFuYWdlZCBEZXRlY3Rpb24gYW5kIFJlc3BvbnNlMRcwFQYDVQQDDA5NRFIg
Um9vdCBDQSBHMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3JMDyi
7cvfc+HghS2KfJnIEU4gCggkWoSdsqJTQgFqba8hVaMKWBqX9hdEUD/VVUly1102
qYzrUnIuw/MP0TsIq2F2nLIo4DgzkQDrwlhJ2PR521i+G/zbPbWHGMY3iigyF8dq
xsiDcRVGzowfAWXOXIheu0PEmebXNG1v31qmY9jIEm2XBioN1Sw9EXnIQ/KKGRZw
inUB7tQ5sQdut5vBkwdXnJ1DqHs3G8YoKFlBHwtBO6D35yvV9x+kIo8swc1ZLX2s
C5zqUfRegJauuyAKs3jMKv+46h/+tNY50WiWxq3OtYAufWAB/mugCl6qXwMgh954
fuj/Ae9UKGsPdFJqEOeaM8vICkr8+emfKsNOvQRo8BXcsWcbewxths0Gwtg52IoB
Ds9/FuGObTD93nFBDjBSzFXtRUTUesS/tipD4Xq5eU3bAGn/NlZsKIICFgjlojQd
NmmHBpR6qXJa9u+ude006I4wvasVg/DjT84N9uAslnosru45gLbtq87bSAkHZ/yX
LZ+VtId5X3lQkrXrnhF7HTNEdxDGEJVEmsyiZ97KqDnE6Z0P365cOr6Azn4CBH8M
AhCTys3FxtY1yiNgK31PfqhD9x8sYiik9VVr9wlhSJfknb4m7gfFzhC3XE0Sg9e8
cuNyVTeDgFu0zik/DeluvTASjkUVQz8Yp4kpAgMBAAGjYzBhMB0GA1UdDgQWBBRN
5wVAfulvKor9WuSXt2wTaAKdLTAfBgNVHSMEGDAWgBRN5wVAfulvKor9WuSXt2wT
aAKdLTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
AQsFAAOCAgEACm4nmg4MnWkSNT6uIoBNr32jGkuclPOErsL4u/geUgLdXtet/eQv
9cYNmb9KbzbR1dcM1Gp0vpnQy/i01Hylwo4qEgYd8J0ejS40do0jPGhai6fbIdOl
uOlOueVA5zYX2dmal3BLUpqoCOf3ewuxh6YljPmSiyv9Rmwpcsq3SiOqMabFKQ71
PQWZeVPoE9go2IV+6W2OtRNEOSZWUbYulYC39M4AU3XExjV5cq0FKiV3UNk3wEs8
uNaU3p3s5jatS/+6w/zqgdN6NtGIB0WVxT7csGN4UdU7YUWAcM03mDEb2jbXuav3
XbFDS26UyK84DQbat4OC00rQ9CipP1QKf5MlXkfjYvEcfW7zx/3Sg5Ep56xHbX3H
MuJbqmywhuuUPREEWWIii6BY3O0QgZIs2lGvqzvSifYok0eYoJfXk1tnZkFKzxVT
8miXSOepnXUAhgAaQUhDFb3l0weUW3HdK21hSwf1QpV60Yo0svjffbzPfQnydGZL
l2ybCdf6Gr6nxQZuDy2Ipg6nn+PHgdExijsdsaWHwJ2ql4vDK6sgxFyzfHS6sHwL
zNYfQ73J6FrTCJlcHCXKMGad07Jkd5y6N9za4MiZ7/Zw/NKNaRIdym6aEeNS7N9O
ahHDgZnPWV/ZNudKV6pqKZbxyUIHYf4CRA4Z+JKqauY4LpyVWNdW64c=
-----END CERTIFICATE-----

#Splunk common CA

-----BEGIN CERTIFICATE-----
MIIDejCCAmICCQCNHBN8tj/FwzANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
BlNwbHVuazEXMBUGA1UEAwwOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0xNzAxMzAyMDI2NTRaFw0yNzAxMjgyMDI2
NTRaMH8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZy
YW5jaXNjbzEPMA0GA1UECgwGU3BsdW5rMRcwFQYDVQQDDA5TcGx1bmtDb21tb25D
QTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBzcGx1bmsuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzB9ltVEGk73QvPlxXtA0qMW/SLDQlQMFJ/C/
tXRVJdQsmcW4WsaETteeWZh8AgozO1LqOa3I6UmrWLcv4LmUAh/T3iZWXzHLIqFN
WLSVU+2g0Xkn43xSgQEPSvEK1NqZRZv1SWvx3+oGHgu03AZrqTj0HyLujqUDARFX
sRvBPW/VfDkomHj9b8IuK3qOUwQtIOUr+oKx1tM1J7VNN5NflLw9NdHtlfblw0Ys
5xI5Qxu3rcCxkKQuwz9KRe4iijOIRMAKX28pbakxU9Nk38Ac3PNadgIk0s7R829k
980sqGWkd06+C17OxgjpQbvLOR20FtmQybttUsXGR7Bp07YStwIDAQABMA0GCSqG
SIb3DQEBCwUAA4IBAQCxhQd6KXP2VzK2cwAqdK74bGwl5WnvsyqdPWkdANiKksr4
ZybJZNfdfRso3fA2oK1R8i5Ca8LK3V/UuAsXvG6/ikJtWsJ9jf+eYLou8lS6NVJO
xDN/gxPcHrhToGqi1wfPwDQrNVofZcuQNklcdgZ1+XVuotfTCOXHrRoNmZX+HgkY
gEtPG+r1VwSFowfYqyFXQ5CUeRa3JB7/ObF15WfGUYplbd3wQz/M3PLNKLvz5a1z
LMNXDwN5Pvyb2epyO8LPJu4dGTB4jOGpYLUjG1UUqJo9Oa6D99rv6sId+8qjERtl
ZZc1oaC0PKSzBmq+TpbR27B8Zra3gpoA+gavdRZj
-----END CERTIFICATE-----

custom_feed_info.inc

PLUGIN_SET = "202109011330";
PLUGIN_FEED = "Custom";

Create a compressed tar archive of the 2 files: (Note: Applications such as 7-Zip or running the tar command on macOS are known not to work for this)

tar -zcvf upload_this.tar.gz custom_feed_info.inc custom_CA.inc

Tenable Nessus Manager Notes

Nessus manager is just a Nessus installation that includes the agent handler. As of this writing, it does not support SSO. The URL is https://nessus-manager-0.pvt.xdr.accenturefederalcyber.com:8834/ . The creds are in Vault.

setup

systemctl status nessusd

Use admin user to login ( shared cred in Vault )

Agent setup

systemctl status nessusagent

The agent key is generated and viewable in the Nessus Manager.

Scans are run and then sent to SC. The Agent Synchronization Job on SC pulls the scans from the Nessus mananger.

In Nessus manager, the agent scans are scheduled. Agents are linked to the Nessus Manager through the Linking Key in the Nessus Manager.

Agent Troubleshooting

When you are setting up a new server and you see this error for the Nessus agent, it means the Nessus Manager already has your agent in its inventory. To fix this, log into the Nessus Manager > Sensors > Find your agent > click on X to delete. Restart the agent to have it enroll again. Creds for Nessus Manager are in Vault.

Error message:

[error] [agent] Link fail: [409] An agent with the uuid '53543366-b28f-41de-937c-81d736e93a90' already exists

Tenable.sc Scanning Strategy

Tenable does not have a way to pull host information from AWS. To keep things dynamic and not require us to update IP lists, a host discovery scan is setup with all possible IPs. After the host discovery scan runs, the dynamic assets lists should pick up the correct IPs and scan only those IPs. This keeps the scan times shorter.

XDR Host Discovery (scan) -> Systems that have been Scanned (assets list) -> XDR OS Discovery (scan) -> All XDR IP / Agents (assets list) -> XDR Vulnerability Scan (scan)

Scan Troubleshooting

To run a diagnostic scan on a single IP, put the IP as the target of the scan and as the diagnostic target. You can put anything in the password. Note that you will not be able to view the results only send them to support.

Running a scan on a single host

  1. Go to test tenable or the prod tenable
  2. Got to scans->active scans
  3. Find the 'single host' (test) or Single IP (prod) CIS scan you are interested in, and click on the name or 'edit'
  4. Go to targets, change to 'ip/dns name', enter IP
  5. Hit 'play', and click link 'view scan results' if you're fast, otherwise switch to Scan Results
  6. Wait for complete, then view results.