Tenable Notes.md 21 KB
Tenable Security Center Notes.md
Quick Reference
Security Center (dashboard): https://security-center.pvt.xdr.accenturefederalcyber.com (SAML Login) Nessus Manager (client-based scanning): https://nessus-manager-0.pvt.xdr.accenturefederalcyber.com:8834/ (Creds in Vault)
Service
systemctl status SecurityCenter
systemctl start nessusd
systemctl status nessusagent
Show Version
sudo /opt/nessus/sbin/nessuscli -v
sudo /opt/nessus_agent/sbin/nessuscli -v
Log location Tenable.SC
/opt/sc/admin/logs
/opt/sc/support/logs
Log location Nessus
/opt/nessus/var/nessus/logs
Upgrading Nessus or Tenable.sc (Security Center)
- Download the latest RPM from Tenable Download - Nessus
- Check the sha256 on your mac with
shasum -a 256 Nessus-8.15.1-es7.x86_64.rpm - Use
teleport scpto upload the file to the TEST and PROD repo server; See How to add a new package to the Reposerver - Update the tenable repo per the Reposerver Notes above
Stop the service and take an EBS snapshot as a backup
systemctl stop SecurityCentersystemctl start nessusdUse the AWS cli to take a snapshot of all EBS volumes
aws --profile mdr-test-c2-gov ec2 create-snapshots --instance-specification 'InstanceId=i-01d72189085662b1e,ExcludeBootVolume=false' --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Name,Value=security-center-0-pre-upgrade-backup-5.21}]'
Note: You can upgrade all three Nessus servers at the same time with
salt nessus* cmd.run 'yum clean all && yum makecache fast'
Run
yum clean all && yum makecache faston the appropriate server orsalt nessus* pkg.upgrade name=Nessuson salt-master to update the software from the repo serverFor Nessus, you need to start the software after the upgrade with
systemctl start nessusd.servicesalt nessus* cmd.run 'systemctl start nessusd.service'
For Tenable.sc, use this command:
yum update SecurityCenterTo ensure everything is working, log into Tenable.sc with admin creds and look at the Resources > Nessus Scanners then click on Options > Update Status
If the Scanner shows a status of "Protocol Error" you were too fast and need to be patient; go browse a conservative news source for 5 minutes ;-)
NOTE: The Tenable Agents upgrade themselves through the Nessus Manager.
Security Patches
Occasionally Tenable will release patches for Tenable.sc. These patches need to be installed on the commandline and not through the reposerver.
- Download the security patch to your Mac. But what if I am using a Windows laptop? Stop following these instructions and request a Mac laptop.
- Check the hash against the tenable provided one
shasum -a 256 SC-202110.1-5.x-rh7-64.tgzsha256sum SC-202204.3-5.x-rh7-64.tgz( Or on RedHat)
- Use teleport scp/web UI to upload the file directly to the Tenable.sc server ( see Reposerver Notes for example command. )
Stop Tenable.sc and take a backup via snapshots
systemctl stop SecurityCenterUse the AWS cli to take a snapshot of all EBS volumes
aws --profile mdr-test-c2-gov ec2 create-snapshots --instance-specification 'InstanceId=i-01d72189085662b1e,ExcludeBootVolume=false' --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Name,Value=security-center-0-pre-upgrade-backup-5.21.0}]'
Extract patch and apply per the Release Notes on Tenable's website
General Setup
svc-scan
See Tenable Knowledge Article - SSH Public Key Authentication for scanning. The private key for svc-scan is not in Vault because if you lose/need it, just generate a new one and push it out.
Add Custom CAs
See Tenable Knowledge Article - Upload a Custom CA certificate to Tenable.sc
These certs include the xdr root ca and intermediate from XDR WWW Certificates Subordinate CA v2 in AWS. I also grabbed the MDR Root CA G1. The Splunk Common CA is the next cert. AWS RDS does not let us use our own custom certificate so we must accept their certificate.
custom_CA.inc
-----BEGIN CERTIFICATE-----
MIICMDCCAbagAwIBAgIRAMbEtbFaI4iLYDpPJmXv2gEwCgYIKoZIzj0EAwQwWTEL
MAkGA1UEBhMCVVMxIzAhBgNVBAoMGkFjY2VudHVyZSBGZWRlcmFsIFNlcnZpY2Vz
MQwwCgYDVQQLDANYRFIxFzAVBgNVBAMMDlhEUiBSb290IENBIHYyMB4XDTIxMDcy
MDEyNDUxNVoXDTQxMDcyMDEzNDUxNVowWTELMAkGA1UEBhMCVVMxIzAhBgNVBAoM
GkFjY2VudHVyZSBGZWRlcmFsIFNlcnZpY2VzMQwwCgYDVQQLDANYRFIxFzAVBgNV
BAMMDlhEUiBSb290IENBIHYyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEf6Q0EcG/
uqmW0O7Noib9hNFEtOsyEukuafbiAafMiylZciffEen9IwIzVKiYnB4XlXZtNOR0
lZ8kL0g6/Rae+Uv1kai003/x467d/tFZ+903Png0WnaO4p5CSnvEu0MYo0IwQDAP
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTG1bEdYBEYwTY9Z+Fe2CasGqIbhDAO
BgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwQDaAAwZQIxAOC2w/OXRYWilDhwdq87
WdB2rUwZjfxp+xhdOvMStJ3q4lP8rK7o2Pr4DYZa0em8OQIwK7Q3qBek13CMNZW/
+qqdgMSx314YjZ/TO+iFdmFU6NWmlQbvxwkSQb1P9eUHHg8a
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC3jCCAmWgAwIBAgIQWn917mkxT+UIOotY4wuNuDAKBggqhkjOPQQDBDBZMQsw
CQYDVQQGEwJVUzEjMCEGA1UECgwaQWNjZW50dXJlIEZlZGVyYWwgU2VydmljZXMx
DDAKBgNVBAsMA1hEUjEXMBUGA1UEAwwOWERSIFJvb3QgQ0EgdjIwHhcNMjEwNzIw
MTM0MjAyWhcNMzEwNzIwMTQ0MjAyWjBxMQswCQYDVQQGEwJVUzEjMCEGA1UECgwa
QWNjZW50dXJlIEZlZGVyYWwgU2VydmljZXMxDDAKBgNVBAsMA1hEUjEvMC0GA1UE
AwwmWERSIFdXVyBDZXJ0aWZpY2F0ZXMgU3Vib3JkaW5hdGUgQ0EgdjIwdjAQBgcq
hkjOPQIBBgUrgQQAIgNiAATCpwEwGIOWZ0K75kjTfP/es56Z9jEWXwC4UhEEQvoI
YhmNY73qonoIZAtIVvZz+OPaPvnYktn2jVVayKTfQ/2o9XA6qGt+na9DpTJTI4Tz
8E/UZNRYvzE07xcUY203tCejgdkwgdYwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNV
HSMEGDAWgBTG1bEdYBEYwTY9Z+Fe2CasGqIbhDAdBgNVHQ4EFgQU11FCJaVVaKkD
4Oehxb2H6MlLMoswDgYDVR0PAQH/BAQDAgGGMHAGA1UdHwRpMGcwZaBjoGGGX2h0
dHA6Ly94ZHItcm9vdC1jcmwuczMudXMtZ292LWVhc3QtMS5hbWF6b25hd3MuY29t
L2NybC9mNThhZTAwMS03YmEzLTRmYjItOTM1YS1iZjEyYWFkMzRlYzYuY3JsMAoG
CCqGSM49BAMEA2cAMGQCMEzlN7pLk/jix5zGRUGHtGulNeS7HKz6Lv3hM6TpyI5w
RihbKlFFOVLdazR3MBwbYQIwewoRoLZk+amBmQ44no6xY1OiAjRldrPQWSPJn9oC
zYbzWMbtQSVkMXjeBoxeD4Zw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGJTCCBA2gAwIBAgIUcUQCVA7Avwnb2KrvgYnz8CLJ3pwwDQYJKoZIhvcNAQEL
BQAwgZkxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhWaXJnaW5pYTEQMA4GA1UEBwwH
RmFpcmZheDEjMCEGA1UECgwaQWNjZW50dXJlIEZlZGVyYWwgU2VydmljZXMxJzAl
BgNVBAsMHk1hbmFnZWQgRGV0ZWN0aW9uIGFuZCBSZXNwb25zZTEXMBUGA1UEAwwO
TURSIFJvb3QgQ0EgRzEwHhcNMjAwMzA0MTczMzA0WhcNNDAwMjI4MTczMzA0WjCB
mTELMAkGA1UEBhMCVVMxETAPBgNVBAgMCFZpcmdpbmlhMRAwDgYDVQQHDAdGYWly
ZmF4MSMwIQYDVQQKDBpBY2NlbnR1cmUgRmVkZXJhbCBTZXJ2aWNlczEnMCUGA1UE
CwweTWFuYWdlZCBEZXRlY3Rpb24gYW5kIFJlc3BvbnNlMRcwFQYDVQQDDA5NRFIg
Um9vdCBDQSBHMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3JMDyi
7cvfc+HghS2KfJnIEU4gCggkWoSdsqJTQgFqba8hVaMKWBqX9hdEUD/VVUly1102
qYzrUnIuw/MP0TsIq2F2nLIo4DgzkQDrwlhJ2PR521i+G/zbPbWHGMY3iigyF8dq
xsiDcRVGzowfAWXOXIheu0PEmebXNG1v31qmY9jIEm2XBioN1Sw9EXnIQ/KKGRZw
inUB7tQ5sQdut5vBkwdXnJ1DqHs3G8YoKFlBHwtBO6D35yvV9x+kIo8swc1ZLX2s
C5zqUfRegJauuyAKs3jMKv+46h/+tNY50WiWxq3OtYAufWAB/mugCl6qXwMgh954
fuj/Ae9UKGsPdFJqEOeaM8vICkr8+emfKsNOvQRo8BXcsWcbewxths0Gwtg52IoB
Ds9/FuGObTD93nFBDjBSzFXtRUTUesS/tipD4Xq5eU3bAGn/NlZsKIICFgjlojQd
NmmHBpR6qXJa9u+ude006I4wvasVg/DjT84N9uAslnosru45gLbtq87bSAkHZ/yX
LZ+VtId5X3lQkrXrnhF7HTNEdxDGEJVEmsyiZ97KqDnE6Z0P365cOr6Azn4CBH8M
AhCTys3FxtY1yiNgK31PfqhD9x8sYiik9VVr9wlhSJfknb4m7gfFzhC3XE0Sg9e8
cuNyVTeDgFu0zik/DeluvTASjkUVQz8Yp4kpAgMBAAGjYzBhMB0GA1UdDgQWBBRN
5wVAfulvKor9WuSXt2wTaAKdLTAfBgNVHSMEGDAWgBRN5wVAfulvKor9WuSXt2wT
aAKdLTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
AQsFAAOCAgEACm4nmg4MnWkSNT6uIoBNr32jGkuclPOErsL4u/geUgLdXtet/eQv
9cYNmb9KbzbR1dcM1Gp0vpnQy/i01Hylwo4qEgYd8J0ejS40do0jPGhai6fbIdOl
uOlOueVA5zYX2dmal3BLUpqoCOf3ewuxh6YljPmSiyv9Rmwpcsq3SiOqMabFKQ71
PQWZeVPoE9go2IV+6W2OtRNEOSZWUbYulYC39M4AU3XExjV5cq0FKiV3UNk3wEs8
uNaU3p3s5jatS/+6w/zqgdN6NtGIB0WVxT7csGN4UdU7YUWAcM03mDEb2jbXuav3
XbFDS26UyK84DQbat4OC00rQ9CipP1QKf5MlXkfjYvEcfW7zx/3Sg5Ep56xHbX3H
MuJbqmywhuuUPREEWWIii6BY3O0QgZIs2lGvqzvSifYok0eYoJfXk1tnZkFKzxVT
8miXSOepnXUAhgAaQUhDFb3l0weUW3HdK21hSwf1QpV60Yo0svjffbzPfQnydGZL
l2ybCdf6Gr6nxQZuDy2Ipg6nn+PHgdExijsdsaWHwJ2ql4vDK6sgxFyzfHS6sHwL
zNYfQ73J6FrTCJlcHCXKMGad07Jkd5y6N9za4MiZ7/Zw/NKNaRIdym6aEeNS7N9O
ahHDgZnPWV/ZNudKV6pqKZbxyUIHYf4CRA4Z+JKqauY4LpyVWNdW64c=
-----END CERTIFICATE-----
#Splunk common CA
-----BEGIN CERTIFICATE-----
MIIDejCCAmICCQCNHBN8tj/FwzANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
BlNwbHVuazEXMBUGA1UEAwwOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0xNzAxMzAyMDI2NTRaFw0yNzAxMjgyMDI2
NTRaMH8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZy
YW5jaXNjbzEPMA0GA1UECgwGU3BsdW5rMRcwFQYDVQQDDA5TcGx1bmtDb21tb25D
QTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBzcGx1bmsuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzB9ltVEGk73QvPlxXtA0qMW/SLDQlQMFJ/C/
tXRVJdQsmcW4WsaETteeWZh8AgozO1LqOa3I6UmrWLcv4LmUAh/T3iZWXzHLIqFN
WLSVU+2g0Xkn43xSgQEPSvEK1NqZRZv1SWvx3+oGHgu03AZrqTj0HyLujqUDARFX
sRvBPW/VfDkomHj9b8IuK3qOUwQtIOUr+oKx1tM1J7VNN5NflLw9NdHtlfblw0Ys
5xI5Qxu3rcCxkKQuwz9KRe4iijOIRMAKX28pbakxU9Nk38Ac3PNadgIk0s7R829k
980sqGWkd06+C17OxgjpQbvLOR20FtmQybttUsXGR7Bp07YStwIDAQABMA0GCSqG
SIb3DQEBCwUAA4IBAQCxhQd6KXP2VzK2cwAqdK74bGwl5WnvsyqdPWkdANiKksr4
ZybJZNfdfRso3fA2oK1R8i5Ca8LK3V/UuAsXvG6/ikJtWsJ9jf+eYLou8lS6NVJO
xDN/gxPcHrhToGqi1wfPwDQrNVofZcuQNklcdgZ1+XVuotfTCOXHrRoNmZX+HgkY
gEtPG+r1VwSFowfYqyFXQ5CUeRa3JB7/ObF15WfGUYplbd3wQz/M3PLNKLvz5a1z
LMNXDwN5Pvyb2epyO8LPJu4dGTB4jOGpYLUjG1UUqJo9Oa6D99rv6sId+8qjERtl
ZZc1oaC0PKSzBmq+TpbR27B8Zra3gpoA+gavdRZj
-----END CERTIFICATE-----
AWS RDS us-gov-east-1-bundle.pem
-----BEGIN CERTIFICATE-----
MIICtjCCAjugAwIBAgIQCojG1Zix0YArC/bBkU7eOjAKBggqhkjOPQQDAzCBmjEL
MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x
EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpBbWF6
b24gUkRTIHVzLWdvdi1lYXN0LTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcM
B1NlYXR0bGUwIBcNMjEwNTI2MjIyODU4WhgPMjEyMTA1MjYyMzI4NThaMIGaMQsw
CQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5jLjET
MBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFtYXpv
biBSRFMgdXMtZ292LWVhc3QtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH
U2VhdHRsZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABKZfn/XfCIlHTE/YF5lH9D2h
H71kG3RaC92hBPbyncbDMf2Q7JeYwhknKahWmSO/EP0Nj+9iCFimT/Jb9o9ykkKl
gOvv/M6SQAuKsC/24PxwC8QV1miuTMUd7fGhNjQUHKNCMEAwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUniTlDl2igVgummx44YNMd5t4mMgwDgYDVR0PAQH/BAQD
AgGGMAoGCCqGSM49BAMDA2kAMGYCMQCSb8X09cnFdS90i1nqRLhancNU8bCFoI86
hqyctq0ftvXXmEe0bA+JnpIm5p/UKUUCMQCYYYQFfkeZtD4SOxSIE+WzfghJFaAq
/s17Q6LU2tCl4/csuzsTAl/vCc0JVynH340=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGBjCCA+6gAwIBAgIQaoLp1Iv1/fO7VY8+oWlsgjANBgkqhkiG9w0BAQwFADCB
mzELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu
Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTQwMgYDVQQDDCtB
bWF6b24gUkRTIHVzLWdvdi1lYXN0LTEgUm9vdCBDQSBSU0E0MDk2IEcxMRAwDgYD
VQQHDAdTZWF0dGxlMCAXDTIxMDUyNjIyMjMwNloYDzIxMjEwNTI2MjMyMzA2WjCB
mzELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu
Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTQwMgYDVQQDDCtB
bWF6b24gUkRTIHVzLWdvdi1lYXN0LTEgUm9vdCBDQSBSU0E0MDk2IEcxMRAwDgYD
VQQHDAdTZWF0dGxlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsiIo
3SyckN+EuZZLEcIgGyfqlO1AuVh2MF+dCrIxvuX9L+Nv6hLck9ArKVIuGotkp3im
37BzilxaY+3GI+FkMq7aQo9TLYHKX78ZVqMGBWIuIskm/iwHgFtoscecGEwRekLc
Hswl1Odi4y/vmLTHgZIar8fIEB6OIhUO9q0fT9zY+LX9IuH51NjaePsbMHxksrmm
tbmz1zqUsANu/0bG73B1vMfRs3DmCesm+v8hlBDVawla4zPY9/f8pnpIwfOeEjKw
M+llHdLALFjNV4BCdOuwCl0O2XtSX8450knBxsEA5iXoGkZXc6GrsEq7pK6ZZ/7W
/08ejAMrS36Hi3bEYB/RLiG9X6yGgy5QRn7vnXDxFX9DaZID9k1SUbzP8YidGtDc
UnyeQ7gkJQazrPSn71bnNLiL2H3DW6dPxaZwTotLVpXn4WbNtei9zfP0gl5B86CX
35Ac4NP/6QAdgUeSJ/1sX+IIf3N65NkXWcOtpDIrvseLXyeNxWne27oUNPJ0wgE2
/2vNlvbXpNIERNcxCYTzgVHMQ9T2rJdrSeyzRpcGF8NODHGPOmc9XI6WWWvrs9kI
9sCd6LZZ+ViAZPLAwd4k7vttMX5tAXtRREREaqClr5mG/G/lQ+V3GacBR8Z7/i9Y
St+ETUgxPLoiVtoQmiBigj/u8WeYlMDtw9koUxcCAwEAAaNCMEAwDwYDVR0TAQH/
BAUwAwEB/zAdBgNVHQ4EFgQUHamNV9Qjt8qSO4R8YI9jX7QABIUwDgYDVR0PAQH/
BAQDAgGGMA0GCSqGSIb3DQEBDAUAA4ICAQCiqAqTb+r4proOPxDjpuOBLaxhqGkC
aU3uBi8iUBiw/8tgVXVeqIrmUNI3t8cMWySYjPcL3Pkaui6lV2kX3XUV9QrAWaFC
Za+nuZNlmLvV27KrvEh9KhW9kqsudibq7fGYureVuEi1JtCczp6JlBzSA+m1a0Nh
y/rRRHQ0g/uoEnIdQrqdJL4pBBLdgSLOFD/O56obO0uoRq1x60g67+J5d3OGfRSW
kb8lR2Ub6HlcD+WDnpLtxyQDSkyK5pFjRKmljxQIZ9FcQfG4P8tXkef130Kbr6ZA
caMKRUtj4FjozuuHi0E7Tv/vujjhg1vEjK471uM5ZHpEqUQaxLo9MbJZJl5SfFum
RSut5ebM/NQnhF+RES08xOG1UFoIjSZ4cmAaA8ggn+vjsBBZitWJ1jc4pk6MhySA
qRJuMeYVCNK/dNCYk/me+Z8y6KvNl6ih00A2RQDlVFySH3Lvo2MGMX/F3qJTUlWX
YWKEslCGhte7755AFgfa9dMKv5ir8tg6NdOLVgSQVU3rVv0F2XM7URxkNtaczgC+
rSX682gTqnZcK2hrWy2cuktN1N8i0FqX1n8tNLQwpeDvcJXgoVATsZUb6aDHmTJR
k+8N+RsNwC/hHzKs2Vj4YKNP8MelxWcgtu0/QJAtq1/4YFMRY7qv1pCfcQGfg8Sx
JFiKTJMbfPV2uQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEBzCCAu+gAwIBAgIRAOYJ9HCNT4ONuUhBhtQkCWowDQYJKoZIhvcNAQEMBQAw
gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ
bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr
QW1hem9uIFJEUyB1cy1nb3YtZWFzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G
A1UEBwwHU2VhdHRsZTAgFw0yMjA0MTUyMzE0NDlaGA8yMDYyMDQxNjAwMTQ0OVow
gZsxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ
bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE0MDIGA1UEAwwr
QW1hem9uIFJEUyB1cy1nb3YtZWFzdC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4G
A1UEBwwHU2VhdHRsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANwz
j5S2lfJdNxNGf4zrSXUR+23coWdO6oXUJgkj0c8DZnnLer/4dAa2Aah9wsq/TxmJ
YgzBganNQEghy1ru0GqA7R/NYePXqikTPfVgcNrVRBzPA69/C0bHT+/3XGYkPrxP
HNER5ctaLhgu4zkF9DI6m9ajPbEV/6nZMKYczhaigqW7Ff/eq3TKtisZLj8KrDYd
gswBTLgil5GV+CGdmlb32fCpBrTnrXyqUe/WANv0hTD4IZ/+caUVjAaiSLYiMNMw
+oO1872rtK4kjF4U2TOzkOl4kbvvuhSOA+qDUBUwf0HmJc4+Y6/cRBsqbxJ4R21G
Tpj/XOc+aoU+lgvDGcsCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
FgQUvFFLeSz7XHbjkKaCFM2LQlOEQO4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3
DQEBDAUAA4IBAQCd4a9nrcjbtCZFGV5RzJUzSw/oDIJVKYMicehsecZLgVY+DwiC
l2IuaPZWu3YpjXerWz7BPBJUhx43u4Bi+yWWrnz+i0porH6jrCGrfi8uou3TRwni
BcRvq3v8vJZ23HY6NGbVdrtqD2g2lWRFqwRJXxs+uueqfLlS40uahVyJgldfbWfE
AetbBBycjgaj4MPVURdylqXpl8dIhUIwHs3k4gFsAmzwF7hg+HzpDlCY/1TLCp0B
k88UItrPSHCAVAefPk5PhjwLC7MDE3ZBJQxdT4R1nXuEEoFaqqxL81RLcqpUI6PU
4Nv4+7bXbAfksPVRtf4bOoVLH7HOm7WJdRym
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEKDCCAxCgAwIBAgIQaC/DN4ySdcKe6GO0sGy0UTANBgkqhkiG9w0BAQwFADCB
mzELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu
Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTQwMgYDVQQDDCtB
bWF6b24gUkRTIHVzLWdvdi1lYXN0LTEgUm9vdCBDQSBSU0EyMDQ4IEcxMRAwDgYD
VQQHDAdTZWF0dGxlMB4XDTIyMDQyMDE5MjEyNloXDTI3MDQyMDIwMjEyNlowgZsx
CzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5n
dG9uMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQL
DApBbWF6b24gUkRTMSwwKgYDVQQDDCNBbWF6b24gUkRTIHVzLWdvdi1lYXN0LTEg
UlNBMjA0OCBHMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBmYrBC
7lik4c1tB2MSsc43/Qr0xCfmz2j7e2J93pGKohtfttGZ5E0VOy2uUJoLt624/Mnj
5c+XFqMVblAoq4PBw3MuNIOBiA663hAqvj0JJG8FV3CgQ459D3liBY/3zCVEdWsu
LxigOiXJUFY5ve0PXo3uQjzmfZtDUJqUCS7kGx7zXuo8MGd5RoqS+O52i/t7uoJz
dbufzw/h1SBwcmB3qyZBW9j0wR/d7Hp7UgP3Dp5oyo7+yP7QNiIpj5U8Wi8CZAoe
rGBTp70A3LdTuD8xCFcSVgNEoFIZspfj5QBkbxqydhMG2z57PUF83K+AZET4IUdN
SX/+xteRlLCjhUUCAwEAAaNmMGQwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNVHSME
GDAWgBS8UUt5LPtcduOQpoIUzYtCU4RA7jAdBgNVHQ4EFgQUXUiCehbDGqpot4A6
AhrG+Qb3UYgwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBDAUAA4IBAQAwwFi4
7WlTUfMccehtJSq7TUZd1wRzJkqhY1Y9KjbJCvqiSSJ3VlCtMAbYf3PUKba7LLwl
alfhr9DqJfo1R3CNKnWXtNtDzeZ7i60aTP6MQ5BdfQhd99FcmHrMqwN45js0paTl
2L0hHK346K1dcT82MW5Xk9/oUVFMnNRKT/52g77J+qwZkHDol0k1X59bB7oFH6E/
B8WCnDwhzPlfiUUmVAcZpoR2C53JWCbTv0U2FBLjVaVXUdqZ8byC8sB6aw7Y8tH7
+PXMAGpLrenHkp+ozeTLtnmGbtDGFSlRkJU+Zw0i2CtPaoo541Q2BVZjipTl1Tir
F9yG3bosMKACSbYb
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGKDCCBBCgAwIBAgIQM1fysiDjNGgSOYoR3sgNfzANBgkqhkiG9w0BAQwFADCB
mzELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu
Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTQwMgYDVQQDDCtB
bWF6b24gUkRTIHVzLWdvdi1lYXN0LTEgUm9vdCBDQSBSU0E0MDk2IEcxMRAwDgYD
VQQHDAdTZWF0dGxlMB4XDTIyMDEwMzIwNDIxNVoXDTI3MDEwMzIxNDIxNVowgZsx
CzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5n
dG9uMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMwEQYDVQQL
DApBbWF6b24gUkRTMSwwKgYDVQQDDCNBbWF6b24gUkRTIHVzLWdvdi1lYXN0LTEg
UlNBNDA5NiBHMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALJiyqfe
gXrub2uSh1eR/d7VAIY374euUlLC7gtQinEmMA9VB7Y83wXVQTK8KQBfUE5hjbFv
X74o24PLPG20lWHRgRzWOHmM2FyOnH/60qIq6XghgDAdKjfdkXJEJehOXxMyfX5L
DMeuSx6M8GcUNneQqy9pazNrNmI9vlZ/stNy6ZWOV3SRZFndh+aBLM5017mVYYxP
4nWqgtKNKy6IfgoSE+E4afsCLIxc0eqAyagZS4Q7fWqH09zReE7ub3Kh9HNLTFZB
OPEuqtSdP/B2+1Pd/LkUKg/WwuONilmUvbN9izfDAUWqoUlcf02idPvPJtA/5QtC
uv3o3WIasVgYBmGWFNo2qVyCuIobg4VpcErv93t6gqxTBXFbBq0DVC6zdi3J0m/B
0NyuXfhCaVR6wsxp5fplIHg9YNDed9imA663kr0xGHLeMPect7WiXvD0/5pDHxT5
b83VIni1jKR1cdFVfVRa2P8PnaSfwpt8pDktN5myvuuRJTQFciHY+deAEJoqbds+
NTHI8LI8n1JNBfAEZ3JZp1zOT3IR/VX+8dr2U1k6Au/+hRaMv7mwcl7XARITzyv4
4MPSsyETdxV/ynFf4+kl9StHP6Q3U5uIefIHN9ym9KyTD2Vnn9pAV5wnBouTedHy
e9dX4YexiDoZm0FQxH8T5yoSrlpNM3amn7SJAgMBAAGjZjBkMBIGA1UdEwEB/wQI
MAYBAf8CAQAwHwYDVR0jBBgwFoAUHamNV9Qjt8qSO4R8YI9jX7QABIUwHQYDVR0O
BBYEFNXibIWRgW6CRAigCl7DVtfjt/Y7MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG
9w0BAQwFAAOCAgEAfCQj7InnmGDg0fyf+zars52bIskE5SYJM6XpV8Ng6osDu6Xa
qEVfs1pBR2qPLbGqzW0nQOxe/fEmopWbaL9Mi8xez71MIa+mSF8mPf5WcxOf+T2A
Y5SsXuHOLTxkj163XuOd0iF21Q1fCw2KnCDQFdNFpFSt4Y/+g92ug2lpuiYsTo2b
55BAMLu0sXITDt4VnV9C2ZixpxNMlTnPEkCG3MW1buImPJSHXfIjCTb/IuPcu+WR
Ny5wuxa9xAZN7q+1OGXkec8QHRNi0eEOq/tz0RSuYyDEq9/Lo7x5aSrK44Vpg/kn
DowRNAnyvrp4y1hUe6AsMaQ+2coWQsGJIJDAIIW0e1B+3nnkOTP2lNn1nTH8ynBV
JuHd5FY08Hbup3vJ986Yw72wQpWTO8Kic/7X2x/m6fThUbQ4YNlLWq0FzQe2nuIB
4eY5ToUO3FL9+6v+7jVWkwxO0X9VowJFpEtOOW8S25crc5Jyqifdle90y/a4POmc
FEHDnUmk3b+2cTszHahAXYvRcriGHHo7LnHCn/5hujhXGdWi9OSMMjrAs+G1io/H
mkdC2vLM4zfK4GPKHG/tUw9Ovqu9rZtpvXtnj10RgfWsysmUH0AzOXqFCvM2UAdp
hkOYz6ouPjqgbIC84cVSzuJBkiCcfLlSoaUS4IIY3FOSztwsxtr2DrA8HBo=
-----END CERTIFICATE-----
custom_feed_info.inc
PLUGIN_SET = "202109011330";
PLUGIN_FEED = "Custom";
Create a compressed tar archive of the 2 files: (Note: Applications such as 7-Zip or running the tar command on macOS are known not to work for this)
tar -zcvf upload_this.tar.gz custom_feed_info.inc custom_CA.inc
Audit File Annoyances
See https://docs.tenable.com/nessus/compliancechecksreference/Content/UnixBANNER_CHECK.htm for additional help
CIS benchmarks variables
Banner Text
Copy the banner from an SSH cmd prompt and paste it into the compliance checks settings text box.
NTP server address: 169.254.169.123 log server: 192.168.0.1
Tenable Nessus Manager Notes
Nessus manager is just a Nessus installation that includes the agent handler. As of this writing, it does not support SSO. The URL is https://nessus-manager-0.pvt.xdr.accenturefederalcyber.com:8834/ . The creds are in Vault.
setup
systemctl status nessusd
Use admin user to login ( shared cred in Vault )
Agent setup
systemctl status nessusagent
The agent key is generated and viewable in the Nessus Manager.
Scans are run and then sent to SC. The Agent Synchronization Job on SC pulls the scans from the Nessus mananger.
In Nessus manager, the agent scans are scheduled. Agents are linked to the Nessus Manager through the Linking Key in the Nessus Manager.
Agent Troubleshooting
When you are setting up a new server and you see this error for the Nessus agent, it means the Nessus Manager already has your agent in its inventory. To fix this, log into the Nessus Manager > Sensors > Find your agent > click on X to delete. Restart the agent to have it enroll again. Creds for Nessus Manager are in Vault.
Error message:
[error] [agent] Link fail: [409] An agent with the uuid '53543366-b28f-41de-937c-81d736e93a90' already exists
Tenable.sc Scanning Strategy
Tenable does not have a way to pull host information from AWS. To keep things dynamic and not require us to update IP lists, a host discovery scan is setup with all possible IPs. After the host discovery scan runs, the dynamic assets lists should pick up the correct IPs and scan only those IPs. This keeps the scan times shorter.
XDR Host Discovery (scan) -> Systems that have been Scanned (assets list) -> XDR OS Discovery (scan) -> All XDR IP / Agents (assets list) -> XDR Vulnerability Scan (scan)
Scan Troubleshooting
To run a diagnostic scan on a single IP, put the IP as the target of the scan and as the diagnostic target. You can put anything in the password. Note that you will not be able to view the results only send them to support.
Running a scan on a single host
- Go to test tenable or the prod tenable
- Got to scans->active scans
- Find the 'single host' (test) or
Single IP(prod) CIS scan you are interested in, and click on the name or 'edit' - Go to targets, change to 'ip/dns name', enter IP
- Hit 'play', and click link 'view scan results' if you're fast, otherwise switch to Scan Results
- Wait for complete, then view results.
Working with Audit Files
They are stored here: /opt/sc/orgs/1/uploads
Generating a diag for Support
You can save some time by generating a debug file when opening a support ticket.
- Log in as an admin user.
- Go to System > Diagnostics.
- Click Create Diagnostics File.
- Leave all chapters selected, Be sure to select "Strip IPs from Chapters".
- Click Generate File.
- When that completes, click Download Diagnostics File.
- Upload it at the Tenable Community Portal https://community.tenable.com/s/ after logging in. - > Cases > Related > Uploads.