
Adds Nessus Security Manager Module

Modified from 'nessus security receivers', which we don't appear to
need/want.

To be tagged v2.0.5
Fred Damstra [afs macbook] 4 lat temu
rodzic
commit
dc3527da49

+ 0 - 0
base/nessus/instance_nessus_receiver/amis.tf → base/nessus/instance_nessus_manager/amis.tf


+ 0 - 0
base/nessus/instance_nessus_receiver/cloud-init/cloud-init.tpl → base/nessus/instance_nessus_manager/cloud-init/cloud-init.tpl


+ 25 - 25
base/nessus/instance_nessus_receiver/main.tf → base/nessus/instance_nessus_manager/main.tf

@@ -13,28 +13,28 @@ data "aws_kms_key" "ebs-key" {
   key_id = "alias/ebs_root_encrypt_decrypt"
 }
 
-resource "aws_network_interface" "nessus-receiver-interface" {
-  count = var.nessus_receiver_count
+resource "aws_network_interface" "nessus-manager-interface" {
+  count = var.nessus_manager_count
   subnet_id = var.public_subnets[count.index % 3]
-  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.nessus_receiver.id ]
-  description = "nessus-receiver-${count.index}"
-  tags = merge(var.standard_tags, var.tags, { Name = "nessus-receiver-${count.index}" })
+  security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.nessus_manager.id ]
+  description = "nessus-manager-${count.index}"
+  tags = merge(var.standard_tags, var.tags, { Name = "nessus-manager-${count.index}" })
 }
 
 resource "aws_eip" "instance" {
-  count = var.nessus_receiver_count
+  count = var.nessus_manager_count
   vpc = true
-  tags = merge(var.standard_tags, var.tags, { Name = "nessus-receiver-${count.index}" })
+  tags = merge(var.standard_tags, var.tags, { Name = "nessus-manager-${count.index}" })
 }
 
 resource "aws_eip_association" "instance" {
-  count = var.nessus_receiver_count
-  network_interface_id = aws_network_interface.nessus-receiver-interface[count.index].id
+  count = var.nessus_manager_count
+  network_interface_id = aws_network_interface.nessus-manager-interface[count.index].id
   allocation_id = aws_eip.instance[count.index].id
 }
 
-resource "aws_instance" "nessus-receiver-instance" {
-  count = var.nessus_receiver_count
+resource "aws_instance" "nessus-manager-instance" {
+  count = var.nessus_manager_count
   tenancy = "default"
   ebs_optimized = true
   disable_api_termination = var.instance_termination_protection
@@ -138,21 +138,21 @@ resource "aws_instance" "nessus-receiver-instance" {
 
   network_interface {
     device_index = 0
-    network_interface_id = aws_network_interface.nessus-receiver-interface[count.index].id
+    network_interface_id = aws_network_interface.nessus-manager-interface[count.index].id
   }
 
   user_data = data.template_cloudinit_config.cloud-init[count.index].rendered
-  tags = merge( var.standard_tags, var.tags, { Name = "nessus-receiver-${count.index}" })
-  volume_tags = merge( var.standard_tags, var.tags, { Name = "nessus-receiver-${count.index}" })
+  tags = merge( var.standard_tags, var.tags, { Name = "nessus-manager-${count.index}" })
+  volume_tags = merge( var.standard_tags, var.tags, { Name = "nessus-manager-${count.index}" })
 }
 
 data "template_file" "cloud-init" {
-  count = var.nessus_receiver_count
+  count = var.nessus_manager_count
   template = file("${path.module}/cloud-init/cloud-init.tpl")
 
   vars = {
-    hostname = "nessus-receiver-${count.index}"
-    fqdn = "nessus-receiver-${count.index}.${var.dns_info["private"]["zone"]}"
+    hostname = "nessus-manager-${count.index}"
+    fqdn = "nessus-manager-${count.index}.${var.dns_info["private"]["zone"]}"
     environment = var.environment
     salt_master  = var.salt_master
     proxy = var.proxy
@@ -165,7 +165,7 @@ data "template_file" "cloud-init" {
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud-init" {
-  count = var.nessus_receiver_count
+  count = var.nessus_manager_count
   gzip          = true
   base64_encode = true
 
@@ -183,12 +183,12 @@ data "template_cloudinit_config" "cloud-init" {
   #}
 }
 
-module "private_dns_record_nessus-receiver" {
-  count = var.nessus_receiver_count
+module "private_dns_record_nessus-manager" {
+  count = var.nessus_manager_count
   source = "../../../submodules/dns/private_A_record"
 
-  name = "nessus-receiver-${count.index}"
-  ip_addresses = [ aws_instance.nessus-receiver-instance[count.index].private_ip ]
+  name = "nessus-manager-${count.index}"
+  ip_addresses = [ aws_instance.nessus-manager-instance[count.index].private_ip ]
   dns_info = var.dns_info
   reverse_enabled = var.reverse_enabled
 
@@ -197,11 +197,11 @@ module "private_dns_record_nessus-receiver" {
   }
 }
 
-module "public_dns_record_nessus-receiver" {
-  count = var.nessus_receiver_count
+module "public_dns_record_nessus-manager" {
+  count = var.nessus_manager_count
   source = "../../../submodules/dns/public_A_record"
 
-  name = "nessus-receiver-${count.index}"
+  name = "nessus-manager-${count.index}"
   ip_addresses = [ aws_eip.instance[count.index].public_ip ]
   dns_info = var.dns_info
 

+ 8 - 0
base/nessus/instance_nessus_manager/outputs.tf

@@ -0,0 +1,8 @@
+output private_dns {
+  value = module.private_dns_record_nessus-manager[*].forward
+}
+
+output public_dns {
+  value = module.public_dns_record_nessus-manager[*].forward
+}
+

+ 69 - 0
base/nessus/instance_nessus_manager/securitygroup-server.tf

@@ -0,0 +1,69 @@
+# SG Summary - Server
+#     Ingress: 
+#       22 - sync from other security centers
+#       443 - User access
+#     Egress:  
+#       25 - smtp
+#       443 - updates
+#       tcp/1243 - "Communicating with Log Correlation Engine" (unneeded in xdr)
+#       tcp/8834-8835 - Communicating With Nessus - to vpc-managers
+resource "aws_security_group" "nessus_manager" {
+  name_prefix = "nessus_manager"
+  tags = merge( var.standard_tags, var.tags, { Name = "nessus_manager" } )
+  vpc_id      = var.vpc_id
+  description = "Nessus Security Scanner"
+}
+
+#-----------------------------------------------------------------
+# Inbound access
+#-----------------------------------------------------------------
+resource "aws_security_group_rule" "nessus_manager_inbound_nessus" {
+  security_group_id        = aws_security_group.nessus_manager.id
+  type                     = "ingress"
+  cidr_blocks              = var.cidr_map["vpc-private-services"] # Nessus Security Center
+  from_port                = 8834
+  to_port                  = 8834 # no 8835 according to https://docs.tenable.com/nessusagent/Content/RequirementsDataflow.htm
+  protocol                 = "tcp"
+  description              = "Inbound Nessus"
+}
+
+resource "aws_security_group_rule" "http-in-external-c2-users" {
+  # Wow. What was I thinking with c2_services_external_ips? 
+  # Regardless, it's not used often to address 'all' customers.
+  #
+  # This deserves some explanation.  Terraform "for_each" expects to be
+  # getting as input a map of values to iterate over as part of the foreach.
+  # The keys of the map are used to name each of these objects created.  Looking
+  # in the terraform plan output of a for_each you'll see things like:
+  #
+  # aws_security_group_rule.resource_name["key-value-from-foreach"] will be created
+  #
+  # Our c2_services_external_ips is a list of maps, not a map of maps.  The for-expression
+  # makes a new thing that is a map of maps, where the key value is the description with
+  # blanks removed.
+  #
+  # We could have made the variable more natively-friendly to for_each but this seemed
+  # like a better solution for what we were trying to accomplish.
+  for_each = { for s in var.c2_services_external_ips : replace(s.description,"/\\s*/","") => s }
+
+  description = "inbound nessus agent - ${each.value.description}"
+  type = "ingress"
+  from_port = 8834
+  to_port = 8834
+  protocol = "tcp"
+  cidr_blocks = each.value.cidr_blocks
+  security_group_id = aws_security_group.nessus_manager.id
+}
+
+#-----------------------------------------------------------------
+# Outbound access
+#-----------------------------------------------------------------
+#resource "aws_security_group_rule" "nessus_manager_outbound_all_ports" {
+#  security_group_id        = aws_security_group.nessus_manager.id
+#  type                     = "egress"
+#  cidr_blocks              = [ "10.0.0.0/8" ]
+#  from_port                = -1
+#  to_port                  = -1
+#  protocol                 = "all"
+#  description              = "Outbound to All Ports"
+#}

+ 6 - 1
base/nessus/instance_nessus_receiver/vars.tf → base/nessus/instance_nessus_manager/vars.tf

@@ -1,4 +1,4 @@
-variable "nessus_receiver_count" {
+variable "nessus_manager_count" {
   type = number
 }
 
@@ -35,6 +35,11 @@ variable "reverse_enabled" {
   default = true
 }
 
+variable "c2_services_external_ips" {
+  type = list(object({cidr_blocks=list(string),description=string}))
+  default = []
+}
+
 variable "trusted_ips" { type = list(string) }
 variable "proxy" { type = string }
 variable "salt_master" { type = string }
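Review bot: `c2_services_external_ips` is added without a `description`, yet each entry opens tcp/8834 on the manager to the listed CIDRs and its `description` field (whitespace stripped) becomes the `for_each` key in securitygroup-server.tf, so two entries whose descriptions differ only in whitespace will fail the plan with a duplicate-key error. Add `description = "External CIDRs allowed to reach tcp/8834 (Nessus agents); each entry's description must be unique after whitespace removal"` to the variable. If the Terraform version pinned in version.tf (not shown) supports `validation` blocks, one rejecting `0.0.0.0/0` in `cidr_blocks` would prevent the open-to-the-world 8834 rule from the deleted receiver module being recreated through this variable.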

+ 0 - 0
base/nessus/instance_nessus_receiver/version.tf → base/nessus/instance_nessus_manager/version.tf


+ 0 - 8
base/nessus/instance_nessus_receiver/outputs.tf

@@ -1,8 +0,0 @@
-output private_dns {
-  value = module.private_dns_record_nessus-receiver[*].forward
-}
-
-output public_dns {
-  value = module.public_dns_record_nessus-receiver[*].forward
-}
-

+ 0 - 91
base/nessus/instance_nessus_receiver/securitygroup-server.tf

@@ -1,91 +0,0 @@
-# SG Summary - Server
-#     Ingress: 
-#       22 - sync from other security centers
-#       443 - User access
-#     Egress:  
-#       25 - smtp
-#       443 - updates
-#       tcp/1243 - "Communicating with Log Correlation Engine" (unneeded in xdr)
-#       tcp/8834-8835 - Communicating With Nessus - to vpc-receivers
-resource "aws_security_group" "nessus_receiver" {
-  name_prefix = "nessus_receiver"
-  tags = merge( var.standard_tags, var.tags, { Name = "nessus_receiver" } )
-  vpc_id      = var.vpc_id
-  description = "Nessus Security Scanner"
-}
-
-#-----------------------------------------------------------------
-# Inbound access
-#-----------------------------------------------------------------
-resource "aws_security_group_rule" "nessus_receiver_inbound_icmp" {
-  security_group_id        = aws_security_group.nessus_receiver.id
-  type                     = "ingress"
-  cidr_blocks              = [ "10.0.0.0/8" ]
-  from_port                = -1
-  to_port                  = -1
-  protocol                 = "ICMP"
-  description              = "Inbound pings"
-}
-
-resource "aws_security_group_rule" "nessus_receiver_inbound_22" {
-  security_group_id        = aws_security_group.nessus_receiver.id
-  type                     = "ingress"
-  cidr_blocks              = toset(concat(var.cidr_map["vpc-access"], var.cidr_map["vpc-private-services"]))
-  from_port                = 22
-  to_port                  = 22
-  protocol                 = "tcp"
-  description              = "Inbound SSH (from access)"
-}
-
-resource "aws_security_group_rule" "nessus_receiver_inbound_3022" {
-  security_group_id        = aws_security_group.nessus_receiver.id
-  type                     = "ingress"
-  cidr_blocks              = var.cidr_map["vpc-access"]
-  from_port                = 3022
-  to_port                  = 3022
-  protocol                 = "tcp"
-  description              = "Inbound Teleport (from access)"
-}
-
-resource "aws_security_group_rule" "nessus_receiver_inbound_443" {
-  security_group_id        = aws_security_group.nessus_receiver.id
-  type                     = "ingress"
-  cidr_blocks              = toset(concat(var.cidr_map["vpc-access"], var.cidr_map["vpc-private-services"]))
-  from_port                = 443
-  to_port                  = 443
-  protocol                 = "tcp"
-  description              = "Inbound 443 (from access)"
-}
-
-resource "aws_security_group_rule" "nessus_receiver_inbound_nessus" {
-  security_group_id        = aws_security_group.nessus_receiver.id
-  type                     = "ingress"
-  cidr_blocks              = [ "0.0.0.0/0" ]
-  from_port                = 8834
-  to_port                  = 8834 # no 8835 according to https://docs.tenable.com/nessusagent/Content/RequirementsDataflow.htm
-  protocol                 = "tcp"
-  description              = "Inbound Nessus"
-}
-
-resource "aws_security_group_rule" "nessus_receiver_inbound_scan_ourselves" {
-  security_group_id        = aws_security_group.nessus_receiver.id
-  source_security_group_id = aws_security_group.nessus_receiver.id
-  type                     = "ingress"
-  from_port                = -1
-  to_port                  = -1
-  protocol                 = "all"
-  description              = "Inbound Scanning of Ourselves"
-}
-
-#-----------------------------------------------------------------
-# Outbound access
-#-----------------------------------------------------------------
-#resource "aws_security_group_rule" "nessus_receiver_outbound_all_ports" {
-#  security_group_id        = aws_security_group.nessus_receiver.id
-#  type                     = "egress"
-#  cidr_blocks              = [ "10.0.0.0/8" ]
-#  from_port                = -1
-#  to_port                  = -1
-#  protocol                 = "all"
-#  description              = "Outbound to All Ports"
-#}

+ 2 - 2
base/nessus/instance_security_center/securitygroup-server.tf

@@ -43,9 +43,9 @@ resource "aws_security_group_rule" "security_center_inbound_443_from_alb" {
 resource "aws_security_group_rule" "security_center_outbound_nessus" {
   security_group_id        = aws_security_group.security_center.id
   type                     = "egress"
-  cidr_blocks              = var.cidr_map["vpc-scanners"]
+  cidr_blocks              = concat(var.cidr_map["vpc-scanners"], var.cidr_map["vpc-private-services"]) # Scanners and managers
   from_port                = 8834
   to_port                  = 8835
   protocol                 = "tcp"
-  description              = "Outbound to Scanners"
+  description              = "Outbound to Scanners and Managers"
 }
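Review bot: The widened `cidr_blocks` targets the whole `vpc-private-services` range on tcp/8834-8835 rather than the manager hosts; if the security-center module can be given the manager SG id, a rule using `source_security_group_id` would be tighter than a CIDR, though that output may not be wired through today. Note also that the manager's own ingress rule opens only 8834 (the comment there cites the Tenable dataflow doc for the absence of 8835), so the 8835 half of this range towards private-services is never accepted; harmless, but a comment such as `# managers accept 8834 only (see instance_nessus_manager SG); 8835 remains for scanners` would explain the asymmetry.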