Tenable Nessus

Tenable Nessus is a proprietary vulnerability scanner developed by Tenable. The scanner allows the security team to scan devices and check them against the nessus database that contains thousands of known vulnerabilities and patch them before they are exploited. There are three components to the tenable setup, the server, scanners and the agents. This runbook will cover the following

• Tenable environments
• Deploying agents
• Verifying agent installation.

This runbook does not cover the finer details of the Terraform bootstrap module.

Environments

There are three environments, Prod, Non-Prod and Sbox, the non-prod VM scalesets reside within the prod resource group.

Production and Non-Production

Subscription: HMCTS-SOC-PROD

Resource Group: soc-tenable-prod-rg

server: tenable-sc-prod-vm00

VM ScaleSets: nessus-scanners-prod / nessus-scanners-nonprod

Sbox

Subscription: soc-tenable-sbox-rg

Resource Group: HMCTS-SOC-SBOX

server: tenable-sc-sbox-vm00

VM ScaleSets: nessus-scanners-sbox

Deploying Agents

The agent is deployed using terraform bootstrap module terraform-module-vm-bootstrap. The module is designed to install to Linux and Windows machines.

The example given below is specific to the Heritage environment.

Steps to setup deployment

• Call the terraform-bootstrap-module from the terraform-module-vm-bootstrap

module "vm-bootstrap" {
  count  = var.install_splunk_uf == true || var.nessus_install == true ? var.vm_count : 0
  source = "git::https://github.com/hmcts/terraform-module-vm-bootstrap.git?ref=master"

  virtual_machine_type         = "vm"
  virtual_machine_id           = azurerm_virtual_machine.general_purpose_vm[count.index].id
  os_type                      = local.os_type
  nessus_server                = var.nessus_server
  nessus_key                   = var.nessus_key
  nessus_groups                = var.nessus_groups
  install_dynatrace_oneagent   = false
  install_azure_monitor        = false
}

• Add all the required variables

variable "nessus_install" {
default = false
}

variable "nessus_server" {}

variable "nessus_key_name" {
default = null
}

variable "nessus_groups" {
default = null
}

data "azurerm_key_vault_secret" "nessus_key" {
count    = var.nessus_install ? 1 : 0
provider = azurerm.soc

name         = var.nessus_key_name
key_vault_id = data.azurerm_key_vault.soc_vault[0].id
}

• Run associated Heritage VM pipeline on Azure DevOps

Verifying Agent Installation

After deployment of the Nessus agent, it will register with the Nessus Manager host inside to the appropriate agent group.

Permissions for PlatOps to access the Nessus Manager is currently being setup by SecOps; until access is enabled, they will confirm the node in the console to validate agent installation and configuration, please contact Ian Knight from SecOps to verify that the agent can be seen on the Tenable Server.

Connect to the Tenable Server

• Ensure you have JIT access and you are connected to the VPN
• Get the SSH config from Azure (valid for 1 hour)

az ssh config --resource-group bastion-prod-rg --vm-name bastion-prod --prefer-private-ip --file ./sshconfig Paste into ~/.ssh/config

• Start port-forwarding/SSH tunnel to Nessus host. To port forward to the Tenable Server, run the following command replacing the variable with the intended IP.

ssh -L 5000:<VM-PRIVATE-IP>:8834 bastion-prod-rg-bastion-prod

• Go to browser https://localhost:5000

Troubleshooting Agents

Prerequisites

• Enable JIT access to non-prod or Production Bastion, you can do that here.
• Connect to F5.

Linux Agents

Check if the agent has deployed correctly

systemctl status 

Remove agent from server

rpm -qa | grep -i NessusAgent

rpm -e NessusAgent-10.1.3-es7.x86_64

Windows Agents

Commands to check Machine connectivity tnc nessus-scanners-nonprod000005.platform.hmcts.net

tnc -port 8834 nessus-scanners-nonprod000005.platform.hmcts.net

Nessus Link commands

Open CMD as an Admin

Cd into C:\Program Files\Tenable\Nessus Agent

Check if the agent is linked to a scanner with the command below

nessuscli agent status

You should see a response similar to output below

C:\Program Files\Tenable\Nessus Agent>nessuscli agent status
Running: Yes
Linked to: nessus-scanners-nonprod000005.platform.hmcts.net:8834
Link status: Connected to nessus-scanners-nonprod000005.platform.hmcts.net:8834
Last successful connection with controller: 10 secs ago
Proxy: None
Plugin set: (null)
Scanning: No (0 jobs pending, 0 smart scan configs)
Scans run today: 0 of 10 limit
Last scanned: Never
Last connect: 1655998378
Last connection attempt: 1655998378

Important links

• https://docs.tenable.com/nessus/Content/NessusCLIAgent.htm#Nessuscli-Commands

• https://docs.tenable.com/nessus/Content/RemoveNessusAgentLinux.htm

This page was last reviewed on 26 January 2024. It needs to be reviewed again on 26 January 2025 by the page owner platops-build-notices .

This page was set to be reviewed before 26 January 2025 by the page owner platops-build-notices. This might mean the content is out of date.