Tenable Nessus
Tenable Nessus is a proprietary vulnerability scanner developed by Tenable. The scanner allows the security team to scan devices and check them against the nessus database that contains thousands of known vulnerabilities and patch them before they are exploited. There are three components to the tenable setup, the server, scanners and the agents.
Access is via the URL https://nessus.hmcts.net/ which is an Azure Entra ID enterprise application called Nessus. (See below for renewing certs)
This runbook will cover the following
- Tenable environments
- Deploying agents
- Verifying agent installation.
This runbook does not cover the finer details of the Terraform bootstrap module.
Environments
There are three environments, Prod, Non-Prod and Sbox, the non-prod VM scalesets reside within the prod resource group.
Production and Non-Production
Subscription: HMCTS-SOC-PROD
Resource Group: soc-tenable-prod-rg
server: tenable-sc-prod-vm00
VM ScaleSets: nessus-scanners-prod / nessus-scanners-nonprod
Sbox
Subscription: soc-tenable-sbox-rg
Resource Group: HMCTS-SOC-SBOX
server: tenable-sc-sbox-vm00
VM ScaleSets: nessus-scanners-sbox
Deploying Agents
The agent is deployed using terraform bootstrap module terraform-module-vm-bootstrap. The module is designed to install to Linux and Windows machines.
The example given below is specific to the Heritage environment.
Steps to setup deployment
- Call the terraform-bootstrap-module from the terraform-module-vm-bootstrap
module "vm-bootstrap" {
count = var.install_splunk_uf == true || var.nessus_install == true ? var.vm_count : 0
source = "git::https://github.com/hmcts/terraform-module-vm-bootstrap.git?ref=master"
virtual_machine_type = "vm"
virtual_machine_id = azurerm_virtual_machine.general_purpose_vm[count.index].id
os_type = local.os_type
nessus_server = var.nessus_server
nessus_key = var.nessus_key
nessus_groups = var.nessus_groups
install_dynatrace_oneagent = false
install_azure_monitor = false
}
- Add all the required variables
variable "nessus_install" {
default = false
}
variable "nessus_server" {}
variable "nessus_key_name" {
default = null
}
variable "nessus_groups" {
default = null
}
data "azurerm_key_vault_secret" "nessus_key" {
count = var.nessus_install ? 1 : 0
provider = azurerm.soc
name = var.nessus_key_name
key_vault_id = data.azurerm_key_vault.soc_vault[0].id
}
- Run associated Heritage VM pipeline on Azure DevOps
Verifying Agent Installation
After deployment of the Nessus agent, it will register with the Nessus Manager host inside to the appropriate agent group.
Permissions for PlatOps to access the Nessus Manager is currently being setup by SecOps; until access is enabled, they will confirm the node in the console to validate agent installation and configuration, please contact Ian Knight from SecOps to verify that the agent can be seen on the Tenable Server.
Connect to the Tenable Server
- Ensure you have JIT access and you are connected to the VPN
- Get the SSH config from Azure (valid for 1 hour)
az ssh config --resource-group bastion-prod-rg --vm-name bastion-prod --prefer-private-ip --file ./sshconfig Paste into ~/.ssh/config
- Start port-forwarding/SSH tunnel to Nessus host. To port forward to the Tenable Server, run the following command replacing the variable with the intended IP.
ssh -L 5000:<VM-PRIVATE-IP>:8834 bastion-prod-rg-bastion-prod
- Go to browser https://localhost:5000
Troubleshooting Agents
Prerequisites
Linux Agents
Check if the agent has deployed correctly
systemctl status
Remove agent from server
rpm -qa | grep -i NessusAgent
rpm -e NessusAgent-10.1.3-es7.x86_64
Windows Agents
Commands to check Machine connectivity
tnc nessus-scanners-nonprod000005.platform.hmcts.net
tnc -port 8834 nessus-scanners-nonprod000005.platform.hmcts.net
Nessus Link commands
Open CMD as an Admin
Cd into C:\Program Files\Tenable\Nessus Agent
Check if the agent is linked to a scanner with the command below
nessuscli agent status
You should see a response similar to output below
C:\Program Files\Tenable\Nessus Agent>nessuscli agent status
Running: Yes
Linked to: nessus-scanners-nonprod000005.platform.hmcts.net:8834
Link status: Connected to nessus-scanners-nonprod000005.platform.hmcts.net:8834
Last successful connection with controller: 10 secs ago
Proxy: None
Plugin set: (null)
Scanning: No (0 jobs pending, 0 smart scan configs)
Scans run today: 0 of 10 limit
Last scanned: Never
Last connect: 1655998378
Last connection attempt: 1655998378
Important links
https://docs.tenable.com/nessus/Content/NessusCLIAgent.htm#Nessuscli-Commands
https://docs.tenable.com/nessus/Content/RemoveNessusAgentLinux.htm
Security Center SSL
Tenables Security Center is hosted on a VM for it’s environment, created using an Azure marketplace image published by Tenable. These VMs have a certificate which can expire, causing a “BadGateway: This corporate app can’t be accessed.” error message. The cert can be quickly checked by opening the Tenables Security Center VM’s IP address via a web browser on a Windows jump box (JBOX01-PROD).
Tenable Security Center also sits behind App Proxy, that uses a wildcard cert. If Security Center is not presenting a valid certificate App Proxy will fail to validate the cert and the user will not be able to access Security Center.
Updating the SSL Certificate
If the Tenables Security Center cert “tenable-sc.platform.hmcts.net” has expired, a new one can be accessed from the key vault acmehmctssocXXXX. It should be valid, as it is automatically refreshed by the Function App acmehmctssocXXXX.
(Link to Cert Generation)[https://hmcts.github.io/ops-runbooks/Certificates/letsencrypt.html]
Security Center requires the certificate in a .crt and .key format but Azure KeyVault it will most likely present it as a single .pfx file which contains both the cert and the key.
After downloading the .pfx file, convert it to a .crt and .key file pair use the following commands:
# Extract the private key. You may be asked for an Import password, this is blank, so press enter. Then you will be prompted to enter a PEM password. Create something to use in the next two stages but will not need after that.
openssl pkcs12 -in your-certificate-and-key-combined.pfx -nocerts -out keyfile.key
# Decrypt the key, you will be prompted to enter a password, this is the password you entered in the previous step.
openssl rsa -in keyfile.key -out SecurityCenter.key
# Extract the certificate
openssl pkcs12 -in your-certificate-and-key-combined.pfx -clcerts -nokeys -out SecurityCenter.crt
Once you have the .crt and .key files on your machine, you will have to upload them to the Security Center VM. Open an SSH tunnel to the correct environment, then start your SSH connection to the Tenables Security Center VM, via it’s IP address. Authentication is via the https://microsoft.com/devicelogin URL method as MFA is required. Once connected, beware the SSL connection will close if idle for more than 5 minutes.
The files should be placed in the /opt/sc/support/conf directory, use sudo su to gain access.
Option 1 - Update files “`bash
Copy the existing expired cert files
cd /opt/sc/support/conf/ cp SecurityCenter.key SecurityCenter_250424.key cp SecurityCenter.crt SecurityCenter_250424.crt
Add the new cert files by using 2 terminal sessions. Open local SecurityCenter.key using text editor in one session and the remote SecurityCenter.key file in a 2nd session. Copy and paste the contents, then save the remote file. Repeat with the .crt file.
Option 2 - Adding new files
```bash
# Add the 2 new files to `/opt/sc/support/conf` which should be owned by the `tns` user and group and have 0640 permissions.
chown tns:tns /opt/sc/support/conf/SecurityCenter.crt
chown tns:tns /opt/sc/support/conf/SecurityCenter.key
chmod 640 /opt/sc/support/conf/SecurityCenter.crt
chmod 640 /opt/sc/support/conf/SecurityCenter.key
Once the files are ready, restart the Security Center service to apply the new certificate.
systemctl restart SecurityCenter