Skip to main content

Tenable Nessus

Tenable Nessus is a proprietary vulnerability scanner developed by Tenable. The scanner allows the security team to scan devices and check them against the nessus database that contains thousands of known vulnerabilities and patch them before they are exploited. There are three components to the tenable setup, the server, scanners and the agents.

Access is via the URL https://nessus.hmcts.net/ which is an Azure Entra ID enterprise application called Nessus. (See below for renewing certs)

This runbook will cover the following

  • Tenable environments
  • Deploying agents
  • Verifying agent installation.

This runbook does not cover the finer details of the Terraform bootstrap module.

Environments

There are three environments, Prod, Non-Prod and Sbox, the non-prod VM scalesets reside within the prod resource group.

Production and Non-Production

Subscription: HMCTS-SOC-PROD

Resource Group: soc-tenable-prod-rg

server: tenable-sc-prod-vm00

VM ScaleSets: nessus-scanners-prod / nessus-scanners-nonprod

Sbox

Subscription: soc-tenable-sbox-rg

Resource Group: HMCTS-SOC-SBOX

server: tenable-sc-sbox-vm00

VM ScaleSets: nessus-scanners-sbox

Deploying Agents

The agent is deployed using terraform bootstrap module terraform-module-vm-bootstrap. The module is designed to install to Linux and Windows machines.

The example given below is specific to the Heritage environment.

Steps to setup deployment

module "vm-bootstrap" {
  count  = var.install_splunk_uf == true || var.nessus_install == true ? var.vm_count : 0
  source = "git::https://github.com/hmcts/terraform-module-vm-bootstrap.git?ref=master"

  virtual_machine_type         = "vm"
  virtual_machine_id           = azurerm_virtual_machine.general_purpose_vm[count.index].id
  os_type                      = local.os_type
  nessus_server                = var.nessus_server
  nessus_key                   = var.nessus_key
  nessus_groups                = var.nessus_groups
  install_dynatrace_oneagent   = false
  install_azure_monitor        = false
}
  • Add all the required variables
variable "nessus_install" {
default = false
}

variable "nessus_server" {}

variable "nessus_key_name" {
default = null
}

variable "nessus_groups" {
default = null
}

data "azurerm_key_vault_secret" "nessus_key" {
count    = var.nessus_install ? 1 : 0
provider = azurerm.soc

name         = var.nessus_key_name
key_vault_id = data.azurerm_key_vault.soc_vault[0].id
}
  • Run associated Heritage VM pipeline on Azure DevOps

Verifying Agent Installation

After deployment of the Nessus agent, it will register with the Nessus Manager host inside to the appropriate agent group.

Permissions for PlatOps to access the Nessus Manager is currently being setup by SecOps; until access is enabled, they will confirm the node in the console to validate agent installation and configuration, please contact Ian Knight from SecOps to verify that the agent can be seen on the Tenable Server.

Connect to the Tenable Server

  • Ensure you have JIT access and you are connected to the VPN
  • Get the SSH config from Azure (valid for 1 hour)
az ssh config --resource-group bastion-prod-rg --vm-name bastion-prod --prefer-private-ip --file ./sshconfig Paste into ~/.ssh/config
  • Start port-forwarding/SSH tunnel to Nessus host. To port forward to the Tenable Server, run the following command replacing the variable with the intended IP.
ssh -L 5000:<VM-PRIVATE-IP>:8834 bastion-prod-rg-bastion-prod
  • Go to browser https://localhost:5000

Troubleshooting Agents

Prerequisites

  • Enable JIT access to non-prod or Production Bastion, you can do that here.
  • Connect to F5.

Linux Agents

Check if the agent has deployed correctly

systemctl status 

Remove agent from server

rpm -qa | grep -i NessusAgent
rpm -e NessusAgent-10.1.3-es7.x86_64

Windows Agents

Commands to check Machine connectivity tnc nessus-scanners-nonprod000005.platform.hmcts.net

tnc -port 8834 nessus-scanners-nonprod000005.platform.hmcts.net

Nessus Link commands

Open CMD as an Admin

Cd into C:\Program Files\Tenable\Nessus Agent

Check if the agent is linked to a scanner with the command below

nessuscli agent status

You should see a response similar to output below

C:\Program Files\Tenable\Nessus Agent>nessuscli agent status
Running: Yes
Linked to: nessus-scanners-nonprod000005.platform.hmcts.net:8834
Link status: Connected to nessus-scanners-nonprod000005.platform.hmcts.net:8834
Last successful connection with controller: 10 secs ago
Proxy: None
Plugin set: (null)
Scanning: No (0 jobs pending, 0 smart scan configs)
Scans run today: 0 of 10 limit
Last scanned: Never
Last connect: 1655998378
Last connection attempt: 1655998378
  • https://docs.tenable.com/nessus/Content/NessusCLIAgent.htm#Nessuscli-Commands

  • https://docs.tenable.com/nessus/Content/RemoveNessusAgentLinux.htm

Security Center SSL

Tenables Security Center is hosted on a VM for it’s environment, created using an Azure marketplace image published by Tenable. These VMs have a certificate which can expire, causing a “BadGateway: This corporate app can’t be accessed.” error message. The cert can be quickly checked by opening the Tenables Security Center VM’s IP address via a web browser on a Windows jump box (JBOX01-PROD).

Tenable Security Center also sits behind App Proxy, that uses a wildcard cert. If Security Center is not presenting a valid certificate App Proxy will fail to validate the cert and the user will not be able to access Security Center.

Updating the SSL Certificate

If the Tenables Security Center cert “tenable-sc.platform.hmcts.net” has expired, a new one can be accessed from the key vault acmehmctssocXXXX. It should be valid, as it is automatically refreshed by the Function App acmehmctssocXXXX.

(Link to Cert Generation)[https://hmcts.github.io/ops-runbooks/Certificates/letsencrypt.html]

Security Center requires the certificate in a .crt and .key format but Azure KeyVault it will most likely present it as a single .pfx file which contains both the cert and the key.

After downloading the .pfx file, convert it to a .crt and .key file pair use the following commands:

# Extract the private key.  You may be asked for an Import password, this is blank, so press enter. Then you will be prompted to enter a PEM password. Create something to use in the next two stages but will not need after that.
openssl pkcs12 -in your-certificate-and-key-combined.pfx -nocerts -out keyfile.key


# Decrypt the key, you will be prompted to enter a password, this is the password you entered in the previous step.
openssl rsa -in keyfile.key -out SecurityCenter.key


# Extract the certificate
openssl pkcs12 -in your-certificate-and-key-combined.pfx -clcerts -nokeys -out SecurityCenter.crt

Once you have the .crt and .key files on your machine, you will have to upload them to the Security Center VM. Open an SSH tunnel to the correct environment, then start your SSH connection to the Tenables Security Center VM, via it’s IP address. Authentication is via the https://microsoft.com/devicelogin URL method as MFA is required. Once connected, beware the SSL connection will close if idle for more than 5 minutes.

The files should be placed in the /opt/sc/support/conf directory, use sudo su to gain access.

Option 1 - Update files “`bash

Copy the existing expired cert files

cd /opt/sc/support/conf/ cp SecurityCenter.key SecurityCenter_250424.key cp SecurityCenter.crt SecurityCenter_250424.crt

Add the new cert files by using 2 terminal sessions. Open local SecurityCenter.key using text editor in one session and the remote SecurityCenter.key file in a 2nd session. Copy and paste the contents, then save the remote file. Repeat with the .crt file.


Option 2 - Adding new files
```bash
# Add the 2 new files to `/opt/sc/support/conf` which should be owned by the `tns` user and group and have 0640 permissions.
chown tns:tns /opt/sc/support/conf/SecurityCenter.crt
chown tns:tns /opt/sc/support/conf/SecurityCenter.key
chmod 640 /opt/sc/support/conf/SecurityCenter.crt
chmod 640 /opt/sc/support/conf/SecurityCenter.key

Once the files are ready, restart the Security Center service to apply the new certificate.

systemctl restart SecurityCenter
This page was last reviewed on 24 April 2025. It needs to be reviewed again on 24 April 2026 by the page owner platops-build-notices .
This page was set to be reviewed before 24 April 2026 by the page owner platops-build-notices. This might mean the content is out of date.