Nessus is a security scanner used to detect security vulnerabilities in hardware and software.
This document presents the steps to:
- install Nessus
- perform Nessus scans
- export Nessus scan results
1. Background
Tenable Nessus is a licensed third-party tool. Please see the following resources to learn more about Nessus:
2. Before you begin
Workstation
- The bootstrapper (te-bf), or equivalent operator accessible workstation, is required to host Nessus.
Access required
Follow IAM-R0005:
- Obtain a cluster admin role for each target cluster.
Follow IAM-R0004:
- Generate the KUBECONFIG for each target cluster.
Tools required
- kubectl
- ssh-keygen
Software
- A Nessus installer compatible with your workstation OS is required. Obtain the installer from https://www.tenable.com/downloads/nessus and transfer it to the Nessus workstation before continuing.
Licensing
- A single Tenable Nessus license (Pro, Export or Manager) activation code is required. If you don't have a license activation code, reach out to your team POC for third party licensing / software bill of materials.
3. Install Nessus
This section covers steps to install Nessus on the Nessus workstation.
If Nessus is already installed and activated then this section should be skipped.
If Nessus is no longer available (for example it was installed on a machine which no longer exists) then the license used to activate the prior instance of Nessus must be reset before continuing.
Export the path to the Nessus installer:
NESSUS_INSTALLER=
Install Nessus with dpkg (root privileges are required):
sudo dpkg -i ${NESSUS_INSTALLER:?}
Restart Nessus and confirm that it's running:
sudo systemctl restart nessusd
sudo systemctl status nessusd
Get the challenge code needed to register Nessus offline:
/opt/nessus/sbin/nessuscli fetch --challenge
On an internet connected machine, visit the Nessus offline activation page https://plugins.nessus.org/v2/offline.php.
Paste the challenge code from the previous step and the Nessus license activation code into the Nessus offline activation page and press "Submit".
The Nessus offline activation page should now show a Nessus plugin URL and a product license. Both of these values are needed for the next steps.
Save the Nessus plugin URL to a safe location for future reference, as it will be needed later in this guide.
Save the license from the Nessus offline activation page to the Nessus workstation in a file named /opt/nessus/etc/nessus/nessus.license
Apply the license to Nessus:
/opt/nessus/sbin/nessuscli fetch --register-offline /opt/nessus/etc/nessus/nessus.license
Create an admin user:
/opt/nessus/sbin/nessuscli adduser
Follow the prompts to create an admin user; when asked whether the user should be a Nessus system administrator, answer yes. These credentials will later be used to perform scans and download results, so save them in a safe place.
While Nessus is running, its web interface is accessible on port 8834. Using your browser of choice, navigate to https://<nessus-workstation-ip>:8834 and log in as the admin user. Expect a certificate warning on the first connection, since Nessus ships with a self-signed certificate.
4. Update Nessus plugins
The latest Nessus plugins must be downloaded and applied to Nessus before running scans to ensure the scan results are relevant and up to date. The Nessus plugins must be obtained from Tenable directly by using the Nessus plugin URL obtained from the Nessus offline activation page.
Obtain the plugin bundle.
Option 1: Navigate to the Nessus plugin URL using your browser of choice and the bundle will be automatically downloaded.
Option 2: Download the bundle using wget
wget "${PLUGIN_URL:?}" -O plugin-updates.tar.gz
Transfer the plugin bundle to the Nessus workstation and export the location of the file:
NESSUS_PLUGIN_BUNDLE=
Apply the plugin updates to Nessus:
/opt/nessus/sbin/nessuscli update ${NESSUS_PLUGIN_BUNDLE:?}
Plugin updates take ~30 minutes to finish compiling. The next steps to create scans can be followed while this happens, but hold off on launching the scans until the plugins have finished compiling.
5. Configure Nessus scans
Scans need to be created for each unique combination of target class and credential. This section walks through how to create the needed scans through the Nessus UI.
Before continuing, confirm access to the Nessus UI at https://<nessus-workstation-ip>:8834 and log in as the admin user.
5.1. Collect network CIDRs
Nessus scans are created to scan the external and internal network CIDRs for the environment.
Collect the external and internal network CIDRs for the target appliance network. These ranges should not overlap with a neighboring environment; otherwise the scan will reach hosts that are out of scope.
The IP ranges will likely include the bootstrapper IP or other IPs which should not be scanned. Run the commands below for each IP which should not be scanned (eg the bootstrapper IP). Use CIDR notation (a /32 for a single host). The rules file is owned by root, and nessusd reads it at startup, so restart nessusd as in section 3 after editing it:
IGNORE_IP=
IGNORE_IP_REASON=
echo "# ${IGNORE_IP_REASON:?}" | sudo tee -a /opt/nessus/etc/nessus/nessusd.rules
echo "reject ${IGNORE_IP:?}" | sudo tee -a /opt/nessus/etc/nessus/nessusd.rules
5.2. Host discovery scans
Network discovery scans are unauthenticated and are meant to sweep a network for targets and insecure network exposures.
This scan will be configured to scan the external and internal network CIDRs identified in the previous section.
In the Nessus UI:
- Create a host discovery scan called host-discovery
- Specify Hosts: both external and internal CIDRs
- Save and launch
5.3. Node OS scans
Node scans are authenticated and meant to inspect critical operating systems for known vulnerabilities, insecure configuration, and compliance.
Work through this section for both the root admin and root system clusters:
Export the cluster kubeconfig:
KUBECONFIG=
List all the cluster nodes:
kubectl --kubeconfig=${KUBECONFIG:?} get nodes -o wide
Note the column which shows the data IP for each node. Double check that the data IP is accessible from the Nessus workstation with ping before continuing.
ping <node_data_ip>
In the Nessus UI, start creating an "Advanced scan" with the name nodeos-compliance-<cluster_name>
In the advanced scan, fill the hosts field with a comma separated list of all the node data IPs listed above
Follow Appendix: Add cluster node SSH Credentials to add scan credentials.
Navigate to the compliance tab and choose the latest available revision of "DISA STIG Ubuntu 20.04 v1". Save the compliance config as is without making any changes to the default values.
Save the scan configuration and launch the scan.
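Building the Hosts value by hand is where targets get mistyped or a rejected IP slips back in. The helper below is an added example (not part of the original guide) that takes the node IPs, drops any that nessusd.rules rejects, pings the rest, and prints the comma-separated string the Hosts field expects. It assumes a NESSUS_RULES path variable, Linux ping (-W is a timeout in seconds), and that the node "data IP" is what kubectl reports as the InternalIP address; check that against the get nodes -o wide output before relying on the jsonpath shown in the usage comment.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: produce the "Hosts" value for the node OS scan.
NESSUS_RULES="${NESSUS_RULES:-/opt/nessus/etc/nessus/nessusd.rules}"   # assumed variable
NESSUS_PING="${NESSUS_PING:-1}"                                        # set to 0 to skip ping

# is_rejected IP -> 0 if nessusd.rules has "reject IP" or "reject IP/32"
is_rejected() {
  local esc
  [ -f "$NESSUS_RULES" ] || return 1
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')     # make the dots literal for grep -E
  grep -Eqx "reject $esc(/32)?" "$NESSUS_RULES"
}

# nessus_hosts IP... -> prints "ip1,ip2,..." of scannable nodes;
# returns 1 if any non-rejected node did not answer ping
nessus_hosts() {
  local ip list="" bad=0
  for ip in "$@"; do
    if is_rejected "$ip"; then
      echo "skipping $ip: rejected by $NESSUS_RULES" >&2
      continue
    fi
    if [ "$NESSUS_PING" = 1 ] && ! ping -c 1 -W 2 "$ip" >/dev/null 2>&1; then
      echo "unreachable from this workstation: $ip" >&2
      bad=1
      continue
    fi
    list="${list:+$list,}$ip"
  done
  printf '%s\n' "$list"
  [ "$bad" -eq 0 ]
}

# Usage (assumes the data IP is the InternalIP address in the node status):
#   nessus_hosts $(kubectl --kubeconfig="${KUBECONFIG:?}" get nodes \
#     -o jsonpath='{range .items[*]}{.status.addresses[?(@.type=="InternalIP")].address}{" "}{end}')
if [ "$#" -gt 0 ]; then
  nessus_hosts "$@"
fi
```

A non-zero exit means at least one node was unreachable; fix the routing (or the rules file) before pasting the list into the scan rather than launching a 30-minute scan that silently misses a node.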
5.4. Take a break
The scans should take 30+ minutes to finish. Now is a good time to take a break or do something else until they are completed.
6. Export scan results
This section walks through the process to export scan results.
Follow the steps below for each completed scan to download the results.
Select the completed scan to review its results.
Click the "Report" button in the upper right.
Choose Report Format CSV and select all columns.
Click "Generate Report". After a short delay the report should be downloaded.
(Optional) If an HTML report is also required, instead choose Report Format HTML and whichever Report Template seems reasonable. The recommended report template is "Detailed Vulnerabilities By Plugin with Compliance/Remediation".
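Clicking through the Report dialog for every scan does not scale once there are several clusters. The script below is an added example, not part of the original guide, that performs the same CSV export through the Nessus REST API: POST /scans/{id}/export to request the report, GET /scans/{id}/export/{file}/status until it is ready, then GET /scans/{id}/export/{file}/download. It assumes NESSUS_URL, NESSUS_ACCESS_KEY and NESSUS_SECRET_KEY environment variables (the key pair is generated for the admin user in the Nessus UI), uses curl -k because of the default self-signed certificate, and does not reproduce the UI's "select all columns" choice: the request body only sets the format, so the column set is whatever Nessus uses by default for API exports.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: scripted CSV export of a completed Nessus scan.
# Assumed environment: NESSUS_URL (e.g. https://<nessus-workstation-ip>:8834),
# NESSUS_ACCESS_KEY and NESSUS_SECRET_KEY (an API key pair for the admin user).
NESSUS_URL="${NESSUS_URL:-https://localhost:8834}"

# json_field KEY JSON -> value of a top-level field; sufficient for the small replies used here
json_field() {
  printf '%s' "$2" \
    | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\([^,}]*\).*/\1/p" \
    | tr -d '" '
}

# nessus_api METHOD PATH [JSON_BODY] -> prints the response body.
# -k accepts the self-signed certificate Nessus ships with; switch to --cacert once the
# workstation has a certificate you trust.
nessus_api() {
  local method="$1" path="$2" body="${3:-}"
  set -- -ksS -X "$method" "$NESSUS_URL$path" \
    -H "X-ApiKeys: accessKey=${NESSUS_ACCESS_KEY:?}; secretKey=${NESSUS_SECRET_KEY:?}" \
    -H 'Content-Type: application/json'
  [ -n "$body" ] && set -- "$@" --data "$body"
  curl "$@"
}

# nessus_export_csv SCAN_ID OUTFILE -> request the export, wait until built, download it
nessus_export_csv() {
  local scan_id="$1" out="$2" resp file status tries=0
  resp=$(nessus_api POST "/scans/$scan_id/export" '{"format":"csv"}')
  file=$(json_field file "$resp")
  [ -n "$file" ] || { echo "export request failed: $resp" >&2; return 1; }
  # report generation is asynchronous: status stays "loading" until it becomes "ready"
  while :; do
    status=$(json_field status "$(nessus_api GET "/scans/$scan_id/export/$file/status")")
    [ "$status" = ready ] && break
    tries=$((tries + 1))
    [ "$tries" -lt 60 ] || { echo "timed out waiting for export $file (status: $status)" >&2; return 1; }
    sleep 5
  done
  nessus_api GET "/scans/$scan_id/export/$file/download" > "$out"
  echo "wrote $out"
}

# Usage: nessus-export.sh <scan_id> <outfile>; scan ids are listed by: nessus_api GET /scans
if [ "$#" -eq 2 ]; then
  nessus_export_csv "$1" "$2"
fi
```

Treat the API keys like the admin password: they grant the same access to scan results and credentials, so keep them out of shell history and scan logs.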
7. Next steps
The resulting CSV / HTML reports must be processed according to your environment security processes. When in doubt, reach out to a SecOps or Compliance POC for further instruction.
8. Appendix
8.1. Add cluster node SSH Credentials
This section walks through the process to obtain a set of ssh credentials for Nessus to scan the nodes of a target cluster.
Export the cluster kubeconfig:
KUBECONFIG=
List the cluster SSH keys:
kubectl --kubeconfig=${KUBECONFIG:?} get -A secret | grep ssh-key
Identify the namespace of the "ssh-key" secret corresponding to the target cluster and export the namespace:
CLUSTER_NS=
Create a Nessus ssh directory:
NESSUS_FOLDER=nessus
mkdir -p ${NESSUS_FOLDER}/.ssh
Export the ssh key pair to the Nessus ssh directory:
kubectl --kubeconfig=${KUBECONFIG:?} get -n ${CLUSTER_NS:?} secret/ssh-key -o jsonpath='{ .data.id_rsa }' | base64 -d > ${NESSUS_FOLDER}/.ssh/nessus-${CLUSTER_NS}-id_rsa
kubectl --kubeconfig=${KUBECONFIG:?} get -n ${CLUSTER_NS:?} secret/ssh-key -o jsonpath='{ .data.id_rsa-cert\.pub }' | base64 -d > ${NESSUS_FOLDER}/.ssh/nessus-${CLUSTER_NS}-id_rsa-cert.pub
Fix the permissions of the key pair:
chmod 600 ${NESSUS_FOLDER}/.ssh/nessus-${CLUSTER_NS}-id_rsa
chmod 600 ${NESSUS_FOLDER}/.ssh/nessus-${CLUSTER_NS}-id_rsa-cert.pub
Convert the private key to pem format with an empty passphrase:
ssh-keygen -p -m PEM -f ${NESSUS_FOLDER}/.ssh/nessus-${CLUSTER_NS}-id_rsa
Successful output should look something like the following:
Key has comment 'root@te-bd-bootstrapper'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
Transfer nessus-<cluster>-id_rsa and nessus-<cluster>-id_rsa-cert.pub to the workstation used to access the Nessus UI. The private key is now unencrypted and grants root on every node, so keep it at mode 600 in transit and delete both files from that workstation once they have been uploaded to Nessus.
In the Nessus UI, go to the scan settings Credentials tab.
Create a new SSH credential and choose "certificate" for the authentication method.
Provide the following settings to the certificate ssh authentication method:
- Username: "root"
- User Certificate: Add file nessus-<cluster>-id_rsa-cert.pub
- Private key: Add file nessus-<cluster>-id_rsa
Save the SSH settings.
Return to where this section was referenced.