Automate offline Tenable plugin updates

Today we are going to work on something related to vulnerability management, but from the tool manager's side of the job: keeping everything up to date and properly configured so analysts can do their work. If you have a Vulnerability Management infrastructure with Tenable.sc that is air gapped, you will need to update plugins offline.

Air gapped networks

When your Tenable.sc server is connected to the internet, everything is easy and smooth, but if that is not an option because you are in a network where internet connectivity is not allowed, then you need to automate the process; otherwise it’s a pain to download the plugins manually and then load them by hand in the Tenable.sc GUI.

The most efficient way I found is to first download them from Tenable’s servers, then make them available on a web server inside the air gapped network. From there a bash script scheduled with CRON can download them and load them into your server automatically.

Download plugins

To get the download URLs for the Tenable plugins, you can either register a Nessus scanner offline, or run a diagnostic report on Tenable.sc, which also gives you the parameters needed. Both options are described below.

Register Nessus Offline

If you install a new scanner, select Offline at the registration step and copy the challenge code.

Challenge Code

If you have your scanner installed and registered already, open a terminal in the Nessus scanner and run this command:

nessuscli fetch --challenge

This will give you a challenge code that you have to copy and paste on this page.

You get back the license and the download link, which is what we are looking for.

URL

It will be something like this:

https://plugins.nessus.org/get.php?f=all-2.0.tar.gz&u=3f09asdf0934…

Edit 05/03/2022: The URL shown on the site is not the correct one for downloading Tenable.sc plugins, only Nessus plugins. From it we are only interested in the user (u) and password (p) parameters. The correct URL starts with: https://plugins.nessus.org/get.php

Save that, as it is the URL you’ll use to download all the plugin files you need.

Diagnostic report in Tenable.sc

  1. Login to Tenable.sc as administrator.

  2. Go to System > Diagnostics.

  3. Create the Diagnostics file and download it.

  4. Open the zip file and find sc-configuration.txt inside.

  5. Find these 2 values, which are long alphanumeric strings:

PluginSubscriptionLogin

PluginSubscriptionPassword

  6. You can now build the download URL:

https://plugins.nessus.org/get.php?f=all-2.0.tar.gz&u=PluginSubscriptionLogin_value&p=PluginSubscriptionPassword_value

Plugin files

Now, with the URL obtained by one of those 2 methods, we can download the different files we need. For Tenable.sc there are 3 different files:

sc-plugins-diff.tar.gz
SecurityCenterFeed48.tar.gz
all-2.0.tar.gz

To download them just replace the filename in the URL and you’ll get them:

https://plugins.nessus.org/get.php?f=sc-plugins-diff.tar.gz&u=3f09assdf90rg…
https://plugins.nessus.org/get.php?f=SecurityCenterFeed48.tar.gz&u=3f09assdf90rg…
https://plugins.nessus.org/get.php?f=all-2.0.tar.gz&u=3f09asdf0934…

My suggestion would be to create a quick script in Bash or PowerShell on a system connected to the internet to download them daily. Ideally, it would be a system with access to the data diode that transfers files into your air gapped network, or one from which you can move them via external storage. The script can be something like this:

#!/usr/bin/sh
# Download the three Tenable.sc plugin files into the data diode drop folder.
# The URLs contain '&', so they must be quoted or sh treats 'u=...' as a
# separate command. -f makes curl fail on HTTP errors instead of saving an
# error page as the tarball.
curl -f "https://plugins.nessus.org/get.php?f=all-2.0.tar.gz&u=3f09asdf0934…" -o /data_diode/plugins/all-2.0.tar.gz
sleep 3
curl -f "https://plugins.nessus.org/get.php?f=SecurityCenterFeed48.tar.gz&u=3f09assdf90rg…" -o /data_diode/plugins/SecurityCenterFeed48.tar.gz
sleep 3
curl -f "https://plugins.nessus.org/get.php?f=sc-plugins-diff.tar.gz&u=3f09assdf90rg…" -o /data_diode/plugins/sc-plugins-diff.tar.gz

Transfer to air gapped network

Put the 3 files in the air gapped network, ideally on a web server accessible from the Tenable.sc server. You’d want a process that makes this as painless as possible, either via a data diode if that’s allowed or via external storage.

Load plugins in Tenable.sc

Now let’s configure the download and update of plugins in our Tenable.sc. Open a terminal either with SSH or the Tenable Core terminal tab (you’ll need root privileges for this task).

Script to download plugins (run as a normal user):

#!/usr/bin/sh
# Fetch the plugin files from the internal web server. -f makes curl fail on
# HTTP errors, so a missing file does not overwrite a good copy with an error page.

curl -f http://www.repoplace.local/plugins/all-2.0.tar.gz -o /plugins/all-2.0.tar.gz
sleep 3
curl -f http://www.repoplace.local/plugins/SecurityCenterFeed48.tar.gz -o /plugins/SecurityCenterFeed48.tar.gz
sleep 3
curl -f http://www.repoplace.local/plugins/sc-plugins-diff.tar.gz -o /plugins/sc-plugins-diff.tar.gz

Script to load plugins in Tenable.sc (this one needs to be run as root):

#!/usr/bin/sh

# Run as root. The update tool is executed as the tns user, which owns the
# Tenable.sc installation. The paths point to the files written by the
# download script above, so tns must be able to read /plugins.

/bin/su -c "/opt/sc/support/bin/php /opt/sc/src/tools/pluginUpdate.php /plugins/sc-plugins-diff.tar.gz" - tns

/bin/su -c "/opt/sc/support/bin/php /opt/sc/src/tools/pluginUpdate.php /plugins/SecurityCenterFeed48.tar.gz" - tns

My suggestion is to combine both in one script: download and then load the plugins into Tenable.sc. Put the script in CRON to run daily, or every time you put new plugins in the air gapped network, and it will do the job for you 😉.
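As an added example (not the post’s own script), the combined version below fetches the files, checks that each one is a valid gzip archive, and runs pluginUpdate.php only when the file’s checksum changed since the last successful load, so a failed download or a stale file on the web server never triggers a broken or pointless import. The web server name, the /plugins staging directory and the .state directory are assumptions; the Tenable.sc paths are the ones used above.

```shell
#!/usr/bin/sh
# Added example, not the post's own script: fetch the Tenable.sc plugin files
# from the internal web server, refuse anything that fails a gzip integrity
# check, and run pluginUpdate.php only when a file changed since the last load.
# REPO, DEST and STATE are hypothetical; the Tenable.sc paths are the post's.
REPO="http://www.repoplace.local/plugins"
DEST="/plugins"
STATE="$DEST/.state"
SC_UPDATE="/opt/sc/support/bin/php /opt/sc/src/tools/pluginUpdate.php"

# fetch_file NAME: download to a temp name and replace the previous copy only on
# success (-f makes curl fail on HTTP errors instead of saving an error page).
fetch_file() {
    if curl -fsS "$REPO/$1" -o "$DEST/$1.tmp"; then mv "$DEST/$1.tmp" "$DEST/$1"
    else rm -f "$DEST/$1.tmp"; return 1; fi
}

# is_new_archive FILE STATEDIR: succeed only if FILE exists, is a valid gzip
# archive and its sha256 differs from the one recorded at the last load.
is_new_archive() {
    [ -f "$1" ] || return 1
    gzip -t "$1" 2>/dev/null || return 1
    new=$(sha256sum "$1" | cut -d' ' -f1)
    old=$(cat "$2/$(basename "$1").sha256" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# record_loaded FILE STATEDIR: remember the hash of a successfully loaded file.
record_loaded() {
    mkdir -p "$2"
    sha256sum "$1" | cut -d' ' -f1 > "$2/$(basename "$1").sha256"
}

main() {
    mkdir -p "$DEST"
    fetch_file all-2.0.tar.gz || echo "all-2.0.tar.gz download failed" >&2
    for name in sc-plugins-diff.tar.gz SecurityCenterFeed48.tar.gz; do
        fetch_file "$name" || { echo "$name download failed, keeping old copy" >&2; continue; }
        if is_new_archive "$DEST/$name" "$STATE"; then
            # The importer runs as the tns user, so this script needs root.
            /bin/su -c "$SC_UPDATE $DEST/$name" - tns && record_loaded "$DEST/$name" "$STATE"
        else
            echo "$name unchanged or not a valid archive, skipping load"
        fi
    done
}

# Run the pipeline only when executed as sc_plugin_update.sh, so the functions
# can be sourced (or tested) without touching the network or Tenable.sc.
if [ "$(basename "$0")" = "sc_plugin_update.sh" ]; then main; fi
```

Save it as sc_plugin_update.sh and schedule it from root’s crontab; all-2.0.tar.gz is only downloaded, since it is the file the Nessus scanners need rather than Tenable.sc.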

If you have your Nessus scanners managed by Tenable.sc, then after a few minutes of processing they will update plugins automatically from your Tenable.sc server. However, this process can fail if the network latency is high or you have low bandwidth in your connection to some of the scanners. Scans will still work in those conditions, but plugins can fail to transfer automatically.

There is a solution suggested by Tenable, which is increasing the Scanner Timeout settings as you can see here.

You can try that; for me it still didn’t work with high latency connections, or at least not 100% of the time, which is not acceptable if you want a fully unattended process.

The same referenced article explains a way to do an initial push of plugins, but I have a similar method that works for every regular update on any scanner where you have trouble with this.

Nessus plugin update automation

I first set up public key authentication from the Tenable.sc server (or another jump server with SSH access to the Nessus scanners). That way I don’t need passwords in my script.

If you use your Tenable.sc server, you’ll already have downloaded the all-2.0.tar.gz file following the previous steps; if not, set up a similar process to automate downloads to your jump server, only for that file.

Create or copy a small script to run the plugin update locally on the scanner. This is the whole script, just one line; it assumes your user is admin, so change the location according to your environment:

/opt/nessus/sbin/nessuscli update /home/admin/all-2.0.tar.gz

Set this in SUDOERS file to run as root with no password:

admin ALL=(root) NOPASSWD: /home/admin/update_scanner.sh

Where update_scanner.sh is the name of the script mentioned above.

IMPORTANT: change the permissions of ‘update_scanner.sh’ so only root can edit it; otherwise you have a privilege escalation vulnerability if somebody can change the content of the file. Keep in mind that this only helps if the directory holding the script is not writable by admin either, since write access to the directory is enough to replace a root-owned file inside it.

chown root: update_scanner.sh

chmod 750 update_scanner.sh

This is the script that transfers the plugins file (all-2.0.tar.gz) to all scanners and runs the update locally on each of them:

#!/usr/bin/sh

# This is a script to copy plugins to Nessus scanners and then load them
# There are 2 parameters accepted via the command line
# $1 = first parameter (/source_path/source_filename)
# $2 = second parameter (file that contains the list of hosts, one user@host per line)

SOURCEFILE=$1

HOSTFILE=$2

if [ -f "$SOURCEFILE" ]
then
    printf "File found, preparing to transfer\n"
    # -r keeps backslashes in host names literal. ssh -n stops ssh from reading
    # the rest of the host list from stdin (it would otherwise swallow every
    # line after the first); sudo is NOPASSWD for the script, so no tty is needed.
    while read -r server
    do
        [ -z "$server" ] && continue
        scp -p "$SOURCEFILE" "${server}:"
        ssh -n "${server}" "sudo /home/admin/update_scanner.sh"
    done < "$HOSTFILE"
else
    printf "File \"%s\" not found\n" "$SOURCEFILE"
    exit 1
fi
exit 0

Now, prepare a text file listing all scanners that need plugin updates, in this format:

admin@scanner1
admin@scanner2
...

Change the username according to your environment.

Run the script like this:

./transfer_plugins ./all-2.0.tar.gz scanners.txt

Notice that this copies the plugin file to all hosts listed in scanners.txt sequentially. For me that’s OK, as I only have a couple of problematic scanners; if you have many, a parallel transfer would be more efficient. I leave that task to the reader 😉

After a few minutes, depending on the time it takes to send the plugins to the scanner, you should see the scanners as ‘Working’ in the Tenable.sc GUI again.

The last step could be putting all this together in CRON so it runs every time you put new plugins on the web server of your air gapped network.

Conclusion

An air gapped network always means more maintenance work, but with imagination and scripting we can make our life easier and let everything flow without repetitive manual tasks.

This process can easily be adapted to the quarterly updates of the Tenable software; maybe I’ll show you that in a future post.
