Getting Tenable.SC working with Nessus Agents

What do Nessus Agents do

Nessus Agent is a lightweight piece of software that You can install on a host to do patch management and vulnerability/compliance checking with out having some central server with credentials logging into every machine you have. For example the Nessus Credentialed scans. Instead the agent software just reports back to the central server and keeps polling to see if any commands have been given.

Nessus Agent can run patch level/vulnerability scan/malware scan or configuration compliance checks.

Requirements

I assume that when thinking about Nessus Agent based scans with Tenable.sc You already have a Tenable.SC license and working installation.

Tenable.SC needs to have access to the TCP port 8834 on the Nessus Manager.

Nessus Manager preferrably has internet access to download updates and activate the license.

Nessus Agents need access to the TCP port 8834 on the Nessus Manager.

Licensing hassle

In order to get Nessus Agents info into Tenable.SC there are some extra steps You need to take besides the Tenable.SC and Nessus Scanner installation. You actually also need to install Nessus Manager to get Agents working. Regular Nessus scanners haven’t got the ability to work with Agents.

To actually get Nessus Manager, it turned out to be a bit of a hassle. As it turns out, although the software comes with the Tenable.SC license, You actually need to ask for it separately. After a short e-mail exchange with support and some signed documents later, You will actually get Nessus Manager license added to your Tenable account.

The installation

After You get the license key, download the regular “Tenable Core + Nessus” software from https://www.tenable.com/downloads/tenable-appliance and install the VM. The install will be the same as for regular Nessus Scanner.

After having set up the VM open Your web browser and go to the appliance web page https://nessus-manager-ip-here:8834/, then the wizard will open. From there select Nessus Manager instead of Nessus Scanner and insert the license key when prompted. The setup will also ask for you to create an account for you self.. It will take a while for the wizard to download and compile all the needed components. After it completes you have a ready working Nessus Manager.

After the wizard completes, login to the the Appliance with the account You created during the wizard. First thing You need to do is create a “group” for the agents. IE for your web servers call it “Web Servers” or for Client PC’s call it “Client PC’s”. After having created the groups you now can proceed to linking your Agents.

To install the agents first You need to download the proper Agent software from https://www.tenable.com/downloads/nessus-agents. Installation is quite straight forward. As an example on a 64bit Centos7 machine, it would go like this:

  • Copy the Agent to the machine
  • Elevate privileges to root or use sudo
  • Install the agent by issuing the “rpm -i NessusAgent-7.5.1-es7.x86_64.rpm” command. You should get the following output:
    warning: NessusAgent-7.5.1-es7.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 1c0c4a5d: NOKEY
    You must first start Nessus Agent by typing /bin/systemctl start nessusagent.service
    To link this agent to the Nessus Manager, use the ‘/opt/nessus_agent/sbin/nessuscli agent’ command.
    Type ‘/opt/nessus_agent/sbin/nessuscli agent help’ for more info.

Next you need to link Your agent to the Nessus Manager. In order to do that copy the “Linking Key” from Nessus Manager, which can be found at the Agents page in the “Linked Agents” section. After having found the key you can create your linking command on your client. Which is looks something like this:
/opt/nessus_agent/sbin/nessuscli agent lin/opt/nessus_agent/sbin/nessuscli agent link –key=”your-linking-key” –host=”your-nessus-manager-address” –port=8834 –groups=”Web Servers”

After issuing the previous command on the client it should now show up in the linked agents list where You got the linking key from. After having linked the agent to the manager you also need to start the service as was mentioned in the output from the rpm.

It will take a bit of time for the agent to come online. I initially thought something was broken. But it actually took ~5min for the client to go into the “initializing state” for a bitand then again offline. But after being in the initializing state the list started showing some more inf about the client, not only IP address. After that it stay’s offline again for some time, for me it was something like 15-20min and then the host started showing up as online. During that period might as well link the Nessus Manager and Tenable.SC.

Linking Nessus Manager and Tenable.SC goes is the same as with regular Nessus Scanner.

Running your first Agent scan

After having linked Your agents to Nessus Manager and Nessus Manager to Tenable.SC You can now define and run Agent scans.

Unlike how scanning works with Tenable.SC and Nessus Scanner, the agent scan needs to be defined and run on Nessus Manager instead. Tenable.SC only imports the reports actually although the button says run scan.

So you need to log in to Nessus Manager and under scans you should create a new scan. For every scan you need to select a group that the scan gets run on and also the interval if you want it to be a recurring one.

5 Comments

  1. Have you been successful at installing a Nessus Agent on the Nessus Manager, so it can be scanned, as well? I am on a RHEL 6 server and am struggling. The agent initializes, then goes offline.

    • Huxx

      November 11, 2020 at 09:40

      To scan a Manager you don’t actually need to install an agent on the same machine and link it. Not to waste resources, I used the manager appliance to be a regular scanner also and running a regular “basic network scan” targeting the Manager machine (assuming that it is the designated scanner for that subnet) will actually end up giving you all the package/patch level info just like an agent scan would.

      • Unfortunately, I have a requirement to install nessus agents on all servers. So I can’t just scan them with the traditional credentialed scans. I need agent scans.

        • Huxx

          November 23, 2020 at 20:10

          I didn’t mean a credentialed scan. The Nessus Manager itself seems to act almost as an Agent when you target that specific host itself with a regular network scan using the “Basic Network Scan” policy.

  2. Thank you for this post, as you know Tenable’s documentation isn’t always the best.

Leave a Reply

Your email address will not be published. Required fields are marked *