If you ever need to deploy Tenable.sc in an airgapped or otherwise offline environment and need guidance on how to implement automated plugin updates, this is the right blog post for you!
Note that you will require a valid Tenable.sc subscription and with that comes:
- A license file matching the hostname of your Tenable.sc host, which can be applied via the normal admin web interface or during the setup wizard without any internet connectivity
- A plugin activation code, which you do not apply in the Tenable.sc admin interface in an offline setup. Make sure not to activate the key (for example by temporarily connecting Tenable.sc to the internet), as an already activated key will not let you download the plugins via the Offline Download Website!
Downloading the plugins is rather straightforward. On the internet-facing side of your airgap you can automate the download of the plugins quite easily using curl or wget, following the documentation provided by Tenable:
And make sure to use the correct download URLs also documented here:
If you are using the Tenable Core appliance, do not be discouraged by the following paragraph in the documentation:
You can just scp the most recent CentOS 7 Nessus installer to the Core appliance and follow the steps provided in the documentation there as well.
This procedure only generates a challenge code, which is probably used to sign the plugin package so that it will only work on the intended system, probably to prevent license violations.
Data Transfer over Airgap
The mechanism to transfer the Plugin and SC Feed tar.gz files is not part of this article. Use whatever Data Transfer you have in place to either:
- Place the plugin Update files on the Tenable.sc underlying System itself – or
- Place the plugin Update files on any System that can reach the API of Tenable.sc
Applying the Plugin Updates to SC
There are multiple ways to script the upload and processing of the plugins in Tenable.sc:
1. Update the Plugins via CLI / PHP
Probably the easiest way is to apply the updates from a scheduled cron job via simple PHP executions in a shell script:
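    #!/bin/bash
    # Run each update tool as the tns user. A bare "su - tns" line in a script
    # opens an interactive shell, and the following lines would then run as root.
    su - tns -c '/opt/sc/support/bin/php /opt/sc/src/tools/pluginUpdate.php /tmp/sc-plugins-diff.tar.gz'
    su - tns -c '/opt/sc/support/bin/php /opt/sc/src/tools/feedUpdate.php /tmp/SecurityCenterFeed48.tar.gz'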
For this, the plugin files obviously have to reside on the system that Tenable.sc is installed on, or otherwise be accessible from that system via a mounted share or similar! The same of course applies to Passive and LCE / Event update files if you are on SCCV!
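One way to tie the transfer step to the CLI update above, as an added example that is not part of the original post: the download host writes a SHA-256 manifest, and the airgapped side refuses any file that is missing from it, does not match it, or is not a readable archive. The manifest name SHA256SUMS, the script name and the drop directory are assumptions.

```bash
#!/bin/bash
# Added example: cron-ready offline update that refuses files which do not
# match the SHA-256 manifest written on the download host.
# Assumptions: the manifest name SHA256SUMS, the script name and the drop
# directory are illustrative; tool paths and feed file names are from this post.
PHP=/opt/sc/support/bin/php
TOOLS=/opt/sc/src/tools

# Internet-facing side: record hashes right after the download.
make_manifest() {    # $1 = directory holding the downloaded *.tar.gz files
    ( cd "$1" && sha256sum -- *.tar.gz > SHA256SUMS )
}

# Airgapped side: succeed only if the file is listed, unchanged and a readable archive.
verify_file() {      # $1 = drop directory, $2 = file name
    local want got
    want=$(awk -v f="$2" '$2 == f || $2 == ("*" f) { print $1 }' "$1/SHA256SUMS" 2>/dev/null)
    [ -n "$want" ] || return 1                 # not listed in the manifest
    got=$(sha256sum -- "$1/$2" 2>/dev/null | awk '{ print $1 }')
    [ "$want" = "$got" ] || return 1           # changed or truncated in transit
    tar -tzf "$1/$2" >/dev/null 2>&1           # must be a readable gzip tarball
}

# Verify both files first, then run the update tools as the tns user.
apply_feeds() {      # $1 = drop directory (must be readable by tns)
    local f
    for f in sc-plugins-diff.tar.gz SecurityCenterFeed48.tar.gz; do
        verify_file "$1" "$f" || { echo "refusing $f: verification failed" >&2; return 1; }
    done
    su - tns -c "$PHP $TOOLS/pluginUpdate.php '$1/sc-plugins-diff.tar.gz'" &&
    su - tns -c "$PHP $TOOLS/feedUpdate.php '$1/SecurityCenterFeed48.tar.gz'"
}

# Run only when a drop directory is given, e.g. from cron (hypothetical names):
#   apply-offline-feeds.sh /var/tmp/feed-drop
if [ "$#" -ge 1 ]; then
    apply_feeds "$1"
fi
```

A manifest that travels with the files catches corruption and incomplete copies; to detect deliberate modification in transit, carry the manifest over a separate channel or sign it.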
A successful plugin update will look like this in the Tenable.sc log:
2. Update the Plugins via API using the pyTenable API wrapper script
If you want to use the API to upload the plugins, I recommend you use the pyTenable API wrapper, which allows you to use a fairly simple Python script:
    #!/usr/bin/env python3
    import logging

    from tenable.sc import TenableSC

    logging.basicConfig(level=logging.DEBUG)

    sc = TenableSC('172.16.121.133')
    sc.login('admin', 'password')

    # Active plugin package
    with open('sc-plugins-diff.tar.gz', 'rb') as plugfile:
        sc.feeds.process('active', plugfile)

    # The Tenable.sc feed package is processed with the 'sc' feed type
    with open('SecurityCenterFeed48.tar.gz', 'rb') as plugfile:
        sc.feeds.process('sc', plugfile)
No, these are not the IP, username and password of a production Tenable.sc system! :) Also, rather use API keys now that they are available in Tenable.sc as well:
A successful active plugin update with the above debug logging activated will look like this:
and it will look like this in the Tenable.sc log:
Using the API, you can choose to call it either from the Tenable.sc machine itself (including the Tenable Core appliance, which comes with Python preinstalled) or from a different system, for example a central update system in your airgapped environment.
Getting pyTenable and dependencies on the Airgapped Tenable.sc System
Next Step – how to get pyTenable and its dependencies onto the airgapped Tenable.sc host?
Luckily the Tenable Core appliance comes with pip3 and python3 preinstalled, so it's rather simple:
First we use any internet connected Linux or macOS System with python3 and pip3 installed to download pyTenable and all of its dependencies and package it into a tar.gz file:
    mkdir wheelhouse && pip3 download pytenable -d wheelhouse
    tar -zcf wheelhouse.tar.gz wheelhouse
Which should look like this:
Now transfer the wheelhouse.tar.gz file to the Tenable Core Appliance (or any other Tenable.sc CentOS installation with pip3) and install the pip3 packages offline with:
    tar xzf wheelhouse.tar.gz
    pip3 install wheelhouse/*
Which in turn should look like this:
Et voilà, now you can use pyTenable on the Core appliance:
There is probably no point in doing all of this for only a simple plugin update, as the PHP CLI way explained above only takes one line and everything is already there on the Core appliance.
However, if you want to do more complex automation on the airgapped Tenable.sc host, like automatically importing .nessus scan result files from Nessus scanners that are not directly connected, then a Python script can make sense at some point.
With these simple steps you can ensure that an offline Tenable.sc system is receiving scheduled Plugin Updates automagically!
I hope this helped at least one person out there! Have fun!