Tenable.sc automated Plugin Updates in Airgapped or otherwise Offline Environments

If you ever need to deploy Tenable.sc in an airgapped or otherwise offline environment and need guidance on how to implement automated plugin updates, this is the right blog post for you!

Prerequisite

Note that you will require a valid Tenable.sc subscription and with that comes:

  • A license file matching the hostname of your Tenable.sc host – which can be applied via the normal admin webinterface or during the setup wizard without any internet connectivity
  • A plugin activation code which you do not apply in the Tenable.sc admin interface in an offline setup. Make sure not to activate the key (for example by temporarily connecting the SC to the internet), as an already activated key will not let you download the plugins via the Offline Download Website!

Plugin Download

Downloading the plugins is rather straightforward. On the internet-facing side of your airgap you can automate the download of the plugins quite easily using curl or wget, following the documentation provided by Tenable:

https://docs.tenable.com/tenablesc/Content/OfflineNessusPluginUpdate.htm

And make sure to use the correct download URLs also documented here:

https://community.tenable.com/s/article/How-to-Download-md5-Checksums-for-Offline-Plugin-Update-Files

If you are using the Tenable Core appliance do not be discouraged by the following paragraph in the documentation:

https://docs.tenable.com/tenablesc/Content/OfflineNessusPluginUpdate.htm

If you are on the Tenable Core appliance, you can just scp the most recent CentOS 7 Nessus installer to the appliance and follow the steps provided in the documentation.

This procedure is only to generate a challenge code which is probably used to sign the Plugin Package so it will only work on the intended system – probably to prevent License violations.

Data Transfer over Airgap

The mechanism to transfer the Plugin and SC Feed tar.gz files is not part of this article. Use whatever Data Transfer you have in place to either:

  • Place the plugin Update files on the Tenable.sc underlying System itself – or
  • Place the plugin Update files on any System that can reach the API of Tenable.sc

Applying the Plugin Updates to SC

There are multiple ways to script the upload and processing of the plugins in Tenable.sc:

1. Update the Plugins via CLI / PHP

Probably the easiest way is to apply the updates from a scheduled cron job via simple php executions in a shell script:

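#!/bin/bash
# Run each update as the tns user. A bare "su - tns" line would open an
# interactive shell, and the following lines would only run (as root) after it exits.
su - tns -c "/opt/sc/support/bin/php /opt/sc/src/tools/pluginUpdate.php /tmp/sc-plugins-diff.tar.gz"
su - tns -c "/opt/sc/support/bin/php /opt/sc/src/tools/feedUpdate.php /tmp/SecurityCenterFeed48.tar.gz"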

For this, the plugin files obviously have to reside on the system that Tenable.sc is installed on, or be otherwise accessible from that system via a mounted share or similar! The same of course applies to Passive and LCE / Event update files if you are on SCCV!

A successful plugin update will look like this in the Tenable.sc log:

Note that you will not get an auth / login event, as no user login is performed this way!

2. Update the Plugins via API using the pyTenable API wrapper script

If you want to use the API to upload the Plugins I recommend you use the pyTenable API Wrapper which will allow you to use a fairly simple python script:

#!/usr/bin/env python
import logging

from tenable.sc import TenableSC

# Debug logging shows each API request and response
logging.basicConfig(level=logging.DEBUG)

sc = TenableSC('172.16.121.133')
sc.login('admin', 'password')

# Active (Nessus) plugin update
with open('sc-plugins-diff.tar.gz', 'rb') as plugfile:
    sc.feeds.process('active', plugfile)

# Tenable.sc feed update: this file uses the 'sc' feed type, not 'active'
with open('SecurityCenterFeed48.tar.gz', 'rb') as feedfile:
    sc.feeds.process('sc', feedfile)

No, these are not the IP, username, and password of a productive Tenable.sc system! :) Also, rather use API keys now that they are available in Tenable.sc as well:

https://pytenable.readthedocs.io/en/stable/sc.html

https://docs.tenable.com/tenablesc/Content/EnableAPIKeys.htm

A successful active plugin update with the above debug logging activated will look like this:

and it will look like this in the Tenable.sc log:

Note that the API script will perform a login and thus log an auth event!

Using the API you can choose to call the API either from the Tenable.sc machine itself (including the Tenable Core Appliance, which comes with python preinstalled) or perform the API call from a different system – for example a central update system in your airgapped environment.
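As an added example (not code from the original post or from Tenable), the script below checks each transferred file against the md5 checksum fetched on the internet side before uploading it with API keys instead of a password. It assumes a pyTenable release whose TenableSC constructor accepts access_key and secret_key, that the first token of the checksum file is the hex digest, and the hypothetical environment variables SC_ACCESS_KEY and SC_SECRET_KEY. The md5 comparison catches files damaged or truncated during the airgap transfer.

```python
#!/usr/bin/env python3
import hashlib
import os

# File names as used on this page, mapped to pyTenable feed types.
FEED_TYPES = {
    'sc-plugins-diff.tar.gz': 'active',
    'SecurityCenterFeed48.tar.gz': 'sc',
}


def md5_of(path):
    """Hash the file in 1 MiB chunks so large archives are not loaded at once."""
    digest = hashlib.md5()
    with open(path, 'rb') as fobj:
        for chunk in iter(lambda: fobj.read(1 << 20), b''):
            digest.update(chunk)
    return digest.hexdigest()


def verify_feed_file(path, checksum_text):
    """Return the feed type for a transferred file, or raise ValueError.

    checksum_text is the content of the md5 file fetched on the internet side;
    assumption: its first whitespace-separated token is the hex digest.
    """
    name = os.path.basename(path)
    if name not in FEED_TYPES:
        raise ValueError('unexpected feed file: ' + name)
    tokens = checksum_text.split()
    if not tokens or md5_of(path) != tokens[0].lower():
        raise ValueError('md5 mismatch, not uploading: ' + name)
    return FEED_TYPES[name]


def upload_feeds(host, files):
    """files maps path -> checksum text. Nothing is uploaded unless all verify."""
    from tenable.sc import TenableSC  # imported late: verification needs no pyTenable
    verified = [(path, verify_feed_file(path, text)) for path, text in files.items()]
    # API keys come from the environment (hypothetical variable names), so no
    # password sits in the script or in the cron definition.
    sc = TenableSC(host,
                   access_key=os.environ['SC_ACCESS_KEY'],
                   secret_key=os.environ['SC_SECRET_KEY'])
    for path, feed_type in verified:
        with open(path, 'rb') as fobj:
            sc.feeds.process(feed_type, fobj)
    return [feed_type for _, feed_type in verified]
```
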

Getting pyTenable and dependencies on the Airgapped Tenable.sc System

Next Step – how to get pyTenable and its dependencies onto the airgapped Tenable.sc host?

Luckily the Tenable Core Appliance comes with pip3 and python3 preinstalled, so it's rather simple:

First we use any internet connected Linux or macOS System with python3 and pip3 installed to download pyTenable and all of its dependencies and package it into a tar.gz file:

mkdir wheelhouse && pip3 download pytenable -d wheelhouse
tar -zcf wheelhouse.tar.gz wheelhouse

Which should look like this:

Now transfer the wheelhouse.tar.gz file to the Tenable Core Appliance (or any other Tenable.sc CentOS installation with pip3) and install the pip3 packages offline with:

tar xzf wheelhouse.tar.gz
pip3 install wheelhouse/*

Which in turn should look like this:

et voilà – now you can use pyTenable on the Core Appliance:

There is probably no point in doing all of this for only a simple plugin update as the php cli way explained above will only take one line and everything is already there on the Core appliance.

However, if you want to do more complex automation on the airgapped Tenable.sc host, like automatically importing .nessus scan result files from Nessus scanners that are not directly connected, then a python script can make sense at some point.

Conclusion

With these simple steps you can ensure that an offline Tenable.sc system is receiving scheduled Plugin Updates automagically!

I hope this helped at least one person out there! Have fun!

About SebastianB
