Tenable Vulnerability Management® (formerly known as Tenable.io) allows security and audit teams to share multiple Tenable Nessus, Tenable Nessus Agent, and Tenable Nessus Network Monitor scanners, scan schedules, scan policies, and scan results among an unlimited set of users or groups.
Tenable Vulnerability Management can schedule scans, push policies, view scan findings, and control multiple Tenable Nessus scanners from the cloud. This enables the deployment of Tenable Nessus scanners throughout networks to both public and private clouds as well as multiple physical locations.
In this post, I am going to show some basic steps to bring this popular Tenable vulnerability scanning tool into your environment as quickly as I can.
If you need to read more material, please go to the Tenable Docs site, Get Started with Tenable Vulnerability Management. You can use the following getting started sequence to configure and mature your Tenable Vulnerability Management deployment.
- Prepare a Deployment Plan
- Install and Link Scanners
- Configure Scans
- Additional Tenable Vulnerability Management Configurations
- Review and Analyze
- Expand
Diagram
Compare with other Tenable Products
Tenable Security Center (Formerly Tenable.sc)
Essentially, this means that Tenable.sc customers are responsible for the hardware for the entire infrastructure, including data storage. The Tenable Vulnerability Management "console" (and data storage) is hosted in the cloud and is therefore Tenable's responsibility.
Your Tenable.sc is on-prem, with all your Nessus Pro scanners linked to Tenable.sc providing all the remote scanning of your network.
For devices that are not on your network (remote workstations), you need to use Nessus Agents.
Tenable.sc does not directly support Nessus Agents, so you need a collector for your Agent data.
You can either use the older method of having your Nessus Agents communicate with Nessus Manager, which then forwards the data to Tenable.sc, or the modern way of using Tenable.io as your collector, with Tenable.sc then collecting the Agent data from Tenable.io. You do not log in to Tenable.io; you still use Tenable.sc as your console.
Tenable One
- Tenable Vulnerability Management
- Tenable Web App Scanning
- Tenable Cloud Security
- Lumin Exposure View
- Asset Inventory
- Identity Exposure
All products in Tenable One Standard, plus:
- Attack Path Analysis
- Tenable Attack Surface Management
Tenable PCI ASV Scanning
Note: Tenable Vulnerability Management excludes PCI Quarterly External scan data from dashboards, reports, and workbenches intentionally. This is due to the scan’s paranoid nature, which may lead to false positives that Tenable Vulnerability Management would otherwise not detect.
In Tenable PCI ASV, you can create the following scans using scan templates:
- Vulnerability Management Scan using the Internal PCI Network Scan and PCI Quarterly External Scan templates
- Tenable Web App Scanning scan using the PCI template
Install Scanner in On-Prem Windows
Install Scanner in Cloud Environment – Azure
Install Scanner in Linux
root@u-20-1-test:~# curl -H 'X-Key: 0d169e0728bf08521839b3be97015d6061aace1a831f8c4a0ffef4ec03914f9c' 'https://sensor.cloud.tenable.com/install/scanner?name=scanner-name&groups=scanner-group' | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
** Beginning Nessus installation process. **0 --:--:-- --:--:-- --:--:-- 0
100 9129 0 9129 0 0 18442 0 --:--:-- --:--:-- --:--:-- 18442
Downloading Nessus install package for Ubuntu.
Installing Nessus.
Selecting previously unselected package nessus.
(Reading database ... 143634 files and directories currently installed.)
Preparing to unpack Nessus-ubuntu1404_amd64.deb ...
Unpacking nessus (10.5.3) ...
Setting up nessus (10.5.3) ...
HMAC : (Module_Integrity) : Pass
SHA1 : (KAT_Digest) : Pass
SHA2 : (KAT_Digest) : Pass
SHA3 : (KAT_Digest) : Pass
TDES : (KAT_Cipher) : Pass
AES_GCM : (KAT_Cipher) : Pass
AES_ECB_Decrypt : (KAT_Cipher) : Pass
RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass
Pass
ECDSA : (PCT_Signature) : Pass
ECDSA : (PCT_Signature) : Pass
DSA : (PCT_Signature) : Pass
TLS13_KDF_EXTRACT : (KAT_KDF) : Pass
TLS13_KDF_EXPAND : (KAT_KDF) : Pass
TLS12_PRF : (KAT_KDF) : Pass
PBKDF2 : (KAT_KDF) : Pass
SSHKDF : (KAT_KDF) : Pass
KBKDF : (KAT_KDF) : Pass
HKDF : (KAT_KDF) : Pass
SSKDF : (KAT_KDF) : Pass
X963KDF : (KAT_KDF) : Pass
X942KDF : (KAT_KDF) : Pass
HASH : (DRBG) : Pass
CTR : (DRBG) : Pass
HMAC : (DRBG) : Pass
DH : (KAT_KA) : Pass
ECDH : (KAT_KA) : Pass
RSA_Encrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
RSA_Decrypt : (KAT_AsymmetricCipher) : Pass
INSTALL PASSED
Unpacking Nessus Scanner Core Components...
Created symlink /etc/systemd/system/nessusd.service → /lib/systemd/system/nessusd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/nessusd.service → /lib/systemd/system/nessusd.service.
- You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
- Then go to https://u-20-1-test:8834/ to configure your scanner
Applying auto-configuration.
Starting Nessus.
Waiting for Nessus to start and link...
......................
Auto-configuration complete.
Nessus is now linked to sensor.cloud.tenable.com:443
root@u-20-1-test:~#
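The install command above pipes a remote script into a root shell with the linking key on the command line. As an added example (not from the original post and not Tenable's own tooling), the functions below stage the installer in a file for review and then check a saved transcript for the self-test, INSTALL PASSED and link lines shown in the output above. The header file, output path and function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: staged scanner install plus transcript check.
# HEADER_FILE, the output path and all function names are assumptions.
INSTALL_URL='https://sensor.cloud.tenable.com/install/scanner'  # from the page

# True only if the file is a regular file readable/writable by its owner alone.
key_file_is_private() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Download the installer to OUT for review instead of piping it into bash.
# HEADER_FILE holds one line, "X-Key: <linking key>", so the key stays out of
# argv and shell history (curl -H @file needs curl 7.55.0 or later).
fetch_installer() {  # usage: fetch_installer HEADER_FILE NAME GROUP OUT
    key_file_is_private "$1" || { echo "chmod 600 $1 first" >&2; return 1; }
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
        -H "@$1" --get \
        --data-urlencode "name=$2" --data-urlencode "groups=$3" \
        -o "$4" "$INSTALL_URL"
}

# Check a saved installer transcript (for example one captured with tee).
# Returns 1 if a self-test line does not end in Pass, 2 if INSTALL PASSED is
# missing, 3 if the scanner did not link to the expected host, else 0.
verify_transcript() {  # usage: verify_transcript LOGFILE [HOST:PORT]
    local log="$1" host="${2:-sensor.cloud.tenable.com:443}" bad
    bad=$(grep -E '^[A-Za-z0-9_]+ *: *\(' "$log" \
        | grep -Ev ': *Pass[[:space:]]*$') || true
    [ -z "$bad" ] || { echo "self-test not passed: $bad" >&2; return 1; }
    grep -qx 'INSTALL PASSED' "$log" || return 2
    grep -qxF "Nessus is now linked to $host" "$log" || return 3
    return 0
}
```

After reviewing the downloaded script, run it with its output saved through `tee install.log` and pass that file to `verify_transcript`.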
Linked Scanner:
Scanner Details:
Web Application Scanning
Enter the URL as your target:
Infrastructure Scan (Vulnerability Management Scan)
External Scan
Internal Scan:
Report
From the three dots of each scan, choose Export:
Videos
References
- https://cloud.tenable.com/