Remediating A Nessus Agent Connection Issue

Every so often a machine may not check in to Tenable for some time, for some reason.
Whatever the reason may be, we’ve got to get it linked up again, and preferably in a “silent” manner.

Here’s a script to assist with that:

#!/bin/sh

# Retrieves the Tenable group this agent is currently in
group=$(/Library/NessusAgent/run/sbin/nessuscli fix --secure --list | grep -io ' .*group' | tr -d ' ')

# Bail out rather than re-link with an empty --groups value
if [ -z "$group" ]; then
    echo "Could not determine the Nessus Agent group" >&2
    exit 1
fi

# Unlinks the Nessus Agent and pauses the script while that completes
/Library/NessusAgent/run/sbin/nessuscli agent unlink --force

sleep 3

# Links the Nessus Agent to the Tenable instance, keeping the same group.
# The script exits with the link command's status so a failed link is reported.
/Library/NessusAgent/run/sbin/nessuscli agent link \
--key=<INSERT_NESSUS_KEY> \
--host=<INSERT_NESSUS_HOST> \
--port=<INSERT_NESSUS_PORT> \
--groups="$group"

So how did we get here?

  1. Let’s focus on the $group variable first:
  • Nessus includes a robust command line interface when installed, and this particular command allows us to list registration info and log data for this install.
    In particular we want the group name. As this is just a re-link, we want to keep the MacBook in the same group.
  • We can find the group by piping in grep groups and get a result like this:
sudo /Library/NessusAgent/run/sbin/nessuscli fix --secure --list | grep groups
groups: admin_group
  • Once we’ve got the group, we’ll iterate on that by “grep-ing” for just the group name
sudo /Library/NessusAgent/run/sbin/nessuscli fix --secure --list | grep -o 'admin_group'
admin_group
  • Now this is fine if we’ve only got one group in the organization, but like many orgs we have many groups.
    For example: if we’ve got an admin group, security group, IT group, and creative group; then we’ve got to account for all of them.
    This is where the regex wildcard (.*) comes into play.
    So let’s run this command instead:
sudo /Library/NessusAgent/run/sbin/nessuscli fix --secure --list | grep -io ' .*group'
  admin_group
  • We’ve now isolated the group, and the wildcard will account for machines in other groups.
    If we run the command on a creative MacBook, we will receive creative_group instead.
  • We are almost done setting up the variable, but there’s a space before our group name.
    This is where the translate (tr) command comes in. So let’s pipe that in there.
sudo /Library/NessusAgent/run/sbin/nessuscli fix --secure --list | grep -io ' .*group' | tr -d ' '
admin_group
  • That final command deletes characters that match the quoted string. In this case, spaces.

Troubleshooting Note: If you forget the space before .*group, then your output will look like this:

groups: admin_group

or this

groups:admin_group
  2. For the next piece of the script we have to un-link the Nessus Agent, or we will receive an error message along the lines of this:
[error] [agent] Link fail: [409] Agent with uuid agentUuid=<AGENT_UUID> attempt
to link, but another agent in container containerUuid=<CONTAINER_UUID> with
different token already exists.
  3. We then put the script to sleep for a moment while Nessus un-links.

  4. Finally, we link the Nessus Agent back to our Tenable instance utilizing the group we gathered earlier.

NOTE: If you’re utilizing Tenable’s cloud offering, you can use --cloud as opposed to having to specify --host and --port.
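As an added example (not the post’s script), here is the group-extraction step as small shell functions fed a constructed `nessuscli fix --secure --list` listing, plus a guard that refuses to assemble the link command when no group was found, so the agent is never re-linked with an empty --groups value. The `nessus_group_by_key` variant, which reads the `groups:` key directly, assumes the listing always uses that key and is not something the post shows.

```shell
#!/bin/sh
# Added example, not the post's own script. Works offline on a
# constructed listing shaped like the nessuscli output shown in the post.
SAMPLE_LISTING='uuid: 00000000-0000-0000-0000-000000000000
groups: creative_group
host: cloud.tenable.com'

# Reads a listing on stdin and prints the group name with the leading
# space removed. This is exactly the post's pipeline.
nessus_group_from_listing() {
    grep -io ' .*group' | tr -d ' '
}

# Reads the "groups:" key directly instead of matching on "group", so it
# also handles group names that do not end in "group" (assumed format).
nessus_group_by_key() {
    sed -n 's/^groups:[[:space:]]*//p' | head -n 1
}

# Prints the link arguments for a cloud-linked agent; returns 1 and
# prints nothing when the group is empty, so callers cannot re-link
# with --groups= and silently lose the machine's group.
build_link_args() {
    group="$1"
    [ -n "$group" ] || return 1
    printf '%s\n' "--key=<INSERT_NESSUS_KEY> --cloud --groups=$group"
}

# Ties the two steps together: extract the group from a listing given on
# stdin, then either print the link arguments or fail closed.
relink_args_from_listing() {
    group=$(nessus_group_by_key)
    if ! build_link_args "$group"; then
        echo "no group found; refusing to relink without --groups" >&2
        return 1
    fi
}
```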

This script can be run silently, but if you do want to put the onus on the end-user, then you can definitely throw this into Self-Service.

Take it easy y’all.