Choosing the right time for Nessus update

A Nessus update may be required to fix bugs and vulnerabilities, and to enable new features as well. Using an old scanning engine or plugin feed may lead to incorrect scan results.
However, you need to stop the Nessus engine while it is being updated. What about the running and scheduled scan tasks?
Someone might think that it is possible to pause a running Nessus scan task and resume it when the update process is finished. Well, not really. All paused scan tasks will be marked as “aborted” after updating.
Even if Tenable ever fixes this, delayed scans may still be incorrect. Different targets should be scanned at the right time. It’s not a good idea to scan Windows desktops after the end of the working day, when they will probably be turned off.
There is also a problem with scheduled tasks. If we turn off Nessus at the time a scan task should start, we will lose the results. And if these scan results are used in some complex report, we may never know that the report is not complete.
As a rule, the best time for an update is when no scan task is running and none will launch soon. Detecting a good time window is not a trivial task when you are dealing with a huge number of scan tasks. For this task, the API is more suitable than the GUI.
How to determine which scans are running now and which will be launched in the near future (today)?
Just make a /scans query (for how to do it and how to authorize, read “Retrieving scan results through Nessus API”).
Possible values of the scan “status”, according to the API manual:
- completed
- aborted
- imported
- pending
- running
- resuming
- canceling
- cancelled
- pausing
- paused
- stopping
- stopped
Thus, if some scans have “status”: “running”, it would be a good idea to wait until they are completed.
How long to wait?
In order to estimate the time required to complete a scan task, we can make a /scans/[id] query (see the example in the “Retrieving scan results through Nessus API” post) and look at the difference between “last_modification_date” and “creation_date” for past scans. This gives us an approximate time (in seconds) for completion of the scan task.
As for the scheduled scans, see the rrules, timezone and starttime params of the /scans query:
- rrules – line of scheduler settings
- timezone – a region that observes a uniform standard time (Country/City)
- starttime – time in format YYYYMMDDTHHMMSS when the first scan will be launched
I have not found a clear description of the rrules, but there are some examples:
Once
Once on Friday, June 17th, 2016 at 2:30 PM
FREQ=ONETIME
Daily
Every 3 days at 2:30 PM, starting on Friday, June 17th, 2016
FREQ=DAILY;INTERVAL=3
Weekly
Repeats every 2 weeks on Monday, Wednesday, Friday at 2:30 PM, starting on Friday, June 17th, 2016
FREQ=WEEKLY;INTERVAL=2;BYDAY=MO,WE,FR
Monthly
Every 2 months (repeating by the day) at 2:30 PM, starting Friday, June 17th, 2016
FREQ=MONTHLY;INTERVAL=2;BYMONTHDAY=17
Every 2 months (repeating by the week) at 2:30 PM, starting Friday, June 17th, 2016
FREQ=MONTHLY;INTERVAL=2;BYDAY=3FR
Yearly
Every 2 years on June 17th at 2:30 PM
FREQ=YEARLY;INTERVAL=2
Well, you get the idea. You should determine the start time from the rrules line and the starttime “timestamp”.
If you are lucky enough to use only weekly scans, then it is sufficient to look at the day of the week (FR). For my tasks it will be something like this:
Scan Name|Scan ID|rrules|starttime|timezone
Scan5|32|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20160212T120000|Europe/Moscow
Scan32|677|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20150525T000000|Europe/Moscow
Scan12|523|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20160212T140000|Europe/Moscow
Scan23|630|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20160212T130000|Europe/Moscow
20160212T130000 -> 14:00:00
The last scan for today (Scan12) will start at 14.00; I can wait for its completion and then update Nessus safely.
Nessus guys, if you’re reading this, please add a “next launch time for the scheduled scan task” field to the /scans output. It will really make life much easier. Plz! =)
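The check described above, as an added example (not code from the original post): it evaluates the rrules patterns listed earlier against a given date and lists the scans that stand in the way of an update. The interval arithmetic follows iCalendar-style conventions as an assumption, since the post found no clear rrules description; the "name" key and the sample statuses are also assumed, and starttime is treated as local time in the scan's timezone.

```python
from datetime import date, datetime

DAYS = ["MO", "TU", "WE", "TH", "FR", "SA", "SU"]

def fires_on(rrules, starttime, day):
    """True if the schedule (rrules + starttime from /scans) launches on `day`."""
    start = datetime.strptime(starttime, "%Y%m%dT%H%M%S").date()
    if day < start:
        return False
    rule = dict(part.split("=", 1) for part in rrules.split(";"))
    freq, step = rule["FREQ"], int(rule.get("INTERVAL", 1))
    if freq == "ONETIME":
        return day == start
    if freq == "DAILY":
        return (day - start).days % step == 0
    if freq == "WEEKLY":
        # Assumption: INTERVAL counts Monday-based weeks from the start week.
        monday = lambda d: d.toordinal() - d.weekday()
        weeks = (monday(day) - monday(start)) // 7
        byday = rule.get("BYDAY", DAYS[start.weekday()]).split(",")
        return weeks % step == 0 and DAYS[day.weekday()] in byday
    if freq == "MONTHLY":
        months = (day.year - start.year) * 12 + day.month - start.month
        if months % step:
            return False
        if "BYDAY" in rule:  # e.g. 3FR = third Friday of the month
            nth, weekday = int(rule["BYDAY"][:-2]), rule["BYDAY"][-2:]
            return DAYS[day.weekday()] == weekday and (day.day - 1) // 7 + 1 == nth
        return day.day == int(rule.get("BYMONTHDAY", start.day))
    if freq == "YEARLY":
        same_day = (day.month, day.day) == (start.month, start.day)
        return same_day and (day.year - start.year) % step == 0
    raise ValueError("unknown FREQ: " + freq)

def update_blockers(scans, today):
    """Return (active scan names, [(HH:MM:SS, name)] launching today, sorted)."""
    # Paused scans count as active: the post notes they end up "aborted".
    active = [s["name"] for s in scans if s["status"] in ("running", "paused")]
    due = sorted((s["starttime"][9:], s["name"]) for s in scans
                 if s.get("rrules") and fires_on(s["rrules"], s["starttime"], today))
    return active, [(f"{t[:2]}:{t[2:4]}:{t[4:]}", name) for t, name in due]

# Constructed sample: the four schedules from the table above plus one made-up running scan.
FRI = "FREQ=WEEKLY;INTERVAL=1;BYDAY=FR"
TABLE = [("Scan5", "20160212T120000"), ("Scan32", "20150525T000000"),
         ("Scan12", "20160212T140000"), ("Scan23", "20160212T130000")]
SCANS = [{"name": n, "status": "completed", "rrules": FRI, "starttime": t} for n, t in TABLE]
SCANS.append({"name": "AdHoc", "status": "running", "rrules": None, "starttime": None})
print(update_blockers(SCANS, date(2016, 6, 17)))
```

The last entry of the second list is the final scheduled launch of the day; add the duration estimated from past runs to it before stopping nessusd.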
And finally a few obvious commands about the update:
ssh nessus_host_user@nessus_host
uname -a
Linux nessus.domain <kernel>.el6.x86_64 #1 SMP [...] x86_64 x86_64 x86_64 GNU/Linux
exit
Download this file from the support portal (https://support.tenable.com/support-center):
Nessus-6.7.0-es6.x86_64.rpm
scp Nessus-6.7.0-es6.x86_64.rpm leonov@100.99.18.10:/home/leonov
service nessusd stop
rpm -Uvh Nessus-6.7.0-es6.x86_64.rpm
service nessusd start
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.