Choosing the right time for Nessus update

Nessus update may be required for bugs and vulnerabilities fixing, and to enable some new features as well. While using of an old scanning engine or plugin feed may lead to incorrect scan results.

However, during the update process of Nessus engine, you need to stop it. What about the running and scheduled scanning tasks?

Switch off Nessus

Someone might think that it is possible to put running Nessus scan task on pause and launch it when update process is finished. Well, not really. All paused scan tasks will be marked as “aborted” after updating.

Even if Tenable will ever fix this, delayed scans may still be incorrect. Different targets should be scanned at the right time. It’s not a good idea to scan windows desktops after the end of the working day, when they will be probably turned off.

There is also a problem with the scheduled tasks. If we turn off Nessus when scanning task should be started we will lose the results. And if this scan results are used in some complex report, we may never know that report is not complete.

As a rule, the best time for update when no scan task is running and will not launch soon. And detecting a good time window is not a trivial task when you are dealing with a huge amount of scan task. For task API is more suitable than GUI.

How to determine which scans are running now and which will be launched in the near future (today)?

Just make /scans query (How to do it and how to authorize, read here: “Retrieving scan results through Nessus API”)

Possible values of scan “status” according to API manual:

  • completed
  • aborted
  • imported
  • pending
  • running
  • resuming
  • canceling
  • cancelled
  • pausing
  • paused
  • stopping
  • stopped

Thus, if for some scans “status”: “running”, it would be a good idea to wait until they are completed.

How long to wait?

In order to estimate the time required to complete scanning task we can make /scans/[id] query (see example in “Retrieving scan results through Nessus API” post) to see the difference between “last_modification_date” and “creation_date” for past scans. This will give us an approximate time (in seconds) for completion of the scanning task.

As for the schedules scans, see rrules, timezone and starttime params of /scans query

  • rrules – line of scheduler settings
  • timezone –  a region that observes a uniform standard time (Country/City)
  • starttime – time in format YYYYMMDDTHHMMSS when first scan will be launched

Nessus schedule master

I have not found a clear description of the rrules, but there are some examples:

Once

Once on Friday, June 17th, 2016 at 2:30 PM
FREQ=ONETIME

Daily

Every 3 days at 2:30 PM , starting on Friday, June 17th, 2016
FREQ=DAILY;INTERVAL=3

Weekly

Repeats every 2 weeks on Monday, Wednesday, Friday at 2:30 PM, starting on Friday, June 17th, 2016
FREQ=WEEKLY;INTERVAL=2;BYDAY=MO,WE,FR

Monthly

Every 2 months (repeating by the day) at 2:30 PM, starting Friday, June 17th, 2016
FREQ=MONTHLY;INTERVAL=2;BYMONTHDAY=17

Every 2 months (repeating by the week) at 2:30 PM, starting Friday, June 17th, 2016
FREQ=MONTHLY;INTERVAL=2;BYDAY=3FR

Yearly

Every 2 years on June 17th at 2:30 PM
FREQ=YEARLY;INTERVAL=2

Well, you get the idea. You should detect the start time using rrules line and starttime “timestamp”.

If you are lucky enough to use only the weekly scans, then it is sufficient to look at the day of the week (FR). For my tasks it will be something like this:

Scan Name|Scan ID|rrules|starttime|timezone
Scan5|32|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20160212T120000|Europe/Moscow
Scan32|677|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20150525T000000|Europe/Moscow
Scan12|523|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20160212T140000|Europe/Moscow
Scan23|630|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20160212T130000|Europe/Moscow

20160212T130000 -> 14:00:00

Last scan for today (Scan12) will start at 14.00, I can wait for its completion, and can update Nessus safely.

Nessus guys, if you’re reading this, please add field “next launch time for the  scheduled scan task” to the /scans output. It will really make life much easy. Plz!  =)

And finally a few obvious commands about the update:

ssh nessus_host_user@nessus_host
uname -a

Linux nessus.domain <kernel>.el6.x86_64 #1 SMP [...] x86_64 x86_64 x86_64 GNU/Linux

exit

Download from support portal (https://support.tenable.com/support-center) this file:
Nessus-6.7.0-es6.x86_64.rpm

scp Nessus-6.7.0-es6.x86_64.rpm leonov@100.99.18.10:/home/leonov

service nessusd stop
rpm -Uvh Nessus-6.7.0-es6.x86_64.rpm
service nessusd start

One thought on “Choosing the right time for Nessus update

  1. Pingback: Tenable Nessus: registration, installation, scanning and reporting | Alexander V. Leonov

Leave a Reply

Your email address will not be published. Required fields are marked *