A Nessus update may be required to fix bugs and vulnerabilities and to enable new features. Using an old scanning engine or plugin feed may lead to incorrect scan results.
However, Nessus has to be stopped while the engine is being updated. What about the running and scheduled scan tasks?
You might think it is possible to pause a running Nessus scan task and resume it when the update is finished. Well, not really. All paused scan tasks will be marked as “aborted” after the update.
Even if Tenable ever fixes this, delayed scans may still be incorrect. Different targets should be scanned at the right time. It’s not a good idea to scan Windows desktops after the end of the working day, when they will probably be turned off.
There is also a problem with scheduled tasks. If Nessus is turned off at the moment a scan task should start, we will lose the results. And if these scan results are used in some complex report, we may never know that the report is incomplete.
As a rule, the best time for an update is when no scan task is running and none will launch soon. Detecting a good time window is not a trivial task when you are dealing with a huge number of scan tasks. For this task the API is more suitable than the GUI.
How to determine which scans are running now and which will be launched in the near future (today)?
Just make a /scans query (to learn how to do it and how to authorize, read “Retrieving scan results through Nessus API”).
Possible values of scan “status” according to API manual:
Thus, if some scans have “status”: “running”, it would be a good idea to wait until they are completed.
How long to wait?
To estimate the time required to complete a scanning task, we can make a /scans/[id] query (see the example in the “Retrieving scan results through Nessus API” post) and look at the difference between “last_modification_date” and “creation_date” for past scans. This gives an approximate time (in seconds) for completion of the scanning task.
As for the scheduled scans, see the rrules, timezone and starttime params of the /scans query:
- rrules – line of scheduler settings
- timezone – a region that observes a uniform standard time (Country/City)
- starttime – time in format YYYYMMDDTHHMMSS when the first scan will be launched
I have not found a clear description of the rrules, but there are some examples:
Once on Friday, June 17th, 2016 at 2:30 PM
Every 3 days at 2:30 PM , starting on Friday, June 17th, 2016
Repeats every 2 weeks on Monday, Wednesday, Friday at 2:30 PM, starting on Friday, June 17th, 2016
Every 2 months (repeating by the day) at 2:30 PM, starting Friday, June 17th, 2016
Every 2 months (repeating by the week) at 2:30 PM, starting Friday, June 17th, 2016
Every 2 years on June 17th at 2:30 PM
Well, you get the idea. You should work out the start time from the rrules line and the starttime “timestamp”.
If you are lucky enough to use only the weekly scans, then it is sufficient to look at the day of the week (FR). For my tasks it will be something like this:
Scan Name|Scan ID|rrules|starttime|timezone
Scan5|32|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20160212T120000|Europe/Moscow
Scan32|677|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20150525T000000|Europe/Moscow
Scan12|523|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20160212T140000|Europe/Moscow
Scan23|630|FREQ=WEEKLY;INTERVAL=1;BYDAY=FR|20160212T130000|Europe/Moscow
20160212T130000 -> 14:00:00
The last scan for today (Scan12) will start at 14:00; I can wait for its completion and then update Nessus safely.
Nessus guys, if you’re reading this, please add a “next launch time for the scheduled scan task” field to the /scans output. It will really make life much easier. Plz! =)
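The same check can be scripted. The following is an added example, not code from the original post or from Tenable: it takes the "scans" list of a /scans response and reports which scans are running and which are still due today, going beyond the weekly-only case to handle DAILY rules and INTERVAL > 1 as well. The function names, the sample statuses, the Monday week start and the use of naive wall-clock time in the scan's own timezone are assumptions.

```python
from datetime import datetime, timedelta

DAYS = ["MO", "TU", "WE", "TH", "FR", "SA", "SU"]  # index == datetime.weekday()

def next_launch(rrules, starttime, now):
    """Next launch at or after `now` for a DAILY/WEEKLY rrules line, else None.
    Assumptions: naive wall-clock times in the scan's own timezone; with
    INTERVAL > 1, weeks are counted from the Monday of the starttime week."""
    rule = dict(part.split("=", 1) for part in rrules.split(";"))
    start = datetime.strptime(starttime, "%Y%m%dT%H%M%S")
    interval = int(rule.get("INTERVAL", 1))
    if rule.get("FREQ") not in ("DAILY", "WEEKLY"):
        return None  # only DAILY and WEEKLY are handled here
    byday = rule.get("BYDAY", DAYS[start.weekday()]).split(",")
    week0 = start.date() - timedelta(days=start.weekday())
    day = max(now, start).date()
    for _ in range(366 * interval):
        launch = datetime.combine(day, start.time())
        if rule["FREQ"] == "DAILY":
            hit = (day - start.date()).days % interval == 0
        else:
            hit = (DAYS[day.weekday()] in byday
                   and ((day - week0).days // 7) % interval == 0)
        if hit and launch >= max(now, start):
            return launch
        day += timedelta(days=1)
    return None

def update_window(scans, now):
    """Return (names of running scans, [(launch, name)] still due today)."""
    running = [s["name"] for s in scans if s.get("status") == "running"]
    due = []
    for s in scans:
        if s.get("rrules") and s.get("starttime"):
            nxt = next_launch(s["rrules"], s["starttime"], now)
            if nxt and nxt.date() == now.date():
                due.append((nxt, s["name"]))
    return running, sorted(due)

# Constructed sample shaped like the "scans" list of a /scans response;
# schedules are the ones from the post's weekly listing, statuses are made up.
WEEKLY_FR = "FREQ=WEEKLY;INTERVAL=1;BYDAY=FR"
SAMPLE = [
    dict(id=i, name=n, status=st, rrules=WEEKLY_FR, starttime=t,
         timezone="Europe/Moscow")
    for i, n, st, t in [(32, "Scan5", "completed", "20160212T120000"),
                        (677, "Scan32", "running", "20150525T000000"),
                        (523, "Scan12", "completed", "20160212T140000"),
                        (630, "Scan23", "completed", "20160212T130000")]]
```

Pass `now` as the current wall-clock time in the scans' timezone; an empty running list and an empty due list mean the update window is open.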
And finally a few obvious commands about the update:
Linux nessus.domain <kernel>.el6.x86_64 #1 SMP [...] x86_64 x86_64 x86_64 GNU/Linux
Download this file from the support portal (https://support.tenable.com/support-center):
scp Nessus-6.7.0-es6.x86_64.rpm firstname.lastname@example.org:/home/leonov
service nessusd stop
rpm -Uvh Nessus-6.7.0-es6.x86_64.rpm
service nessusd start