Chrissy LeMaire edited this page Feb 22, 2021 · 5 revisions

tentools is a PowerShell module that automates tenable.sc and Nessus tasks.

Purpose

Automation helps turn time-intensive, recurring tasks into fast, repeatable tasks with minimal user involvement. Removing the requirement to click through the tenable.sc server web pages reduces human error and can help standardize processes by encouraging the reuse of configuration files that can be stored in source control.

Automating tenable.sc deployments also results in higher quality deployments, as upfront consideration is required, then saved to a configuration file that can be reused in future deployments. When a process is easy and simplified, people will be more willing to follow it.

If important changes are required on short notice, addressing them quickly becomes possible. This also leads to a more secure deployment, as updating becomes much easier and more predictable.

Roles

With over 100 commands, the scope of this project touches on multiple roles, including the Systems Engineer that sets up the system and services, the Security Manager that manages the organizational tasks, and the Analyst that uses the results of scans and reports and uploads them to centralized repositories.

Systems Engineer

When a new server is deployed, there are a number of steps that must be executed before the server is ready to perform scans and generate reports.

While tentools does not help automate the installation of services, it does help systems engineers automate the deployment of tenable.sc, which can be a multi-hour process.

  • Creates the initial administrator account and sets the license
  • Sets appropriate CA and web server certificates
  • Can create and manage the following en masse:
    • Organizations
    • Users
    • Credentials
    • Audit files
    • Policies
    • Scanners
    • Scan Zones
    • Repositories
    • Dashboards

Once these are created, the security manager can then begin setting up their environment.

Security Manager

Security Managers are essentially the administrators of the organization and perform the majority of the tasks.

  • Create Report Attributes, such as those required by DISA and eMASS
  • Import policies, such as ACAS policies
  • Import reports
  • Import audit files
  • Import dashboards
  • Import assets
  • Create scans with the required:
    • repository
    • policy
    • targets
    • credentials

Once these are set, the Analyst can then use them as needed.

Analyst

Analysts generally focus on scans, reports and dashboards.

# Run the STIG scan
Get-TNScan -Name 'DISA STIG MSSQL 2012 Database v1r20' | Start-TNScan -Wait
# Export the zip to upload to eMASS
Get-TNReport -Name 'DISA ASR' | Start-TNReport -Wait | Save-TNReportResult -Path C:\temp

Simplified deployment

If you hold all three roles, you can deploy your entire environment in one simple command called Start-TNDeploy. This wrapper command accepts input from a JSON file with all of your configuration values, such as the one below.

{
    "ComputerName": "securitycenter",
    "AdministratorCredential": "admin",
    "Scanner": "localhost",
    "ScannerCredential": "admin",
    "Repository": [
        "Vulnerabilities",
        "Audits"
    ],
    "Organization": "Acme",
    "SecurityManagerCredential": "secman",
    "IpRange": "192.168.100.0/24",
    "PolicyFilePath": "C:\\sc\\scan_policies",
    "AuditFilePath": "C:\\sc\\portal_audits\\Database\\DISA*MSSQL*",
    "DashboardFilePath": "C:\\sc\\dashboards",
    "AssetFilePath": "C:\\sc\\asset_lists",
    "ReportFilePath": "C:\\sc\\reports",
    "ScanZone": "All Computers",
    "ScanCredentialHash": [
        {
            "Credential": "ad\\nessus",
            "Name": "Windows Scanner Account",
            "Type": "windows",
            "AuthType": "password"
        },
        {
            "Credential": "acasaccount",
            "PrivilegeEscalation": "sudo",
            "Name": "Linux Scanner Account",
            "Type": "ssh",
            "AuthType": "password"
        },
        {
            "Credential": "sa",
            "Name": "SQL Server sqladmin account",
            "CredentialHash": {
                "SQLServerAuthType": "SQL",
                "dbType": "SQL Server"
            },
            "Type": "database",
            "AuthType": "password"
        }
    ]
}

To create a well-stocked deployment, just add that to a JSON file, then pipe that file to Start-TNDeploy.

Get-Content C:\github\demo.json | ConvertFrom-Json | Start-TNDeploy
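Because the deployment file is meant to live in source control and be reused, it is worth checking it before anything is sent to the server. The script below is an added example, not part of tentools: it validates the keys and import paths used in the sample JSON above, refuses a file that carries password-looking keys (tentools prompts for passwords interactively), and only pipes a clean object to Start-TNDeploy. The list of credential types is taken from this page's sample and is an assumption; extend it if your deployment uses others.

```powershell
# Added example (not tentools code): sanity-check a Start-TNDeploy JSON file
# before it is piped in, so a typo or a missing audit directory is caught up
# front and no password ever has to live in the file.
param(
    [Parameter(Mandatory)][string]$Path   # e.g. C:\github\demo.json
)

$config   = Get-Content -Path $Path -Raw | ConvertFrom-Json
$problems = [System.Collections.Generic.List[string]]::new()

# Every top-level key the sample deployment file on this page uses
$requiredKeys = 'ComputerName','AdministratorCredential','Scanner','ScannerCredential',
                'Repository','Organization','SecurityManagerCredential','IpRange',
                'PolicyFilePath','AuditFilePath','DashboardFilePath','AssetFilePath',
                'ReportFilePath','ScanZone','ScanCredentialHash'
foreach ($key in $requiredKeys) {
    if (-not $config.PSObject.Properties[$key]) { $problems.Add("missing key: $key") }
}

# Import locations must exist; Test-Path honours the wildcard in AuditFilePath
foreach ($key in 'PolicyFilePath','AuditFilePath','DashboardFilePath','AssetFilePath','ReportFilePath') {
    $p = $config.$key
    if ($p -and -not (Test-Path -Path $p)) { $problems.Add("$key not found: $p") }
}

# Secrets belong in the interactive prompt, never in a file checked into source control
$secretLike = $config.PSObject.Properties.Name | Where-Object { $_ -match 'password|secret' }
foreach ($name in $secretLike) { $problems.Add("remove secret-looking key from JSON: $name") }

# Each scan credential needs an account, a name, a known type and an auth type
$validTypes = 'windows','ssh','database'   # assumption: the types shown on this page
foreach ($cred in @($config.ScanCredentialHash)) {
    foreach ($field in 'Credential','Name','Type','AuthType') {
        if (-not $cred.$field) { $problems.Add("scan credential missing $field") }
    }
    if ($cred.Type -and $cred.Type -notin $validTypes) {
        $problems.Add("unknown credential type '$($cred.Type)' for $($cred.Name)")
    }
}

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Deployment file $Path failed validation; nothing was sent to tenable.sc."
}

# Only a clean configuration reaches the server
$config | Start-TNDeploy
```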

After entering all of the required passwords for your accounts (administrator, security manager, Nessus scanner, scan credentials), sit back and let PowerShell take care of the rest, as seen in the video below.

Start-TNDeploy demo

The last frame of that video was essentially this result, which shows that the tenable.sc server has been fully stocked:

ServerUri         : securitycenter:443
AuditPolicy       : {DISA STIG MSSQL 2012 Database v1r20, DISA STIG MSSQL 2012 Instance-DB v1r20, DISA STIG MSSQL 2012 Instance-OS v1r20, DISA STIG MSSQL 2014 Database v1r6...}
ComputerName      : securitycenter
DISADetailedASR   : DISA ASR
ImportedAsset     : {BPG 5.4 - Bad, No Auth Attempted, BPG 5.4 - Bad, Error, - CMRS Daily Publishing, BPG 5.4 - Endpoint No Agent Differential Scan...}
ImportedAudit     : {DISA STIG MSSQL 2012 Database v1r20, DISA STIG MSSQL 2012 Instance-DB v1r20, DISA STIG MSSQL 2012 Instance-OS v1r20, DISA STIG MSSQL 2014 Database v1r6...}
ImportedDashboard : Acme Scan Summary
ImportedPolicy    : {Acme - Agent Differential Scan Policy (DRAFT), Acme - Agent Scan BPG, Acme - Configuration (STIG) Scan, Acme - Malware Scan...}
ImportedReport    : Test Import File
IpRange           : 192.168.100.0/24
Organization      : Acme
ReportAttribute   : DISA
Repository        : {Vulnerabilities, Audits}
ScanCredential    : {Windows Scanner Account, Linux Scanner Account, SQL Server sqladmin account}
Scanner           : localhost
ScannerCredential : admin
Scans             : {Acme - Agent Differential Scan Policy (DRAFT), Acme - Agent Scan BPG, Acme - Configuration (STIG) Scan, Acme - Malware Scan...}
ScanZone          : All Computers
SecurityManager   : secman
ServerType        : tenable.sc
Status            : Success

From here, you can run the necessary scans and export the reports for eMASS.

# Run the STIG scan
Get-TNScan -Name 'DISA STIG MSSQL 2012 Database v1r20' | Start-TNScan -Wait
# Export the zip to upload to eMASS
Get-TNReport -Name 'DISA ASR' | Start-TNReport -Wait | Save-TNReportResult -Path C:\temp

Linux deployment

tentools also works on PowerShell (pwsh) on Linux. Here is an example:

{
    "ComputerName": "securitycenter",
    "AdministratorCredential": "admin",
    "Scanner": "localhost",
    "ScannerCredential": "admin",
    "Repository": [
        "Vulnerabilities",
        "Audits"
    ],
    "Organization": "Acme",
    "SecurityManagerCredential": "secman",
    "IpRange": "192.168.100.0/24",
    "PolicyFilePath": "/mnt/c/sc/scan_policies",
    "AuditFilePath": "/mnt/c/sc/portal_audits/Database/DISA*MSSQL*",
    "DashboardFilePath": "/mnt/c/sc/dashboards",
    "AssetFilePath": "/mnt/c/sc/asset_lists",
    "ReportFilePath": "/mnt/c/sc/reports",
    "ScanZone": "All Computers",
    "ScanCredentialHash": [
        {
            "Credential": "ad/nessus",
            "Name": "Windows Scanner Account",
            "Type": "windows",
            "AuthType": "password"
        },
        {
            "Credential": "acasaccount",
            "PrivilegeEscalation": "sudo",
            "Name": "Linux Scanner Account",
            "Type": "ssh",
            "AuthType": "password"
        },
        {
            "Credential": "sa",
            "Name": "SQL Server sqladmin account",
            "CredentialHash": {
                "SQLServerAuthType": "SQL",
                "dbType": "SQL Server"
            },
            "Type": "database",
            "AuthType": "password"
        }
    ]
}

And now, you can get the contents of the JSON file then pipe that file to Start-TNDeploy.

Get-Content /mnt/c/github/linux.json | ConvertFrom-Json | Start-TNDeploy