Nessus

Nessus vulnerability scanning — scan configuration, plugin management, and remediation tracking.

Nessus / Tenable Vulnerability Management

Scan Types

Credentialed scan:    Authenticates to the target (SSH keys, domain creds).
                      Sees installed packages, configs, patch levels.
                      Far more accurate — fewer false positives.

Uncredentialed scan:  External perspective only — banner grabbing, port scanning.
                      Sees what an attacker sees from the network.
                      More false positives, misses local vulns.

Always prefer credentialed scans for internal assessments.

Scan Policies and Templates

Common scan templates — choose based on objective
Basic Network Scan       — General-purpose, good starting point
Advanced Scan            — Full control over plugins and settings
Credentialed Patch Audit — Checks installed patches (requires creds)
Web Application Tests    — OWASP-focused web scanning
PCI-DSS                  — Quarterly external scan for PCI compliance
SCAP Compliance          — CIS benchmarks, DISA STIGs
Internal PCI Scan        — PCI internal vulnerability assessment
Malware Scan             — Detect known malware on hosts

API Operations (Tenable.io / Nessus)

Authenticate and list scans — Tenable.io API
# List all scans
curl -s -H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
  "https://cloud.tenable.com/scans" \
  | jq '.scans[] | {id, name, status, last_modification_date}'
Launch a scan by ID
curl -s -X POST \
  -H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
  "https://cloud.tenable.com/scans/$SCAN_ID/launch" \
  | jq '.'
Check scan status — poll until complete
curl -s -H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
  "https://cloud.tenable.com/scans/$SCAN_ID" \
  | jq '{status: .info.status, targets: .info.targets, start: .info.scanner_start}'
Export scan results as CSV — for reporting
# Request export
FILE_ID=$(curl -s -X POST \
  -H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{"format":"csv"}' \
  "https://cloud.tenable.com/scans/$SCAN_ID/export" \
  | jq -r '.file')

# Check export status
curl -s -H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
  "https://cloud.tenable.com/scans/$SCAN_ID/export/$FILE_ID/status" \
  | jq '.status'

# Download when ready
curl -s -H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
  "https://cloud.tenable.com/scans/$SCAN_ID/export/$FILE_ID/download" \
  -o scan_results.csv
Export scan results as Nessus XML format
FILE_ID=$(curl -s -X POST \
  -H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{"format":"nessus"}' \
  "https://cloud.tenable.com/scans/$SCAN_ID/export" \
  | jq -r '.file')
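The export workflow above (request, poll the status endpoint, download) as a small Python driver with a timeout so a stuck export cannot hang a reporting job. This is an added example, not code from the page or from Tenable; the endpoint paths and the X-ApiKeys header come from the curl commands above, the terminal status value "ready" is assumed from the status call, and FakeTransport is a constructed offline stand-in rather than a real Tenable response.

```python
"""Drive the Tenable.io export workflow shown above: request, poll, download."""
import json
import time
import urllib.request

BASE_URL = "https://cloud.tenable.com"

def api_headers(access_key, secret_key):
    """Same X-ApiKeys header the curl commands use."""
    return {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}",
            "Content-Type": "application/json"}

def http_request(method, path, headers, body=None):
    """Default transport: one HTTPS request, returning the raw response bytes."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()

def export_scan(scan_id, headers, fmt="csv", transport=http_request,
                poll_interval=5, max_polls=60, sleep=time.sleep):
    """POST /scans/{id}/export, poll /status until "ready", then GET /download.
    Returns the export bytes; raises TimeoutError after max_polls checks so a
    stuck export cannot hang a reporting pipeline."""
    reply = json.loads(transport("POST", f"/scans/{scan_id}/export", headers, {"format": fmt}))
    file_id = reply["file"]
    for _ in range(max_polls):
        status = json.loads(transport("GET", f"/scans/{scan_id}/export/{file_id}/status", headers))
        if status.get("status") == "ready":
            return transport("GET", f"/scans/{scan_id}/export/{file_id}/download", headers)
        sleep(poll_interval)
    raise TimeoutError(f"export {file_id} of scan {scan_id} not ready after {max_polls} polls")

class FakeTransport:
    """Constructed offline stand-in for http_request (not real Tenable responses):
    reports "loading" until the status endpoint has been polled ready_after times."""
    def __init__(self, ready_after=2):
        self.ready_after, self.polls = ready_after, 0

    def __call__(self, method, path, headers, body=None):
        if method == "POST" and path.endswith("/export"):
            return b'{"file": 42, "token": "constructed"}'
        if path.endswith("/status"):
            self.polls += 1
            return b'{"status": "ready"}' if self.polls >= self.ready_after else b'{"status": "loading"}'
        if path.endswith("/download"):
            return b"Plugin ID,CVE,Risk,Host\n"
        raise ValueError(f"unexpected request {method} {path}")
```

Against the live API, call export_scan(SCAN_ID, api_headers(access, secret)) with the default transport; pass fmt="nessus" for the XML export.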
List all assets — inventory of scanned hosts
curl -s -H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
  "https://cloud.tenable.com/assets" \
  | jq '.assets[] | {id, fqdn: .fqdn[0], ipv4: .ipv4[0], last_seen, operating_system: .operating_system[0]}'

Nessus CLI (Local Scanner)

Start/stop/check status of the Nessus service
sudo systemctl start nessusd
sudo systemctl stop nessusd
sudo systemctl status nessusd
Update Nessus plugins (and core components) from the feed
/opt/nessus/sbin/nessuscli update --all
Reset Nessus admin password
/opt/nessus/sbin/nessuscli chpasswd admin
List Nessus users
/opt/nessus/sbin/nessuscli lsuser

Plugin Families

Plugins are grouped by family. Understanding families helps scope scans and prioritize findings.

Critical families to watch:
  - Backdoors              — Known malware backdoors
  - CGI abuses             — Web application vulnerabilities
  - Default Unix Accounts  — Default/weak credentials
  - Denial of Service      — DoS vulnerabilities
  - Firewalls              — Firewall misconfigurations
  - General                — Information gathering
  - Misc.                  — Uncategorized findings
  - Ubuntu Local Security  — OS-specific patches
  - Windows : Microsoft    — Windows patches
  - Policy Compliance      — CIS, STIG, custom compliance

Compliance Audits

Compliance audit file structure — .audit format
Audit files define checks:
  - CIS benchmarks (CIS_Ubuntu_22.04_L1.audit)
  - DISA STIGs (DISA_STIG_Ubuntu.audit)
  - Custom corporate policies

Each check has:
  type:        AUDIT_POLICY | REG_CHECK | FILE_CHECK | CMD_EXEC
  description: Human-readable check name
  solution:    Remediation guidance
  reference:   CIS section, STIG ID
  expect:      Expected value (pass/fail criteria)

Remediation Tracking

Parse Nessus CSV export — extract critical and high findings for remediation
# Extract critical and high vulns; strip the quotes before comparing (the
# exported fields are quoted), then drop duplicate plugin/host/name lines
# (the same plugin reported on several ports)
awk -F',' 'NR>1 {
  gsub(/"/, "", $0)
  if ($4=="Critical" || $4=="High")
    printf "%-8s %-15s %-12s %s\n", $1, $5, $4, $8
}' scan_results.csv | sort -u
# Columns: $1 Plugin ID, $4 Risk, $5 Host, $8 Name. A plain comma split breaks on
# quoted fields that contain commas; use a CSV-aware parser for anything beyond a quick look.
Track remediation progress — compare two scan exports
# Key each finding on plugin ID + host, so a plugin fixed on one host but still
# present on another is not counted as remediated
awk -F',' 'NR>1 {print $1","$5}' scan_before.csv | sort -u > /tmp/before.txt
awk -F',' 'NR>1 {print $1","$5}' scan_after.csv | sort -u > /tmp/after.txt

# Keys present before but not after = remediated
echo "$(comm -23 /tmp/before.txt /tmp/after.txt | wc -l) vulnerabilities remediated"

# Keys only in the after scan = new findings (regressions, or checks added to the feed since)
echo "$(comm -13 /tmp/before.txt /tmp/after.txt | wc -l) new vulnerabilities"
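Both the severity filter and the before/after comparison above, redone with a CSV-aware reader so quoted fields with embedded commas (synopsis, description) do not shift the columns, and keyed on plugin + host. This is an added example, not code from the page; the column names follow the Nessus CSV export header, and the two sample exports are constructed, with placeholder CVE ids, not real scan output.

```python
"""CSV-aware replacement for the awk one-liners above: filter and diff Nessus exports."""
import csv
import io

ACTIONABLE = ("Critical", "High")

def load_findings(csv_text, risks=ACTIONABLE):
    """Return {(plugin_id, host): name} for rows whose Risk column is in risks.
    csv.DictReader handles quoted fields with embedded commas, which a plain
    comma split in awk does not."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] in risks:
            findings[(row["Plugin ID"], row["Host"])] = row["Name"]
    return findings

def diff_scans(before_text, after_text, risks=ACTIONABLE):
    """Key on (plugin, host) so a plugin fixed on one host but still present on
    another is reported as open, not remediated."""
    before = load_findings(before_text, risks)
    after = load_findings(after_text, risks)
    return {"remediated": sorted(before.keys() - after.keys()),
            "new": sorted(after.keys() - before.keys()),
            "open": sorted(before.keys() & after.keys())}

# Constructed sample exports (not real scan output, CVE ids are placeholders);
# header order follows the Nessus CSV export so awk's $4/$5/$8 are Risk/Host/Name.
HEADER = ("Plugin ID,CVE,CVSS v2.0 Base Score,Risk,Host,Protocol,Port,Name,"
          "Synopsis,Description,Solution,See Also,Plugin Output\n")
BEFORE_CSV = HEADER + (
    '"10001","CVE-0000-0001","9.8","Critical","10.0.0.5","tcp","22","Outdated OpenSSH",'
    '"Remote, unauthenticated RCE","Long text, with commas","Upgrade OpenSSH","","banner"\n'
    '"10001","CVE-0000-0001","9.8","Critical","10.0.0.6","tcp","22","Outdated OpenSSH",'
    '"Remote, unauthenticated RCE","Long text, with commas","Upgrade OpenSSH","","banner"\n'
    '"10002","","5.0","Medium","10.0.0.5","tcp","80","HTTP TRACE enabled",'
    '"Method enabled","Text","Disable TRACE","",""\n'
)
AFTER_CSV = HEADER + (
    '"10001","CVE-0000-0001","9.8","Critical","10.0.0.6","tcp","22","Outdated OpenSSH",'
    '"Remote, unauthenticated RCE","Long text, with commas","Upgrade OpenSSH","","banner"\n'
    '"10003","CVE-0000-0002","7.5","High","10.0.0.5","tcp","443","Weak TLS cipher",'
    '"Weak cipher","Text","Reconfigure","",""\n'
)
```

On real exports, read the two files into strings and call diff_scans(before, after); the "open" list is the carry-over to chase through the SLA.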

CVSS Scoring Quick Reference

CVSS 3.x ranges:
  0.0           None
  0.1 - 3.9     Low
  4.0 - 6.9     Medium
  7.0 - 8.9     High
  9.0 - 10.0    Critical

Prioritize: Critical + exploitable + internet-facing = fix immediately
             High + credentialed finding = fix within SLA
             Medium = scheduled patching cycle
             Low/Info = document, no action required