This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
- Puppet >= 4.10.0 < 7.0.0
- Debian, Ubuntu, , , , ,
- Bolt Quickstart
- Contributions - Guide for contributing to the module
nessus_agent module allows you to install, link nessus agents as well as perform other nessus agent tasks such as generating bug reports across linux and windows targets.
If you're a bolt aficionado, you can skip this section.
If you've never used bolt before, the easiest way to get started is with a bolt project. Bolt projects allow you to keep/organise your bolt automation in a single space. I've created a skeleton of a bolt project here: https://github.com/kinners00/bolt_sandbox.
- Download Bolt here and install
- Download/clone repo above
- Populate your own target inventory information in the
inventory.yamlfile (make sure and remove what you don't need and delete #s)
- Navigate to the
bolt_sandboxdirectory in your shell
- Install this module in your project by running
bolt module add kinners00-nessus_agent
bolt task showand
bolt plan showto find out what tasks and plans are available within this module
bolt <automation_type> show <myautomationitem>will give you more detailed info on how to use a given task or plan including required and optional parameters. Try it out by running
bolt task show nessus_agent::linkwithin the
As projects are self contained, this command will only work when your current working directory is the
bolt_sandbox directory (if cloned) or
bolt_sandbox-master (if downloaded).
~/code/bolt_sandbox > bolt task show nessus_agent::link
~/code/bolt_sandbox-master > bolt task show nessus_agent::link
Ps. There's some learning/sample tasks and a plan included in the
bolt_sandbox that'll help you get started with building your own tasks and plans. You can start by creating tasks and plans in their relevant directories within the
If you can't execute scripts under that directory, you can pass
--tmpdir flag on your bolt command followed by your chosen directory for example
Depending on your targets user level permissions, you may have to pass
--sudo-password-prompt flags on your bolt command. You can also add
run-as: root and
sudo-password: 'mysudopassword' to your config in your
inventory.yaml file to enable you to keep your bolt command shorter/neater.
bolt task run nessus_agent::install -t rhel installer_path="/tmp/NessusAgent-8.2.2-es7.x86_64.rpm" --user=rheluser --password='myregularpassword' --run-as=root --sudo-password='mysudopassword'
groups: - name: rhel targets: - 192.168.1.234 config: transport: ssh ssh: user: rheluser password: 'myregularpassword' run-as: root sudo-password: 'mysudopassword'
Tasks are cross platform so you only need to specify your targets and the task will work out what needs to be done per supported OS across *nix & windows. Whilst they are cross platform tasks, you can only run the
nessus_agent::generatelogs tasks on a mix of targets comprising of disparate oses at the same time.
bolt task run nessus_agent::install -t <targets> installer_path="C:\tmp\NessusAgent-8.2.2-x64.msi"
RPM & DEB are both supported
bolt task run nessus_agent::install -t <targets> installer_path="/tmp/NessusAgent-8.2.2-es7.x86_64.rpm"
If you're using tenable.io then at the very minimum, you'll only need to pass your linking key and your Nessus agents will pair with your tenable instance however they're a bunch of optional parameters you can take advantage of such agent name, groups, offline install and more.
Pair with Tenable.io
bolt task run nessus_agent::link -t <targets> key=836e1c023f20601162f908234835c0aa1c61c91a4c750a1f094b4adfc396cdde
Pair with Nessus Manager
Due to issues with use of the
$host variable on windows, I've named equivalent bolt parameter
server, which directly translates to
bolt task run nessus_agent::link -t <targets> key=<yourkey> server="188.8.131.52" port=8834
bolt task run nessus_agent::link -t <targets> key=<yourkey> groups="mygroup"
bolt task run nessus_agent::link -t <targets> key=<yourkey> groups="mygroup,mygroup2,mygroup3"
bolt task run nessus_agent::link -t <targets> key=<yourkey> name="mynode.nodecorp.com"
bolt task run nessus_agent::link -t <targets> key=<yourkey> offline_install=yes
Proxy host & Port
There are also additional flags around proxy usage with Tenable such as pass
bolt task run nessus_agent::link -t <targets> key=<yourkey> server=<myhost> port=<hostport> proxy_host="host.corp.com" proxy_port="8834"
bolt task run nessus_agent::unlink -t <targets>
bolt task run nessus_agent::generatelogs -t <targets>
Full log report
bolt task run nessus_agent::generatelogs -t <targets> level=full
The scrub functionality will sanitise the first two octets of IPV4 addresses.
bolt task run nessus_agent::generatelogs -t <targets> scrub=true
All of the parameters found in
nessus_agent::link tasks are supported in this "complete workflow" plan. This plan will allow you to specify a Nessus agent install package locally on your bolt workstation for upload to your remote targets. Once uploaded, it will then install the Nessus agent using the package provided and link the Tenable agent to tenable.io or Nessus Manager, depending on the flags passed.
bolt plan run nessus_agent::install_link -t <targets> install_file_local="/home/user/NessusAgent-8.2.2-x64.msi" install_file_destination="C:\tmp" installer_path="C:\tmp\NessusAgent-8.2.2-x64.msi" key=<yourkey> groups=<mygroups>
Skipping upload step
You can set
upload=false to skip the upload step and only install and link agents if you've already uploaded the Nessus agent installer to the target node(s) via alternate methods.
bolt plan run nessus_agent::install_link -t <targets> upload=false installer_path=<pathtoinstaller> key=<yourkey> groups=<mygroups>
When a Nessus agent log tarball is generated on linux, it has root ownership as default. This means that bolt can't download logs directly using SCP. To get around this, the
nessus_agent::generatelogs plan changes the ownership of these logs to a user you specify via the
user parameter which enables bolt to download them to your workstation. Once logs are downloaded, they are deleted from the target node.
bolt plan run nessus_agent::generatelogs -t rhel file_destination="tenablelogs" user=myuser level=full scrub=true
bolt plan run nessus_agent::generatelogs -t windows file_destination="tenablelogs" level=full scrub=true
If anyone would like to contribute to the module, that would be awesome and very much welcomed. Repo: https://github.com/kinners00/nessus_agent
If you're experiencing any bugs, please raise an issue below. Issues link: https://github.com/kinners00/nessus_agent/issues
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
Unlinks Nessus agent from Tenable instance
What are plans?
Modules can contain plans that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.