This post tackles a common issue encountered during vulnerability scans with Tenable.sc (formerly Security Center). It addresses the problem of lingering tmux sessions that can hinder login attempts and system responsiveness.
The Problem
Recently, a critical plugin (21745) triggered on a Red Hat Enterprise Linux 8 (RHEL 8) system during a Tenable.sc scan. The scan user account wasn't locked out, but SSH login attempts hung indefinitely despite system logs showing a successful login. A reboot temporarily resolved the issue, but it kept reoccurring.
The Culprit: Unclosed tmux Sessions
Tenable.sc leverages tmux, a terminal multiplexer, to manage multiple connections during a scan. When a connection is established, tmux typically creates a session. The problem arose when these tmux sessions weren't being automatically closed after the scan completed. This led to a situation where the scan user ended up with thousands of orphaned sessions, causing login issues.
Fixing the Runaway Sessions
1. Automatic Cleanup
- Edit the system-wide tmux configuration file ( /etc/tmux.conf ).
- Add the line set -g destroy-unattached on to the configuration file. This instructs tmux to automatically terminate any sessions that are not actively in use.
- To implement this change:
2. User-Specific Control (Optional)
- This approach allows tmux usage only for the designated scan user ( scanuser ).
- Create a custom shell script ( /etc/profile.d/custom.sh ) with the following content:
[ "$USER" != "scanuser" ] then if [ "$PS1" ] then parent=$(ps -o ppid= -p $$) name=$(ps -o comm= -p $parent) case "$name" in (sshd|login) exec tmux esac fi fi
This script checks the current user and only allows tmux execution if the user is "scanuser" and the parent process is either "sshd" (SSH daemon) or "login" (login shell).
Understanding the Tools
tmux: An open-source terminal multiplexer that allows managing multiple terminal sessions within a single window. You can split your terminal into different panes, detach from sessions, and reattach later, similar to the "screen" application.Tenable Plugin 21745: This is an informational plugin that gathers and displays information from other plugins, triggered in this instance due to potential login failures.
Additional Resources
- Tmux Cheat Sheet & Quick Reference: https://tmuxcheatsheet.com/
- A beginner's guide to tmux: https://www.redhat.com/en/blog/introduction-tmux-linux
By implementing these solutions, you can ensure that your Tenable.sc scans run smoothly without encountering issues caused by lingering tmux sessions.
No comments:
Post a Comment