Showing posts with label Security Center. Show all posts

Tuesday, May 6, 2025

How to Reset Passwords for Tenable.sc

Accidentally locked yourself out of your Tenable.sc (formerly Security Center) admin account? Don't worry! This post walks you through the steps to reset your password on version 5.11 and newer. If you're running an older version, you can find instructions in my previous blog post. We'll cover how to reset the password, unlock your account, and clear any pesky login failures.

Important Security Note: Directly modifying the database should be done with caution. Ensure you have a backup of your Security Center configuration before proceeding.


Reset the admin account password

root@earth# /opt/sc/support/bin/sqlite3 /opt/sc/application.db "update userauth set password = '943807ff8e7f4735e2a4774f0cf9ceec1044889088737759ef1f329beb40de00107446dffa66fdcc3d557c1b5109800b8f5083cd4e6cd018c5739135f9ceeb12', salt = 'e+xmTMivzO0Jmyl3XLcDIKcnXOWaKYzWCRRJu2ebr41K8sHJjtYy7JGJwR3IfohbFLUHWzVlivXtt8Dn/ok2tg==', hashtype = 2 where username='admin';"
This command resets the 'admin' user's password to 'password'. It's essential to log in and update this password right away. You can also use this command to reset the password of any other Tenable.sc user by replacing 'admin' with their username. This command does not unlock the account.

Clear Login Failures

root@earth# sqlite3 /opt/sc/application.db "update userauth set failedLogins='0' where username='admin';"
This command resets the count of failed login attempts for the 'admin' user or another specified user.

Unlock the admin Account

root@earth# sqlite3 /opt/sc/application.db "update userauth set locked='0' where username='admin';"
Use this command to restore access to a locked 'admin' account. Note that this action only unlocks the account; the password remains the same.
 
After running these commands, you should now be able to log in to your Tenable.sc administrator account. Keep in mind that the reset command set the password to the known value 'password'. For security, your very first step after logging in should be to change this password through the Tenable.sc interface. If you run into any problems or have more questions, please leave a comment below.

Wednesday, December 4, 2024

Taming Runaway tmux Sessions and Keeping Your Scans Smooth

This post tackles a common issue encountered during vulnerability scans with Tenable.sc (formerly Security Center). It addresses the problem of lingering tmux sessions that can hinder login attempts and system responsiveness.

The Problem

Recently, a critical plugin (21745) triggered on a Red Hat Enterprise Linux 8 (RHEL 8) system during a Tenable.sc scan. The scan user account wasn't locked out, but SSH login attempts hung indefinitely despite system logs showing a successful login. A reboot temporarily resolved the issue, but it kept reoccurring.

The Culprit: Unclosed tmux Sessions

Tenable.sc leverages tmux, a terminal multiplexer, to manage multiple connections during a scan. When a connection is established, tmux typically creates a session. The problem arose when these tmux sessions weren't being automatically closed after the scan completed. This led to a situation where the scan user ended up with thousands of orphaned sessions, causing login issues.


Fixing the Runaway Sessions


1. Automatic Cleanup

  • Edit the system-wide tmux configuration file ( /etc/tmux.conf ).
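  • Add the line "set -g destroy-unattached on" to the configuration file. This instructs tmux to automatically terminate any sessions that are not actively in use.
  • To implement this change (the append has to run with root privileges, so pipe through sudo tee; with sudo echo ... >> the redirection is done by the unprivileged shell and fails):
scanuser@remotesystem> echo "set -g destroy-unattached on" | sudo tee -a /etc/tmux.conf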

2. User-Specific Control (Optional)

  • This approach allows tmux usage only for the designated scan user ( scanuser ). 
  • Create a custom shell script ( /etc/profile.d/custom.sh ) with the following content:

    # Runs only when the login user is not "scanuser"
    if [ "$USER" != "scanuser" ]; then
      if [ "$PS1" ]; then                  # interactive shells only
        parent=$(ps -o ppid= -p $$)
        name=$(ps -o comm= -p $parent)
        case "$name" in (sshd|login) exec tmux ;; esac
      fi
    fi

This script checks the current user and only allows tmux execution if the user is "scanuser" and the parent process is either "sshd" (SSH daemon) or "login" (login shell).

Understanding the Tools

tmux: An open-source terminal multiplexer that allows managing multiple terminal sessions within a single window. You can split your terminal into different panes, detach from sessions, and reattach later, similar to the "screen" application.

Tenable Plugin 21745: This is an informational plugin that gathers and displays information from other plugins, triggered in this instance due to potential login failures.

By implementing these solutions, you can ensure that your Tenable.sc scans run smoothly without encountering issues caused by lingering tmux sessions.

Thursday, October 19, 2023

Login hangs for scanning account

The Problem

I ran into this issue the other day. Tenable.sc (formerly Security Center) was reporting a hit on plugin 21745 for a Red Hat Enterprise Linux 8 (RHEL 8) system. I checked on the account used on the systems for scanning and it wasn't locked out or anything. When I tried to SSH into the system with the credentials, it would just hang. The system logs showed "login successful". When I rebooted the system, I was able to log in normally again, but the problem would come back eventually.

The Cause

When the Nessus scanner connects to a system it's scanning, it makes several connections to the host. Each connection starts a TMUX session. The problem is the TMUX sessions were not being closed after the Nessus scanner disconnected from the system. It turned out that the account used for security scanning had around 2,000 TMUX sessions running.

The Fix

Add "set -g destroy-unattached on" to the /etc/tmux.conf file.

scanuser@remotesystem> echo "set -g destroy-unattached on" | sudo tee -a /etc/tmux.conf

This will append this line "set -g destroy-unattached on" into the /etc/tmux.conf configuration file. This will auto close sessions not being actively used.
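A way to confirm the fix took effect on a scan target, covering both this post and the 2024 write-up of the same problem above. This is an added example, not part of the original posts; the function names and the threshold are assumptions, and the session list is expected in the form produced by tmux list-sessions with the format string shown in the comment.

```shell
#!/bin/sh
# Added example: audit a scan target for orphaned tmux sessions.
# Session lines are "<session_name> <attached_clients>", e.g. from:
#   sudo -u scanuser tmux list-sessions -F '#{session_name} #{session_attached}'

# Print how many sessions on stdin have no client attached.
count_unattached() {
    awk '$NF == 0 { n++ } END { print n + 0 }'
}

# Succeed if the given tmux config has an active (uncommented)
# "set -g destroy-unattached on" line.
has_destroy_unattached() {
    grep -Eq '^[[:space:]]*set(-option)?[[:space:]]+-g[[:space:]]+destroy-unattached[[:space:]]+on([[:space:]]|$)' "$1"
}

# Report OK or WARN. $1 = tmux config path, $2 = highest number of
# unattached sessions tolerated (assumed threshold; choose your own).
# The session list is read from stdin.
audit_tmux() {
    conf=$1; limit=$2
    orphans=$(count_unattached)
    if ! has_destroy_unattached "$conf"; then
        echo "WARN destroy-unattached not set in $conf ($orphans unattached)"
        return 1
    fi
    if [ "$orphans" -gt "$limit" ]; then
        echo "WARN $orphans unattached sessions exceed limit $limit"
        return 1
    fi
    echo "OK $orphans unattached sessions"
}

# Constructed sample: three sessions, one with a client attached.
SAMPLE_SESSIONS='0 0
1 1
2 0'
```

On a live host, pipe the tmux list-sessions output into audit_tmux /etc/tmux.conf 10; a commented-out setting is reported as missing.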


Another Fix

Set system-wide rules for TMUX on the affected systems so only the account used by the Nessus scanner will have use of the TMUX terminal multiplexer. Put the following in /etc/profile.d/custom.sh:

    # Runs only when the login user is not "scanuser"
    if [ "$USER" != "scanuser" ]; then
      if [ "$PS1" ]; then                  # interactive shells only
        parent=$(ps -o ppid= -p $$)
        name=$(ps -o comm= -p $parent)
        case "$name" in (sshd|login) exec tmux ;; esac
      fi
    fi

Defs

TMUX is an open-source terminal multiplexer for Unix-type systems. Multiple terminal sessions can be accessed simultaneously by splitting the terminal into different screens. It can also detach remote sessions and reattach later, similar to what the screen application can do.

Tenable Plugin: a plugin is a script deployed by the Nessus scanner to check for security vulnerabilities. In this case plugin 21745 is an info plugin; it displays info from other plugins. This plugin is triggered (displayed) whenever a login failure occurs.

Other useful links

Tmux Cheat Sheet & Quick Reference
https://tmuxcheatsheet.com/
A beginner's guide to tmux
https://www.redhat.com/sysadmin/introduction-tmux-linux

Tuesday, April 4, 2017

Manually Update Plugins on a Nessus Scanner (Windows)

I had an issue the other day with one of my Nessus Vulnerability Scanners which is being managed by Security Center. In Security Center the status of one of the Nessus scanners showed "Plugin Out of Sync". I tried to push the plugins to the Nessus scanner from the Security Center, but I was getting a status error of "Connection timed out".  So basically I was getting a latency issue on the connection. The Nessus scanner and the Security Center are in different states, so this may be why there is so much latency. I just built this Nessus scanner, so there were just too many plugins to be pushed over the wire by Security Center. To fix this issue, I just manually copied the plugins to the Nessus scanner. Then I manually loaded the plugins into the Nessus scanner. After I did this, I have not had this issue again.

Manually updating the plugins can sometimes fix an error or a scanner status of "Protocol error". These instructions work on Nessus 5x and 6x, when managed by Security Center 4x or 5x.

Follow the instructions below to manually install plugins for the Nessus scanner on a Windows computer. For Linux computers click here.

1. Login to the Nessus scanner.

2. Open PowerShell or the Windows command line (CMD) as a privileged user.

3. Stop the Nessus service
# net stop "Tenable Nessus"

4. Remove the Nessus scanner from Security Center

5. Reset the scanner
# …\Program Files\Tenable\Nessus>nessuscli fix --reset

6. Connect the Nessus scanner
# …\Program Files\Tenable\Nessus>nessuscli fetch --security-center

7. Load the plugins into Nessus
# …\Program Files\Tenable\Nessus>nessuscli update plugins_file.tar.gz

8. Start the Nessus scanner
# net start "Tenable Nessus"

9. Login to the web interface for Nessus and verify that the configuration is complete.
https://localhost:8834

10. Login to the web interface for the Security Center. Add the Nessus scanner back and verify connectivity.

You're done.

Wednesday, March 15, 2017

How to clear Nessus Plugin 42873 on Security Center

I use Security Center with Nessus scanners from Tenable to do vulnerability scanning on my servers. Sometimes the scanner finds hits on itself, such as a hit on plugin 42873 "SSL Medium Strength Cipher Suites Supported" on the Security Center. Below I show the steps needed to disable 3DES on Security Center.

To disable 3DES within Security Center do the following:
1. Open the file /opt/sc/support/conf/sslciphers.conf

2. Search for DES-CBC3-SHA

3. After the colon that precedes the above string, add an exclamation mark which is the signal to disable the given cipher.

4. The whole string should look like :!DES-CBC3-SHA:

Once complete, restart the SC service and complete a rescan and this vulnerability should be remediated.

To clear the other part of this hit, make sure the server is using SSL ciphers that have an encryption key length of over 112 bits.
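The edit in steps 2 to 4 can be scripted so that it is repeatable and checkable. This is an added example, not part of the original post: the function names are hypothetical, the sample cipher string is constructed, and it assumes only what the steps state, namely that the file holds a colon-separated cipher string. It goes slightly beyond the steps by listing any other still-enabled suites whose names contain DES-CBC3.

```shell
#!/bin/sh
# Added example; SAMPLE is a constructed cipher string, not the shipped file.

# Print stdin with the exact token DES-CBC3-SHA disabled (prefixed "!").
# Token-exact: suites that only end in the same text, such as
# ECDHE-RSA-DES-CBC3-SHA, are left alone, and an entry that is already
# "!DES-CBC3-SHA" is not touched, so the edit can be re-run safely.
disable_3des() {
    sed -E 's/(^|[[:space:]:])DES-CBC3-SHA([[:space:]:]|$)/\1!DES-CBC3-SHA\2/g'
}

# List tokens on stdin that still enable a suite whose name contains
# DES-CBC3. Tokens starting with "!" or "-" are disabled and not listed.
enabled_3des() {
    tr ': \t' '\n\n\n' | grep -E '^\+?([A-Z0-9]+-)*DES-CBC3' || true
}

SAMPLE='HIGH:MEDIUM:DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:!aNULL'

# Example run against the sample:
#   printf '%s\n' "$SAMPLE" | disable_3des | enabled_3des
```

To apply it to the real file, keep a backup copy first, run disable_3des over /opt/sc/support/conf/sslciphers.conf into a new file, and review what enabled_3des still lists before restarting the service.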

Reference Plugin 42873
https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Tuesday, May 17, 2016

Reset Admin account on Security Center


The other day I got locked out of my admin account for the Security Center 5 from Tenable. In order to get back into the system I needed to reset the admin password. Below I show how to reset the admin password on Security Center 5. For this to work you must have elevated privileges, such as root.

Note- There is a newer version of these instructions. These instructions are for Security Center 5.10 and below, for Tenable.sc 5.11 and higher please visit this page: How to Reset Passwords for Tenable.sc

Reset the admin account password

root@earth> sqlite3 /opt/sc/application.db "update userauth set password = 'bbd29bd33eb161d738536b59e37db31e' where username='admin';"
This command sets the admin password to password

Clear login failures.

root@earth> sqlite3 /opt/sc/application.db "update userauth set failedLogins='0' where username='admin';"

Unlock the admin account

root@earth> sqlite3 /opt/sc/application.db "update userauth set locked='0' where username='admin';"

After following these steps you will be able to login to the admin account with the password set to password. If you have any questions or comments please post them below.

Tuesday, April 26, 2016

Manually Update Plugins for your PVS

I had an issue the other day with one of my Passive Vulnerability Scanners (PVS) which is being managed by Security Center. In Security Center the status of one of the PVS scanners showed "Plugin Out of Sync". I tried to push the plugins to the PVS scanner from the Security Center, but I was getting a status error of "Connection timed out".  So basically I was getting a latency issue on the connection. The PVS scanner and the Security Center are in different states, so this may be why there is so much latency. I just built this PVS scanner, so there were just too many plugins to be pushed over the wire by Security Center. To fix this issue, I just manually copied the plugins to the PVS scanner. Then I manually loaded the plugins into the PVS scanner. After I did this, I have not had this issue again.

Follow the instructions below to manually install plugins for the PVS scanner.

1. Login to the PVS scanner.
root@earth> ssh pvs

2. Stop the PVS service.
root@nessus> service pvs stop

3. Load the plugins into PVS.
root@nessus> /opt/pvs/var/pvs --update-plugins  plugins_file.tar.gz 

4. Start the PVS service
root@nessus> service pvs start

5. Login with an admin account to the web interface for the Security Center and check the status of the PVS.

You're done.

If you have any questions or comments please post them below.

Related post on this Blog
Manually Update Plugins on a Nessus Scanner
Reset Admin account on Security Center
How to Reset a Nessus Scanner

Friday, March 25, 2016

Manually Update Plugins on a Nessus Scanner (Linux)

I had an issue the other day with one of my Nessus Vulnerability Scanners which is being managed by Security Center. In Security Center the status of one of the Nessus scanners showed "Plugin Out of Sync". I tried to push the plugins to the Nessus scanner from the Security Center, but I was getting a status error of "Connection timed out".  So basically I was getting a latency issue on the connection. The Nessus scanner and the Security Center are in different states, so this may be why there is so much latency. I just built this Nessus scanner, so there were just too many plugins to be pushed over the wire by Security Center. To fix this issue, I just manually copied the plugins to the Nessus scanner. Then I manually loaded the plugins into the Nessus scanner. After I did this, I have not had this issue again.

Manually updating the plugins can sometimes fix an error or a scanner status of "Protocol error". These instructions work on Nessus 5x and 6x, when managed by Security Center 4x or 5x.

Follow the instructions below to manually install plugins for the Nessus scanner on a Linux server. To do this on a Windows computer go here.

1. Login to the Nessus scanner.
root@earth> ssh nessus

2. Stop the Nessus service.
root@nessus> service nessusd stop

3. Remove the scanner from Security Center.

4. Reset the scanner
root@nessus> /opt/nessus/sbin/nessuscli fix --reset
Resetting Nessus configuration will permanently erase all your settings and causes Nessus to become unregistered.
Do you want to proceed? (y/n) [n]: y
Successfully reset Nessus configuration.

5. Connect the Nessus scanner.
root@nessus> /opt/nessus/sbin/nessuscli fetch --security-center
nessud can now be started, SeccrityCenter will upload the plugins

6. Manually copy over the plugins file.
    Copy the tar.gz file from Security Center to the Nessus scanner, or download the latest plugins from Tenable.
Note - In Security Center the plugins are located here: /opt/sc/data/plugins

7. Load the plugins into Nessus.
root@nessus> /opt/nessus/sbin/nessuscli update plugins_file.tar.gz

* Update successful. The changes will be automatically processed by Nessus 

8. Start the Nessus service
root@nessus> service nessusd start

9. Login to the web interface for Nessus and wait for the bar to complete.
root@nessus> firefox https://localhost:8834

10. Login to the web interface for the Security Center. Add the Nessus scanner back and verify connectivity.

You're done.

If you have any questions or comments please post them below.

Related posts
Manually Update Plugins for your PVS
Reset Admin account on Security Center