Manually Update Plugins on a Nessus Scanner (Windows)

I had an issue the other day with one of my Nessus Vulnerability Scanners which is being managed by Security Center. In Security Center the status of one of the Nessus scanners showed "Plugin Out of Sync". I tried to push the plugins to the Nessus scanner from the Security Center, but I was getting a status error of "Connection timed out".  So basically I was getting a latency issue on the connection. The Nessus scanner and the Security Center are in different states, so this may be why there is so much latency. I just built this Nessus scanner, so there were just too many plugins to be pushed over the wire by Security Center. To fix this issue, I just manually copied the plugins to the Nessus scanner. Then I manually loaded the plugins into the Nessus scanner. After I did this, I have not had this issue again.

Manually updating the Plugins can sometimes fix error or scanner status of "Protocol error". These instructions work on Nessus 5x and 6x, when managed by Security Center 4x or 5x.

Follow the instructions below to manually install plugins for the Nessus scanner on a Windows computer. For Linux computers click here.

1. Login to the Nessus scanner.

2. Open PowerShell or the Windows command line (CMD) as privileged user.

3. Stop the Nessus service

# net stop "Tenable Nessus"

4. Remove the Nessus scanner from Security Center

5. Reset the scanner

# …\Program Files\Tenable\Nessus>nessuscli fetch fix --reset

6. Connect the Nessus scanner

# …\Program Files\Tenable\Nessus>nessuscli fetch –security-center

7. Load the plugins into Nessus

# …\Program Files\Tenable\Nessus>nessuscli update plugins_file.tar.qz

8. Start the Nessus scanner

# net start “Tenable Nessus”

9. Login to the web interface for Nessus and verify that the configuration is complete.
https://localhost:8834

10. Login to the web interface for the Security Center. Add the Nessus scanner back and verify connectivity.

Your done.

Related posts
On this Blog

Using SCP on Windows Command Prompt

In this post, I show how to move files between a Windows machine and a UNIX machine, using the command line. When I say a UNIX machine, I mean all UNIX based operating systems such as UNIX, Linux, FreeBSD and Mac OS. In this post I will be using the free PuTTY utility called PSCP.

As you know SSH is not supported in Windows, you will need to download a 3rd party program.
The People who make PuTTY, which gives SSH terminal emulation on Windows machines, has a program called PSCP. PSCP gives you the ability to use SCP or SFTP form the Windows command prompt.

You could use a GUI program that lets you SCP or SFTP the files. The issue with this approach is that an application with a GUI has limitations. If you use a command line tool, like PSCP, to move the files then you can also put it in a script. A script that can be used by the Windows Task manager or the UNIX crontab. PSCP is free and doesn't need to be installed.

Download pscp from  PuTTY download page.

After you download PSCP move it to your My  Documents folder. As the program doesn't need to be installed, It is ready to use as soon as you download it. All you need to do, to use PSCP is follow the examples below.

Run the command as shown below to move files from the Windows machine to a UNIX machine

Command Prompt

C:\> pscp.exe files man@earth:/path

Run the command as shown below to move files form a UNIX machine to a Windows machine.

Command Prompt

C:\> pscp.exe man@earth:/path/files  C:/path/

In the example above, man is the user name and earth is the name of the UNIX server. The user name can be left off if the user account in Windows have the same name as the user account on the UNIX server. I would highly recommend that you use the same user name on both systems.

Some options
If you want to force the use of ether SCP or SFTP add -scp or -sftp right after pscp.exe. If you want to use a SSH agent to manage you SSH Keys add the -agent option. I will go more into how to use SSH Key with PSCP in a future post.

Draw Back
In the method I shown here, you must start the SCP or SFTP session from the Windows machine. The Windows machine can't accept incoming requests, because there is no SSH sever running on the the Windows machine.

References
PuTTY documention

Updating Java in NetBackup

These are my notes on updating the embedded Java in NetBackup. The Symantec NetBackup patches can't keep up with the Java security patches from Oracle. The way to get around this is to use the Java installed on the server instead of the embedded Java in NetBackup. Sometimes System administrators will just link the embedded program to the system program, this is not what I'm doing here. It is similar though, the fix I'm explaining here is supported by Symantec. The examples I give on this post are from a Solaris 10 (x86) server, but the steps below will work on any server that NetBackup runs on. The embedded Java is installed on all NetBackup servers and clients.

First we need to find all the java on the server. Running the commands java -version or which java is not enough. These commands only show the main Java on the server, as shown by the examples below. # java -version
Java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)
Java HotSpot(TM) Server VM (build 20.8-b03, mixed mode)
# which java
/usr/bin/java
Use the find command to find all the Java on your server. # find / -name java -type f
/usr/jdk/instances/jdk1.6.0/bin/amd64/java
/usr/jdk/instances/jdk1.6.0/bin/java
/usr/jdk/instances/jdk1.6.0/jre/bin/java
/usr/jdk/instances/jdk1.6.0/jre/bin/amd64/java
/usr/jdk/instances/jdk1.5.0/bin/java
/usr/jdk/instances/jdk1.5.0/bin/amd64/java
/usr/jdk/instances/jdk1.5.0/jre/bin/java
/usr/jdk/instances/jdk1.5.0/jre/bin/amd64/java
/usr/openv/java/jre/java
/usr/openv/java/jre/amd64/java The last two lines in the above example are the embedded Java in NetBackup.

To find out what version of Java is on the server. Put the path statements above into the terminal with  -version at the end. Like the example below.
# /usr/jdk/instances/jdk1.6.0/bin/java -version
Java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)
Java HotSpot(TM) Server VM (build 20.8-b03, mixed mode)
Open the .nbjConf in your favorite editor. # vi /usr/openv/java/.nbjConf
Change the JAVA_PATH to: JAVA_PATH=/usr/jdk/instances/jdk1.6.0/jre/bin/java
If NetBackup uses a different version of Java then the Java installed on your system it will still work for the client. I have tested this with NetBackup 7.1, which was using java 1.6.0_26, and set it up to work with Java 1.5.0_36. The Media server and the Master server need to have the same version of Java in order to work though.

Test Nebackup by performing a backup. If there are no errors then delete the two embedded Java files for NetBackup.

References:
NetBackup Instructions

If you have any questions or comments, please post them below.