This is an Ansible role for installing Nessus Agent, specifically for the CISA Continuous Diagnostics and Mitigation (CDM) environment.
Note that the command to link the Nessus Agent to the Tenable/Nessus
server (nessuscli agent link
) is not run by this Ansible role. It
must be run at instance startup via
cloud-init
or a separate Ansible playbook.
The reason for this is that this Ansible role is used to build AWS
AMIs, and the linking command generates the Tenable tag even if run
with the --offline-install
option. This causes all instances
generates from that AMI to have the same Tenable tag, and the Tenable
server cannot handle such duplicate agents.
I would prefer to perform all configuration at AMI build time; but, unless Nessus modifies their code to, for example, allow one to specify the linking parameters ahead of time we are stuck with this substandard solution.
In order to execute the Molecule tests for this Ansible role in GitHub Actions, a build user must exist in AWS. The accompanying Terraform code will create the user with the appropriate name and permissions. This only needs to be run once per project, per AWS account. This user can also be used to run the Molecule tests on your local machine.
Before the build user can be created, you will need a profile in your
AWS credentials file that allows you to read and write your remote
Terraform state. (You almost certainly do not want to use local
Terraform state for this long-lived build user.) If the build user is
to be created in the CISA COOL environment, for example, then you will
need the cool-terraform-backend
profile.
The easiest way to set up the Terraform remote state profile is to
make use of our
aws-profile-sync
utility. Follow the usage instructions in that repository before
continuing with the next steps, and note that you will need to know
where your team stores their remote profile data in order to use
aws-profile-sync
.
To create the build user, follow these instructions:
cd terraform
terraform init --upgrade=true
terraform apply
Once the user is created you will need to update the repository's
secrets
with the new encrypted environment variables. This should be done
using the
terraform-to-secrets
tool available in the development
guide. Instructions for
how to use this tool can be found in the "Terraform IAM Credentials
to GitHub Secrets"
section.
of the Project Setup README.
If you have appropriate permissions for the repository you can view existing secrets on the appropriate page in the repository's settings.
None.
Variable | Description | Default | Required |
---|---|---|---|
cdm_nessus_agent_install_directory | The directory where Nessus Agent is installed. | /opt/nessus_agent |
No |
cdm_nessus_agent_third_party_bucket_name | The name of the AWS S3 bucket where third-party software is located. | cisa-cool-third-party-production |
No |
cdm_nessus_agent_version | The version of Nessus Agent to install. | 10.7.3 |
No |
This role can be installed via the command:
ansible-galaxy install --role-file path/to/requirements.yml
where requirements.yml
looks like:
---
- name: cdm_nessus_agent
src: https://github.com/cisagov/ansible-role-cdm-nessus-agent
and may contain other roles as well.
For more information about installing Ansible roles via a YAML file,
please see the ansible-galaxy
documentation.
Here's how to use it in a playbook:
- hosts: all
become: true
become_method: sudo
tasks:
- name: Install Nessus Agent for CDM
ansible.builtin.include_role:
name: cdm_nessus_agent
We welcome contributions! Please see CONTRIBUTING.md
for
details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
Shane Frasier - [email protected]