TenableCoreOS SC

Tenable Core for SecurityCenter User
Guide
Last Updated: November 08, 2018

Table of Contents
Welcome to Tenable Core for SecurityCenter 5
Get Started with Tenable Core for SecurityCenter 10
SecurityCenter System Requirements 11
Installation and Updates 12
Install Tenable Core for SecurityCenter 13
Update Tenable Core Offline 14
Manual Setup 15
Configure Static IP Addresses 16
Create a New Account 18
Increase Disk Space 21
SecurityCenter Configuration 23
System Layout for SecurityCenter 25
Dashboard 26
Add Server 27
Edit Server 29
Delete Server 31
System 32
Edit Machine Host Name 33
Edit Time and Time Zone 34
Restart 35
Shutdown 36
Change Performance Profile 37
Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are
registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.
System Log 38
Filters 39
Networking 40
Add Bond 41
Add Team 43
Add Bridge 44
Add VLAN 45
Storage 46
Rename File System 47
Delete File System 48
Accounts 49
Create User 50
Edit User 51
Change Password 52
Services 53
Targets 54
System Services 55
Sockets 56
Timers 57
Create Timer 58
Paths 59
Diagnostic Reports 60
Generate Report 61
SecurityCenter 62
Terminal 65
Backup/Restore 66
Backup 67
Restore 70
Update Management 72
Software Updates 75
SSL/TLS Security Certificates 77
Server Certificate 78
Trusted Certificate Authority Certificates 81
Welcome to Tenable Core for SecurityCenter
Tenable Core is Tenable's newest platform for Tenable products. Tenable Core combines the applic-
ation-hosting functionality provided through Tenable Appliance and adds a base operating system,
which streamlines and simplifies deployment by creating an individual build for each Tenable on-
premises application. Tenable Core is a deployment architecture that uses a secure, stable platform to
shorten the time to first scan.
To quickly get started with Tenable Core + Security Center, click Get Started.
Features
l Built upon CentOS 7 and hardened by targeting the CIS standards for RedHat 7 with SELinux
Enabled.
l Provides automatic install and updates via Tenable Public Repositories.
l Consists of Tenable Core and SecurityCenter. These are independent of one other.
l Root access is now enabled to Tenable Core builds.
See the following list for additional information about CIS standards adopted:
l SELinux: SELinux is enabled by default on this image
l CIS Benchmarks: Tenable has implemented the following parts of the CIS Level 1 Benchmark on
the Tenable Core:
CIS Level 1 - 1.x

l CIS 1.1.1.* (Disable mounting of miscellaneous filesystems)
l CIS 1.1.21 (Ensure sticky bit is set on all world-writable directories)
l CIS 1.4.* (Bootloader adjustments)
l CIS 1.4.1 Ensure permissions on bootloader config are configured
l CIS 1.4.2 Ensure bootloader password is set - set superusers
l CIS 1.7.1.* (Messaging/banners)
l Ensure message of the day is configured properly
l Ensure local login warning banner is configured properly
l Ensure remote login warning banner is configured properly
l Ensure GDM login banner is configured - banner message enabled
l Ensure GDM login banner is configured - banner message text
CIS Level 1 - 2.x
l CIS 2.2.* (disabled packages)
l x11
l avahi-server
l CUPS
l nfs
l Rpc
CIS level 1 - 3.x
l CIS 3.1.* (packet redirects)
l 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.all.send_redirects = 0'
l 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.default.send_redir-

ects = 0'
l CIS 3.2.* (ipv4, icmp, etc)
l 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_

source_route = 0'
l 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_

source_route = 0'
l 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0'
l 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects

= 0'
l 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redir-

ects = 0'
l 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_

redirects = 0'
l 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1'
l 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1'
l 3.2.5 Ensure broadcast ICMP requests are ignored
l 3.2.6 Ensure bogus ICMP responses are ignored
l 3.2.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.all.rp_filter = 1'
l 3.2.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.default.rp_filter = 1'
l 3.2.8 Ensure TCP SYN Cookies is enabled
l CIS 3.3.* (IPv6)
l 3.3.1 Ensure IPv6 router advertisements are not accepted
l 3.3.2 Ensure IPv6 redirects are not accepted
l CIS 3.4.* (tcp)
l 3.4.1 Ensure TCP Wrappers is installed
l CIS 3.5.* (network protocols)
l 3.5.1 Ensure DCCP is disabled
l 3.5.2 Ensure SCTP is disabled
l 3.5.3 Ensure RDS is disabled
l 3.5.4 Ensure TIPC is disabled
CIS Level 1 - 4.x
l CIS 4.2.* (rsyslog)
l 4.2.1.3 Ensure rsyslog default file permissions configured
l 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host
Note: 4.2.1.4 requires knowing the address of the central log host, thus not easily
done in the kickstart.
l 4.2.4 Ensure permissions on all logfiles are configured
CIS Level 1 - 5.x
l CIS 5.1.* (cron permissions)
l 5.1.2 Ensure permissions on /etc/crontab are configured
l 5.1.3 Ensure permissions on /etc/cron.hourly are configured
l 5.1.4 Ensure permissions on /etc/cron.daily are configured
l 5.1.5 Ensure permissions on /etc/cron.weekly are configured
l 5.1.6 Ensure permissions on /etc/cron.monthly are configured
l 5.1.7 Ensure permissions on /etc/cron.d are configured
l 5.1.8 Ensure at/cron is restricted to authorized users - at.allow
l 5.1.8 Ensure at/cron is restricted to authorized users - at.deny
l 5.1.8 Ensure at/cron is restricted to authorized users - cron.allow
l 5.1.8 Ensure at/cron is restricted to authorized users - cron.deny
l CIS 5.2.11 (Turn off Weak Ciphers for SSH)
l CIS 5.3.* (password/pam)
l 5.3.1 Ensure password creation requirements are configured - dcredit
l 5.3.1 Ensure password creation requirements are configured - lcredit
l 5.3.1 Ensure password creation requirements are configured - minlen
l 5.3.1 Ensure password creation requirements are configured - ocredit
l 5.3.1 Ensure password creation requirements are configured - ucredit
l 5.3.2 Lockout for failed password attempts - password-auth 'auth [default=die] pam_
faillock.so authfail audit deny=5 unlock_time=900'
l 5.3.2 Lockout for failed password attempts - password-auth 'auth [success=1 default-
t=bad] pam_unix.so'
l 5.3.2 Lockout for failed password attempts - password-auth 'auth required pam_fail-
lock.so preauth audit silent deny=5 unlock_time=900'
l 5.3.2 Lockout for failed password attempts - password-auth 'auth sufficient pam_fail-
lock.so authsucc audit deny=5 unlock_time=900'
l 5.3.2 Lockout for failed password attempts - system-auth 'auth [default=die] pam_
faillock.so authfail audit deny=5 unlock_time=900'
l 5.3.2 Lockout for failed password attempts - system-auth 'auth [success=1 default-
t=bad] pam_unix.so'
l 5.3.2 Lockout for failed password attempts - system-auth 'auth required pam_fail-
lock.so preauth audit silent deny=5 unlock_time=900'
l 5.3.2 Lockout for failed password attempts - system-auth 'auth sufficient pam_fail-
lock.so authsucc audit deny=5 unlock_time=900'
l 5.3.3 Ensure password reuse is limited - password-auth
l 5.3.3 Ensure password reuse is limited - system-auth
l CIS 5.4.* (user prefs)
l 5.4.1.2 Ensure minimum days between password changes is 7 or more
l 5.4.1.4 Ensure inactive password lock is 30 days or less
l 5.4.4 Ensure default user umask is 027 or more restrictive - /etc/bashrc
l CIS 5.6.* (wheel group)
l 5.6 Ensure access to the su command is restricted - pam_wheel.so
l 5.6 Ensure access to the su command is restricted - wheel group contains root
CIS Level 1 - 6.x
l CIS 6.1.* (misc conf permissions)
l 6.1.6 Ensure permissions on /etc/passwd- are configured
l 6.1.8 Ensure permissions on /etc/group- are configured
Get Started with Tenable Core for SecurityCenter
These processes will help you set up and get started with SecurityCenter in Tenable Core.
SecurityCenter System Requirements
Installation and Updates
Manual Setup
Configuration of Static IP Addresses
Create a New Account
Increase Disk Space
SecurityCenter Configuration
SecurityCenter System Requirements
When SecurityCenter runs on Tenable Core, specific system specifications are added and must be main-
tained for version of SecurityCenter provided on Tenable Core. For more guidance or for requirements
needed to upgrade to another version, refer to SecurityCenter Hardware Requirements in the
SecurityCenter User Guide.
Provided Specifications for SecurityCenter Full Safe + Local Checks
Disk
Version Hosts Managed CPU Cores Memory
Space
Tenable Core + Secur- 2,500 active IPs 4 2GHz cores 8 GB RAM 180
ityCenter 5.x days:
250
GB
Provided Specifications for SecurityCenter Full Safe + Local Checks + 1 Configuration

Audit
Disk
Version Hosts Managed CPU Cores Memory
Space
Tenable Core + Secur- 2,500 active IPs 4 2GHz cores 8 GB RAM 180
ityCenter 5.x days:
450
GB
Installation and Updates
You can download and install Tenable Core or update an existing version of Tenable Core.
Note: If you have internet access, updates occur automatically based on default or custom con-
figurations. You can also schedule manual updates. For more information on automatic and scheduled
updates, see Update Management.
Install Tenable Core for SecurityCenter
Update Tenable Core Offline
Install Tenable Core for SecurityCenter
To install Tenable Core for SecurityCenter, you must first download the Tenable VMware Virtual
Machine image from the Tenable Downloads page.
The image is provided as a .ova file and is available for VMware Server, VMware Player, VMware ESX,
VMware Workstation, and VMware Fusion (http://vmware.com/) with the operating system and applic-
ations in a 64-bit version.
Note: You can install the .ova file without an internet connection.
Note: The suggested system requirements for hardware are 225 GB disk, 8 GB memory, and four 2 GHz
CPU cores. This may need to be increased based on system usage. For more information, see Secur-
ityCenter System Requirements in the SecurityCenter User Guide.
1. Navigate to the Tenable Core + SecurityCenter section of the Tenable Downloads page.
2. Click to download the .ova file.
3. Once the download is complete, import the .ova into your environment.
4. Adjust the default VM settings as needed.
5. Turn on the VMware image per the setup steps for your environment.
The boot process appears in the VM console dialogue box.
Note: The application services may take several minutes to start.
Update Tenable Core Offline
You can install updates to Tenable Core without an internet connection by obtaining the Tenable Core
Offline Update ISO file from the Internet and copying it to your Tenable Core machine.
1. Navigate to the Tenable Core Offline Update ISO section of the Tenable Downloads page.
2. Click and download the ISO file.
3. Upload the file via scp.
Example:
scp local-iso-file.iso user@host:/srv/tenablecore/offlineiso/tenable-

offline-updates.iso
Note: The target line may vary; however, the destination must be the following path:
/srv/tenablecore/offlineiso/tenable-offline-updates.iso
After the upload, updates are applied automatically at the configured time set on the Update Man-
agement page or on the next reboot. You can also manually install updates on the Software Updates
page.
Note: Once the ISO file is uploaded, no further action is needed. However, you can make subsequent
updates by replacing the existing ISO file if desired.
Manual Setup
For users that want to automate VM deployment using tools like Ansible, Puppet, Chef, etc., use the fol-
lowing scripts to complete the process manually.
1. Run the /usr/libexec/tenablecore/wizard/wizardadduser.sh shell script.
2. Provide two lines of input on standard input.
3. The first line is the username.
4. The second line is the password.
Example
$ pkexec /usr/libexec/tenablecore/wizard/wizardadduser.sh <<'EOF'

newadmin
suP3rsaF3p4ssw()rd
EOF
or
$ pkexec /usr/libexec/tenablecore/wizard/wizardadduser.sh
newadmin
suP3rsaF3p4ssw()rd
5. Logout of the wizard account/session.
Configure Static IP Addresses
Static IP addresses can only be configured after creating an admin user and configuring a DHCP con-
nection.
Note: Make sure Wired connection 1 is selected.
Note: An alternative connection can be made by going to the connection list and modifying it.
Device List
Enter the following to view the current device list.
$ nmcli device status

DEVICE TYPE STATE CONNECTION
ens160 ethernet connected Wired connection 1
lo loopback unmanaged --
Note: Make sure Wired connection 1 is selected from the list of available connections.
Note: The value in the DEVICE column.
Add Connection
Enter the following to fetch the connection associated with that device.
$ conn=$(nmcli -g general.connection device show ens160)

$ echo "$conn"
Static Connection
Enter the following to configure a static connection.
$ nmcli connection modify "$conn" connection.autoconnect yes ipv4.method
manual ipv4.addr "10.0.0.1/24" ipv4.dns "10.0.1.1, 10.0.1.2" ipv4.gateway
"10.0.0.254"
Restart or Reboot the Connection

Enter the following to restart.
$ nmcli connection down "$conn" && nmcli connection up "$conn"
or
Enter one of the following to reboot.
$ systemctl reboot
$ shutdown -r now
$ reboot
Create a New Account
1. For the initial log in, administrative users must create an account.
2. The initial screen will request a login. Enter the following:

l Username: wizard
l Password: admin
3. The Initial Account Setup screen will appear with a new window to create the new admin-
istrator. Enter the new user account information.
4.
Note: The password must contain at least one capital letter, one numeric character, one non-
alphanumeric character, and must be at least 14 characters long.
5. A confirmation message will display. Click Finish Setup to complete the new account creation
and log out.
6. Click the Create Account button. A new screen with a new log in window will appear.
7. Enter the newly created account information to log in to the system.
Caution: Select the Reuse my password for privileged tasks option at the bottom of the log in
screen to ensure access to all of the root administrative tasks. If this is not selected, some root
tasks will not work.
Increase Disk Space
Complete the following process to add disk space to your system.
Before you begin:

Back up your machine.
Note: You can add disks by selecting disk instead of space on the current distribution in the Physical
Volumes section.
Add Disk Space
1. Shut down your virtual machine.
2. Add additional disk space to your server.
3. Reboot your virtual machine.
4. Log in to Tenable Core.
5. In the left navigation pane, click Storage.
The Storage page appears.
The Drives section on the right side of the screen displays the updated disk space.
Configure A New Physical Volume
1. On the Storage page, in the Volume Groups section, click the current volume.
A new page appears.
2. In the Physical Volumes header, click the + button.
3. Select the option to add the extra free space as a new physical volume.
4. Click the Add button.
Expand the Logical Volume
1. On the Storage page, click the file system that contains the target partition /root.
A new page appears.
2. In the Logical Volumes section, click the file system that contains the target partition/root.
The file option expands into a drop down.
3. Next to the size option, click Grow.
An expansion prompt displays.
4. Move the slider to the right (increase) to reflect the new disk space size.
5. Click the Resize button.
The file system /root file displays the increased disk space.
SecurityCenter Configuration
After installing SecurityCenter on Tenable Core, you can navigate to the SecurityCenter interface and
configure the application.
Note: Public key infrastructure (PKI)-based client authentication for SecurityCenter is no longer con-
figured through Tenable Core. For more information, refer to Configuration Settings in the Secur-
ityCenter User Guide.
1. Click SecurityCenter.
2. In the SECURITYCENTER INSTALLATION INFO: section, click the URL.
The SecurityCenter Quick Setup Guide page opens in a new tab.
3. Follow the prompts in the guide.
System Layout for SecurityCenter
The system pages are divided into two sections, both of which can be accessed from the expanding left
panel. These are the Dashboard section, which displays a list of the systems running on the server,
and the server navigation pane, from which a user can navigate to all other server features (as listed
below).
l System
l System Log
l Networking
l Storage
l Accounts
l Services
l Diagnostic Reports
l SecurityCenter
l Terminal
l Update Management
l Backup/Restore
l Software Updates
l SSL/TLS Certificates
Dashboard
The Dashboard displays a list of systems running on the server. The graph provides information for
CPU usage, memory usage, disk I/O, and network traffic. Click on the options above the graph to view
the corresponding data.
A list of servers are displayed beneath the graph.
Add Server
Steps
1. In the far left navigation pane, click the Dashboard option. The Dashboard page displays.
2. Click the Add Server icon ( ) in the Server heading. A new window will display.
3. Enter the IP address or Host name for the machine to be added.
4. Click the color bar displayed to select the desired color to identify the added machine.
5. Click Add. A new window may display if the new machine requires authentication.
6. Click Connect A new window will appear.
7. Enter the User name and Password for the new machine and click Log In. The window will close.
8. The new machine will be added to the list. If the new machine does not appear immediately,
refresh the screen.
Tip: Accounts can be synchronized using the Synchronize Account and Passwords link in the authen-
tication credentials window in step five.
Edit Server
The server name and color designation can be edited. To edit the displayed server information:
Steps
1. In the far left navigation page, click the Dashboard option. The Dashboard page displays.
2. Click the edit server icon in the Server header. Two new icons will display to the right of the lis-
ted servers.
3. Click on the edit icon. A new window will display.
4. Make the desired edits and click Set.
Delete Server
Steps
1. In the left navigation pane, click the Dashboard option. The Dashboard page displays.
2. Click the check icon in the Server heading. Two new icons will display to the right of the listed
servers.
3. Click the delete icon and the server will be deleted.
System
The System page provides information and graphs about the system on which the machine is running.
Graphs provide information for the CPU usage, memory usage, disk I/O, and network traffic. In addi-
tion, information for hardware and operating system details are displayed.
Users can view machine SSH fingerprints, view and change the machine host name, time and time
zone, restart or shutdown the system, or change the performance profile.
Edit Machine Host Name
Steps
1. In the left navigation pane, click the System option. The System page displays.
2. Click the link next to the Host Name option in the information list that is left of the graph charts.
A new window will appear with the options to enter/edit the Pretty Host Name and Real Host
Name.
3. Enter the Pretty Host Name for the machine. The Real Host Name will update as the Pretty
Host Name is entered.
4. Click Change to update the name. The new name will be displayed next to the Hostname option.
Edit Time and Time Zone
Steps
1. In the left navigation pane, click the System option. The System page displays
2. Click the link next to the System Time option in the information list that is left of the graph
charts. A new window will appear.
3. Select the correct time zone from the Time Zone drop down list.
Tip: Type the first few letters of the desired time zone to filter the list.
4. Next, select the Set Time option for Automatic or Manual updates.
5. Click Change to confirm the updated time settings. The updated time information will be dis-
played next to the System Time option.
Restart
Steps
2. Next to the Power Optionsitem, click the Restart button or select it from the drop down menu.
A new window will appear.
3. Enter a message for the users in the text box.
4. Select the delay time from the drop down menu. This is the time that the restart will start.
Choose from one of the minute increments or enter a specific time. There is also an option to
restart immediately with no delay.
5. Click the Restart button to initiate and save the updated information.
Shutdown
Steps
2. Next to the Power Optionsitem, click the arrow by Restart to display the drop down menu.
Select Shut Down. A new window will appear.
3. Enter a message for the users in the text box.
4. Select the delay time from the drop down menu. This is the time that the shut down will start.
Choose from one of the minute increments or enter a specific time. There is also an option to
Shut Down immediately with no delay.
5. Click Shut Down to initiate and save the updated information.
Change Performance Profile
Steps
2. Click on the link next to the Performance Profile option in the information list that is left of the
graph charts. A new window will appear displaying Performance Profile options.
3. Select the desired Performance Profile. The recommended profile is labeled in the list.
4. Click Change Profile to confirm the new selection.
System Log
View the System Log when errors are encountered in the system. The System Log lists, categorizes,
and stores system issues that have occurred within the last seven days. Click on an individual entry
(row) to get additional information.
Filters
Several log type filters are available. The Everything option is selected by default. Select another
option using the drop down menu at the top of the page. The logs are listed with the most recent entry
displayed first. Previous days are divided into sections with the corresponding date displayed in the
header.
The logs can be filtered using the drop down menu. Click on the date to display the filter options for
the logs.
Networking
The Networking page provides real-time system sending/receiving information, interface connection
options, and logs. The Interfaces section provides options for Add Bond, Add Bridge, Add Team,
and Add VLAN. The Add Bond option provides a method for aggregating multiple network interfaces
into a single bonded interface. Configure team settings with the Add Team option. Use the Add
Bridge feature to create a single aggregate network from multiple communication networks. The Net-
working Logs section provides a daily log of activity for the system network.
Add Bond
Steps
1. In the left navigation pane, click the Networking option. The Networking page displays.
2. In the Interfaces heading, click the Add Bond button on the Interfaces section. A new window
appears.
3. Enter a Name for the bond.
4. Select the members (interfaces) to bond to in the Members section.
5. Select an option for MAC.
6. Select the Mode.
7. Select a Primary.
8. Select the type of Link Monitoring. The recommended type is labeled in the drop down list.
9. Enter the Monitoring Intervals with options to link up or down delay increments.
Add Team
Steps
2. In the Interfaces heading, click the Add Team button on the Interfaces section. A new window
will appear.
3. Enter the Team Name.
4. Select the Ports needed for the new team.
5. Select the Runner and Link Watch from the drop down list.
6. Enter the Link up and Link down delay increments.
Add Bridge
Steps
2. In the Interfaces heading, click the Add Bridge button on the Interfaces section. A new window
will appear.
3. Enter a Name for the bridge.
4. Select the Ports that will connect to the bridge.
5. Click the box next to Spanning Tree Protocol (STP) to get additional STP options.
6. Click Apply to add the new bridge.
Add VLAN
Steps
1. Click the Add VLAN button on the Interfaces section. A new window will appear.
2. Select the Parent from the drop down list.
3. Enter the VLAN Id and name.
4. Click Apply to confirm add the VLAN.
5. The new VLAN will display in the Interface list.
Storage
The Storage section provides real-time reading/writing graphs, File Systems information, and Stor-
age logs. The File Systems section lists each item noting the name, mount point, and size. Additional
details can be viewed by clicking on individual file systems (rows). The detailed view provides inform-
ation for capacity, logical volumes, and correlating file storage logs. The file system name can be
updated on the details page. In addition, single file systems can be deleted.
Rename File System
Steps
1. In the left navigation pane, click the Storage option. The Storage page displays.
2. In the File Systems section, click on the individual file in the file systems list. The details page
will appear.
3. Click the Rename button in the upper right section of the window. A new window will appear.
4. Enter the new name for the File System.
5. Click Create. The new name will immediately display on the page.
Delete File System
Steps
1. In the left navigation pane, click the Storage option. The Storage page displays.
2. In the File System section, click the individual file in the files systems list. The details page will
appear.
3. Click the red Delete button in the system heading.
4. Confirm that you want to delete the File System.
5.
Caution: Deleting a volume group will erase all data on it.
Accounts
New and existing users are managed through the Accounts section. User accounts are displayed in
cards on the main screen. Click on the user card to display the user's information. User information
can also be edited within the user information box.
Create User
Edit User
Change Password
Create User
Steps
1. In the left navigation pane, click on Accounts. The Accounts page displays.
2. Click the Create New User button at the top of the page. A new window will appear.
3. Enter the user's information in the new window.
Note: The password must be at least 14 characters.
4. Click the Create button at the bottom of the page.
5. A card with the newly created user will appear on the Accounts page.
Edit User
Click the User's card to access the user's information. The user's name, role, access and password can
be edited on this page. User sessions can be terminated using the Terminate Session button at the
top of the page. In addition, a user can be deleted by clicking the Delete button at the top of the page.
Change Password
Steps
1. In the left navigation pane, click on Accounts.
2. Click the user's card.
3. Click the Set Password button. A new window will appear.
4. Enter the required information in the fields - old password, new password, and confirm new
password.
5. Next, click the Set button.
6. The password is updated.
Services
The Services page provides detailed information for Targets, System Services, Sockets, Timers, and
Paths. From this page, a user can stop, start, restart, or reload any installed web service by clicking the
service and selecting the desired option from the drop-down box.
Note: Restarting a service will completely stop and restart the service. Reloading a service will only
reload the service's configuration files.
Targets
The Targets section provides a list of enabled, disabled, and static targets. Click on individual target
listing to view detailed information. The detailed listing provides options to start, stop, restart, and
reload. In addition, there are numerous options for enabling, disabling, and masking. A list of Service
Logs are, also, displayed on the details page.
System Services
The System Services section provides a list of enabled, disabled, and static services. Click on an indi-
vidual system services listing to view detailed information. The detailed listing provides options to
start, stop, restart, and reload. In addition, there are numerous options for enabling, disabling, and
masking. A list of Service Logs are, also, displayed on the details page.
Sockets
The Sockets section provides a list of enabled, disabled, and static sockets. Click on an individual
socket listing to view detailed information. The detailed listing provides options to start, stop, restart,
and reload. In addition, there are numerous options for enabling, disabling, an masking. A list of Ser-
vice Logs are, also, displayed on the details page.
Timers
The Timers section provides a list of enabled, disabled, and static sockets. Click on an individual timer
listing to view detailed information. The detailed listing provides options to start, stop, restart, and
reload. In addition, there are numerous options for enabling, disabling, an masking. A list of Service
Create Timer
Steps
1. In the left navigation pane, click the Services option. The Services page displays.
2. In the Services page heading, click the Create Timers button. A new window appears.
3. Enter the Service Name, Description, Command, and Run information.
4. Click Save. The new timer will display in the enabled section of the list.
Paths
The Paths section provides a list of enabled, disabled, and static paths. Click on an individual path list-
ing to view detailed information. The detailed listing provides options to start, stop, restart, and
reload. In addition, there are numerous options for enabling, disabling, an masking. A list of Service
Diagnostic Reports
Diagnostic Reports are helpful when issues are encountered. The Diagnostic Report can aid in
troubleshooting problems. If your support team or Tenable support requests a diagnostic report, click
the Diagnostic Report option in the left navigation pane. The Reports page displays.
Generate Report
Steps
1. Click the Create Report button.
2. A new window with a status bar will appear as the report generates.
3. When the report is complete, the status will display Done.
4. Click the Download Report button to save and print the report.
SecurityCenter
SecurityCenter is a comprehensive vulnerability analysis solution that provides complete visibility into
the security posture of your distributed and complex IT infrastructure. SecurityCenter consolidates and
evaluates vulnerability data from across your entire IT infrastructure, illustrates vulnerability trends
over time, and assesses risk with actionable context for effective remediation prioritization.
From the SecurityCenter page in Tenable Core, you can view log data and synchronize your ports to
Tenable Core's firewall.
Tip: From this page, you can also access the SecurityCenter interface and configure your instance of
SecurityCenter. Refer to SecurityCenter Configuration in the SecurityCenter User Guide for more
information.
To synchronize ports in the Tenable Core firewall:

1. In the SECURITYCENTER WEBSERVER CONFIGURATION: section, click the number in the Listen-
ing Configuration: field.
The CONFIGURE LISTENING SETUP dialogue box appears.
2. In the Ports (all IP addresses): field, enter all applicable ports, separating them with commas.
3. Check the Open matching firewall ports: box.
4. Click Change.
A success message appears briefly in the dialogue box. The dialogue box then closes.
To view SecurityCenter logs:

1. Select the desired log from the drop-down box.
2. Click View Log.

The log appears in the text box.
Terminal
The Terminal option provides a console for user specific command line interface.
Backup/Restore
On the Backup/Restore page, a user can manually back up data for their application, configure auto-
matic data backups, or restore the data and application to another state.
Backup
Restore
Backup
A user can back up an application and its data by either manually taking a backup for an application or
setting up an automatic backup schedule.
Before you begin:
l Configure your remote storage.
Note: You must configure remote storage prior to attempting a manual or automatic backup
because backups are stored in your remote storage. If you have not completed this process, a
prompt message displays at the top of the page.
l In the AVAILABLE MODULES: section, check the box next to the application.
Take a Backup
A user can manually take a backup of an application and its data as an alternative to setting an auto-
matic backup schedule or in between scheduled backups. To take a backup, click the Take Backup
Now button.
A BACKUP IN PROGRESS dialogue box appears and then disappears when the backup is complete.
- or -
Select and Schedule Automatic Backups

The default backup schedule for installed applications is daily at 2:30 AM local time. You can modify
the default backup setting in your installed application. To schedule automatic backups outside of the
default schedule:
Note: Eastern Time is the default time zone, and your scheduled backup will coincide with that unless
you Edit the Time and Time Zone.
1. In the AUTOMATIC BACKUPS: section, click Edit.
The EDIT TIMER CONFIGURATION dialogue box appears.
2. Enter the schedule data preferences.
Note: If both Day of week and Day of month are selected, the system will only perform updates
on days when those two items coincide (e.g., if Wednesday is selected for Day of week and 8 is
selected for Day of month, the system will only update on Wednesday's that fall on the 8th).
3. Click Save.
Note: If you click the link in the "Scheduled backups can be configured Here" message, you'll be
redirected to the Services page. From here, you can disable or re-enable automatic backups.
Restore
If a user needs to revert an application and its data to another state or migrate application data
between hosts, they can do so by restoring a backup.
Before you begin:

Enable access to port 8090 through any firewalls running between Tenable Core and the backup.
Note: Port 8090 must be accessible from your computer to restore a backup.
Restore a Backup
1. In the UPLOAD AND RESTORE: section, click Choose a file.

Your local drive appears.
2. Select the desired backup file and click Open.

A dialog box listing the details of the selected backup appears.
3. Click Restore.
Caution: If the backup cannot be completed for some reason (e.g., the file is not a valid backup or
the server has connectivity issues), an error message appears with details about the failure. Fol-
low the instructions in the error message and click Retry.
If the restore is successfully initiated, a dialog box appears with the Uploading the archive
task displayed and a percentage indicating the upload progress.
Caution: The upload fails if you log out or close the browser window during the upload. You can
minimize the browser or navigate to a new tab without disrupting the upload.
Once the upload is complete, a green check mark appears next to Uploading the archive.
Check marks appear next to each remaining task in the back-end restoration process as they are
completed.
A success message appears once the restore is complete.
Note: Once the Uploading the archive task is complete, you can close the browser or log out
without disrupting the restore process. However, you will not receive any indication when the
restore process is complete if you do log out or close the browser window before the success
message appears.
Update Management
You can review information about your scheduled automatic updates, navigate to the Services page to
disable or enable automatic update settings, change the automatic update schedule, or configure a
proxy server you do not have internet access.
Note: You can also make updates without internet access. Refer to Update Tenable Core Offline for
more information.
Note: Additional updates are needed for systems using Tenable.io On-prem. For more information, see
Manage Updates in the Tenable.io On-prem User Guide.
From the Updates Management page, do one or more of the following:
Disable or Enable Automatic Updates

1. In the AUTOMATIC UPDATES: section, click the Here link in "Scheduled updates can be con-
figured Here."
The Services page opens.
2. From the drop-down box next to the service, select the desired settings.
Change Automatic Update Schedule
1. In the AUTOMATIC UPDATES: section in the Timer Config Line, click Edit.
The EDIT TIMER CONFIGURATION dialogue box appears.
Note: Eastern Time is the default time zone, and your scheduled backup will coincide with that
unless you Edit the Time and Time Zone.
2. Enter the automatic update schedule preferences.
Note: If both Day of week and Day of month are selected, the system will only perform updates
on days when those two items coincide (e.g., if Wednesday is selected for Day of week and 8 is
selected for Day of month, the system will only update on Wednesday's that fall on the 8th).
3. Click Save.
4. Refresh the screen to update the page.

The updated configuration displays in the AUTOMATIC UPDATES: section.
Configure a Proxy Server

1. In the Proxy Configuration section, complete the Proxy Host:, Proxy Username:, and Proxy
Password: fields.
2. Click Save Proxy.
Software Updates
The Software Updates page provides information for necessary system updates. Click the Check for
Updates button to scan the system for uninstalled updates.
If updates are found, an Install all updates button will appear at the top of the page. Click the button
to install the updates.
Updates Requiring Restart

When updates are made to any of the following packages, you must restart the Tenable Core virtual
machine for the updates to take effect.
l kernel
l glibc
l linux-firmware
l systemd
l udev
SSL/TLS Security Certificates
From the SSL/TLS Security Certificates page, the user can manage their Server and Trusted Certificate
Authority certificates.
Server Certificate
Trusted Certificate Authority Certificate
Server Certificate
When a user initially signs in to Tenable Core, a default self-signed security certificate is installed. This
default certificate is an auto-generated placeholder for the custom certificate; it is not signed by a
recognized certificate authority and, if not updated with a valid certificate, will cause security warnings
to display in the browser.
Replacing this certificate with a custom certificate allows the user to access Tenable Core securely
without receiving error messages. A user can also replace these custom certificates as needed or
remove the custom certificate entirely, which will then be replaced with a new self-signed auto-gen-
erated certificate.
Before you begin:
l Make sure you have the custom security certificate and server key from your organization (.DER,
.PEM, or .CRT are all accepted file extensions).
l Make sure you're in the left navigation pane for the appropriate server.
Note: The left navigation pane will list system pages vertically. Click the host navigation
button in the expanding panel to navigate to the left navigation pane from another section.
To Upload a Custom Security Certificate

1. Click SSL/TLS Certificates.
2. On the System Certificate tab, scroll to the Update Certificate section.
3. Locate Server Certificate: and click Choose File.
4. Select the custom certificate.
5. Find Server Key: and click Choose File.
6. Select the server key.
7. Click Install Server Certificates. A success message displays letting you know the upload was
successful.
8. From the Services page, restart the Cockpit web service to enable the new certificate.
Note: By default, the custom certificate will apply to all supported Tenable applications you have
installed. To override this setting, click the product tab (e.g., Nessus) and uncheck the Reuse System
Certificate box.
Note: You can replace your custom certificate or server key with a new one by uploading a new file,
which will override the existing file.
- or -
To Remove Custom Certificate/Revert to Default Certificate

1. From the left navigation pane for the appropriate server, click SSL/TLS Certificates.
2. On the System Certificate tab, scroll to the Update Certificate section.
3. Click Reset Server Certificates. The CONFIRM RESET window appears.
4. Click Reset in the CONFIRM RESET window. A success message displays letting you know the
reset was successful.
Trusted Certificate Authority Certificates
Uploading a Trusted Certificate Authority certificate authenticates the user to a supported

Tenable application and allows the user to securely access an application without having to
log in using a password each time.
Caution: You need to add a Trusted Certificate Authority certificate only when using the SSL/TLS Cer-
tificates to authenticate to Nessus, Nessus Network Monitor, or SecurityCenter or when authenticating
SecurityCenter to its Nessus scanners.
Before you begin:
l Make sure you have the Trusted Certificate Authority certificate (.DER, .PEM, or .CRT are all accep-
ted file extensions).
l Make sure you're in the left navigation pane for the appropriate server.
Note: The left navigation pane will list system pages vertically. Click the host navigation
button in the expanding panel to navigate to the left navigation pane from another section.
Upload a Trusted Certificate Authority Certificate:
1. Click SSL/TLS Certificates.
2. On the System Certificate tab, navigate to the TRUSTED CERTIFICATE AUTHORITIES: section.
3. Under Add Certificate Authority:, find the Certificate: field and click Choose File.
4. Select the certificate.
5. Click Install Certificate Authority. A success message displays letting you know the upload was
successful.
Note: You can upload as many Trusted Certificate Authority certificates as needed. To remove a pre-
viously uploaded certificate, you must select the certificate and click the Delete button.

TenableCoreOS SC

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

TenableCoreOS SC

Transféré par

Droits d'auteur :

Formats disponibles

Tenable Core for SecurityCenter User

Last Updated: November 08, 2018

Welcome to Tenable Core for SecurityCenter 5

Get Started with Tenable Core for SecurityCenter 10

SecurityCenter System Requirements 11

Installation and Updates 12

Install Tenable Core for SecurityCenter 13

Update Tenable Core Offline 14

Configure Static IP Addresses 16

Create a New Account 18

Increase Disk Space 21

System Layout for SecurityCenter 25

Edit Machine Host Name 33

Edit Time and Time Zone 34

Change Performance Profile 37

Rename File System 47

Delete File System 48

SSL/TLS Security Certificates 77

Trusted Certificate Authority Certificates 81

l Provides automatic install and updates via Tenable Public Repositories.

l Root access is now enabled to Tenable Core builds.

l SELinux: SELinux is enabled by default on this image

CIS Level 1 - 1.x

l CIS 1.1.21 (Ensure sticky bit is set on all world-writable directories)

l CIS 1.4.* (Bootloader adjustments)

l CIS 1.4.1 Ensure permissions on bootloader config are configured

l CIS 1.4.2 Ensure bootloader password is set - set superusers

l CIS 1.7.1.* (Messaging/banners)

l Ensure message of the day is configured properly

l Ensure local login warning banner is configured properly

l Ensure remote login warning banner is configured properly

l Ensure GDM login banner is configured - banner message text

l 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.all.send_redirects = 0'

l 3.1.2 Ensure packet redirect sending is disabled - 'net.ipv4.conf.default.send_redir-

l CIS 3.2.* (ipv4, icmp, etc)

l 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.all.accept_

l 3.2.1 Ensure source routed packets are not accepted - 'net.ipv4.conf.default.accept_

l 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.all.accept_redirects = 0'

l 3.2.2 Ensure ICMP redirects are not accepted - 'net.ipv4.conf.default.accept_redirects

l 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.all.secure_redir-

l 3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_

l 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.all.log_martians = 1'

l 3.2.4 Ensure suspicious packets are logged - 'net.ipv4.conf.default.log_martians = 1'

l 3.2.6 Ensure bogus ICMP responses are ignored

l 3.2.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.all.rp_filter = 1'

l 3.2.7 Ensure Reverse Path Filtering is enabled - 'net.ipv4.conf.default.rp_filter = 1'

l 3.2.8 Ensure TCP SYN Cookies is enabled

l CIS 3.3.* (IPv6)

l 3.3.1 Ensure IPv6 router advertisements are not accepted

l 3.3.2 Ensure IPv6 redirects are not accepted

l CIS 3.4.* (tcp)

l 3.4.1 Ensure TCP Wrappers is installed

l CIS 3.5.* (network protocols)

l 3.5.1 Ensure DCCP is disabled

l 3.5.2 Ensure SCTP is disabled

l 3.5.3 Ensure RDS is disabled

l 3.5.4 Ensure TIPC is disabled

l 4.2.1.3 Ensure rsyslog default file permissions configured

l 4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host

l 4.2.4 Ensure permissions on all logfiles are configured

l 5.1.2 Ensure permissions on /etc/crontab are configured

l 5.1.3 Ensure permissions on /etc/cron.hourly are configured

l 5.1.5 Ensure permissions on /etc/cron.weekly are configured

l 5.1.6 Ensure permissions on /etc/cron.monthly are configured