Dockerizing Nessus Scanners

Dockerizing your vulnerability assessment architecture

Nessus and Docker
Nessus is a professional vulnerability management tool. It’s a great tool designed to automate the testing and discovery of known security problems. One of the very powerful features of Nessus is its client server technology. Servers can be placed at various strategic points on a network allowing tests to be conducted from various points of view. A central client or multiple distributed clients can control all the servers

Docker is a container manager that makes it easy to create, deploy and run application on containers. Containers allow you to build a package with all the configuration and parts that are needed for the application to run. This will make sure that you have an identical setup on all the machines running that container. The package can be shipped to any machine which supports docker and it will work as expected.

Having the ability to have automated and preconfigured scanners running in your environment can be very useful in terms of operational costs, consistency of configuration, ease of update, ease of deployment, migration.
In this tutorial we will cover how to set up a new image running with the Nessus Scanner and how to deploy images containing custom configuration, making it simple to manage and maintain your scanners.

Why run Nessus Scanner in containers
One of the main reasons is standard configuration. By having a pre built container running the Nessus Scanner , you will be able to start that container on any of you host that will act as the scanner, and have the pre build standard configuration. This may include local user configuration, how the scanner will be managed, etc.. Another important benefit, is the fast deployment. By doing the normal installation, it will require some time to install the scanner, configure it and start the service. Having it running on a container, the deployment will be very fast, and you will have the service up and running in a very short time. Other benefits are easy and faster upgrades and rollbacks.
If you are familiar with Security Center API, and how to start scans using them, you could run the container only during the scanning. By doing so, you would safe resources on the server, as they would be used only when scanning. This feature can also become very effective when used with the Nessus Agent for Host Based Scanning, as you would not need to have Nessus Agent up and running on your machines all the time, but run it only during the time of the scans.

Building the Nessus Scanner Image
Prerequisites:
Docker installed on the host were Nessus Scanner will run
Local/Private docker registry in order to save the image and deploy it more easy(hub.docker.com can also be used, but keep noted that only 1 private repo is available)
Latest Nessus scanner deb file for debian(we’ll be running it on a debian container, you can any OS of you liking)

Building the image:
For building the image, I would suggest doing it in you local machine and then, using the docker registry, deploy it on you Scanner hosts.
First download the latest agent version,as of now is 7.0.3.We are going to use the 64 bit scanner.

After download the .deb package, create a directory, nessus_scanner. Copy the deb file inside of it and also create a new file called Dockerfile with the following content:

FROM debian:latest

ADD Nessus-7.0.3-debian6_amd64.deb /tmp/Nessus-7.0.3-debian6_amd64.deb

RUN apt-get update -y \
&& apt-get install -y apt-utils tzdata \
&& dpkg -i /tmp/Nessus-7.0.3-debian6_amd64.deb \
&& rm -r /tmp/Nessus-7.0.3-debian6_amd64.deb

EXPOSE 8834

CMD service nessusd start && tail -f /dev/null

This will tell docker to use the latest version of debian as the OS image. It will copy the Nessus deb file to the container /tmp folder, and it will install the dependencies and the Nessus software on the container. After the installation is done it will remove the deb file, as it won’t be needed anymore. The port 8834, where the Nessus service run, will be exposed, and in the end it will run the command that will start Nessus service everytime that the container starts.
tail -f /dev/null is just a workaround for the container to not stop. That happens because the nessusd service will run in background, making docker think that the application has stopped. This would cause docker to stop the container. In order to prevent this, we run a foreground process which does not effect in any way the the nessusd service.

If you are running this on a private network and need a proxy to have access on the internet, you also need to configure the apt.conf with a proxy that have access to the debian repositories for the debian container to be able to download the necessary dependencies. To do so we need only to add some line in our Dockerfile. Create a apt.conf file with the neccassary proxy configuration inside the nessus directory, then add a line right after the line that copies the deb package:

……
ADD Nessus-7.0.3-debian6_amd64.deb /tmp/Nessus-7.0.3-debian6_amd64.deb
ADD apt.conf /etc/apt/apt.conf
RUN apt-get update -y \
……

Note that this might change depending on the os you decided to use.

If you want to use the proxy only once, and restore it the default configuration, just a default apt.conf file in you folder and this line before the Expose command:

……
&& rm -r /tmp/Nessus-7.0.3-debian6_amd64.deb
ADD apt.conf.default /etc/apt/apt.conf
EXPOSE 8834
……

Now that we the Dockerfile, we can build the container using the following command:

docker build -t nessus/nessus-scanner:7.0.3

This will create a new image tagged with serverheat/nessus-deb-7.
If you are using a private docker registry, you can tag it using your registry:

docker build -t myprivateregistry:5000/nessus/nessus-scanner:7.0.3 .

myprivateregistry is the ip of name of the server where you running you docker registry, usually running on port 5000. Nessus is the name of the project, nessus-scanner is the name of the repository where the image will be saved, and 7.0.3 is the tag, which can be used to determine the version of the service running in the container. The last “.” tells docker where to look for the Dockerfile, in this case the current folder. If you have another path where the Dockerfile is, use that one.

The image will require some time to build. After the image has been build you can push it to your registry using the docker push command and then pull it on the host you want to run the container. For more information regarding the process of pushing and pulling the docker images you can check the official docker documentation https://docs.docker.com

To run the container we use the following command:

docker run -d –name nessus-scanner -p 8834:8834 nessus/nessus-scanner:7.0.3

The above command will tell docker to run the container in detached mode(-d), it will give the container the name nessus-scanner and export on the host the port 8834, which will is mapped to the port 8834 of the container. This will start the container and the service will be running on port 8834 of the host. You could connect to the serverip:8834 using you web browser and you would see the initial Nessus page.

First we need to create a username/password for the Nessus web console.(This will also be used to connect SecurityCenter to the scanner if you are managing the scanner with SecurityCenter ).

In the next step you need to define how the scanner will be managed. This will depend on you infrastructure..if you are using Security Center, Tenable.io, or just a simple Nessus standalone scanner.

After that the Scanner will initialize its data for some seconds.(Here we can note that the first initialization is faster when running the scanner on a container than when having the default installation)

We still don’t have any custom configuration on the image.
The way the container is starting now, all the data will be stored inside the container, and lost when the container removed.

Having Persistent Data
In order to have persistent data, we first create a docker volume, where the data will be stored:

docker volume create nessus_scanner_var

This will create a new docker volume, located on /var/lib/docker/volumes
In order to have the nessus data stored there, we start the container using this command:

docker run -d –name nessus-scanner \
-v nessus_scanner_var:/opt/nessus/var/nessus \
-p 8834:8834 nessus/nessus-scanner:7.0.3

This will start the container and store the data present in the /opt/nessus/var/nessus on the container, into the nessus_scanner_var. This will ensure that the data won’t be lost, independent of the container. Note that data present on the host volumes or folders, have higher priority over the data present on the container.

Custom configuration in the image
Currently we have managed to build and deploy a default Nessus Scanner container. This image does not have any custom configuration. To have the image pre-configured before deploying it, we need to do some simple tasks

First, configure a local Nessus Scanner.
During the first initialization, Nessus scanner will require creating a new user, and how the scanner will be managed. After you start the container, and do the standard configuration that will be used across the infrastructure, you will need to create a new image.
To do so, first you need to find the id of the container, using docker ps command

Once you have the container id, you need the following command to push the new image to the docker registry:

docker commit cont_id nessus-scanner-conf

docker tag nessus-scanner-conf \
myprivateregistry:5000/nessus/nessus-scanner-conf:7.0.3

docker push myprivateregistry:5000/nessus/nessus-scanner-conf:7.0.3

These sets of docker commands will push the new image to the docker registry.
docker commit with create a new image from the container, docker tag it will tag it using the private registry name, and docker push will push it to the registry.

To run this new image we can use the same command as we did with the first one, except for changing the image name. This time when the container will start, it will not require any configuration, but it will be pre configured and ready to be used.

Deploying Nessus Scanner using Rancher
At this point we have the build Nessus image and the image with custom configuration.
Now we need to deploy our app, manage multiple environments like staging and production. You want to deploy your containers on multiple hosts, set up Cluester’s of containers with some clicks. This is where Rancher comes in handy.
Rancher is an open-source software for managing and running your containers in production. It has nice enterprise level features, and it GUI makes it easy to manage your infrastructure. To start with Rancher, you can check our Introduction to Rancher here.

After you have Rancher installed and up and running and added the hosts where the container will be deployed, we firstly will configure the docker registry(private one, or the account for the hub.docker.com if the repository you created is private)
To do so go to Infrastructure — > Registries

After clicking on Add Registry, we can choose the type of registrie we want to add:

After the registry has been added, rancher will be able to pull images from that registry. This means that you don’t need to configure the registry on all your hosts, as you would have needed to do if you would had deployed the container locally.

Once we have the registry set up, we create a new stack that will contain our services:

Configuring the Stack is pretty simple, just add the name and some description

Once we have the stack up, we create a new service, which will be our Nessus Container.

Here is where we configure how the service will be deployed. We can decide how the service will be scaled, how much containers will be running for this, on which hosts they will be running. We configure the image that will be used, and the ports that will be exposed.

In the Volumes tab, we can configure the mapping of the Volumes.

In the Scheduling tab, we configure on which host the containers will be deployed. We can deploy containers on multiple hosts based on the labels we have configured for those hosts, or simply run the container on a specific hosts.

After we have finished with all the necessary configuration, we can create the service, and the containers will be deployed.

Running Nessus Scanner on containers can greatly reduce configuration, maintenance times and cost. Maintaining standard configuration is simplified. New deployment of scanner are more faster and easier to manage. Running the containers along side with using the Security Center API can be very efficient, reducing resource utilization.
Also using Rancher, deployment in wide infrastructures and environments becomes more easy to manage.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top