Updating Nessus agent using BigFix

Hello Gurus,

I wonder if it’s possible to distribute a new version of the Nessus agent on the endpoints. I know there’s not a native fixlet to do this, so I think I will need to build my own fixlet. Considerations would be version validation, a bunch of relevances to validate, etc.

Has anyone experimented with anything like this?

Thank you in advance.

Though not for Nessus, I’ve regularly used BigFix to deploy and upgrade agents. A simple and generic approach could be to check for the existence of an agent service that is below the version you require, and this brings you visibility of the estate you have to deal with, e.g.

exists service "yourservice" whose (version of it < "major.minor.build.revision")

exists service "besclient" whose (version of it < "11.0.5")

You would probably also want to do some OS checks, e.g. windows of operating system, if you have a mixed OS environment.

You can then create actions to download the installer file(s) and then execute it, e.g. via msiexec.exe, passing suitable arguments for your needs.

1 Like

We do Nessus agent updates from BigFix, it's pretty straightforward depending on how many groups you have, if you even use Nessus groups at all. We have different groups depending on what domain the machines are supposed to go into, but for the upgrade itself we just stop the Tenable service, wait 30 seconds, then run the MSI command to install the application with the proper switches. This is how we do it and we've had good success with the upgrades. Now... We have other processes for checking whether the agent is actually working as well, because that is another pain point with the Nessus agent. Sometimes the agent stops communicating or there is a firewall rule blocking communication, and you have to run a Nessus command line task to check for the agent status, then remediate if needed.
Let me know if you have any other questions.

// Download all specified files
begin prefetch block

<add prefetch items>

end prefetch block

// Stop the agent service before upgrading
waithidden cmd.exe /c net stop "Tenable Nessus Agent"

// Wait 30 seconds
parameter "Pause1" = "{now}"
pause while {now < (((parameter "Pause1" of action) as time) + 30 * second)}

// Assign parameter for group, based on the computer's domain
if {("domain1.fqdn domain2.fqdn" as lowercase contains (string value of selects "Domain from Win32_ComputerSystem" of wmi) as lowercase)}
	parameter "NessusGroup" = "<Group Name 1>"
elseif {("domain3.fqdn" as lowercase contains (string value of selects "Domain from Win32_ComputerSystem" of wmi) as lowercase)}
	parameter "NessusGroup" = "<Groupname 2>"
else
	parameter "NessusGroup" = "<Groupname3>"
endif

if {parameter "NessusGroup" != ""}
	// Install Nessus Agent
	waithidden msiexec.exe /i __Download\NessusAgent.msi /quiet /norestart NESSUS_GROUPS="{(parameter "NessusGroup")}" NESSUS_SERVER="<enter server name>" NESSUS_KEY=<Enter nessus Key>
endif
6 Likes
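
The agent status check mentioned in the post above, sketched as an added example (not code from the thread or from Tenable). It assumes the default install path, the service name used in the action script, and that `nessuscli agent status` prints `Key: value` lines with a link status beginning `Connected` when healthy; the sample output is constructed.

```powershell
# Added example: post-upgrade health check for the Nessus Agent on Windows.
# Assumptions: default install path, and "Key: value" lines in the status output.
$ServiceName = 'Tenable Nessus Agent'
$NessusCli   = Join-Path $env:ProgramFiles 'Tenable\Nessus Agent\nessuscli.exe'

function ConvertFrom-AgentStatus {
    # Turn "Key: value" lines into a hashtable, splitting on the first colon only.
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $fields
}

function Get-AgentHealth {
    # Classify the agent so a follow-up action can pick the right remediation.
    param([string]$ServiceState, [hashtable]$Status)
    if ($ServiceState -ne 'Running')  { return 'ServiceStopped' }
    if ($Status['Running'] -ne 'Yes') { return 'AgentNotRunning' }
    $linked = $Status['Linked to']
    if (-not $linked -or $linked -eq 'None') { return 'NotLinked' }
    # A linked agent that cannot reach its manager (e.g. a blocked firewall port).
    if ($Status['Link status'] -notmatch '^Connected') { return 'LinkedButNotConnected' }
    'Healthy'
}

# Constructed sample output, used only when the agent is not installed locally.
$sample = @(
    'Running: Yes',
    'Linked to: nessus.example.internal:8834',
    'Link status: Not connected to nessus.example.internal:8834'
)

if (Test-Path $NessusCli) {
    $svc   = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $state = if ($svc) { [string]$svc.Status } else { 'Missing' }
    $lines = & $NessusCli agent status 2>&1 | ForEach-Object { "$_" }
} else {
    $state = 'Running'
    $lines = $sample
}

$health = Get-AgentHealth -ServiceState $state -Status (ConvertFrom-AgentStatus $lines)
Write-Output "Nessus Agent health: $health"
# A non-zero exit code lets the calling BigFix action detect an unhealthy agent.
if ($health -ne 'Healthy') { exit 1 }
```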

Thank you both gentlemen. I’ll give it a try and let you know of the outcome.

Have a great day!

1 Like