This worklet will install Nessus Agent on 64-bit versions of Windows. Does require your own key and nessus agent be uploaded to worklet.
Evaluation
- Parameters
- The Function Convert-EpochtoCST will break during DST and Currently removes 5 hours to make UTC time CST
- The $status variable assumes 64-bit agent was installed. Add logic if you have 32-bit agents deployed.
- Converts output of nessuscli agent status to powershell object
- If Link Status is not connected, run remediation
- If Last Connected is 28+ days, run remediation
- If no status exists, run remediation
Function Convert-EpochtoCST ($epochTime){
(New-Object DateTime 1970,1,1,0,0,0).AddSeconds($epochTime).AddHours(-5) # UTC to CST
}
Function Get-NessusStatus{
# Collect Status
$status = cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli" agent status
# Last Scanned
$epochTime = $(IF($status -match "Last scanned"){($status -match "Last scanned").Split(": ")[-1]})
$LastScanned = Convert-EpochtoCST $epochTime
# Last connect
$epochTime = $(IF($status -match "Last connect"){($status -match "Last connect").Split(": ")[-1]})
$LastConnect = Convert-EpochtoCST $epochTime
# Last connect attempt
$epochTime = $(IF($status -match "Last connection attempt"){($status -match "Last connection attempt").Split(": ")[-1]})
$LastConnectAtmpt = Convert-EpochtoCST $epochTime
[pscustomobject]@{
"Running" = $(IF($status -match "Running"){($status -match "Running").Split(": ")[-1]})
"Linked to" = $(IF($status -match "Linked to"){($status -match "Linked to").Split(" ")[-1]})
"Link status" = $(IF($status -match "Link status"){($status -match "Link status").Replace("Link status: ","")})
"Last connection" = $(IF($status -match "Last successful connection with controller"){($status -match "Last successful connection with controller").Replace("Last successful connection with controller: ","")})
"Proxy" = $(IF($status -match "Proxy"){($status -match "Proxy").Split(": ")[-1]})
"Plugin set" = $(IF($status -match "Plugin set"){($status -match "Plugin set").Split(": ")[-1]})
"Scanning" = $(IF($status -match "Scanning"){($status -match "Scanning").Replace("Scanning: ","")})
"Scans run today" = $(IF($status -match "Scans run today"){($status -match "Scans run today").Replace("Scans run today: ","")})
"Last scanned" = $LastScanned
"Last connect" = $LastConnect
"Last connection attempt" = $LastConnectAtmpt
}
}
$status = Get-NessusStatus
IF($status){
IF($status.'Link status' -notmatch 'Connected'){
exit 1 # Nessus Agent not Connected
}
$timespan = (New-TimeSpan $status.'Last connect' (Get-Date)).Days
IF($timespan -gt 28){
exit 1 # Nessus Agent not connected 28+ days, possibly bad agent
}
}else{
exit 1 # Nessus Agent Not Installed
}
exit 0
Remediation
- Parameters
- Same nuances with TimeZone and Agent Install Path
- Important: update $key to match your own environment
- Important: upload payload msi and the script will look for a file called NessusAgent*
- Converts output of nessuscli agent status to PowerShell object
- If Link Status is not connected, use nessuscli to link asset
- If Last Connected is 28+ days, Install Nessus Agent
- If no status exists, Install Nessus Agent
$key = '<your-company-key>'
Function Convert-EpochtoCST ($epochTime){
(New-Object DateTime 1970,1,1,0,0,0).AddSeconds($epochTime).AddHours(-5) # UTC to CST
}
Function Get-NessusStatus{
# Collect Status
$status = cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli" agent status
# Last Scanned
$epochTime = $(IF($status -match "Last scanned"){($status -match "Last scanned").Split(": ")[-1]})
$LastScanned = Convert-EpochtoCST $epochTime
# Last connect
$epochTime = $(IF($status -match "Last connect"){($status -match "Last connect").Split(": ")[-1]})
$LastConnect = Convert-EpochtoCST $epochTime
# Last connect attempt
$epochTime = $(IF($status -match "Last connection attempt"){($status -match "Last connection attempt").Split(": ")[-1]})
$LastConnectAtmpt = Convert-EpochtoCST $epochTime
[pscustomobject]@{
"Running" = $(IF($status -match "Running"){($status -match "Running").Split(": ")[-1]})
"Linked to" = $(IF($status -match "Linked to"){($status -match "Linked to").Split(" ")[-1]})
"Link status" = $(IF($status -match "Link status"){($status -match "Link status").Replace("Link status: ","")})
"Last connection" = $(IF($status -match "Last successful connection with controller"){($status -match "Last successful connection with controller").Replace("Last successful connection with controller: ","")})
"Proxy" = $(IF($status -match "Proxy"){($status -match "Proxy").Split(": ")[-1]})
"Plugin set" = $(IF($status -match "Plugin set"){($status -match "Plugin set").Split(": ")[-1]})
"Scanning" = $(IF($status -match "Scanning"){($status -match "Scanning").Replace("Scanning: ","")})
"Scans run today" = $(IF($status -match "Scans run today"){($status -match "Scans run today").Replace("Scans run today: ","")})
"Last scanned" = $LastScanned
"Last connect" = $LastConnect
"Last connection attempt" = $LastConnectAtmpt
}
}
$status = Get-NessusStatus
IF($status){
IF($status.'Link status' -notmatch 'Connected'){
Write-Output "Nessus Agent not Linked. Attempting to connect. "
# License
$link = cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli" agent link --key=$key --cloud
Write-Output $link
}
$timespan = (New-TimeSpan $status.'Last connect' (Get-Date)).Days
IF($timespan -gt 28){
Write-Output "Nessus Last Scan $timespan days ago. Attempt to install agent again"
$i++ # Nessus Agent not Scanned 28+ days, possibly bad agent
}
}else{
$i++
}
IF($i -gt 0){
# Install
$msi = (Get-ChildItem NessusAgent*).Name
Start-Process msiexec -argumentlist "/i $msi NESSUS_SERVER='cloud.tenable.com:443' /qn" -wait
$link = cmd /c "C:\Program Files\Tenable\Nessus Agent\nessuscli" agent link --key=$key --cloud
Write-Output $link
}
