Tenable Extension Attribute

EUC-Admin
New Contributor III

Hey all,

 

Hoping you all can shed some light. Essentially, I'm trying to create an extension attribute to simply pull the agent version and build info.

https://community.jamf.com/t5/jamf-pro/extension-attribute-tenable-network-security-nessus/td-p/1090... 

So I'm following the above article related to its extension attribute setup. Deployment is going well but getting Jamf to acknowledge via the setup of an extension attribute is rough for me.

 

Namely in the Nessus Agent Version and Build info:

[Screenshots: Screen Shot 2022-07-27 at 9.56.15 AM.png, Screen Shot 2022-07-27 at 10.24.00 AM.png]

I'm going awry somewhere so any help would be appreciated if possible.

3 ACCEPTED SOLUTIONS

bizzaredm
Contributor

It looks like they have an EA listed in that article for the version

#!/bin/sh
# Check to see if Nessus Agent is installed
NessusAgentInstalled="$(ls /Library/NessusAgent/run/sbin/ | grep nessuscli)"
if [ "$NessusAgentInstalled" != "nessuscli" ] 
then
 echo "<result>N/A</result>"
else 
 NessusAgentVersion="$(/Library/NessusAgent/run/sbin/nessuscli -v | awk 'NR==1{print $3 " " $4 " " $5}')"
 echo "<result>$NessusAgentVersion</result>"
fi

 

If that is not getting you the right info, you can play with the line:
 NessusAgentVersion="$(/Library/NessusAgent/run/sbin/nessuscli -v | awk 'NR==1{print $3 " " $4 " " $5}')"

and change the awk as needed.


obi-k
Valued Contributor III

For Nessus Agent Service Status EA, try this:

#!/bin/sh
# Check to see if Nessus Agent is running
NessusAgentRunning="$(sudo launchctl list com.tenablesecurity.nessusagent | grep "PID" | awk '{ print $1 }' | tr -d '\"')"
if [ "$NessusAgentRunning" = "PID" ]
then
echo "<result>Running</result>"
else
echo "<result>Stopped</result>"
fi

 

For Nessus Agent Version EA, try this:

#!/bin/sh
# Check to see if Nessus Agent is installed
NessusAgentInstalled="$(ls /Library/NessusAgent/run/sbin/ | grep nessuscli)"
if [ "$NessusAgentInstalled" != "nessuscli" ]
then
echo "<result>N/A</result>"
else
NessusAgentVersion="$(/Library/NessusAgent/run/sbin/nessuscli -v | awk 'NR==1{print $3 " " $4 " " $5}')"
echo "<result>$NessusAgentVersion</result>"
fi

 

For Nessus Agent Installation Status EA, try this:

#!/bin/sh
# Check to see if Nessus Agent is installed
NessusAgentInstalled="$(ls /Library/NessusAgent/run/sbin/ | grep nessuscli)"
if [ "$NessusAgentInstalled" != "nessuscli" ]
then
echo "<result>Not Installed</result>"
else
echo "<result>Installed</result>"
fi

 

[Screenshot: Screen Shot 2022-07-27 at 2.10.22 PM.png]


mm2270
Legendary Contributor III

First off, I'm surprised no-one has mentioned this yet, but the main issue with the EA you posted, is that it's not an EA. Extension Attributes only work if some string or result of a command is output (usually echoed) between <result> and </result> tags. Otherwise the EA for your Macs will remain blank in your console forever.

But outside of that, if you still need some help in getting a working EA together, I'll post the old ones I used to use as well. We no longer use Nessus where I am, but when we did, this was the Extension Attribute I had for the version:

 

#!/bin/sh

nessus_agent_cli_path="/Library/NessusAgent/run/sbin/nessuscli"

if [ -e "$nessus_agent_cli_path" ]; then
	nessus_agent_version=$("$nessus_agent_cli_path" -v 2>&1 | awk -F\) '/Nessus Agent/{print $NF}' | xargs)
else
	nessus_agent_version="N/A"
fi

echo "<result>$nessus_agent_version</result>"

 

I also had this EA for capturing its status, as in Installed (Running + Connected etc.) or what the status was. I have no idea if this even works anymore with the current Nessus agent version, but you can try it in case it interests you.

 

#!/bin/bash
## bash is required: the tests below use [[ ]] and =~

## Path to the Nessus Agent CLI
nessus_cli_path="/Library/NessusAgent/run/sbin/nessuscli"

if [ -e "$nessus_cli_path" ]; then
	## If installed, get a printout of the full status of the agent
	agent_running_status=$("$nessus_cli_path" agent status 2>&1 | awk -F': ' '/Running:/{print $NF}')
	agent_connected_status=$("$nessus_cli_path" agent status 2>&1 | awk -F': ' '/Link status/{print $NF}')
	
	## If agent is running and connected, result is Installed
	if [[ "$agent_running_status" == "Yes" ]] && [[ "$agent_connected_status" =~ "Connected" ]]; then
		result="Installed"
	## If either the agent is not connected or not running, print back those results
	elif [[ "$agent_running_status" != "Yes" ]] || [[ ! "$agent_connected_status" =~ "Connected" ]]; then
		result="Running: $agent_running_status, Connected: $agent_connected_status"
	fi
else
	result="Not Installed"
fi

## Send the final result back to the Jamf server
echo "<result>$result</result>"

 

 


8 REPLIES

EUC-Admin
New Contributor III

Hey @bizzaredm,

I manipulated the values like you suggested (changed to 4,5,6 from 3,4,5) and it outputted what I needed.

Thanks again!
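
Added example, not code from any poster in this thread: the awk field positions above had to be shifted from 3,4,5 to 4,5,6, so this sketch finds the version token by pattern instead of by position and always emits a `<result>` line. The `NESSUSCLI` override variable and the two sample banner lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. NESSUSCLI is a hypothetical
# override variable used here so the path can be changed for testing.

# Constructed banner lines (assumed shapes, not captured from a real agent):
# the version is field 4 in one and field 3 in the other.
SAMPLE_A='nessuscli (Nessus Agent) 10.1.4 [build 20010] darwin'
SAMPLE_B='nessuscli (Nessus) 7.0.3 [build M20109] darwin'

# Read `nessuscli -v` output on stdin and print the first dotted-numeric
# token, plus "[build N]" when it directly follows. Prints N/A on no match.
parse_nessus_version() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+(\.[0-9]+)+$/) {
                    out = $i
                    if ($(i + 1) == "[build" && $(i + 2) ~ /^[0-9A-Za-z]+\]$/)
                        out = out " " $(i + 1) " " $(i + 2)
                    print out
                    found = 1
                    exit
                }
            }
        }
        END { if (!found) print "N/A" }
    '
}

# Always emit exactly one <result> line, even when the CLI is missing.
nessus_version_ea() {
    cli="${NESSUSCLI:-/Library/NessusAgent/run/sbin/nessuscli}"
    if [ -x "$cli" ]; then
        version=$("$cli" -v 2>&1 | parse_nessus_version)
    else
        version="N/A"
    fi
    echo "<result>$version</result>"
}

nessus_version_ea
```

Piping a saved copy of the real `nessuscli -v` output through `parse_nessus_version` on one Mac is a quick way to confirm the pattern matches before uploading the EA.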

EUC-Admin
New Contributor III

Hey @obi-k, your advice did just the trick!

 

[Screenshots: Screen Shot 2022-07-28 at 7.01.11 PM.png, Screen Shot 2022-07-28 at 7.00.34 PM.png]

Thank you, @obi-k!

This worked like a charm

DrumBum213
New Contributor III

Hey everyone. I tried several/all of these solutions above and I am not having much luck. Either I am not getting hardly any version information or more importantly my results are coming back that the tenable agent is installed on all of my fleet which is not true. Any ideas of what is happening?

rstasel
Valued Contributor

Which EA are you trying to use? Can you paste in the script?