Migrate Tenable Nessus to a New Linux Server

During the lifecycle of a Tenable Nessus scanner or Tenable Nessus Manager installed on Linux, you may need to perform a migration from one server to another. The following topic outlines the migration steps for same-to-same, cross-platform, and/or cross-architecture migrations and provides some considerations.

Prerequisites

Ensure your target server has an operating system that is supported for the target version of Tenable Nessus and that it meets all other system and hardware requirements.

Next, ensure the Tenable Nessus version is the same on the source and target servers.

Run the /opt/nessus/sbin/nessusd -v command to determine the version on both servers. If the source version is lower than the target version, do one of the following:

  • Upgrade the source server Tenable Nessus to the same version as the target server's.

  • Downgrade the target server Tenable Nessus to the same version as the source server's.

    • To downgrade Tenable Nessus on Tenable Core, run the pkexec /usr/libexec/tenablecore/backup/applicationDowngrade.sh command on the target server, select the Tenable Nessus version to downgrade to, then press Enter.

      Note: Due to a Cockpit limitation in Tenable Core Oracle Linux 8 (OL8), it is not possible to run this command in Tenable Core OL8's terminal. You must run it in a Secure Shell (SSH) session instead.

    • To downgrade Tenable Nessus on any other operating system, uninstall Tenable Nessus, then install the version matching the source server's.

Transfer the Data

Transfer the data from the source to the target server using one of the following two options. Both options exclude specific directories (including backups and logs) that are non-essential to the migration. Back these up separately, if needed. A remote sync is the faster option, as it does not require to create, transfer and restore a backup.

Notes:

  • All commands must be run as root.

  • If you have a non-root user (providing sudo privilege escalation is allowed for your account), you may switch to a root prompt by using the sudo -i command and entering your non-root user password again.

  • Some operating systems may show a "tar: invalid option -- '▒'" error when copying and pasting a tar command. Manually entering the command resolves this issue.

  1. Before you begin, ensure sufficient disk space is available on the source server to create a backup. Run the following command to estimate both the time and disk space required for a backup without creating a file.

    time tar --exclude={'bin*','lib*','sbin*','var/nessus/backups*','var/nessus/logs*','var/nessus/plugin*','var/nessus/remote*','var/nessus/report-engine*','var/nessus/templates/tmp*','var/nessus/tmp*','var/nessus/tools*','var/nessus/www*'} -Ppczf - /opt/nessus | wc -c | numfmt --to=iec-i

    Example output

    [root@ness01 ~]# time tar --exclude={'bin*','lib*','sbin*','var/nessus/backups*','var/nessus/logs*','var/nessus/plugin*','var/nessus/remote*','var/nessus/report-engine*','var/nessus/templates/tmp*','var/nessus/tmp*','var/nessus/tools*','var/nessus/www*'} -Ppczf - /opt/nessus | wc -c | numfmt --to=iec-i

    43Mi

     

    real 0m7.158s

    user 0m7.074s

    sys 0m0.362s

  2. Run the following command to determine if any of the available mount points have sufficient disk space to store a backup of the estimated size.

    df -h

  3. Providing sufficient disk space is available, run the following command to generate the backup on the source server at a suitable time. Change /path/to to a path you determined to have sufficient disk space to store the backup:

    service nessusd stop

    tar –-exclude={'bin*','lib*','sbin*','var/nessus/backups*','var/nessus/logs*','var/nessus/plugin*','var/nessus/remote*','var/nessus/report-engine*','var/nessus/templates/tmp*','var/nessus/tmp*','var/nessus/tools*','var/nessus/www*'} -Ppczf /path/to/nessus_backup.tar.gz /opt/nessus

  4. Transfer nessus_backup.tar.gz to a location on the target server with sufficient disk space by running the following command:

    scp /path/to/nessus_backup.tar.gz root@:/path/to

    Example output

    [root@ness01 ~]# scp /tmp/nessus_backup.tar.gz root@ness01_target:/tmp

    The authenticity of host 'ness01_target (1.2.3.4)' can't be established.

    ECDSA key fingerprint is SHA256:oarLiSLC4L+z8ts5/qAwhV9JYtqLNy8Eia1IBqh8gso.

    ECDSA key fingerprint is MD5:32:3d:4b:3d:4b:e4:78:ce:4b:87:16:ce:f0:ac:f5:82.

    Are you sure you want to continue connecting (yes/no)? yes

    Warning: Permanently added 'ness01_target' (ECDSA) to the list of known hosts.

    root@ness01_target's password:

    nessus_backup.tar.gz 100% 3049MB 186.2MB/s 00:16

  5. On the target server, extract the backup by running the following command. Change /path/to to reflect the transferred backup path on the target server:

    tar -xvf /path/to/nessus_backup.tar.gz -C /

  1. Ensure rsync is available on both the source and the target server, and that you are able to log in as root to the target server from the source server. If the rsync command does not return output on either server, you can install it by running the yum install rsync command on Red Hat-based operating systems, or dpkg -i rsync on Debian-based operating systems.

  2. On the source server, run the following command to determine the amount of disk space consumed by Tenable Nessus, excluding the directories that will not be synced:

    du -sh --exclude{"bin*","lib*","sbin*","var/nessus/backups*","var/nessus/logs*","var/nessus/plugin*","var/nessus/remote*","var/nessus/report-engine*","var/nessus/templates/tmp*","var/nessus/tmp*","var/nessus/tools*","var/nessus/www*"} /opt/Nessus

  3. Ensure at least the same amount of space is available on the target server, then stop the service on the both the source and target server by running the following command:

    service nessusd stop

  4. Run the following command on the source server to synchronize the files to the target server. Change <target IP address> to the actual target IP address.

    rsync -ravz --exclude={'bin*','lib*','sbin*','var/nessus/backups*','var/nessus/logs*','var/nessus/plugin*','var/nessus/remote*','var/nessus/report-engine*','var/nessus/templates/tmp*','var/nessus/tmp*','var/nessus/tools*','var/nessus/www*'} /opt/nessus/* root@<target IP address>:/opt/nessus/

    Example output

    [root@ness01 ~]# rsync -ravz --exclude={'bin*','lib*','sbin*','var/nessus/backups*','var/nessus/logs*','var/nessus/plugin*','var/nessus/remote*','var/nessus/report-engine*','var/nessus/templates/tmp*','var/nessus/tmp*','var/nessus/tools*','var/nessus/www*'} /opt/nessus/* [email protected]:/opt/nessus/

    [email protected]'s password:

    sending incremental file list

    etc/nessus/

    etc/nessus/nessus-fetch.db

    etc/nessus/nessus-fetch.db-shm

    etc/nessus/nessus-fetch.db-wal

    etc/nessus/nessusd.db

    etc/nessus/nessusd.db-journal

    var/nessus/

    var/nessus/.__db_ok

    var/nessus/global.db

    var/nessus/global.db-shm

    var/nessus/global.db-wal

    var/nessus/nessus-service.version

    var/nessus/nessus.version

    var/nessus/tenable_links.json

    var/nessus/tenable_rss_feeds.json

    var/nessus/terrascan.db

    var/nessus/upgrades.db

    var/nessus/users/

    var/nessus/users/admin/

    var/nessus/users/admin/policies.db

    var/nessus/users/admin/auth/

    var/nessus/users/admin/auth/admin

    var/nessus/users/admin/auth/hash

    var/nessus/users/admin/auth/rules

    var/nessus/users/admin/reports/

    var/nessus/users/admin/reports/361da43c-fda9-960c-49e8-d52d3b60280b1d615196a27e8acb

    var/nessus/users/admin/reports/361da43c-fda9-960c-49e8-d52d3b60280b1d615196a27e8acb.name

    var/nessus/users/admin/reports/361da43c-fda9-960c-49e8-d52d3b60280b1d615196a27e8acb.ts

    var/nessus/users/nessus_ms_agent/

    var/nessus/users/nessus_ms_agent/tmp/

    var/nessus/users/nessus_ms_agent/tmp/e5a9ba0be43e72ab/

    var/nessus/users/test/

    var/nessus/users/test/policies.db

    var/nessus/users/test/auth/

    var/nessus/users/test/auth/hash

    var/nessus/users/test/auth/rules

    var/nessus/users/test/files/

    var/nessus/users/test/reports/

    sent 2,317,224 bytes received 5,953 bytes 172,087.19 bytes/sec

    total size is 335,189,932 speedup is 144.28

Adjustments

Perform the following steps on the target server to ensure a consistent, working state after you have transferred or restored the data:

  1. To prevent a FIPS module error from being shown when running nessuscli and ensure the correct platform-specific binaries are in place, perform a forced Tenable Nessus upgrade with the appropriate command for Red Hat or Debian-based operating systems.

    Red Hat-based operating systems

    rpm -Uvh --force /tmp/Nessus-<version>.x86_64.rpm

    Note: On Oracle Linx 8 instances of Tenable Core, you can run the yum download Nessus command to download the latest Tenable Nessus RPM file to the present working directory. On older instances of Tenable Core, you can run yumdownloader Nessus to achieve the same result.

    Debian-based operating systems

    dpkg --force-all -I /tmp/Nessus-<version>.amd64.deb

  2. Start the Tenable Nessus service on the target server:

    service nessusd start

  3. To allow the download of plugins and prevent a “Could not validate this preference file. Have installation files been copied from another system?” error, log in to Tenable Nessus, then navigate to Settings > Overview and apply the license again. To re-use the same license, first reset it in https://community.tenable.com/s/products. After applying the license, Tenable Nessus signs you out.

    Notes:

    • If configured to update online, Tenable Nessus attempts to update shortly thereafter, with the login screen showing “Plugins are compiling, Nessus functionality will be limited until compilation is complete” for up to 20 minutes. During that time, backend.log shows "<[info] [globaldb] Waiting for Nessus to be ready>". While you will be able to log in and check your data is all there, it will not be possible to run scans until after this completes. When done, the user interface shows “Plugins are done compiling”, while backend.log shows "[info] [globaldb] cleanup is starting" and other activity.

      You can use the tail -f /opt/nessus/var/nessus/logs/backend.log command to monitor the progress in backend.log.

      If applicable, Tenable Nessus Manager also starts generating agent DB files, which will take an additional 10 minutes. Next, Tenable Nessus Manager checks if the feed offers a new agent core version. If so, it downloads the new agent core version.

    • Air-gapped Tenable Nessus installations require a manual plugins update. You can force the generation of agent DB files for Tenable Nessus Manager after a plugins update using the following command:

      /opt/nessus/sbin/nessuscli manager generate-plugins –force

    • Information exchange between Tenable Nessus Manager cluster nodes is dependent on a pre-shared secret. If, for example, you run nessuscli fix --reset was performed, a new certificate was generated, or a custom CA uploaded to the Tenable Nessus Manager parent, an "Invalid certificate signature" error may appear in a child node's backend.log. If so, follow Invalid Certificate signature on cluster nodes to reset the pre-shared secret and re-enable communication between the nodes.

Configure the Hostname and IP address

A stand-alone Tenable Nessus may use a different hostname and/or IP address. However, as agents will have been linked to one or the other, a Tenable Nessus Manager target server should have the same IP address and hostname as the source server. After transferring the data, make note of the source server hostname and IP address, then shut down the source server and assign the same to the target server.

Notes:

  • If a different hostname and/or IP address is used for the Tenable Nessus Manager target server, agents linked to the previous hostname or IP address will have an Offline status in the console. To correct this, you must remove each agent’s Tenable tag (/etc/tenable_tag or HKLM\SOFTWARE\Tenable\TAG) before relinking them to the target server.

    • Not removing the Tenable tag before attempting to relink the agent results in a 409 error, as the Tenable Nessus Manager will already have an agent with the same Tenable tag.

    • After deleting the Tenable tag, restart the agent service using service nessusagent restart to create a new one.

    • The relinking of an agent with a new Tenable tag results in an update of the agent in the Tenable Nessus Manager console.

Configure the hostname using one of the following two options:

  1. Shut down the source server

  2. On the target server, run the following command as root to change the hostname:

    hostname <hostname>

    Note: The changed hostname is not immediately reflected in the command prompt. Enter exit, then log in again, after which the new hostname should be shown. If it does not persist after a reboot, change the name in /etc/hostname directly.

  1. Run the below command as root on the target server to set the desired hostname.

    hostname <new hostname>

  2. Enter exit, then log in again, after which the new hostname should be shown.

To change the target server’s IP address, determine the interface name associated with the IP address to be changed in the ip a output, then update the IP address in /etc/sysconfig/network-scripts/ifcfg-<network interface name> in a Red Hat-based operating system, or in /etc/network/interfaces in a Debian-based operating system, and then reboot the server.