Transition from Frictionless Assessment to Agentless Assessment
Agentless Assessment is a new, flexible, and easier-to-deploy approach to scanning cloud-based hosts. It complements other scanning methods, such as Tenable Nessus Agents or Tenable Nessus scanners, and replaces Frictionless Assessment. This document helps you transition from Frictionless Assessment to Agentless Assessment.
The following are some of the benefits of Agentless Assessment when compared to Frictionless Assessment:
- No need to manage or update an agent on an operating system or network.
- No performance impact on workloads.
- Beneficial for ephemeral workloads that do not stay up long enough to load an agent on.
- Live results based on Tenable plugin library.
Follow these high-level steps to transition from Frictionless Assessment to Agentless Assessment:
Step 1: Plan the Transition
Review the following resources before transitioning from Frictionless Assessment to Agentless Assessment:
- Review the Cloud Service Provider Snapshot documentation:
Step 2: Remove and Clean Up Frictionless Assessment Artifacts
AWS
For each account and region in which you deployed and configured Frictionless Assessment, remove the CloudFormation template to clean up the Amazon EC2 Simple Systems Manager (SSM) artifacts that were deployed. After this runs, verify that the following artifacts have been removed from AWS Systems Manager:
- Tenable SSM Document
- Tenable SSM Association
- Tenable SSM Resource Data Sync
Azure
For each subscription and Azure region in which you deployed Frictionless Assessment, remove the resource groups and any related resources to clean up Frictionless Assessment artifacts.
Tenable Vulnerability Management
Remove all the Frictionless Assessment cloud connectors for AWS and Azure from Tenable Vulnerability Management.
For more information, see Remove Frictionless Assessment.
Step 3: Agentless Assessment Prerequisites
Verify that you have enabled snapshots on relevant EC2 instances and virtual machines and have at least one snapshot per machine or volume you plan to scan:
For information about other requirements for Agentless Assessment, see the following:
Step 4: Ensure Tenable Cloud Security Readiness
Ensure that you have met all requirements and set up Agentless Assessment in Tenable Cloud Security.
Before you begin:
- Log in to Tenable Cloud Security to confirm access.
- Create relevant Tenable Cloud Security projects. For more information, see Create a Project.
- Onboard all the required cloud accounts and assign these accounts to the projects. For more information, see Discover Cloud Accounts.
- Ensure that you have created appropriate snapshots for the resources that you want to scan using Agentless Assessment. For more information, see Step 3: Agentless Assessment Prerequisites.
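One way to check the Step 3 snapshot prerequisite on the AWS side, as an added example (not Tenable's code): it takes the responses of the EC2 DescribeInstances and DescribeSnapshots calls and lists attached EBS volumes that have no completed snapshot. The sample data is constructed, Azure is not covered, and the optional max_age freshness threshold is an assumption of this example, not a stated Tenable requirement.

```python
from datetime import datetime, timezone

def _as_time(value):
    # boto3 yields datetime objects; AWS CLI JSON carries ISO 8601 strings
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def attached_volumes(instances_resp):
    """Map EBS volume ID -> instance ID from a DescribeInstances response."""
    return {m["Ebs"]["VolumeId"]: inst["InstanceId"]
            for res in instances_resp.get("Reservations", [])
            for inst in res.get("Instances", [])
            for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m}

def newest_completed(snapshots_resp):
    """Map volume ID -> start time of its newest snapshot in state 'completed'.
    Pending or errored snapshots are ignored (this example's choice)."""
    newest = {}
    for snap in snapshots_resp.get("Snapshots", []):
        if snap.get("State") == "completed":
            started, vol = _as_time(snap["StartTime"]), snap["VolumeId"]
            if vol not in newest or started > newest[vol]:
                newest[vol] = started
    return newest

def coverage_gaps(instances_resp, snapshots_resp, now=None, max_age=None):
    """Return (instance, volume, reason) for each volume failing the check."""
    now = now or datetime.now(timezone.utc)
    newest = newest_completed(snapshots_resp)
    gaps = []
    for vol, inst in sorted(attached_volumes(instances_resp).items()):
        if vol not in newest:
            gaps.append((inst, vol, "no completed snapshot"))
        elif max_age is not None and now - newest[vol] > max_age:
            gaps.append((inst, vol, "newest snapshot is stale"))
    return gaps

# Constructed sample responses (made-up IDs), trimmed to the fields used
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "BlockDeviceMappings": [
        {"Ebs": {"VolumeId": "vol-0a1"}}, {"Ebs": {"VolumeId": "vol-0a2"}}]},
    {"InstanceId": "i-0bbb", "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0b1"}}]}]}]}
SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"VolumeId": v, "State": s, "StartTime": t} for v, s, t in [
        ("vol-0a1", "completed", "2024-05-01T02:00:00Z"),
        ("vol-0a2", "pending", "2024-05-03T02:00:00Z"),
        ("vol-0b1", "completed", "2024-05-03T02:00:00Z")]]}
if __name__ == "__main__":
    print(coverage_gaps(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS))
```

For real data, pass in the JSON from `aws ec2 describe-instances` and `aws ec2 describe-snapshots --owner-ids self`, collected for each account and region you plan to scan.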
To perform an agentless assessment scan:
- For each project, create a new scan profile.
  Note: Do the following when creating the scan profile:
  - In Step 1, in the Cloud config assessment options section, select only the relevant IaaS compute resources (EC2 Instance and Azure Virtual Machines) for your scan.
  - In Step 2, click the Enable Vulnerability Scan toggle to enable vulnerability assessment.
- Edit the newly created scan profile and configure the scan schedule to run at least once every 24 hours to replicate the Frictionless Assessment schedule.
Step 5: Review Agentless Assessment Results
Review the following results for Agentless Assessment:
- Agentless Assessment provides vulnerability findings to the Tenable Cloud platform, populating all data sources.
- Agentless Assessment populates vulnerability findings, including the Tenable Vulnerability Management Dashboard and Tenable Cloud Security Dashboard.
- Tenable Vulnerability Management displays vulnerabilities under Explore > Findings. To filter on your Agentless Assessment results, add a filter for Scan Origin = Agentless Assessment. For more information, see Findings.
Step 6: Repeat the Process for Each Project
In Tenable Cloud Security, repeat all the steps listed above for each project. Here is a summary of the important steps to be performed when transitioning from Frictionless Assessment to Agentless Assessment:
- Ensure that you have created appropriate snapshots for the resources that you want to scan using Agentless Assessment.
- Enable Vulnerability Scans for each scan profile you created.
- Perform an on-demand scan using that scan profile.
- Once the scan is completed in Tenable Cloud Security, check the total instances from Home > Vulnerabilities.
- When ready, enable scheduled scans for this scan profile.
Step 7: Delete Licensed Frictionless Assessment Assets from Tenable Vulnerability Management
Delete all licensed assets that use Frictionless Assessment from Tenable Vulnerability Management.
- In Tenable Vulnerability Management, click Explore > Assets.
  The Assets page appears.
- In the Filters section, add the filter Source = AWS FA and Azure FA and click Apply.
- In the assets table, select all the assets.
  The action bar appears at the bottom of the page.
- In the action bar, click the Delete button.
For more information, see Delete Assets.