TOC & Recently Viewed

Recently Viewed Topics

Pre-Installation

Note: A basic understanding of Linux is assumed throughout the installation, upgrade, and removal processes.

SecurityCenter Licenses

SecurityCenter is licensed by the total number of active IP addresses it manages and the hostname of the system on which it is installed. For example, a customer can purchase a 500 IP SecurityCenter license for the hostname of “security”. This key allows that particular server to scan several networks, but as soon as 500 IP addresses are discovered, the license limit becomes active.

SecurityCenter generates a warning in the web interface if the license limit has been exceeded or is approaching capacity. Contact Tenable Sales for an expanded license key.

You will need to provide the hostname of the machine on which SecurityCenter will be installed. This can be obtained by entering the hostname command at the shell prompt.

SecurityCenter does not support an unlicensed “demo” mode – a license key is required.

During the initial configuration, there will be an opportunity to upload the key to SecurityCenter and activate the license.

Offline repositories are not counted against the IP license count. Additionally, the following plugins (listed by ID) are not counted against the license IP count when scanned using the Ping Host port scanner:

  • 3
  • 12
  • 10180
  • 10287
  • 10335
  • 11219
  • 11933
  • 11936
  • 12053
  • 14272
  • 14274
  • 19506
  • 22964
  • 33812
  • 33813
  • 34220
  • 34277
  • 54615
  • 800000 - 800099

Note: Using other port scanners will cause the detected IPs to be counted against the license.

Disable Default Web Servers

SecurityCenter provides its own Apache web server listening on port 443. If the installation target already has another web server or other service listening on port 443, that service needs to be disabled on that port or SecurityCenter must be adjusted to use a different port after installation.

Confirm what, if any, services are listening on port 443 with the following command:

# ss -pan | grep ':443 '

Modify Security Settings

The default Red Hat firewall settings cause issues with SecurityCenter’s web services. To easily alleviate this, SELinux must be either set to Disabled or enabled in Permissive mode. You can disable SELinux Enforcing mode using the following steps:

  1. Navigate to: /etc/selinux.
  2. Edit the file named config.
  3. Change the SELINUX line from SELINUX=enforcing to SELINUX=disabled or SELINUX=permissive.
  4. Save the file.
  5. Reboot the system.

Ensure the following incoming services are permitted by the firewall rules:

  • SSH (port 22 by default)
  • HTTPS (port 443 by default)
  • RHEL 7/CentOS 7 - the local firewall may be disabled upon install and the user should re-enable it with the appropriate access information

Additionally, the following ports must be open for SecurityCenter to communicate with other Tenable products:

  • PVS (port 8835 by default)
  • Nessus (port 8834 by default)
  • LCE (port 1243 by default)

Note: Please consult local security and best practices within your environment for the proper usage and configuration of SELinux. SecurityCenter is known to work with SELinux in “Enforcing” mode with some customization of the SELinux rules. However, permitted rules vary from organization to organization.

Log Rotation

The installation does not include a log rotate utility; however, the native Linux logrotate tool is supported post-installation. In most Red Hat environments, logrotate is installed by default. The following logs will be rotated if the logrotate utility is installed:

  • All files in /opt/sc/support/logs matching *log
  • /opt/sc/admin/logs/sc-error.log

During an install/upgrade, the installer will drop a file named “SecurityCenter” into /etc/logrotate.d/ that contains log rotate rules for the files mentioned above.

Log files are rotated on a monthly basis. This file will be owned by root/root.

Obtain the Installation Package

The installer comes in a number of versions based on OS level and architecture. The general format of the installer is shown below:

SecurityCenter-x.x.x-os.arch.rpm

Confirm the integrity of the installation package by comparing the download md5 checksum with the one listed in the product release notes.

Depending on the OS of the host, you may also need to move the installer to it using your preferred file transfer tool.

Copyright 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.