cyhy_amis/ansible/roles/nessus/tasks/main.yml at 7ca25edf567d4105380f929bdafa3ef25778a8a7 · cisagov/cyhy_amis · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
---
#
# Check if a license key is registered and if not register one
#
- name: Check if a license key is registered
  ansible.builtin.command: /opt/nessus/sbin/nessuscli fetch --check
  register: nessus_license_registered
  # This is a read-only operation
  changed_when: false
  failed_when: nessus_license_registered.rc not in [0, 1]

- name: Retrieve the license key if one is registered
  when: nessus_license_registered.rc == 0
  block:
    - name: Get the registered license key
      ansible.builtin.command: /opt/nessus/sbin/nessuscli fetch --code-in-use
      # This is a read-only operation
      changed_when: false
      register: nessus_key_result

    - name: Extract the key in use
      ansible.builtin.set_fact:
        nessus_registered_key: "{{ nessus_key_result.stdout | regex_search(nessus_license_regexp, '\\1') }}"
      vars:
        # Looking for key in format:
        # XXXX-XXXX-XXXX-XXXX or XXXX-XXXX-XXXX-XXXX-XXXX
        nessus_license_regexp: '([a-zA-Z0-9]{4}(?:\-[a-zA-Z0-9]{4}){3,4})'

    - name: See if the key in use matches the provided one
      ansible.builtin.set_fact:
        # regex_search() returns a list so we want to compare the one element
        nessus_matching_key: "{{ nessus_activation_code == nessus_registered_key[0] }}"

- name: Register a license key, setup user, and update plugins if necessary
  when: nessus_license_registered.rc != 0 or not nessus_matching_key|default(false)|bool
  block:
    - name: Stop the Nessus service
      ansible.builtin.service:
        name: nessusd
        state: stopped

    - name: Register a license key
      # This task is only run as part of a block that checks if a license key
      # needs to be registered. Additionally the command gives no indication
      # that a key is already registered when rerun.
      ansible.builtin.command: # noqa no-changed-when
        cmd: "/opt/nessus/sbin/nessuscli fetch --register-only {{ nessus_activation_code }}"

    #
    # Create the Nessus scanner user
    #
    - name: Grab the existing Nessus users
      ansible.builtin.command: /opt/nessus/sbin/nessuscli lsuser
      # This is a read-only operation
      changed_when: false
      register: nessus_users

    # The expect Ansible module requires pexpect
    - name: Install pexpect
      ansible.builtin.apt:
        name: python3-pexpect
        state: present
      when: nessus_username not in nessus_users.stdout

    - name: Create scanner user if necessary
      ansible.builtin.expect:
        command: "/opt/nessus/sbin/nessuscli adduser {{ nessus_username }}"
        responses:
          administrator: y
          BLANK: ""
          password: "{{ nessus_password }}"
      when: nessus_username not in nessus_users.stdout

    - name: Update plugins
      # This task is only run as part of a block that checks if a license key
      # needs to be registered. It will always pull any plugin updates available
      # when run.
      ansible.builtin.command: # noqa no-changed-when
        cmd: /opt/nessus/sbin/nessuscli update --plugins-only
      async: 300
      poll: 5

    - name: Rebuild the plugin database
      # This task is only run as part of a block that checks if a license key
      # needs to be registered. It will always rebuild the plugin database when
      # run.
      ansible.builtin.command: # noqa no-changed-when
        cmd: /opt/nessus/sbin/nessusd --recompile
      async: 3600  # 60 minutes
      poll: 30

    - name: Start Nessus service
      ansible.builtin.service:
        name: nessusd
        state: started

- name: Create the configuration file for Nessus API access
  ansible.builtin.template:
    dest: /etc/cyhy/nessus_api.yml
    group: cyhy
    mode: u=rw,g=r,o=
    owner: cyhy
    src: nessus_api.yml.j2

- name: Copy the nessus_base.py Python file for configuring Nessus
  ansible.builtin.copy:
    dest: /tmp/nessus_base.py
    mode: u=rw,g=r,o=r
    src: nessus_base.py

- name: Copy base Nessus scan policy to instance tmp
  ansible.builtin.template:
    dest: /tmp/cyhy-base-nessus8-policy.xml
    mode: u=rw,g=r,o=r
    src: cyhy-base-nessus8-policy.xml.j2

- name: Wait for Nessus port to be open
  ansible.builtin.wait_for:
    port: 8834

- name: Run Nessus configuration script
  ansible.builtin.command: python3 /tmp/nessus_base.py
  changed_when: "'Policy already exists' not in nessus_base_policy.stderr"
  register: nessus_base_policy

#
# Clean up
#
- name: Delete /tmp/cyhy-base-nessus8-policy.xml
  ansible.builtin.file:
    path: /tmp/cyhy-base-nessus8-policy.xml
    state: absent

- name: Delete /tmp/nessus_base.py
  ansible.builtin.file:
    path: /tmp/nessus_base.py
    state: absent