# Cloud Security

## Version:

* Linux Control Center = 2.10.X or higher

## Requirements:

* Tenable Vulnerability Management Secret Key and Access Key
* Hosts in the LCC database previously configured

## Overview:

* This guide provides information and step-by-step instructions for integrating Linux Control Center (LCC) with Tenable Vulnerability Management.

## Objective:

* This integration allows you to run Tenable Vulnerability Management scans from LCC and use the scan results to quickly and easily identify vulnerabilities in Hosts managed by LCC.

{% hint style="warning" %}
Please note that all third-party solutions that interact with LCC must be configured correctly. Inconsistent data from these solutions cannot be reliably processed or presented by LCC.

Tenable Vulnerability Management does not have ACR and AES indexes to classify Host risk levels.
{% endhint %}

## Integration Configuration

1. To create the LCC connection with Tenable, access the menu on the left of the LCC and click on the **Config** option

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-c2ecd830666fdc24d2c3a23b4dea0eee70a58c82%2Fconfig_dashboard.png?alt=media)

1. Click on **Tenable**

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-2392175ee074a464129fef04ca04976196dade3a%2Ftenable_sc.png?alt=media)

1. Click on **Vulnerability Manager**

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-2251d5d48fd04f18102005821767987555b055eb%2Ftenable_integrations.png?alt=media)

1. Click on the **Create** button.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-2783802b5a6ddc5e23190980b28c0ba9d8386910%2Fcreate_tenable_vm.png?alt=media)

1. Then, fill in the fields below:
   1. Enter the name to identify the synchronization in the **Name** field
   2. Enter the URL <https://cloud.tenable.com> in the **URL** field
   3. Enter the **Access Key** and **Secret Key** in their respective fields.

* **Chunk Size:** is the number of Assets that will be imported at a time
* **Number of Assets:** is the maximum number of Hosts to import
* **Updated At:** This option allows you to define from which date the LCC will be able to obtain the scan results. Default: Vulnerabilities from 30 days ago.

1. Click **Save**

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-ae115944c34e2766a7bb5c8a13c9ff425fe32cdf%2Ftenable_configurado.png?alt=media)

1. After saving, click on the previously saved item to open the Tenable Vulnerability Management integration window.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-2759e248b113d11c106b865bc601943be99e40c0%2Ftenable_item.png?alt=media)

1. Click on the **GENERAL** tab, and then click on the **Test Connection** button to test the connection with Tenable Vulnerability Management.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-c702707cb6ce425033c64dd8ca75334822a6800b%2Ftenable_general.png?alt=media)

1. The Status will turn green to confirm that the connection was successful

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-c3dcb4ede923b3ee7ab130952ac90d4db78b30b5%2Ftenable_status.png?alt=media)

### Sync Assets

{% hint style="warning" %}
Sync Assets compares the IP addresses of the Hosts in the LCC database with those in the Tenable Vulnerability Management database. Only Hosts with the same IP addresses in both databases will be displayed in the LCC Assets screen.

Be careful not to create duplicate Assets in Tenable Vulnerability Management. If you do, they cannot be processed or presented reliably by LCC.
{% endhint %}

1. After validating the connection, click on **Hosts**
2. Click on **Sync Assets** to synchronize the LCC Hosts with Tenable Vulnerability Management Assets

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-caef3d6886b9315d36a6e07e6dc9c65bf22594fe%2Ftenable_assets.png?alt=media)
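The matching rule and the duplicate caution above can be checked before running **Sync Assets**. The following is an added example, not LCC or Tenable code: it compares an exported list of LCC Host IPs with an exported list of Tenable assets, and the record layout (`id`, `ipv4`) and all sample values are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def norm(ip):
    """Canonical text form of an IP so '10.0.0.7 ' and '10.0.0.7' compare equal."""
    return str(ipaddress.ip_address(ip.strip()))

def preflight(lcc_ips, tenable_assets):
    """Report which LCC Hosts would match, which would not, and duplicate Assets."""
    owners = defaultdict(set)          # IP -> ids of the Tenable assets claiming it
    for asset in tenable_assets:
        for ip in asset.get("ipv4", []):
            owners[norm(ip)].add(asset["id"])
    lcc = {norm(ip) for ip in lcc_ips}
    tenable = set(owners)
    by_ip = ipaddress.ip_address       # sort numerically, not as text
    return {
        # Same IP on both sides: these Hosts are expected on the Assets screen.
        "matched": sorted(lcc & tenable, key=by_ip),
        # LCC Hosts with no Tenable asset on that IP: they will not be displayed.
        "lcc_only": sorted(lcc - tenable, key=by_ip),
        # One IP claimed by several Tenable assets: clean these up before syncing.
        "duplicates": {ip: sorted(ids) for ip, ids in owners.items() if len(ids) > 1},
    }

# Constructed sample data (hypothetical hosts and asset ids).
LCC_HOST_IPS = ["10.0.0.5", "10.0.0.6", " 10.0.0.7"]
TENABLE_ASSETS = [
    {"id": "asset-a", "ipv4": ["10.0.0.5"]},
    {"id": "asset-b", "ipv4": ["10.0.0.6"]},
    {"id": "asset-c", "ipv4": ["10.0.0.6"]},   # duplicate of asset-b
    {"id": "asset-d", "ipv4": ["10.0.0.9"]},   # not managed by LCC
]

if __name__ == "__main__":
    report = preflight(LCC_HOST_IPS, TENABLE_ASSETS)
    for section, value in report.items():
        print(f"{section}: {value}")
```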

### Running Scans

1. Then, click on **SCANS** and click the **SYNC SCANS** button to import the list of Scans present in Tenable Vulnerability Management
2. After **SYNC SCANS** finishes and lists the Tenable scans, click on **RUN** to run the desired scan.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-e388e9832f21f48b1d61e949ad0cf9d48a9e9ad1%2Ftenable_scans.png?alt=media)

### Sync Results

{% hint style="warning" %}
This Action can only be run once every 24 hours. Before running Sync Results, check if any scans have been performed recently to ensure that vulnerability information is up to date.

The Action will have the status **Aborted** if it is run again within the 24-hour period.
{% endhint %}

1. Access the Tenable web interface to monitor the scan execution. Once complete, return to **Hosts** and click **Sync Results** to synchronize the scan results with the LCC Console.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-571f2ad8b48b9cfd6bd6018a10ff983901135a23%2Ftenable_hosts.png?alt=media)

### Schedules

1. On the Tenable Vulnerability Management integration screen, click on the **Schedule** tab

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-a2b5d85f17f9bb569b5eaa39679dfae54add133d%2Fschedule_general.png?alt=media)

1. Click on **Add Schedule**

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-4a8e3a114d50c70ad72f487966571f133a517cee%2Fadd_schedule.png?alt=media)

1. These are the actions available to execute in the schedule.

**Test Connection:** Performs a connection test with Tenable Vulnerability Management to validate the integration\
**Sync Scans:** Updates the list of scans available in Tenable Vulnerability Management on the LCC integration Scans screen\
**Sync Assets:** Updates the list of Tenable Vulnerability Management assets according to the host data in the LCC database\
**Launch Scan:** Sends the command to run a desired scan in Tenable Vulnerability Management\
**Sync Results:** Synchronizes the results of the last scan run in Tenable Vulnerability Management with the hosts integrated in LCC.

4. Then, define a name for the schedule in the **Name** field and choose one of the actions in the **Action** line

By default, the scheduling screen opens with the **One Time** option, to schedule a single execution at a specific hour, minute and date, as shown in the image below.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-89a0886f820e10aeb1f30756ac259aabe0ff9d72%2Factions_schedule.png?alt=media)

1. By checking the **Repeatedly** box together with **Minutes** it is possible to execute the action every X defined minutes.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-854bf0fe8749cd5e9bc6b1ab2ae9a5572e20bc1f%2Fminutes_schedule.png?alt=media)

1. Checking the **Repeatedly** box together with **Daily** allows you to execute the action every day every X hours and X minutes.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-6dcc136fa41e40077f038a6b63d5f870c90e4adb%2Fdaily_schedule.png?alt=media)

1. Checking the **Repeatedly** box together with **Advanced** lets you define a custom schedule, where you can choose the hour, minute, day of the week, day of the month and the desired month.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-c477531ae861b3fae43a83eab1824e5881e0d788%2Fschedule_advanced.png?alt=media)

1. After creating and saving a schedule, you can pause it if necessary by clicking **Disable**. The **Active** column shows whether the schedule is enabled.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-56cbd191ff8a12aa35e1d3145d5b6bbebcdeb2cd%2Fdisable_schedule.png?alt=media)

1. The **Next Run** column displays when the next run will be and the **Last Run** column displays when the last run was. The **Count** column counts how many times the schedule has been run.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-7c3f079fed80d86aa04fe11186ce791aac70c9e3%2Flast_next_run.png?alt=media)

1. You can also delete a schedule by clicking the trash can icon next to the Disable/Enable button.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-7257223dae4bc7252acf6866e8627a9ac74e3986%2Fdelete_schedule.png?alt=media)

## Vulnerability Fix

### Fix Plugin ID 153588 - Weak SSH Ciphers

The LCC 7 Library has a script to change SSH encryption ciphers, configuring hosts to use stronger ciphers for SSH authentication.

To download and run this script, follow the steps below.

1. Click **7 Library** in the LCC left menu

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-83d51d88d139beeae61b7f77218c01226232f38c%2F7library_dashboard.png?alt=media)

1. Click **Sync Feed** to update the 7 Library feed

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-b4e1e78d085a1bfdba07e4b7df843631d21235e3%2Fsync_feed.png?alt=media)

1. Click on the **config SSH Ciphers Algorithms** script

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-93fafd8043be44a3b161403453be95879503bfdb%2F7library-page.png?alt=media)

1. Click **Download** and the script will be saved in the LCC and will be available in the **Scripts** screen

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-0d2fd45ac85440b63993e038ed6020f3c6dc1e69%2Fdownload_script.png?alt=media)

1. Click on **Scripts** in the left side menu.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-7a28660a18ec677122f81c8e4f62942d11ad0c3d%2Fscripts_lateral.png?alt=media)

1. Click on the script that was downloaded.

![](https://gitlab.com/7dev-doc/linux-control-center/-/blob/main/pt-br/images/workflow/fix_153588_tenable/downloaded_script.png)

1. Click on **User for Execution.**

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-2e637f7815ba6d7764c2f18a24c7e16521f2608b%2Fcampo_user_for_execution.png?alt=media)

1. Choose which user will run the script (We recommend using the **lcc.local** user to avoid failures due to lack of permission.)

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-c3086bbec0fc167903431f13568111d84c0f8f9e%2Fconta_lcc_local.png?alt=media)

1. Click on **Save**

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-2c6d81b5e1a00e9bbe5c9ee218213a9b71622ba5%2Fbotao_save_script.png?alt=media)

1. Then, click on **Workflow** in the left menu of the LCC

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-bf678eeccdc53dedd861e1460542bf6c2f0ebb2c%2Fbotao_workflow_lateral.png?alt=media)

1. Click **Create**

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-aaec5ef3cc146d2b102fefe4943c77e454911665%2Fadd_workflow.png?alt=media)

1. Enter a name for the *Workflow* in the **Name** field

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-545ce7ea4124400e878e39674c1ea8d8af72ad03%2Fcampo_name_workflow2.png?alt=media)

1. Click **Start New Workflow.**

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-2f6f312dfa1d82780a72a4ac5ed62af70e5dd9c5%2Fstart_workflow.png?alt=media)

1. Click **Actions** and choose the **Execute Custom Script** option

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-65121154f33ea696ff3dd591a9c6248800d13dbf%2Fcustom_script.png?alt=media)

1. Define one or more Hosts in the **Host** field

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-b27a88376639600f7413102763fa27a3fa4c9cea%2Ftarget_host.png?alt=media)

1. If you have a pre-configured group, choose it in the **Target Group** field

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-231de58c5451a86bc9d383d51d3013266531fd3c%2Fgrupo_hosts.png?alt=media)

1. Choose the **Config SSH Ciphers Algorithms** script.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-e249974d3c69a0fe7400e6b534ec1da094f7fcce%2Fcampo_script.png?alt=media)

1. Click **Create**.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-09105987329211611883814d65a554dae016b682%2Fworkflow_completo.png?alt=media)

1. Click **Save** to save the Workflow.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-400b5469c229a551e4eda188f7603e50f86dbc28%2Fbotao_save.png?alt=media)

1. After creating the Workflow, click the **Actions** button, then **Run**.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-243783b84ec4866f4b0c4c100967b71e63eb3e74%2Fexecute_workflow.png?alt=media)

1. Click **AGREE** to confirm the execution of the Workflow.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-352cc0bfc0518b7da93d3cf5ac5dbb40278254ec%2Fconfirmacao.png?alt=media)

1. Wait for the Workflow execution to finish.
2. Run the Tenable Vulnerability Management scan, as described in [Running Scans](#running-scans)
3. Run **Sync Results**, as per item 2 from the topic [Sync Results](#sync-results)
4. Access the menu on the left of the LCC and click on **Hosts**

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-571f2ad8b48b9cfd6bd6018a10ff983901135a23%2Ftenable_hosts.png?alt=media)

1. Click on the desired **Host** which will open the Host window.
2. Click on **Tenable Plugins**.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-c4faa308baafe677a5352985763afd4a9edbdd19%2Ftenable_plugins.png?alt=media)

1. Click on the **Tenable Plugins** tab and search for the number 153588 in the **Search** field

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-118e5414d2aa31bdd94e0612afce72696c7c1e9f%2Ftenable_search.png?alt=media)

1. We can see that the ID 153588 is no longer present in the Plugin ID column.

![](https://1620115297-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtZm19HsLxuDm2GumYKEz%2Fuploads%2Fgit-blob-373898b5ad3ab962752cff91b3f594059aa2f407%2Ftenable_id.png?alt=media)
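Because Sync Results can only be run once every 24 hours, it helps to confirm on the host that the workflow took effect before rescanning. The following added example (not the 7 Library script and not Tenable's plugin logic) parses `sshd -T` output and flags legacy ciphers; the deny-list and the sample outputs are assumptions constructed for illustration.

```python
import subprocess

# Assumption: an illustrative deny-list (CBC-mode and RC4 ciphers). It is not the
# plugin's own definition nor the list the LCC script applies.
WEAK_EXACT = {"arcfour", "arcfour128", "arcfour256", "rijndael-cbc@lysator.liu.se"}

def is_weak(cipher):
    name = cipher.strip().lower()
    return name.endswith("-cbc") or name in WEAK_EXACT

def parse_ciphers(sshd_t_output):
    """Return the cipher list from `sshd -T` output, or None if it has no such line."""
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "ciphers":
            return [c for c in value.strip().split(",") if c]
    return None

def audit(sshd_t_output):
    """Classify the effective cipher list; raises if the input is not usable."""
    ciphers = parse_ciphers(sshd_t_output)
    if ciphers is None:
        raise ValueError("no 'ciphers' line found; is this `sshd -T` output?")
    weak = [c for c in ciphers if is_weak(c)]
    return {"ciphers": ciphers, "weak": weak, "ok": not weak}

def effective_config():
    """Dump the local host's effective sshd settings (usually needs root)."""
    return subprocess.run(["sshd", "-T"], capture_output=True,
                          text=True, check=True).stdout

# Constructed samples of `sshd -T` output before and after the fix.
BEFORE = """port 22
ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256
"""
AFTER = """port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr
macs hmac-sha2-256
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        result = audit(text)
        print(label, "OK" if result["ok"] else "weak: " + ",".join(result["weak"]))
```

On a managed host, pass `effective_config()` to `audit()` instead of the samples.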
