packetchaos / navi

A Command-line tool which leverages the Tenable.io API to reduce the time it takes to get information that is common during remediation or a troubleshooting event
GNU General Public License v3.0

Tag Update for Agent Group not working for Group with 6522 agents #37

Closed 1amdavadi closed 10 months ago

1amdavadi commented 1 year ago

Thank you for this amazing tool. It has made life a lot easier. I have been using Navi to tag my assets based on Agent groups and it's working for all groups that have fewer than 5000 agents. I have one group which has 6522 Agents and the tagging command results in an error. Please see the error below. I have redacted sections with personal/company name details.

MacBook-Pro:~ root# navi tag --c "Endpoint Agent Group" --v "Staff_Win_Endpoints_AU" --group "Staff_Win_Endpoints_AU"

The object you tried to create may already exist

If you are changing scan ownership, there is a bug where 'empty' scans won't be moved
<PreparedRequest [GET]>
{'Date': 'Thu, 05 Oct 2023 00:55:56 GMT', 'Content-Type': 'application/json; charset=utf-8', 'Content-Length': '66', 'Connection': 'keep-alive', 'Set-Cookie': 'nginx-cloud-site-id=ap-syd-1; path=/; HttpOnly; SameSite=Strict; Secure', 'Vary': 'origin', 'Cache-Control': 'no-cache', 'X-Request-Uuid': 'eebc8b1856b79b640xxxxxxxxe065d30', 'X-XSS-Protection': '1; mode=block', 'X-Frame-Options': 'DENY', 'Strict-Transport-Security': 'max-age=63072000; includeSubDomains', 'X-Content-Type-Options': 'nosniff', 'X-Gateway-Site-ID': 'service-nginx-router-ap-southeast-2-prod-7c5444698c-775z8', 'CF-Cache-Status': 'DYNAMIC', 'Server': 'cloudflare', 'CF-RAY': '8111b3b0db9717cd-MEL'}
Bad Request
Traceback (most recent call last):
  File "/usr/local/bin/navi", line 8, in
    sys.exit(cli())
  File "/Library/Python/3.9/site-packages/click/core.py", line 1157, in call
    return self.main(args, kwargs)
  File "/Library/Python/3.9/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
  File "/Library/Python/3.9/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Library/Python/3.9/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, ctx.params)
  File "/Library/Python/3.9/site-packages/click/core.py", line 783, in invoke
    return __callback(args, **kwargs)
  File "/Library/Python/3.9/site-packages/navi/plugins/tag.py", line 380, in tag
    for agent_group in group_data['groups']:
TypeError: 'NoneType' object is not subscriptable
MacBook-Pro:~ root#

packetchaos commented 1 year ago

Can you confirm the version of navi you are running? There was a bug with this command I resolved a few months ago around agents over 5000.

If you are on 7.5.1, I would ask you to delete the tag and try to create it again. If you get the same results, please post the traceback so I can work on a resolution.

1amdavadi commented 1 year ago

Thank you. I am using version 7.5.1 and deleting/recreating the tag did not help. Same error as above. How do I get you the "trace" log?

packetchaos commented 1 year ago

The "NoneType" error indicates one of a few issues that I can think of:

  1. The navi update full command hasn't been run since the agent group was created
  2. The navi user doesn't have access to the agent group in question
  3. The agent group at the command line has a spelling error
  4. The agents are new, and have not been scanned

The above may not be the exhaustive list.

We need to check a few things to rule the above out:

  1. Verify your navi user can see the agent group

    • navi api /scanners/1/agent-groups --limit 5000
    • Grab the group ID using grep or findstr with the above command
  2. Use the group ID to enumerate all of the assets

    • navi api /scanners/1/agent-groups/{group id}/agents
    • Grab a single asset UUID for a test
  3. Use the asset UUID and search the DB

    • navi find query "select * from assets where uuid='{uuid}';"

Replace the {} with the details from the previous task.

The above steps will help troubleshoot where the issue resides.

Below is the code snippet... You can see that the above three steps are what the code is doing. [image: navi_tag_group]
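The traceback in this thread ends in `for agent_group in group_data['groups']` with `group_data` being `None`, i.e. the API response was not the JSON the loop expected (a 400 on a group larger than the 5000-agent limit is one way to get there). The added example below, which is not navi's code, walks the three troubleshooting steps above in Python: find the group id by name, then enumerate the group's agents in `limit`/`offset` pages and raise a clear error instead of a `TypeError` when a page comes back as `None`. It assumes the Tenable.io endpoints named in the thread, a 5000-row cap on `limit`, and a response shape of `{"agents": [...], "pagination": {"total": N}}`; the `fake_fetch` function and its 6522 constructed agents stand in for a real API client.

```python
"""Added example (not navi's own code): paginate a Tenable.io agent-group
listing and fail cleanly when the API does not return the expected JSON."""
from typing import Callable, Dict, List, Optional

# Assumption: Tenable.io caps `limit` at 5000 on
# /scanners/{scanner_id}/agent-groups/{group_id}/agents (matches the >5000 bug).
PAGE_LIMIT = 5000

# fetch(path, params) -> parsed JSON body, or None when the request failed
Fetcher = Callable[[str, Dict[str, int]], Optional[dict]]


def find_group_id(groups_body: Optional[dict], name: str) -> Optional[int]:
    """Step 1 of the thread: pick the group id by exact name from the
    /scanners/{id}/agent-groups response; None if absent or unreadable."""
    if not groups_body or not isinstance(groups_body.get("groups"), list):
        return None
    for group in groups_body["groups"]:
        if group.get("name") == name:
            return group.get("id")
    return None


def list_group_agent_uuids(fetch: Fetcher, group_id: int, scanner_id: int = 1,
                           limit: int = PAGE_LIMIT) -> List[str]:
    """Step 2 of the thread: return every agent UUID in the group, walking
    limit/offset pages so groups larger than one page are fully covered."""
    path = f"/scanners/{scanner_id}/agent-groups/{group_id}/agents"
    uuids: List[str] = []
    offset = 0
    while True:
        body = fetch(path, {"limit": limit, "offset": offset})
        if body is None or not isinstance(body.get("agents"), list):
            # The guard navi's loop lacked: never subscript a None response.
            raise RuntimeError(
                f"unexpected response for {path} at offset {offset}; "
                "check the API key's access to the group and the page limit")
        page = body["agents"]
        uuids.extend(agent["uuid"] for agent in page)
        total = body.get("pagination", {}).get("total", len(uuids))
        offset += len(page)
        if not page or offset >= total:
            return uuids


# --- constructed sample data standing in for the Tenable.io API -------------
SAMPLE_AGENTS = [{"uuid": f"agent-{i:05d}"} for i in range(6522)]


def fake_fetch(path: str, params: Dict[str, int]) -> Optional[dict]:
    """Simulates the API: a limit above 5000 yields None (like the 400 Bad
    Request in the thread); otherwise it serves a slice of the sample agents."""
    if params["limit"] > PAGE_LIMIT:
        return None
    if path == "/scanners/1/agent-groups":
        return {"groups": [{"id": 42, "name": "Staff_Win_Endpoints_AU"}]}
    off, lim = params["offset"], params["limit"]
    return {"agents": SAMPLE_AGENTS[off:off + lim],
            "pagination": {"total": len(SAMPLE_AGENTS),
                           "offset": off, "limit": lim}}


if __name__ == "__main__":
    groups = fake_fetch("/scanners/1/agent-groups", {"limit": PAGE_LIMIT, "offset": 0})
    gid = find_group_id(groups, "Staff_Win_Endpoints_AU")
    print(gid, len(list_group_agent_uuids(fake_fetch, gid)))  # 42 6522
```

With a real client, `fetch` would wrap the authenticated GET and return `None` (or raise) on any non-200 status, so the caller sees which step failed rather than a `TypeError` deep inside a loop; step 3 of the thread (`navi find query ...`) is then run against one of the returned UUIDs.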

DBorGe commented 11 months ago

Is there any way I can use the opposite? We have multiple ways to tag assets in Tenable.io; however, we don't have many to create groups or add agents to groups based on their tags.

Let's see the following:

I have multiple agents that are not scanned often because, for example, the machine is shut down. So, I can create a tag "missing-agent-scan" if the last authenticated scan is from more than 7 days ago. However, I can't have an agent scan run based on tags. This is only possible for network scans.

So, I was trying to find a way to identify agents with that tag and add them to the "missing-agent-scan" group, which will then run at more precise hours or during business hours.

packetchaos commented 11 months ago

That is an interesting use-case. I don't have a solution today.

I will add this to my backlog and see if I can come up with something suitable. I have some code that pulls from target groups into the scan target section, which might make it a shorter LoE.

I might be able to get something out before the end of the year, if I'm not missing an unknown blocker.

packetchaos commented 10 months ago

I have a fix for this. It will take three commands. I plan on creating an article explaining the use-case.

Tag agents by missed auth days (7 days) --> navi tag --c "missed scans" --v "Agents missed scans" --missed 7

Update the navi database with the new tag relationship --> navi update assets --days 1

Turn the tag into an Agent group --> navi agent bytag --c "missed scans" --v "Agents missed scans" --group "Missed Agents Group"

Once I'm done testing I will release it. Shooting for the 24th.

packetchaos commented 10 months ago

I plan on writing an article on how this new functionality works. Closing the ticket.

New version will be pushed before Christmas after some more changes.