Prerequisites
It is recommended that you use a dedicated server or VM to run the Kenna Agent. Please make sure that your firewall rules allow the Kenna Agent to talk to your internal connectors as well as reach out to Cisco Vulnerability Management.
These scanners are currently supported:
- Nexpose [only username & password is supported]
- Nessus
- Sonatype
- BlackDuck
Important: The machine must have network access to your scanner and the Kenna API.
Recommended specifications:
Operating System | RHEL or derivative (RHEL 7+, CentOS 7+, Fedora 28+) |
RAM | 1-2 GB |
Number of CPUs | 1-2 |
Disk Size | 20 GB, encrypted |
Note: HTTP/S proxying is supported. Refer to the Proxy for Agent section.
Windows server-based installs are not supported at this time. If you are interested, please let us know.
Important: Please open a support ticket to ask that the Agent UI feature flag be turned on. This enables the checkbox for the agent on the connector setup page. If you are using a proxy or firewall, request in the same ticket a list of URLs that need to be whitelisted.
Download the Agent
Go here to download the agent.
Install the Agent
Tip: You can execute the commands as root if you do not wish to use sudo.
In the Command Prompt, create a new "kenna.repo" file using
$ sudo yum install kenna-agent-1.2.1798-1.x86.64.rpm
Fedora 28+
$ sudo dnf install kenna-agent-1.2.1798-1.x86.64.rpm
Installation destination folder: /etc/kenna-agent
Connector Setup
If you have no existing connector, you must first select one before proceeding with the connector setup. Log in to the Cisco Vulnerability Management UI and click the Connectors tab to select a connector.
Once you have selected a connector, the connector-specific setup page opens as shown below.
Click the Use Kenna Agent checkbox. If there is no checkbox visible, open a support ticket and request that the feature flag for Agent UI be enabled.
Fill in the Username, Password, and Host information, and select the desired Schedule, if not already completed.
Note: You can make changes to your cron as required. Changes to the Schedule change the config snippet as shown.
Important: The connector ID is blank initially and only populates after the connector is saved.
Note: All times are in UTC.
Click Save to confirm your changes.
Important: After you click Save, the Run and Upload & Run buttons are still clickable, but their functionality is disabled.
Any previously set schedule will not work and all new connector runs will be completed using the Kenna Agent.
Configure the Agent
Note: A connector must be added, as shown in the previous section, before you configure the agent.
Important: You require your Kenna API token to configure and use the Kenna Agent.
Log in to Cisco Vulnerability Management and navigate to the API keys menu option.
Locate your API key and click the Copy button to copy the API token.
Edit the "/etc/kenna-agent/kenna-agent.toml" file.
Item | What to Enter |
token | Paste in the API token. |
id | Enter the connector ID. Tip: To locate your connector ID, select the connector in the Connectors tab. In the Details page that displays, highlight and copy the Connector ID. |
type | Enter the connector type such as “nexpose”, “nessus”. |
url | Enter the scanner URL (protocol + host + port). |
username | Enter the scanner credentials. |
password | Enter the scanner credentials. |
schedule | Enter a cron job schedule using the “min hr dom mon dow” format. Important: Time is interpreted in UTC. |
scan_list | Contains scan IDs for the Nessus connector. For a single list, enter scan_list = [#]. For example, scan_list = [5]. For multiple lists, enter numbers separated by commas. For example, scan_list = [5, 246, 248]. |
To manually kick off the connector outside of the scheduled window, log in to the agent console and run the following command:
$ kenna-agent oneshot
Multiple Connectors Setup
The Kenna-Agent allows for multiple connectors to be set up simultaneously by simply editing the kenna-agent.toml file as shown.
[kenna]
url = "https://api.kennasecurity.com"
token = "your token"
[connector.nexpose]
id = 12345
type = "nexpose"
url = "https://nexpose.example.com"
username = "user"
password = "pass"
schedule = "45 23 * * *"
[connector.blackduck]
id = 12346
type = "blackduck"
url = "https://blackduck.example.com"
username = "user"
password = "pass"
schedule = "55 23 * * *"
Kenna-Agent runs each connector at the time set in its schedule.
Important: Ensure that schedules are spread out to avoid encountering memory errors.
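The rules above can be checked before the agent is restarted. The following is an added example, not Kenna or Cisco code: a POSIX shell function (the name lint_agent_config is hypothetical) that flags a kenna-agent.toml accessible to group or others, since the file holds the API token and scanner passwords, rejects schedules that are not five numeric cron fields, and reports connectors that share an identical schedule. It assumes GNU stat, as found on the supported RHEL-family systems.

```sh
#!/bin/sh
# Added example (not vendor code): lint kenna-agent.toml before restarting the agent.
# Prints one finding per line; returns 0 when clean, 1 on findings, 2 if unreadable.

lint_agent_config() {
    cfg="$1"; rc=0
    # The file stores the API token and scanner passwords in clear text,
    # so flag any group/other permission bits. GNU stat prints e.g. 600 or 644.
    mode=$(stat -c '%a' "$cfg") || return 2
    case "$mode" in
        *00) ;;
        *) echo "PERM: mode $mode lets group/other access stored credentials"; rc=1 ;;
    esac
    # Validate each schedule ("min hr dom mon dow") and find identical schedules.
    # Assumption: numeric fields only (*, N, N-M, lists, /step); values are not range-checked.
    awk '
        BEGIN { field = "^([*]|[0-9]+)([-,/][0-9]+)*$" }
        /^[ \t]*\[/ { section = $0 }            # remember the current TOML table
        /^[ \t]*schedule[ \t]*=/ {
            val = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
            n = split(val, f, " ")
            ok = (n == 5)
            for (i = 1; ok && i <= n; i++)
                if (f[i] !~ field) ok = 0
            if (!ok) { print "CRON: " section " invalid schedule \"" val "\""; bad = 1; next }
            key = f[1] " " f[2] " " f[3] " " f[4] " " f[5]
            if (key in seen) { print "CLASH: " section " and " seen[key] " both use \"" key "\""; bad = 1 }
            else seen[key] = section
        }
        END { exit bad + 0 }
    ' "$cfg" || rc=1
    return $rc
}

# Optional command-line use: pass the path to the config file as the first argument.
if [ "$#" -gt 0 ]; then
    lint_agent_config "$1"
fi
```

The function only reports and changes nothing, because the account the agent runs under is not stated on this page.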
Directory Connector
A directory connector gathers all files inside a specified directory, uploads them to conduit, and starts a connector run. To set up a directory connector, you need to create a connector to which you upload files.
Important: Agent will pick up all files in the given directory for each run.
[kenna]
url = "https://api.kennasecurity.com"
token = "your token"
[connector.directory_nexpose]
id =
type = "directory"
url = "file:/home/kenna/Downloads/nexpose"
username = ""
password = ""
schedule = "45 23 * * *"
Item | What to Enter |
token | Paste in the API token. |
id | Enter the connector ID. Note: The connector should be a supported XML connector only. |
type | Enter the connector type as “directory”. |
url | Enter the path where the directory is located. For example, if the directory is in home/[User]/Downloads/nexpose, then the url would be as follows: “file:/home/kenna/Downloads/nexpose” Important: Ensure the specified directory has read permissions. |
username | Leave blank. |
password | |
schedule | Enter a cron job schedule using the “min hr dom mon dow” format. Important: Time is interpreted in UTC. |
Start and Enable the Agent
Once installation is complete, you are ready to run the agent. Start the agent with the start command listed under Helpful commands, then enable it with the following command.
$ sudo systemctl enable kenna-agent
Run Agent Check from the terminal
In the Command Prompt, enter "kenna-agent check" to check the configuration details of the Kenna Agent. Use this command to troubleshoot issues by reviewing the Check Summary.
$ kenna-agent check
Run connector from the terminal
To manually kick off the connector outside of the scheduled window, log in to the agent console and run the following command:
$ kenna-agent oneshot
Proxy for Agent
When a proxy is used, the agent is capable of working with HTTP and HTTPS settings.
In the command prompt, enter the following command:
$ sudo systemctl edit kenna-agent.service
In the editor, create/add an environment variable override.
Note: For different proxy settings, multiple environment variables can be added.
[Service]
# Replace the URL with your proxy
Environment=HTTPS_PROXY=https://myproxy:4566
Environment=HTTP_PROXY=https://myproxy:4566
After adding or creating the variables, save the changes and exit the editor. Then enter the following command to restart the Kenna Agent.
$ sudo systemctl restart kenna-agent.service
Helpful commands
Start agent:
$ sudo systemctl start kenna-agent
Enable agent:
$ sudo systemctl enable kenna-agent
Stop agent:
$ sudo systemctl stop kenna-agent
Agent process status:
$ sudo systemctl status kenna-agent
Check config details:
$ kenna-agent check
Run connector from the terminal:
To manually kick off the connector outside of the scheduled window, log in to the agent console and run the following command:
$ kenna-agent oneshot
Comments
Helpful, but also need to know if there are any firewall requirements for each of the SaaS platforms.