Getting Started with navi — Tenable.io Command-line utility.

Casey Reid a.k.a Packet Chaos
3 min read · Jan 15, 2021

Navi is a command-line interface to Tenable.io primarily built on pytenable. With over 80 commands and 100s of use-cases, navi can help simplify, augment and automate common Vulnerability Management (VM) workflows.

The easiest way to get navi installed is via pip. Since “navi” was already taken on PyPI, I decided to use “navi-pro”. Navi is built in Python 3, so you will need to have Python 3.9 or higher installed before using pip.

If you are a docker fan you are welcome to use docker to deploy navi. Check out the docker version.

The latest version of navi is: navi-pro-7.5.7

pip3 install navi-pro

Before you can start exporting CSVs, navigating your vulnerability data, and adding context to Tenable.io using tags, you will need to obtain the API keys for your T.io account. If you’re unfamiliar, check out Tenable’s documentation to learn how to obtain your API keys.

Once you have your API keys you have a few options for entering them into navi. The easiest and most common is via a single command as shown below. While this is not the best command to run around shoulder surfers, it supports automation. Replace “Access_key” and “Secret_key” with your actual keys provided by the Tenable.io platform.

navi keys --a Access_key --s Secret_key

If shoulder surfers are near, just type “navi keys”, hit “return”, and follow the prompts; your keys will be hidden on entry.

The last step before you’re ready to scan and remediate: update the navi database. Navi uses a SQLite DB under the hood to save all of the vulnerability and asset data you choose to download. By default, navi will download the last 30 days of vulnerability data and the last 90 days of asset data (to align with Tenable’s licensing model). You can override the default with the --days option by adding it to the end of the update command shown below.

navi update full

Navi will immediately schedule a vulnerability and asset export, download the data, parse the data, and finally save it to the navi.db found in the current directory.

Now, before you start navigating your VM data, let's check out two critical commands. The first one is the navi api command, which allows you to retrieve pretty-printed JSON responses for simple GET requests to Tenable API endpoints. This can be very useful if you are trying to build or expand upon navi’s use cases or navigate the Tenable API.

Try some of the below examples:

navi api /scans

navi api /users

If you want the raw asset data from a recent export, you can use the “api” command to grab it, like so:

navi api /assets/export/your-export-id-goes-here/chunks/1

In response, you can expect a pretty-printed JSON body for every asset in the requested chunk.

The second command you should know is the “query” command, which lets you explore the contents of the navi database directly.

navi find query "select * from assets;"

Ensure your SQL statement is enclosed in double quotes and that you end it with a “;”, otherwise you will be presented with an error or a null response.

This command is also very useful for verifying that the keys were entered correctly. To see what keys are entered into navi, take a look at the “keys” table in the navi database.

navi find query "select * from keys;"
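Since the keys can be read back from the “keys” table of navi.db, the following added example (not part of navi or of the original post) confirms that keys are stored without printing them in full and flags a navi.db that other local users can read. The sample database, its two-column layout, and the helper names are constructed assumptions; the audit reads whatever columns the table has.

```python
import os
import pathlib
import sqlite3
import stat
import tempfile


def mask(value, keep=4):
    """Show only the last `keep` characters of a secret."""
    text = str(value)
    if len(text) <= keep:
        return "*" * len(text)
    return "*" * (len(text) - keep) + text[-keep:]


def audit_navi_db(path):
    """Report file permissions and masked contents of the keys table."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other permission bit exposes the stored API keys.
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    report = {"mode": oct(mode), "too_permissive": exposed, "keys": []}
    # Open read-only so the audit can never modify the database.
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        for row in conn.execute("select * from keys;"):
            report["keys"].append(tuple(mask(col) for col in row))
    except sqlite3.OperationalError:
        report["keys"] = None  # no keys table in this database
    finally:
        conn.close()
    return report


def build_sample_db(path, mode=0o644):
    """Constructed stand-in for navi.db; the column layout is an assumption."""
    conn = sqlite3.connect(path)
    conn.execute("create table keys (access_key text, secret_key text)")
    conn.execute("insert into keys values (?, ?)",
                 ("EXAMPLEACCESS0001", "EXAMPLESECRET0002"))
    conn.commit()
    conn.close()
    os.chmod(path, mode)


if __name__ == "__main__":
    db = os.path.join(tempfile.mkdtemp(), "navi.db")
    build_sample_db(db)
    print(audit_navi_db(db))
```

If the report shows too_permissive as True, tightening the file to owner-only access (for example chmod 600 navi.db) keeps the stored keys away from other accounts on the same host.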

Okay, now to get started take a look at all of the base commands available in navi today.

navi core commands

I personally support this open source project which is NOT supported by Tenable.

What will you do with Navi?
