Nessus 6.3 User Guide - Tenable Network Security
Nessus 6.3 User Guide
March 3, 2015
(Revision 1)
Table of Contents
Introduction (p. 5)
  Standards and Conventions (p. 5)
  New in Nessus 6.3 (p. 5)
  Key Feature Updates (p. 5)
Nessus UI Overview (p. 6)
  Description (p. 6)
  Supported Platforms (p. 6)
Installation (p. 6)
Nessus UI (p. 7)
  Connecting to the Nessus UI (p. 7)
  Settings (p. 12)
  Interface Shortcuts (p. 16)
  User Profile (p. 17)
Policies (p. 19)
  Creating a New Policy (p. 20)
  Policy Settings (p. 21)
  Policy Credentials (p. 25)
  Cloud Services (p. 28)
  Database (p. 30)
  Host (p. 32)
    Windows (p. 32)
    Unix (p. 36)
    SNMPv3 (p. 41)
  Advanced Policy Creation (p. 42)
  Settings (p. 42)
  Discovery Settings (p. 45)
  Assessment Settings (p. 52)
  Web Applications (p. 55)
  Report (p. 62)
  Advanced (p. 63)
  Mobile Device Management (p. 66)
    Creating a Scan (p. 67)
    Plugins and Policy Preferences (p. 68)
    Mobile Device Management Credentials (p. 69)
    AirWatch (p. 70)
    Apple Profile Manager (p. 70)
    Good MDM (p. 72)
    MobileIron (p. 73)
    ADSI (p. 74)
  Patch Management (p. 74)
    IBM Tivoli Endpoint Manager (BigFix) (p. 75)
    WSUS (p. 81)
    SCCM (p. 82)
    Red Hat Network Satellite (p. 83)
Copyright © 2015. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
SecurityCenter is a trademark of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.
2
    Dell KACE K1000 (p. 85)
    Symantec Altiris (p. 86)
    Scanning With Multiple Patch Managers (p. 90)
  Virtualization (p. 91)
    VMware (p. 91)
    Red Hat Enterprise Virtualization (RHEV) (p. 94)
  Miscellaneous Authentication (p. 94)
  Plaintext Authentication (p. 97)
    Cleartext Protocols (p. 98)
    Web Application Scanning (p. 99)
  Compliance (p. 102)
  Plugins (p. 103)
  Audit Policies (p. 106)
  Compliance Audit Policies (p. 107)
  Offline Configuration Audit Policies (p. 110)
  PCI Policies (p. 111)
  SCAP Policies (p. 111)
  Nessus Agent Templates (p. 112)
  General Settings (p. 113)
  Discovery Settings (p. 115)
  Assessment Settings (p. 116)
  Report (p. 119)
  Advanced (p. 120)
  Managing Policies (p. 120)
  Importing, Exporting, and Copying Policies (p. 121)
Scans (p. 122)
  Creating, Launching, and Scheduling a Scan (p. 122)
  Configuring a Scan (p. 123)
  Configuring a Scan with Nessus Agents (p. 128)
  Managing Scans (p. 131)
  Creating and Managing Scan Folders (p. 134)
Scan Results and Reports (p. 135)
  Browse Scan Results (p. 136)
  Dashboards (p. 137)
  Compliance Results (p. 148)
  Report Filters (p. 150)
  Report Screenshots (p. 155)
  Scan Knowledge Base (p. 156)
  Compare the Results (Diff) (p. 157)
  Managing Reports (p. 159)
  Uploading and Exporting Reports (p. 159)
  HTML and PDF Customization (p. 160)
  Nessus File Formats (p. 162)
  Deleting Scan Results (p. 163)
PCI ASV Validation with Nessus Enterprise Cloud (p. 163)
  Submitting Scan Results for PCI Customer Review (p. 166)
  Customer Review Interface (p. 167)
  Reviewing Scan Results (p. 168)
  Disputing Scan Results (p. 170)
  Submitting Attachments as Evidence for a Dispute (p. 172)
  Submitting a Scan Report for Tenable Review (p. 174)
  PCI ASV Report Formats (p. 177)
For Further Information (p. 180)
About Tenable Network Security (p. 181)
Appendix A – Setting up Credentialed Checks on Windows Platforms (p. 182)
  Prerequisites (p. 182)
  User Privileges (p. 182)
  Enabling Windows Logins for Local and Remote Audits (p. 182)
  Configuring a Local Account (p. 182)
  Configuring a Domain Account for Authenticated Scanning (p. 182)
    Step 1: Creating a Security Group (p. 183)
    Step 2: Create Group Policy (p. 183)
    Step 3: Configure the policy to add the “Nessus Local Access” group as Administrators (p. 183)
    Step 4: Ensure proper ports are open in the firewall for Nessus to connect to the host (p. 183)
      Allowing WMI on Windows Vista, 7, 8, 2008, 2008R2 and 2012 Windows Firewall (p. 183)
    Step 5: Linking GPO (p. 184)
  Configuring Windows 2008, Vista and 7 (p. 184)
Appendix B – Enabling SSH Local Security Checks on Unix and Network Devices (p. 185)
  Generating SSH Public and Private Keys (p. 185)
  Creating a User Account and Setting up the SSH Key (p. 185)
  Enabling SSH Local Security Checks on Network Devices (p. 187)
Introduction
This document describes how to use Tenable Network Security’s Nessus user interface (UI). Please email any comments and
suggestions to [email protected]
The Nessus UI is a web-based interface to the Nessus vulnerability scanner. To use the UI, you must have an operational
Nessus scanner deployed and be familiar with its use.
Standards and Conventions
Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as
gunzip, httpd, and /etc/passwd.
Command line options and keywords are also indicated with the courier bold font. Command line examples may or may
not include the command line prompt and output text from the results of the command. Command line examples will display
the command being run in courier bold to indicate what the user typed while the sample output generated by the system
will be indicated in courier (not bold). Following is an example running of the Unix pwd command:
# pwd
/opt/nessus/
#
Important notes and considerations are highlighted with a note symbol and grey text boxes.
Tips, examples, and best practices are highlighted with a tip symbol and white on blue text.
New in Nessus 6.3
The following list shows official Nessus product names:
- Nessus®
- Nessus Home
- Nessus Professional
- Nessus Manager
- Nessus Scanner
- Nessus Enterprise Cloud
- Nessus Agent
Key Feature Updates
The following are some of the features available in Nessus 6.3. For a complete list of changes, please refer to the Release Notes.
- New licensing model, which includes Nessus Windows agents that can run Windows local checks and compliance scans
- Scanning dashboards that display vulnerability and compliance overviews
- Scanners managed by a central Nessus Manager, which deploys policies, scans, and plugin and software updates to them
Nessus UI Overview
Description
The Nessus User Interface (UI) is a web-based interface to the Nessus scanner that consists of a simple HTTP server and web client, and requires no software installation apart from the Nessus server. The primary features are:
- Generates .nessus files that Tenable products use as the standard for vulnerability data and scan policy.
- A policy session, list of targets and the results of several scans can all be stored in a single .nessus file that can be easily exported. Please refer to the “Nessus v2 File Format” guide for more details.
- Scan targets can use a variety of formats: IPv4/IPv6 addresses, hostname, and CIDR notation.
- Support for LDAP so that Nessus UI accounts can authenticate against a remote corporate server.
- The UI displays scan results in real time so you do not have to wait for a scan to complete to view results.
- Provides a unified interface to the Nessus scanner regardless of base platform. The same functionality exists on Mac OS X, Windows, and Linux.
- Scans will continue to run on the server even if the UI is disconnected for any reason.
- Nessus scan reports can be uploaded via the Nessus UI and compared to other reports.
- Scanning dashboards that display vulnerability and compliance overviews and allow you to visualize trends across your scanning history.
- A policy wizard to help quickly create efficient scan policies for auditing your network.
- The ability to set one scanner as primary and additional scanners as secondary, allowing a single Nessus interface to manage large-scale distributed scans.
- An extensive user and grouping system that allows granular resource sharing, including scanners, policies, schedules, and scan results.
Supported Platforms
Since the Nessus UI is a web-based client, it can run on any platform with a modern web browser.
The Nessus web-based user interface is best experienced using at least the minimum version specified of the following browsers: Microsoft Internet Explorer 10, Mozilla Firefox 32, Google Chrome 37, Opera 24, or Apple Safari 7.1 on the desktop. In addition, Nessus is compatible with Chrome 29 for Android, as well as browsers on iOS 7.
Installation
User management of the Nessus server is conducted through the Nessus UI or SecurityCenter only.
Refer to the “Nessus 6.3 Installation and Configuration Guide” for instructions on installing Nessus. On Linux and other Unix-based systems, Nessus 6.3 requires Oracle Java (formerly Sun Microsystems’ Java) for PDF report functionality.
Nessus UI
Nessus provides a user interface (UI) through HTTPS on port 8834. Each user will have a unique login and password. To
configure users, see the “Nessus 6.3 Installation and Configuration Guide” for instructions on configuring user accounts.
Connecting to the Nessus UI
To launch the Nessus UI, perform the following:
- Open a web browser of your choice.
- Enter https://[server IP]:8834/ in the navigation bar.
Be sure to connect to the user interface via HTTPS, as unencrypted HTTP connections are not supported.
The first time you attempt to connect to the Nessus user interface, most web browsers will display an error indicating the
site is not trusted due to Nessus providing a self-signed SSL certificate:
Users of Microsoft Internet Explorer can click on “Continue to this website (not recommended)” to load the Nessus user
interface. Firefox users can click on “I Understand the Risks” and then “Add Exception…” to display the site exception dialog
box:
Verify the “Location:” bar reflects the URL of the Nessus server and click on “Confirm Security Exception”. For information
on installing a custom SSL certificate, consult the “Nessus 6.3 Installation and Configuration Guide”.
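Before confirming the browser's security exception, a practitioner will want to check that the self-signed certificate presented on port 8834 is really the one installed on the Nessus host. The following added example (not Tenable's code) compares the SHA-256 fingerprint of the server's certificate file, at a path you supply, with the certificate received over TLS; port 8834 is from the guide, while the PEM path argument and the colon-separated fingerprint display format are assumptions.

```python
"""Verify the fingerprint of the certificate a Nessus UI presents on port 8834.

Added example, not Tenable code. The fingerprint of the server's own
certificate file is the out-of-band reference; only when the certificate
received over TLS matches it should a browser exception be added.
"""
import base64
import hashlib
import socket
import ssl
import sys

NESSUS_PORT = 8834  # HTTPS port the guide gives for the Nessus UI


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    lines = pem.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN CERTIFICATE-----"))
        end = next(i for i, l in enumerate(lines) if l.startswith("-----END CERTIFICATE-----"))
    except StopIteration:
        raise ValueError("no CERTIFICATE block found") from None
    body = "".join(line.strip() for line in lines[start + 1:end])
    return base64.b64decode(body, validate=True)


def fingerprints_match(seen: str, expected: str) -> bool:
    """Compare fingerprints ignoring case and separators (browsers differ)."""
    def norm(s: str) -> str:
        return "".join(c for c in s.upper() if c in "0123456789ABCDEF")
    # A SHA-256 fingerprint is 32 bytes, i.e. 64 hex digits.
    return len(norm(expected)) == 64 and norm(seen) == norm(expected)


def fetch_server_der(host: str, port: int = NESSUS_PORT, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the Nessus server presents.

    Chain verification is deliberately off here: a self-signed certificate
    cannot validate against a trust store, and the fingerprint comparison
    performed by the caller is the check that replaces it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <nessus-host> <path-to-server-cert.pem>", file=sys.stderr)
        return 2
    host, pem_path = argv[1], argv[2]  # pem_path: the certificate file on the Nessus host
    with open(pem_path, encoding="ascii") as fh:
        expected = der_fingerprint(pem_to_der(fh.read()))
    seen = der_fingerprint(fetch_server_der(host))
    print(f"expected: {expected}\nreceived: {seen}")
    if not fingerprints_match(seen, expected):
        print("MISMATCH: do not add a browser exception for this certificate", file=sys.stderr)
        return 1
    print("OK: fingerprint matches; the browser exception can be confirmed")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine that can reach the scanner, passing the hostname you type into the browser and a copy of the server's certificate file obtained from the Nessus host itself.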
After your browser has confirmed the exception, a splash screen will be displayed as follows:
Authenticate using the administrative account and password previously created during the installation process. When
logging in, you can optionally instruct your browser to remember the username on that computer. Only use this option if the
computer is always in a secured location! After successful authentication, the UI will present menus to manage policies and
scans. Administrative users will also see options for user management, and configuration options for the Nessus scanner.
When you log in, you will be in the “Scans” component of the UI:
At any point during Nessus use, the top left menu options will be present. The “admin” notation seen on the upper right hand
side in the screenshot above denotes the account currently logged in, a drop-down menu, and a bell for quick access to
important notifications related to Nessus operation:
At any point during Nessus Enterprise Cloud use, the top left menu options will be present, but the account is denoted by the email address registered as the user:
Clicking on this down arrow will offer a menu containing options to access your user profile, general Nessus settings,
information about the installation, help and support options, what’s new in this release, as well as an option to sign out.
The “User Profile” option will bring up a menu with several pages of options related to the user account including the
password change facility, folder management, and plugin rules page. More information about these options can be found
below.
Note that the username in the Nessus Enterprise Cloud account will be the registered email address of the user:
The “Account Settings” field shows the current authenticated user, full name, email address, and the user type: System
Administrator, Administrator, Standard, or Read Only. This is the default information displayed when clicking on the “User
Profile” drop-down.
The “Change Password” option allows you to change the password, which should be done in accordance with your
organization’s security policy. Note that you are required to type the password twice to confirm your choice.
The “Plugin Rules” option provides a facility to create a set of rules that dictate the behavior of certain plugins related to any
scan performed. A rule can be based on the Host (or all hosts), Plugin ID, an optional Expiration Date, and manipulation of
Severity. The same rules can be set from the scan results page. This allows you to reprioritize the severity of plugin results to
better account for your organization’s security posture and response plan.
To create a new rule, click “New Rule” in the upper right.
Settings
The “Settings” option for Nessus Manager provides access to the “Overview” page, accounts, communication with external
mail and proxy servers, Nessus Agents, Nessus Scanners, and advanced scanner options (if the current user is a system
administrator). More information about these options can be found below.
The “Settings” option for Nessus Scanner only provides access to the “Overview” page, accounts, communication with proxy
servers, and advanced scanner options (if the current user is a system administrator). More information about these options
can be found below.
The “Settings” option for Nessus Professional provides access to the “Overview” page, accounts, communication with
external mail and proxy servers, and advanced scanner options (if the current user is an administrator). More information
about these options can be found below.
The “What’s New” link provides access to the quick tour of new features with this Nessus release. More information about each
option can be found below the image. In this example, we see new features of a Nessus release:
The “Help & Support” link will load the Tenable Support Portal in a new tab or window. “Sign Out” will terminate your
current session with Nessus.
The bell icon on the upper right side can be clicked on to show any messages related to Nessus operations including errors,
notification of new Nessus releases, session events, and more.
This will also serve as a place to provide any additional alerts or errors via popups that will fade shortly after and stay in the
notification history until cleared:
If there are no notifications, the notifications will appear with an empty history message:
Interface Shortcuts
The HTML5 interface has several hotkeys that allow quick keyboard-navigation to the major sections of the interface, as well
as performing common activities. These can be used at any time, from anywhere within the interface.
At the main section of the interface, the following hotkeys are available for navigation:
Hot Key     Description
R           Scans
P           Policies
U           Users
C           Settings
G           Groups (Nessus Manager and Nessus Enterprise Cloud only)
M           User Profile
At the main section of the interface, the following hotkeys are available for creation:
Hot Key     Description
Shift + R   New Scan
Shift + F   New Folder (Scan view only)
In the “Scans” view, the following hotkey is available:
Hot Key     Description
N           New Scan
In the “Policies” view, the following hotkey is available:
Hot Key     Description
N           New Policy
In the “Users” view, the following hotkey is available:
Hot Key     Description
N           New User
In the user group view in Nessus Manager and Nessus Enterprise Cloud, the following hotkey is available:
Hot Key     Description
N           New User Group
In the “Advanced” setting view, the following hotkey is available:
Hot Key     Description
N           New Setting
User Profile
The user profile options allow you to manipulate settings related to your account.
In Nessus Manager, you have an additional setting for changing the email address associated with your account:
Click on the user account to change the options related to the account.
The “Account Settings” field shows the current authenticated user as well as the user type, either Administrator or user. This
is the default information displayed when clicking on the “User Profile” drop-down.
The “Change Password” option allows you to change the password, which should be done in accordance with your
organization’s security policy. Note that you are required to type the password twice to confirm your choice.
The “Plugin Rules” option provides a facility to create a set of rules that dictate the behavior of certain plugins related to any
scan performed. A rule can be based on the Host (or all hosts), Plugin ID, an optional Expiration Date, and manipulation of
Severity. The same rules can be set from the scan results page. This allows you to reprioritize the severity of plugin results to
better account for your organization’s security posture and response plan.
To create a new rule, click “New Rule” in the upper right.
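As an added example (not code from this guide or from Tenable), the rule matching described above can be modelled directly: a rule names a Plugin ID, optionally a single host, optionally an expiration date, and the severity to assign. The severity labels and the precedence rule (a host-specific rule wins over an all-hosts rule for the same plugin; expired rules are skipped) are assumptions of this example, as are the sample plugin IDs and addresses.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

# Severity labels as shown in the Nessus UI; the tuple is this example's own
# and is used only to validate rule input.
SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")


@dataclass(frozen=True)
class PluginRule:
    """One plugin rule: match on Plugin ID (and optionally host), set severity."""
    plugin_id: int
    severity: str
    host: Optional[str] = None      # None means the rule applies to all hosts
    expires: Optional[date] = None  # None means the rule never expires

    def __post_init__(self):
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")

    def matches(self, host: str, plugin_id: int, today: date) -> bool:
        if self.plugin_id != plugin_id:
            return False
        if self.expires is not None and today > self.expires:
            return False  # expired rules are ignored, not deleted
        return self.host is None or self.host == host


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: int
    severity: str


def pick_rule(rules, host, plugin_id, today) -> Optional[PluginRule]:
    """Return the most specific active rule for this host/plugin pair.

    Assumption of this example: a rule scoped to the host wins over an
    all-hosts rule; among equally specific rules the first listed wins.
    """
    candidates = [r for r in rules if r.matches(host, plugin_id, today)]
    if not candidates:
        return None
    candidates.sort(key=lambda r: r.host is None)  # host-specific first (stable)
    return candidates[0]


def apply_plugin_rules(findings, rules, today) -> List[Finding]:
    """Rewrite the severity of each finding according to the rule set."""
    out = []
    for f in findings:
        rule = pick_rule(rules, f.host, f.plugin_id, today)
        out.append(replace(f, severity=rule.severity) if rule else f)
    return out


def demo(today: date = date(2015, 3, 3)) -> List[str]:
    """Constructed sample: three rules applied to three findings."""
    rules = [
        PluginRule(plugin_id=10001, severity="Low"),                            # all hosts
        PluginRule(plugin_id=10001, severity="Critical", host="10.0.0.5"),      # one host
        PluginRule(plugin_id=20002, severity="Info", expires=date(2015, 1, 1)),  # expired
    ]
    findings = [
        Finding("10.0.0.5", 10001, "High"),
        Finding("10.0.0.6", 10001, "High"),
        Finding("10.0.0.6", 20002, "Medium"),
    ]
    return [f.severity for f in apply_plugin_rules(findings, rules, today)]


if __name__ == "__main__":
    print(demo())  # ['Critical', 'Low', 'Medium']
```

Running `demo()` with a date before the third rule's expiration shows the expired rule taking effect again, which is the check to run when a downgraded finding unexpectedly reappears at its original severity.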
Policies
A Nessus policy is a set of configuration options related to performing a vulnerability scan.
These options include, but are not limited to:
• Parameters that control technical aspects of the scan such as timeouts, number of hosts, type of port scanner, and more.
• Credentials for local scans (e.g., Windows, SSH), authenticated Oracle database scans, HTTP, FTP, POP, IMAP, or Kerberos based authentication.
• Granular family or plugin-based scan specifications.
• Database compliance policy checks, report verbosity, service detection scan settings, Unix compliance checks, and more.
• Offline configuration audits for network devices, allowing safe checking of network devices without needing to scan the device directly.
• Windows malware scans which compare the MD5 checksums of files, both known good and malicious files.
Nessus 6.3 organizes policies into three categories: scanner templates, agent templates, and user-created policies.
Clicking on the “New Policy” button in the Policies section brings up a list of available default templates. The default
policies are stored in the Policy Library. User-created policies are saved policies created from the default templates.
Creating a New Policy
Once you have connected to a Nessus UI, you can create a custom policy by clicking on the “Policies” option on the bar at the
top and then “+ New Policy” button toward the left. The policy library screen will be displayed as follows:
You can also search the policy library from the search box in the upper right corner.
Note that the exact list of policies may change from time-to-time based on the addition of new policy templates to the feed.
For example, when the “Heartbleed” and “Bash Shellshock” vulnerabilities were disclosed, policies configured to specifically
detect the vulnerabilities were added to the list for customer convenience.
The first option is to create a policy from a template with a specific purpose. The available templates may change from time-to-time. Some templates are:
Policy Wizard Name            Description
Advanced Scan                 Scan template for users who want total control of their policy configuration.
Audit Cloud Infrastructure    For users who want to audit the configuration of cloud-based services such as Amazon Web Services (AWS) and Salesforce.com.
Bash Shellshock Detection     Remote and credentialed checks for the Bash Shellshock vulnerability.
Basic Network Scan            For users scanning internal or external hosts.
Credentialed Patch Audit      Log in to systems and enumerate missing software updates.
GHOST (glibc) Detection       Credentialed checks for the GHOST vulnerability.
Host Discovery                Identifies live hosts and open ports.
Internal PCI Network Scan     For administrators preparing for a Payment Card Industry Data Security Standards (PCI DSS) compliance audit of their internal networks.
Mobile Device Scan            For users of Apple Profile Manager, ADSI, MobileIron, or Good MDM.
Offline Config Audit          Upload and audit the config file of a network device.
PCI Quarterly External Scan   An approved policy for quarterly external scanning required by PCI. This is offered on Nessus Enterprise Cloud only.
Policy Compliance Auditing    Audit system configurations against a known baseline provided by the user.
SCAP Compliance Audit         Audit systems using Security Content Automation Protocol (SCAP) content.
Web Application Tests         For users performing generic web application scans.
Windows Malware Scan          For users searching for malware on Windows systems.
If you are migrating from Nessus 5.x to 6.3, any changes you made to the policies will be overwritten in the policy
library. User-created policies will not be affected when derived from the Advanced Template.
Templates for Nessus Agent scans are covered later in the “Nessus Agent Templates” section.
Policy Settings
Policies have five sections under “Settings”: Basic, Discovery, Assessment, Report, and Advanced. These sections allow you
to refine your policy settings.
Depending on the policy template chosen, not all sections will be configurable.
The Basic section covers the policy name, description, and permissions. Nessus provides granular control to the policy.
Permissions on the policy are limited to the user who created the policy (no access) or other users (can use).
The Discovery section of the policy settings controls the host discovery, port scanning, and service discovery methods used by
the policy.
For the host discovery section, if “Ping the remote host” is not enabled the ping options will not be visible in the
UI.
Depending on the setting, some options may only appear with the “Custom” option selected.
The Assessment section configures the web application scanning settings and the SMB enumeration of a scan if necessary.
For the Web Applications section, if “Scan web applications” is not enabled the options will not be visible in the
UI.
The Report section configures the appearance of the scan report and whether it can be modified after scan completion.
The Advanced section allows configuration of more advanced features, such as performance settings, additional checks, and
logging features.
More details about each policy setting section are listed in the Advanced Policy Creation section below.
Policy Credentials
Tenable’s Nessus scanner is a very effective network vulnerability scanner with a comprehensive database of plugins that
check for a large variety of vulnerabilities that could be remotely exploited. In addition to remote scanning, the Nessus
scanner can also log into systems and check for vulnerabilities directly on the host.
By using credentials, the Nessus scanner can be granted local access to scan the target system without requiring an agent. This
can facilitate scanning of a very large network to determine local exposures or compliance violations. As noted, some steps of
policy creation may be optional. Once created, the policy will be saved with recommended settings. You can edit the wizard
options or any other aspect of the policy at any time.
There are several forms of authentication supported including but not limited to databases, SSH, Windows, network devices,
patch management servers, and various plaintext authentication protocols. For example, Nessus leverages the ability to log
into remote Unix hosts via Secure Shell (SSH); and with Windows hosts, Nessus leverages a variety of Microsoft
authentication technologies. Note that Nessus also uses the Simple Network Management Protocol (SNMP) to make version
and information queries to routers and switches. In addition to operating system credentials, Nessus supports other forms of
local authentication.
In Nessus 6.3, the following types of credentials are managed in the Credentials section of the policy:
• Cloud Services, which includes Amazon Web Services (AWS) and Salesforce.com
• Database, which includes MongoDB, Oracle, MySQL, DB2, PostgreSQL, and SQL Server
• Host, which includes Windows logins, SSH, and SNMPv3
• Mobile Device Management
• Patch Management servers
• VMware, Red Hat Enterprise Virtualization (RHEV), IBM iSeries, Palo Alto Networks PAN-OS, and directory services (ADSI and X.509)
• Plaintext authentication mechanism including FTP, HTTP, POP3, and other services
Credentialed scans can perform any operation that a local user can perform. The level of scanning is dependent
on the privileges granted to the user account that Nessus is configured to use. The more privileges the scanner
has via the login account (e.g., root or administrator access), the more thorough the scan results.
Nessus allows multiple credentials in the same policy. To add credentials, click the addition sign for the appropriate type of
credential. Nessus will accept an unlimited number of some types of credentials; these are marked with an infinity sign “∞”.
Other credential types will display a numeric value indicating the remaining number of credentials of that type that can be
added to the policy.
The “Credentials” tab, pictured below, allows you to configure the Nessus scanner to use authentication credentials during
scanning. By configuring credentials, it allows Nessus to perform a wider variety of checks that result in more accurate scan
results.
Please note that Nessus will open several concurrent authenticated connections to carry out credentialed
auditing to ensure it is done in a timely fashion. Ensure that the host being audited does not have a strict account
lockout policy based on concurrent sessions.
The “Credentials” section has a search box in the upper right. If nothing matches the search text, then no compliance checks
will appear in the left column.
Cloud Services
Nessus supports two services: Amazon AWS and Salesforce.com.
Users can select “Salesforce.com” from the Credentials menu. This allows Nessus to log in to Salesforce.com as the specified
user to perform compliance audits.
Option      Description
Username    Username required to log in to Salesforce.com
Password    Password associated with the Salesforce.com username
Users can select “Amazon AWS” from the Credentials menu and enter credentials for compliance auditing an account in
AWS.
Option              Description
AWS Access Key ID   The AWS access key ID string.
AWS Secret Key      AWS secret key that provides the authentication for AWS Access Key ID.
Please see the Nessus Compliance Checks document, under the “Amazon AWS Compliance Capability” section for how to
configure permissions correctly.
Global Settings for Amazon AWS authentication are:
Option                   Default             Description
Regions to access        Rest of the World   In order for Nessus to audit an Amazon AWS account, you must define the regions you want to scan. Per Amazon policy, you will need different credentials to audit account configuration for the China region than you will for the Rest of the World. Choosing the Rest of the World will open the following choices:
                                             • us-east-1
                                             • us-west-1
                                             • us-west-2
                                             • eu-west-1
                                             • ap-northeast-1
                                             • ap-southeast-1
                                             • ap-southeast-2
                                             • sa-east-1
                                             • us-gov-west-1
HTTPS                    Enabled             Use HTTPS to access Amazon AWS.
Verify SSL Certificate   Enabled             Verify the validity of the SSL digital certificate.
Database
Nessus supports authenticating with Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL, and MongoDB.
Credentials for all the databases except MongoDB are configured by adding “Database” credentials from the Database
category.
The “Database” credential menu is used to specify credentials, the type of database to be tested, and other relevant settings.
Note that some options will appear based on your selections.
All databases will have a username and password:
Option          Description
Username        The username for the database.
Password        The password for the supplied username.
Database Type   Nessus supports Oracle, SQL Server, MySQL, DB2, Informix/DRDA, and PostgreSQL.
For Oracle databases, you have the following options:
Option          Default   Description
Database Port   1521      Port the database listens on.
Auth Type       SYSDBA    NORMAL, SYSOPER, and SYSDBA are supported.
SID             none      Oracle system ID that identifies a specific database.
For SQL Server, you have the following options:
Option          Default   Description
Database Port   1433      Port the database listens on.
Auth Type       Windows   Windows authentication or SQL Server authentication are supported.
Instance Name   none      Name of the SQL Server instance for auditing.
For MySQL, you have the following option:
Option          Default   Description
Database Port   3306      Port the database listens on.
For DB2, you have the following options:
Option          Default   Description
Database Port   50000     Port the database listens on.
Database Name   none      Name of the database, which is a required field.
For PostgreSQL, you have the following option:
Option          Default   Description
Database Port   5432      Port the database listens on.
The “MongoDB” menu is used to specify the MongoDB credentials for compliance audits:
Option     Description
Username   The username for the database.
Password   The password for the supplied username.
Database   Name of the database to audit.
Port       Port the database listens on.
Host
Nessus supports three forms of host authentication: Windows, Secure Shell (SSH), and SNMPv3.
Windows
The “Windows credentials” menu item has settings to provide Nessus with information such as SMB account name,
password, and domain name. Nessus supports several different types of authentication methods for Windows-based
systems:
• The Lanman authentication method was prevalent on Windows NT and early Windows 2000 server deployments; it is retained for backwards compatibility.
• The NTLM authentication method, introduced with Windows NT, provided improved security over Lanman authentication. The enhanced version, NTLMv2, is cryptographically more secure than NTLM and is the default authentication method chosen by Nessus when attempting to log into a Windows server. NTLMv2 can make use of “SMB Signing”.
• SMB signing is a cryptographic checksum applied to all SMB traffic to and from a Windows server. Many system administrators enable this feature on their servers to ensure that remote users are 100% authenticated and part of a domain. In addition, make sure you enforce a policy that mandates the use of strong passwords that cannot be easily broken via dictionary attacks from tools like John the Ripper and L0phtCrack. SMB signing is automatically used by Nessus if it is required by the remote Windows server. Note that there have been many different types of attacks against Windows security to elicit “hashes” from computers for re-use in attacking servers. “SMB Signing” adds a layer of security to prevent these man-in-the-middle attacks.
• The SPNEGO (Simple and Protected Negotiate) protocol provides Single Sign On (SSO) capability from a Windows client to a variety of protected resources via the users’ Windows login credentials. Nessus supports use of SPNEGO with either NTLMSSP with LMv2 authentication or Kerberos and RC4 encryption. SPNEGO authentication happens through NTLM or Kerberos authentication; nothing needs to be configured in the Nessus policy.
• If an extended security scheme (such as Kerberos or SPNEGO) is not supported or fails, Nessus will attempt to log in via NTLMSSP/LMv2 authentication. If that fails, Nessus will then attempt to log in using NTLM authentication.
• Nessus also supports the use of Kerberos authentication in a Windows domain. To configure this, the IP address of the Kerberos Domain Controller (actually, the IP address of the Windows Active Directory Server) must be provided.
Server Message Block (SMB) is a file-sharing protocol that allows computers to share information across the network.
Providing this information to Nessus will allow it to find local information from a remote Windows host. For example, using
credentials enables Nessus to determine if important security patches have been applied. It is not necessary to modify other
SMB parameters from default settings.
The SMB domain field is optional and Nessus will be able to log on with domain credentials without this field. The username,
password, and optional domain refer to an account that the target machine is aware of. For example, given a username of
“joesmith” and a password of “my4x4mpl3”, a Windows server first looks for this username in the local system’s list of
users, and then determines if it is part of a domain.
Regardless of credentials used, Nessus always attempts to log into a Windows server with the following combinations:
• “Administrator” without a password
• A random username and password to test Guest accounts
• No username or password to test null sessions
The actual domain name is only required if an account name is different on the domain from that on the computer. It is
entirely possible to have an “Administrator” account on a Windows server and within the domain. In this case, to log onto the
local server, the username of “Administrator” is used with the password of that account. To log onto the domain, the
“Administrator” username would also be used, but with the domain password and the name of the domain.
When multiple SMB accounts are configured, Nessus will try to log in with the supplied credentials sequentially.
Once Nessus is able to authenticate with a set of credentials, it will check subsequent credentials supplied, but only
use them if administrative privileges are granted when previous accounts provided user access.
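The two behaviours described above, the authentication-method fallback order (Kerberos/SPNEGO, then NTLMSSP/LMv2, then NTLM) and the precedence among several configured SMB accounts, modelled in Python as an added example. This is not Tenable's code: `FakeWindowsHost`, the method names, the privilege labels and the sample accounts are all constructed for the example so that it runs without a network.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Method order as the guide describes it: extended security first
# (Kerberos/SPNEGO), then NTLMSSP with LMv2, then plain NTLM.
AUTH_ORDER = ("kerberos/spnego", "ntlmssp/lmv2", "ntlm")


@dataclass(frozen=True)
class SmbCredential:
    username: str
    password: str
    domain: str = ""  # optional, as the guide notes


class FakeWindowsHost:
    """Constructed stand-in for a target (no network): which methods it
    accepts and which privilege level each known account receives."""

    def __init__(self, accepted: Set[str], accounts: Dict[Tuple[str, str], str]):
        self.accepted = accepted
        self.accounts = accounts  # (username, password) -> "user" | "admin"

    def authenticate(self, cred: SmbCredential, method: str) -> Optional[str]:
        if method not in self.accepted:
            return None  # method unsupported by the target, so it fails
        return self.accounts.get((cred.username, cred.password))


def negotiate(host: FakeWindowsHost, cred: SmbCredential):
    """Try the methods in AUTH_ORDER; return (method, level) or None."""
    for method in AUTH_ORDER:
        level = host.authenticate(cred, method)
        if level is not None:
            return method, level
    return None


def select_credential(host: FakeWindowsHost, creds):
    """Walk the configured accounts in order. Keep the first that logs in;
    replace it only if a later one yields administrative privileges while
    the current choice gave plain user access."""
    chosen = None  # (credential, method, level)
    for cred in creds:
        result = negotiate(host, cred)
        if result is None:
            continue  # this account failed on every method; try the next one
        method, level = result
        if chosen is None or (chosen[2] == "user" and level == "admin"):
            chosen = (cred, method, level)
    return chosen


def demo():
    """Constructed sample: a user-level account listed first, a typo, then admins."""
    host = FakeWindowsHost(
        accepted={"ntlmssp/lmv2", "ntlm"},  # no Kerberos on this target
        accounts={
            ("svc_scan", "pw-user"): "user",
            ("Administrator", "pw-admin"): "admin",
            ("helpdesk", "pw-help"): "admin",
        },
    )
    creds = [
        SmbCredential("svc_scan", "pw-user"),
        SmbCredential("typo", "wrong"),
        SmbCredential("Administrator", "pw-admin", domain="CORP"),
        SmbCredential("helpdesk", "pw-help"),
    ]
    return select_credential(host, creds)


if __name__ == "__main__":
    cred, method, level = demo()
    print(cred.username, method, level)  # Administrator ntlmssp/lmv2 admin
```

The practical consequence is the one the guide draws: listing a low-privilege account first costs nothing, because a later account that yields administrative access still wins, but an account that fails every method is simply skipped, so a typo in one entry does not stop the scan from using the others.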
Some versions of Windows allow you to create a new account and designate it as an “administrator”. These
accounts are not always suitable for performing credentialed scans. Tenable recommends that the original
administrative account, named “Administrator” be used for credentialed scanning to ensure full access is
permitted. On some versions of Windows, this account may be hidden. The real administrator account can be
unhidden by running a DOS prompt with administrative privileges and typing the following command:
C:\> net user administrator /active:yes
If an SMB account is created with limited administrator privileges, Nessus can easily and securely scan multiple domains.
Tenable recommends that network administrators consider creating specific domain accounts to facilitate testing. Nessus
includes a variety of security checks for Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2,
Windows 2012, and Windows 2012 R2 that are more accurate if a domain account is provided. Nessus does attempt to try
several checks in most cases if no account is provided.
The Windows Remote Registry service allows remote computers with credentials to access the registry of the
computer being audited. If the service is not running, reading keys and values from the registry will not be
possible, even with full credentials. Please see the Tenable blog post titled “Dynamic Remote Registry Auditing - Now you see it, now you don’t!” for more information. This service must be started for a Nessus credentialed
scan to fully audit a system using credentials.
Credentialed scans on Windows systems require that a full administrator level account be used. Several, though not all,
Microsoft bulletins and software updates have made reading the registry to determine software patch level unreliable
without administrator privileges. Nessus plugins will check that the provided credentials have full administrative
access to ensure they execute properly. For example, full administrative access is required to perform direct reading of the
file system. This allows Nessus to attach to a computer and perform direct file analysis to determine the true patch level of
the systems being evaluated.
There are also four Global Settings for Windows credentials:
Option                                              Default    Description
Never send credentials in the clear                 Enabled    For security reasons, Windows credentials are not sent in the clear by default.
Do not use NTLMv1 authentication                    Enabled    If the “Do not use NTLMv1 authentication” option is disabled, then it is theoretically possible to trick Nessus into attempting to log into a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a “hash” obtained from Nessus. This “hash” can be potentially cracked to reveal a username or password. It may also be used to directly log into other servers. Force Nessus to use NTLMv2 by enabling the “Only use NTLMv2” setting at scan time. This prevents a hostile Windows server from using NTLM and receiving a “hash”. Because NTLMv1 is an insecure protocol this option is enabled by default.
Start the Remote Registry service during the scan   Disabled   This option tells Nessus to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Nessus to execute some Windows local check plugins.
Enable administrative shares during the scan        Disabled   This option will allow Nessus to access certain registry entries that can be read with administrator privileges.
The Windows settings for Kerberos authentication are:
Password (default: none): Like with other credential methods, this is the user password on the target system. This is a required field.
Key Distribution Center (KDC) (default: none): This host supplies the session tickets for the user. This is a required field.
KDC Port (default: 88): This option can be set to direct Nessus to connect to the KDC if it is running on a port other than 88.
KDC Transport (default: TCP): Note that if you need to change the KDC Transport value, you may also need to change the port, as the KDC over UDP uses either port 88 or 750 by default, depending on the implementation.
Domain (default: none): The Windows domain that the KDC administers. This is a required field.
For details on how to set up a Windows system for local checks, see “Appendix A – Setting up Credentialed Checks on
Windows Platforms”.
Unix
On Unix systems and supported network devices, Nessus uses Secure Shell (SSH) protocol version 2 based programs (e.g.,
OpenSSH, Solaris SSH, etc.) for host-based checks. This mechanism encrypts the data in transit to protect it from being
viewed by sniffer programs. Nessus supports four types of authentication methods for use with SSH: username and
password, public/private keys, digital certificates, and Kerberos.
Users can select “SSH settings” from the Credentials menu and enter credentials for scanning Unix systems. These
credentials are used to obtain local information from remote Unix systems for patch auditing or compliance checks. There is
a field for entering the SSH user name for the account that will perform the checks on the target Unix system, along with
either the SSH password, SSH public key and private key pair, OpenSSH RSA and DSA digital certificates, or Kerberos
authentication. There is also a field for entering the Passphrase for the SSH key or digital certificate, if it is required.
Non-privileged users with local access on Unix systems can determine basic security issues, such as patch levels
or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or
file permissions across the entire system, an account with “root” privileges is required.
The following screen capture shows the available SSH options. The “Elevate privileges with” drop-down provides several
methods of increasing privileges once authenticated.
Public Key Encryption, also referred to as asymmetric key encryption, provides a more secure authentication mechanism by
the use of a public and private key pair. In asymmetric cryptography, the public key is used to encrypt data and the private
key is used to decrypt it. The use of public and private keys is a more secure and flexible method for SSH authentication.
Nessus supports both DSA and RSA key formats.
Like Public Key Encryption, Nessus supports RSA and DSA OpenSSH certificates. Nessus also requires the user certificate,
which is signed by a Certificate Authority (CA), and the user's private key.
Nessus supports the OpenSSH SSH public key format. Formats from other SSH applications, including PuTTY
and SSH Communications Security, must be converted to OpenSSH public key format.
The most effective credentialed scans are when the supplied credentials have “root” privileges. Since many sites do not
permit a remote login as root, Nessus can invoke “su”, “sudo”, “su+sudo”, “dzdo”, “.k5login”, or “pbrun” with a separate
password for an account that has been set up to have “su” or “sudo” privileges. In addition, Nessus can escalate privileges on
Cisco devices by selecting “Cisco ‘enable’” or “.k5login” for Kerberos logins. SSH Kerberos authentication is covered later
in this section.
The figure below illustrates configuring “sudo” in conjunction with SSH keys. For this example, the user account is
“audit”, which has been added to the /etc/sudoers file on the system to be scanned. The password provided is the
password for the “audit” account, not the root password. The SSH keys correspond with keys generated for the “audit”
account:
Nessus supports the blowfish-cbc, aes-cbc, and aes-ctr cipher algorithms. Some commercial variants of
SSH do not have support for the blowfish algorithm, possibly for export reasons. It is also possible to configure an
SSH server to only accept certain types of encryption. Check your SSH server to ensure the correct algorithm is
supported.
Nessus encrypts all passwords stored in policies. However, the use of SSH keys for authentication rather than SSH
passwords is recommended. This helps ensure that the same username and password you are using to audit your known SSH
servers is not used to attempt a log in to a system that may not be under your control.
For supported network devices, Nessus will only support the network device’s username and password for SSH
connections.
If an account other than root must be used for privilege escalation, it can be specified under the “Escalation account” with
the “Escalation password”.
There are also three Global Settings for SSH credentials:
known_hosts file (default: none): If an SSH known_hosts file is available and provided as part of the Global Settings of the scan policy in the “known_hosts file” field, Nessus will only attempt to log into hosts in this file. This can ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a login to a system that may not be under your control.
Preferred port (default: 22): This option can be set to direct Nessus to connect to SSH if it is running on a port other than 22.
Client version (default: OpenSSH_5.0): Specifies which type of SSH client Nessus will impersonate while scanning.
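As an added example (not code from Nessus or Tenable), the Python below screens a target list against a known_hosts file in the way the “known_hosts file” setting describes, so that SSH credentials are only offered to hosts already in the file; the matching rules are OpenSSH's known_hosts conventions, and the file contents and key strings are constructed sample data.

```python
"""Pre-scan target filter modelled on the "known_hosts file" Global Setting.

Added example, not Nessus code. A target is eligible for an SSH login only
if it appears in the supplied known_hosts file. Matching follows the OpenSSH
known_hosts rules: comma-separated names, '*' and '?' wildcards, '!' negation,
"[host]:port" for non-default ports, and "|1|salt|hash" hashed entries.
The known_hosts contents and key strings below are constructed sample data.
"""
import base64
import hashlib
import hmac
import re
from typing import List

SSH_DEFAULT_PORT = 22


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build the OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def _name_for_port(host: str, port: int) -> str:
    """OpenSSH records non-default ports as [host]:port."""
    return host if port == SSH_DEFAULT_PORT else "[{}]:{}".format(host, port)


def _match_pattern(name: str, pattern: str) -> bool:
    """OpenSSH-style glob: only '*' and '?' are special (no [] character classes)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def host_in_known_hosts(host: str, known_hosts: str, port: int = SSH_DEFAULT_PORT) -> bool:
    """Return True if host (at port) is named by any entry in the known_hosts text."""
    name = _name_for_port(host, port)
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker precedes the host field
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            line = parts[1]
        fields = line.split()
        if len(fields) < 3:  # need at least host, key type, key
            continue
        hostfield = fields[0]
        if hostfield.startswith("|1|"):
            _, _, salt_b64, hash_b64 = hostfield.split("|")
            salt = base64.b64decode(salt_b64)
            digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(digest, base64.b64decode(hash_b64)):
                return True
            continue
        matched = False
        for pattern in hostfield.split(","):
            if pattern.startswith("!"):
                if _match_pattern(name, pattern[1:]):
                    matched = False  # a negated match vetoes the whole entry
                    break
            elif _match_pattern(name, pattern):
                matched = True
        if matched:
            return True
    return False


def filter_targets(targets: List[str], known_hosts: str) -> List[str]:
    """Keep only the targets the policy would be allowed to log into."""
    return [t for t in targets if host_in_known_hosts(t, known_hosts)]


# Constructed known_hosts content (fake key material): a plain entry with an
# alias, a wildcard entry with a negated exception, a non-default-port entry
# and a hashed entry for 10.0.0.7 built with a fixed salt.
_SALT = bytes(range(20))
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyData"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# audited hosts, constructed example",
    "bastion.example.com,10.0.0.5 " + FAKE_KEY,
    "*.lab.example.com,!decoy.lab.example.com " + FAKE_KEY,
    "[10.0.0.6]:2222 " + FAKE_KEY,
    hashed_host_field("10.0.0.7", _SALT) + " " + FAKE_KEY,
])
```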
Kerberos, developed by MIT’s Project Athena, is a client/server application that uses a symmetric key encryption protocol. In
symmetric encryption, the key used to encrypt the data is the same as the key used to decrypt the data. Organizations deploy
a KDC (Key Distribution Center) that contains all users and services that require Kerberos authentication. Users
authenticate to Kerberos by requesting a TGT (Ticket Granting Ticket). Once a user is granted a TGT, it can be used to
request service tickets from the KDC to be able to utilize other Kerberos based services. Kerberos uses the CBC (Cipher
Block Chain) DES encryption protocol to encrypt all communications.
Note that you must already have a Kerberos environment established to use this method of authentication.
The Nessus implementation of Unix-based Kerberos authentication for SSH supports the “aes-cbc” and “aes-ctr” encryption
algorithms. An overview of how Nessus interacts with Kerberos is as follows:
- The end user gives the IP of the KDC.
- nessusd asks sshd if it supports Kerberos authentication.
- sshd says yes.
- nessusd requests a Kerberos TGT, along with login and password.
- Kerberos sends a ticket back to nessusd.
- nessusd gives the ticket to sshd.
- nessusd is logged in.
In both Windows and SSH credentials settings, you can specify credentials using Kerberos keys from a remote
system. Note that there are differences in the configurations for Windows and SSH.
The SSH settings for Kerberos authentication are:
Password: Like with other credential methods, this is the user password on the target system.
Key Distribution Center (KDC): This host supplies the session tickets for the user.
KDC Port: This option can be set to direct Nessus to connect to the KDC if it is running on a port other than 88.
KDC Transport: The KDC uses TCP by default in Unix implementations. For UDP, change this option. Note that if you need to change the KDC Transport value, you may also need to change the port, as the KDC over UDP uses either port 88 or 750 by default, depending on the implementation.
Realm: The Realm is the authentication domain, usually noted as the domain name of the target (e.g., example.com).
If Kerberos is used, sshd must be configured with Kerberos support to verify the ticket with the KDC. Reverse DNS lookups
must be properly configured for this to work. The Kerberos interaction method must be gssapi-with-mic.
SNMPv3
Users can select “SNMPv3 settings” from the Credentials menu and enter credentials for scanning systems using an
encrypted network management protocol. These credentials are used to obtain local information from remote systems,
including network devices, for patch auditing or compliance checks. There is a field for entering the SNMPv3 user name for
the account that will perform the checks on the target system, along with the SNMPv3 port, security level, authentication
algorithm and password, and privacy algorithm and password.
If Nessus is unable to guess the community string and/or password, it may not perform a full audit against the service.
User name: The username for an SNMPv3 based account.
Port: Direct Nessus to scan a different port if SNMP is running on a port other than 161.
Security level: Select the security level for SNMP: authentication, privacy, or both.
Authentication algorithm: Select MD5 or SHA1 based on which algorithm the remote service supports.
Authentication password: The password for the username specified.
Privacy algorithm: The encryption algorithm to use for SNMP traffic.
Privacy password: A password used to protect encrypted SNMP communication.
Advanced Policy Creation
If none of the available policy templates match what is desired, the Advanced Scan option allows you to create a policy with
full control over all options.
Note that there are four configuration tabs: Settings, Credentials, Compliance, and Plugins. These tabs are
described below.
Settings
The “Settings” tab enables you to name the policy and configure scan-related operations.
The “Basic” screen is used to define aspects of the policy itself. The options are under the headings “General” and
“Permissions”:
Name: Sets the name that will be displayed in the Nessus UI to identify the policy.
Description: Used to give a brief description of the scan policy, typically a summary of its overall purpose (e.g., “Web Server scans without local checks or non HTTP services”).
The permissions setting for Nessus Professional enables you to determine who has access to the policy:
Can Use: Other users can view and use the policy in their scans. They will not be able to edit the policy.
No Access: Only the user who created the policy can view, use, or edit the policy.
Nessus Manager Policy Permissions
Nessus Enterprise Cloud Policy Permissions
Nessus Manager and Nessus Enterprise Cloud provide more granular control to a policy. The permissions can be set by group
or by user. Default is the access for everyone that is not otherwise defined by user or group.
Permission
Description
Can Use
Users or groups specified here can view and use the policy in their scans. They will not be able to
edit the policy.
Can Edit
Users or groups specified here can make changes to the policy and can use the policy.
No Access
Any users or groups specified here cannot view, use, or edit the policy.
Discovery Settings
The “Discovery” screen controls options related to discovery and port scanning including the port ranges and methods. The
options are under the headings “Host Discovery”, “Port Scanning”, and “Service Discovery”.
The “Ping the remote host” options allow for granular control over Nessus’ ability to ping hosts during discovery scanning.
Toggling the Ping the remote host switch will enable the ping options listed below. Otherwise, the options will
not be enabled or be visible in the UI.
The following are ping options under “Host Discovery”:
Ping the remote host (default: Enabled): This option enables Nessus to ping remote hosts on multiple ports to determine if they are alive. When selected, this will enable other pinging options.
Test the local Nessus host (default: Enabled): If Ping the remote host is enabled, this option is enabled by default for this policy. This option allows you to include or exclude the local Nessus host from the scan. This is used when the Nessus host falls within the target network range for the scan.
Fast network discovery (default: Disabled): If Ping the remote host is enabled, you will be able to see this option. By default, this option is not enabled. When Nessus “pings” a remote IP and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer on every port 1-65535 even when there is no service behind the device). Such checks can take some time, especially if the remote host is firewalled. If the “fast network discovery” option is enabled, Nessus will not perform these checks.
ARP (default: Enabled): Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.
TCP (default: Enabled): Ping a host using TCP.
Destination ports (TCP) (default: Built-in): Destination ports can be configured to use specific ports for TCP ping. This specifies the list of ports that will be checked via TCP ping. If you are not sure of the ports, leave this setting at the default of “built-in”.
ICMP (default: Enabled): Ping a host using the Internet Control Message Protocol (ICMP).
Assume ICMP unreachable from the gateway means the host is down (default: Disabled): When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When this option is enabled and Nessus receives an ICMP Unreachable message, it will consider the targeted host dead. This is to help speed up discovery on some networks. Note that some firewalls and packet filters use this same behavior for hosts that are up but are connecting to a port or protocol that is filtered. With this option enabled, this will lead to the scan considering the host down when it is indeed up.
Number of Retries (ICMP) (default: 2): Allows you to specify the number of attempts to try to ping the remote host. The default is two attempts.
UDP (default: Disabled): Ping a host using the User Datagram Protocol (UDP). UDP is a “stateless” protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.
To scan VMware guest systems, “Ping the remote host” must be disabled.
Other Host Discovery options include scanning fragile devices, Wake-on-LAN, and network type. Those options are
described below:
Fragile devices (default: Disabled): The “Fragile Devices” menu offers two options that instruct the Nessus scanner not to scan hosts that have a history of being “fragile”, or prone to crashing when receiving unexpected input. Users can select either “Scan Network Printers” or “Scan Novell Netware hosts” to instruct Nessus to scan those particular devices. Nessus will only scan these devices if these options are checked. It is recommended that scanning of these devices be performed in a manner that allows IT staff to monitor the systems for issues.
Wake-on-LAN (default: Disabled): The “Wake-on-LAN” (WOL) menu controls which hosts to send WOL magic packets to before performing a scan and how long to wait (in minutes) for the systems to boot. The list of MAC addresses for WOL is entered using an uploaded text file with one host MAC address per line. For example:
00:11:22:33:44:55
aa:bb:cc:dd:ee:ff
Network Type (default: Mixed): Allows you to specify if you are using publicly routable IPs, private non-Internet routable IPs, or a mix of these. Select “Mixed” if you are using RFC 1918 addresses and have multiple routers within your network.
Port scanning options define how the port scanner will behave and which ports to scan.
Consider Unscanned Ports as Closed (default: Disabled): If a port is not scanned with a selected port scanner (e.g., out of the range specified), Nessus will consider it closed.
Port Scan Range (default: Default): Directs the scanner to target a specific range of ports. Accepts “default” (a list of approximately 4,790 common ports found in the nessus-services file), “all” (scans all ports from 0-65535), or a custom list of ports specified by the user. The custom list may contain individual ports and ranges; for example, “21,23,25,80,110” and “1-1024,8080,9000-9200” are valid values. Specifying “1-65535” will scan all ports. See the port scan range section below for more details.
The Port Scan Range option directs the scanner to target a specific range of ports. The following values are allowed:
“default”: Using the keyword “default”, Nessus will scan approximately 4,790 common ports. The list of ports can be found in the nessus-services file.
“all”: Using the keyword “all”, Nessus will scan via a plugin all 65,536 ports, including port 0.
Custom List: A custom range of ports can be selected by using a comma-delimited list of ports or port ranges. For example, “21,23,25,80,110” or “1-1024,8080,9000-9200” are allowed. Specifying “1-65535” will scan all ports. You may also specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would specify “T:1-1024,U:300-500”. You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol (“1-1024,T:1024-65535,U:1025”). If you are scanning a single protocol, select only that port scanner and specify the ports normally.
The range specified for a port scan will be applied to both TCP and UDP scans.
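As an added example (not code from Nessus or Tenable), the Python below parses the Port Scan Range syntax described above, including the “default” and “all” keywords and the per-protocol “T:” and “U:” prefixes, and returns the TCP and UDP port sets the policy would scan; the stand-in for the nessus-services list is a small constructed sample, since the real list of roughly 4,790 ports is not reproduced here.

```python
"""Parser for the Nessus "Port Scan Range" syntax described in the guide.

Added example, not Nessus code. Accepts the keywords "default" and "all",
comma-delimited ports and ranges, and the per-protocol "T:" / "U:" prefixes,
and returns the set of TCP and UDP ports the policy would scan. "default"
is resolved from a constructed stand-in for the nessus-services list.
"""
from typing import Dict, Set

# Constructed stand-in for the nessus-services list shipped with Nessus.
DEFAULT_PORTS_SAMPLE = {21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080}

MAX_PORT = 65535


def _expand_item(item: str) -> Set[int]:
    """Expand a single port ("80") or a range ("1-1024") into a set of ints."""
    item = item.strip()
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo, hi = int(lo_s), int(hi_s)
    else:
        lo = hi = int(item)
    if not (0 <= lo <= hi <= MAX_PORT):
        raise ValueError("port range out of bounds: {!r}".format(item))
    return set(range(lo, hi + 1))


def parse_port_scan_range(spec: str) -> Dict[str, Set[int]]:
    """Return {"tcp": set, "udp": set} for a Port Scan Range value.

    "default" -> the nessus-services list (sample here), applied to both
                 protocols
    "all"     -> every port 0-65535, including port 0
    Items without a prefix apply to both protocols; "T:" restricts an item
    to TCP and "U:" to UDP, as in "T:1-1024,U:300-500" and
    "1-1024,T:1024-65535,U:1025" from the guide.
    """
    spec = spec.strip().lower()
    if spec == "default":
        ports = set(DEFAULT_PORTS_SAMPLE)
        return {"tcp": ports, "udp": set(ports)}
    if spec == "all":
        ports = set(range(0, MAX_PORT + 1))
        return {"tcp": ports, "udp": set(ports)}

    result = {"tcp": set(), "udp": set()}  # type: Dict[str, Set[int]]
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing or doubled comma
        if raw.startswith("t:"):
            result["tcp"] |= _expand_item(raw[2:])
        elif raw.startswith("u:"):
            result["udp"] |= _expand_item(raw[2:])
        else:
            ports = _expand_item(raw)
            result["tcp"] |= ports
            result["udp"] |= ports
    return result
```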
The local port scanners use netstat and SNMP to detect services. The options are listed below:
SSH (netstat) (default: Enabled): This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Unix-based systems and requires authentication credentials.
WMI (netstat) (default: Enabled): This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target. This scan is intended for Windows-based systems and requires authentication credentials. A WMI based scan uses netstat to determine open ports, thus ignoring any port ranges specified. If any port enumerator (netstat or SNMP) is successful, the port range becomes “all”. However, Nessus will still honor the “consider unscanned ports as closed” option if selected.
SNMP (default: Enabled): Direct Nessus to scan targets for a Simple Network Management Protocol (SNMP) service. Nessus will attempt to guess relevant SNMP settings during a scan. If the settings are provided by the user (under “Credentials”), this will allow Nessus to better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.
Only run network port scanners if local port enumeration failed (default: Enabled): Rely on local port enumeration first before relying on network port scans.
Verify open TCP ports found by local port enumerators (default: Disabled): If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).
The remote port scanners use TCP, SYN, and UDP packets to scan for open ports on a target. The options are listed below:
TCP (default: Disabled): Use Nessus’ built-in Transmission Control Protocol (TCP) scanner to identify open TCP ports on the targets. This scanner is optimized and has some self-tuning features. On some platforms (e.g., Windows and Mac OS X), selecting this scanner will cause Nessus to use the SYN scanner to avoid serious performance issues native to those operating systems.
SYN (default: Enabled): Use Nessus’ built-in SYN scanner to identify open TCP ports on the targets. SYN scans are a popular method for conducting port scans and generally considered to be a bit less intrusive than TCP scans, depending on the security monitoring device such as a firewall or Intrusion Detection System (IDS). The scanner sends a SYN packet to the port, waits for a SYN-ACK reply, and determines port state based on a reply, or lack of reply.
UDP (default: Disabled): This option engages Nessus’ built-in UDP scanner to identify open UDP ports on the targets. Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the netstat or SNMP port enumeration options instead if possible.
Nessus TCP and SYN scanner options allow you to better tune the native SYN and TCP scanners to detect the presence of a
firewall. By default, the TCP and SYN scanners can help identify whether a firewall is located between the scanner and the target.
Use aggressive detection: Will attempt to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network.
Use soft detection: Disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device.
Disable detection: Disables the Firewall detection feature.
Toggling the Search for SSL based services switch will enable the service discovery options listed below.
Otherwise, they will not be visible.
The Service Discovery section sets options that attempt to map each open port with the service that is running on that port.
There is a possibility that probing may disrupt servers or cause unforeseen side effects.
Under General Settings, you can set up probing all ports to find any services that are running.
Probe all ports to find services (default: Enabled): Attempts to map each open port with the service that is running on that port. Note that in some rare cases, this might disrupt some services and cause unforeseen side effects.
Search for SSL based services (default: Enabled): The Search for SSL based services option controls how Nessus will test SSL based services. If selected, choose between Known SSL ports (e.g., 443) and All ports. Testing for SSL capability on all ports may be disruptive for the tested host.
If Search for SSL based services is enabled, the following options are available:
Enumerate all SSL ciphers (default: Enabled): When Nessus performs an SSL scan, it tries to determine the SSL ciphers used by the remote server by attempting to establish a connection with each different documented SSL cipher, regardless of what the server says is available.
Enable CRL checking (connects to Internet) (default: Disabled): Direct Nessus to check SSL certificates against known Certificate Revocation Lists (CRL).
Assessment Settings
The “Assessment” screen controls the evaluation options commonly used in security assessments. The options are under the headings
“General”, “Brute Force”, “SCADA”, “Web Applications”, and “Windows”.
The following settings are under the General section. The “Accuracy” options allow for granular control of false alarm
reports and running thorough tests in a scan.
Override normal accuracy (default: Disabled): In some cases, Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to “Show potential false alarms”, then a flaw will be reported every time, even when there is doubt about the remote host being affected. Conversely, a paranoia setting of “Avoid potential false alarms” will cause Nessus not to report any flaw whenever there is a hint of uncertainty about the remote host. Not enabling “Override normal accuracy” is a middle ground between these two settings.
Perform thorough tests (may disrupt your network or impact scan speed) (default: Disabled): Causes various plugins to “work harder”. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially providing better audit results.
The “Antivirus” option allows for controlling antivirus settings in the scan.
Antivirus definition grace period (in days): Configure the delay of the Antivirus software check for a set number of days (0-7). The “Antivirus Software Check” menu allows you to direct Nessus to allow for a specific grace time in reporting when antivirus signatures are considered out of date. By default, Nessus will consider signatures out of date regardless of how long ago an update was available (e.g., “a few hours ago”). This can be configured to allow for up to 7 days before reporting them out of date.
The “SMTP settings” menu specifies options for Simple Mail Transport Protocol (SMTP) tests that run on all devices within
the scanned domain that are running SMTP services. Nessus will attempt to relay messages through the device to the
specified “Third party domain”. If the message sent to the “Third party domain” is rejected by the address specified in the
“To address” field, the spam attempt failed. If the message is accepted, then the SMTP server was successfully used to relay
spam.
Third party domain: Nessus will attempt to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test may be aborted by the SMTP server.
From address: The test messages sent to the SMTP server(s) will appear as if they originated from the address specified in this field.
To address: Nessus will attempt to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.
Copyright © 2015. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
SecurityCenter is a trademark of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.
53
The “Brute Force” options allow for granular control of accounts for brute force scans. The “Default Accounts” options
relate to how the scanner tests possible default accounts.
Option: Only use credentials provided by the user
Default: Enabled
In some cases, Nessus can test default accounts and known default passwords. By default, this is enabled. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application.

Option: Test default Oracle accounts (slow)
Default: Disabled
Test for known default accounts in Oracle software.
The “SCADA” settings menu specifies options for Supervisory Control And Data Acquisition (SCADA) tests that run on all
devices within the scanned domain that are running SCADA services. The Nessus vulnerability scanner performs both
uncredentialed and credentialed scans of SCADA systems for a wide range of vulnerabilities for commercial customers.
Settings for SCADA plugins are listed below:
Option: Modbus/TCP Coil Access
The “Modbus/TCP Coil Access” options are available for commercial users. This drop-down menu item is dynamically generated by the SCADA plugins available with the commercial version of Nessus. Modbus uses a function code of 1 to read “coils” in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a “write coil” message. The defaults for this are “0” for the “Start reg” and “16” for the “End reg”.

Option: ICCP/COTP TSAP Addressing Weakness
The “ICCP/COTP TSAP Addressing” menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values. The start and stop values are set to “8” by default.
Web Applications
The “Web Applications” menu tests the arguments of the remote CGIs (Common Gateway Interface) discovered in the web mirroring process by attempting to trigger common CGI programming errors such as cross-site scripting, remote file inclusion, command execution, traversal attacks, and SQL injection. Enable this option by selecting the “Scan web applications” checkbox. These tests are dependent on the following NASL plugins:

- 11139, 42424, 42479, 42426, 42427, 43160, 51973 – SQL Injection (CGI abuses)
- 39465, 44967, 51528 – Command Execution (CGI abuses)
- 39466, 47831, 42425, 46193, 49067, 51972, 51529, 52483, 55904 – Cross-Site Scripting (CGI abuses: XSS)
- 39467, 46195, 46194, 50494 – Directory Traversal (CGI abuses)
- 39468 – HTTP Header Injection (CGI abuses: XSS)
- 39469, 42056, 42872 – File Inclusion (CGI abuses)
- 42055 – Format String (CGI abuses)
- 42423, 42054 – Server Side Includes a.k.a. SSI (CGI abuses)
- 44136 – Cookie Manipulation (CGI abuses)
- 46196 – XML Injection (CGI abuses)
- 40406, 48926, 48927 – Error Messages
- 56245 – XPath Injection
- 47830, 47832, 47834, 44134 – Additional attacks (CGI abuses)
This list of web application related plugins is updated frequently and may not be complete. Additional plugins
may be dependent on the settings in this preference option.
Toggling the “Scan web applications” switch enables all the web application scanning options listed below. Otherwise, they are neither enabled nor visible in the UI.
The following settings are under the General section and affect all web application scanning.
Option: Use the cloud to take screenshots of public webservers
Default: Disabled
This option enables Nessus to take screenshots to better demonstrate some findings. This includes some services (e.g., VNC, RDP) as well as configuration specific options (e.g., web server directory indexing). The feature only works for Internet-facing hosts, as the screenshots are generated on a managed server and sent to the Nessus scanner.
For example, if Nessus discovers Virtual Network Computing (VNC) running without a password to restrict access, a screenshot will be taken to show the session and included in the report. In the example below, a VNC was discovered where the login screen shows the administrator logged in to the system:
Note that screenshots are not exported with a Nessus scan report.

Option: Use a custom User-Agent
Default: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Specifies which type of web browser Nessus will impersonate while scanning.
The “Web Crawler” options set configuration parameters for Nessus’ native web server content mirroring utility. Nessus will
mirror web content to better analyze the content for vulnerabilities and help minimize the impact on the web server.
If the web crawling parameters are set in such a way to crawl an entire web site, this may cause a significant
amount of traffic to be generated during the scan. For example, if there is 1 gigabyte of material on a web server
and Nessus is configured to mirror everything, then the scan will generate at least 1 gigabyte of traffic from the
server to the Nessus scanner.
Option: Start crawling from
Default: /
The URL of the first page that will be tested. If multiple pages are required, use a colon delimiter to separate them (e.g., “/:/php4:/base”).

Option: Excluded pages (regex)
Default: /server_privileges\.php|logout
Enable exclusion of portions of the web site from being crawled. For example, to exclude the “/manual” directory and all Perl CGI, set this field to: (^/manual)|(\.pl(\?.*)?$). Nessus supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).

Option: Maximum pages to crawl
Default: 1000
The maximum number of pages to crawl.

Option: Maximum depth to crawl
Default: 6
Limit the number of links Nessus will follow for each start page.

Option: Follow dynamic pages
Default: Disabled
If selected, Nessus will follow dynamic links and may exceed the parameters set above.
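To make the crawler scope settings concrete, the following added example (not Nessus code; the site map and start list are constructed, and Python's re module stands in for the PCRE support the table mentions) applies the colon-delimited start list, the exclusion regex from the table, and the page and depth limits to a constructed site map:

```python
import re

# Constructed sample of the crawler settings described in the table above.
START_PAGES = "/:/php4:/base"                    # "Start crawling from", colon delimited
EXCLUDED_REGEX = r"(^/manual)|(\.pl(\?.*)?$)"    # "Excluded pages (regex)" example from the guide
MAX_DEPTH = 6
MAX_PAGES = 1000


def parse_start_pages(value):
    """Split the colon-delimited start list into individual paths."""
    return [p for p in value.split(":") if p]


def is_excluded(path, pattern=EXCLUDED_REGEX):
    """True when a discovered path matches the exclusion regex (re.search, as PCRE would)."""
    return re.search(pattern, path) is not None


def plan_crawl(links, start_pages=START_PAGES, pattern=EXCLUDED_REGEX,
               max_depth=MAX_DEPTH, max_pages=MAX_PAGES):
    """Breadth-first walk over a constructed site map, honouring the three limits.

    links maps a path to the paths it links to. Returns the ordered list of paths
    the crawler would fetch. Excluded paths are never fetched, so anything linked
    only from them is never discovered either.
    """
    queue = [(p, 0) for p in parse_start_pages(start_pages)]
    seen, order = set(), []
    while queue and len(order) < max_pages:
        path, depth = queue.pop(0)
        if path in seen or is_excluded(path, pattern):
            continue
        seen.add(path)
        order.append(path)
        if depth < max_depth:
            queue.extend((child, depth + 1) for child in links.get(path, []))
    return order


# Constructed site map: "/" links to the manual, a login page and a Perl CGI.
SITE = {
    "/": ["/manual/", "/login.php", "/cgi-bin/search.pl"],
    "/manual/": ["/manual/secret"],
    "/login.php": ["/admin.php"],
}

if __name__ == "__main__":
    print(plan_crawl(SITE, "/"))   # the manual and the Perl CGI are skipped
```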
The “Application Test Settings” options set further refined configuration parameters for Nessus’ native web server content
mirroring utility. Nessus will mirror web content to better analyze the contents for vulnerabilities and help minimize the
impact on the server.
Option: Enable generic web application tests
Default: Disabled
Enables the options listed below.

Option: Abort web application tests if HTTP login fails
Default: Disabled
If Nessus cannot log in to the target via HTTP, then do not run any web application tests.

Option: Try all HTTP methods
Default: Disabled
This option will instruct Nessus to also use “POST requests” for enhanced web form testing. By default, the web application tests will only use GET requests, unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. When selected, Nessus will test each script/variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Option: Attempt HTTP Parameter Pollution
Default: Disabled
When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like “/target.cgi?a='&b=2”. With HTTP Parameter Pollution (HPP) enabled, the request may look like “/target.cgi?a='&a=1&b=2”.

Option: Test embedded web servers
Default: Disabled
Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.
Option: Test more than one parameter at a time per form
Default: Disabled
This option manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying “non-attack” variations for additional parameters. For example, Nessus would attempt “/test.php?arg1=XSS&b=1&c=1” where “b” and “c” allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated. This drop-down has four options:
- Test random pairs of parameters – This form of testing will randomly check a combination of random pairs of parameters. This is the fastest way to test multiple parameters.
- Test all pairs of parameters (slow) – This form of testing is slightly slower but more efficient than the “one value” test. While testing multiple parameters, it will test an attack string, variations for a single variable and then use the first value for all other variables. For example, Nessus would attempt “/test.php?a=XSS&b=1&c=1&d=1” and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Nessus would never test for “/test.php?a=XSS&b=3&c=3&d=3” when the first value of each variable is “1”.
- Test random combinations of three or more parameters (slower) – This form of testing will randomly check a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Note that increasing the amount of combinations by three or more increases the web application test time.
- Test all combinations of parameters (slowest) – This method of testing will do a fully exhaustive test of all possible combinations of attack strings with valid input to variables. Where “All-pairs” testing seeks to create a smaller data set as a tradeoff for speed, “all combinations” makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.

Option: Do not stop after first flaw is found per web page
Default: Disabled
This option determines when a new flaw is targeted. This applies at the script level; finding an XSS flaw will not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port, unless “thorough tests” is set. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may be reported sometimes, if they were caught by the same attack. The drop-down has four options:
- Stop after one flaw is found per web server (fastest) – As soon as a flaw is found on a web server by a script, Nessus stops and switches to another web server on a different port.
- Stop after one flaw is found per parameter (slow) – As soon as one type of flaw is found in a parameter of a CGI (e.g., XSS), Nessus switches to the next parameter of the same CGI, or the next known CGI, or to the next port/server.
- Look for all flaws (slowest) – Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.
Option: URL for Remote File Inclusion
Default: http://rfi.nessus.org/rfi.txt
During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Nessus will use a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.

Option: Maximum run time (min)
Default: 5
This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications will typically complete in under an hour, however web sites with large applications may require a higher value.
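The parameter-combination modes described under “Test more than one parameter at a time per form” trade coverage for request count. This added example (not Nessus code; the parameter names, the observed values and the ATTACK placeholder are constructed) generates the request sets for the default mode, the “all pairs” mode and the “all combinations” mode so that the growth in test volume can be estimated before a scan is scheduled:

```python
from itertools import product

ATTACK = "ATTACK"  # placeholder for whatever test string a plugin would inject


def _unique(requests):
    """Drop duplicate requests while keeping first-seen order."""
    seen, out = set(), []
    for req in requests:
        key = tuple(req.values())
        if key not in seen:
            seen.add(key)
            out.append(req)
    return out


def one_parameter_at_a_time(values):
    """Default mode: one parameter carries the attack string, every other parameter
    keeps the first value observed during mirroring."""
    names = list(values)
    return [{n: (ATTACK if n == target else values[n][0]) for n in names}
            for target in names]


def all_pairs(values):
    """“Test all pairs of parameters”: one parameter carries the attack string, one
    other parameter is cycled through all of its observed values, the rest keep
    their first value."""
    names = list(values)
    requests = []
    for target in names:
        for cycled in names:
            if cycled == target:
                continue
            for v in values[cycled]:
                requests.append({n: (ATTACK if n == target else v if n == cycled else values[n][0])
                                 for n in names})
    return _unique(requests)


def all_combinations(values):
    """“Test all combinations of parameters”: for each attacked parameter, the full
    product of every observed value of every other parameter."""
    names = list(values)
    requests = []
    for target in names:
        others = [n for n in names if n != target]
        for combo in product(*(values[n] for n in others)):
            chosen = dict(zip(others, combo))
            chosen[target] = ATTACK
            requests.append({n: chosen[n] for n in names})
    return requests


def as_query(request, script="/test.php"):
    """Render a request the way the guide writes them, e.g. /test.php?a=ATTACK&b=1&c=1&d=1."""
    return script + "?" + "&".join(f"{k}={v}" for k, v in request.items())


# Constructed example: four parameters, each seen with values 1, 2 and 3 during mirroring.
OBSERVED = {"a": [1, 2, 3], "b": [1, 2, 3], "c": [1, 2, 3], "d": [1, 2, 3]}

if __name__ == "__main__":
    for label, fn in [("one at a time", one_parameter_at_a_time),
                      ("all pairs", all_pairs),
                      ("all combinations", all_combinations)]:
        reqs = fn(OBSERVED)
        print(f"{label}: {len(reqs)} requests, e.g. {as_query(reqs[0])}")
```

With the constructed values the counts are 4, 28 and 108 requests, and “/test.php?a=ATTACK&b=3&c=3&d=3” appears only in the exhaustive set, matching the guide's description.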
The “Windows” options allow you to fine tune the scope of Windows scans.
The following options affect the SMB scope for Windows targets.

Option: Request information about the SMB Domain
Default: Enabled
If the option “Request information about the domain” is set, then domain users will be queried instead of local users.

The following settings control how Nessus enumerates users in the domain or on the local system:

Option: Enumerate Domain Users
The “Enumerate Domain Users” menu specifies the SID range to use to perform a reverse lookup on usernames on the domain. The default setting is recommended for most scans. The default values are 1000 for Start UID and 1200 for End UID.

Option: Enumerate Local Users
The “Enumerate Local Users” menu specifies the SID range to use to perform a reverse lookup on local usernames. The default setting is recommended. The default values are 1000 for Start UID and 1200 for End UID.
The “Malware” option allows you to specify a list of additional MD5 hashes that Nessus will use to scan a system for known
malware, as well as a list of known good hashes to reduce false positives. This list is used by the plugin “Malicious Process
Detection: User Defined Malware Running” (Plugin ID 65548), which functions like Tenable’s “Malicious Process Detection”
(Plugin ID 59275).
Option: Provide your own list of known bad MD5 hashes
Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description will show up in the scan results. Standard hash-delimited comments (e.g., #) can optionally be used in addition to the comma-delimited ones.

Option: Provide your own list of known good MD5 hashes
Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description will show up in the scan results. Standard hash-delimited comments (e.g., #) can optionally be used in addition to the comma-delimited ones.

Option: Hosts file whitelist
Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910 titled “Compromised Windows System (hosts File Check)”). This option allows you to upload a file containing a list of hostnames that will be ignored by Nessus during a scan. Include one hostname per line in a regular text file.
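The upload format for the known-bad and known-good lists, as an added example (not Tenable's plugin code): a parser that accepts the comma-separated descriptions and # comments described above, rejects malformed lines instead of guessing, and is applied to a constructed set of process images. The hashes are MD5s of short test strings, not real indicators, and the rule that a known-good entry suppresses a known-bad match is an assumption the guide does not spell out.

```python
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample lists in the upload format: one MD5 per line, an optional
# ",description" after the hash, and "#" comments. The hashes are MD5s of short
# test strings standing in for malware sample hashes; they are not real indicators.
BAD_1 = hashlib.md5(b"hello").hexdigest()
BAD_2 = hashlib.md5(b"world").hexdigest().upper()   # upper case to show normalisation
KNOWN_BAD = f"""\
# constructed known-bad list
{BAD_1},test loader
{BAD_2} , test dropper   # trailing comment after the description
deadbeef,this malformed line is rejected
"""
KNOWN_GOOD = f"""\
# constructed known-good list: an approved build that shares a hash with a bad entry
{BAD_2.lower()},approved internal build
"""


def parse_hash_list(text):
    """Parse one uploaded list into ({md5: description}, [rejected line numbers])."""
    entries, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop hash-delimited comments
        if not line:
            continue                              # blank or comment-only line
        digest, _, description = line.partition(",")
        digest = digest.strip().lower()
        if not MD5_RE.match(digest):
            rejected.append(lineno)               # not 32 hex digits: report, do not guess
            continue
        entries[digest] = description.strip()
    return entries, rejected


def check_processes(images, bad, good):
    """Hash each process image (name -> bytes) and return known-bad matches as
    (name, md5, description). Assumption: a known-good entry suppresses a match,
    since the good list exists to cut false positives."""
    findings = []
    for name, data in images.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in good:
            continue
        if digest in bad:
            findings.append((name, digest, bad[digest]))
    return findings


# Constructed process table for the demonstration.
PROCESSES = {"svchost.exe": b"hello", "updater.exe": b"world", "notepad.exe": b"benign"}

if __name__ == "__main__":
    bad, rejected = parse_hash_list(KNOWN_BAD)
    good, _ = parse_hash_list(KNOWN_GOOD)
    print("rejected lines:", rejected)
    for finding in check_processes(PROCESSES, bad, good):
        print("known-bad process:", finding)
```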
Report
The “Report” section affects report processing and output.
The “Report processing” options affect the overall plugin information to be included in a report.
Option: Override normal verbosity
Default: Disabled
“I have limited disk space. Report as little information as possible” will provide less information about plugin activity in the report to minimize impact on disk space. “Report as much information as possible” will provide more information about plugin activity in the report.

Option: Show missing patches that have been superseded
Default: Disabled
This option allows you to configure Nessus to include or remove superseded patch information in the scan report. This option is off by default, except for policies created using the Internal PCI Network Scan template in the Policy Library.

Option: Hide results from plugins initiated as a dependency
Default: Enabled
If this option is checked, the list of dependencies is not included in the report. If you want to include the list of dependencies in the report, uncheck the box.
The “Report output” options affect the results of the report.
Option: Allow users to edit scan results
Default: Enabled
This feature allows users to delete items from the report when checked. When performing a scan for regulatory compliance or other types of audits, uncheck this to show that the scan was not tampered with.

Option: Designate hosts by their DNS name
Default: Disabled
Use the host name rather than IP address for report output.

Option: Display hosts that respond to ping
Default: Disabled
Select this option to specifically report on the ability to successfully ping a remote host.

Option: Display unreachable hosts
Default: Disabled
If this option is selected, hosts that did not reply to the ping request will be included in the security report as dead hosts.
Advanced
The “Advanced” section contains a wide variety of configuration options to offer more granular control of how the scanner
operates.
The “General” menu further defines options related to how the scan should behave:
Option: Enable Safe Checks
Default: Enabled
Enable Safe Checks disables all plugins that may have an adverse effect on the remote host.

Option: Log Scan Details to Server
Default: Disabled
Save additional details of the scan to the Nessus server log (nessusd.messages) including plugin launch, plugin completion, or if a plugin is killed. The resulting log can be used to confirm that particular plugins were used and hosts were scanned.

Option: Stop scanning hosts that become unresponsive during the scan
Default: Disabled
If checked, Nessus will stop scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (e.g., IDS) has begun to block traffic to a server. Continuing scans on these machines will send unnecessary traffic across the network and delay the scan.

Option: Scan IP addresses in a random order
Default: Disabled
By default, Nessus scans a list of IP addresses in sequential order. If checked, Nessus will scan the list of hosts in a random order. This is typically useful in helping to distribute the network traffic directed at a particular subnet during large scans.
Before July 2013, this option worked on a per-subnet basis. This feature has since been enhanced to randomize across the entire target IP space.
The “Performance” options control how many scans will be launched. These options are perhaps the most important when
configuring a scan as they have the biggest impact on scan times and network activity.
Option: Slow down the scan when network congestion is detected
Default: Disabled
This enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity. If detected, Nessus will throttle the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Nessus will automatically attempt to use the available space within the network pipe again.

Option: Use Linux kernel congestion detection
Default: Disabled
Enables Nessus to monitor the CPU and other internal workings for congestion and scale back accordingly. Nessus will always attempt to use as much of each resource as is available. This feature is only available for Nessus scanners deployed on Linux.

Option: Network timeout (in seconds)
Default: 5
Set to five seconds by default. This is the time that Nessus will wait for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may wish to set this to a higher number of seconds.

Option: Max simultaneous checks per host
Default: 5
This setting limits the maximum number of checks a Nessus scanner will perform against a single host at one time.

Option: Max simultaneous hosts per scan
Default: 30
This setting limits the maximum number of hosts that a Nessus scanner will scan at the same time.

Option: Max number of concurrent TCP sessions per host
Default: none
This setting limits the maximum number of established TCP sessions for a single host.
This TCP throttling option also controls the number of packets per second the SYN scanner will eventually send (e.g., if this option is set to 15, the SYN scanner will send 1500 packets per second at most).

Option: Max number of concurrent TCP sessions per scan
Default: none
This setting limits the maximum number of established TCP sessions for the entire scan, regardless of the number of hosts being scanned.
For Nessus scanners installed on Windows XP, Vista, 7, and 8 hosts, this value must be set to 19 or less to get accurate results.
The following options define General settings:
Option: Enable Safe Checks
Default: Enabled
Safe Checks will disable all plugins that may have an adverse effect on the remote host.

Option: Log Scan Details to Server
Default: Disabled
Save additional details of the scan to the Nessus server log (nessusd.messages) including plugin launch, plugin finish or if a plugin is killed. The resulting log can be used to confirm that particular plugins were used and hosts were scanned.

Option: Stop scanning hosts that become unresponsive during the scan
Default: Disabled
If checked, Nessus will stop scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (e.g., IDS) has begun to block traffic to a server. Continuing scans on these machines will send unnecessary traffic across the network and delay the scan.

Option: Scan IP addresses in a random order
Default: Disabled
By default, Nessus scans a list of IP addresses in sequential order. If checked, Nessus will scan the list of hosts in a random order. This is typically useful in helping to distribute the network traffic directed at a particular subnet during large scans.
The following options define Performance options:
Option: Slow down the scan when network congestion is detected
Default: none
This enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity. If detected, Nessus will throttle the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Nessus will automatically attempt to use the available space within the network pipe again.

Option: Use Linux kernel congestion detection
Default: none
Enables Nessus to monitor the CPU and other internal workings for congestion and scale back accordingly. Nessus will always attempt to use as much resource as is available. This feature is only available for Nessus scanners deployed on Linux.

Option: Network timeout (in seconds)
Default: 5
Set to five seconds by default. This is the time that Nessus will wait for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may wish to set this to a higher number of seconds.

Option: Max simultaneous checks per host
Default: 5
This setting limits the maximum number of checks a Nessus scanner will perform against a single host at one time.

Option: Max simultaneous hosts per scan
Default: 30
This setting limits the maximum number of hosts that a Nessus scanner will scan at the same time.

Option: Max number of concurrent TCP sessions per host
Default: none
This setting limits the maximum number of established TCP sessions for a single host.
This TCP throttling option also controls the number of packets per second the SYN scanner will eventually send (e.g., if this option is set to 15, the SYN scanner will send 1500 packets per second at most).

Option: Max number of concurrent TCP sessions per scan
Default: none
This setting limits the maximum number of established TCP sessions for the entire scan, regardless of the number of hosts being scanned.
For Nessus scanners installed on Windows 7 and 8 hosts, this value must be set to 19 or less to get accurate results.
Mobile Device Management
Mobile device penetration has reached an all-time high, as both individuals and corporations become more reliant on them to
conduct their affairs. An entire market has quickly evolved, centered on “Bring Your Own Device” (BYOD) security and
integration. Like it or not, and know it or not, mobile devices are increasingly being connected to corporate networks. In
some cases, such connections may seem like a harmless activity such as charging a battery. In reality, simply charging the
device is often performed via USB connection, and doing so may bridge the device with the computer.
Active scanning cannot always detect mobile devices on the network directly since the devices are not always active on the
network. There are several approaches that can be taken to identify mobile devices connecting to the network. One is to
leverage a Mobile Device Management (MDM) console, which will contain a lot of useful information about mobile devices
on the network. The drawback to this approach is the reason the issue is called “Bring Your Own Device”; the device is often
a personal device that is not enrolled in the MDM system.
A better approach is to leverage information obtained from devices that connect to Microsoft Exchange servers. Basically,
any employees who self-enroll with ActiveSync are sending their mobile OS version and other information back to the
Exchange server. This provides a non-intrusive method to obtain the device type and OS version. Since Exchange is so widely
deployed, the information is already available in many infrastructures. The drawback to this approach is that the information
obtained is less granular than what is available on an MDM.
With Nessus Manager, the Nessus “Mobile Devices” plugin family provides the ability to obtain information from devices
registered in a MDM and from Active Directory servers that contain information from MS Exchange servers. This currently
includes Apple iPhone, Apple iPad, Windows Phone, and Android devices that supply version information, and have “checked
in” to their respective servers in the last year (365 days).
The Nessus scanner must be able to reach the mobile device management (MDM) servers to query for
information. You must ensure no screening devices block traffic to these systems from the Nessus scanner. In
addition, Nessus must be given administrative credentials (e.g., domain administrator) to the Active Directory
servers.
To scan for mobile devices, Nessus must be configured with authentication information for the management server and the
mobile plugins of interest. Since Nessus authenticates directly to the management servers, a scan policy does not need to be
configured to scan specific hosts.
Creating a Scan
In order to scan a mobile system, create a new policy and select the “Mobile Device Scan” policy wizard. It will ask the basic
information required to perform the scan and auto-create the rest of the policy. The wizard will also let you control report
verbosity, scan result sharing, and input credentials to access the mobile device manager.
For ActiveSync scans that access data from Microsoft Exchange servers, Nessus will retrieve information from phones that have
been updated in the last 365 days.
Plugins and Policy Preferences
Mobile device policies can also be created with the “Advanced Scan” template.
To scan mobile device management servers, authentication credentials are established in the “Credentials” tab and the
“Mobile” sub-heading of an “Advanced Scan”, or Step 2 of the Mobile Scan policy wizard. Your scan policy does not need to
be configured to scan any ports or use any port scanners.
Mobile Device Management Credentials
For “Apple Profile Manager API Settings”, “AirWatch API Settings”, “Good MDM Settings”, and “MobileIron”, host devices do
not need to be scanned directly to obtain information about them. The Nessus scanner must be able to reach the mobile device
management (MDM) server to query it for information. When any of these options is configured, the scan policy does not
require a target host to scan; you can target “localhost” and the policy will still reach out to the MDM server for information.
AirWatch
“AirWatch” allows Nessus to query the AirWatch API, using the specified credentials and API key, to gather information
about the mobile devices it manages. This feature does not require any ports to be specified in the scan policy. Optionally,
communications over SSL can be specified, as well as verification of the SSL certificate.
Option | Default | Description
AirWatch Environment:
API URL | none | This is the URL for accessing the server's API. This is a required field.
Port | 443 | Default port for Nessus to communicate with AirWatch.
Username | none | Username for accessing AirWatch. This is a required field.
API Key | none | API key for accessing AirWatch. This is a required field.
HTTPS | Enabled | Access AirWatch over HTTPS instead of HTTP. This will encrypt the connection.
Verify SSL Certificate | Enabled | Verify that the SSL certificate is valid.
Apple Profile Manager
“Apple Profile Manager” allows Nessus to query an Apple Profile Manager server to enumerate Apple iOS-based devices (e.g.,
iPhone, iPad) on the network. Using the credentials and server information, Nessus authenticates to the Profile Manager to
directly query it for device information. Optionally, communications over SSL can be specified, as well as directing the server to
force a device information update (i.e., each device will update its information with the Profile Manager server).
Options for configuring Apple Profile Manager are below:
Option | Default | Description
Server | none | Name of Apple Profile Manager server. This is a required field.
Port | 443 | Default port for Nessus to check for Apple Profile Manager.
Username | none | Username for accessing Apple Profile Manager. This is a required field.
API Key | none | API key for accessing Apple Profile Manager. This is a required field.
HTTPS | Enabled | Access Apple Profile Manager over HTTPS instead of HTTP. This will encrypt the connection.
Verify SSL Certificate | Enabled | Verify that the SSL certificate is valid.
Global settings for the Apple Profile Manager are:
Option | Default | Description
Force Device Updates | Enabled | This forces the Apple Profile Manager to run updates.
Device update timeout (minutes) | 5 | This is the timeout value in minutes for the Apple Profile Manager to update.
Good MDM
“Good MDM” allows Nessus to query a Good server to enumerate mobile devices on the network. Using the credentials and
server information, Nessus authenticates to the Good server to directly query it for device information. Optionally,
communications over SSL can be specified as well as strict SSL certificate verification.
Options for configuring Good MDM are below:
Option | Default | Description
Server | none | Name of Good MDM server. This is a required field.
Port | none | Default port for Nessus to check for Good MDM.
Domain | none | Domain for Good MDM.
Username | none | Username for accessing Good MDM. This is a required field.
Password | none | Password for the previously supplied username.
HTTPS | Enabled | Access Good MDM over HTTPS instead of HTTP. This will encrypt the connection.
Verify SSL Certificate | Enabled | Verify that the SSL certificate is valid.
MobileIron
“MobileIron” allows Nessus to query a MobileIron server to enumerate any attached mobile devices (e.g., iPhone, iPad, HTC,
BlackBerry, Android). Using the credentials and server information, Nessus uses authenticated API calls to query the server
for device information. Optionally, communications over SSL can be specified, as well as directing the server to verify the SSL
certificate for enhanced security.
Options for configuring MobileIron are below:
Option | Default | Description
MobileIron VSP Admin Portal URL | none | URL for accessing the MobileIron VSP Admin Portal. This is a required field.
Port | 443 | Default port for Nessus to check for MobileIron.
Username | none | Username for accessing MobileIron. This is a required field.
Password | none | Password for the previously supplied username.
HTTPS | Enabled | Access MobileIron over HTTPS instead of HTTP. This will encrypt the connection.
Verify SSL Certificate | Enabled | Verify that the SSL certificate is valid.
ADSI
Nessus can leverage ActiveSync in addition to a mobile device manager:
“ADSI” allows Nessus to query an ActiveSync server to determine if any Android or iOS-based devices are connected. Using
the credentials and server information, Nessus authenticates to the domain controller (not the Exchange server) to directly
query it for device information. This feature does not require any ports to be specified in the scan policy. These settings are
required for mobile device scanning.
Options for configuring ADSI are below:
Option | Description
Domain Controller | Name of the domain controller for ActiveSync
Domain | Name of the Windows domain for ActiveSync
Domain Admin | Domain admin’s username
Domain Password | Domain admin’s password
Nessus supports obtaining the mobile information from Exchange Server 2010 and 2013 only. Nessus cannot
retrieve that information from Exchange Server 2007.
Patch Management
Nessus Manager can leverage credentials for the Red Hat Network Satellite, IBM TEM, Dell KACE 1000, WSUS, and SCCM
patch management systems to perform patch auditing on systems for which credentials may not be available to the Nessus
scanner. Options for these patch management systems can be found under “Credentials” in their respective drop-down
menus: “Symantec Altiris”, “IBM Tivoli Endpoint Manager (BigFix)”, “Red Hat Satellite Server”, “Microsoft SCCM”, “Dell
KACE K1000”, and “Microsoft WSUS”.
IT administrators are expected to manage the patch monitoring software and install any agents required by the
patch management system on their systems.
IBM Tivoli Endpoint Manager (BigFix)
Tivoli Endpoint Manager (TEM) is available from IBM to manage the distribution of updates and hotfixes for desktop
systems. Nessus and SecurityCenter have the ability to query TEM to verify whether or not patches are installed on systems
managed by TEM and display the patch information through Nessus Manager.

If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained
from the patch management system to perform the check. If Nessus is able to connect to the target system, it will
perform checks on that system and ignore TEM output.

The data returned to Nessus by TEM is only as current as the most recent data that the TEM server has obtained
from its managed hosts.
TEM scanning is performed using five Nessus plugins:
- Patch Management: Tivoli Endpoint Manager Computer Info Initialization (Plugin ID 62559)
- Patch Management: Missing updates from Tivoli Endpoint Manager (Plugin ID 62560)
- Patch Management: IBM Tivoli Endpoint Manager Server Settings (Plugin ID 62558)
- Patch Management: Tivoli Endpoint Manager Report (Plugin ID 62561)
- Patch Management: Tivoli Endpoint Manager Get Installed Packages (Plugin ID 65703)
Credentials for the IBM Tivoli Endpoint Manager server must be provided for TEM scanning to work properly.
In the “Credentials” menu, select “Patch Management: IBM Tivoli Endpoint Manager Server (BigFix)” from the Plugin dropdown menu:
Patch Management: TEM Server Settings
Credential | Default | Description
Web Reports Server | None | Name of IBM TEM Web Reports Server
Web Reports Port | none | Port that the IBM TEM Web Reports Server listens on
Web Reports Username | none | Web Reports administrative username
Web Reports Password | none | Web Reports administrative username’s password
HTTPS | Enabled | If the Web Reports service is using SSL
Verify SSL certificate | Enabled | Verify that the SSL certificate is valid
Package reporting is supported by RPM-based and Debian-based distributions that IBM TEM officially supports. This
includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and Oracle Linux, as well as Debian and Ubuntu. Other
distributions may also work, but unless officially supported by TEM, there is no support available.
For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, and Ubuntu are supported. The
plugin “Patch Management: Tivoli Endpoint Manager Get Installed Packages” must be enabled.
In order to use these auditing features, changes must be made to the IBM TEM server. A custom Analysis must be imported
into TEM so that detailed package information will be retrieved and made available to Nessus. This process is outlined below.
Before beginning, the following text must be saved to a file on the TEM system, and named with a .bes extension:
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="BES.xsd">
  <Analysis>
    <Title>Tenable</Title>
    <Description>This analysis provides Nessus with the data it needs for vulnerability reporting. </Description>
    <Relevance>true</Relevance>
    <Source>Internal</Source>
    <SourceReleaseDate>2013-01-31</SourceReleaseDate>
    <MIMEField>
      <Name>x-fixlet-modification-time</Name>
      <Value>Fri, 01 Feb 2013 15:54:09 +0000</Value>
    </MIMEField>
    <Domain>BESC</Domain>
    <Property Name="Packages - With Versions (Tenable)" ID="1"><![CDATA[if
(exists true whose (if true then (exists debianpackage) else false)) then
unique values of (name of it & "|" & version of it as string & "|" & "deb" &
"|" & architecture of it & "|" & architecture of operating system) of packages
whose (exists version of it) of debianpackages else if (exists true whose (if
true then (exists rpm) else false)) then unique values of (name of it & "|" &
version of it as string & "|" & "rpm" & "|" & architecture of it & "|" &
architecture of operating system) of packages of rpm else "<unsupported>"
]]></Property>
  </Analysis>
</BES>
Open the TEM Console and log in:
Once authenticated, click on the “File” menu item, and then “Import…”:
Copyright © 2015. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
SecurityCenter is a trademark of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.
78
Locate the .bes file that contains the configuration details and click “Open”:
Copyright © 2015. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
SecurityCenter is a trademark of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.
79
When the “Create Analysis” dialog opens, click “OK”:
Optionally, you can click “Hide Locally” and then “Hide Globally” to remove it from view, to avoid clutter:
After these steps are completed, it may take some time (depending on your network and report schedule) for the Analysis to
fully populate. You can view the “Applicable Computers” count on the tab seen above to see how many computers have so far
reported during a scan.
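The Analysis imported above makes each managed host report one string per package in the layout name|version|deb-or-rpm|package arch|OS arch, or the single marker "<unsupported>". The following parser is an added example (not Tenable or IBM code) that consumes those strings and separates well-formed packages from unsupported or malformed entries; the sample strings are constructed.

```python
"""Consume the strings emitted by the "Packages - With Versions (Tenable)" property.

Added example, not Tenable or IBM code. Each managed host reports one value per
package in the layout  name|version|deb-or-rpm|package arch|OS arch  or the
single marker "<unsupported>" when TEM sees neither dpkg nor rpm data.
The sample strings at the bottom are constructed, not taken from a real TEM server.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

UNSUPPORTED = "<unsupported>"
PACKAGE_TYPES = {"deb", "rpm"}


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    pkg_type: str   # "deb" or "rpm"
    arch: str       # architecture of the package itself
    os_arch: str    # architecture of the operating system


def parse_package_line(line: str) -> Optional[Package]:
    """Parse one property value. Returns None for the <unsupported> marker and
    raises ValueError when the line does not carry the five expected fields."""
    line = line.strip()
    if line == UNSUPPORTED:
        return None
    fields = line.split("|")
    if len(fields) != 5:
        raise ValueError(f"expected 5 '|'-separated fields, got {len(fields)}: {line!r}")
    name, version, pkg_type, arch, os_arch = fields
    if pkg_type not in PACKAGE_TYPES:
        raise ValueError(f"unknown package type {pkg_type!r}: {line!r}")
    if not name or not version:
        raise ValueError(f"empty name or version: {line!r}")
    return Package(name, version, pkg_type, arch, os_arch)


def parse_host_packages(lines: Iterable[str]) -> Tuple[List[Package], List[str]]:
    """Parse every value reported for one host.

    Returns the well-formed packages and a list of human-readable problems. A host
    that only reports <unsupported> yields no packages and one problem, which is
    exactly the case in which TEM-based local checks will not trigger."""
    packages: List[Package] = []
    problems: List[str] = []
    for raw in lines:
        if not raw.strip():
            continue
        try:
            pkg = parse_package_line(raw)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if pkg is None:
            problems.append("host reports <unsupported>: TEM saw neither deb nor rpm packages")
            continue
        packages.append(pkg)
    return packages, problems


def installed_versions(packages: Iterable[Package]) -> Dict[str, str]:
    """Map package name -> version, the shape a patch check needs when deciding
    whether a host is at or below an affected version."""
    return {p.name: p.version for p in packages}


# Constructed sample output for a Debian-based host, an RPM-based host with one
# malformed entry, and a host that TEM cannot inventory.
SAMPLE_DEBIAN_HOST = [
    "openssl|1.0.1e-2+deb7u13|deb|amd64|x86_64",
    "bash|4.2+dfsg-0.1+deb7u3|deb|amd64|x86_64",
    "libc6|2.13-38+deb7u6|deb|amd64|x86_64",
]
SAMPLE_RPM_HOST = [
    "openssl|1.0.1e-30.el6|rpm|x86_64|x86_64",
    "kernel|2.6.32-431.el6|rpm|x86_64|x86_64",
    "not a package line",   # constructed malformed entry
]
SAMPLE_UNSUPPORTED_HOST = ["<unsupported>"]

if __name__ == "__main__":
    for label, lines in [("debian", SAMPLE_DEBIAN_HOST), ("rpm", SAMPLE_RPM_HOST),
                         ("unsupported", SAMPLE_UNSUPPORTED_HOST)]:
        pkgs, problems = parse_host_packages(lines)
        print(f"{label}: {len(pkgs)} packages, {len(problems)} problems")
        for p in problems:
            print("  !", p)
```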
WSUS
Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for
Microsoft products. Nessus and SecurityCenter have the ability to query WSUS to verify whether or not patches are
installed on systems managed by WSUS and display the patch information through the Nessus or SecurityCenter GUI.

If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained
from the patch management system to perform the check. If Nessus is able to connect to the target system, it will
perform checks on that system and ignore WSUS output.

The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained
from its managed hosts.
WSUS scanning is performed using three Nessus plugins:
- Patch Management: WSUS Server Settings (Plugin ID 57031)
- Patch Management: Missing updates from WSUS (Plugin ID 57032)
- Patch Management: WSUS Report (Plugin ID 58133)
Credentials for the WSUS system must be provided for WSUS scanning to work properly. Under the “Credentials” tab, select
“Patch Management” and then “Microsoft WSUS”:
Credential | Default | Description
Server | None | WSUS IP address or system name
Port | 8530 | Port WSUS is running on (typically TCP 80 or 443)
Username | none | WSUS admin username
Password | none | WSUS admin password
HTTPS | Enabled | If the WSUS service is using SSL
Verify SSL certificate | Enabled | Verify that the SSL certificate is valid
SCCM
System Center Configuration Manager (SCCM) is available from Microsoft to manage large groups of Windows-based
systems. Nessus has the ability to query the SCCM service to verify whether or not patches are installed on systems
managed by SCCM and display the patch information through the Nessus or SecurityCenter GUI.

If the credentialed check sees a system but it is unable to authenticate against the system, it will use the data
obtained from the patch management system to perform the check. If Nessus is able to connect to the target system,
it will perform checks on that system and ignore SCCM output.

The data returned by SCCM is only as current as the most recent data that the SCCM server has obtained from its
managed hosts.

Nessus connects to the server that is running the SCCM site (e.g., credentials must be valid for the SCCM service,
meaning an admin account in SCCM with the privileges to query all the data in the SCCM MMC). This server may
also run the SQL database, or the database as well as the SCCM repository can be on separate servers. When
leveraging this audit, Nessus must connect to the SCCM Server, not the SQL or SCCM server if they are on a
separate box.
Nessus SCCM patch management plugins support SCCM 2007 and SCCM 2012.
SCCM scanning is performed using four Nessus plugins:
- Patch Management: SCCM Server Settings (Plugin ID 57029)
- Patch Management: Missing updates from SCCM (Plugin ID 57030)
- Patch Management: SCCM Computer Info Initialization (Plugin ID 73636)
- Patch Management: SCCM Report (Plugin ID 58186)
Credentials for the SCCM system must be provided for SCCM scanning to work properly. Under the “Credentials” tab, select
“Patch Management” and then “Microsoft SCCM”:
Credential | Description
Server | SCCM IP address or system name
Domain | The domain the SCCM server is a part of
Username | SCCM admin username
Password | SCCM admin password
Red Hat Network Satellite
Red Hat Satellite is a systems management platform for Linux-based systems. Nessus and SecurityCenter have the ability to
query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch
information through the Nessus or SecurityCenter GUI.
Although not supported by Tenable, the RHN Satellite plugin will also work with Spacewalk Server, the Open Source
Upstream Version of Red Hat Satellite. Spacewalk has the capability of managing distributions based on Red Hat (RHEL,
CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.

If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained
from the patch management system to perform the check. If Nessus is able to connect to the target system, it will
perform checks on that system and ignore RHN Satellite output.

The data returned to Nessus by RHN Satellite is only as current as the most recent data that the Satellite server has
obtained from its managed hosts.
Satellite scanning is performed using five Nessus plugins:
- Patch Management: Patch Schedule From Red Hat Satellite Server (Plugin ID 57066)
- Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 57065)
- Patch Management: Red Hat Satellite Server Get Managed Servers (Plugin ID 57064)
- Patch Management: Red Hat Satellite Server Get System Information (Plugin ID 57067)
- Patch Management: Red Hat Satellite Server Settings (Plugin ID 57063)
Credentials for the Red Hat Satellite system must be provided for Satellite scanning to work properly. Under the
“Credentials” tab, select “Patch Management” and then “Red Hat Satellite Server”:
Credential | Default | Description
Satellite server | none | RHN Satellite IP address or system name
Port | 443 | Port Satellite is running on (typically TCP 80 or 443)
Verify SSL Certificate | Enabled | Verify that the SSL certificate is valid
Username | none | Red Hat Satellite username
Password | none | Red Hat Satellite password
Dell KACE K1000
KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X
systems. Nessus and SecurityCenter have the ability to query KACE K1000 to verify whether or not patches are installed on
systems managed by KACE K1000 and display the patch information through the Nessus or SecurityCenter GUI.

If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained
from the patch management system to perform the check. If Nessus is able to connect to the target system, it will
perform checks on that system and ignore KACE K1000 output.

The data returned to Nessus by KACE K1000 is only as current as the most recent data that the KACE K1000 has
obtained from its managed hosts.
KACE K1000 scanning is performed using four Nessus plugins:
- kace_k1000_get_computer_info.nbin (Plugin ID 76867)
- kace_k1000_get_missing_updates.nbin (Plugin ID 76868)
- kace_k1000_init_info.nbin (Plugin ID 76866)
- kace_k1000_report.nbin (Plugin ID 76869)
Credentials for the Dell KACE K1000 system must be provided for K1000 scanning to work properly. Under the
“Credentials” tab, select “Patch Management” and then “Dell KACE K1000”:
Credential | Default | Description
Server | none | KACE K1000 IP address or system name. This is a required field.
Database Port | 3306 | Port the K1000 database is running on (typically TCP 3306).
Organization Database Name | ORG1 | The name of the organization component for the KACE K1000 database. This component will begin with the letters “ORG” and end with a number that corresponds with the K1000 database username.
Database Username | none | Username required to log into the K1000 database. R1 is the default if no user is defined. The username will begin with the letter “R”. This username will end in the same number that represents the number of the organization to scan. This is a required field.
K1000 Database Password | none | Password required to authenticate the K1000 Database Username. This is a required field.
Symantec Altiris
Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X
systems. Nessus and SecurityCenter have the ability to use the Altiris API to verify whether or not patches are installed on
systems managed by Altiris and display the patch information through the Nessus or SecurityCenter GUI.

If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained
from the patch management system to perform the check. If Nessus is able to connect to the target system, it will
perform checks on that system and ignore Altiris output.

The data returned to Nessus by Altiris is only as current as the most recent data that the Altiris has obtained from its
managed hosts.

Nessus connects to the Microsoft SQL server that is running on the Altiris host (e.g., credentials must be valid for the
MSSQL database, meaning a database account with the privileges to query all the data in the Altiris MSSQL
database). The database server may be run on a separate host from the Altiris deployment. When leveraging this
audit, Nessus must connect to the MSSQL database, not the Altiris server if they are on a separate box.
Altiris scanning is performed using four Nessus plugins:
- symantec_altiris_get_computer_info.nbin (Plugin ID 78013)
- symantec_altiris_get_missing_updates.nbin (Plugin ID 78012)
- symantec_altiris_init_info.nbin (Plugin ID 78011)
- symantec_altiris_report.nbin (Plugin ID 78014)
To ensure Nessus can properly utilize Altiris to pull patch management information, it must be configured to do so.
From the dashboard (shown above), click on “Settings” and then “Database Settings”:
Ensure that the SQL server name is set and that a database is selected. Next, configure the Microsoft SQL Server:
Under “Connections”, “Allow remote connections to this server” must be selected. Next, navigate to the “Permissions” tab:
Configure the account that Nessus will use with the “CONNECT SQL” and “VIEW ANY DATABASE” permissions.
Credentials for the Altiris Microsoft SQL (MSSQL) database must be provided for Altiris scanning to work properly. Under
the “Credentials” tab, select “Patch Management” and then “Symantec Altiris”:
Credential | Default | Description
Server | none | Altiris IP address or system name. This is a required field.
Database Port | 5690 | Port the Altiris database is running on (typically TCP 5690)
Database Name | Symantec_CMDB | The name of the MSSQL database that manages Altiris patch information.
Database Username | None | Username required to log into the Altiris MSSQL database. This is a required field.
Database Password | none | Password required to authenticate the Altiris MSSQL database. This is a required field.
Use Windows Authentication | Disabled | Denotes whether or not to use NTLMSSP for compatibility with older Windows Servers, otherwise it will use Kerberos
Scanning With Multiple Patch Managers
If multiple sets of credentials are supplied to Nessus for patch management tools, Nessus will use all of them. Available
credentials are:
- Credentials supplied to directly authenticate to the target
- IBM TEM
- Microsoft WSUS
- Microsoft SCCM
- Red Hat Network Satellite
- Dell KACE 1000
- Altiris
If credentials are provided for a host, as well as a patch management system, or multiple patch management systems, Nessus
will compare the findings between all methods and report on conflicts or provide a “satisfied” finding. Using the “Patch
Management Windows Auditing Conflicts” plugins, the patch data differences (conflicts) between the host and a patch
management system will be highlighted. For example, if you provide credentials for the target host and a SCCM, IBM TEM,
KACE 1000, and WSUS patch management systems, Nessus will produce the following report with a “High” severity rating if
there are conflicts found:
This underscores the importance of cross-referencing patches between what is on the system and what the patch
management system thinks is on the system. In the above output you can see that Nessus has credentials to log in to the
target system itself (indicated by the “Nessus ->”). Nessus is also able to pull the patch levels from SCCM (as indicated by the
“-> SCCM conflicts”). The report for each patch and the discrepancies is displayed in the plugin output. As the first entry
indicates for the host, Nessus found MS11-049 missing, but IBM TEM is reporting that patch as being applied.
This allows organizations to not only audit hosts, but to help ensure that patch management software is providing accurate
information. If there are no conflicts found, Nessus will provide a “Satisfied” finding with an “Info” severity rating:
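The cross-referencing described above, as an added example that is not Nessus plugin code: it compares what Nessus observed on the host with what each patch manager reports, emitting a "High" conflicts finding per disagreeing manager and an "Info" "Satisfied" finding when every source agrees. The bulletin identifiers and manager records are constructed sample data, and the choice to skip patches a manager has no record of is an assumption.

```python
"""Cross-reference a host's observed patch state against patch manager records.

Added example, not Nessus plugin code. It reproduces the behaviour the guide
describes for the "Patch Management Windows Auditing Conflicts" plugins: one
"High" finding per patch manager that disagrees with the host, listing each
conflict in the "Nessus -> ... <manager> ->" layout, and an "Info" "Satisfied"
finding when no source disagrees. Bulletin identifiers and manager records
below are constructed sample data; skipping patches a manager has no record
of is an assumption, not documented Nessus behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MISSING = "missing"
INSTALLED = "installed"


@dataclass
class Finding:
    severity: str              # "High" for conflicts, "Info" when satisfied
    title: str
    details: List[str] = field(default_factory=list)


def normalise_state(state: str) -> str:
    """Map the spellings different sources use onto the two states we compare."""
    s = state.strip().lower()
    if s in {"missing", "not installed", "absent", "required"}:
        return MISSING
    if s in {"installed", "applied", "present"}:
        return INSTALLED
    raise ValueError(f"unknown patch state {state!r}")


def audit_patch_conflicts(host_state: Dict[str, str],
                          manager_states: Dict[str, Dict[str, str]]) -> List[Finding]:
    """host_state: patch id -> state Nessus observed by logging in to the host.
    manager_states: patch manager name -> (patch id -> state that manager reports).
    Returns one High finding per manager that disagrees with the host, or a single
    Info "Satisfied" finding when no source disagrees."""
    findings: List[Finding] = []
    for manager, reported in manager_states.items():
        conflicts: List[str] = []
        for patch in sorted(host_state):
            if patch not in reported:
                continue   # assumption: no record in this manager, nothing to compare
            on_host = normalise_state(host_state[patch])
            in_manager = normalise_state(reported[patch])
            if on_host != in_manager:
                conflicts.append(f"{patch}: Nessus -> {on_host}, {manager} -> {in_manager}")
        if conflicts:
            findings.append(Finding(
                "High",
                f"Patch Management Windows Auditing Conflicts: Nessus -> {manager}",
                conflicts))
    if not findings:
        findings.append(Finding("Info", "Patch Management Auditing Satisfied"))
    return findings


# Constructed sample: what Nessus saw on the host and what each manager claims.
SAMPLE_HOST = {"MS11-049": "missing", "MS11-050": "installed", "MS11-051": "installed"}
SAMPLE_MANAGERS = {
    "IBM TEM": {"MS11-049": "applied", "MS11-050": "applied"},    # disagrees on MS11-049
    "SCCM": {"MS11-050": "installed", "MS11-051": "missing"},     # disagrees on MS11-051
    "WSUS": {"MS11-050": "installed"},                            # agrees on what it knows
}

if __name__ == "__main__":
    for f in audit_patch_conflicts(SAMPLE_HOST, SAMPLE_MANAGERS):
        print(f"[{f.severity}] {f.title}")
        for line in f.details:
            print("   ", line)
```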
Virtualization
Tenable also supports authentication to the VMware virtualization platforms and Red Hat Enterprise Virtualization (RHEV).
Using a variety of remote and credentialed checks, Nessus can perform a wide range of audits against the virtualization
platform as well as the software running on it. While virtual hosts remove the need for some hardware, they also add another
layer that can be attacked. It is important to ensure that not only the operating system or applications that run on the virtual
platform are tested, but also the underlying virtualization software platform itself.
VMware
Nessus contains a wide variety of support for VMware products. Plugins are written based on the severity of associated
vulnerabilities rather than prioritizing individual products by themselves. Typically, new plugins for VMware products are
available a day or two after initial release, based on the time it takes to evaluate the issue and draft the corresponding check.
Nessus can detect active virtual machines (VMs) for ESX, ESXi, vSphere, and vCenter.
Nessus supports vCenter in a number of ways. Where possible, Tenable writes checks for published vulnerabilities (e.g.,
vmware_vcenter_update_mgr_xss.nasl) to help audit VMs remotely. In addition, Nessus has the ability to
authenticate to the VMware interface via the SOAP API to query vCenter 4.5 (or later) and 5.x for patch information on ESX
hosts managed by the software.
For ESX/ESXi, Tenable has local credentialed checks available that check for the existence of patches for ESX/ESXi 3.5 and
later. If a patch has been applied, but the server has not been rebooted, the presence of the patch may not be detected and
Nessus will report the host vulnerable. These checks can be performed using SSH credentials or through a SOAP interface on
the ESXi host, or vCenter.
In addition, Nessus offers a variety of credentialed local checks for other VMware products including Fusion, Workstation,
vMA, and OVF Tool.
Access to VMware servers is available through its native SOAP API. VMware ESX SOAP API allows you to access the ESX
and ESXi servers via username and password. Additionally, you have the option of not enabling SSL certificate verification:
Credential | Default | Description
--- | --- | ---
Username | none | Username to login to the ESXi server. This is a required field.
Password | none | Password to login to the ESXi server. This is a required field.
Do not verify SSL Certificate | Disabled | Do not verify that the SSL certificate for the ESXi server is valid.
VMware vCenter SOAP API allows you to access vCenter. This requires a username, password, vCenter hostname, and
vCenter port. Additionally, you can require HTTPS and SSL certificate verification:
Credential | Default | Description
--- | --- | ---
vCenter Host | none | Name of the vCenter host. This is a required field.
vCenter Port | 443 | Port to access the vCenter host.
Username | none | Username to login to the vCenter server. This is a required field.
Password | none | Password to login to the vCenter server. This is a required field.
HTTPS | Enabled | Connect to the vCenter via SSL.
Verify SSL Certificate | Enabled | Verify that the SSL certificate for the ESXi server is valid.
Tenable currently offers compliance checks for ESXi. For more information, consult the “Nessus VMware vCenter Patch
Auditing Now Available” blog.
Note that by default, local ESXi users are limited to “Read-only” roles. Using such an account will result in a
21745 error. Either an administrative account or one with “Global” -> “Settings” permission must be used to
facilitate this audit. Credentials for the ESX SOAP API can be supplied when creating a new policy.
Red Hat Enterprise Virtualization (RHEV)
RHEV requires a username, password, and network port. Additionally, you can enable SSL certificate verification:
Credential | Default | Description
--- | --- | ---
Username | none | Username to login to the RHEV server. This is a required field.
Password | none | Password to login to the RHEV server. This is a required field.
Port | 443 | Port to connect to the RHEV server.
Verify SSL Certificate | Enabled | Verify that the SSL certificate for the RHEV server is valid.
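The ESXi, vCenter, and RHEV credential tables above each carry a certificate verification switch. The following added example (not code from this guide or from Tenable) builds the client TLS context that each setting corresponds to, so the difference between "Verify SSL Certificate: Enabled" and "Do not verify SSL Certificate" is visible in code rather than in a checkbox. The CA bundle path and the host/port arguments are assumptions for illustration.

```python
import http.client
import ssl
from typing import Optional

# Added example, not Nessus code: one function per verification policy, so the
# consequence of each credential-table setting can be inspected and logged.


def build_tls_context(verify_certificate: bool,
                      ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Return a client-side TLS context.

    verify_certificate=True mirrors "Verify SSL Certificate: Enabled": the server
    chain must validate against a trusted CA and the hostname must match.
    verify_certificate=False mirrors "Do not verify SSL Certificate": any
    certificate, self-signed or attacker-supplied, is accepted, so an active
    man-in-the-middle on the path can capture the privileged scan credentials.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if ca_bundle:
        # Private CA that issued the hypervisor/vCenter certificate (assumed path).
        ctx.load_verify_locations(cafile=ca_bundle)
    if not verify_certificate:
        # check_hostname must be cleared before verify_mode is relaxed,
        # otherwise the ssl module raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant properties of a context for audit logging."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def fetch_peer_certificate(host: str, port: int, verify_certificate: bool,
                           ca_bundle: Optional[str] = None) -> dict:
    """Open an HTTPS connection under the chosen policy and return the peer cert.

    With verify_certificate=True this raises ssl.SSLCertVerificationError when
    the chain or hostname does not check out, which is the behaviour you want
    before a scanner sends administrative credentials over the connection.
    With verify_certificate=False the connection succeeds against anything and
    getpeercert() returns an empty dict, because nothing was validated.
    """
    ctx = build_tls_context(verify_certificate, ca_bundle)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.connect()
        return conn.sock.getpeercert()
    finally:
        conn.close()
```

The practical check is to call `fetch_peer_certificate` once with verification enabled against a hypervisor that uses a private CA: if it fails, fix the trust store (the `ca_bundle` argument) rather than disabling verification in the policy.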
Miscellaneous Authentication
Nessus has the ability to scan various services and devices that have a unique function, including IBM iSeries, Palo Alto
Networks firewalls, X.509 services, and Active Directory Service Interfaces (ADSI). Nessus can be configured to authenticate
to these servers and report on any issues.
VMware ESXi, VMware vCenter, and RHEV are discussed in the Virtualization section of this document.
ADSI requires the domain controller information, domain, and domain admin and password:
IBM iSeries only requires an iSeries username and password:
Palo Alto Networks PAN-OS requires a PAN-OS username and password as well as the management port. Additionally, you
can verify the SSL certificate:
For X.509, you will need to supply the client certificate, client private key and its corresponding passphrase, and the trusted
Certificate Authority’s (CA) digital certificate:
Plaintext Authentication
Finally, if a secure method of performing credentialed checks is not available, users can force Nessus to try to perform checks
over insecure protocols by configuring the “Plaintext Authentication” drop-down menu item.
This menu allows the Nessus scanner to use credentials when testing HTTP, NNTP, FTP, POP2, POP3, IMAP, IPMI,
SNMPv1/v2c, and telnet/rsh/rexec. By supplying credentials, Nessus may have the ability to do more extensive checks to
determine vulnerabilities. HTTP credentials supplied here will be used for Basic and Digest authentication only.
Cleartext Protocols
Credentials for FTP, IPMI, NNTP, POP2, and POP3 are username and password only.
The telnet/rsh/rexec authentication section is also username and password, but there are additional Global Settings for this
section that can allow you to perform patch audits using any of these three protocols.
SNMPv1/v2c configuration allows you to use community strings for authentication to network devices. Up to 4 SNMP
community strings can be configured.
Web Application Scanning
There are four different types of HTTP authentication: Automatic authentication, Basic/Digest authentication, HTTP login
form for a custom web application, and HTTP cookies import. All methods include Global Settings for HTTP logins:
Option | Default | Description
--- | --- | ---
Login method | POST | Specify if the login action is performed via a GET or POST request.
Re-authenticate delay (seconds) | none | The time delay between authentication attempts. This is useful to avoid triggering brute force lockout mechanisms.
Follow 30x redirections (# of levels) | 0 | If a 30x redirect code is received from a web server, this directs Nessus to follow the link provided or not.
Invert authenticated regex | Disabled | A regex pattern to look for on the login page, that if found, tells Nessus authentication was not successful (e.g., “Authentication failed!”).
Use authenticated regex on HTTP headers | Disabled | Rather than search the body of a response, Nessus can search the HTTP response headers for a given regex pattern to better determine authentication state.
Use authenticated regex on HTTP headers | Disabled | The regex searches are case sensitive by default. This instructs Nessus to ignore case.
The “HTTP login page” settings provide control over where authenticated testing of a custom web-based application begins.
In addition to the username and password, the following options are required:
Option | Description
--- | ---
Login page | The absolute path to the login page of the application, e.g., “/login.html”.
Login submission page | The “action” parameter for the form method. For example, the login form for <form method="POST" name="auth_form" action="/login.php"> would be “/login.php”.
Login parameters | Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, they will be substituted with values supplied on the “Login configurations” drop-down menu. This field can be used to provide more than two parameters if required (e.g., a “group” name or some other piece of information is required for the authentication process).
Check authentication on page | The absolute path of a protected web page that requires authentication, to better assist Nessus in determining authentication status, e.g., “/admin.html”.
Authenticated regex | A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as “Authentication successful!”
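The global HTTP settings and the “HTTP login page” options above describe a small decision procedure: substitute the credentials into the login parameters, optionally follow a bounded number of 30x redirects, then decide authentication state by matching a regex against the body or the headers, possibly inverted or case-insensitive. The following added example (not Nessus code) implements that procedure over a constructed table of HTTP responses; the paths, cookie name, and page contents are made up for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Added example, not Nessus code: models how the login-form settings combine.
# SAMPLE_RESPONSES is constructed, not captured traffic: path -> (status, headers, body).
SAMPLE_RESPONSES = {
    "/login.php": (302, {"Location": "/admin.html",
                         "Set-Cookie": "PHPSESSID=c0ffee; HttpOnly; Secure"}, ""),
    "/admin.html": (200, {"Content-Type": "text/html"},
                    "<h1>Welcome back, alice</h1><p>Authentication successful!</p>"),
    "/login.html": (200, {"Content-Type": "text/html"},
                    "<p>Authentication failed!</p>"),
}


def build_login_body(login_parameters: str, username: str, password: str) -> str:
    """Substitute %USER% and %PASS% in the "Login parameters" template.

    The template is parsed as a form body first and re-encoded after substitution,
    so credentials containing '&', '=', '%' or spaces are percent-encoded instead
    of corrupting the request (a password with '&' would otherwise add a field).
    """
    pairs = parse_qsl(login_parameters, keep_blank_values=True)
    substituted = [(k, v.replace("%USER%", username).replace("%PASS%", password))
                   for k, v in pairs]
    return urlencode(substituted)


def follow_redirects(responses, path, max_levels):
    """Follow 30x responses through the response table, at most max_levels hops.

    max_levels=0 is the documented default ("Follow 30x redirections: 0"):
    the 30x response itself is returned and never the page behind it.
    """
    status, headers, body = responses[path]
    hops = 0
    while 300 <= status < 400 and "Location" in headers and hops < max_levels:
        status, headers, body = responses[headers["Location"]]
        hops += 1
    return status, headers, body


def is_authenticated(body, headers, regex, *, invert=False,
                     use_headers=False, ignore_case=False) -> bool:
    """Apply the authenticated regex with the three modifiers from the tables.

    invert=True      the pattern identifies a FAILED login ("Invert authenticated regex")
    use_headers=True search "Name: value" header lines instead of the body
    ignore_case=True case-insensitive match (searches are case sensitive by default)
    """
    flags = re.MULTILINE | (re.IGNORECASE if ignore_case else 0)
    haystack = ("\n".join(f"{k}: {v}" for k, v in headers.items())
                if use_headers else body)
    matched = re.search(regex, haystack, flags) is not None
    return (not matched) if invert else matched
```

Two behaviours worth noticing when tuning a policy: with the default of 0 redirect levels, a login that answers 302 never yields the post-login body, so a body regex cannot match and the header regex (for example on the Set-Cookie line) is the only signal; and an inverted regex that does not match reports success, so a failure banner that changes wording silently turns every login into a "success".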
To facilitate web application testing, Nessus can import HTTP cookies from another piece of software (e.g., web browser,
web proxy, etc.) with the “HTTP cookies import” settings. A cookie file can be uploaded so that Nessus uses the cookies
when attempting to access a web application. The cookie file must be in Netscape format.
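The cookie file must be in Netscape format, which is a tab-separated text file with seven fields per line. The following added example (not Nessus code) parses that format, drops expired cookies, honours the `#HttpOnly_` line prefix that curl and wget write, and builds the `Cookie` header that would be sent to a given host and path. The file contents, domains, and cookie values are constructed for illustration.

```python
import time

# Added example, not Nessus code: a parser for the Netscape cookies.txt format that
# the "HTTP cookies import" setting expects. SAMPLE_COOKIE_FILE is constructed.
SAMPLE_COOKIE_FILE = """\
# Netscape HTTP Cookie File
# Constructed sample, not exported from a real browser.

.example.test\tTRUE\t/\tTRUE\t2000000000\tsession\tdeadbeef
#HttpOnly_app.example.test\tFALSE\t/admin\tTRUE\t2000000000\tadmin_token\tcafe
.example.test\tTRUE\t/\tFALSE\t1000000000\tstale\told
app.example.test\tFALSE\t/\tFALSE\t0\tprefs\tdark
"""


def parse_netscape_cookies(text, now=None):
    """Return a list of cookie dicts from Netscape-format text, skipping expired ones.

    Field order: domain, include_subdomains, path, secure, expires, name, value.
    An expiry of 0 marks a session cookie and is kept. Lines starting with
    '#HttpOnly_' are real cookies carrying the HttpOnly flag, not comments.
    """
    now = time.time() if now is None else now
    cookies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        http_only = False
        if line.startswith("#HttpOnly_"):
            http_only = True
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}")
        domain, subdomains, path, secure, expires, name, value = fields
        expires = int(expires)
        if 0 < expires < now:
            continue  # expired: a scanner sending it would just get a login page
        cookies.append({
            "domain": domain, "include_subdomains": subdomains == "TRUE",
            "path": path, "secure": secure == "TRUE", "expires": expires,
            "name": name, "value": value, "http_only": http_only,
        })
    return cookies


def _domain_matches(cookie_domain, include_subdomains, host):
    base = cookie_domain.lstrip(".")
    return host == base or (include_subdomains and host.endswith("." + base))


def cookie_header(cookies, host, path="/", https=True):
    """Build the Cookie header value for a request, applying domain/path/secure rules."""
    sent = []
    for c in cookies:
        if not _domain_matches(c["domain"], c["include_subdomains"], host):
            continue
        if not path.startswith(c["path"]):
            continue
        if c["secure"] and not https:
            continue  # Secure cookies are never sent over plain HTTP
        sent.append(f"{c['name']}={c['value']}")
    return "; ".join(sent)
```

Running `cookie_header` against the target before launching the scan is a cheap way to confirm that the imported file actually contributes a session cookie for the scanned host, and that none of the cookies it relies on have expired since the browser exported them.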
By default, all passwords (and the policy itself) are encrypted within Nessus. If the policy is exported and saved to a .nessus
file, the passwords will be stripped during export. Once you have imported your policy into the destination Nessus scanner, you
will need to re-apply your passwords to the credentials being used. The reason for this is that all passwords in the policy will be
unusable by the destination Nessus scanner you import to, as it will be unable to decrypt them.
Using cleartext credentials in any fashion is not recommended! If the credentials are sent remotely (e.g., via a
Nessus scan), the credentials could be intercepted by anyone with access to the network. Use encrypted
authentication mechanisms whenever possible.
Compliance
For details on compliance, see the Audit Policies section below.
Plugins
The “Plugins” menu enables the user to choose specific security checks by plugin family or individual checks.
Clicking on the plugin family allows you to enable (green) or disable (grey) the entire family. Selecting a family will display the
list of its plugins. Individual plugins can be enabled or disabled to create very specific scan policies. A family with some
plugins disabled will turn blue and display “mixed” to indicate only some plugins are enabled. Clicking on the plugin family will
load the complete list of plugins, and allow for granular selection based on your scanning preferences.
Selecting a specific plugin displays its output as it would appear in a report. The synopsis and description provide
more details of the vulnerability being examined. Scrolling down in your browser will also show solution information,
additional references if available, risk information, exploit information, and any vulnerability database or
informational cross-references.
At the top of the plugin family page, you can create filters to build a list of plugins to include in the policy, as well as disable or
enable all plugins. Filters allow granular control over plugin selection. Multiple filters can be set in a single policy.
To quickly filter plugin families based on name, you can type in the search box. This will filter the plugin families on-the-fly. To
create a filter, click on the “Filter Options” button:
Each filter created provides several options for refining a search. The filter criteria can be combined with “Any”, where any
one criterion returns a match, or “All”, where every criterion must be present. For example, if we want a policy that only
includes plugins that have an exploit or can be exploited without a scripted exploit, we create two filters and select “Any” for
the criteria:
If we want to create a policy that contains plugins that match several criteria, we select “All” and add the desired filters. For
example, the policy below would include any vulnerability with a patch published after January 1, 2014 that has a public
exploit, and CVSS Base Score higher than 5.0:
For a full list of filter criteria and details, check the Report Filters section of this document.
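The two filter examples above (“Any” over two exploit criteria, “All” over a patch date, exploit availability, and CVSS score) and the family colouring rule are easy to get wrong when building a policy by hand. The following added example (not Nessus code) models both over a constructed set of plugin records; the plugin ids, families, and attribute values are made up and are not real Nessus plugins.

```python
from datetime import date

# Added example, not Nessus code. SAMPLE_PLUGINS is constructed metadata; the ids
# are placeholders, not real plugin ids.
SAMPLE_PLUGINS = [
    {"id": 1001, "family": "Web Servers", "cvss_base": 7.5, "exploit_available": True,
     "exploitable_without_script": False, "patch_published": date(2014, 3, 10)},
    {"id": 1002, "family": "Web Servers", "cvss_base": 4.3, "exploit_available": False,
     "exploitable_without_script": True, "patch_published": date(2013, 11, 2)},
    {"id": 1003, "family": "Windows", "cvss_base": 9.3, "exploit_available": True,
     "exploitable_without_script": True, "patch_published": date(2012, 1, 1)},
    {"id": 1004, "family": "Windows", "cvss_base": 5.0, "exploit_available": False,
     "exploitable_without_script": False, "patch_published": None},
]

# Filter operators. A missing value (None) never matches, so a plugin without a
# patch date is excluded by a "later than" filter instead of raising.
OPERATORS = {
    "is": lambda actual, expected: actual == expected,
    "greater than": lambda actual, expected: actual is not None and actual > expected,
    "later than": lambda actual, expected: actual is not None and actual > expected,
}


def matches(plugin, criterion):
    field, op, expected = criterion
    return OPERATORS[op](plugin.get(field), expected)


def select_plugins(plugins, criteria, mode="any"):
    """Return ids of plugins matching the criteria under "any" or "all" semantics."""
    combine = any if mode == "any" else all
    return [p["id"] for p in plugins if combine(matches(p, c) for c in criteria)]


def family_states(plugins, enabled_ids):
    """Green/grey/blue rule: "enabled", "disabled" or "mixed" per family.

    Only a fully enabled family auto-enables new plugins delivered by a plugin
    update; a mixed or disabled family leaves them disabled.
    """
    by_family = {}
    for p in plugins:
        by_family.setdefault(p["family"], []).append(p["id"] in enabled_ids)
    return {
        family: "enabled" if all(flags) else "disabled" if not any(flags) else "mixed"
        for family, flags in by_family.items()
    }


# The guide's second example: patch after 2014-01-01 AND exploit available AND CVSS > 5.0.
STRICT_CRITERIA = [
    ("patch_published", "later than", date(2014, 1, 1)),
    ("exploit_available", "is", True),
    ("cvss_base", "greater than", 5.0),
]
```

Note that a CVSS Base Score of exactly 5.0 is not “higher than 5.0”, so such a plugin drops out of the strict policy; and because the selection is a snapshot, `family_states` is the function to re-run after a plugin update to see which families will and will not pick up the new checks automatically.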
To use filters to create a policy, it is recommended you start by disabling all plugins. Using plugin filters, narrow
down the plugins you want to be in your policy. Once completed, select each plugin family and click “Enable
Plugins”.
When a policy is created and saved, it records all of the plugins that are initially selected. When new plugins are received via
a plugin update, they will automatically be enabled if the family they are associated with is enabled. If the family has been
disabled or partially enabled, new plugins in that family will automatically be disabled as well.
The “Denial of Service” family contains some plugins that could cause outages on a network if the “Safe Checks”
option is not enabled, but does contain some useful checks that will not cause any harm. The “Denial of Service”
family can be used in conjunction with “Safe Checks” to ensure that any potentially dangerous plugins are not run.
However, it is recommended that the “Denial of Service” family not be used on a production network unless
scheduled during a maintenance window and with staff ready to respond to any issues.
Audit Policies
Nessus compliance auditing can be configured through one of four policies: PCI Quarterly External Scan, Internal PCI
Network Scan, Policy Compliance Auditing, and SCAP Compliance Audit:
Compliance Audit Policies
Nessus provides a library of policy checks available for Policy Compliance Auditing. You can create customized audits for
many operating systems, databases, network devices, hypervisors, and other enterprise level applications.
Like the Credentials section, Compliance has a search box in the upper right. If nothing matches the search text, then no
compliance checks will appear in the left column.
After entering the required credentials, this menu allows commercial customers to upload policy files that will be used to
determine if the supported device, application, or operating system meets the specified compliance standards. Up to five
policies may be selected at one time.
Once a compliance policy is saved, a user can open the compliance policy and download any custom audit files. This enables a
user who did not originate the policy to retrieve the audit file from the Nessus policy directly:
Some policies also have a best practices option, which is a pre-defined audit file for which the user supplies the values
specific to their environment. In some instances, there are pre-defined DISA STIG, CIS, and PCI audit policies already available.
When creating a new policy, click on Policy Compliance Auditing. There will be a third option next to Credentials that shows
the Compliance options available.
The following table provides an overview of all compliance checks. For more detailed information regarding each item, check
the Tenable Network Security document, “Nessus Compliance Checks”.
Compliance Policy | Required Credentials | Description
--- | --- | ---
Adtran AOS Compliance Checks | SSH | An option that allows a system or policy file to be specified to test Adtran AOS based devices against compliance standards.
Amazon AWS Compliance Checks | SSH | An option that allows a system to be specified to test the AWS account configuration against compliance standards.
Blue Coat ProxySG Compliance Checks | SSH | An option that allows a system to be specified to test Blue Coat ProxySG devices against compliance standards.
Brocade FabricOS Compliance Checks | | An option that allows a system or policy file to be specified to test Brocade FabricOS based devices against compliance standards.
Check Point GAiA Compliance Checks | SSH | An option that allows a system to be specified to test Check Point GAiA based devices against compliance standards.
Cisco IOS Compliance Checks | SSH | An option that allows a device or policy file to be specified to test Cisco IOS based devices against compliance standards. In addition to being able to upload your own .audit files, there are also DISA STIG and other best practices files available.
Citrix XenServer Compliance Checks | SSH | A commercial option that allows a system to be specified to test Citrix XenServers against compliance standards.
Database Compliance Checks | Database credentials | An option that allows a policy file to be specified to test databases such as DB2, SQL Server, MySQL, and Oracle against compliance standards.
Dell Force10 FTOS Compliance Checks | SSH | An option that allows a system or policy file to be specified to test Dell Force10 FTOS based devices against compliance standards.
Extreme ExtremeXOS Compliance Checks | SSH | An option that allows a system or policy file to be specified to test Extreme ExtremeXOS based devices against compliance standards.
FireEye Compliance Checks | SSH | An option that allows a system or policy file to be specified to test FireEye devices against compliance standards.
Fortigate FortiOS Compliance Checks | SSH | An option that allows a system or policy file to be specified to test Fortigate FortiOS based devices against compliance standards.
Huawei Compliance Checks | SSH | An option that allows a device or policy file to be specified to test Huawei VRP based devices against compliance standards.
HP ProCurve Compliance Checks | SSH | An option that allows a system or policy file to be specified to test HP ProCurve devices against compliance standards.
IBM iSeries Compliance Checks | IBM iSeries | An option that allows a policy file to be specified to test IBM iSeries systems against compliance standards.
Juniper Junos Compliance Checks | SSH | An option that allows a device or policy file to be specified to test Juniper Junos devices against compliance standards.
MongoDB Compliance Checks | MongoDB | An option that allows a system or policy file to be specified to test MongoDB systems against compliance standards.
NetApp Data ONTAP Compliance Checks | SSH | An option that allows a system or policy file to be specified to test NetApp Data ONTAP devices against compliance standards.
Palo Alto Networks PAN-OS Compliance Checks | PAN-OS | An option that allows a system to be specified to test Palo Alto Networks PAN-OS devices against compliance standards.
Red Hat Enterprise Virtualization Best Practices | RHEV | An option that allows a system to be specified to test Red Hat Enterprise Virtualization devices against compliance standards.
Salesforce | Salesforce SOAP API | An option that allows a system to be specified to test Salesforce applications against compliance standards.
SonicWALL SonicOS Compliance Checks | SSH | An option that allows a system or policy file to be specified to test SonicWALL SonicOS devices against compliance standards.
Unix Compliance Checks | SSH | An option that allows a policy file to be specified to test Unix systems against compliance standards.
Unix File Contents Compliance Checks | SSH | The “Unix File Contents Compliance Checks” menu allows users to upload Windows-based audit files that search a system for a specific type of content (e.g., source code errors, credit cards, Social Security numbers) to help determine compliance with corporate regulations or third-party standards.
VMware vCenter/vSphere Compliance Checks | VMware ESX SOAP API or VMware vCenter SOAP API | An option that allows a system to be specified to test VMware devices against compliance standards.
Windows Compliance Checks | Windows | An option that allows a policy file to be specified to test Windows systems against compliance standards.
Windows File Contents Compliance Checks | Windows | The “Windows File Contents Compliance Checks” menu allows users to upload Windows-based audit files that search a system for a specific type of content (e.g., credit cards, Social Security numbers) to help determine compliance with corporate regulations or third-party standards.
For more information on specific compliance policies, see the Tenable Network Security document, “Nessus Compliance
Checks”.
Offline Configuration Audit Policies
Tenable offers the ability to upload configuration policies directly to Nessus. This lets the user upload the configuration of a
critical device for auditing without requiring any access to the device itself, so the audited device stays online while its
configuration is audited.
Currently supported devices for offline configuration auditing are:
- Adtran AOS
- Blue Coat ProxySG Compliance Checks
- Brocade Fabric OS
- Cisco IOS
- Check Point GAiA Compliance Checks
- Dell Force10 FTOS
- Extreme ExtremeXOS
- FireEye
- HP ProCurve
- Huawei VRP
- Juniper Junos
- Netapp Data ONTAP
- SonicWALL SonicOS
PCI Policies
Tenable offers two Payment Card Industry Data Security Standard (PCI DSS) policies in Nessus: one for testing internal
systems and one for external scans. The external scan policy is available only via Nessus Enterprise Cloud. Nessus Enterprise
Cloud will test for all PCI DSS external scanning requirements, including web applications. The PCI Quarterly External Scan
is designed to help you meet PCI scan requirements by an Approved Scanning Vendor (ASV).
Nessus results can be used during PCI compliance assessment to demonstrate periodic and ongoing processes were
maintained throughout the assessment period as required by numerous PCI DSS requirements.
In order to submit a Nessus scan for PCI attestation, the scan must be conducted and submitted by Nessus
Enterprise Cloud.
PCI Policy | Description
--- | ---
PCI Quarterly External Scan | A Nessus Enterprise Cloud-only option that directs Nessus to compare scan results against PCI DSS standards.
Internal PCI Network Scan | Policy for performing an internal PCI DSS vulnerability scan.
SCAP Policies
NIST's Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in
government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.
For more information on SCAP, please visit the NIST Security Content Automation Protocol site.
SCAP compliance auditing requires sending an executable to the remote host. Systems running security software (e.g.,
McAfee Host Intrusion Prevention) may block or quarantine the executable required for auditing. For those systems, an
exception must be made for either the host or the executable sent.
Nessus has two SCAP compliance policies available to you with the commercial license:
SCAP Policy | Description
--- | ---
SCAP Windows Compliance Checks | A commercial option that allows commercial customers to upload SCAP zip files that will be used to determine if a tested Windows system meets the compliance standards as specified in SP 800-126.
SCAP Linux Compliance Checks | A commercial option that allows commercial customers to upload SCAP zip files that will be used to determine if a tested Linux system meets the compliance standards as specified in SP 800-126.
For more information on specific compliance policies, see the Tenable Network Security document, Nessus SCAP
Assessments.
Nessus Agent Templates
With Nessus Manager, you can create policies and scans for Nessus Agents.
Nessus Manager is the only Nessus product that can run Nessus Agents.
Nessus Agents currently run local scans and compliance checks on Windows. There are three types of Nessus Agent
Templates:
Windows Agent Policy | Description
--- | ---
Local Windows Scan | Run local check scans on Windows systems via the Windows Nessus Agents. The policies are limited to Windows local checks.
Windows Compliance Audit | Run compliance audits on Windows systems via the Windows Nessus Agents. The policies are limited to Windows compliance checks and Windows File Contents compliance checks.
Windows Malware Scan | Searches for malware on Windows systems via the Windows Nessus Agents. This is limited to Windows local checks focusing on malware.
Advanced Agent Scan | If none of the available policy templates match what is desired, the Advanced Agent Scan option allows you to create a policy with full control over all options from the beginning. The Advanced Agent scan contains all the plugins and policy items from both the Local Windows Scan and Windows Compliance Audit.
General Settings
The “General” setting enables you to name the policy and configure scan-related operations.
The “Basic” screen is used to define aspects of the policy itself. The options are under the headings “General” and
“Permissions”:
General Option | Description
--- | ---
Name | Sets the name that will be displayed in the Nessus UI to identify the policy.
Description | Provides a brief description of the scan policy, typically summarizing the overall purpose (e.g., “Web Server scans without local checks or non HTTP services”).
Nessus Manager provides granular control of access to the Agent policy. Permissions can be set by group or by user. The
“Default” entry sets the access for everyone who is not explicitly listed by user or group.
Permission | Description
--- | ---
Can Use | Other users can view and use the policy in their scans. They will not be able to edit the policy.
Can Edit | Can make changes to the policy and can use the policy.
No Access | Only the user who created the policy can view, use, or edit the policy.
Discovery Settings
The “Discovery” screen provides options for enabling port enumeration.
Option | Default | Description
--- | --- | ---
WMI (netstat) | Enabled | This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target. This scan is intended for Windows-based systems and requires authentication credentials.

A WMI based scan uses netstat to determine open ports, thus ignoring any port ranges specified. If any port enumerator
(netstat or SNMP) is successful, the port range becomes “all”. However, Nessus will still honor the “consider unscanned
ports as closed” option if selected.
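The WMI (netstat) enumerator described above works from the text output of `netstat -an` on the target, so the accuracy of "open ports" for an agent scan is the accuracy of that parse. The following added example (not Nessus code, and not its parser) shows the step over a constructed Windows `netstat -an` listing and adds the check a defender usually wants next: comparing the enumerated listeners against an expected set. The sample addresses and ports are made up.

```python
# Added example, not Nessus code: parse Windows "netstat -an" output into open
# ports, then diff the result against an allowlist. SAMPLE_NETSTAT is constructed.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     203.0.113.5:443        ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    [::1]:1900             *:*
"""


def parse_netstat(output: str) -> dict:
    """Return {"tcp": [...], "udp": [...]} of locally open ports.

    Only TCP sockets in LISTENING state count as open; an ESTABLISHED client
    connection's ephemeral port is not a service. UDP lines have no state column,
    so every bound UDP socket counts. The port is the text after the last ':' of
    the local address, which also copes with bracketed IPv6 addresses.
    """
    tcp, udp = set(), set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        port = int(parts[1].rsplit(":", 1)[1])
        if parts[0] == "TCP":
            if len(parts) >= 4 and parts[3] == "LISTENING":
                tcp.add(port)
        else:
            udp.add(port)
    return {"tcp": sorted(tcp), "udp": sorted(udp)}


def unexpected_listeners(enumerated: dict, allowed: dict) -> dict:
    """Ports present on the host but absent from the expected baseline, per protocol.

    `allowed` has the same shape as parse_netstat's result; anything not listed
    is reported so the scan result can be triaged against the host's role.
    """
    return {
        proto: sorted(set(enumerated.get(proto, [])) - set(allowed.get(proto, [])))
        for proto in ("tcp", "udp")
    }
```

Because a successful enumerator replaces the configured port range, a parse that silently drops a line (for example an IPv6 listener) drops that service from the whole assessment; the unit assertions below are the kind of regression check worth keeping for any such parser.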
Assessment Settings
The “Assessment” screen provides options for controlling Nessus Agent security assessments.
The following settings are under the General section. The “Accuracy” options allow for granular control of false alarm
reports and running thorough tests in a scan.
Option | Default | Description
--- | --- | ---
Override normal accuracy | Disabled | In some cases, Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to “Show potential false alarms” then a flaw will be reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of “Avoid potential false alarms” will cause Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. Not enabling “Override normal accuracy” is a middle ground between these two settings.
Perform thorough tests | Enabled | Causes various plugins to “work harder”. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially having better audit results.
The “Antivirus” options allow for controlling antivirus settings in the scan.

Antivirus definition grace period (in days)
  Configure the delay of the Antivirus software check for a set number of days (0-7). The “Antivirus Software Check” menu allows you to direct Nessus to allow for a specific grace time in reporting when antivirus signatures are considered out of date. By default, Nessus will consider signatures out of date regardless of how long ago an update was available (e.g., “a few hours ago”). This can be configured to allow for up to 7 days before reporting them out of date.
The “Windows” options allow you to fine tune the scope of Windows scans.
The following options affect the SMB scope for Windows targets:
Request information about the SMB Domain [Default: Enabled]
  If the option “Request information about the domain” is set, then domain users will be queried instead of local users.
The following settings set the ranges used when enumerating domain or local users:

Enumerate Domain Users [Default: Start UID: 1000, End UID: 1200]
  The “Enumerate Domain Users” menu specifies the SID range to use to perform a reverse lookup on usernames on the domain. The default setting is recommended for most scans.

Enumerate Local Users [Default: Start UID: 1000, End UID: 1200]
  The “Enumerate Local Users” menu specifies the SID range to use to perform a reverse lookup on local usernames. The default setting is recommended.
The “Malware” options allow you to specify a list of additional MD5 hashes that Nessus will use to scan a system for known malware, as well as a list of known good hashes to reduce false positives. This list is used by the plugin “Malicious Process Detection: User Defined Malware Running” (Plugin ID 65548), which functions like Tenable’s “Malicious Process Detection” (Plugin ID 59275).

Provide your own list of known bad MD5 hashes
  Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.
  It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description will show up in the scan results. Standard hash-delimited comments (e.g., #) can optionally be used in addition to the comma-delimited ones.

Provide your own list of known good MD5 hashes
  Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line.
  It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description will show up in the scan results. Standard hash-delimited comments (e.g., #) can optionally be used in addition to the comma-delimited ones.

Hosts file whitelist
  Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910, titled “Compromised Windows System (hosts File Check)”). This option allows you to upload a file containing a list of hostnames that will be ignored by Nessus during a scan. Include one hostname per line in a regular text file.
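Both hash-list uploads use the same file format. The following Python is an added example (not Tenable code): it parses that format, rejects malformed lines before they are uploaded, and shows how a known-good entry suppresses a known-bad match. The suppression rule, the function names and the sample lists are assumptions of this example, not documented plugin behaviour.

```python
import re

# Nessus expects one 32-hex-digit MD5 per line; we normalise to lowercase.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_hash_list(text):
    """Parse a user-defined MD5 list in the documented upload format.

    One MD5 per line; an optional description follows a comma; anything
    after '#' is a comment. Returns {md5: description}. A line that is
    neither blank, a comment nor a valid MD5 raises ValueError, so a
    malformed upload is caught instead of silently matching nothing.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop hash-delimited comments
        if not line:
            continue
        digest, _, description = line.partition(",")
        digest = digest.strip().lower()
        if not MD5_RE.match(digest):
            raise ValueError(f"line {lineno}: {digest!r} is not a 32-hex-digit MD5")
        entries[digest] = description.strip()
    return entries


def is_well_formed(text):
    """True if parse_hash_list() accepts the upload without error."""
    try:
        parse_hash_list(text)
        return True
    except ValueError:
        return False


def flag_processes(process_hashes, bad, good):
    """Flag process hashes that appear in the known-bad list.

    Assumption (not stated in the guide): a hash that also appears in the
    known-good list is treated as a false positive and is not flagged.
    Returns {md5: description} for the flagged processes.
    """
    flagged = {}
    for digest in process_hashes:
        digest = digest.lower()
        if digest in bad and digest not in good:
            flagged[digest] = bad[digest] or "(no description)"
    return flagged


# Constructed sample uploads. The digests are well-known test values (MD5 of
# the empty string and of a pangram) plus a placeholder, not real malware.
BAD_LIST = """\
# constructed known-bad list
d41d8cd98f00b204e9800998ecf8427e, empty-file placeholder
9E107D9D372BB6826BD81D3542A419D6 # pangram placeholder, no description
0123456789abcdef0123456789abcdef, also present in the good list
"""

GOOD_LIST = """\
# constructed known-good list: benign in this environment
0123456789abcdef0123456789abcdef, approved internal tool
"""

if __name__ == "__main__":
    bad, good = parse_hash_list(BAD_LIST), parse_hash_list(GOOD_LIST)
    # Constructed snapshot of running-process hashes.
    running = ["d41d8cd98f00b204e9800998ecf8427e",
               "0123456789abcdef0123456789abcdef",
               "ffffffffffffffffffffffffffffffff"]
    for digest, desc in flag_processes(running, bad, good).items():
        print(f"FLAGGED {digest}: {desc}")
```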
Report
The “Report” section affects report processing and output.
The “Report processing” options affect the overall plugin information to be included in a report.
Override normal verbosity [Default: Disabled]
  “I have limited disk space. Report as little information as possible” will provide less information about plugin activity in the report to minimize impact on disk space. “Report as much information as possible” will provide more information about plugin activity in the report.

Show missing patches that have been superseded [Default: Disabled]
  This option allows you to configure Nessus to include or remove superseded patch information in the scan report. This option is off by default, except for policies created using the Internal PCI Network Scan template in the Policy Library.

Hide results from plugins initiated as a dependency [Default: Enabled]
  If this option is checked, the list of dependencies is not included in the report. If you want to include the list of dependencies in the report, uncheck the box.
The “Report output” option affects the results of the report.
Allow users to edit scan results [Default: Enabled]
  This feature allows users to delete items from the report when checked. When performing a scan for regulatory compliance or other types of audits, uncheck this to show that the scan was not tampered with.
Advanced
The “Advanced” section contains a variety of configuration options to offer more granular control of how the Agent
operates.
The “General Settings” menu further controls how the scan logs:

Log Scan Details to Server [Default: Disabled]
  Save additional details of the scan to the Nessus server log (nessusd.messages), including plugin launch, plugin finish, or if a plugin is killed. The resulting log can be used to confirm that particular plugins were used and hosts were scanned.

Disable DNS Resolution [Default: Disabled]
  Disable DNS name resolution. This will ensure that agents will not rely on the network for completing scans.
Managing Policies
To view all of your custom policies, click on the “Policies” menu item at the top of your screen:
For organizational convenience, Nessus has two pre-set filters on the left side for “Advanced” and “Template” policies. Note
that these will not appear until you have at least one of each policy type:
Importing, Exporting, and Copying Policies
The “Upload” button on the Policies menu bar allows you to upload previously created policies to the scanner. Using the
native file browser box, select the policy from your local system and click on “Open”:
Clicking the checkbox on the selected policy from the scanner enables three options next to the “Upload” button. Those
options are “Copy”, “Download”, and “Delete”.
Clicking on “Download” will open the browser’s download dialog box, which allows you to open the policy in an external program (e.g., a text editor) or save the policy to the directory of your choice. Depending on the browser, the policy may be downloaded automatically.
Passwords and .audit files contained in a policy will not be exported.
If you want to create a policy similar to an existing policy with minor modifications, you can select the base policy in the list
and click on “Copy” on the menu bar. This will create a copy of the original policy that can be edited to make any required
modifications. This is useful for creating standard policies with minor changes as required for a given environment.
Scans
After creating a policy or using a template, you need to create a scan. A scan provides the name of the scan, description of the
scan, folder for storing the scan, scanners or agents to use, and target information.
Creating, Launching, and Scheduling a Scan
The default Nessus UI folder for scans is the My Scans folder, which cannot be deleted.
Any scan that has not been viewed but has been run will be shown in bold in the folder. Additionally, the number of new scans
is printed next to the folder.
Nessus DB format is an encrypted proprietary format. Note that the Nessus DB format contains all the possible data about a scan, including but not limited to the results, the audit trails, and attachments.
The following scan statuses are available in the scan list table:

Completed
  The scan is fully finished.
Running
  The scan is currently in progress.
Canceled
  The user stopped the scan before the end.
Aborted
  The scan has been aborted due to an invalid target list or a server error (e.g., reboot, crash).
Imported
  The scan has been imported using the upload functionality.
These statuses only apply to new scans. Old scans are all considered “Completed” and cannot be run. Scans with the same
status can be listed through the virtual folders on the left navigation panel.
Configuring a Scan
After creating or selecting a policy, create a new scan by clicking on the “Scans” option on the menu bar at the top and then
click on the “+ New Scan” button on the left. This will take you to the new policies process, defined in the Policy creation
section.
There is no need to create a policy first. Clicking on “New Scan” allows you to use a default template or create a
policy based on a template. Note that this screen will display both Default Templates and User Created
Templates.
This allows you to create a new policy by selecting one of the Scanner Templates or Agent Templates, or to select one of the User Created Policies that you have already created.
After creating or configuring a new policy, the “New Scan” screen will be displayed:
Under the “General” tab, there are fields to enter the scan target:

Name [Default: none]
  Sets the name that will be displayed in the Nessus UI to identify the scan.
Description [Default: none]
  Optional field for a more detailed description of the scan.
Folder [Default: My Scans]
  The Nessus UI folder to store the scan results.
Dashboard [Default: Enabled]
  Enable or disable scan dashboards. Dashboards are enabled for all new scans by default. However, they are disabled on existing or imported scans unless you enable them.
Scanner [Default: Local Scanner]
  Which Nessus scanner performs the scan. This will provide multiple options if you have configured additional Nessus scanners to be secondary to this one.
Targets [Default: none]
  Targets can be entered by single IP address (e.g., 192.168.0.1), IP range (e.g., 192.168.0.1-192.168.0.255), subnet with CIDR notation (e.g., 192.168.0.0/24), resolvable host (e.g., www.nessus.org), or a single IPv6 address (e.g., link6%eth0, fe80::212:17ff:fe57:333b, fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0).
Upload Targets [Default: none]
  A text file with a list of hosts can be imported by clicking on “Add File” and selecting a file from the local machine.
Only the local scanner can be used with Nessus Professional.
The host file must be formatted as ASCII text with one host per line and no extra spaces or lines. Unicode/UTF-8
encoding is not supported.
Example host file formats:

Individual hosts:
  192.168.0.100
  192.168.0.101
  192.168.0.102

Host range:
  192.168.0.100-192.168.0.102

Host CIDR block:
  192.168.0.1/24

Virtual servers:
  www.tenable.com[192.168.1.1]
  www.nessus.org[192.168.1.1]
  www.tenablesecurity.com[192.168.1.1]

IPv6 addresses:
  link6
  fe80::212:17ff:fe57:333b
  fe80:0000:0000:0000:0216:cbff:fe92:88d0

IPv6 addresses with the zone index in Unix-based operating systems (e.g., Linux, FreeBSD):
  link6%eth0
  fe80::212:17ff:fe57:333b%dc0
  fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0

IPv6 addresses with the zone index in Windows operating systems:
  link6%23
  fe80::212:17ff:fe57:333b%1
  fe80:0000:0000:0000:0216:cbff:fe92:88d0%6
Depending on your scan settings such as “max hosts” or “max checks per host”, this may cause virtual hosts to be
throttled as Nessus views them as the same IP address. On non-Windows hosts, Nessus administrators can add a
custom advanced setting named multi_scan_same_host and set it to yes. This will allow the scanner to
perform multiple scans against the same IP address. Note that on Windows, the PCAP driver does not allow this
regardless of Nessus configuration. This functionality is available in Nessus 5.2.0 and later.
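As an added example (not Tenable code), the following Python checks a target upload against the rules and formats listed above (ASCII only, one host per line, no stray whitespace or blank lines) and counts virtual-server entries that share one IP address, which is the situation the throttling note describes. The function names and the sample file are this example's own; it assumes a “%zone” suffix is only meaningful on IPv6 entries.

```python
import ipaddress
import re
from collections import Counter

# RFC 1123 hostname labels: enough to tell a hostname from a typo.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Virtual server entry, e.g. www.nessus.org[192.168.1.1]
VHOST_RE = re.compile(r"^([^\[\]\s]+)\[([^\[\]\s]+)\]$")
# IPv4 range, e.g. 192.168.0.100-192.168.0.102
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def classify_target(entry):
    """Classify one target line; raise ValueError if it matches no format.

    Returns (kind, canonical): kind names the documented format, canonical
    is the value used to spot entries that resolve to the same IP.
    """
    addr, _, zone = entry.partition("%")            # split off an IPv6 zone index
    if addr == "link6":                             # link-local shorthand from the guide
        return "ipv6", entry
    m = VHOST_RE.match(entry)
    if m:
        if not HOSTNAME_RE.match(m.group(1)):
            raise ValueError(f"bad virtual server name: {entry!r}")
        return "vhost", str(ipaddress.ip_address(m.group(2)))
    if "/" in entry:
        return "cidr", str(ipaddress.ip_network(entry, strict=False))
    if ":" in addr:                                 # IPv6, zone index optional
        return "ipv6", str(ipaddress.IPv6Address(addr))
    if zone:
        raise ValueError(f"zone index is only valid on IPv6 entries: {entry!r}")
    m = RANGE_RE.match(entry)
    if m:
        lo, hi = (ipaddress.IPv4Address(g) for g in m.groups())
        if lo > hi:
            raise ValueError(f"range start is above its end: {entry!r}")
        return "ipv4-range", entry
    try:
        return "ipv4", str(ipaddress.IPv4Address(entry))
    except ipaddress.AddressValueError:
        pass
    if HOSTNAME_RE.match(entry):
        return "hostname", entry
    raise ValueError(f"unrecognised target: {entry!r}")


def validate_host_file(data):
    """Validate a target upload against the constraints stated in the guide:
    ASCII only (no Unicode/UTF-8), one host per line, no extra spaces or
    blank lines. Returns [(lineno, kind, canonical)] or raises ValueError."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError(f"file is not ASCII at byte offset {exc.start}") from None
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line != line.strip():
            raise ValueError(f"line {lineno}: blank line or stray whitespace")
        kind, canonical = classify_target(line)
        results.append((lineno, kind, canonical))
    return results


def is_valid_host_file(data):
    """True if validate_host_file() accepts the upload."""
    try:
        validate_host_file(data)
        return True
    except ValueError:
        return False


def shared_ip_report(results):
    """Entries that resolve to one IP (several virtual servers on 192.168.1.1,
    say); the max hosts / max checks settings may throttle these as a single
    host, as the note above explains. Returns {ip: entry_count} for ips > 1."""
    counts = Counter(c for _, kind, c in results if kind in ("ipv4", "vhost"))
    return {ip: n for ip, n in counts.items() if n > 1}


# Constructed upload exercising each documented format (not a real target list).
SAMPLE_HOST_FILE = b"""\
192.168.0.100
192.168.0.100-192.168.0.102
192.168.0.1/24
www.tenable.com[192.168.1.1]
www.nessus.org[192.168.1.1]
link6%eth0
fe80::212:17ff:fe57:333b%dc0
fe80:0000:0000:0000:0216:cbff:fe92:88d0%6
"""

if __name__ == "__main__":
    rows = validate_host_file(SAMPLE_HOST_FILE)
    for lineno, kind, canonical in rows:
        print(f"{lineno:>3} {kind:<10} {canonical}")
    print("entries sharing an IP:", shared_ip_report(rows))
```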
In Nessus Manager and Nessus Enterprise Cloud, you can configure granular permissions on the scan:
The “Permissions” functionality affects which users have permissions to access or configure the scan:
No Access
  Only the user who created the policy can view, use, or edit the policy.
Can View
  Other users can view the scan results. They will not be able to control or configure the scan.
Can Control
  Other users can control the scan (launch, pause, and stop) and view the scan results. They will not be able to configure the scan.
Can Configure
  Other users can control the scan and configure the scan settings. They cannot delete the scan.
Configuring a Scan with Nessus Agents
With Nessus Manager, you can also run scans with Nessus Agents.
Name [Default: none]
  Sets the name that will be displayed in the Nessus UI to identify the scan.
Description [Default: none]
  Optional field for a more detailed description of the scan.
Folder [Default: My Scans]
  The Nessus UI folder to store the scan results.
Dashboard [Default: Enabled]
  Enable or disable scan dashboards. Dashboards are enabled for all new scans by default. However, they are disabled on existing or imported scans unless you enable them.
Agent Groups [Default: none]
  Which Nessus Agent group performs the scan. This will provide multiple options if you have configured additional Nessus Agent groups to be used for the scan.
Scan Window [Default: 1 hour]
  The amount of time the Nessus Agent has to report back to the Nessus Manager. If you click Custom, you can set the number of minutes the Nessus Agent has to return its scan results.
Under the “Schedule” tab, there is a drop-down menu that controls when the scan will be launched. Note that Launch this
scan immediately is enabled by default.
To enable scheduling, toggle the Enable Schedule switch:
The schedule options are as follows:

On Demand
  Configure the scan so it can be manually launched at any time. Select the checkbox “Launch this scan immediately” to launch the scan now; it is enabled by default.
Once
  Schedule the scan at a specific time.
Daily
  Schedule the scan to occur on a daily basis, at a specific time, or to repeat up to every 20 days.
Weekly
  Schedule the scan to occur on a recurring basis, by time and day of week, for up to 20 weeks.
Monthly
  Schedule the scan to occur every month, by time and day or week of month, for up to 20 months.
Yearly
  Schedule the scan to occur every year, by time and day, for up to 20 years.
Under the “Email Notifications” tab, you can optionally configure email addresses that will be notified of scan completion via email. The recipients are listed individually, separated by a newline. The filters will affect what is displayed in the email. For example, if you only want to see critical plugins in the email, they will be the ones to display.

This functionality requires that a Nessus administrator configure the SMTP settings. For more information on configuring SMTP settings, consult the “Nessus 6.3 Installation and Configuration Guide”. If you have not configured these settings, Nessus will warn you that they must be set for the functionality to work.

For Nessus Agents, you can configure granular permissions on the scan:

The “Permissions” functionality affects which users have permissions to access or configure the scan:

No Access
  Only the user who created the policy can view, use, or edit the policy.
Can View
  Other users can view the scan results. They will not be able to control or configure the scan.
Can Control
  Other users can control the scan (launch, pause, and stop) and view the scan results. They will not be able to configure the scan.
Can Configure
  Other users can control the scan and configure the scan settings. They cannot delete the scan.
Managing Scans
Once a scan is created, it can be accessed via the “More” menu at the top. From here, you can toggle the scan’s read status by Mark as Unread or Mark as Read. Additionally, selecting “Configure” allows you to manage scans, including their schedules and settings, and update them as required:
Note that if you have a scan selected that was created on this instance of Nessus, you can also run the control commands from the “More” menu.
If a scheduled scan is selected, you have the ability to disable it from the “More” menu:
After you have entered the scan information, click “Save”. After submitting, the scan will begin immediately (if “Launch this
scan immediately” was selected) before the display is returned to the general “Scans” page. The top menu bar will also
update the number overlaying the “Scans” button to indicate how many total scans are unread.
Once a scan has launched, the “Scans” list will display a list of all scans currently running or paused, along with basic
information about the scan. While a scan is running, a pause and stop button are on the left to change the status:
After selecting a particular scan on the list via the checkbox on the left, the “More” and “Move To” buttons on the top right
will allow you to perform further actions including the ability to rename, manipulate scan status, mark as read, or move it to a
different folder.
Creating and Managing Scan Folders
Scans can be organized into folders. On the left are two default folders, My Scans and Trash. By default, all new scans will
appear in the My Scans virtual folder. Additional folders can be created via the “New Folder” option on the left and
subsequent pop-up window, shown below:
Folders can be renamed or deleted by mousing over a folder to bring up a drop-down arrow, and clicking on it:
Scans in the “Trash” folder will be deleted automatically after 30 days. They can be deleted at any time by
individually deleting, or selecting “Empty Trash” at the top.
To move scan results between folders, select the scan by checking the box to the left. Once checked, additional drop-down
menus will appear at the top. One provides “More” options including rename and marking a scan read or unread. The second
allows you to move the scan to the desired folder.
Scan Results and Reports
Nessus has an extensive interface for viewing scan results and generating reports. Additionally, you can reconfigure a scan,
launch an audit trail, launch scans, or export results while viewing the reports.
Browse Scan Results
The scan results are displayed with the title, the date of the current results, the navigation bar, and the scan results. Above
the scan results, there are four buttons for working with the scan result:
Configure
  Navigates you back to the scan settings.
Audit Trail
  Pulls up the audit trail dialogue. Audit trails are covered later in this section.
Launch
  Pulls up two choices to launch a scan: Default and Custom. The custom option allows you to define different targets for the scan, where default will run the scan with the predefined targets.
Export
  Allows you to save the scan result in one of four formats: Nessus (.nessus), HTML, CSV, or Nessus DB. Exporting scan results is covered later in this section.
If you scan more hosts than your license allows, Nessus will display a warning directing you to contact Tenable to obtain
more licenses by selecting “click here”:
Dashboards
Nessus Manager can display dashboards for scan results. Dashboards present a graphical summary of a scan, including: current vulnerabilities by severity and total, vulnerabilities by operating system, vulnerabilities by severity, and a comparison of hosts scanned with and without credentials.
When first running a scan, the dashboard will display the vulnerability count over time and top vulnerabilities discovered:
If there are multiple scan results, the Top Hosts chart will be replaced with Vulnerabilities over Time:
If a scan includes compliance results, you will see toggle arrows above the totals:
You will also see the toggle arrows next to Top Vulnerabilities:
If you mouse over either set of the toggle arrows, you will see text that states that navigation will take you to vulnerability
counts or compliance counts dashboard:
Compliance results will look something like this:
Scan dashboards are only available for completed scans. Uploaded scans do not have dashboards enabled by default.
Scan results can be navigated by vulnerabilities or hosts, displaying ports and specific vulnerability information. The default
view/tab is by host summary, which shows a list of hosts with a color-coded vulnerability summary per host:
The Nessus Agent scan results can be navigated the same way as the Nessus scanners:
Note that if you exceed your license by scanning more hosts than allotted, the policy will display a warning:
From the “Hosts” summary view, each summary will contain details about the vulnerability or informational findings, as well
as Host Details that provide general information about the host scanned. If “Allow Post-Scan Report Editing” was selected
in the scan policy, a host can be deleted from the scan results by selecting the delete icon to the right of Host Details.
To quickly change between hosts after you have already selected one, click on the host via the navigation flow at the top to
display a drop-down menu of other hosts. If there are numerous hosts, a search box will be available for quick host location:
Clicking on a vulnerability via the “Hosts” or “Vulnerabilities” tab will display vulnerability information including a
description, solution, references, and any available plugin output. Plugin Details will be displayed on the right providing
additional information about the plugin and associated vulnerability. From this screen, the pen icon to the right of Plugin
Details can be used to modify the displayed vulnerability:
Clicking on the pen icon will display a dialog as shown below:
The host input in the Modify Vulnerability dialogue only shows when you choose to modify a vulnerability under
a host, not from the vulnerability overview list.
The severity drop-down menu will enable you to re-classify the severity rating of the vulnerability in question, and also to
hide it from the report:
Once the change is made, clicking “Save” will save the change and apply it to the vulnerability in question. In addition, the
modification can be applied to all future reports by clicking the option. Doing so will bring up a dialog box allowing you to set
an optional expiration date for the modification rule:
An expiration date can be selected using the calendar. Upon that date, the specified modification rule will no longer be
applied to that finding.
Note that global rules for recasting plugin risk/severity can be established in the “User Profile” -> “Plugin Rules” area within
Nessus.
The severity ratings are derived from the associated CVSS score, where 0 is “Info”, less than 4 is “Low”, less than
7 is “Medium”, less than 10 is “High”, and a CVSS score of 10 will be flagged “Critical”.
Selecting the “Vulnerabilities” tab at the top will switch to the Vulnerability View. This will sort the results by vulnerabilities
rather than hosts, and include the number of hosts affected to the right. Selecting a vulnerability will provide the same
information as before, but also include a list of affected hosts at the bottom, along with relevant output for each host.
In cases where one host has multiple findings on different ports, the results will be broken down by host and further broken
down by port:
Clicking on an affected host at the bottom will load the host-based view of vulnerabilities.
Compliance Results
If a scan is initiated that uses a compliance policy, the results will be found on a separate tab at the top called “Compliance”:
In addition to the Hosts and Vulnerabilities tabs, Nessus offers three additional tabs. The first is a Remediations tab that
provides summary information to remediate major issues that have been discovered. This advice is intended to provide you
with the most effective mitigation that will significantly reduce the risk posed by vulnerabilities:
The second tab is called Notes and offers advice to enhance your scan results or contains warnings:
The third tab is called “History” and lists each run of the scan by start time, end time, and status. To view an earlier scan
result, select it in the list. The “current” indicator updates to show which scan result you are viewing.
Report Filters
Nessus offers a flexible system of filters to assist in displaying specific report results. Filters can be used to display results
based on any aspect of the vulnerability findings. When multiple filters are used, more detailed and customized report views
can be created.
The first filter type is a simple text string entered into the “Filter Vulnerabilities” box on the upper right. As you type, Nessus
will immediately begin to filter the results based on your text and what it matches in the titles of the findings. The second
filter type is more comprehensive and allows you to specify more details. To create this type of filter, begin by clicking on the
down arrow on the right side of the “Filter Vulnerabilities” box. Filters can be created from any report tab. Multiple filters
can be created with logic that allows for complex filtering. A filter is created by selecting the plugin attribute, a filter
argument, and a value to filter on. When selecting multiple filters, specify the keyword “Any” or “All” accordingly. If “All” is
selected, then only results that match all filters will be displayed:
Once a filter has been set, it can be removed individually by clicking the icon to the right of it. Additionally, all filters can be
removed at the same time by selecting “Clear Filters”. The report filters allow for a wide variety of criteria for granular
control of results. The following filter attributes are offered only if they occur in the scan results; an attribute that is
absent from the results is suppressed from the filter list for convenience:
Plugin ID: Filter results if Plugin ID “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., 42111).
Plugin Description: Filter results if Plugin Description “contains” or “does not contain” a given string (e.g., “remote”).
Plugin Name: Filter results if Plugin Name “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “windows”).
Plugin Family: Filter results if Plugin Family “is equal to” or “is not equal to” one of the designated Nessus plugin families. The possible matches are provided via a drop-down menu.
Plugin Output: Filter results if Plugin Output “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “PHP”).
Plugin Type: Filter results if Plugin Type “is equal to” or “is not equal to” one of the two types of plugins: local or remote.
Solution: Filter results if the plugin Solution “contains” or “does not contain” a given string (e.g., “upgrade”).
Synopsis: Filter results if the plugin Synopsis “contains” or “does not contain” a given string (e.g., “PHP”).
Hostname: Filter results if the host “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “192.168” or “lab”).
Port: Filter results based on whether a port “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “80”).
Protocol: Filter results if a protocol “is equal to” or “is not equal to” a given string (e.g., “http”).
CPE: Filter results based on whether the Common Platform Enumeration (CPE) “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “Solaris”).
CVSS Base Score: Filter results based on whether a CVSS base score “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “5”). This filter can be used to select by risk level. The severity ratings are derived from the associated CVSS score, where 0 is “Info”, less than 4 is “Low”, less than 7 is “Medium”, less than 10 is “High”, and a CVSS score of 10 is flagged “Critical”.
CVSS Temporal Score: Filter results based on whether a CVSS temporal score “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “3.3”).
CVSS Temporal Vector: Filter results based on whether a CVSS temporal vector “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “E:F”).
CVSS Vector: Filter results based on whether a CVSS vector “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “AV:N”).
Vulnerability Publication Date: Filter results based on whether a vulnerability publication date is “earlier than”, “later than”, “on”, “not on”, “contains”, or “does not contain” a string (e.g., “01/01/2012”). Note: Pressing the button next to the date will bring up a calendar interface for easier date selection.
Patch Publication Date: Filter results based on whether a vulnerability patch publication date “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “12/01/2011”).
Plugin Publication Date: Filter results based on whether a Nessus plugin publication date “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “06/03/2011”).
Plugin Modification Date: Filter results based on whether a Nessus plugin modification date “is less than”, “is more than”, “is equal to”, “is not equal to”, “contains”, or “does not contain” a string (e.g., “02/14/2010”).
CVE: Filter results based on whether a CVE reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “2011-0123”).
Bugtraq ID: Filter results based on whether a Bugtraq ID “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “51300”).
CERT Advisory ID: Filter results based on whether a CERT Advisory ID (now called Technical Cyber Security Alert) “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “TA12-010A”).
OSVDB ID: Filter results based on whether an Open Source Vulnerability Database (OSVDB) ID “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “78300”).
Secunia ID: Filter results based on whether a Secunia ID “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “47650”).
Exploit Database ID: Filter results based on whether an Exploit Database ID (EDB-ID) reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “18380”).
Metasploit Name: Filter results based on whether a Metasploit name “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “xslt_password_reset”).
Exploited by Malware: Filter results based on whether the vulnerability being exploitable by malware “is equal to” or “is not equal to” true or false.
IAVA: Filter results based on whether an IAVA reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., 2012-A-0008).
IAVB: Filter results based on whether an IAVB reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., 2012-B-0008).
IAVM Severity: Filter results based on the IAVM severity level (e.g., IV).
IAVT: Filter results based on whether an IAVT reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., 2012-T-0008).
See Also: Filter results based on whether a Nessus plugin “see also” reference “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “seclists.org”).
Risk Factor: Filter results based on the risk factor of the vulnerability (e.g., Low, Medium, High, Critical).
Exploits Available: Filter results based on the vulnerability having a known public exploit.
Exploitability Ease: Filter results based on whether the exploitability ease “is equal to” or “is not equal to” one of the following values: “Exploits are available”, “No exploit is required”, or “No known exploits are available”.
Metasploit Exploit Framework: Filter results based on whether the presence of an exploit for the vulnerability in the Metasploit Exploit Framework “is equal to” or “is not equal to” true or false.
CANVAS Exploit Framework: Filter results based on whether the presence of an exploit in the CANVAS exploit framework “is equal to” or “is not equal to” true or false.
CANVAS Package: Filter results based on which CANVAS exploit framework package an exploit exists for. Options include CANVAS, D2ExploitPack, or White_Phosphorus.
CORE Exploit Framework: Filter results based on whether the presence of an exploit in the CORE exploit framework “is equal to” or “is not equal to” true or false.
Elliot Exploit Framework: Filter results based on whether the presence of an exploit in the Elliot exploit framework “is equal to” or “is not equal to” true or false.
Elliot Exploit Name: Filter results based on whether an Elliot exploit name “is equal to”, “is not equal to”, “contains”, or “does not contain” a given string (e.g., “Typo3 FD”).
ExploitHub: Filter results based on whether the presence of an exploit on the ExploitHub web site “is equal to” or “is not equal to” true or false.
When using a filter, the string or numeric value can be comma delimited to filter on multiple values. For example, to restrict
the results to web servers, create a “Port” filter, select “is equal to”, and enter “80,443,8000,8080”. This will show only
results associated with those four ports.
Filter criteria are not case sensitive.
If a filter option is not available, it means that the report contains nothing that meets the criteria. For example, if
“Microsoft Bulletin” is not on the filter dropdown list, then no vulnerabilities were found that reference a
Microsoft Bulletin.
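The filter semantics described above (the operators, comma-delimited alternatives, case-insensitive matching, and the “Any”/“All” combination) reimplemented in Python as an added example. This is not Tenable code and does not talk to the Nessus UI; it runs over a constructed list of findings whose keys mirror the guide's filter attributes, and the hostnames and plugin names in that list are made up. It also covers the numeric “is less than”/“is more than” operators that the date and CVSS filters use.

```python
"""Nessus report-filter semantics applied to a constructed set of findings.

Added example, not Tenable code. FINDINGS is constructed; attribute keys are
the guide's filter attributes in snake_case, and the plugin names are made up.
"""
from typing import Dict, List, Optional, Sequence, Tuple

Finding = Dict[str, str]
Filter = Tuple[str, str, str]  # (attribute, operator, value)

FINDINGS: List[Finding] = [
    {"hostname": "192.168.1.10", "port": "80", "protocol": "tcp",
     "plugin_name": "Web Server Banner Detection", "cvss_base_score": "0",
     "risk_factor": "None", "exploits_available": "false"},
    {"hostname": "192.168.1.10", "port": "443", "protocol": "tcp",
     "plugin_name": "Outdated PHP Version Detection", "cvss_base_score": "7.5",
     "risk_factor": "High", "exploits_available": "true"},
    {"hostname": "192.168.1.20", "port": "445", "protocol": "tcp",
     "plugin_name": "Windows SMB Null Session Enumeration", "cvss_base_score": "5",
     "risk_factor": "Medium", "exploits_available": "false"},
    {"hostname": "lab-db01", "port": "8080", "protocol": "tcp",
     "plugin_name": "Web Application Test Page Found", "cvss_base_score": "2.6",
     "risk_factor": "Low", "exploits_available": "false"},
    {"hostname": "lab-db01", "port": "3306", "protocol": "tcp",
     "plugin_name": "MySQL Server Detection", "cvss_base_score": "0",
     "risk_factor": "None", "exploits_available": "false"},
]


def _as_number(text: str) -> Optional[float]:
    """Numeric value of a filter operand, or None when it is not numeric."""
    try:
        return float(text)
    except ValueError:
        return None


def _split_values(value: str) -> List[str]:
    """Comma-delimited filter values are alternatives ("80,443,8000,8080")."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def matches(actual: str, operator: str, wanted: str) -> bool:
    """Evaluate one filter: case-insensitive, comma-delimited alternatives,
    negated operators derived from their positive counterparts."""
    actual_lc = actual.lower()
    options = _split_values(wanted)
    if operator == "is not equal to":
        return not matches(actual, "is equal to", wanted)
    if operator == "does not contain":
        return not matches(actual, "contains", wanted)
    if operator == "is equal to":
        # "5" should match a stored "5.0": compare numerically when both sides are numbers.
        num = _as_number(actual_lc)
        return any(actual_lc == o or (num is not None and _as_number(o) == num)
                   for o in options)
    if operator == "contains":
        return any(o in actual_lc for o in options)
    if operator in ("is less than", "is more than"):
        num = _as_number(actual_lc)
        if num is None:
            return False
        bounds = [b for b in map(_as_number, options) if b is not None]
        if operator == "is less than":
            return any(num < b for b in bounds)
        return any(num > b for b in bounds)
    raise ValueError(f"unsupported operator: {operator}")


def apply_filters(findings: Sequence[Finding], filters: Sequence[Filter],
                  match: str = "All") -> List[Finding]:
    """Combine filters with "All" (every filter must match) or "Any" (at least one).
    An attribute absent from a finding is treated as an empty string; with no
    filters at all, every finding is shown, as when "Clear Filters" is used."""
    if match not in ("All", "Any"):
        raise ValueError('match must be "All" or "Any"')
    combine = all if match == "All" else any
    return [f for f in findings
            if combine(matches(f.get(attr, ""), op, val) for attr, op, val in filters)]


def web_servers(findings: Sequence[Finding]) -> List[str]:
    """The guide's example: restrict the report to the usual web ports."""
    hits = apply_filters(findings, [("port", "is equal to", "80,443,8000,8080")])
    return [f"{f['hostname']}:{f['port']}" for f in hits]


def exploitable_medium_or_higher(findings: Sequence[Finding]) -> List[str]:
    """"All": Medium/High/Critical risk and a public exploit available."""
    hits = apply_filters(findings, [
        ("risk_factor", "is equal to", "medium,high,critical"),  # case-insensitive
        ("exploits_available", "is equal to", "true"),
    ], match="All")
    return [f["plugin_name"] for f in hits]


def lab_or_smb(findings: Sequence[Finding]) -> List[str]:
    """"Any": hostname contains "lab" or the port is 445."""
    hits = apply_filters(findings, [("hostname", "contains", "lab"),
                                    ("port", "is equal to", "445")], match="Any")
    return [f"{f['hostname']}:{f['port']}" for f in hits]


if __name__ == "__main__":
    print(web_servers(FINDINGS))
    print(exploitable_medium_or_higher(FINDINGS))
    print(lab_or_smb(FINDINGS))
```

Note that the negated operators are the complement of their positive forms, so “is not equal to” with a comma-delimited list keeps only findings that match none of the listed values.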
As a filter is created, the scan results will be updated to reflect the new filter criteria after selecting “Apply”. The down arrow in
the “Filter Vulnerabilities” box will change to a numeric representation of how many filters are currently being applied.
Once the results have been filtered to provide the data set you want, click “Export Results” to export just the filtered results.
To receive a report with all of the results, remove all filters and use the export feature.
Nessus scan results provide a concise list of plugins that detected issues on the host. However, there are times when you
may want to know why a plugin did not return results. The “Audit Trail” functionality provides this information. Begin by
clicking “Audit Trail” located on the upper right-hand side:
This will bring up the Audit Trail dialog box. Enter the ID of the plugin you want to know more about. Click “Search” and the
host or list of hosts that relate to your query will be displayed. Optionally, you can supply a host IP with the initial query to
limit the results to a target of interest. Once the host(s) are displayed, click on one to display information about why the
plugin did not fire:
Due to the resources required for the audit trail, there are cases where only a partial audit trail will be provided.
For a single scanned host, the full audit trail is available. If between 2 and 512 hosts are scanned, a full audit trail
is only available if the Nessus server has more than 1 CPU and 2 GB of RAM. Scanning over 512 hosts will always
result in a partial audit trail.
The audit trail is only available for scans originated on the host. It does not work on imported scans.
Report Screenshots
Nessus also has the ability to take screenshots during a vulnerability scan and include them in a report. For example, if
Nessus discovers VNC running without a password to restrict access, a screenshot of the session will be taken and
included in the report. In the example below, a VNC server was discovered whose login screen shows the administrator
logged in to the system:
This feature must be enabled in the “Scan Web Applications” section of a scan policy, under “General”.
Scan Knowledge Base
A Knowledge Base (KB) is saved with every scan performed. This is an ASCII text file containing a log of information relevant
to the scan performed and results found. A KB is often useful during cases where you need support from Tenable, as it allows
Support staff to understand exactly what Nessus did, and what information was found.
To download a KB, select a report and then a specific host. To the right of the host name or IP there is a link titled “Host
Details”. Click on this and one of the host details is “KB” with a “Download” link:
Only scans performed on the host will have an associated KB. Imported scans do not carry the KB with them.
Compare the Results (Diff)
With Nessus, you can compare two scan reports against each other to display any differences. The ability to show scan
differentials helps to point out how a given system or network has changed over time. This helps in compliance analysis by
showing how vulnerabilities are being remediated, if systems are patched as new vulnerabilities are found, or how two scans
may not be targeting the same hosts.
To compare reports, begin by selecting a scan from the “Scans” list, click on “History”, check the reports you wish to compare,
and select “Diff” from the upper right corner:
Nessus compares the first report selected with the second and lists the results that differ from the first. The compare
feature shows what is new since the baseline (i.e., the first report selected); it does not produce a symmetric differential of
any two reports. This comparison highlights which vulnerabilities have been found or remediated between the two scans.
In the example above, “DMZ Network Scan” is an unauthenticated scan of a DMZ, performed several times.
The Diff report displays the differences, highlighting vulnerabilities that were not present in the October 1 scan:
Managing Reports
Nessus provides ways of managing your scan reports.
Uploading and Exporting Reports
Scan results can be exported from one Nessus scanner and imported to a different Nessus scanner. The “Upload” and
“Export” features facilitate better scan management, report comparison, report backup, and communication between groups
or organizations within a company.
Users can build their own report from chapters: Host Summary (Executive), Vulnerabilities by Host, Compliance Check
(Executive), Suggested Remediations, Vulnerabilities by Plugin, or Compliance Check. HTML is supported by default; on
Unix scanner hosts with Oracle Java installed, reports can also be exported as PDF. The other supported formats are CSV
and the Nessus DB. By combining the report filters with the export feature, users can create dynamic reports of their own
choosing instead of selecting from a fixed list.
Nessus DB format is an encrypted proprietary format. Note that the Nessus DB includes all the possible data
about a scan, including but not limited to the results, the audit trails, and attachments.
To export a scan, begin by selecting a specific scan from the “Scans” screen. The next screen is the report, and then click on
the “Export” drop-down at the top, and choose the format you want.
Only compliance scans performed with Nessus can be exported to PDF or HTML formats with compliance
chapters. Imported scans from previous versions of Nessus will not export in that manner.
Reports can be downloaded in several formats. Note that some formats will not allow chapter selection and include all
information.
.nessus: An XML-based format and the de-facto standard in Nessus 4.2 and later. This format uses an expanded set of XML
tags to make extracting and parsing information more granular. This report does not allow chapter selection.
Nessus DB: A proprietary encrypted database format used in Nessus 5.2 and later that contains all the information in a
scan, including the audit trails and results. When exporting to this format, you will be prompted for a password to encrypt
the results of the scan.
HTML: A report generated using standard HTML that allows chapter selection. This report will open in a new tab in your
browser.
PDF: A report generated in PDF format that allows chapter selection. Depending on the size of the report, PDF generation
may take several minutes. Oracle Java (formerly Sun Microsystems’ Java) is required for PDF report functionality on Unix
based systems.
CSV: A comma-separated values (CSV) export that can be used to import into many external programs such as databases,
spreadsheets, and more. This report does not allow chapter selection.
After selecting a format, your standard web browser “Save File” dialog will be displayed, allowing you to save the scan results
to the location of your choice.
HTML and PDF Customization
For HTML and PDF formats, Nessus will display a dropdown that will let you choose an Executive Summary or Custom
report:
The custom drop-down allows you to specify the information to be included. This includes the vulnerabilities and
remediation data, and how to group the information (by host or by plugin):
Note that a compliance scan will show different export options under a custom report:
To import a report, click on the “Upload” button on the top bar of the “Scans” screen to open a file browse window:
Select the .nessus scan file you want to import and click on “Open”. Nessus will parse the information and make it available
in the “Scans” interface.
Nessus File Formats
Nessus uses two specific file formats (.nessus and .db) for scan export and import. The .nessus format has the following
advantages:
- XML based, for easy forward and backward compatibility, and easy implementation.
- Self-sufficient: a single .nessus file contains the list of targets, the policies defined by the user, as well as the scan
  results themselves.
- Secure: Passwords are not saved in the file. Instead, a reference to a password stored in a secure location on the
  local host is used.
The process to create a .nessus file that contains the targets, policies, and scan results is to first generate the policy and
save it. Next, generate the list of target addresses and finally, run a scan. Once the scan is complete, all the information can be
saved in a .nessus file by using the “Export” option from the “Scans” result. Please see the “Nessus v2 File Format”
document for more details on .nessus files.
The Nessus DB format (.db) contains all the possible data about a scan and provides a way to encrypt the file. The only way
to access the file is by providing the password through a Nessus report upload.
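The structure of a .nessus v2 export, the severity thresholds the guide gives for the CVSS Base Score filter, and the History “Diff” comparison described under “Compare the Results (Diff)”, shown together as an added example in Python. This is not Tenable code and not the format specification (see the “Nessus v2 File Format” document for that); the two XML excerpts are constructed to resemble a .nessus v2 report of the same DMZ host scanned twice, and their plugin IDs and names are made up. It goes slightly beyond the Diff view by also listing findings present in the baseline that have since disappeared, which the guide describes as remediated.

```python
"""Parse .nessus (v2) exports, derive the guide's severity from CVSS, and
compare two scans the way the History > Diff view does.

Added example, not Tenable code. The two XML excerpts are constructed; the
plugin IDs (9000xx) and plugin names are made up for the example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# One finding is identified by (host, protocol, port, plugin ID).
FindingKey = Tuple[str, str, str, str]

BASELINE_XML = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="DMZ Network Scan">
  <ReportHost name="203.0.113.10">
   <HostProperties><tag name="host-ip">203.0.113.10</tag></HostProperties>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="900001"
               pluginName="Web Server Detection" pluginFamily="Web Servers">
    <cvss_base_score>0.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900002"
               pluginName="Outdated TLS Library" pluginFamily="General">
    <cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="900003"
               pluginName="Outdated SSH Daemon" pluginFamily="Misc.">
    <cvss_base_score>7.5</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Same host, later scan: SSH was patched, a new critical SMB finding appeared.
CURRENT_XML = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="DMZ Network Scan">
  <ReportHost name="203.0.113.10">
   <HostProperties><tag name="host-ip">203.0.113.10</tag></HostProperties>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="0" pluginID="900001"
               pluginName="Web Server Detection" pluginFamily="Web Servers">
    <cvss_base_score>0.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900002"
               pluginName="Outdated TLS Library" pluginFamily="General">
    <cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900004"
               pluginName="Unsupported SMB Server Version" pluginFamily="Windows">
    <cvss_base_score>10.0</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def severity_from_cvss(score: float) -> str:
    """Severity rating as the guide defines it from the CVSS base score:
    0 Info, <4 Low, <7 Medium, <10 High, 10 Critical."""
    if score <= 0:
        return "Info"
    if score < 4:
        return "Low"
    if score < 7:
        return "Medium"
    if score < 10:
        return "High"
    return "Critical"


def parse_nessus(xml_text: str) -> Dict[FindingKey, dict]:
    """Walk Report/ReportHost/ReportItem and return one record per finding.
    Items with no cvss_base_score child (informational plugins) count as 0.
    For exports from untrusted sources, parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    findings: Dict[FindingKey, dict] = {}
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score_el = item.find("cvss_base_score")
            score = float(score_el.text) if score_el is not None and score_el.text else 0.0
            key = (host.get("name", ""), item.get("protocol", ""),
                   item.get("port", ""), item.get("pluginID", ""))
            findings[key] = {"plugin_name": item.get("pluginName", ""),
                             "cvss_base_score": score,
                             "severity": severity_from_cvss(score)}
    return findings


def diff_reports(baseline: Dict[FindingKey, dict],
                 current: Dict[FindingKey, dict]) -> Tuple[Dict[FindingKey, dict], Dict[FindingKey, dict]]:
    """Findings new since the baseline, and baseline findings no longer present."""
    new = {k: v for k, v in current.items() if k not in baseline}
    remediated = {k: v for k, v in baseline.items() if k not in current}
    return new, remediated


def summarize(baseline_xml: str, current_xml: str) -> Dict[str, List[str]]:
    """Human-readable diff lines, keyed "new" and "remediated"."""
    new, gone = diff_reports(parse_nessus(baseline_xml), parse_nessus(current_xml))

    def fmt(k: FindingKey, v: dict) -> str:
        return f"{k[0]} {k[1]}/{k[2]} {v['plugin_name']} [{v['severity']}]"

    return {"new": [fmt(k, v) for k, v in new.items()],
            "remediated": [fmt(k, v) for k, v in gone.items()]}


if __name__ == "__main__":
    for kind, lines in summarize(BASELINE_XML, CURRENT_XML).items():
        print(kind, lines)
```

The key deliberately includes the port and protocol, since the guide notes that one host may carry the same plugin on several ports; keying on host and plugin alone would hide a finding that moved from one service to another.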
Deleting Scan Results
Once you are finished with scan results, you can click the “X” to the right of the scan from the History tab in a scan result to
move the scan to the Trash:
Select the “Trash” folder, and you can empty the trash to permanently delete the scan:
This action cannot be undone! Use the “Export” feature to export your scan results before deleting.
PCI ASV Validation with Nessus Enterprise Cloud
Tenable Network Security, Inc. is a PCI Approved Scanning Vendor (ASV), and is certified to validate vulnerability scans of
Internet-facing systems for adherence to certain aspects of the PCI Data Security Standards (PCI DSS). The Nessus
Enterprise Cloud includes a pre-built static PCI DSS policy that adheres to the quarterly scanning requirements of the PCI
DSS v2.0. This policy may be used by merchants and providers to initially assess their environments based on PCI DSS
requirements, and also to perform external vulnerability scans and generate reports that can be validated by qualified
Tenable Network Security staff members for the PCI DSS ASV validation requirement. It is important to note that, while
customers can use the PCI DSS scan policy to test their externally-facing systems as often as they wish, a scan must be
submitted to Tenable for validation before it can be considered to qualify as a valid PCI ASV scan. Customers are allowed up
to two quarterly report submissions for PCI ASV validation through Tenable Network Security, Inc.
Once logged into the service, customers have the option to select a policy titled “PCI Quarterly External Scan” that adheres
to the requirements of the PCI ASV Program Guide v2.0 section titled “ASV Scan Solution – Required Components”.
To qualify as a PCI DSS ASV scan for validation through the Nessus Enterprise Cloud, “PCI Quarterly External
Scan” policy must be selected.
To create a PCI DSS ASV scan policy, go to “Policies” and click “+ New Policy”. Next, click on “PCI Quarterly External Scan”:
First, enter a name and description for your PCI scan:
For most organizations, this is all you need to do. The default scan policy has been configured specifically to test for PCI
compliance. There are a few additional options that you can configure as needed. From the Policies menu, select the policy
you just created. Under the Discovery tab, you can opt to “Scan unresponsive hosts”:
Under the Advanced tab, you can manipulate the “Scan Type”:
Any policies created with the PCI Quarterly External Scan policy template cannot be edited further to ensure the
required testing is performed.
Submitting Scan Results for PCI Customer Review
Customers have the option to submit their scan results to Tenable Network Security for PCI ASV validation. By clicking
“Submit for PCI”, the scan results will be uploaded to an administrative section of the Nessus Enterprise Cloud for customer
review, and the customer will be prompted to log in to the user section of the service to review the findings of the scan
results from a PCI DSS perspective.
Link to “Submit for PCI” (highlighted in red)
PCI-DSS ASV scans older than three months cannot be submitted for review. No “Submit for PCI” button will
appear for those scans.
Report Upload and PCI Validation Link Dialog Box
Customers are strongly urged to thoroughly review their PCI scan results before submitting their report(s) to
Tenable Network Security through the Nessus Enterprise Cloud. Reports with failed results are required to
undergo a full PCI review cycle, of which Nessus Enterprise Cloud customers are limited to two (2) per quarterly
period.
Customer Review Interface
Nessus Enterprise Cloud Customer Login Screen
Once a customer logs into the PCI Validation user section, they are presented with a list of reports that have been submitted by
their unique Nessus Enterprise Cloud login. The “Report Filter” allows reports to be filtered by Owner, Name, and Status.
Reviewing Scan Results
To pass a PCI DSS ASV assessment, all items (except for denial of service (DoS) vulnerabilities) listed as “Critical”, “High”, or
“Medium” (or with a CVSS score of 4.0 or higher) must either be remediated or disputed by the customer, and all disputed
items must either be resolved, accepted as exceptions, accepted as false positives, or mitigated through the use of
compensating controls. All items listed as “Critical”, “High”, or “Medium” in the Nessus Enterprise Cloud can be viewed in
detail, and all items carry an option to dispute the item in question.
Clicking the name of the scan in the “List of Reports” allows the user to view a list of hosts and the number of vulnerabilities
found on each host, sorted by severity.
Clicking the number of “Failed Items” in the “List of Reports” will display a list of items that will need to be addressed in order
to qualify for a “compliant” ASV report through Tenable’s Nessus Enterprise Cloud.
Nessus Enterprise Cloud customers are responsible for reviewing all of their “Failed Items” before submitting a
scan report to Tenable Network Security. Selecting the “Failed Items” in the “List of Reports” allows you to jump
directly to the items that may affect your PCI ASV Validation compliance status.
Use the green “+” button under the far left column to expand an individual entry for additional vulnerability details.
Scan Report Item Description with “Dispute” Functionality
As shown above, a “Dispute” button is displayed for each individual item, which allows the customer to enter additional
details about vulnerability remediation, or dispute what they believe may be a false positive generated by the initial scan.
Disputing Scan Results
When an item is disputed, a ticket is created that allows for the selection of an amendment type, the addition of text to the
amendment, and any other notes that the customer may want to add prior to submission for review by Tenable Network
Security.
Once a ticket for a particular item has been created, the customer can view it by selecting the item in question and then
selecting “View Ticket”.
Scan Report Item Description with “View Ticket” Functionality
Additional comments can be added by clicking the “Edit” button, then “Add Note”, and saving the note into the ticket by
clicking “Update”.
Plugin 33929, “PCI DSS Compliance”, is an administrative plugin that links to the results of other plugins. If a
report shows that a host is not PCI DSS compliant, resolving all failed items will then allow plugin 33929 to
resolve and be replaced with plugin 33930, “PCI DSS Compliance: Passed”. In cases of disputes or exceptions, if all
failed report items are successfully disputed or given exceptions, an exception can then be given for plugin 33929
based on the remediation of all other report issues.
Submitting Attachments as Evidence for a Dispute
Once a ticket is created, it is possible to submit supporting evidence as an attachment. After creating a ticket, click the
number listed under “Open Tickets” to display all open tickets:
In the “List of Tickets” screen, click “View”:
When the screen for the open ticket is displayed, options for “Upload File” and “Attach” are displayed:
Click “Browse…” to navigate to and select the evidence file (screenshot, Word document, PDF, etc.) to be uploaded:
Sample Evidence File (no_shiro.png)
Next, click “Attach” to attach the file to the ticket. When completed, the screen will display a message that the file was
uploaded successfully:
Clicking the “Download” link next to “Attachments” will show the names of all files attached to the ticket:
Submitting a Scan Report for Tenable Review
When tickets have been created for all outstanding report items under user review, the report can then be sent to Tenable
Network Security for ASV review.
Before a report can be submitted for review, the customer must fill in contact information and agree to an attestation that
includes mandatory text as described in the ASV Program Guide.
Report Submission Attestation Text
If a customer neglects to address any outstanding item for a particular scan before the report is submitted for ASV review,
they will be prompted to make sure that a ticket has been created for each item. Any report with outstanding items that have
not been addressed by the customer cannot be submitted to Tenable Network Security for review.
When a report is finally submitted to Tenable Network Security for review, the status of the report changes from “Under
User Review” to “Under Admin Review” and the “Submit” option is removed (greyed out) to prevent the submission of
duplicate items or reports.
Submitted Report “Under Admin Review”
The “Withdraw” function within an open ticket is only available once a report has been submitted for review by
Tenable’s Nessus Enterprise Cloud. Be careful when using the “Withdraw” function; withdrawing a ticket will
cause the item in question to be flagged as unresolved due to having inconclusive evidence, and the report as a
whole will be deemed as non-compliant.
If a Tenable Network Security staff member requests more information or if any other user action is required by the
customer for a ticket, an indicator will appear in the customer’s “List of Reports” as shown below:
“User Action Required” Notification
The ticket can then be amended by the user and resubmitted to Tenable Network Security for further review.
PCI ASV Report Formats
Once a scan report has earned “compliance” status by Tenable’s Nessus Enterprise Cloud, customers have the option of
viewing reports in “Attestation Report”, “Executive Report”, or “Detailed Report” formats. An ASV Feedback Form is also
provided to the Nessus Enterprise Cloud customer. These options are available through the “Download” icon listed next to
each report.
The Attestation Report, Executive Report, and Detailed Report are only available to the customer in PDF format and cannot
be edited.
Sample Attestation Report
Sample Executive Report
When a report name and then host name is selected within the web-based interface, a list of items pertaining to the selected
report is displayed.
“List of Items” Displayed in the Web Interface
For Further Information
Tenable has produced a variety of other documents detailing Nessus’ installation, deployment, configuration, user operation,
and overall testing:
• Nessus 6.3 Installation and Configuration Guide – step-by-step walkthrough of installation and configuration for Nessus Professional, Nessus Manager, Nessus Scanner, and Nessus Agents
• Nessus 6.3 Command Line Reference – describes the command line tools of Nessus
• Nessus v6 SCAP Assessments – describes how to use Tenable's Nessus to generate SCAP content audits as well as view and export the scan results
• Nessus Compliance Checks – high-level guide to understanding and running compliance checks using Nessus and SecurityCenter
• Nessus Compliance Checks Reference – comprehensive guide to Nessus Compliance Check syntax
• Nessus v2 File Format – describes the structure for the .nessus file format, which was introduced with Nessus 3.2 and NessusClient 3.2
• Nessus and Antivirus – outlines how several popular security software packages interact with Nessus, and provides tips or workarounds to allow the software to better co-exist without compromising your security or hindering your vulnerability scanning efforts
• Strategic Anti-malware Monitoring with Nessus, PVS, and LCE – describes how Tenable's USM platform can detect a variety of malicious software and identify and determine the extent of malware infections
• Real-Time Compliance Monitoring – outlines how Tenable's solutions can be used to assist in meeting many different types of government and financial regulations
• Tenable Products Plugin Families – provides a description and summary of the plugin families for Nessus, Log Correlation Engine, and the Passive Vulnerability Scanner
• SecurityCenter Administration Guide
Other online resources are listed below:
• Nessus Discussions Forum: https://discussions.tenable.com/
• Tenable Blog: http://www.tenable.com/blog
• Tenable Podcast: http://www.tenable.com/podcast
• Example Use Videos: http://www.youtube.com/user/tenablesecurity
• Tenable Twitter Feed: http://twitter.com/tenablesecurity
Please feel free to contact Tenable at [email protected], [email protected], or visit our website at
http://www.tenable.com/.
About Tenable Network Security
Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure
compliance. Our family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and
integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable is
relied upon by more than 20,000 organizations, including the entire U.S. Department of Defense and many of the world’s
largest companies and governments. For more information, visit tenable.com.
Appendix A – Setting up Credentialed Checks on Windows Platforms
Prerequisites
User Privileges
A very common mistake is to create a local account that does not have enough privileges to log on remotely and do anything
useful. By default, Windows assigns new local accounts “Guest” privileges when they log on remotely, which prevents
remote vulnerability audits from succeeding. Another common mistake is to increase the amount of access that “Guest”
users obtain, which reduces the security of your Windows server.
Enabling Windows Logins for Local and Remote Audits
The most important aspect of Windows credentials is that the account used to perform the checks must have privileges
to access all required files and registry entries, and in many cases this means administrative privileges. If Nessus is not
given the credentials of an administrative account, at best it can perform registry checks for patches. While this is still a
valid way to determine whether a patch is installed, it is incompatible with some third-party patch management tools that
may neglect to set the corresponding registry key. If Nessus has administrative privileges, it will instead check the version
of the dynamic-link library (.dll) files on the remote host, which is considerably more accurate.
Configuring a Local Account
To configure a stand-alone Windows server that is not part of a domain, simply create a unique account with administrator
privileges for Nessus to use.
Make sure that the configuration of this account is not left at the typical default of “Guest only: local users authenticate as
guest”. Instead, switch this to “Classic: local users authenticate as themselves”.
To configure the server to allow logins from a domain account, the “Classic” security model should be invoked. To do this,
follow these steps:
1. Open “Group Policy” by clicking “Start”, clicking “Run”, typing “gpedit.msc” and then clicking “OK”.
2. Select Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
3. From the list of policies, open “Network access: Sharing and security model for local accounts”.
4. In this dialog, select “Classic – local users authenticate as themselves” and click “OK” to save the setting.
This will cause users local to the domain to authenticate as themselves, even though they are not physically “local” on the
particular server. Without this, all remote users, even real users in the domain, will authenticate as “Guest” and will likely
not have enough privileges to perform a remote audit.
Note that the gpedit.msc tool is not available in some editions, such as Windows 7 Home, which is not supported by
Tenable.
Configuring a Domain Account for Authenticated Scanning
To create a domain account for remote host-based auditing of a Windows server, the server must be running Windows Server
2008, Server 2008 R2*, Server 2012, Server 2012 R2, Windows 7, or Windows 8, and must be part of a domain. There are five
general steps that should be performed to facilitate this scanning while keeping security in mind.
Step 1: Creating a Security Group
First, create a security group called Nessus Local Access:
• Log onto a Domain Controller and open Active Directory Users and Computers.
• Create a security group: from the menu, select Action -> New -> Group.
• Name the group Nessus Local Access. Make sure it has a “Scope” of Global and a “Type” of Security.
• Add the account you will use to perform Nessus Windows authenticated scans to the Nessus Local Access group.
Step 2: Create Group Policy
Next, you need to create a group policy called Nessus Scan GPO.
• Open the Group Policy Management Console.
• Right-click on Group Policy Objects and select New.
• Type the name of the policy, “Nessus Scan GPO”.
Step 3: Configure the policy to add the “Nessus Local Access” group as Administrators
Here you will add the Nessus Local Access group to the Nessus Scan GPO policy and make it a member of the local groups it
needs on the scanned hosts, in this case Administrators.
• Right-click the “Nessus Scan GPO” policy, then select Edit.
• Expand Computer configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
• In the left pane, right-click Restricted Groups and select “Add Group”.
• In the Add Group dialog box, select Browse, type Nessus Local Access and then click “Check Names”.
• Click OK twice to close the dialog box.
• Click Add under “This group is a member of:”.
• Add the “Administrators” group.
• Click OK twice.
Step 4: Ensure proper ports are open in the firewall for Nessus to connect to the host
Nessus uses SMB (Server Message Block) and WMI (Windows Management Instrumentation) for these checks, so the Windows
Firewall must be configured to allow that access to the system.
Allowing WMI on Windows Vista, 7, 8, 2008, 2008R2 and 2012 Windows Firewall
• Right-click the “Nessus Scan GPO” policy, then select Edit.
• Expand Computer configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules
• Right-click in the working area and choose New Rule...
• Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down list.
• Click Next.
• Select the checkboxes for:
  - Windows Management Instrumentation (ASync-In)
  - Windows Management Instrumentation (WMI-In)
  - Windows Management Instrumentation (DCOM-In)
• Click Next.
• Click Finish.
• Note: You can later edit the predefined rules to limit the connection to the scanner's IP address and domain user, so as to reduce the risk of abuse of WMI.
Step 5: Linking GPO
• In the Group Policy Management Console, right-click on the domain or the OU and select Link an Existing GPO.
• Select the Nessus Scan GPO.
Because the Restricted Groups setting makes Nessus Local Access a local administrator on every computer the GPO applies to,
link it to the OU containing the hosts to be scanned rather than to the whole domain unless that is what you intend.
Configuring Windows 2008, Vista and 7
When performing authenticated scans against Windows 2008, Vista or 7 systems, there are several configuration options
that must be enabled:
1. Under Windows Firewall -> Windows Firewall Settings, “File and Printer Sharing” must be enabled.
2. Using the gpedit.msc tool (via the “Run...” prompt), invoke the Group Policy Object Editor. Navigate to Local Computer Policy -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Standard Profile -> Windows Firewall: Allow inbound file and printer exception, and enable it.
3. While in the Group Policy Object Editor, navigate to Local Computer Policy -> Administrative Templates -> Network -> Network Connections -> Prohibit use of Internet connection firewall on your DNS domain and ensure it is set to either “Disabled” or “Not Configured”.
4. The Remote Registry service must be enabled (it is disabled by default). It can be enabled manually for continuing audits, either by an administrator or by Nessus. Using plugin IDs 42897 and 42898, Nessus can enable the service just for the duration of the scan.
Nessus has the ability to enable and disable the Remote Registry service. For this to work, the target must have
the Remote Registry service set to “Manual” and not “Disabled”.
Windows User Account Control (UAC) can alternatively be disabled, but that is not recommended. To turn off
UAC completely, open the Control Panel, select “User Accounts” and then set “Turn User Account Control on or off”
to off. Alternatively, you can add a new registry DWORD value named “LocalAccountTokenFilterPolicy” under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and set it to “1”. This leaves UAC in
place for interactive logons and only stops Windows from filtering the administrator token out of network logons by
local (non-domain) accounts; domain accounts that are members of the local Administrators group are not subject to
that filtering. For more information on this registry setting, consult the MSDN 766945 KB. In Windows 7 and 8, if UAC
is disabled, then EnableLUA must be set to 0 in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System as well.
Appendix B – Enabling SSH Local Security Checks on Unix and Network
Devices
This section is intended to provide a high-level procedure for enabling SSH between the systems involved in the Nessus
credentialed checks. It is not intended to be an in-depth tutorial on SSH. It is assumed the reader has the prerequisite
knowledge of Unix system commands.
Generating SSH Public and Private Keys
The first step is to generate a private/public key pair for the Nessus scanner to use. This key pair can be generated from any of
your Unix systems, using any user account. However, it is important that the keys be owned by the defined Nessus user.
To generate the key pair, use ssh-keygen and save the key in a safe place. In the following example the keys are generated
on a Red Hat ES 3 installation.
# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/test/.ssh/id_dsa): /home/test/Nessus/ssh_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/Nessus/ssh_key.
Your public key has been saved in /home/test/Nessus/ssh_key.pub.
The key fingerprint is:
06:4a:fd:76:ee:0f:d4:e6:4b:74:84:9a:99:e6:12:ea
#
Do not transfer the private key to any system other than the one running the Nessus server. When ssh-keygen asks you for a
passphrase, enter a strong passphrase or hit the “Return” key twice (i.e., do not set any passphrase). If a passphrase is specified,
it must also be entered in the Policies -> Credentials -> SSH settings in order for Nessus to use key-based authentication. If no
passphrase is set, the private key file is the only secret protecting the nessus account on every target, so keep it readable only
by the user the Nessus server runs as. Note also that the DSA key type shown above is disabled by default in OpenSSH 7.0 and
later; for such targets, generate an RSA or Ed25519 key instead (for example, ssh-keygen -t rsa -b 4096).
Nessus Windows users may wish to copy both keys to the main Nessus application directory on the system running Nessus
(C:\Program Files\Tenable\Nessus by default), and then copy the public key to the target systems as needed. This
makes it easier to manage the public and private key files.
Creating a User Account and Setting up the SSH Key
On every target system to be scanned using local security checks, create a new user account dedicated to Nessus. This user
account must have exactly the same name on all systems. For this document, we will call the user “nessus”, but you can use
any name.
Once the account is created for the user, make sure that the account has no valid password set. On Linux systems, new user
accounts are locked by default, unless an initial password was explicitly set. If you are using an account where a password
had been set, use the “passwd -l” command to lock the account.
You must also create the directory under this new account’s home directory to hold the public key. For this exercise, the
directory will be /home/nessus/.ssh. An example for Linux systems is provided below:
# passwd -l nessus
# cd /home/nessus
# mkdir .ssh
#
For Solaris 10 systems, Sun has enhanced the “passwd(1)” command to distinguish between locked and non-login
accounts. This is to ensure that a user account that has been locked may not be used to execute commands (e.g., cron jobs).
Non-login accounts are used only to execute commands and do not support an interactive login session. These accounts have
the “NP” token in the password field of /etc/shadow. To set a non-login account and create the SSH public key directory in
Solaris 10, run the following commands:
# passwd -N nessus
# grep nessus /etc/shadow
nessus:NP:13579::::::
# cd /export/home/nessus
# mkdir .ssh
#
Now that the user account is created, you must transfer the key to the system, place it in the appropriate directory and set
the correct permissions.
From the system containing the keys, secure copy the public key to system that will be scanned for host checks as shown
below. 192.1.1.44 is an example remote system that will be tested with the host-based checks.
# scp ssh_key.pub nessus@192.1.1.44:/home/nessus/.ssh/authorized_keys
#
You can also copy the file from the system on which Nessus is installed using the secure FTP command, “sftp”. Note that the
file on the target system must be named “authorized_keys”.
Do not use the no-pty option in your “authorized_keys” file for SSH authentication. This can impact the SSH
credentialed scans.
Return to the System Housing the Public Key
Set the permissions on both the /home/nessus/.ssh directory, as well as the authorized_keys file.
# chown -R nessus:nessus ~nessus/.ssh/
# chmod 0600 ~nessus/.ssh/authorized_keys
# chmod 0700 ~nessus/.ssh/
#
Repeat this process on all systems that will be tested for SSH checks (starting at “Creating a User Account and Setting up the
SSH Key” above).
Test to make sure that the accounts and networks are configured correctly. Using the simple Unix command “id”, from the
Nessus scanner, run the following command:
# ssh -i /home/test/Nessus/ssh_key nessus@192.1.1.44 id
uid=252(nessus) gid=250(tns) groups=250(tns)
#
If it successfully returns information about the nessus user, the key exchange was successful.
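The target-side steps above (dedicated account, locked password, authorized_keys, directory and file permissions, no-pty check, and the final id test from the scanner) collected into one script. This is an added example and is not part of the Tenable guide; the function names, the Ed25519 key type used in place of the guide's DSA example, and the paths in the usage comments are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the Tenable guide): automate the Appendix B steps on
# a scan target and verify the result before the first credentialed scan.
# Function names and the paths in the comments are assumptions.
set -eu

# Generate the scanner's key pair (run once, on the Nessus server only).
# The guide shows "ssh-keygen -t dsa"; ssh-dss is disabled by default in
# OpenSSH 7.0 and later, so Ed25519 is used here. $2 is the passphrase
# ("" for none, which the guide permits; the private key file is then the
# only secret, so keep it 0600 and owned by the Nessus user).
generate_scanner_key() {
    ssh-keygen -t ed25519 -f "$1" -N "$2" -C "nessus-scanner"
    chmod 0600 "$1"
}

# Install one public key ($2) as the nessus account's authorized_keys under
# home directory $1, with the modes the guide sets (0700 for ~/.ssh, 0600
# for authorized_keys). $3 is an optional "user:group" owner for when this
# runs as root. Keys carrying the "no-pty" option are rejected, because the
# guide warns that option breaks SSH credentialed scans.
install_nessus_key() {
    home_dir=$1
    pubkey_file=$2
    owner=${3:-}

    if grep -q 'no-pty' "$pubkey_file"; then
        echo "refusing key with the no-pty option: $pubkey_file" >&2
        return 1
    fi
    # Accept only a "<keytype> <base64> [comment]" line.
    if ! grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$pubkey_file"; then
        echo "not an OpenSSH public key: $pubkey_file" >&2
        return 1
    fi

    mkdir -p "$home_dir/.ssh"
    cp "$pubkey_file" "$home_dir/.ssh/authorized_keys"
    chmod 0700 "$home_dir/.ssh"
    chmod 0600 "$home_dir/.ssh/authorized_keys"
    if [ -n "$owner" ]; then
        chown -R "$owner" "$home_dir/.ssh"
    fi
}

# Octal mode of a path, portable across GNU and BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when ~/.ssh and authorized_keys have the modes the guide sets.
# sshd's StrictModes (on by default) refuses a group- or world-writable
# ~/.ssh or authorized_keys outright, so a too-open mode costs the key login
# and the locked account then has no password to fall back on.
check_nessus_key() {
    home_dir=$1
    ok=0
    [ "$(mode_of "$home_dir/.ssh")" = 700 ] ||
        { echo "$home_dir/.ssh is not 0700" >&2; ok=1; }
    [ "$(mode_of "$home_dir/.ssh/authorized_keys")" = 600 ] ||
        { echo "$home_dir/.ssh/authorized_keys is not 0600" >&2; ok=1; }
    return $ok
}

# Lock the account's password so only the key can log in (needs root).
# Linux: "passwd -l"; Solaris 10: "passwd -N" (non-login, NP in /etc/shadow).
lock_nessus_account() {
    case "$(uname -s)" in
        SunOS) passwd -N "$1" ;;
        *)     passwd -l "$1" ;;
    esac
}

# From the scanner: confirm the key works and see what "id" reports for the
# nessus user on target $2, using private key $1. BatchMode stops ssh from
# prompting for a password if the key is rejected, which is the failure you
# want to see rather than hide.
test_scan_login() {
    ssh -o BatchMode=yes -i "$1" "nessus@$2" id
}

# Typical use on a target, as root:
#   install_nessus_key /home/nessus /tmp/ssh_key.pub nessus:nessus
#   lock_nessus_account nessus
#   check_nessus_key /home/nessus
# and then from the scanner:
#   test_scan_login /home/test/Nessus/ssh_key 192.1.1.44
```

The permission check is deliberately stricter than what sshd itself enforces: sshd only refuses group- or world-writable paths, but the 0700/0600 modes the guide prescribes also keep other local users from reading which scanner key is trusted, and checking for exactly those modes catches a target that was set up by hand and drifted.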
Enabling SSH Local Security Checks on Network Devices
In addition to using SSH for local security checks, Nessus also supports local security checks on various network devices.
Those network devices currently include Cisco IOS devices, F5 networks devices, Huawei devices, Junos devices, and Palo
Alto Networks devices.
Network devices that support SSH require both a username and password. Currently, Nessus does not support any other
forms of authentication to network devices.
See your appropriate network device manual for configuring SSH support.