Nessus General Questions:
What’s the current version of Nessus?
Currently supported versions of Nessus are v6.0 and higher.
The most current version of Nessus is always available from the Tenable Support Portal. We encourage customers to upgrade to the latest release to take advantage of new capabilities and performance and platform improvements. If you want to learn about capabilities in the most recent release of Nessus, visit the New in Nessus area of our website.
What OS platforms does Nessus have builds for?
Nessus is supported on a variety of operating systems and platforms.
The following list shows Nessus OS support as of February 2015. For the most current information, see the Nessus Installation and Configuration Guide on the Nessus Documentation area of our website.
- Debian 6 and 7 / Kali Linux (i386 and x86-64)
- Fedora 20 and 21 (i386 and x86-64)
- FreeBSD 10 (x86-64)
- Mac OS X 10.8, 10.9, and 10.10 (x86-64)
- Red Hat ES 5 / CentOS 5 / Oracle Linux 5 (i386 and x86-64)
- Red Hat ES 6 / CentOS 6 / Oracle Linux 6 (i386 and x86-64) [Server, Desktop, Workstation]
- Red Hat ES 7 / CentOS 7 / Oracle Linux 7 (x86-64) [Server, Desktop, Workstation]
- SUSE 10 (x86-64) and 11 (i386 and x86-64)
- Ubuntu 10.04 (9.10 package), 11.10, 12.04, 12.10, 13.04, 13.10, and 14.04 (i386 and
- Windows Server 2008, Server 2008 R2*, Server 2012, Server 2012 R2 (x86-64)
- Windows 7 and 8 (i386 and x86-64)
What are the system/hardware requirements for using Nessus?
For the latest system and hardware requirements, see the Nessus Installation and Configuration Guide on the Nessus Documentation area of our website.
Are there detailed instructions on installing and configuring Nessus?
Yes. A detailed Nessus Installation and Configuration Guide and Nessus User Guide are available in the Nessus Documentation area of our website.
Where can I go for more information?
How can I buy Nessus?
You can get a Nessus subscription from Tenable or from one of our many partners. Flexible licensing options are available depending on the number of IP addresses and/or hosts you wish to scan and if you prefer to run Nessus on premises or in a cloud hosted environment.
Can I evaluate Nessus?
Yes, we would love for you to evaluate Nessus.
Can I use Nessus to perform internal network scanning for PCI?
Yes, you can use Nessus Professional, Nessus Cloud or Nessus Manager to perform internal network scans as required by the PCI DSS 11.2.1 requirement.
Can I use Nessus at work?
Yes, but you must license Nessus Professional, Nessus Manager or Nessus Cloud. Nessus Home is limited to home use and scanning of fewer than 16 IP addresses.
How does the Nessus license work in a VM (virtual machine) environment?
Whether you are using Nessus in a physical or a virtual environment, the IP addresses or hosts that you are scanning must be licensed.
I'm a consultant; can I use Nessus to conduct my client's vulnerability scanning?
Yes, Tenable permits you to use Nessus to scan third-party networks, but you must use a licensed version of the product. Nessus Home cannot be used for consulting commercially.
We are a software or hardware manufacturer; can we include Nessus in the products we sell to our customers?
If you’re interested in an OEM agreement with Tenable for the Nessus engine and the Tenable Plugins, please contact us.
What is Nessus Manager?
Nessus Manager combines the powerful detection, scanning, and auditing features of Nessus, the world’s most widely deployed vulnerability scanner, with extensive management and collaboration functions to reduce your attack surface and eliminate vulnerability blind spots. Nessus Manager enables the sharing of resources including multiple Nessus scanners, scan schedules, policies, and most importantly, results among multiple users or groups.
How is Nessus Manager licensed?
Nessus Manager is licensed on a per-host basis. A host can be an IP address scanned by Nessus or a device that is scanned by a Nessus Agent. A number of licensing tiers (up to X number of hosts) are offered, and each tier comes with a specific number of scanners.
How many scanners are included with Nessus Manager?
The number of scanners included with Nessus Manager depends on the tier for which your organization is licensed. For example, if your organization licenses Nessus Manager at the 1,024 host tier, you're entitled to the scanner that is embedded with Nessus Manager plus four additional scanners.
Can I add more scanners to Nessus Manager?
Yes. You can purchase additional scanners.
Will Nessus Manager work with Tenable SecurityCenter?
Yes. Nessus Manager scan results and reports can be imported into SecurityCenter. Any IPs imported from Nessus Manager will count against your SecurityCenter license. To learn more about Tenable SecurityCenter, please visit the product page.
What is Nessus Cloud?
Nessus Cloud is Tenable’s hosted, cloud-based vulnerability management solution that combines the powerful detection, scanning and auditing features of Nessus with multi-user support, enabling extensive collaboration and sharing of scanners and resources. Nessus Cloud is Tenable’s Approved Scanning Vendor (ASV) solution for adherence to the PCI DSS 11.2.2 external scanning requirement, performing vulnerability scans of Internet facing environments.
How is Nessus Cloud licensed?
Nessus Cloud is licensed on a per-host basis. A host can be an IP address scanned by Nessus or a device that is scanned by a Nessus Agent. A number of licensing tiers are offered and each tier comes with a specific number of scanners.
How many scanners are included with Nessus Cloud?
The number of scanners included with Nessus Cloud depends on the tier for which your organization is licensed. For example, if your organization licenses Nessus Cloud at the 1,024 host tier, you're entitled to the scanner that is embedded in Nessus Cloud plus four additional scanners.
Can I add more scanners to Nessus Cloud?
Yes. You can purchase additional scanners.
How do I scan and submit for PCI ASV validation?
The process to create a PCI DSS ASV scan policy with Nessus Cloud and submit it to Tenable is described in both the Nessus User Guide and also this video provided by the Tenable Training Team.
Can I use Nessus Cloud to perform external network scanning for PCI?
Tenable Network Security is a Payment Card Industry (PCI) Approved Scanning Vendor (ASV). Nessus Cloud enables companies to validate adherence to the PCI DSS 11.2.2 external scanning requirement by performing periodic vulnerability scans of Internet facing systems.
Can I submit multiple scan reports to meet the quarterly requirement for PCI ASV validation?
Nessus Cloud customers may scan their Internet facing systems as often as they like, but only need to submit one scan report to receive the quarterly PCI ASV attestation. To meet the new multiple scan reports rule in PCI DSS 11.2 you may currently submit up to two scans per calendar quarter for PCI ASV validation by Tenable’s PCI ASV analysts. Tenable defines a calendar quarter as January-March, April-June, July-September, and October-December. If you want or need to submit additional scans for PCI ASV validation, you may do so for a nominal fee.
Are there any limitations to the number of IPs or websites I can scan?
Yes. You may only scan IP addresses or websites that you are authorized to scan up to the limit of your subscription; however, you may scan as many times as you’d like. For PCI ASV reporting, you may submit multiple scan reports to demonstrate that you have an ongoing process for remediation of scan vulnerabilities in lieu of submitting a single passing scan report. Note that you will be charged a nominal fee for additional scan submissions beyond the two submissions per quarter limit.
I believe an unauthorized scan has been conducted by Nessus Cloud, who do I contact to report abuse?
Please email email@example.com.
What IP addresses will Nessus Cloud scans originate from?
The Nessus Cloud has the following selections available for configuring the scanner you use. The network traffic from the selected scanner will originate from one of the following network blocks:
- US Cloud Scanner: either 220.127.116.11/27 or 18.104.22.168/26
- US East Cloud Scanners: 22.214.171.124/26
- US West Cloud Scanners: 126.96.36.199/26
- AP Singapore Cloud Scanners: 188.8.131.52/26
- EU Frankfort Cloud Scanners: 184.108.40.206/26
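As an added example (not Tenable's code), a small defender-side check that attributes scan-like connections in a firewall log to the scanner blocks listed above, so that scans from any other source can be separated out for the abuse report described later in this FAQ. The key=value log format and the sample addresses are constructed for the example; the scanner blocks are the ones the page lists.

```python
import ipaddress
import re

# Scanner network blocks exactly as the FAQ lists them for Nessus Cloud.
NESSUS_CLOUD_SCANNER_BLOCKS = {
    "US Cloud Scanner": ["220.127.116.11/27", "18.104.22.168/26"],
    "US East Cloud Scanners": ["22.214.171.124/26"],
    "US West Cloud Scanners": ["126.96.36.199/26"],
    "AP Singapore Cloud Scanners": ["188.8.131.52/26"],
    "EU Frankfort Cloud Scanners": ["184.108.40.206/26"],
}

# The FAQ writes the blocks with host bits set, so parse them non-strictly
# (strict=False masks off the host bits instead of raising ValueError).
_NETWORKS = {
    region: [ipaddress.ip_network(block, strict=False) for block in blocks]
    for region, blocks in NESSUS_CLOUD_SCANNER_BLOCKS.items()
}


def scanner_region(src_ip):
    """Return the Nessus Cloud scanner region that owns src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for region, nets in _NETWORKS.items():
        if any(addr in net for net in nets):
            return region
    return None


# Assumed (constructed) firewall log format: key=value fields on one line.
_LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=[\d.]+\s+dport=(?P<dport>\d+)")


def triage_scan_sources(log_lines):
    """Split connection records into announced Nessus Cloud sources and everything else.

    Returns (expected, unexpected):
      expected   - {region: {source IPs seen}} for announced scanner blocks
      unexpected - {source IP: {destination ports probed}} for all other sources,
                   i.e. candidates for an abuse report rather than a licensed scan
    """
    expected, unexpected = {}, {}
    for line in log_lines:
        match = _LOG_RE.search(line)
        if not match:
            continue  # not a connection record; ignore
        src, dport = match["src"], int(match["dport"])
        region = scanner_region(src)
        if region is not None:
            expected.setdefault(region, set()).add(src)
        else:
            unexpected.setdefault(src, set()).add(dport)
    return expected, unexpected


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2015-04-01T10:00:01Z fw: src=220.127.116.20 dst=203.0.113.10 dport=22 action=accept",
    "2015-04-01T10:00:02Z fw: src=18.104.22.170 dst=203.0.113.10 dport=443 action=accept",
    "2015-04-01T10:00:03Z fw: src=184.108.40.210 dst=203.0.113.11 dport=80 action=accept",
    "2015-04-01T10:00:04Z fw: src=198.51.100.77 dst=203.0.113.10 dport=22 action=drop",
    "2015-04-01T10:00:05Z fw: src=198.51.100.77 dst=203.0.113.10 dport=23 action=drop",
    "2015-04-01T10:00:06Z fw: src=198.51.100.77 dst=203.0.113.10 dport=445 action=drop",
    "2015-04-01T10:00:07Z fw: link state change on eth0",
]

if __name__ == "__main__":
    expected, unexpected = triage_scan_sources(SAMPLE_LOG)
    for region, sources in expected.items():
        print(f"{region}: {sorted(sources)}")
    for src, ports in unexpected.items():
        print(f"unexpected scanner {src}: ports {sorted(ports)}")
```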
What’s the URL to access Nessus Cloud?
As of March 31, 2015, customers access Nessus Cloud through https://cloud.tenable.com.
If you were using Nessus Enterprise Cloud prior to March 31 and have whitelisted the IPs (or the domain names) on which the Nessus Enterprise Cloud web UI is accessed, you will need to add the new hostname to your whitelist rule. Similarly, if you are using a “per-customer” domain name like “https://example-customer-site.svc.nessus.org”, you will need to switch to the new URL. You can learn more in this announcement on the Tenable Discussion Forum.
How often can I re-scan the same IP or conduct discovery scans?
You can scan as often as desired.
Can scans be scheduled?
Yes. Nessus Cloud includes the ability to schedule immediate and recurring scans.
Will Nessus Cloud work with Tenable SecurityCenter?
Yes. Nessus Cloud scan results and reports can be imported into SecurityCenter. Any IPs imported from Nessus Cloud will count against your SecurityCenter license. To learn more about Tenable SecurityCenter, please visit the product page.
I'm a consultant; can I use Nessus Cloud to conduct audits of my clients?
Yes. As a consultant, Tenable permits you to use Nessus Cloud to perform unlimited scans of third-party external-facing IP addresses, but you may not provide direct or indirect access to Nessus Cloud to your clients. In addition, you are not permitted to submit external scans for Tenable PCI ASV validation on behalf of your client(s).
What happens if I do not renew my Nessus Cloud subscription?
If you choose not to renew your Nessus Cloud subscription, you’ll no longer have access to your account. If you know you are not going to renew and you use Nessus Cloud for external scanning for PCI, we encourage you to complete PCI scans and submit reports to Tenable for PCI ASV validation in enough time for Tenable to provide feedback and for you to download your scan data.
Where should I send notices required under the Nessus Cloud contract?
All notices to Tenable shall be sent to the mailing address described in the Nessus Cloud Agreement to the attention of the Legal Department.
Tenable Network Security, Inc.
7021 Columbia Gateway Drive, Suite 500
Columbia, MD 21046 - USA
Attn: Legal Department
What are Nessus Agents?
Nessus Agents, available with Nessus Cloud and Nessus Manager, increase scan flexibility by making it easy to scan assets without needing ongoing host credentials and to scan assets that are offline, as well as enabling large-scale concurrent scanning with little network impact.
When would I use Nessus Agents?
Most organizations will use a mix of agent-based and agent-less scanning in their Nessus environment. Nessus Agents will be attractive in a number of scenarios, including:
- Scanning of laptops or other portable devices that are not always connected to the local network.
- Scanning assets for which you do not have credentials or could not easily obtain credentials.
- Improving overall scan performance, since agents operate in parallel using local resources.
What platforms are supported by Nessus Agents?
Nessus Agents currently support a variety of operating systems:
- Amazon Linux
- CentOS v5, v6, v7
- Debian Linux v6 and v7 on amd64 and i386
- OS X 10.8, 10.9, 10.10
- Red Hat Enterprise Linux v5, v6, v7
- Ubuntu Linux 10.04, 12.04 and 14.04 on amd64 and i386
- 32 and 64-bit editions of Windows Server 2008 and 2012, and Windows 7 and 8
Which Tenable products work with Nessus Agents?
Nessus Agents work with Nessus Cloud and Nessus Manager. In addition, data collected by Nessus Agents can be imported into SecurityCenter and/or SecurityCenter Continuous View.
What is the resource consumption of Nessus Agents?
The performance overhead of the agent is minimal, and can reduce overall network overhead in many situations, because agents use local resources to scan the system or device they are located on instead of consuming network resources for scanning purposes.
How are Nessus Agents updated?
Agents can be deployed using most software management systems and auto-update once deployed.
How are Nessus Agents licensed?
When a customer subscribes to Nessus Cloud or Nessus Manager, they are licensed up to a maximum number of hosts/agents and can mix the number of hosts and agents depending on their environment. For example, a customer that wants to scan 200 devices agent-less and 50 laptops using agents, would subscribe at the 256 hosts/agents tier to support all the assets they want to include in their scans.
What happens if we deploy more Nessus Agents than we have licenses?
You will only see scan data for the licensed agents.
How do I launch a scan using Nessus Agents?
Current Nessus users will find that launching an agent-based scan looks familiar, with just a few small differences.
- To get started, select a scan template from the “Agents” section of the Scan Library.
- Next, instead of selecting a scanner or manually entering targets, select the group of agents to serve as targets for the scan (you’ll be presented with a drop down list of groups to choose from).
- Finally, specify how long the scan is to listen for agents to connect; this is the window of time in which targeted agents can check in, receive the new policy and upload their results for this particular scan.
Can I review the scan results from Nessus Agents that have reported back before the schedule is completed?
How often do Nessus Agents check-in?
Nessus Agents check in using a staggered method that is based on the number of agents linked to Nessus Cloud or Nessus Manager. The check-in interval is approximately 60 seconds.
Can I see which Nessus Agents have checked-in and which ones have not?
You can see the number of agents that have reported results. Because scan times are very short, the difference between “check-in” and “done” is minimal, so we only show agents that have reported results.
What privileges does the Nessus Agent require to run?
The Nessus Agent runs under the Local System account. You need sufficient privileges to install software that runs under this account.
Can a laptop or desktop user disable the agent?
Yes, if the user has administrative privileges on their system.
How does the remediation summary apply to an agent schedule? Per host or Per Schedule? Is this sent at the end of the schedule?
The remediation summary works like it does for traditional Nessus scans.
Can I export a report while a schedule is running?
No, the scan must be completed before a report can be exported.
Can the Nessus Agent leave a report on the user desktop? E.g., Graph, score etc.?
No. Nessus Agents send results back to Nessus Cloud/Manager, where the resulting data can be included in reports.
Which Nessus plugins will Nessus Agents run?
Nessus Agent policies include plugins that perform local checks appropriate to the platform on which the agent is running; no connections to services on the host are created. These plugins include those that perform patch auditing, compliance checks, and malware detection.
Can I run compliance checks and malware scans on the agents?
What versions of Nessus support Mobile Device Management (MDM) system integration?
Nessus Cloud and Nessus Manager support MDM integration. SecurityCenter also integrates with MDM systems.
What mobile technology is supported?
Nessus Cloud and Nessus Manager can currently integrate with the following MDM systems:
- Exchange 2010 or later (via Active Directory)
- Apple Profile Manager as shipped with Mac OS X 10.7 server
- Good for Enterprise
Nessus 6.4 and beyond expands MDM integration with AirWatch and MobileIron to query MDMs to audit mobile device policies for CIS or Tenable Best Practices, including identifying new mobile devices connecting to the network as well as mobile devices that haven’t connected in a designated time period.
Note: Devices that use IMAP instead of Exchange will not be detected.
Why doesn't Nessus scan mobile devices directly?
Mobile devices are difficult to scan for a variety of reasons:
- They connect and disconnect from the network at any time (and can be on different 3G, 4G, LAN or guest access point networks), making it difficult to directly scan these devices for vulnerabilities and compliance violations.
- Network-wise, the device is "off" most of the time, so as to save battery. They only wake up every now and then to poll email.
- They do not have any service that allows granular identification of their OSs.
What do the mobile device plugins do exactly?
The mobile device plugins integrate with the MDMs to gather information about devices and check for settings like the following:
- Protecting mobile devices - The first thing to configure and that most auditors will look for is whether basic security settings are configured: is encryption turned on, is remote wipe enabled, are passcode requirements set, etc.
- Disabling non-essential features - Once you configure basic security settings, the next thing to do is disable all features that are deemed non-essential features for your organization. For example: tethering, Bluetooth, NFC (near field communication), etc.
- Disabling native apps - You may also want to disable certain native apps, especially those that eat up bandwidth on your network, such as YouTube or FaceTime. In some cases, you may want to go a bit further and disallow the installation of public apps, disallow in-app purchases, or disable explicit content.
Does an administrator need to do anything special on company mobile devices for them to appear in the Nessus results?
Exchange: If your organization’s users are retrieving emails using ActiveSync, nothing needs to be changed on the phones.
All Other MDMs: The devices must be properly enrolled with the MDM.
If the same device is managed by Profile Manager and checks emails via Exchange, will the phone appear twice in the Nessus report?
No. When one device accesses multiple servers that Nessus interacts with, the device scan information is consolidated in the report. Such cases also potentially allow Nessus to do more thorough checks.
I'm having problems accessing the Exchange server with Nessus, how can I diagnose the problem?
Nessus installations come with a plugin that can help diagnose/debug the issue. Navigate to the "plugins" directory and run the following command and follow the instructions:
Unix installations: /opt/nessus/lib/nessus/plugins
Windows installations: C:\Program Files\Tenable\Nessus\nessus\plugins
I have multiple domains and Active Directory (AD) servers, yet the "Mobile" tab only allows me to select one. How can Nessus handle my setup?
Click on the "Mobile" tab and create a policy with the first AD controller you want to receive information from. Once the policy is saved, navigate to the "Policies" tab and edit the newly created "Mobile Devices Audit" policy. Go to Preferences -> ADSI Settings and there are fields to enter additional domains.
In Apple Profile Manager, there is an option called "Force Devices Updates", what does it do?
This option tells Profile Manager to send a Push Notification to each phone that is enrolled in order to force them to report their newest information to the server. By default, iOS devices only report such data when Profile Manager asks them to. Therefore, you should enable this option to make sure the device data is up-to-date.
The sister option of that setting is "Device Update Timeout (minutes)", which specifies how long the scanner should wait for the phones to react to the push notification, in order to update their data.
I'm seeing old phones in the Nessus results, although I discarded the device weeks ago. Why?
Exchange does not support a "de-enrollment" process, so data about phones never decays, even years after you stopped using the device. Nessus will report information about phones that have been used during the last three months. Phones that have not been used for that period are considered decommissioned or inactive, and will not show up in the report.
Some of our organization's Android-based devices are not appearing in the scan results. Why?
Older Android devices prior to 2.3 do not announce their version, so they do not show up in the report.
This section contains details about Nessus support operations that apply only to Tenable customers who have purchased a Nessus subscription.
Where can I go to get help on an issue I'm having with Nessus if I'm not a customer?
Visit the Nessus Discussion Forums to see if your questions have already been asked and answered.
What is the Tenable Support Portal?
The Tenable Support Portal is a web application used by engineers to manage requests with our customers on the incidents they report, provide a knowledgebase of information about Tenable products, provide additional downloads and manage subscription licenses.
In addition, this whitepaper describes usage and features of the Support Portal.
Can I request support via email?
Yes. Support requests are accepted via the Tenable Support Portal or by sending an email to firstname.lastname@example.org. Email requests must be sent from one of the email addresses provided to Tenable as a support contact.
How do I obtain a Tenable Support Portal account and/or add additional people to the account?
When you purchase Nessus, you provide Tenable with the name and email address of your Technical Contact Person(s). A separate Tenable Support Portal account is created for each Technical Contact Person.
The Primary Contact can add contacts to existing accounts with the instructions found here. To "log in" for the first time, please use the "Activate Account?" link on the login page, enter the email address registered with Tenable Network Security, click "Send Confirmation", and follow the instructions in the email you will receive.
How do I add or change the Technical Contact information?
The Primary Contact (PC) for the account has the ability to add and deactivate a contact from the Tenable Support Portal. Please have the PC log in to the Tenable Support Portal, and then select “Add Contact” to add or deactivate a registered contact. For new contacts, we will send an account activation email once the account has been created.
To update the information for an existing registered contact, email email@example.com with the requested changes.
What kind of Support and Maintenance is available from Tenable for Nessus Professional, Nessus Manager and Nessus Cloud?
Maintenance and Standard Support include access to software upgrades, hotfixes, patches, access to current Plugins, and access to Tenable's Technical Support team via Live Chat, Email, WebEx, and the Support Portal.
The following support resources are available 24x7:
- Live Chat Support
- Email and remote WebEx support
- Access to the Tenable Support Portal
- Access to Tenable plugin feeds via the Internet
In addition to all the resources listed above, Nessus Manager and Nessus Cloud customers with a current license agreement can also access telephone support if and when desired.
May I request to escalate my issue's priority?
Tenable determines the initial priority of your issue, though at any time, you may request to escalate or downgrade the priority of an issue via the Tenable Support Portal.
What information should I provide with my support request?
When submitting requests for support, the customer must provide to Tenable all data that is relevant for resolving each technical support request. Relevant data may include, but is not limited to, log files, database dumps, program scripts, descriptions of the hardware and software environment, examples of inputs as well as expected and actual outputs. This information should be as complete as possible, but sensitive information (e.g., account names, passwords, internal IP addresses) should be sanitized before sending to Tenable.
What is an issue's expected resolution time?
Tenable Support responds to all email queries for support within one business day.
Resolution time is the time within which support engineers will attempt to resolve your issue. There are no guarantees about resolution times; however most customers have their issues resolved in one business day. Depending on the complexity of the issue, resolution may take a few hours to a few days or longer. In some cases, successful resolution or a work-around may not be possible. Issues involving the functionality of the Nessus engine will be corrected in a timely manner. When necessary, plugins will be altered and fine-tuned to provide the best overall responses to the entire customer base but there may be OSs, applications, and other network devices that will respond in ways that prevent problems or disruptions from being resolved. In such cases, it is Tenable's policy that the applicable vendor is liable for the correction of the response or behavior of their products.
What versions of Nessus does Tenable support?
Currently, Tenable support covers authorized, unmodified versions of the Nessus 6.x and higher binaries, tools, and our own utilities. This does not include any user-compiled products or third-party developed products. Tenable does not provide support for the underlying operating system, hardware, applications, or third-party products that access a Nessus 6.x and higher server. Further, Tenable is not required to provide support services regarding the following:
- any software other than supported software;
- any classroom training or on-site consulting;
- design of any application;
- patches or modifications to the source code of the supported software authored by anyone other than Tenable;
- installation, configuration, or malfunctions of any part of the customer's computer or networking hardware equipment; or
- installation, configuration, or malfunctions of any part of the customer's operating system, including without limitation kernels, libraries, patches, and drivers.
Will you support user-patched versions of Nessus 4.x or higher binaries?
Does support cover the Nessus 2.x GPL version of the software?
Where should I send notices required under the Nessus contract?
Tenable Network Security, Inc.
7021 Columbia Gateway Drive, Suite 500
Columbia, MD 21046 – USA
Attn: Legal Department
Nessus Configuration and Troubleshooting:
How can I change the password of a Nessus user?
Password changes are done through the Nessus web interface. Click on your account name in the upper right corner, select "Settings", click on "Accounts", click on the user for whom you want to change the password, click "Change Password", enter and confirm the new password, and click "Save".
I attempted to install Nessus via RPM, but I get an error. Why can't I install Nessus this way?
If you downloaded the Nessus RPM to a Windows system and then transferred it to your Unix system, the name of the Nessus RPM file will likely be something similar to Nessus-5.0.0-es4.i386.rpm with square brackets added by the browser. RPM cannot handle square brackets in file names. Rename the file to Nessus-5.0.0-es4.i386.rpm and re-attempt the installation.
Nessus Windows specific:
When I try to install Nessus Windows, why am I receiving the error, "Error 1607: Unable to Install InstallShield Scripting Run Time"?
This error code can be produced if the Windows Management Instrumentation (WMI) service has been disabled. Please verify that the service is running.
If the WMI service is running, then this may be a problem between the Microsoft Windows operating system settings and the InstallShield product that is used for installing and removing Nessus Windows. There are knowledge base articles from both Microsoft and InstallShield that detail potential causes and the resolution of the issue.
Is there a difference in running Nessus on a Windows Server operating system (such as Server 2008 or 2012) versus a Windows desktop operating system (such as Windows 7 or Windows 8)?
Yes. Microsoft Windows desktop systems have network limitations that may impact the performance of Nessus. The TCP/IP stack limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit is reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate (10 per second). If too many enter the queue, they may be dropped.
This has the effect of causing a Nessus scan on a Windows desktop operating system to potentially produce false negatives. For better accuracy, it is recommended that Nessus on a Windows desktop operating system have its port scan throttling settings turned down to the following values, which are found in the "Performance" setting type under General Settings of a new policy:
- Max number of hosts: 10
- Max number of security checks: 4
- Max number of packets per second for a port scan: 50
For increased performance and scan reliability, it is highly recommended that Nessus Windows be installed on a server product from the Microsoft Windows family, such as Windows Server 2008 or 2012.
Can I use Nessus on a system with a Host-based Intrusion Prevention System (HIPS) installed?
No. During the process of scanning a remote target, Nessus must forge TCP/UDP packets and send probes that are often considered "malicious" by HIPS software. If the HIPS system is configured to block malicious traffic, it will interfere with Nessus and cause the scan results to be incomplete or unreliable.
What do the compliance checks audit against?
The compliance checks can audit against custom security policies, such as password complexity, system settings, or registry values on Windows operating systems. For Windows systems, the compliance audits can test for a large percentage of anything that can be described in a Windows policy file. For Unix systems, the compliance audits test for running processes, user security policy, and content of files.
How do I create my own audit policies?
Tenable has made documentation available for writing custom audit policies as well as several command line tools and very detailed example policies. In most cases, Tenable customers have been able to use the default audit policies and remove unneeded tests. In cases where more detail is needed than the current example tests, Tenable has documented examples for each type of Unix and Windows audit point. These can be modified with values that are in line with your organization’s configuration guidelines. The documentation is available on our Tenable Support Portal on the "Downloads" page.
Can the audit policies test for "XYZ"?
Tenable often receives "policy" testing requests for technical parameters outside of the scope of the audit checks. The compliance checks can audit the underlying configuration of the operating system; however, they cannot test for items such as detecting dual boot servers, user login behavior, CPU utilization, or when a program was last used. On a case-by-case basis, some applications may have log files and registry settings that contain this sort of information, but the compliance checks do not detect it by default.
Do I need to run an agent to perform these checks?
No. You can run scans using agents or agent-less.
How is a compliance check different than a vulnerability scan?
Nessus can perform vulnerability scans of network services and also log into servers to discover any missing patches. However, the lack of vulnerabilities does not mean a server is configured correctly. The advantage of using Nessus to perform vulnerability scans and compliance audits is that all of this data can be obtained at one time. Having knowledge of how a server is configured, how it is patched, and which vulnerabilities it has can help to prioritize systems for mitigating risk.
What systems can be audited?
Nessus can perform audits on Windows and several Unix-compatible systems, including:
- Windows 2003 Server
- Windows 2008 Server
- Windows Vista
- Windows 7
- Mac OS X
What standards do you audit against?
Tenable has developed several audit policies for Unix and Windows platforms. While writing them, Tenable took into account many aspects of common compliance audits, such as the requirements of SOX, FISMA, HIPAA, and others. Tenable also audits against the recommended best practices of CIS Benchmarks, NIST, NSA, and other organizations; these audits can be used to validate PCI configuration requirements.
We also provide files to audit databases, check for the presence of anti-virus software, detect viruses, and search for plain-text sensitive content. Audit files are created and updated regularly by Tenable staff.
Are compliance checks available for all Nessus editions?
Compliance checks are available for Nessus Professional, Nessus Manager, and Nessus Cloud customers; they are not available for Nessus Home.
Are all compliance checks available from all Nessus platforms?
Yes; the operating system on which Nessus is running does not matter. You can perform compliance audits of a Windows 2003 server from a Mac OS X system, and you can also audit a Linux server from a Windows system.
How do I get compliance checks?
If you are a Tenable SecurityCenter or Nessus subscriber, the plugins required to perform compliance audits are delivered through your normal plugin feed; update your plugins to obtain them. Nessus Professional, Nessus Manager, and Nessus Cloud customers who have upgraded to Nessus v6.x will see compliance checks in the Nessus user interface.
Finally, at the Tenable Support Portal on the "Downloads" page, Tenable has made several compliance audit policies available for download, as well as tools to help you develop your own policies.
Is there a charge for the compliance check plugins?
No. The compliance check plugins are included with your Nessus subscription.
How do I configure the compliance check plugins to match my security policy?
Detailed documentation is available on our Tenable Support Portal on the "Downloads" page.
Are compliance checks enabled by default when I do a scan?
No. They run only after you have manually selected an audit file in the scan policy.
Why do I get the error message "Supplied credentials don't have enough privileges to audit the remote host" when I try to execute compliance checks?
The account used for the scan credentials must have permission to read the local machine policy. If the target host is not a member of a Windows domain, the account must be a member of the host's local Administrators group. If the host is a domain member, the domain's administrators group is normally a member of the host's local Administrators group, so an account in the domain's administrators group will have access to the local machine policy.
Tenable Plugin Subscriptions:
What are Nessus plugins?
As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff write programs that enable Nessus to detect them. These programs are called 'plugins' and are written in the Nessus Attack Scripting Language (NASL). Each plugin contains vulnerability information, a generic set of remediation actions, and the algorithm for testing for the presence of the security issue. Plugins are also used to collect configuration information from authenticated hosts so that it can be audited against security best practices.
How many Nessus plugins are there?
The latest information on Nessus plugins, including the total number of plugins and CVEs covered and a listing of plugin families, is published on the Tenable website.
How do I access Nessus plugins?
Nessus plugins are downloaded through the plugin feed from the Nessus UI. Scanners without Internet access can be updated offline: the Nessus command line generates a challenge code, which you enter at https://plugins.nessus.org/offline.php to obtain the plugin set for manual installation.
How frequently are Nessus plugins updated?
Nessus plugins are updated daily, as vendors and security research sites publish new vulnerabilities. The updates are made available automatically through the plugin feed and are used by your next scan.
Can I use plugins with a "Nessus Home" subscription?
The Nessus Home subscription is available for non-commercial home use ONLY. Nessus Home is a non-commercial subscription that permits you to use plugins in conjunction with a registered scanner for your personal use solely to detect vulnerabilities only on your own personal system or network that you use for non-commercial purposes.
Can I use plugins while evaluating a version of Nessus?
Absolutely! If you are interested in evaluating Nessus and working with plugins, download or request an evaluation.
Which plugins can I distribute in my book, magazine, or CD?
You must obtain express written consent from Tenable Network Security to redistribute any Tenable Plugins or a copy of Nessus.
Can I request plugin modifications from Tenable as part of my Nessus subscription?
Yes, we welcome feedback to enhance or fix existing plugins and will consider requests for future plugin releases.