
Nessus 6.8 User Guide

Last Updated: 8/17/2016

Table of Contents

Getting Started 11

About Nessus Products 12

About Nessus Plugins 15

Hardware Requirements 17

Supported Operating Systems 18

Nessus License & Activation Code 21

Setup Nessus 22

Product Download 23

Pre-install Nessus 25

Deployment 26

Host Based Firewalls 27

IPv6 Support 28

Virtual Machines 29

Anti-virus Software 30

Security Warnings 31

Install Nessus and Nessus Agents 32

Nessus Installation 33

Install Nessus on Mac OS X 34

Install Nessus on Linux 36

Install Nessus on Windows 37

Nessus Agent Install 39

Install a Nessus Agent on Mac OS X 40

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Install a Nessus Agent on Linux 43

Install a Nessus Agent on Windows 47

Upgrade Nessus and Nessus Agents 51

Nessus Upgrade 52

Upgrade from Evaluation 53

Mac Upgrade 54

Linux Upgrade 55

Windows Upgrade 56

Nessus Agents: Upgrade 57

Installation - Web Browser Portion 58

Nessus (Home, Professional, or Manager) 60

Link to Nessus Manager 61

Link to Tenable Cloud 64

Managed by SecurityCenter 66

Install Nessus while Offline 67

Register Nessus Offline 71

Generate Challenge Code 73

Generate Your License 74

Download and Copy License File (nessus.license) 75

Register Your License with Nessus 76

Download and Copy Plugins 77

Install Plugins Manually 78

Remove Nessus and Nessus Agents 79

Nessus Removal 80


Uninstall Nessus on Mac OS X 81

Uninstall Nessus on Linux 82

Uninstall Nessus on Windows 84

Nessus Agent Removal 85

Uninstall a Nessus Agent on Mac OS X 86

Uninstall a Nessus Agent on Linux 87

Uninstall a Nessus Agent on Windows 89

Nessus Features 90

Navigating Nessus 91

Scans Page 92

Policies Page 96

User Profile 98

System Settings 100

Scanners / Local / Overview (Manager) 101

Scanners 102

Nessus Agents 109

Agent Groups 110

User and Group Accounts 111

Communication 112

Advanced Settings 114

Template Library 125

Scan Template Settings 128

Settings / Basic 131

Settings / Discovery 134


Settings / Assessment 140

Settings / Report 150

Scan Setting / Advanced 152

Scan Credentials Settings 155

Cloud Services 157

Amazon AWS 158

Microsoft Azure 159

Rackspace 160

Salesforce.com 161

Database 162

Database 163

MongoDB 165

Host 166

SSH 167

Public Key 169

Certificate 171

CyberArk Vault 172

Kerberos 174

Password Authentication 176

Thycotic Secret Server Authentication 177

SNMPv3 178

Windows 179

Password 183

CyberArk Vault 184


Kerberos 186

LM Hash 187

NTLM Hash 188

Thycotic Secret Server Authentication 189

Miscellaneous 190

ADSI 191

IBM iSeries 192

Palo Alto Networks PAN-OS 193

RHEV (Red Hat Enterprise Virtualization) 194

VMware ESX SOAP API 195

VMware vCenter SOAP API 196

X.509 197

Mobile Device Management 198

AirWatch 199

Apple Profile Manager 200

Good MDM 201

MaaS360 202

MobileIron 203

Patch Management 204

Dell KACE K1000 205

IBM Tivoli Endpoint Manager (TEM) 207

Microsoft System Center Configuration Manager (SCCM) 209

Windows Server Update Services (WSUS) 210

Red Hat Satellite 6 Server 211


Red Hat Satellite 5 Server 212

Symantec Altiris 213

Plaintext Authentication 215

HTTP 217

telnet/rsh/rexec 219

Scan Compliance Settings 220

Scan Plugins Settings 224

Special Use Templates 227

Manage Nessus 230

Manage Nessus License & Registration 231

Manage Activation Code 232

View your Activation Code 233

Reset Activation Code 234

Update Activation Code 235

Manage Your User Profile 237

Account Settings 238

API Keys 240

Change Password 241

Plugin Rules 242

System Settings 243

Manage Scanners 244

Nessus Professional 245

Scanners / Local / Overview (Professional) 246

Scanners / Local / Link 247


Scanners / Local / Software Update 249

Software Update Page 250

Update Nessus Version 252

Update Plugins 253

Update Activation Code 254

Updated Nessus Software using the Command Line 256

Nessus Manager 257

Scanners / Local / Overview (Manager) 258

Scanners / Local / Permissions 259

Scanners / Local / Software Update 260

Software Update Page 261

Update Nessus Version 263

Update Plugins 264

Update Activation Code 265

Updated Nessus Software using the Command Line 267

Scanners / Remote / Linked 268

Scanners / Agents / Linked 269

Manage Accounts 273

Manage Communications 276

LDAP Server 277

SMTP Server 279

Proxy Server 280

Cisco ISE 281

Manage Advanced Settings 282


Manage Scans 283

Create Scans 284

Create a Scan Folder 286

Manage Scans 287

Create an Unofficial PCI ASV Validation Scan 290

Scan Results 292

Dashboards 296

Scan Results Pages 300

Report Filters 301

Report Screenshots 305

Compare Report Results (Diff) 306

Knowledge Base 307

Exported Results 308

Manage Policies 309

Create a Policy 310

Create a Limited Plugin Policy 313

Manage Policies 317

Manage Nessus Agents 319

Manage Agent Groups 320

Create an Agent Scan 323

Custom SSL Certificates 327

Enable SSH Local Security Checks 334

Credentialed Checks on Windows 337

Additional Resources 341


Run Nessus as Non-Privileged User 342

Run Nessus on Linux with Systemd as Non-Privileged User 343

Run Nessus on Linux with init.d Script as Non-Privileged User 346

Run Nessus on MAC OSX as Non-Privileged User 348

Run Nessus on FreeBSD as non-privileged User 353

Scan Targets Explained 357

Command Line Operations 359

nessus-service 360

nessuscli 362

nessuscli agent 367

Start or Stop Nessus 369

Offline Update Page Details 371

More Nessus Resources 373


- 11 -

Getting Started

This section provides information about your Nessus license, your system requirements, and how to download Nessus products.

Additionally, this section includes information about Nessus features, including Nessus Agents, which are available for use with Nessus Manager and Tenable Cloud.

Unless otherwise noted, features apply to Nessus Manager.

- Hardware Requirements
- Software Requirements
- Licensing Requirements


- 12 -

About Nessus Products

Nessus Manager

Nessus® Manager combines the powerful detection, scanning, and auditing features of Nessus, the world's most widely deployed vulnerability scanner, with extensive management and collaboration functions to reduce your attack surface.

Nessus Manager enables the sharing of resources including Nessus scanners, scan schedules, policies, and scan results among multiple users or groups. Users can engage and share resources and responsibilities with their co-workers: system owners, internal auditors, risk and compliance personnel, IT administrators, network admins, and security analysts. These collaborative features reduce the time and cost of security scanning and compliance auditing by streamlining scanning, malware and misconfiguration discovery, and remediation.

Nessus Manager protects physical, virtual, mobile, and cloud environments. Nessus Manager is available for on-premises deployment or from the cloud, as Nessus® Cloud, hosted by Tenable. Nessus Manager supports the widest range of systems, devices, and assets, and with both agent-less and Nessus Agent deployment options, easily extends to mobile, transient, and other hard-to-reach environments.

Nessus Cloud

Tenable Cloud is a subscription-based license and is available at the Tenable Store.

Tenable Cloud enables security and audit teams to share multiple Nessus scanners, scan schedules, scan policies and, most importantly, scan results among an unlimited set of users or groups.

By making different resources available for sharing among users and groups, Tenable Cloud allows for endless possibilities for creating highly customized workflows for your vulnerability management program, regardless of locations, complexity, or any of the numerous regulatory or compliance drivers that demand keeping your business secure.

In addition, Tenable Cloud can control multiple Nessus scanners, schedule scans, push policies, and view scan findings, all from the cloud, enabling the deployment of Nessus scanners throughout your network to multiple physical locations, or even public or private clouds.

The Tenable Cloud subscription includes:

- Unlimited scanning of your perimeter systems
- Web application audits


- 13 -

- Ability to prepare for security assessments against current PCI standards
- Up to 2 quarterly report submissions for PCI ASV validation through Tenable Network Security, Inc.
- 24/7 access to the Tenable Support Portal for the Nessus knowledge base and support ticket creation

Tenable Cloud Product Page

Tenable Cloud User Manual

Nessus Professional

Nessus Professional, the industry's most widely deployed vulnerability assessment solution, helps you reduce your organization's attack surface and ensure compliance. Nessus features high-speed asset discovery, configuration auditing, target profiling, malware detection, sensitive data discovery, and more.

Nessus supports more technologies than competitive solutions, scanning operating systems, network devices, hypervisors, databases, web servers, and critical infrastructure for vulnerabilities, threats, and compliance violations.

With the world's largest continuously updated library of vulnerability and configuration checks, and the support of Tenable's expert vulnerability research team, Nessus sets the standard for vulnerability scanning speed and accuracy.

Nessus Professional Product Page

Nessus Agents

Nessus Agents, available with Tenable Cloud and Nessus Manager, increase scan flexibility by making it easy to scan assets that are offline or for which you do not want to maintain host credentials, and by enabling large-scale concurrent scanning with little network impact.

Why Use Nessus Agents?

- Supported by all major operating systems
- The performance overhead of agents is minimal, and because agents rely on local host resources, they can potentially reduce your overall network scanning overhead
- Eliminate the need to manage credentials for vulnerability scanning
- Can be deployed using most software management systems
- Automatically updated, so maintenance is minimal


- 14 -

- Designed to be highly secure, leveraging encryption to protect your data
- Scanning of laptops or other transient devices that are not always connected to the local network

Nessus Agents Product Page


- 15 -

About Nessus Plugins

As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs that enable Nessus to detect them.

These programs are named plugins and are written in Nessus' proprietary scripting language, the Nessus Attack Scripting Language (NASL).

Plugins contain vulnerability information, a generic set of remediation actions, and the algorithm to test for the presence of the security issue.

Nessus supports the Common Vulnerability Scoring System (CVSS) and carries both v2 and v3 values simultaneously. If both CVSS2 and CVSS3 attributes are present, both scores are calculated; however, in determining the Risk Factor attribute, the CVSS2 score currently takes precedence. Because the two scales differ (CVSS v3 rates 9.0 and above as Critical, for example), a finding's Risk Factor can disagree with the severity its CVSS3 score alone would suggest; filter on the CVSS3 score directly if your program prioritizes on v3.
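As an added example (not code from the Nessus User Guide or from Tenable), the following Python script reads ReportItem elements from a .nessus XML export, pulls out the CVSSv2 score, the CVSSv3 score and the Risk Factor Nessus assigned, and flags findings where the CVSSv3 qualitative rating (the scale from the CVSS v3.0 specification) differs from the Risk Factor, which the guide says is derived from CVSSv2. The embedded document is a constructed sample in the .nessus v2 layout; plugin IDs, names, scores and the host address are made up.

```python
"""Compare the CVSSv2-derived Risk Factor with the CVSSv3 qualitative rating.

Added example, not part of the Nessus User Guide. It reads ReportItem
elements in the .nessus (XML) export layout; the sample document below is
constructed for illustration and is not real scan output.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus v2 layout. Plugin IDs, names and scores are made up.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="example">
    <ReportHost name="192.0.2.10">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="100001" pluginName="Example TLS flaw" pluginFamily="General">
        <risk_factor>High</risk_factor>
        <cvss_base_score>7.5</cvss_base_score>
        <cvss3_base_score>9.8</cvss3_base_score>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="100002" pluginName="Example SSH weakness" pluginFamily="General">
        <risk_factor>Medium</risk_factor>
        <cvss_base_score>5.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100003" pluginName="Example info" pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def cvss3_rating(score):
    """Qualitative severity scale from the CVSS v3.0 specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def _float_child(item, tag):
    """Return the float text of a child element, or None when it is absent."""
    node = item.find(tag)
    return float(node.text) if node is not None and node.text else None


def findings(nessus_xml):
    """One dict per ReportItem with both CVSS scores and the Risk Factor Nessus set."""
    root = ET.fromstring(nessus_xml)
    out = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss2 = _float_child(item, "cvss_base_score")
            cvss3 = _float_child(item, "cvss3_base_score")
            rf_node = item.find("risk_factor")
            out.append({
                "host": host.get("name"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "risk_factor": rf_node.text if rf_node is not None else None,  # from CVSSv2
                "cvss2": cvss2,
                "cvss3": cvss3,
                "cvss3_rating": cvss3_rating(cvss3) if cvss3 is not None else None,
            })
    return out


def rating_mismatches(nessus_xml):
    """Findings whose CVSSv3 qualitative rating differs from the Risk Factor."""
    return [f for f in findings(nessus_xml)
            if f["cvss3_rating"] is not None and f["cvss3_rating"] != f["risk_factor"]]


if __name__ == "__main__":
    for f in rating_mismatches(SAMPLE_NESSUS):
        print(f"{f['host']} plugin {f['plugin_id']} ({f['plugin_name']}): "
              f"Risk Factor {f['risk_factor']} (CVSSv2 {f['cvss2']}) but "
              f"CVSSv3 {f['cvss3']} rates {f['cvss3_rating']}")
```

Run against a real export by replacing SAMPLE_NESSUS with the file contents; findings with no cvss3_base_score element are left out of the mismatch list rather than guessed at.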

Plugins are also used to obtain configuration information from authenticated hosts for configuration audits against security best practices.

To view plugin information, see a list of the newest plugins, view all Nessus plugins, and search for specific plugins, see the Nessus Plugins home page.

Example Plugin Information (screenshots): a list of a single host's scan results by plugin, showing severity and plugin name, and the details of a single host's plugin scan result.

How do I get Nessus Plugins?


- 16 -

By default, plugins are set for automatic updates and Nessus checks for updated components and plugins every 24 hours.

During product registration in the browser portion of the Nessus install, Nessus downloads all plugins and compiles them into an internal database.

You can also use the nessuscli fetch --register command to manually download plugins. For more details, see the Command Line section of this guide.

Optionally, during registration in the browser portion of the Nessus install, you can choose the Custom Settings link and provide the hostname or IP address of a server that hosts your custom plugin feed.

Tip: Plugins are obtained over TCP port 443 from plugins.nessus.org, plugins-customers.nessus.org, or plugins-us.nessus.org. If outbound traffic from the scanner is filtered, allow these destinations or configure a proxy (see Proxy Server under Manage Communications).

How do I update Nessus Plugins?

By default, Nessus checks for updated components and plugins every 24 hours. Additionally, you can manually update plugins from the Scanner Settings page in the UI.

You can also use the nessuscli update --plugins-only command to manually update plugins.

For more details, see the Command Line section of this guide.


- 17 -

Hardware Requirements

Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource requirements to consider for Nessus deployments include raw network speed, the size of the network being monitored, and the configuration of Nessus.

The following chart outlines some basic hardware requirements for operating Nessus:

Scenario: Nessus managing up to 50,000 hosts
  Minimum recommended hardware
  CPU: 1 dual-core 2 GHz CPU
  Memory: 2 GB RAM (4 GB RAM recommended)
  Disk space: 30 GB

Scenario: Nessus managing more than 50,000 hosts
  Minimum recommended hardware
  CPU: 1 dual-core 2 GHz CPU (2 dual-core recommended)
  Memory: 2 GB RAM (8 GB RAM recommended)
  Disk space: 30 GB (additional space may be needed for reporting)

Virtual Machines

Nessus can be installed on a virtual machine that meets the same requirements specified. If your virtual machine is using Network Address Translation (NAT) to reach the network, many of Nessus' vulnerability checks, host enumeration, and operating system identification will be negatively affected.


- 18 -

Supported Operating Systems

Nessus supports Mac, Linux, and Windows operating systems.

Nessus Manager and Nessus Professional

Mac OS X

- Mac OS X 10.8, 10.9, 10.10, and 10.11 - x86-64

Linux

- Debian 6, 7, and 8 / Kali Linux 1 and 2 - i386
- Debian 6, 7, and 8 / Kali Linux 1 and 2 - AMD64
- Red Hat ES 5 / CentOS 5 / Oracle Linux 5 (including Unbreakable Enterprise Kernel) - i386
- Red Hat ES 5 / CentOS 5 / Oracle Linux 5 (including Unbreakable Enterprise Kernel) - x86_64
- Red Hat ES 6 / CentOS 6 / Oracle Linux 6 (including Unbreakable Enterprise Kernel) - i386
- Red Hat ES 6 / CentOS 6 / Oracle Linux 6 (including Unbreakable Enterprise Kernel) - x86_64
- Red Hat ES 7 / CentOS 7 / Oracle Linux 7 (including Unbreakable Enterprise Kernel) - x86_64
- FreeBSD 10 - AMD64
- Fedora 20 and 21 - x86_64
- SUSE 10.0 Enterprise - x86_64
- SUSE 11 Enterprise - i586
- SUSE 11 Enterprise - x86_64
- Ubuntu 11.10, 12.04, 12.10, 13.04, 13.10, 14.04, and 16.04 - i386
- Ubuntu 11.10, 12.04, 12.10, 13.04, 13.10, 14.04, and 16.04 - AMD64

Windows

- Windows 7, 8, and 10 - i386
- Windows Server 2008, Server 2008 R2*, Server 2012, Server 2012 R2, 7, 8, and 10 - x86-64


- 19 -

Tip: Windows Server 2008 R2's bundled version of Microsoft IE does not interface with a Java installation properly. This causes Nessus not to perform as expected in some situations; Microsoft's policy recommends not using MSIE on server operating systems.

For increased performance and scan reliability when installing on a Windows platform, it is highly recommended that Nessus be installed on a server product from the Microsoft Windows family, such as Windows Server 2008 R2.

Nessus Agents

Mac OS X

- Mac OS X 10.8, 10.9, 10.10, and 10.11 - x86-64

Linux

- Debian 6, 7, and 8 - i386
- Debian 6, 7, and 8 - AMD64
- Red Hat ES 5 / CentOS 5 / Oracle Linux 5 (including Unbreakable Enterprise Kernel) - i386
- Red Hat ES 5 / CentOS 5 / Oracle Linux 5 (including Unbreakable Enterprise Kernel) - x86_64
- Red Hat ES 6 / CentOS 6 / Oracle Linux 6 (including Unbreakable Enterprise Kernel) - i386
- Red Hat ES 6 / CentOS 6 / Oracle Linux 6 (including Unbreakable Enterprise Kernel) - x86_64
- Red Hat ES 7 / CentOS 7 / Oracle Linux 7 - x86_64
- Fedora 20 and 21 - x86_64
- Ubuntu 10.04 - i386
- Ubuntu 10.04 - AMD64
- Ubuntu 11.10, 12.04, 12.10, 13.04, 13.10, and 14.04 - i386
- Ubuntu 11.10, 12.04, 12.10, 13.04, 13.10, and 14.04 - AMD64

Windows

- Windows 7, 8, and 10 - i386
- Windows Server 2008, Server 2008 R2*, Server 2012, Server 2012 R2, 7, 8, and 10 - x86-64

Browsers


- 20 -

When using the Nessus user interface, the following browsers are supported.

- Google Chrome (24+)
- Apple Safari (6+)
- Mozilla Firefox (20+)
- Internet Explorer (9+)

PDF Reports

The Nessus .pdf report generation feature requires the latest version of Oracle Java or OpenJDK.

Oracle Java or OpenJDK must be installed prior to the installation of Nessus.

Note: If Oracle Java or OpenJDK is installed after the Nessus installation, Nessus will need to be reinstalled for PDF report generation to function.


- 21 -

Nessus License & Activation Code

When you registered Nessus, you received an e-mail with your activation code.

Your activation code is unique and specific to your Nessus product license or subscription.

This code identifies which version of Nessus you are licensed to install and use and, if applicable, how many IP addresses can be scanned, how many remote scanners can be linked to Nessus, and how many Nessus Agents can be linked to Nessus Manager.

Additionally, your activation code:

- is a one-time code, unless your license or subscription changes, at which point a new activation code will be issued to you.
- must be used with the Nessus installation within 24 hours.
- cannot be shared between scanners.
- is not case sensitive.
- is required to Register Nessus Offline.

For more information, see Manage Your Activation Code.


- 22 -

Setup Nessus

This section includes information about installing, upgrading, and removing Nessus and Nessus Agents.

- Product Download
- Pre-install Nessus
- Install Nessus and Nessus Agents
- Upgrade Nessus and Nessus Agents
- Installation - Web Browser Portion
- Register Nessus Offline
- Remove Nessus and Nessus Agents


- 23 -

Product Download

Nessus products are downloaded from the Tenable Support Portal.

When downloading Nessus from the Tenable Support Portal, make sure that the package selected is specific to your operating system and processor.

There is a single Nessus package per operating system and processor. Nessus Manager and Nessus Professional do not have different packages; your activation code determines which Nessus product will be installed.

Example Nessus package file names and descriptions

  Package                                       Description
  Nessus-<version number>-Win32.msi             Nessus <version number> for Windows 7 and 8 - i386
  Nessus-<version number>-x64.msi               Nessus <version number> for Windows Server 2008, Server 2008 R2*, Server 2012, Server 2012 R2, 7, and 8 - x86-64
  Nessus-<version number>-debian6_amd64.deb     Nessus <version number> for Debian 6 and 7 / Kali Linux - AMD64
  Nessus-<version number>.dmg                   Nessus <version number> for Mac OS X 10.8, 10.9, and 10.10 - x86-64
  Nessus-<version number>-es6.i386.rpm          Nessus <version number> for Red Hat ES 6 / CentOS 6 / Oracle Linux 6 (including Unbreakable Enterprise Kernel) - i386
  Nessus-<version number>-fc20.x86_64.rpm       Nessus <version number> for Fedora 20 and 21 - x86_64
  Nessus-<version number>-suse10.x86_64.rpm     Nessus <version number> for SUSE 10.0 Enterprise - x86_64
  Nessus-<version number>-ubuntu1110_amd64.deb  Nessus <version number> for Ubuntu 11.10, 12.04, 12.10, 13.04, 13.10, and 14.04 - AMD64

Example Nessus Agent package file names and descriptions


- 24 -

  Package                                            Description
  NessusAgent-<version number>-x64.msi               Nessus Agent <version number> for Windows Server 2008, Server 2008 R2*, Server 2012, Server 2012 R2, 7, and 8 - x86-64
  NessusAgent-<version number>-amzn.x86_64.rpm       Nessus Agent <version number> for Amazon Linux 2015.03, 2015.09 - x86-64
  NessusAgent-<version number>-debian6_i386.deb      Nessus Agent <version number> for Debian 6 and 7 / Kali Linux - i386
  NessusAgent-<version number>.dmg                   Nessus Agent <version number> for Mac OS X 10.8, 10.9, and 10.10 - x86-64
  NessusAgent-<version number>-es6.x86_64.rpm        Nessus Agent <version number> for Red Hat ES 6 / CentOS 6 / Oracle Linux 6 (including Unbreakable Enterprise Kernel) - x86_64
  NessusAgent-<version number>-fc20.x86_64.rpm       Nessus Agent <version number> for Fedora 20 and 21 - x86_64
  NessusAgent-<version number>-ubuntu1110_amd64.deb  Nessus Agent <version number> for Ubuntu 11.10, 12.04, 12.10, 13.04, 13.10, and 14.04 - AMD64


- 25 -

Pre-install Nessus

This section prepares you for a successful installation of Nessus.

To install and perform command-line operations, Nessus requires system root or Administrator permissions. (Running the service itself with reduced privileges after installation is covered under Run Nessus as Non-Privileged User.)

- Deployment
- Host Based Firewalls
- IPv6 Support
- Virtual Machines
- Anti-virus Software
- Security Warnings


- 26 -

Deployment

When deploying Nessus, knowledge of routing, filters, and firewall policies is often helpful. It is recommended that Nessus be deployed so that it has good IP connectivity to the networks it is scanning. Deploying behind a NAT device is not desirable unless it is scanning the internal network. Any time a vulnerability scan flows through a NAT device or application proxy of some sort, the check can be distorted and a false positive or negative can result. In addition, if the system running Nessus has personal or desktop firewalls in place, these tools can drastically limit the effectiveness of a remote vulnerability scan.

Host-based firewalls can interfere with network vulnerability scanning. Depending on your firewall's configuration, it may prevent, distort, or hide the probes of a Nessus scan.

Certain network devices that perform stateful inspection, such as firewalls, load balancers, and Intrusion Detection/Prevention Systems, may react negatively when a scan is conducted through them. Nessus has a number of tuning options that can help reduce the impact of scanning through such devices, but the best method to avoid the problems inherent in scanning through such network devices is to perform a credentialed scan.


- 27 -

Host Based Firewalls

Port 8834

TheNessus UI uses port 8834. If not already open, open port 8834 by consulting your firewall’s vendor’s doc-umentation for configuration instructions.

Allow Connections

If your Nessus server is configured on a host with 3rd-party firewall such as ZoneAlarm orWindows firewall,youmust configure it to allow connections from the IP addresses of the clients usingNessus.

Nessus and FirewallD

Nessus can be configured to work with FirewallD. When Nessus is installed on RHEL 7, CentOS 7, and Fedora 20+ systems using firewalld, firewalld can be configured with the Nessus service and Nessus port.

To open the ports required for Nessus, use the following commands:

# firewall-cmd --permanent --add-service=nessus
# firewall-cmd --reload
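The two commands above open TCP/8834 to every source the zone accepts. The Allow Connections advice is stricter: only the hosts that actually use the Nessus UI should be able to reach the port. As an added example (not from the Tenable guide), the following script builds firewalld rich rules that admit only an allow-list of client networks. The zone name "public", the networks passed in, and the --apply switch are assumptions of the example; firewall-cmd is only executed when --apply is given, and the rule text is built from a parsed network so that a typo cannot widen the source to 0.0.0.0/0.

```python
"""Added example: allow-list the Nessus UI port (TCP/8834) with firewalld.

Not part of the Nessus guide.  Assumes firewalld, zone "public", and that the
client networks given on the command line are placeholders to be replaced.
"""
import ipaddress
import shlex
import subprocess
import sys

NESSUS_PORT = 8834


def rich_rule(network: str, port: int = NESSUS_PORT) -> str:
    """Return a firewalld rich rule accepting TCP `port` from `network`.

    ipaddress validates the input; strict=False lets "10.0.0.5/24" mean the
    network 10.0.0.0/24 instead of raising on host bits being set.
    """
    net = ipaddress.ip_network(network, strict=False)
    family = "ipv6" if net.version == 6 else "ipv4"
    return (
        f'rule family="{family}" source address="{net.with_prefixlen}" '
        f'port port="{port}" protocol="tcp" accept'
    )


def firewall_commands(networks, zone: str = "public", port: int = NESSUS_PORT):
    """Return the argv lists to run: one permanent rich rule per network,
    then a reload so the permanent configuration becomes the runtime one."""
    cmds = [
        ["firewall-cmd", "--permanent", f"--zone={zone}",
         f"--add-rich-rule={rich_rule(n, port)}"]
        for n in networks
    ]
    cmds.append(["firewall-cmd", "--reload"])
    return cmds


def apply_rules(networks, zone: str = "public", dry_run: bool = True):
    """Print each command; execute it only when dry_run is False."""
    for argv in firewall_commands(networks, zone):
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Usage: python nessus_fw.py [--apply] 10.0.0.0/24 2001:db8::/64
    args = sys.argv[1:]
    apply_rules([a for a in args if a != "--apply"], dry_run="--apply" not in args)
```

Run it without --apply first and read the generated commands; the rich rules land in the permanent configuration, so they survive a reboot, and `firewall-cmd --list-all` shows them once the reload has run.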


IPv6 Support

Nessus supports scanning of IPv6 based resources. Many operating systems and devices are shipping with IPv6 support enabled by default. To perform scans against IPv6 resources, at least one IPv6 interface must be configured on the host where Nessus is installed, and Nessus must be on an IPv6 capable network (Nessus cannot scan IPv6 resources over IPv4, but it can enumerate IPv6 interfaces via credentialed scans over IPv4). Both full and compressed IPv6 notation is supported when initiating scans.

Scanning IPv6 Global Unicast IP address ranges is not supported unless the IPs are entered separately (i.e., list format). Nessus does not support IPv6 ranges expressed as hyphenated ranges or CIDR addresses. Nessus does support link-local ranges with the link6 directive as the scan target or local link with eth0.
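Because IPv6 targets have to be given one address per entry, a target list that mixes IPv4 CIDR blocks with IPv6 prefixes has to be pre-expanded before it is pasted into a scan. The following helper is an added example, not code from the Nessus guide: it leaves IPv4 entries and hostnames alone, expands IPv6 CIDR blocks and hyphenated ranges into individual addresses in compressed notation, and refuses anything larger than a cap, since a /64 cannot be enumerated and even a /112 is 65,536 entries. The cap value and the sample inputs are assumptions of the example.

```python
"""Added example: turn IPv6 ranges into the list format Nessus accepts.

Not part of the Nessus guide.  MAX_EXPANSION is an arbitrary safety limit.
"""
import ipaddress

MAX_EXPANSION = 1024  # refuse to turn one entry into more addresses than this


def _ipv6_range(entry: str):
    """Yield every address in a hyphenated IPv6 range "start-end"."""
    start_s, end_s = entry.split("-", 1)
    start = ipaddress.IPv6Address(start_s.strip())
    end = ipaddress.IPv6Address(end_s.strip())
    if end < start:
        raise ValueError(f"range end precedes start: {entry}")
    if int(end) - int(start) + 1 > MAX_EXPANSION:
        raise ValueError(f"range too large to list: {entry}")
    for n in range(int(start), int(end) + 1):
        yield str(ipaddress.IPv6Address(n))


def to_nessus_targets(entries):
    """Return target strings in a form Nessus accepts, in input order.

    IPv4 entries (single, CIDR, hyphenated) and hostnames pass through
    untouched because Nessus handles those itself.  IPv6 CIDR blocks and
    hyphenated ranges become individual addresses; single IPv6 addresses
    are normalised to compressed notation.  Duplicates are dropped.
    """
    out = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if ":" not in entry:
            out.append(entry)  # IPv4 or hostname
            continue
        if "/" in entry:
            net = ipaddress.IPv6Network(entry, strict=False)
            if net.num_addresses > MAX_EXPANSION:
                raise ValueError(f"prefix too large to list: {entry}")
            out.extend(str(a) for a in net)
        elif "-" in entry:
            out.extend(_ipv6_range(entry))
        else:
            out.append(str(ipaddress.IPv6Address(entry)))
    seen, result = set(), []
    for target in out:
        if target not in seen:
            seen.add(target)
            result.append(target)
    return result


if __name__ == "__main__":
    # Constructed sample input, not real scan targets.
    sample = ["192.168.1.0/24", "2001:db8::/126", "2001:0db8::0000:0001"]
    print("\n".join(to_nessus_targets(sample)))
```

Feed the output to the scan's Targets field one entry per line; a ValueError on the size cap is the signal to split the prefix into something that is actually worth scanning host by host.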


Virtual Machines

If your virtual machine is using Network Address Translation (NAT) to reach the network, many of the Nessus vulnerability checks, host enumeration, and operating system identification will be negatively affected.


Anti-virus Software

Due to the large number of TCP connections generated during a scan, some anti-virus software packages may classify Nessus as a worm or a form of malware.

If your anti-virus software gives a warning, click Allow to let Nessus continue scanning.

If your anti-virus package has an option to add processes to an exception list, add nessusd.exe and nessus-service.exe.


Security Warnings

By default, Nessus is installed and managed using HTTPS and SSL, uses port 8834, and the default installation of Nessus uses a self-signed SSL certificate.

During the web-based portion of the Nessus installation, the following message regarding SSL will be displayed:

You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or you can obtain a valid SSL certificate from a registrar.

This information refers to a security related message you will encounter when accessing the Nessus UI (https://[server IP]:8834).

Example security warnings:

- a connection privacy problem
- an untrusted site
- an unsecure connection

Because Nessus is providing a self-signed SSL certificate, this is expected and normal behavior. It also means the browser cannot tell the Nessus certificate apart from one substituted by someone on the network path, so compare the certificate's fingerprint with the one on the Nessus server before accepting it, or replace the self-signed certificate with one issued by a certificate authority your browsers trust.

Bypassing SSL warnings

Based on the browser you are using, use the steps below to proceed to the Nessus login page.

Google Chrome: Click Advanced, and then Proceed to example.com (unsafe).

Mozilla Firefox: Click I Understand the Risks, and then click Add Exception. Next click Get Certificate, and finally click Confirm Security Exception.

Microsoft Internet Explorer: Click Continue to this website (not recommended).
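Clicking through the warning accepts whatever certificate was presented. The script below is an added example, not part of the Nessus guide: it fetches the certificate the Nessus UI actually serves, prints its SHA-256 fingerprint in the colon-separated form browsers display, and compares it with a fingerprint obtained out of band (for instance by running the same script's `fingerprint_from_pem_file` against the server certificate file on the Nessus host over SSH). The host name, port, expected fingerprint and file path are placeholders; /opt/nessus/com/nessus/CA/servercert.pem is the path I expect on a Linux install, so confirm it on yours. The TLS verification is disabled on purpose: the certificate is self-signed, and the check pins it rather than validating it against a CA.

```python
"""Added example: pin the Nessus UI's self-signed certificate by fingerprint.

Not part of the Nessus guide.  Host, port, expected fingerprint and the
server certificate path are assumptions to be replaced.
"""
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop colons, spaces and case so values copied from different tools
    (browser dialog, openssl, this script) compare equal."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def fingerprints_match(seen: str, expected: str) -> bool:
    return normalize_fingerprint(seen) == normalize_fingerprint(expected)


def fetch_fingerprint(host: str, port: int = 8834, timeout: float = 10.0) -> str:
    """Connect, take the leaf certificate the server presents, fingerprint it.

    check_hostname must be cleared before verify_mode is set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return sha256_fingerprint(der)


def fingerprint_from_pem_file(path: str) -> str:
    """Fingerprint a PEM certificate file; run this on the Nessus host itself,
    e.g. against /opt/nessus/com/nessus/CA/servercert.pem (assumed path)."""
    with open(path, "r", encoding="ascii") as f:
        der = ssl.PEM_cert_to_DER_cert(f.read())
    return sha256_fingerprint(der)


if __name__ == "__main__":
    import sys
    # Usage: python nessus_pin.py nessus.example.org 8834 <expected fingerprint>
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    seen = fetch_fingerprint(host, port)
    if fingerprints_match(seen, expected):
        print("OK: server presented the expected certificate", seen)
    else:
        print("MISMATCH: server presented", seen)
        sys.exit(1)
```

The same out-of-band value can be produced with `openssl x509 -in servercert.pem -noout -fingerprint -sha256` on the server; only once the two agree does accepting the browser exception mean what the guide says it means.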


Install Nessus and Nessus Agents

This section includes information and steps required for installing Nessus and Nessus Agents on all supported operating systems.

Nessus Installation

- Install Nessus on Mac OS X
- Install Nessus on Linux
- Install Nessus on Windows

Nessus Agent Installation

- Install a Nessus Agent on Mac OS X
- Install a Nessus Agent on Linux
- Install a Nessus Agent on Windows


Nessus Installation

This section details instructions for installing Nessus Manager and Nessus Professional on Mac, Linux, and Windows operating systems.

- Install Nessus on Mac OS X
- Install Nessus on Linux
- Install Nessus on Windows
- Installation - Browser Portion

There are two parts to the installation process: the operating system specific portion, followed by the OS agnostic browser portion, which completes the installation.

Tip: Nessus can be run as a non-privileged user. For steps, see Run Nessus as Non-Privileged User.


Install Nessus on Mac OS X

Download Nessus package file

For details, refer to the Product Download topic.

Extract the Nessus files

Double-click the Nessus-<version number>.dmg file.

Start Nessus Installation

Double-click the Install Nessus.pkg icon.

Complete the Tenable Nessus Server Install

When the installation begins, the Install Tenable Nessus Server screen will be displayed and provides an interactive navigation menu.

Introduction

The Welcome to the Tenable Nessus Server Installer window provides general information about the Nessus installation.

1. Read the installer information.

2. To begin, click the Continue button.

License

1. On the Software License Agreement screen, read the terms of the Tenable Network Security, Inc. Nessus Software License and Subscription Agreement.

2. OPTIONAL: To retain a copy of the license agreement, click Print or Save.

3. Next, click the Continue button.

4. To continue installing Nessus, click the Agree button; otherwise, click the Disagree button to quit and exit.

Installation Type


On the Standard Install on <Drive Name> screen, choose one of the following options:

- Click the Change Install Location button.
- Click the Install button to continue using the default installation location.

Installation

When the Preparing for installation screen appears, you will be prompted for a username and password.

1. Enter the Name and Password of an administrator account or the root user account.

2. On the Ready to Install the Program screen, click the Install button.

Next, the Installing Tenable Nessus screen will be displayed and a Status indication bar will illustrate the remaining installation progress. The process may take several minutes.

Summary

When the installation is complete, you will see the The installation was successful screen.

After the installation completes, click Close.

The remaining Nessus installation steps will be performed in your web browser; see Installation - Web Browser Portion.


Install Nessus on Linux

Download Nessus Manager.

For details, refer to the Product Download topic.

Use Commands to Install Nessus

From a command prompt, run the Nessus install command specific to your operating system.

Example Nessus Install Commands

Red Hat version 6

# rpm -ivh Nessus-<version number>-es6.x86_64.rpm

Debian version 6

# dpkg -i Nessus-<version number>-debian6_amd64.deb

FreeBSD version 10

# pkg add Nessus-<version number>-fbsd10-amd64.txz

Start the Nessus Daemon

From a command prompt, start the nessusd daemon.

Example Nessus Daemon Start Commands

Red Hat, CentOS, Oracle Linux, Fedora, SUSE, FreeBSD

# service nessusd start

Debian/Kali and Ubuntu

# /etc/init.d/nessusd start

The remaining Nessus installation steps will be performed in your web browser; see Installation - Web Browser Portion.


Install Nessus on Windows

Download Nessus Manager

For details, refer to the Product Download topic.

Start Nessus Installation

1. Navigate to the folder where you downloaded the Nessus installer.

2. Next, double-click on the file name to start the installation process.

Complete the Windows InstallShield Wizard

1. First, the Welcome to the InstallShield Wizard for Tenable Nessus screen will be displayed. Click Next to continue.

2. On the License Agreement screen, read the terms of the Tenable Network Security, Inc. Nessus Software License and Subscription Agreement.

3. Click the I accept the terms of the license agreement radio button, and then click the Next button.

4. On the Destination Folder screen, click the Next button to accept the default installation folder. Otherwise, click the Change button to install Nessus to a different folder.

5. On the Ready to Install the Program screen, click the Install button.

The Installing Tenable Nessus screen will be displayed and a Status indication bar will illustrate the installation progress. The process may take several minutes.

If presented, Install WinPcap

As part of the Nessus installation process, WinPcap needs to be installed. If WinPcap was previously installed as part of another network application, the following steps will not be displayed, and you will continue with the installation of Nessus.

1. On the Welcome to the WinPcap Setup Wizard screen, click the Next button.

2. On the WinPcap License Agreement screen, read the terms of the license agreement, and then click the I Agree button to continue.


3. On the WinPcap Installation options screen, ensure that the Automatically start the WinPcap driver at boot time option is checked, and then click the Install button.

4. Next, on the Completing the WinPcap Setup Wizard screen, click the Finish button.

5. Finally, the Tenable Nessus InstallShield Wizard Completed screen will be displayed. Click the Finish button.

After the InstallShield Wizard completes, the Welcome to Nessus page will load in your default browser.

The remaining Nessus installation steps will be performed in your web browser; see Installation - Web Browser Portion.


Nessus Agent Install

This section includes information for installing Nessus Agents on all supported operating systems:

- Install a Nessus Agent on Mac OS X
- Install a Nessus Agent on Linux
- Install a Nessus Agent on Windows

Once installed, Nessus Agents are linked to Nessus Manager or Tenable Cloud.

- Nessus Agents are not available for use with Nessus Professional.
- Nessus Agents can only be installed after the installation of Nessus Manager, but can be linked to Tenable Cloud without further setup in Tenable Cloud.
- Nessus Agents are downloaded from the Nessus Agents Download Page.
- Before you start the Agent installation process, you will first retrieve the Nessus Agent Linking Key from within the Nessus Manager or Tenable Cloud interface.
- Linked agents will automatically download plugins from the manager upon connection; this process can take several minutes and is required before an agent will return scan results.


Install a Nessus Agent on Mac OS X

Retrieve Agent Linking Key from within Nessus

1. Log in to Nessus.

2. Click the Settings (gear) button.

3. On the Scanners / Agents / Linked page, click Agent > Linked and read the on-screen message:

Agents can be linked to this manager using the provided key with the following setup instructions. Once linked, they must be added to a group for use when configuring scans. Also, linked agents will automatically download plugins from the manager upon connection. Please note, this process can take several minutes and is required before an agent will return scan results.

4. In the first sentence of the Scanners / Agents / Linked window, click the setup instructions link.


5. Record the host, port, and key values. These values will be used during the installation of the Nessus Agent.

6. Click the Close button.

Download Nessus Agent

From the Nessus Agents Download Page, download the Nessus Agent specific to your operating system.

Example: Compressed Nessus Installer File

NessusAgent-<version number>.dmg

Install Nessus Agent

1. Double-click the NessusAgent .dmg (Mac OS X Disk Image) file.

2. Double-click the Nessus.pkg icon.

3. Complete the Nessus Agent installer.

Note: Next, you will use the command line interface (Terminal) to link your Nessus Agent to Nessus Manager or Tenable Cloud.

Link Agent using Command Line Interface

During this step, you will need the Agent Key values obtained from the Nessus UI (Step 1): host, port, and key.

Agent Key Values

Required values:

- --key
- --host
- --port

Optional values:

- --name (a name for your Agent)
- --groups (existing Agent Group(s) that you want your Agent to be a member of)

If you do not specify an Agent Group during the install process, you can later add your linked Agent to an Agent Group within the Nessus UI.

1. Open Terminal.

2. At the command prompt, use the following command as an example to construct your link-specific string.

Example Mac Agent Link Command

# /Library/NessusAgent/run/sbin/nessuscli agent link --key=00abcd00000efgh11111i0k222lmopq3333st4455u66v777777w88xy9999zabc00 --name="MyOSXAgent" --groups="All" --host=yourcompany.com --port=8834

Verify Linked Agent

1. In Nessus, click the Settings (gear) button.

2. View linked Agents on the Scanners / Agents / Linked page.

This completes the process of installing a Nessus Agent on the Mac OS X operating system.


Install a Nessus Agent on Linux

Retrieve Agent Linking Key from within Nessus

1. Log in to Nessus.

2. Click the Settings (gear) button.

3. On the Scanners / Agents / Linked page, click Agent > Linked and read the on-screen message:

Agents can be linked to this manager using the provided key with the following setup instructions. Once linked, they must be added to a group for use when configuring scans. Also, linked agents will automatically download plugins from the manager upon connection. Please note, this process can take several minutes and is required before an agent will return scan results.

4. In the first sentence of the Scanners / Agents / Linked window, click the setup instructions link.


5. Record the host, port, and key values. These values will be used during the installation of the Nessus Agent.

6. Click the Close button.

Download the Nessus Agent

From the Nessus Agents Download Page, download the Nessus Agent specific to your operating system.

Example Nessus Agent Package Names

Red Hat, CentOS, and Oracle Linux

NessusAgent-<version number>-es5.x86_64.rpm
NessusAgent-<version number>-es6.i386.rpm
NessusAgent-<version number>-es7.x86_64.rpm

Fedora

NessusAgent-<version number>-fc20.x86_64.rpm

Ubuntu

NessusAgent-<version number>-ubuntu1110_amd64.deb
NessusAgent-<version number>-ubuntu1110_i386.deb
NessusAgent-<version number>-ubuntu910_amd64.deb
NessusAgent-<version number>-ubuntu910_i386.deb

Debian

NessusAgent-<version number>-debian6_amd64.deb
NessusAgent-<version number>-debian6_i386.deb

Install Nessus Agent

Using the command line interface, install the Nessus Agent.

Example Linux Install Commands

Red Hat, CentOS, and Oracle Linux

# rpm -ivh NessusAgent-<version number>-es6.i386.rpm
# rpm -ivh NessusAgent-<version number>-es5.x86_64.rpm


Fedora

# rpm -ivh NessusAgent-<version number>-fc20.x86_64.rpm

Ubuntu

# dpkg -i NessusAgent-<version number>-ubuntu1110_i386.deb

Debian

# dpkg -i NessusAgent-<version number>-debian6_amd64.deb

Link Agent to Nessus Manager

Note: This step requires root privileges.

During this step, you will need the Agent Key values obtained from the Nessus UI:

Agent Key Values

Required values:

- --key
- --host
- --port

Optional values:

- --name (a name for your Agent)
- --groups (existing Agent Group(s) that you want your Agent to be a member of)

If you do not specify an Agent Group during the install process, you can later add your linked Agent to an Agent Group within the Nessus UI.

At the command prompt, use the following command as an example to construct the nessuscli agent link string.

# /opt/nessus_agent/sbin/nessuscli agent link --key=00abcd00000efgh11111i0k222lmopq3333st4455u66v777777w88xy9999zabc00 --name=MyLinuxAgent --groups="All" --host=yourcompany.com --port=8834


Verify Linked Agent

1. In Nessus, click the Settings (gear) button.

2. View Agents on the Scanners / Agents / Linked page.

Note: If information provided in your command string is incorrect, a Failed to link agent error will be displayed.

This completes the process of installing a Nessus Agent on the Linux operating system.


Install a Nessus Agent on Windows

Before You Begin

Nessus Agents can be deployed with a standard Windows service such as Active Directory (AD), Systems Management Server (SMS), or other software delivery system for MSI packages.

On Windows 7 x64 Enterprise, Windows 8 Enterprise, and Windows Server 2012, you may be required to perform a reboot to complete installation.

Retrieve Agent Linking Key from within Nessus

1. Log in to Nessus.

2. Click the Settings (gear) button.

3. On the Scanners / Agents / Linked page, click Agent > Linked and read the on-screen message:

Agents can be linked to this manager using the provided key with the following setup instructions. Once linked, they must be added to a group for use when configuring scans. Also, linked agents will automatically download plugins from the manager upon connection. Please note, this process can take several minutes and is required before an agent will return scan results.


4. In the first sentence of the Scanners / Agents / Linked window, click the setup instructions link.

5. Record the host, port, and key values. These values will be used during the installation of the Nessus Agent.

6. Click the Close button.

Download Nessus Agent

From the Nessus Agents Download Page, download the Nessus Agent specific to your operating system.

Example: Nessus Agent package file

NessusAgent-<version number>-Win32.msi (Windows 7 and 8, 32-bit)

Start Nessus Agent Installation

1. Navigate to the folder where you downloaded the Nessus Agent installer.

2. Next, double-click the file name to start the installation process.

Complete the Windows InstallShield Wizard

1. First, the Welcome to the InstallShield Wizard for Nessus Agent dialog box will appear. Click Next to continue.


2. From the License Agreement window, read the terms of the Tenable Network Security, Inc. Nessus Software License and Subscription Agreement.

3. Click the I accept the terms of the license agreement radio button, and then click the Next button.

4. On the Destination Folder screen, click the Next button to accept the default installation folder. Otherwise, click the Change button to install the Nessus Agent to a different folder.

Note: During the next step, you will need the Agent Key values: Key, Server (host), and Groups.

5. On the Configuration Options screen, enter the Agent Key values: Key, Server (host), and Groups, and then click Next.

Agent Key Values

Required values:

- Key
- Server (host)

Optional value:

- Groups (existing Agent Group(s) that you want your Agent to be a member of)

Note: If you do not specify an Agent Group during the install process, you can later add your linked Agent to an Agent Group within the Nessus UI.

Note: Your Agent Name will be the computer name where the agent is installed.

6. On the Ready to Install the Program screen, click Install.

7. If presented with a User Account Control message, click Yes to allow the Nessus Agent to be installed.

8. When the InstallShield Wizard Complete screen appears, click Finish.

Verify Linked Agent

1. In Nessus, click the Settings (gear) button.

2. View the linked agents on the Scanners / Agents / Linked page.


Tip: Nessus Agents can be deployed and linked using the command line interface. Example:

> msiexec /i NessusAgent-<version number>-Win32.msi NESSUS_GROUPS="Agent Group Name" NESSUS_SERVER="192.168.0.1:8834" NESSUS_KEY=00abcd00000efgh11111i0k222lmopq3333st4455u66v777777w88xy9999zabc00 /qn
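The Mac OS X and Linux nessuscli commands and the Windows msiexec tip above are the same operation with three different front ends. The script below is an added example, not code from the Nessus guide or from Tenable: it builds the right argv for the platform it runs on, reads the linking key from the NESSUS_AGENT_KEY environment variable so the key is not typed into a shell and left in its history, runs the link, and reports the Failed to link agent error the Linux section mentions. The manager host, port, group names and MSI file name are placeholders; the nessuscli and MSI paths are the ones the guide shows; comma separation of multiple group names is my assumption. The key still appears in the process's argument list while the command runs, which is why this belongs on a freshly built host rather than a shared one.

```python
"""Added example: link a Nessus Agent from a script on Mac OS X, Linux or
Windows.  Not part of the Nessus guide; host, port, groups and MSI name are
placeholders.
"""
import os
import platform
import subprocess

# nessuscli locations as shown in the guide's Mac OS X and Linux sections.
NESSUSCLI = {
    "Darwin": "/Library/NessusAgent/run/sbin/nessuscli",
    "Linux": "/opt/nessus_agent/sbin/nessuscli",
}


def link_command(host, port, key, name=None, groups=(), msi=None, system=None):
    """Return the argv that links the agent on `system` (default: this host).

    On Windows the MSI itself performs the link through the NESSUS_SERVER,
    NESSUS_KEY and NESSUS_GROUPS properties from the guide's msiexec tip, so
    `msi` (path to NessusAgent-<version number>-Win32.msi) is required there.
    """
    system = system or platform.system()
    if system == "Windows":
        if not msi:
            raise ValueError("Windows linking needs the path to the agent MSI")
        argv = ["msiexec", "/i", msi, f"NESSUS_SERVER={host}:{port}", f"NESSUS_KEY={key}"]
        if groups:
            argv.append("NESSUS_GROUPS=" + ",".join(groups))  # assumed separator
        argv.append("/qn")
        return argv
    try:
        cli = NESSUSCLI[system]
    except KeyError:
        raise ValueError(f"unsupported platform: {system}") from None
    argv = [cli, "agent", "link", f"--key={key}", f"--host={host}", f"--port={port}"]
    if name:
        argv.append(f"--name={name}")
    if groups:
        argv.append("--groups=" + ",".join(groups))  # assumed separator
    return argv


def link_agent(host, port, name=None, groups=(), msi=None):
    """Run the link for this host.  Returns (ok, combined stdout+stderr)."""
    key = os.environ.get("NESSUS_AGENT_KEY")
    if not key:
        raise RuntimeError("set NESSUS_AGENT_KEY to the key from Scanners / Agents / Linked")
    argv = link_command(host, port, key, name, groups, msi)
    proc = subprocess.run(argv, capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    # nessuscli reports bad values as "Failed to link agent"; msiexec only
    # signals through its exit code (0 on success).
    ok = proc.returncode == 0 and "Failed to link agent" not in output
    return ok, output


if __name__ == "__main__":
    ok, output = link_agent("nessus-manager.example.org", 8834,
                            name=platform.node(), groups=["All"])
    print("linked" if ok else "link failed")
    print(output)
```

A link that succeeds still returns no results until the agent has pulled its plugins from the manager, so check the Scanners / Agents / Linked page a few minutes later rather than immediately.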

This completes the process of installing a Nessus Agent on the Windows operating system.


Upgrade Nessus and Nessus Agents

This section includes information for upgrading Nessus and Nessus Agents on all supported operating systems.

- Nessus Upgrade
- Upgrade from Evaluation
- Mac Upgrade
- Linux Upgrade
- Windows Upgrade
- Nessus Agents: Upgrade


Nessus Upgrade

This section includes information for upgrading Nessus Manager and Nessus Professional.

- Upgrade from Evaluation
- Mac Upgrade
- Linux Upgrade
- Windows Upgrade


Upgrade from Evaluation

If you used an evaluation version of Nessus and are now upgrading to a full-licensed version of Nessus, you simply need to add your full-version Activation Code on the Settings page of the Nessus UI.

Use a New Activation Code

1. Click the pencil icon next to the Activation Code.

2. Select the Registration type.

3. Enter the new Activation Code.

4. Click Save.

Nessus will download and install the Nessus engine and the latest Nessus plugins.

Once the download process is complete, Nessus will restart, and then prompt you to log in to Nessus again.


Mac Upgrade

The process of upgrading Nessus on a Mac is the same process as a new Mac install.


Linux Upgrade

Download Nessus Manager

From the Tenable Support Portal, download the latest, full-license version of Nessus Manager.

Use Commands to Upgrade Nessus

From a command prompt, run the Nessus upgrade command.

Example Nessus Upgrade Commands

Red Hat, CentOS, and Oracle Linux

# rpm -Uvh Nessus-<version number>-es6.i386.rpm

SUSE version 11

# rpm -Uvh Nessus-<version number>-suse11.i586.rpm

Fedora version 20

# rpm -Uvh Nessus-<version number>-fc20.x86_64.rpm

Ubuntu version 9.10

# dpkg -i Nessus-<version number>-ubuntu910_i386.deb

Start the Nessus Daemon

From a command prompt, start the nessusd daemon.

Examples: Nessus Daemon Start Commands

Red Hat, CentOS, Oracle Linux, Fedora, SUSE, FreeBSD

# service nessusd start

Debian/Kali and Ubuntu

# /etc/init.d/nessusd start

This completes the process of upgrading Nessus on a Linux operating system.


Windows Upgrade

Download Nessus Manager

From the Tenable Support Portal, download the latest, full-license version of Nessus Manager. The download package is specific to the Nessus build version, your platform, your platform version, and your CPU.

Example Nessus Installer Files

Nessus-<version number>-Win32.msi

Nessus-<version number>-x64.msi

Start Nessus Installation

1. Navigate to the folder where you downloaded the Nessus installer.

2. Next, double-click on the file name to start the installation process.

Complete the Windows InstallShield Wizard

1. At the Welcome to the InstallShield Wizard for Tenable Nessus screen, click Next.

2. On the License Agreement screen, read the terms of the Tenable Network Security, Inc. Nessus Software License and Subscription Agreement.

3. Click the I accept the terms of the license agreement radio button, and then click the Next button.

4. On the Destination Folder screen, click the Next button to accept the default installation folder. Otherwise, click the Change button to install Nessus to a different folder.

5. On the Ready to Install the Program screen, click the Install button.

The Installing Tenable Nessus screen will be displayed and a Status indication bar will illustrate the upgrade progress.

On the Tenable Nessus InstallShield Wizard Completed screen, click the Finish button.

After the InstallShield Wizard completes, the Welcome to Nessus page will load in your default browser; you can now log in to Nessus.

This completes the Nessus upgrade process on a Windows operating system.


Nessus Agents: Upgrade

Once installed, Nessus Agents are automatically updated by Nessus Manager or Nessus Cloud; there is no action required.


Installation - Web Browser Portion

Begin Browser Portion of the Nessus Setup

1. On the Welcome to Nessus page, click the link at the end of the Please connect via SSL statement. You will be redirected and you will continue with the remaining installation steps.

Caution: When accessing Nessus via a web browser, you will encounter a message related to a security certificate issue: a connection privacy problem, an untrusted site, an unsecure connection, or a similar security related message. This is expected and normal behavior; Nessus is providing a self-signed SSL certificate.

Refer to the Security Warnings section for steps necessary to bypass the SSL warnings.

2. Accept, then Disable Privacy Settings.

3. On the Welcome to Nessus 6 page, click the Continue button.

Create Nessus System Administrator Account

1. On the Initial Account Setup page, in the Username field, type the username that will be used for this Nessus System Administrator's account.

Note: After setup, you can create additional Nessus System Administrator accounts.

2. Next, in the Password field, type the password that will be used for this Nessus System Administrator's account.

3. In the Confirm Password field, re-enter the Nessus System Administrator account's password.

4. Finally, click the Continue button.

Select Nessus Registration

• Nessus (Home, Professional, or Manager)
• Link to Nessus Manager
• Link to Tenable Cloud
• Managed by SecurityCenter
• Install Nessus while Offline


Nessus (Home, Professional, or Manager)

This option installs a stand-alone version of Nessus Home, Nessus Professional, or Nessus Manager. During installation, you will be prompted to enter your Nessus Activation Code; this Activation Code determines which product will be installed.

1. Select Nessus (Home, Professional, or Manager) from the Registration drop-down.

2. Enter your Activation Code. The Activation Code is the code you obtained from your license e-mail or from the Tenable Support Portal.

3. OPTIONAL: Click the Custom Settings link to manually configure Proxy and Plugin Feed settings.

Configuring Custom Settings allows you to override the default settings related to Nessus Plugins.

Note: You may configure Custom Host settings only, Plugin Feed settings only, or both Custom Host and Plugin Feed settings.

a. In the Host field, type the host name or IP address of your proxy server.

b. In the Port field, type the Port Number of the proxy server.

c. In the Username field, type the name of a user account that has permissions to access and use the proxy server.

d. In the Password field, type the password of the user account that you specified in the previous step.

e. In the Plugin Feed portion of the page, use the Custom Host field to enter the host name or IP address of a custom plugin feed.

f. Click Save to commit your Custom Settings.

g. Finally, click the Continue button.

4. Nessus will finish the installation process; this may take several minutes.

5. Using the System Administrator account you created, Sign In to Nessus.


Link to Nessus Manager

This option installs Nessus as a Remote (Secondary) Scanner, linked to a Nessus Manager install.

During installation, you will be prompted to enter the Nessus Manager Host, Nessus Manager Port, and Nessus Manager Linking Key.

Tip: In Nessus Manager, the Linking Key is displayed on the Scanners / Remote / Linked page.

1. Select Link to Nessus Manager from the Registration drop-down.

2. Next, enter the Nessus Manager Host, Manager Port (Nessus is installed on Port 8834 by default), and the Nessus Manager Linking Key.

3. OPTIONAL: Click the Custom Settings link to manually configure Proxy and Plugin Feed settings.

Configuring Custom Settings allows you to override the default settings related to Nessus Plugins.

Note: You may configure Custom Host settings only, Plugin Feed settings only, or both Custom Host and Plugin Feed settings.

a. In the Host field, type the host name or IP address of your proxy server.

b. In the Port field, type the Port Number of the proxy server.

c. In the Username field, type the name of a user account that has permissions to access and use the proxy server.

d. In the Password field, type the password of the user account that you specified in the previous step.

e. In the Plugin Feed portion of the page, use the Custom Host field to enter the host name or IP address of a custom plugin feed.

f. Click Save to commit your Custom Settings.

g. Finally, click the Continue button.

4. Nessus will finish the installation process; this may take several minutes.

5. Using the System Administrator account you created, Sign In to Nessus.


Link to Tenable Cloud

This option installs Nessus as a remote scanner, linked to Tenable Cloud.

During installation, you will be prompted to enter the Tenable Cloud Linking Key.

Tip: In Tenable Cloud, the Linking Key is displayed on the Scanners > Linked Scanners page.

1. Select Link to Tenable Cloud from the Registration drop-down.

2. Next, enter the Tenable Cloud Linking Key.

Nessus will finish the installation process; this may take several minutes.

3. Using the System Administrator account you created, Sign In to Nessus.


Note: Although you will not be prompted to enter this information, the Tenable Cloud settings are as follows:
Host: cloud.tenable.com
Port: 443


Managed by SecurityCenter

This option is used when installing Nessus that will be managed by SecurityCenter.


Install Nessus while Offline

A Nessus Offline registration is suitable for computers that will be running Nessus, but are not connected to the Internet. To ensure that Nessus has the most up-to-date plugins, Nessus servers not connected to the Internet must perform these specific steps to register Nessus.

This process requires the use of two computers: the computer where you are installing Nessus, which is not connected to the Internet, and another computer that is connected to the Internet.

For the instructions below, we'll use computers A (offline Nessus server) and B (online computer) as examples.

1. During the Installation - Web Browser Portion, select Offline from the Registration drop-down.

2. Once Offline is selected, the page displays a unique Challenge Code. In the example below, the challenge code is: aaaaaa11b2222cc33d44e5f6666a777b8cc99999. This challenge code is used in the next step.

3. (Optional) Configure your Nessus setup to use Custom Settings.

Generate the License


1. On a system with Internet access (B), navigate to the Nessus Offline Registration Page - http://plugins.nessus.org/v2/offline.php.

2. In the top field, type in the challenge code that was displayed on the Nessus Product Registration screen. Example Challenge Code: aaaaaa11b2222cc33d44e5f6666a777b8cc99999

3. Next, where prompted, enter your Nessus activation code. Example Activation Code: AB-CDE-1111-F222-3E4D-55E5-CD6F

4. Click Submit.

The Offline Update Page Details displays and includes the following elements:

• Custom URL: The custom URL displayed downloads a compressed plugins file. This file is used by Nessus to obtain plugin information. This URL is specific to your Nessus license and must be saved and used each time plugins need to be updated.
• License: The complete text-string starting with -----BEGIN TENABLE LICENSE----- and ending with -----END TENABLE LICENSE----- is your Nessus product license information. Tenable uses this text-string to confirm your product license and registration.
• nessus.license file: At the bottom of the webpage, there is an embedded file that includes the license text-string displayed.


Download and Copy Latest Plugins

1. While still using the computer with Internet access (B), click the on-screen, custom URL link.

The link will download a compressed TAR file.

Tip: This custom URL is specific to your Nessus license and must be saved and used each time plugins need to be updated.

2. Copy the compressed TAR file to the Nessus offline (A) system.

Use the directory specific to your operating system:

Platform   Directory
Linux      /opt/nessus/sbin/
FreeBSD    /usr/local/nessus/sbin/
Mac OS X   /Library/Nessus/run/sbin/
Windows    C:\Program Files\Tenable\Nessus

Copy and Paste License Text

1. While still using the computer with Internet access (B), copy the complete text-string starting with -----BEGIN TENABLE LICENSE----- and ending with -----END TENABLE LICENSE-----.

2. On the computer where you are installing Nessus (A), on the Nessus Product Registration screen, paste the complete text-string starting with -----BEGIN TENABLE LICENSE----- and ending with -----END TENABLE LICENSE-----.

3. Click Continue. Nessus will finish the installation process; this may take several minutes.

4. Using the System Administrator account you created during setup, Sign In to Nessus.


Register Nessus Offline

When your Nessus server is not connected to the Internet, you must perform certain operations offline. This may include installing Nessus offline, updating Nessus with a new license, or downloading and installing Nessus Plugins.

There are 3 distinct scenarios to consider when managing Nessus offline, and each of these scenarios requires the use of two computers: the Nessus server, which is not connected to the Internet, and another computer that is connected to the Internet.

Scenario 1: New Nessus Install

You are performing a new install of Nessus, but for security purposes, the server is not connected to the Internet. In this scenario, you will perform the complete steps to Install Nessus while Offline. During this process, Nessus Plugins are downloaded and installed on the offline Nessus server.

Scenario 2: Update Nessus Licensing

You have an existing Nessus server that is offline, your license changes, and you must update Nessus with the new license / activation code. In this case, you will perform the following operations:

1. Generate Challenge Code

2. Generate Your License

3. Download and Copy License File (nessus.license)

These instructions apply to Nessus 6.3 and newer and direct you to the following URL: https://plugins.nessus.org/v2/offline.php.

If you are using a version of Nessus 6.2 or earlier, you must use the information and instructions displayed on the following URL: https://plugins.nessus.org/offline.php.

4. Register Your License with Nessus

5. Download and Copy Plugins

6. Update Nessus Plugins using <tar.gz filename>


Scenario 3: Update Nessus Plugins

You have an existing Nessus server that is offline and you need to update Nessus Plugins. In this scenario, you have already completed the steps to Install Nessus while Offline but you need to install the latest plugins.

In this case, you will perform the following operations:

1. Use the Custom URL that you saved and copied during your first offline Download and Copy Plugins operation.

2. Download and Copy Plugins

3. Update Nessus Plugins using <tar.gz filename>

Nessus Offline Operations

For explanation purposes, we'll use computers A (offline Nessus server) and B (online computer) to demonstrate the operations performed when managing Nessus offline.

Operation                                        Computer A (Offline Nessus)   Computer B (Online Computer)
Generate Challenge Code                          X
Generate Your License                                                          X
Download and Copy License File (nessus.license)                                X
Download and Copy Plugins                                                      X
Register Your License with Nessus                X
Install Plugins Manually                         X


Generate Challenge Code

Before performing offline update operations, you may need to generate a unique identifier on the Nessus server. This identifier is called a challenge code.

Whereas an Activation Code is used when performing Nessus operations when connected to the Internet, a license is used when performing offline operations; the generated Challenge Code enables you to view and use your license for offline operations.

Steps

1. On the offline system running Nessus (A), open a command prompt.

2. Use the nessuscli fetch --challenge command specific to your operating system.

Platform   Command
Linux      # /opt/nessus/sbin/nessuscli fetch --challenge
FreeBSD    # /usr/local/nessus/sbin/nessuscli fetch --challenge
Mac OS X   # /Library/Nessus/run/sbin/nessuscli fetch --challenge
Windows    C:\Program Files\Tenable\Nessus>nessuscli.exe fetch --challenge

3. Copy the alphanumeric challenge code. Example Challenge Code: aaaaaa11b2222cc33d44e5f6666a777b8cc99999

4. Use the copied challenge code to Generate Your License.


Generate Your License

By default, when Nessus is installed, your license is hidden and is automatically registered. This license is not viewable.

However, in the event that your Nessus Server is not connected to the Internet (Offline), a license must be generated. This license is unique to your Nessus product and cannot be shared.

Your license is a text-based file that contains a string of alphanumeric characters. The license is created and based on your unique generated challenge code.

1. On a system with Internet access (B), navigate to the Nessus Offline Registration Page - http://plugins.nessus.org/v2/offline.php.

2. Where prompted, type in your challenge code. Example Challenge Code: aaaaaa11b2222cc33d44e5f6666a777b8cc99999

3. Next, where prompted, enter your Nessus activation code. Example Activation Code: AB-CDE-1111-F222-3E4D-55E5-CD6F

4. Click Submit. At the bottom of the resulting webpage, there is an embedded nessus.license file that includes the license text-string displayed.

5. Next, Download and Copy License File (nessus.license).


Download and Copy License File (nessus.license)

After you have generated your Nessus license, you now need to download and then copy the license to the offline system (A) running Nessus.

Note: These instructions apply to Nessus 6.3 and newer and direct you to the following URL: https://plugins.nessus.org/v2/offline.php.

If you are using a version of Nessus 6.2 or earlier, you must use the information and instructions displayed on the following URL: https://plugins.nessus.org/offline.php.

1. While still using the computer with Internet access (B), click the on-screen nessus.license link.

The link will download the nessus.license file.

2. Copy the nessus.license file to the offline system (A) running Nessus 6.3 and newer.

Use the directory specific to your operating system:

Platform   Directory
Linux      /opt/nessus/etc/nessus/
FreeBSD    /usr/local/nessus/etc/nessus
Mac OS X   /Library/Nessus/run/etc/nessus
Windows    C:\ProgramData\Tenable\Nessus\conf

3. Next, register your license with Nessus.


Register Your License with Nessus

In the event that you receive a new license and Activation Code, the license must be re-registered with Nessus.

When your Nessus server is offline, you must generate a license, download the license, and then register your license with Nessus.

Once downloaded and copied to your offline Nessus server, use the nessuscli fetch --register-offline command that corresponds to your operating system.

1. On the offline system running Nessus (A), open a command prompt.

2. Use the nessuscli fetch --register-offline command specific to your operating system.

Platform   Command
Linux      # /opt/nessus/sbin/nessuscli fetch --register-offline /opt/nessus/etc/nessus/nessus.license
FreeBSD    # /usr/local/nessus/sbin/nessuscli fetch --register-offline /usr/local/nessus/etc/nessus/nessus.license
Mac OS X   # /Library/Nessus/run/sbin/nessuscli fetch --register-offline /Library/Nessus/run/etc/nessus/nessus.license
Windows    C:\ProgramData\Tenable\Nessus>nessuscli.exe fetch --register-offline "C:\ProgramData\Tenable\Nessus\conf\nessus.license"


Download and Copy Plugins

After submitting the required information on the Offline Update Page Details, you will download the Nessus Plugins compressed TAR file.

Download Plugins

1. Using the computer with Internet access (B), copy and save the on-screen custom URL link.

Note: This custom URL is specific to your Nessus license and must be used each time plugins need to be downloaded and updated again.

2. Next, click the on-screen, custom URL link. The link will download the compressed TAR file.

Copy Plugins to Nessus

3. Copy the compressed TAR file to the offline (A) system. Use the directory specific to your operating system:

Platform   Directory
Linux      /opt/nessus/sbin/
FreeBSD    /usr/local/nessus/sbin/
Mac OS X   /Library/Nessus/run/sbin/
Windows    C:\Program Files\Tenable\Nessus

4. Next, on the offline (A) system running Nessus, Install Plugins Manually.


Install Plugins Manually

If you used the steps to Download and Copy Plugins offline, your next step is to update Nessus Plugins using the compressed TAR file.

Once you have copied the plugins file, there are two ways to update Nessus using the compressed TAR file.

1. Use the Manual Software Update feature in the Nessus user interface.

2. Use the command line interface and the nessuscli update command.

Option 1: Manual Software Update via the UI

1. On the offline system running Nessus (A), click the button.

2. From the side-bar menu, click Software Update.

3. Next, click the Manual Software Update button.

4. On the Manual Software Update dialog box, select Upload your own plugin archive, and then click Continue.

5. Navigate to the directory where you downloaded the compressed TAR file.

6. Select the compressed TAR file and then click Open. Nessus updates with the uploaded plugins.

Option 2: Update via the Command Line

1. On the offline system running Nessus (A), open a command prompt.

2. Use the nessuscli update <tar.gz filename> command specific to your operating system.

Platform   Command
Linux      # /opt/nessus/sbin/nessuscli update <tar.gz filename>
FreeBSD    # /usr/local/nessus/sbin/nessuscli update <tar.gz filename>
Mac OS X   # /Library/Nessus/run/sbin/nessuscli update <tar.gz filename>
Windows    C:\Program Files\Tenable\Nessus>nessuscli.exe update <tar.gz filename>
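The computer-A side of the offline workflow in one script, added here as an example that is not part of this guide or of Tenable's tooling. It covers the Generate Challenge Code, Register Your License with Nessus and Install Plugins Manually (command-line) steps above, and before nessuscli touches either file carried over from computer B it checks that the license file is the complete -----BEGIN TENABLE LICENSE----- / -----END TENABLE LICENSE----- block the guide describes and that the plugins file is a readable compressed TAR file; an optional SHA-256 argument, assumed to have been noted on computer B when the file was downloaded, is compared as well. Paths default to the Linux locations from the tables above; NESSUSCLI and LICENSE_DIR are this example's own environment overrides for the FreeBSD and Mac OS X paths, and the function names are its assumptions.

```shell
#!/bin/sh
# Added example, not part of the Nessus guide: the computer-A (offline) side of
# the offline workflow. Files produced on computer B (nessus.license and the
# plugins tar.gz from the custom URL) are checked before they reach nessuscli,
# and an optional SHA-256 recorded on B is compared, so a truncated or swapped
# file is caught before it is registered or installed.
# Assumed: a Linux install under /opt/nessus; override NESSUSCLI and
# LICENSE_DIR with the FreeBSD or Mac OS X paths from the guide's tables.
set -eu

NESSUSCLI=${NESSUSCLI:-/opt/nessus/sbin/nessuscli}
LICENSE_DIR=${LICENSE_DIR:-/opt/nessus/etc/nessus}
BEGIN_MARK='-----BEGIN TENABLE LICENSE-----'
END_MARK='-----END TENABLE LICENSE-----'

# SHA-256 of a file, with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Compare a file with the digest noted on computer B (case-insensitive).
verify_checksum() {
    [ "$(sha256_of "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# A usable nessus.license is the complete block the guide describes: it starts
# with the BEGIN marker, ends with the END marker, carries exactly one of each,
# and has license text between them. CRLF endings from a Windows download and
# blank lines around the block are tolerated.
validate_license_file() {
    [ -s "$1" ] || return 1
    body=$(tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' || true)
    [ "$(printf '%s\n' "$body" | head -n 1)" = "$BEGIN_MARK" ] || return 1
    [ "$(printf '%s\n' "$body" | tail -n 1)" = "$END_MARK" ] || return 1
    [ "$(printf '%s\n' "$body" | grep -c -x -F -- "$BEGIN_MARK")" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$body" | grep -c -x -F -- "$END_MARK")" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$body" | wc -l | tr -d ' ')" -ge 3 ]
}

# The plugin feed arrives as a compressed TAR file; confirm it is one that can
# actually be read before nessuscli update is pointed at it.
validate_plugin_archive() {
    [ -s "$1" ] || return 1
    case "$1" in *.tar.gz|*.tgz) ;; *) return 1 ;; esac
    tar -tzf "$1" >/dev/null 2>&1
}

# "Generate Challenge Code": print the code to carry over to computer B.
generate_challenge() { "$NESSUSCLI" fetch --challenge; }

# "Register Your License with Nessus": check, copy into place, register.
register_offline() {
    lic=$1; expected=${2:-}
    validate_license_file "$lic" || { echo "refusing $lic: not a complete TENABLE LICENSE block" >&2; return 1; }
    if [ -n "$expected" ]; then
        verify_checksum "$lic" "$expected" || { echo "refusing $lic: SHA-256 differs from the value recorded on computer B" >&2; return 1; }
    fi
    cp "$lic" "$LICENSE_DIR/nessus.license"
    "$NESSUSCLI" fetch --register-offline "$LICENSE_DIR/nessus.license"
}

# "Install Plugins Manually", option 2: check, then nessuscli update.
install_plugins() {
    archive=$1; expected=${2:-}
    validate_plugin_archive "$archive" || { echo "refusing $archive: not a readable compressed TAR file" >&2; return 1; }
    if [ -n "$expected" ]; then
        verify_checksum "$archive" "$expected" || { echo "refusing $archive: SHA-256 differs from the value recorded on computer B" >&2; return 1; }
    fi
    "$NESSUSCLI" update "$archive"
}

# Dispatch on the first argument; with no recognised action the functions are
# only defined (handy when the file is sourced).
case "${1:-}" in
    challenge) generate_challenge ;;
    register)  register_offline "${2:?nessus.license path required}" "${3:-}" ;;
    plugins)   install_plugins "${2:?plugins tar.gz path required}" "${3:-}" ;;
    *)         ;;
esac
```

Invoke it as `challenge`, `register <nessus.license> [sha256]` or `plugins <plugins.tar.gz> [sha256]`. Writing down the digest on computer B (for instance with `sha256sum`) and re-checking it on computer A is what turns the manual copy across the air gap into a verifiable one; the marker check additionally catches the common mistake of pasting or saving only part of the license block.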


Remove Nessus and Nessus Agents

This section includes information for removing Nessus and Nessus Agents.

• Nessus Removal
  • Uninstall Nessus on Mac OS X
  • Uninstall Nessus on Linux
  • Uninstall Nessus on Windows
• Nessus Agent Removal
  • Uninstall a Nessus Agent on Mac OS X
  • Uninstall a Nessus Agent on Linux
  • Uninstall a Nessus Agent on Windows


Nessus Removal

This section includes information for uninstalling and removing Nessus.

• Uninstall Nessus on Mac OS X
• Uninstall Nessus on Linux
• Uninstall Nessus on Windows


Uninstall Nessus on Mac OS X

Stop Nessus

1. In System Preferences, click the Nessus icon.

2. On the Nessus.Preferences screen, click the lock to make changes.

3. Next, enter your username and password.

4. Click the Stop Nessus button.

The Status becomes red and displays Stopped.

5. Finally, exit the Nessus.Preferences screen.

Remove the following Nessus directories, subdirectories, or files

/Library/Nessus
/Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
/Library/PreferencePanes/Nessus Preferences.prefPane
/Applications/Nessus

Disable the Nessus service

1. To prevent Mac OS X from trying to start the now non-existent service, type the following command from a command prompt.

$ sudo launchctl remove com.tenablesecurity.nessusd

2. If prompted, provide the administrator password.


Uninstall Nessus on Linux

OPTIONAL: Export your Scans and Policies

1. Go to the folder(s) where your Scans are stored.

2. Double-click on the Scan to view its Dashboard.

3. In the upper right corner, select the Export button, and then choose the Nessus .db file option.

Stop Nessus Processes

1. From within Nessus, verify any running scans have completed.

2. From a command prompt, stop the nessusd daemon.

Examples: Nessus Daemon Stop Commands

Red Hat, CentOS and Oracle Linux

# /sbin/service nessusd stop

SUSE

# /etc/rc.d/nessusd stop

FreeBSD

# service nessusd stop

Debian/Kali and Ubuntu

# /etc/init.d/nessusd stop

Determine Nessus Package Name

From a command prompt, determine your package name.

Examples: Nessus Package Name Determination

Red Hat, CentOS, Oracle Linux, Fedora, SUSE, FreeBSD

# rpm -qa | grep Nessus


Debian/Kali and Ubuntu

# dpkg -l | grep Nessus

FreeBSD

# pkg_info | grep Nessus

Remove Nessus

1. Using the package name identified, use the remove command specific to your Linux-style operating system.

Examples: Nessus Remove Commands

Red Hat, CentOS, Oracle Linux, Fedora, SUSE

# rpm -e <Package Name>

Debian/Kali and Ubuntu

# dpkg -r <package name>

FreeBSD

# pkg delete <package name>

2. Using the command specific to your Linux-style operating system, remove remaining files that were not part of the original installation.

Examples: Nessus Remove Command

Linux

# rm -rf /opt/nessus

FreeBSD

# rm -rf /usr/local/nessus/bin

This completes the process of uninstalling Nessus on Linux operating systems.


Uninstall Nessus on Windows

Use Windows to Uninstall Nessus

1. Navigate to the portion of Windows that allows you to Add or Remove Programs or Uninstall or change a program.

2. From the list of installed programs, select the Tenable Nessus product.

3. Next, click the Uninstall option.

4. Click Yes to continue, otherwise click No.

Next, Windows will remove all Nessus related files and folders.

This completes the process of uninstalling Nessus Professional or Nessus Manager on the Windows operating system.


Nessus Agent Removal

Regardless of your operating system, you can remove linked Nessus Agents from within the Nessus UI.

However, this will not remove Nessus Agent files and folders on the computer where the Agent was installed.

• Uninstall a Nessus Agent on Mac OS X

• Uninstall a Nessus Agent on Linux

• Uninstall a Nessus Agent on Windows

Remove Linked Agents

1. In Nessus, click the settings button.

2. Navigate to the Scanners / Agents / Linked page.

3. Click the X button next to the agent that you would like to delete.

4. On the Remove Agent screen, click the Remove button, otherwise, click Cancel.

Tip: To remove (delete) multiple agents at once, use the check boxes, and then click the REMOVE button.

If you are using a Mac or Linux operating system, you can also unlink your agent from the command line.

After unlinking your agent from the command line, the agent will automatically be removed from the Scanners / Agents / Linked page in Nessus.


Uninstall a Nessus Agent on Mac OS X

Unlink Agent

1. From a command prompt, type the following command.

# /Library/NessusAgent/run/sbin/nessuscli agent unlink

2. If prompted, provide the administrator password.

Remove Nessus directories, sub-directories, and files

1. Using Finder, locate and delete the following items.

/Library/Nessus Agent
/Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
/Library/PreferencePanes/Nessus Agent Preferences.prefPane
/Applications/Nessus Agent

2. (Optional) To permanently delete these files and folders, empty the Mac’s Trash.

Disable the Nessus Agent service

1. From a command prompt, type the following command.

$ sudo launchctl remove com.tenablesecurity.nessusagent

2. If prompted, provide the administrator password.

Note: This final step prevents Mac OS X from trying to start the now non-existent service.

This completes the process of uninstalling a Nessus Agent on the Mac OS X operating system.


Uninstall a Nessus Agent on Linux

OPTIONAL: Unlink Nessus Agent

1. From the command line, type the following command.

nessuscli agent unlink

2. If prompted, provide the administrator password.

Remove Nessus Agent

1. From a command prompt, determine your package name.

Examples: Nessus Package Name Determination

Red Hat, CentOS, Oracle Linux, Fedora, SUSE, FreeBSD

# rpm -qa | grep NessusAgent

Debian/Kali and Ubuntu

# dpkg -l | grep NessusAgent

FreeBSD

# pkg_info | grep NessusAgent

2. Using the package name identified, type the remove command specific to your Linux-style operating system.

Examples: Nessus Agent Remove Commands

Red Hat, CentOS, Oracle Linux, Fedora, SUSE

# rpm -e <Agent Package Name>

Debian/Kali and Ubuntu

# dpkg -r <Agent Package Name>

FreeBSD

# pkg delete <Agent Package Name>

This completes the process of removing the Nessus Agent on Linux operating systems.


Uninstall a Nessus Agent on Windows

Remove Tenable Nessus Agent Product

1. Navigate to the portion of Windows that allows you to Add or Remove Programs or Uninstall or change a program.

2. From the list of installed programs, select your Tenable Nessus product.

3. Next, click the Uninstall option.

At the start of the uninstall process, a warning message is displayed.

4. Click Yes to continue, otherwise click No.

Next, Windows will remove all related Nessus files and folders.

This completes the process of uninstalling the Nessus Agent on the Windows operating system.


Nessus Features

This section describes the following features in the Nessus web interface:

• Navigating Nessus

• Scans

• Policies

• User Profile

• Settings

• Templates


Navigating Nessus

The Nessus top navigation menu provides you with links to common Nessus actions.

Nessus logo: When clicked, the Nessus logo links to the homepage. The homepage will always be your Scans / My Scans page.

Scans: The Scans item directs you to your Scans / My Scans page, which lists scans you have created.

Policies: The Policies item directs you to your Policies / All Policies page, which lists policies you have created.

User name: The logged-in user’s name is displayed. When clicked, the down arrow displays links to the User Profile, Help & Support (the Tenable Support Portal), What’s New features, and allows you to Sign Out.

Settings button: The button links you to the Nessus Settings pages: Scanners, Accounts, Communication, and Advanced. Visibility of and access to general settings and options are determined based on the User Type assigned to the logged-in user’s Nessus Account.

Notifications button: When clicked, the button displays messages related to Nessus operations.


Scans Page

The default Nessus landing page is the My Scans section of the Scans page.

When logging into Nessus for the first time, the Scans / My Scans page will be empty and will remain empty until a New Scan is created.

All Scans displays all Scans within all folders.

This page displays the following elements:

• New Scan button

• Scan Folders

• Scan Trash

• All Scans Link

• Scan Names

• Scan Schedules

• Last Modified Dates

• Scan Status

• Scan Controls


Scan Folders

• Upon install, the Nessus interface displays 3 scan system folders, which cannot be deleted: My Scans, Trash, and All Scans.

• Scan / All Scans displays all scans in all folders.

• When a scan is created, the default folder selected is My Scans.

• During the creation of a scan, only existing folders can be selected; scan folders cannot be created during a scan.

• From the left navigation, hovering over a scan folder’s name allows you to Rename or Delete it.

• Deleting a scan folder with scans in it moves the scans to the Trash folder.

• Scans in the Trash folder no longer run; however, the scan has not been deleted.

• From the Trash folder, scans can be deleted, moved to another folder, or moved to a New Folder.

• Scans stored in the Trash folder will be automatically deleted after 30 days.

After a scan is created, and based on permissions, when a scan is selected from the Scans page, the More button will appear and the following additional options for the selected scan become available:

• Configure

• Copy to

• Launch

• Mark Unread

• Move to


Scan Statuses

Completed: This scan has finished running and is now complete.

Aborted: This scan has been aborted. This status indicates the Nessus service was stopped during a scan.

Imported: This scan has been imported; it was not run using this scanner.

Pending: This is a scheduled scan or a scan that has been created but has not run yet.

Running: This scan is currently running and has not yet completed.

Resuming: This scan is resuming from a stopped state.

Canceling: This scan is in the process of being canceled.

Canceled: This scan has been canceled.

Pausing: This scan is in the process of being paused.

Paused: This scan has been paused.

Stopping: This scan is in the process of being stopped.

Stopped: This scan is in a stopped state.


Policies Page

The Policies page displays your created policies. Policies can include:

• Parameters that control technical aspects of the scan such as timeouts, number of hosts, type of port scanner, and more.

• Credentials for local scans (e.g., Windows, SSH), authenticated Oracle database scans, HTTP, FTP, POP, IMAP, or Kerberos based authentication.

• Granular family or plugin-based scan specifications.

• Database compliance policy checks, report verbosity, service detection scan settings, Linux compliance checks, and more.

• Offline configuration audits for network devices, allowing safe checking of network devices without needing to scan the device directly.

• Windows malware scans which compare the MD5 checksums of files, both known good and malicious files.

When creating a Policy, in the Policy Library, Nessus organizes policies into three categories: Scanner Templates, Agent Templates, and User-created policies.


User Profile

The User Profile page includes the following sections:

Account Settings

The Account Settings section displays settings for the current authenticated user. Usernames cannot be changed. Based on your Nessus product, the following information appears in this section:

Nessus Cloud: Username (email address), Full Name, Email, User Type

Nessus Manager: Username, Full Name, Email, User Type

Nessus Professional: Username, User Type

Change Password

The Change Password section allows you to change your password. Users with administrative privileges can change other user passwords.

To change another user’s password, log in to Nessus as a user with administrative privileges, click the settings button, and then navigate to the Users section of the Accounts page.

Plugin Rules

Plugin Rules allow you to hide or change the severity of any given plugin. In addition, rules can be limited to a specific host or specific time frame. From this page you can view, create, edit, and delete your rules.


The Plugin Rules section provides a facility to create a set of rules that dictate the behavior of certain plugins related to any scan performed. A rule can be based on the Host (or all hosts), Plugin ID, an optional Expiration Date, and manipulation of Severity.

This allows you to reprioritize the severity of plugin results to better account for your organization’s security posture and response plan.
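To reason about what a rule set will do to a report before the rules are created in the UI, here is an added example (not code from this guide or from Tenable) that models the rule semantics just described: a rule keyed on Plugin ID, bound to one host or to all hosts, with an optional expiration date, that either hides the result or rewrites its severity. The severity labels, the precedence of host-specific rules over all-hosts rules, and the sample findings are assumptions of the example.

```python
"""Model of Nessus Plugin Rules applied to a set of scan findings.

Added example, not code from the Nessus User Guide or from Tenable. It
models the rule semantics the guide describes (Plugin ID, one host or all
hosts, optional expiration date, hide or change severity).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Severity labels and their ordering are an assumption of this example.
SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]
HIDE = "Hide"


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: int
    severity: str
    plugin_name: str = ""


@dataclass(frozen=True)
class PluginRule:
    plugin_id: int
    action: str                      # one of SEVERITIES, or HIDE
    host: Optional[str] = None       # None means "all hosts"
    expires: Optional[date] = None   # None means the rule never expires

    def __post_init__(self):
        if self.action != HIDE and self.action not in SEVERITIES:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, finding: Finding, today: date) -> bool:
        """Plugin must match, host must match (or the rule is for all
        hosts), and the rule must not be past its expiration date."""
        if self.plugin_id != finding.plugin_id:
            return False
        if self.host is not None and self.host != finding.host:
            return False
        if self.expires is not None and today > self.expires:
            return False
        return True


def apply_rules(findings: List[Finding], rules: List[PluginRule],
                today: date) -> List[Finding]:
    """Return the findings as they would be reported after the rules run.

    A host-specific rule wins over an all-hosts rule for the same plugin
    (an assumption of this model; the guide states no precedence).
    HIDE drops the finding; a severity action rewrites its severity.
    """
    result = []
    for f in findings:
        applicable = [r for r in rules if r.matches(f, today)]
        applicable.sort(key=lambda r: r.host is None)  # host-bound first
        if not applicable:
            result.append(f)
            continue
        rule = applicable[0]
        if rule.action == HIDE:
            continue
        result.append(Finding(f.host, f.plugin_id, rule.action, f.plugin_name))
    return result


# Constructed sample data: hosts and plugin IDs are illustrative only.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", 11111, "High", "Example finding A"),
    Finding("10.0.0.6", 11111, "High", "Example finding A"),
    Finding("10.0.0.5", 22222, "Medium", "Example finding B"),
    Finding("10.0.0.7", 33333, "Low", "Example finding C"),
]

SAMPLE_RULES = [
    # Risk accepted on one host only; the rule lapses so it gets reviewed.
    PluginRule(11111, "Low", host="10.0.0.5", expires=date(2016, 12, 31)),
    # Compensating control everywhere: downgrade, do not hide.
    PluginRule(22222, "Info"),
    # Informational noise hidden on all hosts, with no expiry.
    PluginRule(33333, HIDE),
]


def demo(today_iso: str = "2016-09-01") -> Dict[Tuple[str, int], str]:
    """Apply the sample rules as of an ISO date; map (host, plugin_id)
    to the severity of every finding that remains visible."""
    today = date.fromisoformat(today_iso)
    return {(f.host, f.plugin_id): f.severity
            for f in apply_rules(SAMPLE_FINDINGS, SAMPLE_RULES, today)}


def expired_rule_ids(today_iso: str) -> List[int]:
    """Plugin IDs of sample rules past their expiration date; these no
    longer affect any report and should be reviewed or deleted."""
    today = date.fromisoformat(today_iso)
    return [r.plugin_id for r in SAMPLE_RULES
            if r.expires is not None and today > r.expires]
```

Running `demo()` before the expiry date shows the accepted-risk finding downgraded on one host only; running it with a later date shows it back at High and `expired_rule_ids` naming the lapsed rule.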

API Keys

API Keys consist of an Access Key and a Secret Key, and are used to authenticate with the Nessus REST API (version 6.4 or greater) and passed with requests using the "X-ApiKeys" HTTP header.

Click the Generate button to create an Access Key and a Secret Key.

Note:

• API Keys are only presented upon initial generation. Please store API Keys in a safe location, as they cannot be retrieved later.

• API Keys cannot be retrieved by Nessus. If lost, an API Key must be regenerated.

• Regenerating an API Key will immediately deauthorize any applications currently using the key.
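As an added example (not code from this guide or from Tenable), the following builds an authenticated REST API request using the X-ApiKeys header described above, reads the keys from the environment instead of embedding them in a script, refuses to send them over plain HTTP, and masks them for logging. The header value format "accessKey=...; secretKey=..." and the /scans endpoint come from the Nessus API documentation and are assumptions here, as are the environment variable names and the example hostname.

```python
"""Authenticating to the Nessus REST API with API Keys.

Added example, not code from the Nessus User Guide or from Tenable. The
guide states that the Access Key and Secret Key are sent in the
"X-ApiKeys" HTTP header; the value format "accessKey=<a>; secretKey=<s>"
and the /scans endpoint are taken from the Nessus API documentation and
are assumptions of this example. Nothing here sends a request.
"""
import os
from typing import Dict, Mapping, Tuple
from urllib.parse import urlsplit

# Environment variable names chosen for this example.
ACCESS_KEY_ENV = "NESSUS_ACCESS_KEY"
SECRET_KEY_ENV = "NESSUS_SECRET_KEY"


def api_keys_header(access_key: str, secret_key: str) -> Dict[str, str]:
    """Build the X-ApiKeys header from the two keys."""
    if not access_key or not secret_key:
        raise ValueError("both the access key and the secret key are required")
    for key in (access_key, secret_key):
        # Separators and line breaks would corrupt the header, or allow
        # header injection if a key value ever came from an untrusted place.
        if any(c in key for c in ";=\r\n "):
            raise ValueError("key contains characters not allowed in X-ApiKeys")
    return {"X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}"}


def load_keys_from_env(environ: Mapping[str, str] = os.environ) -> Tuple[str, str]:
    """Read the key pair from the environment rather than from source code.

    The guide notes that keys are shown only once and cannot be retrieved
    later, so they belong in a secret store or the environment, not in a
    script checked into version control.
    """
    missing = [n for n in (ACCESS_KEY_ENV, SECRET_KEY_ENV) if n not in environ]
    if missing:
        raise RuntimeError(f"missing environment variable(s): {', '.join(missing)}")
    return environ[ACCESS_KEY_ENV], environ[SECRET_KEY_ENV]


def build_request(base_url: str, path: str, access_key: str,
                  secret_key: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for an authenticated GET; nothing is sent.

    Refuses a plain http:// base URL so the secret key never travels
    unencrypted; Nessus serves its API over HTTPS (port 8834 by default).
    """
    if urlsplit(base_url).scheme != "https":
        raise ValueError("API keys must only be sent over https")
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    headers = api_keys_header(access_key, secret_key)
    headers["Accept"] = "application/json"
    return url, headers


def redact(header_value: str) -> str:
    """Mask key material so the header can be logged for troubleshooting."""
    parts = []
    for part in header_value.split("; "):
        name, _, value = part.partition("=")
        shown = value[:4] if len(value) > 4 else ""
        parts.append(f"{name}={shown}{'*' * max(len(value) - len(shown), 4)}")
    return "; ".join(parts)


def list_scans_request(base_url: str, environ: Mapping[str, str] = os.environ):
    """The GET /scans request for a scanner, with keys taken from the environment."""
    access_key, secret_key = load_keys_from_env(environ)
    return build_request(base_url, "/scans", access_key, secret_key)
```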


System Settings

The Settings page contains the following sections:

• Scanners / Local / Overview (Manager)

• Scanners

• User and Group Accounts

• Communication

• Advanced Settings


Scanners / Local / Overview (Manager)

The Nessus Manager Overview page displays the Overview for your Local Nessus Scanner and its Nessus Plugins:

• Your Nessus product name and version

• Your number of licensed hosts

• Your number of licensed Scanners

• Your number of licensed Agents

• Your Plugin last update

• Your Plugin expiration date

• The Plugin set identifier

• Your Nessus Activation Code

From the Overview Page, you can:

• Update Nessus Version

• Update Plugins

• Update Activation Code

If you are working with Nessus offline, see Register Nessus Offline.


Scanners

The Scanners section is displayed on the Settings page and presents a left navigation menu that includes links to settings specific to Scanners.

Based on product version, the Scanners page navigation includes Overview, Link (Nessus Professional only), Software Update, and in Nessus Manager, linked Remote and Agents scanners.

Scanners / Local / Overview

Purpose: The Scanners / Local / Overview page displays the Overview for your Local Nessus Scanner and its Nessus Plugins.

This Scanners / Local / Overview page is displayed in all versions of Nessus and is visible to all User Roles except Basic.

• Your Nessus product name and version

• Your number of licensed hosts

• Your number of licensed Scanners

• Your number of licensed Agents (Nessus Manager and Tenable Cloud only)

• Your Plugin last update

• Your Plugin expiration date

• The Plugin set identifier

• Your Nessus Activation Code

The button next to the Activation Code allows you to update your Activation Code as needed.

Setting: Local / Overview
    Description: The overview page gives detailed information about the product version and plugins.
    Product Version(s): Nessus Manager, Nessus Professional
    User Type(s): All user account roles except Basic

Setting: Permissions
    Description: Users or groups are added to the permission page for no access, the ability to use, or the ability to manage the scanner.
        • No Access: Any users or groups specified cannot view, use, or manage the scanners.
        • Can Use: Users or groups specified can view and use the scanner, but cannot make any changes.
        • Can Manage: Users or groups specified can make changes to the scanner's settings.
    Product Version(s): Nessus Manager, Nessus Professional
    User Type(s): System Administrator

Setting: Link
    Description: Enabling this option allows this local scanner to be linked to Nessus Manager or to Tenable Cloud.
        Tip: When linking to Nessus Cloud, use the following settings:
        • Manager Host: cloud.tenable.com
        • Manager Port: 443
        • Linking Key: Cloud Linking Key
        In Nessus Cloud, the Linking Key is displayed on the Scanners > Linked Scanners page.
        Note: Nessus Professional can be linked to another Nessus Manager or Tenable Cloud instance only once.
    Product Version(s): Nessus Professional
    User Type(s): System Administrator

Setting: Software Update
    Description: Software updates can be configured for updating all Nessus components, Nessus plugins only, or disabled altogether. Options include Update Frequency, and you have the ability to configure a custom Plugin Feed host. This page also allows you to perform a Manual Software Update using the downloaded, compressed TAR file obtained when you Register Nessus Offline and Download and Copy Plugins.
    Product Version(s): Nessus Professional, Nessus Manager
    User Type(s): System Administrator

Setting: Remote / Linked
    Description: Remote scanners can be linked to this manager through the provided key or valid account credentials. Once linked, they can be managed locally and selected when configuring scans.
    Product Version(s): Nessus Manager
    User Type(s): System Administrator and Administrator

Setting: Agents / Linked
    Description: Agents can be linked to this manager using the provided key with the following setup instructions. Once linked, they must be added to a group for use when configuring scans. Also, linked agents will automatically download plugins from the manager upon connection.
        Note: This process can take several minutes and is required before an agent will return scan results.
    Product Version(s): Nessus Manager
    User Type(s): System Administrator

Setting: Groups
    Description: Agent groups are used to organize and manage the agents linked to your scanner. Each agent can be added to any number of groups and scans can be configured to use these groups as targets. From this view, you can manage your agent groups.
    Product Version(s): Nessus Manager
    User Type(s): System Administrator


Nessus Agents

Nessus Agents, connected to Tenable Cloud or Nessus Manager, increase scan flexibility by making it easy to scan assets without needing ongoing host credentials or assets that are offline, as well as enable large-scale concurrent scanning with little network impact.

Once installed and linked to Nessus Manager, Nessus Agents are viewed on the Scanners / Agents / Linked page.

For more information, see Nessus Agent Install.

Once linked to Nessus Manager, Nessus Agents can be managed by adding them to or removing them from Nessus Agent Groups.


Agent Groups

Agent groups are used to organize and manage the agents linked to your scanner. Each agent can be added to any number of groups and scans can be configured to use these groups as targets.

On the Scanners / Agents / Linked page, you can create a new group.

Once a new group has been created, you can:

• manage its agents.

• set permissions for the agent group.

• rename the agent group.

During the installation of Nessus Agents, you had the option of adding your agent to an existing agent group.

If you did not have any agent groups created prior to the Nessus Agent’s install, or you opted to not add your agent to an existing group, you can create agent groups in the Nessus UI.


User and Group Accounts

Setting: Users
    Description: Individual Nessus accounts to be used for assigning permissions.
    Product Version(s): Nessus Cloud, Nessus Manager, Nessus Professional
    User Type(s): All User Types

Setting: Groups
    Description: Collections of users created for shared permissions.
    Product Version(s): Nessus Cloud, Nessus Manager
    User Type(s): System Administrator


Communication

The Communications page allows you to configure Nessus to communicate with network servers and connector services.

NETWORK

Setting: LDAP Server
    Description: The Lightweight Directory Access Protocol (LDAP) is an industry standard for accessing and maintaining directory services across an organization. Once connected to an LDAP server, Nessus administrators can add users straight from their directory and these users can authenticate using their directory credentials.
        Tip: Nessus auto-negotiates encryption, therefore there are no encryption options in the Nessus interface.
    Product Version(s): Nessus Cloud, Nessus Manager
    User Type(s): System Administrator

Setting: Proxy Server
    Description: Proxy servers are used to forward HTTP requests. If your organization requires one, Nessus will use these settings to perform plugin updates and communicate with remote scanners. There are five fields that control proxy settings, but only the host and port are required. Username, password, and user-agent are available if needed.
    Product Version(s): Nessus Cloud, Nessus Manager, Nessus Professional
    User Type(s): System Administrator

Setting: SMTP Server
    Description: Simple Mail Transfer Protocol (SMTP) is an industry standard for sending and receiving email. Once configured for SMTP, Nessus will email scan results to the list of recipients specified in a scan’s "Email Notifications" configuration. These results can be custom tailored through filters and require an HTML compatible email client.
    Product Version(s): Nessus Cloud, Nessus Manager, Nessus Professional
    User Type(s): System Administrator

CONNECTORS

Setting: Cisco ISE
    Description: Cisco Identity Services Engine (ISE) is a security policy management and control platform that simplifies access control and security compliance for wired, wireless, and VPN connectivity. Cisco ISE is primarily used to provide secure access, support BYOD initiatives, and enforce usage policies. Nessus only supports Cisco ISE version 1.2 or greater.
    Product Version(s): Nessus Manager
    User Type(s): System Administrator


Advanced Settings

TheAdvanced page allows you tomanually configure theNessus daemon.

l AdvancedSettings are global settings.

l To configureAdvanced Settings, youmust use aNessus System Administrator user account.

l Whenmodified, changes go into effect a fewminutes after the setting is saved.

l global.max_hosts, max_hosts, andmax_checks settings can have a particularly great impact on theability to perform scans.

l Custom policy settings supersede the globalAdvanced Settings.

Note:When an Advanced Setting is added or an existing setting is modified, are prompted to either Discardor Save the setting.

Setting

NameDescription Default

allow_post_scan_editing

Allows a user tomake edits toscan results afterthe scan com-pletes.

yes


auto_enable_dependencies

Automatically activate the plugins that are depended on. If disabled, not all plugins may run despite being selected in a scan policy.

Default: yes

auto_update

Automatic plugin updates. If enabled and Nessus is registered, fetch the newest plugins from plugins.nessus.org automatically. Disable if the scanner is on an isolated network that is not able to reach the Internet.

Default: yes

auto_update_delay

Number of hours to wait between two updates. Four (4) hours is the minimum allowed interval.

Default: 24

cgi_path

During the testing of web servers, use this colon delimited list of CGI paths.

Default: /cgi-bin:/scripts

checks_read_timeout

Read timeout for the sockets of the tests.

Default: 5


disable_ui

Disables the user interface on managed scanners.

Default: no

disable_ntp

Disable the old NTP legacy protocol.

Default: yes

disable_xmlrpc

Disable the new XMLRPC (Web Server) interface.

Default: no

dumpfile

Location of a dump file for debugging output if generated.

Default: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.dump

global.max_hosts

Maximum number of simultaneous checks against each host tested.

Default: 2150

global.max_scans

If set to non-zero, this defines the maximum number of scans that may take place in parallel. If this option is not used, no limit is enforced.

Default: 0

global.max_simult_tcp_sessions

Maximum number of simultaneous TCP sessions between all scans. If this option is not used, no limit is enforced.

Default: 50

global.max_web_users

If set to non-zero, this defines the maximum number of (web) users who can connect in parallel. If this option is not used, no limit is enforced.

Default: 1024

listen_address

IPv4 address to listen for incoming connections. If set to 127.0.0.1, this will restrict access to local connections only.

Default: 0.0.0.0

log_whole_attack

Log every detail of the attack? Helpful for debugging issues with the scan, but this may be disk intensive.

Default: no

logfile

Location where the Nessus log file is stored.

Default: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.messages

max_hosts

Maximum number of hosts checked at one time during a scan.

Default: 5

max_checks

Maximum number of simultaneous checks against each host tested.

Default: 5

nasl_log_type

Direct the type of NASL engine output in nessusd.dump.

Default: normal

nasl_no_signature_check

Determines if Nessus will consider all NASL scripts as being signed. Selecting "yes" is unsafe and not recommended.

Default: no

nessus_syn_scanner.global_throughput.max

Sets the max number of SYN packets that Nessus will send per second during its port scan (no matter how many hosts are scanned in parallel). Adjust this setting based on the sensitivity of the remote device to large numbers of SYN packets.

Default: 65536

nessus_udp_scanner.max_run_time

Used to specify the maximum run time, in seconds, for the UDP port scanner. If the setting is not present, a default value of 365 days (31536000 seconds) is used instead.

Default: 31536000

non_simult_ports

Specifies ports against which two plugins cannot be run simultaneously.

Default: 139, 445, 3389

optimize_test

Optimize the test procedure. Changing this to "no" will cause scans to take longer and typically generate more false positives.

Default: yes

plugin_upload

Designate if admin users may upload plugins.

Default: yes

plugins_timeout

Maximum lifetime of a plugin's activity (in seconds).

Default: 320

port_range

Range of the ports the port scanners will scan. Can use keywords "default" or "all", as well as a comma delimited list of ports or ranges of ports.

Default: default

purge_plugin_db

Determines if Nessus will purge the plugin database at each update. This directs Nessus to remove, re-download, and re-build the plugin database for each update. Choosing yes will cause each update to be considerably slower.

Default: no

qdb_mem_usage

Directs Nessus to use more or less memory when idle. If Nessus is running on a dedicated server, setting this to "high" will use more memory to increase performance. If Nessus is running on a shared machine, setting this to "low" will use considerably less memory, but at the price of a moderate performance impact.

Default: low


reduce_connections_on_congestion

Reduce the number of TCP sessions in parallel when the network appears to be congested.

Default: no

report_crashes

Anonymously report crashes to Tenable. When set to yes, Nessus crash information is sent to Tenable to identify problems. Neither personal nor system-identifying information is sent to Tenable.

Default: yes

remote_listen_port

This setting allows Nessus to operate on different ports: one dedicated to communicating with remote agents and scanners (comms port) and the other for user logins (management port).

By adding this setting, you can link your managed scanners and agents to a different port (Example: 9000) instead of the one defined in xmlrpc_listen_port (default 8834).

Default: none

rules

Location of the Nessus Rules file (nessusd.rules).

Default: C:\ProgramData\Tenable\Nessus\conf\nessusd.rules


safe_checks

Safe checks rely on banner grabbing rather than active testing for a vulnerability.

Default: yes

silent_dependencies

If enabled, the list of plugin dependencies and their output are not included in the report. A plugin may be selected as part of a policy that depends on other plugins to run. By default, Nessus will run those plugin dependencies, but will not include their output in the report. Setting this option to no will cause both the selected plugin, and any plugin dependencies, to all appear in the report.

Default: yes

slice_network_addresses

If this option is set, Nessus will not scan a network incrementally (10.0.0.1, then 10.0.0.2, then 10.0.0.3, and so on) but will attempt to slice the workload throughout the whole network (e.g., it will scan 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128, and so on).

Default: no

ssl_cipher_list

Nessus only supports 'strong' SSL ciphers when connecting to port 8834.

Default: strong

ssl_mode

Minimum supported version of TLS. If not present or if removed, Nessus will use TLS 1.0 (tls_1_0).

Default: tls_1_2

stop_scan_on_disconnect

Stop scanning a host that seems to have been disconnected during the scan.

Default: no

stop_scan_on_hang

Stop a scan that seems to be hung.

Default: no

throttle_scan

Throttle scan when CPU is overloaded.

Default: yes

www_logfile

Location where the Nessus Web Server (user interface) log is stored.

Default: C:\ProgramData\Tenable\Nessus\nessus\logs\www_server.log

xmlrpc_idle_session_timeout

XMLRPC Idle Session Timeout in minutes. Value defaults to 30 minutes. If the value is set to zero (0), the default value of 30 minutes will still apply. There is no maximum limit for this value.

Default: 30

xmlrpc_listen_port

Port for the Nessus Web Server to listen to (new XMLRPC protocol).

Default: 8834
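Several of the settings above carry documented constraints or security consequences (a 4 hour minimum for auto_update_delay, a 0 that does not disable xmlrpc_idle_session_timeout, an "unsafe" value for nasl_no_signature_check, listen_address=0.0.0.0 exposing the web UI on every interface, ssl_mode below tls_1_2). The following audit script is an added example and not part of the Nessus user guide or Tenable's code: it reads a constructed name=value export of Advanced Settings (the input format and the sample values are assumptions made for this example), fills in the documented defaults for anything unset, and reports values that the table describes as unsafe, out of range, or silently overridden.

```python
"""Audit Nessus Advanced Settings against the constraints documented in the
settings table.  Added example: the name=value input format and the sample
export are constructed for illustration, not taken from nessusd."""
from __future__ import annotations

import ipaddress

# Documented defaults for the settings this audit looks at.
DEFAULTS = {
    "auto_update_delay": "24",
    "listen_address": "0.0.0.0",
    "nasl_no_signature_check": "no",
    "safe_checks": "yes",
    "ssl_mode": "tls_1_2",
    "xmlrpc_idle_session_timeout": "30",
    "log_whole_attack": "no",
}

# Order matters: a lower index is a weaker minimum TLS version.
TLS_ORDER = ("tls_1_0", "tls_1_1", "tls_1_2")

# Constructed sample export (not real nessusd output).
SAMPLE_EXPORT = """\
# constructed example
listen_address=0.0.0.0
ssl_mode=tls_1_0
auto_update_delay=2
nasl_no_signature_check=yes
safe_checks=no
"""


def parse_settings(text: str) -> dict[str, str]:
    """Parse 'name=value' lines; blank lines and '#' comments are skipped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed setting line: {raw!r}")
        settings[name.strip()] = value.strip()
    return settings


def audit(settings: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (severity, setting, message) findings; unset settings are
    evaluated at their documented default."""
    def get(name: str) -> str:
        return settings.get(name, DEFAULTS[name])

    findings: list[tuple[str, str, str]] = []

    # The guide calls this value unsafe: every NASL script would be treated as signed.
    if get("nasl_no_signature_check") == "yes":
        findings.append(("high", "nasl_no_signature_check",
                         "all NASL scripts are treated as signed; the guide calls this unsafe"))

    # safe_checks=no switches from banner grabbing to active vulnerability testing.
    if get("safe_checks") == "no":
        findings.append(("medium", "safe_checks",
                         "active testing enabled; scans may disrupt fragile hosts"))

    # ssl_mode is the minimum TLS version of the web UI; below tls_1_2 weakens it.
    mode = get("ssl_mode")
    if mode not in TLS_ORDER or TLS_ORDER.index(mode) < TLS_ORDER.index("tls_1_2"):
        findings.append(("medium", "ssl_mode",
                         f"minimum TLS version {mode!r} is below the tls_1_2 default"))

    # auto_update_delay: four hours is the documented minimum interval.
    delay = get("auto_update_delay")
    if not delay.isdigit() or int(delay) < 4:
        findings.append(("low", "auto_update_delay",
                         f"{delay!r} is below the 4 hour minimum (or not a number)"))

    # A zero timeout does not disable idle logout; the 30 minute default still applies.
    if get("xmlrpc_idle_session_timeout") == "0":
        findings.append(("info", "xmlrpc_idle_session_timeout",
                         "0 does not disable the timeout; 30 minutes still applies"))

    # listen_address=0.0.0.0 exposes the UI on every interface; 127.0.0.1 is local only.
    addr = get("listen_address")
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        findings.append(("high", "listen_address", f"{addr!r} is not a valid IPv4 address"))
    else:
        if addr == "0.0.0.0":
            findings.append(("info", "listen_address",
                             "web UI listens on all interfaces; restrict if not needed"))

    if get("log_whole_attack") == "yes":
        findings.append(("low", "log_whole_attack", "full attack logging is disk intensive"))

    return findings


def flagged_settings(text: str) -> set[str]:
    """Names of settings that produced at least one finding."""
    return {name for _, name, _ in audit(parse_settings(text))}


if __name__ == "__main__":
    for severity, name, message in audit(parse_settings(SAMPLE_EXPORT)):
        print(f"[{severity}] {name}: {message}")
```

Run it against your own export by replacing SAMPLE_EXPORT; a settings set that differs from the defaults only in listen_address=127.0.0.1 produces no findings, which is a convenient baseline for a scanner that is administered locally.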


Template Library

Nessus templates are used to facilitate the creation of Scans and Policies.

A Scan is the act of Nessus assessing a host for vulnerabilities, based on defined rules.

A Policy is a set of rules that defines what a scan does.

When a new Scan or a new Policy is created, the Template Library is displayed; each library contains Scanner Templates and Agent Templates.

If you create a Policy, your custom templates appear on the User tab.

l Policy Templates and Scanner Templates share many settings and configuration options.

l Scanner Templates include settings regarding Folder location, Dashboard options, identification of Scanners and Targets, Schedules, and Email Notifications.

l Policy Templates do not include settings regarding Folder location, Dashboard options, identification of Scanners and Targets, Schedules, and Email Notifications.

l Agent Templates do not include Credentials options.

While the templates in each library are named identically, actual Vulnerability Scanning is performed by the creation and usage of a Scan, and the creation and usage of a Policy defines the rules by which those scans operate.

Note: The contents of the Template Library change as vulnerabilities are discovered.

Templates

Template Name / Description

Scanner Templates

Advanced Scan: Scan template for users who want total control of their scan or policy configuration.

Audit Cloud Infrastructure: Compliance specific template used for auditing the configuration of third-party cloud services.

Badlock Detection: This policy is used to perform remote and local checks for the Badlock vulnerability (CVE-2016-2118 and CVE-2016-0128).

Bash Shellshock Detection: Remote and credentialed checks for the Bash Shellshock vulnerability.

Basic Network Scan: For users scanning internal or external hosts.

Credentialed Patch Audit: Log in to systems and enumerate missing software updates.

DROWN Detection: Remote checks for CVE-2016-0800.

Host Discovery: Identifies live hosts and open ports.

Internal PCI Network Scan: For companies required to run an internal scan to meet Payment Card Industry Data Security Standards (PCI DSS) internal scanning requirements (11.2.1).

MDM Config Audit: Compliance specific template used for auditing the configuration of Mobile Device Managers (MDM).

Mobile Device Scan: For users of Apple Profile Manager, ADSI, MobileIron, or Good MDM.

Offline Config Audit: Compliance specific template used to upload and audit the config file of a network device.

PCI Quarterly External Scan: Tenable Cloud Only. For companies required to run quarterly external scans to meet Payment Card Industry Data Security Standards (PCI DSS) external scanning requirements (11.2.2).

Note: This is the approved policy for quarterly external scanning as part of Tenable's Approved Scanning Vendor (ASV) solution and must be executed from Tenable Cloud to be able to submit for quarterly attestation.

Policy Compliance Auditing: Compliance specific template used to audit system configurations against a known baseline provided by the user.

SCAP and OVAL Compliance Auditing: Compliance specific template used to audit systems using Security Content Automation Protocol (SCAP) and OVAL definitions.

Web Application Tests: For users performing generic web application scans.

Windows Malware Scan: For users searching for malware on Windows systems.

Agent Templates

Advanced Agent Scan: Allows you to create and manually configure a customized Agent Scan.

Basic Agent Scan: Scans systems connected to Windows or Linux agents.

Windows Malware Scan: Scans for malware on systems connected via Windows agents.

Policy Compliance Auditing: Used for auditing systems connected via Windows or Linux agents.

SCAP and OVAL Agent Auditing: Audit systems using SCAP and OVAL definitions.


Scan Template Settings

When creating a new Scan or a new Policy, you'll notice that both the Basic Network Scan template and the Advanced Scan template share the following configuration options:

l Settings / Basic

l Settings / Discovery

l Settings / Assessment

l Settings / Report

l Scan Setting / Advanced

l Scan Credentials Settings

Basic Network Scan Template

Note: Nessus Professional does not have the Permissions option.


Advanced Scan Template

Using the Advanced Scan template allows for total customization of your scan or policy settings.

In addition to Settings and Credentials, you also have the ability to configure Compliance and Plugins options.

Note: Nessus Professional does not have the Permissions option.


Settings / Basic

Settings / Basic / General

Setting / Description

Name: Sets the name that will be displayed in the Nessus user interface to identify the scan.

Description: Optional field for a more detailed description of the scan.

Folder: The Nessus user interface folder to store the scan results.

Dashboard: Enable or disable scan dashboards. Dashboards are enabled for all new scans by default. However, they are disabled on existing or imported scans unless you enable them.

Targets: Valid formats:

l A single IP address (e.g., 192.168.0.1)

l An IP range (e.g., 192.168.0.1-192.168.0.255 or 192.168.0[4-10])

l A subnet with CIDR notation (e.g., 192.168.0.0/24)

l A resolvable host (e.g., www.yourdomain.com)

l A resolvable host with subnet (www.yourdomain.com/255.255.255.0)

l A resolvable host with CIDR notation (www.yourdomain.com/24)

l A single IPv6 address (e.g., link6%eth0, 2001:db8::2120:17ff:fe57:333b, fe80:0000:0000:0000:0216:cbff:fe92:88d0%eth0)

Upload Targets: A text file that includes targeted hosts.

The host file must be formatted as ASCII text with one host per line and no extra spaces or lines. Unicode/UTF-8 encoding is not supported.
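A target list is easy to get subtly wrong (a stray blank line, a non-ASCII hostname, an octet out of range), and a malformed entry is better caught before a scan is launched than discovered as a silently skipped host. The validator below is an added example and not Nessus code: it classifies each target according to the formats listed above, expands the address forms that can be expanded without DNS, and applies the upload-file rules (ASCII only, one host per line, no extra spaces or lines). The function names and the kind labels it returns are this example's own; hostnames are checked syntactically and never resolved, so it runs offline, and the link6%eth0 keyword form is not handled.

```python
"""Validate scan target specifications in the formats listed above.
Added example, not Nessus code: the parser mirrors the documented formats but
the function names and the 'kind' labels are this example's own; hostnames are
classified syntactically and never resolved, so it runs offline."""
from __future__ import annotations

import ipaddress
import re

# Hostname per RFC 1123 label rules (syntactic check only, no DNS lookup).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Last-octet bracket range, e.g. 192.168.0[4-10] (the form shown above).
_OCTET_RANGE_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.?\[(\d{1,3})-(\d{1,3})\]$")


def _ipv4(text: str) -> ipaddress.IPv4Address | None:
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def parse_target(token: str) -> tuple[str, list[str]]:
    """Classify one target and expand it to addresses where that is possible
    without DNS.  Returns (kind, hosts); raises ValueError on bad input."""
    t = token.strip()
    if not t:
        raise ValueError("empty target")

    # IPv6, optionally with a zone suffix such as %eth0 (validated without the zone).
    if ":" in t:
        ipaddress.IPv6Address(t.partition("%")[0])
        return "ipv6", [t]

    # CIDR or dotted-netmask suffix, on either an address or a hostname.
    if "/" in t:
        host, mask = t.split("/", 1)
        if _ipv4(host) is not None:
            net = ipaddress.IPv4Network(t, strict=False)
            return "cidr", [str(a) for a in net]   # includes network/broadcast addresses
        ipaddress.IPv4Network(f"0.0.0.0/{mask}")  # validates /24 and /255.255.255.0 alike
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"bad host in {token!r}")
        return "host_subnet", [t]                  # needs DNS to expand

    m = _OCTET_RANGE_RE.match(t)
    if m:
        base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255 or _ipv4(f"{base}.{lo}") is None:
            raise ValueError(f"bad octet range {token!r}")
        return "range", [f"{base}.{i}" for i in range(lo, hi + 1)]

    if "-" in t:
        first, last = (_ipv4(p) for p in t.split("-", 1))
        if first is not None and last is not None:
            if last < first:
                raise ValueError(f"range end precedes start in {token!r}")
            return "range", [str(ipaddress.IPv4Address(n))
                             for n in range(int(first), int(last) + 1)]

    if _ipv4(t) is not None:
        return "ipv4", [t]
    # Digits, dots and dashes only but not a valid address or range: treat as a typo,
    # not as a hostname, so 192.168.0.300 is rejected instead of being resolved later.
    if re.fullmatch(r"[\d.-]+", t):
        raise ValueError(f"malformed IPv4 address or range {token!r}")
    if _HOSTNAME_RE.match(t):
        return "host", [t]
    raise ValueError(f"unrecognised target {token!r}")


def parse_target_file(text: str) -> list[tuple[str, list[str]]]:
    """Apply the upload rules: ASCII only, one host per line, no extra spaces
    or blank lines.  Returns the parsed targets or raises ValueError."""
    if not text.isascii():
        raise ValueError("target file must be ASCII; Unicode/UTF-8 is not supported")
    targets = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line != line.strip():
            raise ValueError(f"line {lineno}: blank line or extra whitespace")
        targets.append(parse_target(line))
    return targets


if __name__ == "__main__":
    # Constructed sample upload file.
    sample = "192.168.0.1\n192.168.0[4-10]\nwww.yourdomain.com/24\n2001:db8::2120:17ff:fe57:333b\n"
    for kind, hosts in parse_target_file(sample):
        print(f"{kind:12} {len(hosts):4} host(s)  first={hosts[0]}")
```

The CIDR expansion deliberately lists every address in the block, including the network and broadcast addresses, so the count matches what a scanner that treats the block as a plain range would attempt; trim it with a filter if you only want usable host addresses.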

Settings / Basic / Schedule

Setting / Description

Launch: Sets the Scan's launch interval.

l Once: Schedule the scan at a specific time.

l Daily: Schedule the scan to occur on a daily basis, at a specific time or to repeat up to every 20 days.

l Weekly: Schedule the scan to occur on a recurring basis, by time and day of week, for up to 20 weeks.

l Monthly: Schedule the scan to occur every month, by time and day or week of month, for up to 20 months.

l Yearly: Schedule the scan to occur every year, by time and day, for up to 20 years.

Starts On: Sets a fixed date and time for the initial launch to occur.

Time Zone: Sets the time zone for the launch's time settings.

Summary: Provides complete details about your scan's schedule configuration.

Settings / Basic / Notifications

Tip: An SMTP Server is required and must be configured.

Setting / Description

Email Recipient(s): Email addresses of users or distribution groups to receive Nessus notifications.

Result Filters: Defines the type of information to be emailed.

Settings / Basic / Permissions

Tip: This option is only available in Nessus Manager; Nessus Professional does not include these settings.

Setting / Description

No Access: Only the user who created the policy can view, use, or edit the policy.

Can View: Other users can view the scan results. They will not be able to control or configure the scan.

Can Control: Other users can control the scan (launch, pause, and stop) and view the scan results. They will not be able to configure the scan.

Can Configure: Other users can control the scan and configure the scan settings. They cannot delete the scan.


Settings / Discovery

The Discovery page controls options related to discovery and port scanning, including port ranges and methods.

Setting / Description

Scan Type:

l Port scan (common ports)

l Port scan (all ports)

l Custom

When Custom is selected, additional options become available: Host Discovery, Port Scanning, and Service Discovery.

Settings / Discovery / Host Discovery

Setting / Description

Ping the remote host: This option enables Nessus to ping remote hosts on multiple ports to determine if they are alive. When selected, this will enable other pinging options.

To scan VMware guest systems, Ping the remote host must be disabled.

General Settings

Test the local Nessus host: If Ping the remote host is enabled, this option is enabled by default for this policy. This option allows you to include or exclude the local Nessus host from the scan. This is used when the Nessus host falls within the target network range for the scan.

Fast network discovery: If Ping the remote host is enabled, you will be able to see this option. By default, this option is not enabled. When Nessus pings a remote IP and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer to every port 1-65535 even when there is no service behind the device). Such checks can take some time, especially if the remote host is firewalled. If the fast network discovery option is enabled, Nessus will not perform these checks.

Ping Methods

ARP: Ping a host using its hardware address via Address Resolution Protocol (ARP). This only works on a local network.

TCP: Ping a host using TCP.

Destination ports (TCP): Destination ports can be configured to use specific ports for TCP ping. This specifies the list of ports that will be checked via TCP ping. If you are not sure of the ports, leave this setting to the default of built-in.

ICMP: Ping a host using the Internet Control Message Protocol (ICMP).

Assume ICMP unreachable from the gateway means the host is down: When a ping is sent to a host that is down, its gateway may return an ICMP unreachable message. When this option is enabled, when Nessus receives an ICMP Unreachable message it will consider the targeted host dead. This is to help speed up discovery on some networks.

Note that some firewalls and packet filters use this same behavior for hosts that are up but are connecting to a port or protocol that is filtered. With this option enabled, this will lead to the scan considering the host is down when it is indeed up.

Number of Retries (ICMP): Allows you to specify the number of attempts to try to ping the remote host. The default is two attempts.

UDP: Ping a host using the User Datagram Protocol (UDP). UDP is a stateless protocol, meaning that communication is not performed with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.

Fragile devices: The Fragile Devices menu offers two options that instruct the Nessus scanner not to scan hosts that have a history of being fragile, or prone to crashing when receiving unexpected input.

Use Scan Network Printers or Scan Novell Netware hosts to instruct Nessus to scan those particular devices.

Tip: It is recommended that scanning of these devices be performed in a manner that allows IT staff to monitor the systems for issues.

Wake-on-LAN: The Wake-on-LAN (WOL) menu controls which hosts to send WOL magic packets to before performing a scan and how long to wait (in minutes) for the systems to boot.

The list of MAC addresses for WOL is entered using an uploaded text file with one host MAC address per line.

Example WOL File Contents:

00:11:22:33:44:55

aa:bb:cc:dd:ee:ff

Network Type: Allows you to specify if you are using publicly routable IPs, private non-Internet routable IPs or a mix of these. Select Mixed if you are using RFC 1918 addresses and have multiple routers within your network.

Settings / Discovery / Port Scanning

Port scanning options define how the port scanner will behave and which ports to scan.

Setting / Description

Ports

Consider Unscanned Ports as Closed: If a port is not scanned with a selected port scanner (e.g., out of the range specified), Nessus will consider it closed.

Port Scan Range:

l Keyword default instructs Nessus to scan approximately 4,790 common ports. The list of ports can be found in the nessus-services file.

l Keyword all instructs Nessus to scan all 65,536 ports, including port 0.

l Keyword Custom List allows Nessus to use a custom range of ports by using a comma-delimited list of ports or port ranges.

Example: 21,23,25,80,110 or 1-1024,8080,9000-9200.

Note: Specifying 1-65535 will scan all ports.

You may also specify a split range specific to each protocol. For example, if you want to scan a different range of ports for TCP and UDP in the same policy, you would specify T:1-1024,U:300-500. You can also specify a set of ports to scan for both protocols, as well as individual ranges for each separate protocol ("1-1024,T:1024-65535,U:1025"). If you are scanning a single protocol, select only that port scanner and specify the ports normally.

The range specified for a port scan will be applied to both TCP and UDP scans.
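The port range syntax above (the keywords default and all, comma-separated ports and ranges, and the T: and U: protocol prefixes) is compact but easy to mistype, and a policy review often needs to know exactly which ports a given string covers per protocol. The parser below is an added example and not Nessus code: it implements that syntax as described, resolves unprefixed elements to both protocols, and includes a helper that renders a port set back into the compact range form so that two policies can be compared. The keyword default is kept symbolic because the real list lives in the nessus-services file, which this example does not read; the function names are this example's own.

```python
"""Parse Nessus-style port scan range strings.  Added example, not Nessus
code: it implements the syntax described above (keywords default and all,
comma-separated ports and ranges, T:/U: protocol prefixes) and a helper that
renders a port set back into the compact range form.  The 'default' keyword
is kept symbolic because the actual list lives in the nessus-services file."""
from __future__ import annotations

ALL_PORTS = frozenset(range(0, 65536))  # 'all' includes port 0


def _parse_item(item: str) -> set[int]:
    """One element: a single port or an inclusive lo-hi range."""
    lo_s, sep, hi_s = item.partition("-")
    if not lo_s.isdigit() or (sep and not hi_s.isdigit()):
        raise ValueError(f"bad port element {item!r}")
    lo = int(lo_s)
    hi = int(hi_s) if sep else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range {item!r} out of order or outside 0-65535")
    return set(range(lo, hi + 1))


def parse_port_range(spec: str) -> dict[str, set[int] | str]:
    """Return {'tcp': ..., 'udp': ...}.  Each value is a set of port numbers,
    or the string 'default' when the built-in common-port list is meant."""
    spec = spec.strip().lower()
    if spec == "default":
        return {"tcp": "default", "udp": "default"}
    if spec == "all":
        return {"tcp": set(ALL_PORTS), "udp": set(ALL_PORTS)}
    tcp: set[int] = set()
    udp: set[int] = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty element in port list")
        if item.startswith("t:"):
            tcp |= _parse_item(item[2:])       # TCP only
        elif item.startswith("u:"):
            udp |= _parse_item(item[2:])       # UDP only
        else:
            both = _parse_item(item)           # unprefixed applies to both protocols
            tcp |= both
            udp |= both
    return {"tcp": tcp, "udp": udp}


def to_ranges(ports: set[int]) -> str:
    """Render a port set as the compact comma/range form, e.g. '1-1024,8080'."""
    ordered = sorted(ports)
    parts: list[str] = []
    i = 0
    while i < len(ordered):
        start = end = ordered[i]
        while i + 1 < len(ordered) and ordered[i + 1] == end + 1:
            i += 1
            end = ordered[i]
        parts.append(str(start) if start == end else f"{start}-{end}")
        i += 1
    return ",".join(parts)


if __name__ == "__main__":
    for example in ("21,23,25,80,110", "1-1024,8080,9000-9200",
                    "T:1-1024,U:300-500", "1-1024,T:1024-65535,U:1025"):
        result = parse_port_range(example)
        print(f"{example:32} tcp={to_ranges(result['tcp'])} udp={to_ranges(result['udp'])}")
```

Note how "1-65535" and "all" differ by exactly one port (port 0), which matches the description of the all keyword above; comparing to_ranges output for two policies is a quick way to spot that kind of gap.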

Local Port Enumerators

SSH (netstat): This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Linux-based systems and requires authentication credentials.

WMI (netstat): A WMI based scan uses netstat to determine open ports, thus ignoring any port ranges specified. If any port enumerator (netstat or SNMP) is successful, the port range becomes all. However, Nessus will still honor the consider unscanned ports as closed option if selected.

SNMP: If the settings are provided by the user (under Credentials), this will allow Nessus to better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.

Only run network port scanners if local port enumeration failed: Rely on local port enumeration first before relying on network port scans.

Verify open TCP ports found by local port enumerators: If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).

Network Port Scanners

TCP: On some platforms (e.g., Windows and Mac OS X), selecting this scanner will cause Nessus to use the SYN scanner to avoid serious performance issues native to those operating systems.

SYN: Use Nessus' built-in SYN scanner to identify open TCP ports on the targets. SYN scans are a popular method for conducting port scans and generally considered to be a bit less intrusive than TCP scans, depending on the security monitoring device such as a firewall or Intrusion Detection System (IDS). The scanner sends a SYN packet to the port, waits for a SYN-ACK reply, and determines port state based on a reply, or lack of reply.

l Use aggressive detection will attempt to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network.

l Use soft detection disables the ability to monitor how often resets are set and to determine if there is a limitation configured by a downstream network device.

l Disable detection disables the Firewall detection feature.

UDP: This option engages Nessus' built-in UDP scanner to identify open UDP ports on the targets.

Due to the nature of the protocol, it is generally not possible for a port scanner to tell the difference between open and filtered UDP ports. Enabling the UDP port scanner may dramatically increase the scan time and produce unreliable results. Consider using the netstat or SNMP port enumeration options instead if possible.

Settings / Discovery / Service Discovery

TheServiceDiscovery page defines options that attempt tomapeach open port with the service that is run-ning on that port.

Tip: There is a possibility that probing may disrupt servers or cause unforeseen side effects.

Setting Description

General Settings

Probe all portsto find ser-vices

Attempts tomapeach open port with the service that is running on that port. Note that insome rare cases, this might disrupt some services and cause unforeseen side effects.

Search forSSLbasedservices

TheSearch for SSLbased services controls howNessus will test SSLbased services.

If toggled, choose betweenKnownSSLports (e.g., 443) andAll ports.

Tip: Testing for SSL capability on all ports may be disruptive for the tested host.

Search for SSL/TLSServices (enabled)

Enumerate allSSL ciphers

WhenNessus performs anSSL scan, it tries to determine theSSL ciphers used by theremote server by attempting to establish a connectionwith each different documentedSSL cipher, regardless of what the server says is available.


Enable CRL checking (connects to Internet) | Direct Nessus to check SSL certificates against known Certificate Revocation Lists (CRL).


Settings / Assessment

Settings / Assessment / General

Option | Default | Description

Accuracy

Override normal accuracy | Disabled | In some cases, Nessus cannot remotely determine whether a flaw is present or not. If report paranoia is set to Show potential false alarms then a flaw will be reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid potential false alarms will cause Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. Not enabling Override normal accuracy is a middle ground between these two settings.

Perform thorough tests (may disrupt your network or impact scan speed) | Disabled | Causes various plugins to work harder. For example, when looking through SMB file shares, a plugin can analyze 3 directory levels deep instead of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially providing better audit results.

Antivirus

Antivirus definition grace period (in days) | 0 | Configure the delay of the Antivirus software check for a set number of days (0-7). The Antivirus Software Check menu allows you to direct Nessus to allow for a specific grace time in reporting when antivirus signatures are considered out of date. By default, Nessus will consider signatures out of date regardless of how long ago an update was available (e.g., a few hours ago). This can be configured to allow for up to 7 days before reporting them out of date.

SMTP

Third party | | Nessus will attempt to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the domain of the site performing the scan. Otherwise, the test may be aborted by the SMTP server.

From address | | The test messages sent to the SMTP server(s) will appear as if they originated from the address specified in this field.

To address | postmaster | Nessus will attempt to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.

Settings / Assessment / Brute Force

Option | Default | Description

General Settings

Only use credentials provided by the user | Enabled | In some cases, Nessus can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Nessus from performing these tests.

Oracle Database

Test default Oracle accounts (slow) | Disabled | Test for known default accounts in Oracle software.

Hydra

Hydra options only appear when Hydra is installed on the same computer as Nessus.

Always enable Hydra (slow) | Disabled | Enables Hydra whenever the scan is performed.

Logins file | | A file that contains user names that Hydra will use during the scan.

Passwords file | | A file that contains passwords for user accounts that Hydra will use during the scan.

Number of parallel tasks | 16 | The number of simultaneous Hydra tests that you want to execute. By default, this value is 16.


Timeout (in seconds) | 30 | The number of seconds per logon attempt.

Try empty passwords | Enabled | If enabled, Hydra will additionally try user names without using a password.

Try login as password | Enabled | If enabled, Hydra will additionally try a user name as the corresponding password.

Stop brute forcing after the first success | Disabled | If enabled, Hydra will stop brute forcing user accounts after the first time an account is successfully accessed.

Add accounts found by other plugins to the login file | Enabled | If disabled, only the user names specified in the logins file will be used for the scan. Otherwise, additional user names discovered by other plugins will be added to the logins file and used for the scan.

PostgreSQL database name | | The database that you want Hydra to test.

SAP R/3 Client ID (0 - 99) | | The ID of the SAP R/3 client that you want Hydra to test.

Windows accounts to test | Local accounts | Can be set to Local accounts, Domain Accounts, or Either.

Interpret passwords as NTLM hashes | Disabled | If enabled, Hydra will interpret passwords as NTLM hashes.

Cisco login password | | This password is used to login to a Cisco system before brute forcing enable passwords. If no password is provided here, Hydra will attempt to login using credentials that were successfully brute forced earlier in the scan.


Web page to brute force | | Enter a web page that is protected by HTTP basic or digest authentication. If a web page is not provided here, Hydra will attempt to brute force a page discovered by the Nessus web crawler that requires HTTP authentication.

HTTP proxy test website | | If Hydra successfully brute forces an HTTP proxy, it will attempt to access the website provided here via the brute forced proxy.

LDAP DN | | The LDAP Distinguished Name scope that Hydra will authenticate against.

Settings / Assessment / SCADA

Option | Description

Modbus/TCP Coil Access | The Modbus/TCP Coil Access options are available for commercial users. This drop-down menu item is dynamically generated by the SCADA plugins available with the commercial version of Nessus. Modbus uses a function code of 1 to read coils in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message.

The defaults for this are 0 for the Start reg and 16 for the End reg.

ICCP/COTP TSAP Addressing Weakness | The ICCP/COTP TSAP Addressing menu determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Points (TSAP) value on an ICCP server by trying possible values.

The start and stop values are set to 8 by default.

Settings / Assessment / Web Applications

Option | Default | Description

General

Use the cloud to take screenshots of public web servers | Disabled | This option enables Nessus to take screenshots to better demonstrate some findings. This includes some services (e.g., VNC, RDP) as well as configuration specific options (e.g., web server directory indexing). The feature only works for Internet-facing hosts, as the screenshots are generated on a managed server and sent to the Nessus scanner.

Screenshots are not exported with a Nessus scan report.

Use a custom User-Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) | Specifies which type of web browser Nessus will impersonate while scanning.

Web Crawler

Start crawling from | / | The URL of the first page that will be tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).

Excluded pages (regex) | /server_privileges\.php <> log out | Enable exclusion of portions of the web site from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this field to: (^/manual) <> (\.pl(\?.*)?$).

Nessus supports POSIX regular expressions for string matching and handling, as well as Perl-compatible regular expressions (PCRE).

Maximum pages to crawl | 1000 | The maximum number of pages to crawl.

Maximum depth to crawl | 6 | Limit the number of links Nessus will follow for each start page.

Follow dynamic pages | Disabled | If selected, Nessus will follow dynamic links and may exceed the parameters set above.
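Added illustration, not from the guide: a small Python check that evaluates an Excluded pages field against constructed crawl paths before a scan runs, so a scope rule (for example, keeping the crawler away from a logout page or a fragile CGI tree) can be verified offline. It assumes, from the examples in the table above, that `<>` separates alternative patterns and that each pattern is searched anywhere in the path.

```python
import re

# Assumption drawn from the table's examples: "<>" separates alternative
# patterns in the Excluded pages (regex) field.
PATTERN_SEPARATOR = "<>"

# The field's default value as shown in the table above.
DEFAULT_EXCLUSIONS = r"/server_privileges\.php <> log out"


def parse_exclusions(field: str) -> list:
    """Split the field on "<>" and compile each non-empty alternative."""
    patterns = []
    for raw in field.split(PATTERN_SEPARATOR):
        raw = raw.strip()
        if raw:
            patterns.append(re.compile(raw))
    return patterns


def is_excluded(path: str, patterns: list) -> bool:
    """True when any alternative matches somewhere in the path.

    re.search semantics are assumed: the guide's own example uses an explicit
    ^ anchor, which only makes sense if patterns are not implicitly anchored."""
    return any(p.search(path) for p in patterns)


def partition_crawl(paths, field: str):
    """Return (crawled, excluded) for a list of paths under a field value."""
    patterns = parse_exclusions(field)
    crawled, excluded = [], []
    for path in paths:
        (excluded if is_excluded(path, patterns) else crawled).append(path)
    return crawled, excluded


# Constructed sample paths, as a crawler might discover them.
SAMPLE_PATHS = [
    "/index.html",
    "/manual/intro.html",             # under /manual: excluded by (^/manual)
    "/docs/manual/index.html",        # "manual" not at the start: crawled
    "/cgi-bin/search.pl",             # Perl CGI: excluded by \.pl(\?.*)?$
    "/cgi-bin/search.pl?q=test",      # Perl CGI with a query string: excluded
    "/scripts/run.pl.bak",            # ".pl" not at the end: crawled
    "/phpmyadmin/server_privileges.php",
]

if __name__ == "__main__":
    crawled, excluded = partition_crawl(SAMPLE_PATHS, r"(^/manual) <> (\.pl(\?.*)?$)")
    print("crawled: ", crawled)
    print("excluded:", excluded)
```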

Application Test Settings

Enable generic web application tests | Disabled | Enables the options listed below.

Abort web application tests if HTTP login fails | Disabled | If Nessus cannot login to the target via HTTP, then do not run any web application tests.

Try all HTTP methods | Disabled | This option will instruct Nessus to also use POST requests for enhanced web form testing. By default, the web application tests will only use GET requests, unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. When selected, Nessus will test each script/variable with both GET and POST requests. This setting provides more thorough testing, but may considerably increase the time required.

Attempt HTTP Parameter Pollution | Disabled | When performing web application tests, attempt to bypass filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.

Test embedded web servers | Disabled | Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.

Test more than one parameter at a time | Disabled | This option manages the combination of argument values used in the HTTP requests. The default, without checking this option, is testing one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Nessus would attempt /test.php?arg1=XSS&b=1&c=1 where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.

This drop-down has four options:

- Test random pairs of parameters – This form of testing will randomly check a combination of random pairs of parameters. This is the fastest way to test multiple parameters.

- Test all pairs of parameters (slow) – This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it will test an attack string, variations for a single variable and then use the first value for all other variables. For example, Nessus would attempt /test.php?a=XSS&b=1&c=1&d=1 and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Nessus would never test for /test.php?a=XSS&b=3&c=3&d=3 when the first value of each variable is 1.

- Test random combinations of three or more parameters (slower) – This form of testing will randomly check a combination of three or more parameters. This is more thorough than testing only pairs of parameters. Note that increasing the amount of combinations by three or more increases the web application test time.

- Test all combinations of parameters (slowest) – This method of testing will do a fully exhaustive test of all possible combinations of attack strings with valid input to variables. Where All-pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.

Do not stop after first flaw is found per web page | Disabled | This option determines when a new flaw is targeted. This applies at the script level; finding an XSS flaw will not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port, unless thorough tests is set. Note that several flaws of the same type (e.g., XSS, SQLi, etc.) may be reported sometimes, if they were caught by the same attack. The drop-down has four options:

- Stop after one flaw is found per web server (fastest) – As soon as a flaw is found on a web server by a script, Nessus stops and switches to another web server on a different port.

- Stop after one flaw is found per parameter (slow) – As soon as one type of flaw is found in a parameter of a CGI (e.g., XSS), Nessus switches to the next parameter of the same CGI, or the next known CGI, or to the next port/server.

- Look for all flaws (slowest) – Perform extensive tests regardless of flaws found. This option can produce a very verbose report and is not recommended in most cases.

URL for Remote File Inclusion | http://rfi.nessus.org/rfi.txt | During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Nessus will use a safe file hosted by Tenable for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.

Maximum run time (min) | 5 | This option manages the amount of time in minutes spent performing web application tests. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site. Scanning the local network for web sites with small applications will typically complete in under an hour, however web sites with large applications may require a higher value.

Settings / Assessment / Windows

Option | Description

General Setting

Request information about the SMB Domain | If the option Request information about the domain is set, then domain users will be queried instead of local users.

Enumerate Domain Users

Start UID | 1000

End UID | 1200

Enumerate Local User

Start UID | 1000

End UID | 1200

Settings / Assessment / Malware

General Settings

Disable DNS Resolution | Checking this option will prevent Nessus from using the cloud to compare scan findings against known malware.

Hash and Whitelist Files

Provide your own list of known bad MD5 hashes | Additional known bad MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target and a description was provided for the hash, the description will show up in the scan results.

Provide your own list of known good MD5 hashes | Additional known good MD5 hashes can be uploaded via a text file that contains one MD5 hash per line. It is possible to (optionally) add a description for each hash in the uploaded file. This is done by adding a comma after the hash, followed by the description. If any matches are found when scanning a target, and a description was provided for the hash, the description will show up in the scan results.

Hosts file whitelist | Nessus checks system hosts files for signs of a compromise (e.g., Plugin ID 23910 titled Compromised Windows System (hosts File Check)). This option allows you to upload a file containing a list of hostnames that will be ignored by Nessus during a scan. Include one hostname per line in a regular text file.
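Added example, not part of the guide: Python helpers that validate a hash list upload in the format the two hash rows above describe (one MD5 per line, optional comma and description), look a scanned file's MD5 up against both lists, and apply a hosts file whitelist of the kind the Hosts file whitelist row accepts. The blank-line handling and the bad-list-wins precedence are assumptions; all sample data is constructed.

```python
import hashlib
import re

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_hash_list(text: str):
    """Parse the upload format described above: one MD5 per line, with an
    optional ",description" after the hash.

    Returns (entries, rejected): entries maps lowercase hash -> description
    ("" when none was given); rejected lists (line number, line) pairs that
    are not a 32-hex-digit MD5, so a malformed upload is caught before use.
    Blank lines are skipped (an assumption; the guide does not mention them)."""
    entries, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        digest, _, description = line.partition(",")
        digest = digest.strip()
        if not MD5_HEX.match(digest):
            rejected.append((lineno, line))
            continue
        entries[digest.lower()] = description.strip()
    return entries, rejected


def parse_hosts_whitelist(text: str) -> set:
    """One hostname per line; case-folded so lookups are not case-sensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def classify_file(md5: str, known_bad: dict, known_good: dict):
    """Look a scanned file's MD5 up in both lists and return
    (verdict, description), verdict being "bad", "good" or "unknown".
    Precedence is an assumption: a hash on the bad list wins."""
    key = md5.lower()
    if key in known_bad:
        return "bad", known_bad[key]
    if key in known_good:
        return "good", known_good[key]
    return "unknown", ""


def hosts_entries_to_report(hosts_text: str, whitelist: set) -> list:
    """Return (ip, hostname) pairs from a hosts file whose hostname is not
    on the whitelist; whitelisted names are ignored, as the row above says."""
    flagged = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            if name.lower() not in whitelist:
                flagged.append((ip, name))
    return flagged


# Constructed sample inputs. The hashes are MD5s of short constructed strings
# computed here, so the sample is self-consistent and contains no real IoCs.
BAD_FILE_MD5 = hashlib.md5(b"constructed-bad-sample").hexdigest()
GOOD_FILE_MD5 = hashlib.md5(b"constructed-good-sample").hexdigest()

SAMPLE_BAD_LIST = (
    f"{BAD_FILE_MD5},dropper seen in constructed incident\n"
    "not-a-hash,should be rejected\n"
)
SAMPLE_GOOD_LIST = f"{GOOD_FILE_MD5.upper()}\n"   # no description, upper case
SAMPLE_WHITELIST = "localhost\nintranet.example.local\n"
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "10.0.0.5 intranet.example.local   # constructed internal host\n"
    "10.0.0.9 update.vendor.example    # not on the whitelist: reported\n"
)

if __name__ == "__main__":
    bad, rejected = parse_hash_list(SAMPLE_BAD_LIST)
    good, _ = parse_hash_list(SAMPLE_GOOD_LIST)
    print("rejected lines:", rejected)
    print(classify_file(BAD_FILE_MD5, bad, good))
    print(classify_file(GOOD_FILE_MD5, bad, good))
    print(hosts_entries_to_report(SAMPLE_HOSTS, parse_hosts_whitelist(SAMPLE_WHITELIST)))
```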

File System Scanning

Scan file system | Turning on this option allows you to scan system directories and files on host computers.

Caution: Enabling this setting in scans targeting 10 or more hosts could result in performance degradation.

Directories

Scan %Systemroot% | Enable file system scanning to scan %Systemroot%

Scan %ProgramFiles% | Enable file system scanning to scan %ProgramFiles%

Scan %ProgramFiles(x86)% | Enable file system scanning to scan %ProgramFiles(x86)%

Scan %ProgramData% | Enable file system scanning to scan %ProgramData%

Scan User Profiles | Enable file system scanning to scan user profiles

Custom File scan Directories (Add File) | Add a custom file that lists directories for malware file scanning. List each directory on one line.

Caution: Root directories such as 'C:\' or 'D:\' are not accepted.

Yara Rules File (Add File) | Enable Yara file system scanning.


Settings / Report

Option | Default | Description

Processing

Override normal verbosity | Disabled | "I have limited disk space. Report as little information as possible" will provide less information about plugin activity in the report to minimize impact on disk space.

"Report as much information as possible" will provide more information about plugin activity in the report.

Show missing patches that have been superseded | Enabled | This option allows you to configure Nessus to include or remove superseded patch information in the scan report.

Hide results from plugins initiated as a dependency | Enabled | If this option is checked, the list of dependencies is not included in the report. If you want to include the list of dependencies in the report, uncheck the box.


Output

Allow users to edit scan results | Enabled | This feature allows users to delete items from the report when checked. When performing a scan for regulatory compliance or other types of audits, uncheck this to show that the scan was not tampered with.

Designate hosts by their DNS name | Disabled | Use the host name rather than IP address for report output.

Display hosts that respond to ping | Disabled | Select this option to specifically report on the ability to successfully ping a remote host.

Display unreachable hosts | Disabled | If this option is selected, hosts that did not reply to the ping request will be included in the security report as dead hosts. Do not enable this option for large IP blocks.


Scan Setting / Advanced

Option | Default | Description

General Settings

Enable Safe Checks | Enabled | Enable Safe Checks disables all plugins that may have an adverse effect on the remote host.

Stop scanning hosts that become unresponsive during the scan | Disabled | If checked, Nessus will stop scanning if it detects that the host has become unresponsive. This may occur if users turn off their PCs during a scan, a host has stopped responding after a denial of service plugin, or a security mechanism (e.g., IDS) has begun to block traffic to a server. Continuing scans on these machines will send unnecessary traffic across the network and delay the scan.

Scan IP addresses in a random order | Disabled | By default, Nessus scans a list of IP addresses in sequential order. If checked, Nessus will scan the list of hosts in a random order. This is typically useful in helping to distribute the network traffic directed at a particular subnet during large scans.

Before July 2013, this option worked on a per-subnet basis. This feature has since been enhanced to randomize across the entire target IP space.


Performance

Slow down the scan when network congestion is detected | Disabled | This enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity. If detected, Nessus will throttle the scan to accommodate and alleviate the congestion. Once the congestion has subsided, Nessus will automatically attempt to use the available space within the network pipe again.

Network timeout (in seconds) | 5 | Set to five seconds by default. This is the time that Nessus will wait for a response from a host unless otherwise specified within a plugin. If you are scanning over a slow connection, you may wish to set this to a higher number of seconds.

Max simultaneous checks per host | 5 | This setting limits the maximum number of checks a Nessus scanner will perform against a single host at one time.

Max simultaneous hosts per scan | 5 | This setting limits the maximum number of hosts that a Nessus scanner will scan at the same time.

Max number of concurrent TCP sessions per host | none | This setting limits the maximum number of established TCP sessions for a single host.

This TCP throttling option also controls the number of packets per second the SYN scanner will eventually send (e.g., if this option is set to 15, the SYN scanner will send 1500 packets per second at most).

Max number of concurrent TCP sessions per scan | none | This setting limits the maximum number of established TCP sessions for the entire scan, regardless of the number of hosts being scanned.

For Nessus scanners installed on Windows XP, Vista, 7, and 8 hosts, this value must be set to 19 or less to get accurate results.

Debug Settings

Log scan details to server | Disabled | Logs the start and finish time for each plugin used during a scan to nessusd.messages.

Enable plugin debugging | Disabled | Attaches available debug logs from plugins to the vulnerability output of this scan.


Scan Credentials Settings

By using Credentials, the Nessus scanner can be granted local access to scan the target system without requiring an agent. This can facilitate scanning of a very large network to determine local exposures or compliance violations. As noted, some steps of policy creation may be optional. Once created, the policy will be saved with recommended settings.

There are several forms of authentication supported including but not limited to databases, SSH, Windows, network devices, patch management servers, and various plaintext authentication protocols. For example, Nessus leverages the ability to log into remote Linux hosts via Secure Shell (SSH); and with Windows hosts, Nessus leverages a variety of Microsoft authentication technologies. Note that Nessus also uses the Simple Network Management Protocol (SNMP) to make version and information queries to routers and switches.

The Scan or Policy's Credentials page allows you to configure the Nessus scanner to use authentication credentials during scanning. Configuring credentials allows Nessus to perform a wider variety of checks that result in more accurate scan results.

Nessus will open several concurrent authenticated connections to carry out credentialed auditing to ensure it is done in a timely fashion. Ensure that the host being audited does not have a strict account lockout policy based on concurrent sessions.

Credentials Security

Credentials input into a Nessus scan or policy are stored in the policies.db file. This file is protected using AES-128 encryption. The key used to encrypt the database is randomly generated and is only readable by the user that performed the Nessus installation. For further security, a master password can be specified by using the "K" argument when invoking the Nessus daemon (nessus-service); this requires entering the master password whenever Nessus is restarted.

Credentials Order

Credentialed scans can perform any operation that a local user can perform. The level of scanning is dependent on the privileges granted to the user account that Nessus is configured to use. The more privileges the scanner has via the login account (e.g., root or administrator access), the more thorough the scan results.

Once the scan settings are configured, Nessus uses credentials in the order they were entered into the scan's Active Credentials list, and continues to use the order of the list until a set of credentials succeeds in logging into the target system.


If the credentials used have administrative privileges on the targeted system and the administrative credentials succeed in logging into the target system, no further attempts will be made using subsequent credentials from the Active Credentials list.

However, if Nessus encounters credentials that have limited privileges on the target system, but the credentials login is successful, Nessus will attempt to use subsequent credentials from the Active Credentials list.

Multiple Scan Targets

When a scan is configured with multiple targets, the scan of each target uses the order of the Active Credentials list until a set of credentials succeeds. After each target's credentials succeed in logging into the scan's target, the scan performs its vulnerability checks, and then the process repeats itself until each target has been scanned.

If the 1st set of credentials in the Active Credentials list succeeds, there will be no further attempts to use subsequent credentials from the Active Credentials list.

If the 1st set of credentials in the Active Credentials list fails, but the 2nd set of credentials in the Active Credentials list succeeds, there will be no further attempts to use subsequent credentials from the Active Credentials list.
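Added example, not from the guide: a Python model of the Active Credentials ordering described in the Credentials Order and Multiple Scan Targets sections, useful for predicting which credential sets a scan will actually present to each host (and so which accounts can trip a lockout policy). The rule it encodes is this editor's reading of the text above: administrative success ends the walk, a limited-privilege success keeps the walk going, a failure moves to the next set; the hosts, credential names and outcomes are constructed.

```python
# Possible outcomes of one login attempt with one credential set.
FAIL, LIMITED, ADMIN = "fail", "limited", "admin"


def try_credentials_in_order(target, active_credentials, login):
    """Walk the Active Credentials list for one target in list order.

    Reading of the section above: an administrative login ends the walk; a
    login with limited privileges is kept but the remaining sets are still
    tried in case one of them has administrative rights; a failure moves on
    to the next set. Returns the (credential, outcome) attempts made."""
    attempts = []
    for cred in active_credentials:
        outcome = login(target, cred)
        attempts.append((cred, outcome))
        if outcome == ADMIN:
            break
    return attempts


def best_access(attempts):
    """Highest privilege level obtained from a list of attempts."""
    outcomes = {outcome for _, outcome in attempts}
    if ADMIN in outcomes:
        return ADMIN
    if LIMITED in outcomes:
        return LIMITED
    return "none"


def run_scan_credentials(targets, active_credentials, login):
    """Repeat the per-target walk for every target in the scan, as the
    Multiple Scan Targets section describes. Returns {target: attempts}."""
    return {t: try_credentials_in_order(t, active_credentials, login) for t in targets}


# Constructed scenario: three credential sets in the order they were entered,
# and the (hypothetical) result each one gets on each host.
ACTIVE_CREDENTIALS = ["svc-audit", "local-admin", "domain-admin"]
CONSTRUCTED_RESULTS = {
    ("host-a", "svc-audit"): FAIL,
    ("host-a", "local-admin"): ADMIN,      # 3rd set is never tried on host-a
    ("host-a", "domain-admin"): ADMIN,
    ("host-b", "svc-audit"): LIMITED,      # limited login: keep going
    ("host-b", "local-admin"): FAIL,
    ("host-b", "domain-admin"): ADMIN,
    ("host-c", "svc-audit"): LIMITED,
    ("host-c", "local-admin"): FAIL,
    ("host-c", "domain-admin"): FAIL,      # no admin access; limited is best
}


def constructed_login(target, cred):
    """Stand-in for a real login attempt; looks the outcome up in the table."""
    return CONSTRUCTED_RESULTS[(target, cred)]


if __name__ == "__main__":
    results = run_scan_credentials(["host-a", "host-b", "host-c"],
                                   ACTIVE_CREDENTIALS, constructed_login)
    for target, attempts in results.items():
        print(target, attempts, "->", best_access(attempts))
```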

Credential Types

The following types of credentials are managed in the Credentials section of the scan or policy:

- Cloud Services

- Database

- Host

- Miscellaneous

- Mobile Device Management

- Patch Management


Cloud Services

Nessus supports the following Cloud credentials:

- Amazon AWS

- Microsoft Azure

- Rackspace

- Salesforce.com


Amazon AWS

Users can select Amazon AWS from the Credentials menu and enter credentials for compliance auditing an account in AWS.

Option | Description

AWS Access Key ID | The AWS access key ID string.

AWS Secret Key | AWS secret key that provides the authentication for AWS Access Key ID.

Amazon AWS Global Settings

Option | Default | Description

Regions to access | Rest of the World | In order for Nessus to audit an Amazon AWS account, you must define the regions you want to scan. Per Amazon policy, you will need different credentials to audit account configuration for the China region than you will for the Rest of the World. Choosing the Rest of the World will open the following choices:

- us-east-1

- us-west-1

- us-west-2

- eu-west-1

- eu-central-1

- ap-northeast-1

- ap-southeast-1

- ap-southeast-2

- sa-east-1

- us-gov-west-1

HTTPS | Enabled | Use HTTPS to access Amazon AWS.

Verify SSL Certificate | Enabled | Verify the validity of the SSL digital certificate.


Microsoft Azure

Option Description
Username  Username required to log in
Password  Password associated with the username
Client Id  Microsoft Azure Client Id
Subscription IDs  List the subscription IDs to scan, separated by commas. If this field is blank, all subscriptions will be audited.


Rackspace

Option Description
Username  Username required to log in
Password or API Keys  Password or API keys associated with the username
Authentication Method  Specify Password or API-Key from the drop-down
Global Settings  Location of the Rackspace Cloud instance.


Salesforce.com

Users can select Salesforce.com from the Credentials menu. This allows Nessus to log in to Salesforce.com as the specified user to perform compliance audits.

Option Description
Username  Username required to log in to Salesforce.com
Password  Password associated with the Salesforce.com username


Database

Nessus supports the following database authentication methods:

- Database
- MongoDB


Database

Nessus supports the following database types:

- PostgreSQL
- DB2
- MySQL
- SQL Server
- Oracle

PostgreSQL

Username  (Required)
Password  Password for the username.
Database Type  PostgreSQL
Database Port  Default 5432
Database Name  If no database name is provided, the default 'postgres' database is used.

DB2

Username  (Required)
Password  Password for the username.
Database Type  DB2
Database Port  Default 50000
Database Name  (Required)

MySQL

Username  (Required)
Password  Password for the username.
Database Type  MySQL
Database Port  Default 3306

SQL Server

Username  (Required)
Password  Password for the username.
Database Type  SQL Server
Database Port  Default 1433 (the standard SQL Server listener port)
Auth type  SQL or Windows
Instance Name  If no instance name is provided, the default instance is used.

Oracle

Username  (Required)
Password  Password for the username.
Database Type  Oracle
Database Port  Default 1521
Auth type  SYSDBA, SYSOPER, or NORMAL
Service type  SID or SERVICE_NAME


MongoDB

Option Description
Username  The username for the database.
Password  The password for the supplied username.
Database  Name of the database to audit.
Port  Port the database listens on.


Host

Nessus supports the following Host authentication methods:

- SSH
- SNMPv3
- Windows


SSH

On Linux systems and supported network devices, Nessus uses Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH) for host-based checks.

This mechanism encrypts the data in transit to protect it from being viewed by sniffer programs. Nessus supports six types of authentication methods for use with SSH:

- Public Key
- Certificate
- CyberArk Vault
- Kerberos
- Password Authentication
- Thycotic Secret Server Authentication

Users can select SSH settings from the Credentials menu and enter credentials for scanning Linux systems.

These credentials are used to obtain local information from remote Linux systems for patch auditing or compliance checks.

Non-privileged users with local access on Linux systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.

Global Credential Settings

Option Default Description
known_hosts file  none  If an SSH known_hosts file is provided in this field of the scan policy's Global Settings, Nessus will only attempt to log into hosts listed in that file. This ensures that the username and password you use to audit your known SSH servers are never offered to a system that may not be under your control (a rogue host that accepts password authentication would simply record them).
Preferred port  22  Set this option to direct Nessus to connect to SSH on a port other than 22.
Client version  OpenSSH_5.0  Specifies which SSH client version string Nessus presents while scanning.
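The gating that the known_hosts option performs can be checked before a scan is launched. The Python below is an added example written for this guide, not Nessus code: it parses an OpenSSH known_hosts file (plain names and addresses, comma-separated aliases, [host]:port entries for non-default ports, wildcard and negated patterns, hashed |1|salt|hmac entries, and @revoked markers) and reports which targets the scan would attempt. How Nessus itself matches entries is not specified in this guide; the example follows the file format rules from sshd(8). The file contents and the key column are constructed placeholders.

```python
"""Predict which targets a known_hosts-gated SSH scan will attempt.

Added example for this guide, not Nessus code. A target is attempted only
if it matches an entry in the file, following the OpenSSH known_hosts rules.
"""
import base64
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

DEFAULT_SSH_PORT = 22
HostEntries = List[Tuple[Optional[str], str]]  # (marker such as "@revoked", host field)


def _name_form(host: str, port: int) -> str:
    """OpenSSH records hosts on non-default ports as [host]:port."""
    return host if port == DEFAULT_SSH_PORT else f"[{host}]:{port}"


def _glob_match(name: str, pattern: str) -> bool:
    """known_hosts patterns know only '*' and '?'; brackets are literal, case ignored."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def _hashed_matches(field: str, name: str) -> bool:
    """Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    _, _, salt_b64, mac_b64 = field.split("|")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    mac = hmac.new(salt, name.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def _field_matches(field: str, name: str) -> bool:
    """Match the host column of one line: hashed, or comma-separated patterns."""
    if field.startswith("|1|"):
        return _hashed_matches(field, name)
    positive = negated = False
    for pattern in field.split(","):
        if pattern.startswith("!"):
            negated = negated or _glob_match(name, pattern[1:])
        else:
            positive = positive or _glob_match(name, pattern)
    return positive and not negated


def parse_known_hosts(text: str) -> HostEntries:
    """Return (marker, host_field) pairs; key material is not needed for gating."""
    entries: HostEntries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        marker = parts.pop(0) if parts[0].startswith("@") else None
        if len(parts) < 3:  # host, key type, key: anything shorter is malformed
            continue
        entries.append((marker, parts[0]))
    return entries


def host_allowed(host: str, port: int, entries: HostEntries) -> bool:
    """True if the scanner would attempt this target under the known_hosts gate."""
    name = _name_form(host, port)
    allowed = False
    for marker, field in entries:
        if _field_matches(field, name):
            if marker == "@revoked":
                return False
            allowed = True
    return allowed


def filter_targets(targets, known_hosts_text: str):
    entries = parse_known_hosts(known_hosts_text)
    return [(h, p) for h, p in targets if host_allowed(h, p, entries)]


def hashed_entry(name: str, salt: bytes) -> str:
    """Build the host column of a hashed entry (what HashKnownHosts writes)."""
    mac = hmac.new(salt, name.encode("utf-8"), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"


# Constructed sample file. The key column is a placeholder, not a real key.
_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC-placeholder"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed for the example",
    f"web01.example.com,10.0.0.10 {_KEY}",
    f"[jump.example.com]:2222 {_KEY}",
    f"*.lab.example.com,!build.lab.example.com {_KEY}",
    f"{hashed_entry('10.0.0.5', b'0123456789abcdef0123')} {_KEY}",
    f"@revoked 10.0.0.99 {_KEY}",
])

if __name__ == "__main__":
    targets = [("web01.example.com", 22), ("jump.example.com", 22), ("jump.example.com", 2222),
               ("10.0.0.5", 22), ("build.lab.example.com", 22), ("10.0.0.99", 22),
               ("attacker.example.net", 22)]
    attempted = filter_targets(targets, SAMPLE_KNOWN_HOSTS)
    for host, port in targets:
        print(f"{host}:{port} -> {'attempt' if (host, port) in attempted else 'skip'}")
```

Run it against the real file you intend to hand to the policy and the real target list; any target that prints "skip" will receive no login attempt, which is the intended behaviour when the host is not one you manage. Note that a host listed only on its non-default port (jump.example.com on 2222 above) does not match on port 22, so the Preferred port setting and the file must agree.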


Authentication Options

Option Description
Authentication method  One of:
- Public Key
- Certificate
- CyberArk Vault
- Kerberos
- Password Authentication
- Thycotic Secret Server Authentication
Username  Username of the account that is being used for authentication on the host system.
Private Key  RSA or DSA OpenSSH key file of the user. Only RSA and DSA OpenSSH keys are supported.
Private key passphrase  Passphrase of the Private Key.
Elevate privileges with  Allows for increasing privileges once authenticated. One of:
- .k5login
- Cisco
- dzdo
- pbrun
- su
- su+sudo
- sudo


Public Key

Public key authentication, built on asymmetric cryptography (a public and private key pair), provides a more secure authentication mechanism than passwords. In SSH public key authentication the client proves possession of the private key by signing a challenge that the server verifies with the registered public key, so the private key never leaves the scanner and nothing reusable is disclosed to the server. The use of public and private keys is a more secure and flexible method for SSH authentication. Nessus supports both DSA and RSA key formats.

As with public key authentication, Nessus supports RSA and DSA OpenSSH certificates. For certificate authentication Nessus also requires the user certificate, which is signed by a Certificate Authority (CA), and the user's private key.

Note: Nessus supports the OpenSSH public key format. Keys from other SSH applications, including PuTTY and SSH Communications Security, must be converted to OpenSSH public key format.
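The conversion the note asks for can be done without external tools. The Python below is an added example for this guide, not Nessus or OpenSSH code: it reads the RFC 4716 "SSH2 PUBLIC KEY" text that PuTTYgen's "Save public key" and SSH Communications Security produce, checks that the key type is one of the two this guide says Nessus accepts (ssh-rsa for RSA, ssh-dss for DSA), and emits the one-line OpenSSH form. The sample key blob is built from placeholder numbers and is not a usable key.

```python
"""Convert an RFC 4716 ("SSH2 PUBLIC KEY") public key to OpenSSH one-line form.

Added example for this guide, not Nessus or OpenSSH code. Nessus wants the
OpenSSH line "<type> <base64 blob> [comment]" and, per this guide, accepts
only RSA and DSA keys. The sample key below is a placeholder, not a real key.
"""
import base64
import struct
from typing import Tuple

SUPPORTED_TYPES = {"ssh-rsa", "ssh-dss"}  # the OpenSSH names for RSA and DSA


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': two's-complement big-endian; a leading 0x00 keeps it positive."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def key_type_of_blob(blob: bytes) -> str:
    """The key type is the first length-prefixed string of the wire blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def rfc4716_to_openssh(text: str) -> str:
    """Parse RFC 4716 text, validate the key type, return the OpenSSH line."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key")
    comment, body, i = "", [], 1
    # Header lines are "Name: value"; a trailing backslash continues the value.
    while i < len(lines) and ":" in lines[i] and not lines[i].startswith("----"):
        name, value = lines[i].split(":", 1)
        value = value.strip()
        while value.endswith("\\") and i + 1 < len(lines):
            i += 1
            value = value[:-1] + lines[i]
        if name.strip().lower() == "comment":
            comment = value.strip('"')
        i += 1
    while i < len(lines) and not lines[i].startswith("----"):
        body.append(lines[i])  # base64 never contains ':' or '----'
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    key_type = key_type_of_blob(blob)
    if key_type not in SUPPORTED_TYPES:
        raise ValueError(f"key type {key_type} is not accepted by Nessus (RSA or DSA only)")
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def parse_openssh_line(line: str) -> Tuple[str, bytes, str]:
    """Split an OpenSSH public key line into (type, blob, comment)."""
    parts = line.split(None, 2)
    return parts[0], base64.b64decode(parts[1]), (parts[2] if len(parts) > 2 else "")


# --- constructed sample material (placeholder numbers, not real keys) ----------

def make_rsa_blob(e: int, n: int) -> bytes:
    """ssh-rsa wire blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_rfc4716(blob: bytes, comment: str) -> str:
    """Wrap a blob the way PuTTYgen and 'ssh-keygen -e' do (wrapped base64)."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return (
        "---- BEGIN SSH2 PUBLIC KEY ----\n"
        f'Comment: "{comment}"\n'
        f"{body}\n"
        "---- END SSH2 PUBLIC KEY ----\n"
    )


SAMPLE_RSA_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)  # toy modulus
SAMPLE_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)
SAMPLE_RFC4716 = to_rfc4716(SAMPLE_RSA_BLOB, "nessus-scanner")

if __name__ == "__main__":
    print(SAMPLE_RFC4716)
    print(rfc4716_to_openssh(SAMPLE_RFC4716))
```

The type check is the part worth keeping: a key of any other type (the Ed25519 sample above, for instance) converts cleanly but will be refused by the Private Key field, so rejecting it at conversion time gives a clearer error than a failed scan.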

The most effective credentialed scans are those where the supplied credentials have root privileges. Since many sites do not permit a remote login as root, Nessus can invoke su, sudo, su+sudo, dzdo, .k5login, or pbrun with a separate password for an account that has been set up with su or sudo privileges. In addition, Nessus can escalate privileges on Cisco devices by selecting Cisco 'enable', or use .k5login for Kerberos logins.

Nessus supports the blowfish-cbc, aes-cbc, and aes-ctr cipher algorithms. Some commercial variants of SSH do not support the blowfish algorithm, possibly for export reasons, and current OpenSSH releases disable CBC-mode ciphers and blowfish by default, so aes-ctr is the one most likely to be accepted. It is also possible to configure an SSH server to accept only certain ciphers. Check your SSH server to ensure that a cipher Nessus offers is enabled.

Nessus encrypts all passwords stored in policies. However, using SSH keys for authentication rather than SSH passwords is recommended: a password is handed to whatever server Nessus connects to, whereas a key only produces a signature, so the username and password you use to audit your known SSH servers cannot be captured by a system that is not under your control.

For supported network devices, Nessus supports only the device's username and password for SSH connections.

If an account other than root must be used for privilege escalation, it can be specified under the Escalation account with the Escalation password.

Option Description
Username  Username of the account which is being used for authentication on the host system.
Private Key  RSA or DSA OpenSSH key file of the user.
Private key passphrase  Passphrase of the Private Key.
Elevate privileges with  Allows for increasing privileges once authenticated.


Certificate

Option Description
Username  Username of the account which is being used for authentication on the host system.
User Certificate  RSA or DSA OpenSSH certificate file of the user.
Private Key  RSA or DSA OpenSSH key file of the user.
Private key passphrase  Passphrase of the Private Key.
Elevate privileges with  Allows for increasing privileges once authenticated.


CyberArk Vault

CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Nessus can get credentials from CyberArk to use in a scan.

Option Description
Username  The target system's username.
Domain  This is an optional field if the above username is part of a domain.
Central Credential Provider Host  The CyberArk Central Credential Provider IP/DNS address.
Central Credential Provider Port  The port the CyberArk Central Credential Provider is listening on.
Vault Username (optional)  If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication.
Vault Password (optional)  If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication.
Safe  The safe on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.
AppId  The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.
Folder  The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.
PolicyId  The PolicyID assigned to the credentials you would like to retrieve from the CyberArk Central Credential Provider.
Use SSL  If the CyberArk Central Credential Provider is configured to support SSL through IIS, check this for secure communication.
Verify SSL Certificate  If the CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, check this. Refer to the custom_CA.inc documentation for how to use self-signed certificates.


Kerberos

Kerberos, developed by MIT's Project Athena, is a client/server authentication protocol built on symmetric key encryption. In symmetric encryption, the key used to encrypt the data is the same as the key used to decrypt the data. Organizations deploy a KDC (Key Distribution Center) that holds the keys of all users and services that require Kerberos authentication. Users authenticate to Kerberos by requesting a TGT (Ticket Granting Ticket). Once a user is granted a TGT, it can be used to request service tickets from the KDC in order to use other Kerberos-based services. Kerberos originally encrypted all of its messages with DES in CBC (Cipher Block Chaining) mode; current implementations use AES (RFC 3962), and DES is deprecated (RFC 6649).

Note: You must already have a Kerberos environment established to use this method of authentication.

The Nessus implementation of Linux-based Kerberos authentication for SSH supports the aes-cbc and aes-ctr encryption algorithms. An overview of how Nessus interacts with Kerberos is as follows:

1. The end user supplies the IP address of the KDC.
2. nessusd asks sshd whether it supports Kerberos authentication.
3. sshd says yes.
4. nessusd requests a Kerberos TGT from the KDC, supplying the login and password.
5. The KDC sends a ticket back to nessusd.
6. nessusd presents the ticket (a service ticket for the target host, obtained with the TGT) to sshd.
7. nessusd is logged in.

In both the Windows and SSH credential settings, you can specify credentials using Kerberos keys from a remote system. Note that there are differences in the configurations for Windows and SSH.

Option Description
Username  The target system's username.
Password  Password of the username specified.
Key Distribution Center (KDC)  This host supplies the session tickets for the user.
KDC Port  Set this option to direct Nessus to connect to the KDC if it is running on a port other than 88.
KDC Transport  The KDC uses TCP by default in Linux implementations. For UDP, change this option. Note that if you change the KDC Transport value, you may also need to change the port, as KDC over UDP uses either port 88 or 750 by default, depending on the implementation.
Realm  The Realm is the authentication domain, usually noted as the domain name of the target (e.g., example.com). Realm names are case-sensitive and conventionally written in upper case (EXAMPLE.COM).
Elevate privileges with  Allows for increasing privileges once authenticated.

If Kerberos is used, sshd must be configured with Kerberos support (GSSAPIAuthentication enabled in sshd_config) so that it can verify the ticket with the KDC. Reverse DNS lookups must be properly configured for this to work, since the service principal is derived from the target's host name. The Kerberos interaction method must be gssapi-with-mic.


Password Authentication

Option Description
Username  The target system's username.
Password  Password of the username specified.
Elevate privileges with  Allows for increasing privileges once authenticated.


Thycotic Secret Server Authentication

Option Description
Username (required)  The username that is used to authenticate via SSH to the system.
Domain  Set the domain the username is part of if using Windows credentials.
Thycotic Secret Name (required)  This is the value that the secret is stored as on the Thycotic server. It is referred to as the "Secret Name" on the Thycotic server.
Thycotic Secret Server URL (required)  This is used to set the transfer method, target, and target directory for the scanner. The value can be found in Admin -> Configuration -> Application Settings -> Secret Server URL on the Thycotic server. For example, given the address https://pw.mydomain.com/SecretServer/, Nessus parses it as: https defines an SSL connection, pw.mydomain.com is the target address, and /SecretServer/ is the root directory.
Thycotic Login Name (required)  The username to authenticate to the Thycotic server.
Thycotic Password (required)  The password associated with the Thycotic Login Name.
Thycotic Organization (required)  This value is used in cloud instances of Thycotic to define which organization your query should hit.
Thycotic Domain (optional)  This is an optional value, set if the domain value is set for the Thycotic server.
Private Key (optional)  Use key-based authentication for SSH connections instead of a password.
Verify SSL Certificate  Verify that the SSL certificate on the server is signed by a trusted CA.


SNMPv3

Users can select SNMPv3 settings from the Credentials menu and enter credentials for scanning systems using an encrypted network management protocol.

These credentials are used to obtain local information from remote systems, including network devices, for patch auditing or compliance checks.

There is a field for entering the SNMPv3 user name for the account that will perform the checks on the target system, along with the SNMPv3 port, security level, authentication algorithm and password, and privacy algorithm and password.

If Nessus is unable to authenticate to the SNMP service (for SNMPv3 with the user credentials, or for SNMPv1/v2c with the community string), it may not perform a full audit of the service.

Option Description
Username  The username for an SNMPv3-based account.
Port  Direct Nessus to scan a different port if SNMP is running on a port other than 161.
Security level  Select the SNMPv3 security level: no authentication and no privacy, authentication without privacy, or authentication with privacy. SNMPv3 does not allow privacy without authentication.
Authentication algorithm  Select MD5 or SHA1, based on which algorithm the remote service supports.
Authentication password  The password for the username specified.
Privacy algorithm  The encryption algorithm to use for SNMP traffic; it must match the algorithm configured on the device.
Privacy password  A password used to protect encrypted SNMP communication.


Windows

The Windows credentials menu item has settings to provide Nessus with information such as the SMB account name, password, and domain name. Nessus supports several different authentication methods for Windows-based systems:

- The Lanman authentication method was prevalent on Windows NT and early Windows 2000 server deployments; it is retained for backward compatibility.

- The NTLM authentication method, introduced with Windows NT, provided improved security over Lanman authentication. The enhanced version, NTLMv2, is cryptographically stronger than NTLM and is the default authentication method chosen by Nessus when attempting to log into a Windows server. NTLMv2 can make use of SMB signing.

- SMB signing is a cryptographic checksum (a message authentication code) applied to all SMB traffic to and from a Windows server, so that a man-in-the-middle cannot modify or relay a session undetected. Many system administrators enable this feature on their servers to ensure that remote users are genuinely authenticated and part of a domain. Nessus uses it automatically if the remote Windows server requires it. Note that there have been many attacks against Windows authentication that elicit password hashes or challenge responses from computers for reuse in attacking other servers; SMB signing adds a layer of protection against these man-in-the-middle attacks. In addition, enforce a policy that mandates strong passwords that cannot be easily broken by dictionary attacks with tools like John the Ripper and L0phtCrack.

- The SPNEGO (Simple and Protected Negotiate) protocol provides Single Sign On (SSO) capability from a Windows client to a variety of protected resources via the user's Windows login credentials. Nessus supports the use of SPNEGO with either NTLMSSP with LMv2 authentication or Kerberos with RC4 encryption. SPNEGO authentication happens through NTLM or Kerberos authentication; nothing needs to be configured in the Nessus policy.

- If an extended security scheme (such as Kerberos or SPNEGO) is not supported or fails, Nessus will attempt to log in via NTLMSSP/LMv2 authentication. If that fails, Nessus will then attempt to log in using NTLM authentication.

- Nessus also supports the use of Kerberos authentication in a Windows domain. To configure this, the IP address of the Kerberos Domain Controller (that is, the IP address of the Windows Active Directory domain controller) must be provided.

Server Message Block (SMB) is a file-sharing protocol that allows computers to share information across the network. Providing this information to Nessus allows it to obtain local information from a remote Windows host. For example, using credentials enables Nessus to determine whether important security patches have been applied. It is not necessary to modify other SMB parameters from their default settings.


The SMB domain field is optional, and Nessus is able to log on with domain credentials without it. The username, password, and optional domain refer to an account that the target machine is aware of. For example, given a username of joesmith and a password of my4x4mpl3, a Windows server first looks for this username in the local system's list of users, and then determines whether it is part of a domain.

Regardless of the credentials used, Nessus always attempts to log into a Windows server with the following combinations:

- Administrator without a password
- A random username and password, to test Guest accounts
- No username or password, to test null sessions

The actual domain name is only required if an account name differs on the domain from the one on the computer. It is entirely possible to have an Administrator account on a Windows server and within the domain. In this case, to log onto the local server, the username Administrator is used with the password of that account. To log onto the domain, the Administrator username is also used, but with the domain password and the name of the domain.

When multiple SMB accounts are configured, Nessus tries to log in with the supplied credentials sequentially. Once Nessus is able to authenticate with a set of credentials, it still checks the subsequent credentials supplied, but uses them only if they grant administrative privileges where the earlier account provided only user access.
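The two selection rules this guide states (for the Active Credentials list at the start of the section, the first set that logs in is used and later sets are not tried; for SMB, later sets are still checked and the scan switches only to one that grants administrative access where the earlier success was user-level) can be made concrete. The Python below is an added example for this guide, not Nessus code, and the per-host login outcomes it consults are a constructed table rather than real probes.

```python
"""Walk an ordered credential list the way the guide describes.

Added example for this guide, not Nessus code. Two rules are modelled:
  generic (Active Credentials list / SSH): the first set that logs in is
    used and nothing further is attempted on that target;
  SMB (prefer_admin=True): later sets are still checked, and the scan
    switches only if one of them grants administrative access where the
    earlier success was user-level.
Login outcomes come from a constructed table, not from real probes.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

NO_ACCESS, USER, ADMIN = "none", "user", "admin"


@dataclass(frozen=True)
class Credential:
    label: str
    username: str
    secret: str  # password or key passphrase; never logged


Probe = Callable[[str, Credential], str]  # (target, credential) -> access level


def select_credential(target: str, creds: Sequence[Credential], probe: Probe,
                      prefer_admin: bool = False) -> Tuple[Optional[Credential], str, List[str]]:
    """Return (chosen credential or None, access level, labels tried in order)."""
    chosen: Optional[Credential] = None
    level = NO_ACCESS
    tried: List[str] = []
    for cred in creds:
        tried.append(cred.label)
        result = probe(target, cred)
        if result == NO_ACCESS:
            continue
        if chosen is None:
            chosen, level = cred, result
            if level == ADMIN or not prefer_admin:
                break  # first success wins; nothing further is attempted
        elif result == ADMIN:
            chosen, level = cred, result  # upgrade from user-level to admin
            break
    return chosen, level, tried


def plan_scan(targets: Sequence[str], creds: Sequence[Credential], probe: Probe,
              prefer_admin: bool = False) -> Dict[str, Tuple[Optional[str], str, int]]:
    """Per-target (credential label, level, number of attempts) for a whole scan."""
    plan: Dict[str, Tuple[Optional[str], str, int]] = {}
    for target in targets:
        cred, level, tried = select_credential(target, creds, probe, prefer_admin)
        plan[target] = (cred.label if cred else None, level, len(tried))
    return plan


# Constructed outcome table: what each credential would obtain on each host.
OUTCOMES = {
    ("web01", "svc-audit"): USER,
    ("web01", "local-admin"): ADMIN,
    ("db01", "svc-audit"): ADMIN,
    ("dc01", "domain-admin"): ADMIN,
}

CREDS = [
    Credential("svc-audit", "svc_audit", "pw-1"),
    Credential("local-admin", "Administrator", "pw-2"),
    Credential("domain-admin", "CORP\\scanadm", "pw-3"),
]


def table_probe(target: str, cred: Credential) -> str:
    """Stand-in for a real login attempt; looks the outcome up in OUTCOMES."""
    return OUTCOMES.get((target, cred.label), NO_ACCESS)


if __name__ == "__main__":
    for policy, prefer in (("SSH / generic", False), ("SMB", True)):
        print(policy, plan_scan(["web01", "db01", "dc01", "printer"], CREDS, table_probe, prefer))
```

The practical consequence is visible in the web01 row: under the generic rule a user-level service account listed first stops the search, so the scan runs with reduced privileges even though an administrative set sits further down the list; ordering the list with the most privileged, most widely valid set first avoids that. Every failed attempt still counts as a login on the target and will appear in its audit logs, so a long list of credentials against many hosts is also a lockout risk.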

Some versions of Windows allow you to create a new account and designate it as an administrator. These accounts are not always suitable for performing credentialed scans. Tenable recommends that the original administrative account, named Administrator, be used for credentialed scanning to ensure full access is permitted. On some versions of Windows this account may be hidden (disabled). It can be re-enabled by running a command prompt with administrative privileges and typing the following command:

C:\> net user administrator /active:yes

If an SMB account is created with limited administrator privileges, Nessus can easily and securely scan multiple domains. Tenable recommends that network administrators consider creating specific domain accounts to facilitate testing. Nessus includes a variety of security checks for Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2, Windows 2012, and Windows 2012 R2 that are more accurate if a domain account is provided. Nessus does attempt several checks in most cases even if no account is provided.

The Windows Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry is not possible, even with full credentials. This service must be started for a Nessus credentialed scan to fully audit a system.


Credentialed scans on Windows systems require that a full administrator-level account be used. Several bulletins and software updates by Microsoft have made reading the registry to determine software patch level unreliable without administrator privileges, though not all of them. Nessus plugins check that the provided credentials have full administrative access to ensure they execute properly. For example, full administrative access is required to read the file system directly. This allows Nessus to attach to a computer and perform direct file analysis to determine the true patch level of the systems being evaluated.

Global Credential Settings

Option Default Description
Never send credentials in the clear  Enabled  For security reasons, Windows credentials are not sent in the clear by default.
Do not use NTLMv1 authentication  Enabled  If this option is disabled, a hostile Windows server can trick Nessus into attempting to log in with domain credentials via the NTLM version 1 protocol. This gives the remote attacker a challenge/response derived from the password hash, which can be cracked offline to recover the password or used to log into other servers. Leaving the option enabled forces Nessus to use NTLMv2, so a hostile Windows server cannot negotiate NTLMv1 and receive a hash. Because NTLMv1 is an insecure protocol, this option is enabled by default.
Start the Remote Registry service during the scan  Disabled  This option tells Nessus to start the Remote Registry service on computers being scanned if it is not running. This service must be running for Nessus to execute some Windows local check plugins.
Enable administrative shares during the scan  Disabled  This option allows Nessus to access certain registry entries that can be read with administrator privileges.

Authentication Methods

Option Description
Windows Authentication Methods  One of:
- Password
- CyberArk
- Kerberos
- LM Hash
- NTLM Hash
- Thycotic Secret Server


Password

Password authentication requires a Username and Password.


CyberArk Vault

CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Nessus can get credentials from CyberArk to use in a scan.

Option | Description

Username | The target system's username.

Domain | This is an optional field if the above username is part of a domain.

Central Credential Provider Host | The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider Port | The port the CyberArk Central Credential Provider is listening on.

Vault Username (optional) | If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication.

Vault Password (optional) | If the CyberArk Central Credential Provider is configured to use basic authentication, you can fill in this field for authentication.

Safe | The safe on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

AppId | The AppId that has been allocated permissions on the CyberArk Central Credential Provider to retrieve the target password.

Folder | The folder on the CyberArk Central Credential Provider server that contains the authentication information you would like to retrieve.

PolicyId | The PolicyID assigned to the credentials you would like to retrieve from the CyberArk Central Credential Provider.

Use SSL | If the CyberArk Central Credential Provider is configured to support SSL through IIS, check this for secure communication.

Verify SSL Certificate | If the CyberArk Central Credential Provider is configured to support SSL through IIS and you want to validate the certificate, check this. Refer to the custom_CA.inc documentation for how to use self-signed certificates.

CyberArk elevate privileges with | Nothing, .k5login, Cisco 'enable', dzdo, pbrun, su, su+sudo


Kerberos

Option | Default Value | Description

Username (Required) | |

Password (Required) | |

Key Distribution Center (KDC) (Required) | | This host supplies the session tickets for the user. This is a required field.

KDC Port | 88 | This option can be set to direct Nessus to connect to the KDC if it is running on a port other than 88.

KDC Transport | TCP | Note that if you need to change the KDC Transport value, you may also need to change the port, as KDC UDP uses either port 88 or 750 by default, depending on the implementation.

Domain (Required) | | The Windows domain that the KDC administers. This is a required field.


LM Hash

Option | Description

Username | The target system's username.

Hash | Hash being utilized.

Domain | The Windows domain of the specified user's name.


NTLM Hash

Option | Description

Username | The target system's username.

Hash | Hash being utilized.

Domain | The Windows domain of the specified user's name.


Thycotic Secret Server Authentication

Option | Description

Username (required) | The username that is used to authenticate via SSH to the system.

Domain | Set the domain the username is part of if using Windows credentials.

Thycotic Secret Name (required) | This is the value that the secret is stored as on the Thycotic server. It is referred to as the "Secret Name" on the Thycotic server.

Thycotic Secret Server URL (required) | This is used to set the transfer method, target, and target directory for the scanner. The value can be found in Admin -> Configuration -> Application Settings -> Secret Server URL on the Thycotic server. For example, consider the address https://pw.mydomain.com/SecretServer/. Nessus parses this as follows: https means the connection uses SSL, pw.mydomain.com is the target address, and /SecretServer/ is the root directory.

Thycotic Login Name (required) | The username to authenticate to the Thycotic server.

Thycotic Password (required) | The password associated with the Thycotic Login Name.

Thycotic Organization (required) | This value is used in cloud instances of Thycotic to define which organization your query should hit.

Thycotic Domain (optional) | This is an optional value, set if the domain value is set for the Thycotic server.

Private Key (optional) | Use key-based authentication for SSH connections instead of a password.

Verify SSL Certificate | Verify if the SSL Certificate on the server is signed by a trusted CA.
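The Secret Server URL split described above (scheme to SSL on/off, host to target address, path to root directory), as an added example that is not Tenable's code. It also flags the two transport settings a reviewer would question: a plain http URL, and SSL without Verify SSL Certificate. The host ss.example.internal and port 8080 are constructed sample values.

```python
from urllib.parse import urlsplit

# Port implied by the scheme when the URL does not name one explicitly
DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_secret_server_url(url):
    """Break a Secret Server URL into the pieces the scanner needs: whether to
    use SSL (from the scheme), the target address (host) and the root directory
    (path). Raises ValueError on anything that cannot be used."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be http or https, got %r" % scheme)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    # "/SecretServer" and "/SecretServer/" denote the same root directory
    root = "/" + parts.path.strip("/")
    if root != "/":
        root += "/"
    return {
        "ssl": scheme == "https",
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],
        "root": root,
    }


def transport_warnings(settings, verify_ssl_certificate):
    """Flag configurations in which the Thycotic login name and password, and the
    secret that comes back, would be exposed in transit or to an impersonated server."""
    warnings = []
    if not settings["ssl"]:
        warnings.append("plain HTTP: Thycotic credentials and secrets cross the network unencrypted")
    elif not verify_ssl_certificate:
        warnings.append("Verify SSL Certificate is off: a spoofed Secret Server would not be detected")
    return warnings


if __name__ == "__main__":
    # The guide's own example address, followed by a constructed plain-HTTP one
    for url in ("https://pw.mydomain.com/SecretServer/", "http://ss.example.internal:8080/SecretServer"):
        cfg = parse_secret_server_url(url)
        print(cfg, transport_warnings(cfg, verify_ssl_certificate=True))
```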


Miscellaneous

This section includes information and settings for credentials in the Miscellaneous category:

- ADSI

- IBM iSeries

- Palo Alto Networks PAN-OS

- RHEV (Red Hat Enterprise Virtualization)

- VMware ESX SOAP API

- VMware vCenter SOAP API

- X.509


ADSI

ADSI requires the domain controller information, domain, and domain admin username and password.

ADSI allows Nessus to query an ActiveSync server to determine if any Android or iOS-based devices are connected. Using the credentials and server information, Nessus authenticates to the domain controller (not the Exchange server) to directly query it for device information. This feature does not require any ports be specified in the scan policy. These settings are required for mobile device scanning.

Option | Description

Domain Controller | Name of the domain controller for ActiveSync

Domain | Name of the Windows domain for ActiveSync

Domain Admin | Domain admin's username

Domain Password | Domain admin's password

Nessus supports obtaining the mobile information from Exchange Server 2010 and 2013 only; Nessus cannot retrieve information from Exchange Server 2007.


IBM iSeries

IBM iSeries only requires an iSeries username and password.


Palo Alto Networks PAN-OS

Palo Alto Networks PAN-OS requires a PAN-OS username and password and the management port number; you can also enable HTTPS and verify the SSL certificate.


RHEV (Red Hat Enterprise Virtualization)

RHEV requires a username, password, and network port. Additionally, you can enable verification of the SSL certificate.

Option | Description

Username | Username to log in to the RHEV server. This is a required field.

Password | Password to log in to the RHEV server. This is a required field.

Port | Port to connect to the RHEV server.

Verify SSL Certificate | Verify that the SSL certificate for the RHEV server is valid.


VMware ESX SOAP API

Access to VMware servers is available through its native SOAP API. VMware ESX SOAP API allows you to access the ESX and ESXi servers via username and password. Additionally, you have the option of not enabling SSL certificate verification:

Option | Description

Username | Username to log in to the ESXi server. This is a required field.

Password | Password to log in to the ESXi server. This is a required field.

Do not verify SSL Certificate | Do not verify that the SSL certificate for the ESXi server is valid.


VMware vCenter SOAP API

VMware vCenter SOAP API allows you to access vCenter. This requires a username, password, vCenter hostname, and vCenter port.

Additionally, you can require HTTPS and SSL certificate verification.

Credential | Description

vCenter Host | Name of the vCenter host. This is a required field.

vCenter Port | Port to access the vCenter host.

Username | Username to log in to the vCenter server. This is a required field.

Password | Password to log in to the vCenter server. This is a required field.

HTTPS | Connect to the vCenter via SSL.

Verify SSL Certificate | Verify that the SSL certificate for the ESXi server is valid.


X.509

For X.509, you will need to supply the client certificate, client private key, its corresponding passphrase, and the trusted Certificate Authority's (CA) digital certificate.


Mobile Device Management

Nessus supports the following mobile device authentication methods:

- AirWatch

- Apple Profile Manager

- Good MDM

- MaaS360

- MobileIron


AirWatch

Option | Description

AirWatch Environment API URL (required) | The URL of the SOAP or REST API

Port | Set to use a different port to authenticate with AirWatch

Username (required) | The username to authenticate with AirWatch's API

Password (required) | The password to authenticate with AirWatch's API

API Keys (required) | The API Key for the AirWatch REST API

HTTPS | Set to use HTTPS instead of HTTP

Verify SSL Certificate | Verify if the SSL Certificate on the server is signed by a trusted CA.


Apple Profile Manager

Option | Description

Server (required) | The server URL to authenticate with Apple Profile Manager

Port | Set to use a different port to authenticate with Apple Profile Manager

Username (required) | The username to authenticate

Password (required) | The password to authenticate

HTTPS | Set to use HTTPS instead of HTTP

Verify SSL Certificate | Verify if the SSL Certificate on the server is signed by a trusted CA.

Global Credential Settings

Force device updates | Force devices to update with Apple Profile Manager immediately

Device update timeout (minutes) | Number of minutes to wait for devices to reconnect with Apple Profile Manager


Good MDM

Option | Description

Server (required) | The server URL to authenticate with Good MDM

Port (required) | Set the port to use to authenticate with Good MDM

Domain (required) | The domain name for Good MDM

Username (required) | The username to authenticate

Password (required) | The password to authenticate

HTTPS | Set to use HTTPS instead of HTTP

Verify SSL Certificate | Verify if the SSL Certificate on the server is signed by a trusted CA.


MaaS360

Option | Description

Username (required) | The username to authenticate

Password (required) | The password to authenticate

Root URL (required) | The server URL to authenticate with MaaS360

Platform ID (required) | The Platform ID provided for MaaS360

Billing ID (required) | The Billing ID provided for MaaS360

App ID (required) | The App ID provided for MaaS360

App Version (required) | The App Version of MaaS360

App access key (required) | The App Access Key provided for MaaS360


MobileIron

Option | Description

VSP Admin Portal URL (required) | The server URL to authenticate with MobileIron

Port | Set to use a different port to authenticate

Username (required) | The username to authenticate

Password (required) | The password to authenticate

HTTPS | Set to use HTTPS instead of HTTP

Verify SSL Certificate | Verify if the SSL Certificate on the server is signed by a trusted CA.


Patch Management

Nessus Manager and Tenable Cloud can leverage credentials for patch auditing on systems for which credentials may not be available to the Nessus scanner:

- Dell KACE K1000

- IBM Tivoli Endpoint Manager (TEM)

- Microsoft System Center Configuration Manager (SCCM)

- Windows Server Update Services (WSUS)

- Red Hat Satellite 6 Server

- Red Hat Satellite 5 Server

- Symantec Altiris

IT administrators are expected to manage the patch monitoring software and install any agents required by the patch management system on their systems.

Scanning With Multiple Patch Managers

If multiple sets of credentials are supplied to Nessus for patch management tools, Nessus will use all of them.

If credentials are provided for a host, as well as a patch management system, or multiple patch management systems, Nessus will compare the findings between all methods and report on conflicts or provide a satisfied finding. Using the Patch Management Windows Auditing Conflicts plugins, the patch data differences (conflicts) between the host and a patch management system will be highlighted.


Dell KACE K1000

KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus and SecurityCenter have the ability to query KACE K1000 to verify whether or not patches are installed on systems managed by KACE K1000 and display the patch information through the Nessus or SecurityCenter GUI.

- If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore KACE K1000 output.

- The data returned to Nessus by KACE K1000 is only as current as the most recent data that the KACE K1000 has obtained from its managed hosts.
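The precedence rule stated in the two bullets above (a successful credentialed check on the host wins; patch-manager data is the fallback) together with the conflict reporting described under Scanning With Multiple Patch Managers, as an added example that is not Tenable's code; the same two bullets recur for TEM, SCCM, WSUS and Satellite below. How the Auditing Conflicts plugins actually weigh evidence is not documented here, so the tie-break for disagreeing managers (treat the patch as missing) is this example's own choice, and the KB-CONSTRUCTED-* identifiers are made up.

```python
from collections import defaultdict

HOST = "host"  # a credentialed local check on the target itself


def reconcile(host_reachable, findings):
    """Combine per-patch evidence from the host and from patch managers.

    findings: iterable of (source, patch_id, installed) tuples, where source is
    HOST for a credentialed local check or the patch manager's name.
    Returns {patch_id: {"installed": bool, "basis": str, "conflict": [sources]}}.
    """
    by_patch = defaultdict(dict)
    for source, patch, installed in findings:
        by_patch[patch][source] = installed

    result = {}
    for patch, votes in by_patch.items():
        pm_votes = {s: v for s, v in votes.items() if s != HOST}
        if host_reachable and HOST in votes:
            # The local check is authoritative; manager data only feeds the conflict report,
            # which is what surfaces stale or wrong inventory in the patch manager.
            basis, installed = HOST, votes[HOST]
            conflict = sorted(s for s, v in pm_votes.items() if v != installed)
        elif pm_votes:
            # Host could not be authenticated to: fall back to patch-manager data.
            values = set(pm_votes.values())
            if len(values) == 1:
                installed = values.pop()
                basis = ",".join(sorted(pm_votes))
                conflict = []
            else:
                # Managers disagree and no host check can break the tie: report the
                # patch as missing until the conflict is resolved (example's own choice).
                installed = False
                basis = "conflict"
                conflict = sorted(pm_votes)
        else:
            continue  # nothing usable for this patch
        result[patch] = {"installed": installed, "basis": basis, "conflict": conflict}
    return result


# Constructed sample evidence for one host: identifiers are placeholders, not real KBs
SAMPLE_FINDINGS = [
    (HOST, "KB-CONSTRUCTED-001", True),
    ("KACE K1000", "KB-CONSTRUCTED-001", False),  # stale manager inventory: a conflict
    (HOST, "KB-CONSTRUCTED-002", False),
    ("KACE K1000", "KB-CONSTRUCTED-002", False),  # both agree the patch is missing
    ("WSUS", "KB-CONSTRUCTED-003", True),
    ("KACE K1000", "KB-CONSTRUCTED-003", False),  # managers only, and they disagree
]


if __name__ == "__main__":
    for reachable in (True, False):
        print("host reachable:", reachable)
        for patch, verdict in sorted(reconcile(reachable, SAMPLE_FINDINGS).items()):
            print("  ", patch, verdict)
```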

KACE K1000 scanning is performed using four Nessus plugins.

- kace_k1000_get_computer_info.nbin (Plugin ID 76867)

- kace_k1000_get_missing_updates.nbin (Plugin ID 76868)

- kace_k1000_init_info.nbin (Plugin ID 76866)

- kace_k1000_report.nbin (Plugin ID 76869)

Credentials for the Dell KACE K1000 system must be provided for K1000 scanning to work properly. Under the Credentials tab, select Patch Management and then Dell KACE K1000.

Option | Default | Description

Server | none | KACE K1000 IP address or system name. This is a required field.

Database Port | 3306 | Port the K1000 database is running on (typically TCP 3306).

Organization Database Name | ORG1 | The name of the organization component for the KACE K1000 database. This component will begin with the letters ORG and end with a number that corresponds with the K1000 database username.

Database Username | none | Username required to log into the K1000 database. R1 is the default if no user is defined. The username will begin with the letter R. This username will end in the same number that represents the number of the organization to scan. This is a required field.

K1000 Database Password | none | Password required to authenticate the K1000 Database Username. This is a required field.


IBM Tivoli Endpoint Manager (TEM)

Tivoli Endpoint Manager (TEM) is available from IBM to manage the distribution of updates and hotfixes for desktop systems. Nessus and SecurityCenter have the ability to query TEM to verify whether or not patches are installed on systems managed by TEM and display the patch information.

- If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore TEM output.

- The data returned to Nessus by TEM is only as current as the most recent data that the TEM server has obtained from its managed hosts.

TEM scanning is performed using five Nessus plugins:

- Patch Management: Tivoli Endpoint Manager Compute Info Initialization (Plugin ID 62559)

- Patch Management: Missing updates from Tivoli Endpoint Manager (Plugin ID 62560)

- Patch Management: IBM Tivoli Endpoint Manager Server Settings (Plugin ID 62558)

- Patch Management: Tivoli Endpoint Manager Report (Plugin ID 62561)

- Patch Management: Tivoli Endpoint Manager Get Installed Packages (Plugin ID 65703)

Credentials for the IBM Tivoli Endpoint Manager server must be provided for TEM scanning to work properly.

Option | Default | Description

Web Reports Server | None | Name of the IBM TEM Web Reports Server

Web Reports Port | none | Port that the IBM TEM Web Reports Server listens on

Web Reports Username | none | Web Reports administrative username

Web Reports Password | none | Web Reports administrative username's password

HTTPS | Enabled | If the Web Reports service is using SSL

Verify SSL certificate | Enabled | Verify that the SSL certificate is valid

Package reporting is supported by RPM-based and Debian-based distributions that IBM TEM officially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless officially supported by TEM, there is no support available.


For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian, and Ubuntu are supported. The plugin Patch Management: Tivoli Endpoint Manager Get Installed Packages must be enabled.

In order to use these auditing features, changes must be made to the IBM TEM server. A custom Analysis must be imported into TEM so that detailed package information will be retrieved and made available to Nessus. This process is outlined below. Before beginning, the following text must be saved to a file on the TEM system, and named with a .bes extension.

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Analysis>
<Title>Tenable</Title>
<Description>This analysis provides Nessus with the data it needs for vulnerability reporting. </Description>
<Relevance>true</Relevance>
<Source>Internal</Source>
<SourceReleaseDate>2013-01-31</SourceReleaseDate>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Fri, 01 Feb 2013 15:54:09 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<Property Name="Packages - With Versions (Tenable)" ID="1"><![CDATA[if (exists true whose (if true then (exists debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" & architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else if (exists true whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "rpm" & "|" & architecture of it & "|" & architecture of operating system) of packages of rpm else "<unsupported>" ]]></Property>
</Analysis>
</BES>
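A check of the two sides of the analysis above, as an added example that is not Tenable's or IBM's code: it confirms a .bes file actually defines the "Packages - With Versions (Tenable)" property the Nessus plugin depends on, and it parses the name|version|type|arch|osarch values that property yields on Debian and RPM hosts, skipping the "<unsupported>" value the relevance returns elsewhere. SAMPLE_BES is a trimmed copy of the file above and the package strings are constructed sample output.

```python
import xml.etree.ElementTree as ET

PROPERTY_NAME = "Packages - With Versions (Tenable)"
FIELDS = ("name", "version", "type", "arch", "os_arch")
PACKAGE_TYPES = ("deb", "rpm")

# Constructed stand-in for the .bes file from the guide, trimmed to what is checked here
SAMPLE_BES = """<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Analysis>
<Title>Tenable</Title>
<Relevance>true</Relevance>
<Property Name="Packages - With Versions (Tenable)" ID="1"><![CDATA[if (exists true whose (if true then (exists debianpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" & architecture of it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else "<unsupported>" ]]></Property>
</Analysis>
</BES>
"""

# Constructed sample values as the property would report them from two hosts
SAMPLE_RESULTS = [
    "openssl|1.0.1e-2|rpm|x86_64|x86_64",
    "bash|4.3-7ubuntu1|deb|amd64|amd64",
    "<unsupported>",   # host is neither Debian nor RPM based
    "broken|line",     # malformed entry, must not crash the consumer
]


def analysis_property(bes_xml):
    """Return the relevance text of the Tenable package property, or raise if the
    analysis does not define it (the Nessus plugin would then have nothing to read)."""
    root = ET.fromstring(bes_xml)
    for prop in root.iter("Property"):
        if prop.get("Name") == PROPERTY_NAME:
            return (prop.text or "").strip()
    raise ValueError("analysis lacks property %r" % PROPERTY_NAME)


def parse_package_lines(values):
    """Parse 'name|version|type|arch|osarch' strings into dicts.
    Returns (packages, skipped), where skipped counts unsupported or malformed entries."""
    packages, skipped = [], 0
    for raw in values:
        line = raw.strip()
        parts = line.split("|")
        if line == "<unsupported>" or len(parts) != len(FIELDS) or parts[2] not in PACKAGE_TYPES:
            skipped += 1
            continue
        packages.append(dict(zip(FIELDS, parts)))
    return packages, skipped


if __name__ == "__main__":
    relevance = analysis_property(SAMPLE_BES)
    print("property found; relevance emits pipe-joined fields:", '& "|" &' in relevance)
    packages, skipped = parse_package_lines(SAMPLE_RESULTS)
    for pkg in packages:
        print("%(type)s %(name)s %(version)s (%(arch)s)" % pkg)
    print("skipped entries:", skipped)
```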


Microsoft System Center Configuration Manager (SCCM)

Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Windows-based systems. Nessus has the ability to query the SCCM service to verify whether or not patches are installed on systems managed by SCCM and display the patch information through the Nessus or SecurityCenter GUI.

- If the credentialed check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore SCCM output.

- The data returned by SCCM is only as current as the most recent data that the SCCM server has obtained from its managed hosts.

- Nessus connects to the server that is running the SCCM site (e.g., credentials must be valid for the SCCM service, meaning an admin account in SCCM with the privileges to query all the data in the SCCM MMC). This server may also run the SQL database, or the database as well as the SCCM repository can be on separate servers. When leveraging this audit, Nessus must connect to the SCCM Server, not the SQL or SCCM server if they are on a separate box.

Nessus SCCM patch management plugins support SCCM 2007 and SCCM 2012.

SCCM scanning is performed using four Nessus plugins.

- Patch Management: SCCM Server Settings (Plugin ID 57029)

- Patch Management: Missing updates from SCCM (Plugin ID 57030)

- Patch Management: SCCM Computer Info Initialization (Plugin ID 73636)

- Patch Management: SCCM Report (Plugin ID 58186)

Credentials for the SCCM system must be provided for SCCM scanning to work properly. Under the Credentials tab, select Patch Management and then Microsoft SCCM.

Credential | Description

Server | SCCM IP address or system name

Domain | The domain the SCCM server is a part of

Username | SCCM admin username

Password | SCCM admin password


Windows Server Update Services (WSUS)

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. Nessus and SecurityCenter have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Nessus or SecurityCenter GUI.

- If the credential check sees a system but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore WSUS output.

- The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.

WSUS scanning is performed using three Nessus plugins.

- Patch Management: WSUS Server Settings (Plugin ID 57031)

- Patch Management: Missing updates from WSUS (Plugin ID 57032)

- Patch Management: WSUS Report (Plugin ID 58133)

Credentials for the WSUS system must be provided for WSUS scanning to work properly. Under the Credentials tab, select Patch Management and then Microsoft WSUS.

Credential | Default | Description

Server | None | WSUS IP address or system name

Port | 8530 | Port WSUS is running on (typically TCP 80 or 443)

Username | none | WSUS admin username

Password | none | WSUS admin password

HTTPS | Enabled | If the WSUS service is using SSL

Verify SSL certificate | Enabled | Verify that the SSL certificate is valid


Red Hat Satellite 6 Server

Credential | Default | Description

Satellite server | none | RHN Satellite IP address or system name

Port | 443 | Port Satellite is running on (typically TCP 80 or 443)

Username | none | Red Hat Satellite username

Password | none | Red Hat Satellite password

HTTPS | Enabled |

Verify SSL Certificate | Enabled | Verify that the SSL certificate is valid


Red Hat Satellite 5 Server

Red Hat Satellite is a systems management platform for Linux-based systems. Nessus has the ability to query Satellite to verify whether or not patches are installed on systems managed by Satellite and display the patch information.

Although not supported by Tenable, the RHN Satellite plugin will also work with Spacewalk Server, the open source upstream version of Red Hat Satellite. Spacewalk has the capability of managing distributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat Enterprise Linux.

- If the credential check sees a system, but it is unable to authenticate against the system, it will use the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it will perform checks on that system and ignore RHN Satellite output.

- The data returned to Nessus by RHN Satellite is only as current as the most recent data that the Satellite server has obtained from its managed hosts.

Satellite scanning is performed using five Nessus plugins:

- Patch Management: Patch Schedule From Red Hat Satellite Server (Plugin ID 84236)

- Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84235)

- Patch Management: Red Hat Satellite Server Get Managed Servers (Plugin ID 84234)

- Patch Management: Red Hat Satellite Server Get System Information (Plugin ID 84237)

- Patch Management: Red Hat Satellite Server Settings (Plugin ID 84238)

If the RHN Satellite server is version 6, three additional Nessus plugins are used:

- Patch Management: Red Hat Satellite Server Get Installed Packages (Plugin ID 84231)

- Patch Management: Red Hat Satellite 6 Settings (Plugin ID 84232)

- Patch Management: Red Hat Satellite 6 Report (Plugin ID 84233)

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous

View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

- 213 -

Symantec Altiris

Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Windows, and Mac OS X systems. Nessus and SecurityCenter can use the Altiris API to verify whether patches are installed on systems managed by Altiris and display the patch information through the Nessus or SecurityCenter GUI.

- If the credential check sees a system but cannot authenticate against it, Nessus uses the data obtained from the patch management system to perform the check. If Nessus is able to connect to the target system, it performs the checks on that system directly and ignores the Altiris output.
- The data returned to Nessus by Altiris is only as current as the most recent data Altiris has obtained from its managed hosts.
- Nessus connects to the Microsoft SQL Server that backs the Altiris deployment, so the credentials must be valid for the MSSQL database: a database account with the privileges to query all the data in the Altiris MSSQL database. Because the plugins only read from the database, a dedicated login with read-only access to that database is sufficient; do not use sa or another administrative login. The database server may run on a separate host from the Altiris deployment; when it does, point Nessus at the MSSQL database host, not the Altiris server.

Altiris scanning is performed using four Nessus plugins:

- symantec_altiris_get_computer_info.nbin (Plugin ID 78013)
- symantec_altiris_get_missing_updates.nbin (Plugin ID 78012)
- symantec_altiris_init_info.nbin (Plugin ID 78011)
- symantec_altiris_report.nbin (Plugin ID 78014)

Credentials for the Altiris Microsoft SQL (MSSQL) database must be provided for Altiris scanning to work properly. Under the Credentials tab, select Patch Management and then Symantec Altiris.

Credential                  Default        Description
Server                      none           Altiris IP address or system name. This is a required field.
Database Port               5690           Port the Altiris database is running on (typically TCP 5690)
Database Name               Symantec_CMDB  The name of the MSSQL database that manages Altiris patch information.
Database Username           none           Username required to log into the Altiris MSSQL database. This is a required field.
Database Password           none           Password required to authenticate to the Altiris MSSQL database. This is a required field.
Use Windows Authentication  Disabled       Whether to use NTLMSSP for compatibility with older Windows servers; otherwise Kerberos is used.

Altiris itself must also be configured to allow Nessus to pull patch management information from its database.

Plaintext Authentication

Tip: Using cleartext credentials is not recommended. Use encrypted authentication methods whenever possible.

If no secure method of performing credentialed checks is available, you can force Nessus to attempt checks over unsecured protocols by configuring the Plaintext Authentication drop-down menu item.

This menu allows the Nessus scanner to use credentials when testing HTTP, NNTP, FTP, POP2, POP3, IMAP, IPMI, SNMPv1/v2c, and telnet/rsh/rexec.

By supplying credentials, Nessus may be able to perform more extensive checks to determine vulnerabilities. HTTP credentials supplied here are used for Basic and Digest authentication only. Credentials sent over these protocols cross the network in the clear (HTTP Digest sends a hash instead, but one that can be attacked offline), so anyone who can capture traffic between the scanner and the target can recover them; use a dedicated, least-privilege account for such scans and rotate its password afterwards.

FTP, IPMI, NNTP, POP2, and POP3

Credentials for FTP, IPMI, NNTP, POP2, and POP3 are username and password only.

SNMPv1/v2c

SNMPv1/v2c configuration allows you to use community strings for authentication to network devices. Up to 4 SNMP community strings can be configured.

Option             Default
Community string   public

Global Settings

UDP Port                161
Additional UDP port #1  161
Additional UDP port #2  161
Additional UDP port #3  161

telnet/rsh/rexec

The telnet/rsh/rexec authentication section is also username and password, but there are additional Global Settings for this section that allow you to perform patch audits using any of these three protocols.

FTP

Username and Password are the only required credentials.

IPMI

Username and Password are the only required credentials.

NNTP

Username and Password are the only required credentials.

POP2

Username and Password are the only required credentials.

POP3

Username and Password are the only required credentials.

HTTP

There are four HTTP authentication methods: Automatic authentication, Basic/Digest authentication, HTTP login form, and HTTP cookies import.

HTTP Global Settings

Option                                     Default    Description
Login method                               POST       Specify whether the login action is performed via a GET or POST request.
Re-authenticate delay (seconds)            0          The time delay between authentication attempts. This is useful to avoid triggering brute force lockout mechanisms.
Follow 30x redirections (# of levels)      0          If a 30x redirect code is received from a web server, this directs Nessus whether to follow the link provided, and how many levels deep.
Invert authenticated regex                 Disabled   Treat the authenticated regex as a failure pattern: if it is found (e.g., Authentication failed!), Nessus concludes that authentication was not successful.
Use authenticated regex on HTTP headers    Disabled   Rather than search the body of a response, Nessus can search the HTTP response headers for the given regex pattern to better determine authentication state.
Case insensitive authenticated regex       Disabled   The regex searches are case sensitive by default. This instructs Nessus to ignore case.

Authentication methods

Automatic authentication: Username and Password required.

Basic/Digest authentication: Username and Password required.

HTTP Login Form

The HTTP login page settings provide control over where authenticated testing of a custom web-based application begins.

Option                                      Description
Username                                    Login user name.
Password                                    Password of the user specified.
Login page                                  The absolute path to the login page of the application, e.g., /login.html.
Login submission page                       The action parameter of the form method. For example, for the login form <form method="POST" name="auth_form" action="/login.php">, this would be /login.php.
Login parameters                            The authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, they are substituted with the values supplied in the Login configurations drop-down menu. This field can carry more than two parameters if required (e.g., when a group name or some other piece of information is needed for the authentication process).
Check authentication on page                The absolute path of a protected web page that requires authentication, to better assist Nessus in determining authentication status, e.g., /admin.html.
Regex to verify successful authentication   A regex pattern to look for on the page returned after login. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as Authentication successful!

HTTP cookies import

To facilitate web application testing, Nessus can import HTTP cookies from another piece of software (e.g., a web browser or web proxy) with the HTTP cookies import settings. A cookie file can be uploaded so that Nessus uses those cookies when attempting to access a web application. The cookie file must be in Netscape format.
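The following is an added example and is not code from the Nessus user guide or from Tenable. It is a self-contained Python script that replays the HTTP login form procedure described above against a constructed stand-in application served on loopback, then reuses a session from a constructed Netscape-format cookie file the way the HTTP cookies import method does. The keys of the settings dictionary (login_page, login_submission_page, login_parameters, check_page, authenticated_regex, invert_regex, regex_on_headers, ignore_case) are this example's own shorthand for the fields in the two tables above; the application paths, the credentials and the cookie file are constructed. The %USER% and %PASS% values are URL-encoded before submission because a password containing & or = would otherwise be parsed by the application as extra form parameters.

```python
import http.cookiejar
import os
import re
import tempfile
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the application under test (not a real product): the form at
# /login.html posts to /login.php, and /admin.html is the protected page. /admin.html
# answers 200 whether or not you are logged in, so the status code alone proves nothing.
VALID_USER, VALID_PASS = "auditor", "s3cr&t=pw"   # '&' and '=' must be URL-encoded in the form body
SESSION_COOKIE = "sid=0123abcd"
NETSCAPE_COOKIES = ("# Netscape HTTP Cookie File\n"   # constructed cookies.txt for the same session
                    "127.0.0.1\tFALSE\t/\tFALSE\t2147483647\tsid\t0123abcd\n")


class _FakeApp(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def _send(self, code, body, extra_headers=()):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.path == "/login.html":
            self._send(200, '<form method="POST" name="auth_form" action="/login.php"></form>')
        elif self.path == "/admin.html" and SESSION_COOKIE in self.headers.get("Cookie", ""):
            self._send(200, "<h1>Admin</h1>Authentication successful!", [("X-Auth", "ok")])
        elif self.path == "/admin.html":
            self._send(200, "Authentication failed!")
        else:
            self._send(404, "not found")

    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if self.path == "/login.php" and form.get("login") == [VALID_USER] and form.get("password") == [VALID_PASS]:
            self._send(302, "", [("Set-Cookie", SESSION_COOKIE), ("Location", "/admin.html")])
        else:
            self._send(200, "Authentication failed!")


def start_fake_app():
    """Serve the stand-in application on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def is_authenticated(response, settings):
    """Apply the authenticated-regex options (body or headers, case, inversion) to a response."""
    if settings.get("regex_on_headers"):
        haystack = "\n".join("%s: %s" % kv for kv in response.headers.items())
    else:
        haystack = response.read().decode(errors="replace")
    flags = re.IGNORECASE if settings.get("ignore_case") else 0
    matched = re.search(settings["authenticated_regex"], haystack, flags) is not None
    return matched != bool(settings.get("invert_regex"))  # inverted regex: a match means "not logged in"


def form_login(base_url, settings, username, password):
    """HTTP login form: fetch the login page, POST the substituted parameters to the
    submission page, then fetch the protected page and judge it with the regex."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener.open(base_url + settings["login_page"]).read()     # the app may set a pre-login cookie here
    body = (settings["login_parameters"]                      # e.g. "login=%USER%&password=%PASS%"
            .replace("%USER%", urllib.parse.quote_plus(username))
            .replace("%PASS%", urllib.parse.quote_plus(password)))
    req = urllib.request.Request(base_url + settings["login_submission_page"], data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    opener.open(req).read()                                   # urllib follows the 30x redirect itself
    return is_authenticated(opener.open(base_url + settings["check_page"]), settings)


def cookie_import_session(base_url, cookie_file_text, settings):
    """HTTP cookies import: reuse a session from a Netscape-format cookie file instead of logging in."""
    path = os.path.join(tempfile.mkdtemp(), "cookies.txt")
    with open(path, "w") as fh:
        fh.write(cookie_file_text)
    jar = http.cookiejar.MozillaCookieJar(path)               # MozillaCookieJar reads the Netscape cookies.txt layout
    jar.load(ignore_discard=True, ignore_expires=True)
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    return is_authenticated(opener.open(base_url + settings["check_page"]), settings)


if __name__ == "__main__":
    server, base = start_fake_app()
    cfg = {"login_page": "/login.html", "login_submission_page": "/login.php", "check_page": "/admin.html",
           "login_parameters": "login=%USER%&password=%PASS%", "authenticated_regex": "Authentication successful!"}
    print(form_login(base, cfg, VALID_USER, VALID_PASS), form_login(base, cfg, VALID_USER, "wrong"))  # True False
    print(cookie_import_session(base, NETSCAPE_COOKIES, cfg))                                           # True
    server.shutdown()
```

Run it as a script to see the three outcomes. The protected page answers 200 in both states, so only the regex check distinguishes a live session from a failed login, which is why the Check authentication on page and Regex options exist. urllib follows the 30x redirect after the POST on its own (it re-issues the redirected request as a GET, as browsers do), and the same is_authenticated() check serves the cookies-import path, where no login is attempted at all.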


Scan Compliance Settings

Nessus can perform vulnerability scans of network services as well as log into servers to discover any missing patches.

However, a lack of vulnerabilities does not mean the servers are configured correctly or are "compliant" with a particular standard.

The advantage of using Nessus to perform vulnerability scans and compliance audits is that all of this data can be obtained at one time. Knowing how a server is configured, how it is patched, and what vulnerabilities are present helps determine measures to mitigate risk.

At a higher level, if this information is aggregated for an entire network or asset class, security and risk can be analyzed globally. This allows auditors and network managers to spot trends in non-compliant systems and adjust controls to fix these on a larger scale.

When configuring a scan or policy, you can include one or more compliance checks.

Each audit capability below lets you select a predefined or custom audit policy file to test the named targets against compliance standards; the credentials each one requires are listed with it.

Audit Capability               Required Credentials                             Targets tested
Adtran AOS                     SSH                                              Adtran AOS based devices
Amazon AWS                     Amazon AWS                                       An Amazon AWS account
Blue Coat ProxySG              SSH                                              Blue Coat ProxySG based devices
Brocade FabricOS               SSH                                              Brocade FabricOS based devices
Check Point GAiA               SSH                                              Check Point GAiA based devices
Cisco IOS                      SSH                                              Cisco IOS based devices
Citrix XenServer               SSH                                              Citrix XenServer hosts
Database                       Database credentials                             Database servers
Dell Force10 FTOS              SSH                                              Dell Force10 FTOS based devices
Extreme ExtremeXOS             SSH                                              Extreme ExtremeXOS based devices
FireEye                        SSH                                              FireEye based devices
Fortigate FortiOS              SSH                                              Fortigate FortiOS based devices
HP ProCurve                    SSH                                              HP ProCurve based devices
Huawei                         SSH                                              Huawei devices
IBM iSeries                    IBM iSeries                                      IBM iSeries servers
Juniper Junos                  SSH                                              Juniper Junos based devices
Microsoft Azure                Microsoft Azure                                  Microsoft Azure accounts
Mobile Device Manager          AirWatch / Apple Profile Manager / MobileIron    Mobile Device Management systems
MongoDB                        MongoDB                                          MongoDB servers
NetApp Data ONTAP              SSH                                              NetApp Data ONTAP devices
Palo Alto Networks PAN-OS      PAN-OS                                           Palo Alto Networks PAN-OS based devices
Rackspace                      Rackspace                                        Rackspace accounts
RHEV                           RHEV                                             Red Hat Enterprise Virtualization servers
Salesforce.com                 Salesforce SOAP API                              Salesforce accounts
SonicWALL SonicOS              SSH                                              SonicWALL SonicOS based devices
Linux                          SSH                                              Linux servers
Linux File Contents            SSH                                              Linux servers, searched for sensitive content such as SSNs and credit card numbers
VMware vCenter/vSphere         VMware ESX SOAP API or VMware vCenter SOAP API   VMware vCenter/vSphere servers
WatchGuard                     SSH                                              WatchGuard devices
Windows                        Windows                                          Windows servers
Windows File Contents          Windows                                          Windows servers, searched for sensitive content such as SSNs and credit card numbers

Scan Plugins Settings

The Advanced Scan templates include Plugin options.

The Plugins menu enables you to select security checks by plugin family or as individual checks.

Clicking on a plugin family allows you to enable (green) or disable (gray) the entire family. Selecting a family displays the list of its plugins. Individual plugins can be enabled or disabled to create very specific scan policies.

A family with some plugins disabled turns blue and displays "mixed" to indicate that only some plugins are enabled. Clicking on the plugin family loads the complete list of plugins and allows granular selection based on your scanning preferences.

Selecting a specific plugin displays the plugin output as it would appear in a report. The synopsis and description provide more details of the vulnerability being examined. Scrolling down in your browser also shows solution information, additional references if available, risk information, exploit information, and any vulnerability database or informational cross-references.

At the top of the plugin family page, you can create filters to build a list of plugins to include in the policy, as well as disable or enable all plugins. Filters allow granular control over plugin selection. Multiple filters can be set in a single policy.

To create a filter, click the Filter Plugin Families drop-down arrow.

Each filter created provides several options for refining a search. The filter criteria can be based on Any, where any one criterion returns matches, or All, where every filter criterion must be present. For example, if we want a policy that only includes plugins that have an exploit or can be exploited without a scripted exploit, we create two filters and select Any for the criteria.

Tip: To use filters to create a policy, it is recommended that you start by disabling all plugins. Using plugin filters, narrow down the plugins you want in your policy. Once completed, select each plugin family and click Enable Plugins.

When a policy is created and saved, it records all of the plugins that are initially selected. When new plugins are received via a plugin update, they are automatically enabled if the family they belong to is enabled. If the family has been disabled or partially enabled, new plugins in that family are automatically disabled as well. A policy built by hand-picking plugins therefore does not pick up new checks for those families; review it after plugin updates.

The Denial of Service family contains some plugins that could cause outages on a network if the Safe Checks option is not enabled, but it also contains useful checks that will not cause any harm. The Denial of Service family can be used in conjunction with Safe Checks to ensure that potentially dangerous plugins are not run. However, it is recommended that the Denial of Service family not be used on a production network unless scheduled during a maintenance window and with staff ready to respond to any issues.

Special Use Templates

Compliance

Nessus compliance auditing can be configured using one or more of the following Scanner and Agent templates:

- Audit Cloud Infrastructure
- MDM Config Audit
- Offline Config Audit
- SCAP and OVAL Auditing
- Policy Compliance Auditing

Mobile Device

With Nessus Manager, the Nessus Mobile Devices plugin family provides the ability to obtain information from devices registered in a Mobile Device Manager (MDM) and from Active Directory servers that contain information from Microsoft Exchange Servers.

- To query for information, the Nessus scanner must be able to reach the Mobile Device Management servers. You must ensure no screening devices block traffic to these systems from the Nessus scanner. In addition, Nessus must be given administrative credentials (e.g., domain administrator) to the Active Directory servers. A scanner that holds domain administrator credentials is as sensitive as a domain controller; restrict access to it accordingly.
- To scan for mobile devices, Nessus must be configured with authentication information for the management server and the mobile plugins. Since Nessus authenticates directly to the management servers, a scan policy does not need to be configured to scan specific hosts.
- For ActiveSync scans that access data from Microsoft Exchange servers, Nessus retrieves information from phones that have been updated in the last 365 days.

Payment Card Industry (PCI)

Tenable offers two Payment Card Industry Data Security Standard (PCI DSS) templates: one for testing internal systems (requirement 11.2.1) and one for Internet-facing systems (11.2.2). These scan templates may also be used to complete scans after significant changes to your network, as required by PCI DSS 11.2.3.

Template: PCI Quarterly External Scan
Product: Tenable Cloud only
Description: The PCI Quarterly External Scan template is only available in Tenable Cloud. Using this template, Tenable Cloud tests for all PCI DSS external scanning requirements, including web applications. The scan results obtained using the PCI Quarterly External Scan template may be submitted to Tenable (an Approved Scanning Vendor) for PCI validation. Refer to the Scan Results section for details on creating, reviewing, and submitting PCI scan results.

Template: PCI Quarterly External Scan (Unofficial)
Product: Nessus Manager, Nessus Professional
Description: For Nessus Manager and Nessus Professional, Tenable provides the PCI Quarterly External Scan (Unofficial) template. This template can be used to simulate an external scan (PCI DSS 11.2.2) to meet PCI DSS quarterly scanning requirements. However, the scan results from the Unofficial template cannot be submitted to Tenable for PCI validation. The PCI Quarterly External Scan (Unofficial) template performs the identical scanning functions as the Tenable Cloud version of this template.

Template: Internal PCI Network Scan
Product: Nessus Manager, Nessus Professional
Description: The Internal PCI Network Scan template can be used to meet the PCI DSS internal scanning requirement (11.2.1).

SCAP and OVAL

The National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.

- SCAP compliance auditing requires sending an executable to the remote host.
- Systems running security software (e.g., McAfee Host Intrusion Prevention) may block or quarantine the executable required for auditing. For those systems, an exception must be made for either the host or the executable sent.
- When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP checks to test compliance standards as specified in NIST Special Publication 800-126.

Manage Nessus

This section includes instructions and procedures for common Nessus usage.

- Manage Nessus License & Registration
- Manage Activation Code
- Manage Your User Profile
- System Settings
- Manage Scanners
- Manage Accounts
- Manage Communications
- Manage Advanced Settings
- Manage Scans
- Manage Policies
- Manage Nessus Agents
- Custom SSL Certificates
- Enable SSH Local Security Checks
- Credentialed Checks on Windows

Manage Nessus License & Registration

If your license changes, Nessus must be updated.

If your Nessus server has connectivity to the Internet, follow the Update Activation Code steps.

If for security purposes your installation of Nessus does not have connectivity to the Internet, see Register Nessus Offline.

Manage Activation Code

From time to time, you may need to manage your Activation Code.

The following topics include instructions to:

- View your Activation Code
- Reset Activation Code
- Update Activation Code

If you are using Nessus offline, see Register Nessus Offline.

View your Activation Code

View on the Support Portal

1. Navigate to and log in to the Tenable Support Portal.
2. In the Main Menu of the support portal, click Activation Codes.
3. Next to your product name, click the x button to expand the product details.

View from Command Line

Use the nessuscli fetch --code-in-use command specific to your operating system.

Platform   Command
Linux      # /opt/nessus/sbin/nessuscli fetch --code-in-use
FreeBSD    # /usr/local/nessus/sbin/nessuscli fetch --code-in-use
Mac OS X   # /Library/Nessus/run/sbin/nessuscli fetch --code-in-use
Windows    C:\Program Files\Tenable\Nessus>nessuscli.exe fetch --code-in-use

Reset Activation Code

If you uninstall and then reinstall Nessus, you will need to reset your activation code.

1. Navigate and log in to the Tenable Support Portal.
2. In the Main Menu of the support portal, click Activation Codes.
3. Next to your product name, click the x button to expand the product details.
4. Under the Reset column, click the X button.

Once reset, your activation code is available for use.

Note: Reset codes have a 10 day waiting period before you can reset your code again.


Update Activation Code

In the event that you receive a new license and corresponding Activation Code, your activation code must be re-registered with Nessus.

You can update Nessus with the new activation code using one of two methods:

1. Update the Nessus Activation Code in the UI
2. Update the Nessus Activation Code via Command Line

Note: If you are working with Nessus offline, see Register Nessus Offline.

Update Nessus in the UI

1. In Nessus, click the button (System Settings page).
2. Click the pencil icon next to the Activation Code.
3. On the Update Activation screen, select your Registration type.
4. Next, enter the new Activation Code.
5. Click Save.

Next, Nessus will download and install the Nessus engine and the latest Nessus plugins.

Once the download process is complete, Nessus will restart, and then prompt you to log in again.

At this point, Nessus is updated with the new licensing information.

Update Nessus via Command Line

1. On the offline system running Nessus, open a command prompt.
2. Use the nessuscli fetch --register <Activation Code> command specific to your operating system.

Platform   Command
Linux      # /opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx
FreeBSD    # /usr/local/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx


Mac OS X   # /Library/Nessus/run/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx
Windows    C:\Program Files\Tenable\Nessus>nessuscli.exe fetch --register xxxx-xxxx-xxxx-xxxx

Next, Nessus will download and install the Nessus engine and the latest Nessus plugins.

Once the download process is complete, Nessus will restart, and then prompt you to log in again.

At this point, Nessus is updated with the new licensing information.


Manage Your User Profile

From the Nessus top navigation menu, select the drop-down arrow next to your user name, and then select User Profile.

Your User Profile includes the following pages:

• Account Settings
• API Keys
• Change Password
• Plugin Rules


Account Settings

The Account Settings page displays settings for the current authenticated user.

Note: Once created, a username cannot be changed.

Based on your Nessus product, the following information is displayed.

Version               Settings
Nessus Cloud          Username (e-mail address), Full Name, Email, User Type
                      Note: Tenable Cloud accounts use the email address of the user for logins.
Nessus Manager        Username, Full Name, Email, User Type
Nessus Professional   User Name, User Type
                      Note: Nessus Professional user accounts do not have an associated email address.

Nessus Professional has only two user types: System Administrator and Standard.


API Keys

API Keys (an Access Key and a Secret Key) are used to authenticate with the Nessus REST API (version 6.4 or greater) and are passed with requests using the "X-ApiKeys" HTTP header.

The User Profile / API Keys page allows you to generate API keys.

Click the Generate button to create an Access Key and a Secret Key.

Note:

• API Keys are only presented upon initial generation. Please store API Keys in a safe location, as they cannot be retrieved later.
• API Keys cannot be retrieved by Nessus. If lost, the API Keys must be regenerated.
• Regenerating the API Keys will immediately un-authorize any applications currently utilizing the key.
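As an added example (not from this guide and not Tenable's own code), the following Python client shows how a script carries the two keys in the X-ApiKeys header described above while keeping them out of source files and log output. The header value layout accessKey=...; secretKey=... and the GET /server/status endpoint come from the Nessus 6 REST API documentation rather than from this page; the environment variable names NESSUS_ACCESS_KEY and NESSUS_SECRET_KEY and the scanner URL are placeholders chosen for this example.

```python
"""Call the Nessus REST API with X-ApiKeys authentication.

Added example, not Nessus code. Assumes the header value format
"accessKey=<a>; secretKey=<s>" from the Nessus API documentation.
Environment variable names and the scanner URL are placeholders.
"""
import json
import os
import ssl
import urllib.request


def api_keys_header(access_key: str, secret_key: str) -> dict:
    """Build the X-ApiKeys header; refuse empty keys up front rather than
    send a request that can only come back as 401."""
    if not access_key or not secret_key:
        raise ValueError("both the Access Key and the Secret Key are required")
    return {"X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}"}


def load_keys_from_env() -> tuple:
    """Read the keys from the environment so they never live in source
    control. The keys are shown once at generation time, so keep them in a
    secret store and inject them at run time."""
    access = os.environ.get("NESSUS_ACCESS_KEY", "")  # placeholder variable names
    secret = os.environ.get("NESSUS_SECRET_KEY", "")
    if not access or not secret:
        raise RuntimeError("set NESSUS_ACCESS_KEY and NESSUS_SECRET_KEY")
    return access, secret


def redact(key: str, keep: int = 4) -> str:
    """Log-safe form of a key: the first `keep` characters, the rest masked."""
    if len(key) <= keep:
        return "*" * len(key)
    return key[:keep] + "*" * (len(key) - keep)


def build_request(base_url: str, path: str, access_key: str,
                  secret_key: str) -> urllib.request.Request:
    """Assemble an authenticated GET request for `path` on the scanner."""
    url = base_url.rstrip("/") + path
    headers = api_keys_header(access_key, secret_key)
    headers["Accept"] = "application/json"
    return urllib.request.Request(url, headers=headers, method="GET")


def get_server_status(base_url: str, access_key: str, secret_key: str,
                      ca_file: str = None) -> dict:
    """GET /server/status and return the decoded JSON body.

    TLS verification stays on: for a scanner with a self-signed certificate,
    pass its CA bundle as ca_file instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_request(base_url, "/server/status", access_key, secret_key)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    access, secret = load_keys_from_env()
    print("using access key", redact(access))  # never log the full key
    print(get_server_status("https://nessus.example.internal:8834", access, secret))
```

Because regenerating the keys invalidates the old pair immediately, a rotation should update the secret store first and then regenerate, so that scripts reading from the store pick up the new pair on their next run.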


Change Password

The Change Password section allows you to change your password. Users with administrative privileges can change other users' passwords.

To change another user's password, log in to Nessus as a user with administrative privileges, select the button, and then navigate to the Users section of the Accounts page.


Plugin Rules

Create a new Plugin Rule

1. From the User Profile / Plugin Rules page, click the New Rule button.
2. Next, enter values for the Host, Plugin ID, Expiration Date (Optional), and the Severity that you would like the Plugin to adopt.
3. Next, click the Save button.

New Plugin Rule Example

Host: 192.168.0.6
Plugin ID: 79877
Expiration Date: 12/31/2016
Severity: Low

This rule is created for scans performed on IP address 192.168.0.6. Once saved, this Plugin Rule changes the default severity of Plugin ID 79877 (CentOS 7 : rpm (CESA-2014:1976)) to a severity of low until 12/31/2016. After 12/31/2016, the results of Plugin ID 79877 will return to its critical severity.
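The override logic the example describes, written out as an added Python example (not Nessus code): a rule matches a finding when the host and plugin ID agree and the rule has not passed its expiration date, in which case the rule's severity replaces the plugin's own. The rule and finding shapes and the sample findings are constructed here, and the host matcher also accepts a CIDR range, which is this example's extension beyond the single IP the page shows, not a statement about what the Host field accepts.

```python
"""Apply plugin rules to scan findings, mirroring the page's example.

Added example, not Nessus code. Rule/finding shapes and sample findings
are constructed; CIDR matching is this example's own extension.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PluginRule:
    host: str                   # single IP, or a CIDR range (example's extension)
    plugin_id: int
    severity: str               # severity the plugin's results should adopt
    expiration: Optional[date]  # None: the rule never expires

    def applies(self, host: str, plugin_id: int, on: date) -> bool:
        """True if the rule covers this host and plugin on the given date.
        The rule stays in force up to and including its expiration date."""
        if plugin_id != self.plugin_id:
            return False
        if self.expiration is not None and on > self.expiration:
            return False
        return ip_address(host) in ip_network(self.host, strict=False)


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: int
    severity: str               # severity reported by the plugin itself


def effective_severity(finding: Finding, rules: List[PluginRule], on: date) -> str:
    """First matching rule wins; otherwise the plugin's own severity stands."""
    for rule in rules:
        if rule.applies(finding.host, finding.plugin_id, on):
            return rule.severity
    return finding.severity


def apply_rules(findings: List[Finding], rules: List[PluginRule],
                on: date) -> List[Tuple[str, int, str]]:
    """Return (host, plugin_id, effective severity) for every finding."""
    return [(f.host, f.plugin_id, effective_severity(f, rules, on)) for f in findings]


# The rule from the page's example: plugin 79877 on 192.168.0.6 is Low until 12/31/2016.
RULES = [PluginRule("192.168.0.6", 79877, "Low", date(2016, 12, 31))]

# Constructed sample findings, not real scan output (12345 is a made-up plugin ID).
FINDINGS = [
    Finding("192.168.0.6", 79877, "Critical"),  # covered by the rule
    Finding("192.168.0.7", 79877, "Critical"),  # other host: rule does not apply
    Finding("192.168.0.6", 12345, "Info"),      # other plugin: rule does not apply
]

if __name__ == "__main__":
    for when in (date(2016, 6, 1), date(2017, 1, 1)):
        print(when, apply_rules(FINDINGS, RULES, when))
```

Running the block shows the first finding reported as Low on 2016-06-01 and back at Critical on 2017-01-01, while the other two findings are untouched on both dates. Because a rule silently lowers what a report shows, an expiration date is the safeguard that forces the exception to be reviewed rather than forgotten.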

Update a Plugin Rule

1. From the User Profile / Plugin Rules page, click the Plugin Rule(s) that you want to update.
2. On the Edit Rule page, update the Host, Plugin ID, Expiration Date, or Severity values.
3. Click the Save button.

Delete a Plugin Rule

1. From the User Profile / Plugin Rules page, select the check box of the Plugin Rule(s) that you want to delete.
2. Click the Delete button.
3. On the Delete Rule confirmation screen, click Delete.


System Settings

From the Nessus home page, the button links you to the Nessus System Settings: Scanners, Accounts, Communication, and Advanced.

If Remote scanners are linked to this Nessus Manager, a list of their scans is displayed as well.


Manage Scanners

The Settings / Scanners page allows you to view and manage your Local scanner, your Remote scanners, and your Agents.

Nessus Professional and Nessus Manager feature slightly different Scanner settings:

Nessus Professional

• Scanners / Local / Overview (Professional)
• Scanners / Local / Link
• Scanners / Local / Software Update

Nessus Manager

• Scanners / Local / Overview
• Scanners / Local / Permissions
• Scanners / Local / Software Update
• Scanners / Remote / Linked
• Scanners / Agents / Linked


Nessus Professional

For Nessus Professional, Local Scanners pages include:

• Scanners / Local / Overview (Professional)
• Scanners / Local / Link
• Scanners / Local / Software Update


Scanners / Local / Overview (Professional)

The settings landing page displays the Overview for your Local Nessus Scanner and its Nessus Plugins:

• Your Nessus product name and version
• Your Plugin last update
• Your Plugin expiration date
• The Plugin set identifier
• Your Nessus Activation Code

From the Overview Page, you can:

• Update Nessus Version
• Update Plugins
• Update Activation Code

If you are working with Nessus offline, see Register Nessus Offline.


Scanners / Local / Link

The Local / Link page is a Nessus Professional only feature. This page allows you to link your Nessus Professional Scanner to Nessus Manager or to Nessus Cloud.

Link Scanner to Nessus Manager or Tenable Cloud

1. On the Local / Link page, use the toggle to create a linked scanner.
2. Create a unique Scanner Name.


3. Enter the Manager Host, Manager Port, and Linking Key obtained from Nessus Manager or Tenable Cloud.

Option         Description
Scanner Name   Unique Scanner Name. This name will appear in Nessus Manager or Nessus Cloud's linked scanners.
Manager Host   The hostname or IP address of Nessus Manager. If connecting to Nessus Cloud, use cloud.tenable.com as the Manager Host.
Manager Port   The port number to connect to Nessus Manager (8834). If connecting to Nessus Cloud, use port 443.
Linking Key    The Nessus Manager or Tenable Cloud Linking Key.
               Tip: In Nessus Manager, the Linking Key is displayed on the Scanners / Remote / Linked page.
               Tip: In Nessus Cloud, the Linking Key is displayed on the Scanners > Linked Scanners page.
Use Proxy      OPTIONAL: If communication must be directed through a proxy, select this option. Once selected, the scanner will use the Proxy Server information provided on the Communication / Network / Proxy Server page.


Scanners / Local / Software Update

On the Scanners / Local / Software Update page, you can configure how and when you want to install Nessus updates.

There are two parts of a Nessus update: Component Updates and Plugin Updates.

When an update becomes available, you can opt to use the Manual Software Update or opt to use Automatic Updates.

To view the Software Update page, click the button.

• Update Nessus Version
• Update Plugins
• Update Activation Code


Software Update Page

Updating Nessus components and installing the latest Plugins for Nessus is performed by using the Software Update page, or from the command line as described in Updated Nessus Software using the Command Line.

To view the Software Update page, use the button.

Manual Software Update

At the top of the Software Update page, you can opt to use the Manual Software Update button.

When this method of software update is selected, an update is performed only once.

Manual Software Update Options

• Update all components
• Update plugins (only)

Note: If the Update plugins option is selected, the scanner will only receive plugin updates, but will not receive feature or operational updates for the Nessus UI or the Nessus engine. Selecting this option prevents new features and functionality from being displayed and becoming operational.

• Upload your own plugin archive

A plugin archive is a compressed TAR file that is created and downloaded when you Register Nessus Offline and Download and Copy Plugins. For more information, see Install Plugins Manually.

Tip: Manual Software Update can be used in conjunction with Automatic Updates.

Automatic Updates

• Update all components
• Update plugins
• Disabled

Update Frequency


• Daily
• Weekly
• Monthly

The button next to the Update Frequency interval allows you to customize the update frequency by any number of hours.

Plugin Feed

You can opt to provide a specific Plugin Feed host. For example, if plugins must be updated from a site residing in the U.S., you can specify "plugins-us.nessus.org".

Note: If you are using Nessus offline, see the Register Nessus Offline section.


Update Nessus Version

1. On the Scanners / Local / Overview page, next to the Version number, click the icon.
2. On the Software Update screen, you will see the following warning message:

Updating this scanner requires a restart and will abort all running scans. Are you sure you want to continue?

3. Click Continue.

Once the download process is complete, Nessus will restart, and then prompt you to log in again.


Update Plugins

1. On the Scanners / Local / Overview page, next to the Last Updated date, click the icon.
2. Click Continue to proceed. Nessus will update with the latest Nessus plugins.


Update Activation Code

In the event that you receive a new license and corresponding Activation Code, your activation code must be re-registered with Nessus.

You can update Nessus with the new activation code using one of two methods:

1. Update the Nessus Activation Code in the UI
2. Update the Nessus Activation Code via Command Line

Note: If you are working with Nessus offline, see Register Nessus Offline.

Update Nessus in the UI

1. In Nessus, click the button (System Settings page).
2. Click the pencil icon next to the Activation Code.
3. On the Update Activation screen, select your Registration type.
4. Next, enter the new Activation Code.
5. Click Save.

Next, Nessus will download and install the Nessus engine and the latest Nessus plugins.

Once the download process is complete, Nessus will restart, and then prompt you to log in again.

At this point, Nessus is updated with the new licensing information.

Update Nessus via Command Line

1. On the offline system running Nessus, open a command prompt.
2. Use the nessuscli fetch --register <Activation Code> command specific to your operating system.

Platform   Command
Linux      # /opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx
FreeBSD    # /usr/local/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx


Mac OS X   # /Library/Nessus/run/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx
Windows    C:\Program Files\Tenable\Nessus>nessuscli.exe fetch --register xxxx-xxxx-xxxx-xxxx

Next, Nessus will download and install the Nessus engine and the latest Nessus plugins.

Once the download process is complete, Nessus will restart, and then prompt you to log in again.

At this point, Nessus is updated with the new licensing information.


Updated Nessus Software using the Command Line

When updating Nessus components, you can use the nessuscli update commands, also found in the command line section.

Note: If offline, see Register Nessus Offline.

Operating System   Command
Linux              # /opt/nessus/sbin/nessuscli <arg1> <arg2>
Mac OS X           # /Library/Nessus/run/sbin/nessuscli <arg1> <arg2>
Windows            C:\Program Files\Tenable\Nessus or C:\ProgramData\Tenable\Nessus
                   (commands must be Run as administrator)

SOFTWARE UPDATE COMMANDS

nessuscli update                 By default, this tool will respect the software update options selected through the Nessus UI.
nessuscli update --all           Forces updates for all Nessus components.
nessuscli update --plugins-only  Forces updates for Nessus Plugins only.


Nessus Manager

In Nessus Manager, Scanners pages include:

• Scanners / Local / Overview
• Scanners / Local / Permissions
• Scanners / Local / Software Update
• Scanners / Remote / Linked
• Scanners / Agents / Linked


Scanners / Local / Overview (Manager)

The Nessus Manager Overview page displays the Overview for your Local Nessus Scanner and its Nessus Plugins:

• Your Nessus product name and version
• Your number of licensed hosts
• Your number of licensed Scanners
• Your number of licensed Agents
• Your Plugin last update
• Your Plugin expiration date
• The Plugin set identifier
• Your Nessus Activation Code

From the Overview Page, you can:

• Update Nessus Version
• Update Plugins
• Update Activation Code

If you are working with Nessus offline, see Register Nessus Offline.


Scanners / Local / Permissions

In Nessus Manager, you can control the permissions of the local scanner by adding users or groups, or by setting the default group's settings.

• No Access: Any users or groups specified cannot view, use, or manage the Scanners.
• Can Use: Users or groups specified here can view and use the scanner; they will not be able to make any changes.
• Can Manage: Users or groups specified here can make changes to the Scanner's settings.


Scanners / Local / Software Update

On the Scanners / Local / Software Update page, you can configure how and when you want to install Nessus updates.

There are two parts of a Nessus update: Component Updates and Plugin Updates.

When an update becomes available, you can opt to use the Manual Software Update or opt to use Automatic Updates.

To view the Software Update page, click the button.

• Update Nessus Version
• Update Plugins
• Update Activation Code


Software Update Page

Updating Nessus components and installing the latest Plugins for Nessus is performed by using the Software Update page, or from the command line as described in Updated Nessus Software using the Command Line.

To view the Software Update page, use the button.

Manual Software Update

At the top of the Software Update page, you can opt to use the Manual Software Update button.

When this method of software update is selected, an update is performed only once.

Manual Software Update Options

• Update all components
• Update plugins (only)

Note: If the Update plugins option is selected, the scanner will only receive plugin updates, but will not receive feature or operational updates for the Nessus UI or the Nessus engine. Selecting this option prevents new features and functionality from being displayed and becoming operational.

• Upload your own plugin archive

A plugin archive is a compressed TAR file that is created and downloaded when you Register Nessus Offline and Download and Copy Plugins. For more information, see Install Plugins Manually.

Tip: Manual Software Update can be used in conjunction with Automatic Updates.

Automatic Updates

• Update all components
• Update plugins
• Disabled

Update Frequency


• Daily
• Weekly
• Monthly

The button next to the Update Frequency interval allows you to customize the update frequency by any number of hours.

Plugin Feed

You can opt to provide a specific Plugin Feed host. For example, if plugins must be updated from a site residing in the U.S., you can specify "plugins-us.nessus.org".

Note: If you are using Nessus offline, see the Register Nessus Offline section.


Update Nessus Version

1. On the Scanners / Local / Overview page, next to the Version number, click the icon.
2. On the Software Update screen, you will see the following warning message:

Updating this scanner requires a restart and will abort all running scans. Are you sure you want to continue?

3. Click Continue.

Once the download process is complete, Nessus will restart, and then prompt you to log in again.


Update Plugins

1. On the Scanners / Local / Overview page, next to the Last Updated date, click the icon.
2. Click Continue to proceed. Nessus will update with the latest Nessus plugins.


Update Activation Code

In the event that you receive a new license and corresponding Activation Code, your activation code must be re-registered with Nessus.

You can update Nessus with the new activation code using one of two methods:

1. Update the Nessus Activation Code in the UI
2. Update the Nessus Activation Code via Command Line

Note: If you are working with Nessus offline, see Register Nessus Offline.

Update Nessus in the UI

1. In Nessus, click the button (System Settings page).
2. Click the pencil icon next to the Activation Code.
3. On the Update Activation screen, select your Registration type.
4. Next, enter the new Activation Code.
5. Click Save.

Next, Nessus will download and install the Nessus engine and the latest Nessus plugins.

Once the download process is complete, Nessus will restart, and then prompt you to log in again.

At this point, Nessus is updated with the new licensing information.

Update Nessus via Command Line

1. On the offline system running Nessus, open a command prompt.
2. Use the nessuscli fetch --register <Activation Code> command specific to your operating system.

Platform   Command
Linux      # /opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx
FreeBSD    # /usr/local/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx


Mac OS X   # /Library/Nessus/run/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx
Windows    C:\Program Files\Tenable\Nessus>nessuscli.exe fetch --register xxxx-xxxx-xxxx-xxxx

Next, Nessus will download and install the Nessus engine and the latest Nessus plugins.

Once the download process is complete, Nessus will restart, and then prompt you to log in again.

At this point, Nessus is updated with the new licensing information.


Updated Nessus Software using the Command Line

When updating Nessus components, you can use the nessuscli update commands, also found in the command line section.

Note: If offline, see Register Nessus Offline.

Operating System   Command
Linux              # /opt/nessus/sbin/nessuscli <arg1> <arg2>
Mac OS X           # /Library/Nessus/run/sbin/nessuscli <arg1> <arg2>
Windows            C:\Program Files\Tenable\Nessus or C:\ProgramData\Tenable\Nessus
                   (commands must be Run as administrator)

SOFTWARE UPDATE COMMANDS

nessuscli update                 By default, this tool will respect the software update options selected through the Nessus UI.
nessuscli update --all           Forces updates for all Nessus components.
nessuscli update --plugins-only  Forces updates for Nessus Plugins only.


Scanners / Remote / Linked

Remote scanners can be linked to this Nessus Manager by using the Linking Key displayed.

Tip: During the Browser Portion of the Nessus installation, choose the Link to Nessus Scanner registration type, and then enter this Linking Key.

Once linked, remote scanners can be selected when configuring scans.

Tip: If there is ever concern over the Linking Key becoming compromised, you can regenerate the Linking Key by clicking the icon to the right of the Linking Key.

Regenerating the key will not disable any secondary scanners that are already registered. Once the secondary scanner has established communications with the primary scanner, it is displayed on this interface under Scanners / Remote / Linked.

From the scanners list, you can use the Disable / Enable icon or the Remove icon to connect, disconnect, or remove your linked scanner(s).

To manage your remote linked scanner's settings, open the remote scanner from the scanners list.

The Overview page displays details for your Remote / Linked scanner.

On the Permissions page, you can configure the permissions of the users or groups who Can use, Can manage, or have No access to this remote scanner.


Scanners / Agents / Linked

After you have performed a Nessus Agent install, your Nessus Agents are viewed and managed in the Nessus UI.

In Nessus Manager, click the button.

Delete Agents

From the Scanners / Agents / Linked page, you can delete agents.

To delete multiple agents at once, use the checkboxes, and then click the Remove button at the top of the page.

Scanners / Agents / Groups

Once linked to Nessus Manager, Nessus Agents can be managed by adding or removing them from Nessus Agent Groups.

On the Scanners / Agents / Linked page, you can create a new agent group.

Once a new group has been created, you can:


- Manage its Agents

- Set Permissions for the Agent Group

- Rename the Agent Group

During the installation of Nessus Agents, you had the option of adding your agent to an existing Agent Group.

If you did not have any Agent Groups created prior to the Nessus Agent's install, or you opted not to add your agent to an existing group, you can create Agent Groups in the Nessus UI.

Agent groups are used to organize and manage the agents linked to your scanner. Each agent can be added to any number of groups, and scans can be configured to use these groups as targets.

Create an Agent Group

1. In Nessus, click the button.

2. Next, click the link for Scanners / Agents / Groups.

3. Click the New Group button.

4. In the Name field, name your Agent Group.

5. Click Save to continue.

Your new Agent Group page is displayed.


Once created, agent groups can be managed from the Scanners / Agents / Groups page.

To display agent group settings, select the agent group from the list.

Add an Agent to a Group

1. Go to the Scanners / Agents / Groups page.

2. Click the name of the Agent Group that you will be adding agents to.

3. From the Available Agents list, click the + button.

The agent moves from the Available Agents column to the Member Agents column.

Add Permissions to an Agent Group

1. Go to the Scanners / Agents / Groups page.

2. Click the name of the Agent Group that you will be adding permissions to.

3. Click the Permissions link.

Note: Only existing Nessus users or groups can be added to the permissions for the Agent Group(s).


On this page, you have the following options:

- Set permissions for the Default Nessus group

- Add individual Nessus users and set specific permissions for that user

- Add Nessus User Groups and set specific permissions for that group

Agent Groups have two permission options: Can Use or No Access.

Change the name of the Agent Group

1. Go to the Scanners / Agents / Groups page.

2. Click the name of the Agent Group whose name you want to change.

3. Click the Settings link.

4. In the Name field, rename your group.

5. Click Save.


Manage Accounts

Users and Groups are created and managed from the Accounts page.

1. From the Nessus homepage, click the button.

2. Next, click Accounts.

The following table describes settings and options in Nessus Manager, Tenable Cloud, and Nessus Professional.

Setting Name / Description / Product Version(s) / User Type(s)

Users: Users are individual Nessus accounts to be used for assigning permissions. Product versions: Nessus Cloud, Nessus Manager, Nessus Professional. User types: All User Types.

Groups: Groups are collections of users created for shared permissions. Product versions: Nessus Cloud, Nessus Manager. User types: System Administrator.

Nessus Manager also has the ability to manage users using a configured LDAP server.

Nessus Cloud: You must define the username as the registered email address within the Nessus Cloud service.

Caution: Once an account is created, the account Username cannot be changed. If you need to change an account's username, you must create a new user account with a new username.

Create User Accounts

1. From the Nessus homepage, click the button.

2. Next, click Accounts.

3. Click the New User button.


4. Enter a Username.

5. Enter the user's Full Name.

6. Enter the user's Email address.

7. Create a user Password.

8. Retype the user's Password.

9. Select a User Role.

10. Click Save.

User Role / Description

Basic: Basic user roles can only read scan results. Not available in Nessus Professional.

Standard: Standard user roles can create scans, create policies, create schedules, and create reports. They cannot modify any user accounts, user groups, scanners, or system configuration settings.

Administrator: Administrator user roles have the same privileges as the Standard role, but can also manage users, manage user groups, and manage scanners. Note: Not available in Nessus Professional.

System Administrator: System Administrator user roles have the same privileges as the Administrator role and can manage and modify system configuration settings.

Create Groups

1. From the Nessus homepage, click the button.

2. Next, click Accounts.

3. Click Groups.

4. Click the New Group button.

5. Enter a Name for the Group.

The next page allows you to Add Users to the group you created.


Add Users to the Group

1. Click the Add User button.

2. Use the drop-down menu to select a user to be added to the group.

3. If necessary, add additional users to the group.

4. When done, click the Save button.

Tip: Once created, users and groups can be managed from the Accounts / Users or Accounts / Groups page.


Manage Communications

The Settings / Communications page allows you to configure Nessus to communicate with network servers and connector services.

Note: Nessus Professional includes only the Proxy Server and SMTP Server communication options.

- LDAP Server

- SMTP Server

- Proxy Server

- Cisco ISE


LDAP Server

The Lightweight Directory Access Protocol (LDAP) is an industry standard for accessing and maintaining directory services across an organization.

Once connected to an LDAP server, Nessus administrators can add users straight from their directory, and these users can authenticate using their directory credentials.

Nessus auto-negotiates encryption; therefore there are no encryption options in the Nessus interface.

Allowable Characters

- Upper and lower case alphabetical characters (A-Z and a-z)

- Numerical characters (0-9)

- Period (.)

- Underscore (_)

- Dash (-)

- Plus (+)

- Ampersand (&)

If Nessus encounters characters or symbols other than those specified, a 400 error occurs.
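The allowed-character list above is easy to violate when usernames are pulled from a directory (spaces in display names, DOMAIN\user prefixes, UPN-style names containing "@", accented letters), and each violation surfaces only as a 400 error at add time. The following pre-check is an added example, not Tenable code: it encodes exactly the seven character classes listed above as a regular expression and reports which characters in a candidate name would be rejected. The sample names are constructed for illustration.

```python
"""Pre-check directory usernames against the character set Nessus accepts for LDAP users."""
import re

# Exactly the classes listed under "Allowable Characters": A-Z, a-z, 0-9, period,
# underscore, dash, plus and ampersand. Note that "@" and space are not among them.
_ALLOWED = re.compile(r"[A-Za-z0-9._+&-]+")


def is_nessus_safe_name(name):
    """True when the name is non-empty and every character is in the allowed set."""
    return _ALLOWED.fullmatch(name) is not None


def offending_characters(name):
    """Sorted list of the distinct characters that would trigger the 400 error."""
    return sorted({c for c in name if _ALLOWED.fullmatch(c) is None})


def partition_directory_names(names):
    """Split candidates into (accepted, rejected); rejected maps name -> bad characters."""
    accepted, rejected = [], {}
    for name in names:
        if is_nessus_safe_name(name):
            accepted.append(name)
        else:
            rejected[name] = offending_characters(name) if name else ["<empty>"]
    return accepted, rejected


# Constructed sample of directory account names (not taken from any real directory).
SAMPLE_NAMES = ["j.doe", "r+d_team", "ops-oncall", "a&b", "jane doe",
                "svc\\backup", "user@example.com", "m\u00fcller", ""]

if __name__ == "__main__":
    ok, bad = partition_directory_names(SAMPLE_NAMES)
    print("accepted:", ok)
    for name, chars in bad.items():
        print(f"rejected {name!r}: not allowed {chars}")
```

Run this against the values of whatever attribute you intend to use as the Username Attribute (see Advanced Settings below) before adding users; a name that fails here is one Nessus will refuse with a 400 error, so choose an attribute whose values stay within the list rather than trying to rewrite the names.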

General Settings

- Host

- Port

- Username

- Password

- Base DN

Advanced Settings

- Username Attribute

- Email Attribute


- Name Attribute

- CA (PEM Format)


SMTP Server

Simple Mail Transfer Protocol (SMTP) is an industry standard for sending and receiving email. Once configured for SMTP, Nessus will email scan results to the list of recipients specified in a scan's "Email Notifications" configuration.

These results can be custom tailored through filters and require an HTML-compatible email client.

General Settings

- Host

- Port

- From (sender email)

- Encryption

- Hostname (for email links)

- Auth Method


Proxy Server

Proxy servers are used to forward HTTP requests. If your organization requires one, Nessus will use these settings to perform plugin updates and communicate with remote scanners.

General Settings

- Host (required)

- Port (required)

- Username (optional)

- Password (optional)

- Auth Method: Auto Detect (default), None, Basic, Digest, or NTLM

- User-Agent (optional)

If the proxy you are using filters specific HTTP user agents, a custom user-agent string can be supplied.


Cisco ISE

Cisco Identity Services Engine (ISE) is a security policy management and control platform that simplifies access control and security compliance for wired, wireless, and VPN connectivity.

Cisco ISE is primarily used to provide secure access, support BYOD initiatives, and enforce usage policies. Nessus only supports Cisco ISE version 1.2 or greater.

General Settings

- Host (required)

- Port (required)

- Username (required)

- Password (required)

Permissions

- Add users or groups

You may add Nessus users and Nessus groups to the Cisco ISE connector and set permissions as No Access, Can view, or Can quarantine. By default, permissions are set at No Access.


Manage Advanced Settings

Nessus Manager and Nessus Professional feature Advanced Settings. These customizable settings provide granular control of Nessus operations.

Caution: Advanced Settings are helpful in specific situations, but changing settings is not required for routine use. Modifying Advanced Settings may involve risk, so please use them with caution. If you are unsure about modifying any setting, please contact Tenable Support [email protected].

- Advanced Settings are global settings.

- To configure Advanced Settings, you must use a Nessus System Administrator user account.

- When modified, changes go into effect a few minutes after the setting is saved.

- The global.max_hosts, max_hosts, and max_checks settings can have a particularly great impact on Nessus' ability to perform scans.

- Custom policy settings supersede the global Advanced Settings.

Note: When an Advanced Setting is added or an existing setting is modified, you are prompted to either Discard or Save the setting.

Modify Advanced Value

1. From the Advanced Settings page, click the name of the value.

2. Type a new Value.

3. Click Save.

Tip: Changes go into effect a few minutes after the setting is saved.


Manage Scans

This section includes information and steps to perform common tasks associated with managing Nessus scans.

For more information, see Template Library and Scan Template Settings.

- Create Scans

- Create an Unofficial PCI ASV Validation Scan

- Create a Scan Folder

- Manage Scans

- Scan Results


Create Scans

All Scan and Policy Templates share Basic, Discovery, Assessment, Report, and Advanced settings, as well as Credentials options.

Advanced Scan templates include Compliance and Plugins options.

Tip: For scanning Agents, see Manage Nessus Agents.

Create a Basic Network Scan

1. From the Scans / My Scans page, use the New Scan button to create a new scan; you will be redirected to the Scan Library.

2. Select the Basic Network Scan template.

3. Configure the scan's Settings using the Basic, Discovery, Assessment, Report, and Advanced links.

4. Next, click Credentials.

5. From the Credentials list, select the credentials required to perform the scan. Multiple credentials can be added.

6. When done, you have the option to Save the scan or Launch the scan.

- Clicking the Save button saves the scan, but the scan will not launch; it is set to On Demand and can be launched from the Scans / My Scans page.

- Clicking the Save ▼ arrow allows you to select Launch; the scan is saved and launches immediately.

Create an Advanced Scan

1. From the Scans / My Scans page, use the New Scan button to create a new scan; you will be redirected to the Scan Library.

2. Select the Advanced Scan template.

3. Configure the scan's Settings using the Basic, Discovery, Assessment, Report, and Advanced links.


4. Click Credentials.

5. From the Credentials list, select the credentials required to perform the scan. Multiple credentials can be added and configured.

6. If applicable, click Compliance.

7. From the Compliance Checks list, select the compliance checks applicable to the scan. Multiple compliance checks can be added and configured.

8. If applicable, click Plugins; enabled plugins are displayed.

9. When done, you have the option to Save the scan or Launch the scan.

- Clicking the Save button saves the scan, but the scan will not launch; it is set to On Demand and can be launched from the Scans / My Scans page.

- Clicking the Save ▼ arrow allows you to select Launch; the scan is saved and launches immediately.

Create a PCI Quarterly External Scan (Unofficial)

1. Navigate to the Scans / My Scans page.

2. Click the New Scan button.

3. Select the PCI Quarterly External Scan (Unofficial) template.

4. Enter a Name and Description.

5. Next, if applicable, configure settings: Basic, Discovery, and Advanced.

Tip: In Nessus Professional and Nessus Manager, the scan results from the PCI Quarterly External Scan (Unofficial) may not be submitted to Tenable for PCI ASV validation. This feature is available only in Tenable Cloud.


Create a Scan Folder

1. From the Scans / My Scans page, click New Folder.

2. Provide a Name for your new folder; the name must be 20 characters or less.


Manage Scans

View all scans on the Scans / All Scans page.

When a scan is selected from the list of scans, the More button appears and additional options for the selected scan become available.

Configure displays the scan's results and allows you to modify the original scan settings.


Upload a Scan

Scan results can be exported and then imported using the Upload button. Valid file formats are .nessus and .db. Uploaded scans are imported into the Scans / My Scans folder.

After a scan is imported, you can view its Scan Results. By default, imported scans do not have the Dashboard Enabled feature turned on.

Tip: Scan results can be imported from other Nessus Manager scans, even from other Nessus installs.

Upload Scan Options

Option / Description

.nessus: An XML-based format and the de facto standard in Nessus 4.2 and later. This format uses an expanded set of XML tags to make extracting and parsing information more granular. This report does not allow chapter selection.

If the policy is exported and saved to a .nessus file, the passwords are stripped.

When importing a .nessus file, you will need to re-apply your passwords to the credentials being used.


Nessus DB: An encrypted database format used in Nessus 5.2 and later that contains all the information in a scan, including the audit trails and results. When exporting to this format, you will be prompted for a password to encrypt the results of the scan.
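Because .nessus is plain XML, it is the format you reach for when scan results need to be processed outside the UI (ticketing, trend tracking, or checking an export before it is shared). The parser below is an added example, not Tenable code. It assumes the NessusClientData_v2 layout of a .nessus export: a Policy element whose Preferences/PluginsPreferences/item entries carry preferenceName, preferenceType and selectedValue, and a Report element containing ReportHost elements with HostProperties tags and ReportItem entries whose severity attribute runs from 0 (Info) to 4 (Critical). The embedded file is constructed for the example, and its plugin IDs (9000xx) are placeholders rather than real plugin numbers. Besides summarising findings by severity and by host (the same split the Vulnerability Comparison and Top Hosts dashboard panels show), it checks the property stated above: an export should carry no credential passwords.

```python
"""Parse a .nessus (NessusClientData_v2) export and summarise its findings."""
import xml.etree.ElementTree as ET
from collections import Counter

# Severity codes as they appear in the severity="" attribute of ReportItem.
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export (not a real scan); plugin IDs 9000xx are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Policy>
    <policyName>Basic Network Scan</policyName>
    <Preferences><PluginsPreferences>
      <item><preferenceName>SSH user name :</preferenceName>
            <preferenceType>entry</preferenceType><selectedValue>scanner</selectedValue></item>
      <item><preferenceName>SSH password :</preferenceName>
            <preferenceType>password</preferenceType><selectedValue></selectedValue></item>
    </PluginsPreferences></Preferences>
  </Policy>
  <Report name="constructed sample">
    <ReportHost name="192.0.2.10">
      <HostProperties><tag name="host-ip">192.0.2.10</tag>
        <tag name="operating-system">Linux Kernel 3.10</tag></HostProperties>
      <ReportItem port="22" protocol="tcp" severity="0" pluginID="900001" pluginName="Banner (constructed)"/>
      <ReportItem port="443" protocol="tcp" severity="3" pluginID="900002" pluginName="TLS issue (constructed)"/>
      <ReportItem port="443" protocol="tcp" severity="2" pluginID="900003" pluginName="Header issue (constructed)"/>
    </ReportHost>
    <ReportHost name="192.0.2.20">
      <HostProperties><tag name="host-ip">192.0.2.20</tag>
        <tag name="operating-system">Microsoft Windows Server 2012 R2</tag></HostProperties>
      <ReportItem port="445" protocol="tcp" severity="4" pluginID="900004" pluginName="Missing patch (constructed)"/>
      <ReportItem port="445" protocol="tcp" severity="2" pluginID="900005" pluginName="SMB signing (constructed)"/>
      <ReportItem port="3389" protocol="tcp" severity="1" pluginID="900006" pluginName="RDP info (constructed)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return {"policy_name": str, "hosts": {name: {"os": str, "findings": [dict, ...]}}}."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError(f"not a .nessus v2 export (root element is <{root.tag}>)")
    hosts = {}
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        findings = [{"plugin_id": i.get("pluginID"), "plugin_name": i.get("pluginName"),
                     "port": int(i.get("port", "0")), "protocol": i.get("protocol"),
                     "severity": int(i.get("severity", "0"))}
                    for i in host.iter("ReportItem")]
        hosts[host.get("name")] = {"os": props.get("operating-system", ""), "findings": findings}
    return {"policy_name": root.findtext("Policy/policyName"), "hosts": hosts}


def severity_breakdown(report):
    """Findings per severity label, the split shown by the Vulnerability Comparison panel."""
    counts = Counter(SEVERITY_LABELS.get(f["severity"], "Unknown")
                     for h in report["hosts"].values() for f in h["findings"])
    return dict(counts)


def top_hosts(report, limit=8):
    """Hosts ranked by number of non-informational findings (the Top Hosts panel shows 8)."""
    ranked = [(name, sum(1 for f in h["findings"] if f["severity"] > 0))
              for name, h in report["hosts"].items()]
    ranked.sort(key=lambda pair: (-pair[1], pair[0]))
    return ranked[:limit]


def stored_credential_values(xml_text):
    """Names of password-type policy preferences that still carry a value.

    Nessus strips passwords on export, so a genuine export yields []; anything else
    means the file was edited or produced elsewhere and must not be shared as-is."""
    root = ET.fromstring(xml_text)
    return [item.findtext("preferenceName", "?") for item in root.iter("item")
            if item.findtext("preferenceType") == "password"
            and (item.findtext("selectedValue") or "").strip()]


if __name__ == "__main__":
    report = parse_nessus(SAMPLE_NESSUS)
    print(report["policy_name"], severity_breakdown(report), top_hosts(report))
    print("password values present:", stored_credential_values(SAMPLE_NESSUS))
```

The standard library's ElementTree is enough for files you exported yourself; a .nessus file received from another installation is untrusted XML, so in a service that accepts uploads, parse it with a hardened parser such as defusedxml (an assumption about your deployment, not something the guide prescribes) to keep entity-expansion tricks out of the import path.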

Configure a Scan

The Configure option allows you to manage scan settings, including their schedules, and you have the ability to update them as needed.

Disable a Scheduled Scan

If the scan that you have selected is configured with a schedule, the More menu allows you to disable the scan's schedule.

Copy a Scan

Based on permissions, you have the ability to Copy existing scans.

1. Select the scan to be copied.

2. From the More drop-down menu, select Copy to.

3. Copy the scan to an existing folder or select New Folder to create a new folder to store the copied scan.

4. Type a new Scan Name and choose whether or not to Include scan history.

Imported scans cannot be copied; they can be moved.

Move a Scan

Similar to copying a scan, the Move to option allows you to move a selected scan to a different folder, to the Trash folder, or allows you to create a New Folder to move the scan to.


Create an Unofficial PCI ASV Validation Scan

Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers.

Tenable Network Security, Inc. is a PCI Approved Scanning Vendor (ASV), and is certified to validate vulnerability scans of Internet-facing systems for adherence to certain aspects of the PCI Data Security Standards (PCI DSS), and Tenable Cloud is a validated Approved Scanning Vendor (ASV) solution.

Nessus Professional and Nessus Manager feature two PCI-related scan templates:

Internal PCI Network Scan

This template creates scans that may be used to satisfy internal (PCI DSS 11.2.1) scanning requirements for ongoing vulnerability management programs that satisfy PCI compliance requirements. These scans may be used for ongoing vulnerability management and to perform rescans until passing or clean results are achieved. Credentials can optionally be provided to enumerate missing patches and client-side vulnerabilities.

Note: While the PCI DSS requires you to provide evidence of passing or "clean" scans on at least a quarterly basis, you are also required to perform scans after any significant changes to your network (PCI DSS 11.2.3).

Unofficial PCI Quarterly External Scan

The Unofficial PCI Quarterly External Scan template creates a scan that simulates an external scan (PCI DSS 11.2.2) performed by Nessus Cloud to meet PCI DSS quarterly scanning requirements. Although the results may not be submitted for validation, they may be used to see what "official" Nessus Cloud results might look like. Users that have external PCI scanning requirements should use this template in Nessus Cloud, which allows scanning unlimited times before submitting results to Tenable for validation (Nessus Cloud is a validated ASV solution).

For more information on performing and submitting an official PCI Quarterly External Scan, see the Tenable Cloud User Guide.

Create an Unofficial PCI Quarterly External Scan

1. Navigate to the Scans / My Scans page.

2. Click the New Scan button.


3. Select the Unofficial PCI Quarterly External Scan template.

4. Enter a Name and Description.

5. Next, if applicable, configure settings: Basic, Discovery, and Advanced.

Creating a PCI Quarterly External Scan policy allows you to create scans based on your policy; the policy appears in the template library in the User Created Policies area.

Submit Scan Results

Only Tenable Cloud customers have the option to submit their PCI scan results to Tenable Network Security for PCI ASV validation.

When submitted, scan results are uploaded and can be reviewed from a PCI DSS perspective.


Scan Results

Nessus features rich, flexible, customizable reporting tools.

Using color-coded indicators, along with corresponding values, you can quickly assess your scan's data to help you understand your organization's health and vulnerabilities.

Navigating Scan Results

Scan reports and dashboard pages are reviewed using common interactive features.

You can:

- Hover over menu, page, or dashboard elements.

- Drill into data by clicking on line items or page elements.

- Use ascending ▲ and descending ▼ sorting controls.

- Navigate between pages using forward > or back < controls.

View Scan Results


1. Navigate to the Scans / All Scans page.

2. Select the name of the scan.

OR

1. Navigate to the Scans / All Scans page.

2. Check the box next to the name of the scan.

3. Use the More drop-down menu, and then select Configure.

Based on permissions and the scan's actions, you can Configure the scan, search the scan's Audit Trail, Launch the scan, or Export the scan's results.

Option / Description

Configure: Navigates you back to the scan's configuration settings.

Audit Trail: Displays the audit trail dialog.

Launch: Displays two choices to launch a scan: Default and Custom.

- Default: This option uses the scan's pre-configured settings.

- Custom: This option allows for Custom Scan Targets.

Export: Allows you to export the scan's results in one of four formats: Nessus (.nessus), HTML, CSV, or Nessus DB (.db). Nessus DB format is an encrypted, proprietary format, which exports all scan data. A password must be created, and then used when importing the .nessus file type.

Dashboard

When a scan is configured with Dashboard > Enabled, the scan's results page defaults to the interactive dashboard view.

Based on the type of scan performed and the type of data collected, the dashboard displays key values and trending indicators.


Dashboard Details

Name / Description

Current Vulnerabilities: The number of vulnerabilities identified.

Operating System Comparison: The percentage of operating systems identified.

Vulnerability Comparison: The percentage of all vulnerabilities, identified by severity.

Host Count Comparison: The percentage of hosts scanned by credentialed and non-credentialed authorization types: without authorization, new (scans) without authorization, with authorization, and new (scan) with authorization.

Top Vulnerabilities: Top 8 vulnerabilities based on severity.


Dashboards

When a scan is configured with Dashboard Enabled, the scan's results page defaults to the interactive dashboard view.

Dashboard View

Based on the type of scan performed and the type of data collected, the dashboard displays key values and a trending indicator.


Dashboard Details

Name: Description

Current Vulnerabilities: The number of vulnerabilities identified by the scan, by severity.

Operating System Comparison: The percentage of operating systems identified by the scan.

Vulnerability Comparison: The percentage of all vulnerabilities found by the scan, identified by severity.

Host Count Comparison: The percentage of hosts scanned with and without credentials, in four categories: without authorization, new (scans) without authorization, with authorization, and new (scans) with authorization.

Vulnerabilities Over Time: Vulnerabilities found over a period of time. Note: At least 2 scans must be completed for this chart to be displayed.

Top Hosts: Top 8 hosts that had the highest number of vulnerabilities found in the scan.

Top Vulnerabilities: Top 8 vulnerabilities based on severity.


Scan Results Pages

When you click a scan's name on the Scans page, you are redirected to its results pages.

The following table lists each possible scan results page:

Page: Description

Dashboard: If configured, the default scan results page displays the Dashboard view.

Hosts: The Hosts page displays all scanned targets. If the scan is configured for compliance scanning, the exchange icon allows you to navigate between the Compliance and Vulnerability results.

Vulnerabilities: List of vulnerabilities identified by plugins, sorted by severity.

Compliance: If the scan includes Compliance Checks, this list displays counts and details sorted by vulnerability severity.

Remediations: If the scan's results include Remediation information, this list displays all remediation details, sorted by the number of vulnerabilities.

Notes: The Notes page displays additional information about the scan and the scan's results.

History: The History page displays a listing of scans: Start Time, End Time, and the Scan Statuses.


Report Filters

Nessus offers a flexible system of filters to assist in displaying specific report results. Filters can be used to display results based on any aspect of the vulnerability findings. When multiple filters are used, more detailed and customized report views can be created.

The first filter type is a simple text string entered into the Filter Vulnerabilities box on the upper right. As you type, Nessus immediately begins to filter the results based on your text and what it matches in the titles of the findings. The second filter type is more comprehensive and allows you to specify more details. To create this type of filter, begin by clicking the down arrow on the right side of the Filter Vulnerabilities box. Filters can be created from any report tab. Multiple filters can be created with logic that allows for complex filtering.

A filter is created by selecting the plugin attribute, a filter argument, and a value to filter on. When selecting multiple filters, specify the keyword Any or All accordingly. If All is selected, only results that match all filters are displayed; if Any is selected, results that match at least one filter are displayed:

Option: Description

Plugin ID: Filter results if the Plugin ID is equal to, is not equal to, contains, or does not contain a given string (e.g., 42111).

Plugin Description: Filter results if the Plugin Description contains or does not contain a given string (e.g., remote).

Plugin Name: Filter results if the Plugin Name is equal to, is not equal to, contains, or does not contain a given string (e.g., windows).

Plugin Family: Filter results if the Plugin Family is equal to or is not equal to one of the designated Nessus plugin families. The possible matches are provided via a drop-down menu.

Plugin Output: Filter results if the Plugin Output is equal to, is not equal to, contains, or does not contain a given string (e.g., PHP).

Plugin Type: Filter results if the Plugin Type is equal to or is not equal to one of the two types of plugins: local or remote.

Solution: Filter results if the plugin Solution contains or does not contain a given string (e.g., upgrade).

Synopsis: Filter results if the plugin Synopsis contains or does not contain a given string (e.g., PHP).

Hostname: Filter results if the host is equal to, is not equal to, contains, or does not contain a given string (e.g., 192.168 or lab).


Port: Filter results if a port is equal to, is not equal to, contains, or does not contain a given string (e.g., 80).

Protocol: Filter results if a protocol is equal to or is not equal to a given string (e.g., http).

CWE: Filter results by Common Weakness Enumeration (CWE) reference: if the CWE reference is equal to, is not equal to, contains, or does not contain a given CWE number (e.g., 200).

CPE: Filter results if the Common Platform Enumeration (CPE) is equal to, is not equal to, contains, or does not contain a given string (e.g., Solaris).

CVSS Base Score: Filter results if the CVSS base score is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 5). This filter can be used to select by risk level. The severity ratings are derived from the associated CVSS base score: 0 is Info, 0.1 to 3.9 is Low, 4.0 to 6.9 is Medium, 7.0 to 9.9 is High, and a CVSS score of 10 is flagged Critical.

CVSS Temporal Score: Filter results if the CVSS temporal score is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 3.3).

CVSS Temporal Vector: Filter results if the CVSS temporal vector is equal to, is not equal to, contains, or does not contain a given string (e.g., E:F).

CVSS Vector: Filter results if the CVSS vector is equal to, is not equal to, contains, or does not contain a given string (e.g., AV:N).

Vulnerability Publication Date: Filter results if the vulnerability publication date is earlier than, later than, on, not on, contains, or does not contain a string (e.g., 01/01/2012). Note: Pressing the button next to the date brings up a calendar interface for easier date selection.

Patch Publication Date: Filter results if the patch publication date is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 12/01/2011).

Plugin Publication Date: Filter results if the Nessus plugin publication date is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 06/03/2011).

Plugin Modification Date: Filter results if the Nessus plugin modification date is less than, is more than, is equal to, is not equal to, contains, or does not contain a string (e.g., 02/14/2010).

CVE: Filter results if a CVE reference is equal to, is not equal to, contains, or does not contain a given string (e.g., 2011-0123).


Bugtraq ID: Filter results if a Bugtraq ID is equal to, is not equal to, contains, or does not contain a given string (e.g., 51300).

CERT Advisory ID: Filter results if a CERT Advisory ID (now called Technical Cyber Security Alert) is equal to, is not equal to, contains, or does not contain a given string (e.g., TA12-010A).

OSVDB ID: Filter results if an Open Source Vulnerability Database (OSVDB) ID is equal to, is not equal to, contains, or does not contain a given string (e.g., 78300).

Secunia ID: Filter results if a Secunia ID is equal to, is not equal to, contains, or does not contain a given string (e.g., 47650).

Exploit Database ID: Filter results if an Exploit Database ID (EDB-ID) reference is equal to, is not equal to, contains, or does not contain a given string (e.g., 18380).

Metasploit Name: Filter results if a Metasploit module name is equal to, is not equal to, contains, or does not contain a given string (e.g., xslt_password_reset).

Exploited by Malware: Filter results on whether the vulnerability is known to be exploited by malware: equal to or not equal to true or false.

IAVA: Filter results if an IAVA reference is equal to, is not equal to, contains, or does not contain a given string (e.g., 2012-A-0008).

IAVB: Filter results if an IAVB reference is equal to, is not equal to, contains, or does not contain a given string (IAVB identifiers use a B designator, e.g., 2012-B-0008).

IAVM Severity: Filter results based on the IAVM severity level (e.g., IV).

IAVT: Filter results if an IAVT reference is equal to, is not equal to, contains, or does not contain a given string (IAVT identifiers use a T designator, e.g., 2012-T-0008).

See Also: Filter results if a Nessus plugin "see also" reference is equal to, is not equal to, contains, or does not contain a given string (e.g., seclists.org).

Risk Factor: Filter results based on the risk factor of the vulnerability (e.g., Low, Medium, High, Critical).

Exploits Available: Filter results based on whether the vulnerability has a known public exploit.

Exploitability Ease: Filter results if the exploitability ease is equal to or is not equal to one of the following values: Exploits are available, No exploit is required, or No known exploits are available.


Metasploit Exploit Framework: Filter results on whether an exploit for the vulnerability exists in the Metasploit Exploit Framework: equal to or not equal to true or false.

CANVAS Exploit Framework: Filter results on whether an exploit exists in the CANVAS exploit framework: equal to or not equal to true or false.

CANVAS Package: Filter results based on which CANVAS exploit framework package an exploit exists for. Options include CANVAS, D2ExploitPack, or White_Phosphorus.

CORE Exploit Framework: Filter results on whether an exploit exists in the CORE exploit framework: equal to or not equal to true or false.

Elliot Exploit Framework: Filter results on whether an exploit exists in the Elliot exploit framework: equal to or not equal to true or false.

Elliot Exploit Name: Filter results if an Elliot exploit name is equal to, is not equal to, contains, or does not contain a given string (e.g., Typo3FD).

ExploitHub: Filter results on whether an exploit exists on the ExploitHub web site: equal to or not equal to true or false.
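The filter semantics above (one attribute, one operator and one value per filter; Any or All to combine several; a risk factor derived from the CVSS base score) are easy to reproduce offline, which is useful when triaging an exported report without the UI. The following Python is an added example written for this guide, not Nessus code or a Tenable API. The findings it filters are constructed sample data, and their field names (plugin_id, hostname, cvss_base_score, exploit_available and so on) are an assumption chosen to mirror the filter options, not a Nessus data structure; the CVSS-to-risk mapping is the one given in the CVSS Base Score row.

```python
"""Evaluate Nessus-style report filters offline (added example, not Nessus code)."""
from datetime import date
from typing import Any, Callable, Dict, List, Sequence, Tuple

Finding = Dict[str, Any]
Filter = Tuple[str, str, Any]  # (attribute, operator, value), as in the filter dialog

# Constructed sample findings; field names are an assumption mirroring the filter options.
SAMPLE_FINDINGS: List[Finding] = [
    {"plugin_id": "42111", "plugin_name": "SMB signing not required", "plugin_family": "Windows",
     "plugin_type": "remote", "hostname": "192.168.1.10", "port": 445, "protocol": "tcp",
     "cvss_base_score": 5.0, "exploit_available": False, "cve": [],
     "vuln_publication_date": date(2012, 1, 1)},
    {"plugin_id": "10107", "plugin_name": "HTTP server type and version", "plugin_family": "Web Servers",
     "plugin_type": "remote", "hostname": "192.168.1.20", "port": 80, "protocol": "tcp",
     "cvss_base_score": 0.0, "exploit_available": False, "cve": [], "vuln_publication_date": None},
    {"plugin_id": "55555", "plugin_name": "PHP remote code execution", "plugin_family": "CGI abuses",
     "plugin_type": "remote", "hostname": "lab-web01", "port": 80, "protocol": "tcp",
     "cvss_base_score": 10.0, "exploit_available": True, "cve": ["CVE-2011-0123"],
     "vuln_publication_date": date(2011, 12, 15)},
    {"plugin_id": "66666", "plugin_name": "Local kernel privilege escalation",
     "plugin_family": "Ubuntu Local Security Checks", "plugin_type": "local", "hostname": "lab-web01",
     "port": 0, "protocol": "tcp", "cvss_base_score": 7.2, "exploit_available": True, "cve": [],
     "vuln_publication_date": date(2012, 1, 17)},
]


def severity_from_cvss(score: float) -> str:
    """Risk level derived from the CVSS base score, as in the CVSS Base Score filter row."""
    if score == 0:
        return "Info"
    if score < 4:
        return "Low"
    if score < 7:
        return "Medium"
    if score < 10:
        return "High"
    return "Critical"


def _text(value: Any) -> str:
    """Render a field the way a string filter sees it: lists joined, booleans as true/false."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (list, tuple)):
        return ", ".join(str(v) for v in value)
    return str(value)


def _equal(actual: Any, wanted: Any) -> bool:
    """Numeric equality when both sides parse as numbers (so '5' matches 5.0), else case-insensitive text."""
    try:
        return float(actual) == float(wanted)
    except (TypeError, ValueError):
        return _text(actual).lower() == _text(wanted).lower()


def _ordered(actual: Any, wanted: Any, test: Callable[[Any, Any], bool]) -> bool:
    """'is less than' / 'is more than' over numbers or dates; a missing or non-numeric field never matches."""
    if actual is None:
        return False
    try:
        if isinstance(actual, date):
            wanted = wanted if isinstance(wanted, date) else date.fromisoformat(str(wanted))
            return test(actual, wanted)
        return test(float(actual), float(wanted))
    except (TypeError, ValueError):
        return False


OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "is equal to": _equal,
    "is not equal to": lambda a, w: not _equal(a, w),
    "contains": lambda a, w: _text(w).lower() in _text(a).lower(),
    "does not contain": lambda a, w: _text(w).lower() not in _text(a).lower(),
    "is less than": lambda a, w: _ordered(a, w, lambda x, y: x < y),
    "is more than": lambda a, w: _ordered(a, w, lambda x, y: x > y),
}


def finding_attribute(finding: Finding, name: str) -> Any:
    """Look up a filter attribute; risk_factor is derived from the CVSS score rather than stored."""
    if name == "risk_factor":
        return severity_from_cvss(finding["cvss_base_score"])
    return finding.get(name)


def apply_filters(findings: Sequence[Finding], filters: Sequence[Filter], match: str = "All") -> List[Finding]:
    """Keep findings satisfying All (every filter) or Any (at least one filter), preserving order."""
    if match not in ("All", "Any"):
        raise ValueError("match must be 'All' or 'Any'")
    combine = all if match == "All" else any
    return [f for f in findings
            if combine(OPERATORS[op](finding_attribute(f, attr), value) for attr, op, value in filters)]


def plugin_ids(findings: Sequence[Finding]) -> List[str]:
    return [f["plugin_id"] for f in findings]


def count_by_severity(findings: Sequence[Finding]) -> Dict[str, int]:
    """Severity breakdown like the dashboard's Current Vulnerabilities widget."""
    counts = {level: 0 for level in ("Info", "Low", "Medium", "High", "Critical")}
    for f in findings:
        counts[severity_from_cvss(f["cvss_base_score"])] += 1
    return counts


if __name__ == "__main__":
    hits = apply_filters(SAMPLE_FINDINGS, [("risk_factor", "is equal to", "Critical"),
                                           ("exploit_available", "is equal to", "true")], match="All")
    print(plugin_ids(hits), count_by_severity(SAMPLE_FINDINGS))
```

Note that with an empty filter list All keeps every finding and Any keeps none, which is the usual empty-conjunction and empty-disjunction behaviour; a front end should treat "no filters" as "no filtering" before calling apply_filters.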


Report Screenshots

Nessus also has the ability to take screenshots during a vulnerability scan and include them in a report.

For example, if Nessus discovers VNC running without a password to restrict access, a screenshot is taken to show the session and included in the report.

This feature must be enabled in the Scan Web Applications section of a scan policy, under General.


Compare Report Results (Diff)

With Nessus, you can compare two scan reports against each other to display any differences. The ability to show scan differentials helps to point out how a given system or network has changed over time. This helps in compliance analysis by showing how vulnerabilities are being remediated, whether systems are patched as new vulnerabilities are found, or how two scans may not be targeting the same hosts.
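Two exports can also be compared outside the UI, and doing so is the quickest way to check the last point above: a finding that disappears because its host was not rescanned is a coverage change, not a remediation. The following Python is an added example for this guide, not Nessus code. It parses the element names of the .nessus v2 export format (NessusClientData_v2, Report, ReportHost, and ReportItem with its pluginID, port, protocol and severity attributes) from two constructed sample exports, and reports new, fixed and unchanged findings separately from hosts present in only one of the two scans.

```python
"""Diff two .nessus exports, separating remediation from coverage changes (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Set, Tuple

FindingKey = Tuple[str, str, str, str]  # (host, pluginID, port, protocol)

# Constructed baseline export (sample data, not real scan output): two hosts.
OLD_SCAN = """
<NessusClientData_v2>
<Report name="Baseline">
  <ReportHost name="192.168.1.10">
    <ReportItem port="445" protocol="tcp" severity="2" pluginID="42111" pluginName="SMB signing not required"/>
    <ReportItem port="80" protocol="tcp" severity="0" pluginID="10107" pluginName="HTTP server type and version"/>
  </ReportHost>
  <ReportHost name="192.168.1.20">
    <ReportItem port="80" protocol="tcp" severity="4" pluginID="55555" pluginName="PHP remote code execution"/>
  </ReportHost>
</Report>
</NessusClientData_v2>
"""

# Constructed follow-up export: 192.168.1.20 was not rescanned, lab-web01 is scanned for the first time.
NEW_SCAN = """
<NessusClientData_v2>
<Report name="Follow-up">
  <ReportHost name="192.168.1.10">
    <ReportItem port="80" protocol="tcp" severity="0" pluginID="10107" pluginName="HTTP server type and version"/>
    <ReportItem port="443" protocol="tcp" severity="3" pluginID="77777" pluginName="TLS service weak configuration"/>
  </ReportHost>
  <ReportHost name="lab-web01">
    <ReportItem port="0" protocol="tcp" severity="3" pluginID="66666" pluginName="Local kernel privilege escalation"/>
  </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text: str, min_severity: int = 0) -> Dict[str, Set[FindingKey]]:
    """Map each ReportHost name to its findings at or above min_severity.

    A host with no qualifying findings still appears with an empty set, so that
    'scanned, nothing found' can be told apart from 'not scanned'.
    """
    root = ET.fromstring(xml_text)
    hosts: Dict[str, Set[FindingKey]] = {}
    for host in root.iter("ReportHost"):
        name = host.get("name", "")
        items = hosts.setdefault(name, set())
        for item in host.iter("ReportItem"):
            if int(item.get("severity", "0")) < min_severity:
                continue
            items.add((name, item.get("pluginID", ""), item.get("port", ""), item.get("protocol", "")))
    return hosts


@dataclass(frozen=True)
class ScanDiff:
    new: Set[FindingKey]        # only in the newer scan, on a host both scans covered
    fixed: Set[FindingKey]      # only in the older scan, on a host both scans covered
    unchanged: Set[FindingKey]  # in both scans
    hosts_only_in_old: Dict[str, int]  # host -> findings that vanished because it was not rescanned
    hosts_only_in_new: Dict[str, int]  # host -> findings on a host the older scan never covered


def diff_scans(old_xml: str, new_xml: str, min_severity: int = 0) -> ScanDiff:
    """Compare findings only on hosts present in both scans; report coverage differences separately."""
    old = parse_nessus(old_xml, min_severity)
    new = parse_nessus(new_xml, min_severity)
    common = old.keys() & new.keys()
    old_common = {f for h in common for f in old[h]}
    new_common = {f for h in common for f in new[h]}
    return ScanDiff(
        new=new_common - old_common,
        fixed=old_common - new_common,
        unchanged=old_common & new_common,
        hosts_only_in_old={h: len(old[h]) for h in old.keys() - new.keys()},
        hosts_only_in_new={h: len(new[h]) for h in new.keys() - old.keys()},
    )


if __name__ == "__main__":
    d = diff_scans(OLD_SCAN, NEW_SCAN, min_severity=1)  # severity 1+ skips Info findings
    print(f"fixed={len(d.fixed)} new={len(d.new)} unchanged={len(d.unchanged)}")
    print("not rescanned:", d.hosts_only_in_old, "newly scanned:", d.hosts_only_in_new)
```

A naive set difference over all findings would have counted the PHP finding on 192.168.1.20 as fixed; keeping the host-coverage comparison separate is what stops an incomplete target list from being reported as remediation.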


Knowledge Base

A Knowledge Base (KB) is saved with every scan performed. This is an ASCII text file containing a log of information relevant to the scan performed and results found. A KB is often useful in cases where you need support from Tenable, as it allows Support staff to understand exactly what Nessus did and what information was found. You can download a KB from the Host Details section.

Only scans performed on the host will have an associated KB.


Exported Results

Once a scan is complete, its results can be exported.

Using the Export button, you can export the scan's results in one of four formats:

- Nessus (.nessus)

- HTML

- CSV

- Nessus DB (.db)

Nessus DB format is an encrypted, proprietary format that exports all scan data. A password must be created when exporting, and the same password must be supplied when importing the .db file.

Note: If the Nessus server time zone is changed after Nessus is installed and running, the time displayed on HTML and PDF reports shows the accurate time of day for the new time zone, but the time zone label still reflects the previous time zone. To resolve this issue, restart the Nessus service.


Manage Policies

This section includes information and steps to perform common tasks associated with managing Nessus Policies.

- Create a Policy

- Create a Limited Plugin Policy

- Manage Policies


Create a Policy

From the Policies page you can create a New Policy, or manage your policies.

Tip: Creating a new Policy involves the same steps as creating a new Scan: use the New Policy button, select a template, and configure your policy's settings.

Create a Basic Scan Policy


1. From the Policies page, click New Policy; you are redirected to the Template Library.

2. Select the Basic Network Scan template.

3. Configure the scan's Settings using the Basic, Discovery, Assessment, Report, and Advanced links.

4. Click Credentials.


5. From the Credentials list, select the credentials required to perform the scan. Multiple credentials can be added and configured.

This policy is ready to be used when creating new Basic Network Scans.

Create an Advanced Scan Policy

1. From the Policies page, click New Policy; you are redirected to the Policy Library.

2. Select the Advanced Scan template.

3. Configure the scan's Settings using the Basic, Discovery, Assessment, Report, and Advanced links.

4. Click Credentials.

5. From the Credentials list, select the credentials required to perform the scan. Multiple credentials can be added and configured.

6. If applicable, click Compliance.

7. From the Compliance Checks list, select the compliance checks applicable to the scan. Multiple compliance checks can be added and configured.

8. If applicable, click Plugins; enabled Plugins are displayed.

If Agents are linked to Nessus, you can also create Agent policies.


Create a Limited Plugin Policy

1. From the Policies page, click New Policy; you are redirected to the Policy Library.

2. Select the Advanced Scan template.

3. Configure the scan's Settings using the Basic, Discovery, Assessment, Report, and Advanced links.

4. Click Credentials.

5. From the Credentials list, select the credentials required to perform the scan. Multiple credentials can be added and configured.

6. If applicable, click Compliance.

7. From the Compliance Checks list, select the compliance checks applicable to the scan. Multiple compliance checks can be added and configured.

8. Click Plugins.

By default, all Plugins are Enabled.


9. Next, click the Disable All button.

10. From the Plugins list, click the Plugin Family name you want to Enable.

Do not click the Disabled button next to the Plugin Family name.

After you click the Plugin Family name, all associated Plugins appear as Disabled in the right column.

11. Next, from the right column, click the Disabled button next to each Plugin Name that you wish to include in your policy.

In the right column, each Plugin switches from Disabled to Enabled, and the Plugin Family in the left column now shows Mixed.

To commit your changes, click the Save button.

12. Optional: In the top menu, click the Filter Plugin Families search box to search for, find, and apply specific Plugins.

When finished, click the Apply button.

From the results list, click the Enable button and then click the Save button.


13. Optional: Add more Plugins to your custom policy, clicking the Save button after enabling Plugins.


Manage Policies

Your policies are displayed on the Policies page.

When you select a policy from the list of existing policies (placing a check in the box beside its name), the More button appears.

Upload a Policy

The Upload button allows you to upload a previously downloaded policy. Using the native file browser box, select the policy from your local system and click Open.

Download a Policy

Clicking Download opens the browser's download dialog box, which allows you to open the policy in an external program (e.g., a text editor) or save the policy to the directory of your choice. Depending on the browser, the policy may be downloaded automatically.


Note: Passwords and .audit files contained in a policy are not exported. A downloaded policy must therefore have its credentials and compliance audit files re-entered after it is uploaded to another scanner.

Copy a Policy

To copy a policy, select a policy, then click the More button and select Copy.

Delete a Policy

To delete a policy, select a policy, then click the X icon or use the More button, Delete option.


Manage Nessus Agents

Once installed, Nessus Agents are viewed and managed in the Nessus Manager or Tenable Cloud interface.

Note: Before an Agent can be used in a scan, the Agent must be added to at least one agent group. For more information, see Manage Agent Groups and Create an Agent Scan.

View your Linked Agents

1. In Nessus, click the settings icon.

2. From the Scanners overview page, click Agents > Linked.

Remove a Linked Agent

To remove a linked Agent, you can click the x next to it, or you can use the check-boxes to select and remove multiple linked Agents.

Once linked to Nessus, Nessus Agents can be managed by adding them to or removing them from Nessus Agent Groups.


Manage Agent Groups

On the Scanners / Agents / Linked page, you can create a new agent group.

Agent groups are used to organize and manage the agents linked to your scanner. Each agent can be added to any number of groups, and scans can be configured to use these groups as targets.

Once a new group has been created, you can:

- Add Agents to the Group

- Manage its Agents

- Set Permissions for the agent group

- Rename the agent group

During the installation of Nessus Agents, you had the option of adding your agent to an existing agent group.

If you did not have any agent groups created prior to the Nessus Agent's install, or you opted not to add your agent to an existing group, you can create agent groups in the Nessus UI.

Create an Agent Group

1. In Nessus, click the settings icon.

2. Next, click the link for Scanners / Agents / Groups.


3. Click the New Group button.

4. In the Name field, name your agent group.

5. Click Save to continue.

Your new Agent Group page is displayed.

Add an Agent to a Group

1. Go to the Scanners / Agents / Groups page.

2. Click the name of the agent group that you will be adding Agents to.

3. From the Available Agents list, click the + button.

The agent moves from the Available Agents column to the Member Agents column.

Add Permissions to an Agent Group


1. Go to the Scanners / Agents / Groups page.

2. Click the name of the agent group that you will be adding permissions to.

3. Click the Permissions link.

Note: Only existing Nessus users or groups can be added to permissions for the agent group(s).

On this page, you have the following options:

- Set permissions for the Default Nessus group

- Add individual Nessus users and set specific permissions for that user

- Add Nessus User Groups and set specific permissions for that group

Agent groups have two permission options: Can Use or No Access.

Change the Name of an Agent Group

1. Go to the Scanners / Agents / Groups page.

2. Click the name of the agent group whose name you want to change.

3. Click the Settings link.

4. In the Name field, rename your group.

5. Click Save.


Create an Agent Scan

Note: Before an Agent can be used in a scan, the Agent must be added to at least one Agent Group.

Create a Basic Agent Scan

1. From the Scans / My Scans page, use the New Scan button to create a new scan; you are redirected to the Scan Library.


2. Click the Agent tab.

3. Select the Basic Agent Scan template.

4. Next, enter your Agent Scan details.

Name: Required.

Folder: The folder where this Agent Scan will be stored. By default, My Scans is selected.

Dashboard: If Enabled is selected, the scan results are included in dashboards.

Agent Groups: Required. Use the drop-down to select one or more Agent Groups.

Scan Window: Use the Scan Window drop-down to select an interval of time. To be included and visible in vulnerability reports, Nessus Agents must report within this time-frame; an agent that is offline for the whole window is simply absent from that scan's results.

Predefined values:

- 15 minutes

- 30 minutes

- 1 hour

- 6 hours

- 12 hours

- 1 day


5. OPTIONAL: Configure the scan's Settings: Basic, Discovery, Assessment, Report, and Advanced.

6. When done, you have the option to Save the scan or Launch the scan.

- Clicking the Save button saves the scan, but the scan does not launch; it is set to On Demand and can be launched from the Scans / My Scans page.

- Clicking the Save▼ arrow allows you to select Launch; the scan is saved and launches immediately.

Create an Advanced Agent Scan

1. From the Scans / My Scans page, use the New Scan button to create a new scan; you are redirected to the Scan Library.

2. Select the Advanced Agent Scan template.

3. Configure the scan's Settings using the Basic, Discovery, Assessment, Report, and Advanced links.


4. Click Credentials.

5. If applicable, click Compliance.

6. From the Compliance Checks list, select the compliance checks the scan should perform. Multiple compliance checks can be added and configured.

7. If applicable, click Plugins; enabled Plugins are displayed.

8. When done, you have the option to Save the scan or Launch the scan.

- Clicking the Save button will save the scan, but the scan will not launch; it will be set to On Demand and it can be launched from the Scans / My Scans page.

- Clicking the Save ▼ arrow will allow you to select Launch; the scan will be saved and will launch immediately.


Custom SSL Certificates

Usage

By default, Nessus is installed and managed using HTTPS and SSL support and uses port 8834, and a default installation of Nessus uses a self-signed SSL certificate.

To avoid browser warnings, a custom SSL certificate specific to your organization can be used. During the installation, Nessus creates two files that make up the certificate: servercert.pem and serverkey.pem. These files must be replaced with certificate files generated by your organization or a trusted Certificate Authority (CA).

Before replacing the certificate files, stop the Nessus server. Replace the two files and restart the Nessus server. Subsequent connections to the scanner should not display an error if the certificate was generated by a trusted CA.

Location of Certificate Files

Operating System: Directory

Linux:
/opt/nessus/com/nessus/CA/servercert.pem
/opt/nessus/var/nessus/CA/serverkey.pem

FreeBSD:
/usr/local/nessus/com/nessus/CA/servercert.pem
/usr/local/nessus/var/nessus/CA/serverkey.pem

Windows Vista and later:
C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem
C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem

Mac OS X:
/Library/Nessus/run/com/nessus/CA/servercert.pem
/Library/Nessus/run/var/nessus/CA/serverkey.pem

You can also use the /getcert switch to install the root CA in your browser, which will remove the warning.

https://[IP address]:8834/getcert

Note: To set up an intermediate certificate chain, a file named serverchain.pem must be placed in the same directory as the servercert.pem file. This file contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the user’s browser).
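The certificate swap and chain file described above, as an added shell example that is not Tenable's own tooling: it refuses a key that does not belong to the certificate, backs up the existing pair, installs the new files into the directories from the table, and concatenates the intermediates into serverchain.pem. The OS labels linux/freebsd/macos and all function names are this example's own; it assumes openssl is in PATH, root privileges, and a service nessusd wrapper for stopping and starting the scanner.

```shell
#!/bin/sh
# Added example, not Tenable's own tooling: install an organisation-issued
# certificate into the Nessus locations listed above, with the checks a
# reviewer would want before the scanner is restarted.
# Assumptions: openssl in PATH, run as root, a "service nessusd" wrapper.
set -eu

# Directory holding servercert.pem (and serverchain.pem), per the table above.
nessus_cert_dir() {
    case "$1" in
        linux)   echo /opt/nessus/com/nessus/CA ;;
        freebsd) echo /usr/local/nessus/com/nessus/CA ;;
        macos)   echo /Library/Nessus/run/com/nessus/CA ;;
        *)       echo "unsupported OS label: $1" >&2; return 1 ;;
    esac
}

# Directory holding serverkey.pem; note it is under var/, not com/.
nessus_key_dir() {
    case "$1" in
        linux)   echo /opt/nessus/var/nessus/CA ;;
        freebsd) echo /usr/local/nessus/var/nessus/CA ;;
        macos)   echo /Library/Nessus/run/var/nessus/CA ;;
        *)       echo "unsupported OS label: $1" >&2; return 1 ;;
    esac
}

# Number of PEM certificate blocks in a file; 0 when there are none or the
# file cannot be read (grep exits 1 for "no match" and 2 for an error).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || { [ $? -eq 1 ] || echo 0; }
}

# Concatenate the intermediates, issuer of the leaf first and the one signed
# by the root last, into serverchain.pem. Prints how many certificates were
# written and fails if any input carries no certificate block at all.
build_server_chain() {
    chain_out="$1"; shift
    : > "$chain_out"
    for inter in "$@"; do
        if [ "$(pem_cert_count "$inter")" -lt 1 ]; then
            echo "no certificate block in $inter" >&2
            return 1
        fi
        cat "$inter" >> "$chain_out"
    done
    pem_cert_count "$chain_out"
}

# The private key must belong to the certificate or nessusd will not come
# back up; comparing the public halves works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_custom_cert OS CERT KEY [INTERMEDIATE...]
install_custom_cert() {
    os="$1" new_cert="$2" new_key="$3"; shift 3
    certdir=$(nessus_cert_dir "$os")
    keydir=$(nessus_key_dir "$os")
    key_matches_cert "$new_cert" "$new_key" || {
        echo "private key does not match certificate; aborting" >&2; return 1; }
    service nessusd stop                     # stop before touching the files
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$certdir/servercert.pem" "$certdir/servercert.pem.$stamp"
    cp -p "$keydir/serverkey.pem" "$keydir/serverkey.pem.$stamp"
    install -m 0644 "$new_cert" "$certdir/servercert.pem"
    install -m 0600 "$new_key" "$keydir/serverkey.pem"
    if [ "$#" -gt 0 ]; then                  # intermediates were supplied
        build_server_chain "$certdir/serverchain.pem" "$@" > /dev/null
    fi
    service nessusd start
}

# Usage: install_custom_cert linux server.crt server.key intermediate.pem
[ "$#" -eq 0 ] || install_custom_cert "$@"
```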


SSL Client Certificate Authentication

Nessus supports use of SSL client certificate authentication. This allows use of SSL client certificates, smart cards, and CAC authentication when the browser is configured for this method.

Nessus allows for password-based or SSL Certificate authentication methods for user accounts. When creating a user for SSL certificate authentication, the nessuscli mkcert-client utility is used through the command line on the Nessus server.

Configure Nessus for Certificates

The first step to allow SSL certificate authentication is to configure the Nessus web server with a server certificate and CA.

This process allows the web server to trust certificates created by the Certificate Authority (CA) for authentication purposes. Generated files related to certificates must be owned by root:root, and have the correct permissions by default.

Create a new custom CA and server certificate

1. (Optional) Create a new custom CA and server certificate for the Nessus server using the nessuscli mkcert command at the command line. This will place the certificates in their correct directories.

When prompted for the hostname, enter the DNS name or IP address of the server as it appears in the browser, such as https://hostname:8834/ or https://ipaddress:8834/. The default certificate uses the hostname.

2. If a CA certificate is to be used instead of the Nessus generated one, make a copy of the self-signed CA certificate using the appropriate command for your OS:

Linux

# cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/ORIGcacert.pem

Windows Vista and later

C:\> copy \ProgramData\Tenable\Nessus\nessus\CA\cacert.pem C:\ProgramData\Tenable\Nessus\nessus\CA\ORIGcacert.pem

3. If the certificates to be used for authentication are created by a CA other than the Nessus server, the CA certificate must be installed on the Nessus server.

Linux

Copy the organization’s CA certificate to /opt/nessus/com/nessus/CA/cacert.pem


Windows 7 and later

Copy the organization’s CA certificate to C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem

4. Configure the Nessus server for certificate authentication. Once certificate authentication is enabled, login using a username and password is disabled.

Caution: Connecting Agents, Remote Scanners, or Managed Scanners using the force_pubkey_auth option is not supported.

Linux

# /opt/nessus/sbin/nessuscli fix --set force_pubkey_auth=yes

Windows

C:\> \program files\Tenable\Nessus\nessuscli fix --set force_pubkey_auth=yes

5. Once the CA is in place and the force_pubkey_auth setting is enabled, restart the Nessus services with the service nessusd restart command.

After Nessus has been configured with the proper CA certificate(s), users may log in to Nessus using SSL client certificates, Smart Cards, and CACs.

Create Nessus SSL Certificates for Login

To log in to a Nessus server with SSL certificates, the certificates must be created with the proper utility. For this process, the nessuscli mkcert-client command-line utility is used on the system. The six questions asked are to set defaults for the creation of users during the current session. These include certificate lifetime, country, state, location, organization, and organizational unit. The defaults for these options may be changed during the actual user creation if desired. The user(s) will then be created one at a time as prompted. At the end of the process the certificates are copied appropriately and are used to log in to the Nessus server.

1. On the Nessus server, run the nessuscli mkcert-client command.

Linux:

# /opt/nessus/sbin/nessuscli mkcert-client

Windows (Run as a local Administrator user):

C:\> \Program Files\Tenable\Nessus\nessuscli mkcert-client


2. Fill in the fields as prompted. The process is identical on a Linux or Windows server.

mkcert-client Output

Tip: The client certificates will be placed in the temporary directory in Nessus:

Linux: /opt/nessus/var/nessus/tmp/

Mac OS X: /Library/Nessus/run/var/nessus/tmp/


Windows: C:\programdata\tenable\nessus\tmp

Tip: Windows installations of Nessus do not come with “man” pages (local manual instructions). Consult the Tenable Support Portal for additional details on commonly used Nessus executables.

3. Two files are created in the temporary directory. In the example demonstrated in the above image, cert_sylvester.pem and key_sylvester.pem were created. These two files must be combined and exported into a format that may be imported into the web browser, such as .pfx. This may be accomplished with the openssl program and the following command:

# openssl pkcs12 -export -out combined_sylvester.pfx -inkey key_sylvester.pem -in cert_sylvester.pem -chain -CAfile /opt/nessus/com/nessus/CA/cacert.pem -passout 'pass:password' -name 'Nessus User Certificate for: sylvester'

The resulting file combined_sylvester.pfx will be created in the directory from which the command is launched. This file must then be imported into the web browser’s personal certificate store.

Enable Connections with Smart Card or CAC Card

Once the CA cert for the smart card, CAC, or similar device has been put in place, corresponding users must be created to match within Nessus. During this process, the users created must match the CN used on the card with which the user will connect.

1. On the Nessus server, run the nessuscli mkcert-client command.

Linux

# /opt/nessus/sbin/nessuscli mkcert-client

Windows (Run as a local Administrator user):

C:\> \Program Files\Tenable\Nessus\nessuscli.exe mkcert-client

2. Fill in the fields as prompted. The process is identical on a Linux or Windows server. The username must match the CN supplied by the certificate on the card.

Tip: Client certificates are created in a randomized temporary directory appropriate to the system. The temporary directory will be identified on the line beginning with "Your client certificates are in". For the use of card authentication, these certificates are not needed and may be deleted.


Once created, a user with the proper card may access the Nessus server and authenticate automatically once their PIN or similar secret is provided.

Connect with Certificate or Card Enabled Browser

The following information is provided with the understanding that your browser is configured for SSL certificate authentication. This includes the proper trust of the CA by the web browser. Please refer to your browser’s help files or other documentation to configure this feature.

The process for certificate login begins when a user connects to Nessus.

1. Launch a browser and navigate to the Nessus server.

2. The browser will present a list of available certificate identities to select from:

3. Once a certificate has been selected, a prompt for the PIN or password for the certificate is presented (if required) to access your certificate. When the PIN or password is successfully entered, the certificate will be available for the current session with Nessus.


4. Upon navigating to the Nessus web interface, the user may briefly see the username and password screen followed by an automatic login as the designated user. The Nessus user interface may be used normally.

Note: If you log out of the session, you will be presented with the standard Nessus login screen. If you wish to log in again with the same certificate, refresh your browser. If you need to use a different certificate, you must restart your browser session.


Enable SSH Local Security Checks

Before You Begin

This section applies to Linux and Network Devices.

This section is intended to provide a high-level procedure for enabling SSH between the systems involved in the Nessus credentialed checks. It is not intended to be an in-depth tutorial on SSH. It is assumed the reader has the prerequisite knowledge of Linux system commands.

Generate SSH Public and Private Keys

The first step is to generate a private/public key pair for the Nessus scanner to use.

This key pair can be generated from any of your Linux systems, using any user account. However, it is important that the keys be owned by the defined Nessus user.

To generate the key pair, use ssh-keygen and save the key in a safe place. In the following example the keys are generated on a Red Hat ES 3 installation.

# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/test/.ssh/id_dsa): /home/test/Nessus/ssh_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/Nessus/ssh_key.
Your public key has been saved in /home/test/Nessus/ssh_key.pub.
The key fingerprint is:
06:4a:fd:76:ee:0f:d4:e6:4b:74:84:9a:99:e6:12:ea
#

Do not transfer the private key to any system other than the one running the Nessus server. When ssh-keygen asks you for a passphrase, enter a strong passphrase or hit the Return key twice (i.e., do not set any passphrase). If a passphrase is specified, it must be specified in the Policies → Credentials → SSH settings options in order for Nessus to use key-based authentication.


Nessus Windows users may wish to copy both keys to the main Nessus application directory on the system running Nessus (C:\Program Files\Tenable\Nessus by default), and then copy the public key to the target systems as needed. This makes it easier to manage the public and private key files.

Create a User Account and Set up the SSH Key

On every target system to be scanned using local security checks, create a new user account dedicated to Nessus. This user account must have exactly the same name on all systems. For this document, we will call the user nessus, but you can use any name.

Once the account is created for the user, make sure that the account has no valid password set. On Linux systems, new user accounts are locked by default, unless an initial password was explicitly set. If you are using an account where a password had been set, use the passwd -l command to lock the account.

You must also create the directory under this new account’s home directory to hold the public key. For this exercise, the directory will be /home/nessus/.ssh. An example for Linux systems is provided below:

# passwd -l nessus
# cd /home/nessus
# mkdir .ssh
#

For Solaris 10 systems, Sun has enhanced the passwd(1) command to distinguish between locked and non-login accounts. This is to ensure that a user account that has been locked may not be used to execute commands (e.g., cron jobs). Non-login accounts are used only to execute commands and do not support an interactive login session. These accounts have the NP token in the password field of /etc/shadow. To set a non-login account and create the SSH public key directory in Solaris 10, run the following commands:

# passwd -N nessus
# grep nessus /etc/shadow
nessus:NP:13579::::::
# cd /export/home/nessus
# mkdir .ssh
#

Now that the user account is created, you must transfer the key to the system, place it in the appropriate directory and set the correct permissions.

From the system containing the keys, secure copy the public key to the system that will be scanned for host checks as shown below. 192.1.1.44 is an example remote system that will be tested with the host-based checks.


# scp ssh_key.pub nessus@192.1.1.44:/home/nessus/.ssh/authorized_keys
#

You can also copy the file from the system on which Nessus is installed using the secure FTP command, sftp. Note that the file on the target system must be named authorized_keys.

Note: Do not use the no-pty option in your authorized_keys file for SSH authentication. This can impact the SSH credentialed scans.

Return to the System Housing the Public Key

Set the permissions on both the /home/nessus/.ssh directory, as well as the authorized_keys file.

# chown -R nessus:nessus ~nessus/.ssh/
# chmod 0600 ~nessus/.ssh/authorized_keys
# chmod 0700 ~nessus/.ssh/
#

Repeat this process on all systems that will be tested for SSH checks (starting at Create a User Account and Set up the SSH Key above).

Test to make sure that the accounts and networks are configured correctly. Using the simple Linux command id, from the Nessus scanner, run the following command:

# ssh -i /home/test/nessus/ssh_key nessus@192.1.1.44 id
uid=252(nessus) gid=250(tns) groups=250(tns)
#

If it successfully returns information about the nessus user, the key exchange was successful.
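The target-side account, key and permission setup above, gathered into an added shell example that is not from the guide; it also checks the result against the chown/chmod sequence and the no-pty note. It assumes a Linux target with useradd, passwd, getent and GNU stat, root privileges, and the scanner's public key already copied over; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the guide: prepare a target host for the SSH local
# checks described above and verify the result. Assumptions: Linux with
# useradd/passwd/getent and GNU stat, run as root on the target, and the
# scanner's public key already copied to the target (for example with scp).
set -eu

# Count authorized_keys entries carrying the no-pty option, which the guide
# says must not be used because it interferes with credentialed scans.
# Prints 0 when there are none or the file is missing.
no_pty_count() {
    grep -c -E '(^|[ ,])no-pty([ ,]|$)' "$1" 2>/dev/null || { [ $? -eq 1 ] || echo 0; }
}

# Octal permission bits and owner of a path (GNU stat format strings).
mode_of()  { stat -c '%a' "$1"; }
owner_of() { stat -c '%U' "$1"; }

# Check the layout prescribed above: ~/.ssh is 0700, authorized_keys is
# 0600, the key file is owned by the scan account, and no entry uses no-pty.
# Returns 0 when everything is in order; reasons go to stderr otherwise.
check_target_ssh_setup() {
    acct="$1" acct_home="$2" problems=0
    keyfile="$acct_home/.ssh/authorized_keys"
    [ "$(mode_of "$acct_home/.ssh")" = 700 ] || { echo ".ssh must be 0700" >&2; problems=1; }
    [ "$(mode_of "$keyfile")" = 600 ] || { echo "authorized_keys must be 0600" >&2; problems=1; }
    [ "$(owner_of "$keyfile")" = "$acct" ] || { echo "authorized_keys must be owned by $acct" >&2; problems=1; }
    [ "$(no_pty_count "$keyfile")" = 0 ] || { echo "remove no-pty from authorized_keys" >&2; problems=1; }
    return "$problems"
}

# Create the dedicated, password-locked account, install the public key as
# authorized_keys and apply the chown/chmod sequence from the guide.
setup_target_ssh() {
    acct="$1" pubkey="$2"
    id "$acct" >/dev/null 2>&1 || useradd -m "$acct"
    passwd -l "$acct"                          # key-based login only
    acct_home=$(getent passwd "$acct" | cut -d: -f6)
    mkdir -p "$acct_home/.ssh"
    cat "$pubkey" > "$acct_home/.ssh/authorized_keys"
    chown -R "$acct:$(id -gn "$acct")" "$acct_home/.ssh"
    chmod 0700 "$acct_home/.ssh"
    chmod 0600 "$acct_home/.ssh/authorized_keys"
    check_target_ssh_setup "$acct" "$acct_home"
}

# Usage on the target, as root: setup_target_ssh nessus /root/ssh_key.pub
[ "$#" -eq 0 ] || setup_target_ssh "$@"
```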

Enable SSH Local Security Checks on Network Devices

In addition to using SSH for local security checks, Nessus also supports local security checks on various network devices. Those network devices currently include Cisco IOS devices, F5 Networks devices, Huawei devices, Junos devices, and Palo Alto Networks devices.

Network devices that support SSH require both a username and password. Currently, Nessus does not support any other forms of authentication to network devices.

See your appropriate network device manual for configuring SSH support.


Credentialed Checks on Windows

Prerequisites

A very common mistake is to create a local account that does not have enough privileges to log on remotely and do anything useful. By default, Windows will assign new local accounts Guest privileges if they are logged into remotely. This prevents remote vulnerability audits from succeeding. Another common mistake is to increase the amount of access that the Guest users obtain. This reduces the security of your Windows server.

Enable Windows Logins for Local and Remote Audits

The most important aspect about Windows credentials is that the account used to perform the checks should have privileges to access all required files and registry entries, and in many cases this means administrative privileges. If Nessus is not provided the credentials for an administrative account, at best it can be used to perform registry checks for the patches. While this is still a valid method to determine if a patch is installed, it is incompatible with some third party patch management tools that may neglect to set the key in the policy. If Nessus has administrative privileges, then it will actually check the version of the dynamic-link library (.dll) on the remote host, which is considerably more accurate.

Configure a Local Account

To configure a stand-alone Windows server that is not part of a domain with credentials to be used, simply create a unique account as an administrator.

Make sure that the configuration of this account is not set with a typical default of Guest only: local users authenticate as guest. Instead, switch this to Classic: local users authenticate as themselves.

To configure the server to allow logins from a domain account, the Classic security model should be invoked.

1. Open Group Policy by clicking on Start, click Run, type gpedit.msc and then click OK.

2. Select Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.

3. From the list of policies open Network access: Sharing and security model for local accounts.

4. In this dialog, select Classic – local users authenticate as themselves and click OK to save this.

This will cause users local to the domain to authenticate as themselves, even though they are actually not really physically local on the particular server. Without doing this, all remote users, even real users in the domain, will actually authenticate as a Guest and will likely not have enough credentials to perform a remote audit.

Tip: The gpedit.msc tool is not available on some versions such as Windows 7 Home, which is not supported by Tenable.

Configure a Domain Account for Authenticated Scanning

To create a domain account for remote host-based auditing of a Windows server, the server must first be Windows Server 2008, Server 2008 R2*, Server 2012, Server 2012 R2, Windows 7, Windows 8, or Windows 10 and must be part of a domain.

Create a Security Group called Nessus Local Access

1. Log onto a Domain Controller, open Active Directory Users and Computers.

2. Create a security Group from the Menu: select Action → New → Group.

3. Name the group Nessus Local Access. Make sure it has a Scope of Global and a Type of Security.

4. Add the account you will use to perform Nessus Windows Authenticated Scans to the Nessus Local Access group.

Create Group Policy called Local Admin GPO

1. Open the Group Policy Management Console.

2. Right click on Group Policy Objects and select New.

3. Type the name of the policy Nessus Scan GPO.

Add the Nessus Local Access group to the Nessus Scan GPO

1. Right click Nessus Scan GPO Policy then select Edit.

2. Expand Computer configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

3. In the Left pane on Restricted Groups, right click and select Add Group.

4. In the Add Group dialog box, select browse and type Nessus Local Access and then click Check Names.

5. Click OK twice to close the dialog box.


6. Click Add under This group is a member of:

7. Add the Administrators Group.

8. Click OK twice.

Nessus uses SMB (Server Message Block) and WMI (Windows Management Instrumentation); for this we need to make sure that the Windows Firewall will allow access to the system.

Allow WMI on Windows Vista, 7, 8, 10, 2008, 2008 R2 and 2012 Windows Firewall

1. Right click Nessus Scan GPO Policy then select Edit.

2. Expand Computer configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules

3. Right-click in the working area and choose New Rule…

4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down list.

5. Click on Next.

6. Select the Checkboxes for:

Windows Management Instrumentation (ASync-In)

Windows Management Instrumentation (WMI-In)

Windows Management Instrumentation (DCOM-In)

7. Click on Next

8. Click on Finish

Tip: Later, you can edit the predefined rule created and limit the connection to the ports by IP Address and Domain User so as to reduce any risk for abuse of WMI.

Link the GPO

1. In Group Policy Management Console, right click on the domain or the OU and select Link an Existing GPO

2. Select the Nessus Scan GPO


Configure Windows 2008, Vista, 7, 8, and 10

1. Under Windows Firewall → Windows Firewall Settings, File and Printer Sharing must be enabled.

2. Using the gpedit.msc tool (via the Run... prompt), invoke the Group Policy Object Editor. Navigate to Local Computer Policy → Administrative Templates → Network → Network Connections → Windows Firewall → Standard Profile → Windows Firewall: Allow inbound file and printer exception, and enable it.

3. While in the Group Policy Object Editor, navigate to Local Computer Policy → Administrative Templates → Network → Network Connections → Prohibit use of Internet connection firewall on your DNS domain and ensure it is set to either Disabled or Not Configured.

4. The Remote Registry service must be enabled (it is disabled by default). It can be enabled manually for continuing audits, either by an administrator or by Nessus. Using plugin IDs 42897 and 42898, Nessus can enable the service just for the duration of the scan.

Note: Enabling this option configures Nessus to attempt to start the remote registry service prior to starting the scan.

The Windows credentials provided in the Nessus scan policy must have administrative permissions to start the Remote Registry service on the host being scanned.

Caution: While not recommended, Windows User Account Control (UAC) can be disabled.

Tip: To turn off UAC completely, open the Control Panel, select User Accounts and then set Turn User Account Control to off. Alternatively, you can add a new registry key named LocalAccountTokenFilterPolicy and set its value to 1.

This key must be created in the registry at the following location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.

For more information on this registry setting, consult the MSDN 766945 KB. In Windows 7 and 8, if UAC is disabled, then EnableLUA must be set to 0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System as well.


Additional Resources

- Run Nessus as Non-Privileged User
- Scan Targets Explained
- Command Line Operations
- More Nessus Resources


Run Nessus as Non-Privileged User

Nessus 6.7 and later has the ability to run as a non-privileged user.

Limitations

- When scanning localhost, Nessus Plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the Plugins are not able to access all directories.

- nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which could cause Nessus to be unable to access them appropriately. Use care when running nessuscli, and potentially fix permissions with chown after using it.


Run Nessus on Linux with Systemd as Non-Privileged User

Limitations

- For use with Nessus 6.7 or later.

- When scanning localhost, Nessus Plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the Plugins are not able to access all directories.

- nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which could cause Nessus to be unable to access them appropriately. Use care when running nessuscli, and potentially fix permissions with chown after using it.

1. If you have not already, perform a Nessus Linux Install.

2. Create a non-root account which will run the Nessus service.

sudo useradd -r nonprivuser

3. Remove 'world' permissions on Nessus binaries in the /sbin directory.

sudo chmod 750 /opt/nessus/sbin/*

4. Change ownership of /opt/nessus to the non-root user.

sudo chown nonprivuser:nonprivuser -R /opt/nessus

5. Set capabilities on nessusd and nessus-service.

Tip:
cap_net_admin is used to put the interface in promiscuous mode.
cap_net_raw is used to create raw sockets for packet forgery.
cap_sys_resource is used to set resource limits.

If this is only a manager, and this Nessus install will not be performing scans, you only need to provide it with the capability to change its resource limits.


sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessusd
sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

If this Nessus install will actually be performing scans, you need to add additional permissions to allow packet forgery and enabling promiscuous mode on the interface.

sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessusd
sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

6. Modify the service script, /usr/lib/systemd/system/nessusd.service, removing and adding the following lines:

Remove: ExecStart=/opt/nessus_pr/sbin/nessus-service -q

Add: ExecStart=/opt/nessus_pr/sbin/nessus-service -q --no-root

Add: User=nonprivuser

The resulting script should appear as follows:

[Service]
Type=simple
PIDFile=/opt/nessus_pr/var/nessus/nessus-service.pid
ExecStart=/opt/nessus_pr/sbin/nessus-service -q --no-root
Restart=on-abort
ExecReload=/usr/bin/pkill nessusd
EnvironmentFile=-/etc/sysconfig/nessusd
User=nonprivuser

[Install]
WantedBy=multi-user.target

7. Reload and start nessusd. In this step, Nessus is restarted as root, but systemd will start it as the 'nonprivuser' user.


sudo systemctl daemon-reload
sudo service nessusd start


Run Nessus on Linux with init.d Script as Non-Privileged User

Limitations

- For use with Nessus 6.7 or later.

- When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.

- nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which could cause Nessus to be unable to access them appropriately. Use care when running nessuscli, and potentially fix permissions with chown after using it.

Steps

1. If you have not already, perform a Nessus Linux Install.

2. Create a non-root account which will run the Nessus service.

sudo useradd -r nonprivuser

3. Remove 'world' permissions on Nessus binaries in the /sbin directory.

sudo chmod 750 /opt/nessus/sbin/*

4. Change ownership of /opt/nessus to the non-root user.

sudo chown nonprivuser:nonprivuser -R /opt/nessus

5. Set capabilities on nessusd and nessus-service.

Tip:

cap_net_admin is used to put the interface in promiscuous mode.

cap_net_raw is used to create raw sockets for packet forgery.


cap_sys_resource is used to set resource limits.

If this is only a manager, and this Nessus install will not be performing scans, you only need to provide it with the capability to change its resource limits.

sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessusd
sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

If this Nessus install will actually be performing scans, you need to add additional permissions to allow packet forgery and to enable promiscuous mode on the interface.

sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessusd
sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessus-service

6. Next, using a text editor, modify the service script, /etc/init.d/nessusd, removing and adding the following lines:

Remove: /opt/nessus/sbin/nessus-service -q -D

Add: daemon --user=nonprivuser /opt/nessus/sbin/nessus-service -- -q -D --no-root

The resulting script should appear as follows:

start() {
    KIND="$NESSUS_NAME"
    echo -n $"Starting $NESSUS_NAME : "
    daemon --user=nonprivuser /opt/nessus/sbin/nessus-service -- -q -D --no-root
    echo "."
    return 0
}

7. Start nessusd.

In this step, the service is started as root, but init.d will start the process as the 'nonprivuser' user.

sudo service nessusd start
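The following script is an added example for the two Linux procedures above (systemd and init.d); it is not part of the Nessus guide and not Tenable's code. It re-checks the state each procedure is meant to leave behind: every file under the install tree owned by the non-root user (the nessuscli limitation above is exactly how root-owned files creep back in), no world permission bits on the binaries in sbin, a start line that carries --no-root together with the user name, and the capability set reported by getcap for nessusd and nessus-service matching what was assigned, no more and no less (a manager-only host should not carry cap_net_raw). Install path, user name, start script and expected capabilities are arguments; the defaults assume the guide's /opt/nessus, nonprivuser, the systemd unit and the scanner capability set.

```shell
#!/bin/sh
# Added example (not from the Nessus guide): re-check the non-root setup.
# Usage: sh check_nonroot.sh [install-dir] [user] [start-script] [expected-caps]
# Defaults assume the guide's layout: /opt/nessus, nonprivuser, the systemd
# unit, and the scanner capability set from step 5.

# check_ownership DIR USER: succeed only if every path under DIR is owned by USER.
check_ownership() {
    offenders=$(find "$1" | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        [ "$owner" = "$2" ] || printf '%s (owner %s)\n' "$f" "$owner"
    done)
    [ -z "$offenders" ] && return 0
    printf 'not owned by %s:\n%s\n' "$2" "$offenders" >&2
    return 1
}

# check_no_world_bits DIR: succeed only if no regular file under DIR grants
# read, write or execute to "other" (what chmod 750 on sbin/* is for).
check_no_world_bits() {
    offenders=$(find "$1" -type f | while IFS= read -r f; do
        other=$(ls -ld "$f" | cut -c8-10)
        [ "$other" = "---" ] || printf '%s (other=%s)\n' "$f" "$other"
    done)
    [ -z "$offenders" ] && return 0
    printf 'world-accessible files:\n%s\n' "$offenders" >&2
    return 1
}

# check_start_script FILE USER: the line that launches nessus-service must carry
# --no-root, and the script must name USER (systemd User=, init.d daemon
# --user=, or FreeBSD daemon -u); otherwise the service silently runs as root.
check_start_script() {
    grep -q 'nessus-service.*--no-root' "$1" || return 1
    grep -Eq "(^User=|--user=|-u )$2( |\$)" "$1" || return 1
}

# caps_match GETCAP_LINE EXPECTED: compare the capability names getcap(8)
# printed for a binary with the comma-separated set you assigned. Both
# getcap output styles are handled: "/path = caps+eip" (older libcap) and
# "/path caps=eip" (libcap 2.41 and later). Extra capabilities fail the check.
caps_match() {
    have=$(printf '%s' "$1" | sed -e 's/^[^ ]* *=* *//' -e 's/[+=].*$//' | tr ',' '\n' | sort)
    want=$(printf '%s' "$2" | tr ',' '\n' | sort)
    [ "$have" = "$want" ]
}

main() {
    dir="${1:-/opt/nessus}"; user="${2:-nonprivuser}"
    script="${3:-/usr/lib/systemd/system/nessusd.service}"
    caps="${4:-cap_net_admin,cap_net_raw,cap_sys_resource}"
    rc=0
    check_ownership "$dir" "$user" || rc=1
    check_no_world_bits "$dir/sbin" || rc=1
    check_start_script "$script" "$user" || { echo "$script: missing --no-root or user $user" >&2; rc=1; }
    for bin in nessusd nessus-service; do
        caps_match "$(getcap "$dir/sbin/$bin" 2>/dev/null)" "$caps" \
            || { echo "$bin: capabilities differ from $caps" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "non-root setup looks consistent"
    return "$rc"
}

# Only run the checks when called with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

For a manager-only host, pass the reduced set as the fourth argument (cap_sys_resource) so that the check flags the scanner capabilities as unexpected rather than accepting them.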


Run Nessus on Mac OS X as Non-Privileged User

Limitations

- For use with Nessus 6.7 or later.

- When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.

- nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which could cause Nessus to be unable to access them appropriately. Use care when running nessuscli, and potentially fix permissions with chown after using it.

1. If you have not already done so, Install Nessus on Mac OS X.

2. Since the Nessus service is running as root, it needs to be unloaded. Use the following command to unload the Nessus service:

sudo launchctl unload /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist

3. On the Mac, in System Preferences -> Users & Groups, create a new Group.


4. Next, in System Preferences -> Users & Groups, create the new Standard User. This user will be configured to run as the Nessus non-privileged account.


5. Add the new user to the group you created in Step 1.

6. Remove 'world' permissions on Nessus binaries in the /sbin directory.

sudo chmod 750 /Library/Nessus/run/sbin/*

7. Change ownership of the /Library/Nessus/run directory to the non-root (Standard) user you created in Step 2.

sudo chown -R nonprivuser:nonprivuser /Library/Nessus/run

8. Give that user read/write permissions to the /dev/bpf* devices. A simple way to do this is to install Wireshark, which creates a group called "access_bpf", as well as a corresponding launch daemon to set appropriate permissions on /dev/bpf* at startup. In this case, you can simply assign the "nonpriv" user to be in the "access_bpf" group. Otherwise, you will need to create a launch daemon giving the "nonpriv" user, or a group that it is a part of, read/write permissions to all /dev/bpf*.

9. For the Step 8 changes to take effect, reboot your system.


10. Using a text editor, modify the Nessus /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist file and add the following lines. Do not modify any of the existing lines.

<string>--no-root</string>
<key>UserName</key>
<string>nonprivuser</string>

11. Using sysctl, verify the following parameters have the minimum values:

$ sysctl debug.bpf_maxdevices
debug.bpf_maxdevices: 16384
$ sysctl kern.maxfiles
kern.maxfiles: 12288
$ sysctl kern.maxfilesperproc
kern.maxfilesperproc: 12288
$ sysctl kern.maxproc
kern.maxproc: 1064
$ sysctl kern.maxprocperuid
kern.maxprocperuid: 1064


12. If any of the values in Step 9 do not meet the minimum requirements, take the following steps to modify values.

Create a file called /etc/sysctl.conf.

Using a text editor, edit the sysctl.conf file with the correct values found in Step 9.

Example:

$ cat /etc/sysctl.conf
kern.maxfilesperproc=12288
kern.maxproc=1064
kern.maxprocperuid=1064

13. Next, using the launchctl limit command, verify your OS default values. Example: Mac OS X 10.10 and 10.11 values.

$ launchctl limit
cpu         unlimited      unlimited
filesize    unlimited      unlimited
data        unlimited      unlimited
stack       8388608        67104768
core        0              unlimited
rss         unlimited      unlimited
memlock     unlimited      unlimited
maxproc     709            1064
maxfiles    256            unlimited

14. If any of the values in Step 11 are not set to the default OS X values above, take the following steps to modify values.

Using a text editor, edit the launchd.conf file with the correct, default values as shown in Step 11.

Example:

$ cat /etc/launchd.conf
limit maxproc 709 1064

Note: Some older versions of OS X have smaller limits for maxproc. If your version of OS X supports increasing the limits through /etc/launchctl.conf, increase the value.


15. For all changes to take effect either reboot your system or reload the launch daemon.

sudo launchctl load /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist

Run Nessus on FreeBSD as Non-Privileged User

Limitations

- For use with Nessus 6.7 or later.

- When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.

- nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which could cause Nessus to be unable to access them appropriately. Use care when running nessuscli, and potentially fix permissions with chown after using it.

Note: Unless otherwise noted, execute the following commands in a root login shell.

1. If you have not already done so, Install Nessus on FreeBSD.

pkg add Nessus-*.txz

2. Create a non-root account which will run the Nessus service. In this example, nonprivuser is created in the nonprivgroup.

# adduser
Username: nonprivuser
Full name: NonPrivUser
Uid (Leave empty for default):
Login group [nonprivuser]:
Login group is nonprivuser. Invite nonprivuser into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]:
Home directory [/home/nonprivuser]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : nonprivuser
Password   : *****
Full Name  : NonPrivUser
Uid        : 1003
Class      :
Groups     : nonprivuser
Home       : /home/nonprivuser
Home Mode  :
Shell      : /bin/sh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (nonprivuser) to the user database.
Add another user? (yes/no): no
Goodbye!

3. Remove 'world' permissions on Nessus binaries in the /sbin directory.

chmod 750 /usr/local/nessus/sbin/*


4. Change ownership of /opt/nessus to the non-root user.

chown -R nonprivuser:nonprivuser /usr/local/nessus

5. Create a group to give the non-root user access to the /dev/bpf device and allow them to use raw sockets.

pw groupadd access_bpf
pw groupmod access_bpf -m nonprivuser

6. Confirm the nonprivuser was added to the group.

# pw groupshow access_bpf
access_bpf:*:1003:nonprivuser

7. Next, check your system limit values.

Using the ulimit -a command, verify that each parameter has, at minimum, the following values. This example displays FreeBSD 10 values:

# ulimit -a
cpu time               (seconds, -t)  unlimited
file size           (512-blocks, -f)  unlimited
data seg size           (kbytes, -d)  33554432
stack size              (kbytes, -s)  524288
core file size      (512-blocks, -c)  unlimited
max memory size         (kbytes, -m)  unlimited
locked memory           (kbytes, -l)  unlimited
max user processes              (-u)  6670
open files                      (-n)  58329
virtual mem size        (kbytes, -v)  unlimited
swap limit              (kbytes, -w)  unlimited
sbsize                   (bytes, -b)  unlimited
pseudo-terminals                (-p)  unlimited


8. If any of the values in Step 6 do not meet the minimum requirements, take the following steps to modify values.

Using a text editor, edit the /etc/sysctl.conf file.

Next, using the service command, restart the sysctl service:

service sysctl restart

Alternatively, you can reboot your system.

Verify the new, minimum required values by using the ulimit -a command again.

9. Next, using a text editor, modify the /usr/local/etc/rc.d/nessusd service script to remove and add the following lines:

Remove: /usr/local/nessus/sbin/nessus-service -D -q

Add: chown root:access_bpf /dev/bpf

Add: chmod 660 /dev/bpf

Add: daemon -u nonprivuser /usr/local/nessus/sbin/nessus-service -D -q --no-root

The resulting script should appear as follows:

nessusd_start() {
    echo 'Starting Nessus...'
    chown root:access_bpf /dev/bpf
    chmod 660 /dev/bpf
    daemon -u nonprivuser /usr/local/nessus/sbin/nessus-service -D -q --no-root
}

nessusd_stop() {
    test -f /usr/local/nessus/var/nessus/nessus-service.pid && kill `cat /usr/local/nessus/var/nessus/nessus-service.pid` && echo 'Stopping Nessus...' && sleep 3
}
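Both the Mac OS X procedure (the sysctl minimums in step 11 and the launchctl limit defaults in step 13) and the FreeBSD procedure (the ulimit -a minimums in step 7) ask you to compare a block of numbers by eye. The script below is an added example, not part of the Nessus guide, that does the comparison from the command output and names every value that falls short or is missing. The minimum tables are copied from the steps above; the function takes the output as text, so it can be run against a saved copy as well as the live commands.

```shell
#!/bin/sh
# Added example (not from the Nessus guide): compare the limits the OS reports
# with the minimums the guide lists. Minimums below are the guide's values.

# Minimum sysctl values from the Mac OS X procedure (step 11).
SYSCTL_MIN='debug.bpf_maxdevices 16384
kern.maxfiles 12288
kern.maxfilesperproc 12288
kern.maxproc 1064
kern.maxprocperuid 1064'

# Soft limits from the "launchctl limit" defaults shown in step 13.
LAUNCHCTL_MIN='maxproc 709
maxfiles 256'

# "ulimit -a" minimums from the FreeBSD procedure (step 7), keyed by the flag
# letter shown in parentheses; processes and open files are the ones that
# limit a scanner.
ULIMIT_MIN='-u 6670
-n 58329'

# below_min ACTUAL MINIMUMS MODE: ACTUAL is command output, MINIMUMS is
# "key value" per line, MODE selects how a key and value are read from a line:
#   sysctl    "kern.maxproc: 1064" or "kern.maxproc = 1064"
#   launchctl "maxproc  709  1064" (soft limit, column 2)
#   ulimit    "open files  (-n)  58329" (key is the flag, e.g. -n)
# Prints "key actual < minimum" or "key missing" for each shortfall; succeeds
# only when nothing is printed. "unlimited" never counts as below.
below_min() {
    out=$(printf '%s\n' "$1" | awk -v mins="$2" -v mode="$3" '
        BEGIN { n = split(mins, lines, "\n")
                for (i = 1; i <= n; i++) { split(lines[i], kv, " "); need[kv[1]] = kv[2] } }
        {
            if (mode == "ulimit") {
                if (!match($0, /-[a-z]\)/)) next
                key = substr($0, RSTART, 2); val = $NF
            } else if (mode == "launchctl") {
                key = $1; val = $2
            } else {
                key = $1; sub(/:$/, "", key); val = $NF
            }
            if (!(key in need)) next
            seen[key] = 1
            if (val != "unlimited" && val + 0 < need[key] + 0)
                printf "%s %s < %s\n", key, val, need[key]
        }
        END { for (k in need) if (!(k in seen)) printf "%s missing\n", k }' | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Live check when run with any argument, e.g.: sh check_limits.sh now
if [ $# -gt 0 ]; then
    case "$(uname -s)" in
        Darwin)
            below_min "$(sysctl debug.bpf_maxdevices kern.maxfiles kern.maxfilesperproc kern.maxproc kern.maxprocperuid)" "$SYSCTL_MIN" sysctl
            below_min "$(launchctl limit)" "$LAUNCHCTL_MIN" launchctl ;;
        FreeBSD)
            below_min "$(ulimit -a)" "$ULIMIT_MIN" ulimit ;;
        *)
            echo "run this on the Mac OS X or FreeBSD scanner host" >&2 ;;
    esac
fi
```

A non-zero exit with a printed shortfall is the cue to edit /etc/sysctl.conf (steps 12 and 8) or /etc/launchd.conf (step 14) and re-run the check after the restart.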


Scan Targets Explained

Hostname targets that look like either a link6 target (start with the text "link6") or like one of the two IPv6 range forms can be forced to be processed as a hostname by putting single quotes around the target.

The following table lists the target types, an example of each, and a short explanation of what happens when that target type is scanned.

Target: A single IPv4 address
  Example: 192.168.0.1
  Explanation: The single IPv4 address is scanned.

Target: A single IPv6 address
  Example: 2001:db8::2120:17ff:fe56:333b
  Explanation: The single IPv6 address is scanned.

Target: A single link-local IPv6 address with a scope identifier
  Example: fe80:0:0:0:216:cbff:fe92:88d0%eth0
  Explanation: The single IPv6 address is scanned. Note that usage of interface names instead of interface indexes for the scope identifier is not supported on Windows platforms.

Target: An IPv4 range with a start and end address
  Example: 192.168.0.1-192.168.0.255
  Explanation: All IPv4 addresses between the start address and end address, including both addresses.

Target: An IPv4 address with one or more octets replaced with numeric ranges
  Example: 192.168.0-1.3-5
  Explanation: The example will expand to all combinations of the values given in the octet ranges: 192.168.0.3, 192.168.0.4, 192.168.0.5, 192.168.1.3, 192.168.1.4 and 192.168.1.5.

Target: An IPv4 subnet with CIDR notation
  Example: 192.168.0.0/24
  Explanation: All addresses within the specified subnet are scanned. The address given is not the start address. Specifying any address within the subnet with the same CIDR will scan the same set of hosts.

Target: An IPv4 subnet with netmask notation
  Example: 192.168.0.0/255.255.255.128
  Explanation: All addresses within the specified subnet are scanned. The address is not a start address. Specifying any address within the subnet with the same netmask will scan the same hosts.

Target: A host resolvable to either an IPv4 or an IPv6 address
  Example: www.yourdomain.com
  Explanation: The single host is scanned. If the hostname resolves to multiple addresses, the address to scan is the first IPv4 address or, if it did not resolve to an IPv4 address, the first IPv6 address.

Target: A host resolvable to an IPv4 address with CIDR notation
  Example: www.yourdomain.com/24
  Explanation: The hostname is resolved to an IPv4 address and then treated like any other IPv4 address with CIDR target.

Target: A host resolvable to an IPv4 address with netmask notation
  Example: www.yourdomain.com/255.255.252.0
  Explanation: The hostname is resolved to an IPv4 address and then treated like any other IPv4 address with netmask notation.

Target: The text 'link6' optionally followed by an IPv6 scope identifier
  Example: link6 or link6%16
  Explanation: Multicast ICMPv6 echo requests are sent out on the interface specified by the scope identifier to the ff02::1 address. All hosts that respond to the request are scanned. If no IPv6 scope identifier is given, the requests are sent out on all interfaces. Note that usage of interface names for the scope identifier is not supported on Windows platforms.

Target: Some text with either a single IPv4 or IPv6 address within square brackets
  Example: "Test Host 1[10.0.1.1]" or "Test Host 2[2001:db8::abcd]"
  Explanation: The IPv4 or IPv6 address within the brackets is scanned like a normal single target.
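The table makes one point that is easy to get wrong in practice: for the CIDR and netmask forms the address you type is not the start of the range, so 192.168.0.77/24 scans the whole 192.168.0.0/24 network. The script below is an added example, not part of the Nessus guide and not Tenable's own expansion code, that expands the numeric IPv4 forms from the table (single address, start-end range, per-octet ranges, CIDR and netmask) so the exact host list, and its size, can be previewed before a scan is launched. Hostname, IPv6 and link6 forms are deliberately not handled.

```shell
#!/bin/sh
# Added example (not from the Nessus guide): expand the numeric IPv4 target
# forms from the table so the scope of a scan can be previewed before it runs.
# Usage: sh expand_target.sh 192.168.0-1.3-5        (or source it and call expand_target)

# Dotted quad <-> 32-bit integer (sh arithmetic is at least 32 bits wide).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '%d\n' $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# octet_values "3-5" -> 3 4 5 ; octet_values "0" -> 0
octet_values() {
    case "$1" in
        *-*) seq "${1%-*}" "${1#*-}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# expand_octets 192.168.0-1.3-5: every combination of the per-octet ranges,
# last octet varying fastest (the order the table lists for its example).
expand_octets() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    for a in $(octet_values "$o1"); do
        for b in $(octet_values "$o2"); do
            for c in $(octet_values "$o3"); do
                for d in $(octet_values "$o4"); do
                    printf '%s.%s.%s.%s\n' "$a" "$b" "$c" "$d"
                done
            done
        done
    done
}

# expand_target SPEC: print one address per line for the numeric IPv4 forms.
expand_target() {
    spec="$1"
    case "$spec" in
        *[!0-9./-]*)
            echo "unsupported target form (hostnames need DNS): $spec" >&2
            return 1 ;;
    esac
    dots=$(printf '%s\n' "$spec" | awk -F. '{ print NF - 1 }')
    case "$spec" in
        */*)
            # CIDR or netmask: the address given is NOT the start address;
            # mask it down to the network, exactly as the table describes.
            m=${spec#*/}
            case "$m" in
                *.*) mask=$(ip2int "$m") ;;
                *)   mask=$(( (0xffffffff << (32 - m)) & 0xffffffff )) ;;
            esac
            start=$(( $(ip2int "${spec%/*}") & mask ))
            end=$(( start | (~mask & 0xffffffff) )) ;;
        *-*)
            if [ "$dots" -eq 6 ]; then     # start-end pair, both ends inclusive
                start=$(ip2int "${spec%-*}"); end=$(ip2int "${spec#*-}")
            else                           # per-octet ranges
                expand_octets "$spec"; return 0
            fi ;;
        *)
            start=$(ip2int "$spec"); end=$start ;;
    esac
    i=$start
    while [ "$i" -le "$end" ]; do
        int2ip "$i"
        i=$(( i + 1 ))
    done
}

# A quick count is usually enough: expand_target 10.0.0.0/16 | wc -l
if [ $# -gt 0 ]; then expand_target "$1"; fi
```

Checking the count against the change ticket before pasting the target into a scan is a cheap way to catch a /16 typed where a /24 was meant.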


Command Line Operations

This section includes command line operations for Nessus and Nessus Agents.

Tip: During command line operations, prompts for sensitive information, such as a password, do not show characters as you type. However, the data is being recorded and will be accepted when you hit the Enter key.

The following topics are included in this section:

- nessus-service

- nessuscli

- nessuscli agent


nessus-service

Whenever possible, Nessus services should be started and stopped using the Nessus Service controls in the operating system's interface.

However, there are many nessus-service functions that can be performed through a command line interface.

Unless otherwise specified, the nessusd command can be used interchangeably with nessus-service server commands.

The # killall nessusd command is used to halt Nessus; Nessus will immediately stop all services and stop all in-process scans.

nessus-service Syntax

Operating System    Command

Linux    # /opt/nessus/sbin/nessus-service [-vhD] [-c <config-file>] [-p <port-number>] [-a <address>] [-S <ip[,ip,…]>]

FreeBSD    # /usr/local/nessus/sbin/nessus-service [-vhD] [-c <config-file>] [-p <port-number>] [-a <address>] [-S <ip[,ip,…]>]

Mac OS X    # /Library/Nessus/run/sbin/nessus-service [-vhD] [-c <config-file>] [-p <port-number>] [-a <address>] [-S <ip[,ip,…]>]

Suppress Command Output Examples

You can suppress command output by using the "-q" option.

Linux

# /opt/nessus/sbin/nessus-service -q -D

FreeBSD

# /usr/local/nessus/sbin/nessus-service -q -D

nessusd Commands


Option    Description

-c <config-file>    When starting the nessusd server, this option is used to specify the server-side nessusd configuration file to use. It allows for the use of an alternate configuration file instead of the standard db.

-a <address>    When starting the nessusd server, this option is used to tell the server to only listen to connections on the address <address>, which is an IP, not a machine name. This option is useful if you are running nessusd on a gateway and if you do not want people on the outside to connect to your nessusd.

-S <ip[,ip2,…]>    When starting the nessusd server, force the source IP of the connections established by Nessus during scanning to <ip>. This option is only useful if you have a multi-homed machine with multiple public IP addresses that you would like to use instead of the default one. For this setup to work, the host running nessusd must have multiple NICs with these IP addresses set.

-D    When starting the nessusd server, this option will make the server run in the background (daemon mode).

-v    Display the version number and exit.

-l    Display a list of third-party software licenses.

-h    Show a summary of the commands and exit.

--ipv4-only    Only listen on IPv4 socket.

--ipv6-only    Only listen on IPv6 socket.

-q    Operate in "quiet" mode, suppressing all messages to stdout.

-R    Force a re-processing of the plugins.

-t    Check the timestamp of each plugin when starting up to only compile newly updated plugins.

-K    Set a master password for the scanner.
    If a master password is set, Nessus will encrypt all policies and credentials contained in the policy. When a password is set, the Nessus UI will prompt you for the password.
    If your master password is set and then lost, it cannot be recovered by your administrator nor Tenable Support.
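The -a <address> option above exists so that a scanner sitting on a gateway does not accept connections from the outside. The script below is an added example, not part of the Nessus guide, that verifies the effect from the host: it reads the listening-socket table (ss -ltn, or netstat -ltn where ss is absent) and reports any LISTEN socket on the Nessus port that is bound to the wildcard address, which is the state -a is meant to prevent. Port 8834, the default Nessus web port, is an assumption of this example; pass another port if yours differs.

```shell
#!/bin/sh
# Added example (not from the Nessus guide): confirm that nessusd started with
# -a <address> is bound to that address only, not to every interface.
# Port 8834 (the default Nessus web port) is assumed; override with $2.

# wildcard_listeners LISTING PORT: LISTING is the text of "ss -ltn" or
# "netstat -ltn". Prints every LISTEN socket on PORT whose local address is a
# wildcard (0.0.0.0, *, [::] or ::), i.e. reachable on every interface, and
# succeeds (prints nothing) when none is.
wildcard_listeners() {
    found=$(printf '%s\n' "$1" | awk -v port="$2" '
        /LISTEN/ {
            local = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ (":" port "$")) { local = $i; break }
            if (local == "") next
            addr = local
            sub(":" port "$", "", addr)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                print local
        }')
    [ -z "$found" ] && return 0
    printf 'nessusd reachable on all interfaces via:\n%s\n' "$found"
    return 1
}

# bound_to LISTING PORT ADDRESS: succeed only if a LISTEN socket on PORT has
# exactly ADDRESS as its local address (what -a <address> should produce).
bound_to() {
    printf '%s\n' "$1" | awk -v want="$3:$2" \
        '/LISTEN/ { for (i = 1; i <= NF; i++) if ($i == want) ok = 1 } END { exit !ok }'
}

# Live check, e.g.: sh check_listener.sh 192.168.1.10 8834
if [ $# -gt 0 ]; then
    listing=$(ss -ltn 2>/dev/null || netstat -ltn)
    wildcard_listeners "$listing" "${2:-8834}" && bound_to "$listing" "${2:-8834}" "$1" \
        && echo "nessusd is bound only to $1"
fi
```

The same two checks catch the common regression where the -a option is dropped from a service script during an upgrade and the scanner quietly goes back to listening everywhere.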


nessuscli

Some Nessus functions can be administered through a command line interface using the nessuscli utility.

This allows the user to manage user accounts, modify advanced settings, manage digital certificates, report bugs, update Nessus, and fetch necessary license information.

nessuscli Syntax

Operating System    Command

Linux    # /opt/nessus/sbin/nessuscli <arg1> <arg2>

Mac OS X    # /Library/Nessus/run/sbin/nessuscli <arg1> <arg2>

Windows    C:\Program Files\Tenable\Nessus or C:\ProgramData\Tenable\Nessus (commands must be run as administrator)

nessuscli Commands

Command Description

HELP COMMANDS

nessuscli help    Displays a list of Nessus commands.
    The help output may vary, depending on your Nessus license.

nessuscli [cmd] help    Displays additional help for specific commands identified in the nessuscli help output.

BUG REPORTING COMMANDS
The bug reporting commands create an archive that can be sent to Tenable to help diagnose issues. By default, the script will run in interactive mode.

nessuscli bug-report-generator    Generates an archive of system diagnostics.
    Running this command without arguments will prompt for values.
    --quiet: run the bug report generator without prompting user for feedback
    --scrub: when in quiet mode, bug report generator will sanitize the last two octets of the IPv4 address
    --full: when in quiet mode, bug report generator will collect extra data

USER COMMANDS

nessuscli rmuser [username]    Allows you to remove a Nessus user.

nessuscli chpasswd [username]    Allows you to change a user's password. You will be prompted to enter the Nessus user's name. Passwords will not be echoed on the screen.

nessuscli adduser [username]    Allows you to add a Nessus user account.
    You will be prompted for a username, password, and opted to allow the user to have an administrator type account. Additionally, you will be prompted to add Users Rules for this new user account.

nessuscli lsuser    Displays a list of Nessus users.

FETCH COMMANDS
Manage Nessus registration and fetch updates.

nessuscli fetch --register <Activation Code>    Uses your Activation Code to register Nessus online.
    Example:
    # /opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx

nessuscli fetch --register-offline nessus.license    Registers Nessus 6.3 and newer with the nessus.license file obtained from https://plugins.nessus.org/v2/offline.php
    Note: If you are using a version of Nessus 6.2 or earlier, you must use the information and instructions displayed on https://plugins.nessus.org/offline.php. In Nessus 6.2 and earlier, the license is contained in the fc.file.

nessuscli fetch --check    Displays whether Nessus is properly registered and is able to receive updates.

nessuscli fetch --code-in-use    Displays the Nessus Activation Code being used by Nessus.


nessuscli fetch --challenge    Displays the Challenge code needed to use when performing an offline registration.
    Example Challenge Code: aaaaaa11b2222cc33d44e5f6666a777b8cc99999

nessuscli fetch --security-center    Prepares Nessus to be connected to SecurityCenter.

FIX COMMANDS

nessuscli fix    Reset registration, display network interfaces, and manage advanced settings.
    Using the --secure option will act on the encrypted preferences, which contain information about registration.
    --list, --set, --get, and --delete can be used to modify or view preferences.

nessuscli fix [--secure] --list
nessuscli fix [--secure] --set <name=value>
nessuscli fix [--secure] --get <name>
nessuscli fix [--secure] --delete <name>

nessuscli fix --list-interfaces    List the network adapters on this machine.

nessuscli fix --reset    This command will delete all your registration information and preferences, causing Nessus to be put into a non-registered state.
    Before running nessuscli fix --reset, verify running scans have completed, then stop the nessusd daemon or service.
    Windows: net stop "Tenable Nessus"
    Linux: service nessusd stop

CERTIFICATE COMMANDS

nessuscli mkcert-client    Creates a certificate for the Nessus server.


nessuscli mkcert [-q]    Quietly creates a certificate with default values.

SOFTWARE UPDATE COMMANDS

nessuscli update    By default, this tool will respect the software update options selected through the Nessus UI.

nessuscli update --all    Forces updates for all Nessus components.

nessuscli update --plugins-only    Forces updates for Nessus Plugins only.

nessuscli update <tar.gz filename>    Updates Nessus Plugins by using a TAR file instead of getting the updates from the plugin feed. The TAR file is obtained when you follow the Register Nessus Offline - Download and Copy Plugins steps.

MANAGER COMMANDS
Used for generating plugin updates for your managed scanners and agents connected to a manager.

nessuscli manager download-core    Downloads core component updates for remotely managed agents and scanners.

nessuscli manager generate-plugins    Generates plugins archives for remotely managed agents and scanners.

MANAGED SCANNER COMMANDS
Used for linking, unlinking and viewing the status of remote managed scanners.

nessuscli managed help    Displays nessuscli managed commands and syntax.

nessuscli managed link --key=<key> --host=<host> --port=<port> [optional parameters]    Link a managed scanner to the Nessus Manager.
    Additional Parameters:
    --name=<name>
    --ca-path=<ca_file_name>
    --proxy-host=<host>
    --proxy-port=<port>
    --proxy-username=<username>
    --proxy-password=<password>
    --proxy-agent=<agent>


nessuscli managed unlink    Unlink a managed scanner from the Nessus Manager.

nessuscli managed status    Identifies the status of the managed scanner.


nessuscli agent

Some Nessus Agent functions can be performed and administered through a command line interface using the nessuscli agent utility.

nessuscli agent Syntax

Operating System Command

Linux
    # /opt/nessus_agent/sbin/nessuscli agent <arg1> <arg2>

Mac OS X
    # /Library/NessusAgent/run/sbin/nessuscli agent <arg1> <arg2>

Windows
    C:\Program Files\Tenable\Nessus Agent or C:\ProgramData\Tenable\Nessus Agent
    Run cmd.exe as administrator

nessuscli agent Commands

Command Description

HELP COMMANDS

# nessuscli agent help
    Displays a list of Nessus Agent commands.

BUG REPORTING COMMANDS

# nessuscli agent bug-report-generator
    Generates an archive of system diagnostics. Running this command without arguments will prompt for values.

    --quiet: run the bug report generator without prompting the user for feedback
    --scrub: when in quiet mode, the bug report generator will sanitize the last two octets of the IPv4 address


    --full: when in quiet mode, the bug report generator will collect extra data

LOCAL AGENT COMMANDS
Used to link, unlink, and display agent status

# nessuscli agent link --key=<key> [--name=<name>] [--groups=<group1,group2,...>] [--ca-path=<ca_file_name>] --host=<host> --port=<port>
    Using the key obtained from within Nessus Manager, this command links the agent to the Nessus Manager.

    Optional Parameters
    --name=<name>
    --groups=<group1,group2,...>
    --ca-path=<ca_file_name>
    --proxy-host=<host>
    --proxy-port=<port>
    --proxy-username=<username>
    --proxy-password=<password>
    --proxy-agent=<agent>

# nessuscli agent unlink
    Unlinks the agent from the Nessus Manager.

# nessuscli agent status
    Displays the status of the agent: jobs pending, and whether the agent is linked or not linked to a server.

    Example Status

    Agent linked
    3 jobs pending

    Agent not linked to a server

    Agent is linked to 192.168.0.1:8834
    1 jobs pending
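The link and status commands above are usually driven from a deployment script, and the status text is what a defender watches to catch agents that silently drop off the manager. The following is an added example, not code from the Nessus guide or from Tenable: it assembles the `nessuscli agent link` argument list only when key, host and port are all present, and reduces the status output to a fixed "state manager pending" triple that a monitoring job can compare against. Option names, the Linux path and the three status phrases come from the guide; the NESSUS_AGENT_CLI variable, the function names, the manager address and every sample status string are assumptions constructed for this example, and the proxy options are left out.

```shell
#!/bin/sh
# Added example, not code from the Nessus guide or from Tenable. Wraps
# "nessuscli agent link" and "nessuscli agent status" so an agent is only
# linked when the required values are present and the result is checked
# from the status text. NESSUS_AGENT_CLI, the function names and all sample
# values are assumptions for this example.

NESSUS_AGENT_CLI="${NESSUS_AGENT_CLI:-/opt/nessus_agent/sbin/nessuscli}"

# build_link_args KEY HOST PORT [NAME] [GROUPS] [CA_PATH]
# Prints the argument list for "nessuscli agent link". Key, host and port
# are mandatory (returns 1 otherwise); optional parameters are emitted only
# when given, so the command matches the syntax in the guide.
build_link_args() {
    key="$1"; host="$2"; port="$3"; name="$4"; groups="$5"; ca_path="$6"
    if [ -z "$key" ] || [ -z "$host" ] || [ -z "$port" ]; then
        return 1
    fi
    args="agent link --key=$key --host=$host --port=$port"
    [ -n "$name" ]    && args="$args --name=$name"
    [ -n "$groups" ]  && args="$args --groups=$groups"
    [ -n "$ca_path" ] && args="$args --ca-path=$ca_path"
    printf '%s\n' "$args"
}

# parse_agent_status STATUS_TEXT
# Reduces the status text to "<linked|unlinked> <manager|none> <pending>".
# Handles the three forms the guide shows ("Agent linked", "Agent not
# linked to a server", "Agent is linked to <host:port>"), each optionally
# followed by a line "<N> jobs pending".
parse_agent_status() {
    text="$1"
    state="unlinked"; manager="none"; pending=0
    case "$text" in
        *"not linked"*) state="unlinked" ;;
        *"linked to "*)
            state="linked"
            # the token after "linked to " is the manager's host:port
            manager=$(printf '%s\n' "$text" | sed -n 's/.*linked to \([^ ]*\).*/\1/p' | head -n 1)
            ;;
        *"Agent linked"*) state="linked" ;;
    esac
    # the count line is absent when nothing is queued or the agent is unlinked
    n=$(printf '%s\n' "$text" | sed -n 's/^[^0-9]*\([0-9][0-9]*\) jobs* pending.*/\1/p' | head -n 1)
    [ -n "$n" ] && pending="$n"
    printf '%s %s %s\n' "$state" "$manager" "$pending"
}

# link_and_verify KEY HOST PORT [NAME] [GROUPS] [CA_PATH]
# Runs the link command, then confirms through "agent status" that the
# agent reports itself linked. A non-zero return means the link has to be
# investigated (wrong key, blocked port, CA mismatch) rather than assumed.
link_and_verify() {
    args=$(build_link_args "$@") || { echo "key, host and port are required" >&2; return 2; }
    # word splitting of $args is intentional: it is the assembled option list
    "$NESSUS_AGENT_CLI" $args || return 1
    status=$(parse_agent_status "$("$NESSUS_AGENT_CLI" agent status)")
    case "$status" in
        "linked "*) return 0 ;;
        *) echo "agent did not link (status: $status)" >&2; return 1 ;;
    esac
}
```

Because the guide's syntax passes the linking key as a command-line option, the assembled argument string contains that key; keep it out of deployment logs and do not echo it. Running `parse_agent_status "$(nessuscli agent status)"` from a scheduled job and alerting on a first field of `unlinked` gives a simple check that agents are still reporting to the manager.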


Start or Stop Nessus

If necessary, and whenever possible, Nessus services should be started and stopped using the Nessus service controls in the operating system's interface.

Mac OS X

1. Navigate to System Preferences.

2. Click the Nessus icon.

3. Click the lock icon.

4. Enter your username and password.

5. To stop the Nessus service, click the Stop Nessus button.

6. To start the Nessus service, click the Start Nessus button.

Mac OS X Command Line

Start: # launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
Stop:  # launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist

Windows

1. Navigate to Services.

2. In the Name column, select Tenable Nessus.

3. To stop the Nessus service, right-click Tenable Nessus, and then click Stop.

4. To restart the Nessus service, right-click Tenable Nessus, and then click Start.

Windows Command Line

Start: C:\Windows\system32>net start "Tenable Nessus"
Stop:  C:\Windows\system32>net stop "Tenable Nessus"


Linux

Linux Command Line

RedHat, CentOS and Oracle Linux
    Start: # /sbin/service nessusd start
    Stop:  # /sbin/service nessusd stop

SUSE
    Start: # /etc/rc.d/nessusd start
    Stop:  # /etc/rc.d/nessusd stop

FreeBSD
    Start: # service nessusd start
    Stop:  # service nessusd stop

Debian/Kali and Ubuntu
    Start: # /etc/init.d/nessusd start
    Stop:  # /etc/init.d/nessusd stop


Offline Update Page Details

When you are working with Nessus offline, you will use the https://plugins.nessus.org/v2/offline.php page.

Based on the steps you are using to Register Nessus Offline, the resulting web page displayed includes the following elements:

- Custom URL: The custom URL displayed downloads a compressed plugins file. This file is used by Nessus to obtain plugin information. This URL is specific to your Nessus license and must be saved and used each time plugins need to be updated.

- License: The complete text-string starting with -----BEGIN TENABLE LICENSE----- and ending with -----END TENABLE LICENSE----- is your Nessus product license information. Tenable uses this text-string to confirm your product license and registration.

- nessus.license file: At the bottom of the web page, there is an embedded file that includes the license text-string displayed.
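The two artefacts this page produces, the license text-string and the compressed plugins file fetched from the Custom URL, are copied by hand onto an offline scanner and then passed to the `nessuscli update <tar.gz file-name>` command described in the nessuscli reference above. The following is an added example, not code from the Nessus guide or from Tenable, of the checks worth running before that hand-off: that the saved license file really begins with the BEGIN marker and ends with the END marker (a truncated copy-paste is the usual failure), and that the download is a gzip-compressed tar archive rather than an error page saved under the right name. The markers and the update command come from the guide; the NESSUSCLI path, the function names and the sample files are assumptions, and the `nessuscli fetch --register-offline` call is the one used by the guide's Register Your License with Nessus step, which is not shown on this page.

```shell
#!/bin/sh
# Added example, not code from the Nessus guide or from Tenable. Checks
# the offline-update artefacts before nessuscli consumes them. NESSUSCLI
# (the Nessus, not the agent, nessuscli path), the function names and the
# sample files are assumptions for this example.

NESSUSCLI="${NESSUSCLI:-/opt/nessus/sbin/nessuscli}"

# license_text_is_framed FILE
# True when the first non-blank line is the BEGIN marker and the last
# non-blank line is the END marker, i.e. the complete text-string was
# saved. A trailing carriage return (file saved on Windows) is ignored.
license_text_is_framed() {
    [ -s "$1" ] || return 1
    first=$(awk '{ sub(/\r$/, "") } NF { print; exit }' "$1")
    last=$(awk '{ sub(/\r$/, "") } NF { last = $0 } END { print last }' "$1")
    [ "$first" = "-----BEGIN TENABLE LICENSE-----" ] &&
        [ "$last" = "-----END TENABLE LICENSE-----" ]
}

# plugin_archive_is_tgz FILE
# True when the file starts with the gzip magic bytes (1f 8b) and tar can
# list its contents; a partial download or an HTML error page fails both.
plugin_archive_is_tgz() {
    [ -s "$1" ] || return 1
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "1f8b" ] && tar -tzf "$1" >/dev/null 2>&1
}

# apply_offline_update LICENSE_FILE PLUGIN_TGZ
# Registers the license and installs the plugin archive only after both
# checks pass, so a bad artefact is reported instead of handed to nessuscli.
apply_offline_update() {
    license_text_is_framed "$1" || { echo "$1: license text is not framed by BEGIN/END markers" >&2; return 1; }
    plugin_archive_is_tgz "$2"  || { echo "$2: not a gzip-compressed tar archive" >&2; return 1; }
    "$NESSUSCLI" fetch --register-offline "$1" &&
        "$NESSUSCLI" update "$2"
}
```

On the offline scanner, `apply_offline_update /path/to/nessus.license /path/to/plugins.tar.gz` runs both checks and then the registration and update in order; because the Custom URL is tied to your license, the same checks apply every time a fresh plugin archive is carried across.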


More Nessus Resources

Product Pages

Nessus Product Page

Nessus Product Feature Comparisons

Tenable Plugins Home Page

Tenable Support Portal

Nessus FAQs
