TOC & Recently Viewed

Recently Viewed Topics

Basic Settings

You can use Basic settings to specify certain organizational and security-related aspects of the scan or policy, including the name of the scan, its targets, the scan schedule status, and who has access to the scan, among other settings.

Note: Configuration items that are required by a particular scan or policy are indicated in the Tenable.io interface.

The Basic settings include the following sections:

The following tables list, by section, all available Basic settings.

General

Setting Default Value Description

Name

None

(Required) Specifies the name of the scan or policy. This value is displayed on the Tenable.io interface.

Description

None

Specifies a description of the scan or policy.

Scan Results

Show in dashboard

Specifies whether the results of the scan should appear in dashboards or be kept private.

When set to Keep private, you must access the scan directly to view the results.

Folder

My Scans

Specifies the folder where the scan appears after being saved.

Agent Groups None

(Agent scans only) Specifies the agent group or groups you want the scan to target. Select an existing agent group from the drop-down box, or create a new agent group. For more information, see Agent Groups.

Scan Window 1 hour (Agent scans only) Specifies the time frame during which agents must report in order to be included and visible in vulnerability reports. Use the drop-down box to select an interval of time, or click to type a custom scan window.

Scanner

Varies

Specifies the scanner that performs the scan.

The default scanner varies based on the organization and user.

Asset Lists

None

You can select or add a new target group to which the scan applies. Assets in the target group are used as scan targets.

Targets

None

(Required) Specifies one or more targets you want to scan. If you select a target group or upload a targets file, you do not need to specify additional targets.

You can specify targets using a number of different formats.

Upload Targets

None

Uploads a text file that specifies targets.

The targets file must:

  • Be ASCII format.
  • Have only one target per line.
  • Have whitespace (e.g., spaces or tabs) at the end of a line.
  • Have no hard line breaks following the last target.

Note: Unicode/UTF-8 encoding is not supported.

Schedule

By default, scans are not scheduled. When you first access the Schedule section, the Enable Schedule setting appears, set to Off. To modify the settings listed on the following table, click the Off button. The rest of the settings appear.

Setting Default Value Description

Frequency

Once

Specifies how often the scan launches.

  • Once: Schedule the scan at a specific time.
  • Daily: Schedule the scan to occur on a daily basis, at a specific time or to repeat up to every 20 days.
  • Weekly: Schedule the scan to occur on a recurring basis, by time and day of week, for up to 20 weeks.
  • Monthly: Schedule the scan to occur every month, by time and day or week of month, for up to 20 months.
  • Yearly: Schedule the scan to occur every year, by time and day, for up to 20 years.

Starts

Varies

Specifies the exact date and time when a scan launches.

The starting date defaults to the current date. The starting time is the nearest half-hour interval. For example, if you create your scan on 10/31/2016 at 9:12 AM, the starting date and time defaults to 10/31/2016 at 09:30.

Timezone

Zulu

For the Starts setting, specifies the timezone.

Repeat Every Varies Specifies the interval at which Tenable.io relaunches a scan. The default value of this item varies based on the frequency you choose.
Repeat On Varies

Specifies what day of the week a scan repeats. This item appears only if you specify Weekly for Frequency.

The value for Repeat On defaults to the day of the week on which you create the scan.

Repeat By Day of the Month Specifies when Tenable.io relaunches a monthly scan. This item appears only if you specify Monthly for Frequency.

Summary

Not applicable

Provides a summary of the schedule for your scan based on the values you specified for the available settings.

Notifications

Setting Default Value Description

Email Recipient(s)

None Specifies zero or more email addresses to alert when a scan completes and the results are available.

Result Filters

None Defines the type of information in the email alert.

Permissions

Using settings in the Permissions section, you can assign various permissions to groups and individual users. When you assign a permission to a group, that permission applies to all users within the group.

Setting Description
Data Sharing
Scan Results

Specifies whether you want scan results to be private to your user account, or appear in the Vulnerabilities and Assets workbenches.

User Sharing (All)
Owner

For scans, specifies the only user who can delete the scan.

For policies, specifies the only user who can delete the policy or modify permissions for the policy.

This setting is only visible if you are the scan or policy owner. By default, you are assigned ownership when you create the scan or policy.

No Access

(Default permission) Groups and users set to No Access cannot interact with the scan or policy in any way.

User Sharing (Scans only)

Can View

Groups and users set to Can View can view the results of the scan. They can also move the scan to their Trash folder but cannot delete it.

Can Control

Groups and users set to Can Control can launch, pause, and stop a scan, in addition to performing any tasks allowed by Can View.

Can Configure

Groups and users set to Can Configure can modify any setting for the scan except scan ownership, in addition to performing any tasks allowed by Can Control.

User Sharing (Policies only)
Can Use

Groups and users set to Can Use can use the policy to create scans.

Can Edit

Groups and users set to Can Edit can modify any setting for the policy except permissions, in addition to performing any tasks allowed by Can Use.

Can Configure

Groups and users set to Can Configure can modify any setting for the policy except policy ownership, in addition to performing any tasks allowed by Can Edit.

Authentication

In policy templates, you can use Authentication settings to configure the actions Tenable.io performs when authenticating certain types of credentialed scans. Authentication settings are used by scans created from the policy. The Authentication settings are equivalent to the Scan-wide Credential Type Settings you can set in a scan that is not based on a user-defined policy.

Setting Default Value Description
SNMPv1/v2c
equivalent to Scans > Credentials > Plaintext Authentication >  SNMPv1/v2c

UDP Port

161 Ports where Tenable.io attempts to authenticate on the host device.
Additional UDP port #1 161
Additional UDP port #2 161
Additional UDP port #3 161
HTTP
equivalent to Scans > Credentials > Plaintext Authentication > HTTP

Login method

POST

Specify if the login action is performed via a GET or POST request.

Re-authenticate delay (seconds)

0

The time delay between authentication attempts. Setting a time delay is useful to avoid triggering brute force lockout mechanisms.

Follow 30x redirections (# of levels)

0

If a 30x redirect code is received from a web server, this setting directs Tenable.io to follow the link provided or not.

Invert authenticated regex

Disabled

A regex pattern to look for on the login page, that if found, tells Tenable.io that authentication was not successful (e.g., Authentication failed!).

Use authenticated regex on HTTP headers

Disabled

Rather than search the body of a response, Tenable.io can search the HTTP response headers for a given regex pattern to better determine authentication state.

Case insensitive authenticated regex Disabled

he regex searches are case sensitive by default. This instructs Tenable.io to ignore case.

telnet/rsh/rexec
equivalent to Scans > Credentials > Plaintext Authentication > telnet/ssh/rexec
Perform patch audits over telnet Disabled Tenable.io uses telnet to connect to the host device for patch audits.
Perform patch audits over rsh Disabled Tenable.io uses rsh to connect to the host device for patch audits.
Perform patch audits over rexec Disabled Tenable.io uses rexec to connect to the host device for patch audits.
Windows
equivalent to Scans > Credentials > Host > Windows
Never send credentials in the clear

Enabled

By default, for security reasons, this option is enabled.

Do not use NTLMv1 authentication

Enabled

If the Do not use NTLMv1 authentication option is disabled, then it is theoretically possible to trick Tenable.io into attempting to log into a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Tenable.io. This hash can be potentially cracked to reveal a username or password. It may also be used to directly log into other servers. Force Tenable.io to use NTLMv2 by enabling the Only use NTLMv2 setting at scan time. This prevents a hostile Windows server from using NTLM and receiving a hash. Because NTLMv1 is an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan

Disabled

This option tells Tenable.io to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Tenable.io to execute some Windows local check plugins.

Enable administrative shares during the scan

Disabled

This option allows Tenable.io to access certain registry entries that can be read with administrator privileges.

SSH
equivalent to Scans > Credentials > Host > SSH
known_hosts file

None

If you upload an SSH known_hosts file, Tenable.io only attempts to log in to hosts in this file. This can ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a log into a system that may not be under your control.

Preferred port

22

The port on which SSH is running on the target system.

Client version

OpenSSH_5.0

The type of SSH client Tenable.io impersonates while scanning.

Attempt least privilege

Cleared

Enables or disables dynamic privilege escalation. When enabled, Tenable.io attempts to run the scan with an account with lesser privileges, even if theElevate privileges with option is enabled. If a command fails, Tenable.io escalates privileges. Plugins 101975 and 101976 report which plugins ran with or without escalated privileges.

Note: Enabling this option may increase scan run time by up to 30%.

Amazon AWS
equivalent to Scans > Credentials > Cloud Services > Amazon AWS
Regions to access

Rest of the World

In order for Tenable.io to audit an Amazon AWS account, you must define the regions you want to scan. Per Amazon policy, you need different credentials to audit account configuration for the China region than you do for the rest of the world.

Possible regions include:

  • GovCloud—If you select this region, you automatically select the government cloud (e.g., us-gov-west-1).

  • Rest of the World—If you select this region, the following additional options appear:

    • us-east-1

    • us-east-2

    • us-west-1

    • us-west-2

    • ca-central-1

    • eu-west-1

    • eu-west-2

    • eu-central-1

    • ap-northeast-1

    • ap-northeast-2

    • ap-southeast-1

    • ap-southeast-2

    • sa-east-1

  • China—If you select this region, the following additional options appear:

    • cn-north-1

    • cn-northwest-1

HTTPS

Enabled

Whether Tenable.io authenticates over an encrypted (HTTPS) or an unencrypted (HTTP) connection.

Verify SSL Certificate

Enabled

Whether Tenable.io verifies the validity of the SSL digital certificate.

Rackspace
equivalent to Scans > Credentials > Cloud Services > Rackspace
Location

Location of the Rackspace Cloud instance. Possible locations include:

  • Dallas-Fort Worth (DFW)
  • Chicago (ORD)
  • Northern Virginia (IAD)
  • London (LON)
  • Syndney (SYD)
  • Hong Kong (HKG)
Microsoft Azure
equivalent to Scans > Credentials > Cloud Services > Amazon AWS
Subscription IDs

List subscription IDs to scan, separated by a comma. If this field is blank, all subscriptions are audited.

Apple Profile Manager
equivalent to Scans > Credentials > Mobile > Apple Profile Manager
Force device updates Enabled

Force devices to update with Apple Profile Manager immediately.

Device update timeout (minutes) 5

Number of minutes to wait for devices to reconnect with Apple Profile Manager.

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.