Configure Tenable Enclave Security

When you access the Tenable Enclave Security user interface for the first time, the Setup page appears. On the Setup page, you'll create your Super Administrator user account, set up your first organization, and create a Security Manager user account.

Before you begin:

Configure Tenable Enclave Security:

  1. In a web browser, access Tenable Enclave Security at the URL that you defined in Prepare a Kubernetes Cluster.

  2. Set up your Super Administrator user account, and click Next.

    Option

    Description

    First Name

    The first name for the user.

    Last Name

    The last name for the user.

    User Name

    The username for the Super Administrator account.

    Password

    The unique password for the Super Administrator account.

    Confirm Password

    The same password you entered in the Password box.

  3. Set up an organization, and click Next.

    For more information about organizations, see Organizations.

    Option

    Description

    Default

    General

    Name

    The name for the organization.

    --

    Description

    A description for the organization.

    --

    Address

    The address for the organization.

    --

    City

    The city for the organization.

    --

    State

    The city for the organization.

    --

    Phone

    The phone number for the organization.

    --

    Password Expiration

    Enable Password Expiration

    When enabled, the user's password will expire after the number of days specified in the Expiration Days box. The user will receive daily password expiration notifications at login, starting 14 days before the password expires. After the password expires, the user must change their password at the next login.

    When disabled, the user's password expiration settings will default to the organization settings.

    disabled

    Expiration Days

    The number of days before the user's password expires. You can enter a number between 1 and 365.

    --
    Container Security
    Scanner Key Expiration The number of days before the user's scanner key expires. 90

    Scanning

    Distribution Method

    The scan distribution mode you want to use for this organization:

    • Automatic Distribution Only - The scanner chooses one or more scan zones to run the scan. Organizational users cannot choose a scan zone when configuring a scan.

    • Locked Zone - The scanner uses the scan zone(s) you specify to run the scan. Organizational users cannot modify the scan zone when configuring a scan.

    • Selectable Zones - The scanner allows organizational users to select a scan zone when configuring a scan. This mode allows organizational users to use scanners to run internal and external vulnerability scans and analyze the vulnerability stance from a new perspective. For example, an organizational user can choose an external scanner to see the attack surface from an external attacker’s perspective.

    Automatic Distribution Only

    Scan Zones

    One or more scan zones for the organization.

    Scan zones are areas of your network that you want to target in an active scan, associating an IP address or range of IP addresses with one or more scanners in your deployment. For more information about scan zones, see

    --

    Allow for Automatic Distribution

    Enable or disable this option to specify whether you want the scanner to select one or more scan zones automatically if an organizational user does not specify a scan zone when configuring a scan.

    • When enabled, the scanner chooses one or more scan zones that you specify in the Restricted Scan Ranges setting.

    • When disabled, the scanner requires the organizational user to specify a scan zone when configuring a scan.

    disabled

    Restricted Scan Ranges

    The IP address ranges you do not want users in this organization to scan.

    --

    Analysis

    Accessible LCEs

    The Log Correlation Engines that you want this organization to have access to. You can search for the Log Correlation Engines by name or scroll through the list.

    --

    Accessible Repositories

    The repositories that you want this organization to have access to. You can search for the repositories by name or scroll through the list.

    --

    Accessible Agent Capable Scanners

    The Tenable Nessus scanners (with Tenable Nessus Agents enabled) that you want this organization to have access to. Select one or more of the available scanners to allow the organization to import Tenable Nessus Agent results from the selected scanner.

    --

    Accessible LDAP Scanners

    The LDAP servers that you want this organization to have access to. An organization must have access to an LDAP server to perform LDAP authentication on user accounts within that organization, and to configure LDAP query assets.

    Note: If you revoke access to an LDAP server, users in the organization cannot authenticate and LDAP query assets cannot run.

    --

    Custom Analysis Links

    Link Name

    A name for the custom analysis link. You can use custom analysis links to reference additional data external to Tenable Enclave Security.

    --

    URL

    The custom analysis link URL that will appear in the host vulnerability details.

    For example, http://example.com/index.htm?ip=%ip%.The %ip% reference is a variable that inserts the IP address of the current host into the specified URI.

    --

    Vulnerability Weights

    Vulnerability Weights

    The vulnerability weighting to apply to vulnerabilities with the specified criticality:

    • Low - The vulnerability weighting to apply to Low criticality vulnerabilities for scoring purposes. (Default: 1)

    • Medium - The vulnerability weighting to apply to Medium criticality vulnerabilities for scoring purposes. (Default: 3)

    • High - The vulnerability weighting to apply to High criticality vulnerabilities for scoring purposes. (Default: 10)

    • Critical - The vulnerability weighting to apply to Critical criticality vulnerabilities for scoring purposes. (Default: 40)

    Medium

    Vulnerability Scoring System

    Scoring System

    The scoring system the scanner uses to assess the severity of vulnerabilities: CVSS v2 or CVSS v3.

    Note: Changing the Scoring System while the scanner is running certain operations, such as preparing reports or dashboard data, results in data using mixed CVSS v2 and CVSS v3 scores.

    Note: Changing the Scoring System does not impact historical dashboard trend data. For example, if you change the Scoring System from CVSS v2 to CVSS v3, dashboard trend data before the change displays CVSS v2 scores while dashboard trend data after the change displays CVSS v3 scores.

    CVSS v2

  4. Configure a Security Manager account, and click Finish.

    Option

    Description

    Default

    Configure Product Access

    Role

    The role for the user.

    Security Manager

    Organization

    The organization that the user belongs to.

    --

    General

    First Name

    The first name for the user.

    --

    Last Name

    The last name for the user.

    --

    Type

    The authentication type for the user account:

    • Tenable (TNS)

    • Lightweight Directory Access Protocol (LDAP)

    • Security Assertion Markup Language (SAML)

    You must configure an LDAP server or SAML authentication in order to select LDAP or SAML from the Type drop-down box.

    TNS

    User Name

    The username for the user account. The username is case-sensitive.

    --

    Password

    The password for the user account.

    Tip: Tenable recommends using passwords that meet stringent length and complexity requirements.

    --

    Confirm Password

    The same password you entered in the Password box.

    --

    User Must Change Password

    When enabled, the user must change their password when they log in for the first time.

    disabled

    Time Zone

    The time zone for the user.

     

    Scan Result Default Timeframe

    The default Completion Time filter applied when the user accesses or refreshes the scan results.

     

    Cached Fetching

    When enabled, Tenable Enclave Security caches plugin policy information and performs plugin policy downloads once per page load.

     

    Password Expiration

    Enable Password Expiration

    When enabled, the user's password will expire after the number of days specified in the Expiration Days box. The user will receive daily password expiration notifications at login, starting 14 days before the password expires. After the password expires, the user must change their password at the next login.

    When disabled, the user's password expiration settings will default to the organization settings.

    disabled

    Expiration Days

    The number of days before the user's password expires. You can enter a number between 1 and 365.

    --