Configure Nessus for NIAP Compliance

If your organization requires that your instance of Nessus meets National Information Assurance Partnership (NIAP) standards, you can put Nessus into NIAP mode so that the relevant TLS, cipher, certificate validation and database encryption settings are NIAP compliant.

Before you begin:

  • If you use SSL certificates to log in to Nessus, ensure that your server and client certificates are NIAP compliant. You can either use your own certificates signed by a CA, or you can Create Nessus SSL Certificates for Login using Nessus.

To configure Nessus for NIAP compliance:

  1. Log in to your instance of Nessus.
  2. Enable NIAP mode using the command line interface:
      1. Access Nessus from a command line interface.
      2. In the command line, enter the following command:

        nessuscli fix --set niap_mode=enforcing

        Linux example:

        /opt/nessus/sbin/nessuscli fix --set niap_mode=enforcing
      Nessus then enforces the following settings:

      Note: While Nessus is in NIAP mode, it overrides the settings below. If you disable NIAP mode, Nessus reverts to the values you had set before.

      • Overrides the SSL Mode (ssl_mode_preference) setting with the TLS 1.2 (niap) option.
      • Overrides the SSL Cipher List (ssl_cipher_list) setting with the NIAP Approved Ciphers (niap) option, which allows only the following cipher suites:
        • ECDHE-RSA-AES128-SHA256
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-SHA384
        • ECDHE-RSA-AES256-GCM-SHA384
      • Uses strict certificate validation:
        • Rejects certificate chains in which any intermediate certificate lacks the CA extension (basicConstraints CA:TRUE).
        • Authenticates the server certificate against the signing CA certificate.
        • Authenticates the client certificate when client certificate authentication is used for login.
        • Checks the revocation status of a CA certificate using the Online Certificate Status Protocol (OCSP). If the OCSP response says the certificate is revoked, Nessus marks the certificate invalid. If there is no response, Nessus does not mark the certificate invalid and permits its use if it is otherwise valid. Because no response is treated as not revoked, a revoked certificate can still be accepted while the OCSP responder is unreachable.
        • Requires that the certificate chains to a valid, trusted CA listed in known_CA.inc. The CA certificates for Tenable.io and plugins.nessus.org are already in known_CA.inc in the plugins directory.
        • To use a custom CA certificate that is not in known_CA.inc, copy it to custom_CA.inc in the plugins directory.

Database Encryption

You can convert encrypted databases from the default format (AES in OFB mode with a 128-bit key, OFB-128) to the NIAP compliant format (AES in XTS mode with a 128-bit key, XTS-128).

Nessus in NIAP mode can still read databases in the default OFB-128 format, so the conversion is not required for Nessus to start; convert the databases if your stored data must also use NIAP compliant encryption.

To convert encrypted databases to NIAP compliant encryption:

  1. Stop Nessus.
  2. Ensure that NIAP mode is enabled, as described in the previous procedure.
  3. Enter the following command:

    nessuscli security niapconvert

    Linux example:

    /opt/nessus/sbin/nessuscli security niapconvert

    Nessus converts the encrypted databases to the XTS-AES 128-bit format.

  4. Start Nessus again once the conversion has finished.
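The following script is an added example for both procedures on this page (enabling NIAP mode and converting the databases); it is not Tenable's code. It wraps the nessuscli commands shown above and adds the check a practitioner wants afterwards: an external TLS 1.2 handshake against the Nessus web listener, parsed to confirm that the negotiated protocol is TLS 1.2 and the cipher suite is one of the four NIAP suites listed above (any other protocol or cipher is reported as a failure). The nessuscli path, the nessusd service name, the listener address 127.0.0.1:8834 and the sample s_client output are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not Tenable's code: enable NIAP mode, convert the databases,
# and verify from outside that the web listener negotiates only TLS 1.2 with
# one of the four NIAP cipher suites listed on this page.
# Assumptions (not from the page): the Linux nessuscli path, the nessusd
# service name, and a Nessus listener on 127.0.0.1:8834.

NESSUSCLI="${NESSUSCLI:-/opt/nessus/sbin/nessuscli}"
NESSUS_HOST="${NESSUS_HOST:-127.0.0.1:8834}"

# The cipher suites the page lists for "NIAP Approved Ciphers (niap)",
# in OpenSSL naming, which is also what `openssl s_client` prints.
NIAP_CIPHERS="ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 \
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-GCM-SHA384"

# First procedure: switch NIAP mode on, then read the setting back.
niap_enable() {
    "$NESSUSCLI" fix --set niap_mode=enforcing || return 1
    "$NESSUSCLI" fix --get niap_mode
}

# Second procedure: stop nessusd, confirm NIAP mode, convert, start again.
# `systemctl stop/start nessusd` is an assumption about the host's service manager.
niap_convert_db() {
    systemctl stop nessusd || return 1
    "$NESSUSCLI" fix --get niap_mode | grep -q enforcing || {
        echo "NIAP mode is not enforcing; not converting" >&2; return 1; }
    "$NESSUSCLI" security niapconvert || return 1
    systemctl start nessusd
}

# Parse `openssl s_client` output and accept only TLSv1.2 with a NIAP cipher.
# Returns 0 on pass, 1 on fail, and prints the reason.
niap_check_handshake() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ "$proto" != "TLSv1.2" ]; then
        echo "FAIL: protocol '${proto:-none}' is not TLSv1.2"; return 1
    fi
    for c in $NIAP_CIPHERS; do
        if [ "$c" = "$cipher" ]; then
            echo "PASS: $proto $cipher"; return 0
        fi
    done
    echo "FAIL: cipher '${cipher:-none}' is not in the NIAP list"; return 1
}

# Live check: force a TLS 1.2 handshake against the listener and inspect it.
niap_check_live() {
    out=$(printf 'Q\n' | openssl s_client -connect "$NESSUS_HOST" -tls1_2 2>/dev/null)
    niap_check_handshake "$out"
}

# Constructed, abridged samples of the kind of output s_client prints, so the
# parser can be exercised without a live Nessus.
SAMPLE_NIAP_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_WEAK_CIPHER='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA'

SAMPLE_WRONG_PROTO='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

# Usage: ./niap.sh enable | convert | live ; with no argument, run the parser
# against the constructed sample only.
case "${1:-}" in
    enable)  niap_enable ;;
    convert) niap_convert_db ;;
    live)    niap_check_live ;;
    *)       niap_check_handshake "$SAMPLE_NIAP_OK" ;;
esac
```

Run `enable`, then `live`, on the Nessus host itself; `convert` only after Nessus is stopped and NIAP mode is enforcing, which the function checks before it runs niapconvert. The handshake check forces `-tls1_2` on the client side, so a failed handshake shows up as a cipher of `0000` or `(NONE)` in the session block and is reported as a failure rather than silently passing.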