Configure Nessus for NIAP Compliance
If your organization requires that your instance of Nessus meets National Information Assurance Partnership (NIAP) standards, you can configure Nessus so that relevant settings are compliant with NIAP standards.
Before you begin:
- If you use SSL certificates to log in to Nessus, ensure your server and client certificates are NIAP-compliant. You can either use your own certificates signed by a CA, or you can Create SSL Client Certificates for Login using Nessus.
- Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host where you installed Nessus.
To configure Nessus for NIAP compliance:
- Log in to your instance of Nessus.
- Enable NIAP mode using the command line interface:
- Access Nessus from a command line interface.
- In the command line, enter the following command:
nessuscli fix --set niap_mode=enforcing
Linux example:
/opt/nessus/sbin/nessuscli fix --set niap_mode=enforcing
Nessus does the following:
Note: When Nessus is in NIAP mode, Nessus overrides the following settings as long as Nessus remains in NIAP mode. If you disable NIAP mode, Nessus reverts to what you had set before.
- Overrides the SSL Mode (ssl_mode_preference) with the TLS 1.2 (niap) option.
- Overrides the SSL Cipher List (ssl_cipher_list) setting with the NIAP Approved Ciphers (niap) setting, which sets the following ciphers:
- Uses strict certificate validation:
- Disallows certificate chains if any intermediate certificate lacks the CA extension.
- Authenticates a server certificate, using the signing CA certificate.
- Authenticates a client certificate when using client certificate authentication for login.
- Checks the revocation status of a CA certificate using the Online Certificate Status Protocol (OCSP). If the responder reports the certificate as revoked, Nessus marks the certificate as invalid. If the responder does not answer, Nessus does not mark the certificate as invalid; in other words, revocation checking fails open when the OCSP responder is unreachable.
- Ensure that the certificate has a valid, trusted CA that is in known_CA.inc. CA certificates for Tenable.io and plugins.nessus.org are already in known_CA.inc in the plugins directory.
- If you want to use a custom CA certificate that is not in known_CA.inc, copy it to custom_CA.inc in the plugins directory.
- Enforces the current validated FIPS module for Nessus communication and database encryption. The FIPS module does not affect scanning encryption.
Note: You can enforce the FIPS module from nessuscli without enforcing NIAP mode. For more information, see Fix Commands.
You can convert encrypted databases from the default format (OFB-128) to NIAP-compliant encryption (XTS-AES-128).
Nessus in NIAP mode can read databases with the default format (OFB-128).
To convert encrypted databases to NIAP-compliant encryption:
- Stop Nessus.
- Enable NIAP mode, as described in the previous procedure.
- Enter the following command:
nessuscli security niapconvert
Nessus converts encrypted databases to XTS-AES-128 format.
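The following script ties the two procedures above together on a Linux host and adds the checks a practitioner would want afterwards: it confirms that niap_mode actually reads back as enforcing, and it probes the Nessus listener with openssl s_client to confirm that TLS 1.0 and 1.1 are refused while TLS 1.2 is accepted. This is an added example, not Tenable's own tooling. The nessuscli path, the nessusd service name, port 8834, and the output format of nessuscli fix --get (assumed to contain the word "enforcing" when set) are assumptions; adjust them for your install.

```shell
#!/bin/sh
# Added example for enabling NIAP mode, converting the encrypted databases,
# and verifying the result. Not part of Nessus or Tenable's documentation.
# Assumptions (override via environment): binary path, service name, port.
NESSUSCLI="${NESSUSCLI:-/opt/nessus/sbin/nessuscli}"
NESSUS_SERVICE="${NESSUS_SERVICE:-nessusd}"
NESSUS_PORT="${NESSUS_PORT:-8834}"

# Succeeds only if the text printed by `nessuscli fix --get niap_mode`
# reports the enforcing value. The exact output format is an assumption;
# the check simply looks for the word "enforcing".
niap_mode_is_enforcing() {
    printf '%s\n' "$1" | grep -iq 'enforcing'
}

# Set niap_mode=enforcing and read it back rather than trusting the exit code.
enable_niap_mode() {
    "$NESSUSCLI" fix --set niap_mode=enforcing
    current="$("$NESSUSCLI" fix --get niap_mode)"
    if ! niap_mode_is_enforcing "$current"; then
        echo "niap_mode did not read back as enforcing: $current" >&2
        return 1
    fi
}

# niapconvert requires Nessus stopped and NIAP mode already enabled; the
# caller (run_all) handles the ordering. Converts OFB-128 databases to XTS-AES-128.
convert_databases() {
    "$NESSUSCLI" security niapconvert
}

# Returns 0 if the listener completes a handshake with the given openssl
# protocol flag (-tls1, -tls1_1, -tls1_2), 1 if it refuses (or the local
# openssl build lacks that protocol, which also counts as "not negotiable").
tls_handshake_ok() {
    openssl s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1
}

# Expected posture under the TLS 1.2 (niap) setting: 1.0 and 1.1 refused,
# 1.2 accepted. Prints one line per check and fails if any check fails.
probe_tls_posture() {
    host="$1"; port="${2:-$NESSUS_PORT}"; rc=0
    for flag in -tls1 -tls1_1; do
        if tls_handshake_ok "$host" "$port" "$flag"; then
            echo "FAIL: listener accepted $flag"; rc=1
        else
            echo "ok: listener refused $flag"
        fi
    done
    if tls_handshake_ok "$host" "$port" -tls1_2; then
        echo "ok: TLS 1.2 accepted"
    else
        echo "FAIL: TLS 1.2 handshake did not complete"; rc=1
    fi
    return $rc
}

# Full sequence: stop, enable NIAP mode, convert, start, then verify TLS.
run_all() {
    [ -x "$NESSUSCLI" ] || { echo "nessuscli not found at $NESSUSCLI" >&2; return 1; }
    systemctl stop "$NESSUS_SERVICE"
    enable_niap_mode
    convert_databases
    systemctl start "$NESSUS_SERVICE"
    sleep 5   # give nessusd a moment to bind the listener before probing
    probe_tls_posture 127.0.0.1 "$NESSUS_PORT"
}

# Only act when explicitly asked, so sourcing this file for its functions is safe.
if [ "${NIAP_RUN:-0}" = "1" ]; then
    run_all
fi
```

Run it as root with NIAP_RUN=1 sh niap.sh. If the TLS 1.2 probe fails while the version probes pass, check the SSL Cipher List setting first: a client-side openssl that lacks the NIAP approved suites will fail to negotiate even though the server is configured correctly.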