Configure Nessus Agent for NIAP Compliance

If your organization requires that Nessus Agent meets National Information Assurance Partnership (NIAP) standards, you can configure Nessus Agent so that the relevant settings comply with those standards.

Before you begin:

  • If Nessus Agent is linked to Nessus Manager, verify that the CA certificate of Nessus Manager is in custom_CA.inc or known_CA.inc.
  • Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host where Nessus Agent is installed.

To configure Nessus Agent for NIAP compliance:

  1. Open a command line interface on the host where Nessus Agent is installed.
  2. Enable NIAP mode:
    • In the command line, enter the following command:

      nessuscli fix --set niap_mode=enforcing

      Linux example:

      /opt/nessus_agent/sbin/nessuscli fix --set niap_mode=enforcing

    Nessus Agent then applies the following overrides.

    Note: Nessus Agent overrides these settings only for as long as it remains in NIAP mode. If you disable NIAP mode, each setting reverts to the value you had set before.

    • Overrides the SSL mode (ssl_mode) setting with the value niap, which allows only TLS 1.2.

    • Overrides the SSL cipher list (ssl_cipher_list) setting with the value niap, which allows only the following NIAP-compliant cipher suites:

      • ECDHE-RSA-AES128-SHA256

      • ECDHE-RSA-AES128-GCM-SHA256

      • ECDHE-RSA-AES256-SHA384

      • ECDHE-RSA-AES256-GCM-SHA384

    • Uses strict certificate validation:

      • Rejects a certificate chain if any intermediate certificate lacks the basicConstraints CA extension.

      • Authenticates the server certificate against the CA certificate that signed it.

      • Authenticates a client certificate when using client certificate authentication for login.

      • Checks the revocation status of a CA certificate using the Online Certificate Status Protocol (OCSP). A revoked certificate is marked as invalid. If the OCSP responder does not answer, the certificate is not marked as invalid and may still be used if it is otherwise valid (that is, the check soft-fails).

      • Ensures that the certificate chains to a valid, trusted CA listed in known_CA.inc. The CA certificates for Tenable.io and plugins.nessus.org are already included in known_CA.inc in the plugins directory.

      • If linked to Nessus Manager, verifies that the CA certificate of Nessus Manager is present in custom_CA.inc or known_CA.inc.
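The procedure above, enabling NIAP mode and then reading the three overridden settings back to confirm the change applied, as an added shell example. This is not Tenable's code and is not taken from the Nessus Agent documentation. It assumes that "nessuscli fix --get <setting>" prints the setting as "name: value" on one line, that the values reported are "enforcing" for niap_mode and "niap" for ssl_mode and ssl_cipher_list (the values the page says NIAP mode applies), and that the path to nessuscli is supplied in a NESSUSCLI environment variable; the output format, the reported values and the environment variable are all assumptions.

```shell
#!/bin/sh
# Added example, not Tenable's own code: enable NIAP mode on a Nessus Agent
# host and read the overridden settings back to confirm the change applied.
#
# Assumptions (not stated on the documentation page):
#   - "nessuscli fix --get <setting>" prints "<setting>: <value>" on one
#     line; the parser keeps only the text after the first ": " so a
#     different prefix still works.
#   - once enforcing, niap_mode reports "enforcing" and ssl_mode and
#     ssl_cipher_list report "niap", matching the values the page lists.
#   - the path to nessuscli comes from the NESSUSCLI environment variable
#     (Linux default would be /opt/nessus_agent/sbin/nessuscli).

# get_setting CLI NAME: print the value of NAME as reported by CLI.
get_setting() {
    "$1" fix --get "$2" | sed -n 's/^[^:]*:[[:space:]]*//p' | head -n 1
}

# enable_niap CLI: the documented command that puts the agent into NIAP mode.
enable_niap() {
    "$1" fix --set niap_mode=enforcing
}

# check_niap CLI: return 0 only if every setting that NIAP mode is documented
# to override reports the expected value; prints one line per setting.
check_niap() {
    cli="$1"
    status=0
    for pair in niap_mode=enforcing ssl_mode=niap ssl_cipher_list=niap; do
        name="${pair%%=*}"
        want="${pair#*=}"
        got="$(get_setting "$cli" "$name")"
        if [ "$got" = "$want" ]; then
            echo "OK   $name=$got"
        else
            echo "FAIL $name: expected '$want', got '${got:-<empty>}'" >&2
            status=1
        fi
    done
    return "$status"
}

# main CLI: enable NIAP mode, then verify. Returns 2 if the binary is
# missing, 1 if enabling or verification fails, 0 on success.
main() {
    cli="$1"
    if [ ! -x "$cli" ]; then
        echo "nessuscli not found or not executable: $cli" >&2
        return 2
    fi
    enable_niap "$cli" || return 1
    check_niap "$cli"
}

# Only act when pointed at a real agent; otherwise the functions are just
# defined so the file can be sourced or exercised with a stub CLI.
if [ -n "${NESSUSCLI:-}" ]; then
    main "$NESSUSCLI"
    exit $?
fi
```

Run it on a Linux agent host as NESSUSCLI=/opt/nessus_agent/sbin/nessuscli sh niap_enable_check.sh; a non-zero exit means a setting did not take the documented value, which is worth re-checking before treating the host as compliant, since the overrides are only in effect while niap_mode stays enforcing.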