Configure Nessus Agent for NIAP Compliance

If your organization requires that Nessus Agent meets National Information Assurance Partnership (NIAP) standards, you can configure Nessus Agent so that relevant settings are compliant with NIAP standards.

Before you begin:

  • If Nessus Agent is linked to Nessus Manager, verify that the CA certificate of Nessus Manager is in or
  • Confirm you have enabled the full disk encryption capabilities provided by the operating system on the host where Nessus Agent is installed.

To configure Nessus Agent for NIAP compliance:

  1. Access the agent from the command line interface.
  2. Enable NIAP mode using the command line interface:
    • In the command line, enter the following command:

      nessuscli fix --set niap_mode=enforcing

      Linux example:

      /opt/nessus_agent/sbin/nessuscli fix --set niap_mode=enforcing

    Nessus Agent does the following:

    Note: When Nessus Agent is in NIAP mode, Nessus Agent overrides the following settings as long as Nessus Agent remains in NIAP mode. If you disable NIAP mode, Nessus Agent reverts to what you had set before.

    • Overrides the SSL mode (ssl_mode) with TLS 1.2 (niap).

    • Overrides the SSL cipher list (ssl_cipher_list) setting with NIAP compliant ciphers (niap), which sets the following ciphers:

      • ECDHE-RSA-AES128-SHA256

      • ECDHE-RSA-AES128-GCM-SHA256

      • ECDHE-RSA-AES256-SHA384

      • ECDHE-RSA-AES256-GCM-SHA384

    • Uses strict certificate validation:

      • Disallows certificate chains if any intermediate certificate lacks the CA extension.

      • Authenticates a server certificate, using the signing CA certificate.

      • Authenticates a client certificate when using client certificate authentication for login.

      • Checks the revocation status of a CA certificate using the Online Certificate Status Protocol (OCSP). If the certificate is revoked, then the certificate is marked as invalid. If there is no response, then the certificate is not marked as invalid, and its use is permitted if it is otherwise valid.

      • Ensures that the certificate has a valid, trusted CA that is in CA Certificates for and are already in in the plugins directory.

      • If linked to Nessus Manager, verifies that the CA certificate of Nessus Manager is found in or

    • Enforces the current validated FIPS module for Nessus Agent communication and database encryption. The FIPS module does not affect scanning encryption.

      Note: You can enforce the FIPS module from the Agent nessuscli utility without enforcing NIAP mode. For more information, see Fix Commands.
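      The following check, added here as an example and not part of Tenable's documentation or the nessuscli tool, builds a client TLS profile matching what NIAP mode enforces on the agent (TLS 1.2 only, the four ciphers above, strict chain validation) and uses it to confirm that a Nessus Manager endpoint can actually be reached under that profile before agents are switched to enforcing. The host name, the CA file path and the default port 8834 are assumptions for illustration; OCSP checking is not performed here, only version, cipher and chain validation.

```python
import socket
import ssl

# Cipher suites the page lists for ssl_cipher_list = niap.
NIAP_CIPHERS = (
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
)


def niap_client_context(ca_file=None):
    """Client context mirroring the agent's NIAP profile: TLS 1.2 only,
    NIAP ciphers, required server authentication, strict chain checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(NIAP_CIPHERS))
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Reject chains whose intermediates lack the CA basic constraint,
    # as the agent does in NIAP mode.
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # Manager CA (assumed path)
    else:
        ctx.load_default_certs()
    return ctx


def offered_tls12_ciphers(ctx):
    """TLS 1.2 suites the context offers. OpenSSL lists TLS 1.3 suites even
    with the version capped at 1.2, so they are filtered out here."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def is_niap_cipher(name):
    return name in NIAP_CIPHERS


def audit_manager(host, port=8834, ca_file=None, timeout=5.0):
    """Connect with the NIAP profile and report the negotiated parameters.
    A handshake failure means the Manager cannot serve NIAP-mode agents."""
    ctx = niap_client_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name = tls.cipher()[0]
            version = tls.version()
            return {"tls_version": version, "cipher": cipher_name,
                    "niap_ok": version == "TLSv1.2" and is_niap_cipher(cipher_name)}
```

Run audit_manager("manager.example.internal", ca_file="/path/to/manager-ca.pem") against your own Manager; an ssl.SSLError on the handshake points at a TLS version, cipher or certificate chain the NIAP profile rejects.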