Scan Policy Template Selection
Tenable Security Center provides various scanner and Nessus Agent scan templates that meet different business needs. Tenable Security Center provides three categories of scan templates: Common scans, Compliance scans, and Configuration scans. You can view Tenable Security Center's complete offering of scan templates when you add a scan policy template in the user interface.
For information about specific scan templates, see Scan Policy Templates.
Note: Depending on the scan template you use, you may not be able to tune some of the settings described. The Advanced Scan and Advanced Agent Scan templates allow you to adjust all the described settings available to each assessment type.
Tenable recommends using vulnerability scan templates for most of your organization's standard, day-to-day scanning needs. Some of Tenable Security Center's most notable vulnerability scan templates are:
- Advanced Agent Scan — The most configurable scan type that Tenable Security Center offers. You can configure this scan template to match any policy or search any asset or assets. These policies have the same default settings as the Basic Network/Agent Scan, but they allow for additional configuration options.
  Note: Advanced scan templates allow Tenable Security Center experts to scan more deeply using custom configuration, such as faster or slower checks, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.
- Basic Network Scan — Use this template to scan a system or systems with all of Tenable Security Center's current default plugins enabled. This scan provides a quick and easy way to scan systems for vulnerabilities.
- Credentialed Patch Audit (Nessus Scanner only) — Use this template with credentials to give the scanner direct access to the host, scan the target hosts, and enumerate missing patch updates.
- Host Discovery Scan (Nessus Scanner only) — Launch this scan to see what hosts are on your network, and associated information such as IP address, FQDN, operating systems, and open ports, if available. After you have a list of hosts, you can choose which hosts you want to target in a specific vulnerability scan.
Tenable recommends that organizations that do not have a passive network monitor, such as Tenable Nessus Network Monitor, run this scan weekly to discover new assets on their network.
Note: Assets identified by discovery scans do not count toward your license.
Tenable recommends using configuration scan templates to check whether host configurations are compliant with various industry standards. Configuration scans are sometimes referred to as compliance scans. For more information about the checks that compliance scans can perform, see Audit Files and SCAP scans.
Tenable recommends using the tactical scan templates to scan your network for a specific vulnerability or group of vulnerabilities.
Tactical scans are lightweight, timely scan templates that you can use to scan your assets for a particular vulnerability. Tenable frequently updates the library with templates that detect the latest vulnerabilities of public interest.