Define Scanning Objects
SecurityCenter supports a flexible dynamic asset discovery system that can also import static asset lists from many commercial and open source systems. This allows “high level” asset lists to be constructed as well as very detailed lists of specific items. Some examples of assets to be grouped together include, but are not limited to, hardware device types, particular service types, certain vulnerability types, machines with outdated software, OS types, and other lists based on discovered information. Many asset templates are available by default in SecurityCenter and, if configured, Tenable automatically updates them and adds new ones.
To create a static list of assets in SecurityCenter, users can either manually enter IP addresses into the “Addresses” field or upload a text file that contains IP addresses, ranges of IP addresses, or CIDR notation. Once uploaded, the asset list is named and can be immediately used.
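The address file described above mixes three notations (single addresses, dashed ranges and CIDR blocks), so it is worth validating before upload. The following is an added example, not SecurityCenter's own import code: it expands a constructed sample file into unique host addresses, reports malformed lines with their line numbers instead of aborting, and refuses to expand past a configurable host count so that a stray large CIDR block does not silently balloon the list. The comment handling and the `max_hosts` guard are assumptions of this example, not documented SecurityCenter behaviour.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample upload in the three notations the text describes
# (single address, dashed range, CIDR). Not taken from a real environment.
SAMPLE_ASSET_FILE = """\
# NY file servers
192.168.10.5
192.168.10.20-192.168.10.25
10.1.0.0/30
192.168.10.5
192.168.10.300
"""


def parse_entry(entry: str) -> list:
    """Convert one list entry into one or more networks (a host is a /32)."""
    if "-" in entry:
        start, end = (part.strip() for part in entry.split("-", 1))
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if first.version != last.version:
            raise ValueError(f"range {entry!r} mixes IPv4 and IPv6")
        if last < first:
            raise ValueError(f"range {entry!r} ends before it starts")
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False accepts a CIDR with host bits set (e.g. 10.1.0.1/24),
    # which is how such entries are usually meant; a plain address becomes a /32
    return [ipaddress.ip_network(entry, strict=False)]


def expand_asset_list(text: str, max_hosts: int = 65536) -> Tuple[List[str], List[str]]:
    """Expand the upload into unique host addresses plus a list of problems.

    Bad lines are reported with their line number instead of aborting, and
    expansion stops once max_hosts is exceeded so a stray 10.0.0.0/8 does not
    turn into 16 million entries (assumed guard, not a SecurityCenter limit).
    """
    hosts, problems = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' comments are an assumption here
        if not line:
            continue
        try:
            for net in parse_entry(line):
                hosts.update(net)             # iterating a network yields its addresses
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if len(hosts) > max_hosts:
            problems.append(f"line {lineno}: list exceeds {max_hosts} hosts, stopped expanding")
            break
    # sort by version first so an IPv4/IPv6 mix does not raise on comparison
    ordered = sorted(hosts, key=lambda addr: (addr.version, int(addr)))
    return [str(addr) for addr in ordered], problems


if __name__ == "__main__":
    hosts, problems = expand_asset_list(SAMPLE_ASSET_FILE)
    print(f"{len(hosts)} unique hosts")
    for problem in problems:
        print("problem:", problem)
```

On the sample the duplicate `192.168.10.5` collapses to one host, the range and the /30 expand to six and four addresses, and the invalid `192.168.10.300` is reported on line 6 without discarding the rest of the file.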
SecurityCenter can implement rules that consider “discovered” information for dynamic asset discovery. These rules are run against the vulnerability data and result in assigning an IP address to one or more asset lists. For example, SecurityCenter could create a rule stating that any Windows system that belongs to the “CORPORATE-NY” domain be placed on an asset list named “New York Domain”. Another example would be any host discovered to have LimeWire software running (Nessus plugin 11427 or PVS plugin 4110) could be assigned to a dynamic asset list for special review. Tenable also provides a variety of asset templates that may be used as is or may be customized for the local environment.
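To make the evaluation model concrete, the following added example (not SecurityCenter's rule syntax, which is not shown on this page) encodes the two rules from the paragraph above as predicates over constructed per-host findings. It shows that one host can land on several lists at once, and that because the rules are re-run against each new set of vulnerability data, membership changes when the data does: a host drops off the LimeWire list once the plugin no longer fires. The `HostFindings` fields and both scan snapshots are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class HostFindings:
    """What the vulnerability data says about one IP address (assumed shape)."""
    ip: str
    os: str = ""
    domain: str = ""
    nessus_plugins: Set[int] = field(default_factory=set)
    pvs_plugins: Set[int] = field(default_factory=set)


@dataclass
class AssetRule:
    """A dynamic asset list: its name plus the condition a host must meet."""
    name: str
    matches: Callable[[HostFindings], bool]


# The two rules described in the text, as predicates
RULES = [
    AssetRule("New York Domain",
              lambda h: "windows" in h.os.lower() and h.domain == "CORPORATE-NY"),
    AssetRule("LimeWire Review",
              lambda h: 11427 in h.nessus_plugins or 4110 in h.pvs_plugins),
]

# Constructed sample findings from two successive scans, not real scan output
SCAN_1 = [
    HostFindings("192.168.10.5", "Microsoft Windows Server 2008", "CORPORATE-NY", {11427}),
    HostFindings("192.168.10.6", "Microsoft Windows 7", "CORPORATE-NY"),
    HostFindings("192.168.20.9", "Microsoft Windows 7", "CORPORATE-DC"),
    HostFindings("10.1.0.2", "Linux Kernel 2.6", pvs_plugins={4110}),
]
# Next scan: LimeWire was removed from 192.168.10.5 and a new host joined CORPORATE-NY
SCAN_2 = [
    HostFindings("192.168.10.5", "Microsoft Windows Server 2008", "CORPORATE-NY"),
    HostFindings("192.168.10.6", "Microsoft Windows 7", "CORPORATE-NY"),
    HostFindings("192.168.10.7", "Microsoft Windows 7", "CORPORATE-NY"),
    HostFindings("192.168.20.9", "Microsoft Windows 7", "CORPORATE-DC"),
    HostFindings("10.1.0.2", "Linux Kernel 2.6", pvs_plugins={4110}),
]


def evaluate_rules(findings: List[HostFindings], rules: List[AssetRule]) -> Dict[str, List[str]]:
    """Run every rule over every host; a host may be placed on several lists."""
    members: Dict[str, List[str]] = {rule.name: [] for rule in rules}
    for host in findings:
        for rule in rules:
            if rule.matches(host):
                members[rule.name].append(host.ip)
    return members


def membership_changes(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Which IPs joined or left each list between two evaluations."""
    changes = {}
    for name in after:
        old, new = set(before.get(name, [])), set(after[name])
        changes[name] = {"joined": sorted(new - old), "left": sorted(old - new)}
    return changes


if __name__ == "__main__":
    first, second = evaluate_rules(SCAN_1, RULES), evaluate_rules(SCAN_2, RULES)
    print(first)
    print(second)
    print(membership_changes(first, second))
```

The Windows system in CORPORATE-DC never matches the first rule, and the Linux host reaches the review list only through the PVS plugin, which is why a rule that checks a single source of plugin data would miss it.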
A configuration audit is one where the auditors verify that servers and devices are configured according to an established standard and maintained with an appropriate procedure. SecurityCenter can perform configuration audits on key assets through the use of Nessus’ credentialed local checks, which log on to a Unix or Windows server directly, without an agent.
SecurityCenter supports a variety of audit standards. Some of these come from best practice centers like the PCI Security Standards Council and the Center for Internet Security (CIS). Some of these are based on Tenable’s interpretation of audit requirements to comply with specific industry standards such as PCI DSS or legislation such as Sarbanes-Oxley.
In addition to the base audits, it is easy to create customized audits for the particular requirements of any organization. These customized audits can be loaded into SecurityCenter and made available to anyone performing configuration audits within an organization.
NIST SCAP files can be uploaded and used in the same manner as an audit file. Navigate to NIST’s SCAP website () and under the “SCAP Content” section, download the desired SCAP security checklist zip file. The file may then be uploaded to SecurityCenter and selected for use in Nessus scan jobs.
Once the audit policies have been configured in SecurityCenter, they can be repeatedly used with little effort. SecurityCenter can also perform audits intended for specific assets. Through the use of audit policies and asset lists, a SecurityCenter user can quickly determine the compliance posture for any specified asset.
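What a configuration audit check actually decides is easy to get wrong, so here is an added example (not a Nessus .audit file and not Tenable's code) that evaluates a handful of custom checks of the kind described above against a constructed sshd_config. It applies the file's own semantics, comment lines ignored and the first occurrence of a keyword winning, so that a commented-out or later `PermitRootLogin no` does not mask an earlier `yes`, and it reports an absent directive as WARNING rather than PASSED, since the file alone cannot prove what the compiled-in default is. The check definitions, the sample configuration and the PASSED/FAILED/WARNING labels are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ConfigCheck:
    description: str
    directive: str
    expected: str          # regex the effective value must match in full


# Constructed sample of what a local check might read from /etc/ssh/sshd_config.
# Not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
"""

# Custom checks for this example, standing in for entries of a custom audit
CHECKS = [
    ConfigCheck("SSH protocol 1 disabled", "Protocol", r"2"),
    ConfigCheck("Root login over SSH disabled", "PermitRootLogin", r"no"),
    ConfigCheck("Password authentication disabled", "PasswordAuthentication", r"no"),
    ConfigCheck("X11 forwarding disabled", "X11Forwarding", r"no"),
]


def effective_values(config_text: str) -> Dict[str, str]:
    """Effective directive values under sshd_config rules: lines beginning
    with '#' are comments, keywords are case-insensitive, and the FIRST
    occurrence of a keyword wins (sshd ignores later duplicates)."""
    values: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) == 2:
            values.setdefault(parts[0].lower(), parts[1].strip())
    return values


def run_check(check: ConfigCheck, values: Dict[str, str]) -> str:
    """Return PASSED, FAILED or WARNING for one check."""
    value = values.get(check.directive.lower())
    if value is None:
        # Directive absent: the daemon's compiled-in default applies, which the
        # file alone cannot confirm, so flag it for review instead of passing it
        return "WARNING"
    return "PASSED" if re.fullmatch(check.expected, value, re.IGNORECASE) else "FAILED"


def audit(config_text: str, checks: List[ConfigCheck]) -> Dict[str, str]:
    """Run every check against one configuration and map description to result."""
    values = effective_values(config_text)
    return {check.description: run_check(check, values) for check in checks}


if __name__ == "__main__":
    for description, result in audit(SAMPLE_SSHD_CONFIG, CHECKS).items():
        print(f"{result:8} {description}")
```

On the sample, root login is reported as FAILED because the first active `PermitRootLogin` line says `yes`, and the X11 check lands on WARNING because the directive is never set. An audit that took the last line, or treated a commented line as configuration, would have passed both.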
Credentials are reusable objects that facilitate a login to a scan target. Various types of credentials with different authentication methods can be configured for use within scan policies. Credentials may be shared between users for scanning purposes. Available credential types include:
- SNMP community string
SecurityCenter supports the use of an unlimited number of SSH and Windows credential sets, unlimited number of Database credentials, and four SNMP credential sets per scan configuration.
Queries allow SecurityCenter users to save custom views of vulnerability or event data for repeated access. This lets a user re-run a saved view against current data without having to rebuild complex query parameters each time.
Scan policies consist of configuration options related to performing an active vulnerability scan. These options include, but are not limited to:
- Parameters that control technical aspects of the scan such as timeouts, number of hosts, type of port scanner, and more
- Granular plugin family or individual plugin based scan specifications
- Compliance policy checks (Windows, Linux, Database, etc.), report verbosity, service detection scan settings, audit files, patch management systems, and more