Scanning

The “Scans” function of SecurityCenter provides the ability to create, view, configure, control, and schedule Nessus scans. Clicking on “Scans” under the “Scans” menu displays a list of all available Nessus active scans along with their associated Policy Name/Plugin ID, Start Time, Status, Group/Owner, and Schedule.

Click the gear icon menu to perform basic scan management tasks:

  • View — view details about the active scan.
  • Edit — edit settings for the active scan.
  • Copy — copy settings for the active scan and create a second, identical scan.
  • Run Diagnostic Scan — run a separate diagnostic scan for troubleshooting. For more information, see Diagnostic Scans.
  • Delete — delete the active scan.

Active Scans

Authorized users can create an active scan by clicking on “Add” on the “Active Scans” page or by copying an existing scan template. Newly created active scans are shared with everyone within the same user group when users have the appropriate permissions. A menu selection similar to the screen capture below is displayed showing five page tabs: General, Settings, Target, Credentials, and Post Scan. While adding a new active scan, if a required field (indicated by a red asterisk *) is omitted, the user interface will display a Validation Failed page when the scan is submitted, indicating what field(s) need to be corrected.

General Options

The table below describes options available on the General tab.

General Scan Options

Parameter Description

General

Name

The scan name will be associated with the scan’s results and may be any name or phrase (e.g., “SystemA”, “DMZ Scan”, “Daily Scan of the Web Farm”, etc.).

Description

Descriptive information related to the scan.

Policy

This provides a drop-down list for selecting the policy on which to base the scan. The list may be scrolled or searched by entering text into the search box at the top of the list of available policies.

Schedule

Schedule

The drop-down menu provides the ability to schedule a scan for “Now”, “Once”, “Daily”, “Weekly”, “Monthly”, “On Demand”, or “Dependent”. The “On Demand” selection provides the ability to create a scan template that may be launched manually at any time. The “Dependent” selection enables the scan to be scheduled after the completion of a scan selected from the displayed drop-down menu. The other time frames allow scans to be launched at specified times and intervals, depending upon configuration.

Settings

Basic Scan Options

Parameter Description

Basic

Scan Zone

If Scan Zone is set to “Selectable” for the user, a drop-down box will be available to allow for the selection of the scan zone to be used for the scan. If “Automatic Distribution” is selected, the Scan Zone that most closely matches the host or range of hosts to be scanned will be selected from the zones available. Otherwise a specific scan zone may be selected from the drop-down list and searched using the text search box. When hovering over a scan zone the information icon becomes available. When selected the information provided is the name, description, and last modified date.

When Scan Zone is set to “forced” for the user, the Scan Zone box cannot be modified.

Import Repository

Specifies the repository where the scan results will be imported. Select a repository to receive IPv4 or IPv6 results appropriate to the scan being conducted.

Scan Timeout Action

Provides a drop-down selection of three options in the event a scan is not completed. “Import Completed Results With Rollover” is the default option, and will import the results from the scan into the database and create a rollover scan that may be launched at a later time to complete the scan. “Import Completed Results” will import the results of the current scan and discard the information for the unscanned hosts. “Discard Results” will not import any of the results obtained by the scan to the database.

Rollover Schedule

When the Scan Timeout Action is set to “Import Completed Results With Rollover”, this drop-down menu determines how to handle the rollover scan. The rollover scan may be created as a template to launch manually or to launch the next day at the same start time as the just completed scan.

Advanced

Scanning Virtual Hosts

This option treats new DNS entries for an IP address as a virtual host as opposed to a DNS name update. When selected, this option will result in two DNS name/IP address entries in the IP Summary analysis tool if a new DNS name is found for an IP address. If this option is not selected and a new DNS name is found for an IP address, vulnerability data for the two DNS names will be merged into the single IP address entry in the IP Summary analysis tool.

Track hosts which have been issued new IP address

This option uses the DNS name, NetBIOS name, and MAC address (if known), in that order, of the computer to track it when the IP address of the computer may have changed. Once a match has been made, SecurityCenter will not search further for matches. For example, if a DNS name is not matched, but a NetBIOS name is, the MAC address will not be checked. Networks using DHCP require that this option be set to properly track hosts.

Immediately remove vulnerabilities from scanned hosts that do not reply

This setting removes vulnerabilities from the cumulative database for hosts that were successfully scanned in the past but do not reply.

Max scan duration (hours)

The number of hours after which the scan will stop running.

Targets

In this section, the devices to be scanned are identified. The drop-down for “Target Type” contains three options: Assets, IP / DNS Name, and Mixed. When Assets is selected, a list of available assets is displayed and one or more may be selected. The assets may be searched using the search box above the list. When IP / DNS Name is selected, a text box is available. The text box may have a list of DNS names and/or IP addresses in individual, CIDR, or range notation. When Mixed is selected, a combination of asset lists and IP / DNS names may be used.

Valid Formats

  • A single IP address (e.g., 172.16.0.1). The "proper" ways to specify IPs in SecurityCenter are <fullIP>-<fullIP> (range), <fullIP>/<bits> (CIDR), or <fullIP>.
  • An IP range (e.g., 172.26.84.1-172.26.85.20)
  • A subnet with CIDR notation (e.g., 172.26.84.0/24)
  • A resolvable host (e.g., www.yourdomain.com)
  • A resolvable host with subnet (e.g., www.yourdomain.com/255.255.255.0)
  • A resolvable host with CIDR notation (e.g., www.yourdomain.com/24)
  • A single IPv6 address (e.g., fe80::230:78ff:feac:61d1/64)

Note: Scanning both IPv4 and IPv6 addresses in the same scan is not supported due to the ability to only select one Import Repository.
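
A pre-flight check for the target text box, added here as an example (not Tenable code): it classifies each entry against the formats listed above and flags the IPv4/IPv6 mix the note warns about. The comma or newline separator, the hostname pattern, and treating host/mask forms as IPv4 are assumptions.

```python
import ipaddress
import re

# Assumption: syntactic hostname check only; no DNS resolution is attempted.
HOSTNAME = re.compile(r"^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")

# Constructed sample: the page's example values plus one short-form range.
SAMPLE = """172.16.0.1, 172.26.84.1-172.26.85.20, 172.26.84.0/24
www.yourdomain.com/255.255.255.0, www.yourdomain.com/24, 172.26.84.1-20
fe80::230:78ff:feac:61d1/64"""

def _ip(text):  # parse a complete IP address, or return None
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def classify(entry):
    """Return (kind, ip_version) for one entry; ValueError if no listed format fits."""
    entry = entry.strip()
    lo, _, hi = entry.partition("-")
    a, b = _ip(lo), _ip(hi)
    if a is not None and b is not None:  # <fullIP>-<fullIP>
        if a.version != b.version or a > b:
            raise ValueError(f"bad range: {entry}")
        return "range", a.version
    head, slash, suffix = entry.partition("/")
    addr = _ip(head)
    if addr is not None:  # <fullIP> or <fullIP>/<bits>
        if slash and not (suffix.isdigit() and int(suffix) <= addr.max_prefixlen):
            raise ValueError(f"bad prefix length: {entry}")
        return ("cidr" if slash else "ip"), addr.version
    if not HOSTNAME.match(head):
        raise ValueError(f"not a listed target format: {entry}")
    if not slash:
        return "host", None  # address family unknown until the name resolves
    # Assumption: host/mask forms are IPv4, as in the page's examples.
    ipaddress.ip_network("0.0.0.0/" + suffix)  # raises ValueError on a bad mask
    return ("host/cidr" if suffix.isdigit() else "host/netmask"), 4

def preflight(text):
    """Classify every entry (assumed comma- or newline-separated) and collect problems."""
    report = {"ok": [], "errors": [], "versions": set()}
    for raw in filter(str.strip, re.split(r"[,\n]+", text)):
        try:
            kind, version = classify(raw)
        except ValueError as exc:
            report["errors"].append(str(exc))
            continue
        report["ok"].append((raw.strip(), kind))
        if version:
            report["versions"].add(version)
    # Per the note: one Import Repository per scan, so IPv4 and IPv6 cannot be mixed.
    if report["versions"] == {4, 6}:
        report["errors"].append("IPv4 and IPv6 targets in the same scan")
    return report

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

The short-form range 172.26.84.1-20 is reported as an error because it is not one of the <fullIP>-<fullIP> forms listed above.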

Credentials

The Credentials section allows users to select pre-configured credential sets for authenticated scanning. SecurityCenter supports the use of an unlimited number of Windows credential sets, four SNMP credential sets, an unlimited number of SSH credential sets, and Database credential set.

Select the type of scan credential to add to the scan from the drop-down menu. Then select the specific credential to add from the list by clicking the name. The credentials may be searched using the text search field. Only credentials that match the type selected will be displayed. When a credential is hovered over, the information icon is displayed and may be selected to provide information about the credential such as the name, description, type, and owner. After the credential is chosen, click the check mark to add it to the scan template. Clicking the “X” will cause the credential to not be added.

As credentials are added, the “You may add <number> more credential” message will be updated to display how many more of that type may be used in the current scan. Once the maximum of a type is added, that credential type will no longer appear in the type menu until at least one of the previously used credentials of that type is removed.

Post Scan

These options determine what actions will occur immediately before and after the active scan has completed. The table below describes the post scan options available to users:

Post Scan Options

Option Description

Reports to Run on Scan Completion

Add Report

This field provides a list of report templates available to the user to run when the scan completes.

To select a report, first select the group and owner of the report to present a list of valid report options. Then select the report from the list, which may be searched using the text search box. When hovering over a report name, the information icon may be selected to present the name and description of the report. The report generated may be based on the current scan’s results or the results in the Cumulative database.

Selecting the check mark will add that report to launch once the scan has completed. Selecting the “X” will remove the changes. Once added, the report information may be modified or deleted.

Diagnostic Scans

If you experience issues with an active scan, Tenable Support may ask you to run a diagnostic scan to assist with troubleshooting. After SecurityCenter runs the diagnostic scan, download the diagnostic file and send it to Tenable Support.

To run a diagnostic scan:

  1. Click Scans > Active Scans.
  2. Locate the scan and click the gear icon menu.
  3. Click Run Diagnostic Scan.
  4. You must resolve repository errors before running a diagnostic scan.
  5. Type a Diagnostic Target, the IP address for a target in the scan's policy.
  6. Type a Diagnostic Password to secure the diagnostic file.
  7. Click Submit.

To download a diagnostic file:

  1. Click Scans > Scan Results.
  2. Locate the diagnostic scan and confirm that the scan finished without errors.
  3. Click the gear icon menu.
  4. Click Download Diagnostic Info.

Agent Scans

Authorized users can create an import schedule for agent-based scans by clicking on “Add” on the “Agent Scans” page or by copying an existing agent scan template. Newly created agent scan import schedules are shared with everyone within the same user group when users have the appropriate permissions. A menu selection similar to the screen capture below is displayed showing three page tabs: General, Settings, and Post Scan. When adding a new agent scan result import, if a required field (indicated by a red asterisk *) is omitted, the user interface will display a Validation Failed page when the schedule is submitted, indicating what field(s) need to be corrected.

When more than one Agent scan result is ready on Tenable.io™ or Nessus Manager, all of the scan results will be imported.

General Options

The table below describes options available on the General tab.

General Scan Options

Parameter Description

General

Name

The scan name that will be associated with the scan’s results. This may be any name or phrase (e.g., “SystemA”, “DMZ Scan”, “Daily Scan of the Web Farm”, etc.).

Description

Descriptive information related to the scan.

Agent Scanner

From this drop-down, select the Agent enabled scanner to retrieve agent results from.

Agent Scan Name Filter

In this text box, enter a filter for the agent scan results to retrieve from the Nessus Agent enabled scanner. Filters may use the specific name of the result(s) to retrieve, or an asterisk (*) or question mark (?) for all or part of the scan result name(s) to retrieve. The Agent Scans available for retrieval from the selected scanner may be found on the Scan Page of the user account used to connect to the Nessus server.

If there are agent scan results to be retrieved that match the filter, they will be displayed when the “Preview Filter” button is clicked. If there are no results ready to be retrieved, the filter will match once the results are available.

Schedule

Schedule

The drop-down menu provides the ability to schedule a scan for “Now”, “Once”, “Daily”, “Weekly”, “Monthly”, or “On Demand”. The “On Demand” selection provides the ability to create an agent scan retrieval template that may be launched manually at any time. The other time frames allow for retrieving of scans at specified times and intervals.

Agent scan results should be retrieved as close to the completion time of the scan as possible to most accurately display within SecurityCenter when the vulnerability results were discovered.

Settings

Basic Scan Options

Parameter Description

Basic

Import Repository

Specifies the repository where the agent scan results will be imported. Select a repository to receive IPv4 or IPv6 results appropriate to the scan being imported.

Advanced

Track hosts which have been issued new IP address

This option uses the DNS name, NetBIOS name, and MAC address (if known), in that order, to track a host when its IP address may have changed. Once a match has been made, SecurityCenter will not search further for matches. For example, if a DNS name is not matched, but a NetBIOS name is, the MAC address will not be checked. Networks using DHCP require that this option be set to properly track hosts.

Running a Scan

The scan distribution of a running scan consists of the following:

  • The number of targets (IPs/DNS names) in the scan.
  • The number of completed scans across all scanners (at the current instance).
  • The number of scans completed by each scanner used in the scan (at the current instance).

The counts should update on a heartbeat as it is being viewed. The scan will transition to completed once all scans have stopped.

Post Scan

These options determine what actions will occur immediately before and after the agent scan has completed. The table below describes the post scan options available to users:

Post Scan Options

Option Description

Reports to Run on Scan Completion

Add Report

This field provides a list of report templates available to the user to run when the agent scan data import completes.

The initial choices are to select the group and owner of the report to present a list of valid report options. Next, select the report from the list that may be searched using the text search box. When hovering over a report name, the information icon may be selected to present the name and description of the report. The report generated may be based on the current scan’s results or the results in the Cumulative database.

Selecting the check mark will add that report to launch once the scan has completed. Selecting the “X” will remove the changes. Once added, the report information may be modified or deleted.

Scan Results

Clicking on “Scan Results” under the “Scans” menu displays the status of running and completed Active and Agent import scans. Results are displayed in a list view with the ability to drill down into individual scan details. If a scan is launched on behalf of another user, the scan results show in the list of the other user. An example screen capture of this page is shown below:

Filters are available to allow the user to view only desired scan results. Filter parameters include the “Name”, “Group”, “Owner”, “Scan Policy”, “Status”, “Completion Time”, “Access”, and “Type”. To return to the original scan result view, click on the “Clear Filters” link under the filter options. The number in grey next to the filter displays how many filters are currently in use.

The results of individual scans are viewable by using the gear icon menu and selecting Browse. This displays the Vulnerability Summary analysis tool with data from the selected scan.

Active scans may be paused or resumed using the icon next to the Status progress bar. The double vertical bars indicate that the scan in progress may be paused. The right arrow icon next to the progress bar with a status of Paused may be selected to resume the scan from where it was previously paused.

In addition, Nessus scans performed from other systems can be uploaded to SecurityCenter using the “Upload Scan Results” button on the top right of the page. The scan results can be either raw .nessus or compressed (.zip) with one .nessus file per archive before uploading. This allows for scan results from scans run in remote locations without network connectivity to be imported into SecurityCenter. If uploads greater than 300MB are required, upload_max_filesize in /opt/sc/support/etc/php.ini must be modified to accommodate the larger uploads.

The following options are all available from the gear icon next to a scan result. However, the options listed here are only available to users with the appropriate permissions.

Scan result details are available using the “View” option under the gear icon menu or by clicking on the scan. For example, if a scan fails and more information is required, click on the details to find a more complete summary of the root cause.

The “Browse” option under the gear icon menu is used to browse the scan results using the Vulnerability Summary analysis tool. Once selected, other analysis tools may be selected for other views of the data.

The “Download” option under the gear icon menu may be used to download the results of the selected scan. On a standard scan, a Nessus results file may be downloaded. If the scan contains SCAP results, there is an additional option to download the SCAP results.

The “Import” option under the gear icon menu is used for manually importing scans that are listed in the scan results screen. This is useful for cases where a scan may not have fully imported after it completed. For example, if a scan was blocked because it would have exceeded the licensed IP count, after increasing the IP count, the import option could be used to import the scan results previously not imported.

The “Copy” option under the gear icon menu is used to share a selected report result with other users who do not have access to it by default. Selecting a Group from the drop-down list displays a list of users from that Group. One or more users may be selected from that list.

The “Email” option under the gear icon allows for selecting users or manually adding email addresses into the Email Addresses field to have a copy of the report sent to one or more users outside of the SecurityCenter environment.

The “Send to Report” option under the gear icon allows for sending the results of the scan to generate a report based on a preconfigured template.

Finally, scans may be removed from SecurityCenter using the “Delete” option under the gear icon menu.

Blackout Windows

Note: Currently running scans are stopped at the beginning of the blackout window period.

The blackout window in SecurityCenter specifies a timeframe where new scans are prohibited from launching. This prevents remediation or ad-hoc scans from being performed during timeframes when they are not desired, such as production hours.

Click on “Scans” and then “Blackout Window” to see the current status of or manage existing blackout windows.

Blackout windows are organizational and will affect all scans in the creating user’s organization. Only users with the “Manage Blackout Windows” permission can perform blackout window additions.

To create a blackout window, click on “Scanning”, “Blackout Window”, and then “Add”.

Next, enter the desired name and description. Make sure “Enabled” is checked. Select the Targets for the blackout window by All Systems, IPs, Assets, or a mix of both options. Enter the desired schedule and blackout time range options and then click “Submit”. The next time that date/time window occurs, no new scans will be permitted.

To disable a blackout window without actually removing it, click “Edit” from the gear icon menu to modify the desired window and deselect “Enabled”. Click “Submit” to apply the changes. These blackout windows will show with a state of “Disabled” in the blackout window display list.

Clicking on a blackout configuration from the list will display the details of the blackout window configuration. Select “Delete” from the gear icon menu to remove any blackout windows that are no longer required for the Organization.

Copyright 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.