Scanning

The Scans function of SecurityCenter allows you to create, view, configure, control, and schedule Nessus scans. Clicking Scans > Scans displays a list of all available Nessus active scans along with their associated Policy Name/Plugin ID, Start Time, Status, Group/Owner, and Schedule.

Click the gear icon drop-down menu to perform basic scan management tasks:

  • View — view details about the active scan.
  • Edit — edit settings for the active scan.
  • Copy — copy settings for the active scan and create a second, identical scan.
  • Run Diagnostic Scan — run a separate diagnostic scan for troubleshooting. For more information, see Diagnostic Scans.
  • Delete — delete the active scan.

Active Scans

Path: Scans > Active Scans

Authorized users can create an active scan by clicking Add on the Active Scans page or by copying an existing scan template. Newly created active scans are shared to everyone within the same user group when users have the appropriate permissions. A menu appears showing five page tabs: General, Settings, Target, Credentials, and Post Scan. While adding a new active scan, if you omit a required option, the user interface displays a Validation Failed page when you submit the scan, indicating which option(s) need to be corrected.

General Options

The table below describes options available on the General tab.

General Scan Options

Parameter Description

General

Name

The scan name that is associated with the scan’s results and may be any name or phrase (e.g., SystemA, DMZ Scan, Daily Scan of the Web Farm, etc.).

Description

Descriptive information related to the scan.

Policy

The policy on which you want to base the scan. You can scroll through the list, or search by entering text in the search box at the top of the list of available policies.

Schedule

Schedule

The frequency you want to run the scan: Now, Once, Daily, Weekly, Monthly, On Demand, or Dependent. The On Demand selection allows you to create a scan template that you can launch manually at any time. The Dependent selection enables you to schedule the scan after the completion of a scan you select from the drop-down box. The other time frames allow you to launch scans at specified times and intervals, depending upon configuration.

Settings

Basic Scan Options

Parameter Description

Basic

Scan Zone

If you set Scan Zone to Selectable for the user, a drop-down box appears that allows you to select the scan zone to be used for the scan. If you select Automatic Distribution, the Scan Zone that most closely matches the host or range of hosts to be scanned is selected from the zones available. Otherwise, you can select a specific scan zone from the drop-down box and search using the text search box. When you hover over a scan zone, the information icon appears. When you select this icon, the name, description, and last modified date appear.

When you set Scan Zone to Forced for the user, the Scan Zone box cannot be modified.

Import Repository

Specifies the repository where the scan results are imported. Select a repository to receive IPv4 or IPv6 results appropriate to the scan.

Scan Timeout Action

The action you want SecurityCenter to perform in the event a scan is incomplete:

  • Import Completed Results With Rollover — (Default option) The system imports the results from the scan into the database and creates a rollover scan that you can launch at a later time to complete the scan.
  • Import Completed Results — The system imports the results of the current scan and discards the information for the unscanned hosts.
  • Discard Results — The system does not import any of the results obtained by the scan to the database.

Rollover Schedule

If you set the Scan Timeout Action to Import Completed Results With Rollover, this option specifies how to handle the rollover scan. You can create the rollover scan as a template to launch manually, or to launch the next day at the same start time as the just-completed scan.

Advanced

Scan Virtual Hosts

Specifies whether the system treats a new DNS entry for an IP address as a virtual host as opposed to a DNS name update.

When a new DNS name is found for an IP address:

  • If you select this option, vulnerability data for the two DNS names appears as two entries with the same IP address in the IP Summary analysis tool.
  • If you do not select this option, vulnerability data for the two DNS names merge into a single IP address entry in the IP Summary analysis tool.

Track hosts which have been issued new IP address

Specifies whether the system uses the DNS name, NetBIOS name, and MAC address (if known), in that order, of the computer to track it when the IP address of the computer may have changed. Once a match is made, SecurityCenter does not search further for matches. For example, if a DNS name is not matched, but a NetBIOS name is, the system does not check the MAC address. Networks using DHCP require that you set this option to properly track hosts.

Immediately remove vulnerabilities from scanned hosts that do not reply

If a previously responsive host does not reply to a scan, the system automatically removes vulnerabilities related to that host from the cumulative database. If you enable this option, the system removes the vulnerabilities immediately. If you disable this option, the system removes the vulnerabilities according to the interval set in the Number of days to wait before removing dead hosts option.

Number of days to wait before removing dead hosts

Specifies how many days the system waits to remove vulnerabilities from the cumulative database when previously responsive hosts do not reply to a scan.

This option only shows if you disable the Immediately remove vulnerabilities from scanned hosts that do not reply option.

Max scan duration (hours)

Specifies the number of hours after which the scan stops running.

Targets

The Targets section identifies the devices to be scanned. The drop-down box for Target Type contains the following options:

  • Assets—A list of available assets appears, and you can select one or more assets. You can search the assets using the search box above the list.
  • IP / DNS Name—A box appears, listing DNS names and/or IP addresses in individual, CIDR, or range notation.
  • Mixed—You can use a combination of asset lists and IP/DNS names.

Valid Formats:

  • A single IP address (e.g., 172.16.0.1). The proper ways to specify IPs in SecurityCenter are <fullIP>-<fullIP> (range), <fullIP>/<bits> (CIDR), or <fullIP>.
  • An IP range (e.g., 172.26.84.1-172.26.85.20)
  • A subnet with CIDR notation (e.g., 172.26.84.0/24)
  • A resolvable host (e.g., www.yourdomain.com)
  • A resolvable host with subnet (www.yourdomain.com/255.255.255.0)
  • A resolvable host with CIDR notation (www.yourdomain.com/24)
  • A single IPv6 address (e.g., fe80::230:78ff:feac:61d1/64)

Note: You cannot scan both IPv4 and IPv6 addresses in the same scan, because you can only select one Import Repository.
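
A pre-flight check for a target list, covering the formats listed above and the single-repository rule. This is an added example, not Tenable code; the function names, the host name pattern and the sample list are assumptions made for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*")

def _require_hostname(name):
    # Digit-only strings such as "172.16.0" or "172.26.84.1-20" are truncated
    # IPs or shorthand ranges, not hosts; the page asks for <fullIP> forms.
    if re.fullmatch(r"[0-9.\-]+", name) or not _HOSTNAME.fullmatch(name):
        raise ValueError(f"not a full IP or a valid host name: {name!r}")

def classify_target(entry):
    """Return (format, ip_version). ip_version is None for host names, whose
    address family is only known once they resolve."""
    entry = entry.strip()
    if "/" in entry:
        base, _, suffix = entry.partition("/")
        try:
            version = ipaddress.ip_address(base).version
        except ValueError:
            _require_hostname(base)
            ipaddress.ip_network("0.0.0.0/" + suffix)  # rejects bad bits or mask
            return ("host/cidr" if suffix.isdigit() else "host/netmask", None)
        if not suffix.isdigit():
            raise ValueError(f"use <fullIP>/<bits>: {entry!r}")
        # strict=False because the page's IPv6 sample has host bits set under /64.
        ipaddress.ip_network(entry, strict=False)
        return ("cidr", version)
    if "-" in entry:
        first, _, last = entry.partition("-")
        try:
            low = ipaddress.ip_address(first.strip())
            high = ipaddress.ip_address(last.strip())
        except ValueError:
            pass  # not <fullIP>-<fullIP>; may still be a hyphenated host name
        else:
            if low.version != high.version or int(low) > int(high):
                raise ValueError(f"bad range: {entry!r}")
            return ("range", low.version)
    try:
        return ("single", ipaddress.ip_address(entry).version)
    except ValueError:
        _require_hostname(entry)
        return ("host", None)

def check_targets(entries):
    """Classify each entry and flag an IPv4/IPv6 mix, which a single scan
    cannot hold because it imports into one repository."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append((entry, *classify_target(entry)))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    families = {version for _, _, version in accepted if version is not None}
    return {"accepted": accepted, "rejected": rejected, "mixed": families == {4, 6}}

# Constructed list: two of the page's sample values plus a shorthand range.
SAMPLE = ["172.26.84.0/24", "172.26.84.1-20", "fe80::230:78ff:feac:61d1/64"]

if __name__ == "__main__":
    print(check_targets(SAMPLE))
```

Host names are reported with no address family, so a list that mixes IPv4 literals with names resolving only to IPv6 still needs a manual check against the chosen Import Repository.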

Credentials

The Credentials section allows users to select pre-configured credential sets for authenticated scanning. SecurityCenter supports the use of an unlimited number of Windows credential sets, four SNMP credential sets, an unlimited number of SSH credential sets, and Database credential sets.

Click the type of scan credential to add to the scan from the drop-down box. Then click the specific credential to add from the list by clicking the name. You can search the credentials using the text search option. Only credentials that match the type selected appear. When you hover over a credential, the information icon appears, which displays information about the credential such as the name, description, type, and owner. After you select the credential, click the check mark to add it to the scan template. Clicking the X removes the credential from the list of added credentials.

As you add credentials, the You may add <number> more credential message updates to display how many more of that type you can use in the current scan. Once you have added the maximum of a type, that credential type no longer appears in the type menu until you remove at least one of the previously used credentials of that type.

For more information, see Credentials.

Post Scan

These options determine what actions occur immediately before and after the active scan completes. The table below describes the post scan options available to users:

Post Scan Options

Option Description

Notifications

E-mail me on Launch

This option specifies whether the system emails you a notification when the scan launches. This option only appears if you set an email address for your user account.

E-mail me on Completion

This option specifies whether the system emails you a notification when the scan completes. This option only appears if you set an email address for your user account.

Reports to Run on Scan Completion

Add Report

This option provides a list of report templates available to the user to run when the scan completes.

To select a report, first click the group and owner of the report to present a list of valid report options. Then click the report in the list, which you can search using the text search box. When hovering over a report name, you can select the information icon to display the name and description of the report. The report generated is based on the current scan’s results or the results in the Cumulative database.

Selecting the check mark causes that report to launch once the scan completes. Selecting the X removes the changes. Once added, you can modify or delete the report information.

Diagnostic Scans

If you experience issues with an active scan, Tenable Support may ask you to run a diagnostic scan to assist with troubleshooting. After SecurityCenter runs the diagnostic scan, download the diagnostic file and send it to Tenable Support.

To run a diagnostic scan:

  1. Click Scans > Active Scans.
  2. Locate the scan and click the gear icon drop-down menu.
  3. Click Run Diagnostic Scan.

    Note: You must resolve repository errors before running a diagnostic scan.

  4. Type a Diagnostic Target, the IP address for a target in the scan's policy.
  5. Type a Diagnostic Password to secure the diagnostic file.
  6. Click Submit.

To download a diagnostic file:

  1. Click Scans > Scan Results.
  2. Locate the diagnostic scan and confirm that the scan finished without errors.
  3. Click the gear icon drop-down menu.
  4. Click Download Diagnostic Info.

Agent Scans

Path: Scans > Agent Scans

Authorized users can create an import schedule for agent-based scans by clicking Add on the Agent Scans page or by copying an existing agent scan template. Newly created agent scan import schedules are shared to everyone within the same user group when users have the appropriate permissions. A menu appears showing three page tabs: General, Settings, and Post Scan. When you add a new agent scan result import, if you omit a required option, the user interface displays a Validation Failed page when you submit the schedule, indicating which option(s) you must correct.

When more than one Agent scan result is ready on Tenable.io™ or Nessus Manager, all of the scan results import.

General Options

The table below describes options available on the General tab.

Parameter

Description

General

Name

The scan name associated with the scan’s results. This may be any name or phrase (e.g., SystemA, DMZ Scan, Daily Scan of the Web Farm, etc.).

Description

Descriptive information related to the scan.

Agent Scanner

The Agent-enabled scanner from which to retrieve agent results.

Agent Scan Name Filter

A filter for agent scan results to retrieve from the Nessus Agent enabled scanner. Filters can use the specific name of the result(s) to retrieve or an asterisk (*) or question mark (?) for all or part of the scan result name(s) to retrieve. You can find the available Agent Scans retrieved from the selected scanner on the Scan Page of the user logged in to the Nessus server.

If the agent scan retrieves results that match the filter, they appear when you click the Preview Filter button. If the agent scan does not retrieve results, the filter matches once the results are available.

Schedule

Schedule

The frequency you want to run the scan: Now, Once, Daily, Weekly, Monthly, On Demand, or Dependent. The On Demand selection allows you to create an agent scan retrieval template that you can launch manually at any time. The other time frames allow you to retrieve scans at specified times and intervals.

You should retrieve agent scan results as close to the completion time of the scan as possible so that SecurityCenter most accurately displays when the scan discovered the vulnerability results.

Basic Scan Options

Parameter Description

Basic

Import Repository

Specifies the repository where you want the agent scan results to import. Select a repository to receive IPv4 or IPv6 results appropriate to the imported scan.

Advanced

Track hosts which have been issued new IP address

This option uses the DNS name, NetBIOS name, and MAC address (if known), in that order, to track a host when its IP address changes. Once a match has been made, SecurityCenter does not search further for matches. For example, if SecurityCenter does not match a DNS name, but it does match a NetBIOS name, the system does not check the MAC address. Networks using DHCP require that you set this option to properly track hosts.
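
The tracking order described above (and under the same option for active scans), modeled as an added example; this is not SecurityCenter's code. The record fields, the case-insensitive comparison, the MAC normalization and the sample hosts are assumptions constructed for illustration.

```python
# Identifier precedence stated on the page: DNS name, NetBIOS name, MAC address.
TRACKING_ORDER = ("dns", "netbios", "mac")

def _norm(key, value):
    # Assumption of this sketch: compare case-insensitively, ignore MAC separators.
    value = value.strip().lower()
    return value.replace(":", "").replace("-", "") if key == "mac" else value

def track_host(observed, known):
    """Return (known_record, identifier_used) for a scanned host, or (None, None).
    The search stops at the first identifier that matches; identifiers later in
    the order are never consulted."""
    for key in TRACKING_ORDER:
        seen = observed.get(key)
        if not seen:
            continue  # identifier not known for this host
        for record in known:
            if record.get(key) and _norm(key, record[key]) == _norm(key, seen):
                return record, key
    return None, None

def reconcile(scan, known):
    """Map each scanned IP to (previous IP or None, identifier that matched)."""
    result = {}
    for host in scan:
        record, key = track_host(host, known)
        result[host["ip"]] = (record["ip"] if record else None, key)
    return result

# Constructed sample data: hosts recorded by an earlier scan ...
KNOWN = [
    {"ip": "10.0.0.15", "dns": "ws01.example.test", "netbios": "WS01",
     "mac": "00:11:22:33:44:55"},
    {"ip": "10.0.0.16", "dns": None, "netbios": "KIOSK7",
     "mac": "00:11:22:33:44:66"},
]
# ... and the same network after DHCP leases changed.
SCAN = [
    # DNS name matches, so NetBIOS name and MAC are not consulted.
    {"ip": "10.0.0.42", "dns": "WS01.example.test", "netbios": "WS01",
     "mac": "00:11:22:33:44:55"},
    # DNS name is unknown to the earlier data; the NetBIOS name matches, so the
    # differing MAC address is never compared.
    {"ip": "10.0.0.43", "dns": "kiosk7.example.test", "netbios": "kiosk7",
     "mac": "00-11-22-33-44-99"},
    # No identifier matches: treated as a new host.
    {"ip": "10.0.0.45", "dns": "new.example.test", "netbios": "NEWBOX",
     "mac": "00:11:22:33:44:77"},
]

if __name__ == "__main__":
    for ip, (previous, key) in reconcile(SCAN, KNOWN).items():
        print(ip, "<-", previous, "via", key)
```

The second sample host shows the consequence of stopping at the first match: in this model, a machine that reuses a NetBIOS name inherits the earlier record even though its MAC address differs.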

Running a Scan

The scan distribution of a running scan consists of the following:

  • The number of targets (IPs/DNS names) in the scan.
  • The number of completed scans across all scanners (at the current instance).
  • The number of scans completed by each scanner used in the scan (at the current instance).

The counts update on a heartbeat while being viewed. The scan transitions to completed once all scans stop.

Post Scan

These options determine what actions occur immediately before and after the agent scan completes. The table below describes the post scan options available to users:

Option Description

Reports to Run on Scan Completion

Add Report

This option provides a list of report templates available to the user to run when the agent scan data import completes.

To select a report, first click the group and owner of the report to present a list of valid report options. Next, click the report in the list, which you can search using the text search box. When hovering over a report name, you can select the information icon to display the name and description of the report. You can base the generated report on the current scan’s results or the results in the Cumulative database.

Selecting the check mark causes the report to launch once the scan completes. Selecting the X removes the changes. Once added, you can modify or delete the report information.

Scan Results

Path: Scans > Scan Results

The Scan Results page displays the status of running and completed Active and Agent import scans. Results appear in a list view, and you can drill down into individual scan details. If you launch a scan on behalf of another user, the scan results appear in the other user's list.

Filters allow you to view only desired scan results. Filter parameters include the Name, Group, Owner, Scan Policy, Status, Completion Time, Access, and Type. To remove all filters, click Clear Filters under the filter options. To return to the default filter for your user account, refresh your browser window. The number in grey next to the filter displays how many filters are currently in use.

To view the results of individual scans, click the gear icon next to the scan, and select Browse. This action displays the Vulnerability Summary analysis tool with data from the selected scan.

To pause an active scan, click the double vertical bar icon next to the scan in progress. To resume a paused active scan, click the right arrow icon next to the paused scan.

In addition, you can upload Nessus scans performed from other systems to SecurityCenter using the Upload Scan Results button on the top right of the page. The scan results can be either raw .nessus files or compressed (.zip) archives with one .nessus file per archive before uploading. This allows you to import scan results from scans run in remote locations without network connectivity into SecurityCenter. If you require uploads greater than 300 MB, you must modify upload_max_filesize in /opt/sc/support/etc/php.ini to accommodate the larger uploads.

The following options are all available from the gear icon next to a scan result. However, the options listed here are only available to users with the appropriate permissions.

To view scan result details, click on the scan, or click the gear icon next to the scan and select View. For example, if a scan fails and you need more information, click on the details to find a more complete summary of the root cause.

To browse scan results using the Vulnerability Summary analysis tool, click the gear icon next to the scan and select Browse. Once you select this option, you can select other analysis tools for other views of the data.

To download the results of a selected scan, click the gear icon next to the scan, and select Download. On a standard scan, you can download a Nessus results file. If the scan contains SCAP results, you can use an additional option to download the SCAP results.

To manually import scans listed in the scan results screen, click the gear icon next to the scan, and select Import. This option is useful for cases where a scan may have not fully imported after completion. For example, if a scan was blocked because importing it would have exceeded the licensed IP count, you can increase the IP count, then import the scan results previously not imported.

You can use the Copy option under the gear icon drop-down menu to share a selected report result with other users who do not have access to it by default. Selecting a Group from the drop-down box displays a list of users from that Group. You can select one or more users from that list.

The Email option under the gear icon allows you to select users or manually add email addresses into the Email Addresses option to send a copy of the report to one or more users outside of the SecurityCenter environment.

The Send to Report option under the gear icon allows you to send the results of the scan to generate a report based on a preconfigured template.

Finally, to remove a scan from SecurityCenter, click the gear icon next to the scan, and select Delete.

Blackout Windows

Path: Scans > Blackout Windows

Note: At the beginning of the blackout window period, the system stops any currently running scans.

The blackout window in SecurityCenter specifies a timeframe where new scans cannot launch. This prevents remediation or ad-hoc scans from running during undesired timeframes, such as during production hours.

Use the Blackout Windows page to see the current status of or manage existing blackout windows.

Blackout windows are organizational and affect all scans in the creating user’s organization. Only users with the Manage Blackout Windows permission can perform blackout window additions.

To create a blackout window, click Scans > Blackout Windows, then click Add.

Next, type in the desired name and description. Make sure you select Enabled. Select the Targets for the blackout window: All Systems, IPs, Assets, or a mix of both options. Type in the desired schedule and blackout time range options and then click Submit. The next time that date/time window occurs, no new scans will be permitted.

To disable a blackout window without actually removing it, click Edit from the gear icon drop-down menu to modify the desired window and deselect Enabled. Click Submit to apply the changes. These blackout windows display with a state of Disabled in the blackout window display list.

Clicking on a blackout configuration from the list displays the details of the blackout window configuration. Select Delete from the gear icon drop-down menu to remove any blackout windows that are no longer required for the organization.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.