Recently Viewed Topics
SecurityCenter supports a flexible dynamic asset discovery system that can also import static asset lists from many commercial and open source systems. This constructs high level asset listswith very detailed lists of specific items. Some examples of assets grouped together include, but are not limited to, hardware device types, particular service types, certain vulnerability types, machines with outdated software, OS types, and other lists based on discovered information. There are many Asset templates available by default in SecurityCenter and, if configured, Tenable automatically updates and adds to these templates.
To create a static list of assets in SecurityCenter, you can either manually type IP addresses into the Addresses option, or upload a text file that contains IP addresses, ranges of IP addresses, or CIDR notation. Once uploaded, the asset list is named and can be immediately used.
SecurityCenter can implement rules that consider discovered information for dynamic asset discovery. These rules are run against the vulnerability data and result in assigning an IP address to one or more asset lists. For example, SecurityCenter could create a rule stating that any Windows system that belongs to the CORPORATE-NY domain be placed on an asset list named New York Domain. Another example would be any host discovered to have LimeWire software running (Nessus plugin 11427 or NNM plugin 4110) could be assigned to a dynamic asset list for special review. Tenable also provides a variety of asset templates that may be used as is or may be customized for the local environment.
For more information, see Assets.
During a configuration audit, auditors verify that servers and devices are configured according to an established standard and maintained with an appropriate procedure. SecurityCenter can perform configuration audits on key assets through the use of Nessus’ local checks that can log directly onto a Unix or Windows server without an agent.
SecurityCenter supports a variety of audit standards. Some of these come from best practice centers like the PCI Security Standards Council and the Center for Internet Security (CIS). Some of these are based on Tenable’s interpretation of audit requirements to comply with specific industry standards such as PCI DSS or legislation such as Sarbanes-Oxley.
In addition to base audits, it is easy to create customized audits for the particular requirements of any organization. These customized audits can be loaded into the SecurityCenter and made available to anyone performing configuration audits within an organization.
NIST SCAP files can be uploaded and used in the same manner as an audit file. Navigate to NIST’s SCAP website () and under the SCAP Content section, download the desired SCAP security checklist zip file. The file may then be uploaded to SecurityCenter and selected for use in Nessus scan jobs.
Once the audit policies are configured in SecurityCenter, they can be repeatedly used. SecurityCenter can also perform audits intended for specific assets. Through the use of audit policies and asset lists, a SecurityCenter user can quickly determine the compliance posture for any specified asset.
For more information, see Audit Files.
Credentials are reusable objects that facilitate a login to a scan target. Various types of credentials with different authentication methods can be configured for use within scan policies. Credentials may be shared between users for scanning purposes. Available credential types include:
- SNMP community string
SecurityCenter supports the use of an unlimited number of SSH and Windows credential sets, unlimited number of Database credentials, and four SNMP credential sets per scan configuration.
For more information, see Credentials.
Queries allow SecurityCenter users to save custom views of vulnerability or event data for repeated access. This enables SecurityCenter users to quickly update data for a particular query type without having to configure complex query parameters each time.
For more information, see Queries.
Scan policies consist of configuration options related to performing an active vulnerability scan. These options include, but are not limited to:
- Parameters that control technical aspects of the scan such as timeouts, number of hosts, type of port scanner, and more.
- Granular plugin family or individual plugin based scan specifications.
- Compliance policy checks (Windows, Linux, Database, etc.), report verbosity, service detection scan settings, audit files, patch management systems, and more.
For more information, see Scan Policies.