Compliance in Tenable Vulnerability Management Scans
Note: If a scan is based on a user-defined
Tenable Vulnerability Management can perform vulnerability scans of network services as well as log in to servers to discover any missing patches.
However, a lack of vulnerabilities does not mean the servers are configured correctly or are “compliant” with a particular standard.
You can use Tenable Vulnerability Management to perform vulnerability scans and compliance audits to obtain all of this data at one time. If you know how a server is configured, how it is patched, and what vulnerabilities are present, you can determine measures to mitigate risk.
At a higher level, if this information is aggregated for an entire network or asset class, security and risk can be analyzed globally. This allows auditors and network managers to spot trends in non-compliant systems and adjust controls to fix these on a larger scale.
When configuring a scan or policy, you can include one or more compliance checks, also known as audits. Each compliance check requires specific credentials.
Some compliance checks are preconfigured by Tenable, but you can also create and upload custom audits.
For more information on compliance checks and creating custom audits, see the Compliance Checks Reference.
Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in your scan policies be targeted and specific for the scan's scope and compliance requirements.
Compliance Check | Required Credentials |
---|---|
Adtran AOS | SSH |
Alcatel TiMOS | SSH |
Amazon AWS | Amazon AWS |
Arista EOS | SSH |
ArubaOS | SSH |
Blue Coat ProxySG | SSH |
Brocade FabricOS | SSH |
Check Point GAiA | SSH |
Cisco ACI | SSH |
Cisco Firepower | SSH |
Cisco IOS | SSH |
Cisco Viptela | SSH |
Citrix Application Delivery | Citrix NITRO API |
Database | Database |
Extreme ExtremeXOS | SSH |
F5 | F5 |
FireEye | SSH |
Fortigate FortiOS | SSH |
Generic SSH | SSH |
Google Cloud Platform | Google Cloud Platform |
HP ProCurve | SSH |
Huawei VRP | SSH |
IBM DB2 DB | Database |
IBM iSeries | IBM iSeries or SSH |
Juniper Junos | SSH |
Microsoft Azure | Microsoft Azure |
Mobile Device Manager | AirWatch or Mobileiron |
MongoDB | MongoDB |
Microsoft SQL DB | Database |
MySQL DB | Database |
NetApp API | NetApp API |
NetApp Data ONTAP | SSH |
OpenShift Container Platform | OpenShift Container Platform |
OpenStack | OpenStack |
Oracle DB | Database |
Palo Alto Networks PAN-OS | PAN-OS |
PostgreSQL DB | Database |
Rackspace | Rackspace |
RHEV | RHEV |
Salesforce.com | Salesforce SOAP API |
Snowflake | Snowflake API |
SonicWALL SonicOS | SSH |
Splunk | Splunk API |
Sybase DB | Database |
Unix | SSH |
Unix File Contents | SSH |
VMware vCenter/vSphere | VMware vCenter API or VMware ESX SOAP API |
WatchGuard | SSH |
Windows | Windows |
Windows File Contents | Windows |
Zoom | Zoom |
ZTE ROSNG | SSH |
Note: Plugins sometimes produce errors that fall into one of the following scenarios:
- Something should be flagged as a concern, but not at the cost of affecting the results of a large scan
- Something happened that left the plugin unable to report issues
In either scenario, a compliance result named Compliance Plugin Errors: <plugin name> is posted as a WARNING. The output of that compliance result identifies the issue to review. These results are posted by plugin 214001, Compliance Status.
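The note above means a WARNING in a compliance export can be either a real check that needs manual review or a signal that a compliance plugin could not finish on a host, in which case that host's PASSED/FAILED counts are incomplete. The following is an added example, not Tenable's code and not its documented export format: it separates the two kinds of WARNING in an exported result set. The CSV column names (plugin_id, plugin_name, host, status, check_name, output) and all sample rows are constructed assumptions; only the plugin ID 214001 and the "Compliance Plugin Errors: <plugin name>" naming come from the page.

```python
import csv
import io
from collections import Counter

# Constructed sample export. The column layout is an ASSUMPTION made for this
# example, not Tenable's documented export schema. Plugin IDs 900001/900002,
# hosts, check names and outputs are all made up; 214001 is the Compliance
# Status plugin named on the page.
SAMPLE_EXPORT = """\
plugin_id,plugin_name,host,status,check_name,output
900001,Unix Compliance Checks,10.0.0.5,PASSED,Ensure cramfs mounting is disabled,"Policy value: disabled"
900001,Unix Compliance Checks,10.0.0.5,FAILED,Ensure SSH root login is disabled,"Remote value: PermitRootLogin yes"
900001,Unix Compliance Checks,10.0.0.5,WARNING,Ensure permissions on /etc/passwd are configured,"Manual review required"
214001,Compliance Status,10.0.0.5,WARNING,Compliance Plugin Errors: Unix Compliance Checks,"3 checks skipped; timeout while reading audit target"
214001,Compliance Status,10.0.0.7,WARNING,Compliance Plugin Errors: Windows Compliance Checks,"Unable to authenticate with the supplied credentials"
"""

# Naming convention described on the page for plugin-error results.
PLUGIN_ERROR_PREFIX = "Compliance Plugin Errors: "
COMPLIANCE_STATUS_PLUGIN_ID = "214001"


def parse_results(csv_text):
    """Parse an exported result set into a list of dict rows (assumed columns)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_plugin_error(row):
    """True when the row is a Compliance Plugin Errors result rather than a check."""
    return row["status"] == "WARNING" and row["check_name"].startswith(PLUGIN_ERROR_PREFIX)


def plugin_errors(rows):
    """Collect every plugin-error result with the plugin it refers to and the detail to review."""
    found = []
    for row in rows:
        if not is_plugin_error(row):
            continue
        found.append({
            "host": row["host"],
            # The affected plugin's name follows the fixed prefix.
            "plugin": row["check_name"][len(PLUGIN_ERROR_PREFIX):],
            "detail": row["output"],
            # Expected to be 214001 (Compliance Status) per the page.
            "reported_by": row["plugin_id"],
        })
    return found


def status_summary(rows):
    """Count PASSED/FAILED/WARNING over real checks only, so WARNING reflects manual-review items."""
    counts = Counter(row["status"] for row in rows if not is_plugin_error(row))
    return dict(counts)


def hosts_with_incomplete_coverage(rows):
    """Hosts where a compliance plugin could not complete; treat their pass/fail totals as partial."""
    return sorted({err["host"] for err in plugin_errors(rows)})


if __name__ == "__main__":
    results = parse_results(SAMPLE_EXPORT)
    print("Check status summary:", status_summary(results))
    for err in plugin_errors(rows=results):
        print(f"[{err['host']}] {err['plugin']} (plugin {err['reported_by']}): {err['detail']}")
    print("Hosts needing review before trusting totals:", hosts_with_incomplete_coverage(results))
```

The point of excluding plugin-error rows from the summary is that a host with a credential or timeout failure would otherwise look "mostly compliant" because the checks that never ran produce no FAILED entries; listing those hosts separately keeps the gap visible to the auditor.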