Scan Templates

Scan templates contain granular configuration settings for your scans. You can use Tenable's scan templates to create custom scan configurations for your organization. Then, you can run scans based on Tenable's scan templates or your custom configurations' settings.

When you create a scan configuration, the Select a Scan Template page appears. Tenable Vulnerability Management provides separate templates for Tenable Vulnerability Management and Tenable Web App Scanning. Within Tenable Vulnerability Management scanning, Tenable Vulnerability Management provides separate templates for scanners and agents, depending on which sensor you want to use for scanning:

If you have custom configurations, they appear in the User Defined tab. For more information about user-defined templates, see User-Defined Templates.

When you configure a Tenable-provided scan template, you can modify only the settings included for the scan template type. When you create a user-defined scan template, you can modify a custom set of settings for your scan.

For descriptions of all scan template settings, see Scan Settings.

Tip: For information and tips on optimizing your Tenable Vulnerability Management scan configurations, see the Tenable Vulnerability Management Scan Tuning Guide.

Tenable-Provided Tenable Nessus Scanner Templates

There are three scanner template categories in Tenable Vulnerability Management:

  • Vulnerability Scans (Common) — Tenable recommends using vulnerability scan templates for most of your organization's standard, day-to-day scanning needs.

  • Configuration Scans — Tenable recommends using configuration scan templates to check whether host configurations are compliant with various industry standards. Configuration scans are sometimes referred to as compliance scans. For more information about the checks that compliance scans can perform, see Compliance in Tenable Vulnerability Management Scans and SCAP Settings in Tenable Vulnerability Management Scans.

  • Tactical Scans — Tenable recommends using the tactical scan templates to scan your network for a specific vulnerability or group of vulnerabilities. Tactical scans are lightweight, timely scan templates that you can use to scan your assets for a particular vulnerability. Tenable frequently updates the Tenable Vulnerability Management Tactical Scans library with templates that detect the latest vulnerabilities of public interest, such as Log4Shell.

The following table describes the available Tenable Nessus Scanner templates:

Template Description
Vulnerability Scans (Common)
Advanced Network Scan

The most configurable scan type. You can configure this scan template to match any policy. This template has the same default settings as the basic scan template, but it allows for additional configuration options.

Note: Advanced scan templates allow Tenable Vulnerability Management experts to scan more deeply using custom configuration, such as faster or slower checks, but misconfigurations can cause asset outages or network saturation. Use the advanced templates with caution.

Basic Network Scan

Performs a full system scan that is suitable for any host. Use this template to scan an asset or assets with all of Nessus's plugins enabled. For example, you can perform an internal vulnerability scan on your organization's systems.

Credentialed Patch Audit

Authenticates hosts and enumerates missing updates.

Use this template with credentials to give Tenable Vulnerability Management direct access to the host, scan the target hosts, and enumerate missing patch updates.

Host Discovery

Performs a simple scan to discover live hosts and open ports.

Launch this scan to see what hosts are on your network and associated information such as IP address, FQDN, operating systems, and open ports, if available. After you have a list of hosts, you can choose what hosts you want to target in a specific vulnerability scan.

Tenable recommends that organizations who do not have a passive network monitor, such as Tenable Nessus Network Monitor, run this scan weekly to discover new assets on your network.

Note: Assets identified by discovery scans do not count toward your license.

Internal PCI Network Scan

Performs an internal PCI DSS (11.2.1) vulnerability scan.

This template creates scans that you can use to satisfy internal (PCI DSS 11.2.1) scanning requirements for ongoing vulnerability management programs that satisfy PCI compliance requirements. You can use these scans for ongoing vulnerability management and to perform rescans until passing or clean results are achieved. You can provide credentials to enumerate missing patches and client-side vulnerabilities.

Note: While the PCI DSS requires you to provide evidence of passing or "clean" scans on at least a quarterly basis, you must also perform scans after any significant changes to your network (PCI DSS 11.2.3).

Legacy Web App Scan

Uses a Tenable Nessus scanner to scan your web applications.

Note: Unlike the Tenable Web App Scanning scanner, the Tenable Nessus scanner does not use a browser to scan your web applications. Therefore, a Legacy Web App Scan is not as comprehensive as Tenable Web App Scanning.

Mobile Device Scan

Assesses mobile devices via Microsoft Exchange or an MDM.

PCI Quarterly External Scan

Performs quarterly external scans as required by PCI.

Note: Because the nature of a PCI ASV scan is more paranoid and may lead to false positives, the scan data is not included in the aggregate Tenable Vulnerability Management data. This is by design.

Configuration Scans
Audit Cloud Infrastructure Audits the configuration of third-party cloud services.

You can use this template to scan the configuration of Amazon Web Service (AWS), Google Cloud Platform, Microsoft Azure, Rackspace, Salesforce.com, and Zoom, given that you provide credentials for the service you want to audit.

MDM Config Audit Audits the configuration of mobile device managers.

The MDM Config Audit template reports on a variety of MDM vulnerabilities, such as password requirements, remote wipe settings, and the use of insecure features, such as tethering and Bluetooth.

Offline Config Audit

Audits the configuration of network devices.

Offline configuration audits allow Tenable Vulnerability Management to scan hosts without the need to scan over the network or use credentials. Organizational policies may not allow you to scan devices or know credentials for devices on the network for security reasons. Offline configuration audits use host configuration files from hosts to scan instead. Through scanning these files, you can ensure that devices' settings comply with audits without the need to scan the host directly.

Tenable recommends using offline configuration audits to scan devices that do not support secure remote access and devices that scanners cannot access.

Policy Compliance Auditing

Audits system configurations against a known baseline.

Note: The maximum number of audit files you can include in a single Policy Compliance Auditing scan is limited by the total runtime and memory that the audit files require. Exceeding this limit may lead to incomplete or failed scan results. To limit the possible impact, Tenable recommends that audit selection in your scan policies be targeted and specific for the scan's scope and compliance requirements.

The compliance checks can audit against custom security policies, such as password complexity, system settings, or registry values on Windows operating systems. For Windows systems, the compliance audits can test for a large percentage of anything that can be described in a Windows policy file. For Unix systems, the compliance audits test for running processes, user security policy, and content of files.

SCAP and OVAL Auditing

Audits systems using SCAP and OVAL definitions.

The National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.

  • SCAP compliance auditing requires sending an executable to the remote host.

  • Systems running security software (for example, McAfee Host Intrusion Prevention), may block or quarantine the executable required for auditing. For those systems, you must make an exception for either the host or the executable sent.

  • When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP CHECKS to test compliance standards as specified in NIST’s Special Publication 800-126.

Tactical Scans
Active Directory Identity Use a Domain User account to query AD identity information. This policy enumerates Active Directory identity information via LDAPS. It requires Domain User credentials, LDAPS configuration, and an Active Directory Domain Controller as the scan target.
Active Directory Starter Scan

Scans for misconfigurations in Active Directory.

Use this template to check Active Directory for Kerberoasting, Weak Kerberos encryption, Kerberos pre-authentication validation, non-expiring account passwords, unconstrained delegation, null sessions, Kerberos KRBTGT, dangerous trust relationships, Primary Group ID integrity, and blank passwords.

Find AI Scans for AI, LLM, and ML-related vulnerabilities.
Malware Scan

Scans for malware on Windows and Unix systems.

Tenable-Provided Tenable Nessus Agent Templates

There are two agent template categories in Tenable Vulnerability Management:

  • Vulnerability Scans — Tenable recommends using vulnerability scan templates for most of your organization's standard, day-to-day scanning needs.

  • Inventory Collection — Unlike standard Tenable Nessus Agent vulnerability scans, the Collect Inventory template provides faster scan results and reduce the scan's system footprint. Agent-based inventory scans gather basic information from a host and upload it to Tenable Vulnerability Management. Then, Tenable Vulnerability Management analyzes the information against missing patches and vulnerabilities as Tenable releases coverage. This reduces the performance impact on the target host while also reducing the time it takes for an analyst to see the impact of a recent patch.

Note: If a plugin requires authentication or settings to communicate with another system, the plugin is not available on agents. This includes, but is not limited to:

  • Patch management

  • Mobile device management

  • Cloud infrastructure audit

  • Database checks that require authentication

The following table describes the available Tenable Nessus Agent templates:

Template

Description

Vulnerability Scans

Advanced Agent Scan

An agent scan without any recommendations, so that you can fully customize the scan settings. In Tenable Vulnerability Management, the Advanced Agent Scan template allows for two scanning methods:

  • Scan Window - Specify the timeframe during which the agent must report to be included and visible in vulnerability reports.

  • Triggered Scans - Provide the agent with specific criteria that indicates when to launch a scan. The agent launches the scan when one (or more) of the criteria are met. For more information, see Basic Settings in the Tenable Vulnerability Management User Guide.

Note: When you create an agent scan using the Advanced Agent Scan template, you must also select the plugins you want to use for the scan.

Agent Log4Shell Agent detection of Apache Log4j CVE-2021-44228.
Basic Agent Scan

Scans systems connected via Tenable Nessus Agents.

Malware Scan

Scans for malware on systems connected via Tenable Nessus Agents.

Tenable Nessus Agent detects malware using a combined allow list and block list approach to monitor known good processes, alert on known bad processes, and identify coverage gaps between the two by flagging unknown processes for further inspection.

Policy Compliance Auditing

Audits system configurations against a known baseline for systems connected via Tenable Nessus Agents.

The compliance checks can audit against custom security policies, such as password complexity, system settings, or registry values on Windows operating systems. For Windows systems, the compliance audits can test for a large percentage of anything that can be described in a Windows policy file. For Unix systems, the compliance audits test for running processes, user security policy, and content of files.

SCAP and OVAL Agent Auditing

Audits systems using SCAP and OVAL definitions for systems connected via Tenable Nessus Agents.

The National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) is a set of policies for managing vulnerabilities and policy compliance in government agencies. It relies on multiple open standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.

  • SCAP compliance auditing requires sending an executable to the remote host.

  • Systems running security software (for example, McAfee Host Intrusion Prevention), may block or quarantine the executable required for auditing. For those systems, you must make an exception for either the host or the executable sent.

  • When using the SCAP and OVAL Auditing template, you can perform Linux and Windows SCAP CHECKS to test compliance standards as specified in NIST’s Special Publication 800-126.

Inventory Collection
Collect Inventory

Scans with a compiled, limited selection of software inventory plugins.

This template provides faster scan results and a reduced system footprint because the agent only performs checks that collect asset information (for example, installed software and IP addresses). This scanning method is sometimes referred to as inventory scanning in the Tenable Vulnerability Management user interface and documentation.

Collect Inventory scans provide coverage for:

  • RedHat local security checks

  • Oracle Linux local security checks

  • CentOS local security checks

  • Amazon Linux local security checks

  • Debian local security checks

  • Fedora local security checks

  • SUSE local security checks

  • Ubuntu local security checks

  • Windows/Microsoft bulletin checks (All Windows roll-up checks since 2017)

Collect Inventory scans do not currently provide coverage for:

  • Malware and compliance checks

  • Third-party Linux application detection (for example, Apache HTTP or Postgres) for instances not installed via dpkg or rpm

  • Third-party Windows applications (for example, Google Chrome or Mozilla Firefox)

  • Microsoft product Patch Tuesday updates (for example, Exchange or Sharepoint)

Note: An asset that Tenable Vulnerability Management has performed inventory scanning on continues to report vulnerabilities until the asset ages out, even if the asset is offline.

Tenable-Provided Tenable Web App Scanning Templates

The following table describes the available Tenable Web App Scanning scan templates:

Template Description
API

A scan that checks an API for vulnerabilities. This scan analyzes RESTful APIs described via an OpenAPI (Swagger) specification file. File attachment size is limited to 1 MB.

Tip: If the API you want to scan requires keys or a token for authentication, you can add the expected custom headers in the Advanced settings in the HTTP Settings section.

Note: The API scan template is available as a public beta. Its functionality is subject to change as ongoing improvements are made throughout the beta period.
Note: API scans support only one target at a time.

Config Audit

A high-level scan that analyzes HTTP security headers and other externally facing configurations on a web application to determine if the application is compliant with common security industry standards.

If you create a scan using the Config Audit scan template, Tenable Web App Scanning analyzes your web application only for plugins related to security industry standards compliance.

Log4Shell

Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via local checks.

Overview

A high-level preliminary scan that determines which URLs in a web application Tenable Web App Scanning scans by default.

The Overview scan template does not analyze the web application for active vulnerabilities. Therefore, this scan template does not offer as many plugin family options as the Scan template.

PCI A scan that assesses web applications for compliance with Payment Card Industry Data Security Standards (PCI DSS) for Tenable PCI ASV.
Quick Scan

A high-level scan similar to the Config Audit scan template that analyzes HTTP security headers and other externally facing configurations on a web application to determine if the application is compliant with common security industry standards. Does not include scheduling.

If you create a scan using the Quick Scan scan template, Tenable Vulnerability Management analyzes your web application only for plugins related to security industry standards compliance.

Scan

A comprehensive scan that assesses web applications for a wide range of vulnerabilities.

The Scan template provides plugin family options for all active web application plugins.

If you create a scan using the Scan template, Tenable Web App Scanning analyzes your web application for all plugins that the scanner checks for when you create a scan using the Config Audit, Overview, or SSL TLS templates, as well as additional plugins to detect specific vulnerabilities.

A scan run with this scan template provides a more detailed assessment of a web application and take longer to complete that other Tenable Web App Scanning scans.

SSL TLS

A scan to determine if a web application uses SSL/TLS public-key encryption and, if so, how the encryption is configured.

When you create a scan using the SSL TLS template, Tenable Web App Scanning analyzes your web application only for plugins related to SSL/TLS implementation. The scanner does not crawl URLs or assess individual pages for vulnerabilities.