Nessus 8 15

Tenable Nessus 8.15.
x User Guide
Last Updated: June 21, 2023
Copyright © 2023 Tenable, Inc. All rights reserved. Tenable, Tenable Nessus, Tenable Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other
products or services are trademarks of their respective owners.
Table of Contents
Welcome to Tenable Nessus 8.15.x 20
Get Started with Tenable Nessus 23
Prepare 24
Install and Configure Tenable Nessus 25
Create and Configure Scans 26
View and Analyze Scan Results 27
Refine Tenable Nessus Settings 28
Navigate Tenable Nessus 29
System Requirements 30
Hardware Requirements 30
Storage Requirements 31
NIC Requirements 32
Tenable Nessus Scanners and Tenable Nessus Professional 33
Tenable Nessus Manager 34
Virtual Machine 35
Nessus Agents 36
Software Requirements 36
Tenable Nessus 38
Nessus Agents 39
Supported Browsers 40
SELinux Requirements 41
PDF Report Requirements 42
Customize SELinux Enforcing Mode Policies 43
- 2-
Licensing Requirements 44
Deployment Considerations 46
Port Requirements 46
Tenable Nessus Manager, Tenable Nessus Professional, Tenable Nessus Expert, Ten-
able Nessus Essentials, and Tenable Nessus Scanners 48
Tenable Nessus Agents 49
Host-Based Firewalls 50
IPv6 Support 51
Network Address Translation (NAT) Limitation 52
Antivirus Software 53
Security Warnings 54
Certificates and Certificate Authorities 55
Custom SSL Server Certificates 57
Create a New Server Certificate and CA Certificate 59
Upload a Custom Server Certificate and CA Certificate 61
Trust a Custom CA 65
Create SSL Client Certificates for Login 67
Tenable Nessus Manager Certificates and Tenable Nessus Agent 70
Install Tenable Nessus 72
Download Tenable Nessus 73
Install Tenable Nessus 74
Install Tenable Nessus on Linux 75
Install Tenable Nessus on Windows 76
Download Nessus Package File 77
Start Nessus Installation 78
- 3-
Complete the Windows InstallShield Wizard 79
Install Tenable Nessus on macOS 80
Deploy Tenable Nessus as a Docker Image 82
Operators 84
Environment Variables 85
Install Tenable Nessus Agents 88
Retrieve the Nessus Agent Linking Key 89
Link an Agent to Tenable Nessus Manager 90
Upgrade Tenable Nessus and Tenable Nessus Agents 93
Upgrade Nessus 94
Upgrade from Evaluation 95
Update Tenable Nessus Software 96
Upgrade Nessus on Linux 99
Upgrade Nessus on Windows 100
Upgrade Nessus on macOS 101
Update a Nessus Agent 102
Downgrade Tenable Nessus Software 103
Configure Tenable Nessus 106
Install Tenable Nessus Essentials, Professional, or Manager 107
Link to Tenable Vulnerability Management 109
Link to Tenable Security Center 115
Link to Tenable Nessus Manager 118
Link a Node 121
Manage Tenable Nessus Offline 123
-4-
Scenario 1: New Nessus Install 124
Scenario 2: Update Nessus Licensing 125
Scenario 3: Update Nessus Plugins 126
Nessus Offline Operations 127
Manage Activation Code 128
View Activation Code 129
Reset Activation Code 130
Update Activation Code 131
Transfer Activation Code 132
Nessus User Interface 133
Command Line Interface 134
Manage Tenable Nessus Offline 134
Scenario 1: New Nessus Install 135
Scenario 2: Update Nessus Licensing 136
Scenario 3: Update Nessus Plugins 137
Nessus Offline Operations 138
Install Tenable NessusOffline 138
Generate the License 140
Download and Copy Latest Plugins 141
Copy and Paste License Text 142
Generate Challenge Code 143
Generate Your License 145
Download and Copy License File (nessus.license) 146
Register Your License with Nessus 147
- 5-
Download and Copy Plugins 148
Install Plugins Manually 149
Update the Audit Warehouse Manually 151
Update Nessus Manager Manually on an Offline System 153
Offline Update Page Details 155
Back Up Tenable Nessus 156
Restore Tenable Nessus 157
Remove Nessus and Nessus Agents 158
Remove Nessus 159
Uninstall Nessus on Linux 159
Optional: Export your Scans and Policies 160
Stop Nessus Processes 161
Remove Nessus 162
Uninstall Nessus on Windows 163
Uninstall Nessus on macOS 164
Remove Tenable Nessus as a Docker Container 165
Remove Nessus Agent 166
Uninstall a Nessus Agent on Linux 167
Uninstall a Nessus Agent on Windows 168
Uninstall a Nessus Agent on macOS 170
Scans 171
Scan Templates 172
Scanner Templates 172
Agent Templates (Tenable Nessus Manager only) 179
- 6-
Scan and Policy Settings 182
Basic Settings for Scans 183
General 184
Schedule 187
Notifications 189
Permissions 190
Scan Targets 191
Basic Settings for Policies 193
General 195
Permissions 196
Discovery Scan Settings 196
Host Discovery 197
Port Scanning 201
Service Discovery 205
Identity 207
Preconfigured Discovery Scan Settings 208
Assessment Scan Settings 230
General 231
Brute Force 233
SCADA 236
Web Applications 237
Windows 243
Malware 245
Databases 248
- 7-
Preconfigured Assessment Scan Settings 249
Report Scan Settings 258
Advanced Scan Settings 259
Preconfigured Advanced Scan Settings 267
Credentials 274
Cloud Services Credentials 276
Database Credentials 278
DB2 279
MySQL 280
Oracle 281
PostgreSQL 283
SQL Server 284
Sybase ASE 284
Cassandra 285
MongoDB 285
Database Credentials Authentication Types 286
Client Certificate 287
Password 288
Import 290
CyberArk 290
CyberArk (Legacy) 293
HashiCorp Vault 297
Lieberman 300
Host Credentials 303
- 8-
SNMPv3 304
SSH 306
Windows 325
Authentication Methods 329
Miscellaneous Credentials 346
Mobile Credentials 353
Patch Management Credentials 358
Plaintext Authentication Credentials 367
HTTP 368
NNTP 371
FTP 372
POP2 373
POP3 374
IMAP 375
IPMI 376
telnet/ rsh/ rexec 377
SNMPv1/ v2c 378
Compliance 379
Upload a Custom Audit File 382
SCAP Settings 385
Plugins 387
Configure Dynamic Plugins 388
Create and Manage Scans 390
Example: Host Discovery 391
- 9-
Create a Scan 393
Import a Scan 394
Create an Agent Scan 395
Modify Scan Settings 396
Configure vSphere Scanning 396
Scenario 1: Scanning ESXi/ vSphere Not Managed by vCenter 397
Scenario 2: Scanning vCenter-Managed ESXI/ vSpheres 398
Scenario 3: Scanning Virtual Machines 399
Configure an Audit Trail 400
Launch a Scan 401
Stop a Running Scan 402
Delete a Scan 403
Scan Folders 404
Manage Scan Folders 406
Scan Results 408
Severity 411
CVSS Scores vs. VPR 411
CVSS 412
CVSS-Based Severity 413
CVSS-Based Risk Factor 414
Vulnerability Priority Rating 415
VPR Key Drivers 416
Configure Your Default Severity Base 418
Configure Severity Base for an Individual Scan 420
- 10 -
Create a New Scan from Scan Results 422
Search and Filter Results 424
Compare Scan Results 431
Dashboard 433
Vulnerabilities 435
View Vulnerabilities 436
Modify a Vulnerability 437
Group Vulnerabilities 438
Snooze a Vulnerability 440
View VPR Top Threats 442
Live Results 444
Enable or Disable Live Results 446
Remove Live Results 447
Scan Exports and Reports 448
Export a Scan 449
Create a Scan Report 451
Customize Report Title and Logo 455
Policies 456
Create a Policy 458
Import a Policy 459
Modify Policy Settings 460
Delete a Policy 461
About Tenable Nessus Plugins 461
Example plugin information 462
- 11-
How do I get Tenable Nessus plugins? 463
How do I update Tenable Nessus plugins? 464
Create a Limited Plugin Policy 465
Install Plugins Manually 469
Plugin Rules 471
Create a Plugin Rule 473
Modify a Plugin Rule 474
Delete a Plugin Rule 475
Sensors (Tenable Nessus Manager) 476
Agents 476
Agent groups 478
Freeze windows 479
Agent clustering 480
Modify Agent Settings 481
Global Agent Settings 482
Remote Agent Settings 484
Filter Agents 485
Export Agents 487
Download Linked Agent Logs 488
Unlink an Agent 490
Agent Groups 492
Create a New Agent Group 493
Configure User Permissions for an Agent Group 494
Modify an Agent Group 496
- 12 -
Delete an Agent Group 498
Freeze Windows 499
Create a Freeze Window 500
Modify a Freeze Window 501
Delete a Freeze Window 502
Modify Global Freeze Window Settings 503
Clustering 505
Clustering System Requirements 506
Parent Node (Tenable Nessus Manager with Clustering Enabled) 507
Child Node (Tenable Nessus Scanner Managed by Tenable Nessus Manager Parent
Node) 508
Agents 509
Enable Clustering 510
Migrate Agents to a Cluster 511
Link Agents to a Cluster 513
Manage Nodes 516
Get Linking Key from Node 517
Link a Node 518
View or Edit a Node 521
Enable or Disable a Node 523
Rebalance Nodes 524
Delete a Node 526
Cluster Groups 527
Create a Cluster Group 528
Add a Node to a Cluster Group 529
- 13 -
Add an Agent to a Cluster Group 531
Move an Agent to a Cluster Group 533
Move a Node to a Cluster Group 535
Modify a Cluster Group 537
Delete a Cluster Group 538
Scanners 539
Link Nessus Scanner 540
Unlink Nessus Scanner 541
Enable or Disable a Scanner 542
Remove a Scanner 543
Download Managed Scanner Logs 544
Settings 546
About 547
Download Logs 549
Set an Encryption Password 550
Advanced Settings 551
User Interface 553
Scanning 556
Logging 561
Performance 567
Security 576
Agents & Scanners 579
Cluster 585
Miscellaneous 587
- 14 -
Custom 592
Create a New Setting 595
Modify a Setting 596
Delete a Setting 597
LDAP Server (Tenable Nessus Manager) 598
Configure an LDAP Server 600
Proxy Server 602
Configure a Proxy Server 604
Remote Link 606
SMTP Server 609
Configure an SMTP Server 611
Custom CA 613
Upgrade Assistant 614
Password Management 615
Configure Password Management 617
Scanner Health 617
Overview 618
Network 619
Alerts 620
Monitor Scanner Health 621
Notifications 622
Acknowledge Notifications 623
View Notifications 624
Accounts 625
- 15 -
My Account 626
Modify Your User Account 627
Generate an API Key 628
Users 629
Create a User Account 631
Modify a User Account 632
Delete a User Account 633
Transfer User Data 634
Command Line Operations 635
Start or Stop Tenable Nessus 635
Windows 636
Linux 637
macOS 637
Start or Stop a Tenable Nessus Agent 638
Windows 638
Linux 638
macOS 639
Nessus-Service 640
Nessus-Service Syntax 641
Suppress Command Output Examples 642
Nessusd Commands 643
Notes 645
Nessuscli 645
Nessuscli Syntax 646
- 16 -
Nessuscli Commands 647
Nessuscli Agent 656
Nessuscli Syntax 657
Nessuscli Commands 658
Update Tenable Nessus Software (CLI) 667
Additional Resources 668
Amazon Web Services 669
Configure Tenable Nessus for NIAP Compliance 670
Default Data Directories 673
Encryption Strength 674
File and Process Allowlist 675
Manage Logs 677
Default Log Locations 678
Modify Log Settings 679
Modify log.json 680
log.json Format 681
Mass Deployment Support 687
Tenable Nessus Environment Variables 688
Deploy Tenable Nessus using JSON 689
Location of config.json File 690
Example Tenable Nessus File Format 691
config.json Details 692
Linking 693
Preferences 694
- 17 -
User 695
Tenable Nessus Credentialed Checks 695
Purpose 696
Access Level 697
Detecting When Credentials Fail 698
Credentialed Checks on Windows 698
Configure a Domain Account for Authenticated Scanning 699
Create a Security Group called "Nessus Local Access" 700
Create a Group Policy called "Local Admin GPO" 701
Add the "Nessus Local Access" Group to the "Nessus Scan GPOPolicy" 702
Allow WMI on Windows 703
Link the GPO 704
Configure Windows 705
Prerequisites 707
Enable Windows Logins for Local and Remote Audits 708
Configure a Tenable Nessus Scan for Windows Logins 711
Credentialed Checks on Linux 712
Prerequisites 713
Enable SSH Local Security Checks 713
Generate SSH Public and Private Keys 714
Create a User Account and Set Up the SSH Key 715
Example 716
Return to the Public Key System 717
Configure Tenable Nessus for SSH Host-Based Checks 718
- 18 -
Run Tenable Nessus as Non-Privileged User 719
Run Nessus on Linux with Systemd as a Non-Privileged User 720
Run Nessus on Linux with init.d Script as a Non-Privileged User 723
Run Nessus on macOS as a Non-Privileged User 726
Run Nessus on FreeBSD as a Non-Privileged User 731
Upgrade Assistant 735
- 19 -
Welcome to Tenable Nessus 8.15.x
If you are new to Tenable Nessus®, see Get Started with Tenable Nessus.
To get started with creating a scan, see Create a Scan.
l To create a compliance scan, configure Compliance settings for the scan.
l To create a host discovery scan, see Example: Host Discovery.
Tenable Nessus Solutions
Tenable Vulnerability Management
Tenable Vulnerability Management is a subscription-based license and is available at the Tenable

Store.
Tenable Vulnerability Management enables security and audit teams to share multiple Tenable Nes-
sus scanners, scan schedules, scan policies and most importantly scan results among an unlimited
set of users or groups.
By making different resources available for sharing among users and groups, Tenable Vulnerability
Management allows for endless possibilities for creating highly customized work flows for your vul-
nerability management program, regardless of locations, complexity, or any of the numerous reg-
ulatory or compliance drivers that demand keeping your business secure.
In addition, Tenable Vulnerability Management can control multiple Tenable Nessus scanners, sched-
ule scans, push policies and view scan findings—all from the cloud, enabling the deployment of Nes-
sus scanners throughout your network to multiple physical locations, or even public or private
clouds.
The Tenable Vulnerability Management subscription includes:
l Unlimited scanning of your perimeter systems
l Web application audits
l Ability to prepare for security assessments against current PCI standards
l Up to two quarterly report submissions for PCI ASV validation through Tenable, Inc.
- 20 -
l 24/ 7 access to the Tenable Community site for Tenable Nessus knowledge base and support
ticket creation
Tenable Vulnerability Management Product Page
Tenable Vulnerability Management User Manual
Tenable Nessus Professional
Tenable Nessus Professional, the industry’s most widely deployed vulnerability assessment solution
helps you reduce your organization’s attack surface and ensure compliance. Tenable Nessus fea-
tures high-speed asset discovery, configuration auditing, target profiling, malware detection, sens-
itive data discovery, and more.
Tenable Nessus supports more technologies than competitive solutions, scanning operating sys-
tems, network devices, hypervisors, databases, web servers, and critical infrastructure for vul-
nerabilities, threats, and compliance violations.
With the world’s largest continuously updated library of vulnerability and configuration checks, and
the support of Tenable, Inc.’s expert vulnerability research team, Tenable Nessus sets the standard
for vulnerability scanning speed and accuracy.
Tenable Nessus Professional Product Page
Tenable Nessus Expert
Tenable Nessus Expert combines the industry’s most widely deployed vulnerability assessment solu-
tion with new features and functionality that are specifically engineered to address the extended
modern attack surface. With Nessus Expert you can not only reduce your organization’s IP-based
attack surface and ensure compliance, but also identify vulnerabilities and policy violations in Infra-
structure as Code (IaC) and identify previously unknown internet-facing assets.
Tenable Nessus Expert supports more technologies than competitive solutions, scanning operating
systems, network devices, IaC repositories, hypervisors, databases, web servers, and critical infra-
structure for vulnerabilities, threats, and compliance violations.
With the world’s largest continuously updated library of vulnerability and configuration checks, and
the support of Tenable's expert vulnerability research team, Tenable Nessus Expert sets the stand-
ard for vulnerability scanning speed, accuracy, and is the only tool designed to address today’s mod-
ern attack surface.
- 21-
Nessus Expert Product Page
Tenable Nessus Manager
Note:Tenable Nessus Manager is no longer sold as of February 1, 2018. For existing standalone Tenable Nes-
sus Manager customers, Tenable continues to provide service through the duration of your contract. Ten-
able continues to support and provision Tenable Nessus Manager for the purpose of managing agents.
Nessus Manager combines the powerful detection, scanning, and auditing features of Nessus, the
world’s most widely deployed vulnerability scanner, with extensive management and collaboration
functions to reduce your attack surface.
Nessus Manager enables the sharing of resources including Nessus scanners, scan schedules,
policies, and scan results among multiple users or groups. Users can engage and share resources
and responsibilities with their co-workers; system owners, internal auditors, risk and compliance
personnel, IT administrators, network admins, and security analysts. These collaborative features
reduce the time and cost of security scanning and compliance auditing by streamlining scanning,
malware and misconfiguration discovery, and remediation.
Nessus Manager protects physical, virtual, mobile, and cloud environments. Nessus Manager is avail-
able for on-premises deployment or from the cloud, as Tenable Vulnerability Management. Nessus
Manager supports the widest range of systems, devices and assets, and with both agent-less and
Nessus Agent deployment options, easily extends to mobile, transient, and other hard-to-reach
environments.
Tenable Nessus Agent
For Tenable Nessus Agent documentation, see the Tenable Nessus Agent User Guide.
Nessus Agents, available with Tenable Vulnerability Management and Nessus Manager, increase
scan flexibility by making it easy to scan assets without needing ongoing host credentials or assets
that are offline, and enable large-scale concurrent scanning with little network impact.
Tenable Nessus Agents are lightweight, low-footprint programs that you install locally on hosts to
supplement traditional network-based scanning or to provide visibility into gaps that traditional
scanning misses. Tenable Nessus Agents collect vulnerability, compliance, and system data, and
report that information back to a manager for analysis. With Tenable Nessus Agents, you extend
scan flexibility and coverage. You can scan hosts without using credentials, and offline assets and
- 22 -
endpoints that intermittently connect to the internet. You can also run large-scale concurrent agent
scans with little network impact.
Tenable Nessus Agents help you address the challenges of traditional network-based scanning, spe-
cifically for the assets where it's impossible or nearly impossible to consistently collect information
about your organization's security posture. Traditional scanning typically occurs at selected inter-
vals or during designated windows and requires systems to be accessible when a scan is executed.
If laptops or other transient devices are not accessible when a scan is executed, they are excluded
from the scan, leaving you blind to vulnerabilities on those devices. Tenable Nessus Agents help
reduce your organization’s attack surface by scanning assets that are off the network or powered-
down during scheduled assessments or by scanning other difficult-to-scan assets.
Once installed on servers, portable devices, or other assets found in today’s complex IT envir-
onments, Tenable Nessus Agents identify vulnerabilities, policy violations, misconfigurations, and
malware on the hosts where you install them and report results back to the managing product. You
can manage Tenable Nessus Agents with Tenable Nessus Manager or Tenable Vulnerability Man-
agement.
Nessus Agents Product Page
Get Started with Tenable Nessus
- 23 -
Prepare
l Ensure that your setup meets the minimum system requirements:
l Hardware Requirements
l Software Requirements
l Obtain your Activation Code for Tenable Nessus.
- 24 -
Install and Configure Tenable Nessus
l Follow the installation steps depending on your Tenable Nessus software and operating sys-
tem, as described in Install Tenable Nessus.
l Perform the initial configuration steps.
- 25 -
Create and Configure Scans
1. Run a host discovery scan to identify assets on your network.
2. Create a scan.
3. Select a scan template that fits your needs.
When you configure a Tenable-provided scan template, you can modify only the settings
included for the scan template type. When you create a user-defined scan template, you can
modify a custom set of settings for your scan. Tenable sometimes refers to a user-defined
template as a policy.
l Use a Tenable-provided scanner template.
l (Tenable Nessus Manager only) Use a Tenable-provided Agent template.
l Create and use a user-defined template by creating a policy.
4. Configure the scan:
l Configure the scan settings available for your template.
For information about scan targets, see Scan Targets.
l (Optional) To configure live results, see Live Results.
l (Optional) If you are running a credentialed scan, configure credentials.
l (Optional) If you are running a compliance scan, select the compliance audits your scan
includes.
l (Optional) If you are using an advanced scan template, select what plugins your scan
includes.
5. Launch the scan.
- 26 -
View and Analyze Scan Results
l View scan results.
l View and manage vulnerabilities.
l Manage scan folders.
l Create a scan report or export.
- 27 -
Refine Tenable Nessus Settings
l Adjust scan settings to address warning messages.
l Monitor scanner health.
l Configure Tenable Nessus advanced settings.
- 28 -
Navigate Tenable Nessus
The top navigation bar shows links to the two main pages: Scans and Settings. You can perform all
Tenable Nessus primary tasks using these two pages. Click a page name to open the corresponding
page.
Item Description
Toggles the Notifications box, which shows a list of noti-

fications, successful or unsuccessful login attempts, errors,
and system information generated by Tenable Nessus.
Username Shows a drop-down box with the following options: My

Account, What's New, Documentation, and Sign Out.
- 29 -
System Requirements
You can run Tenable Nessus in the following environments.
Environment More Information
Tenable Core Virtual VMware Requirements in the Tenable Core User

Guide
Microsoft
Hyper-V
Cloud Microsoft
Azure
Hardware
Other plat- Virtual VMware Virtual Machine and Software Requirements

forms
Hardware Hardware Requirements and Software
Requirements
For information about license requirements, see Licensing Requirements.
Hardware Requirements
Enterprise networks can vary in performance, capacity, protocols, and overall activity. Resource
requirements to consider for Nessus deployments include raw network speed, the size of the net-
work, and the configuration of Nessus.
Note: The following recommendations are guidelines for the minimum hardware allocations. Certain types
of scans are more resource intensive. If you run complex scans, especially those with credentials, you may
require more disk space, memory, and processing power.
Tip: For information about Tenable Core + Nessus, see Requirements in the Tenable Core User Guide.
- 30 -
Storage Requirements
Tenable Nessus only supports storage area networks (SANs) or network-attached storage (NAS) con-
figurations when installed on a virtual machine managed by an enterprise class hypervisor. Tenable
Nessus Manager requires higher disk throughput and may not be appropriate for remote storage. If
you install Tenable Nessus on a non-virtualized host, you must do so on direct-attached storage
(DAS) devices.
Tenable recommends a minimum of 5,000 MB of temporary space for the Nessus scanner to run
properly.
- 31-
NIC Requirements
Tenable recommends you configure the following, at minimum, to ensure network interface con-
troller (NIC) compatibility with Tenable Nessus:
l Disable NIC teaming or assign a single NIC to Tenable Nessus.
l Disable IPv6 tunneling on the NIC.
l Disable packet capture applications that share a NIC with Tenable Nessus.
l Avoid deploying Tenable Nessus in a Docker container that shares a NIC with another Docker
container.
For assistance confirming if other aspects of your NIC configuration are compatible with Tenable
Nessus, contact Tenable Support.
- 32 -
Tenable Nessus Scanners and Tenable Nessus Professional
The following table lists the hardware requirements for Tenable Nessus scanners and Tenable Nes-
sus Professional.
Scenario Minimum Recommended Hardware
Scanning up to 50,000 CPU: 4 2GHz cores

hosts per scan
Memory: 4 GB RAM (8 GB RAM recommended)
Disk space: 30 GB, not including space used by the host operating
system
Note: Your usage (e.g., scan results, plugin updates, and logs)
increases the amount of disk space needed over time.
Scanning more than CPU: 8 2GHz cores

50,000 hosts per scan
Memory: 8 GB RAM (16 GB RAM recommended)
Disk space: 30 GB, not including space used by the host operating
system
Note: Your usage (e.g., scan results, plugin updates, and logs)
increases the amount of disk space needed over time.
- 33 -
Tenable Nessus Manager
The following table lists the hardware requirements for Tenable Nessus Manager.
Note: The suggested minimum recommended hardware is based on the total number of agents that check
into the manager daily.
Scenario Minimum Recommended Hardware
Nessus Manager with 0-10,000 CPU: 4 2GHz cores

agents
Memory: 16 GB RAM
Disk space: 5 GB per 5,000 agents per concurrent scan
Note: Scan results and plugin updates require more disk

space over time.
Nessus Manager with 10,001-20,000 CPU: 8 2GHz cores

agents
Memory: 32 GB RAM
Disk space: 5 GB per 5,000 agents per concurrent scan
Note: Scan results and plugin updates require more disk

space over time.
Note: Engage with your Tenable representative for large

deployments.
- 34 -
Virtual Machine
You can install Tenable Nessus on a Virtual Machine that meets the same requirements.
Note: Using Network Address Translation (NAT) to connect your virtual machine to the network negatively
affects many of the Tenable Nessus vulnerability checks, host enumeration, and operating system iden-
tification.
- 35 -
Nessus Agents
Tenable Nessus Agents are lightweight and only minimal system resources. Generally, a Tenable
Nessus Agent uses 40 MB of RAM (all pageable). A Tenable Nessus Agent uses almost no CPU while
idle, but is designed to use up to 100% of CPU when available during jobs.
For more information on Tenable Nessus Agent resource usage, see Agent Software Footprint.
The following table outlines the minimum recommended hardware for operating a Tenable Nessus
Agent. You can install Tenable Nessus Agents on a virtual machine that meets the same require-
ments specified.
Hardware Minimum Requirement
Processor 1Dual-core CPU
Processor > 1GHz

Speed
RAM > 1GB
Disk Space l Agents 7.7.x and earlier: > 1GB, not including space used by the host
operating system
l Agents 8.0.x and later: > 3 GB, not including space used by the host oper-
ating system
l Agents 10.0.x and later: > 2 GB, not including space used by the host
operating system
The agent may require more space during certain processes, such as a plu-
gins-code.db defragmentation operation.
Disk Speed 15-50 IOPS
Note: You can control the priority of the Tenable Nessus Agent relative to the priority of other tasks run-
ning on the system. For more information see Agent CPU Resource Control in the Tenable Nessus Agent
Deployment and User Guide.
Software Requirements
- 36 -
Tenable Nessus supports Linux, Windows, and macOS operating systems.
Tip: For information about Tenable Core + Nessus, see System Requirements in the Tenable Core User Guide.
- 37 -
Tenable Nessus
For Tenable Nessus software requirements, see the Nessus Software Requirements in the General
Requirements User Guide.
- 38 -
Nessus Agents
For Tenable Nessus Agent software requirements, see the Agent Software Requirements in the Gen-
eral Requirements User Guide.
- 39 -
Supported Browsers
Nessus supports the following browsers:
l Google Chrome (76+)
l Apple Safari (10+)
l Mozilla Firefox (50+)
l Microsoft Edge (102+)
- 40 -
SELinux Requirements
Tenable Nessus supports disabled, permissive, and enforcing mode Security-Enhanced Linux
(SELinux) policy configurations.
l Disabled and permissive mode policies typically do not require customization to interact with
Tenable Nessus.
l Enforcing mode policies require customization to interact with Tenable Nessus. For more
information, see Customize SELinux Enforcing Mode Policies.
Note:Tenable recommends testing your SELinux configurations before deploying on a live network.
- 41-
PDF Report Requirements
The Nessus .pdf report generation feature requires the latest version of Oracle Java or OpenJDK.
Install Oracle Java or OpenJDK prior to installing Nessus.
Note: If you install Oracle Java or OpenJDK after you install Nessus, you must reinstall Nessus to enable
PDF report generation.
- 42 -
Customize SELinux Enforcing Mode Policies
Security-Enhanced Linux (SELinux) enforcing mode policies require customization to interact with
Tenable Nessus.
Tenable Support does not assist with customizing SELinux policies, but Tenable recommends mon-
itoring your SELinux logs to identify errors and solutions for your policy configuration.
Before you begin:

l Install the SELinux sealert tool in a test environment that resembles your production envir-
onment.
To monitor your SELinux logs to identify errors and solutions:
1. Run the sealert tool, where /var/log/audit/audit.log is the location of your SELinux
audit log:
sealert -a /var/log/audit/audit.log
The tool runs and generates a summary of error alerts and solutions. For example:
SELinux is preventing /usr/sbin/sshd from write access on the sock_file /dev/log

SELinux is preventing /usr/libexec/postfix/pickup from using the rlimitinh access
on a process.
2. Execute the recommended solution for each error alert.
3. Restart Tenable Nessus.
4. Run the sealert tool again to confirm you resolved the error alerts.
- 43 -
Licensing Requirements
Nessus is available to operate either as a subscription or managed by Tenable Security Center. Ten-
able Nessus requires a plugin feed Activation Code to operate in subscription mode. This code iden-
tifies which version of Tenable Nessus that Tenable licensed you to install and use, and if
applicable, how many IP addresses you can scan, how many remote scanners you can link to Ten-
able Nessus, and how many Nessus Agents you can link to Tenable Nessus Manager. Tenable Nes-
sus Manager licenses are specific to your deployment size, especially for large deployments or
deployments with multiple Tenable Nessus Manager instances. Discuss your requirements with your
Tenable Customer Success Manager.
Tenable recommends that you obtain the Activation Code before starting the installation process,
as it is required before you can set up Tenable Nessus.
Your activation code:
l is a one-time code, unless your license or subscription changes, at which point Tenable will
issue you a new activation code.
l must be used with the Tenable Nessus installation within 24 hours.
l cannot be shared between scanners.
l is not case-sensitive.
l is required to manage Tenable Nessus offline.
Note: For more information about managing Tenable Nessus offline, refer to the Nessus User Guide.
You may purchase a Tenable Nessus subscription through the Tenable, Inc. online store at
https:/ / store.tenable.com/ or via a purchase order through Authorized Nessus Partners. You will
then receive an Activation Code from Tenable, Inc.. This code will be used when configuring your
copy of Tenable Nessus for updates.
Note: See the Obtain an Activation Code page to obtain an Activation Code.
If you are using Tenable Security Center to manage your Nessus scanners, the Activation Code and
plugin updates are managed from Tenable Security Center. You must start Nessus before it com-
municates with Tenable Security Center, which it normally does not do without a valid Activation
Code and plugins. To have Nessus ignore this requirement and start (so that it can get the
- 44 -
information from Tenable Security Center), when you register your scanner, select Managed by
SecurityCenter.
- 45 -
Deployment Considerations
When deploying Tenable Nessus, knowledge of routing, filters, and firewall policies is often helpful.
Deploying behind a NAT device is not desirable unless it is scanning the internal network. Anytime a
vulnerability scan flows through a NAT device or application proxy of some sort, the check can dis-
tort and a false positive or negative can result.
In addition, if the system running Tenable Nessus has personal or desktop firewalls in place, these
tools can drastically limit the effectiveness of a remote vulnerability scan. Host-based firewalls can
interfere with network vulnerability scanning. Depending on your firewall’s configuration, it may pre-
vent, distort, or hide the probes of a Tenable Nessus scan.
Certain network devices that perform stateful inspection, such as firewalls, load balancers, and
Intrusion Detection/ Prevention Systems, may react negatively when Tenable Nessus conducts a
scan through them. Tenable Nessus has several tuning options that can help reduce the impact of
scanning through such devices, but the best method to avoid the problems inherent in scanning
through such network devices is to perform a credentialed scan.
If you configure Tenable Nessus Manager for agent management, Tenable does not recommend
using Tenable Nessus Manager as a local scanner. For example, do not configure Tenable Security
Center scan zones to include Tenable Nessus Manager and avoid running network-based scans dir-
ectly from Tenable Nessus Manager. These configurations can negatively impact agent scan per-
formance.
This section contains the following deployment considerations:
l Port Requirements
l Host-Based Firewalls
l IPv6 Support
l Network Address Translation (NAT) Limitation
l Antivirus Software
l Security Warnings
Port Requirements
- 46 -
Tenable Nessus port requirements include Tenable Nessus Manager, Tenable Nessus Professional,
Tenable Nessus Expert, Tenable Nessus Essentials, and Tenable Nessus scanner-specific require-
ments and Tenable Nessus Agent-specific requirements.
- 47 -
Tenable Nessus Manager, Tenable Nessus Professional, Tenable
Nessus Expert, Tenable Nessus Essentials, and Tenable Nessus
Scanners
Your Tenable Nessus instances require access to specific ports for inbound and outbound traffic.
Inbound Traffic
You must allow inbound traffic to the following ports.
Port Traffic
TCP 8834 Accessing the Tenable Nessus interface.
Communicating with Tenable Security Center.
Interacting with the API.
Outbound Traffic
You must allow outbound traffic to the following ports.
Port Traffic
TCP 25 Sending SMTP email notifications.
TCP 443 Communicating with Tenable Vulnerability Management.
Communicating with the plugins.nessus.org server for plugin updates.
UDP 53 Performing DNS resolution.
- 48 -
Tenable Nessus Agents
Your Tenable Nessus Agents require access to specific ports for outbound traffic.
Outbound Traffic
You must allow outbound traffic to the following ports.
Port Traffic
TCP 443 Communicating with Tenable Vulnerability Management.
TCP Communicating with Tenable Nessus Manager.

8834
Note: The default Tenable Nessus Manager port is TCP 8834. However, this port is con-
figurable and may be different for your organization.
UDP 53 Performing DNS resolution.
- 49 -
Host-Based Firewalls
Port 8834
The Nessus user interface uses port 8834. If not already open, open port 8834 by consulting your
firewall vendor's documentation for configuration instructions.
Allow Connections
If you configured the Nessus server on a host with 3rd-party firewall such as ZoneAlarm or Windows
firewall, you must configure it to allow connections from the IP addresses of the clients using Nes-
sus.
Nessus and FirewallD

You can configure Tenable Nessus to work with FirewallD. When you install Tenable Nessus on
RHEL 7, CentOS 7, and Fedora 20+ systems using firewalld, you can configure firewalld with
the Nessus service and Nessus port.
To open the ports required for Nessus, use the following commands:
>> firewall-cmd --permanent --add-service=nessus

>> firewall-cmd --reload
- 50 -
IPv6 Support
Nessus supports scanning of IPv6 based resources. Many operating systems and devices ship with
IPv6 support enabled by default. To perform scans against IPv6 resources, you must configure at
least one IPv6 interface on the host where Nessus is installed, and Nessus must be on an IPv6 cap-
able network (Nessus cannot scan IPv6 resources over IPv4, but it can enumerate IPv6 interfaces
via credentialed scans over IPv4). Both full and compressed IPv6 notation are supported when ini-
tiating scans.
Nessus does not support scanning IPv6 Global Unicast IP address ranges unless you enter the IPs
separately (in list format). Nessus does not support ranges expressed as hyphenated ranges or CIDR
addresses. Nessus supports Link-local ranges with the link6 directive as the scan target or local link
with eth0.
- 51-
Network Address Translation (NAT) Limitation
If your virtual machine uses Network Address Translation (NAT) to reach the network, many of Nes-
sus vulnerability checks, host enumeration, and operating system identification are negatively
affected.
- 52 -
Antivirus Software
Due to the large number of TCP connections generated during a scan, some anti-virus software
packages may classify Tenable Nessus as a worm or a form of malware. Antivirus software may
increase your scan processing times.
l If your anti-virus software warns you, select Allow to let Tenable Nessus continue scanning.
l If your anti-virus package gives you the option to add processes to an exception list, add
nessusd.exe, nessus-service.exe, and nessuscli.exe.
For more information about allowlisting Tenable Nessus folders, files, and processes in security
products, see File and Process Allowlist.
- 53 -
Security Warnings
By default, Nessus is installed and managed using HTTPS and SSL uses port 8834. The default
installation of Nessus uses a self-signed SSL certificate.
During the web-based portion of the Nessus installation, the following message regarding SSL
appears:
You are likely to get a security alert from your browser saying that the SSL certificate is
invalid. You may either choose to accept the risk temporarily, or you can obtain a valid
SSL certificate from a registrar.
This information refers to a security-related message you encounter when accessing the Nessus
user interface (https:/ / [ server IP] :8834).
Example Security Warning

l a connection privacy problem
l an untrusted site
l an unsecure connection
Because Nessus is providing a self-signed SSL certificate, this is normal behavior.
Bypassing SSL Warnings

Based on the browser you are using, use the following steps to proceed to the Nessus login page.
Browser Instructions
Google Select Advanced, and then Proceed to example.com (unsafe).

Chrome
Note: Some instances of Google Chrome do not allow you to proceed. If this hap-
pens, Tenable recommends using a different browser, such as Safari or Mozilla Fire-
fox.
Mozilla Fire- Select I Understand the Risks, and then select Add Exception.
fox
Next select Get Certificate, and finally select Confirm Security Exception.
- 54 -
Certificates and Certificate Authorities
Tenable Nessus includes the following defaults:
l The default Tenable Nessus SSL certificate and key, which consists of two files: server-
cert.pem and serverkey.pem.
l A Tenable Nessus certificate authority (CA), which signs the default Tenable Nessus
SSL certificate. The CA consists of two files: cacert.pem and cakey.pem.
However, you may want to upload your own certificates or CAs for advanced configurations or to
resolve scanning issues. For more information, see:
l Custom SSL Server Certificates —View an overview of Tenable Nessus SSL server certificates
and troubleshoot common certificate problems.
l Create a New Server Certificate and CA Certificate —If you do not have your own cus-
tom CA and server certificate, you can use Tenable Nessus to create a new server cer-
tificate and CA certificate.
l Upload a Custom Server Certificate and CA Certificate —Replace the default certificate
that ships with Tenable Nessus.
l Create SSL Client Certificates for Login —Create an SSL client certificate to log in to Tenable
Nessus instead of using a username and password.
l Trust a Custom CA —Add a custom root CA to the list of CAs that Tenable Nessus trusts.
l Tenable Nessus Manager Certificates and Tenable Nessus Agent —Understand the certificate
chain between Tenable Nessus Manager and Tenable Nessus Agents and troubleshoot issues.
Location of Certificate Files
Operating System Directory
Linux /opt/nessus/com/nessus/CA/servercert.pem
/opt/nessus/var/nessus/CA/serverkey.pem
/opt/nessus/com/nessus/CA/cacert.pem
/opt/nessus/var/nessus/CA/cacert.key
- 55 -
FreeBSD /usr/local/nessus/com/nessus/CA/servercert.pem
/usr/local/nessus/var/nessus/CA/serverkey.pem
/usr/local/nessus/com/nessus/CA/cacert.pem
/usr/local/nessus/var/nessus/CA/cacert.key
Windows C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem
C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem
C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem
C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.key
macOS /Library/Nessus/run/com/nessus/CA/servercert.pem
/Library/Nessus/run/var/nessus/CA/serverkey.pem
/Library/Nessus/run/com/nessus/CA/cacert.pem
/Library/Nessus/run/var/nessus/CA/cacert.key
- 56 -
Custom SSL Server Certificates
By default, Tenable Nessus uses an SSL certificate signed by the Tenable Nessus certificate author-
ity (CA), Nessus Certification Authority. During installation, Tenable Nessus creates two files that
make up the certificate: servercert.pem and serverkey.pem. This certificate allows you to
access Tenable Nessus over HTTPS through port 8834.
Because Nessus Certification Authority is not a trusted valid certificate authority, the certificate is
untrusted, which can result in the following:
l Your browser may produce a warning regarding an unsafe connection when you access Ten-
able Nessus via HTTPS through port 8834.
l Plugin 51192 may report a vulnerability when scanning the Tenable Nessus scanner host.
To resolve these issues, you can use a custom SSL certificate generated by your organization or a
trusted CA.
To configure Tenable Nessus to use custom SSL certificates, see the following:
l Create a New Server Certificate and CA Certificate. —If your organization does not have a cus-
tom SSL certificate, create your own using the built-in Tenable Nessus mkcert utility.
l Upload a Custom Server Certificate and CA Certificate —Replace the default certificate that
ships with Tenable Nessus.
l Trust a Custom CA —Add a custom CA to the list of CAs that Tenable Nessus trusts.
Troubleshooting
To troubleshoot common problems with using the default CA certificate with Tenable Nessus, see
the following table:
Problem Solution
Your browser reports that the Do any of the following:

Tenable Nessus server cer-
l Get the Tenable Nessus self-signed certificate
tificate is untrusted.
signed by a trusted root CA, and upload that trusted
CA to your browser.
- 57 -
l Use the /getcert path to install the root CA in your
browsers. Go to the following address in your
browser: https://[IP address]:8834/getcert.
l Upload your own custom certificate and custom CA

to your browser:
a. Upload a Custom Server Certificate and

CA Certificate.
b. If Tenable Nessus does not trust the CA for

your certificate, configure Tenable Nessus to
Trust a Custom CA.
Plugin 51192 reports that the Ten- Do any of the following:

able Nessus server certificate is
l Replace the Tenable Nessus server certificate with
untrusted.
one that has been signed by a CA that Tenable Nes-
For example: sus already trusts.
l The certificate expired l Upload your own custom certificate and custom CA
to your browser:
l The certificate is self-
signed and therefore a. Upload a Custom Server Certificate and
untrusted CA Certificate.
b. If Tenable Nessus does not trust the CA for

your certificate, configure Tenable Nessus to
Trust a Custom CA.
Plugin 51192 reports that an Add your custom root CA to the list of CAs that Tenable
unknown CA was found at the Nessus trusts, as described in Trust a Custom CA.
top of the certificate chain.
- 58 -
Create a New Server Certificate and CA Certificate
If you do not have your own custom certificate authority (CA) and server certificate (for example, a
trusted certificate that your organization uses), you can use Tenable Nessus to create a new server
certificate and CA certificate.
The Tenable Nessus CA signs this server certificate, which means your browser may report that the
server certificate is untrusted.
Note: You need to be an administrator user or have root privileges to create a new custom CA and server
certificate.
Note: The following steps are applicable to both Tenable Nessus scanners and Tenable Nessus Manager.
To create a new custom CA and server certificate:
1. Access the Tenable Nessus CLI as an administrator user or a user with root privileges.
2. Run the nessuscli mkcert command:
Linux
# /opt/nessus/sbin/nessuscli mkcert
Windows
C:\Program Files\Tenable\Nessus\nessuscli.exe mkcert
macOS
# /Library/Nessus/run/sbin/nessuscli mkcert
This command places the certificates in their correct directories.
3. When prompted for the hostname, enter the DNS name or IP address of the Tenable Nessus
server in the browser such as https:/ / hostname:8834/ or https:/ / ipaddress:8834/ . The default
certificate uses the hostname.
What to do next:
- 59 -
l Because Nessus Certification Authority is not a trusted valid certificate authority, the cer-
tificate is untrusted, which can result in the following:
l Your browser may produce a warning regarding an unsafe connection when you access
Tenable Nessus via HTTPS through port 8834.
l Plugin 51192 may report a vulnerability when scanning the Tenable Nessus scanner host.
To resolve either of those issues, Trust a Custom CA. For more information about how Ten-
able Nessus uses custom SSL server certificates and CAs, see Custom SSL Server Cer-
tificates.
- 60 -
Upload a Custom Server Certificate and CA Certificate
These steps describe how to upload a custom server certificate and certificate authority
(CA) certificate to the Nessus web server through the command line.
You can use the nessuscli import-certs command to validate the server key, server certificate,
and CA certificate, check that they match, and copy the files to the correct locations. Alternatively,
you can also manually copy the files.
Before you begin:

l Ensure you have a valid server certificate and custom CA. If you do not already have your own,
create a custom CA and server certificate using the built-in Tenable Nessus mkcert utility.
To upload a custom CA certificate using a single command:
1. Access Tenable Nessus from the CLI.
2. Type the following, replacing the server key, server certificate, and CA certificate with the
appropriate path and file names for each file.
nessuscli import-certs --serverkey=<server key path> --servercert=<server

certificate path> --cacert=<CA certificate path>
Tenable Nessus validates the files, checks that they match, and copies the files to the correct
locations.
To upload a custom server certificate and CA certificate manually using the CLI:
1. Stop the Nessus server.
2. Back up the original Nessus CA and server certificates and keys.
For the location of the default certificate files for your operating system, see Location of Cer-
tificate Files.
Linux example
cp /opt/nessus/com/nessus/CA/cacert.pem /opt/nessus/com/nessus/CA/cacert.pem.orig
- 61-
cp /opt/nessus/var/nessus/CA/cakey.pem /opt/nessus/var/nessus/CA/cakey.pem.orig
cp /opt/nessus/com/nessus/CA/servercert.pem
/opt/nessus/com/nessus/CA/servercert.pem.orig
cp /opt/nessus/var/nessus/CA/serverkey.pem
/opt/nessus/var/nessus/CA/serverkey.pem.orig
Windows example
copy C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem
C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem.orig
copy C:\ProgramData\Tenable\Nessus\nessus\CA\cakey.pem
C:\ProgramData\Tenable\Nessus\nessus\CA\cakey.pem.orig
copy C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem
C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem.orig
copy C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem
C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem.orig
macOS example
cp /Library/NessusAgent/run/com/nessus/CA/cacert.pem
/Library/NessusAgent/run/com/nessus/CA/cacert.pem.orig
cp /Library/NessusAgent/run/var/nessus/CA/cakey.pem
/Library/NessusAgent/run/var/nessus/CA/cakey.pem.orig
cp /Library/NessusAgent/run/com/nessus/CA/servercert.pem
/Library/NessusAgent/run/com/nessus/CA/servercert.pem.orig
cp /Library/NessusAgent/run/var/nessus/CA/serverkey.pem
/Library/NessusAgent/run/var/nessus/CA/serverkey.pem.orig
3. Replace the original certificates with the new custom certificates:
Note: The certificates must be unencrypted, and you must name them servercert.pem and
serverkey.pem.
Note: If your certificate does not link directly to the root certificate, add an intermediate certificate
chain, a file named serverchain.pem, in the same directory as the servercert.pem file. This file
- 62 -
contains the 1-n intermediate certificates (concatenated public certificates) necessary to construct
the full certificate chain from the Nessus server to its ultimate root certificate (one trusted by the
user’s browser).
Linux example
cp customCA.pem /opt/nessus/com/nessus/CA/cacert.pem
cp cakey.pem /opt/nessus/var/nessus/CA/cakey.pem
cp servercert.pem /opt/nessus/com/nessus/CA/servercert.pem
cp serverkey.pem /opt/nessus/var/nessus/CA/serverkey.pem
Windows example
copy customCA.pem C:\ProgramData\Tenable\Nessus\nessus\CA\cacert.pem

copy cakey.em C:\ProgramData\Tenable\Nessus\nessus\CA\cakey.pem
copy servercert.pem C:\ProgramData\Tenable\Nessus\nessus\CA\servercert.pem
copy serverkey.pem C:\ProgramData\Tenable\Nessus\nessus\CA\serverkey.pem
macOS example
cp customCA.pem /Library/NessusAgent/run/com/nessus/CA/cacert.pem
cp cakey.em /Library/NessusAgent/run/var/nessus/CA/cakey.em
cp servercert.pem /Library/NessusAgent/run/com/nessus/CA/servercert.pem
cp serverkey.pem /Library/NessusAgent/run/var/nessus/CA/serverkey.pem
4. If prompted, overwrite the existing files.
5. Start the Nessus server.
6. In a browser, log in to the Tenable Nessus user interface as a user with administrator per-
missions.
7. When prompted, verify the new certificate details.
Subsequent connections should not show a warning if a browser-trusted CA generated the

certificate.
What to do next:
- 63 -
l If Tenable Nessus does not already trust the CA, configure Tenable Nessus to Trust a Custom
CA.
- 64 -
Trust a Custom CA
By default, Tenable Nessus trusts certificate authorities (CAs) based on root certificates in the Moz-
illa Included CA Certificate list. Tenable Nessus lists the trusted CAs in the known_CA.inc file in the
Tenable Nessus directory. Tenable updates known_CA.inc when updating plugins.
If you have a custom root CA that is not included in the known CAs, you can configure Tenable Nes-
sus to trust the custom CA to use for certificate authentication.
You can use either the Tenable Nessus user interface or the command-line interface (CLI).
Note: For information about using custom SSL certificates, see Create SSL Client Certificates for Login.
Note: known_CA.inc and custom_CA.inc are used for trusting certificates in your network, and are not
used for Nessus SSL authentication.
Before you begin:

l If your organization does not already have a custom CA, use Tenable Nessus to create a new
custom CA and server certificate, as described in Create a New Server Certificate and CA Cer-
tificate.
l Ensure your CA is in PEM (Base64) format.
To configure Tenable Nessus to trust a custom CA using the Tenable Nessus user inter-
face:
1. In the top navigation bar, click Settings.
The About page appears.
2. In the left navigation bar, click Custom CA.
The Custom CA page appears.
3. In the Certificate box, enter the text of your custom CA.
Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----
END CERTIFICATE-----.
- 65 -
Tip: You can save more than one certificate in a single text file, including the beginning and ending
text for each one.
4. Click Save.
The CA is available for use in Nessus.
To configure Tenable Nessus to trust a custom CA using the CLI:
1. Save your PEM-formatted CA as a text file.
Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----
END CERTIFICATE-----.
Tip: You can save more than one certificate in a single text file, including the beginning and ending
text for each one.
2. Rename the file custom_CA.inc.
3. Move the file to your plugins directory:
Linux
/opt/nessus/lib/nessus/plugins
Windows
C:\ProgramData\Tenable\Nessus\nessus\plugins
macOS
/Library/Nessus/run/lib/nessus/plugins
The CA is available for use in Nessus.
- 66 -
Create SSL Client Certificates for Login
You can configure Tenable Nessus to use SSL client certificate authentication for users to log in to
Tenable Nessus when accessing Tenable Nessus on port 8834. After you enable certificate authen-
tication, you can no longer log in using a username and password.
Caution: Tenable Nessus does not support connecting agents, remote scanners, or managed scanners
after you enable SSL client certificate authentication. Configure an alternate port to enable supporting
remote agents and scanners using the advanced setting remote_listen_port. For more information, see
Advanced Settings.
If you configure SSL client certificate authentication, Tenable Nessus also supports:
l Smart cards
l Personal identity verification (PIV) cards
l Common Access Cards (CAC)
Before you begin:

l If you are using a custom CA, configure Tenable Nessus to trust certificates from your CA, as
described in Trust a Custom CA.
To configure SSL client certificate authentication for Tenable Nessus user accounts:
1. Access the Tenable Nessus CLI as an administrator user or a user with equivalent privileges.
2. Set Tenable Nessus to allow SSL client certificate authentication.
Linux
# /opt/nessus/sbin/nessuscli fix --set force_pubkey_auth=yes
Windows
C:\Program Files\Tenable\Nessus\nessuscli.exe fix --set force_pubkey_auth-

h=yes
macOS
- 67 -
# /Library/Nessus/run/sbin/nessuscli fix --set force_pubkey_auth=yes
3. Create a client certificate for each user you want to be able to log in to Tenable Nessus via
SSL authentication.
a. On the Tenable Nessus server, run the nessuscli mkcert-client command.
Linux
# /opt/nessus/sbin/nessuscli mkcert-client
macOS
# /Library/Nessus/run/sbin/nessuscli mkcert-client
Windows
C:\Program Files\Tenable\Nessus\nessuscli.exe mkcert-client
b. Complete the fields as prompted.
Note: The answers you provided in the initial prompts remain as defaults if you create sub-
sequent client certificates during the same session. However, you can change the values for
each client certificate you create.
Tenable Nessus creates the client certificates and places them in the Tenable Nessus
temporary directory:
l Linux: /opt/nessus/var/nessus/tmp/
l macOS: /Library/Nessus/run/var/nessus/tmp/
l Windows: C:\ProgramData\Tenable\Nessus\tmp
c. Combine the two files (the certificate and the key) and export them into a format that
you can import into the browser, such as .pfx.
In the previous example, the two files were key_sylvester.pem and cert_sylvester-
.pem.
- 68 -
For example, you can combine the two files by using the openssl program and the fol-
lowing command:
# openssl pkcs12 -export -out combined_sylvester.pfx -inkey key_sylvester.pem

-in cert_sylvester.pem -chain -CAfile /opt/nessus/com/nessus/CA/cacert.pem -
passout 'pass:password' -name 'Nessus User Certificate for: sylvester'
Tenable Nessus creates the resulting file combined_sylvester.pfx in the directory

where you launched the command.
4. Upload the certificate to your browser’s personal certificate store.
Refer to the documentation for your browser.
5. Restart the Tenable Nessus service.
6. Log in to Tenable Nessus via https://<Tenable Nessus IP address or

hostname>:8834 and select the username you created.
- 69 -
Tenable Nessus Manager Certificates and Tenable Nessus Agent
When you link an agent to Tenable Nessus Manager, you can optionally specify the certificate that
the agent should use when it links with Tenable Nessus Manager. This allows the agent to verify the
server certificate from Tenable Nessus Manager when the agent links with Tenable Nessus
Manager, and secures subsequent communication between the agent and Tenable Nessus Manager.
For more information on linking Tenable Nessus Agent, see Nessuscli.
If you do not specify the certificate authority (CA) certificate at link time, the agent receives and
trusts the CA certificate from the linked Tenable Nessus Manager. This ensures that subsequent
communication between the agent and Tenable Nessus Manager is secure.
The CA certificate the agent receives at linking time saves in the following location:
l
Linux
/opt/nessus_agent/var/nessus/users/nessus_ms_agent/ms_cert.pem
l
Windows
C:\ProgramData\Tenable\Nessus Agent\nessus\users\nessus_ms_agent\ms_cer-
t.pem
l
macOS
/Library/NessusAgent/run/lib/nessus/users/nessus_ms_agent/ms_cert.pem
Troubleshooting
If the agent cannot follow the complete certificate chain, an error occurs and the agent stops con-
necting with the manager. You can see an example of this event in the following sensor logs:
l nessusd.messages - Example: Server certificate validation failed: unable to get local issuer
certificate
l backend.log - Example: [ error] [ msmanager] SSL error encountered when negotiating with
<Manager_IP>:<PORT>. Code 336134278, unable to get local issuer certificate,
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Scenario: Agent can't communicate to manager due to broken certificate chain
- 70 -
A common reason your certificate chain may break is that you change the server certificate on Ten-
able Nessus Manager but do not update the CA certificate. The agent is then unable to com-
municate to the manager upon restart. To resolve this issue, do one of the following:
l Unlink and relink the agent to Tenable Nessus Manager, which resets the certificate so the
agent gets the correct CA certificate from Tenable Nessus Manager.
l Manually upload the correct cacert.pem file from Tenable Nessus Manager into the custom_
CA.inc file in the agent plugin directory:
l
Linux
/opt/nessus_agent/lib/nessus/plugins
l
Windows
C:\ProgramData\Tenable\Nessus Agent\nessus\plugins
l
macOS
/Library/NessusAgent/run/lib/nessus/plugins
l Generate a new server certificate on Tenable Nessus Manager using the CA for which the
agent already has the CA certificate, so that the certificate chain is still valid.
- 71-
Install Tenable Nessus
This section includes information and steps required for installing Nessus on all supported oper-
ating systems.
l Install Tenable Nessus on macOS
l Install Tenable Nessus on Linux
l Install Tenable Nessus on Windows
l Deploy or Install Tenable Core+ Tenable Nessus
l Deploy Tenable Nessus as a Docker Image
- 72 -
Download Tenable Nessus
You can download Tenable Nessus from the Tenable Downloads site.
When you download Tenable Nessus, ensure the package selected is specific to your operating sys-
tem and processor.
There is a single Tenable Nessus package per operating system and processor. Tenable Nessus Man-
ager, Tenable Nessus Professional, and Tenable Nessus Expert do not have different packages;
your activation code determines which Tenable Nessus product is installed.
- 73 -
Install Tenable Nessus
This section describes how to install Tenable Nessus Manager, Tenable Nessus Professional, and
Tenable Nessus Expert on the following operating systems:
l Linux
l Windows
l macOS
l Deploy Tenable Nessus as a Docker Image
- 74 -
Install Tenable Nessus on Linux
Caution: If you install a Nessus Agent, Manager, or Scanner on a system with an existing Nessus Agent,
Manager, or Scanner running nessusd, the installation process will kill all other nessusd processes. You
may lose scan data as a result.
Note: Tenable Nessus does not support using symbolic links for /opt/nessus/.
To install Nessus on Linux:
1. Download the Nessus package file.
2. From the command line, run the Nessus installation command specific to your operating sys-
tem.
Example Nessus install commands:
Red Hat version 6
# yum install Nessus-<version number>-es6.x86_64.rpm
Debian version 6
# dpkg -i Nessus-<version number>-debian6_amd64.deb
FreeBSD version 10
# pkg add Nessus-<version number>-fbsd10-amd64.txz
3. From the command line, restart the nessusd daemon.
Example Nessus daemon start commands:
Red Hat, CentOS, Oracle Linux, Fedora, SUSE, FreeBSD
# systemctl start nessusd
Debian/ Kali and Ubuntu
# systemctl start nessusd
- 75 -
4. Open Tenable Nessus in your browser.
l To access a remotely installed Nessus instance, go to https:/ / <remote IP address>:8834

(for example, https:/ / 111.49.7.180:8834).
l To access a locally installed Nessus instance, go to https:/ / localhost:8834.
5. Perform the remaining Nessus installation steps in your browser.
Install Tenable Nessus on Windows
Note: You may be required to restart your computer to complete installation.
- 76 -
Download Nessus Package File
For details, refer to the Product Download topic.
- 77 -
Start Nessus Installation
1. Navigate to the folder where you downloaded the Nessus installer.
2. Next, double-click the file name to start the installation process.
- 78 -
Complete the Windows InstallShield Wizard
1. First, the Welcome to the InstallShield Wizard for Tenable, Inc. Nessus screen appears. Select
Next to continue.
2. On the License Agreement screen, read the terms of the Tenable, Inc. Nessus software
license and subscription agreement.
3. Select the I accept the terms of the license agreement option, and then click Next.
4. On the Destination Folder screen, select the Next button to accept the default installation
folder. Otherwise, select the Change button to install Nessus to a different folder.
5. On the Ready to Install the Program screen, select the Install button.
The Installing Tenable, Inc. Nessus screen appears and a Status indication bar shows the install-
ation progress. The process may take several minutes.
After the InstallShield Wizard completes, the Welcome to Nessus page loads in your default
browser.
If the page does not load, do one of the following steps to open Tenable Nessus in your browser.
l To access a remotely installed Nessus instance, go to https:/ / <remote IP address>:8834 (for

example, https:/ / 111.49.7.180:8834).
Perform the remaining Nessus installation steps in your web browser.
- 79 -
Install Tenable Nessus on macOS
Download Tenable Nessus Package File

For details, refer to the Product Download topic.
To install Nessus with the GUI installation package:
Extract the Nessus Files

Double-click the Nessus-<version number>.dmg file.

Double-click Install Nessus.pkg.
Complete the Tenable, Inc. Nessus Server Install

When the installation begins, the Install Tenable, Inc. Nessus Server screen appears and provides an
interactive navigation menu.
Introduction
The Welcome to the Tenable, Inc. Nessus Server Installer window provides general information
about the Nessus installation.
1. Read the installer information.
2. To begin, select the Continue button.
License
- 80 -
1. On the Software License Agreement screen, read the terms of the Tenable, Inc. Nessus soft-
ware license and subscription agreement.
2. OPTIONAL: To retain a copy of the license agreement, select Print or Save.
3. Next, select the Continue button.
4. To continue installing Nessus, select the Agree button, otherwise, select the Disagree button
to quit and exit.
Installation Type
On the Standard Install on <DriveName> screen, choose one of the following options:
l Select the Change Install Location button.
l Select the Install button to continue using the default installation location.
Installation
When the Preparing for installation screen appears, you are prompted for a username and pass-
word.
1. Enter the Name and Password of an administrator account or the root user account.
Next, the Installing Tenable, Inc. Nessus screen appears and shows a Status indication bar for the
remaining installation progress. The process may take several minutes.
Summary
1. When the installation is complete, the The installation was successful screen appears. After
the installation completes, select Close.

- 81-
To install Nessus from the command line:
1. Open Terminal.
2. Run the following commands in the listed order:
a. sudo hdiutil attach Nessus-<Nessus_Version>.dmg
b. sudo installer -package /Volumes/Nessus\ Install/Install\ Nessus.pkg -

target /
c. sudo hdiutil detach /Volumes/Nessus\ Install

Deploy Tenable Nessus as a Docker Image

You can deploy a managed Tenable Nessus scanner or an instance of Tenable Nessus Professional
as a Docker image to run on a container. Tenable provides two base Tenable Nessus images: Oracle
Linux 8 and Ubuntu. You can configure the Tenable Nessus instance with environment variables to
configure the image with the settings you configure automatically.
Tenable does not recommend deploying Tenable Nessus in a Docker container that shares a net-
work interface controller (NIC) with another Docker container.
Note: Tenable Nessus does not support storage volumes. Therefore, if you deploy a new Tenable Nessus
image, you will lose your data and need to reconfigure Tenable Nessus. However, while deploying the new
image, you can configure any initial user and linking information with environment variables, as described
in step 2 of the following procedure.
Before you begin:
- 82 -
l Download and install Docker for your operating system.
l Access the Tenable Nessus Docker image from https:/ / hub.docker.com/ r/ tenable/ nessus.
To deploy Tenable Nessus as a Docker image:
1. In your terminal, use the docker pull command to get the image.
$ docker pull tenable/nessus:<version-OS>
For the <version-OS> tag, you must specify the Tenable Nessus version and whether you are
pulling Oracle Linux 8 or Ubuntu. You can use the latest tag in place of a specific Tenable
Nessus version (for example, latest-ubuntu).
2. Use the docker run command to run your image.
l Use the operators with the appropriate options for your deployment, as described in
Operators.
l To preconfigure Tenable Nessus, use the -e operator to set environment variables, as

described in Environment Variables.
Note: Tenable recommends using environment variables to configure your instance of Tenable
Nessus when you run the image. If you do not include environment variables such as an activ-
ation code, username, password, or linking key (if creating a managed Tenable Nessus scan-
ner), you must configure those items later.
3. If you did not include environment variables, complete any remaining configuration steps in
the command-line interface or Tenable Nessus configuration wizard.
To stop and remove Tenable Nessus as a Docker image:

l To stop and remove the container, see Remove Tenable Nessus as a Docker Container.
- 83 -
Operators
Operator Description
--name Sets the name of the container in Docker.
-d Starts a container in detached mode.
-p Publishes to the specified port in the format host port:container port. By

default, the port is 8834:8834.
If you have several Tenable Nessus containers running, use a different host
port. The container port must be 8834 because Tenable Nessus listens on port
8834.
-e Precedes an environment variable.
For descriptions of environment variables you can set to configure settings in

your Tenable Nessus instance, see Environment Variables.
- 84 -
Environment Variables
The required and optional environment variables differ based on your Tenable Nessus license and
whether you are linking to Tenable Vulnerability Management. Click the following bullets to view the
environment variables.
Deploying a Tenable Nessus image that is linked to Tenable Vulnerability Management
Variable Required? Description
USERNAME Yes Creates the administrator user.
PASSWORD Yes Creates the password for the user.
Linking Options
LINKING_KEY Yes The linking key from the manager.
NAME No The name of the Tenable Nessus scanner to appear in the

manager. By default, the name is the container ID.
MANAGER_HOST No The hostname or IP address of the manager. By default,

the hostname is cloud.tenable.com.
MANAGER_PORT No The port of the manager. By default, the port is 443.
Proxy Options
PROXY No The hostname or IP address of the proxy server.
PROXY_PORT No The port number of the proxy server.
PROXY_USER No The name of a user account that has permissions to

access and use the proxy server.
PROXY_PASS No The password of the user account that you specified as

the proxy user.
Tenable Nessus Settings
AUTO_UPDATE No Sets whether Tenable Nessus should automatically receive
- 85 -
updates.
Valid values are as follows:
l all —(Default) Automatically update plugins and Ten-

able Nessus software.
l plugins —Only update plugins.
l no —Do not automatically update software or plu-

gins.
Example: Managed Tenable Nessus scanner linked to Tenable Vulnerability Management
docker run --name "nessus-managed" -d -p 8834:8834 -e LINKING_KEY=<Tenable.io linking

key> -e USERNAME=admin -e PASSWORD=admin -e MANAGER_HOST=cloud.tenable.com -e MANAGER_
PORT=443 tenable/nessus:<version-OS>
Deploying a Tenable Nessus Professional image
ACTIVATION_ Yes The activation code to register Tenable Nessus.

CODE
USERNAME Yes Creates the administrator user.
PASSWORD Yes Creates the password for the user.
Example: Tenable Nessus Professional
docker run --name "nessus-pro" -d -p 8834:8834 -e ACTIVATION_CODE=<activation code> -e

USERNAME=admin -e PASSWORD=admin tenable/nessus:<version-OS>
Deploying other Tenable Nessus images
USERNAME No Creates the administrator user.
- 86 -
PASSWORD No Creates the password for the user.
- 87 -
Install Tenable Nessus Agents
To install agents, use the procedures described in the Nessus Agent User Guide.
Once installed, Tenable Nessus Agents are linked to Tenable Nessus Manager. Linked agents auto-
matically download plugins from the manager upon connection; this process can take several
minutes and you must perform it before an agent can return scan results.
Once installed, an agent links to Tenable Nessus Manager after a random delay ranging from zero to
five minutes. Enforcing a delay reduces network traffic when deploying or restarting large amounts
of agents, and reduces the load on Tenable Nessus Manager. Agents automatically download plugins
from the manager upon linking; this process can take several minutes and you before an agent can
return scan results.
- 88 -
Retrieve the Nessus Agent Linking Key
Before you begin the Tenable Nessus Agents installation process, you must retrieve the agent link-
ing key from Tenable Nessus Manager.
To retrieve the agent linking key:
1. In the top navigation bar, click Sensors.
The Linked Agents page appears. By default, Linked Agents is selected in the left navigation
menu and the Linked Agents tab is active.
2. (Optional) To modify the Linking Key, click the button next to the linking key.
You may want to modify a linking key if:
l You regenerated your linking key and want to revert to a previous linking key.
l You have a mass deployment script where you want to predefine your linking key.
Note: The linking key must be a 64-character-alphanumeric string.
3. Record or copy the Linking Key.
What to do next:
l Install Nessus Agent
- 89 -
Link an Agent to Tenable Nessus Manager
After you install Tenable Nessus Agent, link the agent to Tenable Nessus Manager.
Before you begin:

l Retrieve the linking key from Tenable Nessus Manager.
l Install Tenable Nessus Agent.
To link Tenable Nessus Agent to Tenable Nessus Manager:
1. Log in to the Tenable Nessus Agent from a command terminal.
2. At the agent command prompt, use the command nessuscli agent link using the sup-
ported arguments.
For example:
Linux:
/opt/nessus_agent/sbin/nessuscli agent link

--key=00abcd00000efgh11111i0k222lmopq3333st4455u66v777777w88xy9999zabc00
--name=LinuxAgent --groups=All --host=yourcompany.com --port=8834
macOS:
# /Library/NessusAgent/run/sbin/nessuscli agent link

--name=MyOSXAgent --groups=All --host=yourcompany.com --port=8834
Windows:
# C:\Program Files\Tenable\Nessus Agent\nessuscli.exe agent link

--name=WindowsAgent --groups=All --host=yourcompany.com --port=8834
The following table lists the supported arguments for nessuscli agent link:
- 90 -
Argument Required Value
--key yes The linking key that you retrieved from the manager.
--host yes The static IP address or hostname you set during the Tenable
Nessus Manager installation.
--port yes 8834 or your custom port.
--name no A name for your agent. If you do not specify a name for your
agent, the name defaults to the name of the computer where
you are installing the agent.
--ca-path no A custom CA certificate to use to validate the manager's

server certificate.
--groups no One or more existing agent groups where you want to add the
agent. If you do not specify an agent group during the install
process, you can add your linked agent to an agent group
later in Tenable Nessus Manager.
List multiple groups in a comma-separated list. If any group

names have spaces, use quotes around the whole list.
For example: --groups="Atlanta,Global Headquarters"
Note: The agent group name is case-sensitive and must match

exactly.
--offline- no When enabled (set to "yes"), installs Tenable Nessus Agent

install on the system, even if it is offline. Tenable Nessus Agent peri-
odically attempts to link itself to its manager.
If the agent cannot connect to the controller, it retries every

hour. If the agent can connect to the controller but the link
fails, it retries every 24 hours.
--proxy-host no The hostname or IP address of your proxy server.
--proxy-port no The port number of the proxy server.
- 91-
Argument Required Value
--proxy-pass- no The password of the user account that you specified as the
word username.
--proxy-user- no The name of a user account that has permissions to access

name and use the proxy server.
--proxy- no The user agent name, if your proxy requires a preset user
agent agent.
- 92 -
Upgrade Tenable Nessus and Tenable Nessus Agents
This section included information for upgrading Nessus and Nessus Agents on all supported oper-
ating systems.
l Upgrade Nessus
l Upgrade from Evaluation
l Update Tenable Nessus Software
l Upgrade Nessus on macOS
l Upgrade Nessus on Linux
l Upgrade Nessus on Windows
l Update a Nessus Agent
l Downgrade Tenable Nessus Software
- 93 -
Upgrade Nessus
This section includes information for upgrading Nessus.
l Upgrade from Evaluation
l Update Tenable Nessus Software
l Upgrade Nessus on Linux
l Upgrade Nessus on Windows
l Upgrade Nessus on macOS
- 94 -
Upgrade from Evaluation
If you used an evaluation version of Nessus and are now upgrading to a full-licensed version of Nes-
sus, type your full-version activation code on the Settings page, on the About tab.
Update the Activation Code

1. Select the button next to the Activation Code.
2. In the Registration box, select your Nessus type.
3. In the Activation Code box, type your new activation code.
4. Click Activate.
Nessus downloads and install the Nessus engine and the latest Nessus plugins, and then
restarts.
For information about viewing, resetting, updating, and transferring activation codes, see Manage
Activation Code.
- 95 -
Update Tenable Nessus Software
Note: For information about upgrading an offline Tenable Nessus Manager that manages Tenable Nessus
scanners, see Update Nessus Manager Manually on an Offline System.
As an administrator user, you can configure how Tenable Nessus updates software components and
plugins. You can configure the Nessus update settings to update your Nessus version and plugins
automatically, or you can manually update the Nessus version and plugins.
To configure Tenable Nessus software update settings:

1. In Nessus, in the top navigation bar, click Settings.
2. Click the Software Update tab.
3. (Tenable Nessus Professional, Tenable Nessus Expert, and Tenable Nessus Manager only) In
the Automatic Updates section, select one of the following options:
l Update all components: Tenable Nessus automatically updates its software and engine
and downloads the latest plugin set.
In Tenable Nessus Professional and managed Tenable Nessus scanners, Tenable Nessus
updates the software version according to your Nessus Update Plan setting.
l Update plugins: Tenable Nessus automatically downloads the latest plugin set.
l Disabled: Tenable Nessus does not perform any automatic updates.
4. (Tenable Nessus Professional and Tenable Nessus Expert only) If you enabled automatic
updates, in the Update Frequency section, do one of the following:
l If you want to set a standard update interval, from the drop-down box, select Daily,
Weekly, or Monthly.
l If you want to set a custom update frequency in hours, click the button, then type the
number of hours.
5. (Tenable Nessus Professional, Tenable Nessus Expert, and Tenable Vulnerability Management-
managed Tenable Nessus scanners only) Set the Nessus Update Plan to determine what
- 96 -
version Tenable Nessus automatically updates to:
Note: If you change your update plan and have automatic updates enabled, Tenable Nessus may
immediately update to align with the version represented by your selected plan. Tenable Nessus may
either upgrade or downgrade versions.
Option Description
Update to the latest Automatically updates to the latest Tenable Nessus version
GA release when it is made generally available (GA).
(Default) Note: This date is the same day the version is made gen-
erally available.
Opt in to Early Access Automatically updates to the latest Tenable Nessus version as
releases soon as it is released for Early Access (EA), typically a few
weeks before general availability.
Delay updates, stay- Does not automatically update to the latest Tenable Nessus ver-
ing on an older sion. Remains on an earlier version of Tenable Nessus set by
release Tenable, usually one release older than the current
generally available version, but no earlier than 8.10.0. When Ten-
able Nessus releases a new version, your Tenable Nessus
instance updates software versions, but stays on a version prior
to the latest release.
6. (Optional) Only if instructed to by Tenable Support, in the Update Server box, type the server
from which you want Nessus to download plugins.
7. Click the Save button.
Nessus downloads any available updates automatically according to your settings.
To download updates manually:
Note: You cannot use this procedure to update Tenable Vulnerability Management or Tenable Security
Center-managed scanners.
- 97 -
3. In the upper-right corner, click Manual Software Update.
A window appears.
4. In the window, select one of the following options:
l Update all components: Tenable Nessus updates Nessus software and engine and down-
loads the latest plugin set.
In Tenable Nessus Professional and Tenable Nessus Expert, Tenable Nessus updates the
software version according to your Nessus Update Plan setting.
Note: If you change your update plan, Tenable Nessus may immediately update to align with
the version represented by your selected plan. Nessus may either upgrade or downgrade ver-
sions.
l Update plugins: Tenable Nessus downloads the latest plugin set.
l Upload your own plugin archive: Tenable Nessus downloads plugins from a file that you
upload.
5. Click the Continue button.
6. If you selected Upload your own plugin archive, browse for your file and select it.
Nessus downloads any available updates.
- 98 -
Upgrade Nessus on Linux
Download Nessus
From the Tenable Downloads Page, download the latest, full-license version of Nessus.
Use Commands to Upgrade Nessus

From a command prompt, run the Nessus upgrade command.
Note: Nessus automatically stops nessusd when you run the upgrade command.
Red Hat 6 and 7, CentOS 6 and 7, Oracle Linux 6 and 7
# yum upgrade Nessus-<version number and OS>.rpm
Red Hat 8 and later, CentOS 8 and later, Oracle Linux 8 and later, Fedora, SUSE
# dnf upgrade Nessus-<version number and OS>.rpm
# dpkg -i Nessus-<version number and OS>.deb
Start the Nessus Daemon

From a command prompt, restart the nessusd daemon.
Red Hat, CentOS, Oracle Linux, Fedora, SUSE, FreeBSD
# service nessusd start
# /etc/init.d/nessusd start
This completes the process of upgrading Nessus on a Linux operating system.
- 99 -
Upgrade Nessus on Windows
Download Nessus
From the Tenable Downloads Page, download the latest, full-license version of Nessus. The down-
load package is specific the Nessus build version, your platform, your platform version, and your
CPU.
Example Nessus Installer Files
Nessus-<version number>-Win32.msi
Nessus-<version number>-x64.msi

1. Navigate to the folder where you downloaded the Nessus installer.
2. Next, double-click the file name to start the installation process.
Complete the Windows InstallShield Wizard

1. At the Welcome to the InstallShield Wizard for Tenable, Inc. Nessus screen, select Next.
2. On the License Agreement screen, read the terms of the Tenable, Inc. Nessus software
license and subscription agreement.
3. Select the I accept the terms of the license agreement option, and then select the Next but-
ton.
4. On the Destination Folder screen, select the Next button to accept the default installation
folder. Otherwise, select the Change button to install Nessus to a different folder.
The Installing Tenable, Inc. Nessus screen appears and a Status indication bar shows the
upgrade progress.
6. On the Tenable Nessus InstallShield Wizard Completed screen, select the Finish button.
Nessus loads in your default browser, where you can log in.
- 100 -
Upgrade Nessus on macOS
The process of upgrading Nessus on macOS using the Nessus installation GUI is the same process
as a new Mac Install.
- 101-
Update a Nessus Agent
After you install an agent, Tenable Nessus Manager automatically updates the agent software based
on the agent update plan. For more information on configuring the agent update plan, see Agent
Updates.
Note: In addition to using the agent update plan, you can manually update agents through the command
line. For more information, see the Tenable Nessus Agent User Guide.
- 102 -
Downgrade Tenable Nessus Software
Tenable Nessus 8.10.0 and later supports the ability to downgrade Tenable Nessus to a previous ver-
sion of Tenable Nessus. You cannot downgrade to a version before 8.10.0.
You can downgrade Tenable Nessus software manually, or, for you can configure the Nessus Update
Plan to automatically downgrade to an older release.
Before you begin:

l Tenable recommends that you create a Tenable Nessus backup file.
l If Tenable Nessus has an encryption password, you cannot downgrade by changing the Ten-
able Nessus update plan. Remove the encryption password from Tenable Nessus before you
downgrade, then set the encryption password again after the downgrade is complete.
To remove the Tenable Nessus encryption password, see the How to remove the encryption
password (formerly master password) through the command-line knowledge base article. To
set the Tenable Nessus encryption password after downgrading, see Set an Encryption Pass-
word.
To downgrade Tenable Nessus manually on Linux or macOS:
Note: To manually downgrade Tenable Nessus on Windows, contact Tenable support .
1. Turn off automatic software updates by doing either of the following:
l Change your Tenable Nessus software update plan as described in Update Tenable Nes-
sus Software, set Automatic Updates to Disabled.
l Modify the advanced setting Automatically Update Nessus (auto_update_ui), as

described in Advanced Settings.
2. Use one of the following procedures depending on your operating system:
Linux
a. Download the Tenable Nessus version you want to install.
b. Manually install the Tenable Nessus version. Force install the new Tenable Nessus rpm
file over the current rpm file.
- 103 -
macOS
a. Download the Tenable Nessus version you want to install.
b. Manually install the Tenable Nessus version. Replace the current Tenable Nessus pkg file
with the new pkg file.
To configure Tenable Nessus to downgrade automatically (Tenable Nessus Pro-

fessional, Tenable Nessus Expert, and Tenable Vulnerability Management-managed
Tenable Nessus scanners only):
1. In Tenable Nessus, in the top navigation bar, click Settings.
3. Set the Nessus Update Plan to determine what version Tenable Nessus automatically updates
to. To automatically downgrade, select Delay updates, staying on an older release.
Note: If you change your update plan and have automatic updates enabled, Tenable Nessus may
immediately update to align with the version represented by your selected plan. Tenable Nessus may
either upgrade or downgrade versions.
Option Description
Update to the latest Automatically updates to the latest Tenable Nessus version
GA release when it is made generally available (GA).
(Default) Note: This date is the same day the version is made gen-
erally available.
Opt in to Early Access Automatically updates to the latest Tenable Nessus version as
releases soon as it is released for Early Access (EA), typically a few
Delay updates, stay- Does not automatically update to the latest Tenable Nessus ver-
ing on an older sion. Remains on an earlier version of Tenable Nessus set by
release
- 104 -
Tenable, usually one release older than the current
Tenable Nessus saves the update plan.
- 105 -
Configure Tenable Nessus
When you access Tenable Nessus in a browser, a warning appears to regard a connection privacy
problem, an untrusted site, an unsecure connection, or a related security certificate issue. This is
normal behavior. Tenable Nessus provides a self-signed SSL certificate.
Refer to the Security Warnings section for steps necessary to bypass the SSL warnings.
Note: Depending on your environment, plugin configuration and initialization can take several minutes.
To configure Tenable Core + Tenable Nessus, see Deploy or Install Tenable Core in the Tenable
Core+ Tenable Nessus User Guide.
Before you begin:

l Install Tenable Nessus.
To configure Tenable Nessus:
1. Follow the Install Tenable Nessus instructions to open to the Welcome to Nessus screen in
your browser.
2. On the Welcome to Nessus screen, select how you want to deploy Tenable Nessus.
3. Follow the configuration steps for your selected product:
l Install Tenable Nessus Essentials, Professional, or Manager
l Link to Tenable Vulnerability Management
l Link to Tenable Security Center
l Link to Tenable Nessus Manager
l Link a Node (Tenable Nessus Manager cluster)
l Manage Tenable Nessus Offline
- 106 -
Install Tenable Nessus Essentials, Professional, or Manager
This option installs a standalone version of Tenable Nessus Essentials, Nessus Professional, or Nes-
sus Manager. During installation, you must enter your Nessus Activation Code; this Activation Code
determines which product is installed.
For information on activating a Nessus trial, see Activate a Nessus Professional or Expert Trial.
To configure Tenable Nessus as Tenable Nessus Essentials, Tenable Nessus Professional,

or Tenable Nessus Manager:
1. On the Welcome to Nessus screen, select how you want to install Tenable Nessus:
l Nessus Home —The free version of Nessus for educators, students, and hobbyists.
l Nessus Professional —The de-facto industry standard vulnerability assessment solution

for security practitioners.
l Nessus Expert —The industry-leading vulnerability assessment solution for the modern
attack surface.
l Nessus Manager —The enterprise solution for managing Nessus Agents at scale.
2. Click Continue.
l If you selected Nessus Professional, Nessus Expert, or Nessus Manager, the Register
Nessus screen appears.
l If you selected Nessus Essentials, the Get an activation code screen appears. Do one of
the following:
l If you need an activation code:
a. On the Get an activation code screen, type your name and email address.
b. Click Email.
c. Check your email for your free activation code.
l If you already have an activation code, click Skip.
The Register Nessus page appears.
3. On the Register Nessus screen, type your Activation Code.
- 107 -
The Activation Code is the code you obtained from your activation email or from the Tenable
Downloads Page.
4. Click Continue.
The Create a user account screen appears.
5. Create a Tenable Nessus administrator user account that you use to log in to Tenable Nessus:
a. In the Username box, enter a username.
b. In the Password box, enter a password for the user account.
Note: Passwords cannot contain Unicode characters.
6. Click Submit.
Tenable Nessus finishes the configuration process, which may take several minutes.
7. Using the administrator user account you created, Sign In to Tenable Nessus.
- 108 -
Link to Tenable Vulnerability Management
During initial installation, you can install Tenable Nessus as a remote scanner linked to Tenable Vul-
nerability Management. If you choose not to link the scanner during initial installation, you can link
your Tenable Nessus scanner later.
Note: If you use domain allow lists for firewalls, Tenable recommends adding *.cloud.tenable.com (with the
wildcard character) to the allow list. This ensures communication with sensor.cloud.tenable.com, which
the scanner uses to communicate with Tenable Vulnerability Management.
Note: Once you link Tenable Nessus to Tenable Vulnerability Management, it remains linked until you unlink
it .
Before you begin:

l Configure Tenable Nessus as described in Configure Tenable Nessus.
l If the Tenable Nessus scanner is or was previously linked to Tenable Vulnerability Man-
agement, Tenable Security Center, or Tenable Nessus Manager, you need to unlink the scan-
ner or run the nessuscli fix --reset-all command (for more information, see Fix
Commands).
To link Tenable Nessus to Tenable Vulnerability Management from the Tenable Nessus
user interface:
1. On the Welcome to Nessus screen, select Managed Scanner.
2. Click Continue.
The Managed Scanner screen appears.
3. From the Managed by drop-down box, select Tenable.io.
4. In the Linking Key box, type the linking key of your Tenable Vulnerability Management
instance.
5. (Optional) If you want to use a proxy, select Use Proxy.
Configure the proxy settings in Settings.
- 109 -
6. (Optional) To configure advanced settings such as proxy, plugin feed, and encryption pass-
word, click Settings.
l (Optional) In the Proxy tab:
a. In the Host box, type the hostname or IP address of your proxy server.
b. In the Port box, type the port number of the proxy server.
Note: To view the ports that Tenable products require, see the What ports are required for
Tenable products? knowledge base article.
c. In the Username box, type the name of a user account that has permissions to
d. In the Password box, type the password of the user account that you specified in
the previous step.
e. In the Auth Method drop-down box, select an authentication method to use for the
proxy. If you do not know, select AUTO DETECT.
f. If your proxy requires a preset user agent, in the User-Agent box, type the user
agent name; otherwise, leave it blank.
g. Click Save.
l (Optional) In the Plugin Feed tab:
a. In the Custom Host box, type the hostname or IP address of a custom plugin feed.
b. Click Save.
l (Optional) In the Encryption Password tab:
a. In the Password box, type an encryption password.
If you set an encryption password, Nessus encrypts all policies, scans results, and
scan configurations. You must enter the password when Tenable Nessus restarts.
Caution: If you lose your encryption password, it cannot be recovered by an admin-
- 110 -
istrator or Tenable Support.
b. Click Save.
7. Click Continue.
8. Create a Tenable Nessus administrator user account that you use to log in to Tenable Nessus:
9. Click Submit.
To link Tenable Nessus to Tenable Vulnerability Management from the command-line inter-
face (CLI):
If you registered or linked Tenable Nessus previously, you need to reset Tenable Nessus before link-
ing to Tenable Vulnerability Management.
Run the following commands to reset Tenable Nessus and link to Tenable Vulnerability Management
based on your operating system. To retrieve the linking key needed in the following commands, see
Link a Sensor in the Tenable Vulnerability Management user guide.
Note: The --reset-all command used in the following steps removes any existing users, data, settings,
and configurations. Tenable recommends exporting scan data and creating a backup before resetting. For
more information, see Backing Up Tenable Nessus.
Note: When running the adduser command in the following steps, create the user as a full admin-
istrator/ system administrator when prompted.
Linux:
Note: You must have root permissions or greater to run the link commands successfully.
- 111-
1. Open the Linux CLI.
# service nessusd stop
# cd /opt/nessus/sbin
# ./nessuscli fix --reset-all
# ./nessuscli adduser
3. Do one of the following:
l If you are linking to a Tenable Vulnerability Management FedRAMP site, run the following
link command:
# /opt/nessus/sbin/nessuscli managed link --key=<key> --host-

t=fedcloud.tenable.com --port=443
l If you are not linking to a FedRAMP site, run the following link command:
# ./nessuscli managed link --key=<LINKING KEY> --cloud
4. Run the following linking command:
# service nessusd start
Windows:
Note: You must have admin permissions to run the link commands successfully.
1. Open the Windows CLI.
- 112 -
> net stop "tenable nessus"
> cd C:\Program Files\Tenable\Nessus
> nessuscli fix --reset-all
> nessuscli adduser
link command:
> \opt\nessus\sbin\nessuscli managed link --key=<key> --host-

> nessuscli managed link --key=<LINKING KEY> --cloud
4. Run the following command:
> net start "tenable nessus"
macOS:
Note: You must have admin permissions to run the link commands successfully.
1. Open Terminal.
# launchctl unload -w /Library/LaunchDae-

mons/com.tenablesecurity.nessusd.plist
- 113 -
# /Library/Nessus/run/sbin/nessuscli fix --reset-all
# /Library/Nessus/run/sbin/nessuscli adduser
link command:
# /opt/nessus/sbin/nessuscli managed link --key=<key> --host-

# /Library/Nessus/run/sbin/nessuscli managed link --key=<LINKING

KEY> --cloud
# launchctl load -w /Library/LaunchDae-

mons/com.tenablesecurity.nessusd.plist
- 114 -
Link to Tenable Security Center
During initial installation, you can install Tenable Nessus as a remote scanner linked to Tenable
Security Center. If you choose not to link the scanner during initial installation, you can link your Ten-
able Nessus scanner later.
Note: Once you link Tenable Nessus to Tenable Security Center, it remains linked until you unlink it .
Note: Tenable Security Center does not send plugins to linked Nessus Managers. Nessus Manager pulls plu-
gins directly from Tenable's plugin sites. Therefore, to update plugin sets, Nessus Manager needs access
to the internet and Tenable's plugin sites (for more information, see the Which Tenable sites should I allow?
community article). If your Nessus Manager does not have internet access, you can manually update its ver-
sion and plugins offline (for more information, see Manage Nessus Offline).
Before you begin:

Commands).
To link Nessus to Tenable Security Center:
1. On the Welcome to Nessus, select Managed Scanner.
2. Click Continue.
3. From the Managed by drop-down box, select Tenable.sc.
- 115 -
the previous step.
g. Click Save.
b. Click Save.

b. Click Save.
5. Click Continue.
6. Create a Tenable Nessus administrator user account, which you use to log in to Tenable Nes-
sus:
- 116 -
7. Click Submit.
What to do next:
l Add the Tenable Nessus scanner to Tenable Security Center as described in Add a Nessus
Scanner in the Tenable Security Center User Guide.
- 117 -
Link to Tenable Nessus Manager
Note: When deployed for Tenable Nessus Agent management in Tenable Security Center, Tenable Nessus
Manager does not support linking Tenable Nessus scanners.
During initial installation, you can install Tenable Nessus as a remote scanner linked to Tenable Nes-
sus Manager. If you choose not to link the scanner during initial installation, you can link your Ten-
able Nessus scanner later.
Note: Once you link Nessus to Tenable Nessus Manager, it remains linked until you unlink it .
Before you begin:

Commands).
To link Nessus to Tenable Nessus Manager:
1. On the Welcome to Nessus screen, select Managed Scanner.
2. Click Continue.
3. From the Managed by drop-down box, select Nessus Manager (Scanner).
4. In the Host box, type Tenable Nessus Manager host.
5. In the Port box, type the Tenable Nessus Manager port.
6. In the Linking Key box, type the linking key from Tenable Nessus Manager.
7. (Optional) If you want to use a proxy, select Use Proxy.
- 118 -
the previous step.
g. Click Save.
b. Click Save.

b. Click Save.
9. Click Continue.
- 119 -
sus:
11. Click Submit.
- 120 -
Link a Node
To link a child node to a cluster, you install an instance of Tenable Nessus as a cluster child node,
then configure the node to link to the parent node of the cluster.
Note: If cluster child nodes have automatic software updates disabled, you must manually update them to
Nessus 8.12 or later to use agent cluster groups. If cluster child nodes have automatic software updates
enabled, nodes can take up to 24 hours to update. To ensure correct linking and configuration, wait for all
child nodes to update to a supported Nessus version before configuring custom cluster groups. All child
nodes must be on the same Nessus version and operating system.
Before you begin:

l Get the linking key from the cluster parent node.
To install and configure Tenable Nessus as a child node:
1. Install Tenable Nessus as described in the appropriate Install Tenable Nessus procedure for
your operating system.
3. Click Continue.
4. From the Managed by drop-down box, select Nessus Manager (Cluster Node).
5. Click Continue.
sus:
7. Click Submit.
To link the child node to the parent node:
- 121-
1. In the Tenable Nessus child node, use the administrator user account you created during ini-
tial configuration to sign in to Tenable Nessus.
The Agents page appears. By default, the Node Settings tab is open.
2. Enable the toggle to On.
3. Configure the General Settings:
l Node Name —Type a unique name that identifies this Tenable Nessus child node on the
parent node.
l (Optional) Node Host —Type the hostname or IP address that Tenable Nessus Agents
should use to access the child node. If you do not provide a host node, Tenable Nessus
Agent uses the system hostname. If Tenable Nessus Agent cannot detect the hostname,
the link fails.
l (Optional) Node Port —Type the port for the specified host.
4. Configure the Cluster Settings:
l Cluster Linking Key —Paste or type the linking key that you copied from the Tenable Nes-
sus Manager parent node.
l Parent Node Host —Type the hostname or IP address of the Tenable Nessus Manager
parent node to which you are linking.
l Parent Node Port —Type the port for the specified host. The default is 8834.
l (Optional) Use Proxy —Select the check box if you want to connect to the parent node
via the proxy settings set in Proxy Server.
5. Click Save.
A confirmation window appears.
6. To confirm linking the node to the parent node, click Continue.
The Tenable Nessus child node links to the parent node. Tenable Nessus logs you out of the
user interface and disables the user interface.
What to do next:
- 122 -
l Log in to the Tenable Nessus Manager parent node to manage linked Tenable Nessus Agents
and nodes.
l Link or migrate agents to the cluster.
l On the Tenable Nessus Manager parent node, manage cluster groups to organize your nodes
into groups that conform to your network topology. You must segment your network with
cluster groups when certain agents only have access to certain child nodes. By default, Nes-
sus assigns the node to the default cluster group.
Manage Tenable Nessus Offline

To manage Tenable Nessus offline, you need two computers: the Nessus server, which is not con-
nected to the internet, and another computer that is connected to the internet.
- 123 -
Scenario 1: New Nessus Install
If you want to install Nessus, but, for security purposes, the server is not connected to the internet,
then follow the steps to install Nessus while offline. This process downloads and installs Nessus plu-
gins on the offline Nessus server.
- 124 -
Scenario 2: Update Nessus Licensing
If you have an existing Nessus server that is offline, and you want to update Nessus with the new
license/ activation code, then complete the following steps:
Caution: Tenable recommends saving the custom-offline plugin download URL described in step 5 before
continuing to step 6. The URL appears only once after registration. If you close the registration window
and forget the URL, you have to restart the registration process to generate a new URL.
1. Generate Challenge Code.
2. Generate Your License.
3. Download and copy the license file (nessus.license).
4. Register Your License with Nessus.
5. Download and copy plugins to Nessus.
6. Install Plugins Manually.
7. Update Nessus Manager Manually on an Offline System.
- 125 -
Scenario 3: Update Nessus Plugins
You have an existing Nessus server that is offline and you need to update Nessus plugins. In this
scenario, you have already completed steps to Install Tenable NessusOffline but you need to install
the latest plugins.
In this case, perform the following operations:
1. Use the Custom URL that you saved and copied during your first offline Download and Copy
Plugins operation.
2. Download and Copy Plugins
3. Install Plugins Manually
- 126 -
Nessus Offline Operations
For explanation purposes, we provide computers A (offline Nessus server) and B (online computer)
to demonstrate operations performed when managing Nessus offline.
Computer A Computer B
Operation
(Offline Nessus) (Online Computer)
Generate Challenge Code X
Generate Your License X
Download and Copy License File (nessus.license) X
Download and Copy Plugins X
Register Your License with Nessus X
Install Plugins Manually X
- 127 -
Manage Activation Code
To manage your activation code, use the following topics:
l View Activation Code
l Reset Activation Code
l Update Activation Code
l Transfer Activation Code
- 128 -
View Activation Code
View on Tenable Community

View your activation code on the Tenable Community site, as described in the Tenable Community
Guide.
View in Tenable Nessus

1. Log in to Tenable Nessus.
3. In the Overview tab, view your Activation Code.
View from Command Line

Use the nessuscli fetch --code-in-use command specific to your operating system.
Platform Command
Linux # /opt/nessus/sbin/nessuscli fetch --code-in-use
FreeBSD # /usr/local/nessus/sbin/nessuscli fetch --code-in-use
Windows C:\Program Files\Tenable\Nessus>nessuscli.exe fetch --code-in-

use
macOS # /Library/Nessus/run/sbin/nessuscli fetch --code-in-use
- 129 -
Reset Activation Code
You do not need to reset your activation code for the latest Tenable Nessus versions, and you are
able to re-register the same license with your original activation code.
In Nessus Professional 7.x and earlier versions, if you uninstall and reinstall Nessus, you need to
reset your activation code. Reset your activation code on the Tenable Community site, as described
in the Tenable Community Guide.
Note: Reset codes have a 10-day waiting period before you can reset your code again.
- 130 -
Update Activation Code
When you receive a new license with a corresponding activation code, you must register the new
activation code in Nessus.
Note: If you are working with Nessus offline, see Manage Tenable Nessus Offline.
User Interface
2. In the Overview tab, click the button next to the activation code.
3. Type the activation code and click Activate.
The license is now active on this instance of Nessus.
Command Line Interface

1. On the system running Nessus, open a command prompt.
2. Run the nessuscli fetch --register <Activation Code> command specific to your
operating system.
Platform Command
Linux # /opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-

xxxx-xxxx
FreeBSD # /usr/local/nessus/sbin/nessuscli fetch --register xxxx-

xxxx-xxxx-xxxx
Windows C:\Program Files\Tenable\Nessus>nessuscli.exe fetch --

register xxxx-xxxx-xxxx-xxxx
macOS # /Library/Nessus/run/sbin/nessuscli fetch --register

xxxx-xxxx-xxxx-xxxx
Nessus downloads and installs the Nessus engine and the latest Nessus plugins, and then
restarts.
- 131-
Note: To register Nessus without automatically downloading and installing the latest updates, use
the command nessuscli fetch --register-only.
Transfer Activation Code

In Tenable Nessus Professional and Tenable Nessus Expert, you can use an activation code on mul-
tiple systems. This allows you to transfer a Tenable Nessus license from one system to another eas-
ily and without resetting your activation code each time.
When you transfer the activation code to a system, it becomes the active instance of Nessus for
that license. Only the most recently activated system can receive plugin updates. All previous
instances of Nessus with that activation code still function, but cannot receive plugin updates. On
inactive instances, the following error message appears: Access to the feed has been denied, likely
due to an invalid or transferred license code.
To transfer an activation code, use one of the following procedures on the system that you want to
make the active instance of Nessus.
- 132 -
Nessus User Interface
Activate a new Nessus instance
1. Install Nessus as described in the appropriate procedure for your operating system.
2. Access the system in a browser.
3. In the Create an account window, type a username and password.
4. Click Continue.
5. In the Register your scanner window, in the Scanner Type drop-down box, select Tenable Nes-
sus Essentials, Professional, or Manager.
6. In the Activation Code box, type your activation code.
7. Click Continue.
Nessus finishes the installation process, which may take several minutes. Once installation is
complete, the license is active on this instance of Nessus.
Update an existing Nessus instance
1. Access the system on which you want to activate Nessus.
3. In the Overview tab, click the button next to the activation code.
4. Type the activation code and click Activate.
The license is now active on this instance of Nessus.
- 133 -
Command Line Interface
Perform the following procedure as root, or use sudo as a non-root user.
1. On the system on which you want to activate Nessus, open a command prompt.
2. Run the nessuscli fetch --register <Activation Code> command specific to your
operating system.
Platform Command
Linux # /opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-

xxxx-xxxx
FreeBSD # /usr/local/nessus/sbin/nessuscli fetch --register xxxx-

xxxx-xxxx-xxxx
macOS # /Library/Nessus/run/sbin/nessuscli fetch --register

xxxx-xxxx-xxxx-xxxx

register xxxx-xxxx-xxxx-xxxx
Nessus downloads and installs the Nessus engine and the latest Nessus plugins, and then
restarts.
Manage Tenable Nessus Offline

To manage Tenable Nessus offline, you need two computers: the Nessus server, which is not con-
nected to the internet, and another computer that is connected to the internet.
- 134 -
Scenario 1: New Nessus Install
If you want to install Nessus, but, for security purposes, the server is not connected to the internet,
then follow the steps to install Nessus while offline. This process downloads and installs Nessus plu-
gins on the offline Nessus server.
- 135 -
Scenario 2: Update Nessus Licensing
If you have an existing Nessus server that is offline, and you want to update Nessus with the new
license/ activation code, then complete the following steps:
Caution: Tenable recommends saving the custom-offline plugin download URL described in step 5 before
continuing to step 6. The URL appears only once after registration. If you close the registration window
and forget the URL, you have to restart the registration process to generate a new URL.
1. Generate Challenge Code.
2. Generate Your License.
3. Download and copy the license file (nessus.license).
4. Register Your License with Nessus.
5. Download and copy plugins to Nessus.
6. Install Plugins Manually.
7. Update Nessus Manager Manually on an Offline System.
- 136 -
Scenario 3: Update Nessus Plugins
You have an existing Nessus server that is offline and you need to update Nessus plugins. In this
scenario, you have already completed steps to Install Tenable NessusOffline but you need to install
the latest plugins.
In this case, perform the following operations:
1. Use the Custom URL that you saved and copied during your first offline Download and Copy
Plugins operation.
2. Download and Copy Plugins
3. Install Plugins Manually
- 137 -
Nessus Offline Operations
For explanation purposes, we provide computers A (offline Nessus server) and B (online computer)
to demonstrate operations performed when managing Nessus offline.
Computer A Computer B
Operation
(Offline Nessus) (Online Computer)
Generate Challenge Code X
Generate Your License X
Download and Copy License File (nessus.license) X
Register Your License with Nessus X
Install Plugins Manually X
Install Tenable NessusOffline

A Nessus Offline registration is suitable for computers that run Nessus, but are not connected to
the internet. To ensure that Nessus has the most up-to-date plugins, Nessus servers not connected
to the internet must perform these specific steps to register Nessus.
This process requires the use of two computers: the computer where you are installing Nessus,
which is not connected to the internet, and another computer that is connected to the internet.
For the following instructions, we use computers A (offline Tenable Nessus server) and B (online
computer) as examples.
1. During the browser portion of the Nessus installation, in the Registration drop-down, select
Offline.
A unique Challenge Code appears. In the following example, the challenge code is:
- 138 -
aaaaaa11b2222cc33d44e5f6666a777b8cc99999.
2. (Optional) Configure your Nessus setup to use Custom Settings.
- 139 -
Generate the License
1. On a system with internet access (B), navigate to the Nessus Offline Registration Page.
2. In the top field, type the challenge code shown on the Nessus Product Registration screen.
Example Challenge Code: aaaaaa11b2222cc33d44e5f6666a777b8cc99999
3. Next, where prompted, type your Nessus activation code.
Example Activation Code: AB-CDE-1111-F222-3E4D-55E5-CD6F
4. Click the Submit button.
The Offline Update Page Details appears and includes the following elements:
l Custom URL: The custom URL displayed downloads a compressed plugins file. This file
is used by Nessus to obtain plugin information. This URL is specific to your Nessus
license and must be saved and used each time plugins need to be updated.
l License: The complete text-string starting with -----BEGIN Tenable, Inc. LICENSE-----
and ends with -----END Tenable, Inc. LICENSE----- is your Nessus product license
information. Tenable uses this text-string to confirm your product license and regis-
tration.
l nessus.license file: At the bottom of the web page, there is an embedded file that
includes the license text-string.
- 140 -
Download and Copy Latest Plugins
1. While still using the computer with internet access (B), select the on-screen, custom URL.
A compressed TAR file downloads.
Tip: This custom URL is specific to your Nessus license. Save it and use it each time you need to
update plugins.
2. Copy the compressed TAR file to the Nessus offline (A) system.
Use the directory specific to your operating system:
Platform Command
Linux # /opt/nessus/sbin/
FreeBSD # /usr/local/nessus/sbin/
Windows C:\Program Files\Tenable\Nessus
macOS # /Library/Nessus/run/sbin/
- 141-
Copy and Paste License Text
1. While still using the computer with internet access (B), copy complete text string starting with
-----BEGIN Tenable, Inc. LICENSE----- and ends with -----END Tenable, Inc. LICENSE-----
2. On the computer where you are installing Nessus (A), on the Nessus Product Registration
screen, paste the complete text string starting with -----BEGIN Tenable, Inc. LICENSE-----
and ends with -----END Tenable, Inc. LICENSE-----.
3. Select Continue.
Nessus finishes the installation process; this may take several minutes.
4. Using the System Administrator account you created during setup, Sign In to Nessus.
- 142 -
Generate Challenge Code
Before performing offline update operations, you may need to generate a unique identifier on the
Tenable Nessus server. Tenable calls this identifier a challenge code.
Whereas you use an activation code when performing Tenable Nessus operations while connected
to the internet, you use a license when performing offline operations; the generated challenge code
enables you to view and use your license for offline operations.
To generate a challenge code in Tenable Nessus:
1. Log in to Tenable Nessus.
2. Click Settings.
3. Click the pencil icon next to the activation code.
The Update Activation Code window appears.
4. In the Registration drop-down menu, select Offline.
5. Click Activate.
The challenge code appears in the window.
To generate a challenge code from the command line:

1. On the offline system running Tenable Nessus (A), open a command prompt.
2. Use the nessuscli fetch --challenge command specific to your operating system.
Platform Command
Linux # / opt/ nessus/ sbin/ nessuscli fetch --challenge
FreeBSD # / usr/ local/ nessus/ sbin/ nessuscli fetch --challenge
Windows C:\ Program Files\ Tenable\ Nessus>nessuscli.exe fetch --challenge
macOS # / Library/ Nessus/ run/ sbin/ nessuscli fetch --challenge
3. Copy the alphanumeric challenge code.

Example Challenge Code:
- 143 -
aaaaaa11b2222cc33d44e5f6666a777b8cc99999
4. Use the copied challenge code to Generate Your License.
- 144 -
Generate Your License
By default, when you install Tenable Nessus, your license is hidden and automatically registered.
You cannot view this license.
However, if your Tenable Nessus Server is not connected to the internet (in other words, it is off-
line), you must generate a license. This license is unique to your Tenable Nessus product, and you
cannot share it.
Your license is a text-based file that contains a string of alphanumeric characters. The license is
created and based on your unique generated challenge code.
To generate your Tenable Nessus license:
1. On a system with internet access (B), navigate to the Tenable Nessus Offline Registration
Page.
2. Where prompted, type in your challenge code.
Example Challenge Code: aaaaaa11b2222cc33d44e5f6666a777b8cc99999
3. Next, where prompted, enter your Tenable Nessus activation code.
Example Activation Code: AB-CDE-1111-F222-3E4D-55E5-CD6F
4. Select Submit.
At the bottom of the resulting web page, an embedded nessus.license file that includes the
license text string appears.
5. Next, Download and Copy License File (nessus.license).
- 145 -
Download and Copy License File (nessus.license)
After you have generated your Tenable Nessus license, you now need to download and then copy
the license to the offline system (A) running Tenable Nessus.
1. At the Tenable Nessus Offline Registration Page, while still using the computer with internet
access (B), select the on-screen nessus.license link.
The link downloads the nessus.license file.
2. Copy the nessus.license file to the offline system (A) running Tenable Nessus 6.3 and newer.
Platform Directory
Linux # /opt/nessus/etc/nessus/
FreeBSD # /usr/local/nessus/etc/nessus
macOS # /Library/Nessus/run/etc/nessus
Windows C:\ProgramData\Tenable\Nessus\conf
3. Next, register your license with Tenable Nessus.
- 146 -
Register Your License with Nessus
When you receive a new license and Activation Code, you must re-register the license with Nessus.
When your Nessus server is offline, you must generate a license, download the license, and then
register your license with Nessus.
Once downloaded and copied to your offline Nessus server, use the nessuscli fetch -- register com-
mand that corresponds to your operating system.
1. On the offline system running Nessus (A), open a command prompt.
2. Use the nessuscli fetch --register-offline command specific to your operating system.
Platform Command
Linux # /opt/nessus/sbin/nessuscli fetch --register-offline

/opt/nessus/etc/nessus/nessus.license
FreeBSD # /usr/local/nessus/sbin/nessuscli fetch --register-

offline /usr/local/nessus/etc/nessus/nessus.license

register-offline
"C:\ProgramData\Tenable\Nessus\conf\nessus.license"
macOS # /Library/Nessus/run/sbin/nessuscli fetch --register-

offline /Library/Nessus/run/etc/nessus/nessus.license
- 147 -
Download and Copy Plugins
Note: The following process is only intended for organizations that do not want to enable automatic plugin
updates in their Tenable Nessus environment, or organizations that use offline environments. For inform-
ation about automatic plugin updates and how to enable them, see Update Tenable Nessus Software.
After submitting the required information on the Offline Update Page Details, download the Nessus
Plugins compressed TAR file.
Download Plugins
1. Using the computer with internet access (B), copy and save the on-screen custom URL link.
Note: This custom URL is specific to your Tenable Nessus license and you must use it each time you
need to download and update plugins again.
Caution: Tenable recommends saving the custom URL before continuing. The URL is only shown
once after registration. If you close the registration window and forget the URL, you have to restart
the registration process to generate a new URL.
2. Click the on-screen custom URL link.

The link downloads the compressed TAR file.
Copy Plugins to Tenable Nessus

3. Copy the compressed TAR file to the offline (A) system.
Platform Directory
Linux # /opt/nessus/sbin/
FreeBSD # /usr/local/nessus/sbin/
macOS # /Library/Nessus/run/sbin/
Windows C:\Program Files\Tenable\Nessus
4. Next, on the offline (A) system running Tenable Nessus, Install Plugins Manually.
- 148 -
Install Plugins Manually
You can manually update Nessus plugins in two ways: the user interface or the command-line inter-
face.
Before you begin:

l Download and copy the Nessus plugins compressed TAR file to your system.
To install plugins manually using the Tenable Nessus user interface:
3. In the upper-right corner, click the Manual Software Update button.
The Manual Software Update dialog box appears.
4. In the Manual Software Update dialog box, select Upload your own plugin archive, and then
click Continue.
5. Navigate to the compressed TAR file you downloaded, select it, then click Open.
Tenable Nessus updates with the uploaded plugins.
To install plugins manually using the command-line interface:
1. On the system running Tenable Nessus, open a command prompt.
2. Use the nessuscli update <tar.gz file name> command specific to your operating sys-
tem.
- 149 -
Platform Command
Linux # /opt/nessus/sbin/nessuscli update <tar.gz filename>
FreeBSD # /usr/local/nessus/sbin/nessuscli update <tar.gz file-

name>
macOS # /Library/Nessus/run/sbin/nessuscli update <tar.gz file-

name>
Windows C:\Program Files\Tenable\Nessus>nessuscli.exe update

<tar.gz filename>
Tenable Nessus updates with the uploaded plugins.
Note: If you receive a signature check failure error, check the integrity of your plugins archive, download
the plugins again, and retry the process. If the error persists, re-register Nessus or contact Tenable Sup-
port.
- 150 -
Update the Audit Warehouse Manually
The audit warehouse, which contains all currently published audits, updates automatically when you
upgrade to a new version of Tenable Nessus. You can perform an offline update to update the audit
warehouse without upgrading to a new version of Tenable Nessus.
Before you begin:

l Download the audit warehouse archive file from the Tenable audits page.
To update the audit warehouse manually using the Tenable Nessus user interface:
click Continue.
5. Navigate to the compressed TAR file you downloaded, select it, and then click Open.
Tenable Nessus updates with the uploaded audit files.
To update the audit warehouse manually using the command-line interface:
1. On the system running Tenable Nessus, open a command prompt.
2. Use the nessuscli update <tar.gz filename> command specific to your operating sys-
tem.
- 151-
Platform Command

name>

<tar.gz filename>

name>
Tenable Nessus updates with the uploaded audit files.
- 152 -
Update Nessus Manager Manually on an Offline System
Note: Use the following steps to upgrade an offline Tenable Nessus Manager that manages Tenable Nessus
scanners. When upgrading other forms of Tenable Nessus offline (for example, Tenable Nessus Pro-
fessional, a Tenable Nessus Manager not managing Tenable Nessus scanners, or Tenable Nessus scanners
managed by Tenable Security Center), use the steps described in Update Tenable Nessus Software.
On Nessus Manager, you can manually update software on an offline system in two ways.
l Option 1: Use the Manual Software Update feature in the Nessus user interface.
l Option 2: Use the command-line interface and the nessuscli update command.
Option 1: Manual Software Update via the User Interface

1. Download the file nessus-updates-x.x.x.tar.gz, where x.x.x is the version number, from
https:/ / www.tenable.com/ downloads/ nessus.
2. On the offline system running Nessus (A), in the top navigation bar, select Settings.
3. From the left navigation menu, select Software Update.
4. Select the Manual Software Update button.
select Continue.
6. Navigate to the directory where you downloaded the compressed TAR file.
7. Select the compressed TAR file and then select Open.
Nessus updates with the uploaded plugins.
Option 2: Update via the Command Line

1. Download the file nessus-updates-x.x.x.tar.gz, where x.x.x is the version number, from
https:/ / www.tenable.com/ downloads/ nessus.
tem.
- 153 -
Platform Command

name>

<tar.gz filename>

name>
- 154 -
Offline Update Page Details
When you are working with Nessus offline, use the https:/ / plugins.nessus.org/ v2/ offline.php page.
Based on the steps you are using to Manage Tenable Nessus Offline, the resulting web page
includes the following elements:
l Custom URL: The custom URL displayed downloads a compressed plugins file. This file is
used by Nessus to obtain plugin information. This URL is specific to your Nessus license and
must be saved and used each time plugins need to be updated.
l License: The complete text-string starting with -----BEGIN Tenable, Inc. LICENSE----- and
ends with -----END Tenable, Inc. LICENSE----- is your Nessus product license information.
Tenable uses this text-string to confirm your product license and registration.
l nessus.license file: At the bottom of the web page, there is an embedded file that includes
the license text-string.
- 155 -
Back Up Tenable Nessus
Using the Nessus CLI, you can back up your Tenable Nessus to restore it later on any system, even
if it is a different operating system. When you back up Tenable Nessus, your license information
and settings are preserved. Tenable Nessus does not back up scan results.
Note: If you perform a cross-platform backup and restore between Linux and Windows systems, after you
restore Tenable Nessus, you must reconfigure any Tenable Nessus configurations that use schedules.
Schedules do not transfer correctly across these platforms because the operating systems use different
timezone names.
To back up Tenable Nessus:
1. Access Tenable Nessus from a command terminal.
2. Create the Tenable Nessus backup file by running the following command:
> nessuscli backup --create <backup_filename>
Tenable Nessus creates the backup file in the following directory:
l Linux: /opt/nessus/var/nessus
l Windows: C:\ProgramData\Tenable\Nessus\nessus
l macOS: /Library/Nessus/run/var/nessus
3. (Optional) Move the Tenable Nessus backup file to a backup location on your system.
What to do next:
l Restore Tenable Nessus
- 156 -
Restore Tenable Nessus
Using the Nessus CLI, you can use a previous backup of Tenable Nessus to restore later on any sys-
tem, even if it is a different operating system. When you back up Tenable Nessus, your license
information and settings are preserved. Tenable Nessus does not restore scan results.
On Tenable Nessus 8.11.1and later, you can restore a backup even if it was created on an earlier ver-
sion of Tenable Nessus. For example, if you are on Tenable Nessus 8.11.1, you can restore a backup
from Tenable Nessus 8.10.0.
Note: If you perform a cross-platform backup and restore between Linux and Windows systems, after you
restore Tenable Nessus, you must reconfigure any Tenable Nessus configurations that use schedules.
Schedules do not transfer correctly across these platforms because the operating systems use different
timezone names.
Before you begin:

l Back Up Tenable Nessus
To restore Tenable Nessus:
1. Access Tenable Nessus from a command terminal.
2. Stop your Tenable Nessus service.
Tenable Nessus terminates all processes.
3. Restore Tenable Nessus from the backup file you previously saved by running the following
command:
> nessuscli backup --restore path/to/<backup_filename>
Tenable Nessus restores your backup.
4. Stop and start your Tenable Nessus service.
Tenable Nessus begins initializing and uses the license information and settings from the
backup.
- 157 -
Remove Nessus and Nessus Agents
This section includes information for removing Nessus and Nessus Agents.
l Remove Nessus
l Uninstall Nessus on macOS
l Uninstall Nessus on Linux
l Uninstall Nessus on Windows
l Remove Tenable Nessus as a Docker Container
l Remove Nessus Agent
l Uninstall a Nessus Agent on macOS
l Uninstall a Nessus Agent on Linux
l Uninstall a Nessus Agent on Windows
- 158 -
Remove Nessus
This section includes information for uninstalling and removing Nessus.
l Uninstall Nessus on Linux
l Uninstall Nessus on Windows
l Uninstall Nessus on macOS
l Remove Tenable Nessus as a Docker Container
Uninstall Nessus on Linux
- 159 -
Optional: Export your Scans and Policies
1. Go to the folder or folders where you store your scans.
2. Double-click the scan to view its dashboard.
3. In the upper right corner, select the Export button, and then choose the Nessus DB option.
- 160 -
Stop Nessus Processes
1. From within Nessus, verify any running scans have completed.
2. From a command prompt, stop the nessusd daemon.
Examples: Nessus Daemon Stop Commands
Red Hat, CentOS, and Oracle Linux
# /sbin/service nessusd stop
SUSE
# /etc/rc.d/nessusd stop
FreeBSD
# service nessusd stop
# /etc/init.d/nessusd stop
- 161-
Remove Nessus
1. Run the remove command specific to your Linux-style operating system.
Examples: Nessus Remove Commands
# yum remove Nessus
# dnf remove Nessus
# dpkg -r Nessus
FreeBSD
# pkg delete Nessus
2. Using the command specific to your Linux-style operating system, remove remaining files that
were not part of the original installation.
Examples: Nessus Remove Command
Linux
# rm -rf /opt/nessus
FreeBSD
# rm -rf /usr/local/nessus/bin
This completes the process of uninstalling the Nessus on the Linux operating systems.
- 162 -
Uninstall Nessus on Windows
1. (Optional) Export your scans and policies.
2. Stop Nessus.
3. Uninstall Nessus from the Windows user interface or the CLI following the steps below:
To uninstall Nessus from the Windows user interface:
1. Navigate to the portion of Windows that allows you to Add or Remove Programs or Uninstall or
change a program.
2. In the list of installed programs, select the Tenable Nessus product.
3. Click Uninstall.
A dialog box appears, confirming your selection to remove Nessus.
4. Click Yes.
Windows uninstalls Nessus.
To uninstall Nessus from the Windows CLI:
1. Open PowerShell with administrator privileges.
msiexec.exe /x <path to Nessus package>
Note: For information about optional msiexec /x parameters, see msiexec in the Microsoft doc-
umentation.
- 163 -
Uninstall Nessus on macOS
Stop Nessus
1. In System Preferences, select the Nessus button.
2. On the Nessus.Preferences screen, select the lock to make changes.
3. Next, enter your username and password.
4. Select the Stop Nessus button.
The Status becomes red and shows as Stopped.
5. Finally, exit the Nessus.Preferences screen.
Remove the Following Nessus Directories, Subdirectories, or Files
/Library/Nessus
/Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
/Library/PreferencePanes/Nessus Preferences.prefPane
/Applications/Nessus
Disable the Nessus Service

1. To prevent the macOS from trying to start the now non-existent service, type the following
command from a command prompt.
$ sudo launchctl remove com.tenablesecurity.nessusd
2. If prompted, provide the administrator password.
- 164 -
Remove Tenable Nessus as a Docker Container
When you remove Tenable Nessus running as a Docker container, you lose the container data.
To remove Tenable Nessus as a docker container:
1. In your terminal, stop the container from running using the docker stop command.
$ docker stop <container name>
2. Remove your container using the docker rm command.
$ docker rm <container name>
- 165 -
Remove Nessus Agent
This section includes information for uninstalling a Tenable Nessus Agent from hosts.
l Uninstall a Nessus Agent on Linux
l Uninstall a Nessus Agent on Windows
l Uninstall a Nessus Agent on macOS
Note: For instructions on how to remove an agent from a manager while leaving the agent installed on the
host, see Unlink an Agent.
- 166 -
Uninstall a Nessus Agent on Linux
Before you begin:

l Unlink the agent from the manager.
To uninstall Tenable Nessus Agent on Linux:
1. Type the remove command specific to your Linux-style operating system.
Example Nessus Agent Remove Commands
# yum remove NessusAgent
# dnf remove NessusAgent
# dpkg -r NessusAgent
FreeBSD
# pkg delete NessusAgent
What to do next:
l If you plan on reinstalling the Tenable Nessus Agent on the system, see the knowledge base
article on how to avoid linking errors.
- 167 -
Uninstall a Nessus Agent on Windows
Before you begin:

To uninstall Tenable Nessus Agent from the Windows user interface:
1. Navigate to the portion of Windows where you can Add or Remove Programs or Uninstall or
change a program.
2. In the list of installed programs, select the Tenable Nessus product.
3. Click Uninstall.
A dialog box appears, prompting you to confirm your selection to remove Tenable Nessus
Agent.
4. Click Yes.
Windows deletes all Nessus related files and folders.
Note: On Windows, the Tenable Nessus Agent uninstall process automatically creates a backup file in
the %TEMP% directory. If you reinstall Tenable Nessus Agent within 24 hours, Tenable Nessus Agent
uses that backup file to restore the installation. If you want to reinstall Tenable Nessus Agent within
24 hours without using the backup, manually delete the backup file in the %TEMP% directory before-
hand.
To uninstall Tenable Nessus Agent from the Windows CLI:
1. Open PowerShell with administrator privileges.
msiexec.exe /x <path to Nessus Agent package>
Note: For information about optional msiexec /x parameters, see msiexec in the Microsoft doc-
umentation.
What to do next:
- 168 -
- 169 -
Uninstall a Nessus Agent on macOS
Before you begin:

To uninstall Tenable Nessus Agent on macOS:
1. Remove the Tenable Nessus directories. From a command prompt, type the following com-
mands:
l $ sudo rm -rf /Library/NessusAgent
l $ sudo rm /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
l $ sudo rm -r "/Library/PreferencePanes/Nessus Agent Prefer-

ences.prefPane"
2. Disable the Nessus Agent service:
a. From a command prompt, type the following command:
$ sudo launchctl remove com.tenablesecurity.nessusagent
b. If prompted, provide the administrator password.
What to do next:
- 170 -
Scans
On the Scans page, you can create, view, and manage scans and resources. To access the Scans
page, in the top navigation bar, click Scans. The left navigation bar shows the Folders and
Resources sections.
For more information, see the following sections:
l Scan Templates
l Create and Manage Scans
l Scan Results
l Scan Folders
l Policies
l Terrascan
l Plugins
l Customized Reports
- 171-
l Scanners
l Agents
Scan Templates
You can use scan templates to create custom policies for your organization. Then, you can run
scans based on Tenable's scan templates or your custom policies' settings. For more information,
see Create a Policy.
When you first create a scan or policy, the Scan Templates section or Policy Templates section
appears, respectively. Tenable Nessus provides separate templates for scanners and agents,
depending on which sensor you want to use for scanning:
l Scanner Templates
l Agent Templates (Tenable Nessus Manager only) (Tenable Nessus Manager only)
If you have custom policies, they appear in the User Defined tab.
When you configure a Tenable-provided scan template, you can modify only the settings included
for the scan template type. When you create a user-defined scan template, you can modify a cus-
tom set of settings for your scan.
For descriptions of all the scanner and agent template settings, see Settings.
Note: If a plugin requires authentication or settings to communicate with another system, the
plugin is not available on agents. This includes, but is not limited to:
l Patch management
l Mobile device management
l Cloud infrastructure audit
l Database checks that require authentication
Scanner Templates
There are three scanner template categories in Tenable Nessus:
- 172 -
l Discovery —Tenable recommends using discovery scans to see what hosts are on your net-
work, and associated information such as IP address, FQDN, operating systems, and open
ports, if available. After you have a list of hosts, you can choose what hosts you want to target
in a specific vulnerability scan.
l Vulnerabilities —Tenable recommends using vulnerability scan templates for most of your
organization's standard, day-to-day scanning needs. Tenable also publishes vulnerability scan
templates that allow you to scan your network for a specific vulnerability or group of vul-
nerabilities. Tenable frequently updates the Tenable Nessus scan template library with tem-
plates that detect the latest vulnerabilities of public interest, such as Log4Shell.
l Compliance —Tenable recommends using configuration scan templates to check whether

host configurations are compliant with various industry standards. Compliance scans are
sometimes referred to as configuration scans. For more information about the checks that
compliance scans can perform, see Compliance and SCAP Settings.
The following table describes the available scanner templates.
Tip: In the Tenable Nessus user interface, use the search box to find a template quickly.
Note: If you configure Tenable Nessus Manager for agent management, Tenable does not recommend
using Tenable Nessus Manager as a local scanner. For example, do not configure Tenable Security Center
scan zones to include Nessus Manager and avoid running network-based scans directly from Tenable Nes-
sus Manager. These configurations can negatively impact agent scan performance. In most cases, use
agent scan templates when working in Tenable Nessus Manager.
Template Description
Discovery
Host Discovery Performs a simple scan to discover live hosts and open ports.
Launch this scan to see what hosts are on your network and associated
information such as IP address, FQDN, operating systems, and open
ports, if available. After you have a list of hosts, you can choose what
hosts you want to target in a specific vulnerability scan.
Tenable recommends that organizations who do not have a passive net-

work monitor, such as Tenable Nessus Network Monitor, run this scan
weekly to discover new assets on your network.
- 173 -
Note: Assets identified by discovery scans do not count toward your license.
Vulnerabilities
Basic Network Performs a full system scan that is suitable for any host. Use this tem-
Scan plate to scan an asset or assets with all of Nessus's plugins enabled. For
example, you can perform an internal vulnerability scan on your organ-
ization's systems.
Advanced Network The most configurable scan type. You can configure this scan template
Scan to match any policy. This template has the same default settings as the
basic scan template, but it allows for additional configuration options.
Note: Advanced scan templates allow you to scan more deeply using custom
configuration, such as faster or slower checks, but misconfigurations can
cause asset outages or network saturation. Use the advanced templates with
caution.
Advanced Dynamic An advanced scan without any recommendations, where you can con-
Scan figure dynamic plugin filters instead of manually selecting plugin families
or individual plugins. As Tenable releases new plugins, any plugins that
match your filters are automatically added to the scan or policy. This
allows you to tailor your scans for specific vulnerabilities while ensuring
that the scan stays up to date as new plugins are released.
Malware Scan Scans for malware on Windows and Unix systems.
Tenable Nessus detects malware using a combined allow list and block
list approach to monitor known good processes, alert on known bad pro-
cesses, and identify coverage gaps between the two by flagging
unknown processes for further inspection.
Mobile Device (Tenable Nessus Manager only)

Scan
Assesses mobile devices via Microsoft Exchange or an MDM.
Use this template to scan what is installed on the targeted mobile

devices and report on the installed applications or application versions'
vulnerabilities.
- 174 -
The Mobile Device Scan plugins allow you to obtain information from
devices registered in a Mobile Device Manager (MDM) and from Active Dir-
ectory servers that contain information from Microsoft Exchange Serv-
ers.
l To query for information, the Tenable Nessus scanner must be able

to reach the Mobile Device Management servers. Ensure no screen-
ing devices block traffic to these systems from the Nessus scan-
ner. In addition, you must give Tenable Nessus administrative
credentials (for example, domain administrator) to the Active Dir-
ectory servers.
l To scan for mobile devices, you must configure Tenable Nessus

with authentication information for the management server and
the mobile plugins. Since Tenable Nessus authenticates directly to
the management servers, you do not need to configure a scan
policy to scan specific hosts.
l For ActiveSync scans that access data from Microsoft Exchange

servers, Tenable Nessus retrieves information from phones that
have been updated in the last 365 days.
Web Application Scan for published and unknown web vulnerabilities.

Tests
Credentialed Patch Authenticates hosts and enumerates missing updates.

Audit
Use this template with credentials to give Tenable Nessus direct access
to the host, scan the target hosts, and enumerate missing patch
updates.
Intel AMT Security Performs remote and local checks for CVE-2017-5689.
Bypass
Spectre and Melt- Performs remote and local checks for CVE-2017-5753, CVE-2017-5715,
down and CVE-2017-5754.
WannaCry Scans for the WannaCry ransomware (MS17-010).

Ransomeware
- 175 -
Ripple20 Remote Detects hosts running the Treck stack in the network, which may be
Scan affected by Ripple20 vulnerabilities.
Zerologon Remote Detects Microsoft Netlogon elevation of privilege vulnerability (Zer-

Scan ologon).
Solarigate Detects SolarWinds Solorigate vulnerabilities using remote and local

checks.
ProxyLogon: Performs remote and local checks to detect Microsoft Exchange Server
MS Exchange vulnerabilities related to CVE-2021-26855, CVE-2021-26857, CVE-2021-
26858, and CVE-2021-27065.
PrintNightmare Performs local checks for CVE-2021-34527, the PrintNightmare Windows

Print Spooler vulnerability.
Active Directory Scans for misconfigurations in Active Directory.

Starter Scan
Note: Active Directory Starter Scans require ADSI credentials. For more
information, see Miscellaneous.
Use this template to check Active Directory for Kerberoasting, Weak Ker-
beros encryption, Kerberos pre-authentication validation, non-expiring
account passwords, unconstrained delegation, null sessions, Kerberos
KRBTGT, dangerous trust relationships, Primary Group ID integrity, and
blank passwords.
Log4Shell Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j

via local checks.
Log4Shell Remote Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j

Checks via remote checks.
Log4Shell Vul- Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j

nerability Ecosys- via local and remote checks. This template is dynamic and is regularly
tem updated with new plugins as third-party vendors patch their software.
2022 Threat Land- Detects vulnerabilities featured in Tenable's 2022 Threat Landscape Ret-
scape Ret- rospective report.
rospective (TLR)
- 176 -
CISA Alerts AA22- Performs remote and local checks for vulnerabilities from CISA alerts
011A and AA22- AA22-011A and AA22-047A.
047A
ContiLeaks Performs remote and local checks for ContiLeaks vulnerabilities.
Ransomware Performs remote and local checks for common ransomware vul-
Ecosystem nerabilities.
Compliance
Audit Cloud Infra- Audits the configuration of third-party cloud services.

structure
You can use this template to scan the configuration of Amazon Web Ser-
vice (AWS), Google Cloud Platform, Microsoft Azure, Rackspace, Sales-
force.com, and Zoom, given that you provide credentials for the service
you want to audit.
Internal PCI Net- Performs an internal PCI DSS (11.2.1) vulnerability scan.
work Scan
This template creates scans that you can use to satisfy internal (PCI DSS
11.2.1) scanning requirements for ongoing vulnerability management pro-
grams that satisfy PCI compliance requirements. You can use these
scans for ongoing vulnerability management and to perform rescans until
passing or clean results are achieved. You can provide credentials to enu-
merate missing patches and client-side vulnerabilities.
Note: While the PCI DSS requires you to provide evidence of passing or
"clean" scans on at least a quarterly basis, you must also perform scans after
any significant changes to your network (PCI DSS 11.2.3).
MDM Config Audit Audits the configuration of mobile device managers.
The MDM Config Audit template reports on a variety of MDM vul-

nerabilities, such as password requirements, remote wipe settings, and
the use of insecure features, such as tethering and Bluetooth.
Offline Config Audits the configuration of network devices.

Audit
Offline configuration audits allow Tenable Nessus to scan hosts without
the need to scan over the network or use credentials. Organizational
- 177 -
policies may not allow you to scan devices or know credentials for
devices on the network for security reasons. Offline configuration audits
use host configuration files from hosts to scan instead. Through scan-
ning these files, you can ensure that devices' settings comply with audits
without the need to scan the host directly.
Tenable recommends using offline configuration audits to scan devices

that do not support secure remote access and devices that scanners can-
not access.
Unofficial Performs quarterly external scans as required by PCI.

PCI Quarterly
You can use this template to simulate an external scan (PCI DSS 11.2.2) to
External Scan
meet PCI DSS quarterly scanning requirements. However, you cannot
submit the scan results from this template to Tenable for PCI Validation.
Only Tenable Vulnerability Management customers can submit their PCI
scan results to Tenable for PCI ASV validation.
Policy Compliance Audits system configurations against a known baseline.

Auditing
The compliance checks can audit against custom security policies, such
as password complexity, system settings, or registry values on Windows
operating systems. For Windows systems, the compliance audits can
test for a large percentage of anything that can be described in a Win-
dows policy file. For Unix systems, the compliance audits test for run-
ning processes, user security policy, and content of files.
SCAP and OVAL Audits systems using SCAP and OVAL definitions.
Auditing
The National Institute of Standards and Technology (NIST) Security Con-
tent Automation Protocol (SCAP) is a set of policies for managing vul-
nerabilities and policy compliance in government agencies. It relies on
multiple open standards and policies, including OVAL, CVE, CVSS, CPE,
and FDCC policies.
l SCAP compliance auditing requires sending an executable to the

remote host.
l Systems running security software (for example, McAfee Host Intru-
- 178 -
sion Prevention), may block or quarantine the executable required
for auditing. For those systems, you must make an exception for
either the host or the executable sent.
l When using the SCAP and OVAL Auditing template, you can per-
form Linux and Windows SCAP CHECKS to test compliance stand-
ards as specified in NIST’s Special Publication 800-126.
Agent Templates (Tenable Nessus Manager only)

There are two agent template categories in Tenable Nessus Manager:
l Vulnerabilities —Tenable recommends using vulnerability scan templates for most of your
organization's standard, day-to-day scanning needs.
l Compliance —Tenable recommends using configuration scan templates to check whether

host configurations are compliant with various industry standards. Compliance scans are
sometimes referred to as configuration scans. For more information about the checks that
compliance scans can perform, see Compliance and SCAP Settings.
The following table describes the available agent templates.
Tip: In the Tenable Nessus user interface, use the search box to find a template quickly.
Template Description
Vulnerabilities
Basic Agent Performs a full system scan that is suitable for any host. Use this template
Scan to scan an asset or assets with all of Nessus's plugins enabled. For example,
you can perform an internal vulnerability scan on your organization's sys-
tems.
Advanced The most configurable scan type. You can configure this scan template to
Agent Scan match any policy. This template has the same default settings as the basic
scan template, but it allows for additional configuration options.
- 179 -
Note: Advanced scan templates allow you to scan more deeply using custom con-
figuration, such as faster or slower checks, but misconfigurations can cause
asset outages or network saturation. Use the advanced templates with caution.
Malware Scan Scans for malware on Windows and Unix systems.
Tenable Nessus Agent detects malware using a combined allow list and
block list approach to monitor known good processes, alert on known bad
processes, and identify coverage gaps between the two by flagging unknown
processes for further inspection.
Agent Detects the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j via

Log4Shell local checks.
Compliance
Policy Com- Audits system configurations against a known baseline.

pliance Audit-
The compliance checks can audit against custom security policies, such as
ing
password complexity, system settings, or registry values on Windows oper-
ating systems. For Windows systems, the compliance audits can test for a
large percentage of anything that can be described in a Windows policy file.
For Unix systems, the compliance audits test for running processes, user
security policy, and content of files.
SCAP and Audits systems using SCAP and OVAL definitions.

OVAL Auditing
The National Institute of Standards and Technology (NIST) Security Content
Automation Protocol (SCAP) is a set of policies for managing vulnerabilities
and policy compliance in government agencies. It relies on multiple open
standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.
l SCAP compliance auditing requires sending an executable to the

remote host.
l Systems running security software (for example, McAfee Host Intru-

sion Prevention), may block or quarantine the executable required for
auditing. For those systems, you must make an exception for either
the host or the executable sent.
- 180 -
l When using the SCAP and OVAL Auditing template, you can perform
Linux and Windows SCAP CHECKS to test compliance standards as
specified in NIST’s Special Publication 800-126.
- 181-
Scan and Policy Settings
Scan settings enable you to refine parameters in scans to meet your specific network security
needs. The scan settings you can configure vary depending on the Tenable-provided template on
which a scan or policy is based.
You can configure these settings in individual scans or in policy from which you create individual
scans.
Tenable Nessus organizes scan settings into the following categories:
l Basic Settings for Scans
l Basic Settings for Policies
l Discovery Settings
l Assessment Settings
l Report Settings
l Advanced Settings
Settings in Policies
When configuring settings for policies, note the following:
l If you configure a setting in a policy, that setting applies to any scans you create based on
that policy.
l You base a policy on a Tenable-provided template. Most of the settings are identical to the set-
tings you can configure in an individual scan that uses the same Tenable-provided template.
However, certain Basic settings are unique to creating a policy, and do not appear when con-
figuring an individual scan. For more information, see Basic Settings for Policies.
l You can configure certain settings in a policy, but cannot modify those settings in an indi-
vidual scan based on a policy. These settings include Discovery, Assessment, Report,
Advanced, Compliance, SCAP, and Plugins. If you want to modify these settings for individual
scans, create individual scans based on a Tenable-provided template instead.
- 182 -
l If you configure Credentials in a policy, other users can override these settings by adding
scan-specific or managed credentials to scans based on the policy.
Basic Settings for Scans
Note: This topic describes Basic settings you can set in scans. For Basic settings in policies, see Basic
Settings for Policies.
The Basic scan settings are used to specify certain organizational and security-related aspects of
the scan, including the name of the scan, its targets, whether the scan is scheduled, and who has
access to the scan, among other settings.
Configuration items that are required by a particular scan are indicated in the Tenable Nessus inter-
face.
The Basic settings include the follow sections:
The following tables list all available Basic settings by section.
- 183 -
General
Default
Setting Description
Value
Name None Specifies the name of the scan. This value is displayed on
the Tenable Nessus interface.
Description None (Optional) Specifies a description of the scan.
Folder My Scans Specifies the folder where the scan appears after being
saved.
Dashboard Disabled (Tenable Nessus Manager only) (Optional) Determines

whether the scan results page defaults to the interactive
dashboard view.
Agent Groups None (Agent scans only) Specifies the agent group or groups you
want the scan to target. Select an existing agent group from
the drop-down box, or create a new agent group. For more
information, see Create a New Agent Group.
Scan Window 1hour (Agent scans only) (Required) Specifies the time frame dur-
ing which agents must report in order to be included and vis-
ible in vulnerability reports. Use the drop-down box to select
an interval of time, or click to type a custom scan window.
Scanner Auto-Select (Tenable Nessus Manager only) Specifies the scanner that
performs the scan.
The scanners you can select for this parameter depend on

the scanners and scanner groups configured for your Ten-
able Vulnerability Management instance, as well as your per-
missions for those scanners or groups.
Policy None This setting appears only when the scan owner edits an exist-
ing scan that is based on a policy.
- 184 -
Default
Setting Description
Value
Note: After scan creation, you cannot change the Tenable-

provided template on which a scan is based.
In the drop-down box, select a policy on which to base the

scan. You can select policies for which you have Can View or
higher permissions.
In most cases, you set the policy at scan creation, then keep
the same policy each time you run the scan. However, you
may want to change the policy when troubleshooting or
debugging a scan. For example, changing the policy makes it
easy to enable or disable different plugin families, change
performance settings, or apply dedicated debugging policies
with more verbose logging.
When you change the policy for a scan, the scan history
retains the results of scans run under the previously-
assigned policy.
Target URL None (Web App templates only) Specifies the URL for the target
you want to scan, as it appears on your Tenable Nessus Web
Application Scanning license. Regular expressions and wild-
cards are not allowed. Targets must start with the http://
or https:// protocol identifier.
Note: If the URL you type in the Target box has a different
FQDN host from the URL that appears on your license, and your
scan runs successfully, the new URL you type counts as an addi-
tional asset on your license.
Note: If you create a user-defined scan template, the target

setting is not saved to the template. Type a target each time
you create a new scan.
Targets None Specifies one or more targets to be scanned. If you select a
- 185 -
Default
Setting Description
Value
target group or upload a targets file, you are not required to

specify additional targets.
Targets can be specified using a number of different

formats.
Tip: You can force Tenable Nessus to use a given host name
for a server during a scan by using the hostname[ip] syntax
(e.g., www.example.com[192.168.1.1]).
Upload Targets None Uploads a text file that specifies targets.
The targets file must be formatted in the following manner:
l ASCII file format
l Only one target per line
l No extra spaces at the end of a line
l No extra lines following the last target
Note: Unicode/ UTF-8 encoding is not supported.
Show Dash- Off Select this check box to show a scan dashboard as the
board scan's default landing page.
- 186 -
Schedule
By default, scans are not scheduled. When you first access the Schedule section, the Enable Sched-
ule setting appears, set to Off. To modify the settings listed on the following table, click the Off but-
ton. The rest of the settings appear.
Setting Default Value Description
Frequency Once Specifies how often the scan is launched.
l Once: Schedule the scan at a specific time.
l Daily: Schedule the scan to occur on a daily basis,

at a specific time or to repeat up to every 20 days.
l Weekly: Schedule the scan to occur on a recurring

basis, by time and day of week, for up to 20 weeks.
l Monthly: Schedule the scan to occur every month,

by time and day or week of month, for up to 20
months.
l Yearly: Schedule the scan to occur every year, by

time and day, for up to 20 years.
Starts Varies Specifies the exact date and time when a scan launches.
The starting date defaults to the date when you are cre-
ating the scan. The starting time is the nearest half-hour
interval. For example, if you create your scan on
09/ 31/ 2018 at 9:12 AM, the default starting date and time
is set to 09/ 31/ 2018 and 09:30.
Note: If you schedule your scan to repeat monthly, Tenable

recommends setting a start date no later than the 28th
day. If you select a start date that does not exist in some
months (e.g., the 29th), Tenable Nessus cannot run the
scan on those days.
Timezone America/ New Specifies the timezone of the value set for Starts.
- 187 -
York
Repeat Every Varies Specifies the interval at which a scan is relaunched. The
default value of this item varies based on the frequency
you choose.
Repeat On Varies Specifies what day of the week a scan repeats. This
item appears only if you specify Weekly for Frequency.
The value for Repeat On defaults to the day of the week

on which you create the scan.
Repeat By Day of the Month Specifies when a monthly scan is relaunched. This item
appears only if you specify Monthly for Frequency.
Summary N/ A Provides a summary of the schedule for your scan based

on the values you have specified for the available set-
tings.
- 188 -
Notifications
Default
Setting Description
Value
Email Recip- None Specifies zero or more email addresses, separated by com-
ient(s) mas, that are alerted when a scan completes and the results
are available.
Attach Report Off (Tenable Nessus Professional only) Specifies whether you
want to attach a report to each email notification. This option
toggles the Report Type and Max Attachment Size settings.
Report Type Nessus (Tenable Nessus Professional only) Specifies the report type
(CSV, Nessus, or PDF) that you want to attach to the email.
Max Attach- 25 (Tenable Nessus Professional only) Specifies the maximum

ment Size size, in megabytes (MB), of any report attachment. If the
report exceeds the maximum size, then it is not attached to
the email. Tenable Nessus does not support report attach-
ments larger than 50 MB.
Result Filters None Defines the type of information to be emailed.
- 189 -
Permissions
Using settings in the Permissions section, you can assign various permissions to groups and indi-
vidual users. When you assign a permission to a group, that permission applies to all users within
the group. The following table describes the permissions that can be assigned.
Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize
maintenance as individual users leave or join your organization.
Permission Description
No Access Groups and users set to No Access cannot interact with the scan in any way.
When you create a scan, by default no other users or groups have access to
it.
Can View Groups and users set to Can View can view the results of the scan.
Can Control Groups and users set to Can Control can launch, pause, and stop a scan, as
well as view its results.
Can Configure Groups and users set to Can Configure can modify the configuration of the
scan in addition to all other permissions.
- 190 -
Scan Targets
You can specify the targets of a scan using several different formats. The following table explains
target types, examples, and a short explanation of what occurs when that Tenable Nessus scans
that target type.
Target Descrip-
Example Explanation
tion
A single IPv4 192.168.0.1 Tenable Nessus scans the single

address IPv4 address.
A single IPv6 2001:db8::2120:17ff:fe56:333b Tenable Nessus scans the single

address IPv6 address.
A single link fe80:0:0:0:216:cbff:fe92:88d0%eth0 Tenable Nessus scans the single

local IPv6 IPv6 address.
address with a
Tenable Nessus does not sup-
scope iden-
port using the interface names
tifier
instead of interface indexes for
the scope identifier on Windows
platforms.
A small list of 192.168.0.1, 192.169.1.1 Tenable Nessus scans the list of

IPv4 or IPv6 addresses. Separate each
addresses address with a comma or a new
line; otherwise, Nessus cannot
read the list.
An IPv4 range 192.168.0.1-192.168.0.255 Tenable Nessus scans all IPv4

with a start addresses between the start
and end address and end address, includ-
address ing both addresses.
An IPv4 192.168.0-1.3-5 The example expands to all com-

address with binations of the values given in
one or more the octet ranges: 192.168.0.3,
octets 192.168.0.4, 192.168.0.5,
- 191-
Target Descrip-
Example Explanation
tion
replaced with 192.168.1.3, 192.168.1.4 and

numeric 192.168.1.5.
ranges
An IPv4 subnet 192.168.0.0/ 24 Tenable Nessus scans all

with CIDR nota- addresses within the specified
tion subnet. The address given is not
the start address. Specifying
any address within the subnet
with the same CIDR scans the
same set of hosts.
An IPv4 subnet 192.168.0.0/ 255.255.255.128 Tenable Nessus scans all

with netmask addresses within the specified
notation subnet. The address is not a
start address. Specifying any
address within the subnet with
the same netmask scans the
same hosts.
A host resolv- www.yourdomain.com Tenable Nessus scans the single

able to either host. If the hostname resolves
an IPv4 or an to multiple addresses the
IPv6 address address to scan is the first IPv4
address or if it did not resolve to
an IPv4 address, the first IPv6
address.
A host resolv- www.yourdomain.com/ 24 Tenable Nessus resolves the

able to an IPv4 hostname to an IPv4 address
address with and then treats it like any other
CIDR notation IPv4 address with CIDR target.
A host resolv- www.yourdomain.com/ 255.255.252.0 Tenable Nessus resolves the
- 192 -
Target Descrip-
Example Explanation
tion
able to an IPv4 hostname to an IPv4 address

address with and then treats it like any other
netmask nota- IPv4 address with netmask nota-
tion tion.
The text 'link6' link6 or link6%16 Tenable Nessus sends out mul-
optionally fol- ticast ICMPv6 echo requests on
lowed by an the interface specified by the
IPv6 scope scope identifier to the ff02::1
identifier address. Tenable Nessus scans
all hosts that respond to the
request. If you do not provide a
IPv6 scope identifier, Tenable
Nessus sends out the requests
on all interfaces.
Tenable Nessus does not sup-

port using the interface names
instead of interface indexes for
the scope identifier on Windows
platforms.
Some text "Test Host 1[ 10.0.1.1] " or "Test Host 2 Tenable Nessus scans the IPv4
with either a [ 2001:db8::abcd] " or IPv6 address within the brack-
single IPv4 or ets like a normal single target.
IPv6 address
within square
brackets
Tip: You can process hostname targets that look like either a link6 target (start with the text "link6") or like
one of the two IPv6 range forms as a hostname by putting single quotes around the target.
Basic Settings for Policies
- 193 -
Note: This topic describes Basic settings you can set in policies. For Basic settings in individual scans, see
Basic Settings for Scans.
You can use Basic settings to specify basic aspects of a policy, including who has access to the
policy.
The Basic settings include the following sections:
- 194 -
General
The general settings for a policy.
Name None Specifies the name of the policy.
Description None (Optional) Specifies a description of the policy.
- 195 -
Permissions
You can share the policy with other users by setting permissions for users or groups. When you
assign a permission to a group, that permission applies to all users within the group.
Permission Description
No Access (Default user only) Groups and users set to this permission cannot interact
with the policy in any way.
Can Use Groups and users with this permission can view the policy configuration and
use the policy to create scans.
Can Edit In addition to viewing the policy and using the policy to create scans, groups
and users with this permission can modify any policy settings except user per-
missions. However, they cannot export or delete the policy.
Note: Only the policy owner can export or delete a policy.
Discovery Scan Settings
Note: If a scan is based on a policy, you cannot configure Discovery settings in the scan. You can only
modify these settings in the related policy.
Note: Tenable Nessus indicates the settings that are required by a particular scan or policy.
The Discovery settings relate to discovery and port scanning, including port ranges and methods.
Certain Tenable-provided scanner templates include preconfigured discovery settings.
If you select the Custom preconfigured setting option, or if you are using a scanner template that
does not include preconfigured discovery settings, you can manually configure Discovery settings in
the following categories:
Note: The following tables include settings for the Advanced Scan template. Depending on the template
you select, certain settings may not be available, and default values may vary.
- 196 -
Host Discovery
By default, Tenable Nessus enables some settings in the Host Discovery section. When you first
access the Host Discovery section, the Ping the remote host item appears and is set to On.
The Host Discovery section includes the following groups of settings:
l General Settings
l Ping Methods
l Fragile Devices
l Wake-on-LAN
Default
Setting Description
Value
Ping the remote On If set to On, the scanner pings remote hosts on multiple
host ports to determine if they are alive. Additional options
General Settings and Ping Methods appear.
If set to Off, the scanner does not ping remote hosts on

multiple ports during the scan.
Note: To scan VMware guest systems, Ping the remote

host must be set to Off.
Scan unresponsive Disabled Specifies whether the Nessus scanner scans hosts that
hosts do not respond to any ping methods. This option is only
available for scans using the PCI Quarterly External Scan
template.
General Settings
Test the local Nes- Enabled When enabled, includes the local Nessus host in the
sus host scan. This is used when the Nessus host falls within the
target network range for the scan.
Use Fast Network Disabled When disabled, if a host responds to ping, Nessus
- 197 -
Discovery attempts to avoid false positives, performing additional
tests to verify the response did not come from a proxy
or load balancer. These checks can take some time,
especially if the remote host is firewalled.
When enabled, Nessus does not perform these checks.
Ping Methods
ARP Enabled Ping a host using its hardware address via Address Res-
olution Protocol (ARP). This only works on a local net-
work.
TCP Enabled Ping a host using TCP.
Destination ports built-in Destination ports can be configured to use specific

(TCP) ports for TCP ping. This specifies the list of ports that
are checked via TCP ping.
Type one of the following: built-in, a single port, or a

comma-separated list of ports.
For more information about which ports built-in spe-

cifies, see the knowledge base article.
ICMP Enabled Ping a host using the Internet Control Message Protocol
(ICMP).
Assume ICMP Disabled Assume ICMP unreachable from the gateway means the
unreachable from host is down. When a ping is sent to a host that is down,
the gateway its gateway may return an ICMP unreachable message.
means the host is When this option is enabled, when the scanner receives
down an ICMP Unreachable message, it considers the targeted
host dead. This approach helps speed up discovery on
some networks.
Note: Some firewalls and packet filters use this same beha-
vior for hosts that are up, but connected to a port or pro-
tocol that is filtered. With this option enabled, this leads to
the scan considering the host is down when it is indeed up.
- 198 -
Maximum number 2 Specifies the number of attempts to retry pinging the
of retries remote host.
UDP Disabled Ping a host using the User Datagram Protocol (UDP). UDP
is a stateless protocol, meaning that communication is
not performed with handshake dialogues. UDP-based
communication is not always reliable, and because of
the nature of UDP services and screening devices, they
are not always remotely detectable.
Fragile Devices
Scan Network Disabled When enabled, the scanner scans network printers.
Printers
Scan Novell Net- Disabled When enabled, the scanner scans Novell NetWare hosts.
ware hosts
Scan Operational Disabled When enabled, the scanner performs a full scan of Oper-
Technology ational Technology (OT) devices such as programmable
devices logic controllers (PLCs) and remote terminal units (RTUs)
that monitor environmental factors and the activity and
state of machinery.
When disabled, the scanner uses ICS/ SCADA Smart Scan-

ning to cautiously identify OT devices and stops scan-
ning them once they are discovered.
Wake-on-LAN
List of None The Wake-on-LAN (WOL) menu controls which hosts to

MAC Addresses send WOL magic packets to before performing a scan.
Hosts that you want to start prior to scanning are

provided by uploading a text file that lists one MAC
address per line.
For example:
33:24:4C:03:CC:C7
- 199 -
FF:5C:2C:71:57:79
Boot time wait (in 5 The amount of time to wait for hosts to start before per-
minutes) forming the scan.
- 200 -
Port Scanning
The Port Scanning section includes settings that define how the port scanner behaves and which
ports to scan.
The Port Scanning section includes the following groups of settings:
l Ports
l Local Port Enumerators
l Network Port Scanners
Default
Setting Description
Value
Ports
Consider Disabled When enabled, if a port is not scanned with a selected port
Unscanned scanner (for example, the port falls outside of the specified
Ports as Closed range), the scanner considers it closed.
Port Scan Default Specifies the range of ports to be scanned.

Range
Supported keyword values are:
l default instructs the scanner to scan approximately

4,790 commonly used ports. The list of ports can be
found in the nessus-services file on the Nessus scan-
ner.
l all instructs the scanner to scan all 65,536 ports,

including port 0.
Additionally, you can indicate a custom list of ports by

using a comma-separated list of ports or port ranges. For
example, 21,23,25,80,110 or 1-1024,8080,9000-9200.
If you wanted to scan all ports excluding port 0, you would
type 1-65535.
The custom range specified for a port scan is applied to
- 201-
Default
Setting Description
Value
the protocols you have selected in the Network Port Scan-

ners group of settings.
If scanning both TCP and UDP, you can specify a split range
specific to each protocol. For example, if you want to scan
a different range of ports for TCP and UDP in the same
policy, you would type T:1-1024,U:300-500.
You can also specify a set of ports to scan for both pro-
tocols, as well as individual ranges for each separate pro-
tocol. For example, 1-1024,T:1024-65535,U:1025.
Local Port Enumerators
SSH (netstat) Enabled When enabled, the scanner uses netstat to check for open
ports from the local machine. It relies on the netstat com-
mand being available via an SSH connection to the target.
This scan is intended for Linux-based systems and requires
authentication credentials.
WMI (netstat) Enabled When enabled, the scanner uses netstat to determine open
ports while performing a WMI-based scan.
In addition, the scanner:
l Ignores any custom range specified in the Port Scan

Range setting.
l Continues to treat unscanned ports as closed if the

Consider unscanned ports as closed setting is
enabled.
If any port enumerator (netstat or SNMP) is successful, the

port range becomes all.
SNMP Enabled When enabled, if the appropriate credentials are provided

by the user, the scanner can better test the remote host
- 202 -
Default
Setting Description
Value
and produce more detailed audit results. For example,

there are many Cisco router checks that determine the vul-
nerabilities present by examining the version of the
returned SNMP string. This information is necessary for
these audits.
Only run net- Enabled If a local port enumerator runs, all network port scanners
work port scan- will be disabled for that asset.
ners if local port
enumeration
failed
Verify open TCP Disabled When enabled, if a local port enumerator (for example, WMI
ports found by or netstat) finds a port, the scanner also verifies that the
local port enu- port is open remotely. This approach helps determine if
merators some form of access control is being used (for example,
TCP wrappers or a firewall).
Network Port Scanners
TCP Disabled Use the built-in Tenable Nessus TCP scanner to identify
open TCP ports on the targets, using a full TCP three-way
handshake. TCP scans are only possible if you are using
Linux or FreeBSD. On Windows or macOS, the scanner does
not do a TCP scan and instead uses the SYN scanner to
avoid performance issues native to those operating sys-
tems.
If you enable this option, you can also set the Override Auto-
matic Firewall Detection option.
SYN Enabled Use the built-in Tenable Nessus SYN scanner to identify
open TCP ports on the target hosts. SYN scans do not ini-
tiate a full TCP three-way handshake. The scanner sends a
SYN packet to the port, waits for SYN-ACK reply, and
- 203 -
Default
Setting Description
Value
determines the port state based on a response or lack of

response.
If you enable this option, you can also set the Override Auto-
matic Firewall Detection option.
Override auto- Disabled This setting can be enabled if you enable either the TCP or
matic firewall SYN option.
detection
When enabled, this setting overrides automatic firewall
detection.
This setting has three options:
l Use aggressive detection attempts to run plugins

even if the port appears to be closed. It is recom-
mended that this option not be used on a production
network.
l Use soft detection disables the ability to monitor how

often resets are set and to determine if there is a lim-
itation configured by a downstream network device.
l Disable detection disables the firewall detection fea-

ture.
UDP Disabled This option engages the built-in Tenable Nessus UDP scan-
ner to identify open UDP ports on the targets.
Due to the nature of the protocol, it is generally not pos-

sible for a port scanner to tell the difference between open
and filtered UDP ports. Enabling the UDP port scanner may
dramatically increase the scan time and produce unreliable
results. Consider using the netstat or SNMP port enu-
meration options instead if possible.
- 204 -
Service Discovery
The Service Discovery section includes settings that attempt to map each open port with the ser-
vice that is running on that port.
The Service Discovery section includes the following groups of settings:
l General Settings
l Search for SSL/ TLS Services
Default
Setting Description
Value
General Settings
Probe all ports Enabled When enabled, the scanner attempts to map each open port
to find ser- with the service that is running on that port, as defined by
vices the Port scan range option.
Caution: In some rare cases, probing might disrupt some ser-

vices and cause unforeseen side effects.
Search for SSL On Controls how the scanner tests SSL-based services.
based services
Caution: Testing for SSL capability on all ports may be dis-
ruptive for the tested host.
Search for SSL/ TLS/ DTLS Services (enabled)
Search for Known Specifies which ports on target hosts the scanner searches
SSL/ TLS on SSL/ TLS for SSL/ TLS services.
ports
This setting has two options:
l Known SSL/ TLS ports
l All TCP ports
Search for None Specifies which ports on target hosts the scanner searches
DTLS On for DTLS services.
- 205 -
Default
Setting Description
Value
This setting has the following options:
l None
l Known SSL/ TLS ports
l All TCP ports
Identify cer- 60 When enabled, the scanner identifies SSL and TLS cer-
tificates expir- tificates that are within the specified number of days of
ing within x expiring.
days
Enumerate all True When enabled, the scanner ignores the list of ciphers advert-
SSL ciphers ised by SSL/ TLS services and enumerates them by attempt-
ing to establish connections using all possible ciphers.
Enable CRL False When enabled, the scanner checks that none of the iden-
checking (con- tified certificates have been revoked.
nects to inter-
net)
- 206 -
Identity
The Identity section allows you to enable or disable the collection of Active Directory data.
Note: This section is only applicable in Tenable One Enterprise environments.
Default
Setting Description
Value
General Settings
Collect Identity Disabled Enable this setting to allow Tenable Nessus to gather user,
Data from Act- computer, and group objects from Active Directory.
ive Directory
This setting requires that you specify an Active Directory
user account for the scan. You also need to enable LDAPS
on the Domain Controller that the scan is targeting.
- 207 -
Preconfigured Discovery Scan Settings
Certain Tenable-provided scanner templates include preconfigured discovery settings, described in
the following table. The preconfigured discovery settings are determined by both the template and
the Scan Type that you select.
Template Scan Type Preconfigured Settings
Discovery
Host Discovery Host enumeration (default) l General Settings:

o Always test the local Nes-
sus host
o Use fast network dis-
covery
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)
OS Identification l General Settings:

sus host
covery
l Ping hosts using:

o TCP
o ARP
o ICMP
Port scan (common ports) l General Settings:
- 208 -
sus host
covery
l Port Scanner Settings:

o Scan common ports
o Use netstat if credentials
are provided
o Use SYN scanner if
necessary
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)
Port scan (all ports) l General Settings:

sus host
covery

o Scan all ports (1-65535)
are provided
necessary
l Ping hosts using:
- 209 -
o TCP
o ARP
o ICMP (2 retries)
Custom All defaults
Vulnerabilities
Basic Network Scan Port scan (common ports) l General Settings:

(default) o Always test the local Nes-
sus host
covery

o Scan common ports
are provided
necessary
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)

sus host
covery
- 210 -
are provided
necessary
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)
Use fast network discovery Use fast network discovery
Advanced Scan – All defaults
Advanced Dynamic – All defaults

Scan
Malware Scan Host enumeration (default) l General Settings:

sus host
covery
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)
Host enumeration (include l General Settings:

fragile hosts) o Always test the local Nes-
sus host
- 211-
covery
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)
l Scan all devices, including:

o Printers
o Novell Netware hosts
Custom All defaults
Mobile Device Scan – –
Web Application Tests Port scan (common ports) l General Settings:

(default) o Always test the local Nes-
sus host
covery

o Scan common ports
are provided
necessary
l Ping hosts using:

o TCP
o ARP
- 212 -
o ICMP (2 retries)

sus host
covery

are provided
necessary
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)
Custom All defaults
Credentialed Patch Port scan (common ports) l General Settings:

Audit (default) o Always test the local Nes-
sus host
covery

o Scan common ports
are provided
- 213 -
necessary
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)

sus host
covery

are provided
necessary
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)
Custom All defaults
Badlock Detection Normal (default) l General Settings:

o Ping the remote host
sus host
- 214 -
covery
l Service Discovery Settings:

o Scan the default Nessus
port range
o Detect SSL/ TLS on ports
where it is commonly
used
Quick l General Settings:

sus host
covery

o Scan TCP ports 23, 25,
80, and 443
used
Thorough l General Settings:

sus host
covery
- 215 -
o Scan all TCP ports
o Detect SSL on all open
ports
Custom All defaults
Bash Shellshock Detec- Normal (default) l General Settings:

tion o Ping the remote host
sus host
covery

port range
used

o Printers

sus host
covery
- 216 -
80, and 443
used

o Printers

sus host
covery

ports

o Printers
Custom All defaults
DROWN Detection Normal (default) l General Settings:

sus host
- 217 -
covery

port range
used

sus host
covery

80, and 443
used

sus host
covery
- 218 -
ports
Custom All defaults
Intel AMT Security Normal (default) l General Settings:

Bypass o Ping the remote host
sus host
covery

port range
used

sus host
covery

o Scan TCP ports 16992,
16993, 623, 80, and 443
- 219 -
used

sus host
covery

ports
Custom All defaults
Shadow Brokers Scan Normal (default) l General Settings:

sus host
covery

port range
used

o Printers
- 220 -

sus host
covery

ports

o Printers
Custom All defaults
Spectre and Meltdown Normal (default) l General Settings:

sus host
covery

port range
- 221-
used

sus host
covery

ports
Custom All defaults
WannaCry Ransomware Normal (default) l General Settings:

sus host
covery

port range
used

- 222 -
sus host
covery

o Scan TCP ports 139 and
445
used

sus host
covery

ports
Custom All defaults
Log4Shell Normal l General Settings:

o Always test the local Ten-
able Nessus host
covery
- 223 -
o Scan the default Tenable
Nessus port range
used
l Do not scan fragile devices.

able Nessus host
covery

443
used
Thorough (default) l General Settings:

able Nessus host
covery
- 224 -
ports
Custom All defaults
Log4Shell Remote Normal (default) l General Settings:

Checks o Ping the remote host
able Nessus host
covery

Nessus port range
used

able Nessus host
covery

- 225 -
443
used

able Nessus host
covery

ports
Custom All defaults
Log4Shell Vulnerability Normal l General Settings:

Ecosystem o Ping the remote host
able Nessus host
covery

Nessus port range
- 226 -
used

able Nessus host
covery

443
used
Thorough (default) l General Settings:

able Nessus host
covery

ports
- 227 -
Custom All defaults
Compliance
Audit Cloud Infra- – –

structure
Internal PCI Network Port scan (common ports) l General Settings:

Scan (default) o Always test the local Nes-
sus host
covery

o Scan common ports
are provided
necessary
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)

sus host
covery
- 228 -
are provided
necessary
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)
Custom All defaults
MDM Config Audit – –
Offline Config Audit – –
PCI Quarterly External – Scan unresponsive hosts default

Scan
Policy Compliance Default (default) l General Settings:

Auditing o Ping the remote host
sus host

o Printers
Custom All defaults
SCAP and OVAL Audit- Host enumeration (default) l General Settings:

ing o Always test the local Nes-
sus host
- 229 -
covery
l Ping hosts using:

o TCP
o ARP
o ICMP (2 retries)
Custom All defaults
Assessment Scan Settings
Note: If a scan is based on a policy, you cannot configure Assessment settings in the scan. You can only
You can use Assessment settings to configure how a scan identifies vulnerabilities, as well as what
vulnerabilities are identified. This includes identifying malware, assessing the vulnerability of a sys-
tem to brute force attacks, and the susceptibility of web applications.
Certain Tenable-provided scanner templates include preconfigured assessment settings.
If you select the Custom preconfigured setting option, or if you are using a scanner template that
does not include preconfigured assessment settings, you can manually configure Assessment set-
tings in the following categories:
- 230 -
General
The General section includes the following groups of settings:
l Accuracy
l Antivirus
l SMTP
Accuracy
Override nor- Disabled In some cases, Tenable Nessus cannot remotely determine
mal Accur- whether a flaw is present or not. If report paranoia is set to
acy Show potential false alarms, a flaw is reported every time,
even when there is a doubt about the remote host being
affected. Conversely, a paranoia setting of Avoid potential
false alarms causes Tenable Nessus to not report any flaw
whenever there is a hint of uncertainty about the remote
host. As a middle ground between these two settings, dis-
able this setting.
Perform thor- Disabled Causes various plugins to work harder. For example, when
ough tests looking through SMB file shares, a plugin can analyze 3 dir-
(may disrupt ectory levels deep instead of 1. This could cause much more
your network network traffic and analysis sometimes. By being more thor-
or impact ough, the scan is more intrusive and is more likely to disrupt
scan speed) the network, while potentially providing better audit results.
Antivirus
Antivirus 0 Configure the delay of the Antivirus software check for a set
definition number of days (0-7). The Antivirus Software Check menu
grace period allows you to direct Tenable Nessus to allow for a specific
(in days) grace time in reporting when antivirus signatures are con-
sidered out of date. By default, Tenable Nessus considers
- 231-
signatures out of date regardless of how long ago an update
was available (for example, a few hours ago). You can con-
figure this setting to allow for up to 7 days before reporting
them out of date.
SMTP
Third party Tenable Nessus attempts to send spam through each SMTP device to the
domain address listed in this field. This third-party domain address must be outside
the range of the site Tenable Nessus is scanning or the site performing the
scan. Otherwise, the SMTP server might abort the test.
From The test messages sent to the SMTP server or servers appear as if they ori-
address ginated from the address specified in this field.
To address Tenable Nessus attempts to send messages addressed to the mail recipient lis-
ted in this field. The postmaster address is the default value since it is a valid
address on most mail servers.
- 232 -
Brute Force
The Brute Force section includes the following groups of settings:
l General Settings
l Oracle Database
l Hydra
Default
Setting Description
Value
General Settings
Only use cre- Enabled In some cases, Tenable Nessus can test default accounts
dentials and known default passwords. This can lock out an account
provided by the if too many consecutive invalid attempts trigger security
user protocols on the operating system or application. By
default, this setting is enabled to prevent Tenable Nessus
from performing these tests.
Oracle Database
Test default Disabled Test for known default accounts in Oracle software.
accounts (slow)
Hydra
Note: Hydra options only appear when Hydra is installed on the same computer as the scanner or
agent executing the scan.
Always enable Disabled Enables Hydra whenever Tenable Nessus performs the
Hydra (slow) scan.
Logins file A file that contains usernames that Hydra uses during the
scan.
Passwords file A file that contains passwords for user accounts that Hydra
uses during the scan.
- 233 -
Number of par- 16 The number of simultaneous Hydra tests that you want to
allel tasks execute. By default, this value is 16.
Timeout (in 30 The number of seconds per login attempt.

seconds)
Try empty pass- Enabled If enabled, Hydra tries usernames without using a pass-
words word.
Try login as Enabled If enabled, Hydra tries a username as the corresponding

password password.
Stop brute for- Disabled If enabled, Hydra stops brute forcing user accounts after
cing after the the first time an account is successfully accessed.
first success
Add accounts Enabled If disabled, Tenable Nessus only uses the usernames spe-
found by other cified in the logins file for the scan. Otherwise, Tenable Nes-
plugins to the sus discovers more usernames using other plugins and
login file adds them to the logins file to use for the scan.
PostgreSQL The database that you want Hydra to test.

database name
SAP R/ 3 Client The ID of the SAP R/ 3 client that you want Hydra to test.
ID (0 - 99)
Windows Local You can set this to Local accounts, Domain Accounts, or
accounts to accounts Either.
test
Interpret pass- Disabled If enabled, Hydra interprets passwords as NTLM hashes.

words as NTLM
hashes
Cisco login You use this password to log in to a Cisco system before
password brute forcing enable passwords. If you do not enter a pass-
word here, Hydra attempts to log in using credentials that
were successfully brute forced earlier in the scan.
- 234 -
Web page to Enter a web page protected by HTTP basic or digest authen-
brute force tication. If you do not enter a web page here, Hydra
attempts to brute force a page discovered by the Tenable
Nessus web crawler that requires HTTP authentication.
HTTP proxy If Hydra successfully brute forces an HTTP proxy, it

test website attempts to access the website provided here via the
brute-forced proxy.
LDAP DN The LDAP Distinguish Name scope that Hydra authenticates

against.
- 235 -
SCADA
Default
Setting Description
Value
Modbus/ TCP Coil Access Modbus uses a function code of 1to read coils in a Modbus
server. Coils represent binary output settings and are typically
mapped to actuators. The ability to read coils may help an
attacker profile a system and identify ranges of registers to alter
via a write coil message.
Start at 0 The register at which to start scanning.

Register
End at 16 The register at which to stop scanning.

Register
ICCP/ COTP TSAP Address- The ICCP/ COTP TSAP Addressing menu determines a Con-
ing Weakness nection-Oriented Transport Protocol (COTP) Transport Service
Access Points (TSAP) value on an ICCP server by trying possible
values.
Start COTP 8 Specifies the starting TSAP value to try.

TSAP
Stop COTP 8 Specifies the ending TSAP value to try. Tenable Nessus tries all
TSAP values between the Start and Stop.
- 236 -
Web Applications
By default, Tenable Nessus does not scan web applications. When you first access the Web Applic-
ation section, the Scan Web Applications setting appears and is Off. To modify the Web Application
settings listed on the following table, click the Off button. The rest of the settings appear.
The Web Applications section includes the following groups of settings:
l General Settings
l Web Crawler
l Application Test Settings
General Settings
Use a custom Mozilla/ 4.0 (compatible; MSIE Specifies which type of browser Tenable
User-Agent 8.0; Windows NT 5.1; Nessus impersonates while scanning.
Trident/ 4.0)
Web Crawler
Start crawling / The URL of the first page that Tenable Nes-
from sus tests. If you want to test multiple
pages, use a colon delimiter to separate
them (for example, /:/php4:/base).
Excluded / server_privileges\ .php <> log Specifies portions of the web site to
pages (regex) out exclude from being crawled. For example,
to exclude the / manual directory and all
Perl CGI, set this field to: (^/ manual) <>
(\ .pl(\ ?.*)?$).
Tenable Nessus supports POSIX regular

expressions for string matching and hand-
ling and Perl-compatible regular expres-
sions (PCRE).
- 237 -
Maximum 1000 The maximum number of pages to crawl.

pages to crawl
Maximum 6 Limit the number of links Tenable Nessus

depth to crawl follows for each start page.
Follow Disabled If you enable this setting, Tenable Nessus

dynamic follows dynamic links and may exceed the
pages parameters set above.
Application Test Settings
Enable gen- Disabled Enables the following Application Test Set-

eric web tings.
application
tests
Abort web Disabled If Tenable Nessus cannot log in to the tar-

application get via HTTP, then do not run any web
tests if HTTP application tests.
login fails
Try all HTTP Disabled This option instructs Tenable Nessus to

methods use POST requests for enhanced web form
testing. By default, the web application
tests only use GET requests, unless you
enable this option. Generally, more com-
plex applications use the POST method
when a user submits data to the applic-
ation. This setting provides more thorough
testing, but may considerably increase the
time required. When selected, Tenable
Nessus tests each script or variable with
both GET and POST requests. This setting
provides more thorough testing, but may
considerably increase the time required.
- 238 -
Attempt HTTP Disabled When performing web application tests,

Parameter Pol- attempt to bypass filtering mechanisms by
lution injecting content into a variable while also
supplying the same variable with valid con-
tent. For example, a normal SQL injection
test may look like / target.cgi?a='&b=2.
With HTTP Parameter Pollution (HPP)
enabled, the request may look like / tar-
get.cgi?a='&a=1&b=2.
Test embed- Disabled Embedded web servers are often static

ded web serv- and contain no customizable CGI scripts. In
ers addition, embedded web servers may be
prone to crash or become non-responsive
when scanned. Tenable recommends scan-
ning embedded web servers separately
from other web servers using this option.
Test more Disabled This setting manages the combination of

than one para- argument values used in the HTTP
meter at a requests. The default, without checking
time per form this option, is testing one parameter at a
time with an attack string, without trying
non-attack variations for additional para-
meters. For example, Tenable Nessus
would attempt
/test.php?arg1=XSS&b=1&c=1, where b
and c allow other values, without testing
each combination. This is the quickest
method of testing with the smallest result
set generated.
This setting has four options:
l Test random pairs of parameters:
- 239 -
This form of testing randomly checks

a combination of random pairs of
parameters. This is the fastest way
to test multiple parameters.
l Test all pairs of parameters (slow):

This form of testing is slightly slower
but more efficient than the one value
test. While testing multiple para-
meters, it tests an attack string, vari-
ations for a single variable and then
use the first value for all other vari-
ables. For example, Tenable Nessus
would attempt /test.php?a-
a=XSS&b=1&c=1&d=1 and then cycle
through the variables so that one is
given the attack string, one is cycled
through all possible values (as dis-
covered during the mirror process)
and any other variables are given the
first value. In this case, Tenable Nes-
sus would never test for
/test.php?a=XSS&b=3&c=3&d=3
when the first value of each variable
is 1.
l Test random combinations of three

or more parameters (slower): This
form of testing randomly checks a
combination of three or more para-
meters. This is more thorough than
testing only pairs of parameters.
Increasing the amount of com-
binations by three or more increases
- 240 -
the web application test time.
l Test all combinations of parameters

(slowest): This method of testing
checks all possible combinations of
attack strings with valid input to vari-
ables. Where all pairs testing seeks
to create a smaller data set as a
tradeoff for speed, all combinations
makes no compromise on time and
uses a complete data set of tests.
This testing method may take a long
time to complete.
Do not stop Disabled This setting determines when a new flaw is

after first flaw targeted. This applies at the script level.
is found per Finding an XSS flaw does not disable
web page searching for SQL injection or header injec-
tion, but unless otherwise specified, there
is at most one report for each type on a
given port. Note that several flaws of the
same type (for example, XSS or SQLi) may
be reported if they were caught by the
same attack.
If this option is disabled, as soon as a flaw

is found on a web page, the scan moves on
to the next web page.
If you enable this option, select one of the

following options:
l Stop after one flaw is found per web

server (fastest) —(Default) As soon
as a flaw is found on a web server by
a script, Tenable Nessus stops and
- 241-
switches to another web server on a

different port.
l Stop after one flaw is found per para-

meter (slow) —As soon as one type
of flaw is found in a parameter of a
CGI (for example, XSS), Tenable Nes-
sus switches to the next parameter
of the same CGI, the next known CGI,
or to the next port or server.
l Look for all flaws (slowest) —Perform

extensive tests regardless of flaws
found. This option can produce a
very verbose report and is not recom-
mend in most cases.
URL for http:/ / rfi.nessus.org/ rfi.txt During Remote File Inclusion (RFI) testing,
Remote File this setting specifies a file on a remote
Inclusion host to use for tests. By default, Tenable
Nessus uses a safe file hosted by Tenable,
Inc. for RFI testing. If the scanner cannot
reach the internet, you can use an intern-
ally hosted file for more accurate RFI test-
ing.
Maximum run 5 This option manages the amount of time in

time (min) minutes spent performing web application
tests. This option defaults to 60 minutes
and applies to all ports and CGIs for a given
website. Scanning the local network for
web sites with small applications typically
completes in under an hour, however web
sites with large applications may require a
higher value.
- 242 -
Windows
The Windows section contains the following groups of settings:
l General Settings
l User Enumeration Methods
Default
Setting Description
Value
General Settings
Request inform- Disabled If enabled, the sensor queries domain users instead of
ation about the local users. Enabling this setting allows plugins 10892 and
SMB Domain 10398 to run and plugins 72684 and 10907 to query domain
users.
User Enumeration Methods
You can enable as many of the user enumeration methods as appropriate for user discovery.
SAM Registry Enabled Tenable Nessus enumerates users via the Security
Account Manager (SAM) registry.
ADSI Query Enabled Tenable Nessus enumerates users via Active Directory Ser-
vice Interfaces (ADSI). To use ADSI, you must configure cre-
dentials under Credentials > Miscellaneous > ADSI.
WMI Query Enabled Tenable Nessus enumerates users via Windows Man-
agement Interface (WMI).
RID Brute For- Disabled Tenable Nessus enumerates users via relative identifier
cing (RID) brute forcing. Enabling this setting enables the Enu-
merate Domain Users and Enumerate Local User settings.
Enumerate Domain Users (available with RID Brute Forcing enabled)
Start UID 1000 The beginning of a range of IDs where Tenable Nessus
attempts to enumerate domain users.
- 243 -
End UID 1200 The end of a range of IDs where Tenable Nessus attempts
to enumerate domain users.
Enumerate Local User (available with RID Brute Forcing enabled)
Start UID 1000 The beginning of a range of IDs where Tenable Nessus
attempts to enumerate local users.
End UID 1200 The end of a range of IDs where Tenable Nessus attempts
to enumerate local users.
- 244 -
Malware
The Malware section contains the following groups of settings:
l General Settings
l Hash and Allow List Files
l File System Scanning
Default
Setting Description
Value
General Settings
Disable DNS res- Disabled Checking this option prevents Tenable Nessus from
olution using the cloud to compare scan findings against
known malware.
Hash and Allowlist Files
Custom Netstat IP None A text file that contains a list of known bad IP
Threat List addresses that you want to detect.
Each line in the file must begin with an IPv4 address.

Optionally, you can add a description by adding a
comma after the IP address, followed by the descrip-
tion. You can also use hash-delimited comments (e.g.,
# ) in addition to comma-delimited comments.
Note: Tenable does not detect private IP ranges in the

text file.
Provide your own list None You can upload any additional bad MD5 hashes via a
of known bad MD5 text file that contains one MD5 hash per line. Option-
hashes ally, you can include a description for a hash by adding
a comma after the hash, followed by the description. If
Tenable Nessus finds any matches while scanning a tar-
get, the description appears in the scan results. You
- 245 -
can use standard hash-delimited comments (for
example, #) in addition to the comma-separated com-
ments.
Provide your own list None You can upload any additional good MD5 hashes via a
of known good MD5 text file that contains one MD5 hash per line. It is pos-
hashes sible to (optionally) add a description for each hash in
the uploaded file. This is done by adding a comma
after the hash, followed by the description. If Tenable
Nessus finds any matches while scanning a target, and
a description was provided for the hash, the descrip-
tion appears in the scan results. You can use standard
hash-delimited comments (for example, #) in addition
to the comma-separated comments.
Hosts file allowlist None Tenable Nessus checks system hosts files for signs of
a compromise (for example, Plugin ID 23910 titled Com-
promised Windows System (hosts File Check). This
option allows you to upload a file containing a list of
IPs and hostnames that Tenable Nessus will ignore dur-
ing the scan. Include one IP and one hostname (format-
ted identically to your hosts file on the target) per line
in a regular text file.
Yara Rules
Yara Rules None A .yar file containing the YARA rules to be applied in
the scan. You can only upload one file per scan, so
include all rules in a single file. For more information,
see yara.readthedocs.io.
File System Scanning
Scan file system Off Enabling this option allows you to scan system dir-
ectories and files on host computers.
Caution: Enabling this setting in scans targeting 10 or

more hosts could result in performance degradation.
- 246 -
Windows Directories
Scan %Sys- Off Enables file system scanning to scan %Systemroot%.

temroot%
Scan %Pro- Off Enables file system scanning to scan %ProgramFiles%.

gramFiles%
Scan %ProgramFiles Off Enables file system scanning to scan %ProgramFiles

(x86)% (x86)%.
Scan %Pro- Off Enables file system scanning to scan %ProgramData%.

gramData%
Scan User Profiles Off Enables file system scanning to scan user profiles.
Linux Directories
Scan $PATH Off Enable file system scanning to scan for $PATH loc-
ations.
Scan / home Off Enable file system scanning to scan / home.
MacOS Directories
Scan $PATH Off Enable file system scanning to scan $PATH locations.
Scan / Users Off Enable file system scanning to scan / Users.
Scan / Applications Off Enable file system scanning to scan / Applications.
Scan / Library Off Enable file system scanning to scan / Library.
Custom Directories
Custom Filescan Dir- None A custom file that lists directories to be scanned by
ectories malware file scanning. In the file, list each directory on
a new line. Tenable Nessus does not accept root dir-
ectories (such as C:\ or /) or variables (such as %Sys-
temroot%).
- 247 -
Databases
Default
Setting Description
Value
Oracle Database
Use Disabled When enabled, if at least one host credential and one
detected SIDs Oracle database credential are configured, the scanner
authenticates to scan targets using the host credentials,
and then attempts to detect Oracle System IDs (SIDs) loc-
ally. The scanner then attempts to authenticate using the
specified Oracle database credentials and the detected
SIDs.
If the scanner cannot authenticate to scan targets using

host credentials or does not detect any SIDs locally, the
scanner authenticates to the Oracle database using the
manually specified SIDs in the Oracle database cre-
dentials.
- 248 -
Preconfigured Assessment Scan Settings
Certain Tenable-provided scanner templates include preconfigured assessment settings, described
in the following table. The preconfigured assessment settings are determined by both the template
and the Scan Type that you select.
Discovery
Host Discovery – –
Vulnerabilities
Basic Network Scan Default (default) l General Settings:

o Avoid false alarms
o Disable CGI scanning
l Web Applications:
o Disable web application scan-
ning
Scan for known web vul- l General Settings:

nerabilities o Avoid potential false alarms
o Enable CGI scanning
l Web Applications:
o Start crawling from "/ "
o Crawl 1000 pages (max)
o Traverse 6 directories (max)
o Test for known vul-
nerabilities in commonly
used web applications
o Generic web application
- 249 -
tests disabled
- 250 -
Scan for all web vul- l General Settings:
nerabilities (quick) o Avoid potential false alarms
l Web Applications:
o Perform each generic web
app test for 5 minutes (max)

nerabilities (complex) o Avoid potential false alarms
o Perform thorough tests
l Web Applications:
app test for 10 minutes
(max)
- 251-
o Try all HTTP methods
o Attempt HTTP Parameter
Pollution
Custom All defaults
Advanced Scan – –
Advanced Dynamic – –
Scan
Malware Scan – Malware Settings defaults
Mobile Device Scan – –
Web Application Scan for known web vul- l General Settings:

Tests nerabilities o Avoid potential false alarms
l Web Applications:
tests disabled

nerabilities (quick) (Default) o Avoid potential false alarms
l Web Applications:
- 252 -

l Web Applications:
(max)
Pollution
Custom All defaults
- 253 -
Credentialed Patch – Brute Force, Windows, and Malware
Audit defaults
Badlock Detection – –
Bash Shellshock Web Crawler defaults

Detection
DROWN Detection – –
Intel AMT Security – –

Bypass
Log4Shell Default l General Settings

o Avoid potential false alarms
l Web Applications
ning
Log4Shell Remote Default l General Settings

Checks o Avoid potential false alarms
l Web Applications
ning
Log4Shell Vul- Default l General Settings

nerability Ecosys- o Avoid potential false alarms
tem
l Web Applications
- 254 -
ning
Shadow Brokers – –
Scan
Spectre and Melt- – –

down
WannaCry Ransom- – –
ware
Compliance
Audit Cloud Infra- – –

structure
Internal PCI Net- Default l General Settings:

work Scan o Avoid false alarms
l Web Applications:
ning
Scan for known web vul- l General Settings:

nerabilities o Avoid potential false alarms
l Web Applications:
- 255 -
tests disabled

nerabilities (quick) o Avoid potential false alarms
l Web Applications:

l Web Applications:
- 256 -
(max)
Pollution
Custom All defaults
Offline Config Audit – –
PCI Quarterly – –
External Scan
Policy Compliance – –
Auditing
SCAP and OVAL – –

Auditing
- 257 -
Report Scan Settings
The Report scan settings include the following groups of settings:
l Processing
l Output
Default
Setting Description
Value
Processing
Override normal Disabled When disabled, provides the standard level of plugin activity
verbosity in the report. The output does not include the informational
plugins 56310, 64582, and 58651.
When enabled, this setting has two options:
l I have limited disk space. Report as little information

as possible —Provides less information about plugin
activity in the report to minimize impact on disk
space.
l Report as much information as possible —Provides

more information about plugin activity in the report.
When this option is selected, the output includes the
informational plugins 56310, 64582, and 58651.
Show missing Enabled When enabled, includes superseded patch information in

patches that the scan report.
have been
superseded
Hide results Enabled When enabled, the list of dependencies is not included in
from plugins ini- the report. If you want to include the list of dependencies in
tiated as a the report, disable this setting.
dependency
Output
- 258 -
Default
Setting Description
Value
Allow users to Enabled When enabled, allows users to delete items from the report.
edit scan res- When performing a scan for regulatory compliance or other
ults types of audits, disable the setting to show that the scan
was not tampered with.
Designate Disabled Uses the host name rather than IP address for report out-
hosts by their put.
DNS name
Display hosts Disabled Reports hosts that successfully respond to a ping.

that respond to
ping
Display unreach- Disabled When enabled, hosts that did not reply to the ping request
able hosts are included in the security report as dead hosts. Do not
enable this option for large IP blocks.
Display Unicode Disabled When enabled, Unicode characters appear in plugin output
characters such as usernames, installed application names, and SSL
certificate information.
Note: Plugin output may sometimes incorrectly parse or trun-

cate strings with Unicode characters. If this issue causes prob-
lems with regular expressions in plugins or custom audits,
disable this setting and scan again.
Advanced Scan Settings
Note: If a scan is based on a policy, you cannot configure Advanced settings in the scan. You can only
The Advanced settings provide increased control over scan efficiency and the operations of a scan,
as well as the ability to enable plugin debugging.
Certain Tenable-provided scanner templates include preconfigured advanced settings.
- 259 -
If you select the Custom preconfigured setting option, or if you are using a Nessus Scanner tem-
plate that does not include preconfigured advanced settings, you can manually configure Advanced
settings in the following categories:
l General Settings
l Performance
l Debug Settings
General Settings
Enable Safe Enabled When enabled, disables all plugins that may have an
Checks adverse effect on the remote host.
Stop scanning Disabled When enabled, Tenable Nessus stops scanning if it

hosts that become detects that the host has become unresponsive. This
unresponsive dur- may occur if users turn off their PCs during a scan, a
ing the scan host has stopped responding after a denial of service
plugin, or a security mechanism (for example, an IDS)
has started to block traffic to a server. Normally, con-
tinuing scans on these machines sends unnecessary
traffic across the network and delay the scan.
Scan IP addresses Disabled By default, Tenable Nessus scans a list of IP addresses

in a random order in sequential order. When this option is enabled, Ten-
able Nessus scans the list of hosts in a random order
within an IP address range. This approach is typically
useful in helping to distribute the network traffic dur-
ing large scans.
Automatically Disabled When enabled, if a credentialed scan tries to connect

accept detected via SSH to a FortiOS host that presents a disclaimer
SSH disclaimer prompt, the scanner provides the necessary text input
- 260 -
prompts to accept the disclaimer prompt and continue the scan.
The scan initially sends a bad ssh request to the target

in order to retrieve the supported authorization meth-
ods. This allows you to determine how to connect to
the target, which is helpful when you configure a cus-
tom ssh banner and then try to determine how to con-
nect to the host.
When disabled, credentialed scans on hosts that

present a disclaimer prompt fail because the scanner
cannot connect to the device and accept the dis-
claimer. The error appears in the plugin output.
Scan targets with Disabled When disabled, to avoid overwhelming a host, Tenable
multiple domain Nessus prevents against simultaneously scanning mul-
names in parallel tiple targets that resolve to a single IP address.
Instead, Tenable Nessus scanners serialize attempts to
scan the IP address, whether it appears more than
once in the same scan task or in multiple scan tasks on
that scanner. Scans may take longer to complete.
When enabled, a Tenable Nessus scanner can sim-

ultaneously scan multiple targets that resolve to a
single IP address within a single scan task or across
multiple scan tasks. Scans complete more quickly, but
hosts could potentially become overwhelmed, causing
timeouts and incomplete results.
Performance
Slow down the Disabled When enabled, Tenable detects when it is sending too
scan when net- many packets and the network pipe is approaching
work congestion is capacity. If network congestion is detected, throttles
detected the scan to accommodate and alleviate the congestion.
- 261-
Once the congestion has subsided, Tenable auto-

matically attempts to use the available space within
the network pipe again.
Network timeout 5 Specifies the time that Tenable waits for a response
(in seconds) from a host unless otherwise specified within a plugin.
If you are scanning over a slow connection, you may
want to set this to a higher number of seconds.
Max simultaneous 5 Specifies the maximum number of checks a Tenable

checks per host scanner will perform against a single host at one time.
Max simultaneous 30, or the Ten- Specifies the maximum number of hosts that a scanner
hosts per scan able Nessus scans at the same time.
scanner
If you set Max simultaneous hosts per scan to more
advanced set-
than scanner’s max_hosts setting, Nessus caps Max
ting max_
simultaneous hosts per scan at the max_hosts value.
hosts value,
For example, if you set the Max simultaneous hosts per
whichever is
scan to 150 and scanner's max_hosts is set to 100, with
smaller.
more than 100 targets, Nessus scans 100 hosts sim-
ultaneously.
Max number of none Specifies the maximum number of established TCP ses-
concurrent TCP sions for a single host.
sessions per host
This TCP throttling option also controls the number of
packets per second the SYN scanner sends, which is 10
times the number of TCP sessions. For example, if this
option is set to 15, the SYN scanner sends 150 packets
per second at most.
Max number of none Specifies the maximum number of established TCP ses-
concurrent TCP sions the entire scan, regardless of the number of
sessions per scan hosts being scanned.
- 262 -
Unix find command exclusions
Exclude Filepath none A plain text file containing a list of filepaths to exclude
from all plugins that search using the find command
on Unix systems.
In the file, enter one filepath per line, formatted per pat-
terns allowed by the Unix find command -path argu-
ment. For more information, see the find command
man page.
Exclude Filesys- none A plain text file containing a list of filesystems to

tem exclude from all plugins that search using the find
command on Unix systems.
In the file, enter one filesystem per line, using filesys-

tem types supported by the Unix find command -
fstype argument. For more information, see the find
command man page.
Include Filepath none A plain text file containing a list of filepaths to include
from all plugins that search using the find command
on Unix systems.
In the file, enter one filepath per line, formatted per pat-
terns allowed by the Unix find command -path argu-
ment. For more information, see the find command
man page.
Including filepaths increases the locations that are

searched by plugins, which extends the duration of the
scan. Make your inclusions as specific as possible.
Tip: Avoid having the same filepaths in Include Filepath

and Exclude Filepath. This conflict may result in the file-
path being excluded from the search, though results may
vary by operating system.
- 263 -
Windows file search Options
Windows Exclude none A plain text file containing a list of filepaths to exclude
Filepath from all plugins that search using Tenable's unmanaged
software directory scans.
In the file, enter one absolute or partial filepath per

line, formatted as the literal strings you want to
exclude. You can include absolute or relative directory
names, examples such as E:\, E:\Testdir\, and
\Testdir\.
Tip: The default exclusion paths include \Win-

dows\WinSxS\ and \Windows\servicing\ if you do not
configure this setting. If you configure this setting, Ten-
able recommends adding those two paths to the file;
those directories are very slow and do not contain unman-
aged software.
Windows Include none A plain text file containing a list of filepaths to include
Filepath from all plugins that search using Tenable's unmanaged
software directory scans.
In the file, enter one absolute or partial filepath per

line, formatted as the literal strings you want to
exclude. You can only include absolute directory
names, examples such as E:\, E:\Testdir\, and C:\.
Caution: Avoid having the same filepaths in the Windows

Include Filepath and Windows Exclude Filepath settings.
This conflict results in the filepath being excluded from
the search.
Debug Settings
Log scan details Disabled Logs the start and finish time for each plugin used dur-
ing a scan to nessusd.messages.
- 264 -
Enable plugin Disabled Attaches available debug logs from plugins to the vul-
debugging nerability output of this scan.
Audit Trail Verb- Default Controls verbosity of the plugin audit trail. All audit trail
osity data includes the reason why plugins were not included
in the scan.
Default uses the audit trail verbosity global setting set

in Advanced Settings. For Tenable Nessus scans, the
scan uses the advanced setting Audit Trail Verbosity
(audit_trail). For agent scans, the scan uses
the advanced setting Include Audit Trail Data (agent_
merge_audit_trail).
Include the KB Default Controls whether to include the scan KB, which
includes more debugging data, in the scan results.
For Tenable Nessus scans, Default includes the KB. For

agent scans, Default uses the global setting Include
KB Data (agent_merge_kb) set in Advanced Settings.
Enumerate Disabled Shows a list of plugins that Tenable Nessus launched

launched plugins during the scan. You can view the list in scan results
under plugin 112154.
Note: The setting does not function correctly if you dis-

able plugin 112154.
Stagger scan start
Maximum delay 0 (Agents 8.2 and later) If set, each agent in the agent
(minutes) group delays starting the scan for a random number of
minutes, up to the specified maximum. Staggered
starts can reduce the impact of agents that use a
shared resource, such as virtual machine CPU.
If the maximum delay you set exceeds your scan win-
- 265 -
dow, Tenable shortens your maximum delay to ensure

that agents begin scanning at least 30 minutes before
the scan window closes.
- 266 -
Preconfigured Advanced Scan Settings
Certain Tenable-provided Nessus Scanner templates include preconfigured advanced settings,
described in the following table. The preconfigured advanced settings are determined by both the
template and the Scan Type that you select.
Discovery
Host Discovery – Performance Options defaults
Vulnerabilities
Basic Network Scan Default (default) l Performance options:

o 30 simultaneous hosts
(max)
o 4 simultaneous checks
per host (max)
o 5 second network read
timeout
Scan low band- l Performance options:

width links o 2 simultaneous hosts
(max)
per host (max)
timeout
o Slow down the scan
when network con-
gestion is detected
Custom All defaults
- 267 -
Advanced Scan – All defaults
Advanced Dynamic Scan – All defaults
Malware Scan Default (default) l Performance options:

(max)
per host (max)
timeout

(max)
per host (max)
timeout
when network con-
gestion is detected
Custom All defaults
Mobile Device Scan – Debug Settings defaults
Web Application Tests Default (default) l Performance options:

(max)
per host (max)
- 268 -
timeout

(max)
per host (max)
timeout
when network con-
gestion is detected
Custom All defaults
Credentialed Patch Audit Default (default) l Performance options:

(max)
per host (max)
timeout

(max)
per host (max)
timeout
- 269 -
when network con-
gestion is detected
Custom All defaults
Badlock Detection – All defaults
Bash Shellshock Detection – All defaults
DROWN Detection – All defaults
Intel AMT Security Bypass – All defaults
Log4Shell - All defaults
Log4Shell Remote Checks - All defaults
Log4Shell Vulnerability Ecosystem - All defaults
Shadow Brokers Scan – All defaults
Spectre and Meltdown – All defaults
WannaCry Ransomware – All defaults
Compliance
Audit Cloud Infrastructure – Debug Settings defaults
Internal PCI Network Scan Default (default) l Performance options:

(max)
per host (max)
timeout

(max)
- 270 -
per host (max)
timeout
when network con-
gestion is detected
Custom All defaults
Offline Config Audit – Debug Settings defaults
PCI Quarterly External Scan Default (default) l Performance options:

(max)
per host (max)
timeout

(max)
per host (max)
timeout
when network con-
gestion is detected
- 271-
Custom All defaults
Policy Compliance Auditing Default (default) l Performance options:

(max)
per host (max)
timeout

(max)
per host (max)
timeout
when network con-
gestion is detected
Custom All defaults
SCAP and OVAL Auditing Default (default) l Performance options:

(max)
per host (max)
timeout
- 272 -
(max)
per host (max)
timeout
when network con-
gestion is detected
Custom All defaults
- 273 -
Credentials
When you configure a scan or policy's Credentials, you can grant the Tenable Nessus scanner local
access to scan the target system without requiring an agent. This can facilitate scanning of a large
network to determine local exposures or compliance violations. As noted, some steps of policy cre-
ation may be optional. Once created, Tenable Nessus saves the policy with recommended settings.
Tenable Nessus has the ability to log into remote Linux hosts via Secure Shell (SSH); and with Win-
dows hosts, Tenable Nessus uses various Microsoft authentication technologies. Tenable Nessus
also uses the Simple Network Management Protocol (SNMP) to make version and information quer-
ies to routers and switches.
The scan or policy’s Credentials page allows you to configure the Tenable Nessus scanner to use
authentication credentials during scanning. Configuring credentials allows Tenable Nessus to per-
form a wider variety of checks that result in more accurate scan results.
There are several forms of authentication supported including but not limited to databases, SSH,
Windows, network devices, patch management servers, and various plaintext authentication pro-
tocols.
In addition to operating system credentials, Tenable Nessus supports other forms of local authen-
tication.
You can manage the following types of credentials in the Credentials section of the scan or policy:
l Cloud Services
l Database, which includes MongoDB, Oracle, MySQL, DB2, PostgreSQL, and SQL Server
l Host, which includes Windows logins, SSH, and SNMPv3
l Miscellaneous services, which include VMware, Red Hat Enterprise Virtualization (RHEV), IBM
iSeries, Palo Alto Networks PAN-OS, and directory services (ADSI and X.509)
l Mobile Device Management
l Patch Management servers
l Plaintext Authentication mechanisms including FTP, HTTP, POP3, and other services
- 274 -
Credentialed scans can perform any operation that a local user can perform. The level of scanning
depends on the privileges granted to the user account. The more privileges the scanner has via the
login account (for example, root or administrator access), the more thorough the scan results.
Note: Tenable Nessus opens several concurrent authenticated connections. Ensure that the host being
audited does not have a strict account lockout policy based on concurrent sessions.
If a scan contains multiple instances of one type of credential, Tenable Nessus tries the credentials
on each scan target in the order you added the credentials to the scan.
Note: Tenable Nessus uses the first credential that allows successful login to perform credentialed checks
on the target. After a credential allows a successful login, Tenable Nessus does not try any of the other cre-
dentials in the list, even if a different credential has greater privileges.
- 275 -
Cloud Services Credentials
Tenable Nessus supports Amazon Web Services (AWS), Microsoft Azure, Rackspace, and Sales-
force.com.
AWS
Users can select Amazon Web Service (AWS) from the Credentials menu and enter credentials for
compliance auditing an account in AWS.
Option Description
AWS Access Key The AWS access key ID string.

IDS
AWS Secret Key AWS secret key that provides the authentication for AWS Access Key
ID.
AWS Global Credential Settings
Option Default Description
Regions to Rest of the For Tenable Nessus to audit an AWS account, you must define
access World the regions you want to scan. Per Amazon policy, you need dif-
ferent credentials to audit account configuration for the
China region than you need for the Rest of the World. Choos-
ing the Rest of the World opens the following choices:
l us-east-1
l us-east-2
l us-west-1
l us-west-2
l ca-central-1
l eu-west-1
l eu-west-2
- 276 -
l eu-central-1
l ap-northeast-1
l ap-northeast-2
l ap-southeast-1
l ap-southeast-2
l sa-east-1
l us-gov-west-1
HTTPS Enabled Use HTTPS to access AWS.
Verify SSL Enabled Verify the validity of the SSL digital certificate.
Certificate
Microsoft Azure
There are two authentication methods for Microsoft Azure.
Authentication Method: Key
Option Description Required
Tenant ID The Tenant ID or Directory ID for your Azure environment. Yes
Application ID The application ID (also known as client ID) for your Yes
registered application.
Client Secret The secret key for your registered application. Yes
Subscription IDs List of subscription IDs to scan, separated by a comma. If No

this field is blank, all subscriptions are audited.
Authentication Method: Password
- 277 -
Username The username required to log in to Microsoft Azure. Yes
Password The password associated with the username. Yes
Client ID The application ID (also known as client ID) for your Yes
registered application.
Subscription IDs List of subscription IDs to scan, separated by a comma. If No

this field is blank, all subscriptions are audited.
Rackspace
Option Description
Username Username required to log in.
Password or API Password or API keys associated with the username.

Keys
Authentication Specify Password or API-Key from the drop-down box.

Method
Global Settings Location of Rackspace Cloud instance.
Salesforce.com
Users can select Salesforce.com from the Credentials menu. This allows Tenable Nessus to log in to
Salesforce.com as the specified user to perform compliance audits.
Option Description
Username Username required to log in to Salesforce.com
Password Password associated with the Salesforce.com username
Database Credentials
The following topic describes the available Database credentials.
- 278 -
DB2
The following table describes the additional options to configure for IBM DB2 credentials.
Options Description
Auth Type The authentication method for providing the required credentials.
l Password
l Import
l CyberArk
l Lieberman
l Hashicorp Vault
For descriptions of the options for your selected authentication type, see
Database Credentials Authentication Types.
Database Port The TCP port that the IBM DB2 database instance listens on for com-
munications from Tenable Nessus Manager. The default is port 50000.
Database Name The name for your database (not the name of your instance).
Options Description
Username The username for a user on the database.
The password associated with the username you provided.
Port The TCP port that the Informix/ DRDA database instance listens on for com-
munications from Tenable Security Center. The default is port 1526.
- 279 -
MySQL
The following table describes the additional options to configure for MySQL credentials.
Options Description
l Password
l Import
l CyberArk
l Lieberman
l Hashicorp Vault
Password The password associated with the username you provided.
Database Port The TCP port that the MySQL database instance listens on for com-
- 280 -
Oracle
The following table describes the additional options to configure for Oracle credentials.
Options Description
l Password
l Import
l CyberArk
l Lieberman
l Hashicorp Vault
For descriptions of the options for your selected authentication type,

see Database Credentials Authentication Types.
Database Port The TCP port that the Oracle database instance listens on for com-
Auth Type The type of account you want Tenable Nessus Manager to use to access
the database instance:
l Normal
l System Operator
l System Database Administrator
l SYSDBA
l SYSOPER
l NORMAL
Service Type The Oracle parameter you want to use to specify the database instance:
SID or Service NameSERVICE_NAME.
Service The SID value or SERVICE_NAME value for your database instance.
- 281-
Options Description
The Service value you enter must match your parameter selection for
the Service Type option.
- 282 -
PostgreSQL
The following table describes the additional options to configure for PostgreSQL credentials.
Options Description
l Password
l Client Certificate
l CyberArk
l Lieberman
l Hashicorp Vault
Database Port The TCP port that the PostgreSQL database instance listens on for com-
Database Name The name for your database instance.
- 283 -
SQL Server
The following table describes the additional options to configure for SQL Server credentials.
Options Description
l Password
l Import
l CyberArk
l Lieberman
l Hashicorp Vault
Password The password associated with the username you provided.
Database Port The TCP port that the SQL Server database instance listens on for com-
AuthType The type of account you want Tenable Nessus Manager to use to access the
database instance: SQL or Windows.
Instance Name The name for your database instance.
Sybase ASE
The following table describes the additional options to configure for Sybase ASE credentials.
Options Description
l Password
- 284 -
Options Description
l CyberArk
l Lieberman
l Hashicorp Vault
Database Port The TCP port that the Sybase ASE database instance listens on for com-
Auth Type The type of authentication used by the Sybase ASE database: RSA or Plain
Text.
Cassandra
Option Description
Auth The authentication method for providing the required credentials.

Type
l Password
l CyberArk
l Lieberman
l Hashicorp Vault
For descriptions of the options for your selected authentication type, see Data-
base Credentials Authentication Types.
Port The port the database listens on. The default is port 9042.
MongoDB
- 285 -
Option Description
Note: This option is only available for non-legacy versions of the MongoDB authen-
tication method.
l Password
l Client Certificate
l CyberArk
l Lieberman
l Hashicorp Vault
Username (Required) The username for the database.
Password (Required) The password for the supplied username.
Database The name of the database to authenticate to.
Tip: To authenticate via LDAP or saslauthd, type $external.
Port (Required) The TCP port that the MongoDB database instance listens on for
communications from Tenable Nessus Manager.
Database Credentials Authentication Types

Depending on the authentication type you select for your database credentials, you must configure
the options described in this topic.
- 286 -
Client Certificate
The Client Certificate authentication type is supported for PostgreSQL databases only.
Username The username for the database. yes
Client Certificate The file that contains the PEM certificate for the yes
database.
Client CA Certificate The file that contains the PEM certificate for the yes
database.
Client Certificate Priv- The file that contains the PEM private key for the yes
ate Key client certificate.
Client Certificate Priv- The passphrase for the private key, if required in no
ate Key Passphrase your authentication implementation.
Database Port The port on which Tenable Vulnerability Man- yes

agement communicates with the database.
Database Name The name of the database. no
- 287 -
Password
Option Database Types Description Required
Username All The username for a user yes

on the database.
Password All The password for the no

supplied username.
Database Port All The port on which Ten- yes

able Vulnerability Man-
agement communicates
with the database.
Database Name DB2 The name of the data- no

base.
PostgreSQL
Auth type Oracle SQL Server values yes

include:
SQL Server
l Windows
Sybase ASE
l SQL
Oracle values include:
l SYSDBA
l SYSOPER
l NORMAL
Sybase ASE values

include:
l RSA
l Plain Text
Instance name SQL Server The name for your data- no
- 288 -
base instance.
Service type Oracle Valid values include: yes
l SID
l SERVICE_NAME
Service Oracle The SID value for your no

database instance or a
SERVICE_NAME value.
The Service value you
enter must match your
parameter selection for
- 289 -
Import
Upload a .csv file with the credentials entered in the specified format. For descriptions of valid val-
ues to use for each item, see Database Credentials.
You must configure either CyberArk or HashiCorp credentials for a database credential in the same
scan so that Tenable Nessus can retrieve the credentials.
Database Credential CSV Format
DB2 target, port, database_name, username, cred_manager,

accountname_or_secretname
MySQL target, port, database_name, username, cred_manager,

accountname_or_secretname
Oracle target, port, service_type, service_ID, username,

auth_type, cred_manager, accountname_or_secretname
SQL Server target, port, instance_name, username, auth_type,

cred_manager, accountname_or_secretname
Note: Include the required data in the specified order, with commas between each value, without spaces.
For example, for Oracle with CyberArk: 192.0.2.255,1521,SID,service_id,username,SYSDBA,Cy-
berArk,Database-Oracle-SYS.
Note: The value for cred_manager must be either CyberArk or HashiCorp.
CyberArk
CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Ten-
able Vulnerability Management can get credentials from CyberArk to use in a scan.
CyberArk Host The IP address or FQDN name for the CyberArk AIM yes
Web Service. This can be the host, or the host with
a custom URL added on in a single string.
- 290 -
Port The port on which the CyberArk API communicates. yes

By default, Tenable uses 443.
AppID The Application ID associated with the CyberArk yes

API connection.
Client Certificate The file that contains the PEM certificate used to no
communicate with the CyberArk host.
Client Certificate Priv- The file that contains the PEM private key for the yes, if private
ate Key client certificate. key is applied
Client Certificate Priv- The passphrase for the private key, if required. yes, if private
ate Key Passphrase key is applied
Get credential by The method with which your CyberArk yes

API credentials are retrieved. Can be Username,
Identifier, or Address.
Note: The frequency of queries for Username is one

query per target. The frequency of queries for Iden-
tifier is one query per chunk. This feature requires all
targets have the same identifier.
Note: The Username option also adds the Address

parameter of the API query and assigns the target IP
of the resolved host to the Address parameter. This
may lead to failure to fetch credentials if the Cyber-
Ark Account Details Address field contains a value
other than the target IP address.
Username (If Get credential by is Username) The username of no

the CyberArk user to request a password from.
Safe The CyberArk safe the credential should be no

retrieved from.
Account Name (If Get credential by is Identifier) The unique no

account name or identifier assigned to the Cyber-
- 291-
Ark API credential.
Use SSL If enabled, the scanner uses SSL through IIS for no
secure communications. Enable this option if Cyber-
Ark is configured to support SSL through IIS.
Verify SSL Certificate If enabled, the scanner validates the SSL cer- no
tificate. Enable this option if CyberArk is con-
figured to support SSL through IIS and you want to
validate the certificate.
- 292 -
CyberArk (Legacy)
able Vulnerability Management can get credentials from CyberArk to use in a scan.
Database
Types
Username All The target system’s username. yes
Central Cre- All The CyberArk Central Credential Provider yes

dential Pro- IP/ DNS address.
vider Host
Central Cre- All The port on which the CyberArk Central yes
dential Pro- Credential Provider is listening.
vider Port
CyberArk AIM All The URL of the AIM service. By default, no

Service URL this field uses
/AIMWebservice/v1.1/AIM.asmx.
Central Cre- All If the CyberArk Central Credential Pro- no

dential Pro- vider is configured to use basic authen-
vider tication, you can fill in this field for
Username authentication.
Central Cre- All If the CyberArk Central Credential Pro- no

dential Pro- vider is configured to use basic authen-
vider Password tication, you can fill in this field for
authentication.
CyberArk Safe All The safe on the CyberArk Central Cre- no

dential Provider server that contained
the authentication information you
would like to retrieve.
CyberArk Cli- All The file that contains the PEM certificate no
- 293 -
Database
Types
ent Certificate used to communicate with the CyberArk

host.
CyberArk Cli- All The file that contains the PEM private no
ent Certificate key for the client certificate.
Private Key
CyberArk Cli- All The passphrase for the private key, if no

ent Certificate your authentication implementation
Private Key requires it.
Passphrase
CyberArk All The AppId that has been allocated per- yes
AppId missions on the CyberArk Central Cre-
dential Provider to retrieve the target
password.
CyberArk All The folder on the CyberArk Central Cre- no

Folder dential Provider server that contains the
authentication information you would
like to retrieve.
CyberArk All The unique name of the credential you yes

Account want to retrieve from CyberArk.
Details Name
PolicyId All The PolicyID assigned to the credentials no

that you want to retrieve from the Cyber-
Ark Central Credential Provider.
Use SSL All If CyberArk Central Credential Provider is no

configured to support SSL through IIS
check for secure communication.
Verify SSL Cer- All If CyberArk Central Credential Provider is no

tificate configured to support SSL through IIS
- 294 -
Database
Types
and you want to validate the certificate,

select this option. Refer to the custom_
CA.inc documentation for how to use
self-signed certificates.
Database Port All The port on which Tenable Nessus com- yes
municates with the database.
Database DB2 The name of the database. no

Name
PostgreSQL
Auth type Oracle SQL Server values include: yes
SQL Server l Windows
Sybase ASE l SQL
l Normal
l System Operator
l System Database Administrator
l SYSDBA
l SYSOPER
l NORMAL
Sybase ASE values include:
l RSA
l Plain Text
Instance Name SQL Server The name for your database instance. no
Service type Oracle Valid values include: yes
- 295 -
Database
Types
l SID
l SERVICE_NAME
Service Oracle The SID value for your database instance no

or a SERVICE_NAME value. The Service
value you enter must match your para-
meter selection for the Service Type
option.
- 296 -
HashiCorp Vault
HashiCorp Vault is a popular enterprise password vault that helps you manage privileged cre-
dentials. Tenable Nessus can get credentials from HashiCorp Vault to use in a scan.
Hashicorp Vault host All The Hashicorp Vault IP yes

address or DNS address.
Note: If your Hashicorp

Vault installation is in a
subdirectory, you must
include the subdirectory
path. For example, type
IP address or hostname
/ subdirectory path.
Hashicorp Vault port All The port on which yes

Hashicorp Vault listens.
Authentication Type All Specifies the authen- yes

tication type for con-
necting to the instance:
App Role or Certificates.
If you select Certificates,

additional options for
Hashicorp Client Cer-
tificate and Hashicorp Cli-
ent Certificate Private
Key appear. Click Add File
to select the appropriate
files for the client cer-
tificate and private key.
Role ID All The GUID provided by yes

Hashicorp Vault when you
- 297 -
configured your App Role.
Role Secret ID All The GUID generated by yes

Hashicorp Vault when you
Authentication URL All The URL Tenable Nessus yes

Manager uses to access
Hashicorp Vault.
Username Source All A drop-down box to spe- yes

cify if the username is
input manually or pulled
from Hashicorp Vault.
Username Key All The name in Hashicorp yes

Vault that usernames are
stored under.
Password Key All The key in Hashicorp yes

Vault that passwords are
stored under.
Secret Name All The key secret you want yes

to retrieve values for.
Use SSL All When enabled, Tenable no

Nessus Manager uses SSL
through IIS for secure
communications. You
must configure SSL
through IIS in Hashicorp
Vault before enabling this
option.
Verify SSL Certificate All When enabled, Tenable no

Nessus Manager validates
the SSL certificate. You
must configure SSL
- 298 -
through IIS in Hashicorp
Vault before enabling this
option.
Database Port All The port on whichTenable yes

Nessus Manager com-
municates with the data-
base.
Auth Type Oracle The authentication yes

method for the database
credentials.
Valid values include:
l SYSDBA
l SYSOPER
l NORMAL
Service Type Oracle Valid values include: yes
l SID
l SERVICE_NAME
Service Oracle The SID value for your yes

database instance or a
SERVICE_NAME value.
The Service value you
enter must match your
parameter selection for
- 299 -
Lieberman
Lieberman is a popular enterprise password vault that helps you manage privileged credentials. Ten-
able Vulnerability Management can get credentials from Lieberman to use in a scan.
Option Database Type Description Required
Username All The target system’s username. yes
Lieberman host All The Lieberman IP/ DNS address. yes
Note: If your Lieberman installation is

in a subdirectory, you must include the
subdirectory path. For example, type
IP address or hostname / subdirectory
path.
Lieberman port All The port on which Lieberman listens. yes
Lieberman API All The URL Tenable Nessus Manager no

URL uses to access Lieberman.
Lieberman user All The Lieberman explicit user for authen- yes
ticating to the Lieberman API.
Lieberman pass- All The password for the Lieberman expli- yes
word cit user.
Lieberman All The alias used for the authenticator in no

Authenticator Lieberman. The name should match
the name used in Lieberman.
Note: If you use this option, append a

domain to the Lieberman user option,
i.e., domain\ user.
Lieberman Client All The file that contains the PEM cer- no
Certificate tificate used to communicate with the
Lieberman host.
- 300 -
Note: If you use this option, you do not

have to enter information in the Lieber-
man user, Lieberman password, and
Lieberman Authenticator fields.
Lieberman Client All The file that contains the PEM private no
Certificate Priv- key for the client certificate.
ate Key
Lieberman Client All The passphrase for the private key, if no

Certificate Priv- required.
ate Key Pass-
phrase
Use SSL All If Lieberman is configured to support no

SSL through IIS, check for secure com-
munication.
Verify SSL Cer- All If Lieberman is configured to support no

tificate SSL through IIS and you want to val-
idate the certificate, check this
option. Refer to Custom CA doc-
umentation for how to use self-signed
certificates.
System Name All In the rare case your organization uses no

one default Lieberman entry for all
managed systems, enter the default
entry name.
Database Port All The port on which Tenable Nessus yes

Manager communicates with the data-
base.
Database Name DB2 (PostgreSQL and DB2 databases only) no

The name of the database.
PostgreSQL
- 301-
Auth type Oracle (SQL Server, Oracle. and Sybase ASE yes
databases only)
SQL Server
SQL Server values include:
Sybase ASE
l Windows
l SQL
l SYSDBA
l SYSOPER
l NORMAL
Sybase ASE values include:
l RSA
l Plain Text
Instance Name SQL Server The name for your database instance. no
Service type Oracle Valid values include: no
l SID
l SERVICE_NAME
Service Oracle The SID value for your database yes

instance or a SERVICE_NAME value.
The Service value you enter must
match your parameter selection for
- 302 -
Host Credentials
Nessus supports the following forms of host authentication:
l SNMPv3
l Secure Shell (SSH)
l Windows
- 303 -
SNMPv3
Users can select SNMPv3 settings from the Credentials menu and enter credentials for scanning
systems using an encrypted network management protocol.
Use these credentials to obtain local information from remote systems, including network devices,
for patch auditing or compliance checks.
There is a field for entering the SNMPv3 username for the account that performs the checks on the
target system, along with the SNMPv3 port, security level, authentication algorithm and password,
and privacy algorithm and password.
If Nessus is unable to determine the community string or password, it may not perform a full audit
of the service.
Note: You cannot configure SNMPv3 settings for the Basic Network Scan template.
Option Description Default
Username (Required) The username for the SNMPv3 account -

that Tenable Nessus uses to perform checks on
the target system.
Port The TCP port that SNMPv3 listens on for com- 161
munications from Tenable Nessus.
Security level The security level for SNMP: Authentication

and privacy
l No authentication and no privacy
l Authentication without privacy
l Authentication and privacy
Authentication The algorithm the remove service supports: MD5 or SHA1

algorithm SHA1.
Authentication (Required) The password associated with the User- -

password name.
Privacy algorithm The encryption algorithm to use for SNMP traffic: AES
- 304 -
AES or DES.
Privacy password (Required) A password used to protect encrypted -

SNMP communication.
- 305 -
SSH
Use SSH credentials for host-based checks on Unix systems and supported network devices. Ten-
able Nessus uses these credentials to obtain local information from remote Unix systems for patch
auditing or compliance checks. Tenable Nessus uses Secure Shell (SSH) protocol version 2 based
programs (e.g., OpenSSH, Solaris SSH, etc.) for host-based checks.
Tenable Nessus encrypts the data to protect it from being viewed by sniffer programs.
Note: Non-privileged users with local access on Linux systems can determine basic security issues, such
as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system
configuration data or file permissions across the entire system, an account with root privileges is required.
Note: You can add up to 1000 SSH credentials in a single scan. For best performance, Tenable recom-
mends adding no more than 10 SSH credentials per scan.
See the following settings for the different SSH authentication methods:
Global Credential Settings
There are four settings for SSH credentials that apply to all SSH Authentication methods.
Option Default Value Description
known_hosts none If an SSH known_hosts file is available and provided as part

file of the Global Credential Settings of the scan policy in the
known_hosts file field, Tenable Nessus attempts to log into
hosts in this file. This can ensure that someone does not use
the same username and password you are using to audit
your known SSH servers to attempt a log into a system that
may not be under your control.
Preferred 22 You can set this option to direct Tenable Nessus to connect
port to SSH if it is running on a port other than 22.
Client ver- OpenSSH_5.0 Specifies which type of SSH client Tenable Nessus imper-
sion sonates while scanning.
Attempt Cleared Enables or disables dynamic privilege escalation. When
- 306 -
Option Default Value Description
least priv- enabled, Tenable Nessus attempts to run the scan with an
ilege account with lesser privileges, even if you enable the Elevate
privileges with option. If a command fails, Tenable Nessus
escalates privileges. Plugins 102095 and 102094 report which
plugins ran with or without escalated privileges.
Note: Enabling this option may increase scan run time by up to

30%.
Certificate
Option Description
Username Username of the account which is being used for authentication on the
host system.
User Certificate RSA or DSA certificate file of the user.
Private Key RSA or DSA private key of the user.
Private key pass- Passphrase of the private key.

phrase
Elevate privileges Allows for increasing privileges once authenticated.

with
CyberArk (Tenable Nessus Manager only)
able Nessus Manager can get credentials from CyberArk to use in a scan.
Web Service.
- 307 -

API connection.
Kerberos Target If enabled, Kerberos authentication is used to log in no

Authentication to the specified Linux or Unix target.
Key Distribution (Required if Kerberos Target Authentication is yes

Center (KDC) enabled.) This host supplies the session tickets for
the user.
KDC Port The port on which the Kerberos authentication API no

communicates. By default, Tenable uses 88.
KDC Transport The KDC uses TCP by default in Linux imple- no

mentations. For UDP, change this option. If you
need to change the KDC Transport value, you may
also need to change the port as the KDC UDP uses
either port 88 or 750 by default, depending on the
implementation.
Realm (Required if Kerberos Target Authentication is yes

enabled.) The Realm is the authentication domain,
usually noted as the domain name of the target (for
example, example.com). By default, Tenable Nes-
sus uses 443.
- 308 -





retrieved from.
Address The option should only be used if the Address value no

is unique to a single CyberArk account credential.

Ark API credential.
- 309 -
CyberArk (Legacy) (Tenable Nessus Manager only)
The following is the legacy CyberArk authentication method.
Option Description
Username The target system’s username.
CyberArk AIM The URL of the AIM service. By default, this field uses
Service URL /AIMWebservice/v1.1/AIM.asmx.
Central Cre- The CyberArk Central Credential Provider IP/ DNS address.
dential Provider
Host
Central Cre- The port on which the CyberArk Central Credential Provider is listening.
dential Provider
Port
Central Cre- If you configured the CyberArk Central Credential Provider to use basic
dential Provider authentication, you can fill in this field for authentication.
Username
Central Cre- If you configured the CyberArk Central Credential Provider to use basic
dential Provider authentication, you can fill in this field for authentication.
Password
Safe The safe on the CyberArk Central Credential Provider server that contained
the authentication information you would like to retrieve.
CyberArk Client The file that contains the PEM certificate used to communicate with the
Certificate CyberArk host.
CyberArk Client The file that contains the PEM private key for the client certificate.
Certificate Priv-
ate Key
CyberArk Client (Optional) The passphrase for the private key, if required.
Certificate Priv-
- 310 -
Option Description
ate Key Pass-

phrase
AppId The AppId that has been allocated permissions on the CyberArk Central Cre-
dential Provider to retrieve the target password.
Folder The folder on the CyberArk Central Credential Provider server that contains
PolicyId The PolicyID assigned to the credentials you would like to retrieve from the
CyberArk Central Credential Provider.
Use SSL If you configured the CyberArk Central Credential Provider to support SSL
through IIS, select this for secure communication.
Verify SSL Cer- Select this if you configured CyberArk Central Credential Provider to sup-
tificate port SSL through IIS and you want to validate the certificate. Refer to the
custom_CA.inc documentation for how to use self-signed certificates.
CyberArk The unique name of the credential you want to retrieve from CyberArk.
Account Details
Name
CyberArk The domain for the user account.

Address
CyberArk Elev- The privilege escalation method you want to use to increase the user's priv-
ate Privileges ileges after initial authentication. Your selection determines the specific
With options you must configure.
Kerberos
Kerberos, developed by MIT’s Project Athena, is a client/ server application that uses a symmetric
key encryption protocol. In symmetric encryption, the key used to encrypt the data is the same as
the key used to decrypt the data. Organizations deploy a KDC (Key Distribution Center) that contains
all users and services that require Kerberos authentication. Users authenticate to Kerberos by
requesting a TGT (Ticket Granting Ticket). Once you grant a user a TGT, the user can use it to
request service tickets from the KDC to be able to utilize other Kerberos based services. Kerberos
- 311-
uses the CBC (Cipher Block Chain) DES encryption protocol to encrypt all communications.
Note: You must already have a Kerberos environment established to use this method of authentication.
The Tenable Nessus implementation of Linux-based Kerberos authentication for SSH supports the
aes-cbc and aes-ctr encryption algorithms. An overview of how Tenable Nessus interacts with Ker-
beros is as follows:
l End user gives the IP of the KDC
l nessusd asks sshd if it supports Kerberos authentication
l sshd says yes
l nessusd requests a Kerberos TGT, along with login and password
l Kerberos sends a ticket back to nessusd
l nessusd gives the ticket to sshd
l nessusd is logged in
In both Windows and SSH credentials settings, you can specify credentials using Kerberos keys
from a remote system. There are differences in the configurations for Windows and SSH.
Option Description
Password Password of the username specified.
Key Dis- This host supplies the session tickets for the user.
tribution
Center (KDC)
KDC Port You can set this option to direct Tenable Nessus to connect to the KDC if it
is running on a port other than 88.
KDC Transport The KDC uses TCP by default in Linux implementations. For UDP, change
this option. If you need to change the KDC Transport value, you may also
need to change the port as the KDC UDP uses either port 88 or 750 by
default, depending on the implementation.
- 312 -
Option Description
Realm The Realm is the authentication domain, usually noted as the domain name
of the target (for example, example.com).
Elevate priv- Allows for increasing privileges once authenticated.

ileges with
If Kerberos is used, you must configure sshd with Kerberos support to verify the ticket with the
KDC. You must configure reverse DNS lookups properly for this to work. The Kerberos interaction
method must be gssapi-with-mic.
Password
Option Description
Password Password of the username specified.
Elevate priv- Allows for increasing privileges once authenticated.

ileges with
Custom pass- The password prompt used by the target host. Only use this setting when an
word prompt interactive SSH session fails due to Tenable Vulnerability Management receiv-
ing an unrecognized password prompt on the target host's interactive SSH
shell.
Public Key
Public Key Encryption, also referred to as asymmetric key encryption, provides a more secure
authentication mechanism by the use of a public and private key pair. In asymmetric cryptography,
Tenable Nessus uses the public key to encrypt data and Tenable Nessus uses the private key to
decrypt it. The use of public and private keys is a more secure and flexible method for SSH authen-
tication. Tenable Nessus supports both DSA and RSA key formats.
Like Public Key Encryption, Tenable Nessus supports RSA and DSA OpenSSH certificates. Tenable
Nessus also requires the user certificate, which is signed by a Certificate Authority (CA), and the
user’s private key.
- 313 -
Note: Tenable Nessus supports the openssh SSH public key format (pre-7.8 OpenSSH). Tenable Nessus
does not support the new OPENSSH format (OpenSSH versions 7.8+). To check which version you have,
check your private key contents. openssh shows -----BEGIN RSA PRIVATE KEY----- or -----BEGIN DSA
PRIVATE KEY-----, and the new, incompatible OPENSSH shows -----BEGIN OPENSSH PRIVATE KEY-----. You
must convert non-openssh formats, including PuTTY and SSH Communications Security, to the openssh
public key format.
The most effective credentialed scans are when the supplied credentials have root privileges. Since
many sites do not permit a remote login as root, Tenable Nessus can invoke su, sudo, su+sudo,
dzdo, .k5login, or pbrun with a separate password for an account that you set up to have su or sudo
privileges. In addition, Tenable Nessus can escalate privileges on Cisco devices by selecting Cisco
‘enable’ or .k5login for Kerberos logins.
Note: Tenable Nessus supports the blowfish-cbc, aes-cbc, and aes-ctr cipher algorithms. Some com-
mercial variants of SSH do not have support for the blowfish algorithm, possibly for export reasons. It is
also possible to configure an SSH server to accept certain types of encryption only. Check your SSH server
to ensure that it supports the correct algorithm.
Tenable Nessus encrypts all passwords stored in policies. However, Tenable recommends using
SSH keys for authentication rather than SSH passwords. This helps ensure that someone does not
use the same username and password you are using to audit your known SSH servers to attempt a
log into a system that may not be under your control.
Note: For supported network devices, Tenable Nessus only supports the network device’s username and
password for SSH connections.
If you have to use an account other than root for privilege escalation, you can specify it under the
Escalation account with the Escalation password.
Option Description
Username Username of the account which is being used for authentication on the
host system.
Private Key RSA or DSA private key of the user.
Private key pass- Passphrase of the private key.

phrase
- 314 -
Option Description
Elevate privileges Allows for increasing privileges once authenticated.

with
Thycotic Secret Server (Tenable Nessus Manager only)
Option Default Value
Username The username that is used to authenticate via ssh to the system.
(required)
Domain Set the domain the username is part of if using Windows credentials.
Thycotic Secret This is the value to store the secret as on the Thycotic server. It is referred
Name (required) to as the “Secret Name” on the Thycotic server.
Thycotic Secret Use this option to set the transfer method, target, and target directory for
Server URL the scanner. You can find this value in Admin > Configuration > Application
(required) Settings > Secret Server URL on the Thycotic server. For example consider
the following address https:/ / pw.mydomain.com/ SecretServer/ . We parse
this to know that HTTPS defines it is a ssl connection, pw.mydomain.com is
the target address, / SecretServer/ is the root directory.
Thycotic Login The username to authenticate to the Thycotic server.

Name (required)
Thycotic Pass- The password associated with the Thycotic Login Name.
word (required)
Thycotic Organ- Use this value in cloud instances of Thycotic to define which organization
ization your query should hit.
(required)
Thycotic This is an optional value set if you set the domain value for the Thycotic
Domain server.
(optional)
Private Key Use key based authentication for SSH connections instead of password.
(optional)
- 315 -
Verify SSL Cer- Verify if the SSL Certificate on the server is signed by a trusted CA.
tificate
Thycotic elev- The privilege escalation method you want to use to increase the user's priv-
ate privileges ileges after initial authentication. Tenable Nessus supports multiple options
with for privilege escalation, including su, su+sudo and sudo. Your selection
determines the specific options you must configure.
BeyondTrust (Tenable Nessus only)
Username (Required) The username to log in to the hosts you want to scan.
BeyondTrust (Required) The BeyondTrust IP address or DNS address.

host
BeyondTrust (Required) The port BeyondTrust is listening on.

port
BeyondTrust (Required) The API key provided by BeyondTrust.

API key
Checkout dur- (Required) The length of time, in minutes, that you want to keep credentials
ation checked out in BeyondTrust. Configure the Checkout duration to exceed
the typical duration of your Tenable Nessus scans. If a password from a pre-
vious scan is still checked out when a new scan begins, the new scan fails.
Note: Configure the password change interval in BeyondTrust so that password

changes do not disrupt your Tenable Nessus scans. If BeyondTrust changes a
password during a scan, the scan fails.
Use SSL If enabled, Tenable Nessus uses SSL through IIS for secure com-
munications. You must configure SSL through IIS in BeyondTrust before
enabling this option.
Verify SSL cer- If enabled, Tenable Nessus validates the SSL certificate. You must con-
tificate figure SSL through IIS in BeyondTrust before enabling this option.
- 316 -
Use private key If enabled, Tenable Nessus uses private key-based authentication for SSH
connections instead of password authentication. If it fails, Tenable Nessus
requests the password.
Use privilege If enabled, BeyondTrust uses the configured privilege escalation command.
escalation If it returns something, it uses it for the scan.
Lieberman (Tenable Nessus Manager only)
Username The target system’s username. yes
Lieberman host The Lieberman IP/ DNS address. yes
Note: If your Lieberman installation is in a subdirectory, you

must include the subdirectory path. For example, type IP
address or hostname / subdirectory path.
Lieberman port The port on which Lieberman listens. yes
Lieberman API The URL Tenable Nessus uses to access Lieberman. no

URL
Lieberman user The Lieberman explicit user for authenticating to the yes
Lieberman RED API.
Lieberman pass- The password for the Lieberman explicit user. yes
word
Lieberman The alias used for the authenticator in Lieberman. The no

Authenticator name should match the name used in Lieberman.
Note: If you use this option, append a domain to the Lieber-

man user option, i.e., domain\ user.
Lieberman Client The file that contains the PEM certificate used to com- no
Certificate municate with the Lieberman host.
- 317 -
Note: If you use this option, you do not have to enter inform-
ation in the Lieberman user, Lieberman password, and
Lieberman Authenticator fields.
Lieberman Client The file that contains the PEM private key for the client no
Certificate Priv- certificate.
ate Key
Lieberman Client The passphrase for the private key, if required. no

Certificate Priv-
ate Key Pass-
phrase
Use SSL If Lieberman is configured to support SSL through IIS, no

check for secure communication.
Verify SSL Cer- If Lieberman is configured to support SSL through IIS and no
tificate you want to validate the certificate, check this option.
Refer to Custom CA documentation for how to use self-
signed certificates.
System Name In the rare case your organization uses one default Lieber- no
man entry for all managed systems, enter the default
entry name.
Custom pass- The password prompt used by the target host. Only use no
word prompt this setting when an interactive SSH session fails due to
Tenable Nessus receiving an unrecognized password
prompt on the target host's interactive SSH shell.
Wallix Bastion (Tenable Nessus Manager only)
WALLIX Host The IP address for the WALLIX Bastion host. yes
WALLIX Port The port on which the WALLIX Bastion API com- yes
- 318 -
municates. By default, Tenable uses 443.
Authentication Type Basic authentication (with WALLIX Bastion user no

interface username and Password requirements)
or API Key authentication (with username and
WALLIX Bastion-generated API key require-
ments).
WALLIX User Your WALLIX Bastion user interface login user- yes
name.
WALLIX Password Your WALLIX Bastion user interface login pass- yes
word. Used for Basic authentication to the API.
WALLIX API Key The API key generated in the WALLIX Bastion yes
user interface. Used for API Key authentication
to the API.
Get Credential by The account name associated with a Device you Required only if
Device Account Name want to log in to the target systems with. you have a tar-
get and/ or
Note: If your device has more than one account device with mul-
you must enter the specific device name for the
account you want to retrieve credentials for. Fail-
tiple accounts.
ure to do this may result in credentials for the
wrong account returned by the system.
HTTPS This is enabled by default. yes
Caution: The integration fails if you disable

HTTPS.
Verify SSL Certificate This is disabled by default and is not supported no

in WALLIX Bastion PAM integrations.
Elevate privileges with This enables WALLIX Bastion Privileged Access Required if you
Management (PAM). Use the drop-down menu to wish to escalate
- 319 -
select the privilege elevation method. To bypass privileges.

this function, leave this field set to Nothing.
Caution: In your WALLIX Bastion account, the

WALLIX Bastion super admin must have enabled
"credential recovery" on your account for PAM to
be enabled. Otherwise, your scan may not return
any results. For more information, see your
WALLIX Bastion documentation.
Note: Multiple options for privilege escalation are

supported, including su, su+sudo and sudo. For
example, if you select sudo, more fields for sudo
user, Escalation Account Name, and Location of
su and sudo (directory) are provided and can be
completed to support authentication and privilege
escalation through WALLIX Bastion PAM. The
Escalation Account Name field is then required to
complete your privilege escalation.
Note: For more information about supported priv-

ilege escalation types and their accompanying
fields, see the Tenable Nessus User Guide.
Database The TCP port that the Oracle database instance no

Port listens on for communications from. The default
is port 1521.
Auth Type The type of account you want Tenable to use to no

access the database instance:
l SYSDBA
l SYSOPER
l NORMAL
Service Type The Oracle parameter you want to use to specify no
- 320 -
the database instance: SID or SERVICE_NAME.
Service The SID value or SERVICE_NAME value for your yes

database instance.
The Service value you enter must match your

parameter selection for the Service Type option.
HashiCorp Vault (Tenable Nessus Manager only)
Option Default Value Required
Hashicorp Vault (Required) The Hashicorp Vault IP address or DNS yes

host address.
Note: If your Hashicorp Vault installation is in a sub-

directory, you must include the subdirectory path. For
example, type IP address or hostname/sub-
directory path.
Hashicorp Vault (Required) The port on which Hashicorp Vault listens. yes
port
Hashicorp Vault API The URL Tenable Nessus Manager uses to access yes
URL Hashicorp Vault.
Authentication Type Specifies the authentication type for connecting to yes

the instance: App Role or Certificates.
If you select Certificates, additional options for

Hashicorp Client Certificate and Hashicorp Client Cer-
tificate Private Key appear. Click Add File to select
files for the client certificate and private key.
Role ID Required if you select App Role for Authentication yes

Type. The GUID provided by Hashicorp Vault when you
- 321-
Role Secret ID Required if you select App Role for Authentication yes
Type. The GUID generated by Hashicorp Vault when
you configured your App Role.
Authentication URL The URL Tenable Nessus Manager uses to access yes
Hashicorp Vault.
Namespace The name of a specified team in a multi-team envir- no

onment. For more information about multi-team envir-
onments, see the Hashicorp documentation.
KV Engine URL The URL Tenable Nessus Manager uses to access the yes
Hashicorp Vault secrets engine.
Username Source Specifies if the username is input manually or pulled yes

Username Key The name in Hashicorp Vault that usernames are yes
stored under.
Password Key The key in Hashicorp Vault that passwords are stored yes
under.
Secret Name The key secret you want to retrieve values for. yes
Use SSL When enabled, Tenable Nessus Manager uses SSL no

through IIS for secure communications. You must con-
figure SSL through IIS in Hashicorp Vault before
Verify SSL When enabled, Tenable Nessus Manager validates the no

SSL certificate. You must configure SSL through IIS
in Hashicorp Vault before enabling this option.
Enable for Enables/ disables IBM DataPower Gateway use with yes
Hashicorp Vault Hashicorp Vault.
Elevate privileges Use a privilege escalation method such as su or sudo Required if

with (SSH) to use extra privileges when scanning. you wish to
- 322 -
Note: Tenable supports multiple options for privilege escalate priv-
escalation, including su, su+sudo and sudo. For ileges.
example, if you select sudo, more fields for sudo user,
Escalation Account Name, and Location of sudo (dir-
ectory) are provided and can be completed to support
authentication and privilege escalation through
Hashicorp Vault.
Note: For more information about supported privilege

escalation types and their accompanying fields, see the
Nessus User Guide and the Tenable Vulnerability Man-
agement User Guide.
Escalation account If the escalation account has a different username or no

secret name (SSH) password from the least privileged user, enter the cre-
dential ID or identifier for the escalation account cre-
dential here.
Centrify (Tenable Nessus Manager only)
Centrify Host (Required) The Centrify IP address or DNS address.
Note: If your Centrify installation is in a subdirectory, you must include the

subdirectory path. For example, type IP address or hostname/sub-
directory path.
Centrify Port The port on which Centrify listens.
API User (Required) The API user provided by Centrify
API Key (Required) The API key provided by Centrify.
Tenant The name of a specified team in a multi-team environment.
Authentication The URL Tenable Nessus Manager uses to access Centrify.

URL
Password Engine The name of a specified team in a multi-team environment.
- 323 -
URL
Checkout Dur- The length of time, in minutes, that you want to keep credentials checked
ation out in Centrify.
Configure the Checkout Duration to exceed the typical duration of your

Tenable Nessus Manager scans. If a password from a previous scan is still
checked out when a new scan begins, the new scan fails.
Note: Configure the password change interval in Centrify so that password

changes do not disrupt your Tenable Nessus Manager scans. If Centrify
changes a password during a scan, the scan fails.
Use SSL When enabled, Tenable Nessus Manager uses SSL through IIS for secure
communications. You must configure SSL through IIS in Centrify before
Verify SSL When enabled, Tenable Nessus Manager validates the SSL certificate.
You must configure SSL through IIS in Centrify before enabling this
option.
Arcon (Tenable Nessus Manager only)
Arcon host (Required) The Arcon IP address or DNS address.
Note: If your Arcon installation is in a subdirectory, you must

include the subdirectory path. For example, type IP address or
hostname/ subdirectory path.
Arcon port The port on which Arcon listens.
API User (Required) The API user provided by Arcon.
API Key (Required) The API key provided by Arcon.
- 324 -
Authentication URL The URL Tenable Nessus Manager uses to access Arcon.
Password Engine URL The URL Tenable Nessus Manager uses to access the pass-
words in Arcon.
Username (Required) The username to log in to the hosts you want to

scan.
Checkout Duration (Required) The length of time, in hours, that you want to
keep credentials checked out in Arcon.
Configure the Checkout Duration to exceed the typical dur-

ation of your Tenable Vulnerability Management scans. If a
password from a previous scan is still checked out when a
new scan begins, the new scan fails.
Note: Configure the password change interval in Arcon so that

password changes do not disrupt your Tenable Vulnerability
Management scans. If Arcon changes a password during a
scan, the scan fails.
Use SSL When enabled, Tenable Nessus Manager uses SSL through
IIS for secure communications. You must configure SSL
through IIS in Arcon before enabling this option.
Verify SSL When enabled, Tenable Nessus Manager validates the SSL
certificate. You must configure SSL through IIS in Arcon
before enabling this option.
Windows
The Windows credentials menu item has settings to provide Nessus with information such as SMB
account name, password, and domain name. By default, you can specify a username, password, and
domain with which to log in to Windows hosts. Also, Nessus supports several different types of
authentication methods for Windows-based systems.
Regarding the authentication methods:
- 325 -
l The Lanman authentication method was prevalent on Windows NT and early Windows 2000
server deployments. It is retained for backward compatibility.
l The NTLM authentication method, introduced with Windows NT, provided improved security
over Lanman authentication. The enhanced version, NTLMv2, is cryptographically more secure
than NTLM and is the default authentication method chosen by Nessus when attempting to
log into a Windows server. NTLMv2 can use SMB Signing.
l SMB signing is a cryptographic checksum applied to all SMB traffic to and from a Windows
server. Many system administrators enable this feature on their servers to ensure that remote
users are 100% authenticated and part of a domain. In addition, make sure you enforce a
policy that mandates the use of strong passwords that cannot be easily broken via dictionary
attacks from tools like John the Ripper and L0phtCrack. It is automatically used by Nessus if
the remote Windows server requires it. There have been many different types of attacks
against Windows security to illicit hashes from computers for re-use in attacking servers.
SMB Signing adds a layer of security to prevent these man-in-the-middle attacks.
l The SPNEGO(Simple and Protected Negotiate) protocol provides Single Sign On (SSO) cap-
ability from a Windows client to various protected resources via the users’ Windows login cre-
dentials. Nessus supports use of SPNEGOScans and Policies: Scans 54 of 151with either
NTLMSSP with LMv2 authentication or Kerberos and RC4 encryption. SPNEGOauthentication
happens through NTLM or Kerberos authentication; nothing needs to be configured in the Nes-
sus policy.
l If an extended security scheme (such as Kerberos or SPNEGO) is not supported or fails, Nes-
sus attempts to log in via NTLMSSP/ LMv2 authentication. If that fails, Nessus then attempts
to log in using NTLM authentication.
l Nessus also supports the use of Kerberos authentication in a Windows domain. To configure
this, the IP address of the Kerberos Domain Controller (actually, the IP address of the Win-
dows Active Directory Server) must be provided.
Server Message Block (SMB) is a file-sharing protocol that allows computers to share information
across the network. Providing this information to Nessus allows it to find local information from a
remote Windows host. For example, using credentials enables Nessus to determine if important
security patches have been applied. It is not necessary to modify other SMB parameters from
default settings.
- 326 -
The SMB domain setting is optional and Nessus is able to log on with domain credentials without
this setting. The username, password, and optional domain refer to an account that the target
machine is aware of. For example, given a username of joesmith and a password of my4x4mpl3, a
Windows server first looks for this username in the local system’s list of users, and then determines
if it is part of a domain.
Regardless of credentials used, Nessus always attempts to log into a Windows server with the fol-
lowing combinations:
l Administrator without a password
l A random username and password to test Guest accounts
l No username or password to test null sessions
The actual domain name is only required if an account name is different on the domain from that on
the computer. It is entirely possible to have an Administrator account on a Windows server and
within the domain. In this case, to log on to the local server, use the username of Administrator with
the password of that account. To log on to the domain, use the Administrator username with the
domain password and the name of the domain.
When multiple SMB accounts are configured, Nessus tries to log in with the supplied credentials
sequentially. Once Nessus is able to authenticate with a set of credentials, it checks subsequent
credentials supplied, but only use them if administrative privileges are granted when previous
accounts provided user access.
Some versions of Windows allow you to create a new account and designate it as an administrator.
These accounts are not always suitable for performing credentialed scans. Tenable recommends
that the original administrative account, named Administrator be used for credentialed scanning to
ensure full access is permitted. On some versions of Windows, this account may be hidden. The real
administrator account can be unhidden by running a DOS prompt with administrative privileges and
typing the following command:
C:\> net user administrator /active:yes
If an SMB account is created with limited administrator privileges, Nessus can easily and securely
scan multiple domains. Tenable recommends that network administrators consider creating spe-
cific domain accounts to facilitate testing. Nessus includes various security checks for Windows 10,
11, Windows Server 2012, Server 2012 R2, Server 2016, Server 2019, and Server 2022 that are more
- 327 -
accurate if you provide a domain account. Nessus attempts to try several checks if no account is
provided.
Note: The Windows Remote Registry service allows remote computers with credentials to
access the registry of the computer being audited. If the service is not running, reading keys
and values from the registry is not possible, even with full credentials. This service must be star-
ted for a Nessus credentialed scan to fully audit a system using credentials.
For more information, see the Tenable blog post.
Credentialed scans on Windows systems require that you use a full administrator level account.
Several bulletins and software updates by Microsoft have made reading the registry to determine
software patch level unreliable without administrator privileges, but not all of them. Nessus plugins
check that the provided credentials have full administrative access to ensure they execute properly.
For example, full administrative access is required to perform direct reading of the file system. This
allows Nessus to attach to a computer and perform direct file analysis to determine the true patch
level of the systems being evaluated.
- 328 -
Authentication Methods
Never send cre- Enabled For security reasons, Windows credentials are not sent in
dentials in the the clear by default.
clear
Do not use Enabled If this option is disabled, then it is theoretically possible

NTLMv1authen- to trick Nessus into attempting to log into a Windows
tication server with domain credentials via the NTLM version 1pro-
tocol. This provides the remote attacker with the ability
to use a hash obtained from Nessus. This hash can be
potentially cracked to reveal a username or password. It
may also be used to log into other servers directly. Force
Nessus to use NTLMv2 by enabling the Only use NTLMv2
setting at scan time. This prevents a hostile Windows
server from using NTLM and receiving a hash. Because
NTLMv1is an insecure protocol this option is enabled by
default.
Start the Remote Disabled This option tells Nessus to start the Remote Registry ser-
Registry service vice on computers being scanned if it is not running. This
during the scan service must be running for Nessus to execute some Win-
dows local check plugins.
Enable admin- Disabled This option allows Nessus to access the ADMIN$ and C$
istrative shares administrative shares, which can be read with admin-
during the scan istrator privileges.
Caution: The administrative shares have to be enabled for

this setting to work properly. For most operating systems,
ADMIN$ and C$ are enabled by default. However, Windows
10, Windows 11, and later Windows versions disable ADMIN$
- 329 -
by default. Therefore, you need to manually enable ADMIN$

in Windows environments in addition to using this setting
for full access to the registry entries. For more information,
see https:/ / support.microsoft.com/ kb/ 842715/ en-us.
Start the Server Disabled When enabled, the scanner temporarily enables the Win-
service during the dows Server service, which allows the computer to share
scan files and other devices on a network. The service is dis-
abled after the scan completes.
By default, Windows systems have the Windows Server

service enabled, which means you do not need to enable
this setting. However, if you disable the Windows Server
service in your environment, and want to scan using SMB
credentials, you must enable this setting so that the scan-
ner can access files remotely.
CyberArk (Nessus Manager only)
CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Nes-
sus Manager can get credentials from CyberArk to use in a scan.
Web Service. This can be the host, or the host with
a custom URL added on in a single string.


API connection.
- 330 -
Kerberos Target If enabled, Kerberos authentication is used to log in no

Authentication to the specified Linux or Unix target.
Key Distribution (Required if Kerberos Target Authentication is yes

Center (KDC) enabled.) This host supplies the session tickets for
the user.
KDC Port The port on which the Kerberos authentication API no

communicates. By default, Tenable uses 88.
KDC Transport The KDC uses TCP by default in Linux imple- no

mentations. For UDP, change this option. If you
need to change the KDC Transport value, you may
also need to change the port as the KDC UDP uses
either port 88 or 750 by default, depending on the
implementation.
Domain (Required if Kerberos Target Authentication is yes

enabled.) The domain to which Kerberos Target
Authentication belongs, if applicable.


- 331-



retrieved from.
Address The option should only be used if the Address value no

is unique to a single CyberArk account credential.

Ark API credential.
CyberArk (Legacy) (Nessus Manager only)
CyberArk is a popular enterprise password vault that helps you manage privileged credentials. Nes-
sus Manager can get credentials from CyberArk to use in a scan.
Option Description
- 332 -
Option Description
CyberArk AIM The URL of the AIM service. By default, this setting uses
Service URL /AIMWebservice/v1.1/AIM.asmx.
Central Cre- The CyberArk Central Credential Provider IP/ DNS address.
dential Provider
Host
Central Cre- The port on which the CyberArk Central Credential Provider is listening.
dential Provider
Port
Central Cre- If the CyberArk Central Credential Provider is configured to use basic
dential Provider authentication, you can fill in this setting for authentication.
Username
Central Cre- If the CyberArk Central Credential Provider is configured to use basic
dential Provider authentication, you can fill in this setting for authentication.
Password
Safe The safe on the CyberArk Central Credential Provider server that contained
CyberArk Client The file that contains the PEM certificate used to communicate with the
Certificate CyberArk host.
CyberArk Client The file that contains the PEM private key for the client certificate.
Certificate Priv-
ate Key
CyberArk Client The passphrase for the private key, if required.

Certificate Priv-
ate Key Pass-
phrase
AppId The AppId that has been allocated permissions on the CyberArk Central Cre-
dential Provider to retrieve the target password.
- 333 -
Option Description
Folder The folder on the CyberArk Central Credential Provider server that contains
PolicyId The PolicyID assigned to the credentials you would like to retrieve from the
CyberArk Central Credential Provider.
Use SSL If CyberArk Central Credential Provider is configured to support SSL

through IIS check for secure communication.
Verify SSL Cer- If CyberArk Central Credential Provider is configured to support SSL
tificate through IIS and you want to validate the certificate check this. Refer to cus-
tom_CA.inc documentation for how to use self-signed certificates.
CyberArk The unique name of the credential you want to retrieve from CyberArk.
Account Details
Name
Kerberos
Password none Like with other credentials methods, this is the user pass-
word on the target system. This is a required setting.
Key Dis- none This host supplies the session tickets for the user. This is a
tribution required setting.
Center (KDC)
KDC Port 88 You can configure this setting to direct Nessus to connect to
the KDC if it is running on a port other than 88.
KDC Transport TCP If you need to change the KDC Transport value, you may also
need to change the port as the KDC UDP uses either port 88
or 750 by default, depending on the implementation.
Domain none The Windows domain that the KDC administers. This is a
required setting.
- 334 -
LM Hash
Option Description
Hash The hash to use.
Domain The Windows domain of the specified user’s name.
NTLM Hash
Option Description
Hash The hash to use.
Domain The Windows domain of the specified user’s name.
Thycotic Secret Server (Tenable Nessus Manager only)
Username (Required) The username for a user on the target system.
Domain The domain of the username, if set on the Thycotic server.
Thycotic Secret (Required) The Secret Name value on the Thycotic server.
Name
Thycotic Secret (Required) The value you want Tenable Nessus to use when setting the
Server URL transfer method, target, and target directory for the scanner. Find the value
on the Thycotic server, in Admin > Configuration > Application Settings >
Secret Server URL.
For example, if you type https:/ / pw.mydomain.com/ SecretServer, Tenable

Nessus determines it is an SSL connection, that pw.mydomain.com is the
target address, and that / SecretServer is the root directory.
- 335 -
Thycotic Login (Required) The username for a user on the Thycotic server.
Name
Thycotic Pass- (Required) The password associated with the Thycotic Login Name you
word provided.
Thycotic Organ- In cloud instances of Thycotic, the value that identifies which organization
ization the Tenable Nessus query should target.
Thycotic The domain, if set for the Thycotic server.

Domain
Private Key If enabled, Tenable Nessus uses key-based authentication for SSH con-
nections instead of password authentication.
Verify SSL Cer- If enabled, Tenable Nessus verifies the SSL Certificate on the Thycotic
tificate server.
For more information about using self-signed certificates, see Custom SSL
Server Certificates.
BeyondTrust (Tenable Nessus Manager only)
Domain The domain of the username, if required by BeyondTrust.
BeyondTrust (Required) The BeyondTrust IP address or DNS address.

host
BeyondTrust (Required) The port BeyondTrust is listening on.

port
BeyondTrust (Required) The API key provided by BeyondTrust.

API key
Checkout dur- (Required) The length of time, in minutes, that you want to keep credentials
- 336 -
ation checked out in BeyondTrust. Configure the Checkout duration to exceed

the typical duration of your Nessus scans. If a password from a previous
scan is still checked out when a new scan begins, the new scan fails.
Note: Configure the password change interval in BeyondTrust so that password

changes do not disrupt your Nessus scans. If BeyondTrust changes a password
during a scan, the scan fails.
Use SSL If enabled, Nessus uses SSL through IIS for secure communications. You
must configure SSL through IIS in BeyondTrust before enabling this option.
Verify SSL cer- If enabled, Nessus validates the SSL certificate. You must configure SSL
tificate through IIS in BeyondTrust before enabling this option.
Use private key If enabled, Nessus uses private key-based authentication for SSH con-
nections instead of password authentication. If it fails, the password is
requested.
Use privilege If enabled, BeyondTrust uses the configured privilege escalation command.
escalation If it returns something, it uses it for the scan.
Lieberman (Tenable Nessus Manager only)
Username The target system’s username. yes
Domain The domain, if the username is part of a no

domain.
Lieberman host The Lieberman IP/ DNS address. yes
Note: If your Lieberman installation is in a

subdirectory, you must include the sub-
directory path. For example, type IP address
or hostname / subdirectory path.
- 337 -
Lieberman port The port on which Lieberman listens. yes
Lieberman API URL The URL Tenable Nessus uses to access no

Lieberman.
Lieberman user The Lieberman explicit user for authen- yes

ticating to the Lieberman RED API.
Lieberman password The password for the Lieberman explicit yes

user.
Lieberman Authenticator The alias used for the authenticator in no

Lieberman. The name should match the
name used in Lieberman.
Note: If you use this option, append a domain

to the Lieberman user option, i.e.,
domain\ user.
Lieberman Client Certificate The file that contains the PEM certificate no
used to communicate with the Lieberman
host.
Note: If you use this option, you do not have

to enter information in the Lieberman user,
Lieberman password, and Lieberman
Authenticator fields.
Lieberman Client Certificate The file that contains the PEM private key no
Private Key for the client certificate.
Lieberman Client Certificate The passphrase for the private key, if no

Private Key Passphrase required.
Use SSL If Lieberman is configured to support SSL no

through IIS, check for secure com-
munication.
- 338 -
Verify SSL Certificate If Lieberman is configured to support SSL no

through IIS and you want to validate the cer-
tificate, check this. Refer to custom_CA.inc
documentation for how to use self-signed
certificates.
System Name In the rare case your organization uses one no

default Lieberman entry for all managed sys-
tems, enter the default entry name.
Wallix Bastion (Tenable Nessus Manager only)
WALLIX Host The IP address for the WALLIX Bastion host. yes
WALLIX Port The port on which the WALLIX Bastion API com- yes
municates. By default, Tenable uses 443.
Authentication Type Basic authentication (with WALLIX Bastion user no

interface username and Password requirements)
or API Key authentication (with username and
WALLIX Bastion-generated API key require-
ments).
WALLIX User Your WALLIX Bastion user interface login user- yes
name.
WALLIX Password Your WALLIX Bastion user interface login pass- yes
word. Used for Basic authentication to the API.
WALLIX API Key The API key generated in the WALLIX Bastion yes
user interface. Used for API Key authentication
to the API.
Get Credential by The account name associated with a Device you Required only if
Device Account Name want to log in to the target systems with.
- 339 -
Note: If your device has more than one account you have a tar-
you must enter the specific device name for the get and/ or
account you want to retrieve credentials for. Fail- device with mul-
ure to do this may result in credentials for the
tiple accounts.
wrong account returned by the system.
HTTPS This is enabled by default. yes
Caution: The integration fails if you disable

HTTPS.
Verify SSL Certificate This is disabled by default and is not supported no

in WALLIX Bastion PAM integrations.
Elevate privileges with This enables WALLIX Bastion Privileged Access Required if you
Management (PAM). Use the drop-down menu to wish to escalate
select the privilege elevation method. To bypass privileges.
this function, leave this field set to Nothing.
Caution: In your WALLIX Bastion account, the

WALLIX Bastion super admin must have enabled
"credential recovery" on your account for PAM to
be enabled. Otherwise, your scan may not return
any results. For more information, see your
WALLIX Bastion documentation.
Note: Multiple options for privilege escalation are

supported, including su, su+sudo and sudo. For
example, if you select sudo, more fields for sudo
user, Escalation Account Name, and Location of
su and sudo (directory) are provided and can be
completed to support authentication and privilege
escalation through WALLIX Bastion PAM. The
Escalation Account Name field is then required to
complete your privilege escalation.
Note: For more information about supported priv-
- 340 -
ilege escalation types and their accompanying

fields, see the Tenable Nessus User Guide.
Database The TCP port that the Oracle database instance no

Port listens on for communications from. The default
is port 1521.
Auth Type The type of account you want Tenable to use to no

access the database instance:
l SYSDBA
l SYSOPER
l NORMAL
Service Type The Oracle parameter you want to use to specify no

the database instance: SID or SERVICE_NAME.
Service The SID value or SERVICE_NAME value for your yes

database instance.
The Service value you enter must match your

parameter selection for the Service Type option.
HashiCorp Vault (Tenable Nessus Manager only)
Hashicorp Vault host (Required) The Hashicorp Vault IP address or DNS yes
address.
Note: If your Hashicorp Vault installation is in a sub-

directory, you must include the subdirectory path. For
example, type IP address or hostname/ subdirectory
path.
Hashicorp Vault port The port on which Hashicorp Vault listens. yes
- 341-
Authenticaton Type Specifies the authentication type for connecting to yes

the instance: App Role or Certificates.
If you select Certificates, additional options for

Hashicorp Client Certificate and Hashicorp Client
Certificate Private Key appear. Click Add File to
select files for the client certificate and private key.
Role ID Required if you select App Role for Authentication yes

Type. The GUID provided by Hashicorp Vault when
Role Secret ID Required if you select App Role for Authentication yes
Type. The GUID generated by Hashicorp Vault when
Authentication URL The URL Tenable Nessus Manager uses to access yes
Hashicorp Vault.
Namespace The name of a specified team in a multi-team envir- no

onment. For more information about multi-team
environments, see the Hashicorp documentation.
KV Engine URL The URL Tenable Nessus Manager uses to access yes
the Hashicorp Vault secrets engine.
Username Source Specifies if the username is input manually or pulled yes

Username Key The name in Hashicorp Vault that usernames are yes
stored under.
Password Key The key in Hashicorp Vault that passwords are yes
stored under.
Secret Name (Required) The key secret you want to retrieve val- yes
ues for.
- 342 -
Use SSL When enabled, Tenable Nessus Manager uses SSL no

through IIS for secure communications. You must
configure SSL through IIS in Hashicorp Vault before
Verify SSL When enabled, Tenable Nessus Manager validates no

the SSL certificate. You must configure SSL through
IIS in Hashicorp Vault before enabling this option.
Centrify (Tenable Nessus Manager only)
Centrify Host (Required) The Centrify IP address or DNS address.
Note: If your Centrify installation is in a subdirectory, you must include the

subdirectory path. For example, type IP address or hostname/sub-
directory path.
Centrify Port The port on which Centrify listens.
API User (Required) The API user provided by Centrify
API Key (Required) The API key provided by Centrify.
Tenant The name of a specified team in a multi-team environment.
Authentication The URL Tenable Nessus Manager uses to access Centrify.

URL
Password Engine The name of a specified team in a multi-team environment.

URL
Checkout Dur- The length of time, in minutes, that you want to keep credentials checked
ation out in Centrify.
- 343 -
Configure the Checkout Duration to exceed the typical duration of your

Tenable Nessus Manager scans. If a password from a previous scan is still
checked out when a new scan begins, the new scan fails.
Note: Configure the password change interval in Centrify so that password

changes do not disrupt your Tenable Nessus Manager scans. If Centrify
changes a password during a scan, the scan fails.
Use SSL When enabled, Tenable Nessus Manager uses SSL through IIS for secure
communications. You must configure SSL through IIS in Centrify before
Verify SSL When enabled, Tenable Nessus Manager validates the SSL certificate.
You must configure SSL through IIS in Centrify before enabling this
option.
Arcon (Tenable Nessus Manager only)
Arcon host (Required) The Arcon IP address or DNS address.
Note: If your Arcon installation is in a subdirectory, you must

include the subdirectory path. For example, type IP address or
hostname/ subdirectory path.
Arcon port The port on which Arcon listens.
API User (Required) The API user provided by Arcon.
API Key (Required) The API key provided by Arcon.
Authentication URL The URL Tenable Nessus Manager uses to access Arcon.
Password Engine URL The URL Tenable Nessus Manager uses to access the pass-
words in Arcon.
Username (Required) The username to log in to the hosts you want to
- 344 -
scan.
Checkout Duration (Required) The length of time, in hours, that you want to
keep credentials checked out in Arcon.
Configure the Checkout Duration to exceed the typical dur-

ation of your Tenable Vulnerability Management scans. If a
password from a previous scan is still checked out when a
new scan begins, the new scan fails.
Note: Configure the password change interval in Arcon so that

password changes do not disrupt your Tenable Vulnerability
Management scans. If Arcon changes a password during a
scan, the scan fails.
Use SSL When enabled, Tenable Nessus Manager uses SSL through
IIS for secure communications. You must configure SSL
through IIS in Arcon before enabling this option.
Verify SSL When enabled, Tenable Nessus Manager validates the SSL
certificate. You must configure SSL through IIS in Arcon
before enabling this option.
- 345 -
Miscellaneous Credentials
This section includes information and settings for credentials in the Miscellaneous section.
ADSI
ADSI requires the domain controller information, domain, and domain admin and password.
ADSI allows Tenable Nessus to query an ActiveSync server to determine if any Android or iOS-based
devices are connected. Using the credentials and server information, Tenable Nessus authenticates
to the domain controller (not the Exchange server) to directly query it for device information. These
settings are required for mobile device scanning and Active Directory Starter Scans.
Tenable Nessus supports obtaining the mobile information from Exchange Server 2010 and 2013
only.
Domain Con- (Required) The name of the domain controller for Act- -
troller iveSync.
Domain (Required) The name of the NetBIOS domain for ActiveSync. -
Domain Admin (Required) The domain administrator's username. -
Domain Pass- (Required) The domain administrator's password. -

word
Nessus supports obtaining the mobile information from Exchange Server 2010 and 2013 only; Nes-
sus cannot retrieve information from Exchange Server 2007.
F5
Username (Required) The username for the scanning F5 account that -

Tenable Nessus uses to perform checks on the target system.
Password (Required) The password for the F5 user. -
Port (Required) The TCP port that F5 listens on for com- 443
- 346 -
HTTPS When enabled, Tenable Nessus connects using secure com- enabled
munication (HTTPS).
When disabled, Tenable Nessus connects using

standard HTTP.
Verify SSL When enabled, Tenable Nessus verifies that the enabled
Certificate SSL certificate on the server is signed by a trusted CA.
Tip: If you are using a self-signed certificate, disable this setting.
IBM iSeries
Username (Required) The username for the IBM iSeries account that Ten- -
able Nessus uses to perform checks on the target system.
Password (Required) The password for the IBM iSeries user. -
Netapp API
Username (Required) The username for the Netapp API account with -
HTTPS access that Tenable Nessus uses to perform checks on
the target system.
Password (Required) The password for the Netapp API user. -
vFiler The vFiler nodes to scan for on the target systems. -
To limit the audit to a single vFiler, type the name of the vFiler.
To audit for all discovered Netapp virtual filers (vFilers) on tar-

get systems, leave the field blank.
Port (Required) The TCP port that Netapp API listens on for com- 443
- 347 -
Nutanix Prism
Nutanix Host (Required) Hostname or IP address of the Nutanix -

Prism Central host.
Nutanix Port (Required) The TCP port that the Nutanix Prism Cen- 9440
tral host listens on for communications from Ten-
able.
Username (Required) Username used for authentication to the -

Nutanix Prism Central host.
Password (Required) Password used for authentication to the -

Nutanix Prism Central host.
Discover Host This option adds any discovered Nutanix Prism Cen- -
tral hosts to the scan targets to be scanned.
Discover Virtual This option adds any discovered Nutanix Prism Cen- -
Machines tral Virtual Machines to the scan targets to be
scanned.
HTTPS When enabled, Tenable Nessus connects using enabled

secure communication (HTTPS).

standard HTTP.
Verify SSL Certificate When enabled, Tenable Nessus verifies that the enabled
SSL certificate on the server is signed by a trusted
CA.
Tip: If you are using a self-signed certificate, disable

this setting.
OpenStack
- 348 -
Username (Required) The username for the OpenStack account that -

Tenable Nessus uses to perform checks on the target sys-
tem.
Password (Required) The password for the OpenStack user. -
Tenant Name for (Required) The name of the specific tenant the scan uses admin
Authentication to authenticate.
Port (Required) The TCP port that OpenStack listens on for 443
communications from Tenable Nessus.
HTTPS When enabled, Tenable Nessus connects using secure enabled

communication (HTTPS).

standard HTTP.
Verify SSL Cer- When enabled, Tenable Nessus verifies that the enabled
tificate SSL certificate on the server is signed by a trusted CA.
Tip: If you are using a self-signed certificate, disable this

setting.
Palo Alto Networks PAN-OS
Username (Required) The username for the PAN-OS account that Ten- -
able Nessus uses to perform checks on the target system.
Password (Required) The password for the PAN-OS user. -
Port (Required) The TCP port that PAN-OS listens on for com- 443
HTTPS When enabled, Tenable Nessus connects using secure com- enabled
munication (HTTPS).
- 349 -
standard HTTP.
Red Hat Enterprise Virtualization (RHEV)
Username (Required) The username for RHEV account that Tenable Nes- -
sus uses to perform checks on the target system.
Password (Required) The password for the RHEV user. -
Port (Required) The TCP port that the RHEV server listens on for 443
VMware ESX SOAP API
Access to VMware servers is available through its native SOAP API. VMware ESX SOAP API allows
you to access the ESX and ESXi servers via username and password. Also, you have the option of
not enabling SSL certificate verification:
For more information on configuring VMWare ESX SOAP API, see Configure vSphere Scanning.
Tenable Nessus can access VMware servers through the native VMware SOAP API.
Username (Required) The username for the ESXi server account that -
Tenable Nessus uses to perform checks on the target sys-
- 350 -
tem.
Password (Required) The password for the ESXi user. -
Do not verify Do not validate the SSL certificate for the ESXi server. disabled
SSL Cer-
tificate
VMware vCenter Auto Discovery
For more information on configuring VMWare vCenter SOAP API, see Configure vSphere Scanning.
Tenable Nessus can access vCenter through the native VMware vCenter SOAP API. If available, Ten-
able Nessus uses the vCenter REST API to collect data in addition to the SOAP API.
(missing or bad snippet)
vCenter Host (Required) The name of the vCenter host. -
vCenter Port (Required) The TCP port that vCenter listens on for com- 443
Username (Required) The username for the vCenter server account -

with admin read/ write access that Tenable Nessus uses
to perform checks on the target system.
Password (Required) The password for the vCenver server user. -
HTTPS When enabled, Tenable Nessus connects using secure enabled

communication (HTTPS). When disabled, Tenable Nessus
connects using standard HTTP.
Verify SSL Cer- When enabled, Tenable Nessus verifies that the enabled
tificate SSL certificate on the server is signed by a trusted CA.

setting.
- 351-
Auto Discover Man- This option adds any discovered VMware ESXi hypervisor not
aged VMware ESXi hosts to the scan targets you include in your scan. enabled
Hosts
Auto Discover Man- This option adds any discovered VMware ESXi hypervisor not
aged VMware ESXi virtual machines to the scan targets you include in your enabled
Virtual Machines scan.
X.509
Client certificate (Required) The client certificate. -
Client key (Required) The client private key. -
Password for key (Required) The passphrase for the client private key. -
CA certificate to (Required) The trusted Certificate Authority's (CA) digital -

trust certificate.
- 352 -
Mobile Credentials
AirWatch
Option Description
AirWatch Environment API URL The URL of the SOAP or REST API.
(required)
Port Set to use a different port to authenticate with Airwatch.
Username (required) The username to authenticate with Airwatch’s API.
Password (required) The password to authenticate with Airwatch’s API.
API Keys (required) The API Key for the Airwatch REST API.
HTTPS Set to use HTTPS instead of HTTP.
Verify SSL Certificate Verify whether the SSL Certificate on the server is signed
by a trusted CA.
Apple Profile Manager
Option Description
Server (required) The server URL to authenticate with Apple Profile Manager.
Port Set to use a different port to authenticate with Apple Profile Man-
ager.
Username (required) The username to authenticate.
Password (required) The password to authenticate.
Verify SSL Certificate Verify whether the SSL Certificate on the server is signed by a
trusted CA.
- 353 -
Force device updates Force devices to update with Apple Profile Manager immediately.
Device update timeout Number of minutes to wait for devices to reconnect with Apple
(minutes) Profile Manager
Good MDM
Option Description
Server (required) The server URL to authenticate with Good MDM.
Port (required) Set the port to use to authenticate with Good MDM.
Domain (required) The domain name for Good MDM.
Username (required) The username to authenticate.
Password (required) The password to authenticate.
Verify SSL Cer- Verify whether the SSL Certificate on the server is signed by a trusted
tificate CA.
MaaS360
Option Description
Username The username to authenticate.

(required)
Password The password to authenticate.

(required)
Root URL The server URL to authenticate with MaaS360.

(required)
Platform ID The Platform ID provided for MaaS360.

(required)
Billing ID The Billing ID provided for MaaS360.
- 354 -
(required)
App ID The App ID provided for MaaS360.

(required)
App Version The App Version of MaaS360.

(required)
App access The App Access Key provided for MaaS360.

key (required)
Collect All When enabled, the scan collects all data types.
Device Data
When disabled, the scan collects one or more types of data to decrease the
scan time. When disabled, choose one or more of the following collection
options:
l Collect Device Summary
l Collect Device Applications
l Collect Device Compliance
l Collect Device Policies
MobileIron
Option Description
VSP Admin The server URL Tenable Nessus uses to authenticate to the MobileIron admin-
Portal URL istrator portal.
VSP Admin (Optional) The port Tenable Nessus uses to authenticate to the MobileIron
Portal Port administrator portal (typically, port 443 or 8443). The system assumes port
443 by default.
Port (Optional) The port Tenable Nessus uses to authenticate to MobileIron (typ-
ically, port 443).
Username The username for the account you want Tenable Nessus to use to authen-
ticate to MobileIron.
- 355 -
Password The password for the account you want Tenable Nessus to use to authen-
ticate to MobileIron.
HTTPS (Optional) When enabled, Tenable Nessus uses an encrypted connection to

authenticate to MobileIron.
Verify SSL Cer- When enabled, Tenable Nessus verifies that the SSL Certificate on the server
tificate is signed by a trusted CA.
VMware Workspace One
Option Description Default Required
VMware Work- The SOAP URL or REST API URL you -- Yes
space One Envir- want to use to authenticate with VMware
onment API URL Workspace One.
Port The TCP port that VMware Workspace 443 Yes

One listens on for communications from
Tenable.
Username The username for the VMware Work- -- Yes

space One user account Tenable uses to
authenticate to VMware Workspace
One's REST API.
Password The password for the VMware Work- -- Yes

space One user.
API Key The API key for the VMware Workspace -- Yes
One REST API.
HTTPS When enabled, Tenable connects using Enabled No

secure communication (HTTPS).
When disabled, Tenable connects using

standard HTTP.
Verify When enabled, Tenable verifies that the Enabled No

SSL Certificate SSL certificate on the server is signed by
- 356 -
Option Description Default Required
a trusted CA.
Tip: If you are using a self-signed cer-

tificate, disable this setting.
Scanner Specifies which Nessus scanner Tenable -- Yes

Security Center uses when scanning the
server. Tenable Security Center can only
use one Nessus scanner to add data to a
mobile repository.
Update Schedule Specifies when Tenable Security Center Every day No

scans the server to update the mobile at 12:30 -
repository. On each scan, Tenable Secur- 04:00
ity Center removes the current data in
the repository and replaces it with data
from the latest scan.
- 357 -
Patch Management Credentials
Tenable Nessus can leverage credentials for patch management systems to perform patch auditing
on systems for which credentials may not be available to Nessus Professional or managed scan-
ners.
Note: Patch management integration is not available on Nessus Professional or managed scanners.
Tenable Nessus supports:
l Dell KACE K1000
l HCL BigFix
l Microsoft System Center Configuration Manager (SCCM)
l Microsoft Windows Server Update Services (WSUS)
l Red Hat Satellite Server
l Symantec Altiris
You can configure patch management options in the Credentials section while creating a scan, as
described in Create a Scan.
IT administrators are expected to manage the patch monitoring software and install any agents
required by the patch management system on their systems.
Note: If the credential check sees a system but it is unable to authenticate against the system, it uses the
data obtained from the patch management system to perform the check. If Tenable Nessus is able to con-
nect to the target system, it performs checks on that system and ignores the patch management system
output.
Note: The data returned to Tenable Nessus by the patch management system is only as current as the
most recent data that the patch management system has obtained from its managed hosts.
Scanning with Multiple Patch Managers

If you provide multiple sets of credentials to Tenable Nessus for patch management tools, Tenable
Nessus uses all of them.
- 358 -
If you provide credentials for a host and for one or more patch management systems, Tenable Nes-
sus compares the findings between all methods and report on conflicts or provide a satisfied find-
ing. Use the Patch Management Windows Auditing Conflicts plugins to highlight patch data
differences between the host and a patch management system.
Dell KACE K1000
KACE K1000 is available from Dell to manage the distribution of updates and hotfixes for Linux, Win-
dows, and macOS systems. Tenable Nessus can query KACE K1000 to verify whether or not patches
are installed on systems managed by KACE K1000 and display the patch information through the
Tenable Nessus user interface.
Tenable Nessus supports KACE K1000 versions 6.x and earlier.
KACE K1000 scanning uses the following Tenable plugins: 76867, 76868, 76866, and 76869.
Server (Required) The KACE K1000 IP address or system name. -
Database Port (Required) The TCP port that KACE K1000 listens on for com- 3306
Organization (Required) The name of the organization component for the ORG1
Database Name KACE K1000 database (e.g., ORG1).
Database User- (Required) The username for the KACE K1000 account that R1
name Tenable Nessus uses to perform checks on the target sys-
tem.
K1000 Database (Required) The password for the KACE K1000 user. -
Password
HCL Tivoli Endpoint Manager (BigFix)
HCL Bigfix is available to manage the distribution of updates and hotfixes for desktop systems. Ten-
able Nessus can query HCL Bigfix to verify whether or not patches are installed on systems man-
aged by HCL Bigfix and display the patch information.
- 359 -
Package reporting is supported by RPM-based and Debian-based distributions that HCL Bigfix offi-
cially supports. This includes Red Hat derivatives such as RHEL, CentOS, Scientific Linux, and
Oracle Linux, as well as Debian and Ubuntu. Other distributions may also work, but unless
HCL Bigfix officially supports them, there is no support available.
For local check plugins to trigger, only RHEL, CentOS, Scientific Linux, Oracle Linux, Debian,
Ubuntu, and Solaris are supported. Plugin 160250 must be enabled.
Tenable Nessus supports HCL Bigfix 9.5 and later and 10.x and later.
HCL Bigfix scanning uses the following Tenable plugins: 160247, 160248, 160249, 160250, and
160251.
Web Reports (Required) The name of HCL Bigfix Web Reports server. -
Server
Web Reports (Required) The TCP port that the HCL Bigfix Web Reports -
Port server listens on for communications from Tenable Nessus.
Web Reports (Required) The username for the HCL Bigfix Web Reports -
Username administrator account that Tenable Nessus uses to perform
checks on the target system.
Web Reports (Required) The password for the HCL Bigfix Web Reports -
Password administrator user.
HTTPS When enabled, Tenable Nessus connects using secure com- Enabled
munication (HTTPS).

standard HTTP.
Verify SSL When enabled, Tenable Nessus verifies that the Enabled
certificate SSL certificate on the server is signed by a trusted CA.
HCL Bigfix Server Configuration
- 360 -
In order to use these auditing features, you must make changes to the HCL Bigfix server. You must
import a custom analysis into HCL Bigfixso that detailed package information is retrieved and made
available to Tenable Nessus.
From the HCL BigFix Console application, import the following .bes files.
BES file:
<?xml version="1.0" encoding="UTF-8"?>

<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Analysis>
<Title>Tenable</Title>
<Description>This analysis provides SecurityCenter with the data it needs for vulnerability reporting. <
<Relevance>true</Relevance>
<Source>Internal</Source>
<SourceReleaseDate>2013-01-31</SourceReleaseDate>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Thu, 13 May 2021 21:43:29 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<Property Name="Packages - With Versions (Tenable)" ID="74"><![CDATA[if (exists true whose (if true then
repository) else false)) then unique values of (lpp_name of it & "|" & version of it as string & "|" & "fileset"
tecture of operating system) of filesets of products of object repository else if (exists true whose (if true th
anpackage) else false)) then unique values of (name of it & "|" & version of it as string & "|" & "deb" & "|" &
it & "|" & architecture of operating system) of packages whose (exists version of it) of debianpackages else if
whose (if true then (exists rpm) else false)) then unique values of (name of it & "|" & version of it as string
"|" & architecture of it & "|" & architecture of operating system) of packages of rpm else if (exists true whose
(exists ips image) else false)) then unique values of (full name of it & "|" & version of it as string & "|" & "
architecture of operating system) of latest installed packages of ips image else if (exists true whose (if true
pkgdb) else false)) then unique values of(pkginst of it & "|" & version of it & "|" & "pkg10") of pkginfos of pk
"<unsupported>"]]></Property>
<Property Name="Tenable AIX Technology Level" ID="76">current technology level of operating system</Prop
<Property Name="Tenable Solaris - Showrev -a" ID="77"><![CDATA[if ((operating system as string as lowerc
"SunOS 5.10" as lowercase) AND (exists file "/var/opt/BESClient/showrev_patches.b64")) then lines of file "/var/
opt/BESClient/showrev_patches.b64" else "<unsupported>"]]></Property>
</Analysis>
</BES>
BES file:
<?xml version="1.0" encoding="UTF-8"?>

<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<Task>
<Title>Tenable - Solaris 5.10 - showrev -a Capture</Title>
<Description><![CDATA[<enter a description of the task here> ]]></Description>
<GroupRelevance JoinByIntersection="false">
<SearchComponentPropertyReference PropertyName="OS" Comparison="Contains">
<SearchText>SunOS 5.10</SearchText>
<Relevance>exists (operating system) whose (it as string as lowercase contains "SunOS
5.10" as lowercase)</Relevance>
</SearchComponentPropertyReference>
- 361-
</GroupRelevance>
<Category></Category>
<Source>Internal</Source>
<SourceID></SourceID>
<SourceReleaseDate>2021-05-12</SourceReleaseDate>
<SourceSeverity></SourceSeverity>
<CVENames></CVENames>
<SANSID></SANSID>
<MIMEField>
<Name>x-fixlet-modification-time</Name>
<Value>Thu, 13 May 2021 21:50:58 +0000</Value>
</MIMEField>
<Domain>BESC</Domain>
<DefaultAction ID="Action1">
<Description>
<PreLink>Click </PreLink>
<Link>here</Link>
<PostLink> to deploy this action.</PostLink>
</Description>
<ActionScript MIMEType="application/x-sh"><![CDATA[#!/bin/sh
/usr/bin/showrev -a > /var/opt/BESClient/showrev_patches
/usr/sfw/bin/openssl base64 -in /var/opt/BESClient/showrev_patches -out /var/opt/BESClient/showrev_
patches.b64
]]></ActionScript>
</DefaultAction>
</Task>
</BES>
Microsoft System Center Configuration Manager (SCCM)
Microsoft System Center Configuration Manager (SCCM) is available to manage large groups of Win-
dows-based systems. Tenable Nessus can query the SCCM service to verify whether or not patches
are installed on systems managed by SCCM and display the patch information through the scan res-
ults.
Tenable Nessus connects to the server that is running the SCCM site (e.g., credentials must be
valid for the SCCM service, so the selected user must have privileges to query all the data in the
SCCM MMC). This server may also run the SQL database, or the database and the SCCM repository
can be on separate servers. When leveraging this audit, Tenable Nessus must connect to the SCCM
server via WMI and HTTPS.
SCCM scanning uses the following Tenable plugins: 57029, 57030, 73636, and 58186.
Note: SCCM patch management plugins support SCCM 2007, SCCM 2012, SCCM 2016, and SCCM 2019.
- 362 -
Credential Description Default
Server (Required) The SCCM IP address or system name. -
Domain (Required) The name of the SCCM server's domain. -
Username (Required) The username for the SCCM user account that Ten- -
able Nessus uses to perform checks on the target system. The
user account must have privileges to query all data in the
SCCM MMC.
Password (Required) The password for the SCCM user with privileges to -
query all data in the SCCM MMC.
Windows Server Update Services (WSUS)
Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of
updates and hotfixes for Microsoft products. Tenable Nessus can query WSUS to verify whether or
not patches are installed on systems managed by WSUS and display the patch information through
the Tenable Nessus user interface.
WSUS scanning uses the following Tenable plugins: 57031, 57032, and 58133.
Server (Required) The WSUS IP address or system name. -
Port (Required) The TCP port that Microsoft WSUS listens on 8530
for communications from Tenable Nessus.
Username (Required) The username for the WSUS administrator -

account that Tenable Nessus uses to perform checks on
the target system.
Password (Required) The password for the WSUS administrator -

user.
HTTPS When enabled, Tenable Nessus connects using secure Enabled

- 363 -

standard HTTP.
Verify When enabled, Tenable Nessus verifies that the Enabled

SSL Certificate SSL certificate on the server is signed by a trusted CA.

setting.
Red Hat Satellite Server
Red Hat Satellite is a systems management platform for Linux-based systems. Tenable Nessus can
query Satellite to verify whether or not patches are installed on systems managed by Satellite and
display the patch information.
Although not supported by Tenable, the Red Hat Satellite plugin also works with Spacewalk Server,
the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage distributions based
on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite server for Red Hat
Enterprise Linux.
Satellite scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, and 84238.
Satellite (Required) The Red Hat Satellite IP address or system name. -

server
Port (Required) The TCP port that Red Hat Satellite listens on for 443
Username (Required) The username for the Red Hat Satellite account -
that Tenable Nessus uses to perform checks on the target sys-
tem.
Password (Required) The password for the Red Hat Satellite user. -
Verify SSL When enabled, Tenable Nessus verifies that the Enabled
- 364 -
Tip: If you are using a self-signed certificate, disable this set-

ting.
Red Hat Satellite 6 Server
Red Hat Satellite 6 is a systems management platform for Linux-based systems. Tenable Nessus
can query Satellite to verify whether or not patches are installed on systems managed by Satellite
and display the patch information.
Although not supported by Tenable, the Red Hat Satellite 6 plugin also works with Spacewalk
Server, the Open Source Upstream Version of Red Hat Satellite. Spacewalk can manage dis-
tributions based on Red Hat (RHEL, CentOS, Fedora) and SUSE. Tenable supports the Satellite
server for Red Hat Enterprise Linux.
Red Hat Satellite 6 scanning uses the following Tenable plugins: 84236, 84235, 84234, 84237, 84238,
84231, 84232, and 84233.
Satellite server (Required) The Red Hat Satellite 6 IP address or system -

name.
Port (Required) The TCP port that Red Hat Satellite 6 listens 443
on for communications from Tenable Nessus.
Username (Required) The username for the Red Hat Satellite 6 -

account that Tenable Nessus uses to perform checks on
the target system.
Password (Required) The password for the Red Hat Satellite 6 user. -
HTTPS When enabled, Tenable Nessus connects using secure Enabled

- 365 -
standard HTTP.
Verify When enabled, Tenable Nessus verifies that the Enabled

SSL Certificate SSL certificate on the server is signed by a trusted CA.

setting.
Symantec Altris
Altiris is available from Symantec to manage the distribution of updates and hotfixes for Linux, Win-
dows, and macOS systems. Tenable Nessus has the ability to use the Altiris API to verify whether or
not patches are installed on systems managed by Altiris and display the patch information through
the Tenable Nessus user interface.
Tenable Nessus connects to the Microsoft SQL server that is running on the Altiris host. When lever-
aging this audit, if the MSSQL database and Altiris server are on separate hosts, Tenable Nessus
must connect to the MSSQL database, not the Altiris server.
Altiris scanning uses the following Tenable plugins: 78013, 78012, 78011, and 78014.
Server (Required) The Altiris IP address or system name. -
Database Port (Required) The TCP port that Altiris listens on for com- 5690
Database Name (Required) The name of the MSSQL database that man- Symantec_
ages Altiris patch information. CMDB
Database User- (Required) The username for the Altiris MSSQL data- -
name base account that Tenable Nessus uses to perform
checks on the target system. Credentials must be valid
for a MSSQL databas account with the privileges to
query all the data in the Altiris MSSQL database.
- 366 -
Database Pass- (Required) The password for the Altiris MSSQL data- -
word base user.
Use Windows When enabled, use NTLMSSP for compatibility with Disabled
Authentication older Windows Servers.
When disabled, use Kerberos.
Plaintext Authentication Credentials
Caution: Tenable does not recommend using plaintext credentials. Use encrypted authentication methods
when possible.
If a secure method of performing credentialed checks is not available, users can force Nessus to try
to perform checks over unsecure protocols; use the Plaintext Authentication options.
This menu allows the Nessus scanner to use credentials when testing HTTP , NNTP, FTP, POP2,
POP3, IMAP, IPMI, telnet/ rsh/ rexec, and SNMPv1/ v2c.
By supplying credentials, Nessus can perform more extensive checks to determine vulnerabilities.
Nessus uses the supplied HTTP credentials for Basic and Digest authentication only.
Credentials for FTP, IPMI, NNTP, POP2, and POP3 require only a username and password.
- 367 -
HTTP
There are four different types of HTTP Authentication methods: Automatic
authentication, Basic/ Digest authentication, HTTP login form, and HTTP cookies import.
HTTP Global Settings
Login method POST Specify if the login action is performed via a GET or POST
request.
Re-authenticate 0 The time delay between authentication attempts. This is

delay (seconds) useful to avoid triggering brute force lockout mech-
anisms.
Follow 30x redir- 0 If a 30x redirect code is received from a web server, this
ections directs Nessus to follow the link provided or not.
(# of levels)
Invert authen- Disabled A regex pattern to look for on the login page, that if found,
ticated regex tells Nessus authentication was not successful (for
example, Authentication failed!).
Use authen- Disabled Rather than search the body of a response, Nessus can
ticated regex on search the HTTP response headers for a given regex pat-
HTTP headers tern to determine the authentication state more accur-
ately.
Use authen- Disabled The regex searches are case sensitive by default. This
ticated regex on instructs Nessus to ignore case.
HTTP headers
Authentication methods
Automatic authentication
Username and Password Required
- 368 -
Basic/ Digest authentication
Username and Password Required
HTTP Login Form
The HTTP login page settings provide control over where authenticated testing of a custom web-
based application begins.
Option Description
Username Login user’s name.
Password Password of the user specified.
Login page The absolute path to the login page of the application (for example, / lo-
gin.html).
Login submission The action parameter for the form method. For example, the login form
page for <form method="POST" name="auth_form" action="/ login.php"> would
be / login.php.
Login parameters Specify the authentication parameters (for example, login-

n=%USER%&password=%PASS%). If you use the keywords %USER% and
%PASS%, they are substituted with values supplied on the Login con-
figurations drop-down box. You can use this field to provide more than
two parameters if required (for example, a group name or some other
piece of information is required for the authentication process).
Check authen- The absolute path of a protected web page that requires authentication,
tication on page to assist Nessus in determining authentication status (for example, / ad-
min.html).
Regex to verify A regex pattern to look for on the login page. Simply receiving a 200-
successful authen- response code is not always sufficient to determine session state. Nes-
tication sus can attempt to match a given string such as "Authentication suc-
cessful!"
HTTP cookies import
- 369 -
To facilitate web application testing, Nessus can import HTTP cookies from another piece of soft-
ware (for example, browser, web proxy, etc.) with the HTTP cookies import settings. You can upload
a cookie file so that Nessus uses the cookies when attempting to access a web application. The
cookie file must be in Netscape format.
- 370 -
NNTP
Setting Description Default
Username (Required) The username for the NNTP account that Tenable -
Nessus uses to perform checks on the target system.
Password (Required) The password for the NNTP user. -
- 371-
FTP
Username (Required) The username for the FTP account that Tenable Nes- -
Password (Required) The password for the FTP user. -
- 372 -
POP2
Username (Required) The username for the POP2 account that Tenable -
Password (Required) The password for the POP2 user. -
- 373 -
POP3
Username (Required) The username for the POP3 account that Tenable -
Password (Required) The password for the POP3 user. -
- 374 -
IMAP
Username (Required) The username for the IMAP account that Tenable -
Password (Required) The password for the IMAP user. -
- 375 -
IPMI
Username (Required) The username for the IMPI account that Tenable Nes- -
Password (Required) The password for the IPMI user. -

(sent in clear)
- 376 -
telnet/ rsh/ rexec
The telnet/ rsh/ rexec authentication section is also username and password, but there are more
Global Settings for this section that can allow you to perform patch audits using any of these three
protocols.
- 377 -
SNMPv1/ v2c
SNMPv1/ v2c configuration allows you to use community strings for authentication to network
devices. You can configure up to four SNMP community strings.
Community (Required) The community string Tenable Vulnerability Man- public

string agement uses to authenticate on the host device.
UDP Port (Required) The TCP ports that SNMPv1/ v2c listens on for com- 161
Additional
UDP port # 1
Additional UDP
port # 2
Additional UDP
port # 3
- 378 -
Compliance
Note: If a scan is based on a user-defined policy, you cannot configure Compliance settings in the scan.
You can only modify these settings in the related user-defined policy.
Tenable Nessus can perform vulnerability scans of network services as well as log in to servers to
discover any missing patches.
However, a lack of vulnerabilities does not mean the servers are configured correctly or are “com-
pliant” with a particular standard.
You can use Tenable Nessus to perform vulnerability scans and compliance audits to obtain all of
this data at one time. If you know how a server is configured, how it is patched, and what vul-
nerabilities are present, you can determine measures to mitigate risk.
At a higher level, if this information is aggregated for an entire network or asset class, security and
risk can be analyzed globally. This allows auditors and network managers to spot trends in non-com-
pliant systems and adjust controls to fix these on a larger scale.
When configuring a scan or policy, you can include one or more compliance checks, also known as
audits. Each compliance check requires specific credentials.
Some compliance checks are preconfigured by Tenable, but you can also create and upload custom
audits.
For more information on compliance checks and creating custom audits, see the Compliance
Checks Reference.
Compliance Check Required Credentials
Adtran AOS SSH
Alcatel TiMOS SSH
Amazon AWS Amazon AWS
Arista EOS SSH
Aruba0S SSH
Blue Coat ProxySG SSH
- 379 -
Brocade FabricOS SSH
Check Point GAiA SSH
Cisco ACI SSH
Cisco Firepower SSH
Cisco IOS SSH
Cisco Viptela SSH
Citrix Application Delivery SSH
Citrix XenServer SSH
Database Database
Dell Force10 FTOS SSH
Extreme ExtremeXOS SSH
F5 F5
FireEye SSH
Fortigate FortiOS SSH
Generic SSH SSH
Google Cloud Platform SSH
HP ProCurve SSH
Huawei VRP SSH
IBM iSeries IBM iSeries
Juniper Junos SSH
Microsoft Azure Microsoft Azure
Mobile Device Manager AirWatch, Apple Profile Manager, or Mobileiron
- 380 -
MongoDB MongoDB
NetApp API NetApp API
NetApp Data ONTAP SSH
OpenStack OpenStack
NetApp Data ONTAP SSH
Palo Alto Networks PAN-OS PAN-OS
Rackspace Rackspace
RHEV RHEV
Salesforce.com Salesforce SOAP API
SonicWALL SonicOS SSH
Splunk Splunk API
Unix SSH
Unix File Contents SSH
VMware vCenter/ vSphere VMware ESX SOAP API or VMware vCenter SOAP API
WatchGuard SSH
Windows Windows
Windows File Contents Windows
Zoom Zoom
ZTE ROSNG SSH
- 381-
Upload a Custom Audit File
When you configure the Compliance settings of a Nessus scan, you can upload the following custom
audit files:
l A Tenable-created audit file downloaded from the Tenable downloads page.
l A Security Content Automation Protocol (SCAP) Data Stream file downloaded from a
SCAP repository (for example, https:/ / nvd.nist.gov/ ncp/ repository).
The file must contain full SCAP content (Open Vulnerability and Assessment Language
(OVAL) and Extensible Configuration Checklist Description Format (XCCDF) content) or
OVAL standalone content.
l A custom audit file created or customized for a specific environment. For more information,
see the Nessus Compliance Checks Reference.
Before you begin:

l Download or prepare the file you intend to upload.
To upload a custom audit file:
1. Log in to the Tenable Nessus user interface.
2. In the top navigation bar, click Scans.
The My Scans page appears.
3. In the upper right corner, click the New Scan button.
The Scan Templates page appears.
4. Click the scan template that you want to use.
The scan settings page appears.
5. Open the Compliance tab.
6. In the Filter Compliance box, type custom.
A list of the custom audit file types that you can upload appears.
- 382 -
7. Select the custom audit file type that you want to upload.
An Upload a custom audit file pane appears.
- 383 -
8. Click Add File. Select the custom audit file to upload from your machine.
Depending on the audit type, you may need to configure additional settings once you upload
the custom audit.
l To launch the scan immediately, click the button, and then click Launch.
Tenable Nessus saves and launches the scan.
l To launch the scan later, click the Save button.
Tenable Nessus saves the scan.
- 384 -
SCAP Settings
Security Content Automation Protocol (SCAP) is an open standard that enables automated man-
agement of vulnerabilities and policy compliance for an organization. It relies on multiple open
standards and policies, including OVAL, CVE, CVSS, CPE, and FDCC policies.
When you select the SCAP and OVAL Auditing template, you can modify SCAP settings.
You can select Linux (SCAP), Linux (OVAL), Windows (SCAP), or Windows (OVAL). The following table
describes the settings for each option.
Linux (SCAP) or Windows (SCAP)
SCAP File None A valid zip file that contains full SCAP content
(XCCDF, OVAL, and CPE for versions 1.0 and 1.1;
DataStream for version 1.2).
SCAP Version 1.2 The SCAP version that is appropriate for the con-
tent in the uploaded SCAP file.
SCAP Data Stream ID None (SCAP Version 1.2 only) The Data Stream ID that
you copied from the SCAP XML file.
Example:
<data-stream id="scap_gov.nist_
datastream_USGCB-Windows-7-
1.2.3.1.zip">
SCAP Benchmark ID None The Benchmark ID that you copied from the
SCAP XML file.
Example:
<xccdf:Benchmark id="xccdf_
gov.nist_benchmark_USGCB-Windows-
7">
- 385 -
SCAP Profile ID None The Profile ID that you copied from the
SCAP XML file.
Example:
<xccdf:Profile id="xccdf_gov.nist_
profile_united_states_government_
configuration_baseline_version_
1.2.3.1">
OVAL Result Type Full results w/ sys- The information you want the results file to
tem char- include.
acteristics
The results file can be one of the following
types: full results with system characteristics,
full results without system characteristics, or
thin results.
Linux (OVAL) or Windows (OVAL)
OVAL definitions file None A valid zip file that contains OVAL standalone
content.
- 386 -
Plugins
The Advanced Scan templates include Plugin options.
Plugins options enable you to select security checks by Plugin Family or individual plugins checks.
For more information on specific plugins, see the Tenable plugins site. For more information on plu-
gin families, see About Plugin Families on the Tenable plugins site.
Clicking on the Plugin Family allows you to enable (green) or disable (gray) the entire family. Select-
ing a family shows the list of its plugins. You can enable or disable individual plugins to create spe-
cific scans.
A family with some plugins disabled is blue and shows Mixed to indicate only some plugins are
enabled. Clicking on the plugin family loads the complete list of plugins, and allow for granular selec-
tion based on your scanning preferences.
Selecting a specific Plugin Name shows the plugin output that you would see in a report.
The plugin details include a Synopsis, Description, Solution, Plugin Information, and Risk Inform-
ation.
Note: When you create and save a scan or policy, it records all the plugins that you select initially. When
Tenable Nessus receives new plugins via a plugin update, Nessus enables the new plugins automatically if
the family they are associated with is enabled. If the family was disabled or partially enabled, Nessus also
disables the new plugins in that family.
Caution: The Denial of Service family contains some plugins that could cause outages on a network if you
do not enable the Safe Checks option, in addition to some useful checks that do not cause any harm. You
can use the Denial of Service family with Safe Checks to ensure that Nessus does not run any potentially
dangerous plugins. However, Tenable recommends that you do not use the Denial of Service family on a
production network unless scheduled during a maintenance window and with staff ready to respond to any
issues.
- 387 -
Configure Dynamic Plugins
With the Advanced Dynamic Scan template, you can create a scan or policy with dynamic plugin fil-
ters instead of manually selecting plugin families or individual plugins. As Tenable releases new plu-
gins, any plugins that match your filters are added to the scan or policy automatically. This allows
you to tailor your scans for specific vulnerabilities while ensuring that the scan stays up to date as
new plugins are released.
For more information on specific plugins, see the Tenable plugins site. For more information on plu-
gin families, see About Plugin Families on the Tenable plugins site.
To configure dynamic plugins:
l Create a Scan.
l Create a Policy.
2. Click the Advanced Dynamic Scan template.
3. Click the Dynamic Plugins tab.
4. Specify your filter options:
l Match Any or Match All: If you select All, only results that match all filters appear. If you
select Any, results that match any one of the filters appear.
l Plugin attribute: See the Plugin Attributes table for plugin attribute descriptions.
l Filter argument: Select is equal to, is not equal to, contains, does not contain, greater
than, or less than to specify how the filter should match for the selected plugin attrib-
ute.
l Value: Depending on the plugin attribute you selected, enter a value or select a value
from the drop-down menu.
5. (Optional) Click to add another filter.
6. Click Preview Plugins.
Tenable Nessus lists the plugins that match the specified filters.
7. Click Save.
- 388 -
Tenable Nessus creates the scan or policy, which automatically updates when Tenable adds
new plugins that match the dynamic plugin filters.
- 389 -
Create and Manage Scans
This section contains the following tasks available on the Scans page.
l Create a Scan
l Import a Scan
l Create an Agent Scan
l Modify Scan Settings
l Configure an Audit Trail
l Delete a Scan
- 390 -
Example: Host Discovery
Knowing what hosts are on your network is the first step to any vulnerability assessment. Launch a
host discovery scan to see what hosts are on your network, and associated information such as IP
address, FQDN, operating systems, and open ports, if available. After you have a list of hosts, you
can choose what hosts you want to target in a specific vulnerability scan.
The following overview describes a typical workflow of creating and launching a host discovery
scan, then creating a follow-up scan that target-discovered hosts that you choose.
Create and launch a host discovery scan:
3. Under Discovery, click the Host Discovery template.
4. Configure the host discovery scan:
l For Name, enter a name for the scan.
l For Targets, enter targets as hostnames, IPv4 addresses, or IPv6 addresses.
Tip: For IP addresses, you can use CIDR notation (for example, 192.168.0.0/ 24), a range (for
example, 192.168.0.1-192.168.0.255), or a comma-separated list (for example,
192.168.0.0,192.168.0.1). For more information, see Scan Targets.
l (Optional) Configure the remaining settings.
5. To launch the scan immediately, click the button, and then click Launch.
Tenable Nessus runs the host discovery scan, and the My Scans page appears.
6. In the scans table, click the row of a completed host discovery scan.
The scan's results page appears.
- 391-
7. In the Hosts tab, view the hosts that Tenable Nessus discovered, and any available associated
information, such as IP address, FQDN, operating system, and open ports.
Create and launch a scan on one or more discovered hosts:
2. In the scans table, click the row of your completed host discovery scan.
3. Click the Hosts tab.
Tenable Nessus displays a table of scanned hosts.
4. Select the check box next to each host you want to scan in your new scan.
At the top of the page, the More button appears.
5. Click the More button.
A drop-down box appears.
6. Click Create Scan.
7. Select a scan template for your new scan.
Tenable Nessus automatically populates the Targets list with the hosts you previously selec-
ted.
8. Configure the rest of the scan settings, as described in Scan and Policy Settings.
9. To launch the scan immediately, click the button, and then click Launch.
- 392 -
Create a Scan
4. Configure the scan's settings.
- 393 -
Import a Scan
You can import an exported Tenable Nessus (.nessus) or Tenable Nessus DB (.db) scan. With an
imported scan, you can view scan results, export new reports for the scan, rename the scan, and
update the description. You cannot launch imported scans or update policy settings.
You can also import .nessus files as policies. For more information, see Import a Policy.
To import a scan:
2. In the upper-right corner, click Import.
Your browser's file manager window appears.
3. Browse to and select the scan file that you want to import.
Note: Supported file types are exported Nessus (.nessus) and Nessus DB (.db) files.
The Scan Import window appears.
4. If the file is encrypted, type the Password.
5. Click Upload.
Nessus imports the scan and its associated data.
- 394 -
Create an Agent Scan
To create an agent scan:
2. In the upper-right corner, click the New Scan button.
3. Click the Agent tab.
The Agent scan templates page appears.
Tip: Use the search box in the top navigation bar to filter templates on the tab currently in view.
5. Configure the scan's settings.
6. (Optional) Configure compliance checks for the scan.
7. (Optional) Configure security checks by plugin family or individual plugin.
l If you want to launch the scan later, click the Save button.
l If you want to launch the scan immediately:
a. Click the button.
b. Click Launch.
- 395 -
Modify Scan Settings
A standard user or administrator can perform this procedure.
2. Optionally, in the left navigation bar, click a different folder.
3. In the scans table, select the check box on the row corresponding to the scan that you want
to configure.
In the upper-right corner, the More button appears.
5. Click Configure.
The Configuration page for the scan appears.
6. Modify the settings.
Tenable Nessus saves the settings.
Configure vSphere Scanning
Note: You need administrator permissions to complete the following procedures.
You can configure a scan to scan the following virtual environments:
l ESXi/ vSphere that vCenter manages
l ESXi/ vSphere that vCenter does not manage
l Virtual machines
- 396 -
Scenario 1: Scanning ESXi/ vSphere Not Managed by vCenter
To configure an ESXi/ vSphere scan that vCenter does not manage:
1. Create a scan.
2. In the Basic scan settings, in the Targets section, type the IP address or addresses of the
ESXi host or hosts.
3. Click the Credentials tab.
The Credentials options appear.
4. From the Categories drop-down, select Miscellaneous.
A list of miscellaneous credential types appears.
5. Click VMware ESX SOAP API.
6. In the Username box, type the username associated with the local ESXi account.
7. In the Password box, type the password associated with the local ESXi account.
8. If your vCenter host includes an SSL certificate (not a self-signed certificate), deselect the Do
not verify SSL Certificate check box. Otherwise, select the check box.
9. Click Save.
- 397 -
Scenario 2: Scanning vCenter-Managed ESXI/ vSpheres
To configure an ESXi/ vSphere scan managed by vCenter:
1. Create a scan.
2. In the Basic scan settings, in the Targets section, type the IP addresses of:
l the vCenter host.
l the ESXi host or hosts.
The Credentials options appear.
4. From the Categories drop-down, select Miscellaneous.
A list of miscellaneous credential types appears.
5. Click VMware vCenter SOAP API.
6. In the vCenter Host box, type the IP address of the vCenter host.
7. In the vCenter Port box, type the port for the vCenter host. By default, this value is 443.
8. In the Username box, type the username associated with the local ESXi account.
9. In the Password box, type the password associated with the local ESXi account.
10. If the vCenter host is SSL enabled, enable the HTTPS toggle.
11. If your vCenter host includes an SSL certificate (not a self-signed certificate), select the
Verify SSL Certificate check box. Otherwise, deselect the check box.
12. Click Save.
- 398 -
Scenario 3: Scanning Virtual Machines
You can scan virtual machines just like any other host on the network. Be sure to include the IP
address or addresses of your virtual machine in your scan targets. For more information, see Create
a Scan.
- 399 -
Configure an Audit Trail
2. (Optional) In the left navigation bar, click a different folder.
3. On the scans table, click the scan for which you want to configure an audit trail.
The scan results appear.
4. In the upper right corner, click the Audit Trail button.
The Audit Trail window appears.
5. In the Plugin ID box, type the plugin ID used by one or more scans.
and/ or
In the Host box, type the hostname for a detected host.
6. Click the Search button.
A list appears and shows the results that match the criteria that you entered in one or both
boxes.
- 400 -
Launch a Scan
In addition to configuring Schedule settings for a scan, you can manually start a scan run.
To launch a scan:
2. In the scans table, in the row of the scan you want to launch, click the button.
Tenable Nessus launches the scan.
What to do next:
If you need to stop a scan manually, see Stop a Running Scan.
- 401-
Stop a Running Scan
When you stop a scan, Tenable Nessus terminates all tasks for the scan and categorizes the scan as
canceled. The Tenable Nessus scan results associated with the scan reflect only the completed
tasks. You cannot stop individual tasks, only the scan as a whole.
For local scans (that is, not a scan run by Tenable Nessus Agent or a linked scanner in Tenable Nes-
sus Manager), you can force stop the scan to stop the scan quickly and terminate all in-progress plu-
gins. Tenable Nessus may not get results from any plugins that were running when you force
stopped the scan.
To stop a running scan:
2. In the scans table, in the row of the scan you want to stop, click the button.
The Stop Scan dialog box appears.
3. To stop the scan, click Stop.
Nessus begins terminating the scan processes.
4. (Optional) For local scans, to force stop the scan, click the button.
Nessus immediately terminates the scan and all its processes.
- 402 -
Delete a Scan
Note: Moving and deleting scans are tag-based, user-specific actions. For example, when one user deletes
a scan, it will only move to the trash folder for that user. For other users, the scan remains in the original
folder and is updated with a trash tag. For more information, see Scan Folders.
2. Optionally, in the left navigation bar, click a different folder.
3. On the scans table, on the row corresponding to the scan that you want to delete, click the
button.
The scan moves to the Trash folder.
4. To delete the scan permanently, in the left navigation bar, click the Trash folder.
The Trash page appears.
5. On the scans table, on the row corresponding to the scan that you want to delete per-
manently, click the button.
A dialog box appears, confirming your selection to delete the scan.
6. Click the Delete button.
Tenable Nessus deletes the scan.
Tip: On the Trash page, in the upper right corner, click the Empty Trash button to delete all scans in the
Trash folder permanently.
- 403 -
Scan Folders
On the Scans page, the left navigation bar is divided into the Folders and Resources sections. The
Folders section always includes the following default folders that you cannot remove:
l My Scans
l All Scans
l Trash
Note: All scan folders and related actions (for example, moving and deleting scans) are user-specific and
tag-based. For example, when one user deletes a scan, it only moves to the trash folder for that user. For
other users, the scan remains in the original folder and Tenable Nessus updates it with a trash tag.
When you access the Scans page, the My Scans folder appears. When you create a scan, it appears
by default in the My Scans folder.
The All Scans folder shows all scans you have created as well as any scans with which you have per-
mission to interact. You can click on a scan in a folder to view scan results.
The Trash folder shows scans that you have deleted. In the Trash folder, you can permanently
remove scans from your Tenable Nessus instance, or restore the scans to a selected folder. If you
delete a folder that contains scans, Tenable Nessus moves all scans in that folder to the Trash
folder. Tenable Nessus deletes the scans stored in the Trash folder automatically after 30 days.
- 404 -
- 405 -
Manage Scan Folders
A standard user or administrator can complete the following procedures.
Note: Moving and deleting scans are tag-based, user-specific actions. For example, when one user deletes
a scan, it will only move to the trash folder for that user. For other users, the scan remains in the original
folder and is updated with a trash tag. For more information, see Scan Folders.
Create a folder:
2. In the upper-right corner, click the New Folder button.
The New Folder window appears.
3. In the Name box, type a name for the folder.
4. Click the Create button.
Tenable Nessus creates the folder and shows it in the left navigation bar.
Move a scan to a folder:
2. If the scan you want to move is not in the My Scans folder, on the left navigation bar, click the
folder that contains the scan you want to move.
3. On the scans table, select the check box on the row corresponding to the scan that you want
to configure.
4. Click More. Point to Move To, and click the folder that you want to move the scan to.
The scan moves to that folder.
Rename a folder:
- 406 -
2. In the left navigation bar, next to the folder that you want to rename, click the button, and
then click Rename.
The Rename Folder window appears.
3. In the Name box, type a new name.
The folder name changes.
Delete a folder:
2. In the left navigation bar, next to the folder that you want to rename, click the button, and
then click Delete.
The Delete Folder dialog box appears.
Tenable Nessus deletes the folder. If the folder contained scans, Tenable Nessus moves those
scans to the Trash folder.
- 407 -
Scan Results
You can view scan results to help you understand your organization’s security posture and vul-
nerabilities. Color-coded indicators and customizable viewing options allow you to customize how
you view your scan’s data.
You can view scan results in one of several views:
Page Description
Dashboard In Tenable Nessus Manager, the default scan results page shows the Dash-
board view.
Hosts The Hosts page shows all scanned targets.
Vulnerabilities List of identified vulnerabilities, sorted by severity.
Tip: To view vulnerabilities by VPR, click in the table header, click Disable
Groups, and sort the table by VPR Score.
Compliance If the scan includes compliance checks, this list shows counts and details
sorted by vulnerability severity.
If you configure the scan for compliance scanning, the button allows
you to navigate between the Compliance and Vulnerability results.
Remediations If the scan's results include Remediation information, this list shows sug-
gested remediations that address the highest number of vulnerabilities.
Notes The Notes page shows additional information about the scan and the
scan’s results.
History The History shows a listing of scans: Start Time, End Time, and the Scan
Statuses.
Summary (Attack View a summary of your attack surface discovery scan configuration. The
Surface Dis- summary table shows a row for each scanned domain with the following
covery scan tem- details:
plate only)
l Domain —The scanned domain name.
- 408 -
Page Description
l First Complete Pull —The date and time the scanned domain data
was, or will be, available.
l Data Refreshed —The date and time that the domain data Tenable
Nessus pulls was updated in Bit Discovery. Bit Discovery refreshes
the data that Tenable Nessus pulls every 90 days.
l Next Data Refresh —The date and time of the next refresh of this
domain's data in Bit Discovery. Bit Discovery refreshes the data that
Tenable Nessus pulls every 90 days.
l Ages Out from License —The data and time the domain ages out
from your Tenable Nessus license.
l Record Count —The number of subdomain records generated
Records (Attack View a list of the DNS records identified during the last attack surface dis-
Surface Dis- covery scan. The list only shows a maximum of 2,500 records across all
covery scan tem- scanned domains, but you can filter the table and only view certain record
plate only) types or records from a specific domain. Tenable Nessus provides the fol-
lowing information for each record:
l Hostname —The record's hostname.
l IP Address —The IP address related to the record.
l Ports —The discovered open ports on the scanned IP, if applicable.
l Type —The DNS record type. Some of the most common record
types are:
l A —Host address
l AAAA —IPv6 host address
l CNAME —Canonical name for an alias
l MX —Mail exchange
l NS —Name server
- 409 -
Page Description
l PTR —Pointer
l SOA —Start of authority
l SRV —Location of service
l TXT —Text
l Target Hostname —The hostname targeted by the DNS record. This

is often the same as the Hostname.
The Records page also shows details about the latest attack surface dis-
covery scan:
l Policy —The scan policy used for the scan (Domain Discovery).
l Status —The current scan status.
l Severity Base —The severity base used in the scan (for example,
CVSS v2.0).
l Scanner —The scanner used for the scan.
l Start —The scan start time and date.
l End —The scan end time and date.
l Elapsed —The time elapsed between the Start and End times.
- 410 -
Severity
Severity is a categorization of the risk and urgency of a vulnerability.
For more information, see CVSS Scores vs. VPR.
CVSS-Based Severity
When you view vulnerabilities in scan results, Tenable Nessus shows severity based on CVSSv2
scores or CVSSv3 scores, depending on your configuration.
l You can choose whether Tenable Nessus calculates the severity of vulnerabilities using
CVSSv2 or CVSSv3 scores by configuring your default severity base setting. For more inform-
ation, see Configure Your Default Severity Base.
l You can also configure individual scans to use a particular severity base, which overrides the
default severity base for those scan results. For more information, see Configure Severity
Base for an Individual Scan.
VPR
You can also view the top 10 vulnerabilities by VPR threat. For more information, see View VPR Top
Threats.
CVSS Scores vs. VPR

Tenable uses CVSS scores and a dynamic Tenable-calculated Vulnerability Priority Rating (VPR) to
quantify the risk and urgency of a vulnerability.
- 411-
CVSS
Tenable uses and displays third-party Common Vulnerability Scoring System (CVSS) values retrieved
from the National Vulnerability Database (NVD) to describe risk associated with vulnerabilities. CVSS
scores power a vulnerability's Severity and Risk Factor values.
Tip: Risk Factor and Severity values are unrelated; they are calculated separately.
- 412 -
CVSS-Based Severity
Tenable assigns all vulnerabilities a severity (Info, Low, Medium, High, or Critical) based on the vul-
nerability's static CVSSv2 or CVSSv3 score, depending on your configuration. For more information,
see Configure Default Severity.
Tenable Nessus analysis pages provide summary information about vulnerabilities using the fol-
lowing CVSS categories.
Severity CVSSv2 Range CVSSv3 Range
Critical The plugin's highest vulnerability The plugin's highest vulnerability

CVSSv2 score is 10.0. CVSSv3 score is between 9.0 and 10.0.
High The plugin's highest vulnerability The plugin's highest vulnerability

CVSSv2 score is between 7.0 and 9.9. CVSSv3 score is between 7.0 and 8.9.
Medium The plugin's highest vulnerability The plugin's highest vulnerability

CVSSv2 score is between 4.0 and 6.9. CVSSv3 score is between 4.0 and 6.9.
Low The plugin's highest vulnerability The plugin's highest vulnerability

CVSSv2 score is between 0.1and 3.9. CVSSv3 score is between 0.1and 3.9.
Info The plugin's highest vulnerability The plugin's highest vulnerability

CVSSv2 score is 0. CVSSv3 score is 0.
- or - - or -
The plugin does not search for vul- The plugin does not search for vul-
nerabilities. nerabilities.
- 413 -
CVSS-Based Risk Factor
For each plugin, Tenable interprets the CVSSv2 or CVSSv3 scores for the vulnerabilities associated
with the plugin and assigns an overall risk factor (Low, Medium, High, or Critical) to the plugin. The
Vulnerability Details page shows the highest risk factor value for all the plugins associated with a
vulnerability.
Note: Detection (non-vulnerability) plugins and some automated vulnerability plugins do not receive CVSS
scores. In these cases, Tenable determines the risk factor based on vendor advisories.
Tip: Info plugins receive a risk factor of None. Other plugins without associated CVSS scores receive a cus-
tom risk factor based on information provided in related security advisories.
- 414 -
Vulnerability Priority Rating
Tenable calculates a dynamic VPR for most vulnerabilities. The VPR is a dynamic companion to the
data provided by the vulnerability's CVSS score, since Tenable updates the VPR to reflect the cur-
rent threat landscape. VPR values range from 0.1-10.0, with a higher value representing a higher like-
lihood of exploit.
VPR Category VPR Range
Critical 9.0 to 10.0
High 7.0 to 8.9
Medium 4.0 to 6.9
Low 0.1to 3.9
Note: Vulnerabilities without CVEs in the National Vulnerability Database (NVD) (for example, many vul-
nerabilities with the Info severity) do not receive a VPR. Tenable recommends remediating these vul-
nerabilities according to their CVSS-based severity.
Note: You cannot edit VPR values.
Note: VPR scores shown in Nessus are static and do not update dynamically. You have to rescan to view
the latest and most accurate VPR scores.
Tenable Nessus provides a VPR value the first time you scan a vulnerability on your network.
Tenable recommends resolving vulnerabilities with the highest VPRs first. You can view VPR scores
and summary data in:
l The VPR Top Threats for an individual scan, as described in View VPR Top Threats.
l The Top 10 Vulnerabilities report for an individual scan. For information on creating the report,
see Create a Scan Report.
- 415 -
VPR Key Drivers
You can view the following key drivers to explain a vulnerability's VPR.
Note: Tenable does not customize these values for your organization; VPR key drivers reflect a vul-
nerability's global threat landscape.
Key Driver Description
Age of Vuln The number of days since the National Vulnerability Database (NVD) published
the vulnerability.
CVSSv3 The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did
Impact not provide a score, Tenable Nessus displays a Tenable-predicted score.
Score
Exploit Code The relative maturity of a possible exploit for the vulnerability based on the
Maturity existence, sophistication, and prevalence of exploit intelligence from internal
and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The pos-
sible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code
Maturity categories.
Product The relative number of unique products affected by the vulnerability: Low,
Coverage Medium, High, or Very High.
Threat A list of all sources (e.g., social media channels, the dark web, etc.) where
Sources threat events related to this vulnerability occurred. If the system did not
observe a related threat event in the past 28 days, the system displays No
recorded events.
Threat The relative intensity based on the number and frequency of recently observed
Intensity threat events related to this vulnerability: Very Low, Low, Medium, High, or
Very High.
Threat The number of days (0-180) since a threat event occurred for the vulnerability.
Recency
Threat Event Examples
- 416 -
Common threat events include:
l An exploit of the vulnerability
l A posting of the vulnerability exploit code in a public repository
l A discussion of the vulnerability in mainstream media
l Security research about the vulnerability
l A discussion of the vulnerability on social media channels
l A discussion of the vulnerability on the dark web and underground
l A discussion of the vulnerability on hacker forums
- 417 -
Configure Your Default Severity Base
Note: By default, new installations of Tenable Nessus use CVSSv3 scores (when available) to cal-
culate severity for vulnerabilities. Preexisting, upgraded installations retain the previous default
of CVSSv2 scores.
In Tenable Nessus scanners and Tenable Nessus Professional, you can choose whether Tenable Nes-
sus calculates the severity of vulnerabilities using CVSSv2 or CVSSv3 scores (when available) by con-
figuring your default severity base setting. When you change the default severity base, the change
applies to all existing scans that are configured with the default severity base. Future scans also
use the default severity base.
You can also configure individual scans to use a particular severity base, which overrides the
default severity base for that scan, as described in Configure Severity Base for an Individual Scan.
For more information about CVSS scores and severity ranges, see CVSS Scores vs. VPR.
Note: You cannot configure the default severity base in Tenable Nessus Manager.
To configure your default severity base:
2. In the left navigation bar, click Advanced.
The Advanced Settings page appears.
3. Click the Scanning tab.
The scanning advanced settings appear.
4. In the table, click the row for the System Default Severity Basis setting.
Tip: Use the search bar to search for any part of the setting name.
The setting configuration window appears.
5. In the Value drop-down box, select CVSS v2.0 or CVSS v3.0 for your default severity base.
6. Click Save.
- 418 -
Tenable Nessus updates the default severity base for your instance. Existing scans with the
default severity base update to reflect the new default. Individual scans with overridden sever-
ity bases do not change.
- 419 -
Configure Severity Base for an Individual Scan
Note: By default, new installations of Tenable Nessus use CVSSv3 scores (when available) to cal-
culate severity for vulnerabilities. Preexisting, upgraded installations retain the previous default
of CVSSv2 scores.
You can configure individual scans to use a particular severity base, which overrides the default
severity base for that scan. If you change the default severity base, scans with overridden severity
bases do not change.
To change the default severity base across the Tenable Nessus instance, see Configure Your
Default Severity Base.
For more information about CVSS scores and severity ranges, see CVSS Scores vs. VPR.
To configure the severity base for an individual scan:
2. In the scans table, click the scan for which you want to change the severity base.
The scan page appears. The Scan Details, including the scan's current severity base, appear
on the right side of the page.
3. Under Scan Details, next to the current Severity Base, click the button.
The Change Severity Rating Base window appears.
4. From the Severity Rating Base drop-down box, select one of the following:
l CVSS v2.0 —The severity for vulnerabilities found by the scan is based on CVSSv2
scores. This setting overrides the default severity base set on the Tenable Nessus
instance.
l CVSS v3.0 —The severity for vulnerabilities found by the scan is based on CVSSv3
scores. This setting overrides the default severity base set on the Tenable Nessus
instance.
- 420 -
l Default —The severity for vulnerabilities found by the scan use the Tenable Nessus
default severity base, which appears in parentheses. If you change the default severity
base later, the scan automatically uses the new default severity base.
5. Click Save.
Tenable Nessus updates the severity base for your scan. The scan results update to reflect
the updated severity.
- 421-
Create a New Scan from Scan Results
When you view scan results, you can select scanned hosts that you want to target in a new scan.
When you create a new scan, Tenable Nessus automatically populates the targets with the hosts
that you selected.
To create a new scan from scan results:
2. In the scans table, click the row of a completed scan.
3. Click the Hosts tab.
Tenable Nessus displays a table of scanned hosts.
4. Select the check box next to each host you want to scan in your new scan.
At the top of the page, the More button appears.
6. Click Create Scan.
7. Select a scan template for your new scan.
Tenable Nessus automatically populates the Targets list with the hosts you previously selec-
ted.
8. Configure the rest of the scan settings, as described in Scan and Policy Settings.
- 422 -
- 423 -
Search and Filter Results
You can search or use filters to view specific scan results. You can filter hosts and vulnerabilities,
and you can create detailed and customized scan result views by using multiple filters.
To search for hosts:
1. In scan results, click the Hosts tab.
If you are working with an attack surface discovery scan, click the Records tab.
2. In the Search Hosts box above the hosts table, type text to filter for matches in hostnames.
As you type, Nessus automatically filters the results based on your text.
To search for vulnerabilities:
l In scan results, in the Hosts tab, click a specific host to view its vulnerabilities.
l In scan results, click the Vulnerabilities tab to view all vulnerabilities.
2. In the Search Vulnerabilities box above the vulnerabilities table, type text to filter for matches
in vulnerability titles.
As you type, Nessus automatically filters the results based on your text.
To create a filter:
l In scan results, click the Hosts tab.
l In scan results, in the Hosts tab, click a specific host to view its vulnerabilities.
l In scan results, click the Vulnerabilities tab to view all vulnerabilities.
2. Click Filters next to the search box.
The Filters window appears.
3. Specify your filter rule options:
- 424 -
l Match Any or Match All: If you select All, only results that match all filters appear. If you
select Any, results that match any one of the filters appear.
l Plugin attribute: See the Plugin Attributes table for plugin attribute descriptions.
l Filter argument: Select is equal to, is not equal to, contains, or does not contain to spe-
cify how the filter should match for the selected plugin attribute.
l Value: Depending on the plugin attribute you selected, enter a value or select a value
from the drop-down menu.
4. (Optional) Click to add another filter rule.
5. Click Apply.
Tenable Nessus applies your filters and the table shows vulnerabilities or records that match
your filters.
To clear an applied filter:
1. Click Filter next to the search box.
The Filter window appears.
2. To remove a single filter, click next to the filter entry.
3. To remove all filters, click Clear Filters.
Tenable Nessus removes the filters from the vulnerabilities shown in the table.
Plugin Attributes
The following table lists plugins attributes you can use to filter results.
Option Description
Bugtraq ID Filter results based on if a Bugtraq ID is equal to, is not equal to, contains,
or does not contain a given string (for example, 51300).
CANVAS Exploit Filter results based on if the presence of an exploit in the CANVAS exploit
Framework framework is equal to or is not equal to true or false.
CANVAS Pack- Filter results based on which CANVAS exploit framework package an
- 425 -
Option Description
age exploit exists for. Options include CANVAS, D2ExploitPack, or White_Phos-

phorus.
CERT Advisory Filter results based on if a CERT Advisory ID (now called Technical Cyber
ID Security Alert) is equal to, is not equal to, contains, or does not contain a
given string (for example, TA12-010A).
CORE Exploit Filter results based on if the presence of an exploit in the CORE exploit
Framework framework is equal to or is not equal to true or false.
CPE Filter results based on if the Common Platform Enumeration (CPE) is equal
to, is not equal to, contains, or does not contain a given string (for example,
Solaris).
CVE Filter results based on if a Common Vulnerabilities and Exposures (CVE)

v2.0 reference is equal to, is not equal to, contains, or does not contain a
given string (for example, 2011-0123).
CVSS Base Filter results based on if a Common Vulnerability Scoring System (CVSS)
Score v2.0 base score is less than, is more than, is equal to, is not equal to, con-
tains, or does not contain a string (for example, 5).
You can use this filter to select by risk level. The severity ratings are
derived from the associated CVSS score, where 0 is Info, less than 4 is
Low, less than 7 is Medium, less than 10 is High, and a CVSS score of 10 is
Critical.
CVSS Temporal Filter results based on if a CVSS v2.0 temporal score is less than, is more
Score than, is equal to, is not equal to, contains, or does not contain a string (for
example, 3.3).
CVSS Temporal Filter results based on if a CVSS v2.0 temporal vector is equal to, is not
Vector equal to, contains, or does not contain a given string (for example, E:F).
CVSS Vector Filter results based on if a CVSS v2.0 vector is equal to, is not equal to, con-
tains, or does not contain a given string (for example, AV:N).
CVSS 3.0 Base Filter results based on if a Common Vulnerability Scoring System (CVSS)
- 426 -
Option Description
Score v3.0 base score is less than, is more than, is equal to, is not equal to, con-
tains, or does not contain a string (for example, 5).
You can use this filter to select by risk level. The severity ratings are
derived from the associated CVSS score, where 0 is Info, less than 4 is
Low, less than 7 is Medium, less than 10 is High, and a CVSS score of 10 is
Critical.
CVSS 3.0 Tem- Filter results based on if a CVSS v3.0 temporal score is less than, is more
poral Score than, is equal to, is not equal to, contains, or does not contain a string (for
example, 3.3).
CVSS 3.0 Tem- Filter results based on if a CVSS v3.0 temporal vector is equal to, is not
poral Vector equal to, contains, or does not contain a given string (for example, E:F).
CVSS 3.0 Vector Filter results based on if a CVSS v3.0 vector is equal to, is not equal to, con-
tains, or does not contain a given string (for example, AV:N).
CWE Filter results based on Common Weakness Enumeration (CWE) if a CVSS

vector is equal to, is not equal to, contains, or does not contain a CWE ref-
erence number (for example, 200).
Exploit Available Filter results based on the vulnerability having a known public exploit.
Exploit Data- Filter results based on if an Exploit Database ID (EBD-ID) reference is equal
base ID to, is not equal to, contains, or does not contain a given string (for example,
18380).
Exploitability Filter results based on if the exploitability ease is equal to or is not equal to
Ease the following values: Exploits are available, No exploit is required, or No
known exploits are available.
Exploited by Mal- Filter results based on if the presence of a vulnerability is exploitable by

ware malware is equal to or is not equal to true or false.
Exploited by Filter results based on whether a plugin performs an actual exploit, usually
Nessus an ACT_ATTACK plugin.
- 427 -
Option Description
Hostname Filter results if the host is equal to, is not equal to, contains, or does not
contain a given string (for example, 192.168 or lab). For agents, you can
search by the agent target name. For other targets, you can search by the
target's IP address or DNS name, depending on how you configured the
scan.
IAVA Filter results based on if an IAVA reference is equal to, is not equal to, con-
tains, or does not contain a given string (for example, 2012-A-0008).
IAVB Filter results based on if an IAVB reference is equal to, is not equal to, con-
tains, or does not contain a given string (for example, 2012-A-0008).
IAVM Severity Filter results based on the IAVM severity level (for example, IV).
In The News Filter results based on whether the vulnerability covered by a plugin has
had coverage in the news.
Malware Filter results based on whether the plugin detects malware; usually ACT_
GATHER_INFOplugins.
Metasploit Filter results based on if the presence of a vulnerability in the Metasploit

Exploit Frame- Exploit Framework is equal to or is not equal to true or false.
work
Metasploit Filter results based on if a Metasploit name is equal to, is not equal to, con-
Name tains, or does not contain a given string (for example, xslt_password_
reset).
Microsoft Bul- Filter results based on Microsoft security bulletins like MS17-09, which have
letin the format MSXX-XXX , where X is a number.
Microsoft KB Filter results based on Microsoft knowledge base articles and security
advisories.
OSVDB ID Filter results based on if an Open Source Vulnerability Database (OSVDB) ID

is equal to, is not equal to, contains, or does not contain a given string (for
example, 78300).
- 428 -
Option Description
Patch Public- Filter results based on if a vulnerability patch publication date is less than,
ation Date is more than, is equal to, is not equal to, contains, or does not contain a
string (for example, 12/ 01/ 2011).
Plugin Descrip- Filter results if Plugin Description contains, or does not contain a given
tion string (for example, remote).
Plugin Family Filter results if Plugin Name is equal to or is not equal to one of the des-
ignated Nessus plugin families. Tenable Nessus provides the possible
matches via a drop-down menu.
Plugin ID Filter results if plugin ID is equal to, is not equal to, contains, or does not
contain a given string (for example, 42111).
Plugin Modi- Filter results based on if a Nessus plugin modification date is less than, is
fication Date more than, is equal to, is not equal to, contains, or does not contain a
Plugin Name Filter results if Plugin Name is equal to, is not equal to, contains, or does
not contain a given string (for example, windows).
Plugin Output Filter results if Plugin Description is equal to, is not equal to, contains, or
does not contain a given string (for example, PHP)
Plugin Public- Filter results based on if a Nessus plugin publication date is less than, is
ation Date more than, is equal to, is not equal to, contains, or does not contain a
Plugin Type Filter results if Plugin Type is equal to or is not equal to one of the two
types of plugins: local or remote.
Port Filter results based on if a port is equal to, is not equal to, contains, or does
not contain a given string (for example, 80).
Protocol Filter results if a protocol is equal to or is not equal to a given string (for
example, HTTP).
Risk Factor Filter results based on the risk factor of the vulnerability (for example, Low,
- 429 -
Option Description
Medium, High, Critical).
Secunia ID Filter results based on if a Secunia ID is equal to, is not equal to, contains,
or does not contain a given string (for example, 47650).
See Also Filter results based on if a Nessus plugin see also reference is equal to, is
not equal to, contains, or does not contain a given string (for example,
seclists.org).
Solution Filter results if the plugin solution contains or does not contain a given
string (for example, upgrade).
Synopsis Filter results if the plugin solution contains or does not contain a given
string (for example, PHP).
Vulnerability Filter results based on if a vulnerability publication date earlier than, later
Publication Date than, on, not on, contains, or does not contain a string (for example,
01/ 01/ 2012).
Note: Pressing the button next to the date brings up a calendar interface for
easier date selection.
- 430 -
Compare Scan Results
You can compare two scan results to see differences between them. This comparison is not a true
differential of the two results; it shows the new vulnerabilities that Tenable Nessus detected
between the older baseline scan and the newer scan.
Comparing scan results helps you see how a given system or network has changed over time. This
information is useful for compliance analysis by showing how vulnerabilities are being remediated,
if systems are patched as Tenable Nessus finds new vulnerabilities, or how two scans may not be
targeting the same hosts.
Note: You cannot compare imported scans or more than two scans.
To compare two scan results:
2. Click a scan.
3. Click the History tab.
4. In the row of both scan results you want to compare, select the check box.
5. In the upper-right corner, click Diff.
The Choose Primary Result window appears.
6. In the drop-down box, select which of the scan results is the primary result.
The primary result is your differential baseline. The scan differential shows the vulnerabilities
that Tenable Nessus detected in the non-baseline scan.
Tip: To see a true differential of the two scan results, Tenable recommends generating the dif-
ferential twice: once using the older scan result as the baseline, and once using the newer scan res-
ult as the baseline. Doing so allows you to see the vulnerabilities that were only detected in one of
the scan results.
7. Click Continue.
- 431-
The scan differential appears. The differential shows the hosts on which the non-baseline
scan detected vulnerabilities since the baseline scan under the Hosts tab and a list of the vul-
nerabilities detected under the Vulnerabilities tab. The differential also shows which of those
new vulnerabilities are VPR Top Threats under the VPR Top Threats tab.
You can generate a report of the scan differential. For more information, see step four of
Create a Scan Report.
- 432 -
Dashboard
In Tenable Nessus Manager, you can configure a scan to show the scan’s results in an interactive
dashboard view.
Note: This feature is only available for non-clustered Manager configurations.
Based on the type of scan performed and the type of data collected, the dashboard shows key val-
ues and trending indicators.
Dashboard View
Based on the type of scan performed and the type of data collected, the dashboard shows key val-
ues and a trending indicator.
Dashboard Details
- 433 -
Name Description
Current Vul- The number of vulnerabilities identified by the scan, by severity.

nerabilities
Operating System The percentage of operating systems identified by the scan.

Comparison
Vulnerability Com- The percentage of all vulnerabilities identified by the scan, by severity.
parison
Host Count Com- The percentage of hosts scanned by credentialed and non-credentialed
parison authorization types: without authorization, new without authorization,
with authorization, and new with authorization.
Vulnerabilities Vulnerabilities found over a period of time. You must complete at least
Over Time two scans for this chart to appear.
Top Hosts Top 8 hosts that had the highest number of vulnerabilities found in the
scan.
Top Vul- Top 8 vulnerabilities based on severity.

nerabilities
- 434 -
Vulnerabilities
Vulnerabilities are instances of a potential security issue found by a plugin. In your scan results, you
can choose to view all vulnerabilities found by the scan, or vulnerabilities found on a specific host.
Vulnerability view Path
All vulnerabilities detected by a scan Scans > [ scan name] > Vulnerabilities
Vulnerabilities detected by a scan on a specific host Scans > Hosts > [ scan name]
Example Vulnerability Information

List of a single host's scan results by plugin
Details of a single host's plugin scan result
severity and plugin name
For information on managing vulnerabilities, see:
l View Vulnerabilities
l Search and Filter Results
l Modify a Vulnerability
l Group Vulnerabilities
l Snooze a Vulnerability
l Live Results
- 435 -
View Vulnerabilities
You can view all vulnerabilities found by a scan, or vulnerabilities found on a specific host by a scan.
When you drill down on a vulnerability, you can view information such as plugin details, description,
solution, output, risk information, vulnerability information, and reference information.
Tip: To view vulnerabilities by VPR, click in the table header, click Disable Groups, and sort the table by
VPR Score.
To view vulnerabilities:
2. Click the scan for which you want to view vulnerabilities.
l To view vulnerabilities on a specific host, click the host.
l To view all vulnerabilities, click the Vulnerabilities tab.
The Vulnerabilities tab appears.
4. (Optional) To sort the vulnerabilities, click an attribute in the table header row to sort by that
attribute.
5. To view details for the vulnerability, click the vulnerability row.
The vulnerability details page appears and shows plugin information and output for each
instance on a host.
- 436 -
Modify a Vulnerability
You can modify a vulnerability to change its severity level or hide it. This allows you to re-prioritize
the severity of results to better account for your organization’s security posture and response plan.
When you modify a vulnerability from the scan results page, the change only applies to that vul-
nerability instance for that scan unless you indicate that the change should apply to all future
scans. To modify severity levels for all vulnerabilities, use Plugin Rules.
To modify a vulnerability:
2. Click the scan for which you want to view vulnerabilities.
l Click a specific host to view vulnerabilities found on that host.
l Click the Vulnerabilities tab to view all vulnerabilities.
4. In the row of the vulnerability you want to modify, click .
The Modify Vulnerability window appears.
5. In the Severity drop-down box, select a severity level or Hide this result.
Note: If you hide a vulnerability, you cannot recover it and you accept its associated risks. To hide a
vulnerability temporarily, use Vulnerability Snoozing.
6. (Optional) Select Apply this rule to all future scans.
If you select this option, Tenable Nessus modifies this vulnerability for all future scans. Ten-
able Nessus does not modify vulnerabilities found in past scans.
7. Click Save.
Tenable Nessus updates the vulnerability with your setting.
- 437 -
Group Vulnerabilities
When you group vulnerabilities, plugins with common attributes such as Common Platform
Enumeration (CPE), service, application, and protocol nest under a single row in scan results. Group-
ing vulnerabilities gives you a shorter list of results, and shows your related vulnerabilities together.
When you enable groups, the number of vulnerabilities in the group appears next to the severity
indicator, and the group name says (Multiple Issues).
The severity indicator for a group is based on the vulnerabilities in the group. If all the vul-
nerabilities in a group have the same severity, Tenable Nessus shows that severity level. If the vul-
nerabilities in a group have differing severities, Nessus shows the Mixed severity level.
To group vulnerabilities:
2. Click on the scan for which you want to view vulnerabilities.
- 438 -
-or-
4. In the header row of the vulnerabilities table, click .
5. Click Enable Groups.
Nessus groups similar vulnerabilities in one row.
To ungroup vulnerabilities:
2. Click Disable Groups.
Vulnerabilities appear on their own row.
To view vulnerabilities within a group:
l In the vulnerabilities table, click the vulnerability group row.
A new vulnerabilities table appears and shows the vulnerabilities in the group.
To set group severity types to the highest severity within the group:
l Set the advanced setting scans_vulnerability_groups_mixed to no.
- 439 -
Snooze a Vulnerability
When you snooze a vulnerability, it does not appear in the default view of your scan results. You
choose a period of time for which the vulnerability is snoozed – once the snooze period age outs,
the vulnerability awakes and appears in your list of scan results. You can also manually wake a vul-
nerability or choose to show snoozed vulnerabilities. Snoozing affects all instances of the vul-
nerability in a given scan, so you cannot snooze vulnerabilities only on a specific host.
When you snooze a vulnerability, you only snooze the vulnerability for the scan result that you are
working in. The vulnerability still appears in other existing scan results, and in future scan results.
To snooze a vulnerability:
2. Click on the scan for which you want to view vulnerabilities.
-or-
4. In the row of the vulnerability you want to snooze, click .
The Snooze for drop-down box appears.
5. Choose the period of time you want the vulnerability to snooze:
l Click 1Day, 1Week, or 1Month.
-or-
l Click Custom.
The Snooze Vulnerability window appears.
- 440 -
6. In the Snooze Vulnerability window:
l If you selected a preset snooze period, click Snooze to confirm your selection.
l If you selected a custom snooze period, select the date you want the vulnerability to
snooze until, then click Snooze.
Tenable Nessus snoozes the vulnerability for the selected period of time and does not appear
in the default view of scan results.
To show snoozed vulnerabilities:
2. Click Show Snoozed.
Snoozed vulnerabilities appear in the list of scan results.
To wake a snoozed vulnerability:
1. In the row of the snoozed vulnerability click .
The Wake Vulnerability window appears.
2. Click Wake.
The vulnerability is no longer snoozed, and appears in the default list of scan results.
- 441-
View VPR Top Threats
In Tenable Nessus scan results, VPR Top Threats represent a scan's top 10 vulnerabilities with the
highest VPR scores. For information about VPR, see CVSS Scores vs. VPR.
Although you may have more than 10 vulnerabilities found by a scan, VPR top threats show the 10
most severe vulnerabilities as determined by their VPR score. To view all vulnerabilities by their
static CVSS score, see View Vulnerabilities.
Note: To ensure VPR data is available for your scans, enable plugin updates.
Tip: VPR is a dynamic score that changes over time to reflect the current threat landscape. However, the
VPR top threats reflect the VPR score for the vulnerability at the time Tenable Nessus ran the scan. To get
updated VPR scores, re-run the scan.
To view a scan's top 10 vulnerabilities by VPR threat:
2. In the scans table, click the scan for which you want to view the top VPR threats.
The scan page appears.
3. Click the VPR Top Threats tab.
The VPR Top Threats page appears. On this page, you can view:
Section Description
Assessed The highest VPR-based severity from your top 10 vulnerabilities.

Threat Level
VPR Top Threats Table —Summary View
VPR Severity The severity for the vulnerability, based on VPR score. This severity
may differ from the CVSS-based severity. For more information, see
CVSS Scores vs. VPR.
- 442 -
Name The name of the vulnerability.
Reasons Threat sources where threat events related to this vulnerability

occurred.
VPR Score The Vulnerability Priority Rating score for the vulnerability.
Hosts The number of affected hosts where Tenable Nessus found the vul-
nerability.
4. (Optional) To view details for a specific vulnerability, click the row in the table.
The vulnerability details window appears.
- 443 -
Live Results
Nessus updates with new plugins automatically, which allows you to assess your assets for new vul-
nerabilities. However, if your scan is on an infrequent schedule, the scan may not run new plugins
until several days after the plugin update. This gap could leave your assets exposed to vul-
nerabilities that you are not aware of.
In Nessus Professional and Nessus Expert, you can use live results to view scan results for new plu-
gins based on a scan's most recently collected data, without running a new scan. Live results allow
you to see potential new threats and determine if you need to launch a scan manually to confirm the
findings. Live results are not results from an active scan; they are an assessment based on already-
collected data. Live results don't produce results for new plugins that require active detection, like
an exploit, or that require data that was not previously collected.
Live results appear with striped coloring in scan results. In the Vulnerabilities tab, the severity indic-
ator is striped, and the Live icon appears next to the plugin name.
The results page shows a note indicating that the results include live results. Tenable recommends
that you manually launch a scan to confirm the findings. The longer you wait between active scans,
the more outdated the data may be, which lessens the effectiveness of live results.
To manage live results, see the following:
- 444 -
l Enable or Disable Live Results
l Remove Live Results
- 445 -
Enable or Disable Live Results
The first time you enable live results on a scan, the scan results update to include findings for plu-
gins that were enabled since the last scan. The scan then updates with live results whenever there
is a new plugin update. Live results are not results from an active scan; they are an assessment
based on a scan's most recently collected data. Live results do not produce results for new plugins
that require active detection, like an exploit, or that require data that was not previously collected.
To learn more, see Live Results.
To enable or disable live results:
1. In Tenable Nessus Professional or Tenable Nessus Expert, create a new scan or edit an exist-
ing scan.
2. Go to the Settings tab.
3. Under Post-Processing, enable or disable Live Results:
l To enable, select the Live Results check box.
l To disable, clear the Live Results check box.
4. Click Save.
Tenable Nessus enables or disables live results for this scan.
- 446 -
Remove Live Results
In Nessus Professional and Nessus Expert, if a scan includes live results, Tenable Nessus shows the
following notice on the scan results page.
If you remove live results, they no longer appear on the scan results page. However, live results will
re-appear the next time Nessus updates the plugins (unless you disable the feature for the scan).
Tip: To launch the scan and confirm the live results findings, click Launch in the notice before you remove
the findings.
To remove Live Results findings from the scan results page:

l In the notice, click remove.
- 447 -
Scan Exports and Reports
You can export scans as a Tenable Nessus file or a Tenable Nessus DB file, as described in Export a
Scan. You can then import these files as a scan or policy, as described in Import a Scan and Import
a Policy.
You can also create a scan report in several different formats. For all formats, you can configure a
report to include all scan information or specify a custom set of information. For an HTML or
PDF report, you can also use a Tenable-provided report with preconfigured filters. For more inform-
ation, see Create a Scan Report.
Allows Cus-
Format Description
tomization?
Exports
Nessus A .nessus file in XML format that contains the list of tar- No
gets, policies defined by the user, and scan results. Nes-
sus strips the password credentials so they are not
exported as plain text in the XML. If you import a .nessus
file as a policy, you must re-apply your passwords to any
credentials.
Nessus DB A proprietary encrypted database format that contains all No

the information in a scan, including the audit trails and res-
ults. When you export in this format, you must enter a
password to encrypt the results of the scan.
Reports
PDF A report generated in PDF format. Depending on the size Yes

of the report, PDF generation may take several minutes.
You need either Oracle Java or OpenJDK for PDF reports.
HTML A report generated using standard HTML output. This Yes

report opens in a new tab in your browser.
CSV A CSV export that you can use to import into many Yes
external programs such as databases, spreadsheets, and
more.
- 448 -
Export a Scan
You can export a scan from one Tenable Nessus scanner and import it to a different Tenable Nes-
sus scanner. This helps you manage your scan results, compare reports, back up reports, and facil-
itates communication between groups within an organization. For more information, see Import a
Scan and Import a Policy.
You can export scan results as a Tenable Nessus file or as a Tenable Nessus DB file. For more
information, see Scan Exports and Reports.
For Tenable Nessus files, if you modified scan results using plugin rules or by modifying a vul-
nerability (for example, you hid or changed the severity of a plugin), the exported scan does not
reflect these modifications.
To export a scan:
2. Click a scan.
3. In the upper-right corner, click Export.
4. From the drop-down box, select the format in which you want to export the scan results.
l If you select Tenable Nessus, Tenable Nessus exports the .nessus XML file.
l If you select Tenable Nessus DB, the Export as Tenable Nessus DB dialog box appears.
a. Type a password to protect the file.
When you import the Tenable Nessus DB file to another scanner, you must enter
this password.
b. Click Export.
Tenable Nessus exports the Tenable Nessus Manager DB file.
l If you select Policy, Tenable Nessus exports an informational JSON file that contains the
scan policy details.
- 449 -
l If you select Timing Data, Tenable Nessus exports an information CSV file that contains
the scan hostname, IP, FQDN, scan start and end times, and the scan duration in
seconds.
- 450 -
Create a Scan Report
You can create a scan report to help you analyze the vulnerabilities and remediations on affected
hosts. You can create a scan report in PDF, HTML, or CSV format, and customize it to contain only
certain information.
When you create a scan report, it includes the results that are currently visible on your scan results
page. You can also select certain hosts or vulnerabilities to specify your report.
To create a scan report:
2. Click a scan.
3. (Optional) To create a scan report that includes specific scan results, do the following:
l Use search to narrow your scan results.
l Use filters to narrow your scan results.
l In the Hosts tab, select the check box in each row of a host you want to include in the
scan report.
l In the Vulnerabilities tab, select the check box in each row of each vulnerability or vul-
nerability group that you want to include in the scan report.
Note: You can make selections in either Hosts or Vulnerabilities, but not across both tabs.
4. In the upper-right corner, click Report.
5. From the drop-down box, select the format in which you want to export the scan results.
6. Configure the report for your selected format:
CSV
- 451-
a. Select the check boxes for the columns you want to appear in the CSV report.
Tip: To select all columns, click Select All. To clear all columns, click Clear. To reset columns
to the system default, click System.
b. (Optional) To save your current configuration as the default for CSV reports, select the
Save as default check box.
c. Click Generate Report.
Tenable Nessus creates the scan report.
PDF
Do one of the following:
l Create a high-level summary scan report:
a. Select Executive Summary.
b. Click Generate Report.
l (Tenable Nessus Professional only) Create a Tenable-provided report:
a. From the drop-down box, select a report.
For more information, see Nessus Reports.
l Create a custom scan report:
a. Select Custom.
b. Configure the following settings:
l Data —Select the scan result sections you want Tenable Nessus to include in
the report: Vulnerabilities, Remediations, and Compliance (only for scans
with compliance scans).
- 452 -
l Group Vulnerabilities By —From the drop-down box, select whether the
report groups vulnerabilities by Host or Plugin.
l If you group by Host, select whether to include Scan Information and

Host Information.
l If your report includes Vulnerabilities, select the Vulnerabilities Details that

you want to include. If a vulnerability does not have available data for the
details you selected, Tenable Nessus omits it for that result.
l Formatting Options —Select whether to Include page breaks between vul-

nerability results.
HTML
Do one of the following:
l Create a high-level summary scan report:
a. Select Executive Summary.
l (Tenable Nessus Professional only) Create a Tenable-provided report:
a. From the drop-down box, select a report.
For more information, see Nessus Reports.
l Create a custom scan report:
a. Select Custom.
b. Configure the following settings:
- 453 -
l Data —Select the scan result sections you want Tenable Nessus to include in
the report: Vulnerabilities, Remediations, and Compliance (only for scans
with compliance scans).
l Group Vulnerabilities By —From the drop-down box, select whether Tenable

Nessus groups vulnerabilities by Host or Plugin.
l If you group by Host, select whether to include Scan Information and

Host Information.
l If your report includes Vulnerabilities, select the Vulnerabilities Details that

you want to include. If a vulnerability does not have available data for the
details you selected, Tenable Nessus omits it for that result.
- 454 -
Customize Report Title and Logo
In Tenable Nessus, you can customize the title and logo that appear on each report. This allows you
to prepare reports for different stakeholders.
To customize the report title and logo:
2. In the left navigation bar, click Customized Reports.
3. In the Custom Name box, type the name that you want to appear on the report.
4. To upload a custom logo, click the Upload button.
A window appears in which you can select a file to upload.
Tenable Nessus saves your custom title and logo.
What to do next:
l Create a Scan Report
- 455 -
Policies
A policy is a set of predefined configuration options related to performing a scan. After you create a
policy, you can select it as a template when you create a scan.
Note: For information about default policy templates and settings, see Scan Templates.
Policy Characteristics
l Parameters that control technical aspects of the scan such as timeouts, number of hosts,
type of port scanner, and more.
l Credentials for local scans (for example, Windows, SSH), authenticated Oracle database
scans, HTTP, FTP, POP, IMAP, or Kerberos based authentication.
l Granular family or plugin-based scan specifications.
- 456 -
l Database compliance policy checks, report verbosity, service detection scan settings, Unix
compliance checks, and more.
l Offline configuration audits for network devices, allowing safe checking of network devices
without needing to scan the device directly.
l Windows malware scans which compare the MD5 checksums of files, both known good and
malicious files.
- 457 -
Create a Policy
2. In the left navigation bar, click Policies.
The Policies page appears.
3. In the upper right corner, click the New Policy button.
The Policy Templates page appears.
4. Click the policy template that you want to use.
5. Configure the policy's settings.
Tenable Nessus saves the policy.
- 458 -
Import a Policy
You can import an exported Tenable Nessus (.nessus) scan or policy and import it as a policy. You
can then view and modify the configuration settings for the imported policy. You cannot import a
Nessus DB file as a policy.
To import a policy:
The Policies page appears.
3. In the upper-right corner, click Import.
Your browser's file manager window appears.
4. Browse to and select the scan file that you want to import.
Note: Supported file type is an exported Nessus (.nessus) file.
Tenable Nessus imports the file as a policy.
5. (Optional) Modify Policy Settings.
- 459 -
Modify Policy Settings
3. In the policies table, select the check box on the row corresponding to the policy that you
want to configure.
5. Click Configure.
The Configuration page for the policy appears.
6. Modify the settings.
- 460 -
Delete a Policy
This procedure can be performed by a standard user or administrator.
3. On the policies table, on the row corresponding to the policy that you want to delete, click the
button.
A dialog box appears, confirming your selection to delete the policy.
Tenable Nessus deletes the policy.
About Tenable Nessus Plugins

As information about new vulnerabilities is discovered and released into the general public domain,
Tenable, Inc. research staff designs programs to enable Tenable Nessus to detect them.
These programs are called plugins. Tenable writes plugins in the Tenable Nessus proprietary script-
ing language called Tenable Nessus Attack Scripting Language (NASL).
Plugins contain vulnerability information, a generic set of remediation actions, and the algorithm to
test for the presence of the security issue.
Tenable Nessus supports the Common Vulnerability Scoring System (CVSS) and supports both v2
and v3 values simultaneously. If both CVSS2 and CVSS3 attributes are present, Tenable Nessus cal-
culates both scores. However in determining the Risk Factor attribute, currently the CVSS2 scores
take precedence.
Tenable Nessus also uses plugins to obtain configuration information from authenticated hosts,
which Tenable Nessus uses for configuration audit purposes against security best practices.
To view plugin information, see a list of newest plugins, view all Tenable Nessus plugins, and search
for specific plugins, see the Tenable Nessus Plugins home page.
- 461-
Example plugin information
List of a single host's scan results by plugin

Details of a single host's plugin scan result
severity and plugin name
- 462 -
How do I get Tenable Nessus plugins?
By default, Tenable Nessus automatically updates plugins and checks for updated components and
plugins every 24 hours.
During the Product Registration portion of the Browser Portion of the Tenable Nessus install, Ten-
able Nessus downloads all plugins and compiles them into an internal database.
You can also use the nessuscli fetch —register command to download plugins manually. For
more details, see the Command Line section of this guide.
Optionally, during the Registration portion of the Browser Portion of the Tenable Nessus install, you
can choose the Custom Settings link and provide a hostname or IP address to a server which hosts
your custom plugin feed.
- 463 -
How do I update Tenable Nessus plugins?
By default, Tenable Nessus checks for updated components and plugins every 24 hours. Altern-
atively, you can update plugins manually from the Scanner Settings Page in the user interface.
You can also use the nessuscli update --plugins-only command to update plugins manually.
For more details, see the Command Line section of this guide.
- 464 -
Create a Limited Plugin Policy
3. In the upper right corner, click the New Policy button.
The Policy Templates page appears.
4. Click the Advanced Scan template.
The Advanced Scan page appears.
5. Click the Plugins tab.
The list of plugin families appears, and by default, Tenable Nessus enables all the plugin fam-
ilies.
6. In the upper right corner, click the Disable All button.
- 465 -
Tenable Nessus disables all the plugin families.
Tip: To enable or disable all plugins quickly, click the Enable All and Disable All buttons in the upper
right corner. If you only need to enable one or a few individual plugins, Tenable recommends dis-
abling all plugins. Then, you can select individual plugins as described in step 8.
7. Click the plugin family that you want to include.
The list of plugins appears in the left navigation bar.
- 466 -
8. For each plugin that you want to enable, click the Disabled button.
Tenable Nessus enables each plugin.
- 467 -
Tip: You can search for plugins and plugin families using the Filter option in the upper right corner.
This can help you search fro individual plugins in large plugin families more quickly. For example, if
you need to find an individual plugin, set the filter to Match All of the following: Plugin ID
is equal to <plugin ID>. For more information, see Search and Filter Results.
Tenable Nessus saves the policy.
- 468 -
Install Plugins Manually
You can manually update plugins on an offline Tenable Nessus system in two ways: the user inter-
face or the command-line interface.
Before you begin:

l Download and copy the Nessus plugins compressed TAR file to your system.
To install plugins manually using the Tenable Nessus user interface:
1. On the offline system running Nessus (A), in the top navigation bar, click Settings.
select Continue.
5. Navigate to the compressed TAR file you downloaded, select it, then click Open.
Nessus updates with the uploaded plugins.
To install plugins manually using the command-line interface:
tem.
Platform Command
- 469 -
Platform Command
name>

<tar.gz filename>

name>
- 470 -
Plugin Rules
Plugin rules allow you to re-prioritize the severity of plugin results to better account for your organ-
ization’s security posture and response plan.
The Plugin Rules page allows you to hide or change the severity of any given plugin. In addition, you
can limit rules to a specific host or specific timeframe. From this page you can view, create, edit,
and delete your rules.
Note: You cannot apply custom plugin rules to PCI templates.
You can configure the following options for a plugin rule:
Option Description
Host The host that the plugin rule applies to. You can enter a single IP address or
DNS address, or you can leave the box blank to apply the rule to all hosts.
The Host option must follow the same formatting as the Designate hosts by
their DNS name setting. In other words, if you disabled the setting, enter an IP
address for Host. If you have the setting enabled, enter a DNS address for
Host.
Note: If the plugin is enabled in two different scan configurations that have con-
flicting Designate hosts by their DNS name settings, Tenable recommends creating
two separate plugin rules for the plugin: one rule for the IP address, and one rule
for the DNS address.
Plugin ID The plugin that the plugin rule applies to.
Expiration (Optional) The date on which the plugin rule ages out.
Date
Severity The severity that Nessus assigns the plugin while the plugin rule is active.
Example Plugin Rule

Host: 192.168.0.6
Plugin ID: 79877
- 471-
Expiration Date: 12/ 31/ 2022
Severity: Low
This example rule applies to scans performed on IP address 192.168.0.6. Once saved, this plugin rule
changes the default severity of plugin ID 79877 (CentOS 7: rpm (CESA-2014:1976) to a severity of low
until 12/ 31/ 2022. After 12/ 31/ 2022, the results of plugin ID 79877 returns to its critical severity.
- 472 -
Create a Plugin Rule
2. In the left navigation bar, click Plugin Rules.
3. In the upper right corner, click the New Rule button.
The New Rule window appears.
4. Configure the settings.
Tenable Nessus saves the plugin rule.
- 473 -
Modify a Plugin Rule
3. On the plugin rules table, select the plugin rule that you want to modify.
The Edit Rule window appears.
4. Modify the settings as necessary.
- 474 -
Delete a Plugin Rule
3. On the plugin rules table, in the row for the plugin that you want to modify, click the button.
A dialog box appears, confirming your selection to delete the plugin rule.
Tenable Nessus deletes the plugin rule.
- 475 -
Sensors (Tenable Nessus Manager)
In Tenable Nessus Manager, you can manage linked agents and scanners from the Sensors page.
In the Agents section, you can do the following:
l Modify Agent Settings
l Filter Agents
l Export Agents
l Download Linked Agent Logs
l Unlink an Agent
l Manage Agent Groups
l Manage Freeze Windows
l Manage Clustering
In the Scanners section, you can do the following:
l Link Nessus Scanner
l Unlink Nessus Scanner
l Enable or Disable a Scanner
l Remove a Scanner
l Download Managed Scanner Logs
Agents
Agents increase scan flexibility by making it easy to scan assets without needing ongoing host cre-
dentials or assets that are offline. Additionally, agents enable large-scale concurrent scanning with
little network impact.
Once linked, you must add an agent to an agent group to use when configuring scans. Linked agents
automatically download plugins from the manager upon connection. Agents are automatically
unlinked after a period of inactivity.
- 476 -
Note: Agents must download plugins before they return scan results. This process can take several
minutes.
To manage agents, see the following:
l Modify Agent Settings
l Filter Agents
l Export Agents
l Download Linked Agent Logs
l Unlink an Agent
- 477 -
Agent groups
You can use agent groups to organize and manage the agents linked to your scanner. You can add
each agent to any number of groups and you can configured scans to use these groups as targets.
Note: Agent group names are case-sensitive. When you link agents using System Center Configuration Man-
ager (SCCM) or the command line, you must use the correct case.
For more information, see Agent Groups.
- 478 -
Freeze windows
Freeze windows allow you to schedule times where Tenable Nessus suspends certain activities for
all linked agents.
For more information, see Freeze Windows.
- 479 -
Agent clustering
With Tenable Nessus Manager clustering, you can deploy and manage large numbers of agents from
a single Tenable Nessus Manager instance.
For more information, see Clustering.
- 480 -
Modify Agent Settings
In Tenable Nessus Manager, you can configure global agent settings to specify agent settings for all
your linked agents. You can configure advanced settings for individual agents remotely. You can
also set up agent freeze windows.
To modify agent settings in Tenable Nessus Manager:
2. Do any of the following:
l To modify global agent settings:
a. Click the Settings tab.
b. Modify the settings as described in Global Agent Settings.
c. Click Save.
l To modify individual agent settings remotely, see Remote Agent Settings.
l To modify agent freeze window settings, see Modify Global Freeze Window Settings.
- 481-
Global Agent Settings
The following table describes the global agent settings you can configure in Tenable Nessus Man-
ager:
Option Description
Manage Agents
Track unlinked agents When this setting is enabled, agents that are unlinked
without manual intervention (due to an inactivity timeout)
are preserved in the manager along with the cor-
responding agent data. This option can also be set using
the nessuscli utility.
Note: This option does not allow the manager to track

deleted agents. When you delete an agent, the manager
and/ or cluster no longer tracks or recognizes the agent.
Unlink inactive agents after X Specifies the number of days an agent can be inactive
days before the manager unlinks the agent.
Inactive agents that were automatically unlinked by Ten-

able Nessus Manager automatically relink if they come
back online.
Requires that Track unlinked agents is enabled.
Remove agents that have been Specifies the number of days an agent can be inactive
inactive for X days before the manager removes the agent.
Remove bad agents When this setting is enabled, agents with one or more of
the following criteria are removed from Tenable Nessus
Manager:
l The agent was previously deleted or removed by a

user.
l The agent does not provide a valid access token.
l The agent was blocklisted.
- 482 -
Option Description
Freeze Windows
Configure global freeze windows as described in Modify Freeze Window Settings.
- 483 -
Remote Agent Settings
All agent advanced settings can be set via the agent's command line interface, as described in
Advanced Settings in the Tenable Nessus Agent Deployment and User Guide. However, you can
modify some settings remotely via Tenable Nessus Manager.
To modify remote agent settings:
2. In the linked agents table, click the row for the agent you want to modify.
The agent details page appears.
3. Click the Remote Settings tab.
4. In the settings table, click the remote setting you want to modify.
The setting window appears.
5. Modify the setting.
For setting and value descriptions, see Advanced Settings in the Tenable Nessus Agent
l To save and immediately apply the setting, click Save and Apply.
Note: For some settings, applying the setting requires an agent soft (backend) restart or full
service restart.
l To save the setting but not yet apply settings, click the Save button.
Note: For the setting to take effect on the agent, you must apply the setting. In the banner
that appears, click Apply all changes now. For some settings, applying the setting requires an
agent soft (backend) restart or full service restart.
- 484 -
Filter Agents
Use this procedure to filter agents in Tenable Nessus Manager.
To filter agents in the agents table:
2. Above the agents table, click the Filter button.
The Filter window appears.
3. Configure the filters as necessary. For more information, see Agent Filters.
4. Click Apply.
Tenable Nessus Manager filters the list of agents to include only those that match your con-
figured options.
Agent Filters
Parameter Operator Expression
IP Address is equal to In the text box, type the IPv4 or IPv6 addresses on which you
want to filter.
is not equal
to
contains
does not
contain
Last Con- earlier than In the text box, type the date on which you want to filter.
nection
later than
Last Plugin
on
Update
not on
Last Scanned
- 485 -
Parameter Operator Expression
Member of is equal to From the drop-down list, select from your existing agent
Group groups.
is not equal
to
Name is equal to In the text box, type the agent name on which you want to fil-
ter.
is not equal
to
contains
does not
contain
Platform contains In the text box, type the platform name on which you want to
filter.
does not
contain
Status is equal to In the drop-down list, select an agent status. For more
information, see Agent Status in the Tenable Nessus Agent
is not equal
to
Version is equal to In the text box, type the version you want to filter.
is not equal
to
contains
does not
contain
- 486 -
Export Agents
To export agents data in Tenable Nessus Manager:
The Linked Agents page appears.
2. (Optional) Click the Filter button to apply a filter to the agents list.
3. In the upper right corner, click Export. If a drop-down appears, click CSV.
Your browser's download manager appears.
4. Click OK to save the agents.csv file.
The agents.csv file exported from Tenable Nessus Manager contains the following data:
Field Description
Agent Name The name of the agent.
Status The status of the agent at the time of export. Possible values are unlinked,
online, or offline.
IP Address The IPv4 or IPv6 address of the agent.
Platform The platform the agent is installed on.
Groups The names of any groups the agent belongs to.
Version The version of the agent.
Last Plugin The date (in ISO-8601format) the agent's plugin set was last updated.
Update
Last Scanned The date (in ISO-8601format) the agent last performed a scan of the host.
- 487 -
Download Linked Agent Logs
As an administrator in Tenable Nessus Manager, you can request and download a log file containing
logs and system configuration data from any of your managed scanners and agents. This inform-
ation can help you troubleshoot system problems, and also provides an easy way to gather data to
submit to Tenable Support.
You can store a maximum of five log files from each agent in Tenable Nessus Manager. Once the
limit is reached, you must remove an old log file to download a new one.
To download logs from a linked agent:
2. In the agents table, click the agent for which you want to download logs.
The Agents page for that agent appears.
3. Click the Logs tab.
4. In the upper-right corner, click Request Logs.
Note: If you have reached the maximum of five log files, the Request Logs button is disabled.
Remove an existing log before downloading a new one.
Tenable Nessus Manager requests the logs from the agent the next time it checks in, which
may take several minutes. You can view the status of the request in the user interface until
the download is complete.
5. To download the log file, click the file name.
Your system downloads the log file.
To remove an existing log:
l In the row of the log you want to remove, click the button.
To cancel a pending or failed log download:
- 488 -
l In the row of the pending or failed log download that you want to cancel, click the button.
- 489 -
Unlink an Agent
When you unlink an agent manually, the agent disappears from the Tenable Nessus Agents page,
but the system retains related data for the period of time specified in agent settings. When you
unlink an agent manually, the agent does not automatically relink to Tenable Nessus Manager.
Tip: You can configure agents to unlink automatically if they are inactive for some days, as described in
agent settings.
To unlink agents in Tenable Nessus Manager manually:
2. In the left navigation bar, click Agents.
The Agents page appears.
To unlink a single agent:
a. In the agents table, in the row for the agent that you want to unlink, click the button.
To unlink one agent or multiple agents:
a. In the agents table, select the check box in each row for each agent you want to unlink.
b. In the upper-right corner, click the Manage button.
A drop down menu appears.
c. Click the Unlink button.
Note: The Unlink button does not show in the drop down menu if none of the agents you selec-
ted are linked.
- 490 -
4. Click the Unlink button.
The manager unlinks the agent or agents.
- 491-
Agent Groups
You can use agent groups to organize and manage the agents linked to Tenable Nessus Manager.
You can add an agent to more than one group, and configure scans to use these groups as targets.
Tenable recommends that you size agent groups appropriately, particularly if you are managing
scans in Tenable Nessus Manager and then importing the scan data into Tenable Security Center.
You can size agent groups when you manage agents in Tenable Nessus Manager.
The more agents that you scan and include in a single agent group, the more data that the manager
must process in a single batch. The size of the agent group determines the size of the .nessus file
that you must import into Tenable Security Center. The .nessus file size affects hard drive space
and bandwidth.
Use the following processes to create and manage agent groups:
l Create a New Agent Group
l Configure User Permissions for an Agent Group
l Modify an Agent Group
l Delete an Agent Group
- 492 -
Create a New Agent Group
You can use agent groups to organize and manage the agents linked to your account. You can add
an agent to more than one group, and configure scans to use these groups as targets.
Use this procedure to create an agent group in Tenable Nessus Manager.
To create a new agent group:
2. In the left navigation bar, click Agent Groups.
The Agent Groups page appears.
3. In the upper-right corner, click the New Group button.
The New Agent Group window appears.
4. In the Name box, type a name for the new agent group.
5. Click Add.
Tenable Nessus Manager adds the agent group and it appears in the table.
What to do next:
l Configure user permissions for the agent group.
l Use the agent group in an agent scan configuration.
- 493 -
Configure User Permissions for an Agent Group
You can share an agent group with other users or user groups in your organization.
User permissions for agent groups include the following:
l No access —(Default user only) The user or user group cannot add the agent group to an
agent scan. If a user or user group with this permission attempts to launch an existing scan
that uses the agent group, the scan fails.
l Can use —The user or user group can add the agent group to an agent scan and can launch
existing scans that use the agent group.
Use this procedure to configure permissions for an agent group in Tenable Nessus Manager.
To configure user permissions for an agent group:
1. Create or modify an agent group.
2. In the agent groups table, click the agent group for which you want to configure permissions.
The agent group details page appears.
3. Click the Permissions tab.
The Permissions tab appears.
Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to min-
imize maintenance as individual users leave or join your organization.
l
Add permissions for a new user or user group:
a. In the Add users or groups box, type the name of a user or group.
As you type, a filtered list of users and groups appears.
b. Select a user or group from the search results.
Tenable Vulnerability Management adds the user to the permissions list, with a
default permission of Can Use.
- 494 -
l
Change the permissions for an existing user or user group:
Note: The Default user represents any users who have not been specifically added to the
agent group.
a. Next to the permission drop-down for the Default user, click the button.
b. Select a permissions level.
c. Click Save.
l
Remove permissions for a user or user group:
l For the Default user, set the permissions to No Access.
l For any other user or user group, click the button next to the user or user group
for which you want to remove permissions.
5. Click Save.
Tenable Vulnerability Management saves the changes you made to the agent group.
- 495 -
Modify an Agent Group
Use this procedure to modify an agent group in Tenable Nessus Manager.
To modify an agent group:

l
Modify the group name.
a. In the row for the agent group that you want to modify, click the button.
The Edit Agent Group window appears.
b. In the Name box, type a new name for the agent group.
c. Click Save.
The manager saves your changes.

l
Add agents to the agent group.
a. In the agent groups table, click the agent group you want to modify.
b. In the upper-right corner of the page, click the Add Agents button.
The Add Agents window appears. This window contains a table of available agents.
c. (Optional) In the Search box, type the name of an agent, then click Enter.
The table of agents refreshes to display the agents that match your search cri-
teria.
- 496 -
d. Click the check box next to each agent you want to add to the group.
e. Click Add.
The manager adds the selected agent or agents to the group.

l
Remove agents from the agent group.
The agent group details page appears. By default, the Group Details tab is active.
b. (Optional) Filter the agent groups in the table.
c. (Optional) Search for an agent by name.
d. Select the agent or agents you want to remove:
l For an individual agent, click the button next to the agent.
l For multiple agents, select the check box next to each, then click the
Remove button in the upper-right corner of the page.
e. In the confirmation window, confirm the removal.

l
Modify the user permissions for the agent group.
b. Click the Permissions tab.
The Permissions tab appears.
c. Configure the user permissions for the group.
- 497 -
Delete an Agent Group
Use this procedure to delete an agent group in Tenable Nessus Manager.
To modify an agent group:
3. In the row for the agent group that you want to delete, click the button.
4. To confirm, click Delete.
The manager deletes the agent group.
- 498 -
Freeze Windows
Freeze windows allow you to schedule times when Tenable Nessus Manager suspends certain agent
activities for all linked agents. This activity includes:
l Receiving and applying software updates
l Receiving plugin updates
l Installing or executing agent scans
To manage freeze windows, use the following procedures:
l Create a Freeze Window
l Modify a Freeze Window
l Delete a Freeze Window
l Modify Global Freeze Window Settings
- 499 -
Create a Freeze Window
Freeze windows allow you to schedule times where certain agent activities are suspended for all
linked agents. This activity includes:
l Receiving and applying software updates
l Receiving plugin updates
l Installing or executing agent scans
To create a freeze window for linked agents:
2. In the left navigation bar, click Freeze Windows.
The Freeze Windows page appears.
3. In the upper-right corner, click the New Window button.
The New Freeze Window page appears.
4. Configure the options as necessary.
5. Click Save.
The freeze window goes into effect and appears on the Freeze Windows tab.
- 500 -
Modify a Freeze Window
Use this procedure to modify a freeze window in Tenable Nessus Manager.
To configure global freeze window settings, see Agent Settings.
To modify a freeze window:
3. In the freeze windows table, click the freeze window you want to modify.
The freeze window details page appears.
4. Modify the options as necessary.
5. Click Save to save your changes.
- 501-
Delete a Freeze Window
Use this procedure to delete a freeze window in Tenable Nessus Manager.
To delete a freeze window for linked agents:
3. In the freeze window table, in the row for the freeze window that you want to delete, click the
button.
A dialog box appears, confirming your selection to delete the freeze window.
4. Click Delete to confirm the deletion.
Tenable Nessus Manager deletes the freeze window.
- 502 -
Modify Global Freeze Window Settings
In Tenable Nessus Manager, you can configure a permanent freeze window and global settings for
how freeze windows work on linked agents.
To modify global freeze window settings:
3. Click the Settings tab.
4. Modify any of the following settings:
Freeze Windows
Enforce a per- When enabled, Tenable Nessus Manager creates a permanent freeze
manent freeze window that prevents agents from updating software. The permanent
window sched- freeze window takes effect immediately after you save the settings
ule (step 5), and it overrides any other existing freeze windows.
Note: Disabling this setting is the only way to end the permanent freeze win-
dow.
The following freeze window settings also apply during the permanent
freeze window.
Prevent soft- When enabled, agents do not receive software updates during sched-
ware updates uled freeze windows.
Prevent plugin When enabled, agents do not receive plugin updates during scheduled
updates freeze windows.
Prevent agent When enabled, the system does not run agent scans during scheduled
scans freeze windows.
- 503 -
5. Click Save.
Tenable Nessus Manager saves your changes.
- 504 -
Clustering
With Tenable Nessus Manager clustering, you can deploy and manage large numbers of agents from
a single Tenable Nessus Manager instance. For Tenable Security Center users with over 10,000
agents and up to 200,000 agents, you can manage your agent scans from a single Tenable Nessus
Manager, rather than needing to link multiple instances of Tenable Nessus Manager to Tenable
Security Center.
A Tenable Nessus Manager instance with clustering enabled acts as a parent node to child nodes,
each of which manage a smaller number of agents. Once a Tenable Nessus Manager instance
becomes a parent node, it no longer manages agents directly. Instead, it acts as a single point of
access where you can manage scan policies and schedules for all the agents across the child
nodes. With clustering, you can scale your deployment size more easily than if you had to manage
several different Tenable Nessus Manager instances separately.
Example scenario: Deploying 100,000 agents
You are a Tenable Security Center user who wants to deploy 100,000 agents, managed by Tenable
Nessus Manager.
Without clustering, you deploy 10 Tenable Nessus Manager instances, each supporting 10,000
agents. You must manually manage each Tenable Nessus Manager instance separately, such as set-
ting agent scan policies and schedules, and updating your software versions. You must separately
link each Tenable Nessus Manager instance to Tenable Security Center.
With clustering, you use one Tenable Nessus Manager instance to manage 100,000 agents. You
enable clustering on Tenable Nessus Manager, which turns it into a parent node, a management
point for child nodes. You link 10 child nodes, each of which manages around 10,000 agents. You
can either link new agents or migrate existing agents to the cluster. The child nodes receive agent
scan policy, schedule, and plugin and software updates from the parent node. You link only the Ten-
able Nessus Manager parent node to Tenable Security Center.
Note: All Tenable Nessus nodes in a cluster must be on the same version (for example, using the clustering
example above, the Tenable Nessus Manager parent node and 10 children nodes need be on the same Ten-
able Nessus version). Otherwise, the cluster deployment is unsupported.
Definitions
- 505 -
Parent node —The Tenable Nessus Manager instance with clustering enabled, which child nodes
link to.
Child node —A Tenable Nessus instance that acts as a node that Tenable Nessus Agents connect
to.
Tenable Nessus Manager cluster —A parent node, its child nodes, and associated agents.
For more information, see the following topics:

l Clustering System Requirements
l Enable Clustering
l Get Linking Key from Node
l Link a Node
l Migrate Agents to a Cluster
l Link Agents to a Cluster
l Enable or Disable a Node
l Rebalance Nodes
l View or Edit a Node
l Delete a Node
l Cluster Groups
Clustering System Requirements

The following are system requirements for the parent node and child nodes. These estimations
assume that the KB and audit trail settings are disabled. If those settings are enabled, the size
required can significantly increase. In these cases, Tenable recommends increasing the standard
system requirements by at least 50%.
Note: All Tenable Nessus nodes in a cluster must be on the same Tenable Nessus version. Otherwise, the
cluster deployment is unsupported.
- 506 -
Parent Node (Tenable Nessus Manager with Clustering Enabled)
Note: The amount of disk space needed depends on how many agent scan results you keep and for how
long. For example, if you run a single 5,000 agent scan result once per day and keep scan results for seven
days, the estimated disk space used is 35 GB. The disk space required per scan result varies based on the
consistency, number, and types of vulnerabilities detected.
l Disk: Estimated minimum of 5 GB per 5000 agents per scan per day
l CPU: 8 core minimum for all implementations, with an additional 8 cores for every three child
nodes
l RAM: 16 GB minimum for all implementations, with an additional 4 GB for every additional child
node
- 507 -
Child Node (Tenable Nessus Scanner Managed by Tenable Nessus
Manager Parent Node)
Note: Disk space is used to store agent scan results temporarily, both individual and combined, before
uploading the results to the parent node.
Child node with 0-10,000 agents:

l Disk: Estimated minimum of 5 GB per 5000 agents per concurrent scan.
l CPU: 4 cores
l RAM: 16 GB
Child node with 10,000-20,000 agents:
A child node can support a maximum of 20,000 agents.
l Disk: Estimated minimum of 5 GB per 5000 agents per concurrent scan.
l CPU: 8 cores
l RAM: 32 GB
- 508 -
Agents
Linked agents must be on a supported Tenable Nessus Agent version.
- 509 -
Enable Clustering
When you enable clustering on Tenable Nessus Manager it becomes a parent node. You can then
link child nodes, each of which manages Tenable Nessus Agents. Once you enable clustering on a
parent node, you cannot undo the action and turn Tenable Nessus Manager into a regular scanner or
Tenable Nessus Agent manager.
Note: To enable Tenable Nessus Manager clustering in Tenable Nessus 8.5.x or 8.6.x, you must contact
your Tenable representative. In Tenable Nessus Manager 8.7.x and later, you can enable clustering using
the following procedure.
Note: All Tenable Nessus nodes in a cluster must be on the same version. Otherwise, the cluster deploy-
ment is unsupported.
To enable clustering in Tenable Nessus Manager:
2. In the left navigation bar, click Agent Clustering.
The Cluster Setup page appears and displays the Settings tab.
3. Select Enable Cluster.
Caution: Once you enable clustering on a parent node, you cannot undo the action and turn Tenable
Nessus Manager into a regular scanner or Tenable Nessus Agent manager.
4. Click Save.
Your Tenable Nessus Manager becomes a parent node of a cluster.
What to do next:
l Link child nodes to the parent node.
l Manage cluster groups.
- 510 -
Migrate Agents to a Cluster
If you have a non-clustered instance of Tenable Nessus Manager with linked agents, you can
migrate the linked agents to an existing cluster. After the agents successfully migrate to the
cluster, the agents are then unlinked from their original Tenable Nessus Manager. Any agents that
did not successfully migrate remain linked to the original Tenable Nessus Manager. The original Ten-
able Nessus Manager remains as a Tenable Nessus Manager instance and does not become part of
the cluster.
Before you begin

l Ensure there is a functional cluster available for the agents to migrate to. The cluster should
meet the Nessus Clustering System Requirements. If you do not have a functional cluster,
enable clustering on the Tenable Nessus Manager instance you want to act as the parent node
for the cluster.
l Get the linking key from the Tenable Nessus Manager parent node for the cluster you want the
agents to migrate to.
To migrate agents to a cluster:
1. Access a non-clustered instance of Tenable Nessus Manager with linked agents.
The Cluster Setup page appears and displays the Settings tab.
4. Click the Cluster Migration tab.
5. Complete the Cluster Information:
l Parent Node Hostname —Type the hostname or IP address of the Tenable Nessus Man-
ager parent node of the cluster to which you are migrating.
l Parent Node Port —Type the port for the specified parent node host. The default is
8834.
- 511-
l Parent Node Linking Key —Paste or type the linking key that you copied from the Ten-
able Nessus Manager parent node, as described in Get Linking Key from Node.
l Enable Agent Migration —Select this check box to migrate agents to the cluster. Disable
the check box to stop migrating agents, if agents are currently in the process of migrat-
ing.
6. Click Save.
Tenable Nessus Manager begins or stops migrating agents to the cluster, depending on
whether you have selected Enable Agent Migration.
What to do next:
Log in to the Tenable Nessus Manager parent node to manage linked Tenable Nessus Agents.
- 512 -
Link Agents to a Cluster
Depending on your cluster group configuration, you can link an agent to a parent node or a child
node. Usually, Tenable recommends linking to a parent node. However, linking to a child node may
be helpful if you have geographically distributed cluster groups and want to ensure that an agent is
linked to a particular cluster group.
For general information about clusters, see Clustering.
Before you begin:

l Get Linking Key from Node. You need the node's linking key for the agent link command's --
key argument.
To link an agent to a parent node:
In this scenario, the agent links to the cluster's parent node, receives a list of child nodes, and
attempts to connect to a child node within the cluster.
1. Log in to the Tenable Nessus Agent from the command terminal.
2. At the agent command prompt, use the command nessuscli agent link with the sup-
ported arguments to link to the parent node.
For example:
Linux:

macOS:

- 513 -
Windows:

To view a list of the supported agent-linking arguments, see Nessus CLI Agent Commands
To link an agent to a child node:
In this scenario, the agent links to a child node in a specific cluster group and receives a list of all
the child nodes within that cluster group. The agent then attempts to connect to a child node within
the cluster group.
1. Log in to the Tenable Nessus Agent from the command terminal.
2. At the agent command prompt, use the command nessuscli agent link with the sup-
ported arguments to link to the child node.
For example:
Linux:

macOS:

Windows:

- 514 -
To view a list of the supported agent-linking arguments, see Nessus CLI Agent Commands
- 515 -
Manage Nodes
To manage cluster nodes, see the following:
l Get Linking Key from Node
l Link a Node
l Enable or Disable a Node
l Rebalance Nodes
l Delete a Node
To manage cluster groups, see Cluster Groups.
- 516 -
Get Linking Key from Node
You need the linking key from the cluster parent node to link child nodes or migrate agents to the
cluster. Similarly, you need the linking key from the cluster child node to link an agent to the child
node directly.
Before you begin:

l Enable Clustering on the node that you want to link to.
To get the linking key from the node:
The Cluster Groups page appears.
3. Copy or make note of the Linking Key.
What to do next:
l Link a child node to the cluster.
l Link new agents to the cluster.
l Migrate existing agents to the cluster.
- 517 -
Link a Node
To link a child node to a cluster, you install an instance of Tenable Nessus as a cluster child node,
then configure the node to link to the parent node of the cluster.
Before you begin:

l Get the linking key from the cluster parent node.
To install and configure Tenable Nessus as a child node:
1. Install Tenable Nessus as described in the appropriate Install Tenable Nessus procedure for
your operating system.
3. Click Continue.
4. From the Managed by drop-down box, select Nessus Manager (Cluster Node).
5. Click Continue.
sus:
7. Click Submit.
To link the child node to the parent node:
- 518 -
1. In the Tenable Nessus child node, use the administrator user account you created during ini-
tial configuration to sign in to Tenable Nessus.
The Agents page appears. By default, the Node Settings tab is open.
2. Enable the toggle to On.
3. Configure the General Settings:
l Node Name —Type a unique name that identifies this Tenable Nessus child node on the
parent node.
l (Optional) Node Host —Type the hostname or IP address that Tenable Nessus Agents
should use to access the child node. If you do not provide a host node, Tenable Nessus
Agent uses the system hostname. If Tenable Nessus Agent cannot detect the hostname,
the link fails.
l (Optional) Node Port —Type the port for the specified host.
4. Configure the Cluster Settings:
l Cluster Linking Key —Paste or type the linking key that you copied from the Tenable Nes-
sus Manager parent node.
l Parent Node Host —Type the hostname or IP address of the Tenable Nessus Manager
parent node to which you are linking.
l Parent Node Port —Type the port for the specified host. The default is 8834.
l (Optional) Use Proxy —Select the check box if you want to connect to the parent node
via the proxy settings set in Proxy Server.
5. Click Save.
6. To confirm linking the node to the parent node, click Continue.
The Tenable Nessus child node links to the parent node. Tenable Nessus logs you out of the
user interface and disables the user interface.
What to do next:
- 519 -
l Log in to the Tenable Nessus Manager parent node to manage linked Tenable Nessus Agents
and nodes.
l Link or migrate agents to the cluster.
l On the Tenable Nessus Manager parent node, manage cluster groups to organize your nodes
into groups that conform to your network topology. You must segment your network with
cluster groups when certain agents only have access to certain child nodes. By default, Nes-
sus assigns the node to the default cluster group.
- 520 -
View or Edit a Node
On Tenable Nessus Manager with clustering enabled, you can view the list of child nodes currently
linked to the parent node. Tenable Nessus assigns these child nodes to cluster groups. You can
view details for a specific node, such as its status, IP address, number of linked agents, software
information, and plugin set. If agents on the node are currently running a scan, a scan progress bar
appears.
You can edit a node's name or the maximum number of agents that can be linked to the child node.
To view or edit a child node:
3. In the cluster groups table, click the row of a cluster group that contains child nodes.
4. Click the row of the child node you want to view.
Tenable Nessus Manager shows the Node Details tab.
5. In the Node Details tab, view detailed information for the selected node.
6. To move the node to another cluster group, do the following:
a. Next to Cluster Group, click the button.
The Change Cluster Group dialog box appears.
b. In the drop-down menu, select a different cluster group.
c. Click Save.
The node moves to another cluster group.
7. To edit node settings, click the Settings tab.
8. Edit any of the following:
- 521-
l Node Name —Type a unique name to identify the node.
l Max Agents —Type the maximum number of agents that can be linked to the child node.
The default value is 10000 and the maximum value is 20000.
9. Click Save.
Tenable Nessus Manager updates the node settings.
- 522 -
Enable or Disable a Node
If you disable a child node, its linked Tenable Nessus Agents relink to another available child node in
the same cluster group. If you re-enable a child node, Tenable Nessus Agents may become unevenly
distributed, at which point you can choose to Rebalance Nodes.
To enable or disable child nodes:
4. In the row of a child node, do one of the following:
l To disable a node:
a. Hover over the button, which becomes .
b. Click the button.
Tenable Nessus Manager disables the child node.
l To enable a node:
a. Hover over the . button, which becomes .
b. Click the button.
Tenable Nessus Manager enables the child node.
- 523 -
Rebalance Nodes
Tenable Nessus Agents may become unevenly distributed across child nodes for various reasons: a
child node or multiple child nodes may be temporarily unavailable, disabled, deleted, or recently
added. Events such as these negatively impact the cluster's performance. When the imbalance
passes a certain threshold, Tenable Nessus Manager gives you the option to rebalance child nodes.
This threshold is passed when one or both of the following criteria are met:
l 10% of your agents are not ideally distributed, based on your nodes' ideal capacity.
l A single node has at least 5% more agents than the node's ideal capacity.
Example:
Your organization has four nodes and 100 linked agents. To evenly distribute linked agents
across four nodes, Tenable Nessus Manager should assign each node 25% of the total linked
agents which, in this case, would be 25 linked agents per node.
Tenable Nessus Manager gives you the option to rebalance child nodes if either:
l Tenable Nessus Manager can redistribute 10% or more of your linked agents (in this
example, 10 linked agents or more) for better results. For example, if two of your nodes
have 20 linked agents and two of your nodes have 30 linked agents, Tenable Nessus Man-
ager would allow you to rebalance the nodes to reach the ideal 25-25-25-25 distribution.
l One of your nodes reaches 30% of its capacity (in this example, ~33 linked agents)
When you rebalance child nodes, Tenable Nessus Agents get redistributed more evenly across child
nodes within a cluster group. Tenable Nessus Agents unlink from an overloaded child node and
relink to a child node with more availability.
To rebalance child nodes:

- 524 -
3. In the cluster groups table, click the row of a cluster group.
4. In the upper-right corner of the page, click Rebalance Nodes.
Tenable Nessus Manager rebalances the Tenable Nessus Agent distribution across child
nodes.
- 525 -
Delete a Node
When you delete a child node, linked Tenable Nessus Agents eventually relink to another available
child node in the same cluster group. The agents may take longer to relink if you delete a node com-
pared to if you disable the node instead.
If the node you want to delete is the last node in a cluster group with linked agents, you must first
move those agents to a different cluster group. If you only want to disable a child node temporarily,
see Enable or Disable a Node.
To delete a child node:
4. In the row of the child node you want to delete, click the button.
The Delete Agent Node dialog box appears.
Note: If you delete a node, you cannot undo this action.
5. To confirm you want to delete the child node, click Delete.
Tenable Nessus Manager deletes the child node.
- 526 -
Cluster Groups
Clusters are divided into cluster groups that allow you to deploy and link agents in a way that con-
forms to your network topology. For example, you could create cluster groups for different regions
of where your nodes and agents are physically located, which could minimize network traffic and
control where your agents' connections occur.
Cluster child nodes must belong to a cluster group, and can only belong to one cluster group at a
time. Agents in each cluster group only link to nodes in the same cluster group.
A cluster group is different from an agent group, which is a group of agents that you designate to
scan a target. You use cluster groups to manage the nodes that agents link to within a cluster.
To manage your cluster groups and their assigned nodes and agents, see the following:
l Create a Cluster Group
l Modify a Cluster Group
l Add a Node to a Cluster Group
l Add an Agent to a Cluster Group
l Move a Node to a Cluster Group
l Move an Agent to a Cluster Group
l Delete a Cluster Group
- 527 -
Create a Cluster Group
By default, Tenable Nessus assigns new nodes and agents to the default cluster group. You can cre-
ate cluster groups that conform to your network topology. For example, you could create cluster
groups for different regions of where your nodes and agents are physically located, which could min-
imize network traffic and control where your agents' connections occur.
A cluster group is different from an agent group, which is a group of agents that you designate to
scan a target. You can use cluster groups to manage the nodes that agents link to within a cluster.
Before you begin:

l Enable Clustering on the Tenable Nessus Manager parent node.
To create a cluster group:
1. Log in to the Tenable Nessus Manager parent node.
3. In the upper-right corner, click New Cluster Group.
The New Cluster Group window appears.
4. Type a Name for the cluster group.
5. Click Add.
Tenable Nessus Manager creates a new cluster group.
What to do next:
l Add a Node to a Cluster Group
- 528 -
Add a Node to a Cluster Group
By default, Tenable Nessus assigns new linked nodes to the default cluster group. You can also add
a node to a different cluster group manually; for example, you could add nodes that are in a similar
location to the same cluster group. A node can only belong to one cluster group at a time.
When you move a node that belonged to another cluster group, any agents that were linked to that
node remain in their original cluster group and relink to another node in the original cluster group.
Before you begin:

l Ensure you have added at least one child node to the cluster, as described in Link a Node.
l If you want to add a node to a cluster group other than the default cluster group, first Create a
Cluster Group.
To add a child node to a cluster group:
3. In the cluster groups table, click the row of the cluster group to which you want to add a node.
The cluster group details page appears and shows the Cluster Nodes tab by default.
4. In the upper-right corner, click Add Nodes.
The Add Nodes window appears and shows the available nodes.
5. (Optional) Search for a node by name to filter the results.
6. In the nodes table, select the check box next to each node you want to add.
- 529 -
Note: A node can only belong to one cluster group at a time. When you move a node that belonged
to another cluster group, any agents that were linked to that node remain in their original cluster
group and relink to another node in the original cluster group.
7. Click Add.
Tenable Nessus Manager moves the node to the cluster group.
What to do next:
- 530 -
Add an Agent to a Cluster Group
By default, Tenable Nessus assigns new agents to the default cluster group. You can also add
agents to a different cluster group manually; for example, you could add agents that are in a similar
location to the same cluster group. An agent can only belong to one cluster group at a time.
When you add an agent to a cluster group, the agent relinks to an available node in the cluster
group.
Before you begin:

l Ensure the cluster group you want to add an agent to has at least one node, as described in
Add a Node to a Cluster Group.
To add an agent to a cluster group:
3. In the cluster groups table, click the row of the cluster group to which you want to add an
agent.
4. Click the Agents tab.
The agents assigned to the cluster group appear in a table.
5. In the upper-right corner, click Add Agents.
The Add Agents window appears and shows available agents.
6. (Optional) Search for an agent by name to filter the results.
7. In the agents table, select the check box next to each agent you want to add.
Note: Agents can only belong to one cluster group at a time. If you move the agent to a different
group, it relinks to an available node in the new cluster group.
- 531-
8. Click Add.
Tenable Nessus Manager adds the agent to the cluster group.
- 532 -
Move an Agent to a Cluster Group
By default, Tenable Nessus assigns new agents to the default cluster group. You can manually add
agents to a different cluster group; for example, you could add agents that are in a similar location
to the same cluster group. An agent can only belong to one cluster group at a time.
When you move an agent to a cluster group, the agent relinks to an available node in the cluster
group. There may be a mismatch in the number of agents listed for the cluster group and actual
usage when an agent is moving or relinking.
Before you begin:

l Ensure the cluster group you want to add an agent to has at least one node, as described in
Add a Node to a Cluster Group.
To move an agent to a different cluster group:
4. In the cluster groups table, click the row of the cluster group that contains the agent you want
to move.
5. Click the Agents tab.
The agents assigned to the cluster group appear in a table.
6. In the agents table, select the check box for each agent that you want to move to a different
cluster group.
7. In the upper-right corner, click Move.
- 533 -
The Move Agent window appears.
8. In the drop-down box, select the cluster group to which you want to move the agent.
Note: Agents can only belong to one cluster group at a time. If you move the agent to a different
group, it relinks to an available node in the new cluster group.
9. Click Move.
Tenable Nessus Manager moves the agent to the cluster group.
- 534 -
Move a Node to a Cluster Group
By default, Tenable Nessus assigns new linked nodes to the default cluster group. You can manually
add a node to a different cluster group; for example, you could add nodes that are in a similar loc-
ation to the same cluster group. A node can only belong to one cluster group at a time.
When you move a node that belonged to another cluster group, any agents that were linked to that
node remain in their original cluster group and relink to another node in the original cluster group.
Before you begin:

l If you want to move a node to a cluster group other than the default cluster group, first Create
a Cluster Group.
To move a child node to a different cluster group:
3. In the cluster groups table, click the row of the cluster group that contains the agent you want
to move.
4. In the cluster nodes table, select the check box for each node that you want to move to a dif-
ferent cluster group.
Note: If there are agents assigned to the cluster group, you must leave at least one node in the
cluster group.
5. In the upper-right corner, click Move.
The Move Node window appears.
6. In the drop-down box, select the cluster group to which you want to move the node.
- 535 -
Note: A node can only belong to one cluster group at a time. When you move a node that belonged
to another cluster group, any agents that were linked to that node remain in their original cluster
group and relink to another node in the original cluster group.
7. Click Move.
Tenable Nessus Manager moves the node to the selected cluster group.
- 536 -
Modify a Cluster Group
You can edit a cluster group name or set a cluster group as the default cluster group. Tenable Nes-
sus assigns the new linked nodes to the default cluster group.
To modify a cluster group:
4. In the cluster groups table, in the row of the cluster group you want to modify, click the but-
ton.
The Edit Cluster Group window appears.
5. Edit any of the following settings:
l Name —Type a new name for the cluster group.
l Set as Default —Select this check box to set this cluster group as the default cluster
group that Tenable Nessus adds new linked nodes to.
6. Click Save.
Tenable Nessus Manager updates the cluster group settings.
- 537 -
Delete a Cluster Group
You can delete a cluster group that does not have any assigned nodes or agents. You cannot delete
the default cluster group. To change the default cluster group, see Modify a Cluster Group.
Before you begin:

l Move assigned agents to a different cluster group, as described in Move an Agent to a Cluster
Group.
l Move or delete the nodes in the cluster group.
To delete a cluster group:
4. In the cluster groups table, in the row of the cluster group you want to delete, click the but-
ton.
The Delete Cluster Group window appears.
5. To confirm that you want to delete the cluster group, click Delete.
Note: You cannot undo this action.
Tenable Nessus Manager deletes the cluster group.
- 538 -
Scanners
In Tenable Nessus Manager, you can view the instance's linking key and a list of linked remote scan-
ners. You can click on a linked scanner to view details about that scanner.
Scanners are identified by scanner type and indicate whether the scanner has Shared permissions.
You can link remote scanners to Nessus Manager with the Linking Key or valid account credentials.
Once linked, you can manage scanners locally and select them when configuring scans.
For more information, see:
l Link Nessus Scanner
l Unlink Nessus Scanner
l Enable or Disable a Scanner
l Remove a Scanner
l Download Managed Scanner Logs
- 539 -
Link Nessus Scanner
To link your Tenable Nessus scanner during initial installation, see Configure Nessus.
If you choose not to link the scanner during initial installation, you can link Tenable Nessus scanner
later. You can link a Tenable Nessus scanner to a manager such as Tenable Nessus Manager or Ten-
able Vulnerability Management.
Note: You cannot link to Tenable Security Center from the user interface after initial installation. If your
scanner is already linked to Tenable Security Center, you can unlink and then link the scanner to Tenable
Vulnerability Management or Tenable Nessus Manager, but you cannot relink to Tenable Security Center
from the interface.
To link a Tenable Nessus scanner to a manager:
1. In the user interface of the manager you want to link to, copy the Linking Key, found on the fol-
lowing page:
l Tenable Vulnerability Management: Settings > Sensors > Linked Scanners > Add Nes-
sus Scanner
l Tenable Nessus Manager: Sensors > Linked Scanners
2. In the Tenable Nessus scanner you want to link, in the top navigation bar, click Settings.
3. In the left navigation bar, click Remote Link.
The Remote Link page appears.
4. Fill out the linking settings for your manager as described in Remote Link.
5. Click Save.
Tenable Nessus links to the manager.
- 540 -
Unlink Nessus Scanner
You can unlink your Tenable Nessus scanner from a manager so that you can relink it to another
manager.
from the interface.
To unlink a Tenable Nessus scanner from a manager:
1. In the Tenable Nessus scanner you want to unlink, in the top navigation bar, click Settings.
2. In the left navigation bar, click Remote Link.
The Remote Link page appears.
3. Switch the toggle to Off.
4. Click Save.
Tenable Nessus unlinks from the manager.
What to do next
l If you unlinked Tenable Nessus from Tenable Security Center, delete the scanner from Ten-
able Security Center.
- 541-
Enable or Disable a Scanner
A standard user or administrator in Tenable Nessus Manager can perform this procedure.
To enable a linked scanner:
2. In the left navigation bar, click Linked Scanners.
3. In the scanners table, in the row for the scanner that you want to enable, hover over the
button, which becomes .
4. Click the button.
Tenable Nessus enables the scanner.
To disable a linked scanner:
3. In the scanners table, in the row for the scanner that you want to disable, hover over the
button, which becomes .
Tenable Nessus disables the scanner.
- 542 -
Remove a Scanner
An administrator can perform the following procedure in Tenable Nessus Manager.
l To remove a single scanner:
l In the scanners table, in the row for the scanner that you want to remove, click the
button.
l To remove multiple scanners:
a. In the scanners table, select the check box in the row for each scanner that you
want to remove.
b. In the upper-right corner, click the Remove button.
4. In the confirmation window, click Remove.
Tenable Nessus Manager removes the scanner or scanners.
- 543 -
Download Managed Scanner Logs
As an administrator in Tenable Nessus Manager, you can request and download a log file containing
logs and system configuration data from any of your managed scanners and Tenable Nessus
Agents. This information can help you troubleshoot system problems, and also provides an easy way
to gather data to submit to Tenable Support.
You can store a maximum of five log files from each managed scanner in Tenable Nessus Manager.
Once the limit is reached, you must remove an old log file to download a new one.
Note: You can only request logs from Nessus scanners running 8.1and later.
To download logs from a managed scanner:
The Scanners page appears and displays the linked scanners table.
3. In the linked scanners table, click the scanner for which you want to download logs.
The detail page for that scanner appears.
4. Click the Logs tab.
5. In the upper-right corner, click Request Logs.
Note: If you have reached the maximum of five log files, the Request Logs button is disabled.
Remove an existing log before downloading a new one.
Tenable Nessus Manager requests the logs from the managed scanner the next time it checks
in, which may take several minutes. You can view the status of the request in the user inter-
face until the download is complete.
6. To download the log file, click the file name.
Your system downloads the log file.
To remove an existing log:
- 544 -
l In the row of the log you want to remove, click the button.
To cancel a pending or failed log download:
l In the row of the pending or failed log download that you want to cancel, click the button.
- 545 -
Settings
The Settings page contains the following sections:
l About
l Advanced
l Proxy Server
l Remote Link
l SMTP Server
l Custom CA
l My Account
l Users
- 546 -
About
The About page shows an overview of Tenable Nessus licensing and plugin information. When you
access the product settings, the About page appears. By default, Tenable Nessus shows the Over-
view tab, which contains information about your Tenable Nessus instance, as described in the Over-
view table.
On the Software Update tab, you can set your automatic software update preferences or manually
update Tenable Nessus software.
On the Encryption Password tab, you can set an encryption password.
Basic users cannot view the Software Update or Encryption Password tabs. Standard users can only
view the product version and basic information about the current plugin set.
To download logs, click the Download Logs button in the upper-right corner of the page. For more
information, see Download Logs.
Overview
Value Description
Nessus Professional and Nessus Expert
Version The version of your Nessus instance.
Last Updated The date on which the plugin set was last refreshed.
Expiration The date on which your license age outs.
Note: For Tenable Nessus Professional 8.5 and later, you cannot run scans or
download new plugins after your license age outs. You can still access your system
and scan reports for 30 days after expiration.
Plugin Set The ID of the current plugin set.
Policy Tem- The ID of the current version of the policy template set.
plate Version
Activation The activation code for your instance of Nessus.

Code
- 547 -
Value Description
Nessus Manager
Version The version of your Nessus instance.
Licensed The number of hosts you can scan, depending on your license.
Hosts
Licensed The number of scanners that you have licensed that are currently in use.
Scanners
Licensed The number of agents that you have licensed that are currently in use.
Agents
Last Updated The date on which the plugin set was last refreshed.
Expiration The date on which your license age outs.
Plugin Set The ID of the current plugin set.
Policy Tem- The ID of the current version of the policy template set.
plate Version
Activation The activation code for your instance of Nessus.

Code
- 548 -
Download Logs
As an administrator, you can download a log file containing local logs and system configuration data
for Tenable Nessus instance you are currently logged into. This information can help you
troubleshoot system problems, and also provides an easy way to gather data to submit to Tenable
Support.
You can choose to download two types of log files: Basic or Extended. The Basic option contains
recent Tenable Nessus log data and system information, including operating system version, CPU
statistics, available memory and disk space, and other data that can help you troubleshoot. The
Extended option also includes recent Tenable Nessus web server log records, system log data, and
network configuration information.
For information on managing individual Tenable Nessus log files, see Manage Logs.
To download logs:
2. In the upper-right corner, click Download Logs.
The Download Logs window appears.
3. Select the Debug Log Type:
l Basic: Standard Tenable Nessus log data and system configuration information.
l Extended: All information in the Basic option, Tenable Nessus web server log data, and
more system logs.
4. (Optional) Select Sanitize IPs to hide the first two octets of IPv4 addresses in the logs.
5. Click Download.
Tip: To cancel the download, click Cancel.
Tenable Nessus generates the file nessus-bug-report-XXXXX.tar.gz, which downloads

and appears in your browser window.
- 549 -
Set an Encryption Password
If you set an encryption password, Nessus encrypts all policies, scans results, and scan con-
figurations. You must enter the password when Tenable Nessus restarts.
Caution: If you lose your encryption password, it cannot be recovered by an administrator or Tenable Sup-
port.
To set an encryption password in the Tenable Nessus user interface:
2. Click the Encryption Password tab.
3. In the New Password box, type your encryption password.
Tenable Nessus saves the encryption password.
To set an encryption password in the command-line interface:
1. Access Tenable Nessus from the CLI.
2. Type the following command specific to your operating system:
l Linux:
/opt/nessus/sbin/nessusd --set-encryption-passwd
l Windows:
C:\Program Files\Tenable\Nessus\nessusd --set-encryption-passwd
l macOS:
/Library/Nessus/run/sbin/nessusd --set-encryption-passwd
3. When prompted, type a new password.
- 550 -
Note: The password does not appear when you are typing.
/opt/nessus/sbin/nessusd --set-encryption-passwd
New password :
Again :
New password is set
If your password is valid, a success message appears.
Advanced Settings
The Advanced Settings page allows you to configure Tenable Nessus manually. You can configure
advanced settings from the Tenable Nessus user interface, or from the command-line interface.
Tenable Nessus validates your input values to ensure only valid configurations.
Tenable Nessus groups the advanced settings into the following categories:
l User Interface
l Scanning
l Logging
l Performance
l Security
l Agents and Scanners
l Cluster
l Miscellaneous
l Custom
Details
l Advanced settings apply globally across your Tenable Nessus instance.
l To configure advanced settings, you must use a Tenable Nessus administrator user account.
- 551-
l Tenable Nessus does not automatically update all advanced settings.
l Changes may take several minutes to take effect.
l Tenable Nessus indicates the settings that require restarting for the change to apply with the
icon.
l Custom policy settings supersede the global advanced settings.
- 552 -
User Interface
Setting Identifier Description Default Valid Values
Allow Post- allow_post_ Allows a user to yes yes or no

Scan Editing scan_editing make edits to scan
results after the scan
is complete.
Disable API disable_api Disables the API, no yes or no

including inbound
HTTP connections.
Users cannot access
Tenable Nessus via
the user interface or
the API.
Disable Fron- disable_frontend Disables the Tenable no yes or no

tend Nessus user inter-
face. Users can still
use the API.
Disable Tenable disable_rss In Tenable Nessus no yes or no

News Essentials or Tenable
Nessus Professional
trial, the left nav-
igation bar shows a
Tenable news wid-
get. Use this setting
to disable the wid-
get.
Disable UI disable_ui Disables the user no yes or no

interface on man-
aged scanners.
Login Banner login_banner A text banner that None String
- 553 -
appears after you

attempt to log in to
Tenable Nessus.
Note: The banner

only appears the
first time you log in
on a new browser
or computer.
Maximum Con- global.max_ Maximum web users 1024 Integers.

current Web web_users who can connect sim-
If set to 0,
Users ultaneously.
there is no
limit.
Nessus Web listen_address IPv4 address to 0.0.0.0 String in the

Server IP listen for incoming format of an
connections. If set to IP address
127.0.0.1, this
restricts access to
local connections
only.
Nessus Web xmlrpc_listen_ The port that the Ten- 8834 Integers
Server Port port able Nessus web
server listens on.
Use Mixed Vul- scan_vul- When enabled, Ten- yes Yes or No

nerability nerability_ able Nessus shows
Groups groups_mixed the severity level as
Mixed for vul-
nerability groups,
unless all the vul-
nerabilities in a
group have the same
- 554 -
severity. When dis-

abled, Tenable Nes-
sus shows the
highest severity indic-
ator of a vulnerability
in a group
Use Vul- scan_vul- When enabled, Ten- yes yes or no

nerability nerability_ able Nessus groups
Groups groups vulnerabilities in
scan results by com-
mon attributes, giv-
ing you a shorter list
of results.
- 555 -
Scanning
Valid
Setting Identifier Description Default
Values
Audit audit_ Controls verbosity of the plugin audit trail. full full,
Trail Verb- trail Full audit trails include the reason why Ten- par-
osity able Nessus did not include certain plugins tial,
in the scan. none
Auto auto_ Automatically activates the plugins that are yes yes or
Enable enable_ depended on by other plugins. The setting no
Plugin depend- does not enable plugins that are depended
Depend- encies on by scan template settings.
encies
If disabled, not all plugins may run despite
being selected in a scan policy.
CGI Paths cgi_path A colon-delimited list of CGI paths to use for / cgi- String
for Web web server scans. bin:/ scr-
Scans ipts
Engine engine.idl- Number of seconds a scan engine remains 60 Integer-

Thread e_wait idle before shutting itself down. s 0-
Idle Time 600
Max Plu- plugin_ The maximum size, in KB, of plugin output 1000 Integer-
gin Out- output_ that Tenable Nessus includes in the expor- s.
put Size max_ ted scan results with the .nessus format. If
If set
size_kb the output exceeds the maximum size, Ten-
to 0,
able Nessus truncates the output in the
there
report.
is no
limit.
Maximum report.m- The maximum number of allowable ports. If 1024 Integer-

Ports in ax_ports there are more ports in the scan results than s
Scan this value, Tenable Nessus discards the port
- 556 -
Valid
Values
Reports scan results. This limit helps guard against

fake targets that may have thousands of
reported ports, but can also result in the
deletion of valid results from the scan res-
ults database, so you may want to increase
the default if this is a problem.
Maximum attache- Specifies the maximum size, in MB, of any 25 Integer-

Size for d_report_ report attachment. If the report exceeds the s 0-50
E-mailed max- maximum size, then it is not attached to the
Reports imum_ email. Tenable Nessus does not support
size report attachments larger than 50 MB.
Nessus rules Location of the Tenable Nessus rules file Nessus String
Rules File (nessusd.rules). config
Location dir-
The following are the defaults for each oper-
ectory
ating system:
for your
Linux: oper-
/op- ating
t/nessus/etc/nessus/nessusd.rules system
macOS:
/Library/Nes-
sus/run-
/var/nessus/conf/nessusd.rules
Windows:
C:\Pro-
gramData\Ten-
able\Nes-
sus\nessus\conf\nessusd.rules
- 557 -
Valid
Values
Non-Sim- non_sim- Specifies ports against which two plugins 139, String
ultaneous ult_ports you cannot run simultaneously. 445,
Ports 3389
Paused paused_ The duration, in minutes, that a scan can 0 Integer-

Scan scan_ remain in the paused state before Tenable s 0-
Timeout timeout Nessus terminates it. 10080
PCAP pcap.sna- The snapshot size used for packet capture; 0 Integer-
Snapshot plen the maximum size of a captured network s 0-
Length packet. Typically, Tenable Nessus sets this 262144
value automatically based on the scanner's
NIC. However, depending on your network
configuration, Tenable Nessus may truncate
the packages, resulting in the following mes-
sage in your scan report: "The current snap-
shot length of # # # for interface X is too
small." You can increase the length to avoid
packet truncation.
Port port_ The default range of ports that the scanner defaul- defau-
Range range plugins probe. t lt,
all, a
range
of
ports,
a
comm-
a-sep-
arated
list of
ports
and/ or
port
- 558 -
Valid
Values
ranges.
Spe-
cify
UDP
and
TCP
ports
by pre-
fixing
each
range
by T:
or U:.
Reverse reverse_ When enabled, Tenable Nessus identifies tar- no yes or

DNS Look- lookup gets by their fully qualified domain name no
ups (FQDN) in the scan report. When disabled,
the report identifies the target by hostname
or IP address.
Safe safe_ When enabled, Tenable Nessus uses safe yes yes or
Checks checks checks, which use banner grabbing rather no
than active testing for a vulnerability.
Silent Plu- silent_ When enabled, Tenable Nessus does not yes yes or
gin depend- include the list of plugin dependencies and no
Depend- encies their output in the report. You can select a
encies plugin as part of a policy that depends on
other plugins to run. By default, Tenable Nes-
sus runs those plugin dependencies, but
does not include their output in the report.
When disabled, Tenable Nessus includes
both the selected plugin and any plugin
- 559 -
Valid
Values
dependencies in the report.
Slice Net- slice_net- If you set this option, Tenable Nessus does no yes or
work work_ not scan a network incrementally (10.0.0.1, no
Addresse- addresse- then 10.0.0.2, then 10.0.0.3, and so on) but
s s attempts to slice the workload throughout
the whole network (for example, it scans
10.0.0.1, then 10.0.0.127, then 10.0.0.2, then
10.0.0.128, and so on).
System severity_ In Tenable Nessus scanners and Tenable Nes- On a cvss_

Default basis sus Professional, you can choose whether new v2 or
Severity Tenable Nessus calculates the severity of vul- install- cvss_
Basis nerabilities using CVSSv2 or CVSSv3 scores ation of v3
(when available) by configuring your default Tenable
severity base setting. Nessus
: cvss_
When you change the default severity base,
v3
the change applies to all existing scans that
are configured with the default severity On
base. Future scans also use the default preex-
severity base. isting
upgrade-
For more information about CVSS scores
d
and severity ranges, see CVSS Scores vs.
instanc-
VPR.
e:
Note: This setting is not available for Tenable cvss_
Nessus Manager. v2
- 560 -
Logging
Defaul- Valid Val-

Setting Identifier Description
t ues
Log log_details When enabled, scan logs include the user- no yes or no
Addi- name, scan name, and current plugin name in
tional addition to the base information. You may
Scan not see these additional details unless you
Details also enable log_whole_attack.
Log log_ Logs verbose details of the scan. Helpful for no yes or no
Verbose whole_ debugging issues with the scan, but this may
Scan attack be disk intensive. To add more details,
Details enable log_details.
Nessus dumpfile Location of nessusd.dump, a log file for Nes- String

Dump debugging output if generated. sus
File log dir-
Loca- ectory
ating system:
tion for
Linux: your
/op- oper-
t/nes- ating
sus/var/nessus/logs/nessusd.dump sys-
tem
macOS:
/Library/Nes-
sus/run/var/nessus/logs/nessusd.dump
Windows:
C:\Pro-
gramData\Ten-
able\Nessus\nessus\logs\nessusd.dump
Nessus nasl_log_ The type of NASL engine output in nes- nor- normal,
- 561-
Defaul- Valid Val-
t ues
Dump type susd.dump. mal none,

File Log trace, or
Level full.
Nessus dumpfile_ The maximum number of the nessusd.dump 100 Integers

Dump max_files files kept on disk. If the number exceeds the 1-1000
File Max specified value, Tenable Nessus deletes the
Files oldest dump file.
Nessus dumpfile_ The maximum size of the nessusd.dump 512 Integers

Dump max_size files in MB. If file size exceeds the maximum 1-2048
File Max size, Tenable Nessus creates a new dump
Size file.
Nessus backend_ The logging level of the backend.log log nor- l nor-
Log log_level file, as indicated by a set of log tags that mal mal
Level determine what information to include in the —
log. set-
s
If you manually edited log.json to set a cus-
log
tom set of log tags for backend.log, this
tag-
setting overwrites that content.
s to
For more information, see log.json Format.
lo-
g,
inf-
o,
war-
n,
err-
or,
tra-
ce
- 562 -
Defaul- Valid Val-
t ues
l deb-
ug
—
set-
s
log
tag-
s to
lo-
g,
inf-
o,
war-
n,
err-
or,
tra-
ce,
deb-
ug
l ver-
bos-
e—
set-
s
log
tag-
s to
lo-
g,
inf-
- 563 -
Defaul- Valid Val-
t ues
o,
war-
n,
err-
or,
tra-
ce,
deb-
ug,
ver-
bos-
e
Nessus logfile Location where Tenable Nessus stores its Nes- String
Scanner scanner log file. sus
Log log dir-
Loca- ectory
ating system:
tion for
Linux: your
/op- oper-
t/nes- ating
sus/var/nessus/logs/nessusd.messages sys-
tem
macOS:
/Library/Nes-
sus/run-
/var/nessus/logs/nessusd.messages
Windows:
C:\Pro-
gramData\Ten-
able\Nes-
sus\nessus\logs\nessusd.messages
- 564 -
Defaul- Valid Val-
t ues
Log File logfile_rot Determines whether Tenable Nessus rotates size size —
Rota- messages log files based on maximum rota- Tenable
tion tion size or rotation time. Nessus
rotates
log files
based on
size, as
specified
in log-
file_
max_
size.
time —
Tenable
Nessus
rotates
log files
based on
time, as
specified
in log-
file_
rota-
tion_
time.
Scanner scan- Enables scanner performance metrics data 0 0 (off),

Metric ner- gathering. 0x3f (full
Logging .metrics data
except
plugin
metrics),
- 565 -
Defaul- Valid Val-
t ues
0x7f (full
data
including
plugin
metrics)
Note:
Includ-
ing plu-
gin
met-
rics
greatl-
y
increa-
ses
the
size of
the
log
file.
Ten-
able
Nes-
sus
does
not
auto-
mat-
ically
clean
up log
files.
Use Mil- logfile_ When enabled, nessusd.messages and nes- no yes or no

lisecon- msec susd.dump log timestamps are in mil-
ds in liseconds. When disabled, log timestamps
Logs are in seconds.
- 566 -
Performance
Valid Val-
ues
Database Syn- db_syn- Control how data- NORMAL NORMAL or

chronous Setting chronous_set- base updates are FULL
ting synchronized to
disk.
NORMAL is faster,
with some risk of
data loss during
unexpected sys-
tem shutdowns
(for example, dur-
ing a power outage
or crash).
FULL is safer, with

some performance
cost.
Engine Logging glob- When enabled, no yes or no

al.log.engine_ logs additional
details information about
which scan engine
you assigned each
target to during
scanning.
Engine Thread Pool thread_pool_size The size of the 200 Integers 0-

Size pool of threads 500
available for use
by the scan
engine. You can
- 567 -
Valid Val-
ues
defer asyn-
chronous tasks to
these threads, and
this value controls
the maximum num-
ber of threads.
Global Max Hosts Con- global.max_ Maximum number Varies Integers

currently Scanned hosts of hosts that Ten- depending
able Nessus can on hard-
scan sim- ware
ultaneously across
all scans.
Global Max Port Scan- global.max_ports- Maximum number 100 Integers 0-

ners canners of port scanners. 1024
Global Max global.max_sim- Maximum number 50 for Integers

TCP Sessions ult_tcp_sessions of simultaneous desktop
TCP sessions operating
across all scans. systems
(for
example,
Windows
10).
50000 for
other oper-
ating
systems
(for
example,
Windows
Server
- 568 -
Valid Val-
ues
2016).
Max Concurrent max_checks Maximum number 5 Integers

Checks Per Host of simultaneous
plugins that can
run concurrently
on each host.
Max Concurrent max_hosts Maximum number Varies, up Integers.

Hosts Per Scan of hosts checked to 100.
If set to 0,
at one time during
defaults to
a scan.
100.
Max Concurrent global.max_ Maximum number 0 Integers 0-

Scans scans of simultaneous 1000
scans that the
If set to 0,
scanner can run.
there is no
limit.
Max Engine Checks engine.max_ Maximum number 64 Integers

checks of simultaneous
plugins that can
run concurrently
on a single scan
engine.
Max Engine Threads engine.max Maximum number 8 times Integers

of scan engines the num-
that run in parallel. ber of CPU
Each scan engine cores on
scans multiple tar- the
gets concurrently machine
from one or more
scans (see
- 569 -
Valid Val-
ues
engine.max_
hosts).
Max Hosts Per Engine engine.max_ Maximum number 16 Integers

Thread hosts of targets that run
concurrently on a
single scan engine.
Max max_http_con- The number of sim- 600 Integers

HTTP Connections nections ultaneous con-
nection attempts
before the web
server responds
with HTTP code
503 (Service
Unavailable, Too
Many Con-
nections).
Max max_http_con- The number of sim- 3000 Integers

HTTP Connections Ha- nections_hard ultaneous con-
rd nection attempts
before the web
server does not
allow further con-
nections.
Max TCP Sessions host.max_sim- Maximum number 0 Integers.

Per Host ult_tcp_sessions of simultaneous
If set to 0,
TCP sessions for a
there is no
single host.
limit.
This TCP throttling
option also con-
- 570 -
Valid Val-
ues
trols the number

of packets per
second the SYN
scanner sends,
which is 10 times
the number of TCP
sessions. For
example, if you set
this option to 15,
the SYN scanner
sends 150 packets
per second at
most.
Max TCP Sessions max_simult_tcp_ Maximum number 0 Integers 0-

Per Scan sessions of simultaneous 2000.
TCP sessions for
If set to 0,
the entire scan,
there is no
regardless of the
limit.
number of hosts
the scanner is
scanning.
Minimum Engine engine.min The number of 2 times Integers

Threads scan engines that the num-
start initially as ber of
Tenable Nessus CPU cores
scans the targets. on the
After the engine machine
reaches engine.-
optimal_hosts
number of targets,
Tenable Nessus
- 571-
Valid Val-
ues
adds more scan

engines up to
engine.max.
Optional Hosts Per engine.optimal_ The minimum num- 2 Integers

Engine Thread hosts ber of targets that
are running on
each scan engine
before Tenable
Nessus adds more
engines (up to
engine.max).
Optimize Tests optimize_test Optimizes the test yes yes or no

procedure. If you
disable this set-
ting, scans may
take longer and
typically generate
more false pos-
itives.
Plugin Check Optim- optimization_ Determines the None open_

ization Level level type of check that ports or
Tenable Nessus required_
performs before a keys
plugin runs.
If you set this set-

ting to open_
ports, then Ten-
able Nessus
checks that
required ports are
- 572 -
Valid Val-
ues
open; if they are

not, the plugin
does not run.
If you set this set-

ting to required_
keys, then Ten-
able Nessus per-
forms the open
port check, and
also checks that
required keys (KB
entries) exist,
ignoring the
excluded key
check.
Plugin Timeout plugins_timeout Maximum lifetime 320 Integers 0-

of a plugin’s activ- 1000
ity in seconds.
QDB Memory Usage qdb_mem_usage Directs Tenable low low or

Nessus to use high
more or less
memory when idle.
If Tenable Nessus
is running on a ded-
icated server, set-
ting this to high
uses more memory
to increase per-
formance. If Ten-
able Nessus is
- 573 -
Valid Val-
ues
running on a
shared machine,
setting this to low
uses considerably
less memory, but
has a moderate
performance
impact.
Reduce TCP Sessions reduce_con- Reduces the num- no yes or no

on Network Conges- nections_on_con- ber of TCP ses-
tion gestion sions in parallel
when the network
appears to be con-
gested.
Remediations Limit remediations_ Limits the number 500 Integers

limit of remediations >0
that Tenable Nes-
sus generates and
shows in a scan
result.
Scan Check Read checks_read_ Read timeout for 5 Integers 0-

Timeout timeout the sockets of the 1000
tests.
Stop Scan on Host stop_scan_on_ When enabled, no yes or no

Disconnect disconnect Tenable Nessus
stops scanning a
host that dis-
connects during
the scan.
- 574 -
Valid Val-
ues
XML Enable Plugin xml_enable_plu- When enabled, no yes or no

Attributes gin_attributes Tenable Nessus
includes plugin
attributes in expor-
ted scans to Ten-
able Security
Center.
Webserver Thread www_thread_ The thread pool 100 Integers 0-

Pool Size pool_size size for the web- 500
server/ backend.
- 575 -
Security
Always Val- strict_cer- Always validate no yes or no

idate SSL tificate_val- SSL server cer-
Server Cer- idation tificates, even
tificates during initial
remote link
(requires man-
ager to use a
trusted root
CA).
Cipher Files on cipher_ Encipher files yes yes or no

Disk files_on_ that Tenable
disk Nessus writes.
Force Public force_pub- Force logins for no yes or no

Key Authentic- key_auth Tenable Nessus
ation to use public
key authen-
tication.
Max Con- max_ses- Maximum con- 0 Integers 0-2000.

current Ses- sions_per_ current ses-
If set to 0, there is no
sions Per User user sions per user
limit.
SSL Cipher ssl_cipher_ Cipher list to compatible l legacy - A list of

List list use for Tenable ciphers that can
Nessus integrate with
backend con- older and
nections. You insecure browser-
can use a pre- s and APIs.
configured list l compatible - A
of cipher
- 576 -
strings, or list of secure

enter a custom ciphers that is
cipher list or compatible with
cipher strings. all browsers,
including Internet
Explorer 11. May
not include all
the latest
ciphers.
l modern - A list
of the latest and
most secure
ciphers. May not
be compatible
with older
browsers, such
as Internet
Explorer 11.
l custom - A cus-
tom OpenSSL
cipher list. For
more information
on valid cipher
list formats, see
the OpenSSL doc-
umentation.
l niap - A list of
ciphers that con-
forms to NIAP
standards.
- 577 -
ECDHE-RSA-
AES128-
SHA256:ECDH-
E-RSA-
AES128-GCM-
SHA256:ECDH-
E-RSA-
AES256-
SHA384:ECDH-
E-RSA-
AES256-GCM-
SHA384
SSL Mode ssl_mode Minimum sup- tls_1_2 l compat -

ported version TLS v1.0+
of TLS. l ssl_3_0 -
SSL v3+
l tls_1_1 - TLS
v1.1+
l tls_1_2 - TLS
v1.2+
l niap - TLS v1.2
- 578 -
Agents & Scanners
Note: The following settings are only available in Tenable Nessus Manager.
Name Setting Description Default Valid Values
Agent Auto agent_auto_delete Controls whether no yes or no

Delete agents are auto-
matically deleted
after they have
been inactive for
the duration of
time set for
agent_auto_
delete_
threshold.
Agent Auto agent_auto_delete_ The number of 30 Integers 1-

Delete threshold days after which 365
Threshold inactive agents
are automatically
deleted if
agent_auto_
delete is set to
yes.
Agent Auto agent_auto_unlink Controls whether no yes or no

Unlink agents are auto-
matically
unlinked after
they have been
inactive for the
duration of time
set for agent_
auto_unlink_
- 579 -
threshold.
Agent Auto agent_auto_unlink_ The number of 30 Integers

Unlink threshold days after which 30-90
Threshold inactive agents
are automatically
unlinked if
agent_auto_
unlink is set to
yes.
Note: This
value must be
less than the
agent_auto_
delete_
threshold.
Agents Pro- agents_progress_view- When a scan 100 Integers.

gress able gathers inform-
If set to 0,
ation from
this
agents, Tenable
defaults to
Nessus Manager
100.
does not show
detailed agents
information if
the number of
agents exceeds
this setting.
Instead, a mes-
sage indicates
that results are
being gathered
and will be view-
able when the
- 580 -
scan is com-
plete.
Automatically agent_updates_from_ When enabled, yes yes or no

Download feed new Tenable Nes-
Agent Updates sus Agent soft-
ware updates are
automatically
downloaded.
Concurrent cloud.manage.download_ The maximum 10 Integers

Agent Soft- max concurrent agent
ware Updates update down-
loads.
Include Audit agent_merge_audit_trail Controls whether false true or

Trail Data or not agent false
scan result audit
trail data is
included in the
main agent data-
base. Excluding
audit trail data
can significantly
improve agent
result processing
performance.
If this setting is
set to false, the
Audit Trail Verb-
osity setting in
an individual
scan or policy
defaults to No
- 581-
audit trail.
Include KB agent_merge_kb Includes the false true or

Data agent scan result false
KB data in the
main agent data-
base. Excluding
KB data can sig-
nificantly
improve agent
result processing
performance.
If this setting is
set to false, the
Include the KB
setting in an indi-
vidual scan or
policy defaults to
Exclude KB.
Result Pro- agent_merge_journal_ Sets the journ- DELETE MEMORY

cessing mode aling mode to
TRUNCATE
Journal Mode use when pro-
cessing agent DELETE
results. Depend-
ing on the envir-
onment, this can
somewhat
improve pro-
cessing per-
formance, but
also introduces a
small risk of a
- 582 -
corrupted scan
result in the
event of a crash.
For more details,
refer to the sql-
ite3 doc-
umentation.
Result Pro- agent_merge_syn- Sets the filesys- FULL OFF

cessing Sync chronous_setting tem sync mode
NORMAL
Mode to use when pro-
cessing agent FULL
results. Turning
this off will sig-
nificantly
improve pro-
cessing per-
formance, but
also introduces a
small risk of a
corrupted scan
result in the
event of a crash.
For more details,
refer to the sql-
ite3 doc-
umentation.
Track Unique track_unique_agents When enabled, no yes or no

Agents Tenable Nessus
Manager checks
if MAC addresses
of agents trying
to link match
- 583 -
MAC addresses
of currently
linked agents
with the same
hostname, plat-
form, and distro.
Tenable Nessus
Manager deletes
duplicates that it
finds.
- 584 -
Cluster
Note: The following settings are only available in Tenable Nessus Manager with clustering enabled.
Agent Black- agent_black- The number of days that 7 Integers > 0

list Duration list_dur- an agent remains blocked
Days ation_days from relinking to a cluster
node.
For example, Tenable Nes-

sus blocks an agent if it
tries to link with a UUID
that matches an existing
agent in a cluster.
Note: Tenable Nessus

blocks an agent after Ten-
able Nessus deletes or
removes the agent due to
inactivity. However, Ten-
able Nessus places the
agent back in good stand-
ing if an administrator
manually unlinks and
relinks the agent.
Agent Clus- agent_ Tenable Nessus aborts 3600 Integers > 299
tering Scan cluster_ scans after running this
Cutoff scan_cutoff many seconds without a
child node update.
Agent Node agent_node_ The global default max- 10000 Integers 0-

Global Max- global_max_ imum number of agents 20000
imum Default default allowed per cluster node.
If you set an individual
- 585 -
maximum for a child node,

that setting overrides this
setting.
- 586 -
Miscellaneous
Valid Val-
ues
Automatic auto_ Number of hours that Tenable Nessus 24 Integers

Update update_ waits between automatic updates. >0
Delay delay
Automatic auto_ Automatically updates plugins. If you yes yes or no

Updates update enable this setting and register Tenable
Nessus, Tenable Nessus automatically
gets the newest plugins from Tenable
when they are available. If your scanner
is on an isolated network that is not able
to reach the internet, disable this set-
ting.
Note: This setting does not work for Ten-

able Nessus scanners that you con-
nected to Tenable Vulnerability
Management. Scanners linked to Tenable
Vulnerability Management automatically
receive updates from cloud.tenable.com.
For more information, see the knowledge
base article.
Auto- auto_ Automatically download and apply Ten- yes yes or no

matically update_ui able Nessus updates.
Update
Nessus Note: This setting does not work for Ten-
able Nessus scanners that you con-
nected to Tenable Vulnerability
Management. Scanners linked to Tenable
Vulnerability Management automatically
receive updates from cloud.tenable.com.
For more information, see the knowledge
base article.
- 587 -
Valid Val-
ues
Child child_ Allows Tenable Nessus child nodes to none Any valid
Node Port node_ communicate to the parent node on a dif- port value
listen_ ferent port.
port
Initial ms_ (Tenable Nessus Manager only) Sleep 30 Integers

Sleep agent_ time between managed scanner and 5-3300
Time sleep agent requests. You can override this
setting in Tenable Nessus Manager or
Tenable Vulnerability Management.
Java Heap java_ Determines Java heap size (the system auto auto or
Size heap_size memory used to store objects instan- Integers >
tiated by applications running on the 0
Java virtual machine) Tenable Nessus
uses when exporting PDF reports.
Max max_http_ Determines the maximum number of con- 4 Integers >

HTTP Clie- client_ current outbound HTTP connections on 0
nt requests managed scanners and agents.
Requests
Nessus dbg_port The port on which nessusd listens for None String in
Debug ndbg client connections. If left empty, one of the
Port Tenable Nessus does not establish a following
debug port. formats:
port or loc-
alhost
:port or
ip:port
Nessus config_ Location of the configuration file that Tenable String

Prefer- file contains the engine preference settings. Nessus
ences data-
The following are the defaults for each
Database
- 588 -
Valid Val-
ues
operating system: base

dir-
Linux:
ectory
/op- for your
t/nessus/etc/nessus/nessusd.db oper-
macOS: ating
system
/Library/Nes-
sus/run-
/etc/nessus/conf/nessusd.db
Windows:
C:\Pro-
gramData\Ten-
able\Nessus\conf\nessusd.db
Non-User report_ The age threshold (in days) for removing 30 Integers >
Scan Res- cleanup_ old system-user scan reports. 0
ult threshol-
Cleanup d_days
Threshold
Orphaned orphane- The number of days after which Tenable 30 Integers >
Scan His- d_scan_ Nessus removes orphaned scans. For 0
tory cleanup_ example, an orphaned scan could be a
Cleanup days scan executed via Tenable Security
Center that was not properly removed.
If set to 0, Tenable Nessus does not per-

form a cleanup.
Packet packet_ The number of days after which Tenable 30 Integers >
Capture capture_ Nessus removes packet capture 0
Archive archive_ archives from the filesystem. If set to 0,
Cleanup cleanup_ Tenable Nessus does not perform a
- 589 -
Valid Val-
ues
days cleanup.
Plugin plugin_ Determines the frequency, in minutes, at 10080 Integers

Integrity healthche- which Tenable Nessus runs a full plugin 1440-
Check Fre- ck_fre- integrity check. 10080
quency quency
(Minutes)
Remote remote_ This setting allows Tenable Nessus to None Integer

Scanner listen_ operate on different ports: one ded-
Port port icated to communicating with remote
agents and scanners (comms port) and
the other for user logins (management
port). By adding this setting, you can link
your managed scanners and agents a dif-
ferent port (for example, 9000) instead
of the port defined in xmlrpc_listen_
port (default 8834).
Report report_ When enabled, Tenable Nessus sends yes yes or no

Crashes to crashes crash information to Tenable, Inc. auto-
Tenable matically to identify problems. Tenable
Nessus does not send personal or sys-
tem-identifying information to Tenable,
Inc..
Scan source_ip Source IPs to use when running on a None IP address

Source IP multi-homed host. If you provide mul- or
(s) tiple IPs, Tenable Nessus cycles through comma-
them whenever it performs a new con- separated
nection. list of
IP addres-
ses.
Send Tele- send_tele- When enabled, Tenable Nessus peri- yes yes or no
- 590 -
Valid Val-
ues
metry metry odically and securely sends non-con-

fidential product usage data to Tenable.
Usage statistics include, but are not lim-

ited to, data about your visited pages
within the Tenable Nessus interface,
your used reports and dashboards, your
Tenable Nessus license, and your con-
figured features. Tenable uses the data
to improve your user experience in
future Tenable Nessus releases. You can
disable this option at any time to stop
sharing usage statistics with Tenable.
User Scan scan_his- The number of days after which Tenable 0 0 or

Result tory_expir- Nessus deletes the scan history and data integers
Deletion ation_ for completed scans permanently. larger
Threshold days than or
equal to 3.
If set to 0,
Tenable
Nessus
retains
the his-
tory.
Windows windows_ Determines whether Tenable Nessus gen- no yes or no

Minidump minidump erates a Windows minidump file in the
log folder if Tenable Nessus for Windows
crashes.
- 591-
Custom
Not all advanced settings are populated in the Tenable Nessus user interface, but you can set some
settings in the command-line interface. If you create a custom setting, it appears in the Custom
tab.
The following table lists the advanced settings that you can configure, even though Tenable Nessus
does not list them by default.
Identifier Description Default Valid Values
acas_classification Adds a classification banner to the None UNCLASSIFIED

top and bottom of the Tenable Nes- (green banner),
sus user interface, and turns on CONFIDENTIAL
last successful and failed login noti- (blue banner),
fication. SECRET (red ban-
ner), or a custom
value (orange ban-
ner).
multi_scan_same_ When disabled, to avoid over- no yes or no

host whelming a host, Tenable Vul-
nerability Management prevents a
single scanner from sim-
ultaneously scanning multiple tar-
gets that resolve to a single IP
address. Instead, Tenable Vul-
nerability Management scanners
serialize attempts to scan the IP
address, whether it appears more
than once in the same scan task or
in multiple scan tasks on that scan-
ner. Scans may take longer to com-
plete.
When enabled, a Tenable Vul-
- 592 -
nerability Management scanner

can simultaneously scan multiple
targets that resolve to a single IP
address within a single scan task
or across multiple scan tasks.
Scans complete more quickly, but
scan targets could potentially
become overwhelmed, causing
timeouts and incomplete results.
merge_plugin_res- Supports merging plugin results no yes or no

ults for plugins that generate multiple
findings with the same host, port,
and protocol. Tenable recom-
mends enabling this option for
scanners linked to Tenable Secur-
ity Center.
nessus_syn_scan- Sets the max number of SYN pack- 65536 Integers

ner.global_through- ets that Tenable Nessus sends per
put.max second during its port scan (no
matter how many hosts Tenable
Nessus scans in parallel). Adjust
this setting based on the sens-
itivity of the remote device to large
numbers of SYN packets.
login_banner A text banner shows that appears None String

after you attempt to log in to Ten-
able Nessus. The banner only
appears the first time you log in on
a new browser or computer.
timeout.<plugin ID> Enter the plugin ID in place of <plu- None Integers 0-86400
gin ID>. The maximum time, in
- 593 -
seconds, that Tenable Nessus per-

mits the <pluginID> to run before
Tenable Nessus stops it. If you set
this option for a plugin, this value
supersedes plugins_timeout.
- 594 -
Create a New Setting
3. In the upper right corner, click the New Setting button.
The Add Setting window appears.
4. In the Name box, type the key for the new setting.
5. In the Value box, type the corresponding value.
6. Click the Add button.
The new setting appears in the list.
- 595 -
Modify a Setting
3. In the settings table, click the row for the setting you want to modify.
The Edit Setting box appears.
4. Modify the settings as needed.
Tenable Nessus saves the setting.
- 596 -
Delete a Setting
3. In the settings table, in the row for the setting you want to delete, click the button.
A dialog box appears, confirming your selection to delete the setting.
4. Click Delete.
Tenable Nessus deletes the setting.
- 597 -
LDAP Server (Tenable Nessus Manager)
In Tenable Nessus Manager, the LDAP Server page shows options that allow you to configure a
Lightweight Directory Access Protocol (LDAP) server to import users from your directory.
The following table describes the LDAP Server fields:
Setting Description
Host The LDAP server host.
Port The LDAP server port. Confirm the selection with your LDAP server admin-
istrators.
Username The username for an account on the LDAP server with credentials to search
for user data.
Format the username as provided by the LDAP server.
Password The password for an account on the LDAP server with credentials to search
- 598 -
for user data.
Base DN The LDAP search base used as the starting point to search for the user data.
Show Click the Show advanced settings checkbox to show or hide the advanced
advanced set- LDAP settings.
tings
Advanced Settings (Optional)
Username The attribute name on the LDAP server that contains the username for the
Attribute account. This is often specified by the string sAMAccountName in servers that
may be used by LDAP.
Contact your LDAP server administrator for the correct value.
Email Attrib- The attribute name on the LDAP server that contains the email address for
ute the account. This is often specified by the string mail in servers that may be
used by LDAP.
Name Attrib- The attribute name on the LDAP server that contains the name associated
ute with the account. This is often specified by the string CN in servers that may
be used by LDAP.
CA (PEM The LDAP server's certificate authority (CA) certificate, if applicable. Enter the
Format) certificate in PEM format.
- 599 -
Configure an LDAP Server
1. In Tenable Nessus Manager, in the top navigation bar, click Settings.
2. In the left navigation bar, click LDAP Server.
The LDAP Server page appears.
3. Configure the settings as necessary:
Setting Description
Host The LDAP server host.
Port The LDAP server port. Confirm the selection with your LDAP server
administrators.
Username The username for an account on the LDAP server with credentials to
search for user data.
Format the username as provided by the LDAP server.
Password The password for an account on the LDAP server with credentials to
Base DN The LDAP search base used as the starting point to search for the user
data.
Show Click the Show advanced settings checkbox to show or hide the
advanced set- advanced LDAP settings.
tings
Advanced Settings (Optional)
Username The attribute name on the LDAP server that contains the username for
Attribute the account. This is often specified by the string sAMAccountName in
servers that may be used by LDAP.
- 600 -
Email Attrib- The attribute name on the LDAP server that contains the email address
ute for the account. This is often specified by the string mail in servers that
may be used by LDAP.
Name Attrib- The attribute name on the LDAP server that contains the name asso-
ute ciated with the account. This is often specified by the string CN in serv-
ers that may be used by LDAP.
CA (PEM The LDAP server's certificate authority (CA) certificate, if applicable.

Format) Enter the certificate in PEM format.
4. (Optional) Click the Test LDAP Server button to verify the LDAP configuration you entered.
A message appears on the top-right corner of the page that confirms whether your LDAP con-
figuration is valid. If the configuration is not valid, review the settings and adjust them as
needed.
Tenable Nessus Manager saves the LDAP server configuration.
- 601-
Proxy Server
The Proxy Server page allows you to configure a proxy server. If the proxy you use filters specific
HTTP user agents, you can type a custom user-agent string in the User-Agent box. To configure a
proxy server, see Configure a Proxy Server.
The following table describes the Proxy Server settings:
Setting Description
Host The proxy server host.
Port The proxy server port.
Username The username for an account on the proxy server with credentials to search
for user data.
Format the username as provided by the proxy server.
Password The password for an account on the proxy server with credentials to search
- 602 -
for user data.
Auth Method The authentication method Nessus uses to connect to the proxy server:
l AUTODETECT —Tenable Nessus secures the connection with authen-

tication based on what you entered for the previous settings. Tenable
recommends selecting this option if you do not know what to select.
l NONE —Tenable Nessus does not authenticate.
l BASIC —Tenable Nessus secures the connection with basic authen-

tication.
l DIGEST —Tenable Nessus secures the connection with digest authen-

tication.
l NTLM —Tenable Nessus secures the connection with NTLM authen-

tication.
User-Agent The user agent for the proxy server, if your proxy requires a preset user agent.
- 603 -
Configure a Proxy Server
2. In the left navigation bar, click Proxy Server.
The Proxy Server page appears.
3. Configure the settings as necessary:
Setting Description
Host The proxy server host.
Port The proxy server port.
Username The username for an account on the proxy server with credentials to
Format the username as provided by the proxy server.
Password The password for an account on the proxy server with credentials to
Auth Method The authentication method Nessus uses to connect to the proxy server:
l AUTODETECT —Tenable Nessus secures the connection with

authentication based on what you entered for the previous set-
tings. Tenable recommends selecting this option if you do not
know what to select.
l NONE —Tenable Nessus does not authenticate.
l BASIC —Tenable Nessus secures the connection with basic

authentication.
l DIGEST —Tenable Nessus secures the connection with digest

authentication.
l NTLM —Tenable Nessus secures the connection with NTLM

authentication.
- 604 -
User-Agent The user agent for the proxy server, if your proxy requires a preset user
agent.
Tenable Nessus saves the proxy server.
- 605 -
Remote Link
The Remote Link page allows you to link your Tenable Nessus scanner to a licensed Tenable Nessus
Manager or Tenable Vulnerability Management.
from the interface.
Enable or disable the toggle to link a scanner or unlink a scanner.
Remote Link Settings

Option Set To
Link Tenable Nessus to Tenable Nessus Manager
- 606 -
Option Set To
Link to Nessus Manager
Scanner The name you want to use for this Tenable Nessus scanner.
Name
Manager The static IP address or hostname of the Tenable Nessus Manager instance
Host you want to link to.
Manager Your Tenable Nessus Manager port, or the default 8834.

Port
Linking Key The key specific to your instance of Tenable Nessus Manager.
Use Proxy Select or deselect the check box depending on your proxy settings. If you
select Use Proxy, you must also configure:
l Host —The hostname or IP address of the proxy server.
l Port —The port number of the proxy server.
l Username —The username for an account that has permissions to

l Password —The password associated with the username you provided.
Link Tenable Nessus to Tenable Vulnerability Management
Link to Tenable.io
Scanner cloud.tenable.com
Name
Linking Key The key specific to your instance of Tenable Vulnerability Management. The
key looks something like the following string:
2d38435603c5b59a4526d39640655c3288b00324097a08f7a93e5480940d1cae
Use Proxy Select or deselect the check box depending on your proxy settings. If you
select Use Proxy, you must also configure:
l Host —The hostname or IP address of the proxy server.
- 607 -
Option Set To
l Port —The port number of the proxy server.
l Username —The username for an account that has permissions to

l Password —The password associated with the username you provided.
- 608 -
SMTP Server
The SMTP Server page allows you to configure a Simple Mail Transfer Protocol (SMTP) server. Once
you configure an SMTP server, Nessus can email HTML scan results to the list of recipients that you
specify in the scan settings.
The following table describes the SMTP Server settings:
Setting Description
Host The SMTP server host.
Port The SMTP server port.
From (sender The email address that shows as the sender in the scan results email.
email)
Encryption The email encryption type:
l No Encryption —Tenable Nessus does not encrypt the email.
- 609 -
l Force SSL —Tenable Nessus forces SSL encryption for the email.
l Force TLS —Tenable Nessus forces TLS encryption for the email.
l Use TLS if available —Tenable Nessus uses TLS encryption if the

receiving server is compatible.
Hostname (for The hostname that shows for the sender host and port in the email.
email links)
Auth Method The authentication method Nessus uses to connect to the STMP server:
l NONE —Tenable Nessus does not authenticate the connection.
l PLAIN —Tenable Nessus secures the connection with plain (user-

name/ password) authentication.
l LOGIN —Tenable Nessus secures the connection with login authen-

tication.
l NTLM —Tenable Nessus secures the connection with NTLM authen-

tication.
l CRAM-MD5 —Tenable Nessus secures the connection with CRAM-

MD5 authentication.
- 610 -
Configure an SMTP Server
2. In the left navigation bar, click SMTP Server.
The SMTP Server page appears.
3. Configure the settings as necessary.
Setting Description
Host The SMTP server host.
Port The SMTP server port.
From (sender The email address that shows as the sender in the scan results
email) email.
Encryption The email encryption type:
l No Encryption —Tenable Nessus does not encrypt the email.
l Force SSL —Tenable Nessus forces SSL encryption for the

email.
l Force TLS —Tenable Nessus forces TLS encryption for the

email.
l Use TLS if available —Tenable Nessus uses TLS encryption if

the receiving server is compatible.
Hostname (for The hostname that shows for the sender host and port in the email.
email links)
Auth Method The authentication method Nessus uses to connect to the STMP
server:
l NONE —Tenable Nessus does not authenticate the con-

nection.
- 611-
l PLAIN —Tenable Nessus secures the connection with plain
(username/ password) authentication.
l LOGIN —Tenable Nessus secures the connection with login

authentication.
l NTLM —Tenable Nessus secures the connection with NTLM

authentication.
l CRAM-MD5 —Tenable Nessus secures the connection with

CRAM-MD5 authentication.
Tenable Nessus saves the SMTP server.
- 612 -
Custom CA
The Custom CA page shows a text box that you can use to upload a custom certificate authority
(CA) in Nessus. For more information, see Certificates and Certificate Authorities.
Note: Include the beginning text -----BEGIN CERTIFICATE----- and ending text -----END
CERTIFICATE-----.
Tip: You can save more than one certificate in a single text file, including the beginning and ending text for
each one.
- 613 -
Upgrade Assistant
The following feature is not supported in Federal Risk and Authorization Manage Program (FedRAMP) envir-
onments. For more information, see the FedRAMP Product Offering.
You can upgrade data from Tenable Nessus to Tenable Vulnerability Management via the Upgrade
Assistant tool.
For more information, see Nessus to Tenable Vulnerability Management Upgrade Assistant.
- 614 -
Password Management
The Password Management page allows you to set parameters for passwords, login notifications,
and the session timeout.
Setting Default Description
Password Com- Off Requires password to have a minimum of 8 characters,

plexity and at least 3 of the following: an upper case letter, a
lower case letter, a special character, and a number.
Session Timeout 30 The web session timeout in minutes. Tenable Nessus logs
(mins) users out automatically if their session is idle for longer
than this timeout value.
- 615 -
Setting Default Description
Max Login 5 The maximum number of user login attempts allowed by

Attempts Nessus before Tenable Nessus locks the account out. Set-
ting this value to 0 disables this feature.
Min Password 8 This setting defines the minimum number of characters

Length for passwords of accounts.
Login Noti- Off Login notifications allow the user to see the last suc-
fications cessful login and failed login attempts (date, time, and
IP), and if any failed login attempts have occurred since
the last successful login.
- 616 -
Configure Password Management
2. In the left navigation bar, click Password Mgmt.
The Password Management page appears.
3. Configure the settings as necessary.
Tenable Nessus saves the password setting.
Note: Changes to the Session Timeout and Max Login Attempts settings require a restart to take
effect.
Scanner Health
The Scanner Health page provides you with information about the performance of your Tenable Nes-
sus scanner. You can monitor real-time health and performance data to help troubleshoot scanner
issues. Scanner alerts provide information about system errors that may cause your scanner to mal-
function. Tenable Nessus updates the information every 30 seconds.
For information, see Monitor Scanner Health.
Tenable Nessus organizes the scanner health information into three categories: Overview, Network,
and Alerts.
- 617 -
Overview
Widget Description Actions
Current Health Widgets showing Nessus memory used in MB, None

CPU load, and the number of hosts Tenable Nes-
sus is scanning.
Scanner Alerts Alerts about areas where your Tenable Nessus Click an alert to see
scanner performance may be suffering. Alerts more details.
can have a severity level of Info, Low, Medium, or
If there are more than
High.
five alerts, click More
Alerts to see the full list
of alerts.
System Chart showing how much of your system None

Memory memory Tenable Nessus is using.
Nessus Data Chart showing the percentage of free and used None
Disk Space disk space on the disk where you installed Ten-
able Nessus's data directory.
Memory Usage Graph showing how many MB of memory Tenable Hover over a point on
History Nessus used over time. the graph to see
detailed data.
CPU Usage Graph showing the percentage of CPU load Ten- Hover over a point on
History able Nessus used over time. the graph to see
detailed data.
Scanning His- Graph showing the number of scans Tenable Nes- Hover over a point on
tory sus ran and active targets Tenable Nessus the graph to see
scanned over time. detailed data.
- 618 -
Network
Scanning History Graph showing the number of scans Tenable Nes- Hover over a point on
sus ran and active targets Tenable Nessus the graph to see
scanned over time. detailed data.
Network Con- Graph showing the number of TCP sessions Ten- Hover over a point on
nections able Nessus creates during scans over time. the graph to see
detailed data.
Network Traffic Graph showing how much traffic Tenable Nessus Hover over a point on
is sending and receiving over the network over the graph to see
time. detailed data.
Number of Graph showing how many reverse DNS Hover over a point on
DNS Lookups (rDNS) and DNS lookups Tenable Nessus per- the graph to see
forms over time. detailed data.
DNS Lookup Graph showing the average time that Tenable Hover over a point on
Time Nessus takes to perform rDNS and DNS lookups the graph to see
over time. detailed data.
- 619 -
Alerts
Scanner List of alerts about areas where your Tenable Nessus scanner Click an
Alerts performance may be suffering. Alerts can have a severity level alert to see
of Info, Low, Medium, or High. more
details.
- 620 -
Monitor Scanner Health
The Scanner Health page provides you with information about the performance of your Tenable Nes-
sus scanner. For more information about performance data, see Scanner Health.
To monitor scanner health:
2. In the left navigation bar, click Scanner Health.
3. (Optional) To adjust the time scale on a graph, on the Overview tab, from the drop-down box,
select a time period.
The graphs on both the Overview and Network tabs reflect the selected time period.
4. (Optional) To hide an item from a time graph, click the item in the legend.
Tip: Hiding items automatically adjusts the scale to the visible items and allows you to view one data-
set at a time.
5. Click the Overview, Network or Alerts tab.
- 621-
Notifications
Tenable Nessus may periodically show notifications such as login attempts, errors, system inform-
ation, and license expiration information. These notifications appear after you log in, and you can
choose to acknowledge or dismiss each notification. For more information, see Acknowledge Noti-
fications.
The following table describes the two ways you can view notifications:
Notification View Location Description
Current notifications The bell icon in the top Shows notifications that appeared during
this session.
navigation bar ( )
When you acknowledge a notification, it
no longer appears in your current noti-
fication session, but remains listed in the
notification history.
Notification history Settings > Noti- Shows all notifications from the past 90
fications days.
The notifications table shows each noti-

fication and the time and date it
appeared, whether you acknowledged it,
the severity, and the message. Unac-
knowledged notifications appear in bold.
You cannot acknowledge a notification
from the notification history view.
For more information, see View Notifications.
- 622 -
Acknowledge Notifications
When you acknowledge a notification, it no longer appears in your current notification session, but
remains listed in the notification history. You cannot acknowledge notifications from the noti-
fication history view. For more information on viewing notification history, see View Notifications.
If you choose not to acknowledge a notification, it appears the next time you log in. You cannot
acknowledge some notifications – instead, you must take the recommended action.
To acknowledge a notification:
l For a notification window, click Acknowledge.
l For a notification banner, click Dismiss.
l For a notification in the upper-right corner, click .
To clear current notifications:
1. In the top navigation bar, click .
2. Click Clear Notifications.
Note: Clearing notifications does not acknowledge notifications; it removes them from your current
notifications. You can still view cleared notifications in notification history.
- 623 -
View Notifications
You can view outstanding notifications from your current session, and you can also view a history of
notifications from the past 90 days. For information on managing notifications, see Acknowledge
Notifications.
To view your current notifications:
In the top navigation bar, click .
To view your notification history:
2. In the left navigation bar, click Notifications.
The Notifications page appears and shows the notifications table.
3. (Optional) Filter or search the notifications to narrow results in the notifications table.
- 624 -
Accounts
This section contains the following tasks available in the Accounts section of the Settings page.
l Modify Your User Account
l Generate an API Key
l Create a User Account
l Modify a User Account
l Delete a User Account
- 625 -
My Account
The Account Settings page shows settings for the current authenticated user.
Note: Once created, you cannot change a username.
API Keys
An API Key consists of an access key and a secret key. API Keys authenticate with the Nessus REST
API (version 6.4 or greater) and pass with requests using the X-ApiKeys HTTP header.
Note:
l Nessus only presents API Keys upon initial generation. Store API keys in a safe location.
l Tenable Nessus cannot retrieve API Key. If you lose your API Key, you must generate a new API Key.
l Regenerating an API Key immediately deauthorizes any applications currently using the key.
- 626 -
Modify Your User Account
2. In the left navigation bar, click My Account.
The My Account page appears.
3. Modify your name, email, or password as needed.
Note: You cannot modify a username after you create the account.
4. Click Save.
Tenable Nessus saves your account settings.
- 627 -
Generate an API Key
In Tenable Nessus Manager, you can generate an API key from the API Keys tab in the Tenable Nes-
sus user interface. Generating an API key can help you automate various tasks and integrate Ten-
able Nessus with other security tools and systems within your organization.
Note: In addition to Tenable Nessus Manager, the API Keys tab may also be available in Tenable Nessus Pro-
fessional and Tenable Nessus Expert, depending on your license and configuration. For more information,
contact your Tenable Customer Success Manager.
Note: Customers may not directly access Tenable Nessus scanning APIs to configure or launch scans,
except as permitted as part of the Tenable Security Center and Tenable Vulnerability Management enter-
prise solutions.
Caution: Generating a new API key replaces any existing keys and deauthorizes any linked applications.
To generate an API key:
2. In the left navigation bar, click My Account.
The My Account page appears.
3. Click the API Keys tab.
4. Click Generate.
A dialog box appears, confirming your selection to generate a new API key.
5. Click Generate.
Your new API key appears.
- 628 -
Users
Note: The Users page is only available in Tenable Nessus Manager.
The Users page shows a table of all Tenable Nessus user accounts. This documentation refers to
that table as the users table. Each row of the users table includes the username, the date of the
last login, and the role assigned to the account.
User accounts are assigned roles that dictate the level of access a user has in Tenable Nessus. You
can disable or change the role of a user account at any time. The following table describes the roles
that you can assign to users:
Name Description
Basic Basic user roles can read scan results.
Note: This role is not available in Tenable Nessus Professional or Tenable Nes-
sus Expert.
Standard Standard users can create scans and policies.
A scan created by a Standard user cannot be edited by other Standard

users unless they're given editing permissions from the scan creator.
sus Expert.
Administrator Administrators have the same privileges as Standard users, but can also
manage users, user groups, and scanners. In Nessus Manager, Admin-
istrators can view scans that are shared by users.
Tenable Nessus Professional and Tenable Nessus Expert users are Admin-
istrators by default.
System Admin- System Administrators have the same privileges as Administrators, but
istrator can also manage and modify system configuration settings.
sus Expert.
- 629 -
Name Description
Disabled Disabled user accounts cannot be used to log in to Tenable Nessus.
- 630 -
Create a User Account
Note: You can only perform this procedure in Tenable Nessus Manager. You cannot have multiple user
accounts in Tenable Nessus Professional or Tenable Nessus Expert.
2. In the left navigation bar, click Users.
The Users page appears.
3. In the upper right corner, click the New User button.
The Account Settings tab appears.
4. Type in the settings as necessary, and select a role for the user.
Note: You cannot modify a username after you save the account.
5. Click Save.
Tenable Nessus saves the user account.
- 631-
Modify a User Account
3. In the users table, click the user whose account you want to modify.
The <Username> page appears, where <Username> is the name of the selected user.
4. Modify the user's name, email, role, or password as needed.
Note: You cannot modify a username after you create the account.
5. Click Save.
Tenable Nessus saves your account settings.
- 632 -
Delete a User Account
3. In the users table, in the row for the user that you want to delete, click the button.
A dialog box appears, confirming your selection to delete the user.
4. Click Delete.
Tenable Nessus deletes the user.
- 633 -
Transfer User Data
In Tenable Nessus Manager, you can transfer a user's data to a system administrator. When you
transfer user data, you transfer ownership of all policies, scans, scan results, and plugin rules to a
system administrator account. Transferring user data is useful if you need to remove a user
account but do not want to lose their associated data in Tenable Nessus.
To transfer user data:
1. Log in to Tenable Nessus with the system administrator account to which you want to trans-
fer user data.
3. In the left navigation bar, under Accounts, click Users.
The Users page appears and shows the users table.
4. In the users table, select the check box for each user whose data you want to transfer to your
account.
5. In the upper-right corner, click Transfer Data.
A warning window appears.
Note: Once you transfer user data, you cannot undo the action.
6. To transfer the data, click Transfer.
Tenable Nessus transfers ownership of the selected user's policies, scans, scan results, and
plugin rules to the administrator account.
- 634 -
Command Line Operations
This section includes command line operations for Tenable Nessus and Tenable Nessus Agents.
Tip: During command line operations, prompts for sensitive information, such as a password, do not show
characters as you type. However, the command line records the data and accepts it when you press
the Enter key.
This section includes the following topics:
l Start or Stop Tenable Nessus
l Start or Stop Tenable Nessus Agent
l Nessus-Service
l Nessuscli
l Nessuscli Agent
l Update Tenable Nessus Software (CLI)
Start or Stop Tenable Nessus

The following represent best practices for starting and stopping the Nessus service on your
machine.
Note: This topic refers to starting or stopping the Nessus service that runs on host machines. To launch or
stop an individual scan, see Launch a Scan and Stop a Running Scan.
- 635 -
Windows
1. Navigate to Services.
2. In the Name column, click Tenable Nessus.
l To stop the Nessus service, right-click Tenable Nessus, and then click Stop.
l To restart the Nessus service, right-click Tenable Nessus, and then click Start.
Start or Stop Windows Command-Line Operation
Start C:\Windows\system32>net start "Tenable Nessus"
Stop C:\Windows\system32>net stop "Tenable Nessus"
Note: You must have root permissions to run the start and stop commands.
- 636 -
Linux
Use the following commands:
Start or Stop Linux Command-Line Operation
RedHat, CentOS, and Oracle Linux
Start # /sbin/service nessusd start
Stop # /sbin/service nessusd stop
SUSE
Start # /etc/rc.d/nessusd start
Stop # /etc/rc.d/nessusd stop
FreeBSD
Start # service nessusd start
Stop # service nessusd stop
Debian, Kali, and Ubuntu
Start # /etc/init.d/service nessusd start
Stop # /etc/init.d/service nessusd stop
macOS
1. Navigate to System Preferences.
4. Type your username and password.
- 637 -
l To stop the Nessus service, click the Stop Nessus button.
l To start the Nessus service, click the Start Nessus button.
Start or Stop macOS Command-Line Operation
Start # sudo launchctl start com.tenablesecurity.nessusd
Stop # sudo launchctl stop com.tenablesecurity.nessusd
Start or Stop a Tenable Nessus Agent

The following sections describe best practices for starting and stopping a Nessus Agent on a host.
Windows
1. Navigate to Services.
2. In the Name column, click Tenable Nessus Agent.
3. To stop the service, right-click Tenable Nessus Agent, and then click Stop.
-or-
To restart the Nessus Agent service, right-click Tenable Nessus Agent, and then click Start.
Start or Stop Windows Command Line Operation
Start C:\Windows\system32>net start "Tenable Nessus Agent"
Stop C:\Windows\system32>net stop "Tenable Nessus Agent"
Linux
Use the following commands:
- 638 -
Start or Stop Linux Command Line Operation
RedHat, CentOS, and Oracle Linux
Start # /sbin/service nessusagent start
Stop # /sbin/service nessusagent stop
SUSE
Start # /etc/rc.d/nessusagent start
Stop # /etc/rc.d/nessusagent stop
FreeBSD
Start # service nessusagent start
Stop # service nessusagent stop
Debian, Kali, and Ubuntu
Start # /etc/init.d/service nessusagent start
Stop # /etc/init.d/service nessusagent stop
macOS
1. Navigate to System Preferences.
4. Type your username and password.
5. To stop the Nessus Agent service, click the Stop Nessus Agent button.
-or-
To start the Nessus Agent service, click the Start Nessus Agent button.
- 639 -
Start or Stop macOS Command Line Operation
Start # sudo launchctl start com.tenablesecurity.nessusagent
Stop # sudo launchctl stop com.tenablesecurity.nessusagent
Nessus-Service
If necessary, whenever possible, you should start and stop Nessus services using Nessus service
controls in your operating system’s interface.
However, there are many nessus-service functions that you can perform through a command line
interface.
Unless otherwise specified, you can use the nessusd command interchangeably with nessus-
service server commands.
You can use the # killall nessusd command to stop all Nessus services and in-process scans.
Note: You must have administrative privileges to run the following commands.
- 640 -
Nessus-Service Syntax
Operating
Command
System
Linux # / opt/ nessus/ sbin/ nessus-service [ -vhD] [ -c <config-file>] [ -p <port-num-

ber>] [ -a <address>] [ -S <ip[ ,ip,…] >]
FreeBSD # / usr/ local/ nessus/ sbin/ nessus-service [ -vhD] [ -c <config-file>] [ -p <port-

number>] [ -a <address>] [ -S <ip[ ,ip,…] >]
macOS # / Library/ Nessus/ run/ sbin/ nessus-service [ -vhD] [ -c <config-file>] [ -p <port-

number>] [ -a <address>] [ -S <ip[ ,ip,…] >]
- 641-
Suppress Command Output Examples
You can suppress command output by using the -q option.
Linux
# /opt/nessus/sbin/nessus-service -q -D
FreeBSD
# /usr/local/nessus/sbin/nessus-service -q -D
- 642 -
Nessusd Commands
Option Description
-c <config- When starting the nessusd server, this option specifies the server-side nes-
file> susd configuration file to use. It allows for the use of an alternate configuration
file instead of the standard db.
-S <ip When starting the nessusd server, force the source IP of the connections estab-
[ ,ip2,…] > lished by Nessus during scanning to <ip>. This option is only useful if you have
a multihomed machine with multiple public IP addresses that you would like to
use instead of the default one. For this setup to work, the host running nes-
susd must have multiple NICs with these IP addresses set.
-D When starting the nessusd server, this option forces the server to run in the
background (daemon mode).
-v Display the version number and exit.
-l Display a list of those third-party software licenses.
-h Show a summary of the commands and exit.
--ipv4-only Only listen on IPv4 socket.
--ipv6-only Only listen on IPv6 socket.
-q Operate in "quiet" mode, suppressing all messages to stdout.
-R Force a reprocessing of the plugins.
-t Check the time stamp of each plugin when starting up to only compile newly
updated plugins.
-K Set a parent password for the scanner.
If you set a parent password, Nessus encrypts all policies and credentials con-
tained in the policy. When you set a password, the Nessus user interface
prompts you for the password.
Caution: If you set your parent password and lose it, neither your administrator nor
- 643 -
Option Description
Tenable Support can recover it.
- 644 -
Notes
If you are running nessusd on a gateway and if you do not want people on the outside to connect to
your nessusd, set your listen_address advanced setting.
To set this setting:
nessuscli fix --set listen_address=<IP address>
This setting tells the server to only listen to connections on the address <address> that is an IP
address, not a machine name.
Nessuscli
You can administer some Tenable Nessus functions through a command-line interface (CLI) using
the nessuscli utility.
This allows the user to manage user accounts, modify advanced settings, manage digital cer-
tificates, report bugs, update Tenable Nessus, and fetch necessary license information.
Note: You must run all commands with administrative privileges.
- 645 -
Nessuscli Syntax
Operating Sys-
Command
tem
Linux # /opt/nessus/sbin/nessuscli <cmd> <arg1> <arg2>
Windows C:\Program Files\Tenable\Nessus\nessuscli.exe <cmd> <arg1>

<arg2>
macOS # /Library/Nessus/run/sbin/nessuscli <cmd> <arg1> <arg2>
This topic describes the following command types:
l Help Commands
l Backup Commands
l Bug Reporting Commands
l User Commands
l Fetch Commands
l Fix Commands
l Certificate Commands
l Software Update Commands
l Manager Commands
l Managed Scanner Commands
l Dump Command
l Node Commands
- 646 -
Nessuscli Commands
Command Description
Help Commands
nessuscli help Shows a list of Tenable Nessus commands.
The help output may vary, depending on your Tenable Nessus

license.
nessuscli <cmd> help Shows more help information for specific commands identified in
the nessuscli help output.
Backup Commands
nessuscli backup -- Creates a backup of your Tenable Nessus instance, which includes
create <backup_file- your license and settings. Does not back up scan results.
name>
For more information, see Back Up Tenable Nessus.
nessuscli backup -- Restores a previously saved backup of Tenable Nessus.

restore <path/to/-
For more information, see Restore Tenable Nessus.
backup_filename>
Bug Reporting Commands
The bug reporting commands create an archive that you can send to Tenable, Inc. to help dia-
gnose issues. By default, the script runs in interactive mode.
nessuscli bug- Generates an archive of system diagnostics.

report-generator
Running this command without arguments prompts for values.
--quiet: run the bug report generator without prompting user for
feedback.
--scrub: when in quiet mode, bug report generator sanitizes the

last two octets of the IPv4 address.
--full: when in quiet mode, bug report generator collects extra

data.
- 647 -
Command Description
User Commands
nessuscli rmuser Allows you to remove a Tenable Nessus user.

<username>
nessuscli chpasswd Allows you to change a user’s password. The CLI prompts to enter
<username> the Tenable Nessus user’s name. The CLI does not echo passwords
on the screen.
nessuscli adduser Allows you to add a Tenable Nessus user account.

<username>
The CLI prompts you for a username, password, and opted to allow
the user to have an administrator type account. Also, the CLI
prompts to add Users Rules for this new user account.
nessuscli lsuser Shows a list of Tenable Nessus users.
Fetch Commands
Manage Tenable Nessus registration and fetch updates
nessuscli fetch -- Uses your Activation Code to register Tenable Nessus online.
register <Activation
Example:
Code>
# /opt/nessus/sbin/nessuscli fetch --register xxxx-
xxxx-xxxx-xxxx
nessuscli fetch -- Uses your Activation Code to register Tenable Nessus online, but
register-only does not automatically download plugin or core updates.
<Activation Code>
Example:
# /opt/nessus/sbin/nessuscli fetch --register-only

xxxx-xxxx-xxxx-xxxx
nessuscli fetch -- Registers Tenable Nessus with the nessus.license file obtained
register-offline from https:/ / plugins.nessus.org/ v2/ offline.php.
nessus.license
nessuscli fetch -- Shows whether Tenable Nessus is properly registered and is able
- 648 -
Command Description
check to receive updates.
nessuscli fetch -- Shows the Activation Code that Tenable Nessus is using.
code-in-use
nessuscli fetch -- Shows the challenge code needed to use when performing an off-
challenge line registration.
Example challenge code: aaaaaa11b2222c-
c33d44e5f6666a777b8cc99999
nessuscli fetch -- Prepares Tenable Nessus to be connected to Tenable Security

security-center Center.
Caution: Do not use this command if you do not want to switch your
Tenable Nessus instance to Tenable Security Center. This command
irreversibly changes the Tenable Nessus scanner or Manager to a Ten-
able Security Center-managed scanner, resulting in several user inter-
face changes (for example, the site logo changes, and you do not have
access to the Sensors page).
Fix Commands
nessuscli fix Reset registration, show network interfaces, and list advanced set-
tings that you have set.
nessuscli fix [--
secure] --list Using the --secure option acts on the encrypted preferences,
which contain information about registration.
nessuscli fix [--
secure] --set <set- You can use --list, --set, --get, and --delete to modify or
ting=value> view preferences.
nessuscli fix [--

secure] --get <set-
ting>
nessuscli fix [--

secure] --delete
<setting>
- 649 -
Command Description
nessuscli fix -- List the network adapters on this machine.

list-interfaces
nessuscli fix --set Tell the server to only listen to connections on the address
listen_address- <address> that is an IP, not a machine name. This option is useful
s=<address> if you are running nessusd on a gateway and if you do not want
people on the outside to connect to your nessusd.
nessuscli fix --show List all advanced settings, including those you have not set. If you
have not set an advanced setting, the CLI shows the default value.
Note: This command only lists settings that are shared by all Tenable
Nessus license types. In other words, the command does not list any
settings specific to Tenable Nessus Expert, Tenable Nessus Pro-
fessional, or Tenable Nessus Manager.
nessuscli fix -- This command deletes all your registration information and pref-
reset erences, causing Tenable Nessus to run in a non-registered state.
Tenable Nessus Manager retains the same linking key after reset-
ting.
Before running nessuscli fix --reset, verify running scans

have completed, then stop the nessusd daemon or service, as
described in Start or Stop Tenable Nessus.
nessuscli fix -- This command resets Tenable Nessus to a fresh state, deleting all
reset-all registration information, settings, data, and users.
Caution: You cannot undo this action. Contact Tenable Support before
performing a full reset.
nessuscli fix --set (Tenable Nessus Manager-linked agents only)

agent_update_chan-
Sets the agent update plan to determine what version the agent
nel=<value>
automatically updates to.
Values:
l ga —Automatically updates to the latest Tenable Nessus
- 650 -
Command Description
Agent version when it is made generally available (GA).
l ea —Automatically updates to the latest Tenable Nessus ver-

sion as soon as it is released for Early Access (EA), typically a
few weeks before general availability.
l stable —Does not automatically update to the latest Ten-

able Nessus version. Remains on an earlier version of Ten-
able Nessus set by Tenable, usually one release older than
the current generally available version, but no earlier than
8.10.0. When Tenable Nessus releases a new version, your
Tenable Nessus instance updates software versions, but
stays on a version prior to the latest release.
Note: For agents linked to Tenable Nessus Manager, you need to run
the agent_update_channel command from the Tenable Nessus Man-
ager nessuscli utility. For agents linked to Tenable Vulnerability Man-
agement, you need to run the agent_update_channel command
from the agent nessuscli utility.
nessuscli fix --set Enforces NIAP mode for Tenable Nessus. For more information
niap_mode=enforcing about NIAP mode, see Configure Tenable Nessus for
NIAP Compliance.
This version of Tenable Nessus is not NIAP-certified, but the niap_

mode command still functions as expected.
nessuscli fix --set Disables NIAP mode for Tenable Nessus. For more information
niap_mode=non-enfor- about NIAP mode, see Configure Tenable Nessus for
cing NIAP Compliance.
This version of Tenable Nessus is not NIAP-certified, but the niap_

mode command still functions as expected.
Certificate Commands
nessuscli mkcert- Creates a certificate for the Tenable Nessus server.
- 651-
Command Description
client
nessuscli mkcert [- Creates a certificate with default values.

q]
-q for quiet creation.
nessuscli import- Validates the server key, server certificate, and CA certificate and
certs -- checks that they match. Then, copies the files to the correct loc-
serverkey=<server ations.
key path> --server-
cert=<server cer-
tificate path> --
cacert=
<CA certificate
path>
Software Update Commands
nessuscli update By default, this tool updates based on the software update options
selected through the Tenable Nessus user interface.
Note: This command only works for standalone Tenable Nessus scan-
ners. The command does not work for scanners managed by Tenable
Vulnerability Management or Tenable Security Center.
nessuscli update -- Forces updates for all Tenable Nessus components.

all
nessuscli update -- Forces updates for Tenable Nessus plugins only.

plugins-only
nessuscli update Updates Tenable Nessus plugins by using a TAR file instead of get-
- 652 -
Command Description
<tar.gz filename> ting the updates from the plugin feed. You obtain the TAR file
when you Manage Tenable Nessus Offline - Download and Copy Plu-
gins steps.
nessuscli fix --set (Tenable Nessus Professional and Tenable Vulnerability Man-
scanner_update_chan- agement-managed scanners only)
nel=<value>
Sets the Tenable Nessus to determine what version Tenable Nes-
sus automatically updates to.
Note: If you change your update plan and have automatic updates
enabled, Tenable Nessus may immediately update to align with the ver-
sion represented by your selected plan. Tenable Nessus may either
upgrade or downgrade versions.
Values:
l ga: Automatically updates to the latest Tenable Nessus ver-

sion when it is made generally available (GA). Note: This date
is the same day the version is made generally available.
l ea: Automatically updates to the latest Tenable Nessus ver-

sion as soon as it is released for Early Access (EA), typically a
few weeks before general availability.
l stable: Does not automatically update to the latest Tenable

Nessus version. Remains on an earlier version of Tenable
Nessus set by Tenable, usually one release older than the cur-
rent generally available version, but no earlier than 8.10.0.
When Tenable Nessus releases a new version, your Tenable
Nessus instance updates software versions, but stays on a
version prior to the latest release.
Manager Commands
Used for generating plugin updates for your managed scanners and agents connected to a man-
ager.
- 653 -
Command Description
nessuscli manager Downloads core component updates for remotely managed agents
download-core and scanners.
nessuscli manager Generates plugins archives for remotely managed agents and scan-
generate-plugins ners.
Managed Scanner Commands
Used for linking, unlinking, and viewing the status of remote managed scanners.
nessuscli managed Shows nessuscli-managed commands and syntax.

help
nessuscli managed Link an unregistered scanner to a manager.

link --key=<key> --
host=<host> -- Note: You cannot link a scanner via the CLI if you have already
registered the scanner. You can either link via the user interface, or
port=<port>
reset the scanner to unregister it (however, you lose all scanner data).
[optional para-
meters] Optional Parameters:
l --name: A name for the scanner.
l --ca-path: A custom CA certificate to use to validate the

manager's server certificate.
l --groups: One or more existing scanner groups where you

want to add the scanner. List multiple groups in a comma-
separated list. If any group names have spaces, use quotes
around the whole list.
For example: --groups="Atlanta,Global Headquar-

ters"
Note: The scanner group name is case-sensitive and must

match exactly.
l --proxy-host: The hostname or IP address of your proxy

server.
- 654 -
Command Description
l --proxy-port: The port number of the proxy server.
l --proxy-username: The name of a user account that has

permissions to access and use the proxy server.
l --proxy-password: The password of the user account that

you specified as the username.
l --proxy-agent: The user agent name, if your proxy requires

a preset user agent.
nessuscli managed Unlink a managed scanner from its manager.

unlink
nessuscli managed Identifies the status of the managed scanner.

status
Dump Command
nessuscli dump -- Adds a plugins.xml file in the sbin directory. For example, run-
plugins ning the /opt/nessus/sbin/nessuscli dump --plugins on
Linux adds a plugins.xml file to the /op-
t/nessus/sbin/plugins directory.
Node Commands
Used for viewing and changing node links in a cluster environment.
nessuscli node link Links the child node to the parent node in a clustering envir-
--key=<key> -- onment.
host=<host> --
For more information on key, host, and port, see Link a Node.
port=<port>
nessuscli node Unlinks the child node from the parent node.
unlink
nessuscli node Shows whether the child node is linked to parent node and the
status number of agents that are linked.
- 655 -
Nessuscli Agent
Use the Agent nessuscli utility to perform some Tenable Nessus Agent functions through a com-
mand line interface.
Note: You must run all Agent nessuscli commands as a user with administrative privileges.
- 656 -
Nessuscli Syntax
Operating Sys-
Command
tem
Linux # /opt/nessus_agent/sbin/nessuscli <cmd> <arg1> <arg2>
Windows C:\Program Files\Tenable\Nessus Agent\nessuscli.exe

<cmd> <arg1> <arg2>
macOS # sudo /Library/NessusAgent/run/sbin/nessuscli <cmd> <arg1>

<arg2>
- 657 -
Nessuscli Commands
Command Description
Informational Commands
# nessuscli help Displays a list of nessuscli commands.
# nessuscli -v Displays your current version of Tenable Nessus Agent.
Bug Reporting Commands
# nessuscli bug- Generates an archive of system diagnostics.

report-generator
If you run this command without arguments, the utility prompts you
for values.
Optional arguments:
l --quiet —Run the bug report generator without prompting user

for feedback.
l --scrub —The bug report generator sanitizes the last two oct-
ets of the IPv4 address.
l --full —The bug report generator collects extra data.
Image Preparation Commands
# nessuscli pre- Performs pre-imaging cleanup, including the following:

pare-image
l Unlinks the agent, if linked.
l Deletes any host tag on the agent. For example, the registry key
on Windows or tenable_tag on Unix.
l Deletes any UUID file on the agent. For example, /op-

t/nessus/var/nessus/uuid (or equivalent on MacOS/ Win-
dows).
l Deletes plugin dbs.
l Deletes global db.
- 658 -
Command Description
l Deletes master.key.
l Deletes the backups directory.
Optional arguments:
l --json=<file> —Validates an auto-configuration .json file

and places it in the appropriate directory.
Local Agent Commands
Used to link, unlink, and display agent status
# nessuscli agent Using the Tenable Nessus Agent Linking Key, this command links the
link --key=<key> agent to the Tenable Nessus Manager or Tenable Vulnerability Man-
--host=<host> -- agement.
port=<port>
Required arguments:
l --key —The linking key that you retrieved from the manager.
l --host —The static IP address or hostname you set during the

Tenable Nessus Manager installation.
Note: Starting with Tenable Nessus Agent 8.1.0, Tenable Vul-

nerability Management-linked agents communicate with Tenable Vul-
nerability Management using sensor.cloud.tenable.com. If
agents are unable to connect to sensor.cloud.tenable.com, they
use cloud.tenable.com instead. Agents with earlier versions con-
tinue to use the cloud.tenable.com domain.
l --port —8834 or your custom port.
Optional arguments:
l --auto-proxy —(Windows-only) When set, the agent uses Web

Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC)
file for proxy settings. This setting overrides all other proxy con-
figuration preferences.
l --name — A name for your agent. If you do not specify a name
- 659 -
Command Description
for your agent, the name defaults to the name of the computer
where you are installing the agent.
l --groups —One or more existing agent groups where you want

to add the agent. If you do not specify an agent group during the
install process, you can add your linked agent to an agent group
later in Tenable Nessus Manager. List multiple groups in a
comma-separated list. If any group names have spaces, use
quotes around the whole list. For example: "Atlanta,Global
Headquarters"
Note: The agent group name is case-sensitive and must match

exactly.
l --ca-path —A custom CA certificate to use to validate the man-

ager's server certificate.
l --offline-install —When enabled (set to "yes"), installs

Tenable Nessus Agent on the system, even if it is offline. Ten-
able Nessus Agent periodically attempts to link itself to its man-
ager.
If the agent cannot connect to the controller, it retries every

hour. If the agent can connect to the controller but the link fails,
it retries every 24 hours.
l --network —For Tenable Vulnerability Management-linked

agents, adds the agent to a custom network. If you do not spe-
cify a network, the agent belongs to the default network.
l --proxy-host —The hostname or IP address of your proxy

server.
l --proxy-port —The port number of the proxy server.
l --proxy-password —The password of the user account that

you specified as the username.
- 660 -
Command Description
l --proxy-username —The name of a user account that has per-

missions to access and use the proxy server.
l --proxy-agent —The user agent name, if your proxy requires a

preset user agent.
# nessuscli agent Unlinks agent from the Tenable Nessus Manager or Tenable Vul-
unlink nerability Management.
# nessuscli scan- Lists details about the agent's rule-based scans:

triggers --list
l Scan name
l Status (for example, uploaded)
l Time of last activity (shown next to the status)
l Scan description
l Time of last policy modification
l Time of last run
l Scan triggers
l Scan configuration template
l Command to launch the scan (nessuscli scan-triggers --

start --UUID=<scan-uuid>)
# nessuscli scan- (Tenable Vulnerability Management-linked agents only)

triggers --start
Manually executes a rule-based scan based on UUID.
--UUID=<scan-
uuid>
# nessuscli agent Displays the status of the agent, rule-based scanning information, jobs
status pending, and whether the agent is linked to the server.
Optional arguments:
l --local —(Default behavior) Provides the status, current jobs

count, and jobs pending. This option prevents the agent from
- 661-
Command Description
contacting its management software to fetch the status.

Instead, it shows the last known information from its most
recent sync.
l --remote —(Default behavior) Fetches the job count from the

manager and displays the status.
Note: Tenable does not recommend running frequent status checks

with the --remote option (for example, when using automation).
l --offline —Provides the most recently cached agent status

when it cannot connect to Tenable Nessus Manager or Tenable
Vulnerability Management.
l --show-token —Displays the agent's token that is used to

identify and authenticate with its manager.
l --show-uuid —Displays the agent's Tenable UUID.
# nessuscli plu- Lists details about the agent's full and inventory plugin sets:
gins --info
l Installed version
l Last downloaded
l Last needed
l Expires in —The plugin set's expiration time and date (that is,
when the plugin set is no longer needed).
l Plugins —The total number of plugins in the plugin set.
l Uncompressed source size
Lists details and statistics about the agent's plugins, such as:
l Last plugin update time
l Last plugin update check time
l Total compressed plugins source size
- 662 -
Command Description
l Total compiled plugins size
l Total plugins attributes data
l Total plugin size on disk
# nessuscli plu- Deletes all plugins and plugin-related data off the disk. The agent is
gins --reset able to download plugins immediately after the deletion completes.
Note: This command only triggers if the agent has plugin data on its disk.
# install-relay - Installs a Tenable Identity Exposure Secure Relay on the agent.

-linking-
To retrieve the Tenable Identity Exposure relay linking key, see Secure
key=<Tenable
Relay in the Tenable Identity Exposure Administrator Guide.
Identity Exposure
relay linking
key>
Update Commands
# nessuscli agent Manually installs a plugin set.

update --file-
e=<plugins_
set.tgz>
# nessuscli fix - (Tenable Vulnerability Management-linked agents only)

-set agent_
Sets the agent update plan to determine what version the agent auto-
update_
matically updates to.
channel=<value>
Values:
l ga —Automatically updates to the latest Tenable Nessus version

when it is made generally available (GA). Note: This date is the
same day the version is made generally available.
l ea —Automatically updates to the latest Tenable Nessus version

as soon as it is released for Early Access (EA), typically a few
- 663 -
Command Description
l stable —Does not automatically update to the latest Tenable

Nessus version. Remains on an earlier version of Tenable Nessus
set by Tenable, usually one release older than the current
Note: For agents linked to Tenable Vulnerability Management, you need to

run the agent_update_channel command from the agent nessuscli util-
ity. For agents linked to Tenable Nessus Manager, you need to run the
agent_update_channel command from the Tenable Nessus Manager nes-
suscli utility.
# nessuscli fix - (Tenable Vulnerability Management-linked agents only)

-set maximum_
Sets the maximum number of scans an agent can run per day. The min-
scans_per_day-
imum amount is 1, the maximum amount is 48, and the default amount
y=<value>
is 10.
Fix Commands
# nessuscli fix - Displays a list of agent settings and their values.

-list
nessuscli fix -- Set an agent setting to the specified value.

set
For a list of agent settings, see Advanced Settings in the Tenable Nes-
<setting>=<value>
sus Agent User Guide.
# nessuscli fix - Updates agent hostnames automatically in Tenable Vulnerability Man-

-set update_host- agement or Tenable Nessus Manager 7.1.1or later.
name="<value>"
You can set the update_hostname parameter to yes or no. By default,
this preference is disabled.
Note: Restart the agent service for the change to take effect in Tenable
Nessus Manager.
- 664 -
Command Description
# nessuscli fix - Sets the maximum number of times an agent should retry in the event
-set max_ of a failure when executing the agent link, agent status, or agent
retries="<value>" unlink commands. The commands retry, the specified number of
times, consecutively, sleeping increasing increments of time set by
retry_sleep_milliseconds between attempts. The default value
for max_retries is 0.
For example, if you set max_retries to 4 and set retry_sleep_mil-

liseconds to the default of 1500, then the agent will sleep for 1.5
seconds after the first try, 3 seconds after the second try, and 4.5
seconds after the third try.
Note: This setting does not affect offline updates or the agent's normal 24
hour check-in after it is linked.
# nessuscli fix - Sets the number of milliseconds that an agent sleeps for between
-set retry_sleep_ retries in event of a failure when executing the agent link, agent
milliseconds=" status, or agent unlink commands. The default is 1500 mil-
<value>" liseconds (1.5 seconds).
# nessuscli fix - Enforces NIAP mode for Tenable Nessus Agent. For more information
-set niap_mod- about NIAP mode, see Configure Tenable Nessus Agent for NIAP Com-
e=enforcing pliance.
# nessuscli fix - Disables NIAP mode for Nessus Agent. For more information about
-set niap_mod- NIAP mode, see Configure Tenable Nessus Agent for NIAP Compliance.
e=non-enforcing
# nessuscli fix - Enforces the current validated FIPS module for Tenable Nessus Agent
-set fips_mod- communication and database encryption. The FIPS module does not
e=enforcing affect scanning encryption.
Note: Tenable Nessus Agent also enforces the FIPS module when you
enforce NIAP mode. For more information, see Configure Tenable Nessus
Agent for NIAP Compliance.
# nessuscli fix - Disables the FIPS module for Tenable Nessus Agent communication
- 665 -
Command Description
-set fips_mod- and database encryption.

e=non-enforcing
Note: Tenable Nessus Agent also disables the FIPS module when you dis-
able NIAP mode. For more information, see Configure Tenable Nessus Agent
for NIAP Compliance.
Fix Secure Settings
# nessuscli fix - Set secure settings on the agent.

-secure --set
<setting>=<value> Caution: Tenable does not recommend changing undocumented --secure
settings as it may result in an unsupported configuration.
For a list of supported secure settings, see Advanced Settings in the

Tenable Nessus Agent User Guide.
# nessuscli fix - (Nessus versions 10.4.0 and later only) Retrieve your unique agent link-
-secure --get ing key.
agent_linking_key
Note: You can only use this linking key to link an agent. You cannot use it
to link a scanner or a child node.
Resource Control
Commands
# nessuscli fix - Commands

-set process_pri-
Set, get, or delete the process_priority setting.
ority="<value>"
You can control the priority of the Tenable Nessus Agent relative to
# nessuscli fix -
the priority of other tasks running on the system by using the pro-
-get process_pri-
cess_priority preference.
ority
For valid values and more information on how the setting works, see
# nessuscli fix -
Agent CPU Resource Control in the Tenable Nessus Agent Deployment
-delete process_
and User Guide for <value> preference options
priority
- 666 -
Update Tenable Nessus Software (CLI)
When updating Tenable Nessus components, you can use the nessuscli update commands, also
found in the command-line section.
Note: If you are working with Tenable Nessus offline, see Manage Tenable Nessus Offline.
Note: You must run the following commands with administrator privileges.
Operating System Command
Linux # /opt/nessus/sbin/nessuscli <cmd> <arg1> <arg2>
Windows C:\Program Files\Tenable\Nessus <cmd> <arg1> <arg2>
macOS # /Library/Nessus/run/sbin/nessuscli <cmd> <arg1>

<arg2>
Software Update Commands
nessuscli update By default, this tool respects the software update options selected
through the Nessus user interface.
nessuscli update -- Forces updates for all Nessus components.

all
nessuscli update -- Forces updates for Nessus plugins only.

plugins-only
- 667 -
Additional Resources
This section contains the following resources:
l About Tenable Nessus Plugins
l Amazon Web Services
l Command Line Operations
l Configure Tenable Nessus for NIAP Compliance
l Create a Limited Plugin Policy
l Default Data Directories
l Manage Logs
l Tenable Nessus Credentialed Checks
l Offline Update Page Details
l Run Tenable Nessus as Non-Privileged User
l Scan Targets
- 668 -
Amazon Web Services
For information on integrating Tenable Nessus with Amazon Web Services, see the following:
l Tenable Nessus BYOL Scanner on Amazon Web Services
l Tenable Nessus Pre-Authorized Scanner
l Link a BYOL Scanner to with Pre-Authorized Scanner Features
- 669 -
Configure Tenable Nessus for NIAP Compliance
This version of Tenable Nessus is not NIAP-certified, but the niap_mode command still functions as expec-
ted.
If your organization requires that your instance of Tenable Nessus meets National Information
Assurance Partnership (NIAP) standards, you can configure Tenable Nessus so that relevant set-
tings are compliant with NIAP standards.
Before you begin:

l If you are using SSL certificates to log in SSL certificates to log in to Tenable Nessus, ensure
your server and client certificates are NIAP-compliant. You can either use your own cer-
tificates signed by a CA, or you can Create SSL Client Certificates for Login using Tenable Nes-
sus.
l Confirm you have enabled the full disk encryption capabilities provided by the operating sys-
tem on the host where you installed Tenable Nessus.
To configure Tenable Nessus for NIAP compliance:
1. Log in to your instance of Tenable Nessus.
2. Enable NIAP mode using the command line interface:
a. Access Tenable Nessus from a command line interface.
b. In the command line, enter the following command:
nessuscli fix --set niap_mode=enforcing
Linux example:
/opt/nessus/sbin/nessuscli fix --set niap_mode=enforcing
Tenable Nessus does the following:
Note: When Tenable Nessus is in NIAP mode, Tenable Nessus overrides the following settings as
long as Tenable Nessus remains in NIAP mode. If you disable NIAP mode, Tenable Nessus reverts to
what you had set before.
- 670 -
l Overrides the SSL Mode (ssl_mode_preference) with the TLS 1.2 (niap) option.
l Overrides the SSL Cipher List (ssl_cipher_list) setting with the NIAP Approved
Ciphers (niap) setting, which sets the following ciphers:
l ECDHE-RSA-AES128-SHA256
l ECDHE-RSA-AES128-GCM-SHA256
l ECDHE-RSA-AES256-SHA384
l ECDHE-RSA-AES256-GCM-SHA384
l Uses strict certificate validation:
l Disallows certificate chains if any intermediate certificate lacks the CA extension.
l Authenticates a server certificate, using the signing CA certificate.
l Authenticates a client certificate when using client certificate authentication for

login.
l Checks the revocation status of a CA certificate using the Online Certificate Status
Protocol (OCSP). If the certificate is revoked, then Tenable Nessus marks the cer-
tificate as invalid. If there is no response, then Tenable Nessus does not mark the
certificate as invalid.
l Ensure that the certificate has a valid, trusted CA that is in known_CA.inc. CA Cer-
tificates for Tenable Vulnerability Management and plugins.nessus.org are already
in known_CA.inc in the plugins directory.
l If you want to use a custom CA certificate that is not in known_CA.inc, copy it to

custom_CA.inc in the plugins directory.
Database encryption
You can convert encrypted databases from the default format (OFB-128) to NIAP-compliant encryp-
tion (XTS-AES-128).
Tenable Nessus in NIAP mode can read databases with the default format (OFB-128).
To convert encrypted databases to NIAP-compliant encryption:
- 671-
1. Stop Tenable Nessus.
2. Enable NIAP mode, as described in the previous procedure.
3. Enter the following command:
nessuscli security niapconvert
Tenable Nessus converts encrypted databases to XTS-AES-128 format.
- 672 -
Default Data Directories
The default Tenable Nessus data directory contains logs, certificates, temporary files, database
backups, plugins databases, and other automatically generated files.
Refer to the following table to determine the default data directory for your operating system.
Linux /opt/nessus/var/nessus
Windows C:\ProgramData\Tenable\Nessus\nessus
macOS /Library/Nessus/run/var/nessus
- 673 -
Encryption Strength
Tenable Nessus uses the following default encryption for storage and communications.
Function Default Encryption
Storing user account passwords SHA-512 and the PBKDF2 function with a 512-bit key
Storing user and service AES-128

accounts for scan credentials,
as described in Credentials
Scan Results AES-128
Communications between Ten- TLS 1.3 (fallback to TLS 1.2 or earlier, as configured) with
able Nessus and clients (GUI/ API the strongest encryption method supported by Tenable
users) Nessus and your browser or API program
Communications between Ten- TLS 1.2 with ECDHE-RSA-AES256-GCM-SHA384

able Nessus and the Tenable
product registration server
Communications between Ten- TLS 1.2 with ECDHE-RSA-AES256-GCM-SHA384

able Nessus and the Tenable plu-
gin update server
- 674 -
File and Process Allowlist
You need to allow Tenable Nessus to access third-party endpoint security products such as anti-
virus applications and host-based intrusion and prevention systems.
Note: If your Windows installation uses a non-standard drive or folder structure, use the
%PROGRAMFILES% and %PROGRAMDATA% environment variables.
The table following contains a list of Tenable Nessus folders, files, and processes that you should
allow. For information about allowlisting Tenable Nessus Agent processes, see File and Process
Allowlist in the Tenable Nessus Agent User Guide.
Note: In addition to the files and processes listed below, Tenable recommends allowlisting certain Tenable
sites on your firewall. For more information, see the Which Tenable sites should I allow? KB article.
Windows
Files
C:\ Program Files\ Tenable\ Nessus\ *
C:\ Program Files (x86)\ Tenable\ Nessus\ *
C:\ ProgramData\ Tenable\ Nessus\ *
Processes
C:\ Program Files\ Tenable\ Nessus\ nessuscli.exe
C:\ Program Files\ Tenable\ Nessus\ nessusd.exe
C:\ Program Files\ Tenable\ Nessus\ nasl.exe
C:\ Program Files\ Tenable\ Nessus\ nessus-service.exe
C:\ Program Files\ Tenable\ Nessus\ openssl.exe
C:\ Program Files (x86)\ Tenable\ Nessus\ nasl.exe
C:\ Program Files (x86)\ Tenable\ Nessus\ nessuscli.exe
C:\ Program Files (x86)\ Tenable\ Nessus\ nessusd.exe
- 675 -
C:\ Program Files (x86)\ Tenable\ Nessus\ nessus-service.exe
C:\ Program Files (x86)\ Tenable\ Nessus\ openssl.exe
Linux
Files
/ opt/ nessus/ bin/ *
/ opt/ nessus/ bin/ openssl
/ opt/ nessus/ sbin/ *
/ opt/ nessus_agent/ lib/ nessus/ *
Processes
/ opt/ nessus/ bin/ nasl
/ opt/ nessus/ sbin/ nessusd
/ opt/ nessus/ sbin/ nessuscli
/ opt/ nessus/ sbin/ nessus-service
macOS
Files
/ Library/ Nessus/ run/ sbin/ *
/ Library/ Nessus/ run/ bin/ *
Processes
/ Library/ Nessus/ run/ bin/ nasl
/ Library/ Nessus/ run/ bin/ openssl
/ Library/ Nessus/ run/ sbin/ nessus-service
/ Library/ Nessus/ run/ sbin/ nessuscli
/ Library/ Nessus/ run/ sbin/ nessusd
- 676 -
/ Library/ Nessus/ run/ sbin/ nessusmgt
Manage Logs
Tenable Nessus has the following default log files:
l nessusd.dump —Nessus dump log file used for debugging output.
l nessusd.messages —Nessus scanner log.
l www_server.log —Nessus web server log.
l backend.log —Nessus backend log.
l nessuscli.log —Nessuscli log.
- 677 -
Default Log Locations
The following are the default log file locations for each operating system.
l Linux —/opt/nessus/var/nessus/logs/<filename>
l macOS —/Library/Nessus/run/var/nessus/logs/<filename>
l Windows —C:\ProgramData\Tenable\Nessus\nessus\logs\<filename>
You can customize log file locations when you modify log settings.
- 678 -
Modify Log Settings
To modify log settings, use one of the following methods, depending on the log file:
l To modify log settings for www_server.log, backend.log, nessusd.dump, and custom logs,
see Modify log.json.
l To modify log settings for nessusd.dump and nessusd.messages, see Modify advanced set-
tings.
- 679 -
Modify log.json
You can configure log locations and rotation strategies for www_server.log and backend.log by
editing the log.json file. You can also configure custom logs by creating a new reporters[x].re-
porter section and creating a custom file name.
Note: You cannot configure nessusd.dump or nessusd.messages settings using log.json. Configure
those log settings using logfile_rot in the advanced settings.
To modify log settings using log.json:
1. Using a text editor, open the log.json file, located in the corresponding directory:
l Linux —/opt/nessus/var/nessus/log.json
l macOS —/Library/Nessus/run/var/nessus/log.json
l Windows —C:\ProgramData\Tenable\Nessus\nessus\log.json
2. For each log file, edit or create a reporters[x].reporter section, and add or modify the
parameters described in log.json Format.
3. Save the log.json file.
4. Restart the Tenable Nessus service.
The Tenable Nessus updates the log settings.
- 680 -
log.json Format
The following describe parameters in the log.json file, and whether Tenable recommends that you
modify the parameter. Some parameters are advanced and you do not need to modify them often. If
you are an advanced user who wants to configure a custom log file with advanced parameters, see
the knowledge base article for more information.
Parameter Default value Can be modified? Description
tags www_server.log: www_server.log: no Determines what log

response information the log
backend.log: yes
includes.
backend.log: log,
info, warn, l response —Web
error, trace server activity logs
Note: response
is the only valid
tag for www_serv-
er.log.
l info —Inform-
ational logs for a
specific task
l warn —Warning
logs for a specific
task
l error —Error logs

for a specific task
l debug —Debugging
output
l verbose —Debug-
ging output with
more information
than debug
- 681-
l trace —Logs used

to trace output
type file not recommended Determines the type of

the log file.
rotation_ size yes Determines whether the

strategy log archives files based
on maximum rotation
size or rotation time.
Valid values:
l size —Rotate the

log based on size,
as specified in
max_size.
l daily —Rotate the

log based on time,
as specified in
rotation_time.
rotation_ 86400 (1day) yes Rotation time in

time seconds.
Only used if rotation_

strategy is daily.
max_size Tenable yes Rotation size in bytes.

Nessus: 536870912
Only used if rotation_
(512 MB)
strategy is size.
Agent: 10485760 (10
MB)
max_files Tenable Nessus: 10 yes Maximum number of files

allowed in the file rota-
Agent: 2
- 682 -
tion.
The maximum number

includes the main file, so
10 max_files is 1main
file and 9 backups. If you
decrease this number,
Tenable Nessus deletes
the old logs.
file Depends on operating yes The location and name of

system and log file the log file. See Default
Log Locations.
If you change the name

of a default Tenable Nes-
sus log file, some
advanced settings may
not be able to modify the
log settings.
context true not recommended Enables more context

information for logs in
the system format, such
as backend.log.
format www_server.log: com- not recommended Determines the format

bined of the output.
backend.log: sys- l combined —

tem Presents output in
a format used for
web server logs.
l system —Presents
output in the
default operating
- 683 -
system log format.
The following are examples of a log.json file.
Linux example
{
"reporters": [
{
"tags": [
"response"
],
"reporter": {
"type": "file",
"rotation_strategy": "daily",
"rotation_time": "86400",
"max_size": "536870912",
"max_files": "1024",
"file": "/opt/nessus/var/nessus/logs/www_server.log"
},
"format": "combined"
},
{
"tags": [
"log",
"info",
"warn",
"error",
"trace"
],
"reporter": {
"type": "file",
"file": "/opt/nessus/var/nessus/logs/backend.log"
},
"context": true,
"format": "system"
}
]
- 684 -
}
Windows example
Note: The backslash (\) is a special character in JSON. To enter a backslash in a path string, you must
escape the first backslash with a second backslash so the path parses correctly.
{
"reporters": [
{
"tags": [
"response"
],
"reporter": {
"type": "file",
"max_size": "536870912",
"file": "C:\\ProgramData\\Tenable\\Nessus\\nessus\\logs\\www_server.log"
},
},
{
"tags": [
"log",
"info",
"warn",
"error",
"trace"
],
"reporter": {
"type": "file",
"file": "C:\\ProgramData\\Tenable\\Nessus\\nessus\\logs\\backend.log"
},
"context": true,
"format": "system"
}
- 685 -
]
}
macOS example
{
"reporters": [
{
"tags": [
"response"
],
"reporter": {
"type": "file",
"max_size": "536870912",
"file": "/Library/Nessus/run/var/nessus/logs/www_server.log"
},
},
{
"tags": [
"log",
"info",
"warn",
"error",
"trace"
],
"reporter": {
"type": "file",
"file": /Library/Nessus/run/var/nessus/logs/backend.log"
},
"context": true,
"format": "system"
}
]
}
- 686 -
Mass Deployment Support
You can automatically configure and deploy Tenable Nessus scanners using environment variables
or a configuration JSON file. This allows you to streamline a mass deployment.
When you first launch Tenable Nessus after installation, Tenable Nessus first checks for the pres-
ence of environment variables, then checks for the config.json file. When Tenable Nessus
launches for the first time, Tenable Nessus uses that information to link the scanner to a manager,
set preferences, and create a user.
Note: If you have information in both environment variables and config.json, Tenable Nessus uses both
sources of information. If there is conflicting information (for example, environment variables and con-
fig.json contain a different linking key), Tenable Nessus uses the information from the environment vari-
ables.
For more information, see the following:
l Tenable Nessus Environment Variables
l Deploy Tenable Nessus using JSON
- 687 -
Tenable Nessus Environment Variables
If you want to configure Tenable Nessus based on environment variables, you can set the following
environment variables in the shell environment that Tenable Nessus is running in.
User Configuration
Use the following environment variables for initial user configuration:
l NCONF_USER_USERNAME - Tenable Nessus username.
l NCONF_USER_PASSWORD - Tenable Nessus user password.
Note: If you create a user but leave the NCONF_USER_PASSWORD value empty, Tenable Nessus auto-
matically generates a password. To log in as the user, use nessuscli to change the user's pass-
word first.
l NCONF_USER_ROLE - Tenable Nessus user role.
Linking Configuration
Use the following environment variables for linking configuration:
l NCONF_LINK_HOST - The hostname or IP address of the manager you want to link to. To link to
Tenable Vulnerability Management, use cloud.tenable.com.
l NCONF_LINK_PORT - Port of the manager you want to link to.
l NCONF_LINK_NAME - Name of the scanner to use when linking.
l NCONF_LINK_KEY - Linking key of the manager you want to link to.
l NCONF_LINK_CERT - (Optional) CA certificate to use to validate the connection to the man-

ager.
l NCONF_LINK_RETRY - (Optional) Number of times Tenable Nessus should retry linking.
- 688 -
l NCONF_LINK_GROUPS - (Optional) One or more existing scanner groups where you want to add
the scanner. List multiple groups in a comma-separated list. If any group names have spaces,
use quotes around the whole list. For example: "Atlanta,Global Headquarters"
Deploy Tenable Nessus using JSON

You can automatically configure and deploy Tenable Nessus scanners using a JSON file, con-
fig.json. To determine the location of this file on your operating system, see Default Data Dir-
ectories.
Note: config.json must be in ASCII format. Some tools, such as PowerShell, create test files in other
formats by default.
- 689 -
Location of config.json File
Place the config.json file in the following location:
l Linux: /opt/nessus/var/nessus/config.json
l Windows: C:\ProgramData\Tenable\Nessus\nessus\config.json
- 690 -
Example Tenable Nessus File Format
{
"link": {
"name": "sensor name",
"host": "hostname or IP address",
"port": 443,
"key": "abcdefghijklmnopqrstuvwxyz",
"ms_cert": "CA certificate for linking",
"retry": 1,
"proxy": {
"proxy": "proxyhostname",
"proxy_port": 443,
"proxy_username": "proxyusername",
"proxy_password": "proxypassword",
"user_agent": "proxyagent",
"proxy_auth": "NONE"
}
},
"preferences": {
"global.max_hosts": "500"
},
"user": {
"username": "admin",
"password": "password",
"role": "system_administrator",
"type": "local"
}
}
- 691-
config.json Details
The following describes the format of the different settings in each section of config.json.
Note: All sections are optional; if you do not include a section, it is not configured when you first launch
Tenable Nessus. You can manually configure the settings later.
- 692 -
Linking
The link section sets preferences to link Tenable Nessus to a manager.
Setting Description
name (Optional)
A name for the scanner.
host The hostname or IP address of the manager you want to link to.
port The port for the manager you want to link to.
For Tenable Nessus Manager: 8834 or your custom port.
key The linking key that you retrieved from the manager.
ms_cert (Optional)
A custom CA certificate to use to validate the manager's server

certificate.
proxy (Optional)
If you are using a proxy server, include the following:
proxy: The hostname or IP address of your proxy server.
proxy_port:The port number of the proxy server.
proxy_username: The name of a user account that has per-

missions to access and use the proxy server.
proxy_password: The password of the user account that you spe-

cified as the username.
user_agent: The user agent name, if your proxy requires a preset

user agent.
proxy_auth: The authentication method to use for the proxy.
- 693 -
Preferences
The preferences section configures any advanced settings. For more information, see Advanced
Settings.
- 694 -
User
The user section creates a Tenable Nessus user.
Setting Description
username Username for the Tenable Nessus user.
password (Optional but recommended)
Password for the Tenable Nessus user.
If you create a user but leave the password value empty, Tenable Nessus auto-
matically generates a password. To log in as the user, use nessuscli to
change the user's password first.
role The role for the user. Set to disabled, basic, standard, administrator, or
system_administrator. For more information, see Users.
type Set to local.
Tenable Nessus Credentialed Checks

In addition to remote scanning, you can use Tenable Nessus to scan for local exposures. For inform-
ation about configuring credentialed checks, see Credentialed Checks on Windows and Cre-
dentialed Checks on Linux.
- 695 -
Purpose
External network vulnerability scanning is useful to obtain a snapshot in time of the network ser-
vices offered and the vulnerabilities they may contain. However, it is only an external perspective. It
is important to determine what local services are running and to identify security exposures from
local attacks or configuration settings that could expose the system to external attacks that an
external scan might not detect.
A typical network vulnerability assessment performs a remote scan against the external points of
presence and an on-site scan is performed from within the network. Neither of these scans can
determine local exposures on the target system. Some of the information gained relies on the ban-
ner information shown, which may be inconclusive or incorrect. By using secured credentials, you
can grant the Nessus scanner local access to scan the target system without requiring an agent.
This can facilitate scanning of a large network to determine local exposures or compliance viol-
ations.
The most common security problem in an organization is that security patches are not applied in a
timely manner. A Nessus credentialed scan can quickly determine which systems are out of date on
patch installation. This is especially important when a new vulnerability is made public and exec-
utive management wants a quick answer regarding the impact to the organization.
Another major concern for organizations is to determine compliance with site policy, industry stand-
ards (such as the Center for Internet Security (CIS) benchmarks) or legislation (such as Sarbanes-
Oxley, Gramm-Leach-Bliley, or HIPAA). Organizations that accept credit card information must
demonstrate compliance with the Payment Card Industry (PCI) standards. There have been quite a
few well-publicized cases where the credit card information for millions of customers was
breached. This represents a significant financial loss to the banks responsible for covering the pay-
ments and heavy fines or loss of credit card acceptance capabilities by the breached merchant or
processor.
- 696 -
Access Level
Credentialed scans can perform any operation that a local user can perform. The level of scanning
depends on the privileges granted to the user account that you configure Tenable Nessus to use.
Non-privileged users with local access on Linux systems can determine basic security issues, such
as patch levels or entries in the / etc/ passwd file. For more comprehensive information, such as sys-
tem configuration data or file permissions across the entire system, you need an account with
“root” privileges.
Tenable Nessus needs to use a local administrator account for credentialed scans on Windows sys-
tems. Several bulletins and software updates by Microsoft have made reading the registry to
determine software patch level unreliable without administrator privileges. Tenable Nessus needs
local administrative access to perform direct reading of the file system. This allows Nessus to
attach to a computer and perform direct file analysis to determine the true patch level of the sys-
tems that Tenable Nessus evaluates.
- 697 -
Detecting When Credentials Fail
If you are using Nessus to perform credentialed audits of Linux or Windows systems, analyzing the
results to determine if you had the correct passwords and SSH keys can be difficult. You can detect
if your credentials are not working using plugin 21745.
This plugin detects if either SSH or Windows credentials did not allow the scan to log into the
remote host. When a login is successful, this plugin does not produce a result.
Credentialed Checks on Windows

The process described in this section enables you to perform local security checks on Windows sys-
tems. You can only use Domain Administrator accounts to scan Domain Controllers.
Note: To run some local checks, Tenable Nessus requires that the host runs PowerShell 5.0 or newer.
Before you begin this process, ensure that there are no security policies in place that block cre-
dentialed checks on Windows, such as:
l Windows security policies
l Local computer policies (for example, Deny access to this computer from the network, Access
this computer from the network)
l Antivirus or endpoint security rules
l IPS/ IDS
- 698 -
Configure a Domain Account for Authenticated Scanning
To create a domain account for remote host-based auditing of a Windows server, the server must
first be a supported version of Windows and be part of a domain.
- 699 -
Create a Security Group called "Nessus Local Access"
1. Log in to a Domain Controller and open Active Directory Users and Computers.
2. To create a security group, select Action > New > Group.
3. Name the group Nessus Local Access. Set Scope to Global and Type to Security.
4. Add the account you plan to use to perform Tenable Nessus Windows Authenticated Scans to
the Tenable Nessus Local Access group.
- 700 -
Create a Group Policy called "Local Admin GPO"
1. Open the Group Policy Management Console.
2. Right-click Group Policy Objects and select New.
3. Type the name of the policy Nessus Scan GPO.
- 701-
Add the "Nessus Local Access"Group to the "Nessus Scan GPO
Policy"
1. Right-click Nessus Scan GPOPolicy, then select Edit.
2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Restric-
ted Groups.
3. In the left navigation bar on Restricted Groups, right-click and select Add Group.
4. In the Add Group dialog box, select browse and enter Nessus Local Access.
5. Select Check Names.
6. Select OK twice to close the dialog box.
7. Select Add under This group is a member of:
8. Add the Administrators Group.
9. Select OK twice.
Tenable Nessus uses Server Message Block (SMB) and Windows Management Instrumentation
(WMI). Ensure Windows Firewall allows access to the system.
- 702 -
Allow WMI on Windows
1. Right-click Nessus Scan GPOPolicy, then select Edit.
2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Windows
Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
3. Right-click in the working area and choose New Rule....
4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from
the drop-down box.
5. Select Next.
6. Select the check boxes for:
l Windows Management Instrumentation (ASync-In)
l Windows Management Instrumentation (WMI-In)
l Windows Management Instrumentation (DCOM-In)
7. Select Next.
8. Select Finish.
Tip: Later, you can edit the predefined rule created and limit the connection to the ports by IP Address and
Domain User to reduce any risk for abuse of WMI.
- 703 -
Link the GPO
1. In Group policy management console, right-click the domain or the OU and select Link an
Existing GPO.
2. Select the Tenable Nessus` Scan GPO.
- 704 -
Configure Windows
1. Under Windows Firewall > Windows Firewall Settings, enable File and Printer Sharing.
2. Using the gpedit.msc tool (via the Run prompt), invoke the Group Policy Object Editor. Nav-
igate to Local Computer Policy > Administrative Templates > Network > Network Connections
> Windows Firewall > Standard Profile > Windows Firewall : Allow inbound file and printer
exception, and enable it.
3. (Windows 8 and earlier only) While in the Group Policy Object Editor, navigate to Local Com-
puter Policy > Administrative Templates > Network > Network Connections > Prohibit use of
Internet connection firewall on your DNS domain and set it to either Disabled or Not Con-
figured.
4. Enable the Remote Registry service (it is disabled by default). If the service is set to manual
(rather than enabled), plugin IDs 42897 and 42898 only enable the registry during the scan.
Note: Enabling this option configures Tenable Nessus to attempt to start the remote
registry service before starting the scan.
The Windows credentials provided in the Tenable Nessus scan policy must have admin-
istrative permissions to start the Remote Registry service on the host being scanned.
5. Open TCP ports 139 and 445 between Tenable Nessus and the target.
6. Using either the AutoShareServer (Windows Server) or AutoShareWks (Windows Workstation),

enable the following default administrative shares:
l IPC$
l ADMIN$
Note: Windows 10 disables ADMIN$ by default. For all other operating systems, the three
shares are enabled by default and can cause other issues if disabled by default. For more
information, see http:/ / support.microsoft.com/ kb/ 842715/ en-us.
l C$
Caution: While not recommended, you can disable Windows User Account Control (UAC).
- 705 -
Tip: To turn off UAC completely, open the Control Panel, select User Accounts, and then set
Turn User Account Control to off. Alternatively, you can add a new registry key named LocalAc-
countTokenFilterPolicy and set its value to 1.
You must create this key in the registry at the following location: HKLM\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.
For more information on this registry setting, consult the MSDN 766945 KB. In Windows 7 and 8,
if you disable UAC, then you must set EnableLUA to 0 in HKEY_LOCAL_MACHINE\Soft-
ware\Microsoft\Windows\CurrentVersion\Policies\System as well.
What to do next:
l View the prerequisites for Windows credentialed checks.
l Enable Windows logins for local and remote audits.
l Configure a Tenable Nessus scan for Windows Logins.
- 706 -
Prerequisites
A common mistake is to create a local account that does not have enough privileges to log on
remotely and do anything useful. By default, Windows assigns new local accounts Guest privileges if
they are logged into remotely. This prevents remote vulnerability audits from succeeding. Another
common mistake is to increase the amount of access that the Guest users obtain. This reduces the
security of your Windows server.
- 707 -
Enable Windows Logins for Local and Remote Audits
The most important aspect of Windows credentials is that the account used to perform the checks
needs privileges to access all required files and registry entries which, often, means administrative
privileges. If you do not provide Tenable Nessus with credentials for an administrative account, at
best, you can use it to perform registry checks for the patches. While this is still a valid method to
find installed patches, it is incompatible with some third-party patch management tools that may
neglect to set the key in the policy. If Tenable Nessus has administrative privileges, it checks the
version of the dynamic-link library (.dll) on the remote host, which is considerably more accurate.
The following bullets describe how to configure a domain or local account to use for Windows cre-
dentialed checks, depending on your needs.
l
Use Case # 1: Configure a Domain Account for Local Audits
To create a domain account for remote, host-based auditing of a Windows server, the server
must be part of a domain. To configure the server to allow logins from a domain account, use
the Classic security model, as described in the following steps:
1. Open the Start menu and select Run.
2. Enter gpedit.msc and select OK.
3. Select Computer Configuration > Windows Settings > Security Settings > Local Policies >
Security Options.
4. In the list, select Network access: Sharing and security model for local accounts.
The Network access: Sharing and security model for local accounts window appears.
5. In the Local Security Setting section, in the drop-down box, select Classic - local users
authenticate as themselves.
This allows local users of the domain to authenticate as themselves, even though they
are not physically local on the particular server. Without doing this, all remote users,
even real users in the domain, authenticate as guests and do not have enough cre-
- 708 -
dentials to perform a remote audit.
6. Click OK.
Note: To learn more about protecting scanning credentials, see 5 Ways to Protect Scanning Credentials
for Windows Hosts.
l
Use Case # 2: Configure a Local Account
To configure a standalone (in other words, not part of a domain) Windows server with cre-
dentials you plan to use for credentialed checks, create a unique account as the admin-
istrator.
Do not set the configuration of this account to the default of Guest only: local users authen-
ticate as guest. Instead, switch this to Classic: local users authenticate as themselves.
Configure Windows
Once you create an appropriate account for credentialed checks, there are several Windows con-
figuration options that you must enable or disable before scanning (for more information, see Cre-
dentialed Checks on Windows):
l
(Local accounts only) User Account Control (UAC)
Disable Windows User Account Control (UAC), or you must change a specific registry setting
allow Tenable Nessus audits. To disable UAC, open the Control Panel, select User Accounts,
and set Turn User Account Control to Off.
Alternatively, instead of disabling UAC, Tenable recommends adding a new registry DWORD
named LocalAccountTokenFilterPolicy and setting its value to 1. Create this key in the fol-
lowing registry: HKLM\SOFTWARE\Mi-
crosoft\Win-
dows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy. For more
information on this registry setting, see the MSDN 766945 KB.
l
Host Firewall
- 709 -
l Using the Run prompt, run gpedit.msc and enable Group Policy Object Editor. Navigate
to Local Computer Policy > Administrative Templates > Network > Network Connections
> Windows Firewall > Standard Profile > Windows Firewall: Allow inbound file and printer
exception and enable it.
While in the Group Policy Object Editor, navigate to Local Computer Policy > Admin-
istrative Templates > Network > Network Connections > Prohibit use of Internet con-
nection firewall on your DNS domain. Set this option to either Disabled or Not
Configured.
l Open any host firewalls to allow connections from Tenable Nessus to File and Printer
Sharing on TCP ports 139 and 445.
l If you want Tenable Nessus to pick up any open ports or services on the host,
those ports also need to be accessible to the scanner.
l
Remote Registry
Enable the Remote Registry. You can enable it for a one-time audit, or leave it enabled per-
manently if you perform frequent audits.
Note: For information on enabling the Remote Registry during scans, see How to enable the "Start the
Remote Registry service during the scan" option in a scan policy.
l
Administrative Shares
Enable administrative shares (IP$, ADMIN$, C$).
Note: Windows 10 disables ADMIN$ by default. For all other operating systems, the three admin-
istrative shares are enabled by default and can cause other issues if disabled. For more information,
see http:/ / support.microsoft.com/ kb/ 842715/ en-us.
Note: To troubleshoot missing administrative shares, see the related Microsoft troubleshooting topic.
- 710 -
Configure a Tenable Nessus Scan for Windows Logins
Tenable Nessus allows you to configure your scan configurations with the credentials needed for
Windows logins. You can do so during the Create a Scan process, or you can add credentials to an
existing scan configuration.
To configure a Tenable Nessus scan configuration for Windows logins:

1. In the scan settings, click the Credentials tab.
The Credentials menu opens.
2. In the Categories drop-down menu, select Host.
3. In the Host category, click Windows.
A Windows credentials pane appears.
4. Select an authentication method. Depending on the method, the remaining Windows settings
change.
5. Depending on the authentication method, specify the SMB account username, password or
hash, and domain.
To view the Windows credential setting descriptions, see Windows.
6. Click Save. Tenable Nessus saves the new Windows credentials.
- 711-
Credentialed Checks on Linux
The process described in this section enables you to perform local security checks on Linux based
systems. The SSH daemon used in this example is OpenSSH. If you have a commercial variant of
SSH, your procedure may be slightly different.
You can enable local security checks using an SSH private/ public key pair or user credentials and
sudo or su access.
What to do next:
l View the prerequisites for Linux credentialed checks.
l Enable SSH local security checks.
l Configure Tenable Nessus for SSH host-based checks.
- 712 -
Prerequisites
Configuration Requirements for SSH

Nessus supports the blowfish-cbc, aesXXX-cbc (aes128, aes192, and aes256), 3des-cbc, and aes-ctr
algorithms.
Some commercial variants of SSH do not have support for the blowfish cipher, possibly for export
reasons. It is also possible to configure an SSH server to only accept certain types of encryption.
Check that your SSH server supports the correct algorithm.
User Privileges
For maximum effectiveness, the SSH user must be able to run any command on the system. On
Linux systems, the SSH user must have root privileges. While it is possible to run some checks
(such as patch levels) with non-privileged access, full compliance checks that audit system con-
figuration and file permissions require root access. For this reason, Tenable recommends that you
use SSH keys instead of credentials when possible.
Configuration Requirements for Kerberos

If you use Kerberos, you must configure sshd with Kerberos support to verify the ticket with the
KDC. You must properly configure reverse DNS lookups for this to work. The Kerberos interaction
method must be gssapi-with-mic.
Enable SSH Local Security Checks

This section provides a high-level procedure for enabling SSH between the systems involved in the
Tenable Nessus credential checks. It is not an in-depth tutorial on SSH, and assumes the reader has
the prerequisite knowledge of Linux system commands.
- 713 -
Generate SSH Public and Private Keys
The first step is to generate a private/ public key pair for the Tenable Nessus scanner to use. You
can generate this key pair from any of your Linux systems, using any user account. However, it is
important that the defined Tenable Nessus user owns the keys.
To generate the key pair, use ssh-keygen and save the key in a safe place (see the following Red
Hat ES 3 installation example).
# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/test/.ssh/id_dsa):
/home/test/Nessus/ssh_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in
/home/test/Nessus/ssh_key.
Your public key has been saved in
/home/test/Nessus/ssh_key.pub.
The key fingerprint is:
06:4a:fd:76:ee:0f:d4:e6:4b:74:84:9a:99:e6:12:ea
#
Do not transfer the private key to any system other than the one running the Tenable Nessus server.
When ssh-keygen asks you for a passphrase, enter a strong passphrase or press the Return key
twice (that is, do not set any passphrase). If you specify a passphrase, you must specify it in
Policies > Credentials > SSH settings for Tenable Nessus to use key-based authentication.
Tenable Nessus Windows users may wish to copy both keys to the main Tenable Nessus application
directory on the system running Tenable Nessus (C:\Program Files\Tenable\Nessus by
default), and then copy the public key to the target systems as needed. This makes it easier to man-
age the public and private key files.
- 714 -
Create a User Account and Set Up the SSH Key
On every target system that you want to scan using local security checks, create a new user
account dedicated to Tenable Nessus. This user account must have exactly the same name on all
systems. For this document, we call the user nessus, but you can use any name.
Once you create the user account, make sure that the account has no valid password set. On Linux
systems, new user accounts are locked by default, unless you explicitly set an initial password. If
you are using an account where someone had set a password, use the passwd –l command to lock
the account.
You must also create the directory under this new account’s home directory to hold the public key.
For this exercise, the directory is /home/nessus/.ssh. See the following Linux systems example:
# passwd –l nessus
# cd /home/nessus
# mkdir .ssh
#
For Solaris 10 systems, Sun has enhanced the passwd(1) command to distinguish between locked
and non-login accounts. This is to ensure that you cannot use a locked user account to execute
commands (for example, cron jobs). You only use non-login accounts to execute commands, and
they do not support an interactive login session. These accounts have the “NP” token in the pass-
word field of /etc/shadow. To set a non-login account and create the SSH public key directory in
Solaris 10, run the following commands:
# passwd –N nessus
# grep nessus /etc/shadow
nessus:NP:13579::::::
# cd /export/home/nessus
# mkdir .ssh
#
Now that you have created the user account, you must transfer the key to the system, place it in
the appropriate directory, and set the correct permissions.
- 715 -
Example
From the system containing the keys, secure copy the public key to system that you want to scan
for host checks as shown in the following example.
# scp ssh_key.pub root@192.1.1.44:/home/nessus/.ssh/authorized_keys

#
You can also copy the file from the system on which you installed Tenable Nessus using the secure
ftp command, sftp. You must name the file on the target system authorized_keys.
- 716 -
Return to the Public Key System
Set the permissions on both the /home/nessus/.ssh directory and the authorized_keys file.
# chown -R nessus:nessus ~nessus/.ssh/

# chmod 0600 ~nessus/.ssh/authorized_keys
# chmod 0700 ~nessus/.ssh/
#
Repeat this process on all systems that you want to test for SSH checks (starting at “Creating a
User Account and Setting up the SSH Key” above).
Test to make sure that the accounts and networks are configured correctly. Using the simple Linux
command id, from the Tenable Nessus scanner, run the following command:
# ssh -i /home/test/nessus/ssh_key nessus@192.1.1.44 id

uid=252(nessus) gid=250(tns) groups=250(tns)
#
If it successfully returns information about the Tenable Nessus user, the key exchange was suc-
cessful.
- 717 -
Configure Tenable Nessus for SSH Host-Based Checks
If you have not already done so, secure copy the private and public key files to the system that you
plan to use to access the Tenable Nessus scanner, as described in Enable SSH Local Security
Checks.
Tenable Nessus User Interface Steps

1. Click New Scan to create a new scan and select a template.
-or-
Click My Scans in the left navigation bar, choose an existing scan, then click the Configure but-
ton.
3. Select SSH.
4. In the Authentication method drop-down box, select an authentication method.
5. Configure the remaining settings.
- 718 -
Run Tenable Nessus as Non-Privileged User
Tenable Nessus can run as a non-privileged user.
Limitations
l When scanning localhost, Nessus plugins assume that they are running as root. Therefore, cer-
tain types of scans may fail. For example, because Nessus is now running as a non-privileged
user, file content Compliance Audits may fail or return erroneous results since the plugins are
not able to access all directories.
l nessuscli does not have a --no-root mode. Running commands with nessuscli as root
could potentially create files in the Nessus install directory owned by root, which can prohibit
Nessus from accessing them successfully. Use care when running nessuscli, and potentially
fix permissions with chown after using it.
- 719 -
Run Nessus on Linux with Systemd as a Non-Privileged User
Limitations
could potentially create files in the Nessus install directory owned by root, which can prohibit
Nessus from accessing them successfully. Use care when running nessuscli, and potentially
fix permissions with chown after using it.
Steps
l If you have not already, install Nessus.
l If you already installed Nessus and are running it, stop nessusd.
2. Create a non-root account to run the Nessus service.
sudo useradd -r -m nonprivuser
3. Remove world permissions on Nessus binaries in the /sbin directory.
sudo chmod 750 /opt/nessus/sbin/*
4. Change ownership of /opt/nessus to the non-root user.
sudo chown nonprivuser:nonprivuser -R /opt/nessus
Note: You need to complete steps 3 and 4 every time Tenable Nessus is updated.
5. Set capabilities on nessusd and nessus-service.
- 720 -
Tip: Use cap_net_admin to put interface in promiscuous mode.
Use cap_net_raw to create raw sockets for packet forgery.
Use cap_sys_resource to set resource limits.
If this is only a manager, and you do not want this instance of Nessus to perform scans, you
need to provide it only with the capability to change its resource limits.
sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessusd

sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessus-service
If you want this instance of Nessus to perform scans, you need to add more permissions to
allow packet forgery and enabling promiscuous mode on the interface.
sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip"

/opt/nessus/sbin/nessusd
/opt/nessus/sbin/nessus-service
6. Create an override configuration file by running the following two commands:
mkdir -p /etc/systemd/system/nessusd.service.d/
printf '[Service]\nExecStart=\nExecStart=/opt/nessus/sbin/nessus-service -q --no-
root\nUser=nonprivuser\n' > /etc/systemd/system/nessusd.service.d/override.conf
This file overrides the ExecStart and User options in the nessusd service unit file (/ us-
r/ lib/ systemd/ system/ nessusd.service) with the non-privileged settings.
7. Reload the systemd manager configuration to include the override configuration file by run-
ning the following command:
sudo systemctl daemon-reload
8. Start nessusd by running the following command:
sudo service nessusd start
9. Verify Tenable Nessus is running as a non-privileged user by running the following command:
- 721-
service nessusd status
If Tenable Nessus is running as a non-privileged user, override.conf shows under /etc/sys-

temd/system/nessusd.service.d and CGroup (Control Group) shows that you started both nes-
sus-service and nessusd with the --no-root parameter.
- 722 -
Run Nessus on Linux with init.d Script as a Non-Privileged User
Limitations
When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain
types of scans may fail. For example, because Nessus is now running as a non-privileged user, file
content Compliance Audits may fail or return erroneous results since the plugins are not able to
access all directories.
Because nessuscli does not have a --no-root mode, running commands with nessuscli as
root could potentially create files in the Nessus install directory owned by root, which can prohibit
Nessus from accessing them successfully. Use care when running nessuscli, and potentially fix
permissions with chown after using it.
Steps
1. If you have not already, install Nessus.
sudo useradd -r -m nonprivuser
3. Remove 'world' permissions on Nessus binaries in the / sbin directory.
sudo chmod 750 /opt/nessus/sbin/*
4. Change ownership of / opt/ nessus to the non-root user.
sudo chown nonprivuser:nonprivuser -R /opt/nessus
5. Set capabilities on nessusd and nessus-service.
Tip:
Use cap_net_admin to put the interface in promiscuous mode.
Use cap_net_raw to create raw sockets for packet forgery.
- 723 -
Use cap_sys_resource to set resource limits.
If this is only a manager, and you do not want this instance of Nessus install to perform scans,
you need to provide it only with the capability to change its resource limits.
sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessusd

sudo setcap "cap_sys_resource+eip" /opt/nessus/sbin/nessus-service
If you want this instance of Nessus to perform scans, you need to add extra permissions to
allow packet forgery and enabling promiscuous mode on the interface.

/opt/nessus/sbin/nessusd
/opt/nessus/sbin/nessus-service
6. Add the following line to the /etc/init.d/nessusd script:
CentOS
daemon --user=nonprivuser /opt/nessus/sbin/nessus-service -q -D --no-root
Debian
start-stop-daemon --start --oknodo --user nonprivuser --name nessus --

pidfile --chuid nonprivuser --startas /opt/nessus/sbin/nessus-service -- -q
-D --no-root
Depending on your operating system, the resulting script should appear as follows:
CentOS
start() {
KIND="$NESSUS_NAME"
echo -n $"Starting $NESSUS_NAME : "
daemon --user=nonprivuser /opt/nessus/sbin/nessus-service -q -D --no-root
- 724 -
echo "."
return 0
}
Debian
start() {
KIND="$NESSUS_NAME"
echo -n $"Starting $NESSUS_NAME : "
start-stop-daemon --start --oknodo --user nonprivuser --name nessus --pidfile
--chuid nonprivuser --startas /opt/nessus/sbin/nessus-service -- -q -D --no-root
echo "."
return 0
}
7. Start nessusd.
In this step, Nessus starts as root, but init.d starts it as nonprivuser.
sudo service nessusd start
Note: If you are running Nessus on Debian, after starting Nessus, run the chown -R
nonprivuser:nonprivuser /opt/nessus command to regain ownership of directories created at
runtime.
- 725 -
Run Nessus on macOS as a Non-Privileged User
Limitations
could potentially create files in the Nessus install directory owned by root, which could cause
Nessus to be unable to access them appropriately. Use care when running nessuscli, and
potentially fix permissions with chown after using it.
Steps
1. If you have not already done so, Install Nessus on MacOSX.
2. Since the Nessus service is running as root, you need to unload it.
Use the following command to unload the Nessus service:
sudo launchctl unload /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
3. On the Mac, in System Preferences > Users & Groups, create a new Group.
4. Next, in System Preferences > Users & Groups, create the new Standard User. Configure this
user to run as the Nessus non-privileged account.
- 726 -
5. Add the new user to the group you created in Step 1.
- 727 -
6. Remove 'world' permissions on Nessus binaries in the / sbin directory.
sudo chmod 750 /Library/Nessus/run/sbin/*
7. Change ownership of /Library/Nessus/run directory to the non-root (Standard) user you

created in Step 2.
sudo chown -R nonprivuser:nonprivuser /Library/Nessus/run
8. Give that user read/ write permissions to the /dev/bpf* devices. A simple way to do this is to
install Wireshark, which creates a group called access_bpf and a corresponding launch dae-
mon to set appropriate permissions on /dev/bpf* at startup. In this case, you can simply
assign the nonpriv user to be in the access_bpf group. Otherwise, you need to create a
launch daemon giving the "nonpriv" user, or a group that it is a part of, read/ write permissions
to all / dev/ bpf*.
9. For Step 8. changes to take effect, reboot your system.
- 728 -
10. Using a text editor, modify the Nessus / Library/ LaunchDae-
mons/ com.tenablesecurity.nessusd.plist file and add the following lines. Do not modify any of
the existing lines.
<string>--no-root</string>
<key>UserName</key>
<string>nonprivuser</string>
11. Using sysctl, verify the following parameters have the minimum values:
$ sysctl debug.bpf_maxdevices
debug.bpf_maxdevices: 16384
$ sysctl kern.maxfiles
kern.maxfiles: 12288
$ sysctl kern.maxfilesperproc
kern.maxfilesperproc: 12288
$ sysctl kern.maxproc
kern.maxproc: 1064
$ sysctl kern.maxprocperuid
kern.maxprocperuid: 1064
12. If any of the values in Step 9. do not meet the minimum requirements, take the following
steps to modify values.
- 729 -
Create a file called / etc/ sysctl.conf.
Using a text editor, edit the systctl.conf file with the correct values found in Step 9.
Example:
$ cat /etc/sysctl.conf
kern.maxfilesperproc=12288
kern.maxproc=1064
kern.maxprocperuid=1064
13. Next, using the launchctl limit command, verify your OS default values.
Example: MacOSX 10.10 and 10.11values.
$ launchctl limit
cpu unlimited unlimited
filesize unlimited unlimited
data unlimited unlimited
stack 8388608 67104768
core 0 unlimited
rss unlimited unlimited
memlock unlimited unlimited
maxproc 709 1064
maxfiles 256 unlimited
14. If you do not set any of the values in Step 11to the default OSX values above, take the fol-
lowing steps to modify values.
Using a text editor, edit the launchd.conf file with the correct, default values as shown in Step
11.
Example:
$ cat /etc/launchd.conf
limit maxproc 709 1064
Note: Some older versions of OSX have smaller limits for maxproc. If your version of OSX supports
increasing the limits through / etc/ launchctl.conf, increase the value.
15. For all changes to take effect either reboot your system or reload the launch daemon.
- 730 -
sudo launchctl load /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
Run Nessus on FreeBSD as a Non-Privileged User
Limitations
could potentially create files in the Nessus install directory owned by root, which could cause
Nessus to be unable to access them appropriately. Use care when running nessuscli, and
potentially fix permissions with chown after using it.
Note: Unless otherwise noted, execute the following commands in a root login shell.
1. If you have not already done so, Install Nessus on FreeBSD.
pkg add Nessus-*.txz

In this example, the user creates nonprivuser in the nonprivgroup.
# adduser
Username: nonprivuser
Full name: NonPrivUser
Uid (Leave empty for default):
Login group [nonprivuser]:
Login group is nonprivuser. Invite nonprivuser into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]:
Home directory [/home/nonprivuser]:
Home directory permissions (Leave empty for default):
- 731-
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : nonprivuser
Password : *****
Full Name : NonPrivUser
Uid : 1003
Class :
Groups : nonprivuser
Home : /home/nonprivuser
Home Mode :
Shell : /bin/sh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (nonprivuser) to the user database.
Add another user? (yes/no): no
Goodbye!
3. Remove 'world' permissions on Nessus binaries in the /sbin directory.
chmod 750 /usr/local/nessus/sbin/*
4. Change ownership of /opt/nessus to the non-root user.
chown -R nonprivuser:nonprivuser /usr/local/nessus
5. Create a group to give the non-root user access to the /dev/bpf device and allow them to
use raw sockets.
pw groupadd access_bpf
pw groupmod access_bpf -m nonprivuser
- 732 -
6. Confirm that nonprivuser appears in the group.
# pw groupshow access_bpf
access_bpf:*:1003:nonprivuser
7. Next, check your system limit values.

Using the ulimit -a command, verify that each parameter has, at minimum, the following val-
ues.
This example shows FreeBSD 10 values:
# ulimit -a
cpu time (seconds, -t) unlimited
file size (512-blocks, -f) unlimited
data seg size (kbytes, -d) 33554432
stack size (kbytes, -s) 524288
core file size (512-blocks, -c) unlimited
max memory size (kbytes, -m) unlimited
locked memory (kbytes, -l) unlimited
max user processes (-u) 6670
open files (-n) 58329
virtual mem size (kbytes, -v) unlimited
swap limit (kbytes, -w) unlimited
sbsize (bytes, -b) unlimited
pseudo-terminals (-p) unlimited
8. If any of the values in Step 6. do not meet the minimum requirements, take the following
steps to modify values.
Using a text editor, edit the /etc/sysctl.conf file.

Next, using the service command, restart the sysctl service:
service sysctl restart
Alternatively, you can reboot your system.

Verify the new, minimum required values by using the ulimit -a command again.
- 733 -
9. Next, using a text editor, modify the /usr/local/etc/rc.d/nessusd service script to
remove and add the following lines:
Remove: /usr/local/nessus/sbin/nessus-service -D -q
Add: chown root:access_bpf /dev/bpf
Add: chmod 660 /dev/bpf
Add: daemon -u nonprivuser /usr/local/nessus/sbin/nessus-service -D -q --
no-root
The resulting script should appear as follows:
nessusd_start() {
echo 'Starting Nessus...'
chown root:access_bpf /dev/bpf
chmod 660 /dev/bpf
daemon -u nonprivuser /usr/local/nessus/sbin/nessus-service -D -q --no-root
}
nessusd_stop() {
test -f /usr/local/nessus/var/nessus/nessus-service.pid && kill `cat
/usr/local/nessus/var/nessus/nessus-service.pid` && echo 'Stopping Nessus...' &&
sleep 3
}
- 734 -
Upgrade Assistant
The following feature is not supported in Federal Risk and Authorization Manage Program (FedRAMP) envir-
onments. For more information, see the FedRAMP Product Offering.
You can upgrade data from Tenable Nessus to Tenable Vulnerability Management via the Upgrade
Assistant tool.
For more information, see Nessus to Tenable Vulnerability Management Upgrade Assistant.
- 735 -

Nessus 8 15

Uploaded by

Copyright:

Available Formats

Nessus 8 15

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Nessus 8 15

Uploaded by

Copyright:

Available Formats

Tenable Nessus 8.15.

Welcome to Tenable Nessus 8.15.x 20

Get Started with Tenable Nessus 23

Install and Configure Tenable Nessus 25

Create and Configure Scans 26

View and Analyze Scan Results 27

Refine Tenable Nessus Settings 28

Navigate Tenable Nessus 29

Tenable Nessus Scanners and Tenable Nessus Professional 33

Tenable Nessus Manager 34

PDF Report Requirements 42

Customize SELinux Enforcing Mode Policies 43

Tenable Nessus Agents 49

Network Address Translation (NAT) Limitation 52

Certificates and Certificate Authorities 55

Custom SSL Server Certificates 57

Create a New Server Certificate and CA Certificate 59

Upload a Custom Server Certificate and CA Certificate 61

Create SSL Client Certificates for Login 67

Tenable Nessus Manager Certificates and Tenable Nessus Agent 70

Install Tenable Nessus 72

Download Tenable Nessus 73

Install Tenable Nessus 74

Install Tenable Nessus on Linux 75

Install Tenable Nessus on Windows 76

Download Nessus Package File 77

Start Nessus Installation 78

Install Tenable Nessus on macOS 80

Deploy Tenable Nessus as a Docker Image 82

Install Tenable Nessus Agents 88

Retrieve the Nessus Agent Linking Key 89

Link an Agent to Tenable Nessus Manager 90

Upgrade Tenable Nessus and Tenable Nessus Agents 93

Upgrade from Evaluation 95

Update Tenable Nessus Software 96

Upgrade Nessus on Linux 99

Upgrade Nessus on Windows 100

Upgrade Nessus on macOS 101

Update a Nessus Agent 102

Downgrade Tenable Nessus Software 103

Configure Tenable Nessus 106

Install Tenable Nessus Essentials, Professional, or Manager 107

Link to Tenable Vulnerability Management 109

Link to Tenable Security Center 115

Link to Tenable Nessus Manager 118

Link a Node 121

Manage Tenable Nessus Offline 123

Scenario 2: Update Nessus Licensing 125

Scenario 3: Update Nessus Plugins 126

Nessus Offline Operations 127

Manage Activation Code 128

View Activation Code 129

Reset Activation Code 130

Update Activation Code 131

Transfer Activation Code 132

Nessus User Interface 133

Command Line Interface 134

Manage Tenable Nessus Offline 134

Scenario 1: New Nessus Install 135