Recent Content
Webinar: Tenable Office Hours
If you have questions about your Tenable solutions, join our Office Hours webinars for answers. Led by Tenable security engineers, these sessions provide an open forum for addressing your challenges and sharing best practices through discussion and demonstrations. Sessions are recurring throughout the year. To view the full schedule and register, please visit: https://www.tenable.com/webinars/tenable-office-hours

PLUS: Join the Office Hours Group on Tenable Connect to catch the latest Office Hours recordings.

How Does Tenable Vulnerability Management Identify an Asset as Unique
APPLIES TO
Tenable Vulnerability Management

OPERATING SYSTEM(S)
N/A

INFORMATION
Identification is the process of matching a set of attributes collected by a sensor (e.g. Nessus) to an existing asset. If Tenable Vulnerability Management is unable to find an existing asset that matches the incoming host, it is treated as a new asset and added to Tenable Vulnerability Management. The following section explains how Tenable Vulnerability Management matches hosts to assets.

DETAILS
Each identification request is based on a list of key-value pairs representing properties that have been observed/collected. Tenable Vulnerability Management uses a subset of these properties, called Identification Attributes (IA), in an attempt to determine whether an asset has been previously seen. Our current list of IAs is below. These are ordered from authoritative to speculative, based on their ability to accurately link a host to an existing asset.

Globally Authoritative Identifying Attributes
- AWS EC2 Instance ID
- Azure VM ID
- GCP ID (Composite of Project/Zone/Instance IDs)
- BigFix Asset ID
- Tenable Hardware Tag (Tenable UUID)
- Security Center Host UUID
- Microsoft Entra ID Hardware ID
- Microsoft Entra ID Device ID
- Active Directory ObjectSid
- Active Directory Distinguished Name
- Windows Defender Security Agent ID
- Crowdstrike Agent ID
- Qualys Agent ID
- Carbonblack Device ID
- Network Device Serial Identifier
- BIOS UUID

Network Scoped Identifying Attributes
- MAC Address
- NetBIOS Name
- FQDN (including rDNS)
- IPv6 Addresses
- Primary IPv4 Address
- Other IPv4 Addresses
- Operating Systems Family*

Internal IDs generated by cloud computing platforms (Amazon Elastic Cloud Compute, Microsoft Azure, Google Compute Engine, etc.) are 100% authoritative and unique. If the Tenable Vulnerability Management asset tracking system matches assets using one of these identifiers, the decision is guaranteed to be correct. Every asset should have at most one value for an identifier in this class.
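A simplified model of this matching, added here as an illustration and not Tenable's implementation: attributes are tried from authoritative to speculative, and MAC address, NetBIOS name, FQDN and IPv4 values count only within the same network. The attribute keys, asset IDs, sample values and the conflict rule are assumptions.

```python
# Precedence follows the article's ordering (subset); the key names are hypothetical.
GLOBAL_ATTRS = ("aws_ec2_instance_id", "azure_vm_id", "tenable_uuid")
NETWORK_ATTRS = ("mac_address", "netbios_name", "fqdn", "ipv4")

def conflicts(asset, observed):
    """Assumption: two different values for a globally authoritative ID rule out a match."""
    return any(a in asset and a in observed and asset[a] != observed[a] for a in GLOBAL_ATTRS)

def identify(inventory, observed):
    """Return (asset_id, matched_attribute), or (None, None) when the host looks new."""
    for attr in GLOBAL_ATTRS + NETWORK_ATTRS:
        value = observed.get(attr)
        if value is None:
            continue
        for asset_id, asset in inventory.items():
            if asset.get(attr) != value or conflicts(asset, observed):
                continue
            if attr in NETWORK_ATTRS and asset.get("network") != observed.get("network"):
                continue  # same value seen in another network: a different asset
            return asset_id, attr
    return None, None

def ingest(inventory, observed):
    """Merge the observation into the matched asset, or register a new one."""
    asset_id, attr = identify(inventory, observed)
    if asset_id is None:
        asset_id = f"asset-{len(inventory) + 1}"
        inventory[asset_id] = {}
    inventory[asset_id].update(observed)
    return asset_id, attr

def demo():
    """Constructed observations; returns the (asset_id, matched_attribute) for each."""
    inv = {}
    scans = [
        {"aws_ec2_instance_id": "i-constructed-01", "ipv4": "10.0.0.5", "network": "Default"},
        {"aws_ec2_instance_id": "i-constructed-01", "ipv4": "10.0.0.9", "network": "Default"},
        {"ipv4": "10.0.0.9", "network": "Branch"},
        {"ipv4": "10.0.0.9", "network": "Default"},
        {"aws_ec2_instance_id": "i-constructed-02", "ipv4": "10.0.0.9", "network": "Default"},
    ]
    return [ingest(inv, s) for s in scans]
```

In the constructed run, the fourth observation is merged on IPv4 alone, the most speculative kind of match, while the same address in another network or under a different instance ID becomes a new asset.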

Network Scoped Identifying Attributes are considered to be "scoped" to the network, meaning that for an asset to be considered as unique with the same MAC Address, NetBIOS Name, FQDN or IPv4 the asset will need to belong to the same Tenable Vulnerability Management defined Network as well. For more information, refer to the Tenable Vulnerability Management documentation on Networks.

Configuring a new Tenable One container
Applies To
Tenable One

Operating System(s)
N/A

Description
This article contains links to documentation that is required when configuring a new Tenable One container.

Information

Configuring the New Environment
When configuring a new Tenable One environment, begin by referring to the Tenable One Platform Deployment Guide. This documentation provides step-by-step instructions for deployment in a new container, including provisioning, activation of point products, user management, and so on. Follow the instructions within this guide first to get your new environment configured.

Tenable Agents
To link Tenable Agents to the Tenable One environment, please follow the documentation below. For instructions on linking an agent, please see Install Tenable Agent and navigate to the relevant OS. If the agent was previously linked to another Tenable One environment, please ensure that it is unlinked from that environment before linking. For more information on unlinking an agent, please see Unlink a Tenable Agent.

Note: If access to the previous Tenable One environment is not available, these instructions will need to be completed on a per-host basis.

Tenable Core Account Expiry
APPLIES TO
Tenable Core

OPERATING SYSTEM(S)
TenableCore

DESCRIPTION
Tenable Core, a lightly customized version of Oracle Linux 8, is hardened in accordance with security best practices including some elements of the CIS Level 1 benchmarks. One benchmark in particular has the potential to lock users out and expire their account:

Default Security Configuration Standards
5.4.1.4 Ensure inactive password lock is 30 days or less

This requirement means that user accounts will be automatically disabled after a period of 30 days of inactivity following password expiration. In order to prevent this, Tenable Core users should log into the cockpit (8000) or SSH at least once every 365 days and update their account password to prevent it from expiring, which in turn prevents the account from becoming locked out.

INFORMATION
Please log into Tenable Connect to view the following additional resources and access more support.

If your account has already expired due to the above requirement, the following knowledge base article will help to resolve it: Unable to Sign Into Tenable Core "Authentication failed: internal-error"

For a physical hardware hosted Tenable Core instance, this may require a keyboard and monitor hooked up or serial access. If needed, steps 10-15 of the following article can be used to attach to the serial console for direct interaction: Installing a new platform via USB for Tenable OT Security Hardware Appliances

For Tenable OT Security environments, please see Leveraging the Remote Unlock Feature in Tenable Core for instructions on how to remotely unlock administrative accounts on Tenable Core machines.

Webinar: Customer Product Update Webinars - August 2025
Check out the latest monthly Customer Update Webinars below and save your spot! Recordings will be posted after the live webinar has concluded.

Tuesday, August 12, 2025
Nessus Customer Update - 1 pm ET / 10 am PT
How to: Using credentialed scanning to discover AI software.

Wednesday, August 13, 2025
Tenable Vulnerability Management - 1 pm ET / 10 am ET
How-to: Assessing network conformance with common compliance benchmarks.

Thursday, August 14, 2025
Tenable One Customer Update - 11 am ET / 8 am PT
This month, we'll explore how you can leverage Tenable Cloud Security data within Tenable One.
Tenable Security Center - 1 pm ET / 10 am PT
How-to: Generating trending dashboards in Tenable Security Center.

Webinar: Customer Product Update Webinars - July 2025
Check out the latest monthly Customer Update Webinars below and save your spot! Recordings will be posted after the live webinar has concluded.

- Tenable WAS, July 8, 2025, 11 am ET: Join us for a deep dive into recently released WAS features and capabilities.
- Tenable Nessus, July 8, 2025, 1 pm ET: Testing for specific CVEs with Nessus.
- Tenable OT Security, July 9, 2025, 11 am ET: Learn how Tenable OT Security 4.3 unlocks unprecedented visibility and control across your OT/IT environment.
- Tenable Vulnerability Management, July 9, 2025, 1 pm ET: Credentialed scans versus uncredentialed scans and how to use managed credentials.
- Tenable One, July 10, 2025, 11 am ET: Learn how Tenable One can now ingest important security context from non-Tenable security tools to help better identify, prioritize and reduce cyber risk.
- Tenable Security Center, July 10, 2025, 1 pm ET: OS breakdown: reporting exposures by operating system.

What is the nessusd.rules file?
INFORMATION
The nessusd.rules file is an editable, text-based file used to configure Nessus scans to allow and reject ports, IP addresses, IP ranges, plugins, and targets. Please note that if the scans are launching from Tenable.sc or Tenable.io, all scans that use this Nessus scanner will be subject to the nessusd.rules file.

By default, based on your operating system, the nessusd.rules file can be found in the following locations:

Linux
    /opt/nessus/etc/nessus/nessusd.rules

Windows (default location)
    C:\ProgramData\Tenable\Nessus\conf\nessusd.rules
Note: The ProgramData folder is by default a hidden folder in Windows. In addition, the path specified is the default but can vary if Nessus was installed on another drive (i.e. E:\Programdata\...\). For more information, see the Microsoft article Show hidden files.

macOS
    /Library/Nessus/run/etc/nessus/nessusd.rules

Tenable Core
Log in to Tenable Core on port 8000. In the left navigation, click Nessus. The nessusd.rules file can be found on the left side of the resulting screen.

DETAILS
Lines that start with # are comments. Lines that do not start with # are actual settings.

The default nessusd.rules file begins with a series of comments which include explanations and examples. These are divided into 3 syntax sections: Target Syntax, Plugin Syntax, and Default Rule Syntax. The syntax section heading name is followed by a colon and then lists the exact allowable syntax. You can use CIDR notation, ranges using a -, or hostnames to identify the targets. Below each section heading, a sample explanation is followed by an indented line, which includes what the actual setting would look like.

    # Target Syntax: accept|reject address/netmask:port[-port_max]
    #
    # Reject the target with IP 10.42.123.10
    # reject 10.42.123.10
    # Reject any target on 10.42.123.x
    # reject 10.42.123.0/24
    # Reject any target between 10.42.123.10-10.42.123.50
    # reject 10.42.123.10-10.42.123.50
    # Reject the target with hostname 'NessusHost'
    # reject NessusHost
    # Reject connecting to port 80 for 10.0.0.1
    # reject 10.0.0.1:80
    # Reject connecting to port 8100 for all IP addresses
    # reject 0.0.0.0/0:8100

All settings in the nessusd.rules file take precedence over the scan's settings configured in the Nessus GUI. If a setting is added to the nessusd.rules file to not scan certain ports, those ports will not be scanned even if those ports are listed to be scanned in any scan setting.

Note: Rules work from top down. Add new rules above the default accept line, never below it.

For example, to stop port 80 from being scanned on 10.0.0.1, add the following to the nessusd.rules file:

    reject 10.0.0.1:80

This statement tells Nessus to not connect to port 80 on 10.0.0.1. If a scan in Nessus is configured to scan 10.0.0.1 with port 80 in the Discovery Port Scanning range, that port is ignored and no plugins will fire against it. Port 80 will not be scanned because the nessusd.rules settings take precedence over all scans configured in the GUI.

If desired, you can change the location of the nessusd.rules file. The rules setting and its file location are listed in the Advanced settings of Nessus. To ensure the file's location change takes effect, restart the Nessus service.
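The top-down evaluation described above, as an added example (not Tenable's code): a small parser for target and default rules that answers whether a connection to a given target and port would be allowed. The first-match-wins semantics, the accept fallback when no rule matches, and the sample rules are assumptions of this model; plugin rules are skipped.

```python
import ipaddress
import re

# Constructed sample rules file (illustrative, not copied from a real scanner).
SAMPLE_RULES = """\
reject 10.0.0.1:80
reject 192.168.0.0/24:8000-10000
reject 10.42.123.10-10.42.123.50
reject [2001:db8::abcd]:1-1024
plugin-reject 10335
default accept
reject 10.0.0.2:22
"""

# Address part (bracketed IPv6, or anything without ':'), then optional :port[-port_max].
TARGET = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:]+))(?::(?P<lo>\d+)(?:-(?P<hi>\d+))?)?$")

def parse_rules(text):
    """Return target and default rules in file order; comments and plugin rules are skipped."""
    rules = []
    for line in text.splitlines():
        action, _, spec = line.strip().partition(" ")
        if action == "default":
            rules.append((spec.strip(), None, None))
        elif action in ("accept", "reject"):
            m = TARGET.match(spec.strip())
            if m is None:
                raise ValueError(f"unparsed rule: {line!r}")
            ports = (int(m["lo"]), int(m["hi"] or m["lo"])) if m["lo"] else (0, 65535)
            rules.append((action, m["v6"] or m["host"], ports))
    return rules

def host_matches(spec, target):
    """Match a rule's address part (IP, CIDR, a-b range or hostname) against a scan target."""
    try:
        ip = ipaddress.ip_address(target)
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
            return lo.version == ip.version and lo <= ip <= hi
        return ip in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return spec.lower() == target.lower()  # a hostname on either side: literal compare

def connection_allowed(rules, target, port):
    """Assumed semantics: top-down, first match wins, accept if nothing matches."""
    for action, host, ports in rules:
        if host is None or (host_matches(host, target) and ports[0] <= port <= ports[1]):
            return action == "accept"
    return True
```

The last sample rule sits below default accept, so the model still allows 10.0.0.2 on port 22, which is the ordering mistake the note above warns about.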

ADDITIONAL RESOURCES
Default nessusd.rules file contents:

    # Nessus rules
    #
    #
    # Target Syntax: accept|reject address/netmask:port[-port_max]
    #
    # Reject any target on 10.42.123.x
    # reject 10.42.123.0/24
    # Reject connecting to port 80 for 10.0.0.1
    # reject 10.0.0.1:80
    # Reject connecting to ports 8000 - 10000 (inclusive) for any host in the 192.168.0.0/24 subnet
    # reject 192.168.0.0/24:8000-10000
    # Reject connecting to ports 1 - 1024 (inclusive) for the host 2001:db8::abcd
    # reject [2001:db8::abcd]:1-1024
    #
    #
    # Plugin Syntax: plugin-accept|plugin-reject id[-id_max]
    #
    # Reject plugin #10335
    # plugin-reject 10335
    # Allow plugins #10000 through #40000 (inclusive)
    # plugin-accept 10000-40000
    #
    #
    # Default Rule Syntax (if no other rules apply): default accept|reject
    #
    # Accept everything else
    # default accept
    # Reject everything else
    # default reject
    default accept

What ports does "built-in" represent?
INFORMATION
In a policy's "Host Discovery" tab is a section labeled Ping Methods. Configuring the Destination Ports to utilize the 'built-in' setting designates a specific set of ports to be used.

DETAILS
The "built-in" ports are defined by the scanner's ping_host4.inc file. This file includes the following TCP ports:

    139 135 445 80 22 515 23 21 6000 1025 25 111 1028 9100 1029 79 497 548 5000 1917 53 161 9001 49000 443 993 8080 2869

You can confirm that the metadata in ping_host4.inc is used by the ping plugin by looking at the plugin code for plugin ID 10180, Ping the remote host, where the NASL code lists the included .inc files:

    include("raw.inc");
    include("misc_func.inc");
    include("ping_host4.inc");

List of ports in Nessus defined by Port Scan Range : default
INFORMATION
In a Nessus or Tenable Vulnerability Management scan policy, under Discovery > Port Scanning, you can define the port scan range. This field can be set to an explicit value, range, combination of both, or default. When set using the keyword 'default', the scanner will scan approximately 4,790 common ports. The list of ports can be found in the nessus-services file on the Nessus scanner. This list can change over time.

Note: 'default' is case sensitive and must be lowercase.

DETAILS
The nessus-services file can be found in these default locations on a Nessus scanner:

Windows
    C:\ProgramData\Tenable\Nessus\nessus\nessus-services

Mac
    /Library/Nessus/run/var/nessus/nessus-services

Linux
    /opt/nessus/var/nessus/nessus-services

ADDITIONAL RESOURCES
An example of the nessus-services file is attached to this article. Please note that the contents of this file are subject to change.

Previously, when creating a new scan or policy using the Internal PCI Network Scan template, by default the port scan range was set to 'common'. This is not the same as the 'default' list mentioned above. However, the Internal PCI Network Scan template now uses the default range.

Create custom audit policies
INFORMATION
Tenable has made documentation available for writing custom audit policies as well as several command line tools and very detailed example policies. In most cases, Tenable customers have been able to use the default audit policies and remove unneeded tests. In cases where more detail is needed than the current example tests, Tenable has documented examples for each type of Unix and Windows audit point. These can be modified with values that are in line with your organization's configuration guidelines.

NOTE: Technical Support Engineers cannot directly support custom audit files. Support is available for bugs or other issues with specific functions or calls. See Support for custom audit files, plugins, and API scripts for more information.

DETAILS
The following are links to Tenable documentation on Compliance checks.

- The Audits Portal - This site allows you to search our audit file database from a convenient interface.
- Nessus Compliance Checks - This paper discusses how to configure Nessus to perform these audits and how Tenable's SecurityCenter can be used to manage and automate this process.
- Nessus Compliance Checks Reference - This document describes the syntax used to create custom .audit files that can be used to audit the configuration of Unix, Windows, database, SCADA, IBM iSeries, and Cisco systems against a compliance policy as well as search the contents of various systems for sensitive content.