Authentication Reporting in Tenable Scans

Enhancing reporting clarity through updated terminology and superior organization

In an effort to delight our customers, we’re making it easier to answer the following questions about scans. What makes a Nessus scan successful? How can we tell when a scan was unsuccessful and what we need to do about it?

Over the past few years, Tenable Research has been working to extend our capabilities to report issues related to scan success. We've expanded the types of issues we're able to identify during a Nessus scan, such as permissions failures and intermittent authentication failures, and we've brought those issues to light in scan results so that they can be addressed. We've worked to eliminate blind spots and highlight failures that would otherwise be silent. Reporting this information has helped empower users to more easily identify and resolve issues in their scans for more accurate and complete scan results.

The next major step to improving our reporting around Nessus scan success focuses on clarity. We're rolling out updates to enhance clarity and facilitate better understanding of scan success status. We've reworked the terminology we use to describe scan success to make it more consistent and we're updating the names and descriptions of scan success reporting plugins to more clearly convey how they are organized and the meaning of their results.

Plugin Updates

In order to clearly report scan success in Nessus scans, we’re updating names and descriptions of the scan status reporting plugins and adding a new plugin as well. These changes will also be visible in Tenable.io and Tenable.sc.

Naming Conventions

One part of the update is to establish naming conventions to clearly show how plugins are organized and what they mean. These naming conventions also allow easy filtering of scan results based on plugin name to quickly zero in on scan status information.

The naming conventions organize plugins based on the component of the scan they’re reporting on, such as credentials / authentication. The naming conventions also organize plugins based on the type of information they’re reporting. “Status” plugins report whether or not a certain status was achieved, such as Valid Credentials Provided. “Issues” plugins report issues that occurred with individual plugins during the scan. These plugins report more detailed information such as insufficient privilege or intermittent authentication issues encountered when using valid credentials.

Summary

Target Credentials and Authentication

These plugins are used today to report the status of target credentials and authentication:

• 110095 Authentication Success
• 110385 Authentication Success Insufficient Access
• 117885 Authentication Success with Intermittent Failure
• 104410 Authentication Failure(s) for Provided Credentials
• 110723 No Credentials Provided

These are being updated to organize them into Status plugins and Issues plugins. In addition, a new plugin is being added to report when valid credentials have been found, regardless of whether or not there were any subsequent issues encountered with those valid credentials.

Status

• 141118 Target Credential Status by Authentication Protocol - Valid Credentials Provided
• 104410 Target Credential Status by Authentication Protocol - Failure for Provided Credentials
• 110723 Target Credential Status by Authentication Protocol - No Credentials Provided

Issues

• 110095 Target Credential Issues by Authentication Protocol - No Issues Found
• 110385 Target Credential Issues by Authentication Protocol - Insufficient Privilege
• 117885 Target Credential Issues by Authentication Protocol - Intermittent Authentication Failure 

Integration Credentials and Authentication

These plugins are used today to report the status of credentials for integration tools such as patch management systems that provide information about targets:

• 122502 Patch Management Authentication Success
• 122503 Authentication to Patch Management Failed for Provided Credentials

These plugins are being updated to use more consistent names.

Status

• 122502 Integration Credential Status by Authentication Protocol - Valid Credentials Provided
• 122503 Integration Credential Status by Authentication Protocol - Failure for Provided Credentials

This diagram shows how the plugins work in sequence to report the success or failure of credentials:

Plugin Descriptions

The plugins listed above are also being updated with more accurate and detailed descriptive text to communicate the purpose and functionality of each plugin.

Release Date

15 October 2020

Impact

When searching for these plugins you should use the new names. Since all names are consistent, this enables new searches to identify all the plugins related to the status of credentialed scans. The function of the plugins has not been changed. Plugin IDs are not changing, so existing dashboards or filters will not be impacted. There are minor changes to plugin output, such as more accurate descriptive text in reports and additional reference information. For example:

• "Nessus was able to log in to the following host as <username>" is replaced with "Nessus was able to log in to the remote host via the following protocol as <username>" when the following information in the report is a protocol and port, not a hostname.
• Additional reference information is added in plugin 110385 "Target Credential Issues by Authentication Protocol - Insufficient Privilege" when SSH privilege issues were encountered to note that details can be found in the output of plugin 102094 "SSH Commands Require Privilege Escalation."