Tenable Research Release Highlights

Forum Discussion

bmcsulla
11 months ago

Maximum Compliance Check Timeout and Find Command Check Type

Summary

Long-running commands in compliance scans are a consistent source of concern. Tenable is releasing features to help customers understand when command timeouts happen and to give them more control over how long commands can take.

Maximum Compliance Check Timeout Preference

In an effort to normalize compliance timeouts for specific compliance checks and improve the reporting of timeout issues, a new preference named "Maximum Compliance Check Timeout in Seconds" is being added to the Tenable product scan policies under Advanced Settings, in a section named "Compliance Output Settings".

This setting is applied to checks that run commands on the targets and will affect the time that the command will wait before moving on to the next step of the scan. Initial implementation of this new timeout preference will affect the Windows Compliance Check and Unix Compliance Check plugins.

In addition to the timeout preference, check items that use the check timeout will have an indicator in their results if the timeout was triggered.

Find Command Check Type

In the Unix Compliance Check plugin, "find" commands are the largest source of long-running commands. Scan policies have had preferences to help narrow the scope of searching, but these were not available in compliance checks. To better support the "Unix find command Options", Tenable is implementing a new check type for Find Commands.

The Find Command check type will use all settings found in the "Unix find command Options" section of scan policy Advanced Settings to find files that meet various search criteria, and will allow customers to use the advanced settings to control how much of the target systems to scan. In a future update, Tenable content that uses CMD_EXEC check types will be updated to the new FIND_CMD check type where applicable.

A new configuration option in the "Unix find command Options" section, named "Command Timeout", has been added to control the timeout for the find commands. This timeout limits the time each find command may take to complete on a target system, for each of the filesystems in each compliance check.

Potential Impacts:

Implementation of new policy defaults and the support added to the compliance plugins may cause some scans to run longer or to have increased timeout errors due to differences in default values. These issues can be adjusted or remediated by modifying the new preferences.

These features are primarily directed toward compliance plugins. Vulnerability and detection plugins that use find commands will not immediately support the find command timeout. Tenable’s Research team will enable this new feature on a per-plugin basis as needed.

The timeout for the find command applies per execution of the find command. For targets that contain many filesystems and execute many find commands, individual plugin timeouts should be adjusted to allow all find command executions to complete. See the product documentation on how to adjust plugin timeouts.
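A local probe for choosing a "Command Timeout" value before changing scan policy, as an added example that is not Tenable's code or part of the original post. The names `probe_find`, `worst_case_seconds` and `FIND_BIN` are hypothetical, the world-writable-file search is a constructed sample, and the script assumes the target has coreutils `timeout`.

```shell
#!/bin/sh
# Added example (not Tenable code). Run on a target to see which filesystems
# would hit a per-execution find timeout, and how large the plugin timeout
# must be to cover every find execution.
# FIND_BIN is a hypothetical override so the probe can be exercised with a stub.
FIND_BIN="${FIND_BIN:-find}"

# probe_find TIMEOUT_SECONDS DIR...
# Prints one line per DIR: "<dir> ok <seconds>" or "<dir> TIMEOUT <seconds>".
# Returns the number of directories whose find hit the timeout (max 255).
# Usage (constructed mount points): probe_find 30 / /var /home
probe_find() {
    limit="$1"; shift
    timed_out=0
    for dir in "$@"; do
        start=$(date +%s)
        rc=0
        # -xdev keeps each find on a single filesystem.
        # Constructed sample search: world-writable regular files.
        timeout "$limit" "$FIND_BIN" "$dir" -xdev -type f -perm -0002 \
            >/dev/null 2>&1 || rc=$?
        elapsed=$(( $(date +%s) - start ))
        # timeout(1) exits with 124 when it had to stop the command.
        if [ "$rc" -eq 124 ]; then
            timed_out=$((timed_out + 1))
            echo "$dir TIMEOUT $elapsed"
        else
            echo "$dir ok $elapsed"
        fi
    done
    return "$timed_out"
}

# worst_case_seconds TIMEOUT FILESYSTEMS FIND_COMMANDS
# Upper bound on total find time when every execution runs to its timeout.
# Assumption: find executions run one after another, not in parallel.
worst_case_seconds() {
    echo $(( $1 * $2 * $3 ))
}
```

Any directory reported as `TIMEOUT` is a candidate for a narrower search scope or a longer "Command Timeout"; the `worst_case_seconds` figure is the floor for the plugin timeout under the stated assumption.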

Tenable Plugins

  • 21156 - Windows Compliance Checks
  • 21157 - Unix Compliance Checks

Target Release Date

January 22, 2025
