NIAP: Compliant Product
Compliant Product - Nessus Agent 8.0.0

Certificate Date:  2020.12.08

Validation Report Number:  CCEVS-VR-VID11066-2020

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Functional Package for TLS Version 1.1
  Protection Profile for Application Software Version 1.3

CC Testing Lab:  Leidos Common Criteria Testing Laboratory

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

Tenable Nessus Agent is a software product designed to be installed on an endpoint system to facilitate local scanning of that system. Local scanning allows Nessus Agent to collect detailed information about the system's hardware, software, and configuration, which can be used to determine compliance with organizational security policies and whether potentially exploitable vulnerabilities are present on that system.

Nessus Agent is deployed and configured by an environmental instance of Nessus Manager, which also collects scan results from Nessus Agent for aggregation and analysis. Nessus Manager in turn transmits this data to an environmental instance of SecurityCenter, where it can be combined with network traffic and system log data to provide a comprehensive window into the security posture of an organization.

The evaluated version of Tenable Nessus Agent is supported on Red Hat Enterprise Linux 7 and Windows Server 2016.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.3 and the Functional Package for Transport Layer Security (TLS), Version 1.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Release 5. The product, when delivered and configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Tenable Nessus Agent Security Target. The evaluation was completed in December 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Timely Security Updates

The TOE developer has internal mechanisms for receiving reports of security flaws, tracking product vulnerabilities, and distributing software updates to customers in a timely manner.

Cryptographic Support

The TOE implements cryptography to protect data in transit. The TOE does not store credential data on the local system, so no separate data-at-rest protection mechanism is implemented.

For data in transit, the TOE implements TLS/HTTPS as a client to communicate with an instance of Nessus Manager in the operational environment. The TOE’s TLS client does not support mutual authentication.

The TOE implements all cryptography used for this function using its own implementations of OpenSSL with NIST-approved algorithms. The TOE’s DRBG is seeded using entropy from the underlying OS platform.

User Data Protection

The TOE is compatible with the use of platform full disk encryption to protect sensitive data at rest.

The TOE relies on the network connectivity and system log capabilities of its host OS platform. The TOE supports application-initiated uses of the network. The TOE also accesses various system resources as part of conducting system scans. Specifically, the TOE supports local scanning of the system that it is installed on.

Identification and Authentication

The TOE supports X.509 certificate validation as part of establishing TLS and HTTPS connections. The TOE supports various certificate validity checking methods and can also check certificate revocation status using OCSP. If the validity status of a certificate cannot be determined, the certificate will be accepted. In all other cases where a certificate is found to be invalid, the certificate is rejected without an administrative override.

Security Management

Both the TOE binary components themselves and the configuration settings they use are stored in locations recommended by the platform vendors.

The TOE does not include a direct user interface to manage its functionality. Security-relevant configuration of the TOE is initiated from the Nessus Manager application in the TOE's operational environment. This configuration relates to the circumstances under which the TOE will transmit data about the local system's hardware, software, and configuration information (i.e., scan results) back to its operational environment.

The TOE does not handle Personally Identifiable Information (PII) of any individuals.

Protection of the TSF

The TOE enforces various mechanisms to prevent itself from being used as an attack vector against its host OS platform. The TOE implements address space layout randomization (ASLR); does not allocate any memory with both write and execute permissions; does not write user-modifiable files to directories that contain executable files; is compiled using stack overflow protection; and is compatible with the security features of its host OS platform.

The TOE contains libraries and invokes system APIs that are well-known and explicitly identified.

The TOE has a mechanism to determine its current software version. Software updates to the TOE can be acquired through its OS platform or through its connection with the environmental Nessus Manager application. The format of the software update depends on the TOE platform version. All updates are digitally signed to guarantee their authenticity and integrity.

Trusted Path/Channels

The TOE encrypts sensitive data in transit between itself and its operational environment using TLS and HTTPS.

Vendor Information

Tenable, Inc.
Brian Girardi
443-545-2102 x8315