There exists a policy shipped as part of the distribution service called "Prepare for PCI-DSS audits (section 11.2.2)". This is a policy that has all plugins enabled, TCP scan of all ports, safe checks enabled, web tests enabled, the PCI-DSS setting enabled, and several other things that are less important. I would recommend copying this policy to something else and modifying it instead.
Many of the checks used are local, so you will definitely need to add credentials for an account that has Administrator or root level privileges. For Windows that user should be a Domain Admin or be in the Local Administrators group. For Linux/UNIX the user should have escalation rights, this would be sudo, su, enable, or whatever your distribution uses.
You also need to take into account what type of services the target host is running. Is that server hosting a web application? Web testing is enabled, but it will likely require authentication to use. If your website is using form based auth, then you can go to the 'Preferences' tab, from the drop down select "HTTP login page" and configure it from there. If it's doing Basic Auth then pick the "Login configurations" drop down. Is your server hosting a database? Go to the "Database settings" page and punch in the right values.
You should also look into the various and sundry audit policies. If you log into the Support Center and go to the Downloads page you'll see a link for "PCI Audit Policies". That contains audit policies for many different operating systems. Download the appropriate one and add it to your scan. All of the audits are added, and configured, within the "Preferences" tab. Just pick the appropriate entry from the drop-down box for whatever policy you're using. While you're at it, look through the other audit policies as well. They'll mostly based off DISA STIGs, CIS documents, or FSMA. However, some are written against best practices documents published by the vendors, such as the PostgreSQL audits. Some of the audits may require local customizations so be wary of taking the PASS/FAIL marks as Truth. Keep in mind that the audits are only available to ProfessionalFeed customers (you are a ProfessionalFeed customer right?).
The real take away is that while the shipped scan policy does get you started it is by no means complete. You'll need to customize it to work in your environment. After all,
Alternatively, if you use the Perimeter Service they have much of this already set up and ready to go. This service is sanctioned as an ASV by the PCI Council. A full write-up on using it is available on the Tenable blog.
The information provided above is in no way intended to be taken as official advice and is provided without warrant, guarantee, or good faith. The statements provided do not represent the views of the PCI council, any QSA/ASV, my employer, your employer, the set of all Rorys, this site, any other site, nor the ISP on which you are viewing this message.
