Tenable Vulnerability Management: Why an audit check would return a “Warning” or “Medium” severity
I stumbled upon a massive number of Warnings after a scan in Tenable Vulnerability Management, and I found 2 causes:
- Tenable glitch: I re-ran the same scan and the number of warnings was reduced. It could be because I’ve recently updated the Compliance Audit templates.
- Medium Severity: if an <item> or <custom_item> has severity: MEDIUM in its definition, all FAILED findings will be shown as Warning.
More details below.
When I clicked into a warning, there was no OUTPUT and it did not explain why it was a warning.
After a re-scan, many warnings disappeared. But there are still warnings.
On a closer look at the audit templates, they have severity: MEDIUM added to the definition, e.g.:
<custom_item>
description : "1.3.3 Ensure GPG keys are configured"
cmd : "/usr/bin/apt-key list"
expect : ""
severity : MEDIUM
</custom_item>
This aligns with this Tenable doc.
What do you do with Warnings?
Conventionally, warnings are ignored. It looks like the intention of Warnings (or MEDIUM severity) in Nessus is for a human to review the standard output of each scan command. This is inefficient at scale. The results are not very valuable unless you change the check command to pass/fail on specific conditions.
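To find which checks will surface as Warnings before you scan, you can list every <item> or <custom_item> that carries severity: MEDIUM. The script below is an added example, not code from this post or from Tenable; the function names and the sample template are constructed, and treating an empty expect on a command check as "needs manual review" is an assumption of the example.

```python
import re

# Constructed sample in the .audit layout shown above (not a real Tenable template).
SAMPLE_AUDIT = '''
<custom_item>
  description : "1.3.3 Ensure GPG keys are configured"
  cmd         : "/usr/bin/apt-key list"
  expect      : ""
  severity    : MEDIUM
</custom_item>
<custom_item>
  description : "Constructed check with a pass/fail condition"
  cmd         : "/bin/cat /etc/example.conf"
  expect      : "^enabled=1$"
</custom_item>
<item>
  description : "Constructed built-in item"
  severity    : MEDIUM
</item>
'''

BLOCK_RE = re.compile(r"<(item|custom_item)>(.*?)</\1>", re.DOTALL)
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$", re.MULTILINE)


def parse_items(audit_text):
    """Yield (tag, fields) for every <item>/<custom_item> block."""
    for match in BLOCK_RE.finditer(audit_text):
        fields = {}
        for key, value in FIELD_RE.findall(match.group(2)):
            # Keep the first occurrence of a key; drop surrounding double quotes.
            fields.setdefault(key, value.strip('"'))
        yield match.group(1), fields


def medium_severity_checks(audit_text):
    """Return the checks whose FAILED results will be shown as Warning."""
    report = []
    for tag, fields in parse_items(audit_text):
        if fields.get("severity", "").upper() != "MEDIUM":
            continue
        report.append({
            "tag": tag,
            "description": fields.get("description", ""),
            # Assumption: a command check with an empty expect has no pass/fail condition.
            "needs_manual_review": "cmd" in fields and fields.get("expect", "") == "",
        })
    return report
```

Call medium_severity_checks() on the text of each audit file; the rows flagged needs_manual_review are the ones to rewrite with a specific pass/fail condition.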