Deploy Tenable Nessus Agent Using JSON

To deploy Tenable Nessus Agent with the config.json file:

1. Configure the config.json file.

   Note: config.json must be in ASCII format. Some tools, such as PowerShell, create test files in other formats by default.

   Example Tenable Nessus Agent config.json file format:

   { "link": { "name": "sensor name", "host": "hostname or IP address", "port": 443, "key": "abcdefghijklmnopqrstuvwxyz", "ms_cert": "CA certificate for linking", "retry": 1, "proxy": { "proxy": "proxyhostname", "proxy_port": 443, "proxy_username": "proxyusername", "proxy_password": "proxypassword", "user_agent": "proxyagent", "proxy_auth": "NONE" } }, "preferences": { "global.max_hosts": "500" } }

   Example Tenable Nessus Agent config.json file format (when using auto_proxy):

   { "link": { "name": "sensor name", "host": "hostname or IP address", "port": 443, "key": "abcdefghijklmnopqrstuvwxyz", "ms_cert": "CA certificate for linking", "retry": 1, "proxy": { "proxy": "proxyhostname", "proxy_port": 443, "auto_proxy": "true" } } }

   config.json Details

   The following describes the format of the different settings in each section of config.json.

   Note: All sections are optional; if you do not include a section, it is not configured when you first launch Tenable Nessus Agent. You can manually configure the settings later.

   Linking

   The link section sets preferences to link the agent to a manager.

   Tip: Specifying the link preferences in config.json and leaving the retry preference blank achieves the same result as using the --install-offline linking argument in the nessuscli. Doing so installs Tenable Nessus Agent on the specified host, even if it is offline. The agent then indefinitely tries to link to the host, given that you did not specify a retry value.

   Setting	Description
   groups	(Optional) One or more existing scanner groups where you want to add the scanner. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list. For example: "Atlanta,Global Headquarters" One or more existing agent groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list. For example: "Atlanta,Global Headquarters" Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").
   host	The hostname or IP address of the manager you want to link to. To link to Tenable Vulnerability Management, use cloud.tenable.com.
   key	The linking key that you retrieved from the manager.
   ms_cert	(Optional) A custom CA certificate to use to validate the manager's server certificate.
   name	(Optional) A name for the scanner.  A name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.
   network	(Optional, Tenable Vulnerability Management-linked agents only) The custom network you want to link to. If you do not specify a network, the agent belongs to the default network.
   port	The port for the manager you want to link to. For Tenable Nessus Manager: 8834 or your custom port. For Tenable Vulnerability Management: 443
   profile_uuid	(Optional) The UUID of the agent profile that you want to assign the agent to (for example, 12345678-9abc-4ef0-9234-56789abcdef0). For more information, see Agent Profiles in the Tenable Vulnerability Management User Guide.
   proxy	(Optional) If you are using a proxy server, include the following: proxy: The hostname or IP address of your proxy server. proxy_port:The port number of the proxy server. auto_proxy (Windows only): If enabled, the agent uses Web Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC) file for proxy settings. This setting overrides all other proxy configuration preferences. If disabled, the agent defaults to the remaining proxy settings. Note: If you include auto_proxy in your configuration file, you must also provide the proxy and proxy_port parameters. proxy_username: The name of a user account that has permissions to access and use the proxy server. proxy_password: The password of the user account that you specified as the username. user_agent: The user agent name, if your proxy requires a preset user agent. proxy_auth: The authentication method to use for the proxy.
   retry	(Optional) The number of times the agent attempts to link to the manager if it fails the first attempt. If you do not include the retry preference, the agent attempts to link indefinitely. Note: If you set retry to 1, the agent tries to link to the manager 30 seconds after the initial failure. Every proceeding retry occurs twice as long after the prior retry. For example, if you set retry to 5, the agent attempts to link 30 seconds after the first failure, 60 seconds after the second failure, 120 seconds after the third failure, 240 seconds after the fourth failure, and 480 seconds after the fifth failure.

   Preferences

   The preferences section configures any advanced settings. For more information, see Advanced Settings.

2. Download the Tenable Nessus Agent installation package for your operating system.

3. (Windows only) Before you install the package, you must modify the package so that the agent does not start automatically after installation. This is because the agent must read the config.json file when you start the agent service for the first time.

   To modify the package, run the following command:

   msiexec /i <agent package>.msi NESSUS_SERVICE_AUTOSTART=false /qn

4. Install Tenable Nessus Agent. For more information, see Install a Tenable Nessus Agent on Windows , Install a Tenable Nessus Agent on macOS, or Install a Tenable Nessus Agent on Linux.

5. (macOS only) Unlike Windows, there is no way to turn off autostart before installing Tenable Nessus Agent. Therefore, you need to reset the Tenable Nessus Agent to a fresh state before adding config.json and starting the agent service.

   To return Tenable Nessus Agent to a fresh state on macOS, validate config.json, and place config.json in the correct directory, run the following command:

   /Library/NessusAgent/run/sbin/nessuscli prepare-image --json=<path to json file>

   Note: Tenable Nessus Agent autostart is disabled by default in Linux packages. Therefore, if you are using Linux, you can ignore steps 3 and 5.

6. Place config.json in the Tenable Nessus Agent directory if it is not already there:

   • Windows — C:\ProgramData\Tenable\Nessus Agent\nessus\config.json
   • macOS — /Library/NessusAgent/run/var/nessus/config.json
   • Linux — /opt/nessus_agent/var/nessus/config.json

7. Start the agent service.

8. Depending on your operating system, run the following command to verify the config.json preferences:

   • Windows — "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" fix --secure --list

   • macOS — /Library/NessusAgent/run/sbin/nessuscli fix --secure --list

   • Linux — /opt/nessus_agent/sbin/nessuscli fix --secure --list

   Once you verify that the preferences were successfully applied, the linking process is complete.