Deploy Tenable Nessus Agent Using JSON

When you first launch the agent after installation, it checks for environment variables and then for the config.json file. The agent uses that information to link to a manager and set preferences.

To deploy Tenable Nessus Agent with the config.json file:

  1. Configure the config.json file.

    Note: config.json must be in ASCII format. Some tools, such as PowerShell, create text files in other formats by default.

    Example Tenable Nessus Agent config.json file format:

    {
        "link": {
            "name": "sensor name",
            "host": "hostname or IP address",
            "port": 443,
            "key": "abcdefghijklmnopqrstuvwxyz",
            "ms_cert": "CA certificate for linking",
            "retry": 1,
            "proxy": {
                "proxy": "proxyhostname",
                "proxy_port": 443,
                "proxy_username": "proxyusername",
                "proxy_password": "proxypassword",
                "user_agent": "proxyagent",
                "proxy_auth": "NONE"
            }
        },
        "preferences": {
            "global.max_hosts": "500"
        }
    }

    Example Tenable Nessus Agent config.json file format (when using auto_proxy):

    {
        "link": {
            "name": "sensor name",
            "host": "hostname or IP address",
            "port": 443,
            "key": "abcdefghijklmnopqrstuvwxyz",
            "ms_cert": "CA certificate for linking",
            "retry": 1,
            "proxy": {
                "proxy": "proxyhostname",
                "proxy_port": 443,
                "auto_proxy": "true"
            }
        }
    }

    config.json Details

    The following describes the format of the different settings in each section of config.json.

    Note: All sections are optional; if you do not include a section, it is not configured when you first launch Tenable Nessus Agent. You can manually configure the settings later.

    Linking

    The link section sets preferences to link the agent to a manager.

    Setting Description
    name

    (Optional)

    A name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.

    host

    The hostname or IP address of the manager you want to link to.

    To link to Tenable Vulnerability Management, use cloud.tenable.com.

    port

    The port for the manager you want to link to.

    For Tenable Nessus Manager: 8834 or your custom port.

    For Tenable Vulnerability Management: 443

    key

    The linking key that you retrieved from the manager.

    network

    (Optional, Tenable Vulnerability Management-linked agents only)

    The custom network you want to link to. If you do not specify a network, the agent belongs to the default network.

    ms_cert

    (Optional)

    A custom CA certificate to use to validate the manager's server certificate.

    groups

    (Optional)

    One or more existing agent groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management.

    List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list.

    For example: "Atlanta,Global Headquarters"

    Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").

    retry

    (Optional)

    The number of times the agent attempts to link to the manager if it fails the first attempt.

    If you do not include the retry preference, the agent does not attempt to link after the first failure. The maximum accepted value is 10.

    Note: If you set retry to 1, the agent tries to link to the manager 30 seconds after the initial failure. Every subsequent retry occurs twice as long after the prior retry. For example, if you set retry to 5, the agent attempts to link 30 seconds after the first failure, 60 seconds after the second failure, 120 seconds after the third failure, 240 seconds after the fourth failure, and 480 seconds after the fifth failure.

    proxy

    (Optional)

    If you are using a proxy server, include the following:

    • proxy: The hostname or IP address of your proxy server.

    • proxy_port: The port number of the proxy server.

    • auto_proxy (Windows only): If enabled, the agent uses Web Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC) file for proxy settings. This setting overrides all other proxy configuration preferences. If disabled, the agent defaults to the remaining proxy settings.

      Note: If you include auto_proxy in your configuration file, you must also provide the proxy and proxy_port parameters.

    • proxy_username: The name of a user account that has permissions to access and use the proxy server.

    • proxy_password: The password of the user account that you specified as the username.

    • user_agent: The user agent name, if your proxy requires a preset user agent.

    • proxy_auth: The authentication method to use for the proxy.

    profile_uuid

    (Optional)

    The UUID of the agent profile that you want to assign the agent to (for example, 12345678-9abc-4ef0-9234-56789abcdef0). For more information, see Agent Profiles in the Tenable Vulnerability Management User Guide.

    Preferences

    The preferences section configures any advanced settings. For more information, see Advanced Settings.

  2. Download the Tenable Nessus Agent installation package for your operating system.

  3. (Windows only) Before you install the package, you must modify the package so that the agent does not start automatically after installation. This is because the agent must read the config.json file when you start the agent service for the first time.

    To modify the package, run the following command:

    msiexec /i <agent package>.msi NESSUS_SERVICE_AUTOSTART=false /qn

  4. Install Tenable Nessus Agent. For more information, see Install a Tenable Nessus Agent on Windows, Install a Tenable Nessus Agent on macOS, or Install a Tenable Nessus Agent on Linux.

  5. (macOS only) Unlike Windows, there is no way to turn off autostart before installing Tenable Nessus Agent. Therefore, you need to reset the Tenable Nessus Agent to a fresh state before adding config.json and starting the agent service.

    To return Tenable Nessus Agent to a fresh state on macOS, validate config.json, and place config.json in the correct directory, run the following command:

    /Library/NessusAgent/run/sbin/nessuscli prepare-image --json=<path to json file>

    Note: Tenable Nessus Agent autostart is disabled by default in Linux packages. Therefore, if you are using Linux, you can ignore steps 3 and 5.

  6. Place config.json in the Tenable Nessus Agent directory if it is not already there:

    • Windows — C:\ProgramData\Tenable\Nessus Agent\nessus\config.json
    • macOS — /Library/NessusAgent/run/var/nessus/config.json
    • Linux — /opt/nessus_agent/var/nessus/config.json

  7. Start the agent service.

  8. Depending on your operating system, run the following command to verify the config.json preferences:

    • Windows — "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" fix --secure --list

    • macOS — /Library/NessusAgent/run/sbin/nessuscli fix --secure --list

    • Linux — /opt/nessus_agent/sbin/nessuscli fix --secure --list

    Once you verify that the preferences were successfully applied, the linking process is complete.
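
Added example (not part of Tenable's documentation or tooling): a pre-deployment check, in Python, that tests a config.json against the rules stated in step 1, namely ASCII encoding, a retry value no greater than 10, and proxy and proxy_port present whenever auto_proxy is used; retry_delays reproduces the retry schedule from the retry note. Treating host, port and key as required is an assumption based on the page not marking them optional, and the sample proxy hostname and key are constructed placeholders.

```python
import json

MAX_RETRY = 10  # maximum accepted retry value stated on this page

def retry_delays(retry):
    """Seconds waited before each retry: 30 s first, then doubling."""
    return [30 * 2 ** i for i in range(retry)]

def check_config(raw):
    """Return a list of problems found in the raw bytes of a config.json."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        bom = raw.startswith((b"\xff\xfe", b"\xfe\xff", b"\xef\xbb\xbf"))
        hint = " (byte order mark: saved as UTF-16 or UTF-8)" if bom else ""
        return [f"non-ASCII byte at offset {exc.start}{hint}"]
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(cfg, dict) or not isinstance(cfg.get("link", {}), dict):
        return ["top level and link must be JSON objects"]
    if "link" not in cfg:
        return []  # all sections are optional
    link, problems = cfg["link"], []
    # Assumption: host, port and key are required, because the page does not
    # mark them "(Optional)" as it does the other link settings.
    for field in ("host", "port", "key"):
        if field not in link:
            problems.append(f"link.{field} is missing")
    retry = link.get("retry", 0)
    if type(retry) is not int or not 0 <= retry <= MAX_RETRY:
        problems.append(f"link.retry must be an integer from 0 to {MAX_RETRY}")
    proxy = link.get("proxy", {})
    if isinstance(proxy, dict) and "auto_proxy" in proxy:
        for field in ("proxy", "proxy_port"):
            if field not in proxy:
                problems.append(f"link.proxy.{field} is required with auto_proxy")
    return problems

# Constructed samples; the proxy hostname and key are placeholders.
GOOD = b'{"link": {"host": "cloud.tenable.com", "port": 443, "key": "PLACEHOLDER", "retry": 5}}'
BAD = (b'{"link": {"host": "cloud.tenable.com", "port": 443, "key": "PLACEHOLDER", "retry": 12,'
       b' "proxy": {"proxy": "proxy.example.internal", "auto_proxy": "true"}}}')
UTF16 = GOOD.decode("ascii").encode("utf-16")  # same text saved as UTF-16

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD), ("utf16", UTF16)):
        print(label, check_config(raw))
```

Pass the function the file's raw bytes (opened in binary mode) so the encoding check sees exactly what the agent will read.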