Nessuscli

You can administer some Tenable Nessus functions through a command-line interface (CLI) using the nessuscli utility.

This allows the user to manage user accounts, modify advanced settings, manage digital certificates, report bugs, update Tenable Nessus, and fetch necessary license information.

Note: You must run all commands with administrative privileges.

Nessuscli Syntax

Operating System

Command

Windows

C:\Program Files\Tenable\Nessus\nessuscli.exe <cmd> <arg1> <arg2>

macOS

# /Library/Nessus/run/sbin/nessuscli <cmd> <arg1> <arg2>

Linux

# /opt/nessus/sbin/nessuscli <cmd> <arg1> <arg2>

This topic describes the following command types:

Nessuscli Commands

Command Description
Help Commands

nessuscli help

Shows a list of Tenable Nessus commands.

The help output may vary, depending on your Tenable Nessus license.

nessuscli <cmd> help

Shows more help information for specific commands identified in the nessuscli help output.

Backup Commands

nessuscli backup --create <backup_filename>

Creates a backup file of your Tenable Nessus instance, which includes your license and settings, and appends it with <Unix epoch timestamp>.tar.gz. The command does not back up scan results.

Example:

If you run nessuscli backup --create <december-backup>, Tenable Nessus creates the following backup file: december-backup.1671720758. tar.gz.

For more information, see Back Up Tenable Nessus.

nessuscli backup --restore <path/to/backup_filename>

Restores a previously saved backup of Tenable Nessus.

For more information, see Restore Tenable Nessus.

Bug Reporting Commands

The bug reporting commands create an archive that you can send to Tenable, Inc. to help diagnose issues. By default, the script runs in interactive mode.

nessuscli bug-report-generator

Generates an archive of system diagnostics.

Running this command without arguments prompts for values.

--quiet: run the bug report generator without prompting user for feedback.

--scrub: when in quiet mode, bug report generator sanitizes the last two octets of the IPv4 address.

--full: when in quiet mode, bug report generator collects extra data.

User Commands

nessuscli rmuser <username>

Allows you to remove a Tenable Nessus user.

nessuscli chpasswd <username>

Allows you to change a user’s password. The CLI prompts to enter the Tenable Nessus user’s name. The CLI does not echo passwords on the screen.

nessuscli adduser <username>

Allows you to add a Tenable Nessus user account.

The CLI prompts you for a username, password, and opted to allow the user to have an administrator type account. Also, the CLI prompts to add Users Rules for this new user account.

nessuscli lsuser

Shows a list of Tenable Nessus users.

Fetch Commands

Manage Tenable Nessus registration and fetch updates

nessuscli fetch --register <Activation Code>

Uses your Activation Code to register Tenable Nessus online.

Example:

# /opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx

nessuscli fetch --register-only <Activation Code>

Uses your Activation Code to register Tenable Nessus online, but does not automatically download plugin or core updates.

Example:

# /opt/nessus/sbin/nessuscli fetch --register-only xxxx-xxxx-xxxx-xxxx

nessuscli fetch --register-offline nessus.license

Registers Tenable Nessus with the nessus.license file obtained from https://plugins.nessus.org/v2/offline.php and sets Tenable Nessus in offline mode.

Caution: Starting Tenable Nessus in offline mode disables all nessuscli commands that require connection to the Tenable Nessus feed (for example, nessuscli update and nessuscli fix --set_scanner_update_channel=). If Tenable Nessus is in offline mode, you cannot use a fix command to deactivate offline mode.

nessuscli fetch --check

Shows whether Tenable Nessus is properly registered and is able to receive updates.

nessuscli fetch --code-in-use

Shows the Activation Code that Tenable Nessus is using.

nessuscli fetch --challenge

Shows the challenge code needed to use when performing an offline registration.
Example challenge code: aaaaaa11b2222cc33d44e5f6666a777b8cc99999

nessuscli fetch --security-center

Prepares Tenable Nessus to be connected to Tenable Security Center.

Caution: Do not use this command if you do not want to switch your Tenable Nessus instance to Tenable Security Center. This command irreversibly changes the Tenable Nessus scanner or Manager to a Tenable Security Center-managed scanner, resulting in several user interface changes (for example, the site logo changes, and you do not have access to the Sensors page).
Fix Commands

nessuscli fix

Reset registration, show network interfaces, and list advanced settings that you have set.

Using the --secure option acts on the encrypted preferences, which contain information about registration.

You can use --list, --set, --get, and --delete to modify or view preferences.

nessuscli fix [--secure] --list

nessuscli fix [--secure] --set <setting=value>

nessuscli fix [--secure] --get <setting>

nessuscli fix [--secure] --delete <setting>

nessuscli fix --list-interfaces

List the network adapters on this machine.

nessuscli fix --set listen_address=<address>

Tell the server to only listen to connections on the address <address> that is an IP, not a machine name. This option is useful if you are running nessusd on a gateway and if you do not want people on the outside to connect to your nessusd.

nessuscli fix --show

List all advanced settings, including those you have not set. If you have not set an advanced setting, the CLI shows the default value.

Note: This command only lists settings that are shared by all Tenable Nessus license types. In other words, the command does not list any settings specific to Tenable Nessus Expert, Tenable Nessus Professional, or Tenable Nessus Manager.

nessuscli fix --reset

This command deletes all your registration information and preferences, causing Tenable Nessus to run in a non-registered state. Tenable Nessus Manager retains the same linking key after resetting.

Before running nessuscli fix --reset, verify running scans have completed, then stop the nessusd daemon or service, as described in Start or Stop Tenable Nessus.

nessuscli fix --reset-all

This command resets Tenable Nessus to a fresh state, deleting all registration information, settings, data, and users.

Caution: You cannot undo this action. Contact Tenable Support before performing a full reset.

nessuscli fix --set agent_update_channel=<value>

(Tenable Nessus Manager-linked agents only)

Sets the agent update plan to determine what version the agent automatically updates to.

Values:

  • ga — Automatically updates to the latest Tenable Nessus Agent version when it is made generally available (GA).

  • ea — Automatically updates to the latest Tenable Nessus version as soon as it is released for Early Access (EA), typically a few weeks before general availability.

  • stable — Does not automatically update to the latest Tenable Nessus version. Remains on an earlier version of Tenable Nessus set by Tenable, usually one release older than the current generally available version, but no earlier than 8.10.0. When Tenable Nessus releases a new version, your Tenable Nessus instance updates software versions, but stays on a version prior to the latest release.

Note: For agents linked to Tenable Nessus Manager, you need to run the agent_update_channel command from the Tenable Nessus Manager nessuscli utility. For agents linked to Tenable Vulnerability Management, you need to run the agent_update_channel command from the agent nessuscli utility.

nessuscli fix --secure --get agent_linking_key

Retrieve your unique agent linking key.

Note: You can only use this linking key to link an agent. You cannot use it to link a scanner or a child node.
nessuscli fix --secure --get child_node_linking_key

Retrieve your unique child node linking key.

Note: You can only use this linking key to link a child node. You cannot use it to link an agent or a scanner.
nessuscli fix --secure --get scanner_linking_key

Retrieve your unique scanner linking key.

Note: You can only use this linking key to link a scanner. You cannot use it to link an agent or a child node.
nessuscli fix --set niap_mode=enforcing

Enforces NIAP mode for Tenable Nessus. For more information about NIAP mode, see Configure Tenable Nessus for NIAP Compliance.

nessuscli fix --set niap_mode=non-enforcing

Disables NIAP mode for Tenable Nessus. For more information about NIAP mode, see Configure Tenable Nessus for NIAP Compliance.

nessuscli fix --set fips_mode=enforcing

Enforces the current validated FIPS module for Tenable Nessus communication and database encryption. The FIPS module does not affect scanning encryption.

Note: Tenable Nessus also enforces the FIPS module when you enforce NIAP mode. For more information, see Configure Tenable Nessus for NIAP Compliance.

nessuscli fix --set fips_mode=non-enforcing

Disables the FIPS module for Tenable Nessus communication and database encryption.

Note: Tenable Nessus also disables the FIPS module when you disable NIAP mode. For more information, see Configure Tenable Nessus for NIAP Compliance.

nessuscli fix --set path_to_java=<custom file path>

Sets a custom file path to Java for PDF exports. If not set, Tenable Nessus uses the system path.

You must use an absolute file path that contains the Java binary. For example, if the Tenable Nessus installation is in /usr/lib/jvm/java-17-openjdk-amd64, the custom file path must be /usr/lib/jvm/java-17-openjdk-amd64/bin.

nessuscli fix --set global.path_to_docker=<custom path>

Sets the custom file path to Docker for web application scans in Tenable Nessus Expert. Tenable Nessus Expert uses the Docker system path by default (for example, /usr/bin/docker).

You must use an absolute file path.

nessuscli fix --set old_user_files_cleanup_hours=

Sets the interval of time, in hours, after which Tenable Nessus deletes old user files (located in the /nessus/users/<user>/files directory). You may find this setting useful if you are experiencing scan errors due to an excess of user files.

The default and minimum value for this setting is 0. The setting does not have a maximum value. When the setting is set to zero, Tenable Nessus does not perform the file cleanup.

nessuscli fix --set <password_setting>=<value>

Sets parameters and limitations for user passwords. You can use this command to edit the following settings:

  • Password Complexity (passwd_complexity)— Determines whether Tenable Nessus passwords must have a minimum of eight characters, and at least three of the following: an upper case letter, a lower case letter, a special character, and a number. This setting is turned off by default.

  • Session Timeout (xmlrpc_idle_session_timeout)— Defines the web session timeout in minutes. Tenable Nessus logs users out automatically if their session is idle for longer than this timeout value. This setting is set to 30 by default.

  • Max Login Attempts (user_max_login_attempt)— Defines the maximum number of user login attempts allowed by Tenable Nessus before the application locks the account out. Setting this value to 0 disables this feature. This setting is set to 5 by default.

  • Min Password Length (min_password_len)— This setting is set to 8 by default. Defines the minimum number of characters for passwords of accounts.

  • Login Notifications (passwd_notifications)— Determines whether Tenable Nessus can see login notifications. Login notifications allow the user to see the last successful login and failed login attempts (date, time, and IP), and if any failed login attempts have occurred since the last successful login. This setting is turned off by default.

Note: You need the System Administrator role to configure password settings. For more information, see Users.

Tip: You can also manage these settings on the Password Management page. To view the default and valid values of each password settings, see Password Management.

Certificate Commands

nessuscli mkcert-client

Creates a certificate for the Tenable Nessus server.

nessuscli mkcert [-q]

Creates a certificate with default values.

-q for quiet creation.

nessuscli import-certs --serverkey=<server key path> --servercert=<server certificate path> --cacert=<CA certificate path> [--serverchain=<server chain pem path>]

Validates the server key, server certificate, the CA certificate, and the serverchain.pem file and checks that they match. Then, copies the files to the correct locations.

The serverchain parameter is optional.

Software Update Commands

nessuscli update

By default, this tool updates based on the software update options selected through the Tenable Nessus user interface.

Note: This command only works for standalone Tenable Nessus scanners. The command does not work for scanners managed by Tenable Vulnerability Management or Tenable Security Center.

nessuscli update --all

Forces updates for all Tenable Nessus components.

Note: This command only works for standalone Tenable Nessus scanners. The command does not work for scanners managed by Tenable Vulnerability Management or Tenable Security Center.

nessuscli update --plugins-only

Forces updates for Tenable Nessus plugins only.

Note: This command only works for standalone Tenable Nessus scanners. The command does not work for scanners managed by Tenable Vulnerability Management or Tenable Security Center.

nessuscli update <tar.gz filename>

Updates Tenable Nessus plugins by using a TAR file instead of getting the updates from the plugin feed. You obtain the TAR file when you Manage Tenable Nessus Offline - Download and Copy Plugins steps.

nessuscli fix --set scanner_update_channel=<value>

(Tenable Nessus Professional and Tenable Vulnerability Management-managed scanners only)

Sets the Tenable Nessus to determine what version Tenable Nessus automatically updates to.

Note: If you change your update plan and have automatic updates enabled, Tenable Nessus may immediately update to align with the version represented by your selected plan. Tenable Nessus may either upgrade or downgrade versions.

Values:

  • ga: Automatically updates to the latest Tenable Nessus version when it is made generally available (GA). Note: This date is the same day the version is made generally available.

  • ea: Automatically updates to the latest Tenable Nessus version as soon as it is released for Early Access (EA), typically a few weeks before general availability.

  • stable: Does not automatically update to the latest Tenable Nessus version. Remains on an earlier version of Tenable Nessus set by Tenable, usually one release older than the current generally available version, but no earlier than 8.10.0. When Tenable Nessus releases a new version, your Tenable Nessus instance updates software versions, but stays on a version prior to the latest release.

Manager Commands

Used for generating plugin updates for your managed scanners and agents connected to a manager.

nessuscli manager download-core

Downloads core component updates for remotely managed agents and scanners.

nessuscli manager generate-plugins

Generates plugins archives for remotely managed agents and scanners.

Managed Scanner Commands

Used for linking, unlinking, and viewing the status of remote managed scanners.

nessuscli managed help

Shows nessuscli-managed commands and syntax.

nessuscli managed link --key=<key> --host=<host> --port=<port> [optional parameters]

Link an unregistered scanner to a manager.

Note: You cannot link a scanner via the CLI if you have already registered the scanner. You can either link via the user interface, or reset the scanner to unregister it (however, you lose all scanner data).

Optional Parameters:

  • --name: A name for the scanner.

  • --ca-path: A custom CA certificate to use to validate the manager's server certificate.

  • --groups: One or more existing scanner groups where you want to add the scanner. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list.


    For example: --groups="Atlanta,Global Headquarters"

    Note: The scanner group name is case-sensitive and must match exactly.

  • --proxy-host: The hostname or IP address of your proxy server.

  • --proxy-port: The port number of the proxy server.

  • --proxy-username: The name of a user account that has permissions to access and use the proxy server.

  • --proxy-password: The password of the user account that you specified as the username.

  • --proxy-agent: The user agent name, if your proxy requires a preset user agent.

  • --aws-scanner: Indicates that the Tenable Nessus scanner links as an AWS scanner.

    Note: The Tenable Nessus scanner must already be running on an AWS instance for this option to take effect.

    Caution: --aws-scanner is not supported in Amazon Linux 2023 AMI environments.

nessuscli managed unlink

Unlink a managed scanner from its manager.

nessuscli managed status

Identifies the status of the managed scanner.

Dump Command

nessuscli dump --plugins Adds a plugins.xml file in the sbin directory. For example, running the /opt/nessus/sbin/nessuscli dump --plugins on Linux adds a plugins.xml file to the /opt/nessus/sbin/plugins directory.

Node Commands

Used for viewing and changing node links in a cluster environment.

nessuscli node link --key=<key> --host=<host> --port=<port>

Links the child node to the parent node in a clustering environment.

For more information on key, host, and port, see Link a Node.

nessuscli node unlink Unlinks the child node from the parent node.
nessuscli node status Shows whether the child node is linked to parent node and the number of agents that are linked.