Nessus-Service
If necessary, whenever possible, you should start and stop Tenable Nessus services using Tenable Nessus service controls in your operating system’s interface.
However, there are many nessus-service
functions that you can perform through a command line interface.
Unless otherwise specified, you can use the nessusd
command interchangeably with nessus-service
server commands.
You can use the # killall nessusd
command to stop all Tenable Nessus services and in-process scans.
Note: You must have administrative privileges to run the following commands.
Nessus-Service Syntax
Operating System | Command |
---|---|
Linux |
# /opt/nessus/sbin/nessus-service [-vhD] [-c <config-file>] [-p <port-number>] [-a <address>] [-S <ip[,ip,…]>] |
macOS |
# /Library/Nessus/run/sbin/nessus-service [-vhD] [-c <config-file>] [-p <port-number>] [-a <address>] [-S <ip[,ip,…]>] |
Nessusd Commands
Option | Description |
---|---|
-c <config-file> |
When starting the nessusd server, this option specifies the server-side nessusd configuration file to use. It allows for the use of an alternate configuration file instead of the standard db. |
-S <ip[,ip2,…]> |
When starting the nessusd server, this option specifies the source IP of Tenable Nessus during scanning. This setting relates to the source IP address of the device that hosts Tenable Nessus, not the scan target IP address. This option is only useful if you have a multi-homed machine with multiple public IP addresses that you would like to use instead of the default one. For this setup to work, the host running nessusd must have multiple NICs with these IP addresses set. |
-D |
When starting the nessusd server, this option forces the server to run in the background (daemon mode). |
-v |
Show the version number and exit. |
-l |
Show a list of those third-party software licenses. |
-h |
Show a summary of the commands and exit. |
--ipv4-only |
Only listen on the IPv4 socket. |
--ipv6-only |
Only listen on the IPv6 socket. |
-q |
Operate in "quiet" mode, suppressing all messages to stdout. |
-R |
Force a reprocessing of the plugins. |
-t |
Check the time stamp of each plugin when starting up to compile newly updated plugins only. |
-K |
Set a parent password for the scanner. If you set a parent password, Tenable Nessus encrypts all policies and credentials contained in the policy. When you set a password, the Tenable Nessus user interface prompts you for the password. Caution: If you set your parent password and lose it, neither your administrator nor Tenable Support can recover it. |
Suppress Command Output Example
You can suppress command output by using the -q
option. For example:
# /opt/nessus/sbin/nessus-service -q -D
Considerations
If you are running nessusd on a gateway and if you do not want people on the outside to connect to your nessusd, set your listen_address advanced setting.
To set this setting, run the following command:
nessuscli fix --set listen_address=<IP address>
This setting tells the server to only listen to connections on the address <IP address> that is an IP address, not a machine name.