Nessuscli
Some Nessus functions can be administered through a command line interface using the nessuscli utility.
This allows the user to manage user accounts, modify advanced settings, manage digital certificates, report bugs, update Nessus, and fetch necessary license information.
Note: All commands must be run by a user with administrative privileges.
Nessuscli Syntax
|
Operating System |
Command |
|---|---|
|
Linux |
# /opt/nessus/sbin/nessuscli <cmd> <arg1> <arg2> |
|
Mac OS X |
# /Library/Nessus/run/sbin/nessuscli <cmd> <arg1> <arg2> |
|
Windows |
C:\Program Files\Tenable\Nessus\nessuscli.exe <cmd> <arg1> <arg2> |
Nessuscli Commands
| Command | Description |
|---|---|
| Help Commands | |
|
nessuscli help |
Displays a list of Nessus commands. The help output may vary, depending on your Nessus license. |
|
nessuscli <cmd> help |
Displays additional help for specific commands identified in the nessuscli help output. |
|
Bug Reporting Commands The bug reporting commands create an archive that can be sent to Tenable, Inc. to help diagnose issues. By default, the script runs in interactive mode. |
|
|
nessuscli bug-report-generator |
Generates an archive of system diagnostics. Running this command without arguments prompts for values. --quiet: run the bug report generator without prompting user for feedback. --scrub: when in quiet mode, bug report generator sanitizes the last two octets of the IPv4 address. --full: when in quiet mode, bug report generator collects extra data. |
| User Commands | |
|
nessuscli rmuser <username> |
Allows you to remove a Nessus user. |
|
nessuscli chpasswd <username> |
Allows you to change a user’s password. You are prompted to enter the Nessus user’s name. Passwords are not echoed on the screen. |
|
nessuscli adduser <username> |
Allows you to add a Nessus user account. You are prompted for a username, password, and opted to allow the user to have an administrator type account. Additionally, you are prompted to add Users Rules for this new user account. |
|
nessuscli lsuser |
Displays a list of Nessus users. |
|
Fetch Commands Manage Nessus registration and fetch updates |
|
|
nessuscli fetch --register <Activation Code> |
Uses your Activation Code to register Nessus online. Example: # /opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx |
| nessuscli fetch --register-only <Activation Code> |
Uses your Activation Code to register Nessus online, but does not automatically download plugin or core updates. Example: # /opt/nessus/sbin/nessuscli fetch --register-only xxxx-xxxx-xxxx-xxxx |
|
nessuscli fetch --register-offline nessus.license |
Registers Nessus 6.3 and newer with the nessus.license file obtained from https://plugins.nessus.org/v2/offline.php. Note: If you are using a version of Nessus 6.2 or earlier, you must use the information and instructions displayed on https://plugins.nessus.org/offline.php. In Nessus 6.2 and earlier, the license is contained in the fc.file. |
|
nessuscli fetch --check |
Displays whether Nessus is properly registered and is able to receive updates. |
|
nessuscli fetch --code-in-use |
Displays the Nessus Activation Code being used by Nessus. |
|
nessuscli fetch --challenge |
Displays the challenge code needed to use when performing an offline registration. |
|
nessuscli fetch --security-center |
Prepares Nessus to be connected to Security Center. |
| Fix Commands | |
|
nessuscli fix |
Reset registration, display network interfaces, and list advanced settings that you have set. Using the --secure option acts on the encrypted preferences, which contain information about registration. --list, --set, --get, and --delete can be used to modify or view preferences. |
|
nessuscli fix [--secure] --list |
|
|
nessuscli fix [--secure] --set <setting=value> |
|
|
nessuscli fix [--secure] --get <setting> |
|
|
nessuscli fix [--secure] --delete <setting> |
|
|
nessuscli fix --list-interfaces |
List the network adapters on this machine. |
|
nessuscli fix --set listen_address=<address> |
Tell the server to only listen to connections on the address <address> that is an IP, not a machine name. This option is useful if you are running nessusd on a gateway and if you do not want people on the outside to connect to your nessusd. |
| nessuscli fix --show | List all advanced settings, including those you have not set. If you have not set an advanced setting, the default value is listed. |
|
nessuscli fix --reset |
This command deletes all your registration information and preferences, causing Nessus to run in a non-registered state. Nessus Manager retains the same linking key after resetting. Before running nessuscli fix --reset, verify running scans have completed, then stop the nessusd daemon or service, as described in Start or Stop Nessus. |
| nessuscli fix --reset-all |
This command resets Nessus to a fresh state, deleting all registration information, settings, data, and users. Caution: This action cannot be undone. Contact Tenable Support before performing a full reset. |
| Certificate Commands | |
|
nessuscli mkcert-client |
Creates a certificate for the Nessus server. |
|
nessuscli mkcert [-q] |
Creates a certificate with default values. -q for quiet creation. |
| Software Update Commands | |
|
nessuscli update |
By default, this tool updates based on the software update options selected through the Nessus user interface. |
|
nessuscli update --all |
Forces updates for all Nessus components. |
|
nessuscli update --plugins-only |
Forces updates for Nessus plugins only. |
|
nessuscli update <tar.gz filename> |
Updates Nessus plugins by using a TAR file instead of getting the updates from the plugin feed. The TAR file is obtained when you Manage Nessus Offline - Download and Copy Plugins steps. |
|
Manager Commands Used for generating plugin updates for your managed scanners and agents connected to a manager. |
|
|
nessuscli manager download-core |
Downloads core component updates for remotely managed agents and scanners. |
|
nessuscli manager generate-plugins |
Generates plugins archives for remotely managed agents and scanners. |
|
Managed Scanner Commands Used for linking, unlinking and viewing the status of remote managed scanners. |
|
|
nessuscli managed help |
Displays nessuscli managed commands and syntax. |
|
nessuscli managed link --key=<key> --host=<host> --port=<port> [optional parameters] |
Link an unregistered scanner to a manager.
Note: You cannot link a scanner via the CLI if the scanner has already been registered. You can either link via the user interface, or reset the scanner to unregister it (however, you lose all scanner data). Optional Parameters: --name: A name for the scanner. --ca-path: A custom CA certificate to use to validate the manager's server certificate. --proxy-host: The hostname or IP address of your proxy server. --proxy-port: The port number of the proxy server. --proxy-username: The name of a user account that has permissions to access and use the proxy server. --proxy-password: The password of the user account that you specified as the username. --proxy-agent: The user agent name, if your proxy requires a preset user agent. |
|
nessuscli managed unlink |
Unlink a managed scanner from its manager. |
|
nessuscli managed status |
Identifies the status of the managed scanner. |