Deploy Nessus using JSON

You can automatically configure and deploy Nessus scanners using a JSON file, config.json. To determine the location of this file on your operating system, see Default Data Directories.

When you first launch Nessus after installation, Nessus checks for environment variables and then for the config.json file. On this first launch, Nessus uses that information to link the scanner to a manager, set preferences, and create a user.

Location of config.json file

Place the config.json file in the following location:

  • Linux: /opt/nessus/var/nessus/config.json
  • Windows: C:\ProgramData\Tenable\Nessus\nessus\config.json
  • Mac OS X: /Library/Nessus/run/var/nessus/config.json

Example Nessus config.json file format:

{
    "link": {
        "name": "sensor name",
        "host": "hostname or IP address",
        "port": 443,
        "key": "abcdefghijklmnopqrstuvwxyz",
        "ms_cert": "CA certificate for linking",
        "retry": 1,
        "groups": ["group 1", "group 2"],
        "proxy": {
            "proxy": "proxyhostname",
            "proxy_port": 443,
            "proxy_username": "proxyusername",
            "proxy_password": "proxypassword",
            "user_agent": "proxyagent",
            "proxy_auth": "NONE"
        }
    },
    "preferences": {
        "global.max_hosts": "500"
    },
    "user": {
        "username": "admin",
        "password": "password",
        "role": "system_administrator",
        "type": "local"
    }
}

config.json Details

The following describes the format of the different settings in each section of config.json.

Note: All sections are optional; if you do not include a section, it is not configured when you first launch Nessus. You can manually configure the settings later.

Linking

The link section sets preferences to link Nessus to a manager.

  • name (Optional): A name for the scanner.
  • host: The hostname or IP address of the manager you want to link to. To link to Tenable.io, use cloud.tenable.com.
  • port: The port for the manager you want to link to. For Nessus Manager: 8834 or your custom port. For Tenable.io: 443.
  • key: The linking key that you retrieved from the manager.
  • ms_cert (Optional): A custom CA certificate to use to validate the manager's server certificate.
  • groups (Optional): One or more existing scanner groups where you want to add the scanner. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list. For example: "Atlanta,Global Headquarters"
  • proxy (Optional): If you are using a proxy server, include the following:
      • proxy: The hostname or IP address of your proxy server.
      • proxy_port: The port number of the proxy server.
      • proxy_username: The name of a user account that has permissions to access and use the proxy server.
      • proxy_password: The password of the user account that you specified as the username.
      • user_agent: The user agent name, if your proxy requires a preset user agent.
      • proxy_auth: The authentication method to use for the proxy.

Preferences

The preferences section configures any advanced settings. For more information, see Advanced Settings.

User

The user section creates a Nessus user.

  • username: Username for the Nessus user.
  • password (Optional but recommended): Password for the Nessus user. If you create a user but leave the password value empty, Nessus automatically generates a password. To log in as the user, use nessuscli to change the user's password first.
  • role: The role for the user. Set to disabled, basic, standard, administrator, or system_administrator. For more information, see Users.
  • type: Set to local.
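
Because config.json holds the linking key and passwords in plain text, it is worth checking the file before it ships with a scanner image. The following pre-deployment check is an added example, not part of the Nessus documentation or tooling. The function name check_config, the rule that settings not marked (Optional) are required, and the sample input are assumptions made here.

```python
import json

# Roles documented on this page; placeholder secrets from its example file (must not ship).
ALLOWED_ROLES = {"disabled", "basic", "standard", "administrator", "system_administrator"}
PLACEHOLDERS = {"abcdefghijklmnopqrstuvwxyz", "password", "proxypassword"}

def check_config(text):
    """Return a list of findings for a config.json document (empty list: nothing found)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    findings = []
    link = cfg.get("link")  # every section is optional, so a missing one is not a finding
    if isinstance(link, dict):
        # Assumption: settings not marked (Optional) on the page are required.
        for field in ("host", "port", "key"):
            if not link.get(field):
                findings.append(f"link.{field} is missing or empty")
        if link.get("host") == "cloud.tenable.com" and link.get("port") != 443:
            findings.append("link.port must be 443 for Tenable.io")
        if link.get("key") in PLACEHOLDERS:
            findings.append("link.key is an example placeholder")
        proxy = link.get("proxy")
        if isinstance(proxy, dict) and proxy.get("proxy_password") in PLACEHOLDERS:
            findings.append("link.proxy.proxy_password is an example placeholder")
    user = cfg.get("user")
    if isinstance(user, dict):
        if not user.get("username"):
            findings.append("user.username is missing or empty")
        if user.get("role") not in ALLOWED_ROLES:
            findings.append(f"user.role {user.get('role')!r} is not a documented role")
        if user.get("type") != "local":
            findings.append("user.type must be local")
        password = user.get("password")
        if not password:
            findings.append("user.password is empty: Nessus will generate one")
        elif password in PLACEHOLDERS:
            findings.append("user.password is an example placeholder")
    return findings

# Constructed sample input (not a real deployment file).
SAMPLE = json.dumps({
    "link": {"host": "cloud.tenable.com", "port": 8834, "key": "abcdefghijklmnopqrstuvwxyz"},
    "user": {"username": "admin", "password": "", "role": "admin", "type": "local"},
})
print("\n".join(check_config(SAMPLE)))
```

Run it against the file before copying it into the scanner's data directory; an empty result means none of these checks fired, not that the values are correct for your manager.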