Deploy Tenable Nessus as a Docker Image
You can deploy a managed Tenable Nessus scanner or an instance of Tenable Nessus Professional as a Docker image to run on a container. Tenable provides two base Tenable Nessus images: Oracle Linux 8 (x86_64 and AArch64) and Ubuntu (x86_64). You can use environment variables to configure the Tenable Nessus instance automatically when you run the image.
Tenable does not recommend deploying Tenable Nessus in a Docker container that shares a network interface controller (NIC) with another Docker container.
Note: Tenable Nessus does not support storage volumes. Therefore, if you deploy a new Tenable Nessus image, you will lose your data and need to reconfigure Tenable Nessus. However, while deploying the new image, you can configure any initial user and linking information with environment variables, as described in step two of the following procedure.
Before you begin:
- Download and install Docker for your operating system.
- Access the Tenable Nessus Docker image from https://hub.docker.com/r/tenable/nessus.
To deploy Tenable Nessus as a Docker image:
- In your terminal, use the docker pull command to get the image.
  $ docker pull tenable/nessus:<version-OS>
  For the <version-OS> tag, you must specify the Tenable Nessus version and whether you are pulling Oracle Linux 8 or Ubuntu. You can use the latest tag in place of a specific Tenable Nessus version (for example, latest-ubuntu).
- Use the docker run command to run your image.
  - Use the operators with the appropriate options for your deployment, as described in Operators.
  - To preconfigure Tenable Nessus, use the -e operator to set environment variables, as described in Environment Variables.
  Note: Tenable recommends using environment variables to configure your instance of Tenable Nessus when you run the image. If you do not include environment variables such as an activation code, username, password, or linking key (if creating a managed Tenable Nessus scanner), you must configure those items later.
- Open Tenable Nessus in your browser:
  - To access a remotely installed Tenable Nessus instance, go to https://<remote IP address>:8834 (for example, https://111.49.7.180:8834).
  - To access a locally installed Tenable Nessus instance, go to https://localhost:8834.
- Perform the remaining Tenable installation steps in your browser. If you did not include environment variables, complete any remaining configuration steps in the command-line interface or Tenable Nessus configuration wizard.
To stop and remove Tenable Nessus as a Docker image:
- To stop and remove the container, see Remove Tenable Nessus as a Docker Container.
Operators
Operator | Description |
---|---|
--name | Sets the name of the container in Docker. |
-d | Starts a container in detached mode. |
-p | Publishes to the specified port in the format host port:container port. By default, the port is 8834:8834. If you have several Tenable Nessus containers running, use a different host port. The container port must be 8834 because Tenable Nessus listens on port 8834. |
-e | Precedes an environment variable. For descriptions of environment variables you can set to configure settings in your Tenable Nessus instance, see Environment Variables. |
Environment Variables
The required and optional environment variables differ based on your Tenable Nessus license and whether you are linking to Tenable Vulnerability Management.
Variable | Required? | Description |
---|---|---|
USERNAME | Yes | Creates the administrator user. |
PASSWORD | Yes | Creates the password for the user. |
Linking Options | ||
LINKING_KEY | Yes | The linking key from the manager. |
NAME | No | The name of the Tenable Nessus scanner that shows in the manager. By default, the name is the container ID. |
MANAGER_HOST | No | The hostname or IP address of the manager. By default, the hostname is cloud.tenable.com. |
MANAGER_PORT | No | The port of the manager. By default, the port is 443. |
GROUPS | No | A single group or comma-separated list of groups that the scanner should be added to. Group names are case-sensitive. |
Proxy Options | ||
PROXY | No | The hostname or IP address of the proxy server. |
PROXY_PORT | No | The port number of the proxy server. |
PROXY_USER | No | The name of a user account that has permissions to access and use the proxy server. |
PROXY_PASS | No | The password of the user account that you specified as the proxy user. |
Tenable Nessus Settings | ||
AUTO_UPDATE | No | Sets whether Tenable Nessus should automatically receive updates. Valid values are as follows: |
Example: Managed Tenable Nessus scanner linked to Tenable Vulnerability Management
docker run --name "nessus-managed" -d -p 8834:8834 -e LINKING_KEY=<Tenable Vulnerability Management linking key> -e USERNAME=admin -e PASSWORD=admin -e MANAGER_HOST=cloud.tenable.com -e MANAGER_PORT=443 tenable/nessus:<version-OS>
Variable | Required? | Description |
---|---|---|
USERNAME | Yes | Creates the administrator user. |
PASSWORD | Yes | Creates the password for the user. |
Linking Options | ||
SC_MANAGED | Yes | If set to yes, starts the container in Tenable Security Center mode. You must include this operator to deploy the image as a Tenable Security Center-managed scanner. |
NAME | No | The name of the Tenable Nessus scanner that shows in the manager. By default, the name is the container ID. |
Proxy Options | ||
PROXY-HOST | No | The hostname or IP address of the proxy server. |
PROXY-PORT | No | The port number of the proxy server. |
PROXY-USERNAME | No | The name of a user account that has permissions to access and use the proxy server. |
PROXY-PASSWORD | No | The password of the user account that you specified as the proxy user. |
PROXY-AGENT | No | The user agent name, if your proxy requires a preset user agent. |
Example: Managed Tenable Nessus scanner linked to Tenable Security Center
docker run --name "nessus-managed" -d -p 8834:8834 -e SC_MANAGED=yes -e USERNAME=admin -e PASSWORD=admin -e PROXY-HOST=cloud.tenable.com -e PROXY-PORT=443 tenable/nessus:<version-OS>
Variable | Required? | Description |
---|---|---|
ACTIVATION_CODE | Yes | The activation code to register Tenable Nessus. |
USERNAME | Yes | Creates the administrator user. |
PASSWORD | Yes | Creates the password for the user. |
Example: Tenable Nessus Professional
docker run --name "nessus-pro" -d -p 8834:8834 -e ACTIVATION_CODE=<activation code> -e USERNAME=admin -e PASSWORD=admin tenable/nessus:<version-OS>
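The examples on this page pass the password and activation code with -e on the command line, where they end up in shell history and the process list. The following added example (not part of Tenable's documentation) writes the Tenable Nessus Professional variables to an owner-only file with a random password and passes it with Docker's --env-file option. The function names, the file location and the loopback host binding are assumptions.

```shell
#!/bin/sh
# Added example, not Tenable's code. Values below are constructed.

# make_nessus_env FILE ACTIVATION_CODE USERNAME
# Writes the three Nessus Professional variables to FILE, readable by the
# owner only, with a random PASSWORD instead of a guessable one.
make_nessus_env() {
    env_file=$1; code=$2; user=$3
    # 24 random bytes as 48 hex characters: no characters that need quoting.
    pass=$(od -An -N24 -tx1 /dev/urandom | tr -d ' \n')
    : > "$env_file"
    chmod 600 "$env_file"          # restrict before any secret is written
    {
        printf 'ACTIVATION_CODE=%s\n' "$code"
        printf 'USERNAME=%s\n' "$user"
        printf 'PASSWORD=%s\n' "$pass"
    } >> "$env_file"
}

# nessus_run_cmd FILE HOST_BIND TAG
# Prints the docker run command line; it does not start a container.
# HOST_BIND is the host side of -p (assumption: loopback only, so the UI on
# 8834 is not published on every host interface). Container port stays 8834.
nessus_run_cmd() {
    printf 'docker run --name nessus-pro -d -p %s:8834 --env-file %s tenable/nessus:%s\n' \
        "$2" "$1" "$3"
}

# Demo with placeholder values.
demo_dir=$(mktemp -d)
make_nessus_env "$demo_dir/nessus.env" "<activation code>" admin
nessus_run_cmd "$demo_dir/nessus.env" 127.0.0.1:8834 "<version-OS>"
rm -rf "$demo_dir"
```

Values set this way remain visible in docker inspect output, so access to the Docker daemon on the host needs to be restricted as well.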
Variable | Required? | Description |
---|---|---|
USERNAME | No | Creates the administrator user. |
PASSWORD | No | Creates the password for the user. |