Nessuscli

You can administer some Nessus functions through a command-line interface (CLI) using the nessuscli utility.

This allows the user to manage user accounts, modify advanced settings, manage digital certificates, report bugs, update Nessus, and fetch necessary license information.

Note: You must run all commands with administrative privileges.

Nessuscli Syntax

Operating System

Command

Linux

# /opt/nessus/sbin/nessuscli <cmd> <arg1> <arg2>

macOS

# /Library/Nessus/run/sbin/nessuscli <cmd> <arg1> <arg2>

Windows

C:\Program Files\Tenable\Nessus\nessuscli.exe <cmd> <arg1> <arg2>

This topic describes the following command types:

Nessuscli Commands

Command Description
Help Commands

nessuscli help

Shows a list of Nessus commands.

The help output may vary, depending on your Nessus license.

nessuscli <cmd> help

Shows more help information for specific commands identified in the nessuscli help output.

Backup Commands

nessuscli backup --create <backup_filename>

Creates a backup of your Nessus instance, which includes your license and settings. Does not back up scan results.

For more information, see Back Up Nessus.

nessuscli backup --restore <path/to/backup_filename>

Restores a previously saved backup of Nessus.

For more information, see Restore Nessus.

Bug Reporting Commands

The bug reporting commands create an archive that you can send to Tenable, Inc. to help diagnose issues. By default, the script runs in interactive mode.

nessuscli bug-report-generator

Generates an archive of system diagnostics.

Running this command without arguments prompts for values.

--quiet: Runs the bug report generator without prompting the user for feedback.

--scrub: When in quiet mode, the bug report generator sanitizes the last two octets of the IPv4 address.

--full: When in quiet mode, the bug report generator collects extra data.

User Commands

nessuscli rmuser <username>

Allows you to remove a Nessus user.

nessuscli chpasswd <username>

Allows you to change a user’s password. The CLI prompts you to enter the Nessus user’s name. The CLI does not echo passwords on the screen.

nessuscli adduser <username>

Allows you to add a Nessus user account.

The CLI prompts you for a username and password, and asks whether to give the user an administrator type account. The CLI also prompts you to add User Rules for the new user account.

nessuscli lsuser

Shows a list of Nessus users.

Fetch Commands

Manage Nessus registration and fetch updates.

nessuscli fetch --register <Activation Code>

Uses your Activation Code to register Nessus online.

Example:

# /opt/nessus/sbin/nessuscli fetch --register xxxx-xxxx-xxxx-xxxx

nessuscli fetch --register-only <Activation Code>

Uses your Activation Code to register Nessus online, but does not automatically download plugin or core updates.

Example:

# /opt/nessus/sbin/nessuscli fetch --register-only xxxx-xxxx-xxxx-xxxx

nessuscli fetch --register-offline nessus.license

Registers Nessus with the nessus.license file obtained from https://plugins.nessus.org/v2/offline.php.

nessuscli fetch --check

Shows whether Nessus is properly registered and is able to receive updates.

nessuscli fetch --code-in-use

Shows the Nessus Activation Code that Nessus is using.

nessuscli fetch --challenge

Shows the challenge code that you need when performing an offline registration.

Example challenge code: aaaaaa11b2222cc33d44e5f6666a777b8cc99999

nessuscli fetch --security-center

Prepares Nessus to be connected to Security Center.

Caution: Do not use this command if you do not want to switch your Nessus instance to Tenable.sc. This command irreversibly changes the Nessus scanner or Manager to a Tenable.sc-managed scanner, resulting in several user interface changes (for example, the site logo changes, and you do not have access to the Sensors page).

Fix Commands

nessuscli fix

Reset registration, show network interfaces, and list advanced settings that you have set.

Using the --secure option acts on the encrypted preferences, which contain information about registration.

You can use --list, --set, --get, and --delete to modify or view preferences.

nessuscli fix [--secure] --list

nessuscli fix [--secure] --set <setting=value>

nessuscli fix [--secure] --get <setting>

nessuscli fix [--secure] --delete <setting>

nessuscli fix --list-interfaces

List the network adapters on this machine.

nessuscli fix --set listen_address=<address>

Tells the server to listen for connections only on <address>, which must be an IP address, not a machine name. This option is useful if you are running nessusd on a gateway and do not want people on the outside to connect to your nessusd.
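
The following added example (not part of the Nessus documentation) wraps the listen_address command in a check that rejects machine names and malformed addresses before anything is passed to nessuscli. It assumes IPv4 addresses only and the Linux path shown earlier; is_ipv4, set_listen_address, DRY_RUN, and NESSUSCLI are hypothetical names.

```shell
#!/bin/sh
# Added example: validate an address before running
#   nessuscli fix --set listen_address=<address>
# Assumption: IPv4 literals only. Function and variable names are hypothetical.

NESSUSCLI="${NESSUSCLI:-/opt/nessus/sbin/nessuscli}"   # Linux path from this page

# is_ipv4 ADDRESS: succeed only for a dotted-quad IPv4 literal.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, stray dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) return 1 ;;              # leading zero or more than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# set_listen_address ADDRESS: refuse anything that is not an IPv4 literal.
# With DRY_RUN=1 the command is printed instead of executed.
set_listen_address() {
    if ! is_ipv4 "$1"; then
        echo "refusing listen_address '$1': not an IPv4 literal" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$NESSUSCLI fix --set listen_address=$1"
    else
        "$NESSUSCLI" fix --set "listen_address=$1"
    fi
}

# Demonstration with a constructed documentation address; prints the command only.
( DRY_RUN=1; set_listen_address 192.0.2.10 )
```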

nessuscli fix --show

List all advanced settings, including those you have not set. If you have not set an advanced setting, the CLI shows the default value.

nessuscli fix --reset

This command deletes all your registration information and preferences, causing Nessus to run in a non-registered state. Nessus Manager retains the same linking key after resetting.

Before running nessuscli fix --reset, verify running scans have completed, then stop the nessusd daemon or service, as described in Start or Stop Nessus.

nessuscli fix --reset-all

This command resets Nessus to a fresh state, deleting all registration information, settings, data, and users.

Caution: You cannot undo this action. Contact Tenable Support before performing a full reset.

nessuscli fix --secure --get agent_linking_key

Retrieve your unique agent linking key.

Note: You can only use this linking key to link an agent. You cannot use it to link a scanner or a child node.

nessuscli fix --secure --get child_node_linking_key

Retrieve your unique child node linking key.

Note: You can only use this linking key to link a child node. You cannot use it to link an agent or a scanner.

nessuscli fix --secure --get scanner_linking_key

Retrieve your unique scanner linking key.

Note: You can only use this linking key to link a scanner. You cannot use it to link an agent or a child node.

nessuscli fix --set niap_mode=enforcing

Enforces NIAP mode for Nessus. For more information about NIAP mode, see Configure Nessus for NIAP Compliance.

This version of Nessus is not NIAP-certified, but the niap_mode command still functions as expected.

nessuscli fix --set niap_mode=non-enforcing

Disables NIAP mode for Nessus. For more information about NIAP mode, see Configure Nessus for NIAP Compliance.

This version of Nessus is not NIAP-certified, but the niap_mode command still functions as expected.

nessuscli fix --set fips_mode=enforcing

Enforces the current validated FIPS module for Nessus communication and database encryption. The FIPS module does not affect scanning encryption.

Note: Nessus also enforces the FIPS module when you enforce NIAP mode. For more information, see Configure Nessus for NIAP Compliance.

nessuscli fix --set fips_mode=non-enforcing

Disables the FIPS module for Nessus communication and database encryption.

Note: Nessus also disables the FIPS module when you disable NIAP mode. For more information, see Configure Nessus for NIAP Compliance.

Certificate Commands

nessuscli mkcert-client

Creates a certificate for the Nessus server.

nessuscli mkcert [-q]

Creates a certificate with default values.

-q for quiet creation.

nessuscli import-certs --serverkey=<server key path> --servercert=<server certificate path> --cacert=<CA certificate path>

Validates the server key, server certificate, and CA certificate and checks that they match. Then, copies the files to the correct locations.

Software Update Commands

nessuscli update

By default, this tool updates based on the software update options selected through the Nessus user interface.

Note: This command only works for standalone Nessus scanners. The command does not work for scanners managed by Tenable.io or Tenable.sc.

nessuscli update --all

Forces updates for all Nessus components.

Note: This command only works for standalone Nessus scanners. The command does not work for scanners managed by Tenable.io or Tenable.sc.

nessuscli update --plugins-only

Forces updates for Nessus plugins only.

Note: This command only works for standalone Nessus scanners. The command does not work for scanners managed by Tenable.io or Tenable.sc.

nessuscli update <tar.gz filename>

Updates Nessus plugins by using a TAR file instead of getting the updates from the plugin feed. You obtain the TAR file when you complete the Manage Nessus Offline - Download and Copy Plugins steps.

nessuscli fix --set scanner_update_channel=<value>

(Nessus Professional and Tenable.io-managed scanners only)

Sets the Nessus update plan to determine what version Nessus automatically updates to.

Note: If you change your update plan and have automatic updates enabled, Nessus may immediately update to align with the version represented by your selected plan. Nessus may either upgrade or downgrade versions.

Values:

  • ga: Automatically updates to the latest Nessus version when it is made generally available (GA). Note: For Nessus Professional, this date is the same day the version is made generally available. For Tenable.io-linked Nessus scanners, this date is usually one week after the version is made generally available. For versions that address critical security issues, Tenable may make the version available immediately.

  • ea: Automatically updates to the latest Nessus version as soon as it is released for Early Access (EA), typically a few weeks before general availability.

  • stable: Does not automatically update to the latest Nessus version. Remains on an earlier version of Nessus set by Tenable, usually one release older than the current generally available version, but no earlier than 8.10.0. When Nessus releases a new version, your Nessus instance updates software versions, but stays on a version prior to the latest release.

Manager Commands

Used for generating plugin updates for your managed scanners and agents connected to a manager.

nessuscli manager download-core

Downloads core component updates for remotely managed agents and scanners.

nessuscli manager generate-plugins

Generates plugins archives for remotely managed agents and scanners.

Managed Scanner Commands

Used for linking, unlinking, and viewing the status of remote managed scanners.

nessuscli managed help

Shows nessuscli managed commands and syntax.

nessuscli managed link --key=<key> --host=<host> --port=<port> [optional parameters]

Link an unregistered scanner to a manager.

Note: You cannot link a scanner via the CLI if you have already registered the scanner. You can either link via the user interface, or reset the scanner to unregister it (however, you lose all scanner data).

Optional Parameters:

  • --name: A name for the scanner.

  • --ca-path: A custom CA certificate to use to validate the manager's server certificate.

  • --groups: One or more existing scanner groups where you want to add the scanner. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list.


    For example: --groups="Atlanta,Global Headquarters"

    Note: The scanner group name is case-sensitive and must match exactly.

  • --proxy-host: The hostname or IP address of your proxy server.

  • --proxy-port: The port number of the proxy server.

  • --proxy-username: The name of a user account that has permissions to access and use the proxy server.

  • --proxy-password: The password of the user account that you specified as the username.

  • --proxy-agent: The user agent name, if your proxy requires a preset user agent.

  • --aws-scanner: Indicates that the Nessus scanner links as an AWS scanner.

    Note: The Nessus scanner must already be running on an AWS instance for this option to take effect.
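
The following added example (not part of the Nessus documentation) builds the managed link command one argument at a time, so that a --groups list containing spaces reaches nessuscli as a single argument, and refuses to link unless a readable --ca-path file is supplied. Requiring --ca-path is this example's own policy; link_scanner, DRY_RUN, and NESSUSCLI are hypothetical names, and all sample values are constructed.

```shell
#!/bin/sh
# Added example: wrapper around
#   nessuscli managed link --key=<key> --host=<host> --port=<port> [optional parameters]
# Names are hypothetical; only flags listed on this page are used.

NESSUSCLI="${NESSUSCLI:-/opt/nessus/sbin/nessuscli}"   # Linux path from this page

# link_scanner KEY HOST PORT CA_PATH [GROUPS]
# GROUPS is the comma-separated list described above, passed as ONE string.
link_scanner() {
    key=$1 host=$2 port=$3 ca_path=$4 scanner_groups=${5:-}

    [ -n "$key" ] && [ -n "$host" ] || { echo "key and host are required" >&2; return 2; }

    case "$port" in
        ''|*[!0-9]*|??????*) echo "port must be 1-5 digits" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 2; }

    # Policy of this example: always validate the manager's server
    # certificate against an explicit CA file.
    [ -r "$ca_path" ] || { echo "CA certificate not readable: $ca_path" >&2; return 2; }

    # Build the argument vector; each quoted word stays one argument,
    # so "Atlanta,Global Headquarters" is not split at the space.
    set -- managed link "--key=$key" "--host=$host" "--port=$port" "--ca-path=$ca_path"
    [ -z "$scanner_groups" ] || set -- "$@" "--groups=$scanner_groups"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"        # one argument per line, as nessuscli would receive them
    else
        "$NESSUSCLI" "$@"
    fi
}

# Usage (constructed values):
#   DRY_RUN=1 link_scanner "<key>" manager.example.com 8834 /path/to/ca.pem "Atlanta,Global Headquarters"
```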

nessuscli managed unlink

Unlink a managed scanner from its manager.

nessuscli managed status

Identifies the status of the managed scanner.

Dump Command

nessuscli dump --plugins

Adds a plugins.xml file in the sbin directory. For example, running /opt/nessus/sbin/nessuscli dump --plugins on Linux adds a plugins.xml file to the /opt/nessus/sbin/plugins directory.

Node Commands

Used for viewing and changing node links in a cluster environment.

nessuscli node link --key=<key> --host=<host> --port=<port>

Links the child node to the parent node in a clustering environment.

For more information on key, host, and port, see Link a Node.

nessuscli node unlink

Unlinks the child node from the parent node.

nessuscli node status

Shows whether the child node is linked to the parent node and the number of agents that are linked.