Advanced Settings
The Advanced Settings page allows you to configure Tenable Nessus manually. You can configure advanced settings from the Tenable Nessus user interface, or from the command-line interface. Tenable Nessus validates your input values to ensure only valid configurations.
Note: You need the System Administrator role to configure Tenable Nessus settings. For more information, see Users.
Tenable Nessus groups the advanced settings into the following categories:
- User Interface
- Scanning
- Logging
- Performance
- Security
- Agents and Scanners
- Cluster
- Miscellaneous
- Custom
Details
-
Advanced settings apply globally across your Tenable Nessus instance.
- To configure advanced settings, you must use a Tenable Nessus administrator user account.
- Tenable Nessus does not automatically update all advanced settings.
- Changes may take several minutes to take effect.
- Tenable Nessus indicates the settings that require restarting for the change to apply with the
icon. - Custom policy settings supersede the global advanced settings.
User Interface
|
Setting |
Description |
Default | Valid Values | Restart Required? |
|---|---|---|---|---|
|
Allow Post-Scan Editing (allow_post_scan_editing) |
Allows a user to make edits to scan results after the scan is complete. |
yes | yes or no | no |
| Disable API (disable_api) | Disables the API, including inbound HTTP connections. Users cannot access Tenable Nessus via the user interface or the API. |
no |
yes or no |
yes |
| Disable Frontend (disable_frontend) | Disables the Tenable Nessus user interface. Users can still use the API. |
no |
yes or no |
yes |
| Login Banner (login_banner) |
A text banner that appears after you attempt to log in to Tenable Nessus.
Note: The banner only appears the first time you log in on a new browser or computer. |
None | String | no |
|
Maximum Concurrent Web Users (global.max_web_users) |
Maximum web users who can connect simultaneously. |
1024 |
Integers. If set to 0, there is no limit. |
no |
| Nessus Web Server IP ( listen_address) |
IPv4 address to listen for incoming connections. If set to 127.0.0.1, this restricts access to local connections only. |
0.0.0.0 | String in the format of an IP address | yes |
| Nessus Web Server Port (xmlrpc_listen_port) | The port that the Tenable Nessus web server listens on. | 8834 | Integers | yes |
| UI Theme (ui_theme) |
When enabled, changes user interface color theme to dark mode.
Note: The UI Theme setting may not function properly if you have SELinux enabled. |
Track Os Setting | Light, Dark, or Track Os Setting | no |
| Use Mixed Vulnerability Groups (scan_vulnerability_groups_mixed) | When enabled, Tenable Nessus shows the severity level as Mixed for vulnerability groups, unless all the vulnerabilities in a group have the same severity. When disabled, Tenable Nessus shows the highest severity indicator of a vulnerability in a group | yes | Yes or No | no |
| Use Vulnerability Groups (scan_vulnerability_groups) | When enabled, Tenable Nessus groups vulnerabilities in scan results by common attributes, giving you a shorter list of results. | yes | yes or no | no |
Scanning
|
Setting |
Description |
Default | Valid Values | Restart Required? |
|---|---|---|---|---|
| Audit Trail Verbosity (audit_trail) | Controls verbosity of the plugin audit trail. Full audit trails include the reason why Tenable Nessus did not include certain plugins in the scan. | full | full, partial, none | no |
| Auto Enable Plugin Dependencies (auto_enable_dependencies) |
Automatically activates the plugins that are depended on by other plugins. The setting does not enable plugins that are depended on by scan template settings. If disabled, not all plugins may run despite being selected in a scan policy. |
yes | yes or no | no |
| CGI Paths for Web Scans (cgi_path) |
A colon-delimited list of CGI paths to use for web server scans. |
/cgi-bin:/scripts |
String | no |
| Engine Thread Idle Time (engine.idle_wait) | Number of seconds a scan engine remains idle before shutting itself down. | 60 | Integers 0-600 | no |
| Max Plugin Output Size (plugin_output_max_size_kb) |
The maximum size, in KB, of plugin output that Tenable Nessus includes in the exported scan results with the .nessus format. If the output exceeds the maximum size, Tenable Nessus truncates the output in the report. |
1000 |
Integers. If set to 0, there is no limit. |
no |
| Maximum Ports in Scan Reports (report.max_ports) | The maximum number of allowable ports. If there are more ports in the scan results than this value, Tenable Nessus discards the port scan results. This limit helps guard against fake targets that may have thousands of reported ports, but can also result in the deletion of valid results from the scan results database, so you may want to increase the default if this is a problem. | 1024 | Integers | no |
| Maximum Ports Reported by Portscanner Plugins (portscanner.max_ports) | The maximum number of ports that the Tenable Nessus port-scanning plugins can mark as open. This includes the port scanners proper and any plugin that calls NASL function scanner_add_port(). | 1024 | Integers 0-65535 | no |
| Maximum Size for E-mailed Reports (attached_report_maximum_size) | Specifies the maximum size, in MB, of any report attachment. If the report exceeds the maximum size, then it is not attached to the email. Tenable Nessus does not support report attachments larger than 50 MB. | 25 | Integers 0-50 | no |
| Nessus Rules File Location (rules) |
Location of the Tenable Nessus rules file (nessusd.rules). The following are the defaults for each operating system: Linux: /opt/nessus/etc/nessus/nessusd.rules macOS: /Library/Nessus/run/var/nessus/conf/nessusd.rules Windows: C:\ProgramData\Tenable\Nessus\nessus\conf\nessusd.rules |
Nessus config directory for your operating system | String | no |
| Non-Simultaneous Ports (non_simult_ports) | Specifies ports against which two plugins you cannot run simultaneously. | 139, 445, 3389 | String | no |
| Paused Scan Timeout (paused_scan_timeout) | The duration, in minutes, that a scan can remain in the paused state before Tenable Nessus terminates it. | 0 | Integers 0-10080 | no |
| PCAP Snapshot Length (pcap.snaplen) | The snapshot size used for packet capture; the maximum size of a captured network packet. Typically, Tenable Nessus sets this value automatically based on the scanner's NIC. However, depending on your network configuration, Tenable Nessus may truncate the packages, resulting in the following message in your scan report: "The current snapshot length of ### for interface X is too small." You can increase the length to avoid packet truncation. | 0 | Integers 0-262144 | no |
| Port Range (port_range) | The default range of ports that the scanner plugins probe. | default |
default, all, a range of ports, a comma-separated list of ports and/or port ranges. Specify UDP and TCP ports by prefixing each range by T: or U:. |
no |
| Reverse DNS Lookups (reverse_lookup) | When enabled, Tenable Nessus identifies targets by their fully qualified domain name (FQDN) in the scan report. When disabled, the report identifies the target by hostname or IP address. | no | yes or no | no |
| Safe Checks (safe_checks) |
When enabled, Tenable Nessus uses safe checks, which use banner grabbing rather than active testing for a vulnerability. |
yes | yes or no | no |
| Silent Plugin Dependencies (silent_dependencies) | When enabled, Tenable Nessus does not include the list of plugin dependencies and their output in the report. You can select a plugin as part of a policy that depends on other plugins to run. By default, Tenable Nessus runs those plugin dependencies, but does not include their output in the report. When disabled, Tenable Nessus includes both the selected plugin and any plugin dependencies in the report. | yes | yes or no | no |
| Slice Network Addresses (slice_network_addresses) | If you set this option, Tenable Nessus does not scan a network incrementally (10.0.0.1, then 10.0.0.2, then 10.0.0.3, and so on) but attempts to slice the workload throughout the whole network (for example, it scans 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128, and so on). | no | yes or no | no |
| System Default Severity Basis (severity_basis) |
In Tenable Nessus scanners and Tenable Nessus Professional, you can choose whether Tenable Nessus calculates the severity of vulnerabilities using CVSSv2 or CVSSv3 scores (when available) by configuring your default severity base setting. In Tenable Nessus scanners and Tenable Nessus Professional, you can choose whether Tenable Nessus calculates the severity of vulnerabilities using CVSSv2, CVSSv3, or CVSSv4 scores (when available) by configuring your default severity base setting. When you change the default severity base, the change applies to all existing scans that are configured with the default severity base. Future scans also use the default severity base. For more information about CVSS scores and severity ranges, see CVSS Scores vs. VPR. Note: This setting is not available for Tenable Nessus Manager.
|
On a new installation of Tenable Nessus: cvss_v3 On preexisting upgraded instance: cvss_v2 |
|
no |
Logging
|
Setting |
Description |
Default | Valid Values | Restart Required? |
|---|---|---|---|---|
| Log Additional Scan Details (log_details) | When enabled, scan logs include the username, scan name, and current plugin name in addition to the base information. You may not see these additional details unless you also enable log_whole_attack. | no | yes or no | no |
| Log Verbose Scan Details (log_whole_attack) | Logs verbose details of the scan. Helpful for debugging issues with the scan, but this may be disk intensive. To add more details, enable log_details. | no | yes or no | no |
| Nessus Dump File Location (dumpfile) |
Location of nessusd.dump, a log file for debugging output if generated. The following are the defaults for each operating system: Linux: /opt/nessus/var/nessus/logs/nessusd.dump macOS: /Library/Nessus/run/var/nessus/logs/nessusd.dump Windows: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.dump |
Nessus log directory for your operating system |
String | yes |
| Nessus Dump File Log Level (nasl_log_type) |
The type of NASL engine output in nessusd.dump. |
normal | normal, none, trace, or full. | yes |
| Nessus Dump File Max Files (dumpfile_max_files) | The maximum number of the nessusd.dump files kept on disk. If the number exceeds the specified value, Tenable Nessus deletes the oldest dump file. | 100 | Integers 1-1000 | yes |
| Nessus Dump File Max Size (dumpfile_max_size) | The maximum size of the nessusd.dump files in MB. If file size exceeds the maximum size, Tenable Nessus creates a new dump file. | 512 | Integers 1-2048 | yes |
| Nessus Dump File Rotation Time (dumpfile_rotation_time) | Determines how often Tenable Nessus dump files are rotated in days. | 1 | Integers 1-365 | yes |
| Nessus Dump File Rotation (dumpfile_rot) |
Determines whether Tenable Nessus rotates dump files based on maximum rotation size or rotation time. |
size | size — Tenable Nessusrotates dump files based on size, as specified in dumpfile_max_size. time — Tenable Nessus rotates dump files based on time, as specified in dumpfile_rotation_time. |
yes |
| Nessus Log Level (backend_log_level) |
The logging level of the backend.log log file, as indicated by a set of log tags that determine what information to include in the log. If you manually edited log.json to set a custom set of log tags for backend.log, this setting overwrites that content. For more information, see Manage Logs. |
normal |
|
yes |
| Nessus Scanner Log Location (logfile) |
Location where Tenable Nessus stores its scanner log file. The following are the defaults for each operating system: Linux: /opt/nessus/var/nessus/logs/nessusd.messages macOS: /Library/Nessus/run/var/nessus/logs/nessusd.messages Windows: C:\ProgramData\Tenable\Nessus\nessus\logs\nessusd.messages |
Nessus log directory for your operating system | String | yes |
| Log File Maximum Files (logfile_max_files) | Determines the maximum number of nessusd.messages files that Tenable Nessus keeps on the disk. If the number of nessusd.messages log files exceeds the specified value, Tenable Nessus deletes the oldest log files. |
Tenable Nessus — 100 Tenable Nessus Agent — 2 |
Integers 1-1000 |
yes |
| Log File Maximum Size (logfile_max_size) | Determines the maximum size of the nessusd.messages file in MB. If the file size exceeds the maximum size, Tenable Nessus creates a new messages log file. |
Tenable Nessus —512 Tenable Nessus Agent — 10 |
Integers 1-2048 |
yes |
| Log File Rotation Time (logfile_rotation_time) | Determines how often Tenable Nessus messages log files are rotated in days. | 1 | Integers 1-365 | yes |
| Log File Rotation (logfile_rot) |
Determines whether Tenable Nessus rotates messages log files based on maximum rotation size or rotation time. |
size |
size — Tenable Nessus rotates log files based on size, as specified in logfile_max_size. time — Tenable Nessus rotates log files based on time, as specified in logfile_rotation_time. |
yes |
| Scanner Metric Logging (scanner.metrics) | Enables scanner performance metrics data gathering. | 0 |
0 (off), 0x3f (full data except plugin metrics), 0x7f (full data including plugin metrics) Note: Including plugin metrics greatly increases the size of the log file. Tenable Nessus does not automatically clean up log files. |
no |
| Use Milliseconds in Logs (logfile_msec) | When enabled, nessusd.messages |
no | yes or no | yes |
Performance
|
Setting |
Description |
Default | Valid Values | Restart Required? |
|---|---|---|---|---|
| Database Synchronous Setting (db_synchronous_setting) |
Control how database updates are synchronized to disk. NORMAL is faster, with some risk of data loss during unexpected system shutdowns (for example, during a power outage or crash). FULL is safer, with some performance cost. |
NORMAL | NORMAL or FULL | yes |
| Engine Logging (global.log.engine_details) | When enabled, logs additional information about which scan engine you assigned each target to during scanning. | no | yes or no | no |
| Global Max Hosts Concurrently Scanned (global.max_hosts) |
Maximum number of hosts that Tenable Nessus can scan simultaneously across all scans. |
Varies depending on hardware |
Integers | no |
| Global Max Port Scanners (global.max_portscanners) | Maximum number of port scanners. | 100 | Integers 0-1024 | no |
| Global Max TCP Sessions (global.max_simult_tcp_sessions) | Maximum number of simultaneous TCP sessions across all scans. |
50 for desktop operating systems (for example, Windows 10). 50000 for other operating systems (for example, Windows Server 2016). |
Integers |
no |
| Max Concurrent Checks Per Host (max_checks) |
Maximum number of simultaneous plugins that can run concurrently on each host. |
5 |
Integers |
no |
| Max Concurrent Hosts Per Scan (max_hosts) | Maximum number of hosts checked at one time during a scan. | Varies, up to 100. |
Integers. If set to 0, defaults to 100. |
no |
| Max Concurrent Scans (global.max_scans) | Maximum number of simultaneous scans that the scanner can run. | 0 |
Integers 0-1000 If set to 0, there is no limit. |
no |
| Max Engine Checks (engine.max_checks) |
Maximum number of simultaneous plugins that can run concurrently on a single scan engine. |
64 | Integers | no |
| Max Engine Threads (engine.max) | Maximum number of scan engines that run in parallel. Each scan engine scans multiple targets concurrently from one or more scans (see engine.max_hosts). | 8 times the number of CPU cores on the machine | Integers | no |
| Max Hosts Per Engine Thread (engine.max_hosts) | Maximum number of targets that run concurrently on a single scan engine. | 16 | Integers | no |
| Max HTTP Connections (max_http_connections) | The number of simultaneous connection attempts before the web server responds with HTTP code 503 (Service Unavailable, Too Many Connections). | 600 | Integers | yes |
| Max HTTP Connections Hard (max_http_connections_hard) |
The number of simultaneous connection attempts before the web server does not allow further connections. |
3000 | Integers | yes |
| Max TCP Sessions Per Host (host.max_simult_tcp_sessions) |
Maximum number of simultaneous TCP sessions for a single host. This TCP throttling option also controls the number of packets per second the SYN scanner sends, which is 10 times the number of TCP sessions. For example, if you set this option to 15, the SYN scanner sends 150 packets per second at most. |
0 |
Integers. If set to 0, there is no limit. |
no |
| Max TCP Sessions Per Scan (max_simult_tcp_sessions) | Maximum number of simultaneous TCP sessions for the entire scan, regardless of the number of hosts the scanner is scanning. | 0 |
Integers 0-2000. If set to 0, there is no limit. |
no |
| Engine Thread Pool Minimum Size (thread_pool.min) | The minimum size of the pool of threads available for use by the scan engine. You can defer asynchronous tasks to these threads, and this value controls the maximum number of threads. | 2 | Integers 0-100 | no |
| Engine Thread Pool Maximum Size (thread_pool.max) | The maximum size of the pool of threads available for use by the scan engine. You can defer asynchronous tasks to these threads, and this value controls the maximum number of threads. | 200 | Integers 0-500 | no |
| Minimum Engine Threads (engine.min) | The number of scan engines that start initially as Tenable Nessus scans the targets. After the engine reaches engine.optimal_hosts number of targets, Tenable Nessus adds more scan engines up to engine.max. | 2 times the number of CPU cores on the machine | Integers | no |
| Optional Hosts Per Engine Thread (engine.optimal_hosts) | The minimum number of targets that are running on each scan engine before Tenable Nessus adds more engines (up to engine.max). | 2 | Integers | no |
| Optimize Tests (optimize_test) | Optimizes the test procedure. If you disable this setting, scans may take longer and typically generate more false positives. | yes | yes or no | no |
| Plugin Check Optimization Level (optimization_level) |
Determines the type of check that Tenable Nessus performs before a plugin runs. If you set this setting to open_ports, then Tenable Nessus checks that required ports are open; if they are not, the plugin does not run. If you set this setting to required_keys, then Tenable Nessus performs the open port check, and also checks that required keys (KB entries) exist, ignoring the excluded key check. |
None | open_ports or required_keys | no |
| Plugin Timeout (plugins_timeout) | Maximum lifetime of a plugin’s activity in seconds. | 320 | Integers 0-1000 | no |
| QDB Memory Usage (qdb_mem_usage) | Directs Tenable Nessus to use more or less memory when idle. If Tenable Nessus is running on a dedicated server, setting this to high uses more memory to increase performance. If Tenable Nessus is running on a shared machine, setting this to low uses considerably less memory, but has a moderate performance impact. | low | low or high | no |
| Reduce TCP Sessions on Network Congestion (reduce_connections_on_congestion) | Reduces the number of TCP sessions in parallel when the network appears to be congested. | no | yes or no | no |
| Remediations Limit (remediations_limit) |
Limits the number of remediations that Tenable Nessus generates and shows in a scan result. |
500 | Integers > 0 | no |
| Scan Check Read Timeout (checks_read_timeout) |
Read timeout for the sockets of the tests. |
5 | Integers 0-1000 | no |
| Stop Scan on Host Disconnect (stop_scan_on_disconnect) | When enabled, Tenable Nessus stops scanning a host that disconnects during the scan. | no | yes or no | no |
| XML Enable Plugin Attributes (xml_enable_plugin_attributes) | When enabled, Tenable Nessus includes plugin attributes in exported scans to Tenable Security Center. | no | yes or no | no |
| Webserver Thread Pool Minimum Size (www.thread_pool.min) | The minimum thread pool size for the webserver/backend. | 2 | Integers 0-100 | no |
| Webserver Thread Pool Maximum Size (www.thread_pool.max) | The maximum thread pool size for the webserver/backend. | 200 | Integers 0-500 | no |
Security
|
Setting |
Description |
Default | Valid Values | Restart Required? |
|---|---|---|---|---|
| Always Validate SSL Server Certificates (strict_certificate_validation) |
Always validate SSL server certificates, even during initial remote link (requires manager to use a trusted root CA). |
no | yes or no | no |
| Cipher Files on Disk (cipher_files_on_disk) | Encipher files that Tenable Nessus writes. | yes | yes or no | yes |
| Force Public Key Authentication (force_pubkey_auth) | Force logins for Tenable Nessus to use public key authentication. | no | yes or no | yes |
| Max Concurrent Sessions Per User (max_sessions_per_user) | Maximum concurrent sessions per user | 0 |
Integers 0-2000. If set to 0, there is no limit. |
no |
| SSL Cipher List (ssl_cipher_list) |
Cipher list to use for Tenable Nessus backend connections. You can use a preconfigured list of cipher strings, or enter a custom cipher list or cipher strings. Note: This setting only sets ciphers for TLS 1.2. |
compatible |
|
yes |
| SSL Mode (ssl_mode) |
Minimum supported version of TLS. |
tls_1_2 |
|
yes |
Agents & Scanners
Note: The following settings are only available in Tenable Nessus Manager.
|
Name |
Setting |
Description |
Default | Valid Values | Restart Required? |
|---|---|---|---|---|---|
| Agent Auto Delete | agent_auto_delete | Controls whether agents are automatically deleted after they have been inactive for the duration of time set for agent_auto_delete_threshold. | no | yes or no | no |
| Agent Auto Delete Threshold | agent_auto_delete_threshold | The number of days after which inactive agents are automatically deleted if agent_auto_delete is set to yes. | 60 | Integers 1-365 | no |
| Agent Auto Unlink | agent_auto_unlink |
Controls whether agents are automatically unlinked after they have been inactive for the duration of time set for agent_auto_unlink_threshold. |
no | yes or no | no |
| Agent Auto Unlink Threshold | agent_auto_unlink_threshold |
The number of days after which inactive agents are automatically unlinked if agent_auto_unlink is set to yes. Note: This value must be less than the agent_auto_delete_threshold. |
30 | Integers 30-90 | no |
| Agents Progress | agents_progress_viewable | When a scan gathers information from agents, Tenable Nessus Manager does not show detailed agents information if the number of agents exceeds this setting. Instead, a message indicates that results are being gathered and will be viewable when the scan is complete. | 100 |
Integers. If set to 0, this defaults to 100. |
no |
| Automatically Download Agent Updates | agent_updates_from_feed |
When enabled, new Tenable Nessus Agent software updates are automatically downloaded. |
yes | yes or no | yes |
| Concurrent Agent Software Updates | cloud.manage.download_max | The maximum concurrent agent update downloads. | 10 | Integers | no |
| Include Audit Trail Data | agent_merge_audit_trail |
Controls whether or not agent scan result audit trail data is included in the main agent database. Excluding audit trail data can significantly improve agent result processing performance. If this setting is set to false, the Audit Trail Verbosity setting in an individual scan or policy defaults to No audit trail. |
false | true or false | no |
| Include KB Data | agent_merge_kb |
Includes the agent scan result KB data in the main agent database. Excluding KB data can significantly improve agent result processing performance. If this setting is set to false, the Include the KB setting in an individual scan or policy defaults to Exclude KB. |
false | true or false | no |
| Result Processing Journal Mode | agent_merge_journal_mode |
Sets the journaling mode to use when processing agent results. Depending on the environment, this can somewhat improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation. |
DELETE |
MEMORY TRUNCATE DELETE |
no |
| Result Processing Sync Mode | agent_merge_synchronous_setting |
Sets the filesystem sync mode to use when processing agent results. Turning this off will significantly improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation. |
FULL |
OFF NORMAL FULL |
no |
| Track Unique Agents | track_unique_agents | When enabled, Tenable Nessus Manager checks if MAC addresses of agents trying to link match MAC addresses of currently linked agents with the same hostname, platform, and distro. Tenable Nessus Manager deletes duplicates that it finds. | no | yes or no | no |
Cluster
Note: The following settings are only available in Tenable Nessus Manager with clustering enabled.
|
Setting |
Description |
Default | Valid Values |
|---|---|---|---|
| Agent Blacklist Duration Days (agent_blacklist_duration_days) |
The number of days that an agent remains blocked from relinking to a cluster node. For example, Tenable Nessus blocks an agent if it tries to link with a UUID that matches an existing agent in a cluster. Note: Tenable Nessus blocks an agent after Tenable Nessus deletes or removes the agent due to inactivity. However, Tenable Nessus places the agent back in good standing if an administrator manually unlinks and relinks the agent. |
7 |
Integers > 0 |
| Agent Clustering Scan Cutoff (agent_cluster_scan_cutoff) | Tenable Nessus aborts scans after running this many seconds without a child node update. | 3600 | Integers > 299 |
| Agent Node Global Maximum Default (agent_node_global_max_default) |
The global default maximum number of agents allowed per cluster node. If you set an individual maximum for a child node, that setting overrides this setting. |
10000 | Integers 0-20000 |
Miscellaneous
|
Setting |
Description |
Default | Valid Values | Restart Required? |
|---|---|---|---|---|
| Allow Special Characters in User Names (allow_special_chars_in_username) | Determines whether Tenable Nessus usernames can include parentheses: ( and ). | true | true or false | no |
| Automatic Update Delay (auto_update_delay) | Number of hours that Tenable Nessus waits between automatic updates. | 24 |
Integers > 0 |
no |
| Automatic Updates (auto_update) |
Automatically updates plugins. If you enable this setting and register Tenable Nessus, Tenable Nessus automatically gets the newest plugins from Tenable when they are available. If your scanner is on an isolated network that is not able to reach the internet, disable this setting.
Note: This setting does not work for Tenable Nessus scanners that you connected to Tenable Vulnerability Management. Scanners linked to Tenable Vulnerability Management automatically receive updates from cloud.tenable.com. For more information, see the knowledge base article. |
yes | yes or no | yes |
| Automatically Update Nessus (auto_update_ui) |
Automatically download and apply Tenable Nessus updates. Note: This setting does not work for Tenable Nessus scanners that you connected to Tenable Vulnerability Management. Scanners linked to Tenable Vulnerability Management automatically receive updates from cloud.tenable.com. For more information, see the knowledge base article. |
yes | yes or no | no |
| Backups to keep (backup_days_to_keep) |
Tenable Nessus automatically creates a backup file every 24 hours. Use this setting to determine how many days Tenable Nessus keeps the backup files before discarding them. For example, if you keep this setting at the default 30 days, Tenable Nessus stores daily backup files for the past 30 days. For more information about Tenable Nessus backup files, see Back Up Tenable Nessus. |
30 | Integers > 0 | no |
| Child Node Port (child_node_listen_port) | Allows Tenable Nessus child nodes to communicate to the parent node on a different port. | none | Any valid port value | yes |
| Initial Sleep Time (ms_agent_sleep) | (Tenable Nessus Manager only) Sleep time between managed scanner and agent requests. You can override this setting in Tenable Nessus Manager or Tenable Vulnerability Management. | 30 | Integers 5-3300 | no |
| Java Heap Size (java_heap_size) |
Determines Java heap size (the system memory used to store objects instantiated by applications running on the Java virtual machine) Tenable Nessus uses when exporting PDF reports. |
auto | auto or Integers > 0 | yes |
| Max HTTP Client Requests (max_http_client_requests) | Determines the maximum number of concurrent outbound HTTP connections on managed scanners and agents. | 4 | Integers > 0 | yes |
| Nessus Debug Port (dbg_port) | The port on which nessusd listens for ndbg client connections. If left empty, Tenable Nessus does not establish a debug port. | None | String in one of the following formats: port or localhost:port or ip:port | no |
| Nessus Preferences Database (config_file) |
Location of the configuration file that contains the engine preference settings. The following are the defaults for each operating system: Linux: /opt/nessus/etc/nessus/nessusd.db macOS: /Library/Nessus/run/etc/nessus/conf/nessusd.db Windows: C:\ProgramData\Tenable\Nessus\conf\nessusd.db |
Tenable Nessus database directory for your operating system | String | yes |
| Non-User Scan Result Cleanup Threshold (report_cleanup_threshold_days) | The age threshold (in days) for removing old system-user scan reports. | 30 | Integers > 0 | no |
| Old User Files Cleanup (old_user_files_cleanup_hours) | The number of hours after which Tenable Nessus removes old user files from the file system. If set to 0, Tenable Nessus does not perform a cleanup. | 0 | Integers > 0 | no |
| Orphaned Scan History Cleanup (orphaned_scan_cleanup_days) |
The number of days after which Tenable Nessus removes orphaned Tenable Security Center scans. For example, an orphaned scan could be a scan executed via Tenable Security Center that was not properly removed. If set to 0, Tenable Nessus does not perform a cleanup. Note: This setting only applies to network scans launched from Tenable Security Center. It does not apply to agent or web application scans. |
30 | Integers > 0 | no |
| Packet Capture Archive Cleanup (packet_capture_archive_cleanup_days) | The number of days after which Tenable Nessus removes packet capture archives from the filesystem. If set to 0, Tenable Nessus does not perform a cleanup. | 30 | Integers > 0 | no |
| Plugin Integrity Check Frequency (Minutes) (plugin_healthcheck_frequency) | Determines the frequency, in minutes, at which Tenable Nessus runs a full plugin integrity check. | 10080 | Integers 1440-10080 | yes |
| Remote Scanner Port (remote_listen_port) | This setting allows Tenable Nessus to operate on different ports: one dedicated to communicating with remote agents and scanners (comms port) and the other for user logins (management port). By adding this setting, you can link your managed scanners and agents a different port (for example, 9000) instead of the port defined in xmlrpc_listen_port (default 8834). | None | Integer | yes |
| Report Crashes to Tenable (report_crashes) | When enabled, Tenable Nessus sends crash information to Tenable, Inc. automatically to identify problems. Tenable Nessus does not send personal or system-identifying information to Tenable, Inc.. | yes | yes or no | no |
| Scan Source IP(s) (source_ip) | Source IPs to use when running on a multi-homed host. If you provide multiple IPs, Tenable Nessus cycles through them whenever it performs a new connection. | None | IP address or comma-separated list of IP addresses. | yes |
| Send Telemetry (send_telemetry) |
When enabled, Tenable Nessus periodically and securely sends non-confidential product usage data to Tenable. Usage statistics include, but are not limited to, data about your visited pages within the Tenable Nessus interface, your used reports and dashboards, your Tenable Nessus license, and your configured features. Tenable uses the data to improve your user experience in future Tenable Nessus releases. You can disable this option at any time to stop sharing usage statistics with Tenable. |
yes | yes or no | yes |
| User Scan Result Deletion Threshold (scan_history_expiration_days) |
The number of days after which Tenable Nessus deletes the scan history and data for completed scans permanently. Note: This setting affects any scanner, agent, and web application scans launched from Tenable Security Center. |
0 |
Integers > 0 If set to 0, Tenable Nessus retains the history. |
no |
| Windows Minidump (windows_minidump) | Determines whether Tenable Nessus generates a Windows minidump file in the log folder if Tenable Nessus for Windows crashes. | no | yes or no | no |
Custom
Not all advanced settings are populated in the Tenable Nessus user interface, but you can set some settings in the command-line interface.
The following table lists the advanced settings that you can configure, even though Tenable Nessus does not list them by default.
| Identifier |
Description |
Default | Valid Values |
|---|---|---|---|
| acas_classification |
Adds a classification banner to the top and bottom of the Tenable Nessus user interface, and turns on last successful and failed login notification. |
None | UNCLASSIFIED (green banner), CONFIDENTIAL (blue banner), SECRET (red banner), or a custom value (orange banner). |
| multi_scan_same_host |
When disabled, to avoid overwhelming a host, Tenable Vulnerability Management prevents a single scanner from simultaneously scanning multiple targets that resolve to a single IP address. Instead, Tenable Vulnerability Management scanners serialize attempts to scan the IP address, whether it appears more than once in the same scan task or in multiple scan tasks on that scanner. Scans may take longer to complete. When enabled, a Tenable Vulnerability Management scanner can simultaneously scan multiple targets that resolve to a single IP address within a single scan task or across multiple scan tasks. Scans complete more quickly, but scan targets could potentially become overwhelmed, causing timeouts and incomplete results. |
no | yes or no |
| merge_plugin_results |
Supports merging plugin results for plugins that generate multiple findings with the same host, port, and protocol. Tenable recommends enabling this option for scanners linked to Tenable Security Center. |
no | yes or no |
| nessus_syn_scanner.global_throughput.max | Sets the max number of SYN packets that Tenable Nessus sends per second during its port scan (no matter how many hosts Tenable Nessus scans in parallel). Adjust this setting based on the sensitivity of the remote device to large numbers of SYN packets. | 65536 | Integers |
| login_banner |
A text banner shows that appears after you attempt to log in to Tenable Nessus. The banner only appears the first time you log in on a new browser or computer. |
None | String |
|
timeout.<plugin ID> |
Enter the plugin ID in place of <plugin ID>. The maximum time, in seconds, that Tenable Nessus permits the <pluginID> to run before Tenable Nessus stops it. If you set this option for a plugin, this value supersedes plugins_timeout. | None | Integers 0-86400 |