Tenable Nessus Professional Agent for Faraday
Description:
This agent connects to a Tenable Nessus Professional scanner, executes vulnerability scans, and imports the results directly into Faraday for centralized analysis and management. It allows you to launch new scans or import existing ones from your local Nessus scanner.
Important Distinction: This agent is for the Nessus Professional desktop scanner, which typically runs on a single server. For cloud-based Tenable.io or managed Nessus Manager deployments, a different agent configuration may be required.
Configuration
You can access the instructions for configuring an agent and the new executor by following this link. Remember to select nessus as the executor during the configuration process.
Required Environment Variables:
These credentials are stored in the executor's environment and allow it to authenticate with your Nessus scanner.
- `NESSUS_USERNAME`: The username for your Nessus Professional scanner account (e.g., `admin`).
- `NESSUS_PASSWORD`: The password associated with the above username.
- `NESSUS_URL`: The full URL to access your Nessus Professional web interface. The default is typically `https://<your-nessus-server>:8834`.
  - Example: `https://nessus.mycompany.com:8834` or `https://10.0.1.5:8834`
Optional & Mandatory Execution Arguments:
These parameters are provided each time you run the agent to define what action to perform.
| Parameter | Mandatory | Type | Description & Example |
|---|---|---|---|
| `NESSUS_SCAN_TARGET` | Yes | string | The target(s) for the vulnerability scan. Accepts IPs, ranges, or hostnames. Example: `192.168.1.0/24, server1.domain.com,10.0.0.1-10.0.0.50` |
| `NESSUS_SCAN_NAME` | No | string | A descriptive name for the new scan. If not provided, a default name may be generated. Example: `Faraday Agent Weekly Scan - Web Servers` |
| `NESSUS_SCAN_TEMPLATE` | No | string | The name of the scan policy/template to use (e.g., `basic`, `discovery`, `webapp_full`). You must create these templates in the Nessus UI first. |
| `NESSUS_URL` | No | url | Can override the URL set in environment variables for this specific run. Useful if you manage multiple scanners. |
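
A pre-flight check for the variables and arguments above, as an added example (not Faraday's or Tenable's code): it rejects a non-HTTPS `NESSUS_URL` and malformed `NESSUS_SCAN_TARGET` entries before a scan is launched against the wrong hosts. The function names are hypothetical, and accepting only the target forms shown in the table (IP, CIDR, dashed range, hostname) is an assumption about what the scanner accepts.

```python
# Added example; function names are hypothetical, not part of Faraday or Nessus.
import ipaddress
import re
from urllib.parse import urlparse

_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # RFC 1123 hostname label

def classify_target(entry):
    """Return (kind, normalized) for one NESSUS_SCAN_TARGET entry or raise ValueError."""
    entry = entry.strip()
    if "/" in entry:
        return "cidr", str(ipaddress.ip_network(entry, strict=False))
    first, dash, last = entry.partition("-")
    if dash:
        try:
            lo, hi = ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
        except ValueError:
            pass  # not an IP range; may still be a hostname containing a hyphen
        else:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"reversed or mixed-version range: {entry}")
            return "range", f"{lo}-{hi}"
    try:
        return "ip", str(ipaddress.ip_address(entry))
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.\-]+", entry):  # numeric, but not a valid IP or range
        raise ValueError(f"malformed address: {entry}")
    if len(entry) <= 253 and all(_LABEL.fullmatch(l) for l in entry.rstrip(".").split(".")):
        return "hostname", entry.lower()
    raise ValueError(f"unrecognized target: {entry!r}")

def check_nessus_url(url):
    """Require https with a host (assumed policy); return (host, port the client will use)."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"NESSUS_URL must be https://<host>[:port], got {url!r}")
    return parts.hostname, parts.port or 443

def preflight(env, args):
    """Validate executor inputs; a per-run NESSUS_URL argument overrides the environment."""
    url = args.get("NESSUS_URL") or env.get("NESSUS_URL")
    required = {"NESSUS_USERNAME": env.get("NESSUS_USERNAME"), "NESSUS_PASSWORD": env.get("NESSUS_PASSWORD"),
                "NESSUS_URL": url, "NESSUS_SCAN_TARGET": args.get("NESSUS_SCAN_TARGET")}
    missing = [name for name, value in required.items() if not value]
    if missing:
        raise ValueError("missing: " + ", ".join(missing))
    targets = [classify_target(e) for e in args["NESSUS_SCAN_TARGET"].split(",")]
    return {"endpoint": check_nessus_url(url), "targets": targets}
```

The returned `endpoint` pair is the host and port the agent machine must be able to reach, which is also what a firewall rule for the scanner needs to allow.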
Running Your Agent
Once you have configured your executor, you can proceed to run your agent by following the instructions outlined here.
Prerequisite in Nessus: Before running a scan via the agent, ensure you have the desired Scan Template created in your Nessus Professional UI. Go to Policies > Create Policy to configure a scan template with your preferred plugins, settings, and credentials.
Typical Agent Execution Workflow:
When you trigger the nessus executor, it will:
1. Authenticate to the Nessus scanner at the specified NESSUS_URL.
2. Create a new scan using the provided name, template, and target.
3. Launch the scan and wait for it to complete.
4. Download the scan results and import all vulnerabilities into your selected Faraday workspace.
Troubleshooting Notes
- Certificate Warnings: If your Nessus instance uses a self-signed SSL certificate (common for on-prem deployments), you may need to configure the Faraday agent to ignore SSL verification errors. This is typically done via an additional environment variable (e.g., `PYTHONWARNINGS="ignore:Unverified HTTPS request"`), depending on the underlying library. Note that this example variable only silences Python's warning message; it does not change whether the certificate is verified.
- Port Access: Ensure the machine running the Faraday agent can reach your Nessus Professional scanner on port 8834 (or the custom port you have configured).
- Template Names: The value for `NESSUS_SCAN_TEMPLATE` must match the exact name of a policy you created in the Nessus UI under the "Policies" section.