Install a Tenable Nessus Agent on Linux
Caution: If you install a Tenable Nessus Agent on a system where an existing Tenable Nessus Agent, Tenable Nessus Manager, or Tenable Nessus scanner is running
nessusd, the installation process kills all other
nessusd processes. You may lose scan data as a result.
Before you begin:
- Retrieve the Nessus Agents linking key. For more information, see the Tenable Nessus User Guide or the Tenable Vulnerability Management User Guide, depending on what manager you use.
- If you previously had the Tenable Nessus Agent installed on your system, see the knowledge base article on how to avoid linking errors.
Download the Nessus Agent
On the Nessus Agents Download Page, download the package specific to your operating system.
Install Nessus Agent
Note: The following procedure requires root privileges.
Using the command line interface, install the Tenable Nessus Agent.
Example Linux Install Commands
# dnf install NessusAgent-<version number>-es8.x86_64.rpm
# rpm -ivh NessusAgent-<version number>-es7.x86_64.rpm
# dnf install NessusAgent-<version number>-fc34.x86_64.rpm
# rpm -ivh NessusAgent-<version number>-fc34.x86_64.rpm
# dpkg -i NessusAgent-<version number>-ubuntu1110_i386.deb
# dpkg -i NessusAgent-<version number>-debian6_amd64.deb
You can install a full plugins set before linking to reduce the bandwidth impact during a mass installation. You can accomplish this by using the nessuscli agent update command with the --file parameter, which specifies the location the plugins set. You must do this before starting the Tenable Nessus Agent. For example:
The plugins set must be less than five days old. A stale plugin set older than five days forces a full plugin download to occur. You can download a recent plugins set from the Nessus Agents download page.
Note: After installing a Nessus Agent, you must manually start the service using the
/sbin/service nessusagent start command. Tenable also recommends running systemctl enable nessusagent to ensure that the Nessus Agent service starts anytime the host is rebooted.
Link Agent Using Command Line Interface
At the command prompt, use the
nessuscli agent link command. For example:
/opt/nessus_agent/sbin/nessuscli agent link
--name=MyOSXAgent --groups="All" --host=yourcompany.com --port=8834
The supported arguments for this command are:
|Use the values you retrieved from the manager.|
|--host||yes||Use the values you retrieved from the manager.|
|--port||yes||Use the values you retrieved from the manager.|
|no||Specify a name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.|
Specify existing agent group or groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management.
Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").
For Nessus Agents 7.0.3 or later, you can install the Tenable Nessus Agent on a system even if it is offline. Add the command line option offline-install="yes" to the command line input. The Tenable Nessus Agent periodically attempts to link itself to either Tenable Vulnerability Management or Tenable Nessus Manager.
If the agent cannot connect to the controller then it retries every hour, and if the agent can connect to the controller but the link fails then it retries every 24 hours.
Specify the --cloud argument to link to Tenable Vulnerability Management.
The --cloud argument is a shortcut to specifying --host=sensor.cloud.tenable.com --port=443 (or --host=cloud.tenable.com --port=443 for agents 8.0.x and earlier).
Note: Starting with Tenable Nessus Agent 8.1.0, Tenable Vulnerability Management-linked agents communicate with Tenable Vulnerability Management using sensor.cloud.tenable.com. If agents are unable to connect to sensor.cloud.tenable.com, they use cloud.tenable.com instead. Agents with earlier versions continue to use the cloud.tenable.com domain.
For Tenable Vulnerability Management-linked agents, add the agent to a custom network. If you do not specify a network, the agent belongs to the default network.
Note: You must encase the network name in quotation marks (for example, --network="My Network").
If the information that you provide is incorrect, a "Failed to link agent" error appears.
Note: If you attempt to clone an agent and link it to Tenable Nessus Manager or Tenable Vulnerability Management, a 409 error may appear. This error appears because another machine was linked with the same UUID value in the
/etc/tenable_tag file. To resolve this issue, replace the value in the
/etc/tenable_tag file with a valid UUIDv4 value. If the
/etc/machine_id file does not exist, you can delete
/etc/tenable_tag to generate a new value.
Note: For more information about linking agents to Tenable Vulnerability Management, see Link a Sensor in the Tenable Vulnerability Management User Guide.
Verify a Linked Agent
To verify a linked agent in Tenable Vulnerability Management:
In the upper-left corner, click the button.
The left navigation plane appears.
In the left navigation plane, click Settings.
The Settings page appears.
Click the Sensors tile.
The Sensors page appears. By default, Nessus Scanners is selected in the left navigation menu and the Cloud Scanners tab is active.
In the left navigation menu, click Nessus Agents.
The Nessus Agents page appears and the Linked Agents tab is active.
Locate the new agent in the linked agents table.
To verify a linked agent in Tenable Nessus Manager:
In the top navigation bar, click Sensors.
The Linked Agents page appears.
Locate the new agent in the linked agents table.