Install a Tenable Nessus Agent on Linux

Caution: If you install a Tenable Nessus Agent on a system where an existing Tenable Nessus Agent, Tenable Nessus Manager, or Tenable Nessus scanner is running nessusd, the installation process kills all other nessusd processes. You may lose scan data as a result.

Before you begin:

Download the Nessus Agent

On the Nessus Agents Download Page, download the package specific to your operating system.

Install Nessus Agent

Note: The following procedure requires root privileges.

Using the command line interface, install the Tenable Nessus Agent.

Example Linux Install Commands

# dnf install NessusAgent-<version number>-es8.x86_64.rpm

# rpm -ivh NessusAgent-<version number>-es7.x86_64.rpm

# dnf install NessusAgent-<version number>-fc34.x86_64.rpm

# rpm -ivh NessusAgent-<version number>-fc34.x86_64.rpm

# dpkg -i NessusAgent-<version number>-ubuntu1110_i386.deb

# dpkg -i NessusAgent-<version number>-debian6_amd64.deb

You can install a full plugins set before linking to reduce the bandwidth impact during a mass installation. You can accomplish this by using the nessuscli agent update command with the --file parameter, which specifies the location the plugins set. You must do this before starting the Tenable Nessus Agent. For example:

/opt/nessus_agent/sbin/nessuscli agent update --file=./plugins_set.tgz

The plugins set must be less than five days old. A stale plugin set older than five days forces a full plugin download to occur. You can download a recent plugins set from the Nessus Agents download page.

Note: After installing a Nessus Agent, you must manually start the service using the /sbin/service nessusagent start command. Tenable also recommends running systemctl enable nessusagent to ensure that the Nessus Agent service starts anytime the host is rebooted.

Link Agent Using Command Line Interface

At the command prompt, use the nessuscli agent link command. For example:

/opt/nessus_agent/sbin/nessuscli agent link

--key=00abcd00000efgh11111i0k222lmopq3333st4455u66v777777w88xy9999zabc00

--name=MyOSXAgent --groups="All" --host=yourcompany.com --port=8834

The supported arguments for this command are:

Argument Required? Value
--key

yes

 Use the values you retrieved from the manager.
--host yes Use the values you retrieved from the manager.
--port yes Use the values you retrieved from the manager.

--name

 no Specify a name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.
--groups no

Specify existing agent group or groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management.

Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").
--offline-install no

For Nessus Agents 7.0.3 or later, you can install the Tenable Nessus Agent on a system even if it is offline. Add the command line option offline-install="yes" to the command line input. The Tenable Nessus Agent periodically attempts to link itself to either Tenable Vulnerability Management or Tenable Nessus Manager.

If the agent cannot connect to the controller then it retries every hour, and if the agent can connect to the controller but the link fails then it retries every 24 hours.
--cloud no

Specify the --cloud argument to link to Tenable Vulnerability Management.

The --cloud argument is a shortcut to specifying --host=sensor.cloud.tenable.com --port=443 (or --host=cloud.tenable.com --port=443 for agents 8.0.x and earlier).

Note: Starting with Tenable Nessus Agent 8.1.0, Tenable Vulnerability Management-linked agents communicate with Tenable Vulnerability Management using sensor.cloud.tenable.com. If agents are unable to connect to sensor.cloud.tenable.com, they use cloud.tenable.com instead. Agents with earlier versions continue to use the cloud.tenable.com domain.
--network no

For Tenable Vulnerability Management-linked agents, add the agent to a custom network. If you do not specify a network, the agent belongs to the default network.

Note: You must encase the network name in quotation marks (for example, --network="My Network").

If the information that you provide is incorrect, a "Failed to link agent" error appears.

Note: If you attempt to clone an agent and link it to Tenable Nessus Manager or Tenable Vulnerability Management, a 409 error may appear. This error appears because another machine was linked with the same UUID value in the /etc/machine_id or /etc/tenable_tag file. To resolve this issue, replace the value in the /etc/tenable_tag file with a valid UUIDv4 value. If the /etc/machine_id file does not exist, you can delete /etc/tenable_tag to generate a new value.

Note: For more information about linking agents to Tenable Vulnerability Management, see Link a Sensor in the Tenable Vulnerability Management User Guide.

Verify a Linked Agent

To verify a linked agent in Tenable Vulnerability Management:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Sensors tile.

    The Sensors page appears. By default, Nessus Scanners is selected in the left navigation menu and the Cloud Scanners tab is active.

  4. In the left navigation menu, click Nessus Agents.

    The Nessus Agents page appears and the Linked Agents tab is active.

  5. Locate the new agent in the linked agents table.

To verify a linked agent in Tenable Nessus Manager:

  1. In the top navigation bar, click Sensors.

    The Linked Agents page appears.

  2. Locate the new agent in the linked agents table.