Tenable Nessus Agent CLI Commands

Use the Agent nessuscli utility to perform some Tenable Nessus Agent functions through a command line interface.

Note: You must run all Agent nessuscli commands as a user with administrative privileges.

Nessuscli Syntax

Operating System

Command

Windows

C:\Program Files\Tenable\Nessus Agent\nessuscli.exe <cmd> <arg1> <arg2>

macOS

# sudo /Library/NessusAgent/run/sbin/nessuscli <cmd> <arg1> <arg2>

Linux

# /opt/nessus_agent/sbin/nessuscli <cmd> <arg1> <arg2>

Nessuscli Commands

Command Description
Informational Commands

# nessuscli help

Shows a list of nessuscli commands.

# nessuscli -v Shows your current version of Tenable Nessus Agent.
# nessuscli fix --get <agent setting> Shows the current value of an agent setting.
Bug Reporting Commands

# nessuscli bug-report-generator

Generates an archive of system diagnostics.

If you run this command without arguments, the utility prompts you for values.

Optional arguments:

  • --quiet — Run the bug report generator without prompting user for feedback.

  • --scrub — The bug report generator sanitizes the last two octets of the IPv4 address.

  • --full — The bug report generator collects extra data.

Image Preparation Commands
# nessuscli prepare-image

Performs pre-imaging cleanup, including the following:

  • Unlinks the agent, if linked.

  • Deletes any host tag on the agent. For example, the registry key on Windows or tenable_tag on Unix.

  • Deletes any UUID file on the agent. For example, /opt/nessus/var/nessus/uuid (or equivalent on MacOS/Windows).

  • Deletes plugin dbs.

  • Deletes global db.

  • Deletes master.key.

  • Deletes the backups directory.

Optional arguments:

  • --json=<file> — Validates an auto-configuration .json file and places it in the appropriate directory.

Local Agent Commands

Used to link, unlink, and display agent status

# nessuscli agent link --key=<key> --host=<host> --port=<port>

Using the Tenable Nessus Agent Linking Key, this command links the agent to the Tenable Nessus Manager or Tenable Vulnerability Management.

Required arguments:

  • --key — The linking key that you retrieved from the manager.
  • --hostTo link to Tenable Nessus Manager: The static IP address or hostname you set during the Tenable Nessus Manager installation.
    To link to Tenable Vulnerability Management: sensor.cloud.tenable.com (for Tenable Nessus Agents 8.0.x and earlier, cloud.tenable.com)

    Note: Starting with Tenable Nessus Agent 8.1.0, Tenable Vulnerability Management-linked agents communicate with Tenable Vulnerability Management using sensor.cloud.tenable.com. If agents are unable to connect to sensor.cloud.tenable.com, they use cloud.tenable.com instead. Agents with earlier versions continue to use the cloud.tenable.com domain.
  • --port — To link to Tenable Nessus Manager, use 8834 or your custom port.
    To link to Tenable Vulnerability Management, use 443.

Tenable Vulnerability Management arguments:

  • --cloud— To link to Tenable Vulnerability Management, pass the argument --cloud.

    The --cloud argument is a shortcut to specifying --host=sensor.cloud.tenable.com --port=443. If you use --cloud, you do not need to set --host and --port.

    Caution: The --cloud argument is not supported in FedRAMP environments. You must specify --host=fedcloud.tenable.com --port=443.

    Note: If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com.

Optional arguments:

  • --auto-proxy — (Windows-only) When set, the agent uses Web Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC) file for proxy settings. This setting overrides all other proxy configuration preferences.
  • --name —  A name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.
  • --groups — One or more existing agent groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list. For example: "Atlanta,Global Headquarters"

    Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group").

  • --ca-path — A custom CA certificate to use to validate the manager's server certificate.
  • --offline-install — When enabled, installs Tenable Nessus Agent on the system, even if it is offline. Tenable Nessus Agent periodically attempts to link itself to its manager.

    If the agent cannot connect to the controller, it retries every hour. If the agent can connect to the controller but the link fails, it retries every 24 hours.

    Tip: Specifying the link preferences in config.json and leaving the retry preference blank achieves the same result as using the --install-offline linking argument.

  • --network — For Tenable Vulnerability Management-linked agents, adds the agent to a custom network. If you do not specify a network, the agent belongs to the default network.

  • --profile-uuid — The UUID of the agent profile that you want to assign the agent to (for example, 12345678-9abc-4ef0-9234-56789abcdef0). For more information, see Agent Profiles in the Tenable Vulnerability Management User Guide.

  • --proxy-host — The hostname or IP address of your proxy server.
  • --proxy-port — The port number of the proxy server.
  • --proxy-password — The password of the user account that you specified as the username.
  • --proxy-username — The name of a user account that has permissions to access and use the proxy server.
  • --proxy-agent — The user agent name, if your proxy requires a preset user agent.

# nessuscli agent unlink

Unlinks agent from the Tenable Nessus Manager or Tenable Vulnerability Management.

# nessuscli scan-triggers --list

Lists details about the agent's rule-based scans:

  • Scan name

  • Status (for example, uploaded)

  • Time of last activity (shown next to the status)

  • Scan description

  • Time of last policy modification

  • Time of last run

  • Scan triggers

  • Scan configuration template

  • Command to launch the scan (nessuscli scan-triggers --start --UUID=<scan-uuid>)

# nessuscli scan-triggers --start --UUID=<scan-uuid>

(Tenable Vulnerability Management-linked agents only)

Manually executes a rule-based scan based on UUID.

# nessuscli agent status

Displays the status of the agent, rule-based scanning information, jobs pending, and whether the agent is linked to the server.

The command output provides some of the following information:

  • Running — Indicates whether the agent is currently active on the host.

  • Linked to — Indicates which manager the agent is linked to.

  • Link status — Indicates the agent's current link status with the manager.

  • Proxy — Indicates the proxy the agent is connected through, if any.

  • Plugin set — Indicates the agent's current plugin set.

  • Scanning — Indicates whether the agent is currently scanning the host. This value also shows the number of scan jobs pending and the number of scan triggers configured for the agent (this value is labeled smart scan configs in the output).

  • Scans run today — Indicates the number of scans the agent has run today.

  • Last scanned — Indicates the last date and time at which the agent ran a scan.

  • Last connect — Indicates the last date and time at which the agent connected to its manager.

  • Last connection attempt — Indicates the last date and time at which the agent attempted to connect with its manager.

Optional arguments:

  • --local — (Default behavior) Provides the status, current jobs count, and jobs pending. This option prevents the agent from contacting its management software to fetch the status. Instead, it shows the last known information from its most recent sync.

  • --remote — Fetches the job count from the manager and displays the status.

    Note: Tenable does not recommend running frequent status checks with the --remote option (for example, when using automation).

  • --offline — Provides the most recently cached agent status when it cannot connect to Tenable Nessus Manager or Tenable Vulnerability Management.

  • --show-token — Displays the agent's token that is used to identify and authenticate with its manager.

  • --show-uuid — Displays the agent's Tenable UUID.

# nessuscli plugins --info

Lists details about the agent's full and inventory plugin sets:

  • Installed version

  • Last downloaded

  • Last needed

  • Expires in — The plugin set's expiration time and date (that is, when the plugin set is no longer needed).

  • Plugins — The total number of plugins in the plugin set.

  • Uncompressed source size

Lists details and statistics about the agent's plugins, such as:

  • Last plugin update time

  • Last plugin update check time

  • Total compressed plugins source size

  • Total compiled plugins size

  • Total plugins attributes data

  • Total plugin size on disk

# nessuscli plugins --reset

Deletes all plugins and plugin-related data off the disk. The agent is able to download plugins immediately after the deletion completes.

Note: This command only triggers if the agent has plugin data on its disk.

# nessuscli install-relay --linking-key=<Tenable Identity Exposure relay linking key>

Installs a Tenable Identity Exposure Secure Relay on the agent.

To retrieve the Tenable Identity Exposure relay linking key, see Secure Relay in the Tenable Identity Exposure Administrator Guide.

install-relay supports the following optional parameters:

  • proxy_address — The proxy IP or DNS to use if you require a proxy to reach Tenable domains. If you enter a proxy_address, you need to enter a proxy_port.

  • proxy_port — The proxy port to use if you require a proxy to reach Tenable domains. If you enter a proxy_port, you need to enter a proxy_address.

  • proxy_basic_login — The proxy login username. If you enter a proxy_basic_login, you need to enter a proxy-basic-password.

  • proxy-basic-password — The proxy login password. If you enter a proxy-basic-password, you need to enter a proxy_basic_login.

If you do not want to specify a proxy, do not enter any proxy parameters. To specify an unauthorized proxy, enter a proxy_address and a proxy_port. To specify an authorized proxy, enter a proxy_address, a proxy_port, a proxy_basic_login, and a proxy-basic-password.

Update Commands
# nessuscli agent update --file=<plugins_set.tgz>

Manually installs a plugin set.

Fix Commands
# nessuscli fix --list Shows a list of agent settings and their values.
nessuscli fix --set <setting>=<value> Set an agent setting to the specified value.

For a list of agent settings, see Advanced Settings.

# nessuscli fix --set update_hostname="<value>"

Updates agent hostnames automatically in Tenable Vulnerability Management or Tenable Nessus Manager.

You can set the update_hostname parameter to yes or no. By default, this preference is disabled.

Note: Restart the agent service for the change to take effect in Tenable Nessus Manager.

# nessuscli fix --set agent_update_channel=<value>

(Tenable Vulnerability Management-linked agents only)

Sets the agent update plan to determine what version the agent automatically updates to.

Values:

  • ga — Automatically updates to the latest Agent version when it is made generally available (GA). Note: This date is usually one week after the version is made generally available. For versions that address critical security issues, Tenable may make the version available immediately.

  • ea — Automatically updates to the latest Agent version as soon as it is released for Early Access (EA), typically a few weeks before general availability.

  • stable — Does not automatically update to the latest Tenable Nessus Agent version. Remains on an earlier version of Tenable Nessus Agent set by Tenable, usually one release older than the current generally available version, but no earlier than 7.7.0. When Tenable Nessus Agent releases a new version, your agent updates software versions, but stays on a version prior to the latest release.

Note: For agents linked to Tenable Vulnerability Management, you need to run the agent_update_channel command from the agent nessuscli utility. For agents linked to Tenable Nessus Manager, you need to run the agent_update_channel command from the Tenable Nessus Managernessuscli utility.

# nessuscli fix --set maximum_scans_per_day=<value>

(Tenable Vulnerability Management-linked agents only)

Sets the maximum number of scans an agent can run per day. The minimum amount is 1, the maximum amount is 48, and the default amount is 10.

# nessuscli fix --set max_retries="<value>"

Sets the maximum number of times an agent should retry in the event of a failure when executing the agent link, agent status, or agent unlink commands. The commands retry, the specified number of times, consecutively, sleeping increasing increments of time set by retry_sleep_milliseconds between attempts. The default value for max_retries is 0. The minimum value is 0, and the maximum value is 10.

For example, if you set max_retries to 4 and set retry_sleep_milliseconds to the default of 1500, then the agent will sleep for 1.5 seconds after the first try, 3 seconds after the second try, and 4.5 seconds after the third try.

Note: This setting does not affect offline updates or the agent's normal 24 hour check-in after it is linked.
# nessuscli fix --set retry_sleep_milliseconds="<value>"

Sets the number of milliseconds that an agent sleeps for between retries in event of a failure when executing the agent link, agent status, or agent unlink commands. The default is 1500 milliseconds (1.5 seconds).

# nessuscli fix --set niap_mode=enforcing

Enforces NIAP mode for Tenable Nessus Agent. For more information about NIAP mode, see Configure Tenable Nessus Agent for NIAP Compliance.

# nessuscli fix --set niap_mode=non-enforcing

Disables NIAP mode for Nessus Agent. For more information about NIAP mode, see Configure Tenable Nessus Agent for NIAP Compliance.

# nessuscli fix --set fips_mode=enforcing

Enforces the current validated FIPS module for Tenable Nessus Agent communication and database encryption. The FIPS module does not affect scanning encryption.

Note: Tenable Nessus Agent also enforces the FIPS module when you enforce NIAP mode. For more information, see Configure Tenable Nessus Agent for NIAP Compliance.

# nessuscli fix --set fips_mode=non-enforcing

Disables the FIPS module for Tenable Nessus Agent communication and database encryption.

Note: Tenable Nessus Agent also disables the FIPS module when you disable NIAP mode. For more information, see Configure Tenable Nessus Agent for NIAP Compliance.

Fix Secure Settings
nessuscli fix

You can use --list, --set, --get, and --delete to modify or view advanced agent settings.

Using the --secure option acts on the encrypted preferences, which contain information about registration.

Caution: Tenable does not recommend changing undocumented --secure settings as it may result in an unsupported configuration.

For a list of agent settings, see Advanced Settings.

nessuscli fix [--secure] --list
nessuscli fix [--secure] --set <setting=value>
nessuscli fix [--secure] --get <setting>
nessuscli fix [--secure] --delete <setting>
# nessuscli fix --secure --get agent_linking_key

(Tenable Nessus Manager versions 10.4.0 and later only) Retrieve your unique agent linking key.

Note: You can only use this linking key to link an agent. You cannot use it to link a scanner or a child node.
Resource Control Commands  

# nessuscli fix --set process_priority="<value>"

# nessuscli fix --get process_priority

# nessuscli fix --delete process_priority

Commands

Set, get, or delete the process_priority setting.

You can control the priority of the Tenable Nessus Agent relative to the priority of other tasks running on the system by using the process_priority preference.

For valid values and more information on how the setting works, see Agent CPU Resource Control.