Configure Agent Profiles to Avoid Asset Duplication in Tenable Vulnerability Management

In Tenable Vulnerability Management configurations that scan hosts with both Tenable Nessus scanners and Tenable Nessus Agents, there are instances where a scanner scans and records an asset that already has an agent installed on it. This causes the asset to be identified as two (or more, in some cases) separate assets in Tenable Vulnerability Management.

For Tenable Nessus Agents versions 10.6.0 and later, you can configure an Open Agent Port in Tenable Vulnerability Management agent profiles to avoid this case of asset duplication.

Enabling and configuring an agent profile's Open Agent Port allows the agents of that profile to run an agent identification service on their installed hosts. The service opens a configurable port on the host and allows Tenable scanners to identify that the installed agent has already inventoried the host as an asset. This ensures that the host is recorded as a single asset in Tenable Vulnerability Management, regardless of whether the host is the target of a scanner's network scan or is generating agent scans.

For information on how to configure the Open Agent Port for an agent profile, see Agent Profiles in the Tenable Vulnerability Management User Guide.

Considerations

Consider the following when configuring the Open Agent Port:

  • Only agents version 10.6.0 and later can use the Open Agent Port setting. The setting does not apply to any agent on an earlier version.

  • Configuring the Open Agent Port permits your network scanners to probe each target system on the port you select.

  • The agent identification service is only started if the agent profile specifies a valid Open Agent Port.

  • The agent identification service attempts to open and listen on the TCP port specified in the agent profile's Open Agent Port. If you have any local firewall or host protection products installed on the host, you need to configure them to allow the agent identification service to open this port for incoming connections. Tenable recommends allowlisting Tenable Nessus Agent files and processes to ensure that the Open Agent Port feature works without interruption.

  • On macOS and Linux, the agent identification service creates a low-privilege service account to execute under. On Windows, the agent identification service runs as a low integrity process.

  • The Open Agent Port assigned to an agent reopens whenever the agent upgrades or restarts or whenever the host reboots.

  • If the agent identification service detects a record that belongs to two Tenable networks, the merged asset is added to the network of the scanner that last found the asset.

  • On macOS and Linux hosts, the agent identification service requires a system user to run under. When you initially configure the Open Agent Port, the agent automatically creates a system user called _tenabletag on macOS hosts, or tenabletag on Linux hosts. The tenabletag user is a locked system user and cannot be used for logging in.

    When you uninstall Tenable Nessus Agent from a macOS or Linux host, the tenabletag user is not deleted to preserve the UID mapping. To remove the user, refer to your operating system's user deletion documentation.

Logging and Troubleshooting

You can view log information about the Open Agent Port in agent bug report bundles and in the following directories:

Operating System   Log Location
----------------   ------------
Windows            C:\ProgramData\Tenable\NessusAgent\nessus\mod\com.tenable.agent_identifier_service\data\com.tenable.agent_identifier_service.log
macOS              /Library/NessusAgent/run/var/nessus/mod/com.tenable.agent_identifier_service/data/com.tenable.agent_identifier_service.log
Linux              /opt/nessus_agent/var/nessus/mod/com.tenable.agent_identifier_service/data/com.tenable.agent_identifier_service.log

To verify that the agent identification service is working, view plugin 191492 - Tenable Agent Identification. The plugin generates an Info-level finding when the agent identification service triggers and provides the UUID of the detected agent.
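As an added example that is not part of Tenable's documentation, the following script checks on a Linux host the items from the Considerations list above together with the log location in this section: that a TCP listener exists on the configured Open Agent Port, that the tenabletag service user exists and is locked, and that the agent identification service log is present. It assumes `ss` is available, that the port value 18834 is a placeholder for the port set in your agent profile, and that the `--live` flag and function names are this script's own.

```shell
#!/bin/sh
# Added verification helper (not Tenable's code) for a Linux host with Tenable Nessus Agent 10.6.0+.
# Assumptions: AGENT_PORT is the Open Agent Port from your agent profile (18834 is a placeholder),
# `ss` is available, and the log path is the Linux location documented above.
AGENT_PORT="${AGENT_PORT:-18834}"
SERVICE_USER=tenabletag
AGENT_LOG=/opt/nessus_agent/var/nessus/mod/com.tenable.agent_identifier_service/data/com.tenable.agent_identifier_service.log

# port_is_listening PORT  (reads `ss -ltn` output on stdin)
# Succeeds if any TCP listener's local address ends in :PORT (handles 0.0.0.0:, *: and [::]: forms).
port_is_listening() {
  awk -v port="$1" 'NR > 1 { n = split($4, a, ":"); if (a[n] == port) found = 1 }
                    END { exit found ? 0 : 1 }'
}

# user_is_locked USER  (reads /etc/shadow-style lines on stdin)
# Succeeds if USER exists and its password field starts with ! or *, i.e. interactive login is disabled.
user_is_locked() {
  awk -F: -v u="$1" '$1 == u { seen = 1; locked = ($2 ~ /^[!*]/) }
                     END { exit (seen && locked) ? 0 : 1 }'
}

run_live_checks() {
  rc=0
  if ss -ltn 2>/dev/null | port_is_listening "$AGENT_PORT"; then
    echo "OK:   TCP $AGENT_PORT is listening (agent identification service)"
  else
    echo "FAIL: nothing listening on TCP $AGENT_PORT; check the profile's Open Agent Port and the host firewall"
    rc=1
  fi
  if [ -r /etc/shadow ] && user_is_locked "$SERVICE_USER" < /etc/shadow; then
    echo "OK:   $SERVICE_USER exists and is locked"
  else
    echo "WARN: $SERVICE_USER missing or not locked (run as root to read /etc/shadow)"
  fi
  echo "Processes owned by $SERVICE_USER:"; ps -u "$SERVICE_USER" -o pid=,comm= 2>/dev/null || echo "  (none)"
  if [ -f "$AGENT_LOG" ]; then
    echo "--- last 20 lines of $AGENT_LOG ---"; tail -n 20 "$AGENT_LOG"
  else
    echo "WARN: $AGENT_LOG not found; the service only starts when the profile has a valid Open Agent Port"
    rc=1
  fi
  return "$rc"
}

# Live checks only run when invoked with --live, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it as root with `--live` on the agent host; a FAIL on the port check with the service log present usually points at a local firewall or host protection product blocking the listener.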