Install a Nessus Agent on macOS

Caution: If you install a Tenable Nessus Agent on a system where an existing Tenable Nessus Agent, Tenable Nessus Manager, or Tenable Nessus scanner is running nessusd, the installation process kills all other nessusd processes. You may lose scan data as a result.

Note: Nessus Agents may need Full Disk Access when using some audits for full directory access. Therefore, Tenable recommends granting Full Disk Access to Nessus Agents installed on macOS.

Before You Begin

Download Nessus Agent

From the Nessus Agents Download Page, download the package specific to your operating system.

Install Nessus Agent

Note: You need root privileges to perform the following steps.

To install the Tenable Nessus Agent, you can use either the GUI installation wizard or the command line.

GUI Installation:

  1. Double-click the Nessus Agent .dmg (macOS disk image) file.
  2. Double-click Install Nessus Agent.pkg.
  3. Complete the Nessus Agent Install Wizard.

Command Line Installation:

  1. Extract Install Nessus Agent.pkg and .NessusAgent.pkg from NessusAgent-<version number>.dmg.

    Note: The .NessusAgent.pkg file is normally invisible in macOS Finder.

  2. Open Terminal.
  3. From the command line, enter the following command:
  4. # sudo installer -pkg /<path-to>/Install Nessus Agent.pkg -target /

You can install a full plugins set before linking to reduce the bandwidth impact during a mass installation. You can accomplish this by using the nessuscli agent update command with the --file parameter, which specifies the location the plugins set. You must do this before starting the Tenable Nessus Agent. For example:

/opt/nessus_agent/sbin/nessuscli agent update --file=./plugins_set.tgz

The plugins set must be less than five days old. A stale plugin set older than five days forces a full plugins download to occur. You can download a recent plugin set from the Nessus Agents download page.

Link Agent Using Command Line Interface

To link an agent on macOS:

  1. Open Terminal.
  2. From the command line, use the nessuscli agent link command.

    For example:

    # sudo /Library/NessusAgent/run/sbin/nessuscli agent link
    --name=MyOSXAgent --groups=All --port=8834

    The supported arguments for this command are:

    Argument Required? Value


    Use the values you retrieved from the manager.
    --host yes
    --port yes


    no Specify a name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.
    --groups no

    Specify existing agent group or groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management.

    Note: The agent group name is case-sensitive and must match exactly.

    --offline-install no

    For Nessus Agents 7.0.3 or later, you can install the Tenable Nessus Agent on a system even if it is offline. Add the command line option NESSUS_OFFLINE_INSTALL="yes" to the command line input. The Tenable Nessus Agent periodically attempts to link itself to either Tenable Vulnerability Management or Tenable Nessus Manager.

    If the agent cannot connect to the controller then it retries every hour, and if the agent can connect to the controller but the link fails then it retries every 24 hours.

    --cloud no

    Specify the --cloud argument to link to Tenable Vulnerability Management.

    The --cloud argument is a shortcut to specifying --port=443.

    --network no For agents, add the agent to a custom network. If you do not specify a network, the agent belongs to the default network.

Note: If you attempt to clone an agent and link it to Tenable Nessus Manager or Tenable Vulnerability Management, a 409 error may appear. This error appears because another machine was linked with the same UUID value in the /private/etc/tenable_tag file. To resolve this issue, replace the value in the /private/etc/tenable_tag file with a valid UUIDv4 value.

Note: For more information about linking agents to Tenable Vulnerability Management, see Link a Sensor in the User Guide.

Verify a Linked Agent

To verify a linked agent in Tenable Vulnerability Management:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Sensors tile.

    The Sensors page appears. By default, Nessus Scanners is selected in the left navigation menu and the Cloud Scanners tab is active.

  4. In the left navigation menu, click Nessus Agents.

    The Nessus Agents page appears and the Linked Agents tab is active.

  5. Locate the new agent in the linked agents table.

To verify a linked agent in Tenable Nessus Manager:

  1. In the top navigation bar, click Sensors.

    The Linked Agents page appears.

  2. Locate the new agent in the linked agents table.