Advanced Settings
You can manually configure agents by setting advanced settings from the agent command line interface. You can modify some system-wide agent settings from Tenable Nessus Manager advanced settings or the Linked Agents tab in Tenable Vulnerability Management (see Agent Settings in the Tenable Vulnerability Management User Guide for more information). Nessus Agent validates your input values to ensure only valid configurations are allowed.
Tenable Nessus Agent Advanced Settings
You can configure the following agent settings in the command line interface using the nessuscli utility.
Use the command # nessuscli fix --set setting=value. For more information, see Tenable Nessus Agent CLI Commands.
Name | Setting | Description | Default | Valid Values |
---|---|---|---|---|
Agent Update Plan | agent_update_channel | (Tenable Vulnerability Management-linked agents only) Sets the agent update plan to determine what version the agent automatically updates to. Note: For agents linked to Tenable Vulnerability Management, you need to run the agent_update_channel command from the agent nessuscli utility. For agents linked to Tenable Nessus Manager, you need to run the agent_update_channel command from the Tenable Nessus Manager nessuscli utility. | ga | ga: Automatically updates to the latest ea: Automatically updates to the latest stable: Does not automatically update to the latest |
Always Validate SSL Server Certificates | strict_certificate_validation | When enabled, always validate SSL server certificates, even during initial remote link (requires manager to use a trusted root CA). | no | yes or no |
Automatic Hostname Update | update_hostname | When enabled, if someone modifies the endpoint hostname, the new hostname is updated in the agent's manager. This feature is disabled by default to prevent custom agent names from being overridden. | no | yes or no |
Connection Status Check Time | connection_status_check_time | (Tenable Vulnerability Management-linked agents only) Determines how often, in seconds, the agent checks its connection status when offline. | 900 | Integers >299 |
Days To Keep Unused Plugins | days_to_keep_unused_plugins | (Tenable Vulnerability Management-linked agents only) Determines the duration of time (in days) after which an agent deletes an unused plugin set. For example, if you set this setting to 14 and the agent has not used one of its plugin sets for scanning in over 14 days, the agent deletes that plugin set. | 14 | Integers >7 |
Detect Duplicate Agents | detect_duplicates | Regardless of this setting, the agent automatically checks if it is a duplicate agent by comparing its current list of MAC addresses to the MAC addresses the agent had at link time. For agents linked to Tenable Vulnerability Management or Tenable Nessus Manager 8.11.1 and later, the manager performs the same check to identify duplicate agents. When disabled, the agent automatically logs duplicates in backend.log, but no action is taken. When enabled, if either the agent or the manager detects a duplicate agent, the agent automatically unlinks and regenerates its identifying information (for example, the UUID) so that it can be linked again. This event is logged in backend.log. You must manually relink the agent. | no | yes or no |
Disable Core Updates | disable_core_updates | When set to yes, the agent does not request automatic core updates. You can still upgrade software versions manually. The agent can still receive plugin updates. | no | yes or no |
Log File Maximum Files | logfile_max_files | Determines the maximum number of nessusd.messages files that Tenable Nessus Agent keeps on the disk. If the number of nessusd.messages log files exceeds the specified value, Tenable Nessus Agent deletes the oldest log files. | Tenable Nessus — 100; Tenable Nessus Agent — 2 | Integers 1-1000 |
Log File Maximum Size | logfile_max_size | Determines the maximum size of the nessusd.messages file in MB. If the file size exceeds the maximum size, Tenable Nessus Agent creates a new messages log file. | Tenable Nessus — 512; Tenable Nessus Agent — 10 | Integers 1-2048 |
Log File Rotation Time | logfile_rotation_time | Determines how often, in days, Tenable Nessus Agent messages log files are rotated. | 1 | Integers 1-365 |
Log File Rotation | logfile_rot | Determines whether Tenable Nessus Agent rotates messages log files based on maximum rotation size or rotation time. | size | size — Tenable Nessus Agent rotates log files based on size, as specified in logfile_max_size. time — Tenable Nessus Agent rotates log files based on time, as specified in logfile_rotation_time. |
Long Term Upload Interval Seconds | long_term_upload_interval_seconds | (Tenable Vulnerability Management-linked agents only) Determines the number of seconds the agent waits between attempting to upload smart scan results. | 180 | Integers >59 |
Maximum Ports in Scan Reports | report.max_ports | The maximum number of allowable ports. If there are more ports in the scan results than this value, Tenable Nessus discards the port scan results. This limit helps guard against fake targets that may have thousands of reported ports, but can also result in the deletion of valid results from the scan results database, so you may want to increase the default if this is a problem. | 1024 | Integers |
Maximum Ports Reported by Portscanner Plugins | portscanner.max_ports | The maximum number of ports that the Tenable Nessus port-scanning plugins can mark as open. This includes the port scanners proper and any plugin that calls NASL function scanner_add_port(). | 1024 | Integers 0-65535 |
Maximum Scans Per Day | maximum_scans_per_day | Determines the maximum number of scans an agent can run per day. | 10 | Integers 1-48 |
Minimum Metadata Update Interval | min_metadata_update_interval | (Tenable Vulnerability Management-linked agents only) Determines the minimum number of minutes between the agent's attempts to push metadata to Tenable Vulnerability Management. Note: The agent only attempts to push metadata to Tenable Vulnerability Management if the metadata changes. | 10 | Integers >4 |
Nessus Dump File Max Files | dumpfile_max_files | Sets the maximum number of the nessusd.dump files kept on disk. If the number exceeds the specified value, the setting deletes the oldest dump file. | 100 | Integers 1-1000 |
Nessus Dump File Max Size | dumpfile_max_size | Sets the maximum size of the nessusd.dump files in MB. If file size exceeds the maximum size, the setting creates a new dump file. | 512 | Integers 1-2048 |
Offline Agent Scan Trigger Execution Threshold | offline_agent_scan_trigger_execution_threshold_days | (Tenable Vulnerability Management-linked agents only) Determines the number of days of being offline after which rule-based scans no longer launch. | 14 | Integers >0 |
Plugin Compilation Performance | plugin_load_performance_mode | Sets plugin compilation performance, which affects CPU usage. Low performance slows down plugin compilation, but reduces the agent's CPU consumption. Setting the performance to medium or high means that plugin compilation completes more quickly, but the agent consumes more CPU. For more information, see Agent CPU Resource Control. | high | low, medium, or high |
Scan Performance | scan_performance_mode | Sets scan performance, which affects CPU usage. Low performance slows down scans, but reduces the agent's CPU consumption. Setting the performance to medium or high means that scans complete more quickly, but the agent consumes more CPU. For more information, see Agent CPU Resource Control. | high | low, medium, or high |
Skip Asset Observation On Update | skip_asset_observation_on_update | Determines whether the agent only updates the asset metadata when linking to Tenable Vulnerability Management. When you set this setting to no, the agent updates Tenable Vulnerability Management with new asset metadata based on the Minimum Metadata Update Interval. | no | yes or no |
SSL Cipher List | ssl_cipher_list | Sets the cipher list to use for Agent outbound connections. | compatible | |
SSL Mode | ssl_mode | Minimum supported version of TLS. | tls_1_2 | |
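When settings are pushed to many agents by configuration management, it helps to check a baseline against the documented ranges before any agent is touched. The following is an added example, not Tenable's code: the function names and the BASELINE sample are hypothetical, the ranges are copied from the table above for a subset of settings, and the script only prints the commands rather than running nessuscli.

```shell
# Added example: dry-run validator for an agent settings baseline (hypothetical).

# in_range VALUE MIN [MAX]: succeed if VALUE is an integer within bounds.
in_range() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 9 ] || return 1          # keep the integer tests below safe
  [ "$1" -ge "$2" ] || return 1
  [ -z "${3:-}" ] || [ "$1" -le "$3" ]
}

# validate_setting NAME VALUE: 0 = valid, 1 = invalid, 2 = not covered here.
validate_setting() {
  case "$1" in
    strict_certificate_validation|update_hostname|detect_duplicates|disable_core_updates)
      [ "$2" = yes ] || [ "$2" = no ] ;;
    scan_performance_mode|plugin_load_performance_mode)
      [ "$2" = low ] || [ "$2" = medium ] || [ "$2" = high ] ;;
    logfile_rot)                  [ "$2" = size ] || [ "$2" = time ] ;;
    logfile_max_size)             in_range "$2" 1 2048 ;;
    logfile_rotation_time)        in_range "$2" 1 365 ;;
    maximum_scans_per_day)        in_range "$2" 1 48 ;;
    connection_status_check_time) in_range "$2" 300 ;;  # table: Integers >299
    days_to_keep_unused_plugins)  in_range "$2" 8 ;;    # table: Integers >7
    *) return 2 ;;  # unknown to this sketch: refuse rather than guess
  esac
}

# emit_commands: read name=value lines on stdin; print a command per valid line.
emit_commands() {
  rc=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    name=${line%%=*}; value=${line#*=}
    if validate_setting "$name" "$value"; then
      printf 'nessuscli fix --set %s=%s\n' "$name" "$value"
    else
      printf 'rejected: %s\n' "$line" >&2; rc=1   # reported, never emitted
    fi
  done
  return "$rc"
}

# Constructed sample baseline (values chosen for illustration).
BASELINE='strict_certificate_validation=yes
logfile_rot=time
maximum_scans_per_day=96
connection_status_check_time=120'
printf '%s\n' "$BASELINE" | emit_commands || echo 'baseline needs fixing' >&2
```

Settings the function does not cover, such as ssl_mode, are rejected with status 2 because this page lists no valid values for them.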
Tenable Nessus Agent Secure Settings
You can configure the following secure settings in the command line interface, using the nessuscli utility.
Use the command # nessuscli fix --secure --set setting=value. For more information, see Tenable Nessus Agent CLI Commands.
Caution: Tenable does not recommend changing undocumented --secure settings as it may result in an unsupported configuration.
Setting | Description | Valid Values |
---|---|---|
auto_proxy | (Windows-only) If enabled, the agent uses Web Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC) file for proxy settings. This setting overrides all other proxy configuration preferences. If disabled, the agent defaults to the remaining proxy settings. | true or false |
ignore_proxy | If enabled, the agent attempts a direct connection to the manager instead of using the set proxy, until it fails 10 times. If disabled, the agent attempts to connect using the set proxy, until it fails three times. This setting changes automatically, as described in Proxy Connection Fallback. You can also set this setting manually; however, if at any point the agent meets one of the conditions described in Proxy Connection Fallback, the agent automatically changes the setting. | yes or no |
ms_proxy | When enabled, the agent uses a proxy to connect to its manager. | true or false |
proxy | The hostname or IP address of your proxy server. | String |
proxy_port | The port number of the proxy server. | String |
proxy_auth | (Optional) If you want to use authentication to connect to the proxy, specify the authentication scheme. | basic, digest, ntlm, or auto |
proxy_username | If using authentication to connect to the proxy, the name of a user account that has permissions to access and use the proxy server. | String. If there are spaces, use quotes ("). |
proxy_password | If authenticating with the proxy, the password associated with the username. | String |
Tenable Nessus Manager advanced settings
You can configure the following system-wide agent settings in Tenable Nessus Manager, under the Agents & Scanners section. For more information, see Advanced Settings in the Tenable Nessus User Guide.
Name | Setting | Description | Default | Valid Values | Restart Required? |
---|---|---|---|---|---|
Agent Auto Delete | agent_auto_delete | Controls whether agents are automatically deleted after they have been inactive for the duration of time set for agent_auto_delete_threshold. | no | yes or no | no |
Agent Auto Delete Threshold | agent_auto_delete_threshold | The number of days after which inactive agents are automatically deleted if agent_auto_delete is set to yes. | 60 | Integers 1-365 | no |
Agent Auto Unlink | agent_auto_unlink | Controls whether agents are automatically unlinked after they have been inactive for the duration of time set for agent_auto_unlink_threshold. | no | yes or no | no |
Agent Auto Unlink Threshold | agent_auto_unlink_threshold | The number of days after which inactive agents are automatically unlinked if agent_auto_unlink is set to yes. Note: This value must be less than the agent_auto_delete_threshold. | 30 | Integers 30-90 | no |
Agents Progress | agents_progress_viewable | When a scan gathers information from agents, Tenable Nessus Manager does not show detailed agents information if the number of agents exceeds this setting. Instead, a message indicates that results are being gathered and will be viewable when the scan is complete. | 100 | Integers. If set to 0, this defaults to 100. | no |
Automatically Download Agent Updates | agent_updates_from_feed | When enabled, new Tenable Nessus Agent software updates are automatically downloaded. | yes | yes or no | yes |
Concurrent Agent Software Updates | cloud.manage.download_max | The maximum concurrent agent update downloads. | 10 | Integers | no |
Include Audit Trail Data | agent_merge_audit_trail | Controls whether or not agent scan result audit trail data is included in the main agent database. Excluding audit trail data can significantly improve agent result processing performance. If this setting is set to false, the Audit Trail Verbosity setting in an individual scan or policy defaults to No audit trail. Available in Nessus 8.3 and later. | false | true or false | no |
Include KB Data | agent_merge_kb | Includes the agent scan result KB data in the main agent database. Excluding KB data can significantly improve agent result processing performance. If this setting is set to false, the Include the KB setting in an individual scan or policy defaults to Exclude KB. Available in Nessus 8.3 and later. | false | true or false | no |
Result Processing Journal Mode | agent_merge_journal_mode | Sets the journaling mode to use when processing agent results. Depending on the environment, this can somewhat improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation. Available in Nessus 8.3 and later. | DELETE | MEMORY, TRUNCATE, or DELETE | no |
Result Processing Sync Mode | agent_merge_synchronous_setting | Sets the filesystem sync mode to use when processing agent results. Turning this off will significantly improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation. Available in Nessus 8.3 and later. | FULL | OFF, NORMAL, or FULL | no |
Track Unique Agents | track_unique_agents | When enabled, Tenable Nessus Manager checks if MAC addresses of agents trying to link match MAC addresses of currently linked agents with the same hostname, platform, and distro. Tenable Nessus Manager deletes duplicates that it finds. | no | yes or no | no |