Advanced Settings

You can manually configure agents by setting advanced settings from the agent command line interface. You can modify some system-wide agent settings from Tenable Nessus Manager advanced settings or the Linked Agents tab in Tenable Vulnerability Management (see Agent Settings in the Tenable Vulnerability Management User Guide for more information). Nessus Agent validates your input values to ensure only valid configurations are allowed.

Tenable Nessus Agent Advanced Settings

You can configure the following agent settings in the command line interface using the nessuscli utility.

Use the command # nessuscli fix --set setting=value. For more information, see Tenable Nessus Agent CLI Commands .

Tip: Customers with many agents (10,000+) may want to configure the agent_merge_audit_trail, agent_merge_kb, agent_merge_journal_mode, and agent_merge_synchronous_setting settings. Modifying these settings can dramatically lower the amount of time it takes to merge agent scan results. Review the descriptions in the following table for suggested configurations.

Name

Setting

Description

Default Valid Values
Agent Update Plan agent_update_channel

(Tenable Vulnerability Management-linked agents only)

Sets the agent update plan to determine what version the agent automatically updates to.

Note: For agents linked to Tenable Vulnerability Management, you need to run the agent_update_channel command from the agent nessuscli utility. For agents linked to Tenable Nessus Manager, you need to run the agent_update_channel command from the Tenable Nessus Managernessuscli utility.

ga

ga: Automatically updates to the latest Agent version when it is made generally available (GA). Note: This date is usually one week after the version is made generally available. For versions that address critical security issues, Tenable may make the version available immediately.

ea: Automatically updates to the latest Agent version as soon as it is released for Early Access (EA), typically a few weeks before general availability.

stable: Does not automatically update to the latest Tenable Nessus Agent version. Remains on an earlier version of Tenable Nessus Agent set by Tenable, usually one release older than the current generally available version, but no earlier than 7.7.0. When Tenable Nessus Agent releases a new version, your agent updates software versions, but stays on a version prior to the latest release.

Always Validate SSL Server Certificates strict_certificate_validation

When enabled, always validate SSL server certificates, even during initial remote link (requires manager to use a trusted root CA).

no yes or no
Automatic Hostname Update update_hostname When enabled, when someone modifies the endpoint hostname, the new hostname is updated in the agent's manager. This feature is disabled by default to prevent custom agent names from being overridden. no yes or no
Connection Status Check Time connection_status_check_time

(Tenable Vulnerability Management-linked agents only)

Determines how often the agent checks its connection status when offline in seconds.

900 Integers >299
Days To Keep Unused Plugins days_to_keep_unused_plugins

(Tenable Vulnerability Management-linked agents only)

Determines the duration of time (in days) after which an agent deletes an unused plugin set.

For example, if you set this setting to 14 and the agent has not used one of its plugin set for scanning in over 14 days, the agent deletes that plugin set.

14 Integers >7
Detect Duplicate Agents detect_duplicates

Regardless of this setting, the agent automatically checks if it is a duplicate agent by comparing its current list of MAC addresses to the MAC addresses the agent had at link time. For agents linked to Tenable Vulnerability Management or Tenable Nessus Manager 8.11.1 and later, the manager performs the same check to identify duplicate agents.

When disabled, the agent automatically logs duplicates in backend.log, but no action is taken.

When enabled, if either the agent or the manager detects a duplicate agent, the agent automatically unlinks and regenerates its identifying information (for example, the UUID) so that it can be linked again. This event is logged in backend.log. You must manually relink the agent.

no yes or no
Disable Core Updates disable_core_updates When set to yes, the agent does not request automatic core updates. You can still upgrade software versions manually. The agent can still receive plugin updates. no yes or no
Log File Maximum Files logfile_max_files Determines the maximum number of nessusd.messages files that Tenable Nessus Agent keeps on the disk. If the number of nessusd.messages log files exceeds the specified value, Tenable Nessus Agent deletes the oldest log files.

Tenable Nessus — 100

Tenable Nessus Agent — 2

Integers 1-1000

Log File Maximum Size logfile_max_size Determines the maximum size of the nessusd.messages file in MB. If the file size exceeds the maximum size, Tenable Nessus Agent creates a new messages log file.

Tenable Nessus —512

Tenable Nessus Agent — 10

Integers 1-2048
Log File Rotation Time logfile_rotation_time Determines how often Tenable Nessus Agent messages log files are rotated in days. 1 Integers 1-365
Log File Rotation logfile_rot Determines whether Tenable Nessus Agent rotates messages log files based on maximum rotation size or rotation time. size

sizeTenable Nessus Agent rotates log files based on size, as specified in logfile_max_size.

timeTenable Nessus Agent rotates log files based on time, as specified in logfile_rotation_time.

Long Term Upload Interval Seconds long_term_upload_interval_seconds

(Tenable Vulnerability Management-linked agents only)

Determines the number of seconds the agent waits between attempting to upload smart scan results.

180 Integers >59
Maximum Scans Per Day maximum_scans_per_day Determines the maximum number of scans an agent can run per day. 10 Integers 1-48
Minimum Metadata Update Interval min_metadata_update_interval

(Tenable Vulnerability Management-linked agents only)

Determines the minimum number of minutes between the agent's attempts to push metadata to Tenable Vulnerability Management.

Note: The agent only attempts to push metadata to Tenable Vulnerability Management if the metadata changes.

10 Integers >4
Nessus Dump File Max Files dumpfile_max_files Sets the maximum number of the nessusd.dump files kept on disk. If the number exceeds the specified value, the setting deletes the oldest dump file. 100 Integers 1-1000
Nessus Dump File Max Size dumpfile_max_size Sets the maximum size of the nessusd.dump files in MB. If file size exceeds the maximum size, the setting creates a new dump file. 512 Integers 1-2048
Offline Agent Scan Trigger Execution Threshold offline_agent_scan_trigger_execution_threshold_days

(Tenable Vulnerability Management-linked agents only)

Determines the number of days of being offline after which rule-based scans no longer launch.

14 Integers >0
Plugin Compilation Performance plugin_load_performance_mode

Sets plugin compilation performance, which affects CPU usage. Low performance slows down plugin compilation, but reduces the agent's CPU consumption. Setting the performance to medium or high means that plugin compilation completes more quickly, but the agent consumes more CPU. For more information, see Agent CPU Resource Control.

high

low, medium, or high

Scan Performance scan_performance_mode Sets scan performance, which affects CPU usage. Low performance slows down scans, but reduces the agent's CPU consumption. Setting the performance to medium or high means that scans complete more quickly, but the agent consumes more CPU. For more information, see Agent CPU Resource Control. high low, medium, or high
Skip Asset Observation On Update skip_asset_observation_on_update

Determines whether the agent only updates the asset metadata when linking to Tenable Vulnerability Management. When you set this setting to no, the agent updates Tenable Vulnerability Management with new asset metadata based on the Minimum Metadata Update Interval.

no yes or no
SSL Cipher List ssl_cipher_list Sets the cipher list to use for Agent outbound connections. compatible
  • legacy — A list of ciphers that can integrate with older APIs.
  • compatible — A list of secure ciphers. May not include all the latest ciphers.
  • modern — A list of the latest and most secure ciphers.
  • custom — A custom OpenSSL cipher list. For more information on valid cipher list formats, see the OpenSSL documentation.
SSL Mode ssl_mode Minimum supported version of TLS. tls_1_2
  • compat — TLS v1.0+.
  • ssl_3_0 — SSL v3+.
  • tls_1_1 — TLS v1.1+.
  • tls_1_2 — TLS v1.2+.

Tenable Nessus Agent Secure Settings

You can configure the following secure settings in the command line interface, using the nessuscli utility.

Use the command # nessuscli fix --secure --set setting=value. For more information, see Tenable Nessus Agent CLI Commands .

Caution: Tenable does not recommend changing undocumented --secure settings as it may result in an unsupported configuration.

Setting Description Valid Values
auto_proxy

(Windows-only) If enabled, the agent uses Web Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC) file for proxy settings. This setting overrides all other proxy configuration preferences.

If disabled, the agent defaults to the remaining proxy settings.

true or false
ignore_proxy

If enabled, the agent attempts a direct connection to the manager instead of using the set proxy, until it fails 10 times.

If disabled, the agent attempts to connect using the set proxy, until it fails three times.

This setting changes automatically, as described in Proxy Connection Fallback. You can also set this setting manually; however, if at any point the agent meets one of the conditions described in Proxy Connection Fallback, the agent automatically changes the setting.

yes or no

ms_proxy

When enabled, the agent uses a proxy to connect to its manager. true or false
proxy The hostname or IP address of your proxy server. String

proxy_port

The port number of the proxy server. String
proxy_auth (Optional) If you want to use authentication to connect to the proxy, specify the authentication scheme. basic, digest, ntlm, or auto
proxy_username If using authentication to connect to the proxy, the name of a user account that has permissions to access and use the proxy server. String. If there are spaces, use quotes (").
proxy_password If authenticating with the proxy, password associated with the username. String

Tenable Nessus Manager advanced settings

You can configure the following system-wide agent settings in Tenable Nessus Manager, under the Agents & Scanners section. For more information, see Advanced Settings in the Tenable Nessus User Guide.

Name

Setting

Description

Default Valid Values Restart Required?
Agent Auto Delete agent_auto_delete Controls whether agents are automatically deleted after they have been inactive for the duration of time set for agent_auto_delete_threshold. no yes or no no
Agent Auto Delete Threshold agent_auto_delete_threshold The number of days after which inactive agents are automatically deleted if agent_auto_delete is set to yes. 60 Integers 1-365 no
Agent Auto Unlink agent_auto_unlink

Controls whether agents are automatically unlinked after they have been inactive for the duration of time set for agent_auto_unlink_threshold.

no yes or no no
Agent Auto Unlink Threshold agent_auto_unlink_threshold

The number of days after which inactive agents are automatically unlinked if agent_auto_unlink is set to yes.

Note: This value must be less than the agent_auto_delete_threshold.

30 Integers 30-90 no
Agents Progress agents_progress_viewable When a scan gathers information from agents, Tenable Nessus Manager does not show detailed agents information if the number of agents exceeds this setting. Instead, a message indicates that results are being gathered and will be viewable when the scan is complete. 100

Integers.

If set to 0, this defaults to 100.

no
Automatically Download Agent Updates agent_updates_from_feed

When enabled, new Tenable Nessus Agent software updates are automatically downloaded.

yes yes or no yes
Concurrent Agent Software Updates cloud.manage.download_max The maximum concurrent agent update downloads. 10 Integers no
Include Audit Trail Data agent_merge_audit_trail

Controls whether or not agent scan result audit trail data is included in the main agent database. Excluding audit trail data can significantly improve agent result processing performance.

If this setting is set to false, the Audit Trail Verbosity setting in an individual scan or policy defaults to No audit trail.

Available in Nessus 8.3 and later.

false true or false no
Include KB Data agent_merge_kb

Includes the agent scan result KB data in the main agent database. Excluding KB data can significantly improve agent result processing performance.

If this setting is set to false, the Include the KB setting in an individual scan or policy defaults to Exclude KB.

Available in Nessus 8.3 and later.

false true or false no
Result Processing Journal Mode agent_merge_journal_mode

Sets the journaling mode to use when processing agent results. Depending on the environment, this can somewhat improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation.

Available in Nessus 8.3 and later.

DELETE

MEMORY

TRUNCATE

DELETE

no
Result Processing Sync Mode agent_merge_synchronous_setting

Sets the filesystem sync mode to use when processing agent results. Turning this off will significantly improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation.

Available in Nessus 8.3 and later.

FULL

OFF

NORMAL

FULL

no
Track Unique Agents track_unique_agents When enabled, Tenable Nessus Manager checks if MAC addresses of agents trying to link match MAC addresses of currently linked agents with the same hostname, platform, and distro. Tenable Nessus Manager deletes duplicates that it finds. no yes or no no