Install a Tenable Nessus Agent on Linux

Use the following procedure to install Tenable Nessus Agent on a Linux system. After the installation, you link the agent to its manager (Tenable Vulnerability Management or Tenable Nessus Manager) so that it can begin sending scan data.

Before you begin:

Caution: If you install a Tenable Nessus Agent on a system where an existing Tenable Nessus Agent, Tenable Nessus Manager, or Tenable Nessus scanner is running nessusd, the installation process kills all other nessusd processes. You may lose scan data as a result.

Download the Tenable Nessus Agent

On the Tenable Nessus Agent Download Page, download the package specific to your operating system.

Once you download the agent package, install the agent.

Install the Agent

Note: The following procedure requires root privileges.

Using the command line interface, install the Tenable Nessus Agent.

Example Linux Install Commands

Tip: You can install a full plugins set before linking to reduce the bandwidth impact during a mass installation. To do this, use the nessuscli agent update command with the --file parameter, which specifies the location of the plugins set. You must do this before starting the Tenable Nessus Agent. For example:

/opt/nessus_agent/sbin/nessuscli agent update --file=./plugins_set.tgz

The plugins set must be less than five days old. A stale plugin set older than five days forces a full plugin download to occur. You can download a recent plugins set from the Nessus Agents download page.

Note: After installing a Nessus Agent, you must manually start the service using the /sbin/service nessusagent start command. Tenable also recommends running systemctl enable nessusagent to ensure that the Nessus Agent service starts anytime the host is rebooted.

Link the Agent Using the Command Line

At the command prompt, use the nessuscli agent link command. For example:

/opt/nessus_agent/sbin/nessuscli agent link --key=00abcd00000efgh11111i0k222lmopq3333st4455u66v777777w88xy9999zabc00 --name=MyOSXAgent --groups="All" --host=yourcompany.com --port=8834

Note: You must copy and paste the entire link command on the same line. Otherwise, you receive an error.

The supported arguments for this command are:

| Argument | Required? | Value |
|---|---|---|
| --key, --host, --port | yes | Use the values obtained from the manager. To retrieve the linking key from the manager, see the Tenable Nessus User Guide or the Tenable Vulnerability Management User Guide, depending on which manager you use. |
| --name | no | Specify a name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent. |
| --groups | no | Specify the existing agent group or groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management. Note: The agent group name is case-sensitive and must match exactly. You must encase the agent group name in quotation marks (for example, --groups="My Group"). |
| --offline-install | no | You can install the Tenable Nessus Agent on a system even if it is offline. Add the command line option --offline-install="yes" to the command line input. The Tenable Nessus Agent periodically attempts to link itself to either Tenable Vulnerability Management or Tenable Nessus Manager. If the agent cannot connect to the controller, it retries every hour. If the agent can connect to the controller but the link fails, it retries every 24 hours. |
| --cloud | no | Specify the --cloud argument to link to Tenable Vulnerability Management. The --cloud argument is a shortcut to specifying --host=sensor.cloud.tenable.com --port=443. Note: If you are connecting to Tenable Vulnerability Management through Tenable Nessus scanners, Tenable Nessus Agents, Tenable Web App Scanning scanners, or Tenable Nessus Network Monitors (NNM) located in mainland China, you must connect through sensor.cloud.tenablecloud.cn instead of sensor.cloud.tenable.com. Note: For more information about linking agents to Tenable Vulnerability Management, see Link a Sensor in the Tenable Vulnerability Management User Guide. |
| --network | no | For Tenable Vulnerability Management-linked agents, add the agent to a custom network. If you do not specify a network, the agent belongs to the default network. Note: You must encase the network name in quotation marks (for example, --network="My Network"). |
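The argument rules above, as an added example that is not Tenable code: a POSIX shell function that prints the link command on one line and rejects values that would break it. The nessuscli path and argument names come from this page; the function name, its parameter order, and the HOST:PORT convention are hypothetical.

```shell
#!/bin/sh
# Added example (not Tenable code): print the link command as ONE line.
# Argument names and the nessuscli path are from the page; the function
# name, parameter order and HOST:PORT form are hypothetical.
NESSUSCLI=/opt/nessus_agent/sbin/nessuscli

# build_link_cmd KEY TARGET [NAME] [GROUPS] [NETWORK]
#   TARGET is "cloud" (emits --cloud) or HOST:PORT (emits --host/--port).
build_link_cmd() {
    key=${1-} target=${2-} name=${3-} grp=${4-} network=${5-}
    nl='
'
    # A value pasted with a line break, or holding shell metacharacters,
    # would split or alter the command when it is run.
    for v in "$key" "$target" "$name" "$grp" "$network"; do
        case $v in
            *"$nl"*|*'"'*|*'$'*|*'`'*|*'\'*)
                echo "link: unsafe character in argument value" >&2; return 1 ;;
        esac
    done
    [ -n "$key" ] || { echo "link: --key is required" >&2; return 1; }
    case $key$target in
        *[[:space:]]*) echo "link: whitespace in key or target" >&2; return 1 ;;
    esac

    if [ "$target" = cloud ]; then
        dest="--cloud"    # shortcut for --host=sensor.cloud.tenable.com --port=443
    else
        host=${target%:*} port=${target##*:}
        case $port in ''|*[!0-9]*|??????*) port=0 ;; esac
        if [ -z "$host" ] || [ "$host" = "$target" ] ||
           [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "link: --host and --port are required (HOST:PORT)" >&2; return 1
        fi
        dest="--host=$host --port=$port"
    fi

    # Optional arguments; names with spaces must stay inside quotation marks.
    cmd="$NESSUSCLI agent link --key=$key $dest"
    [ -z "$name" ]    || cmd="$cmd --name=\"$name\""
    [ -z "$grp" ]     || cmd="$cmd --groups=\"$grp\""
    [ -z "$network" ] || cmd="$cmd --network=\"$network\""
    printf '%s\n' "$cmd"
}
```

Reading the linking key from a root-only file and passing it to the function keeps it from being typed into shell history.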

Once you install and link the agent, Tenable recommends that you verify that the agent is successfully linked to the manager by viewing the agent in the manager user interface.

Tip: If you attempt to clone an agent and link it to Tenable Nessus Manager or Tenable Vulnerability Management, a 409 error may appear. This error appears because another machine was linked with the same UUID value in the /etc/machine_id or /etc/tenable_tag file. To resolve this issue, replace the value in the /etc/tenable_tag file with a valid UUIDv4 value. If the /etc/machine_id file does not exist, you can delete /etc/tenable_tag to generate a new value.
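For clone or golden-image workflows, the tag fix described in the tip above can run on first boot before linking. This is an added example, not Tenable code: it assumes the tag file holds only the UUID, and the function names and the template-tag parameter (the tag recorded from the source image) are hypothetical.

```shell
#!/bin/sh
# Added example (not Tenable code). File paths are from the page; function
# names and the "template tag" parameter are hypothetical.

# True if $1 is a UUIDv4: version nibble 4, variant nibble 8, 9, a or b.
is_uuid_v4() {
    printf '%s\n' "$1" | grep -Eiq \
      '^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'
}

# Print a fresh random (version 4) UUID.
new_uuid_v4() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid     # Linux kernel generator
    else
        uuidgen -r                           # util-linux, -r = random
    fi
}

# ensure_unique_tag TAG_FILE MACHINE_ID_FILE TEMPLATE_TAG
# Prints "kept", "replaced" or "deleted".
ensure_unique_tag() {
    tag_file=$1 machine_id_file=$2 template_tag=$3
    current=""
    if [ -f "$tag_file" ]; then
        current=$(tr -d '[:space:]' < "$tag_file" | tr 'A-F' 'a-f')
    fi
    # Keep the tag only if it is well-formed AND differs from the image's.
    if is_uuid_v4 "$current" && [ "$current" != "$template_tag" ]; then
        echo kept
        return 0
    fi
    if [ -e "$machine_id_file" ]; then
        # Page: replace the value with a valid UUIDv4.
        new_uuid_v4 > "$tag_file"
        echo replaced
    else
        # Page: without the machine ID file, deleting the tag file
        # causes a new value to be generated.
        rm -f "$tag_file"
        echo deleted
    fi
}

# Usage on a clone, as root, before running "nessuscli agent link":
#   ensure_unique_tag /etc/tenable_tag /etc/machine_id "$TEMPLATE_TAG"
```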

Verify the Linked Agent

Once you install and link the agent, use the following steps to view the new agent in the manager user interface:

  • To verify a linked agent in Tenable Vulnerability Management:

    1. In the upper-left corner, click the Menu button.

      The left navigation plane appears.

    2. In the left navigation plane, click Settings.

      The Settings page appears.

    3. Click the Sensors tile.

      The Sensors page appears. By default, Nessus Scanners is selected in the left navigation menu and the Cloud Scanners tab is active.

    4. In the left navigation menu, click Nessus Agents.

      The Nessus Agents page appears and the Linked Agents tab is active.

    5. Locate the new agent in the linked agents table.

  • To verify a linked agent in Tenable Nessus Manager:

    1. In the top navigation bar, click Sensors.

      The Linked Agents page appears.

    2. Locate the new agent in the linked agents table.