Nessuscli Agent

Use the Agent nessuscli utility to perform some Nessus Agent functions through a command line interface.

Note: You must run all Agent nessuscli commands as a user with administrative privileges.

Nessuscli Syntax

Operating System

Command

Linux

# /opt/nessus_agent/sbin/nessuscli <cmd> <arg1> <arg2>

Mac OS X

# /Library/NessusAgent/run/sbin/nessuscli <cmd> <arg1> <arg2>

Windows

C:\Program Files\Tenable\Nessus Agent\nessuscli.exe <cmd> <arg1> <arg2>

Nessuscli Commands

Command Description
Informational Commands

# nessuscli help

Displays a list of nessuscli commands.

# nessuscli -v Displays your current version of Nessus Agent.
Bug Reporting Commands

# nessuscli bug-report-generator

Generates an archive of system diagnostics.

If you run this command without arguments, the utility prompts you for values.

Optional arguments:

--quiet: Run the bug report generator without prompting user for feedback.

--scrub: The bug report generator sanitizes the last two octets of the IPv4 address.

--full: The bug report generator collects extra data.

Local Agent Commands

Used to link, unlink, and display agent status

# nessuscli agent link --key=<key> --host=<host> --port=<port>

Using the Nessus Agent Linking Key, this command links the agent to the Nessus Manager or Tenable.io.

Required arguments:

  • --key: The linking key that you retrieved from the manager.
  • --host: The static IP address or hostname you set during the Nessus Manager installation.
  • --port: 8834 or your custom port.

Optional arguments:

  • --name:  A name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.
  • --groups: One or more existing agent groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Nessus Manager. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list. For example: "Atlanta,Global Headquarters"

    Note: The agent group name is case-sensitive and must match exactly.

  • --ca-path: A custom CA certificate to use to validate the manager's server certificate.
  • --offline-install: If enabled (set to "yes"), installs Nessus Agent on the system, even if it is offline. Nessus Agent periodically attempts to link itself to its manager.

    If the agent cannot connect to the controller, it retries every hour. If the agent can connect to the controller but the link fails, it retries every 24 hours.

  • --proxy-host: The hostname or IP address of your proxy server.
  • --proxy-port: The port number of the proxy server.
  • --proxy-password: The password of the user account that you specified as the username.
  • --proxy-username: The name of a user account that has permissions to access and use the proxy server.
  • --proxy-agent: The user agent name, if your proxy requires a preset user agent.

# nessuscli agent unlink

Unlinks agent from the Nessus Manager or Tenable.io.

# nessuscli agent status

Displays the status of the agent, jobs pending, and if the agent is linked or not linked to server.

Optional arguments:

--local(Default behavior) Provides the status, current jobs count, and jobs pending. This option prevents the agent from contacting the management software that it is linked with to fetch the status. Instead, it displays the last known information from its most recent sync.

--remote(Default behavior) Fetches the job count from the manager and displays the status.

Note: Tenable does not recommend running frequent status checks with the --remote option (for example, when using automation).

--offline: Provides the most recently cached agent status when it cannot connect to Nessus Manager or Tenable.io.

--show-token: Displays the agent's token that is used to identify and authenticate with its manager.

--show-uuid: Displays the agent's Tenable UUID.

Update Commands
# nessuscli agent update --file=<plugins_set.tgz>

Manually installs a plugins set.

nessuscli fix --set agent_update_channel=<value>

(Tenable.io-linked agents only)

Sets the agent update plan to determine what version the agent automatically updates to.

Values:

  • ga: Automatically updates to the latest Nessus version as soon as it is made generally available (GA).

  • ea: Automatically updates to the latest Nessus version as soon as it is released for Early Access (EA), typically a few weeks before general availability.

  • stable: Does not automatically update to the latest Nessus version. Remains on an earlier version of Nessus set by Tenable, usually one release older than the current generally available version, but no earlier than 8.10.0. When Nessus releases a new version, your Nessus instance updates software versions, but stays on a version prior to the latest release.

Fix Commands
nessuscli fix --list Displays a list of agent settings and their values.
nessuscli fix --set <setting>=<value> Set an agent setting to the specified value.

For a list of agent settings, see Advanced Settings in the Nessus Agent User Guide.

# nessuscli fix --set update_hostname="<value>"

Updates agent hostnames automatically in Tenable.io or Nessus Manager 7.1.1 or later.

The update_hostname parameter can be set to yes or no. By default, this preference is disabled.

Note: Restart the agent service for the change to take effect in Nessus Manager.

# nessuscli fix --set track_unique_agents="<value>"

Tracks unique agent assets by MAC address to prevent duplicates and outdated agents from appearing in Nessus Manager if a system is reinstalled.

The track_unique_agent parameter is available in Nessus 7.1.1 and can be set to yes or no. By default, this preference is enabled.

# nessuscli fix --set max_retries="<value>"

Sets the maximum number of times an agent should retry in the event of a failure when executing the agent link, agent status, or agent unlink commands. The commands retry, the specified number of times, consecutively, sleeping increasing increments of time set by retry_sleep_milliseconds between attempts. The default value for max_retries is 0.

For example, if max_retries is set to 4, and retry_sleep_milliseconds is set to the default of 1500, then the agent will sleep for 1.5 seconds after the first try, 3 seconds after the second try, and 4.5 seconds after the third try.

Note: This setting does not affect offline updates or the agent's normal 24 hour check-in after it is linked.
# nessuscli fix --set retry_sleep_milliseconds="<value>"

Sets the number of milliseconds that an agent sleeps for between retries in event of a failure when executing the agent link, agent status, or agent unlink commands. The default is 1500 milliseconds (1.5 seconds).

Fix Secure Settings
# nessuscli fix --secure --set <setting>=<value>

Set secure settings on the agent.

Caution: Tenable does not recommend changing undocumented --secure settings as it may result in an unsupported configuration.

For a list of supported secure settings, see Advanced Settings in the Nessus Agent User Guide.

Resource Control Commands  

# nessuscli fix --set process_priority="<value>"

# nessuscli fix --get process_priority

# nessuscli fix --delete process_priority

Commands

Set, get, or delete the process_priority setting.

You can control the priority of the Nessus Agent relative to the priority of other tasks running on the system by using the process_priority preference.

For valid values and more information on how the setting works, see Agent CPU Resource Control in the Nessus Agent Deployment and User Guide for <value> preference options