Install a Tenable Nessus Agent on macOS

Use the following procedure to install Tenable Nessus Agent on a macOS system. After the installation, you link the agent to its manager Tenable Vulnerability Management or Tenable Nessus Manager) so that it can begin sending scan data once the installation is complete.

Before you begin:

Note: Agents may need Full Disk Access when using some audits for full directory access. Therefore, Tenable recommends granting Full Disk Access to agents installed on macOS.

Caution: If you install a Tenable Nessus Agent on a system where an existing Tenable Nessus Agent, Tenable Nessus Manager, or Tenable Nessus scanner is running nessusd, the installation process kills all other nessusd processes. You may lose scan data as a result.

Download Tenable Nessus Agent

On the Tenable Nessus Agent Download Page, download the package specific to your operating system.

Once you download the agent package, install the agent.

Install the Agent

Note: You need root privileges to perform the following steps.

To install the Tenable Nessus Agent, you can use either the GUI installation wizard or the command line.

GUI Installation:

  1. Double-click the Nessus Agent .dmg (macOS disk image) file.
  2. Double-click Install Nessus Agent.pkg.
  3. Complete the Nessus Agent Install Wizard.

Command line Installation:

  1. Extract Install Nessus Agent.pkg and .NessusAgent.pkg from NessusAgent-<version number>.dmg.

    Note: The .NessusAgent.pkg file is normally invisible in the macOS Finder.

  2. Open Terminal.
  3. From the command line, enter the following command:
  4. # sudo installer -pkg /<path-to>/Install Nessus Agent.pkg -target /

Once the agent installation completes, link the agent to the manager.

Tip: You can install a full plugin set before linking to reduce the bandwidth impact during a mass installation. You can accomplish this by using the nessuscli agent update command with the --file parameter, which specifies the location the plugins set. You must do this before starting the Tenable Nessus Agent. For example:

/opt/nessus_agent/sbin/nessuscli agent update --file=./plugins_set.tgz

The plugins set must be less than five days old. A stale plugin set older than five days forces a full plugins download to occur. You can download a recent plugin set from the Tenable Nessus Agent download page.

Link Agent Using the Command Line

To link an agent on macOS:

  1. Open Terminal.
  2. From the command line, use the nessuscli agent link command.

    For example:

    # sudo /Library/NessusAgent/run/sbin/nessuscli agent link
    --key=00abcd00000efgh11111i0k222lmopq3333st4455u66v777777w88xy9999zabc00
    --name=MyOSXAgent --groups=All --host=yourcompany.com --port=8834

    Note: You must copy and paste the entire link command on the same line. Otherwise, you receive an error.

Once you install and link the agent, Tenable recommends that you verify that the agent is successfully linked to the manager by viewing the agent in the manager user interface.

Tip: If you attempt to clone an agent and link it to Tenable Nessus Manager or Tenable Vulnerability Management, a 409 error may appear. This error appears because another machine was linked with the same UUID value in the /private/etc/tenable_tag file. To resolve this issue, replace the value in the /private/etc/tenable_tag file with a valid UUIDv4 value.

Verify the Linked Agent

Once you install and link the agent, use the following steps to view the new agent in the manager user interface:

  • To verify a linked agent in Tenable Vulnerability Management:

    1. In the upper-left corner, click the Menu button.

      The left navigation plane appears.

    2. In the left navigation plane, click Settings.

      The Settings page appears.

    3. Click the Sensors tile.

      The Sensors page appears. By default, Nessus Scanners is selected in the left navigation menu and the Cloud Scanners tab is active.

    4. In the left navigation menu, click Nessus Agents.

      The Nessus Agents page appears and the Linked Agents tab is active.

    5. Locate the new agent in the linked agents table.

  • To verify a linked agent in Tenable Nessus Manager:

    1. In the top navigation bar, click Sensors.

      The Linked Agents page appears.

    2. Locate the new agent in the linked agents table.