Agent Profiles

Required Tenable Vulnerability Management User Role: Scan Manager or Administrator

In Tenable Vulnerability Management, you can create agent profiles to customize and manage the behavior of your linked agents. An agent profile allows you to configure a range of settings for a specific group of agents.

You can use a profile to:

  • Assign a specific agent version for testing or standardization purposes.

  • Control how and when agents receive plugin updates.

  • Enable advanced asset identification.

  • Configure continuous assessment and set a baseline scan frequency.

By assigning agents to different profiles, you can apply distinct configurations to various segments of your environment, which provides granular control over agent operations.

There are two types of agent profile:

  • Default — The profile to which an agent or agent group belongs to unless you assign it to a custom profile. You cannot copy, delete, or edit the name and description of the Default profile.

  • Custom profiles — A custom profile that you create. Custom profiles allow you to associate and configure different agents and agent groups based on your business needs.

Note: You can only assign an agent to one profile.

Note: The agent profile version overrides the agent's Nessus Agent update plan setting. If you assign the agent a freeze window, the freeze window overrides both the Nessus Agent update plan and the agent profile. In this case, the agent remains on its current version and no software updates occur for that agent as long as the agent is assigned to the freeze window.

To manage agent profiles:

  1. In the left navigation, click Sensors.

    The Sensors page appears. By default, the Nessus Scanners tab is active and Linked Scanners is selected in the drop-down box.

  2. Click the Nessus Agents tab.

    The list of agents appears and Linked Agents is selected in the drop-down box.

  3. Above the linked agents table, click Profiles.

    The Profiles page appears.

Use the following procedures to manage your agent profiles:

Note: You cannot create an agent profile for an end-of-life (EOL) Tenable Agent version.

To create an agent profile:

  1. On the Profiles page, click Add Agent Profile.

    The Create Agent Profile page appears.

  2. Configure the following settings for the agent profile:

    Setting Required Default Description
    Name Yes n/a The agent profile name.
    Description No n/a The agent profile description.
    Agent Version Yes None

    The version that agents assigned to the profile are upgraded or downgraded to.

    You can set the agent profile to stay on the latest major version release (for example, 10.x) or the latest minor version release (for example, 10.8.x), or you can set the agent profile to a specific patch release (for example, 10.8.1).
    Open Agent Port (Advanced Asset Identification) No Disabled

    Determines whether agents designate an open agent port on your scan targets and, if so, which port is opened.

    Enabling Open Agent Port allows Tenable scanners to identify scan targets that host the agents assigned to this profile. These hosts then appear as a single asset regardless of whether they are the target of a scanner's network scan or are generating agent scans. This helps minimize asset duplication in your network. To learn more about the Open Agent Port, see Configure Agent Profiles to Avoid Asset Duplication in Tenable Vulnerability Management in the Tenable Agent User Guide.

    Note: Configuring the Open Agent Port permits your network scanners to probe each target system on the port you select.

    Note: Only agents version 10.6.0 and later can use the Open Agent Port setting. The setting does not apply to any agent on an earlier version.
    Plugin Update Setting Yes Auto update to latest

    Determines what plugins Tenable Vulnerability Management installs on agents during the daily plugin update. Choose from the following options:

    • Auto update to latest — (Default) Update agents with the latest plugin set.

    • Delay plugin updates by days — Update agents with a delayed plugin set. The plugin set can be delayed by a minimum of one day and a maximum of 30 days. If multiple plugin sets were published on the configured day, Tenable Vulnerability Management installs the latest set of that day.

    • Select plugin set from the last 30 days — Update agents with a specific plugin set from the last 30 days. Tenable Vulnerability Management uses this plugin set until you choose another plugin set or update plan setting.

    Note: This setting only applies to agents on version 10.7.0 and later.

    Note: If an agent assigned to the agent profile has a later plugin set version than the plugin set version offered by Plugin Update Setting, the agent retains the newer set. In other words, you cannot use this setting to downgrade agent plugin sets.
    Accelerate plugin updates Yes Disabled

    Determines whether agents assigned to this profile accelerate plugin set updates.

    When enabled, agents immediately update their plugin sets after receiving a new plugin set assignment that replaces an earlier set assigned by the profile.

    When disabled, agents update their plugin sets during their regular check-in cycle, which occurs at least every 24 hours.

    Note: This setting only applies to agents on version 11.0.1 and later.
    Disable Agent Version Update Yes Disabled Determines whether Tenable Vulnerability Management prevents the agents from receiving software updates. This setting overrides any scheduled freeze windows.
    Enable Continuous Assessment Scan Yes Disabled

    Determines whether the agents can perform continuous assessment scanning on their hosts.

    Continuous assessment scanning provides continuous monitoring and reporting of vulnerability status changes on your hosts. Continuous assessment scanning is only available for Tenable Agents on Linux hosts. For more information, see Continuous Assessment Scanning.

    Note: You cannot accept or recast vulnerabilities that are discovered only with continuous assessment scanning. If another sensor also detects the vulnerability (for example, a Tenable Nessus scanner), you can accept or recast it.

    Note: Continuous assessment scanning requires a system user to run under. When continuous assessment is first started on an agent, the agent automatically creates a system user called tenable_tua_comm. The tenable_tua_comm user is a locked system user and cannot be used for logging in.

    Caution: Agents that have NIAP mode enforced cannot perform continuous assessment scanning. For more information on NIAP mode, see Configure Tenable Agent for NIAP Compliance and Tenable Agent CLI Commands in the Tenable Agent User Guide.
    Baseline Scan Frequency No, unless Enable Continuous Assessment Scan is selected n/a

    Configures how often you would like the agents to perform a full software inventory scan via continuous assessment scanning in days. You can choose any integer between 1 and 14.

    This option only appears when you select Enable Continuous Assessment Scan.

  3. Under Assign Agents, select the checkboxes next to the agents you want to assign.

  4. Click Create. The agents’ versions update the next time they check in with Tenable Vulnerability Management, which can take up to 24 hours.

You can link an agent to a profile by running the nessuscli agent link command and specifying the optional --profile-uuid argument. You can also link an agent to a profile during deployment by specifying the profile-uuid in the config.json file. Use the following procedure to view a profile's --profile-uuid.

To view an agent profile ID:

  1. On the Profiles page, double-click the agent profile that you want to view the ID of.

    The Sensor Profile Details page appears.

  2. In the Details tab, view the --profile-uuid under Agent Profile ID. You can click to copy the ID to your clipboard.

To edit an agent profile:

  1. On the Profiles page, double-click the profile that you want to edit.

    The Sensor Profile Details page appears.

  2. Edit the agent profile as needed:

    Setting Required Default Description
    Name Yes n/a The agent profile name.
    Description No n/a The agent profile description.
    Agent Version Yes None

    The version that agents assigned to the profile are upgraded or downgraded to.

    You can set the agent profile to stay on the latest major version release (for example, 10.x) or the latest minor version release (for example, 10.8.x), or you can set the agent profile to a specific patch release (for example, 10.8.1).
    Open Agent Port (Advanced Asset Identification) No Disabled

    Determines whether agents designate an open agent port on your scan targets and, if so, which port is opened.

    Enabling Open Agent Port allows Tenable scanners to identify scan targets that host the agents assigned to this profile. These hosts then appear as a single asset regardless of whether they are the target of a scanner's network scan or are generating agent scans. This helps minimize asset duplication in your network. To learn more about the Open Agent Port, see Configure Agent Profiles to Avoid Asset Duplication in Tenable Vulnerability Management in the Tenable Agent User Guide.

    Note: Configuring the Open Agent Port permits your network scanners to probe each target system on the port you select.

    Note: Only agents version 10.6.0 and later can use the Open Agent Port setting. The setting does not apply to any agent on an earlier version.
    Plugin Update Setting Yes Auto update to latest

    Determines what plugins Tenable Vulnerability Management installs on agents during the daily plugin update. Choose from the following options:

    • Auto update to latest — (Default) Update agents with the latest plugin set.

    • Delay plugin updates by days — Update agents with a delayed plugin set. The plugin set can be delayed by a minimum of one day and a maximum of 30 days. If multiple plugin sets were published on the configured day, Tenable Vulnerability Management installs the latest set of that day.

    • Select plugin set from the last 30 days — Update agents with a specific plugin set from the last 30 days. Tenable Vulnerability Management uses this plugin set until you choose another plugin set or update plan setting.

    Note: This setting only applies to agents on version 10.7.0 and later.

    Note: If an agent assigned to the agent profile has a later plugin set version than the plugin set version offered by Plugin Update Setting, the agent retains the newer set. In other words, you cannot use this setting to downgrade agent plugin sets.
    Accelerate plugin updates Yes Disabled

    Determines whether agents assigned to this profile accelerate plugin set updates.

    When enabled, agents immediately update their plugin sets after receiving a new plugin set assignment that replaces an earlier set assigned by the profile.

    When disabled, agents update their plugin sets during their regular check-in cycle, which occurs at least every 24 hours.

    Note: This setting only applies to agents on version 11.0.1 and later.
    Disable Agent Version Update Yes Disabled Determines whether Tenable Vulnerability Management prevents the agents from receiving software updates. This setting overrides any scheduled freeze windows.
    Enable Continuous Assessment Scan Yes Disabled

    Determines whether the agents can perform continuous assessment scanning on their hosts.

    Continuous assessment scanning provides continuous monitoring and reporting of vulnerability status changes on your hosts. Continuous assessment scanning is only available for Tenable Agents on Linux hosts. For more information, see Continuous Assessment Scanning.

    Note: You cannot accept or recast vulnerabilities that are discovered only with continuous assessment scanning. If another sensor also detects the vulnerability (for example, a Tenable Nessus scanner), you can accept or recast it.

    Note: Continuous assessment scanning requires a system user to run under. When continuous assessment is first started on an agent, the agent automatically creates a system user called tenable_tua_comm. The tenable_tua_comm user is a locked system user and cannot be used for logging in.

    Caution: Agents that have NIAP mode enforced cannot perform continuous assessment scanning. For more information on NIAP mode, see Configure Tenable Agent for NIAP Compliance and Tenable Agent CLI Commands in the Tenable Agent User Guide.
    Baseline Scan Frequency No, unless Enable Continuous Assessment Scan is selected n/a

    Configures how often you would like the agents to perform a full software inventory scan via continuous assessment scanning in days. You can choose any integer between 1 and 14.

    This option only appears when you select Enable Continuous Assessment Scan.

  3. Click Save.

    Tenable Vulnerability Management saves your changes. The agents’ versions update the next time they check in with Tenable Vulnerability Management, which can take up to 24 hours.

Copy an agent profile to create a duplicate of the existing agent profile. You can then use the duplicate to set up a new agent profile.

To copy an agent profile:

  1. On the Profiles page, click in the row of the profile that you want to copy.

    A menu appears.

  2. Click Copy.

    Tenable Vulnerability Management creates a new profile with "Copy of" appended to the profile name.

Delete an agent profile if you no longer need the agent profile. You cannot undo an agent profile deletion.

To delete an agent profile:

  1. On the Profiles page, click in the row of the profile that you want to delete.

    A menu appears.

  2. Click Delete.

    The Delete Agent Profile window appears.

  3. Click Delete to confirm the deletion.

    Tenable Vulnerability Management deletes the agent profile and removes all the linked agents from the profile.

What to do next: