Force a Nessus agent scan on demand

Tenable’s Nessus agent has a fair bit of underappreciated power. The ability to force a Nessus agent scan on demand is a feature I hear people ask for a lot, without knowing the capability already exists. There’s a bit of setup that needs to happen in the cloud, but once you do that, a sysadmin can perform scan on demand from the host.

You can force a Tenable Nessus Agent scan on demand by dropping a file into a user-specified location, or running the nessuscli command.

Defining a scan trigger in Tenable Vulnerability Management or Tenable.io

Initiating a Tenable Nessus agent scan on demand from the command line gives remediators flexibility, and can help ensure SLAs get measured accurately.

If you’re a remediator looking to force a Nessus agent scan, skip to the next section. This part applies just to security teams.

You can define scan triggers in Tenable Vulnerability Management to allow scan on demand from the client, among other benefits. I strongly recommend using interval scans for routine scanning rather than scheduled scans. You give up a degree of control but the reliability of the scans increases dramatically and works across time zones, in addition to enabling scan on demand from the client.

You can define as many triggers as you need, including both an interval and a file trigger for each agent group you have, if you need that degree of control.

But many organizations find that a single 24-hour interval trigger plus a file trigger, both applied to all of their agent groups, meets their needs well. I recommend keeping it simple at first, adding additional triggers only when you find them necessary. Remember, you’re going to have to show this to an auditor once a year, and the more complex it is and the more you have to explain, the more doubts you raise in the auditor’s mind.

Using a file-based trigger for scan on demand with the Nessus agent

If you define a file-based trigger, then all a remediator has to do to initiate a Tenable agent scan on demand is create or copy a file with the name you specify in one of the following directories:

  • Windows: C:\ProgramData\Tenable\Nessus Agent\nessus\triggers
  • Linux: /opt/nessus_agent/var/nessus/triggers
  • Mac OS X: /Library/NessusAgent/run/var/nessus/triggers

The contents of the file don’t matter for launching the scan on demand; only the filename has to match the trigger definition.

You can run the command nessuscli agent status to verify the agent is running if you like.

But it’s also possible to initiate an agent scan on demand from the command line on the client against an interval-based trigger if you have one of those defined.

Forcing a Tenable agent scan on demand from the client

It’s always been possible to initiate an agent scan from Tenable Vulnerability Management (formerly known as Tenable.io) that runs right away. But a remediator may want to initiate a scan at the end of a maintenance window, especially if SLAs are the metric the security team or management use to measure and report success. They can force a Tenable agent scan from the command line to accomplish this, which may be more convenient than logging into the Tenable web-based GUI. Run from an elevated command prompt on Windows or use sudo on a Mac or Linux, and specify the full path regardless of platform.

The nessuscli command lives in one of three places, depending on the OS.

  • Windows: C:\Program Files\Tenable\Nessus Agent\nessuscli.exe is the full path
  • Linux: /opt/nessus_agent/sbin/nessuscli is the full path
  • Mac OS X: /Library/NessusAgent/run/sbin/nessuscli is the full path

Run the command nessuscli scan-triggers --list to get a list of available scan triggers. Note the UUID of the trigger you want to run. Copy it so you can paste it to make life easier on yourself.

Then run the similar command nessuscli scan-triggers --start --UUID=<scan-uuid> and paste in the UUID of the trigger you want in place of <scan-uuid>.

Note the command for future use, since the scan trigger UUID won’t change unless someone deletes the trigger from Tenable Vulnerability Management’s web UI.

If your patching tool has the ability to run an after-reboot script, that would be a fantastic place to put this command. That way, as soon as the system reboots after applying updates, it launches a Tenable scan.
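Here is the file-based trigger and the nessuscli interval trigger from the two sections above, wrapped in a small POSIX shell script of the kind you would hand to a patch tool's after-reboot hook. This is an added example written for this post, not Tenable's code. The trigger directories and nessuscli paths are the ones listed above; the function names, the validation of the trigger filename and UUID, and the optional second argument that lets a test substitute a stand-in for nessuscli are assumptions made for illustration.

```shell
#!/bin/sh
# nessus_scan_now.sh: fire a Nessus agent scan on demand, either by dropping
# a trigger file or by starting an interval trigger through nessuscli.
# Added example for the post above, not Tenable's code. The directory and
# binary paths are the ones the post lists; everything else (function names,
# name/UUID validation, the override arguments) is an assumption.
set -eu

# Lower-cased kernel name: "linux" or "darwin" (macOS).
host_os() { uname -s | tr 'A-Z' 'a-z'; }

# Trigger directory per platform (paths from the post).
nessus_trigger_dir() {
  case "$1" in
    linux)   echo '/opt/nessus_agent/var/nessus/triggers' ;;
    darwin)  echo '/Library/NessusAgent/run/var/nessus/triggers' ;;
    windows) echo 'C:\ProgramData\Tenable\Nessus Agent\nessus\triggers' ;;
    *) echo "unsupported platform: $1" >&2; return 1 ;;
  esac
}

# Full path to nessuscli per platform (paths from the post).
nessuscli_path() {
  case "$1" in
    linux)   echo '/opt/nessus_agent/sbin/nessuscli' ;;
    darwin)  echo '/Library/NessusAgent/run/sbin/nessuscli' ;;
    windows) echo 'C:\Program Files\Tenable\Nessus Agent\nessuscli.exe' ;;
    *) echo "unsupported platform: $1" >&2; return 1 ;;
  esac
}

# A trigger file name must be a plain file name: not empty, no path
# separators, no leading dot. A name fed in from another script then
# cannot land outside the triggers directory.
valid_trigger_name() {
  case "$1" in
    ''|*/*|*\\*|.*) return 1 ;;
    *) return 0 ;;
  esac
}

# Trigger UUIDs from "nessuscli scan-triggers --list" are assumed to be
# standard 8-4-4-4-12 hex UUIDs; refuse anything else before it reaches the CLI.
valid_uuid() {
  printf '%s\n' "$1" |
    grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# File-based trigger: create (or touch) the named file. Contents are
# irrelevant; only the file name matters. $2 overrides the directory.
fire_file_trigger() {
  name=$1
  dir=${2:-$(nessus_trigger_dir "$(host_os)")}
  valid_trigger_name "$name" || { echo "refusing trigger name: $name" >&2; return 2; }
  [ -d "$dir" ] || { echo "no trigger directory $dir (agent not installed?)" >&2; return 3; }
  : > "$dir/$name"
}

# Interval trigger: start it by UUID via nessuscli. $2 overrides the CLI path.
start_trigger() {
  uuid=$1
  cli=${2:-$(nessuscli_path "$(host_os)")}
  valid_uuid "$uuid" || { echo "not a UUID: $uuid" >&2; return 2; }
  "$cli" scan-triggers --start --UUID="$uuid"
}

# Usage (run with sudo):
#   nessus_scan_now.sh list             show triggers and their UUIDs
#   nessus_scan_now.sh file <name>      drop a file trigger
#   nessus_scan_now.sh start <uuid>     start an interval trigger
main() {
  cli=$(nessuscli_path "$(host_os)")
  case "${1:-}" in
    list)  "$cli" scan-triggers --list ;;
    file)  fire_file_trigger "${2:?trigger file name required}" ;;
    # Print the agent status first so the run log shows the agent was up.
    start) "$cli" agent status; start_trigger "${2:?trigger UUID required}" ;;
    *) echo "usage: $0 list | file <name> | start <uuid>" >&2; return 64 ;;
  esac
}

# Only dispatch when called with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

A patch tool's after-reboot hook can then call `sudo /path/to/nessus_scan_now.sh start <scan-uuid>` with the UUID noted from `--list`; the UUID check keeps a mangled variable in that hook from turning into an odd nessuscli invocation, and the filename check does the same for the file trigger.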

If you found this post informative or helpful, please share it!