Run Nessus on macOS as a Non-Privileged User

Limitations

  • When scanning localhost, Nessus plugins assume that they are running as root, so certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results, since the plugins cannot read every directory.
  • nessuscli does not have a --no-root mode. Running nessuscli as root can create files in the Nessus install directory that are owned by root, which Nessus (now running as the non-privileged user) may then be unable to read or write. Use care when running nessuscli, and fix ownership with chown afterwards if necessary.

Steps

  1. If you have not already done so, Install Nessus on MacOSX.
  2. Since the Nessus service is running as root, you need to unload it.

    Use the following command to unload the Nessus service:

    sudo launchctl unload /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist

  3. On the Mac, in System Preferences > Users & Groups, create a new Group.
  4. Next, in System Preferences > Users & Groups, create a new Standard User. This user is the non-privileged account that Nessus will run as.


  5. Add the new user to the group you created in Step 3.


  6. Remove 'world' permissions on the Nessus binaries in /Library/Nessus/run/sbin.

    sudo chmod 750 /Library/Nessus/run/sbin/*

  7. Change ownership of the /Library/Nessus/run directory to the non-root (Standard) user you created in Step 4 and the group you created in Step 3 (replace nonprivuser below with the actual user and group names).

    sudo chown -R nonprivuser:nonprivuser /Library/Nessus/run

  8. Give that user read/write permissions to the /dev/bpf* devices. A simple way to do this is to install Wireshark, which creates a group called access_bpf and a corresponding launch daemon to set appropriate permissions on /dev/bpf* at startup. In this case, you can simply assign the nonpriv user to be in the access_bpf group. Otherwise, you need to create a launch daemon giving the "nonpriv" user, or a group that it is a part of, read/write permissions to all /dev/bpf*.

  9. For the Step 8 changes to take effect, reboot your system.
  10. Using a text editor, modify the Nessus /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist file and add the following lines. Do not modify any of the existing lines. Add the --no-root argument inside the existing <array> that follows <key>ProgramArguments</key>, after the arguments already listed there:

    <string>--no-root</string>

    Add the UserName key and its value to the top-level <dict> (at the same level as ProgramArguments), so that launchd starts nessusd as that user:

    <key>UserName</key>

    <string>nonprivuser</string>

  11. Using sysctl, verify the following parameters have the minimum values:

    $ sysctl debug.bpf_maxdevices

    debug.bpf_maxdevices: 16384

    $ sysctl kern.maxfiles

    kern.maxfiles: 12288

    $ sysctl kern.maxfilesperproc

    kern.maxfilesperproc: 12288

    $ sysctl kern.maxproc

    kern.maxproc: 1064

    $ sysctl kern.maxprocperuid

    kern.maxprocperuid: 1064

  12. If any of the values in Step 11 do not meet the minimum requirements, take the following steps to modify them.

    Create a file called /etc/sysctl.conf.
    Using a text editor, edit the sysctl.conf file, setting the correct values from Step 11.

    Example:

    $ cat /etc/sysctl.conf

    kern.maxfilesperproc=12288

    kern.maxproc=1064

    kern.maxprocperuid=1064

  13. Next, using the launchctl limit command, verify your OS default values.

    Example: MacOSX 10.10 and 10.11 values.

    $ launchctl limit

    cpu unlimited unlimited

    filesize unlimited unlimited

    data unlimited unlimited

    stack 8388608 67104768

    core 0 unlimited

    rss unlimited unlimited

    memlock unlimited unlimited

    maxproc 709 1064

    maxfiles 256 unlimited

  14. If any of the values in Step 13 are lower than the default OS X values shown above, take the following steps to modify them.

    Using a text editor, edit the /etc/launchd.conf file with the correct default values as shown in Step 13.

    Example:

    $ cat /etc/launchd.conf

    limit maxproc 709 1064

    Note: Some older versions of OS X have smaller limits for maxproc. If your version of OS X supports increasing the limits through /etc/launchd.conf, increase the value. OS X 10.10 and later no longer read /etc/launchd.conf at boot; on those versions the limits can instead be raised for nessusd alone with the SoftResourceLimits and HardResourceLimits dictionaries in its launchd plist (see launchd.plist(5)).

  15. For all changes to take effect either reboot your system or reload the launch daemon.

    sudo launchctl load /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
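The permission, plist and sysctl steps above, collected into one script. This is an added example and not part of Tenable's documentation or tooling; the user and group names (nonprivuser, taken from Steps 3 and 4), the script name and the use of dseditgroup for the Wireshark access_bpf group are assumptions. The two check functions work on text only, so they can be tried on any machine; the privileged part runs only when invoked as `sudo ./nessus-noroot.sh apply` on macOS.

```bash
#!/bin/bash
# Added example, not Tenable's own tooling: automates the file-permission, plist
# and sysctl checks from the steps above. The user and group names are assumptions
# from Steps 3 and 4; override them with NESSUS_USER / NESSUS_GROUP.
set -eu

NESSUS_USER="${NESSUS_USER:-nonprivuser}"
NESSUS_GROUP="${NESSUS_GROUP:-nonprivuser}"          # the group created in Step 3
NESSUS_RUN="/Library/Nessus/run"
PLIST="/Library/LaunchDaemons/com.tenablesecurity.nessusd.plist"

# Minimums from Step 11, in sysctl.conf syntax.
SYSCTL_MINIMUMS='debug.bpf_maxdevices=16384
kern.maxfiles=12288
kern.maxfilesperproc=12288
kern.maxproc=1064
kern.maxprocperuid=1064'

# check_sysctl_minimums reads "key: value" lines (the output format of
# `sysctl key ...`) on stdin, prints a ready-to-paste sysctl.conf line for every
# key that is below its minimum, and returns 1 if any key was too low.
check_sysctl_minimums() {
  local rc=0 key val min
  while read -r key val; do
    key="${key%:}"
    min="$(printf '%s\n' "$SYSCTL_MINIMUMS" | awk -F= -v k="$key" '$1 == k { print $2 }')"
    [ -n "$min" ] || continue                 # not one of the keys Nessus cares about
    if [ "$val" -lt "$min" ]; then
      printf '%s=%s\n' "$key" "$min"
      rc=1
    fi
  done
  return "$rc"
}

# patch_plist FILE prints FILE with the Step 10 additions: "--no-root" appended to
# the ProgramArguments array and a top-level UserName key (placed just before
# ProgramArguments, which is itself a top-level key). Existing lines are printed
# unchanged, and each addition is skipped if already present, so re-running is safe.
patch_plist() {
  local f="$1"
  awk -v user="$NESSUS_USER" \
      -v have_arg="$(grep -c '<string>--no-root</string>' "$f" || true)" \
      -v have_user="$(grep -c '<key>UserName</key>' "$f" || true)" '
    {
      match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)   # reuse the file indentation
      if ($0 ~ /<key>ProgramArguments<\/key>/) {
        if (have_user == 0) {
          print ind "<key>UserName</key>"
          print ind "<string>" user "</string>"
        }
        in_args = 1
      }
      if (in_args && $0 ~ /<\/array>/) {      # first </array> closes ProgramArguments
        if (have_arg == 0) print ind "\t<string>--no-root</string>"
        in_args = 0
      }
      print
    }' "$f"
}

# apply performs the privileged steps on the Mac itself. It refuses to run
# anywhere but macOS as root, so the two check functions can be used on their own.
apply() {
  { [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; } || { echo "run as root on macOS" >&2; return 1; }
  launchctl unload "$PLIST" || true                        # Step 2 (already unloaded is fine)
  chmod 750 "$NESSUS_RUN"/sbin/*                           # Step 6: drop the 'world' bits
  chown -R "$NESSUS_USER:$NESSUS_GROUP" "$NESSUS_RUN"      # Step 7
  # Step 8: if Wireshark's access_bpf group exists, add the user to it (dseditgroup is idempotent).
  if dseditgroup -o read access_bpf >/dev/null 2>&1; then
    dseditgroup -o edit -a "$NESSUS_USER" -t user access_bpf
  else
    echo "no access_bpf group: create a launch daemon granting $NESSUS_USER rw on /dev/bpf*, then reboot" >&2
  fi
  patch_plist "$PLIST" > "$PLIST.new" && mv "$PLIST.new" "$PLIST" && chmod 644 "$PLIST"   # Step 10
  # Steps 11-12: report anything below the minimums in sysctl.conf syntax.
  if ! sysctl debug.bpf_maxdevices kern.maxfiles kern.maxfilesperproc kern.maxproc kern.maxprocperuid \
       | check_sysctl_minimums; then
    echo "the values above are below the minimums; add them to /etc/sysctl.conf and reboot" >&2
  fi
  launchctl load "$PLIST"                                  # Step 15
}

# Only run the privileged part when explicitly asked for.
if [ "${1:-}" = "apply" ]; then
  apply
else
  echo "usage: sudo $0 apply  (functions check_sysctl_minimums and patch_plist can be sourced on their own)" >&2
fi
```

The plist edit is deliberately done line by line rather than with a regenerated file so that the "do not modify any of the existing lines" rule from Step 10 holds; the Wireshark group check is separated from the rest because, as Step 8 notes, the /dev/bpf* permissions only take effect after a reboot.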