Run Nessus on macOS as a Non-Privileged User
Limitations
- When scanning localhost, Nessus plugins assume that they are running as root. Therefore, certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results since the plugins are not able to access all directories.
- nessuscli does not have a --no-root mode. Running commands with nessuscli as root could potentially create files in the Nessus install directory owned by root, which could cause Nessus to be unable to access them appropriately. Use care when running nessuscli, and potentially fix permissions with chown after using it.
Steps
- If you have not already done so, Install Nessus on MacOSX.
- Since the Nessus service is running as root, you need to unload it. Use the following command to unload the Nessus service:
  sudo launchctl unload /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
- On the Mac, in System Preferences > Users & Groups, create a new Group.
- Next, in System Preferences > Users & Groups, create the new Standard User. This is the non-privileged account that Nessus will run as.
- Add the new user to the group you created in Step 1.
- Remove 'world' permissions on the Nessus binaries in /Library/Nessus/run/sbin:
  sudo chmod 750 /Library/Nessus/run/sbin/*
- Change ownership of the /Library/Nessus/run directory to the non-root (Standard) user you created in Step 2:
  sudo chown -R nonprivuser:nonprivuser /Library/Nessus/run
- Give that user read/write permissions to the /dev/bpf* devices. A simple way to do this is to install Wireshark, which creates a group called access_bpf and a corresponding launch daemon to set appropriate permissions on /dev/bpf* at startup. In this case, you can simply assign the nonpriv user to the access_bpf group. Otherwise, you need to create a launch daemon giving the "nonpriv" user, or a group that it is a part of, read/write permissions to all /dev/bpf*.
- For the Step 8 changes to take effect, reboot your system.
- Using a text editor, modify the Nessus /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist file and add the following lines. Do not modify any of the existing lines.
  <string>--no-root</string>
  <key>UserName</key>
  <string>nonprivuser</string>
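A check of the file-system side of the steps above (the 750 permissions on the sbin binaries, the ownership of /Library/Nessus/run, group membership and group read/write access on /dev/bpf*, and the three plist lines), as an added example that is not part of Tenable's documentation or product. It assumes the paths and the nonprivuser account name used on this page; the function names and the --audit argument are the example's own. It parses ls -l output rather than stat, because stat's flags differ between macOS and Linux.

```shell
#!/bin/sh
# Added example, not a Tenable script: verify the outcome of the chmod, chown, group,
# bpf and plist steps. Paths and the account name "nonprivuser" are the page's;
# the function names and the --audit flag are this example's own.

# Return 0 if no regular file under $1 grants any permission to "others"
# (the result of chmod 750). find's POSIX "-perm -mode" form works with BSD and GNU find.
no_world_perms() {
    [ -d "$1" ] || return 1
    leaks=$(find "$1" -type f \( -perm -o+r -o -perm -o+w -o -perm -o+x \) 2>/dev/null)
    [ -z "$leaks" ]
}

# Return 0 if every entry under $1 is owned by user $2 (the result of chown -R).
# ls -ld output is parsed instead of stat, whose flags differ between macOS and Linux.
owned_by() {
    find "$1" -exec ls -ld {} \; 2>/dev/null |
        awk -v want="$2" '{ n++; if ($3 != want) bad = 1 } END { exit (n == 0 || bad) }'
}

# Return 0 if $1 is group-owned by $2 and that group has read and write bits,
# which is what the access_bpf launch daemon arranges for /dev/bpf*.
group_rw() {
    ls -ld "$1" 2>/dev/null |
        awk -v grp="$2" '{ seen = 1; ok = (substr($1, 5, 2) == "rw" && $4 == grp) }
                          END { exit !(seen && ok) }'
}

# Return 0 if user $1 (empty string = the current user) is a member of group $2.
group_member() {
    for g in $(id -Gn ${1:+"$1"} 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if the launch daemon plist $1 carries the three lines added above for user $2.
plist_configured() {
    grep -q '<string>--no-root</string>' "$1" 2>/dev/null &&
    grep -q '<key>UserName</key>' "$1" 2>/dev/null &&
    grep -q "<string>$2</string>" "$1" 2>/dev/null
}

# Run every check against the page's paths and report; returns 1 if any check fails.
audit_nessus() {
    user=${1:-nonprivuser}
    rc=0
    report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    report no_world_perms /Library/Nessus/run/sbin
    report owned_by /Library/Nessus/run "$user"
    report group_member "$user" access_bpf
    for dev in /dev/bpf*; do report group_rw "$dev" access_bpf; done
    report plist_configured /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist "$user"
    return $rc
}

# Only run the live audit when asked, so the functions can be sourced and tested elsewhere.
if [ "${1:-}" = "--audit" ]; then
    audit_nessus "${2:-nonprivuser}"
fi
```

Run it as `sudo sh audit.sh --audit nonprivuser` after Step 8's reboot; any FAIL line names the check (and therefore the step) to revisit before loading the daemon again.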
- Using sysctl, verify the following parameters have the minimum values:
  $ sysctl debug.bpf_maxdevices
  debug.bpf_maxdevices: 16384
  $ sysctl kern.maxfiles
  kern.maxfiles: 12288
  $ sysctl kern.maxfilesperproc
  kern.maxfilesperproc: 12288
  $ sysctl kern.maxproc
  kern.maxproc: 1064
  $ sysctl kern.maxprocperuid
  kern.maxprocperuid: 1064
- If any of the values in Step 9 do not meet the minimum requirements, take the following steps to modify them. Create a file called /etc/sysctl.conf. Using a text editor, edit the sysctl.conf file with the correct values found in Step 9. Example:
  $ cat /etc/sysctl.conf
  kern.maxfilesperproc=12288
  kern.maxproc=1064
  kern.maxprocperuid=1064
- Next, using the launchctl limit command, verify your OS default values. Example: MacOSX 10.10 and 10.11 values.
  $ launchctl limit
  cpu unlimited unlimited
  filesize unlimited unlimited
  data unlimited unlimited
  stack 8388608 67104768
  core 0 unlimited
  rss unlimited unlimited
  memlock unlimited unlimited
  maxproc 709 1064
  maxfiles 256 unlimited
- If any of the values in Step 11 are not set to the default OSX values above, take the following steps to modify them. Using a text editor, edit the /etc/launchd.conf file with the correct default values as shown in Step 11. Example:
  $ cat /etc/launchd.conf
  limit maxproc 709 1064
  Note: Some older versions of OSX have smaller limits for maxproc. If your version of OSX supports increasing the limits through /etc/launchd.conf, increase the value.
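The sysctl check and the launchctl limit check above, and the two "fix" steps that follow each of them, as an added example that is not part of Tenable's documentation: the functions read `sysctl` and `launchctl limit` output from standard input, compare it with the minimum and default values listed on this page, and print the /etc/sysctl.conf or /etc/launchd.conf lines needed for anything that falls short. The sample captures are constructed for the example, and the --live argument and function names are the example's own.

```shell
#!/bin/sh
# Added example, not a Tenable script: compare `sysctl` and `launchctl limit` output
# with the minimum/default values the steps above list, and print the configuration
# lines needed to raise any value that falls short. Reading from stdin means the same
# functions work on a saved capture from another host.

# Print one "key=minimum" line (the /etc/sysctl.conf format used above) for every
# sysctl that is missing from the input or below the documented minimum.
sysctl_shortfalls() {
    awk '
        BEGIN {
            need["debug.bpf_maxdevices"] = 16384
            need["kern.maxfiles"]        = 12288
            need["kern.maxfilesperproc"] = 12288
            need["kern.maxproc"]         = 1064
            need["kern.maxprocperuid"]   = 1064
        }
        # sysctl prints "key: value"; drop the trailing colon from the key.
        NF >= 2 { key = $1; sub(/:$/, "", key); have[key] = $2 + 0 }
        END {
            for (k in need)
                if (!(k in have) || have[k] < need[k]) print k "=" need[k]
        }' | LC_ALL=C sort
}

# Print one "limit name soft hard" line (the /etc/launchd.conf format used above) for
# every resource whose soft or hard limit is below the 10.10/10.11 defaults shown above.
launchctl_shortfalls() {
    awk '
        function num(v) { return v == "unlimited" ? 1e18 : v + 0 }
        BEGIN {
            soft["maxproc"]  = 709; hard["maxproc"]  = 1064
            soft["maxfiles"] = 256; hard["maxfiles"] = "unlimited"
        }
        # launchctl limit prints "name soft hard".
        NF == 3 && ($1 in soft) {
            if (num($2) < num(soft[$1]) || num($3) < num(hard[$1]))
                print "limit", $1, soft[$1], hard[$1]
        }'
}

# Return 0 when every documented minimum / default is met.
sysctl_ok()    { [ -z "$(sysctl_shortfalls)" ]; }
launchctl_ok() { [ -z "$(launchctl_shortfalls)" ]; }

# Constructed sample captures (not from a real host): two sysctls and one launchctl
# limit are below the documented values.
SAMPLE_SYSCTL='debug.bpf_maxdevices: 16384
kern.maxfiles: 12288
kern.maxfilesperproc: 12288
kern.maxproc: 532
kern.maxprocperuid: 532'
SAMPLE_LAUNCHCTL='cpu unlimited unlimited
maxproc 266 532
maxfiles 256 unlimited'

demo_sysctl()    { printf '%s\n' "$SAMPLE_SYSCTL"    | sysctl_shortfalls; }
demo_launchctl() { printf '%s\n' "$SAMPLE_LAUNCHCTL" | launchctl_shortfalls; }

# On a Mac, `sh limits.sh --live` runs the checks against the real commands.
if [ "${1:-}" = "--live" ]; then
    sysctl debug.bpf_maxdevices kern.maxfiles kern.maxfilesperproc kern.maxproc kern.maxprocperuid |
        sysctl_shortfalls
    launchctl limit | launchctl_shortfalls
fi
```

On the constructed sample, `demo_sysctl` prints exactly the two sysctl.conf lines for the values that are short (kern.maxproc=1064 and kern.maxprocperuid=1064), and `demo_launchctl` prints `limit maxproc 709 1064`; empty output from either means nothing needs to be raised.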
- For all changes to take effect, either reboot your system or reload the launch daemon:
  sudo launchctl load /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist