Run Nessus on MAC OSX as a Non-Privileged User

Limitations

  • For use with Nessus 6.7 or later.
  • When scanning localhost, Nessus plugins assume that they are running as root, so certain types of scans may fail. For example, because Nessus is now running as a non-privileged user, file content Compliance Audits may fail or return erroneous results, since the plugins cannot read all directories.
  • nessuscli does not have a --no-root mode. Running nessuscli as root can create files in the Nessus install directory that are owned by root, which the non-privileged Nessus service will then be unable to read or write. Use care when running nessuscli, and after using it re-check ownership under /Library/Nessus/run and fix it with chown if needed.

Steps

  1. If you have not already done so, Install Nessus on MacOSX.
  2. Since the Nessus service is running as root, it needs to be unloaded.
    Use the following command to unload the Nessus service:

    sudo launchctl unload /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
  3. On the Mac, in System Preferences -> Users & Groups, create a new Group.
  4. Next, in System Preferences -> Users & Groups, create a new Standard User. This user will be the non-privileged account that the Nessus service runs as.

  5. Add the new user to the group you created in Step 3.

  6. Remove 'world' permissions on the Nessus binaries in /Library/Nessus/run/sbin.

    sudo chmod 750 /Library/Nessus/run/sbin/*

  7. Change ownership of the /Library/Nessus/run directory to the non-root (Standard) user you created in Step 4 and the group you created in Step 3 (the example below assumes both are named nonprivuser).

    sudo chown -R nonprivuser:nonprivuser /Library/Nessus/run

  8. Give that user read/write permissions to the /dev/bpf* devices. A simple way to do this is to install Wireshark, which creates a group called "access_bpf", as well as a corresponding launch daemon to set appropriate permissions on /dev/bpf* at startup. In this case, you can simply assign the "nonpriv" user to be in the "access_bpf" group. Otherwise, you will need to create a launch daemon giving the "nonpriv" user, or a group that it is a part of, read/write permissions to all /dev/bpf*.

  9. For the Step 8 changes to take effect, reboot your system.
  10. Using a text editor, modify the Nessus /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist file and add the following lines. Do not modify any of the existing lines. The --no-root string goes inside the existing ProgramArguments array, after the existing arguments; the UserName key and its string value go at the top level of the plist's dict, alongside the other keys, and tell launchd which account to run the daemon as.
    <string>--no-root</string>
    <key>UserName</key>
    <string>nonprivuser</string>


  11. Using sysctl, verify that the following parameters are set to at least these minimum values:
    $ sysctl debug.bpf_maxdevices
    debug.bpf_maxdevices: 16384
    $ sysctl kern.maxfiles
    kern.maxfiles: 12288
    $ sysctl kern.maxfilesperproc
    kern.maxfilesperproc: 12288
    $ sysctl kern.maxproc
    kern.maxproc: 1064
    $ sysctl kern.maxprocperuid
    kern.maxprocperuid: 1064
  12. If any of the values in Step 11 do not meet the minimum requirements, take the following steps to modify them.

    Create a file called /etc/sysctl.conf.
    Using a text editor, edit the sysctl.conf file with the correct values from Step 11, one name=value pair per line. Only the parameters that were below the minimum need to be listed.

    Example:

    $ cat /etc/sysctl.conf
    kern.maxfilesperproc=12288
    kern.maxproc=1064
    kern.maxprocperuid=1064
  13. Next, using the launchctl limit command, verify your OS default values.
    Example: MacOSX 10.10 and 10.11 values.

    $ launchctl limit

    cpu unlimited unlimited
    filesize unlimited unlimited
    data unlimited unlimited
    stack 8388608 67104768
    core 0 unlimited
    rss unlimited unlimited
    memlock unlimited unlimited
    maxproc 709 1064
    maxfiles 256 unlimited

  14. If any of the values in Step 13 are not set to the default OSX values above, take the following steps to modify them.

    Using a text editor, edit the /etc/launchd.conf file with the correct default values as shown in Step 13.

    Example:

    $ cat /etc/launchd.conf
    limit maxproc 709 1064

    Note: Some older versions of OSX have smaller limits for maxproc. If your version of OSX supports increasing the limits through /etc/launchd.conf, increase the value.

  15. For all changes to take effect, either reboot your system or load the launch daemon again (it was unloaded in Step 2):
    sudo launchctl load /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
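The following Python script is an added example written for this page; it is not Tenable's code and not part of Nessus. It automates the two parts of the procedure that are easiest to get wrong by hand: the Step 10 plist edit (appending --no-root to ProgramArguments and setting UserName without touching any other key, and without adding --no-root twice if run again) and the Step 11/12 check of sysctl values against the minimums, rendering the /etc/sysctl.conf lines that are actually needed. The sample plist and sample sysctl output are constructed for the demonstration; in particular the ProgramArguments of the real com.tenablesecurity.nessusd.plist (the nessus-service path and -q flag shown) are an assumption, and the account name nonprivuser is the one used in the procedure above.

```python
#!/usr/bin/env python3
"""Added helper for the Nessus --no-root setup on macOS (not Tenable's code).

patch_launchd_plist(): appends --no-root to ProgramArguments and sets UserName,
leaving every other key of the launchd plist untouched (Step 10).
sysctl_shortfalls() / sysctl_conf_lines(): compare `sysctl` output with the
minimums from Step 11 and render the /etc/sysctl.conf lines for Step 12.
"""
import plistlib

NONPRIV_USER = "nonprivuser"  # account name used in the procedure; change to yours

# Minimum values listed in Step 11 of the procedure.
SYSCTL_MINIMUMS = {
    "debug.bpf_maxdevices": 16384,
    "kern.maxfiles": 12288,
    "kern.maxfilesperproc": 12288,
    "kern.maxproc": 1064,
    "kern.maxprocperuid": 1064,
}

# Constructed sample plist. The Label matches the file name used in the
# procedure; the ProgramArguments (binary path and -q flag) are an assumption
# made for this example, not taken from a real install.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.tenablesecurity.nessusd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Nessus/run/sbin/nessus-service</string>
        <string>-q</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample `sysctl` output with two values below the minimums.
SAMPLE_SYSCTL = """\
debug.bpf_maxdevices: 16384
kern.maxfiles: 12288
kern.maxfilesperproc: 10240
kern.maxproc: 1064
kern.maxprocperuid: 709
"""


def load_plist(data: bytes) -> dict:
    """Parse an XML plist into a dict (wrapper so callers need no plistlib)."""
    return plistlib.loads(data)


def patch_launchd_plist(data: bytes, user: str = NONPRIV_USER) -> bytes:
    """Return the plist with --no-root in ProgramArguments and UserName set.

    Idempotent: --no-root is appended only once; re-running just re-sets UserName.
    Refuses to guess the daemon command line if ProgramArguments is missing.
    """
    plist = load_plist(data)
    if "ProgramArguments" not in plist:
        raise ValueError("plist has no ProgramArguments; refusing to guess the nessusd command")
    args = plist["ProgramArguments"]
    if "--no-root" not in args:
        args.append("--no-root")
    plist["UserName"] = user  # launchd runs the job as this account
    return plistlib.dumps(plist)


def parse_sysctl(output: str) -> dict:
    """Turn `name: value` lines (macOS sysctl format) into {name: int}."""
    values = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().lstrip("-").isdigit():
            values[name.strip()] = int(value.strip())
    return values


def sysctl_shortfalls(output: str, minimums: dict = SYSCTL_MINIMUMS) -> dict:
    """Return {name: required_minimum} for parameters that are missing or too low."""
    current = parse_sysctl(output)
    return {k: v for k, v in minimums.items() if current.get(k, 0) < v}


def sysctl_conf_lines(shortfalls: dict) -> list:
    """Render shortfalls as /etc/sysctl.conf lines (name=value)."""
    return [f"{name}={value}" for name, value in sorted(shortfalls.items())]


if __name__ == "__main__":
    patched = load_plist(patch_launchd_plist(SAMPLE_PLIST))
    print("ProgramArguments:", patched["ProgramArguments"])
    print("UserName:", patched["UserName"])
    needed = sysctl_conf_lines(sysctl_shortfalls(SAMPLE_SYSCTL))
    print("/etc/sysctl.conf lines needed for the sample:")
    print("\n".join(needed) or "(none)")
```

To use it against a real machine, read the bytes of /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist, pass them through patch_launchd_plist(), and write the result back as root (launchd owns that file, so the nessuscli-style root-ownership caveat does not apply here), and feed the output of `sysctl debug.bpf_maxdevices kern.maxfiles kern.maxfilesperproc kern.maxproc kern.maxprocperuid` to sysctl_shortfalls(). A parameter that sysctl does not print at all is treated as a shortfall rather than silently skipped.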

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.