Credentialed Checks on macOS

Follow the steps in this document to configure macOS systems for local security checks. You can enable local security checks using an SSH private/public key pair or user credentials and sudo or su access.

OpenSSH is the example SSH daemon used in this document. If you have a commercial variant of SSH, your procedure may differ slightly.

Note: To view the macOS operating systems that are compatible with Tenable Nessus, see Tenable Nessus Software Requirements.

Prerequisites

You can configure an SSH server to accept certain types of encryption. However, some commercial SSH variants do not support blowfish-cbc. Check that your SSH server supports the algorithm you want to use.

Tenable Nessus supports the blowfish-cbc, aesXXX-cbc (aes128, aes192, and aes256), 3des-cbc, and aes-ctr algorithms.

For maximum effectiveness, the SSH user must be able to run any command on the system. On macOS systems, the SSH user must be a member of the Administrator group and have full disk access. While it is possible to run some checks (such as patch levels) with non-privileged access, full compliance checks that audit system configuration and file permissions require full disk access. For this reason, Tenable recommends that you use SSH keys instead of credentials when possible.

If you use Kerberos, you must configure sshd with Kerberos support to verify the ticket with the KDC. You must properly configure reverse DNS lookups for this to work. The Kerberos interaction method must be gssapi-with-mic.

Generate SSH Public and Private Keys

Generate a private/public key pair for the Tenable Nessus scanner. You can generate this key pair from the Tenable Nessus scanner. This document assumes that the scanner is running on Linux, but you can also perform the same steps on any of your macOS systems, using any user account.

Note: The defined Tenable Nessus user must own the generated keys.

To generate the key pair, use ssh-keygen and save the key in a safe place. See the following example:

# ssh-keygen -t dsa

Generating public/private dsa key pair.

Enter the file in which to save the key (/Users/test/.ssh/id_dsa):

/home/test/Nessus/ssh_key

Enter the passphrase (empty for no passphrase):

Enter the same passphrase again:

Your identification has been saved in

/home/test/Nessus/ssh_key.

Your public key has been saved in

/home/test/Nessus/ssh_key.pub.

The key fingerprint is:

06:4a:fd:76:ee:0f:d4:e6:4b:74:84:9a:99:e6:12:ea

#

Do not transfer the private key to any system other than the one running the Tenable Nessus server. When ssh-keygen asks you for a passphrase, enter a strong passphrase or press the Return key twice (that is, do not set any passphrase). If you specify a passphrase, you must specify it in Policies > Credentials > SSH settings for your Tenable Nessus scan configuration to use key-based authentication.

Create a User Account

On every target system that you want to scan using local security checks, create a new user account dedicated to Tenable Nessus. This user account must have the same name on all systems. You must grant the account Administrator and Remote Login privileges to allow Tenable Nessus to run remote credentialed scans.

Configure macOS Remote Login

On the host macOS system, enable Allow full disk access for the remote users under the Remote Login System setting. This enables full disk access to sshd-keygen-wrapper, which you need in the following steps.

Then, grant Full disk access under Privacy and Security to any related system services to allow plugins to search across the file system. Ensure that the following the services are included:

  • /Library/NessusAgent/run/sbin/nessus-service

  • /usr/libexec/sshd-keygen-wrapper

Set Up the SSH Key

From the system containing the keys, secure copy the public key to the system that you want to scan for host checks as shown in the following example. This document refers to the user as nessus, but you can use any name.

# scp ssh_key.pub [email protected]:/home/nessus/.ssh/authorized_keys

#

You can also copy the file from the system on which you installed Tenable Nessus using the secure ftp command, sftp. You must name the file on the target system authorized_keys.

Return to the Public Key System

Set the permissions on both the /home/nessus/.ssh directory and the authorized_keys file.

# chown -R nessus:nessus ~nessus/.ssh/

# chmod 0600 ~nessus/.ssh/authorized_keys

# chmod 0700 ~nessus/.ssh/

#

Repeat this process on all systems that you want to test for SSH checks (starting at the Create a User Account steps).

Test the SSH Key

Next, test to make sure that the accounts and networks are configured correctly. Using the simple command id, from the Tenable Nessus scanner, run the following command:

# ssh -i /home/test/nessus/ssh_key [email protected] id

uid=252(nessus) gid=250(tns) groups=250(tns)

#

If the Tenable Nessus scanner successfully returns information about the Tenable Nessus user, the setup was successful.

What to do next: