How to set up your macOS environment for a Nessus credentialed patch scan

If you are reading this, you may be undergoing a Cyber Essentials Plus audit, which requires a credentialed patch scan. One of the products that can be used for this is Tenable Nessus.

Your Cyber Essentials certification body may have asked you to configure your environment in preparation for this. It is a requirement, and failure to complete a successful credentialed patch scan will result in your audit failing.

This guide walks you through the process of configuring your environment in preparation for an audit. There are several parts to this configuration, and this guide concentrates on the manual setup of your Mac to allow Nessus to communicate with your device. If you have several macOS machines, you may want to look at an RMM tool or other means to configure multiple machines quickly.

The steps to configure the environment are as follows:

  • Create a dedicated administrator/root account to use with the credentialed scan
  • Enable remote login
  • Set up SSH credentials within Nessus

Create a dedicated administrator/root account to use with the credentialed scan

Go into your System Preferences and click on ‘Users & Groups’, click on the padlock on the lower left corner of the screen to allow changes. Enter your password when prompted.

Once authenticated, click on the ‘+’ button just above the padlock to create a new account.

Set the new account type to ‘Administrator’, then give it a name and password. Use a strong password, and use the same username and password on every Mac being scanned; otherwise, the scan will fail on all the other machines.

Enable remote login

Once the user account has been created for the scanning, we need to ensure that remote login support is configured on each macOS device. To do this, within System Preferences, click on Sharing, then click on ‘Remote Login’, select the option ‘Only these users:’ and add the user that you have just created.

Set up SSH credentials within Nessus

Lastly, now that you have created the dedicated account and enabled remote login on the machines, the remaining step is to get SSH set up for the Nessus scanner. If you are configuring your environment yourself, securely provide the new login details to your Certification Body, or provide them on the day of the audit. All they will need to know is the username and password.

The certification body can then configure the Nessus scanning credentials to use SSH and provide the username and password.
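For anyone with more than a handful of Macs, the same two Mac-side steps (dedicated administrator account, Remote Login restricted to that account) can be done from the command line and pushed out through an RMM tool. The script below is an added example, not part of this guide; it assumes an account name of "nessusscan", takes the password from the SCAN_PASSWORD environment variable, and must run as root on each Mac. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the guide): the Mac-side steps done non-interactively.
# Assumed names: account "nessusscan", password read from SCAN_PASSWORD.
# Run as root on the Mac. With DRY_RUN=1 the commands are printed, not run.
SCAN_USER="${SCAN_USER:-nessusscan}"
DRY_RUN="${DRY_RUN:-0}"
SSH_GROUP="com.apple.access_ssh"   # group behind "Only these users" in Remote Login

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: dedicated administrator account used only by the scanner.
create_scan_account() {
  [ -n "$SCAN_PASSWORD" ] || { echo "SCAN_PASSWORD is not set" >&2; return 1; }
  run sysadminctl -addUser "$SCAN_USER" -fullName "Nessus Scan" \
    -password "$SCAN_PASSWORD" -admin
}

# Step 2: turn on Remote Login (sshd) and restrict it to the scan account.
enable_remote_login() {
  run systemsetup -setremotelogin on
  # The access group is created when "Only these users" is chosen in the GUI;
  # create it if it is missing, then add the scan account to it.
  if [ "$DRY_RUN" = "1" ] || ! dseditgroup -o read "$SSH_GROUP" >/dev/null 2>&1; then
    run dseditgroup -o create -q "$SSH_GROUP"
  fi
  run dseditgroup -o edit -a "$SCAN_USER" -t user "$SSH_GROUP"
}

# Step 3 happens on the Nessus side; here we only confirm the Mac is ready:
# Remote Login on, scan account allowed to SSH in, scan account an administrator.
verify_scan_readiness() {
  run systemsetup -getremotelogin
  run dseditgroup -o checkmember -m "$SCAN_USER" "$SSH_GROUP"
  run dseditgroup -o checkmember -m "$SCAN_USER" admin
}

case "${1:-}" in
  apply) create_scan_account && enable_remote_login && verify_scan_readiness ;;
  check) verify_scan_readiness ;;
  *) echo "usage: $0 apply|check   (set DRY_RUN=1 to print commands only)" ;;
esac
```

Run `check` on each Mac before the audit day to confirm Remote Login is on and the scan account is in both the Remote Login access group and the admin group.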