Posted on 01-25-2016 05:28 PM
My original posting for this started off as just an Extension Attribute. In the past 3 days, it has become a full blown workflow.
Here's that workflow.
JAMF Software Deployment: Nessus Agent for Apple Macintosh
INTRODUCTION
Tenable Network Security's Nessus software is currently being utilized for vulnerability scanning and vulnerability management within the enterprise.
JAMF Software's Casper Suite (JSS) is used to manage Apple Macintosh systems within the enterprise. This includes the deployment of software packages such as the Nessus agent.
This article describes the various elements and requirements as utilized by the Casper Suite in order to package and deploy the Nessus agent to Macintosh systems within the enterprise.
TOPICS
....Preparing for Deployment
........The Software
............Acquiring the Nessus agent
............Creating a Custom PKG Payload
................Acquiring and Installing Casper Composer
................Overview and Purpose of Creating a Custom PKG Payload
................Enabling Hidden Files and Folders in OS X
................Staging the Nessus Agent DMG File
................Using Casper Composer to Create a Custom Nessus Agent Installer PKG File
........Configuring the JSS
............Uploading the Custom Nessus Agent Installer PKG to the JSS Server
................Extension Attributes
................Nessus Agent Installation Status
................Nessus Agent Service Status
................Nessus Agent Version and Build Information
............JAMF JSS Computer Groups
................Creating Smart Computer Groups for the Nessus Agent
....................Nessus Agent - Installed
....................Nessus Agent - Not Installed
....................Nessus Agent - Installed - IT Department
....................Nessus Agent - Not Installed - IT Department
....................Nessus Agent Service - Running
....................Nessus Agent Service - Stopped
................Creating Static Computer Groups for the Nessus Agent
................IT Department
............JAMF JSS Computer Policies
................Creating Computer Policies for the Nessus Agent
................Nessus Agent - Installation
....Testing the Deployment
....Transitioning Into Production
........Re-scoping for Production
PREPARING FOR DEPLOYMENT
THE SOFTWARE
ACQUIRING THE NESSUS AGENT
The latest version of the Nessus agent for the Macintosh platform can be obtained from the following URL:
http://www.tenable.com/products/nessus/agent-download
An installer PKG file is contained within the downloaded DMG file. The installer PKG file has been designed by Tenable Network Security to perform an integrity check against itself. This self-check prevents the extraction and upload of a working version of the PKG to the JAMF JSS server.
NOTE - 2017-05-17: It seems the latest version of Tenable's Nessus Agent v6.10.5 may actually work as-is without all the fancy re-packaging. As the old mantra goes, "Test! Test! Test!" - YMMV!
The following work-around provides us with the necessary functionality.
OVERVIEW AND PURPOSE OF CREATING A CUSTOM PKG PAYLOAD
The JAMF JSS Server relies on PKG files to install 3rd Party software.
The JAMF JSS Server cannot deploy DMG files that have not been created in Casper Composer.
By creating a custom PKG file using Casper Composer, we have the ability to:
ACQUIRING AND INSTALLING CASPER COMPOSER
If you do not currently have the correct version of Casper Composer installed on your local system, please log into your JAMF Nation account by visiting the following URL:
https://my.jamfsoftware.com/products.html
If you do not have access to the JAMF assets, please contact your JAMF Administrator for further assistance.
If you do have access to the JAMF assets, please download the proper version of the Casper Suite for deployment on the Macintosh.
Once you have downloaded the appropriate Casper Suite DMG file to your local system perform the following steps:
01 - Double-Click the DMG file
02 - Drag the "Casper Suite" icon to the "Applications" Icon
ENABLING HIDDEN FILES AND FOLDERS IN OS X
Because we are creating a special deployment PKG file, we will want to use the /tmp folder on all of the target Macintosh systems. In order for Finder, and ultimately Casper Composer to see the /tmp folder, we need to enable hidden files and folders.
01 - Launch /Applications/Utilities/Terminal.app
02 - Type in the following commands, pressing the Enter/Return key after each line
defaults write com.apple.finder AppleShowAllFiles YES
killall Finder
03 - Open a Finder window and navigate to /tmp
STAGING THE NESSUS AGENT DMG FILE
Copy the Nessus Agent DMG file to /tmp
USING CASPER COMPOSER TO CREATE A CUSTOM NESSUS AGENT INSTALLER PKG
01 - Launch /Applications/Casper Suite/Composer.app
02 - If this is the first time you have launched Casper Composer
a. You may be presented with the "Composer.app is an application downloaded from the Internet" window
b. Click the "Open" button
c. If prompted, type in your password
d. You will be presented with the "Choose a method to create your package:" screen
e. Continue to Step 4
03 - If this is not your first time to launch Casper Composer you will be taken to the main Casper Composer screen
a. If prompted, type in your password
b. Click on the "New" icon
c. You will be presented with the "Choose a method to create your package:" screen
04 - Select "Normal Snapshot" icon
05 - Click the "Next" button
06 - Provide a "Package Name" (e.g. NessusAgent-6.5.5_Casper_Installer_v1.2.pkg)
07 - Casper Composer will begin taking a Snapshot of your system.
a. During this time, do not make any changes to your system
08 - Once Casper Composer has completed taking the Snapshot, click on the "Create Package Source" button
09 - Casper Composer will begin taking the "After Snapshot" of your system
10 - Once Casper Composer has completed taking the After Snapshot, you will be returned to the main Casper Composer screen
11 - Your newly created source container will reside in the left-hand pane
12 - Drag the Nessus Agent DMG file from /tmp to the right-hand pane of the Casper Composer Window
13 - This will create a tree structure depicting the path to the Nessus Agent DMG file
14 - In the left-hand sidebar, expand the Nessus Agent source
15 - Right-Click on "Scripts"
16 - Click on "Add Shell Script"
17 - Click on "Post Install"
18 - Click on "postinstall" in the left-hand pane
19 - Select all of the script contents within the right-hand pane and delete the contents
20 - Copy and paste in the following script
#!/bin/sh
## postinstall
# Nessus Agent Installation Script v1.2
# Written by Caine Hörr
# Written on Tue, Jan 26, 2016
# Updated by Caine Hörr
# Updated on Wed, Jan 17, 2016
# UPDATE LOG
# v1.2
# Replaced Username="$(whoami)" with Username="$(stat -f "%Su" /dev/console)" to correct issue of identifying root as the username
# v1.1
# Added line to unlink the Nessus Agent
# Automatically collect username and hostname to generate unique name
# Add unique name when linking to the Nessus Agent
# v1.0
# Initial Nessus Agent Installation script

# Mount the Nessus Agent DMG file (staged in /tmp by the Composer package)
# Latest version can be downloaded from http://www.tenable.com/products/nessus/agent-download
echo "########## MOUNTING THE NESSUS AGENT DMG ##########" | logger
hdiutil attach /tmp/NessusAgent-6.5.4.dmg | logger

# Run the Nessus Agent installer PKG file (the path contains spaces, so it must be quoted)
echo "########## INSTALLING THE NESSUS AGENT ##########" | logger
sudo installer -pkg "/Volumes/Nessus Agent Install/Install Nessus Agent.pkg" -target / | logger

# Check to see if Nessus Agent is installed (test for the nessuscli binary itself)
if [ -x /Library/NessusAgent/run/sbin/nessuscli ]; then
    echo "########## NESSUS AGENT INSTALLED ##########" | logger

    # Identify the device node the DMG file is attached on
    NessusAgentDMG="$(hdiutil info | grep "/Volumes/Nessus Agent Install" | awk '{ print $1 }')"

    # Detach the DMG file
    echo "########## UNMOUNTING THE NESSUS AGENT DMG ##########" | logger
    hdiutil detach "$NessusAgentDMG" | logger

    # Check to see if Nessus Agent is running
    # (launchctl list <label> prints a "PID" = nnn; line only when the job has a live process)
    NessusAgentRunning="$(sudo launchctl list com.tenablesecurity.nessusagent | grep "PID" | awk '{ print $1 }' | tr -d '"')"
    if [ "$NessusAgentRunning" = "PID" ]; then
        echo "########## NESSUS AGENT IS RUNNING ##########" | logger

        # Unlink the Nessus agent - Needed in case of upgrade or re-link
        echo "########## UNLINKING NESSUS AGENT ##########" | logger
        sudo /Library/NessusAgent/run/sbin/nessuscli agent unlink | logger

        # Acquire some personal data (currently logged in username and computer hostname without its domain suffix)
        Username="$(stat -f "%Su" /dev/console)"
        Computername="$(hostname | sed 's/\..*$//')"
        Fullname="${Computername}_${Username}"

        # Link the Nessus Agent to cloud.tenable.com
        echo "########## CONFIGURING THE NESSUS AGENT ##########" | logger
        sudo /Library/NessusAgent/run/sbin/nessuscli agent link --key=<your key goes here> --name="$Fullname" --host=cloud.tenable.com --port=443 | logger
        exit 0 # Success
    else
        echo "########## WARNING - NESSUS AGENT IS NOT RUNNING ##########" | logger
        exit 1 # Failure
    fi
else
    echo "########## ERROR - NESSUS AGENT DID NOT INSTALL ##########" | logger
    exit 1 # Failure
fi
21 - In the left-hand sidebar, click the Nessus Agent source icon
22 - You will be prompted to save changes - Click the "Save" button
23 - Click the "Build as PKG" icon
24 - Select a destination to save the custom PKG file (e.g. Desktop)
25 - Click the "Save" button
CONFIGURING THE JSS
UPLOADING THE CUSTOM NESSUS AGENT INSTALLER PKG TO THE JSS SERVER
01 - Connect to https://jss.yourdomain.net:8443/
02 - Log in with your credentials
03 - Click on the "Settings" (gear) icon in the upper right corner
04 - Click on "Computer Management" within the left-hand pane
05 - Click on the "Packages" icon within the "Computer Management" group
06 - Click on the "Plus" button
07 - Type in a "Display Name" (e.g. NessusAgent-6.5.5_Casper_Installer_v1.2.pkg)
08 - Select "Security" from the "Category" drop down menu
09 - Click on the "Upload Package File" button
10 - Click on the "Choose File" button
11 - Navigate to the location of your custom Nessus Agent PKG file
12 - Select your custom Nessus Agent PKG file
13 - Click the "Open" button
14 - Click the "Upload" button
15 - Add any additional Info or Notes to the relevant fields
16 - Click the "Save" button
EXTENSION ATTRIBUTES
Extension attributes are used to augment the functionality of the JAMF Casper Suite.
Because the Nessus Agent is not a typical Macintosh application that resides in /Applications, we need to build a set of custom controls to gather the necessary information about the status of the Nessus Agent on the client systems that are deployed within the enterprise.
With custom designed Extension attributes, we can gather the following information:
NESSUS AGENT INSTALLATION STATUS
01 - Connect to https://jss.yourdomain.net:8443/
02 - Log in with your credentials
03 - Click on the "Settings" (gear) icon in the upper right corner
04 - Click on "Computer Management" within the left-hand pane
05 - Click on "Extension Attributes" icon within the "Computer Management - Management Framework" group
06 - Click on the "Plus" button
07 - In the "Display Name" field, type in the following: Nessus Agent Installation Status
08 - In the "Description" field, type in the following: Check to determine if the Nessus Agent is installed.
09 - In the "Data Type" drop down, select "String"
10 - In the "Inventory Display" drop down, select "Operating System"
11 - In the "Input Type" drop down, select "Script"
12 - Click on the "OS X" button
13 - In the "Script" text field, copy and paste in the following script:
#!/bin/sh
# Check to see if Nessus Agent is installed (test for the nessuscli binary itself rather than grepping a directory listing)
if [ ! -x /Library/NessusAgent/run/sbin/nessuscli ]
then
    echo "<result>Not Installed</result>"
else
    echo "<result>Installed</result>"
fi
14 - Click the "Save" button
NESSUS AGENT SERVICE STATUS
01 - Connect to https://jss.yourdomain.net:8443/
02 - Log in with your credentials
03 - Click on the "Settings" (gear) icon in the upper right corner
04 - Click on "Computer Management" within the left-hand pane
05 - Click on "Extension Attributes" icon within the "Computer Management - Management Framework" group
06 - Click on the "Plus" button
07 - In the "Display Name" field, type in the following: Nessus Agent Service Status
08 - In the "Description" field, type in the following: Check to determine if the Nessus Agent Service is running.
09 - In the "Data Type" drop down, select "String"
10 - In the "Inventory Display" drop down, select "Operating System"
11 - In the "Input Type" drop down, select "Script"
12 - Click on the "OS X" button
13 - In the "Script" text field, copy and paste in the following script:
#!/bin/sh
# Check to see if Nessus Agent is running
# launchctl list <label> prints a "PID" = nnn; line only when the job has a live process
NessusAgentRunning="$(sudo launchctl list com.tenablesecurity.nessusagent 2>/dev/null | grep "PID" | awk '{ print $1 }' | tr -d '"')"
if [ "$NessusAgentRunning" = "PID" ]
then
    echo "<result>Running</result>"
else
    echo "<result>Stopped</result>"
fi
14 - Click the "Save" button
NESSUS AGENT VERSION AND BUILD INFORMATION
01 - Connect to https://jss.yourdomain.net:8443/
02 - Log in with your credentials
03 - Click on the "Settings" (gear) icon in the upper right corner
04 - Click on "Computer Management" within the left-hand pane
05 - Click on "Extension Attributes" icon within the "Computer Management - Management Framework" group
06 - Click on the "Plus" button
07 - In the "Display Name" field, type in the following: Nessus Agent Version
08 - In the "Description" field, type in the following: Determine the version of the Nessus Agent that is currently installed.
09 - In the "Data Type" drop down, select "String"
10 - In the "Inventory Display" drop down, select "Operating System"
11 - In the "Input Type" drop down, select "Script"
12 - Click on the "OS X" button
13 - In the "Script" text field, copy and paste in the following script:
#!/bin/sh
# Check to see if Nessus Agent is installed (test for the nessuscli binary itself)
if [ ! -x /Library/NessusAgent/run/sbin/nessuscli ]
then
    echo "<result>N/A</result>"
else
    # Pick the version fields out of the first line of the nessuscli banner
    NessusAgentVersion="$(/Library/NessusAgent/run/sbin/nessuscli -v | awk 'NR==1{print $3 " " $4 " " $5}')"
    echo "<result>$NessusAgentVersion</result>"
fi
14 - Click the "Save" button
JAMF JSS COMPUTER GROUPS
The JAMF JSS provides two kinds of Computer Groups.
Smart Computer Groups include logic statements that determine how Policies, Configuration Profiles, Extension Attributes and other resources are applied. Smart Computer Groups provide a mechanism by which the JSS can determine which actions to take and when.
Static Computer Groups are manually assigned systems without any form of logic work flow. Static Computer Groups are perfect for deploying systems within small, isolated test and lab groups thereby reducing any major impact on a production environment.
CREATING SMART COMPUTER GROUPS FOR THE NESSUS AGENT
NESSUS AGENT - INSTALLED
01 - Click on the "Computers" icon
02 - Click on "Smart Computer Groups"
03 - Click on the "Plus" button
04 - In the "Display Name" field, type in the following: Nessus Agent - Installed
05 - Click on the "Criteria" tab
06 - Click on the "Plus" button
07 - Click the "Choose" button for All Criteria
08 - Click the "Choose" button for Nessus Agent Installation Status
09 - Change the "Operator" drop down to is
10 - In the "Value" field, type in Installed
a. This value corresponds with the value as defined in the script associated with the Nessus Agent Installation Status Extension Attribute
11 - Click the "Save" button
NESSUS AGENT - NOT INSTALLED
01 - Click on the "Computers" icon
02 - Click on "Smart Computer Groups"
03 - Click on the "Plus" button
04 - In the "Display Name" field, type in the following: Nessus Agent - Not Installed
05 - Click on the "Criteria" tab
06 - Click on the "Plus" button
07 - Click the "Choose" button for "All Criteria"
08 - Click the "Choose" button for "Nessus Agent Installation Status"
09 - Change the "Operator" drop down to "is not"
10 - In the "Value" field, type in "Installed"
a. This value corresponds with the value as defined in the script associated with the Nessus Agent Installation Status Extension Attribute
11 - Click the "Save" button
NESSUS AGENT - INSTALLED - TEST GROUP
01 - Click on the "Computers" icon
02 - Click on "Smart Computer Groups"
03 - Click on the "Plus" button
04 - In the "Display Name" field, type in the following: Nessus Agent - Installed - Test Group
05 - Click on the "Criteria" tab
06 - Click on the "Plus" button
07 - Click the "Choose" button for "All Criteria"
08 - Click the "Choose" button for "Nessus Agent Installation Status"
09 - Change the "Operator" drop down to "is"
10 - In the "Value" field, type in "Installed"
a. This value corresponds with the value as defined in the script associated with the Nessus Agent Installation Status Extension Attribute
11 - Click the "Save" button
NESSUS AGENT - NOT INSTALLED - TEST GROUP
01 - Click on the "Computers" icon
02 - Click on "Smart Computer Groups"
03 - Click on the "Plus" button
04 - In the "Display Name" field, type in the following: Nessus Agent - Not Installed - Test Group
05 - Click on the "Criteria" tab
06 - Click on the "Plus" button
07 - Click the "Choose" button for "All Criteria"
08 - Click the "Choose" button for "Nessus Agent Installation Status"
09 - Change the "Operator" drop down to "is not"
10 - In the "Value" field, type in "Installed"
a. This value corresponds with the value as defined in the script associated with the Nessus Agent Installation Status Extension Attribute
11 - Click the "Save" button
NESSUS AGENT SERVICE - RUNNING
01 - Click on the "Computers" icon
02 - Click on "Smart Computer Groups"
03 - Click on the "Plus" button
04 - In the "Display Name" field, type in the following: Nessus Agent Service - Running
05 - Click on the "Criteria" tab
06 - Click on the "Plus" button
07 - Click the "Choose" button for "All Criteria"
08 - Click the "Choose" button for "Nessus Agent Service Status"
09 - Change the "Operator" drop down to "is"
10 - In the "Value" field, type in "Running"
a. This value corresponds with the value as defined in the script associated with the Nessus Agent Service Status Extension Attribute
11 - Click the "Save" button
NESSUS AGENT SERVICE - STOPPED
01 - Click on the "Computers" icon
02 - Click on "Smart Computer Groups"
03 - Click on the "Plus" button
04 - In the "Display Name" field, type in the following: Nessus Agent Service - Stopped
05 - Click on the "Criteria" tab
06 - Click on the "Plus" button
07 - Click the "Choose" button for "All Criteria"
08 - Click the "Choose" button for "Nessus Agent Service Status"
09 - Change the "Operator" drop down to "is not"
10 - In the "Value" field, type in "Running"
a. This value corresponds with the value as defined in the script associated with the Nessus Agent Service Status Extension Attribute
11 - Click the "Save" button
CREATING STATIC COMPUTER GROUPS FOR THE NESSUS AGENT
NESSUS AGENT TEST GROUP
01 - Click on the "Computers" icon
02 - Click on "Static Computer Groups"
03 - Click on the "Plus" button
04 - In the "Display Name" field, type in the following: IT Department
05 - Click on the "Assignments" tab
06 - Select each individual system to be included within the group
07 - Click the "Save" button
JAMF JSS COMPUTER POLICIES
CREATING COMPUTER POLICIES FOR THE NESSUS AGENT
NESSUS AGENT - INSTALLATION
01 - Click on the "Computers" icon
02 - Click on "Policies"
03 - Click on the "Plus" button
04 - In the "Display Name" field, type in the following: Nessus Agent - Installation
05 - Select the "Enabled" checkbox
a. Selecting "Enabled" commits the policy once the "Save" button has been clicked. If the policy is not enabled, it will not run.
06 - Change the "Category" drop down to "Security"
07 - Select the "Enrollment Complete" checkbox
08 - Select the "Recurring Check-In" checkbox
09 - Change the "Execution Frequency" drop down to "Once per computer"
10 - Click on the "Packages" icon
11 - Click on the "Configure" button
12 - Click the "Add" button that corresponds to the Nessus Agent Installer PKG file
13 - Click on the "Maintenance" icon
14 - Click on the "Configure" button
15 - Click on the "Scope" tab
16 - Click on the "Plus" button
17 - Click on the "Computer Groups" button
18 - Click the "Add" button that corresponds to "Nessus Agent - Not Installed - IT Department"
19 - Click the "Done" button
20 - Click the "Save" button
a. Clicking the "Save" button commits the policy if the policy is Enabled.
TESTING THE DEPLOYMENT
Once the policy has been enabled and saved, all systems that have been assigned to the Nessus Agent Test Group Static Computer Group will download and run the policy during their next check-in period.
You can expedite this process by running the following commands on the command line (/Applications/Utilities/Terminal.app) of a target system:
sudo jamf manage
sudo jamf policy
TRANSITIONING TO PRODUCTION
To transition to a final production run for all target systems within the enterprise, you only need to re-scope the Computer Policy entitled "Nessus Agent - Installation".
RE-SCOPING FOR PRODUCTION
01 - Click on the "Computers" icon
02 - Click on "Policies"
03 - Click on the "Nessus Agent - Installation" policy link
04 - Click on the "Scope" tab
05 - Click on the "Edit" button
06 - Click on the "Remove" button that corresponds with the "Nessus Agent - Not Installed - Test Group" Smart Computer Group
07 - Click on the "Plus" button
08 - Click on the "Computer Groups" button
09 - Click on the "Add" button associated with the "Nessus Agent - Not Installed" Smart Computer Group
10 - Click the "Done" button
11 - Click the "Save" button
a. Clicking the "Save" button commits the policy if the policy is Enabled.
Caine Hörr
A reboot a day keeps the admin away!
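Added example, not code from the original post or from Tenable: the three Extension Attributes above report installed, running and version, but an agent can be installed and running while linked to no manager at all, in which case it scans nothing and the "Nessus Agent Service - Running" group gives false comfort. The script below is a fourth EA that folds link state into one value, with the parsing pulled into functions that read stdin so they can be checked against constructed sample output on any machine. Assumed rather than taken from the page: that `nessuscli agent status` prints a line beginning `Linked to: host:port` when the agent is linked, and that `launchctl list <label>` prints a `"PID" = nnn;` line when the job has a live process (the page's own service check relies on that same line). The `version_from_cli` helper is a drop-in replacement for the positional awk in the version EA: it returns the first dotted version number wherever it sits in the banner.

```shell
#!/bin/sh
# Added example, not part of the original post: a Jamf Extension Attribute that
# reports whether the Nessus Agent is installed, running AND linked to a manager.
# The parsing helpers read stdin so they can be exercised on sample output.
#
# Assumed output formats (not taken from the page):
#   nessuscli agent status  ->  a line "Linked to: host:port" when linked
#   launchctl list <label>  ->  a line '"PID" = nnn;' when the job has a process

NESSUSCLI="/Library/NessusAgent/run/sbin/nessuscli"
AGENT_LABEL="com.tenablesecurity.nessusagent"

# PID from `launchctl list <label>` output; prints nothing when there is no
# PID line (job loaded but idle, or not loaded at all).
pid_from_launchctl() {
    sed -n 's/^[[:space:]]*"PID" = \([0-9][0-9]*\);.*/\1/p' | head -n 1
}

# Manager host:port from `nessuscli agent status` output; empty when unlinked.
link_target_from_status() {
    sed -n 's/^Linked to:[[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p' | head -n 1
}

# First dotted version number in `nessuscli -v` output (e.g. 7.1.1), so the
# result does not depend on the position of the fields in that banner.
version_from_cli() {
    grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# Fold the three signals into one EA value.
# Arguments: <installed 0|1> <pid or empty> <link target or empty>
agent_state() {
    if [ "$1" != "1" ]; then
        echo "Not Installed"
    elif [ -z "$2" ]; then
        echo "Installed - Service Stopped"
    elif [ -z "$3" ]; then
        echo "Running - Not Linked"
    else
        echo "Linked to $3"
    fi
}

# Live collection; the tools above only exist on macOS, so skip elsewhere.
if [ "$(uname)" = "Darwin" ]; then
    installed=0
    target=""
    if [ -x "$NESSUSCLI" ]; then
        installed=1
        target=$("$NESSUSCLI" agent status 2>/dev/null | link_target_from_status)
    fi
    pid=$(launchctl list "$AGENT_LABEL" 2>/dev/null | pid_from_launchctl)
    echo "<result>$(agent_state "$installed" "$pid" "$target")</result>"
fi
```

Paste it into a new Extension Attribute (Data Type "String", Input Type "Script") and build a Smart Computer Group on the value "Running - Not Linked"; that group, not "Service - Running", is the one worth scoping a re-link policy to.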
Posted on 01-26-2016 05:10 PM
Edited previous post to reflect updates in the primary script that links to cloud.tenable.com
Caine Hörr
A reboot a day keeps the admin away!
Posted on 01-27-2016 03:18 PM
Today, I added some additional functionality.
I created a script that updates the Nessus Agent's link to cloud.tenable.com.
The purpose for the additional script is to auto-correct the link without the need to redeploy the custom Nessus Agent package.
I configured the script to run as a policy.
It is triggered as a recurring check-in on a weekly basis.
The scope is set to the "Nessus Agent - Installed" Smart Computer Group.
Here is the script.
#!/bin/sh
# Nessus_Agent_Link_Update.sh v1.0
# Written by Caine Hörr
# Written on Wed, Jan 17, 2016
# Updated by Caine Hörr
# Updated on Wed, Jan 17, 2016
# UPDATE LOG
# v1.0
# Initial Nessus Agent Link Update script

# Unlink the Nessus agent - Needed in case of upgrade or re-link
echo "########## UNLINKING NESSUS AGENT ##########" | logger
sudo /Library/NessusAgent/run/sbin/nessuscli agent unlink | logger

# Acquire some personal data (currently logged in username and computer hostname without its domain suffix)
Username="$(stat -f "%Su" /dev/console)"
Computername="$(hostname | sed 's/\..*$//')"
Fullname="${Computername}_${Username}"

# Link the Nessus Agent to cloud.tenable.com
echo "########## CONFIGURING THE NESSUS AGENT ##########" | logger
sudo /Library/NessusAgent/run/sbin/nessuscli agent link --key=<your key goes here> --name="$Fullname" --host=cloud.tenable.com --port=443 | logger
exit 0
If you've read through the first post in this thread, then this should look familiar to you as it is actually part of the larger deployment script.
Caine Hörr
A reboot a day keeps the admin away!
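Added example, not code from the original post or from Tenable: both the postinstall script in the first post and the weekly re-link script above carry the linking key as a literal inside the package or script, and both unlink and relink on every run. A key baked into a PKG sits on the distribution point, where every enrolled Mac can fetch and unpack it, and an unconditional weekly unlink/link makes every agent re-register whether or not anything was wrong. The script below takes the key and manager from Jamf script parameters ($4 onward; $1 to $3 are reserved by Jamf, as a later reply in this thread also notes) and relinks only when the agent is not already linked to the wanted host:port. It assumes it runs from the policy's Scripts payload after the package payload rather than inside the PKG postinstall, where no parameters are available; later replies in this thread use exactly that package-plus-script policy layout. Assumed, not from the page: the `Linked to: host:port` line in `nessuscli agent status` output, and the `nouser` fallback for when `stat -f %Su /dev/console` reports root at the login window (the first post's v1.2 changelog hit the same root problem). The nessuscli options used are the ones already on the page.

```shell
#!/bin/sh
# Added example, not part of the original post: Jamf policy script that links
# (or re-links) the Nessus Agent with the key supplied as a script parameter,
# and only when the agent is not already linked to the wanted manager.
#
# Jamf passes mount point, computer name and username in $1-$3; $4-$11 are
# free for the policy to fill in:
#   $4 linking key (required)      $5 manager host (default cloud.tenable.com)
#   $6 manager port (default 443)  $7 agent group(s) (optional)
# Assumed, not from the page: `nessuscli agent status` prints a line
# "Linked to: host:port" when linked.

NESSUSCLI="/Library/NessusAgent/run/sbin/nessuscli"

# Hostname without its domain suffix (what the page's sed was meant to do).
short_hostname() {
    printf '%s\n' "$1" | sed 's/\..*$//'
}

# Agent name the way the page builds it: <shorthost>_<consoleuser>.
# At the login window /dev/console is owned by root, so fall back to "nouser"
# (an assumed convention) instead of naming the agent after root.
agent_name() {
    an_host=$(short_hostname "$1")
    an_user=$2
    case "$an_user" in
        ""|root) an_user="nouser" ;;
    esac
    printf '%s_%s\n' "$an_host" "$an_user"
}

# Returns 0 when a relink is needed, 1 when the status text already shows a
# link to the wanted host:port. Pure: takes the status text as an argument.
needs_relink() {
    nr_wanted_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq "^Linked to:[[:space:]]*${nr_wanted_re}([[:space:]]|\$)" && return 1
    return 0
}

# Live path: macOS only (stat -f, /dev/console and nessuscli do not exist elsewhere).
if [ "$(uname)" = "Darwin" ]; then
    key=${4:-}
    host=${5:-cloud.tenable.com}
    port=${6:-443}
    groups=${7:-}
    if [ -z "$key" ]; then
        echo "ERROR: linking key must be supplied in script parameter 4" | logger -s
        exit 1
    fi
    if [ ! -x "$NESSUSCLI" ]; then
        echo "ERROR: Nessus Agent is not installed ($NESSUSCLI missing)" | logger -s
        exit 1
    fi
    name=$(agent_name "$(hostname)" "$(stat -f '%Su' /dev/console)")
    if needs_relink "$("$NESSUSCLI" agent status 2>&1)" "${host}:${port}"; then
        # unlink fails harmlessly when nothing is linked
        "$NESSUSCLI" agent unlink 2>&1 | logger
        if [ -n "$groups" ]; then
            "$NESSUSCLI" agent link --key="$key" --name="$name" --host="$host" --port="$port" --groups="$groups" 2>&1 | logger
        else
            "$NESSUSCLI" agent link --key="$key" --name="$name" --host="$host" --port="$port" 2>&1 | logger
        fi
        # Verify the result instead of trusting the exit status of a piped command.
        if needs_relink "$("$NESSUSCLI" agent status 2>&1)" "${host}:${port}"; then
            echo "ERROR: Nessus Agent is still not linked to ${host}:${port}" | logger -s
            exit 1
        fi
        echo "Nessus Agent linked to ${host}:${port} as ${name}" | logger
    else
        echo "Nessus Agent already linked to ${host}:${port}; nothing to do" | logger
    fi
fi
```

Scope it to the "Nessus Agent - Installed" group on a recurring check-in as the post above does; because it exits without touching a correctly linked agent, the recurring run costs nothing on healthy machines and only acts on the ones that have drifted. The key still passes through the policy's script parameters and the agent's command line, so it is visible to anyone who can read the policy in the JSS or list processes on the Mac at the moment of linking; that is a smaller exposure than a copy inside every downloaded package, not zero.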
Posted on 01-27-2016 03:20 PM
And the final piece...
A Nessus Agent uninstaller script.
I have not added this into the JSS, but it could be done quite easily and then added to Self Service or as a policy.
#!/bin/sh
echo "UNINSTALLING THE NESSUS AGENT" | logger
# This script follows the Mac Agent Removal process as outlined by Tenable
# http://www.tenable.com/documentation/nessus/#_New_Topics/Mac_Agent_Uninstall.htm%3FTocPath%3DInstall%7CRemove%7CAgent%7C_____1
# Unlink the Nessus Agent
sudo /Library/NessusAgent/run/sbin/nessuscli agent unlink | logger
# Disable the Nessus Agent service
sudo launchctl remove com.tenablesecurity.nessusagent | logger
# Remove the Nessus Agent directories and files
# (the PreferencePanes path contains spaces and must be quoted; unquoted, rm -rf
# is handed three separate paths instead of one)
sudo rm -rf /Library/NessusAgent/ | logger
sudo rm -f /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist | logger
sudo rm -rf "/Library/PreferencePanes/Nessus Agent Preferences.prefPane/" | logger
exit 0
Caine Hörr
A reboot a day keeps the admin away!
Posted on 01-05-2017 09:42 AM
I just wanted to point out, this is by far the best, most comprehensive and complete work flow it has been my pleasure to implement! Thank you so much, it worked flawlessly!
Posted on 01-24-2017 09:29 AM
I want to second that. This worked perfectly for me the first time. My eternal thanks
Posted on 01-31-2017 10:53 AM
Thank you so much for the kind words. I am glad the workflow has found value to someone else.
One of my SecOps guys made a change. He modified the following:
ORIGINAL CODE
# Link the Nessus Agent to cloud.tenable.com
echo "########## CONFIGURING THE NESSUS AGENT ##########" | logger
sudo /Library/NessusAgent/run/sbin/nessuscli agent link --key=<your key goes here> --name=$Fullname --host=cloud.tenable.com --port=443 | logger
UPDATED CODE
# Link the Nessus Agent to cloud.tenable.com
echo "########## CONFIGURING THE NESSUS AGENT ##########" | logger
sudo /Library/NessusAgent/run/sbin/nessuscli agent link --key=<your key goes here> --name="$Fullname" --host=cloud.tenable.com --port=443 --groups="<your group info goes here>" | logger
Just in case y'all were curious!
Caine Hörr
A reboot a day keeps the admin away!
Posted on 07-27-2022 08:28 AM
This is so all-inclusive and so awesome. Thank you for taking the time to share with the community. We use this product and your info really helped me understand more I will be shamelessly using your scripts and configurations.
Posted on 03-14-2017 10:45 AM
@cainehorr Thank you sir!
Posted on 03-14-2017 10:46 AM
@cainehorr Thank you sir!
Posted on 04-17-2017 08:21 PM
Awesome Guide @cainehorr, tested and working with Nessus Agent 6.10.5 today!
Posted on 04-18-2017 11:57 AM
@PatrickD I'm glad you found the workflow useful. Feel free to reach out if you have any questions.
Caine Hörr
A reboot a day keeps the admin away!
Posted on 05-17-2017 04:10 PM
NOTE - 2017-05-17
Hey everyone...
It seems the latest version of Tenable's Nessus Agent v6.10.5 may actually work as-is without all the fancy re-packaging. As the old mantra goes, "Test! Test! Test!" - YMMV!
That being said, the rest of the workflow remains sound.
Cheers!
Caine Hörr
A reboot a day keeps the admin away!
Posted on 01-05-2018 05:54 PM
Hey everyone - I have finally gotten around to cleaning up my own blog.
I have transplanted this workflow and given it a slight facelift.
Find it here: http://www.cainehorr.com/jamf-workflow-for-tenable-nessus-agent/
Caine Hörr
A reboot a day keeps the admin away!
Posted on 04-02-2018 12:09 PM
Thanks for the write up @cainehorr . I was wondering if there was a way to remove the system preferences pane when installing the agent? Giving any admin ability to disable the agent seems counterproductive.
Posted on 04-16-2018 09:09 AM
@vao You can add a line to the script after you install and activate to simply remove the PrefPane. I'm just starting to roll out the Nessus Agent but so far haven't run into any issues with the agent still running even though the PrefPane has been removed.
rm -rf "/Library/PreferencePanes/Nessus Agent Preferences.PrefPane"
@cainehorr Thanks for the EAs, was exactly what I was looking for.
Posted on 08-28-2018 11:22 AM
Confirmed that these instructions still work for the 7.1.1 agent as of 8/27/18. See OP's blog for the most up to date script and instructions. Not sure if there's an easier way to do this on 7.x, but I ran into trouble trying to do any of the following:
-use the pkg inside the NessusAgent dmg without repackaging
-repackage using the Composer and running a post-installation script as described above as a separate script process.
I did hear some rumblings that using the hidden pkg inside the Nessus Agent DMG might work better than the visible pkg, but didn't have an opportunity to test.
Posted on 03-13-2019 04:46 PM
Hey everyone! I truly appreciate all the proof-positive feedback.
I really wish I was still working with Tenable's Nessus Agent so I could provide updates. Unfortunately, I'm not...
So I freely pass the mantle to anyone here who is willing to expand upon what I've done.
Isn't community great!?
Caine Hörr
A reboot a day keeps the admin away!
Posted on 04-17-2019 04:09 PM
I tried the instructions above using 7.3.1 but ran into the following error:
Installation failed. The installer reported:
installer: Package name is Nessus Agent-7.3.1
installer: Installing at base path /
installer: The install failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)
Instead I packaged the dmg as instructed and ran the script separately within the same policy and seemed to work. Still in testing mode, but so far, so good
Posted on 09-09-2019 12:35 PM
Tried installing the DMG and then doing the script via same policy.
Came back with this:
Verifying package integrity...
Installing NessusAgent.pkg...
Successfully installed NessusAgent.pkg.
Running script Nessus Agent - Install Script...
Script exit code: 1
Script result: hdiutil: attach failed - No such file or directory
ls: /Library/NessusAgent/run/sbin/: No such file or directory
Error running script: return code was 1.
Posted on 09-09-2019 02:36 PM
I just re-packaged the .nessus silent installer and used a post install script to add cloud or local agents (one line)...
Cloud
/Library/NessusAgent/run/sbin/nessuscli agent link --key=[cloud_key] --groups=All --host=cloud.tenable.com --port=443
Local
/Library/NessusAgent/run/sbin/nessuscli agent link --key=[local_key] --groups=All --host=[URL] --port=8834
Posted on 07-10-2020 03:27 PM
@Initialised can you share this script?
Posted on 07-10-2020 03:38 PM
I have to deal with Nessus, unfortunately, but vuln scan data is valuable. Here is how I approach the deployment.
Nessus actually deploys a dummy package in their DMG that has a hidden package nested inside the DMG. Why they do this, I have literally zero clue. Security through obscurity? So you can mount the DMG and use terminal to find the hidden package that is named with a . in front of it, hiding it. The downside is there are some chmod scripts that seem to apply permissions after the install, again no idea why they designed it that way. Of course if Jamf just supported native DMG installs this wouldn't be much of an issue, but it is what it is.
Also, there is a unique agent ID located in /etc/tenable_tag. You must, and I will stress this, you must remove this tag if you reinstall the agent at all. This is what they use as a unique identifier in their server-side tools, so I have baked a bunch of checks into an install/remediation script:
#!/bin/zsh
# Use positional parameters to pass the agent link key to the Tenable agent post install.
# Jamf reserves $1-$3, so we are starting with $4.
# Your Nessus agent linking key, used to register with your cloud tenant.
NSAGENT="${4}"

# Test to see if Tenable installed correctly; if not, trigger the install policy and stop here.
if /Library/NessusAgent/run/sbin/nessuscli help
then
    echo "binary is installed, proceeding"
else
    echo "Not installed, let's install now"
    jamf policy -event install_nessus
    exit 0
fi

# Yeet the Nessus pref pane because it is useless,
# then yeet the Tenable agent ID because it is unique.
# (Paths with spaces must be quoted, and the echo has to sit inside the then-branch:
# placed before "then" it becomes part of the condition and the branch always runs.)
if [[ -e "/Library/PreferencePanes/Nessus Agent Preferences.prefPane" ]]
then
    echo "removing pref pane..."
    rm -rf "/Library/PreferencePanes/Nessus Agent Preferences.prefPane"
fi
if [[ -e /etc/tenable_tag ]]
then
    echo "removing tenable UUID"
    rm -f /etc/tenable_tag
fi

# Just in case it is registered with a bad/wrong scan, force it to unlink.
echo "forcing an unlink..."
/Library/NessusAgent/run/sbin/nessuscli agent unlink --force

# Remove the files and unload the daemons.
echo "removing the daemons..."
launchctl unload /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
rm -f /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
echo "removing the files"
rm -rf /Library/NessusAgent

# Install the new agent.
echo "reinstalling the agent clean..."
jamf policy -event install_nessus

# Apparently Nessus deemed it necessary to deploy binaries that are not executable, because why not?
echo "setting the agent permissions..."
chmod -R +x /Library/NessusAgent/run

# Now relink it.
/Library/NessusAgent/run/sbin/nessuscli agent link --key="${NSAGENT}" --cloud --groups="your-scan-group-here"
We are seeing agents that auto upgrade and then not check into Nessus and I have open support tickets on this, so if anyone has insight into this I would be happy to hear about it. I am on Slack more often than here though.
Posted on 07-27-2022 08:29 AM
truth!
Posted on 07-26-2024 12:34 PM
Hey @tlarkin - have tried the above and got to a point where I'm testing installing through Self Service (let me know if there is a better option) and it just spins. Assuming something I've done is incorrect, but so far I have:
put the DMG into Composer > saw that the 2 .pkg files were there > set up a post-install script with what you had suggested > then uploaded that as a package to Jamf and pushed it to Self Service.
Not sure if this isn't what it was intended for, but I'm struggling to find a solution that works for me > tried a lot of the above and hoping it isn't just because it may be outdated.
I have verified that just manually installing Tenable and then running the script for linking an agent in Terminal works; I just cannot get it to work remotely and don't want to manually do it on everyone's machine :D
Posted on 07-26-2024 02:51 PM
@keenan710 it also needs CLI arguments to register the agent to the proper scan group and server. If you look at the output of that `nessuscli --help` it should give you the args to complete that task. The package by itself only installs the components but does not configure them. So you will need some sort of script to do so.
also my script could very well be outdated as it is pretty old. Alternatively Nessus does offer some APIs to programmatically download the installer as well, which we only use in our Linux VDI deployment currently but I am sure that could be adapted to macOS. Just gotta put API creds in a script which is not a great security practice
I would look at the CLI args from the Nessus binaries and see if you are properly registering the agent.
Posted on 09-14-2020 01:42 PM
Good stuff, thanks @cainehorr
So.. at least as of the 7.x+ Nessus, if you show hidden files there is a second PKG inside the DMG. That's the actual installer and it works fine outside of the DMG. I just pull that out, unhide it (take off the leading ".") and deploy it with Jamf, following it up with the command to add it to our Nessus environment.
Any reason this is wrong? I guess I'm missing all the logic to check it, but I have other Policies and EAs for that.
Posted on 07-27-2022 08:30 AM
So awesome to know this! Thanks for sharing.
Posted on 09-16-2020 02:57 PM
Also the Version EA needs a little work; the newer versions of Nessus are outputting a lot of data with the -v. I'm trying to figure it out now, I'll post back if I get it working better.
Posted on 07-27-2022 03:55 AM
Sorry to revive a two year dead thread but how did you get Jamf to acknowledge you are running the Nessus Agent in the console? I can see it running in the Tenable side but nothing on the Jamf side.
Posted on 09-16-2020 05:39 PM
@ScottSimmons quick and dirty one liner
sudo /Library/NessusAgent/run/sbin/nessuscli --version | awk '/nessus/ { print $4}'
8.1.0
Posted on 09-28-2020 08:20 PM
We still have some machines running the old Nessus agent version, so I made this adjustment to the script:
#!/bin/bash
# rfnc https://www.jamf.com/jamf-nation/discussions/18592/extension-attribute-tenable-network-security-nessus
# 20200929 chriso updated to parse v8 client output
# (bash shebang because the [[ ]] tests below are not POSIX sh)
# Check to see if Nessus Agent is installed
RESULT="N/A"
if [ -f /Library/NessusAgent/run/sbin/nessuscli ]; then
    OUTPUT=$(/Library/NessusAgent/run/sbin/nessuscli -v | head -n 1)
    if [[ ${OUTPUT} == *"(Nessus) 7"* ]]; then
        # v7 prints "... (Nessus) <version> [build <n>]", so the version starts at field 3
        RESULT="$(echo "${OUTPUT}" | awk 'NR==1{print $3 " " $4 " " $5}')"
    elif [[ ${OUTPUT} == *"(Nessus Agent) 8"* ]]; then
        # v8 prints "... (Nessus Agent) <version> [build <n>]", so it starts at field 4
        RESULT="$(echo "${OUTPUT}" | awk 'NR==1{print $4 " " $5 " " $6}')"
    else # catch-all to capture at least something
        RESULT=${OUTPUT}
    fi
fi
echo "<result>${RESULT}</result>"
Posted on 11-03-2020 10:46 AM
I just revisited this after using the prior method during a trial over the Summer. The process is much easier now. No need to use Composer any longer.
Mount the Nessus Agent DMG from the Tenable website.
Pull the hidden file ".NessusAgent.pkg" out of the DMG and place it where you'd like.
Rename it as you like. (I used NessusAgent_v_8_0_2.pkg)
Pull the PKG into Jamf Admin, add whatever info/details you prefer.
Create a Policy installing this PKG on the target computer.
Add the following script to run after the PKG install, it will link the agent to your Tenable instance and delete the Preference Pane (we prefer that users not mess with it)
#!/bin/sh
# Links Nessus agent to our specific key and sets needed cloud domain and port
/Library/NessusAgent/run/sbin/nessuscli agent link --key=YOUR_SPECIFIC_KEY_HERE --host=cloud.tenable.com --port=443
# If desired, the --groups="Group Name" option can be added
# This removes the Nessus Agent Preference Pane (the path contains spaces, so it must be quoted)
rm -rf "/Library/PreferencePanes/Nessus Agent Preferences.PrefPane"
Tested and works well for deployment.
Posted on 12-11-2020 06:12 AM
I am getting the error below for people with Catalina OS but some with the older Mojave OS it is installing no problem. Anyone any ideas why?
NessusAgent-8.2.0
installer: Upgrading at base path /
installer: The upgrade failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. The package is attempting to install content to the system volume.)
also getting
Script result: sudo: /Library/NessusAgent/run/sbin/nessuscli: command not found
Posted on 12-11-2020 11:57 AM
You are trying to upgrade an existing agent @EddieF and you must remove some files that are unique first before reinstalling
Posted on 12-14-2020 08:36 AM
When creating the package I've deleted everything except files in /Library and I've also tried deleting all files except /Library/NessusAgent; it isn't making a difference.
Posted on 12-14-2020 09:47 AM
If you are going to uninstall you should delete all contents in /Library/Nessus, the preference pane if you deploy it (we do not), and there is a unique ID that is generated upon install called /etc/tenable_tag which also must be deleted to reinstall the app.
The installer and the agent is sorta horrible, and health checking it is also a nightmare. Please open tickets with the vendor and let them know you would like to see improvements.
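An added example (mine, not tlarkin's or Tenable's code) that turns the cleanup described in this reply and in the remediation script above into one idempotent shell function. It takes a root directory as a parameter so the deletion logic can be exercised against a scratch tree before it is pointed at `/`; the `ROOT` parameter and the function names are this example's own, and the paths are the ones named in the thread. Paths that contain spaces are quoted throughout, which is the detail several of the posted scripts trip over.

```shell
#!/bin/sh
# Added example: idempotent cleanup of the per-host Nessus Agent state that must be gone
# before a reinstall. ROOT is normally "/"; pass a scratch directory to dry-run the logic.
# Paths are the ones named in this thread; function names and the ROOT parameter are mine.

# remove_if_present ROOT RELPATH: delete ROOT/RELPATH if it exists, report either way
remove_if_present() {
    target="${1%/}/$2"
    if [ -e "$target" ]; then
        rm -rf "$target"               # quoted: the prefPane path contains spaces
        echo "removed $target"
    else
        echo "absent  $target"
    fi
}

# cleanup_nessus_agent ROOT: unlink (if the CLI is there), unload the daemon (live root only),
# then remove the agent tree, the preference pane and the unique /etc/tenable_tag identifier
cleanup_nessus_agent() {
    root="${1%/}"
    cli="$root/Library/NessusAgent/run/sbin/nessuscli"
    plist="Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist"
    if [ -x "$cli" ]; then
        "$cli" agent unlink --force || echo "unlink failed or agent was not linked"
    fi
    if [ -z "$root" ] && [ -f "/$plist" ]; then
        launchctl unload "/$plist"     # only touch launchd when operating on the live system
    fi
    remove_if_present "$root" "$plist"
    remove_if_present "$root" "Library/NessusAgent"
    remove_if_present "$root" "Library/PreferencePanes/Nessus Agent Preferences.prefPane"
    remove_if_present "$root" "etc/tenable_tag"
}

# Stand-alone use: sh cleanup_nessus.sh /   (no argument: do nothing, so sourcing is safe)
if [ -n "${1:-}" ]; then
    cleanup_nessus_agent "$1"
fi
```

Running it a second time only reports "absent" lines, so it is safe to put in front of every reinstall policy; the reinstall and relink steps stay in the policy that follows it.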
Posted on 02-16-2021 11:48 AM
Hello,
Are there any updates in deployment version 8.2.2, recommendations, please?
UPD. Nessus Version EA returns: Agent) 8.2.2 [build
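An added example (not code from the thread) of a Version EA that does not depend on field positions: it pulls the dotted version out of whatever text follows the `(Nessus)` or `(Nessus Agent)` label, so it reports `8.2.2` rather than `Agent) 8.2.2 [build` for output like the one above, and it still works for the v7 layout handled by chriso's script. The two sample lines are constructed from the formats described in this thread, not captured output; the function names and the `NESSUSCLI` override are this example's own.

```shell
#!/bin/sh
# Added example: Nessus Agent version EA that tolerates both the "(Nessus) 7.x" and the
# "(Nessus Agent) 8.x+" labels instead of counting awk fields.
NESSUSCLI="${NESSUSCLI:-/Library/NessusAgent/run/sbin/nessuscli}"

# Constructed sample lines in the two layouts described in this thread (not captured output)
SAMPLE_V7='nessuscli (Nessus) 7.4.0 [build 20094]'
SAMPLE_V8='nessuscli (Nessus Agent) 8.2.2 [build 20011]'

# parse_nessus_version LINE -> dotted version (e.g. 8.2.2), or nothing if no label is found
parse_nessus_version() {
    printf '%s\n' "$1" | sed -n 's/.*(Nessus[^)]*)[[:space:]]*\([0-9][0-9.]*\).*/\1/p'
}

# parse_nessus_build LINE -> the number inside "[build NNNNN]", or nothing
parse_nessus_build() {
    printf '%s\n' "$1" | sed -n 's/.*\[build[[:space:]]*\([0-9][0-9]*\)].*/\1/p'
}

# nessus_version_ea [CLI_PATH] -> the <result>...</result> line Jamf stores for the EA
nessus_version_ea() {
    cli="${1:-$NESSUSCLI}"
    if [ ! -x "$cli" ]; then
        echo "<result>Not Installed</result>"
        return 0
    fi
    line=$("$cli" -v 2>/dev/null | head -n 1)
    ver=$(parse_nessus_version "$line")
    if [ -z "$ver" ]; then
        echo "<result>Unknown: ${line}</result>"   # keep the raw text so the format change is visible
    else
        echo "<result>${ver}</result>"
    fi
}

nessus_version_ea
```

Because the result is a bare version string, the Smart Groups from the original workflow can compare it with "like" or "is not" without the build suffix getting in the way; if Tenable changes the label again, the Unknown branch surfaces the raw line in inventory instead of silently reporting nothing.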
Posted on 10-04-2022 09:28 AM
So I am having a bit of a problem getting this Linked. I've done the following:
Mounted the Nessus Agent DMG from the Tenable website.
Pulled the hidden file ".NessusAgent.pkg" out of the DMG and placed it where I wanted.
Renamed it (NessusAgent_v_10_3_0.pkg)
Uploaded the PKG to my console.
I added the install script:
# This works: it installs and then it launches a webpage
installer -pkg ./NessusAgent_v_10_3_0.pkg -target /
#Post-Install script:
/Library/Nessus/run/sbin/nessuscli agent link --key=(I removed key for post purposes) --groups=MACs --cloud --host=cloud.tenable.com
# I tried running this via a terminal and I get errors:
Could not open /Library/Nessus/run/var/nessus/master.key - Permission denied
Error: Command '--key=Remove key for purposes of this post' not found
I am not sure what I am doing wrong here, any help would be very appreciated.
Posted on 10-04-2022 09:45 AM
Have you tried using sudo if you're attempting via the terminal?
I'd switch user if you aren't attempting this through the admin side of things on the machine itself (you can do this via terminal as well).