Tenable Nessus Agent Certificate to sign package is not trusted

arekdreyer
Contributor

If anyone runs into this when trying to install the Nessus Agent with Jamf Pro:

Installation failed. The installer reported: installer: Package name is Tenable Nessus Agent installer: Certificate used to sign package is not trusted. Use -allowUntrusted to override.

I have a fix. Thanks to Bartłomiej Sojka for pointing out that it's a hard link, and suggesting the solution.

It’s the package downloaded directly from the vendor https://www.tenable.com/downloads/nessus-agents, in the section Nessus Agents - 7.4.3, NessusAgent-7.4.3.dmg

I think the visible package in the disk image is actually a hard link to a hidden package in the disk image, named .NessusAgent.pkg.

I have no idea why.

Here is me using “ls -la” to get a long listing of all the files, even hidden files, in the disk image:

MacBookPro:Nessus Agent Install ladmin$ ls -la
total 28120
drwxr-xr-x   5 ladmin  staff       238 Sep 10 16:11 .
drwxr-xr-x+  4 root    wheel       128 Oct 31 19:55 ..
-rw-r--r--   1 ladmin  staff  14357839 Sep 10 16:11 .NessusAgent.pkg
d-wx-wx-wt   2 ladmin  staff        68 Sep 10 16:11 .Trashes
-rw-r--r--   1 ladmin  staff     34145 Sep 10 16:11 Install Nessus Agent.pkg

That “14357839” is the size of the hidden package - it’s much bigger than the visible package.

The good news is that the fix is to copy the hidden item to your Downloads folder (as an example), then upload that package to Jamf Pro:

  1. Open the disk image.
  2. In Terminal, use the command:

cp "/Volumes/Nessus Agent Install/.NessusAgent.pkg" ~/Downloads/"Install Nessus Agent.pkg"

  3. Eject the disk image.
  4. Upload ~/Downloads/Install Nessus Agent.pkg to Jamf Pro.
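As an added example (not code from this thread, from Tenable, or from Jamf), here is the copy step above turned into a checked procedure: it mounts the DMG without showing it in the Finder, picks the largest .pkg on the volume (hidden names included, which is what the ls -la listing reveals), verifies the package's signature with pkgutil --check-signature before staging it for upload, and unmounts. The DMG layout, file names and destination folder come from the thread; the function names, the size-based selection and the "Developer ID Installer" string it looks for are my assumptions. hdiutil and pkgutil exist only on macOS, so the functions that call them run only when a DMG path and destination folder are given on the command line.

```sh
#!/bin/sh
# Added example (not from the thread): pull the real installer out of the
# Tenable DMG, verify its signature, and stage it for upload to Jamf Pro.
# Assumed DMG layout (as described in the thread): a small visible
# "Install Nessus Agent.pkg" beside a large hidden ".NessusAgent.pkg".
set -u

# Print the path of the largest .pkg in a directory, hidden ones included.
# A dot-prefixed name is not matched by "*", so both patterns are tried.
pick_largest_pkg() {
    dir=$1
    best=""
    best_size=-1
    for f in "$dir"/*.pkg "$dir"/.*.pkg; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -gt "$best_size" ]; then
            best=$f
            best_size=$size
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Copy a package into DESTDIR. Without NEWNAME the original file name is
# kept (leading dot included); with NEWNAME it is renamed. Prints the result.
stage_pkg() {
    src=$1; destdir=$2; newname=${3:-$(basename "$src")}
    mkdir -p "$destdir" || return 1
    cp "$src" "$destdir/$newname" || return 1
    printf '%s\n' "$destdir/$newname"
}

# macOS only: require a Developer ID Installer signature before deploying,
# instead of bypassing the trust check with "installer -allowUntrusted".
# (Assumption: the vendor package is Developer ID signed.)
verify_pkg_signature() {
    pkgutil --check-signature "$1" | grep -q 'Developer ID Installer'
}

# macOS only: mount the DMG read-only and unbrowsed, extract and verify the
# installer, then detach the volume whatever the outcome.
extract_from_dmg() {
    dmg=$1; destdir=$2
    mnt=$(mktemp -d /tmp/nessus-dmg.XXXXXX) || return 1
    hdiutil attach -nobrowse -readonly -quiet -mountpoint "$mnt" "$dmg" || return 1
    rc=1
    if pkg=$(pick_largest_pkg "$mnt"); then
        echo "Candidate installer: $pkg"
        if verify_pkg_signature "$pkg"; then
            staged=$(stage_pkg "$pkg" "$destdir") && rc=0
            echo "Staged signed package at: $staged"
        else
            echo "Refusing to stage $pkg: signature check failed" >&2
        fi
    else
        echo "No .pkg found in $dmg" >&2
    fi
    hdiutil detach -quiet "$mnt"
    return "$rc"
}

# Usage: sh extract_nessus_pkg.sh NessusAgent-7.4.3.dmg ~/Downloads
if [ "$#" -eq 2 ]; then
    extract_from_dmg "$1" "$2"
fi
```

Selecting by size rather than by name means the script keeps working if the visible wrapper or the hidden installer is renamed in a later release. Pass a third argument to stage_pkg if you want a visible or versioned file name; by default it keeps the name the package had on the DMG.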

19 REPLIES

Stubakka
Contributor II

Thank you so much! I'm trying this out now. Edit: worked perfectly, thank you!

tlarkin
Honored Contributor

Yeah I have had many problems with Nessus and you hit the nail on the head. Mount the DMG and find the hidden package and use that instead. I have opened up cases with them about this and also told them that their scripts in their package are no longer supported in flat packages.

I have learned more about Nessus than I ever intended to

jorge_
New Contributor III

When packaging Nessus, do we need to extract the hidden .NessusAgent.pkg file, import that into Composer, then edit the 'postinstall' script that is already there? It looks like there is already a script when I import it; this is what it contains:

#!/bin/sh

chown -R root:admin /Library/NessusAgent/run/
chmod a-w /Library/NessusAgent/run/lib/lib

killall -9 nessusd
/bin/launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
chmod 0644 /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
/Library/NessusAgent/run/sbin/nessuscli install /Library/NessusAgent/run/var/nessus/plugins-core.tar.gz
/bin/launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
sleep 10

exit 0

I'd like to include my switches but I'm not sure how to include them in that pre-existing script.

These are the settings I'd like to include with my installation: # /Library/NessusAgent/run/sbin/nessuscli agent link --key=XXXXXXXXXXXXXXXXXX --groups=MACS --host=host.domain.com --port=8834

Whenever I try to add this, I get an unsupported script error message. I'm wondering if anyone has the instructions for deploying the Nessus agent and including group, key, host and port in the config.

Not sure how relevant this is to anyone, but I created a NessusRelink.sh script that unloads Nessus, pings once to make sure the server is there, then adds the machine to our link, drops it into our scan groups, & reloads Nessus. I also run this after a fresh Nessus install to link.

Here's an edited version: (if you use it, please leave credit to us) [Replace the *.*.*.* host with your Nessus Scan Manager Server, the port ****, your link key xxxxxxxxxxxx, and your groups xxxxx xxxxxx xxxxxxx]

--------------------------------------------------

#!/bin/sh
# Created by Charles Archibald with help from Hieu Simms
# Modified by John Daly
# Relinks Nessus Agent to new Host:

# Check whether the Nessus machine is online; if it is, pingcheck is non-empty
pingcheck=$(ping -c 1 *.*.*.* | grep "1 packets received")

if [ "$pingcheck" != "" ] ; then
    launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist

    rm -rf /private/etc/tenable_tag

    /Library/NessusAgent/run/sbin/nessuscli agent link --key=xxxxxxxxxxxx --host=*.*.*.* --port=**** --groups="xxxxx","xxxxxx","xxxxxxx"

    launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
else
    echo "Server is Down"
fi

msiedenburg
New Contributor II

Stumbled on this post while figuring out this silly certificate trust issue. Thanks! I would have never thought to check the DMG for a hidden pkg. Why, Tenable?!

@jorge.blandon Why not have a script run in your policy that installs the package? You could even pass different groups as a parameter. Just set it to run "After" the package step.
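An added example (not code from jorge_, msiedenburg, Tenable or Jamf) of the approach msiedenburg describes: a policy script, set to run After the package payload, that reads the link key, host, port and groups from Jamf Pro script parameters instead of editing the postinstall inside the package. Jamf Pro passes script parameters as $4 through $11; the parameter order used here ($4 key, $5 host, $6 port, $7 groups) is my choice. The nessuscli agent link flags and the /Library/NessusAgent/run/sbin/nessuscli path are the ones quoted in jorge_'s post; the function names, the parameter validation and the nessuscli agent status call at the end are mine.

```sh
#!/bin/sh
# Added example (not from the thread): Jamf Pro "After" script that links a
# freshly installed Nessus Agent using policy parameters.
# Assumed parameters: $4 link key, $5 host, $6 port, $7 groups (comma list).
set -u

NESSUSCLI=/Library/NessusAgent/run/sbin/nessuscli

# Check the parameters before touching the agent. Prints "ok", or a reason
# and returns 1 on the first problem. The key is never echoed.
validate_link_args() {
    key=$1; host=$2; port=$3; groups=$4
    case $key in
        ""|*[[:space:]]*) echo "key must be a single non-empty token"; return 1 ;;
    esac
    case $host in
        ""|*[[:space:]/]*) echo "host must be a hostname or IP without spaces"; return 1 ;;
    esac
    case $port in
        ""|*[!0-9]*) echo "port must be numeric"; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port"; return 1
    fi
    case $groups in
        *" "*|*",,"*) echo "groups must be comma-separated with no spaces"; return 1 ;;
    esac
    echo "ok"
}

# Wait up to about 60 s for the package's files to be in place; the package's
# own postinstall loads the LaunchDaemon, this script only links afterwards.
wait_for_agent() {
    i=0
    while [ ! -x "$NESSUSCLI" ] && [ "$i" -lt 12 ]; do
        sleep 5; i=$((i + 1))
    done
    [ -x "$NESSUSCLI" ]
}

# Run the link command; --groups is only added when a group list was given.
link_agent() {
    key=$1; host=$2; port=$3; groups=$4
    if [ -n "$groups" ]; then
        "$NESSUSCLI" agent link --key="$key" --host="$host" --port="$port" --groups="$groups"
    else
        "$NESSUSCLI" agent link --key="$key" --host="$host" --port="$port"
    fi
}

# Jamf invokes scripts as: script <mountpoint> <computer> <user> $4 $5 ...
if [ "$#" -ge 6 ]; then
    msg=$(validate_link_args "$4" "$5" "$6" "${7:-}")
    if [ "$msg" != "ok" ]; then
        echo "Parameter error: $msg" >&2; exit 1
    fi
    wait_for_agent || { echo "nessuscli not found at $NESSUSCLI" >&2; exit 1; }
    if link_agent "$4" "$5" "$6" "${7:-}"; then
        "$NESSUSCLI" agent status      # report the link result in the policy log
    else
        echo "nessuscli agent link failed" >&2; exit 1
    fi
fi
```

Because the parameters live in the policy rather than in the script body, the same script can be reused across policies that target different agent groups, and the linking key does not have to be baked into a package that every admin can open.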

PCDoc
New Contributor

This did not work for me. Am I missing a step? I followed your steps to the T.

tlarkin
Honored Contributor

Mount the installer DMG and open Terminal:

% cd "/Volumes/Nessus Agent Install"
% ls -al
total 32696
drwxr-xr-x  4 tlarkin  staff       204 Aug  4 20:09 .
drwxr-xr-x  6 root     wheel       192 Aug 31 20:56 ..
-rw-r--r--  1 tlarkin  staff  16658522 Aug  4 20:09 .NessusAgent.pkg
-rw-r--r--  1 tlarkin  staff     75703 Aug  4 20:09 Install Nessus Agent.pkg

See the .NessusAgent.pkg? That is the actual installer. Now we can cp the pkg to the Desktop or wherever and then mv it to rename it. Remember, all . files are invisible to the Finder.

cp .NessusAgent.pkg ~/Desktop && mv ~/Desktop/.NessusAgent.pkg ~/Desktop/NessusAgent.pkg

Now you should see it on your Desktop. From here you can rename it in the Finder if you want to add, say, _version to the PKG.

prbsparx
Contributor II

Anyone bugged Tenable about this?
I'll nag them about it on my end. Recommend others do the same.

scheb
New Contributor III

Looks like the only reason they wrap it is for the license, logo, and readme <sigh>. I stumbled upon the hidden .pkg in their install guide (but should have checked here first). I shouldn't have to do that. Software is supposed to be self-explanatory. <sigh>

Mac_User_
New Contributor III

2 years later and this fix still holds true! I was able to unhide the real .NessusAgent.pkg by removing the . from its name, uploaded it into Jamf Pro and successfully rolled out the agent afterwards. Thanks @arekdreyer

davidi4
Contributor

Developers who fail to follow simple rules for app packaging should be shamed out of business... especially for stupid things like this.


<<edit>> Looks like they learned their lesson, as 10.2.0 has a normal pkg file inside the dmg. I withdraw my previous comment

<<edit2>> I take back my take back, they did an even dumber thing by putting a dummy visible pkg in there, fool me once, shame on me

Thanks to the OP for the fix for this 

mfletch
New Contributor III

Thank you @arekdreyer and @tlarkin, this was super helpful!

vladmech
New Contributor II

Just wanted to swing through and say this 100% saved my bacon. I've been beating my head against automating the Nessus agent install/register for a week now and Tenable has been spectacularly unhelpful, no mention at all of this hidden file. Popped this in and everything cruised right through, thank you so much!

sparrowhawk
New Contributor III

I'm hoping one of the JAMF community can help me on this one. Following the recent bug affecting the v10.8.0 and 10.8.1 Nessus agents, I have several Macs that need the Nessus agent updating to v10.8.2. I've pulled the hidden pkg file off the dmg and tried installing it using my existing policy that has been working fine for months. But the install is failing with the same error that we got when using the visible file, i.e. "Certificate used to sign package is not trusted. Use -allowUntrusted to override.".
I went to raise a support case with Tenable, and was directed to a KB article which references this very thread as a possible solution :-D  Tenable won't provide any support as deployment of the agent is "system admin" work.
Does anyone have any suggestions? I could create a script to copy the pkg to the endpoint and run the installer with the argument mentioned in the error. Has anyone done that?

Thanks


mfletch
New Contributor III

It sounds like you're already doing this, but if not, these are the instructions I created a year or more ago so I would remember what to do next time I had to create a nessus package, or if I left the next guy could do it. I just ran through it the other day to update to 10.8.2 and it worked, so hopefully it will work for you as well. Also, be sure the script you have in your policy is set to run After.

Preparing NessusAgent.pkg


  1. Perform the following steps on a macOS device running the latest version of macOS.
  2. Once you have the Nessus Agent (NessusAgent-10.4.4.dmg) downloaded, mount it by double-clicking it. You should then see a “Nessus Agent Install” volume on your Desktop.
  3. Open Terminal (command+spacebar, then type Terminal and hit return for Terminal to open). Within Terminal, type in the first command as seen in the screenshot below and hit return; it should run. Take note if you receive any errors; if so, your syntax may need to be adjusted. When it finishes, type in the second command and hit return, and again look for any errors and adjust as needed. If you receive no errors, your screen should look similar to what is seen below, and you are ready to move to step 4.


[screenshot: mfletch_0-1736428215241.png]


  4. Note in the screenshot above that you now have a dot before NessusAgent.pkg. This means the .pkg is hidden, so we need to copy the .pkg to your Desktop and rename it to remove the dot before the name to unhide it. Within Terminal, now run the command seen below.

[screenshot: mfletch_1-1736428215242.png]


sparrowhawk
New Contributor III

Hi @mfletch, yes, that's what I've done. I just tried putting our original Nessus installer (v10.2) back into the policy payload and it installs fine. As I said, we've never had to jump through all the hoops that others on this thread have had to. Maybe we were just lucky with the first version we deployed? We've never updated the pkg as we have Nessus do that for us.

While I cannot offer you a solution, I can say that I am doing the exact same thing as you are and am encountering the error as well.  Following the steps in this KB does not solve it with 10.8.2, at least on Sequoia which is the only OS I have tested so far.

I seem to have gotten it working.  I had to upload the hidden pkg to JAMF with the same name that it had in the .dmg (.NessusAgent.pkg).  Previously I had been renaming the file so I had some version info in the name.

Interesting, I'll give that a try.

I've found that installing 10.2 and have Tenable automatically update to 10.8.2 after 24 hours works as well.