Tenable Nessus Agent Certificate to sign package is not trusted

arekdreyer
Contributor

If anyone runs into this when trying to install the Nessus Agent with Jamf Pro:

Installation failed. The installer reported: installer: Package name is Tenable Nessus Agent installer: Certificate used to sign package is not trusted. Use --allow Untrusted to overwrite.

I have a fix. Thanks to Bartłomiej Sojka for pointing out that it's a hard link, and suggesting the solution.

It’s the package downloaded directly from the vendor https://www.tenable.com/downloads/nessus-agents, in the section Nessus Agents - 7.4.3, NessusAgent-7.4.3.dmg

I think the visible package in the disk image is actually a hard link to a hidden package in the disk image, named .NessusAgent.pkg.

I have no idea why.

Here is me using “ls -la” to get a long listing of all the files, even hidden files, in the disk image:

MacBookPro:Nessus Agent Install ladmin$ ls -la
total 28120
drwxr-xr-x  5 ladmin staff      238 Sep 10 16:11 .
drwxr-xr-x+ 4 root   wheel      128 Oct 31 19:55 ..
-rw-r--r--  1 ladmin staff 14357839 Sep 10 16:11 .NessusAgent.pkg
d-wx-wx-wt  2 ladmin staff       68 Sep 10 16:11 .Trashes
-rw-r--r--  1 ladmin staff    34145 Sep 10 16:11 Install Nessus Agent.pkg

That “14357839” is the size of the hidden package - it’s much bigger than the visible package.

The good news is that the fix is to copy the hidden item to your Downloads folder (as an example), then upload that package to Jamf Pro:
Open the disk image
In Terminal, use the command:

cp "/Volumes/Nessus Agent Install/.NessusAgent.pkg" ~/Downloads/"Install Nessus Agent.pkg"

Eject the disk image
Upload ~/Downloads/Install Nessus Agent.pkg to Jamf Pro
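
The copy step above as a reusable script, added here as an example and not part of the original post. It picks the largest .pkg on the mounted volume (an assumption based on the listings in this thread), copies it under a visible name, and runs pkgutil --check-signature on the copy where pkgutil is available. The function names largest_pkg and stage_pkg are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): stage the real installer from a
# mounted vendor disk image before uploading it to Jamf Pro.

# Print the largest .pkg in directory $1, hidden files included.
# Assumption: the real installer is the biggest package on the volume, as in
# the listings in this thread. Returns non-zero if no package is found.
largest_pkg() {
    best=""; best_size=-1
    for f in "$1"/*.pkg "$1"/.*.pkg; do
        [ -f "$f" ] || continue            # skip unmatched globs and directories
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -gt "$best_size" ]; then best=$f; best_size=$size; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Copy the package found in $1 into directory $2 with the leading dot removed,
# then check the copy's signature where pkgutil exists (macOS).
# Prints the staged path; returns non-zero if any step reports a problem.
stage_pkg() {
    src=$(largest_pkg "$1") || { echo "no .pkg found in $1" >&2; return 1; }
    dest="$2/$(basename "$src" | sed 's/^\.//')"
    cp "$src" "$dest" || return 1
    if command -v pkgutil >/dev/null 2>&1; then
        pkgutil --check-signature "$dest" >&2 || return 1
    fi
    printf '%s\n' "$dest"
}

# Typical use on a Mac with the disk image mounted:
#   stage_pkg "/Volumes/Nessus Agent Install" "$HOME/Downloads"
```

Upload the path that stage_pkg prints, not the visible package on the disk image.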


Stubakka
Contributor II

Thank you so much! I'm trying this out now. Edit: worked perfectly, thank you!

tlarkin
Honored Contributor

Yeah I have had many problems with Nessus and you hit the nail on the head. Mount the DMG and find the hidden package and use that instead. I have opened up cases with them about this and also told them that their scripts in their package are no longer supported in flat packages.

I have learned more about Nessus than I ever intended to

jorge_
New Contributor III

When packaging Nessus, do we need to extract the hidden .NessusAgent.pkg file, import that into Composer, then edit the 'postinstall' script that is already there? It looks like there is already a script when I import it; this is what it contains:

#!/bin/sh

chown -R root:admin /Library/NessusAgent/run/
chmod a-w /Library/NessusAgent/run/lib/lib

killall -9 nessusd
/bin/launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
chmod 0644 /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
/Library/NessusAgent/run/sbin/nessuscli install /Library/NessusAgent/run/var/nessus/plugins-core.tar.gz
/bin/launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
sleep 10

exit 0

I'd like to include my switches, but I'm not sure how to include them in that pre-existing script.

These are the settings I'd like to include with my installation: # /Library/NessusAgent/run/sbin/nessuscli agent link --key=XXXXXXXXXXXXXXXXXX --groups=MACS --host=host.domain.com --port=8834

Whenever I try to add this, I get an unsupported script error message. Wondering if anyone has the instructions for deploying the Nessus agent and including the group, key, host and port in the config.

Not sure how relevant this is to anyone, but I created a NessusRelink.sh script that unloads Nessus, pings once to make sure the server is there, then adds the machine to our link, drops it into our scan groups, & reloads Nessus. I also run this after a fresh Nessus install to link.

Here's an edited version: (if you use, please leave credit to us) [Replace the *.*.*.* host with your Nessus Scan Manager Server, the port ****, your link xxxxxxxxxxxx, & your groups xxxxx xxxxxx xxxxxxx]

--------------------------------------------------

#!/bin/sh
# Created by Charles Archibald with help from Hieu Simms
# Modified by John Daly
# Relinks Nessus Agent to new Host:

pingcheck=`ping -c 1 *.*.*.* | grep "1 packets received"`

# Check to see if the Nessus machine is online; if it is, there will be something in pingcheck
if [ "$pingcheck" != "" ] ; then
    launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
    rm -rf /private/etc/tenable_tag
    /Library/NessusAgent/run/sbin/nessuscli agent link --key=xxxxxxxxxxxx --host=*.*.*.* --port=**** --groups="xxxxx","xxxxxx","xxxxxxx"
    launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
else
    echo "Server is Down"
fi

msiedenburg
New Contributor II

Stumbled on this post while figuring out this silly certificate trust issue. Thanks! I would have never thought to check the DMG for a hidden pkg. Why, Tenable?!

@jorge.blandon Why not have a script run in your policy that installs the package? You could even pass different groups as a parameter. Just set it to run "After" the package step.

PCDoc
New Contributor

This did not work for me. Am I missing a step? I followed your steps to the T.

tlarkin
Honored Contributor

Mount the installer DMG and open Terminal:

% cd "/Volumes/Nessus Agent Install"
% ls -al
total 32696
drwxr-xr-x  4 tlarkin  staff       204 Aug  4 20:09 .
drwxr-xr-x  6 root     wheel       192 Aug 31 20:56 ..
-rw-r--r--  1 tlarkin  staff  16658522 Aug  4 20:09 .NessusAgent.pkg
-rw-r--r--  1 tlarkin  staff     75703 Aug  4 20:09 Install Nessus Agent.pkg

See the .NessusAgent.pkg? That is the actual installer. Now we can cp the pkg to the Desktop or whatever and then mv it to rename it. Remember, all . files are invisible to the Finder

cp .NessusAgent.pkg ~/Desktop && mv ~/Desktop/.NessusAgent.pkg ~/Desktop/NessusAgent.pkg

Now you should see it on your Desktop. From here you can rename it in the Finder if you want to add, say, _version to the PKG.

prbsparx
Contributor II

Anyone bugged Tenable about this?
I'll nag them about it on my end. Recommend others do the same.

scheb
New Contributor III

Looks like the only reason they wrap it is for the license, logo, and readme <sigh>. I stumbled upon the hidden .pkg in their install guide (but should have checked here first). I shouldn't have to do that. Software is supposed to be self-explanatory. <sigh>

Mac_User_
New Contributor III

2 years later and this fix still holds true! I was able to unhide the real .NessusAgent.pkg and remove the . from it to unhide, uploaded it into Jamf Pro and successfully rolled out the agent after. Thanks @arekdreyer

davidi4
Contributor

Developers who fail to follow simple rules for app packaging should be shamed out of business... especially for stupid things like this.

 

<<edit>> Looks like they learned their lesson, as 10.2.0 has a normal pkg file inside the dmg. I withdraw my previous comment

<<edit2>> I take back my take back, they did an even dumber thing by putting a dummy visible pkg in there, fool me once, shame on me

Thanks to the OP for the fix for this 

mfletch
New Contributor III

Thank you @arekdreyer and @tlarkin, this was super helpful!

vladmech
New Contributor II

Just wanted to swing through and say this 100% saved my bacon. I've been beating my head against automating the Nessus agent install/register for a week now and Tenable has been spectacularly unhelpful, no mention at all of this hidden file. Popped this in and everything cruised right through, thank you so much!