Tenable Blog

Using Nessus 3 for OS X Configuration Auditing

Nessus 3 users who have subscribed to the Direct Feed service can audit the configurations of many OSes, including OS X. This blog entry will show the basic configuration of an OS X device to allow auditing by Nessus 3.

Configuring Remote Auditing for OS X

The first step to auditing an OS X system with Nessus is to allow remote SSH access. To do this, as an administrator of the OS X system, enable "Remote Login" under Sharing, as shown below:

[Screenshot: enabling "Remote Login" under Sharing]

By default, your firewall settings should allow inbound SSH to the OS X system. If you've modified your firewall configuration to stop SSH or block certain IP addresses, this may affect your Nessus scanning.

Next, you must create a user account and configure it for key-based SSH access from Nessus.

Note: Nessus also supports username and password SSH authentication, but that requires the same username and password combination on every system you scan, so we recommend creating shared SSH keys instead.

Add an "audit" account as shown below:

[Screenshot: creating the "audit" account]

At the command line, copy the SSH public key you've created for your Nessus scanner into the audit account's home .ssh folder.

You will likely need to create the hidden .ssh directory as well as set the permissions of the directory as indicated in the "Nessus Credentials Checks for UNIX and Windows" paper.

Since we are on OS X, these commands need to be run with administrator privileges, which requires the sudo command.
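The key-installation steps above, written out as a small POSIX shell script. This is an added example and not part of the original post; the account name "audit" with home directory /Users/audit, the key path /tmp/nessus_key.pub, and the script filename install_key.sh are assumptions. The functions take the home directory as an argument so the logic can be exercised against any directory without root; the sudo commands for the real OS X host are shown in the trailing comments.

```shell
#!/bin/sh
# Added example (not from the original post): install a Nessus scanner's SSH
# public key for the "audit" account and verify the permissions sshd expects.
# Assumptions: the account is "audit" with home /Users/audit, and the scanner's
# public key has already been copied to /tmp/nessus_key.pub on the OS X host.

# install_nessus_key HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh with mode 700 and appends PUBKEY_FILE to
# HOME_DIR/.ssh/authorized_keys, which is then set to mode 600.
install_nessus_key() {
  home_dir="$1"
  pubkey="$2"
  ssh_dir="$home_dir/.ssh"
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  # append rather than overwrite so any keys already present survive
  cat "$pubkey" >> "$ssh_dir/authorized_keys"
  chmod 600 "$ssh_dir/authorized_keys"
}

# verify_ssh_perms HOME_DIR
# Returns 0 only if .ssh is drwx------ and authorized_keys is -rw-------.
# sshd with StrictModes (the default) silently ignores the key file when the
# directory or file is group- or world-writable, which shows up in Nessus as
# a plain authentication failure, so check this before scanning.
verify_ssh_perms() {
  ssh_dir="$1/.ssh"
  [ "$(ls -ld "$ssh_dir" | cut -c1-10)" = "drwx------" ] || return 1
  [ "$(ls -l "$ssh_dir/authorized_keys" | cut -c1-10)" = "-rw-------" ] || return 1
  return 0
}

# On the OS X host, run as an administrator via sudo, then hand the directory
# to the audit account so sshd accepts it (assumes this file is install_key.sh):
#   sudo sh -c '. ./install_key.sh; install_nessus_key /Users/audit /tmp/nessus_key.pub'
#   sudo chown -R audit /Users/audit/.ssh
#   sudo sh -c '. ./install_key.sh; verify_ssh_perms /Users/audit' && echo "permissions OK"
```

The chown step matters as much as the chmod steps: when the directory is created via sudo it is owned by root, and sshd rejects an authorized_keys file whose owner is neither the login user nor root's own account for that user.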

Configuring Nessus 3 for Windows to Audit OS X

To then scan the OS X system, create a scan policy that uses the credentials you just set up and specifies a UNIX compliance .audit file. Each Nessus client is slightly different; below is a screenshot of how Nessus 3.0.4 can be configured to audit an OS X system:

[Screenshot: Nessus 3.0.4 scan policy with SSH credentials and a .audit file]

Note that the SSH username ("nessus") for the OS X server has been specified, as well as both the public and private SSH keys (which are blocked out once loaded). To configure a .audit file, obtain one from the "Nessus 3 Agent-less Compliance Checks" web site and download it to the system where your Nessus client is running.
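For readers who have not seen one, here is what a UNIX compliance .audit file looks like. This is an added illustrative fragment, not one of Tenable's published .audit files: the two checks, their descriptions, and the /etc/sshd_config path (which varies between OS X releases) are assumptions chosen to show the FILE_CHECK and FILE_CONTENT_CHECK item types.

```text
# Added illustrative .audit fragment (not a Tenable-published file).
# Assumption: sshd's configuration lives at /etc/sshd_config on this OS X release.
<check_type:"Unix">

<custom_item>
 type        : FILE_CHECK
 description : "sshd configuration is owned by root and not world-writable"
 file        : "/etc/sshd_config"
 owner       : "root"
 mode        : "644"
</custom_item>

<custom_item>
 type        : FILE_CONTENT_CHECK
 description : "sshd does not permit direct root login"
 file        : "/etc/sshd_config"
 regex       : "^PermitRootLogin"
 expect      : "^PermitRootLogin[[:space:]]+no"
</custom_item>

</check_type>
```

Each custom_item is reported as compliant or non-compliant on its own, which is why the results screens later in this post list items individually; a FILE_CHECK compares ownership and mode, while a FILE_CONTENT_CHECK selects matching lines with regex and then requires them to satisfy expect.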

Configuring the Security Center to audit OS X Systems

Under the Security Center, auditing an OS X system is no different from auditing any other UNIX system.

First, create a vulnerability policy that specifies credentials for the target OS X system(s). Second, configure that same vulnerability policy with the desired .audit tests to be performed.

Note: The Security Center can also maintain separate credentials per asset group, which override the credentials in the vulnerability policy.

After running a scan, OS X compliance results will look similar to the screenshots below:

[Screenshots: Security Center results summary, compliant results, and non-compliant results]

Moving Forward

The National Security Agency has published a guide for hardening OS X systems. Tenable will be releasing a .audit file for Nessus 3 that performs configuration analysis specific to OS X servers. Since OS X is based on UNIX, though, many of the current .audit files already produce very good results.

If this sort of auditing is interesting to you, please feel free to contact Tenable's sales staff to inquire about the Direct Feed or the Security Center. Tenable has also made a video demonstration of Nessus 3 performing configuration audits available to the public.
