Authentication on Unix and related targets: best practices
For scanning Unix and related systems such as Linux, it is possible to scan for most vulnerabilities without root access. You will need root access for a few vulnerability checks, and for many policy checks. If you plan to scan with a non-root user, you need to make sure the account has the permissions specified below, and be aware that the non-root user will not find certain checks. The following sections contain guidelines for what to configure and what can only be found with root access. Due to the complexity of the checks and the fact that they are updated frequently, this list is subject to change.
To ensure near-comprehensive vulnerability coverage when scanning as a non-root user, you need to do one of the following:
- Elevate permissions so that you can run commands as root without using an actual root account.
- Configure your systems such that your non-root scanning user has permissions on specified commands and directories.
The following sections describe the configuration for these options.
Configuring your scan environment to support permission elevation
One way to elevate scan permissions without using a root user or performing a custom configuration is to use permission elevation, such as sudo or pbrun. These options require specific configuration (for instance, for pbrun, you need to whitelist the user's shell), but do not require you to customize permissions as described in Commands the application runs below.
Commands the application runs
The following section contains guidelines for what commands the application runs when scanning. The vast majority of these commands can be run without root. As indicated above, this list is subject to change as new checks are added.
The majority of the commands are required for one of the following:
- getting the version of the operating system
- getting the versions of installed software packages
- running policy checks implemented as shell scripts
The application expects that the commands are part of the $PATH variable and there are no non-standard $PATH collisions.
The following commands are required for all Unix/Linux distributions:
ifconfig
java
sha1
sha1sum
md5
md5sum
awk
grep
egrep
cut
id
ls
unzip
InsightVM will attempt to scan certain files, and will be able to perform the corresponding checks if the user account has the appropriate access to those files. The following is a list of files or directories that the account needs to be able to access:
/etc/group
/etc/passwd
grub.conf
menu.lst
lilo.conf
syslog.conf
/etc/permissions
/etc/securetty
/var/log/postgresql
/etc/hosts.equiv
.netrc
/, /dev, /sys, and /proc
/home
/var
/etc
/etc/master.passwd
sshd_config
For Linux, the application needs to read the following files, if present, to determine the distribution:
/etc/debian_release
/etc/debian_version
/etc/redhat-release
/etc/redhat_version
/etc/os-release
/etc/SuSE-release
/etc/fedora-release
/etc/slackware-release
/etc/slackware-version
/etc/system-release
/etc/mandrake-release
/etc/yellowdog-release
/etc/gentoo-release
/etc/UnitedLinux-release
/etc/vmware-release
/etc/slp.reg
/etc/oracle-release
On any Unix or related variants (such as Ubuntu or OS X), there are specific commands the account needs to be able to perform in order to run specific checks. These commands should be whitelisted for the account.
The account needs to be able to perform the following commands for certain checks:
cat
find
mysqlaccess
mysqlhotcopy
sh
sysctl
dmidecode
perlsuid
apt-get
rpm
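The command and file lists above are the inputs a scanning account has to satisfy, so the practical question is whether a given non-root account on a given target actually satisfies them before a scan is scheduled. The following pre-flight script is an added example, not Rapid7's code: it takes the command list, the fixed-path entries from the file-access list, and the distribution release files from the documentation above, and reports what the account running it cannot resolve or read. The names `REQUIRED_COMMANDS`, `CHECK_COMMANDS`, `REQUIRED_FILES`, `DISTRIBUTION_FILES` and the functions are my own; the only assumption is that the script is run on the target as the intended scanning account.

```python
"""Pre-flight check for a non-root scanning account.

Added example, not Rapid7's code. Run it on the target as the account you
intend to scan with: it reports which required commands do not resolve on
$PATH, which required files exist but are unreadable by that account, and
which release file would be read to identify the Linux distribution. The
command and file lists are copied from the documentation above; the script
only reads, it changes nothing.
"""
import getpass
import os
import shutil

# Commands the documentation lists as required on every Unix/Linux distribution.
REQUIRED_COMMANDS = ["ifconfig", "java", "sha1", "sha1sum", "md5", "md5sum",
                     "awk", "grep", "egrep", "cut", "id", "ls", "unzip"]
# Commands the documentation lists as needed for certain checks only.
CHECK_COMMANDS = ["cat", "find", "mysqlaccess", "mysqlhotcopy", "sh", "sysctl",
                  "dmidecode", "perlsuid", "apt-get", "rpm"]
# Fixed-path entries from the file-access list (relative names such as
# grub.conf or sshd_config live in distribution-specific directories).
REQUIRED_FILES = ["/etc/group", "/etc/passwd", "/etc/securetty",
                  "/etc/hosts.equiv", "/etc/master.passwd", "/etc/permissions",
                  "/var/log/postgresql", "/", "/dev", "/sys", "/proc",
                  "/home", "/var", "/etc"]
# Release files the documentation says are read to determine the distribution.
DISTRIBUTION_FILES = ["/etc/debian_release", "/etc/debian_version",
                      "/etc/redhat-release", "/etc/redhat_version",
                      "/etc/os-release", "/etc/SuSE-release",
                      "/etc/fedora-release", "/etc/slackware-release",
                      "/etc/slackware-version", "/etc/system-release",
                      "/etc/mandrake-release", "/etc/yellowdog-release",
                      "/etc/gentoo-release", "/etc/UnitedLinux-release",
                      "/etc/vmware-release", "/etc/slp.reg",
                      "/etc/oracle-release"]


def missing_commands(commands, path=None):
    """Return the commands that shutil.which cannot find (on `path` if given)."""
    return [c for c in commands if shutil.which(c, path=path) is None]


def unreadable_files(paths):
    """Return the paths that exist but the current account cannot read."""
    return [p for p in paths if os.path.exists(p) and not os.access(p, os.R_OK)]


def distribution_file(candidates=DISTRIBUTION_FILES):
    """Return (path, first line) of the first readable release file, or None."""
    for p in candidates:
        if os.path.isfile(p) and os.access(p, os.R_OK):
            with open(p, encoding="utf-8", errors="replace") as fh:
                return p, fh.readline().strip()
    return None


def preflight():
    """Collect the checks above into one report for the current account."""
    return {
        "user": getpass.getuser(),
        "missing_required": missing_commands(REQUIRED_COMMANDS),
        "missing_check_only": missing_commands(CHECK_COMMANDS),
        "unreadable": unreadable_files(REQUIRED_FILES),
        "distribution": distribution_file(),
    }


if __name__ == "__main__":
    report = preflight()
    for key, value in report.items():
        print(f"{key}: {value}")
    # Non-zero exit when a required command or file is not usable by this account.
    raise SystemExit(1 if report["missing_required"] or report["unreadable"] else 0)
```

Whatever the report lists under `missing_required` or `unreadable` is exactly what has to be fixed on that host before the account is useful: either put the command on the account's `$PATH`, grant read access to the file, or cover it through the sudo/pbrun elevation described earlier. Entries under `missing_check_only` (for example `rpm` on a Debian system) only mean that the corresponding checks will be skipped.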
For the following types of distributions, the account needs execute permissions as indicated.
AIX
Root privileges are required in order to correctly run without false positive vulnerabilities being reported.
lslpp -cL (to list packages)
oslevel
emgr -l
Blue Coat
show version
Cisco
Required for operating system detection:
show version
The show version command is used on multiple Cisco platforms, including IOS, IOS-XE, IOS-XR, NX-OS and ASA.
Required for vulnerability scanning (configuration detection):
Cisco IOS:
show cip status
show interface
show iox
show running-config
show udp
Cisco IOS-XE:
show ap status
show avc sd-service info detailed
show bgp rpki servers
show cip status
show iox
show ip interface brief
show ip virtual-reassembly
show ipv6 mfib .*
show l2tp tunnel
show mdns-sd summary
show mpls interfaces
show platform hardware qfp active feature firewall runtime
show running-config
show sdwan appqoe status
show udp
show utd engine standard status
show wireless ewc-ap redundancy summary
Cisco IOS-XR:
show bfd hw-offload state
show mpls interfaces
show platform
show running-config
show version
Cisco NX-OS:
show cfs status
show cloudsec sa interface all
show feature
show ip ospf interface
show module
show mpls interface detail
show running-config
show running-config all
show running-config cdp all
show sockets connection
Cisco ASA:
show asp table socket
show running-config
show running-config tunnel-group
Required for policy scanning:
show version | include Cisco
show interface
show running-config
show snmp host
show run | include banner login
show log | incl Trap logging
show snmp user
show snmp group
show ip ssh | incl retries
show cdp
show ip ssh | incl timeout
show running-config | include [ ]*neighbor[ ]*.*[ ]*password
show run | include banner exec
show run | include banner motd
Privileged Exec Mode required for vulnerability and policy scanning
Privileged Exec Mode or Privilege Level 15 is required for vulnerability and policy scanning of Cisco devices. Cisco IOS, Cisco IOS XE, and Cisco ASA all support privilege escalation using the enable command. For more information about how to configure privilege escalation, read the Elevating Permissions documentation.
Cisco NX-OS and Cisco IOS-XR do not support privilege escalation using the enable command, so an account with privilege level 15 is required.
Debian-based distributions
uname
dpkg
egrep
cut
xargs
F5
- either version, show version, or tmsh show sys version
FreeBSD
- freebsd-version is needed to fingerprint FreeBSD versions 10 and later.
- The user account needs permission to execute cat /var/db/freebsd-update/tag on FreeBSD versions earlier than 10.
- FreeBSD package fingerprinting requires:
pkg info
pkg_info
Juniper
uname
show version
Mac OS X
/usr/sbin/softwareupdate
/usr/sbin/system_profiler
sw_vers
Palo Alto Networks PAN-OS
show system info
Run a Palo Alto firewall policy
Palo Alto Networks PAN-OS asset configuration
The following information applies to PanOS and engine-based policies only.
Prerequisites
Before you can scan an asset, ensure that:
- You have access to an SSH connection as an administrator.
- The scan is able to run the show config running xpath [value] and show config merged commands, which are available in the default operational mode.
Run a Palo Alto firewall policy
- Copy the provided example.
- Customize the values in the policy's configurable fields to meet your organization's individual needs.
Configurable fields may yield unexpected results
The benchmark example provided may require modification depending on individual needs.
```
admin@cis-pa-9-c> show config running

config {
  mgt-config {
    users {
      admin {
        phash $1$fuinsaxv$MK4HTQeN9qrqhUqi6T4op0;
        permissions {
          role-based {
            superuser yes;
          }
        }
      }
    }
    password-complexity {
      minimum-length 12;
      password-history-count 24;
      minimum-lowercase-letters 1;
      minimum-uppercase-letters 1;
      minimum-numeric-letters 1;
      minimum-special-characters 1;
      new-password-differs-by-characters 3;
      enabled yes;
      block-username-inclusion yes;
      password-change-period-block 90;
    }
    password-profile;
  }
  shared {
    application;
    application-group;
    service;
    .
    .
    .
```
- Create a scan template by selecting the Palo Alto benchmark.
- Create a site as an administrator using SSH.
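The benchmark reads the brace-structured text that `show config running` prints and compares the configurable fields against the values you set in the policy. To make that concrete, the following is an added example, not Rapid7's or Palo Alto's code: a small parser for that output format plus a check of the `password-complexity` block and a listing of which management users hold `superuser yes`. The thresholds in `MINIMUMS` and `REQUIRED_FLAGS` are assumptions taken from the sample configuration above (treat them as the fields you would customize), the `SAMPLE_CONFIG` text is constructed in the same shape as the page's sample with a placeholder in place of the password hash, and all function names are my own.

```python
"""Check the password-complexity block of a PAN-OS running configuration.

Added example, not Rapid7's or Palo Alto's code. It parses the brace-structured
text that `show config running` prints and compares the password-complexity
fields against minimum values. The thresholds are assumptions taken from the
sample configuration in the documentation; adjust them to your own benchmark.
"""

# Constructed sample in the same shape as the page's `show config running`
# output; the phash values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
admin@cis-pa-9-c> show config running

config {
  mgt-config {
    users {
      admin {
        phash PLACEHOLDER-HASH;
        permissions {
          role-based {
            superuser yes;
          }
        }
      }
      auditor {
        phash PLACEHOLDER-HASH;
        permissions {
          role-based {
            superreader yes;
          }
        }
      }
    }
    password-complexity {
      minimum-length 12;
      password-history-count 24;
      minimum-lowercase-letters 1;
      minimum-uppercase-letters 1;
      minimum-numeric-letters 1;
      minimum-special-characters 1;
      new-password-differs-by-characters 3;
      enabled yes;
      block-username-inclusion yes;
      password-change-period-block 90;
    }
    password-profile;
  }
}
"""

# Minimum acceptable values (assumed; taken from the sample above).
MINIMUMS = {
    "minimum-length": 12,
    "password-history-count": 24,
    "minimum-lowercase-letters": 1,
    "minimum-uppercase-letters": 1,
    "minimum-numeric-letters": 1,
    "minimum-special-characters": 1,
    "new-password-differs-by-characters": 3,
}
# Settings that must hold exactly this value (assumed, as above).
REQUIRED_FLAGS = {"enabled": "yes", "block-username-inclusion": "yes"}


def parse_panos_config(text):
    """Turn `key { ... }`, `key value;` and `key;` lines into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "> show config" in line:
            continue  # skip blank lines and the CLI prompt echoed above the output
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1][key] = value.strip() or None  # `key;` carries no value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def password_complexity_findings(cfg):
    """Return human-readable deviations from MINIMUMS and REQUIRED_FLAGS."""
    pc = cfg.get("config", {}).get("mgt-config", {}).get("password-complexity")
    if not isinstance(pc, dict):
        return ["password-complexity block missing"]
    findings = []
    for key, floor in MINIMUMS.items():
        value = pc.get(key)
        if value is None or not value.isdigit() or int(value) < floor:
            findings.append(f"{key}: expected at least {floor}, found {value}")
    for key, expected in REQUIRED_FLAGS.items():
        if pc.get(key) != expected:
            findings.append(f"{key}: expected {expected}, found {pc.get(key)}")
    return findings


def superuser_accounts(cfg):
    """Return the management users configured with role-based superuser yes."""
    users = cfg.get("config", {}).get("mgt-config", {}).get("users", {}) or {}
    return sorted(
        name for name, user in users.items()
        if isinstance(user, dict)
        and user.get("permissions", {}).get("role-based", {}).get("superuser") == "yes"
    )


if __name__ == "__main__":
    parsed = parse_panos_config(SAMPLE_CONFIG)
    print("superusers:", superuser_accounts(parsed))
    for finding in password_complexity_findings(parsed) or ["password complexity: OK"]:
        print(finding)
```

Because the parser keeps the whole tree, the same parsed object can be reused for other benchmark questions against the running configuration (for example, which accounts are superusers, as shown) without re-running `show config running` on the firewall.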
RPM-based distributions (e.g. Red Hat, SUSE, or Oracle)
uname
rpm
chkconfig
Solaris
showrev
pkginfo
ndd
VMware ESX/ESXi
vmware -v
Vulnerability Checks that require RootExecutionService
For certain vulnerability checks, root access is required. If you choose to scan with a non-root user, be aware that these vulnerabilities will not be found, even if they exist on your system. The following is a list of checks that require root access:
You can search for the Vulnerability ID in the search bar of the Security Console to find the description and other details.
Vulnerability Title | Vulnerability ID |
---|---|
Solaris Serial Login Prompts | solaris-serial-login-prompts |
Solaris Loose Destination Multihoming | solaris-loose-dst-multihoming |
Solaris Forward Source Routing Enabled | solaris-forward-source-route |
Solaris Echo Multicast Reply Enabled | solaris-echo-multicast-reply |
Solaris ICMP Redirect Errors Accepted | solaris-redirects-accepted |
Solaris Reverse Source Routing Enabled | solaris-reverse-source-route |
Solaris Forward Directed Broadcasts Enabled | solaris-forward-directed-broadcasts |
Solaris Timestamp Broadcast Reply Enabled | solaris-timestamp-broadcast-reply |
Solaris Echo Broadcast Reply Enabled | solaris-echo-broadcast-reply |
Solaris Empty Passwords | solaris-empty-passwords |
OpenSSH config allows SSHv1 protocol* | unix-check-openssh-ssh-version-two* |
.rhosts files exist | unix-rhosts-file |
.netrc files exist | unix-netrc-files |
MySQL mysqlhotcopy Temporary File Symlink Attack | unix-mysql-mysqlhotcopy-temp-file |
Partition Mounting Weakness | unix-partition-mounting-weakness |
- OpenSSH config allows SSHv1 protocol/unix-check-openssh-ssh-version-two is conceptually the same as another check, SSH server supports SSH protocol v1 clients/ssh-v1-supported, which does not require root.
Discovery scans vs Authenticated scans
The difference between discovery and authenticated scans
A discovery scan can only make a best-effort prediction from the information the asset exposes without credentials. To properly identify the asset, you have to perform an authenticated scan. The Full Audit Without Web Spider is the most commonly used scan template for performing authenticated scans. In the site for the scan, you will want to use domain admin credentials for the scan. For more information about authenticated scans, read our Authenticated Discovery Scans docs.