Authentication on Unix and related targets: best practices

When scanning Unix and related systems such as Linux, most vulnerability checks can run without root access. Root access is needed for a few vulnerability checks and for many policy checks. If you plan to scan with a non-root user, make sure the account has the permissions specified below, and be aware that certain checks will not produce findings for a non-root user. The following sections contain guidelines for what to configure and what can only be found with root access. Because the checks are complex and updated frequently, this list is subject to change.

To ensure near-comprehensive vulnerability coverage when scanning as a non-root user, you need to do one of the following:

  • Elevate permissions so that you can run commands as root without using an actual root account.
  • Configure your systems such that your non-root scanning user has permissions on specified commands and directories.

The following sections describe the configuration for these options.

Configuring your scan environment to support permission elevation

One way to elevate scan permissions without using a root user or performing a custom configuration is to use permission elevation, such as sudo or pbrun. These options require specific configuration (for instance, for pbrun, you need to whitelist the user's shell), but do not require you to customize permissions as described in Commands the application runs below.

Commands the application runs

The following section contains guidelines for what commands the application runs when scanning. The vast majority of these commands can be run without root. As indicated above, this list is subject to change as new checks are added.

The majority of the commands are required for one of the following:

  • getting the version of the operating system
  • getting the versions of installed software packages
  • running policy checks implemented as shell scripts

The application expects that the commands are part of the $PATH variable and there are no non-standard $PATH collisions.

The following commands are required for all Unix/Linux distributions:

  • ifconfig
  • java
  • sha1
  • sha1sum
  • md5
  • md5sum
  • awk
  • grep
  • egrep
  • cut
  • id
  • ls
  • unzip

InsightVM attempts to read certain files and can perform the corresponding checks only if the user account has the appropriate access to those files. The following is a list of files or directories that the account needs to be able to access:

  • /etc/group
  • /etc/passwd
  • grub.conf
  • menu.lst
  • lilo.conf
  • syslog.conf
  • /etc/permissions
  • /etc/securetty
  • /var/log/postgresql
  • /etc/hosts.equiv
  • .netrc
  • the directories /, /dev, /sys, /proc, /home, /var, and /etc
  • /etc/master.passwd
  • sshd_config

For Linux, the application needs to read the following files, if present, to determine the distribution:

  • /etc/debian_release
  • /etc/debian_version
  • /etc/redhat-release
  • /etc/redhat_version
  • /etc/os-release
  • /etc/SuSE-release
  • /etc/fedora-release
  • /etc/slackware-release
  • /etc/slackware-version
  • /etc/system-release
  • /etc/mandrake-release
  • /etc/yellowdog-release
  • /etc/gentoo-release
  • /etc/UnitedLinux-release
  • /etc/vmware-release
  • /etc/slp.reg
  • /etc/oracle-release
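Before the first authenticated scan it is worth confirming, as the scan account itself, that the required commands resolve in $PATH from standard directories and that the files listed above are readable. The following POSIX shell script is an added example, not Rapid7's or InsightVM's own code: the command and file lists are taken from the sections above, while the full paths chosen for names given without a directory (grub.conf, menu.lst, lilo.conf, syslog.conf, sshd_config, .netrc) are assumed common locations that may differ on a given target.

```shell
#!/bin/sh
# Added example, not InsightVM's own code: run this AS THE SCAN ACCOUNT on a
# Linux/Unix target before the first authenticated scan. It reports commands
# that are not in $PATH, commands that resolve from non-standard directories
# ($PATH collisions), and files that exist but the account cannot read.

# Commands required on every Unix/Linux target (list from the section above).
REQUIRED_COMMANDS="ifconfig java sha1 sha1sum md5 md5sum awk grep egrep cut id ls unzip"

# Files and directories the scanner reads when present. Entries given above
# without a directory (grub.conf, sshd_config, ...) are mapped here to their
# usual locations; those locations are assumptions, adjust them for the target.
FILES_TO_READ="/etc/group /etc/passwd /etc/master.passwd /etc/securetty /etc/hosts.equiv
/etc/permissions /etc/ssh/sshd_config /etc/syslog.conf /etc/lilo.conf
/boot/grub/grub.conf /boot/grub/menu.lst /var/log/postgresql $HOME/.netrc
/ /dev /sys /proc /home /var /etc
/etc/os-release /etc/redhat-release /etc/debian_version /etc/SuSE-release"

# classify_file PATH: prints "absent", "readable" or "unreadable". An absent
# file is simply skipped by the scanner; a file that exists but cannot be read
# silently loses every check that depends on it, so that is the case to fix.
classify_file() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ -d "$1" ]; then
        # a directory must be both listable (r) and searchable (x)
        if [ -r "$1" ] && [ -x "$1" ]; then echo readable; else echo unreadable; fi
    elif [ -r "$1" ]; then
        echo readable
    else
        echo unreadable
    fi
}

# count_missing_commands "cmd1 cmd2 ...": prints how many names are not in
# $PATH, listing each missing one on stderr.
count_missing_commands() {
    missing=0
    for c in $1; do
        if ! command -v "$c" >/dev/null 2>&1; then
            echo "missing command: $c" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# check_path_collisions "cmd1 cmd2 ...": prints how many installed commands
# resolve outside the standard system directories, which is what the
# "no non-standard $PATH collisions" requirement above is about.
check_path_collisions() {
    odd=0
    for c in $1; do
        p=$(command -v "$c" 2>/dev/null) || continue
        case "$p" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/local/bin/*|/usr/local/sbin/*) ;;
            *) echo "non-standard location for $c: $p" >&2; odd=$((odd + 1)) ;;
        esac
    done
    echo "$odd"
}

# count_unreadable_files "path1 path2 ...": prints how many paths exist but
# are not readable by the current account, listing each on stderr.
count_unreadable_files() {
    bad=0
    for f in $1; do
        case "$(classify_file "$f")" in
            unreadable) echo "present but unreadable: $f" >&2; bad=$((bad + 1)) ;;
        esac
    done
    echo "$bad"
}

# preflight: runs all three checks and succeeds only if nothing was flagged.
preflight() {
    m=$(count_missing_commands "$REQUIRED_COMMANDS")
    o=$(check_path_collisions "$REQUIRED_COMMANDS")
    u=$(count_unreadable_files "$FILES_TO_READ")
    echo "missing commands: $m, non-standard paths: $o, unreadable files: $u"
    [ "$m" -eq 0 ] && [ "$o" -eq 0 ] && [ "$u" -eq 0 ]
}

preflight || echo "scan account is not ready; fix the items reported above" >&2
```

Run it over SSH as the scan account (`ssh scanuser@target sh -s < preflight.sh`); every line on stderr is a check the scanner would silently skip. Extend REQUIRED_COMMANDS with the distribution-specific commands listed further below for the target in question.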

On any Unix or related variants (such as Ubuntu or OS X), there are specific commands the account needs to be able to perform in order to run specific checks. These commands should be whitelisted for the account.

The account needs to be able to perform the following commands for certain checks:

  • cat
  • find
  • mysqlaccess
  • mysqlhotcopy
  • sh
  • sysctl
  • dmidecode
  • perlsuid
  • apt-get
  • rpm
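The permission-elevation option described under "Configuring your scan environment to support permission elevation" needs a sudo rule that covers exactly the commands whitelisted above. The following script is an added example, not part of InsightVM or its documentation: it generates a least-privilege sudoers fragment for a dedicated scan account. The account name `scanuser`, the drop-in path under /etc/sudoers.d, the alias name SCAN_CMDS and the `!requiretty` default are assumptions; the command list is the one above, and pbrun is not covered.

```shell
#!/bin/sh
# Added example, not part of InsightVM or its documentation: generates a
# least-privilege sudoers fragment for a dedicated scan account covering the
# commands the scanner runs elevated. Account name, alias name and file
# location are assumptions; pbrun is not covered here.

SCAN_USER="${SCAN_USER:-scanuser}"                        # assumed scan account name
SUDOERS_FILE="${SUDOERS_FILE:-/etc/sudoers.d/vuln-scan}"  # assumed drop-in path

# Commands the account must be able to run elevated (list from the section above).
ELEVATED_COMMANDS="cat find mysqlaccess mysqlhotcopy sh sysctl dmidecode perlsuid apt-get rpm"

# resolve_commands "cmd1 cmd2 ...": sudoers needs absolute paths, so resolve
# each name via $PATH. Anything not installed is reported on stderr and left
# out rather than whitelisted under a guessed path.
resolve_commands() {
    for c in $1; do
        if p=$(command -v "$c" 2>/dev/null) && [ -x "$p" ]; then
            echo "$p"
        else
            echo "not installed, skipped: $c" >&2
        fi
    done
}

# sudoers_fragment USER "cmd1 cmd2 ...": prints a fragment allowing USER to run
# exactly the resolved commands as root and nothing else. sh, find and cat run
# as root are themselves root-equivalent, so the fragment documents and logs
# what the account is meant to do rather than sandboxing it; drop the entries
# a given target does not need. !requiretty is set because the scanner uses
# non-interactive SSH sessions, which have no tty.
sudoers_fragment() {
    user=$1
    cmds=$(resolve_commands "$2" | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    [ -n "$cmds" ] || { echo "no commands resolved, nothing generated" >&2; return 1; }
    cat <<EOF
# Generated for the vulnerability scan account $user; review before installing.
Defaults:$user !requiretty
Cmnd_Alias SCAN_CMDS = $cmds
$user ALL=(root) NOPASSWD: SCAN_CMDS
EOF
}

# install_fragment USER FILE: installs the fragment with the mode sudo expects
# (0440), but only after visudo accepts its syntax. Must run as root.
install_fragment() {
    tmp=$(mktemp) || return 1
    if sudoers_fragment "$1" "$ELEVATED_COMMANDS" > "$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -m 0440 "$tmp" "$2" && echo "installed $2"
        rc=$?
    else
        echo "fragment rejected, nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Stand-alone use: print the fragment for review. Once it looks right, run
# install_fragment "$SCAN_USER" "$SUDOERS_FILE" as root.
sudoers_fragment "$SCAN_USER" "$ELEVATED_COMMANDS"
```

Generate the fragment on the target itself, since the resolved paths differ between distributions (for example rpm is absent on Debian-based systems and apt-get on RPM-based ones), and keep the scan account's shell and home directory locked down as for any service account.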

For the following types of distributions, the account needs execute permissions as indicated.

AIX

Root privileges are required on AIX; without them, false-positive vulnerabilities are reported.

  • lslpp -cL to list packages
  • oslevel
  • emgr -l

Blue Coat

  • show version

Cisco

Required for vulnerability scanning:

  • show version (Note: this is used on multiple Cisco platforms, including IOS, PIX, ASA, and IOS-XR)

Required for policy scanning:

  • show version | include Cisco
  • show interface
  • show running-config
  • show snmp host
  • show run | include banner login
  • show log | incl Trap logging
  • show snmp user
  • show snmp group
  • show ip ssh | incl retries
  • show cdp
  • show ip ssh | incl timeout
  • show running-config | include [ ]neighbor[ ].*[ ]*password
  • show run | include banner exec
  • show run | include banner motd

Debian-based distributions

  • uname
  • dpkg
  • egrep
  • cut
  • xargs

F5

  • either "version", "show", or "tmsh show sys version"

FreeBSD

  • freebsd-version is needed to fingerprint FreeBSD versions 10 and later
  • The user account needs permissions to execute cat /var/db/freebsd-update/tag on FreeBSD version earlier than 10.
  • FreeBSD package fingerprinting requires:
    • pkg info
    • pkg_info

Juniper

  • uname
  • show version

Mac OS X

  • /usr/sbin/softwareupdate
  • /usr/sbin/system_profiler
  • sw_vers

Palo Alto Networks PAN-OS

  • show system info

RPM-based distributions (e.g. Red Hat, SUSE, or Oracle)

  • uname
  • rpm
  • chkconfig

Solaris

  • showrev
  • pkginfo
  • ndd

VMware ESX/ESXi

  • vmware -v
  • rpm
  • esxupdate -a query || esxupdate query

Vulnerability Checks that require RootExecutionService

For certain vulnerability checks, root access is required. If you choose to scan with a non-root user, be aware that these vulnerabilities will not be found, even if they exist on your system. The following is a list of checks that require root access; you can search for the Vulnerability ID in the search bar of the Security Console to find the description and other details.

Vulnerability Title                               Vulnerability ID
------------------------------------------------  -----------------------------------
Solaris Serial Login Prompts                      solaris-serial-login-prompts
Solaris Loose Destination Multihoming             solaris-loose-dst-multihoming
Solaris Forward Source Routing Enabled            solaris-forward-source-route
Solaris Echo Multicast Reply Enabled              solaris-echo-multicast-reply
Solaris ICMP Redirect Errors Accepted             solaris-redirects-accepted
Solaris Reverse Source Routing Enabled            solaris-reverse-source-route
Solaris Forward Directed Broadcasts Enabled       solaris-forward-directed-broadcasts
Solaris Timestamp Broadcast Reply Enabled         solaris-timestamp-broadcast-reply
Solaris Echo Broadcast Reply Enabled              solaris-echo-broadcast-reply
Solaris Empty Passwords                           solaris-empty-passwords
OpenSSH config allows SSHv1 protocol*             unix-check-openssh-ssh-version-two*
.rhosts files exist                               unix-rhosts-file
.netrc files exist                                unix-netrc-files
MySQL mysqlhotcopy Temporary File Symlink Attack  unix-mysql-mysqlhotcopy-temp-file
Partition Mounting Weakness                       unix-partition-mounting-weakness

  • OpenSSH config allows SSHv1 protocol/unix-check-openssh-ssh-version-two is conceptually the same as another check, SSH server supports SSH protocol v1 clients/ssh-v1-supported, which does not require root.