Elevating permissions

With SSH authentication you can elevate Scan Engine permissions to administrative or root access, which is required for obtaining certain data. For example, Unix-based CIS benchmark checks often require administrator-level permissions. Incorporating su (super-user), sudo (super-user do), or a combination of these methods, ensures that permission elevation is secure.

Permission elevation is an option available with the configuration of SSH credentials. Configuring this option involves selecting a permission elevation method. Using sudo protects your administrator password and the integrity of the server by not requiring an administrative password. Using su requires the administrator password.

The option to elevate permissions appears when you create or edit SSH credentials in a site configuration:

Permission elevation

You can choose to elevate permissions using one of the following options:

Configuring your scan environment to support pbrun permission elevation

Before you can elevate scan permissions with pbrun, you will need to create a configuration file and deploy it to each target host. The configuration provides the conditions that Nexpose needs to scan successfully using this method:

The following excerpt of a sample configuration file shows the settings that meet these conditions:

RootUsers = {"user_name" };

RootProgs = {"bash"};

if (pbclientmode == "run" &&

user in RootUsers &&

basename(command) in RootProgs) {

 

# setup the user attribute of the delegated task

runuser = "root";

rungroup = "!g!";

rungroups = {"!G!"};

runcwd = "!~!";

 

# setup the runtime environment of the delegated task

setenv("SHELL", "!!!");

setenv("HOME", "!~!");

setenv("USER", runuser);

setenv("USERNAME", runuser);

setenv("LOGNAME", runuser);

setenv("PWD", runcwd);

setenv("PATH", "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin");

 

# setup the log data

CleanUp();

 

accept;

}

Using system logs to track permission elevation

Administrators of target assets can control and track the activity of su and sudo users in system logs. When attempts at permission elevation fail, error messages appear in these logs so that administrators can address and correct errors and run the scans again.