Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL
+44 (0) 1582 434320

Tenable Allows Least Privilege SSH Scans

Tenable Allows Least Privilege SSH Scans

Tenable Allows Least Privilege SSH Scans

Credentialed scans have long been encouraged as the quickest and most accurate way to perform a vulnerability assessment against any network. However, customer always run into problems which are related to users or process which need to be followed.

Usually when the discussion of credentials become topic of a conversation, further questions are asked; who? why? what? Nevertheless, from a business perspective these are legitimate questions which should be rightly asked. This then causes many conversations between the people involved and then meaning polices and procedures have to be created. Eventually a final decision will be made either to grant access for the credentials; denied or not the correct privileges which was initially discussed.

To help solve this problem, Tenable provided transparency around which commands are run by a Nessus® scan, what privileges are required to run the commands and if the commands failed, which Nessus plugins would fail as a result.

  • Nessus 6.11 or later, either standalone or managed by Vulnerability Management or SecurityCenter
  • Scan Target Operating System
    • CentOS, Redhat, Amazon Linux, SuSE, Ubuntu, Debian, HP-UX, Scientific Linux, AIX, Oracle Linux, Gentoo.
Scan Configuration

At a high level, the process can be summarised in five simple steps:

  • Configure a scan account to run with sudo privileges
  • Enable ‘Attempt Least Privilege’ preference in scan policy
  • Review plugin output of Nessus plugin IDs #102094 and #102095
  • Update /etc/sudoers file based on results on plugin #102094
  • Repeat Step 4, until commands which run with higher privileges are accounted in /etc/sudoers file

Step 1: Configure user to run commands via sudo

Log in to the system as the root user and create a normal user account. Run visudo to edit the /etc/sudoers file, and add the commands the user is allowed to run with sudo. In the example below I created a user ‘nessus_scan_account’ assigned it SUDOER User_Alias who can run the ‘/usr/bin/dmidecode’ command which requires root privileges to run.

Step 2: Enable ‘Attempt Least Privilege’ checkbox in scan policy

Follow the below steps to enable ‘‘Attempt Least Privilege’ preference in the scan policy. Vulnerability Management & Nessus

Click Scans -> New Scan -> Advanced Scan -> Credentials -> SSH -> Attempt Least Privilege

When this preference is enabled, Nessus plugins attempt to execute commands with least privileges (i.e. without privilege escalation), and if the initial attempt fails, it retries executing the command with privilege escalation. It also logs commands which failed and succeeded with privilege escalation and reports the information in two plugins (#102094, #102095) which will be discussed in the next steps. As a result of running the same command twice, customers should note the scans could run 10-30 percent slower according to our lab tests.

Image 1