Nessus UNIX Configuration Auditing "sudo" Support
Tenable's research group recently added support to all SSH enabled UNIX configuration audits to make use of "sudo". Support is available in version 1.4.4 of the UNIX compliance checks.
Some organizations explicitly prohibit remote "root" logins to their UNIX servers. However, many of these organizations do allow a "non-root" login which has access to the "sudo" command. The "sudo" facility allows a non-root user to run specific restricted commands at the root level. Activity related to "sudo" can be logged as well.
When Nessus logs into a UNIX host via SSH, if the remote account used to login is not "root", it will attempt the command "sudo id". If the identification of the root user is returned, Nessus will perform the configuration checks through the "sudo" command. If the "sudo" facility has not been configured, or it requires a password, Nessus won't use "sudo" and will instead perform it's audit with whatever privileges the remote user account has access to.
When configuring your "sudo" facility, keep the following guidelines in mind:
- The account used by Nessus should be able to run the command "id" and see that it is effectively running as root without being prompted for a password.
- The "sudo" facility should be configured to log all commands run by the Nessus account, including failed commands. These logs can be audited by the Log Correlation Engine to ensure only authorized users are running commands.
- If you've restricted the list of commands available to the remote Nessus auditing account, you should perform some test audits to see if your Nessus scan policies can complete their audits. There is nothing wrong with restricting the commands allowed through "sudo", but testing this prior to performing an audit is important.
If you are using Nessus with the Direct Feed or Security Center, you do not need to make any changes to your existing scan policies. However, with this new update, you now have the flexibility to configure your target UNIX systems with accounts that have access to the "sudo" facility to support your CIS, NIST and other types of configuration audits.
Related Articles
Cybersecurity Snapshot: New Report Ranks Top Cloud Threats, while CISA Guide Helps Assess Security of Software Products
August 9, 2024The Cloud Security Alliance has released its list of top cloud threats for 2024. Plus, CISA and the FBI published a guide for determining if a software product was built ‘secure by design.’ Meanwhile, find out how AI can transform offensive security. And get the latest on the Royal ransomware gang, the CIS Benchmarks and TikTok’s legal troubles!
Cybersecurity Snapshot: Data Breach Costs Rise, as Ransomware Attacks Fall, Reports Find
August 2, 2024IBM’s latest “Cost of a Data Breach Report” finds these data-theft incidents getting more expensive. Plus, the IT-ISAC says that ransomware attacks fell in Q2 due to law-enforcement disruptions of ransomware groups. Meanwhile, check out a Carnegie Mellon comp sci professor’s take on AI system security. And Tenable’s headed to Black Hat – visit our booth! And much more!
Tenable Cloud Security To Help Fed Agencies Tackle Cloud Challenges as It Nears FedRAMP Authorization
July 31, 2024As federal agencies adopt a cloud-first policy, they face unique challenges in securing cloud infrastructure. Learn how Tenable Cloud Security, which is now FedRAMP "In Process," can help.
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Government
- Security Frameworks