Configure a Least-Privilege SSH Scan

Required user role when using Tenable Nessus Manager: Standard, Administrator, or System Administrator

You can use an iterative process in Tenable Nessus to identify the exact permissions required for a complete and accurate credentialed SSH scan, allowing you to create a least-privilege account that avoids the security risks of granting full root access. This process relies on a scan setting and four informational plugins that report on command execution.

You can use this process to resolve the common challenge of negotiating scan credentials with server administrators, which often leads to delays or the assignment of a limited account that produces incomplete scan data.


How It Works

When you enable the Attempt Least Privilege scan setting, Tenable Nessus plugins first try to run commands without privilege escalation. If a command fails, Tenable Nessus retries it using privilege escalation (for example, sudo) and records the results in the output of four plugins:

  • Plugin ID 102094 (SSH Commands Require Privilege Escalation) — Lists all commands that failed to run as a standard user and required elevated privileges. The output is in a simple YAML format that you can use to update the /etc/sudoers file.

    Example output:

    Login account : <username>
    Commands failed due to lack of privilege escalation :
    - Escalation account : (none)
      Escalation method : (none)
      Plugins :
      - Plugin Filename : host_tag_nix.nbin
        Plugin ID : 87414
        Plugin Name : Host Tagging (Linux)
        - Command : "cat /etc/tenable_tag"
          Response : null
          Error : "\ncat: /etc/tenable_tag: Permission denied"
      - Plugin Filename : nessus_agent_installed_linux.nbin
        Plugin ID : 110230
        Plugin Name : Tenable Nessus Agent Installed (Linux)
        - Command : "strings '/opt/nessus_agent/var/nessus/agent.version' 2>&1"
          Response : "strings: /opt/nessus_agent/var/nessus/agent.version: Permission denied"
          Error : ""

  • Plugin ID 102095 (SSH Commands Ran With Privilege Escalation) — Lists all commands that ran successfully with escalated privileges. You can use this output to verify that only authorized commands are running with sudo.

    Example output:

    Login account : <username>
    Escalation account : root
    Escalation method : su
    Commands required privilege escalation :
      Plugins :
      - Plugin Filename : bios_get_info_ssh.nasl
        Plugin ID : 34098
        Plugin Name : BIOS Info (SSH)
        - Command : "LC_ALL=C dmidecode"
      - Plugin Filename : linux_kernel_speculative_execution_detect.nbin
        Plugin ID : 125216
        Plugin Name : Processor Speculative Execution Vulnerabilities (Linux)
        - Command : "head /sys/kernel/debug/x86/pti_enabled"
        - Command : "head /sys/kernel/debug/x86/retp_enabled"
        - Command : "head /sys/kernel/debug/x86/ibrs_enabled"
    Command forced to use privilege escalation :
      Plugins :
      - Plugin Filename : netstat_portscan.nasl
        Plugin ID : 14272
        Plugin Name : Netstat Portscanner (SSH)
        - Command : "netstat -a -n"

  • Plugin ID 100158 (SSH Combined Host Command Logging) — Shows the log file of the commands that were run. This plugin provides a downloadable debug log file that describes the SSH commands that Tenable Nessus ran during the scan.

  • Plugin ID 84239 (Debugging Log Report) — Gathers the logs written by other plugins and reports them. This plugin provides an attachment with all plugin debug log files available at the end of a scan.

Note that plugins 100158 and 84239 are advanced diagnostic tools and require you to enable plugin debugging in the scan configuration. Use these plugins to investigate unexpected scan results, particularly in environments with sophisticated, granular access controls (for example, TACACS).

While plugins 102094 and 102095 report that a command failed or succeeded, the debugging logs from 100158 and 84239 provide the exact command syntax Tenable Nessus passed to the host and the complete error response.

This additional detail can help diagnose complex access issues, such as a security module that allows a base command but blocks that command when used with a specific flag. Because enabling debugging is resource-intensive, Tenable recommends using these plugins only to troubleshoot a specific endpoint.


Example Process to Determine Account Configuration

The following is a workflow you can use to determine the necessary account configuration for a least-privilege SSH scan.

Before you begin:

  • The following steps assume the scan target is a Linux server that uses sudo for command escalation.

  • The following steps assume you already know how to create and configure a scan in Tenable Nessus. For more information, see Create a Scan.

To determine permissions for a least-privilege SSH scan:

  1. On the target host, create a standard user account for scanning.

  2. Log in as the root user.

  3. Run the visudo command to edit the /etc/sudoers file. Configure the new user account with basic sudo permissions.

  4. In Tenable Nessus, begin creating an advanced scan.

  5. Navigate to the Credentials tab.

  6. Select SSH.

  7. In the Elevate privileges with drop-down box, select sudo.

  8. Select the Attempt Least Privilege check box.

    Note: Enabling Attempt Least Privilege may increase scan times by 10–30% because Tenable Nessus attempts some commands twice.

  9. Configure the remaining scan settings as needed and save the scan.

  10. Launch the scan against the target host.

  11. After the scan completes, review the scan results for Plugin ID 102094 (SSH Commands Require Privilege Escalation).

  12. (Optional) Review the output of Plugin ID 102095 (SSH Commands Ran With Privilege Escalation) to verify which commands are running with escalated privileges.

  13. On the target host, edit the /etc/sudoers file again. Add the commands reported by plugin 102094 to grant the necessary permissions to the scan account.

  14. Relaunch the scan.

  15. Repeat steps 11–14 until plugin 102094 no longer reports any failed commands. At this point, the scan account has the precise privileges required for an accurate authenticated scan.
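The following script is an added example, not Tenable's code: it reads the plugin 102094 output shown above and turns each failed command into an exact-argument /etc/sudoers rule for the scan account (step 13), leaving commands that need manual review (environment-variable prefixes such as LC_ALL=C, or binaries whose path is unknown) in a separate list. The login account name nessus and the absolute binary paths in BIN_PATHS are assumptions to be replaced with the target host's real values.

```python
import re
import shlex

# Constructed sample: the plugin 102094 output quoted on this page, with "nessus" as the assumed login account.
SAMPLE_102094 = '''Login account : nessus
Commands failed due to lack of privilege escalation :
- Escalation account : (none)
  Escalation method : (none)
  Plugins :
  - Plugin Filename : host_tag_nix.nbin
    Plugin ID : 87414
    - Command : "cat /etc/tenable_tag"
      Response : null
      Error : "\\ncat: /etc/tenable_tag: Permission denied"
  - Plugin Filename : nessus_agent_installed_linux.nbin
    Plugin ID : 110230
    - Command : "strings '/opt/nessus_agent/var/nessus/agent.version' 2>&1"
'''

# Assumed absolute paths on the *target* host (sudoers needs them); confirm there with `command -v`.
BIN_PATHS = {"cat": "/usr/bin/cat", "strings": "/usr/bin/strings"}
REDIRECT = re.compile(r"^\d*[<>]{1,2}&?\d*$")   # shell redirections: 2>&1, >, >>, 2> ...
SUDO_SPECIAL = re.compile(r"([,:=\\])")          # characters sudoers requires escaped in args

def parse_failed_commands(text):
    """Return every quoted command under a '- Command :' line, in order."""
    return re.findall(r'^\s*-\s*Command\s*:\s*"(.*)"\s*$', text, re.M)

def to_sudoers_rule(command, user="nessus", paths=BIN_PATHS):
    """Build one exact-argument sudoers rule, or None if it needs manual review.
    A bare '/usr/bin/cat' entry would let the scan account read any file as
    root, so arguments are kept. Redirections are dropped (sudo never sees
    them); VAR=value prefixes need SETENV and are handed back for review."""
    words = shlex.split(command)
    if not words or "=" in words[0]:
        return None
    words = [w for w in words if not REDIRECT.match(w)]
    binary = paths.get(words[0])
    if binary is None:
        return None
    args = [SUDO_SPECIAL.sub(r"\\\1", w) for w in words[1:]]
    return f"{user} ALL=(root) " + " ".join([binary] + args)

def generate_rules(text, user="nessus", paths=BIN_PATHS):
    """Split plugin output into ready sudoers lines and commands to review by hand."""
    rules, review = [], []
    for cmd in parse_failed_commands(text):
        rule = to_sudoers_rule(cmd, user, paths)
        (rules if rule else review).append(rule or cmd)
    return rules, review
```

Paste the generated lines into /etc/sudoers through visudo, which rejects syntax errors before they lock you out; add NOPASSWD: only if the SSH credential carries no escalation password.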


Troubleshoot Complex Access Issues

If you follow the procedure above (reviewing 102094, updating sudoers, and relaunching) but plugin 102094 still reports failed commands, you may have a complex access issue. You can use the debugging plugins to investigate further.

  1. In the Tenable Nessus scan configuration, enable plugin debugging.

  2. Relaunch the scan against the single target host.

  3. After the scan completes, review the output of Plugin ID 100158 (SSH Combined Host Command Logging) and Plugin ID 84239 (Debugging Log Report). Use the detailed logs from these plugins to identify the exact command syntax or error message causing the failure.

  4. Update your host's access control configuration (for example, /etc/sudoers or TACACS rules) with the corrected permissions.

  5. Disable plugin debugging in the scan configuration and relaunch the scan to confirm the issue is resolved.