Nessus Credentialed Checks
In addition to remote scanning, you can use Nessus to scan for local exposures. For information about configuring credentialed checks, see Credentialed Checks on Windows and Credentialed Checks on Linux.
External network vulnerability scanning is useful to obtain a snapshot in time of the network services offered and the vulnerabilities they may contain. However, it is only an external perspective. It is important to determine what local services are running and to identify security exposures from local attacks or configuration settings that could expose the system to external attacks that an external scan might not detect.
A typical network vulnerability assessment performs a remote scan against the external points of presence and an on-site scan from within the network. Neither scan can determine local exposures on the target system, and some of the information gained relies on banner information, which may be inconclusive or incorrect. By supplying credentials, you can grant the Nessus scanner local access to the target system without deploying an agent, which makes it practical to scan a large network for local exposures or compliance violations.
The most common security problem in an organization is that security patches are not applied in a timely manner. A Nessus credentialed scan can quickly determine which systems are out of date on patch installation. This is especially important when a new vulnerability is made public and executive management wants a quick answer regarding the impact to the organization.
Another major concern for organizations is to determine compliance with site policy, industry standards (such as the Center for Internet Security (CIS) benchmarks) or legislation (such as Sarbanes-Oxley, Gramm-Leach-Bliley, or HIPAA). Organizations that accept credit card information must demonstrate compliance with the Payment Card Industry (PCI) standards. There have been quite a few well-publicized cases where the credit card information for millions of customers was breached. This represents a significant financial loss to the banks responsible for covering the payments and heavy fines or loss of credit card acceptance capabilities by the breached merchant or processor.
Credentialed scans can perform any operation that a local user can perform. The level of scanning depends on the privileges granted to the user account that you configure Nessus to use.
Non-privileged users with local access on Linux systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, you need an account with “root” privileges.
Nessus needs to use an administrator-level account for credentialed scans on Windows systems. Several bulletins and software updates by Microsoft have made reading the registry to determine software patch level unreliable without administrator privileges, so Nessus needs administrative access to read the file system directly. This allows Nessus to connect to a computer and perform direct file analysis to determine the true patch level of the systems it evaluates. On Windows XP Pro, this file access only works with a local administrator account if you change the “Network access: Sharing and security model for local accounts” policy to “Classic – local users authenticate as themselves.”
Detecting When Credentials Fail
If you are using Nessus to perform credentialed audits of Linux or Windows systems, analyzing the results to determine if you had the correct passwords and SSH keys can be difficult. You can detect if your credentials are not working using plugin 21745.
This plugin detects if either SSH or Windows credentials did not allow the scan to log into the remote host. When a login is successful, this plugin does not produce a result.
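When a scan covers many hosts, reading each result page by hand to spot plugin 21745 is slow. The following Python snippet, added to this page as an example and not part of Nessus or any Tenable tooling, parses an exported .nessus (v2 XML) file and lists the hosts where plugin 21745 fired, together with its plugin output. The sample export embedded below is constructed for illustration; the host names and the plugin_output text are made up.

```python
"""Find hosts in a Nessus .nessus (v2 XML) export where plugin 21745
("Authentication Failure - Local Checks Not Run") fired, meaning SSH or
Windows credentials did not allow a login and local checks were skipped.
Example code added to this page; not part of Nessus itself."""
import xml.etree.ElementTree as ET

AUTH_FAILURE_PLUGIN_ID = "21745"

# Constructed sample export: two hosts, one where credentials failed.
# Host addresses and plugin_output text are made up for illustration.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Credentialed sweep">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="operating-system">Linux Kernel 5.15</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="10267" pluginName="SSH Server Type and Version Information"
                  pluginFamily="Service detection"/>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <HostProperties>
        <tag name="host-ip">10.0.0.9</tag>
        <tag name="operating-system">Microsoft Windows Server 2019</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
                  pluginID="21745" pluginName="Authentication Failure - Local Checks Not Run"
                  pluginFamily="Settings">
        <plugin_output>It was not possible to log into the remote host via smb (invalid credentials).</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def credential_failures(nessus_xml):
    """Return {host_name: plugin_output} for every ReportHost that carries
    a ReportItem with pluginID 21745.

    Hosts absent from the result did not report an authentication failure,
    which is what a successful login looks like for this plugin.
    """
    root = ET.fromstring(nessus_xml)
    failures = {}
    for host in root.iter("ReportHost"):
        name = host.get("name", "?")
        for item in host.iter("ReportItem"):
            if item.get("pluginID") == AUTH_FAILURE_PLUGIN_ID:
                output = item.findtext("plugin_output", default="").strip()
                failures[name] = output
    return failures


def hosts_scanned(nessus_xml):
    """Return the names of all ReportHost entries, in file order."""
    root = ET.fromstring(nessus_xml)
    return [h.get("name", "?") for h in root.iter("ReportHost")]


if __name__ == "__main__":
    failed = credential_failures(SAMPLE_NESSUS)
    for host in hosts_scanned(SAMPLE_NESSUS):
        if host in failed:
            print(f"{host:<15} CREDENTIALS FAILED: {failed[host]}")
        else:
            print(f"{host:<15} no 21745 result")
```

To run this against a real export, read the .nessus file into a string (for example `open("scan.nessus").read()`) and pass it to `credential_failures()`. A host missing from the returned dictionary produced no 21745 result, which is the plugin's signal that the login succeeded; it says nothing about hosts that were unreachable or that were scanned without any credentials configured, so compare the list against the scan's intended targets as well.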