Credentialed Scanning and Privileged Account Use
Tenable provides authenticated vulnerability and configuration assessments of systems to validate the presence of vulnerabilities, patches, and secure configurations. To obtain accurate results when assessing a system, you must grant Nessus or Tenable Security Center privileged authentication and access levels to access the end system.
Performing a vulnerability scan or audit with an account lacking sufficient privileges may result in incomplete results. For example, Nessus may not find certain files and commands may return erroneous or incomplete information or lack output altogether.
Tenable recommends configuring administrator or root-equivalent accounts to avoid erroneous or inaccurate system assessments. You can create accounts with customized privileges for scanning and assessment, but this approach is fragile and not recommended. The methods used by Tenable products to assess systems may change to adapt to new technologies or vulnerabilities; therefore, the required granular privileges may also change.
Consider the following when reviewing strategies for authenticated assessment of systems in your environment:
- Implement compensating controls for privileged accounts to limit risk, such as:
- Log monitoring for when the account is in use outside of standard change control hours, with alerts for activities outside of normal windows.
- Perform frequent password rotation for privileged accounts more often than the “normal” internal standard.
- Enable accounts only when the time window for scans is active; disable accounts at other times.
- On non-Windows systems, do not allow remote root logins. Configure your scans to utilize escalation such as su, sudo, pbrun, .k5login, or dzdo.
- Use key authentication instead of password authentication.
- Use Nessus Agents where available.
- If you do not grant an exception with compensating controls, perform a scan with an account having lower privileges than what Tenable recommends and observe any missing results. Modify the account privileges so that all expected results are shown. Changes to the audit file or plugins may impact results later.
For further information on credentialed checks, refer to the Nessus User Guide.