Credentialed Scanning and Privileged Account Use

Tenable provides authenticated vulnerability and configuration assessments of systems to validate the presence of vulnerabilities, patches and secure configurations. To obtain accurate results when assessing a system, Nessus (or the Tenable product performing the scan) must be granted privileged credentials and access levels on the target system.

Performing a vulnerability scan or audit with an account lacking sufficient privileges may produce incomplete results. For example, files may not be found, and commands may return erroneous or incomplete information, or no output at all.

Using administrator or root-equivalent accounts avoids erroneous or inaccurate system assessments. While customers may create accounts with customized privileges for use in scanning and assessment, this approach is fragile and not recommended. The methods used by Tenable products to assess systems may change to adapt to new technologies or vulnerabilities; therefore, the granular privileges required may also change.

Consider the following when reviewing strategies for authenticated assessment of systems in your environment:

  1. Implement compensating controls for privileged accounts to limit risk, such as:
    1. Monitor logs for use of the account outside of standard change control hours, and alert on activity outside of the normal scan windows.
    2. Rotate the passwords of privileged scanning accounts more frequently than the "normal" internal standard requires.
    3. Enable the accounts only during the active scan window; disable them at all other times.
    4. On non-Windows systems, do not allow remote root logins. Configure your scans to use privilege escalation such as su, sudo, pbrun, .k5login, or dzdo.
    5. Use key-based authentication instead of password authentication.
  2. Use Nessus Agents where available.
  3. If an exception for the privileged account is not granted even with compensating controls in place, perform a scan with an account having lower privileges than what Tenable recommends and note any missing results. Adjust the account privileges until no missing results are observed. Be aware that later changes to the audit file or plugins may affect results.
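The log-monitoring control above (1.1), together with the no-remote-root (1.4) and key-authentication (1.5) controls, can be checked from sshd's "Accepted" lines. The following is an added example, not code from Tenable or the Nessus User Guide; it assumes a scanning account named `nessus-scan`, an approved window of Saturday 02:00-06:00, and constructed log lines in rsyslog's ISO-timestamp format.

```python
import re
from datetime import datetime, time

# Assumptions (not from the Tenable page): the scanning account name and the
# approved scan window, Saturday 02:00-06:00 in the log's local time.
SCAN_ACCOUNT = "nessus-scan"
SCAN_DAY = 5                      # Monday=0 ... Saturday=5
SCAN_START, SCAN_END = time(2, 0), time(6, 0)

# sshd success line: "<iso-ts> <host> sshd[pid]: Accepted <method> for <user> from <ip> ..."
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)

def in_scan_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the approved scan window."""
    return ts.weekday() == SCAN_DAY and SCAN_START <= ts.time() < SCAN_END

def check_auth_log(lines):
    """Return (timestamp, reason) alerts for violations of controls 1.1, 1.4 and 1.5."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue                      # not a successful ssh login
        ts = datetime.fromisoformat(m["ts"])
        user, method, ip = m["user"], m["method"], m["ip"]
        if user == SCAN_ACCOUNT:
            if not in_scan_window(ts):    # control 1.1: use outside the window
                alerts.append((m["ts"], f"{user} login outside scan window from {ip}"))
            if method != "publickey":     # control 1.5: key auth expected
                alerts.append((m["ts"], f"{user} used {method} auth instead of a key"))
        elif user == "root":              # control 1.4: no remote root logins
            alerts.append((m["ts"], f"direct root login from {ip}"))
    return alerts

# Constructed sample lines (not real logs). 2024-03-09 is a Saturday, 2024-03-11 a Monday.
SAMPLE_LOG = [
    "2024-03-09T02:15:01+00:00 host1 sshd[1201]: Accepted publickey for nessus-scan from 10.0.0.5 port 50122 ssh2",
    "2024-03-11T14:03:44+00:00 host1 sshd[1340]: Accepted publickey for nessus-scan from 10.0.0.5 port 50190 ssh2",
    "2024-03-09T03:10:09+00:00 host2 sshd[2210]: Accepted password for nessus-scan from 10.0.0.5 port 50201 ssh2",
    "2024-03-09T03:12:30+00:00 host2 sshd[2215]: Accepted publickey for root from 10.0.0.5 port 50203 ssh2",
    "2024-03-09T03:20:00+00:00 host2 sshd[2220]: Accepted publickey for alice from 10.0.0.7 port 50300 ssh2",
]

if __name__ == "__main__":
    for ts, reason in check_auth_log(SAMPLE_LOG):
        print(ts, reason)
```

Only the first sample line is clean; the other scanning-account lines trigger one alert each, and the root login is flagged regardless of the window.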

For further information on credentialed checks, refer to the Nessus User Guide.