Security Basics mailing list archives

RE: Question on root credentials for scanning

From: "Hung Lee" <hlee () xogrp com>
Date: Fri, 23 Sep 2011 16:33:36 -0400

Couldn't agree with you more on Nessus.  That's what we use for all our
internal scans.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Todd Haverkos
Sent: Friday, September 23, 2011 12:43 PM
To: Shobana Narayanaswamy
Cc: security-basics () securityfocus com
Subject: Re: Question on root credentials for scanning

Shobana Narayanaswamy <snaraya () opnet com> writes:

Hi:

I am a newbie to security and scanning. Here is my question:

Do you generally need root credentials in order for the scan to 
produce detailed results? When I run a scan without root credentials, 
it comes up very little info. However, when I supply root credentials,

I get several useful reports. It appears that the scanner detects the 
OS version and other s/w component versions only if it is provided 
root access.

What's best depends on your goals, but generally, yes, credentialed
gives you a far far more actionable report. But if you're doing a test
for a client who wants to know what they look like to an attacker
without credentials, obviously black box and uncredentialed is the right
call.

If you are scanning your own assets on the internal network to harden
them and determine what machines have software that's not getting
patched, then absolutely--credentialed scanning is the way to go.

Since you mention root, the assumption is that you're scanning *nix
boxes. A low privileged account can get you most of where you need to
go for most patch checks, but a root level account is needed to run some
checks on certain configuration dependendent vulnerabilities, so if you
have one avaialble to you, root would be the better way to go.
I have a vague recollection that Solaris cared about this more than
Linux did, but I can't recall.

However, it's not a great idea to allow direct root logins via ssh or
allowing password auth, so picking a scanner that knows what it's doing
with su and sudo and supports public key ssh auth well would be
something you should strongly consider. Nessus and Tenable Security
Center, by the way, really outshine the competition on this point if
this is a priority to you.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide
we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how
to test, purchase, install and use a thawte Digital Certificate on your
Apache web server. Throughout, best practices for set-up are highlighted
to help you ensure efficient ongoing management of your encryption keys
and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

This email (and any attachments) is the property of XO Group Inc. or one of its subsidiaries. It is intended only for
the person(s) to which it is addressed and may contain information that is privileged, confidential or otherwise
protected from disclosure. Distribution or copying of this email or the information contained herein by anyone other
than the intended recipient(s) is strictly prohibited. If you are not an intended recipient and have received this
email in error, please notify the sender immediately by replying to this email and destroy all electronic and paper
copies of this message.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

Question on root credentials for scanning Shobana Narayanaswamy (Sep 22)
- Re: Question on root credentials for scanning Nikhil Wagholikar (Sep 23)
- RE: Question on root credentials for scanning Mikhail A. Utin (Sep 23)
  - RE: Question on root credentials for scanning Hung Lee (Sep 23)
- RE: Question on root credentials for scanning David Gillett (Sep 23)
- Re: Question on root credentials for scanning AK (Sep 23)
- Re: Question on root credentials for scanning Todd Haverkos (Sep 23)
  - RE: Question on root credentials for scanning Hung Lee (Sep 23)
- <Possible follow-ups>
- Re: Question on root credentials for scanning Sandeep Cheema (Sep 23)
- Re: Question on root credentials for scanning anilk (Sep 23)