
Privileges required to scan UNIX targets from Symantec Control Compliance Suite Vulnerability Manager (CCS VM)


Article ID: 161299


Products

Control Compliance Suite Vulnerability Manager

Issue/Introduction

What are the privileges required to scan UNIX targets from Symantec Control Compliance Suite Vulnerability Manager (CCS VM) ?

Cause

Refer to this article when granting privileges to the sudo user account on the target Linux machines, so that Symantec CCS VM can successfully perform authenticated scanning for vulnerability analysis.
 

Resolution

For scanning Linux systems, root access is required for certain checks but not for most others. If you plan to scan with a non-root user, make sure the account has the permissions specified below, and be aware that certain checks cannot be performed by a non-root user, so the corresponding vulnerabilities will not be reported. The following sections give guidelines on what to configure and on what can only be found with root access. Because the checks are complex and updated frequently, this list is not guaranteed to be comprehensive.

 
NOTE: The application expects the listed commands to be on the scan account's PATH, and expects no non-standard PATH collisions (a different binary with the same name appearing earlier on the PATH).
 
--------------------------------------------------------------
 
For the following types of distributions, the account needs execute permissions as indicated.
 
Debian-based distributions (e.g. Ubuntu):
  • uname
  • dpkg
  • egrep
  • cut
  • xargs
RPM-based distributions (e.g. Red Hat, SUSE, or Oracle):
  • uname -a
  • rpm -qa
Unix or AIX:
  • lslpp -cL to list packages
Cisco:
  • The account needs to be able to do a “show tech-support password”
FreeBSD:
  • The user account needs permissions to execute cat /var/db/freebsd-update/tag.
  • Version fingerprinting requires root to reliably fingerprint versions earlier than 10.
--------------------------------------------------------------
 
The account also needs to be able to perform the following commands for certain checks:
 
Command         Root Access Needed?
cat             Depends on file
find            Depends on file
mysqlaccess     No
mysqlhotcopy    No
sh              No
sshd            No
suid            Yes
sysctl          Depends on file
dmidecode       Depends on data
perlsuid        Depends on file
apt-get/rpm     Depends on OS
 
--------------------------------------------------------------
 
Nexpose will attempt to scan certain files, and will be able to perform the corresponding checks if the user account has the appropriate access to those files. The following is a list of files that the account needs to be able to access:
 
File                                                                              Root Access Needed?
/etc/group                                                                        No
/etc/passwd                                                                       No
grub.conf                                                                         No
menu.lst                                                                          No
lilo.conf                                                                         No
syslog.conf                                                                       No
/etc/permissions                                                                  No
/etc/securetty                                                                    No
/var/log/postgresql                                                               No
/etc/hosts.equiv                                                                  No
.netrc search: find /root /home -type f -name .netrc -xdev                        No
World writable file search over '/', '/dev', '/sys', '/proc', '/home', '/var', '/etc'   Yes
/etc/master.passwd                                                                No
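The lists above are only useful if you verify them before the scan window. The following POSIX shell script is an added example, not part of this article and not Symantec's or Rapid7's tooling: run it as the scan account on a target host and it reports which of the listed commands and files that account can actually reach, runs the world-writable file search the way a non-root user would (so you can see why that check is marked root-only), and renders a least-privilege sudoers line for the commands you decide to elevate. The account name scanuser, the sudoers line format, and the subset of commands and files chosen are assumptions made for the example.

```shell
#!/bin/sh
# Pre-scan privilege check for a CCS VM / Nexpose scan account.
# Added example, not Symantec's or Rapid7's code. Run it AS the scan account
# on the target host:  sh check_scan_privs.sh --run
# The account name "scanuser" and the sudoers format are assumptions.

# Commands the scan account must be able to execute (taken from the article's
# distribution lists and command table; a subset, kept short for the example).
SCAN_COMMANDS="uname dpkg rpm egrep cut xargs cat find sh sysctl dmidecode"

# Files the scan account must be able to read (from the article's file table).
SCAN_FILES="/etc/group /etc/passwd /etc/securetty /etc/hosts.equiv"

# check_cmd NAME: success if NAME resolves on the current PATH
# (the article notes the scanner relies on PATH, not on absolute paths).
check_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# check_file PATH: success if the current account can read PATH.
check_file() {
    [ -r "$1" ]
}

# world_writable_search DIR: list world-writable regular files under DIR,
# staying on one filesystem (-xdev) like the article's .netrc search.
# As a non-root user, directories you cannot enter are silently skipped,
# which is why the article marks the filesystem-wide search as root-only.
world_writable_search() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# sudoers_line USER CMD...: render a least-privilege sudoers entry that lets
# USER run only the given commands as root, by absolute path. Assumed format;
# review the output before installing it under /etc/sudoers.d/.
# Fails (returns 1) if none of the commands resolve on PATH.
sudoers_line() {
    user=$1; shift
    list=""
    for c in "$@"; do
        p=$(command -v "$c" 2>/dev/null) || continue
        list="${list:+$list, }$p"
    done
    [ -n "$list" ] || return 1
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$list"
}

# report: print one status line per command and file; the exit status is the
# number of unreachable items, so 0 means every listed item is available.
report() {
    missing=0
    for c in $SCAN_COMMANDS; do
        if check_cmd "$c"; then echo "ok      cmd  $c"
        else echo "MISSING cmd  $c"; missing=$((missing + 1)); fi
    done
    for f in $SCAN_FILES; do
        if check_file "$f"; then echo "ok      file $f"
        else echo "MISSING file $f"; missing=$((missing + 1)); fi
    done
    return $missing
}

if [ "${1:-}" = "--run" ]; then
    report
    echo "Suggested sudoers entry for the root-dependent commands (dmidecode, sysctl):"
    sudoers_line "${SUDO_USER:-scanuser}" dmidecode sysctl \
        || echo "(neither command found on PATH)"
fi
```

Commands reported as MISSING on a Debian host for rpm (or dpkg on an RPM host) are expected; the point is that every item the article lists for your distribution comes back ok before the authenticated scan runs.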

 

--------------------------------------------------------------
 
For certain checks, root access is required. If you choose to scan with a non-root user, be aware that these vulnerabilities will not be found, even if they exist on your system. The following is a list of checks that require root access:
 
Note: You can search for the Vulnerability ID in the Security Console to find the description and other details.
 
Vulnerability Title                                     Vulnerability ID
Solaris Serial Login Prompts                            solaris-serial-login-prompts
Solaris Loose Destination Multihoming                   solaris-loose-dst-multihoming
Solaris Forward Source Routing Enabled                  solaris-forward-source-route
Solaris Echo Multicast Reply Enabled                    solaris-echo-multicast-reply
Solaris ICMP Redirect Errors Accepted                   solaris-redirects-accepted
Solaris Reverse Source Routing Enabled                  solaris-reverse-source-route
Solaris Forward Directed Broadcasts Enabled             solaris-forward-directed-broadcasts
Solaris Timestamp Broadcast Reply Enabled               solaris-timestamp-broadcast-reply
Solaris Echo Broadcast Reply Enabled                    solaris-echo-broadcast-reply
Solaris Empty Passwords                                 solaris-empty-passwords
OpenSSH config allows SSHv1 protocol                    unix-check-openssh-ssh-version-two
.rhosts files exist                                     unix-rhosts-file
Root's umask value is unsafe                            umask-unsafe
.netrc files exist                                      unix-netrc-files
MySQL mysqlhotcopy Temporary File Symlink Attack        mysql-mysqlhotcopy-temp-file
Partition Mounting Weakness                             unix-partition-mounting-weakness

 


Applies To

Target UNIX machines