Inability to credentialed Scan PAM instances

Article ID: 266761

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Although you have configured the correct credentials to perform Nessus vulnerability and compliance scanning on the CAPAM instance, you are unable to perform a credentialed scan against it. Being unable to run a credentialed scan leaves a gap in your systems security posture.

Cause

Nessus credentialed scans work by logging in to the target, in this case the PAM instance/appliance, with credentials for that server. This is not possible for a PAM appliance.

Resolution

No credentialed scans can be configured for PAM appliances. This is by design.

Additional Information

Part of what hardens CA PAM is that no one, including system administrators, can access the console or backend. The only port open to external access by default is port 443. Several other ports must be open between cluster nodes, but these are not reachable by any other resource.

The only access method to the backend of PAM appliances is through Broadcom Support, and even then SSH access must be manually started before that access, and control of the session is never handed over to the customer. It uses private key authentication, and the key expires 6 months from when it was created, not from when it was added to the system. Furthermore, the SSH port can only be opened for a limited time: the default is 1 week and the maximum is 30 days. See the page "Configure System Diagnostics, Maintenance, and Cluster Tuning Options" in the latest CA PAM manual for more information on how to enable it.

PAM development follows the Broadcom Secure Software Development Lifecycle (SSDLC).