Nessus UNIX Configuration Auditing "sudo" Support
Tenable's research group recently added support to all SSH enabled UNIX configuration audits to make use of "sudo". Support is available in version 1.4.4 of the UNIX compliance checks.
Some organizations explicitly prohibit remote "root" logins to their UNIX servers. However, many of these organizations do allow a "non-root" login which has access to the "sudo" command. The "sudo" facility allows a non-root user to run specific restricted commands at the root level. Activity related to "sudo" can be logged as well.
When Nessus logs into a UNIX host via SSH, if the remote account used to login is not "root", it will attempt the command "sudo id". If the identification of the root user is returned, Nessus will perform the configuration checks through the "sudo" command. If the "sudo" facility has not been configured, or it requires a password, Nessus won't use "sudo" and will instead perform it's audit with whatever privileges the remote user account has access to.
When configuring your "sudo" facility, keep the following guidelines in mind:
- The account used by Nessus should be able to run the command "id" and see that it is effectively running as root without being prompted for a password.
- The "sudo" facility should be configured to log all commands run by the Nessus account, including failed commands. These logs can be audited by the Log Correlation Engine to ensure only authorized users are running commands.
- If you've restricted the list of commands available to the remote Nessus auditing account, you should perform some test audits to see if your Nessus scan policies can complete their audits. There is nothing wrong with restricting the commands allowed through "sudo", but testing this prior to performing an audit is important.
If you are using Nessus with the Direct Feed or Security Center, you do not need to make any changes to your existing scan policies. However, with this new update, you now have the flexibility to configure your target UNIX systems with accounts that have access to the "sudo" facility to support your CIS, NIST and other types of configuration audits.