
Elevated Privilege Failures

by Andrew Freeborn
July 28, 2016

Organizations using Tenable Nessus obtain a tremendous amount of detail about their environment, such as vulnerabilities, installed software, and the hardware supporting it. Nessus provides valuable insight into systems so the organization can protect them. As with any piece of software or hardware, Nessus needs to be properly configured to ensure the best scan results are returned to the analyst. Each organization will have different methods of account management and different accounts that Nessus can use to SSH (secure shell) into systems.

Analysts create scans within Nessus for many tasks such as compliance, Windows patch verification, or general vulnerability scanning. For credentialed scans of systems, analysts can configure Nessus to use SSH username/password credentials. Configuring a credentialed scan with SSH credentials allows Nessus to gather detailed information from the system.

If a Nessus scan is configured with SSH credentials for a regular user account, basic information about a system can be retrieved. However, an SSH credentialed scan can include a regular user account along with credentials for “su/sudo”. The “su/sudo” credentials allow the scan to gain higher privileges on the system through an administrator or root account.

When Nessus attempts to connect to a system with SSH, the first set of credentials is used to make a connection. Once Nessus is able to create a session with SSH, Nessus will try to elevate privileges with “su/sudo” to retrieve further information from the system. If Nessus is unable to perform this action, Nessus plugin 12634 will report that the attempt to elevate permissions was unsuccessful. This dashboard stems from a Discussion Forums post about the capabilities of this plugin and the value of this information to analysts (https://discussions.nessus.org/message/14694).

This dashboard identifies scans in which Nessus plugin 12634 reported the specific failure message within its plugin output. With this dashboard, analysts can identify systems where the scan did not have adequate permissions for in-depth scanning over SSH with username/password credentials. Along with each system identified by this plugin, the details of the plugin output are provided to further assist analysts in remediating the SSH credential issue. To avoid confusion, this dashboard only addresses “su/sudo” failures that occur when Nessus attempts to elevate privileges during a scan. It does not address attempts by users who try to elevate privileges with “su/sudo” and are unsuccessful.
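The two paragraphs above describe the logic the dashboard applies: look at plugin 12634 on each scanned host and separate “logged in and elevated” from “logged in but could not elevate”. The script below is an added example, not Tenable code, that applies the same logic to an exported Nessus v2 (.nessus) report file, which is XML made of ReportHost and ReportItem elements. The sample report is constructed inline, and the failure phrases in FAILURE_PATTERNS are assumed rather than the verbatim wording of the plugin; adjust them to the text your Nessus version actually emits. The rule that a host with no plugin 12634 result at all never completed a credentialed login is likewise an assumption made for the example.

```python
"""Classify hosts in a .nessus v2 export by the result of plugin 12634.

Added example (not Tenable's code). Assumptions: the report uses the
NessusClientData_v2 layout (ReportHost > ReportItem > plugin_output), the
failure wording below resembles what the plugin prints, and a host that has
no plugin 12634 result never got a credentialed login at all.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

PLUGIN_ID = "12634"  # Authenticated check / package enumeration plugin from the page

# Assumed phrases that signal the su/sudo step failed after a successful login.
# These are NOT quoted from the page; replace with your plugin's real wording.
FAILURE_PATTERNS = [
    re.compile(r"not\s+possible\s+to\s+elevate\s+privileges", re.I),
    re.compile(r"failed\s+to\s+elevate", re.I),
    re.compile(r"sudo.*(denied|failed|incorrect password)", re.I),
]

# Constructed sample export: one host elevated, one could not, one was never
# checked with credentials (only an unauthenticated service-detection result).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed-example">
    <ReportHost name="10.0.0.5">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="12634" pluginName="Authenticated Check">
        <plugin_output>
Nessus was able to log in via SSH and elevate privileges with sudo.
The remote Linux distribution was identified.
        </plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="12634" pluginName="Authenticated Check">
        <plugin_output>
It was not possible to elevate privileges with sudo:
sudo: 3 incorrect password attempts
        </plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.7">
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="22964" pluginName="Service Detection">
        <plugin_output>An SSH server is running on this port.</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def _plugin_output(host: ET.Element, plugin_id: str) -> List[str]:
    """Return the plugin_output text of every ReportItem for plugin_id on host."""
    return [
        item.findtext("plugin_output") or ""
        for item in host.iter("ReportItem")
        if item.get("pluginID") == plugin_id
    ]


def summarize(nessus_xml: str) -> Dict[str, List[str]]:
    """Bucket each host: elevated, elevation_failed, or no_credentialed_check."""
    root = ET.fromstring(nessus_xml)
    summary: Dict[str, List[str]] = {
        "elevated": [],
        "elevation_failed": [],
        "no_credentialed_check": [],
    }
    for host in root.iter("ReportHost"):
        name = host.get("name", "?")
        outputs = _plugin_output(host, PLUGIN_ID)
        if not outputs:
            # Assumption: no 12634 result means the credentialed login itself
            # never succeeded, which is a different problem from su/sudo failure.
            summary["no_credentialed_check"].append(name)
            continue
        text = "\n".join(outputs)
        if any(p.search(text) for p in FAILURE_PATTERNS):
            summary["elevation_failed"].append(name)
        else:
            summary["elevated"].append(name)
    return summary


def elevation_failures(nessus_xml: str) -> List[str]:
    """Just the hosts the dashboard on this page would list."""
    return summarize(nessus_xml)["elevation_failed"]


if __name__ == "__main__":
    for bucket, hosts in summarize(SAMPLE_NESSUS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The three buckets matter because the remediation differs: a host under elevation_failed has working login credentials and only needs its su/sudo configuration (or the escalation credentials in the scan policy) fixed, while a host under no_credentialed_check needs the base SSH credentials looked at first. If you feed exports from sources you do not control into this parser, use the defusedxml package's equivalent of fromstring rather than the standard library parser.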

This dashboard is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring. The dashboard requirements are:

  • SecurityCenter 5.2
  • Nessus 6.7
  • “Full Text Search” enabled for each analyzed repository

Tenable SecurityCenter Continuous View (CV) provides continuous network monitoring, vulnerability identification, and security monitoring. SecurityCenter is continuously updated with information about advanced threats and zero-day vulnerabilities, and with new types of regulatory compliance configuration audit files. Tenable constantly analyzes information from our unique sensors, delivering continuous visibility and critical context, enabling decisive action that transforms your security program from reactive to proactive. Active scanning examines the devices on the network, their running processes and services, configuration settings, and vulnerabilities. With this information, analysts have greater insight to determine whether supported software and systems are operating within the organization. Continually scanning the network, servers, desktops and applications helps prioritize security efforts to mitigate threats and weaknesses. Tenable enables powerful, yet non-disruptive, continuous monitoring of the organization to ensure vulnerability information is available to analysts.

This dashboard contains the following components:

  • Elevated Privilege Failures - Privilege failures over the last 3 days: This trend line component displays the failures of specific elevation techniques over the last 3 days
  • Account Status Indicators - Group Memberships: There are several default groups such as the administrators, server operators, account operators, backup operators, print operators, and replicator; this matrix provides an easy method to monitor these memberships
  • Elevated Privilege Failures - Specific privilege failures: This matrix component displays the failures of specific elevation techniques
  • CSF - Access Information and Changes (Last 72 Hours): This matrix component can help an analyst quickly pull up information on systems where certain user access-related events and changes have occurred
  • Elevated Privilege Failures - Hosts with privilege failures: This table component displays the hosts with failures of specific elevation techniques