Unix Scanning Credential Requirement (Why Qualys PC requires root access)

Document created by Hariom Singh Employee on Oct 6, 2016

Why "sudo su -" is required:

 

Sudo is designed to run individual commands. PC scanning requires the scanner to run complex, linked sequences of commands that perform operations such as piping, I/O redirection, and inline execution. These linked commands (scripts) also contain the start and end markers used to capture output. Essentially the scanner is running small scripts, which require a secure environment for execution. Sudo provides that secure environment only for a single command and therefore cannot be used to run the scripts securely. To run a script in a secure environment one needs a root shell, hence the scanner executes "sudo su -" to obtain one.

 

In a nutshell, all of our data point detections are scripts that need to run as root. Running them as a non-root user would, in most cases, result in permission errors that cannot be distinguished from other error sources. That would result in incorrect data being returned by the scanner, which is why we do not support it. There is no way to make non-root scanning work reliably with a scanning model based on shell commands or shell scripts.

 

Customers should use appropriate account protection to secure the scanning account. They can obviously monitor such an account, restrict access to scan windows only, etc. The best way to alleviate such concerns would be to use authentication vaults.
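One way to act on the monitoring advice above is to audit the sudo log for the scanning account: every use outside the agreed scan window, every command other than the expected "su -", and every sudoers refusal is worth an alert. The following is an added example, not Qualys code; the log lines are constructed in the syslog format sudo writes (host names and times are made up), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Qualys document: audit sudo log lines for the
# scanning account. The sample log below is constructed; real deployments would
# feed /var/log/auth.log or /var/log/secure (or a SIEM export) on stdin.

sample_sudo_log() {
    cat <<'EOF'
Oct  6 02:05:11 host1 sudo: scanuser : TTY=pts/0 ; PWD=/home/scanuser ; USER=root ; COMMAND=/bin/su -
Oct  6 02:07:42 host1 sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get update
Oct  6 14:31:09 host1 sudo: scanuser : TTY=pts/2 ; PWD=/home/scanuser ; USER=root ; COMMAND=/bin/su -
Oct  6 14:32:55 host1 sudo: scanuser : TTY=pts/2 ; PWD=/home/scanuser ; USER=root ; COMMAND=/bin/bash
Oct  6 02:09:00 host1 sudo: scanuser : command not allowed ; TTY=pts/3 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
EOF
}

# audit_scan_account ACCOUNT START_HOUR END_HOUR EXPECTED_COMMAND
# Reads sudo log lines on stdin and prints one FLAG line for every use of
# ACCOUNT that falls outside the approved window [START_HOUR, END_HOUR), runs
# something other than EXPECTED_COMMAND, or was refused by sudoers.
# Syslog fields: $3 is the time, $5 is "sudo:", $6 is the invoking user.
audit_scan_account() {
    awk -v acct="$1" -v start="$2" -v end="$3" -v want="$4" '
        $5 == "sudo:" && $6 == acct {
            hour = substr($3, 1, 2) + 0
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            reason = ""
            if (hour < start || hour >= end)      reason = reason "outside scan window;"
            if (cmd != want)                      reason = reason "unexpected command;"
            if (index($0, "command not allowed")) reason = reason "sudoers denial;"
            if (reason != "") printf "FLAG [%s] %s\n", reason, $0
        }'
}

# Count flagged lines, e.g. for an alert threshold.
count_flags() { awk 'END { print NR }'; }

# Usage: scans are agreed for 02:00-04:00 and should only ever run "su -".
sample_sudo_log | audit_scan_account scanuser 2 4 "/bin/su -"
```

With the window set to 02:00-04:00, the two afternoon entries and the refused "vi /etc/sudoers" attempt are flagged while the in-window "su -" is not; the admin account is ignored because the audit is scoped to the scanning account.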

Credential Vaults Supported:

  • Cyber-Ark PIM Suite
  • Thycotic Secret Server
  • Quest Vault
  • CA Access Control
  • Hitachi ID PAM
  • Lieberman ERPM

Long Term Solution

The longer-term solution to this is to move away from shell scripts/commands to an agent-based approach similar to Windows, where we push a temporary agent to the target, which uses system APIs. That project is currently on hold, in early design, until the issues with our QA lab are resolved. ETA is anywhere from 6 to 8 months for the technology, plus the time needed to rewrite existing detections.

Security Considerations with Sudo:

  1. Difficult to restrict access to a root shell via the sudoers file - Let's say that you allow a user to execute the find command using sudo, which looks harmless, i.e. configuring the sudoers file with "scanuser ALL=/usr/bin/find". However, one can get to a root shell simply by executing the following command.

 sudo /usr/bin/find . -maxdepth 0 -name . -exec /bin/sh -c "su -" ";" -quit

This illustrates that trying to restrict shell access to individual "commands" in sudoers really serves no security purpose. Essentially, there is NO security difference whatsoever between permitting a command like "find" and permitting a shell in sudoers.

http://makeitcompliant.blogspot.com/2012/06/restricting-root-shell-and-root-user.html

  2. Improper error detection - For most checks certain types of errors are expected, e.g. "file not found" may be a legitimate condition that does not result in a control failure, if the missing file means that a particular piece of software is not installed and thus no policy violation exists. On the other hand, "access denied" would have to result in a control failure, since we cannot evaluate the control if we do not have access to some of its data. The problem is that without root access we cannot distinguish between the two cases, because the texts of error messages on Unix vary too much and are not reliable enough to be used in detections. Some commands do not even print real error messages at all. Because of this we have to use root during PC scans, to ensure that "access denied" never happens.
  3. Scan time - When each command is prefixed with sudo the scan time goes way up and can lead to scalability issues in large environments. From my past experience, using sudo to perform remote scanning was the most inefficient method.
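The error-detection point above (and the "permission errors cannot be distinguished" argument earlier on this page) comes down to one fact: a grep-based detection sees only grep's exit status, and grep exits 2 for any error, so a missing file and an unreadable file look identical. The following added example, which is not Qualys code, shows that collapse and a check that decides from file tests first so the outcomes stay distinct. The fixture files and function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Qualys document: how a grep-only detection
# conflates "file missing" with "permission denied", and a check that keeps
# the cases apart. Fixture files are constructed in a temporary directory.

# The style of check used on this page: the caller only sees grep's status.
# grep -s hides the message, and grep exits 2 for any error, so a missing
# file and a mode-000 file both come back as 2 (the page's "file not found").
grep_status() {
    pattern=$1 file=$2
    status=0
    grep -s -q "$pattern" "$file" 2>/dev/null || status=$?
    echo "$status"
}

# Test existence and readability before grepping, so four outcomes stay
# distinct: "file missing", "unreadable", "found", "setting not found".
classify_setting() {
    pattern=$1 file=$2
    if [ ! -e "$file" ]; then
        echo "file missing"
    elif [ ! -r "$file" ]; then
        echo "unreadable"
    elif grep -q "$pattern" "$file" 2>/dev/null; then
        echo "found"
    else
        echo "setting not found"
    fi
}

# Constructed fixture: a readable passwd-style file with a root entry, and an
# empty mode-000 file standing in for /etc/shadow as seen by an unprivileged
# scan account.
demo() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/readable"
    : > "$dir/locked"
    chmod 000 "$dir/locked"

    printf 'grep status, missing file:    %s\n' "$(grep_status '^root' "$dir/absent")"
    printf 'grep status, unreadable file: %s\n' "$(grep_status '^root' "$dir/locked")"
    printf 'classify, missing file:       %s\n' "$(classify_setting '^root' "$dir/absent")"
    printf 'classify, unreadable file:    %s\n' "$(classify_setting '^root' "$dir/locked")"
    printf 'classify, readable file:      %s\n' "$(classify_setting '^root' "$dir/readable")"
    printf 'classify, pattern absent:     %s\n' "$(classify_setting '^nobody' "$dir/readable")"
    rm -rf "$dir"
}

demo
```

Run as an unprivileged user, both the missing file and the mode-000 file give grep status 2, while classify_setting reports "file missing" and "unreadable" respectively. Run as root, the mode-000 file is readable anyway (it is empty, so the result is "setting not found"), which is exactly the property the scanner relies on when it insists on a root shell.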

Sample Scripts:

 

Scripts:
Ex. 1 -> run as root this returns a positive result, whereas run as the scan user with no higher privileges it returns "file not found" (grep cannot read /etc/shadow and exits with status 2, the same status it returns for a missing file).

 

grep -s '^root' /etc/shadow 1> /dev/null;qgc_err001=`echo $?`;if [ $qgc_err001 -eq 0 ]; then qgc_var001=$(expr `date +%s`);qgc_var002=`awk -F":" '/^root/ {print $3}' /etc/shadow`;echo $qgc_var001,$qgc_var002;elif [ $qgc_err001 -eq 1 ]; then echo "Setting not found" ;elif [ $qgc_err001 -eq 2 ]; then echo "file not found";else echo ERR;fi


 

Ex. 2 -> the purpose is to get the Protocol value from /etc/ssh/sshd_config.

Run as root: the Protocol value

Run as the scan user: Setting not found (the file exists, so the -f test passes, but grep cannot read it and returns nothing)

 

loc="";option="-Ei";file="/etc/ssh/sshd_config";cc="#";setting="Protocol";del="[[:blank:]]";bs="[[:blank:]]"; if [ -f "$file" 2>/dev/null ] ;then if [ `echo $del | egrep ".*blank.*"` ] && [ "x$loc" = "x" ] ; then qgc_var001=`grep $option "^$bs*$setting$bs*$del" $file 2>/dev/null | sed -e 's/'$cc'.*$//g'`;else if [ -n "$loc" ]; then qgc_var001=`$loc/grep $option "^$bs*$setting$bs*$del" $file 2>/dev/null | $loc/sed -e 's/'$cc'.*$//g'`;else qgc_var001=`grep $option "^$bs*$setting$bs*$del" $file 2>/dev/null | sed -e 's/'$cc'.*$//g'`;fi;fi;if [ -n "$qgc_var001" ]; then printf "%s" "$qgc_var001"; printf "%s" "$qgc_var001" 1>&2 ;else echo 'Setting not found'; fi ;else echo 'File not found'; fi;unset file cc setting del

 

Sample Output from History File:

echo __QUALYS\\_EOC__43__;(bs="[[:blank:]]";file="/etc/pam.d/system-auth";if [ -f $file ]; then qgc_var001=`grep -E "^$bs*auth$bs*(required|requisite)$bs*.*pam_tally2.so" $file|awk '{for(i=1;i<=NF;i++) if ($i ~ /deny=/) {split($i,a,"=");print a[2];} }'`; if [ -n "$qgc_var001" ] ; then echo "$qgc_var001"; else echo '161803399999999'; fi; else echo '314159265358979'; fi ) 2>/tmp/.qualys.f41a1fa4.2bd3.a4587ee1f5.42;echo __QUALYS\\_EOC__44__ echo __QUALYS\\_EOC__45__;cat /tmp/.qualys.f41a1fa4.2bd3.a4587ee1f5.42;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.a4587ee1f5.42;echo __QUALYS\\_EOC__46__ echo __QUALYS\\_EOC__47__;(loc="";option="-Ei";file="/etc/login.defs";cc=#;setting="FAIL_DELAY";del=[[:blank:]]; bs="[[:blank:]]"; if [ -f "$file" 2>/dev/null ] ;then if [ `echo $del | egrep ".*blank.*"` ] && [ "x$loc" = "x" ] ; then qgc_var001=`grep $option "^$bs*$setting$bs*$del" $file 2>/dev/null | sed -e 's/'$cc'.*$//g'`; else if [ -n "$loc" ]; then qgc_var001=`$loc/grep $option "^$bs*$setting$bs*$del" $file 2>/dev/null | $loc/sed -e 's/'$cc'.*$//g'`; else qgc_var001=`grep $option "^$bs*$setting$bs*$del" $file 2>/dev/null | sed -e 's/'$cc'.*$//g'`;fi; fi; if [ -n "$qgc_var001" ]; then printf "%s" "$qgc_var001"; printf "%s" "$qgc_var001" 1>&2 ; else echo '161803399999999'; fi ; else echo '314159265358979'; fi; unset file cc setting del ) 2>/tmp/.qualys.f41a1fa4.2bd3.2f115cd805.46;echo __QUALYS\\_EOC__48__ echo __QUALYS\\_EOC__49__;cat /tmp/.qualys.f41a1fa4.2bd3.2f115cd805.46;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.2f115cd805.46;echo __QUALYS\\_EOC__50__ echo __QUALYS\\_EOC__51__;(bs="[[:blank:]]";file="/etc/pam.d/system-auth";if [ -f $file ]; then qgc_var001=`grep -E "^$bs*auth$bs*optional$bs*.*pam_faildelay.so" $file|awk '{for(i=1;i<=NF;i++) if ($i ~ /delay=/) {split($i,a,"=");print a[2];} }'`; if [ -n "$qgc_var001" ] ; then echo "$qgc_var001"; else echo '161803399999999'; fi; else echo '314159265358979'; fi ) 2>/tmp/.qualys.f41a1fa4.2bd3.5e7e32bc22.50;echo __QUALYS\\_EOC__52__ echo 
__QUALYS\\_EOC__53__;cat /tmp/.qualys.f41a1fa4.2bd3.5e7e32bc22.50;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.5e7e32bc22.50;echo __QUALYS\\_EOC__54__ echo __QUALYS\\_EOC__55__;(qgc_var001=`awk -F: '($2 == ""){print $1}' /etc/shadow`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo '161803399999999'; fi; ) 2>/tmp/.qualys.f41a1fa4.2bd3.bc5964876c.54;echo __QUALYS\\_EOC__56__ echo __QUALYS\\_EOC__57__;cat /tmp/.qualys.f41a1fa4.2bd3.bc5964876c.54;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.bc5964876c.54;echo __QUALYS\\_EOC__58__ echo __QUALYS\\_EOC__59__;(qgc_var001=`awk -F: ' ($3 == "0"){print $1}' /etc/passwd`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo '161803399999999'; fi; ) 2>/tmp/.qualys.f41a1fa4.2bd3.14d94313db.58;echo __QUALYS\\_EOC__60__ echo __QUALYS\\_EOC__61__;cat /tmp/.qualys.f41a1fa4.2bd3.14d94313db.58;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.14d94313db.58;echo __QUALYS\\_EOC__62__ echo __QUALYS\\_EOC__63__;(qgc_var001=`awk -F: '($1 == "root"){print $6}' /etc/passwd`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo '161803399999999'; fi; ) 2>/tmp/.qualys.f41a1fa4.2bd3.31ae68ccb0.62;echo __QUALYS\\_EOC__64__ echo __QUALYS\\_EOC__65__;cat /tmp/.qualys.f41a1fa4.2bd3.31ae68ccb0.62;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.31ae68ccb0.62;echo __QUALYS\\_EOC__66__ echo __QUALYS\\_EOC__67__;(qgc_var001=`echo "$ORIG_PATH" | grep '::'`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo "161803399999999";fi ) 2>/tmp/.qualys.f41a1fa4.2bd3.b485273fde.66;echo __QUALYS\\_EOC__68__ echo __QUALYS\\_EOC__69__;cat /tmp/.qualys.f41a1fa4.2bd3.b485273fde.66;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.b485273fde.66;echo __QUALYS\\_EOC__70__ echo __QUALYS\\_EOC__71__;(qgc_var001=`echo "$ORIG_PATH" | grep -E ":$"`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo "161803399999999";fi ) 2>/tmp/.qualys.f41a1fa4.2bd3.bf3a0ec969.70;echo __QUALYS\\_EOC__72__ echo __QUALYS\\_EOC__73__;cat /tmp/.qualys.f41a1fa4.2bd3.bf3a0ec969.70;/bin/rm -f 
/tmp/.qualys.f41a1fa4.2bd3.bf3a0ec969.70;echo __QUALYS\\_EOC__74__ echo __QUALYS\\_EOC__75__;(qgc_var001=`echo "$ORIG_PATH" | awk -F: '{for(i=1;i<=NF;i++) if ($i ~ /^\./) {print ; } }'`; if [ -n "$qgc_var001" ]; then echo "$ORIG_PATH"; else echo "161803399999999";fi ) 2>/tmp/.qualys.f41a1fa4.2bd3.99f3d040b6.74;echo __QUALYS\\_EOC__76__ echo __QUALYS\\_EOC__77__;cat /tmp/.qualys.f41a1fa4.2bd3.99f3d040b6.74;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.99f3d040b6.74;echo __QUALYS\\_EOC__78__ echo __QUALYS\\_EOC__79__;(qgc_var001=`echo "$ORIG_PATH" | grep -E "^:"`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo "161803399999999";fi ) 2>/tmp/.qualys.f41a1fa4.2bd3.25e03c628c.78;echo __QUALYS\\_EOC__80__ echo __QUALYS\\_EOC__81__;cat /tmp/.qualys.f41a1fa4.2bd3.25e03c628c.78;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.25e03c628c.78;echo __QUALYS\\_EOC__82__ echo __QUALYS\\_EOC__83__;(qgc_var001=`for dir in \`echo $ORIG_PATH | sed -e 's/\.//g' -e 's/::/:/g' -e 's/^://g' -e 's/:$//g' -e 's/:/ /g'\`; do if [ -d "$dir" ]; then dirperm=\`ls -ld "$dir" 2>/dev/null \`; if [ \`echo $dirperm | cut -c6\` != "-" ]; then file2=\`ls -ld "$dir" 2>/dev/null | awk '{OFS=":"; print $3,$4,substr($1,2),$9}' \`; echo "$file2";fi;fi;done`;if [ -n "$qgc_var001" ]; then echo "$qgc_var001";else echo "161803399999999";fi ) 2>/tmp/.qualys.f41a1fa4.2bd3.56f312a1f8.82;echo __QUALYS\\_EOC__84__ echo __QUALYS\\_EOC__85__;cat /tmp/.qualys.f41a1fa4.2bd3.56f312a1f8.82;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.56f312a1f8.82;echo __QUALYS\\_EOC__86__ echo __QUALYS\\_EOC__87__;(qgc_var001=`for dir in \`echo $ORIG_PATH | sed -e 's/\.//g' -e 's/::/:/g' -e 's/^://g' -e 's/:$//g' -e 's/:/ /g'\`; do if [ -d "$dir" ]; then dirperm=\`ls -ld "$dir" 2>/dev/null \`; if [ \`echo $dirperm | cut -c9\` != "-" ]; then file2=\`ls -ld "$dir" 2>/dev/null | awk '{OFS=":"; print $3,$4,substr($1,2),$9}' \`; echo "$file2";fi;fi;done`;if [ -n "$qgc_var001" ]; then echo "$qgc_var001";else echo "161803399999999";fi ) 
2>/tmp/.qualys.f41a1fa4.2bd3.5db0487856.86;echo __QUALYS\\_EOC__88__ echo __QUALYS\\_EOC__89__;cat /tmp/.qualys.f41a1fa4.2bd3.5db0487856.86;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.5db0487856.86;echo __QUALYS\\_EOC__90__ echo __QUALYS\\_EOC__91__;(list="`awk -F: '($1 == "root"){print $6}' /etc/passwd 2>/dev/null`";type=d; type=`echo $type | sed -e 's/f/-/g'`; if [ -n "$list" ]; then qgc_var001=`ls -alLd $list 2>&1 | awk "/^[$type]/"'{OFS=":"; print $3,$4,substr($1,2),$NF}'`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo 314159265358979; fi; else echo 314159265358979; fi; unset file list type ) 2>/tmp/.qualys.f41a1fa4.2bd3.ede265f6dc.90;echo __QUALYS\\_EOC__92__ echo __QUALYS\\_EOC__93__;cat /tmp/.qualys.f41a1fa4.2bd3.ede265f6dc.90;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.ede265f6dc.90;echo __QUALYS\\_EOC__94__ echo __QUALYS\\_EOC__95__;(file="/etc/securetty"; s=".*"; cc="#"; if [ -f $file ]; then if [ "$cc" ]; then qgc_var001=`grep -E "$s" $file 2>/dev/null | sed -e 's/'$cc'.*$//g' -e '/^[[:blank:]]*$/d'`; else qgc_var001=`grep -E "$s" $file 2>/dev/null | sed -e '/^[[:blank:]]*$/d'`; fi; if [ -n "$qgc_var001" ]; then printf "%s" "$qgc_var001"; else echo "161803399999999"; fi; else echo "314159265358979"; fi; unset file s cc ) 2>/tmp/.qualys.f41a1fa4.2bd3.ec2085534f.94;echo __QUALYS\\_EOC__96__ echo __QUALYS\\_EOC__97__;cat /tmp/.qualys.f41a1fa4.2bd3.ec2085534f.94;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.ec2085534f.94;echo __QUALYS\\_EOC__98__ echo __QUALYS\\_EOC__99__;(qgc_var001=`cut -d: -f 1,4 /etc/passwd|egrep ":[1-4][0-9]{2}$|:[0-9]{1,2}$"`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo "161803399999999";fi ) 2>/tmp/.qualys.f41a1fa4.2bd3.1c56e7ee6f.98;echo __QUALYS\\_EOC__100__ echo __QUALYS\\_EOC__101__;cat /tmp/.qualys.f41a1fa4.2bd3.1c56e7ee6f.98;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.1c56e7ee6f.98;echo __QUALYS\\_EOC__102__ echo __QUALYS\\_EOC__103__;(qgc_var001=`awk -F':' 'NR==FNR{!a[$3]++;next}!($4 in a)' /etc/group /etc/passwd |awk -F':' 
'{OFS=":"; print $1,$4}'`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo "161803399999999";fi ) 2>/tmp/.qualys.f41a1fa4.2bd3.947dff13a5.102;echo __QUALYS\\_EOC__104__ echo __QUALYS\\_EOC__105__;cat /tmp/.qualys.f41a1fa4.2bd3.947dff13a5.102;/bin/rm -f /tmp/.qualys.f41a1fa4.2bd3.947dff13a5.102;echo __QUALYS\\_EOC__106__ echo __QUALYS\\_EOC__107__;(list="/etc";type=d; type=`echo $type | sed -e 's/f/-/g'`; if [ -n "$list" ]; then qgc_var001=`ls -alLd $list 2>&1 | awk "/^[$type]/"'{OFS=":"; print $3,$4,substr($1,2),$NF}'`; if [ -n "$qgc_var001" ]; then echo "$qgc_var001"; else echo 314159265358979; fi; else echo 314159265358979; fi; unset file list type ) 2>/tmp/.qualys.f41a1fa4.2bd3.6b2e5d3b6f.106;echo __QUALYS\\_EOC__108__
