I am looking for assistance on getting the Policy & Compliance scans to run authenticated. Are you doing it? How did you accomplish and convince your UNIX folks to let Qualys run and execute root-level commands?
I once received a detailed list of commands that are executed during an authenticated scan on UNIX. Although this list is probably outdated by now, I can give you the details if you PM me.
You could also ask technical support to send you the most recent list...
I created scan accounts for them, restricted to their asset groups, that they could include in their SOP. When they were included in the configuration and schedule, the UNIX folks were more than happy to make it automated and have the high-visibility vulns remediated.
John - do you have any digital password vaults installed in your UNIX environment?
Sorry, the issue is not a question of safeguarding the password, it is allowing Qualys to run root-level commands on our machines.
Thread was moved to the Policy Compliance community.
Convincing people to allow you root access can be hard, how about convincing the Unix guys to setup a set of key pairs so you can authenticate and then use sudo to run the commands?
At the end of the day you give them better information if you can get root-level access, and I'm sure they run a similar set of tools on their own systems that check patches with a similar level of access as root. If they don't, then that could be another reason that they should allow you access!
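The key-pair-plus-sudo setup suggested above, written out as config as an added illustration (this is not from the original post or from Qualys). Everything here is assumed: the account name `qualys-scan`, the scanner address `192.0.2.10`, the file paths, and above all the command list in the `Cmnd_Alias`, which is only a placeholder for the list of commands you get from Qualys support for your OS.

```text
# --- /etc/ssh/sshd_config.d/scan.conf (assumed path): key-only login for the scan account ---
Match User qualys-scan
    PasswordAuthentication no
    PubkeyAuthentication yes
    X11Forwarding no
    AllowAgentForwarding no

# --- ~qualys-scan/.ssh/authorized_keys: accept the scanner's key only from the scanner appliance ---
# (192.0.2.10 is a constructed address; the key material is elided)
from="192.0.2.10",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...scanner-public-key... qualys-scanner

# --- /etc/sudoers.d/qualys-scan: what the Unix team will usually reject ---
# qualys-scan ALL = (ALL) NOPASSWD: ALL

# --- /etc/sudoers.d/qualys-scan: restricted form to propose instead ---
# Command list is illustrative only; replace it with the list Qualys support provides.
Cmnd_Alias QUALYS_PC = /usr/bin/cat /etc/ssh/sshd_config, /usr/bin/stat /etc/passwd, /usr/sbin/sysctl -a
Defaults:qualys-scan !requiretty, log_output, log_input
qualys-scan ALL = (root) NOPASSWD: QUALYS_PC
```

Check the fragment with `visudo -cf /etc/sudoers.d/qualys-scan` before it goes live, and have the Unix team run `sudo -l -U qualys-scan` themselves so they can see exactly which commands the account can run as root. Because every invocation goes through sudo, each command lands in syslog (and, with `log_output`, its output is captured too), which gives them the audit trail to verify that the scanner only ever runs what the list says.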
Thanks for the replies. It is really just a concern that the commands being run could have horrific impacts on the environment.
Your question, John, is always a challenge. Here's what I did to gather "buy-in" from my Unix team. (By the way, I've been running Qualys PC on our computing environment for approximately 2 years. My environment is made up of over 600 Unix servers and about 4000 Windows boxes.)
1.) Get the technical details from Qualys stating why root level access is needed.
2.) What Clement mentioned above is a great idea.
3.) I did the following and it worked great for me. I got a cross section of Unix servers that represented our Unix OS environment. These servers were test and dev. I made sure I could scan them any time I wanted and that my Unix contact and I could make config changes (within reason) during the day.
Once my Unix contact and his manager realized the PC scans were pretty benign, we took the next steps to productionize the PC scans.
We've had no issues since turning that scan feature on. (We also do Vuln scans as well.) I do PC scans once a week and vuln scans once a week. The scans do not overlap.
Hopefully you find this helpful.