I am looking for best practices for scanning Macs for vulnerabilities. Any help would be appreciated.
We have about 200 Macs in our environment. Initially they implemented authentication using a local account on every system. I found this ineffective once I took over, because the Auth Record Report showed there was either no setting or an improper configuration for the sudoers file.
My new plan is to use SSH keys and a domain account. SSH keys can be updated/pushed out by the Linux admins or installed at the time of the build. The domain account allows for password cycling to stay within enterprise standards. The hardest part is going to be ensuring the sudoers file is properly configured.
I plan to use this practice for our macOS users as well as our servers across the entire enterprise.
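The sudoers check the post calls "the hardest part" can be scripted. The following is an added example, not code from the original thread or from Qualys: a POSIX shell audit that reads a sudoers file (or a drop-in under sudoers.d) and reports whether the scan account has a passwordless rule, a rule that will prompt for a password, or no rule at all, and optionally runs visudo's syntax check. The account name `qualys_scan`, the drop-in path, and the sample file contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a sudoers file for the
# account a Qualys Unix authentication record will log in as on a Mac.
# Assumptions for illustration: the scan account is called "qualys_scan" and
# its rule lives in a drop-in file such as /private/etc/sudoers.d/qualys_scan
# (macOS's stock /etc/sudoers includes /private/etc/sudoers.d via #includedir).

# Print the effective rule lines for ACCOUNT (a user, or "%group" for a group
# rule such as macOS's default "%admin ALL=(ALL) ALL") found in FILE.
# Comments and #include directives are dropped and backslash-continued lines
# are joined first, so a rule split over two lines is seen as one rule.
sudoers_rules_for() {
  file=$1; account=$2
  awk -v acct="$account" '
    { sub(/#.*/, "") }                              # strip comments / #include lines
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join "...\" continuations
    { line = buf $0; buf = "" }
    line ~ ("^[ \t]*" acct "[ \t]") { print line }
  ' "$file"
}

# Exit status describes what an authenticated scan would run into:
#   0  passwordless ALL (sudo escalation works without a password in the record)
#   1  rule present but a password is required (the record must carry it)
#   2  no rule for ACCOUNT in FILE (escalation via this file will fail)
sudoers_rule_status() {
  rules=$(sudoers_rules_for "$1" "$2")
  [ -n "$rules" ] || return 2
  if printf '%s\n' "$rules" | grep -Eq '(^|[[:space:],])NOPASSWD:[[:space:]]*ALL([[:space:]]|$)'; then
    return 0
  fi
  return 1
}

# Syntax check with visudo when it is installed (visudo -c -f FILE).
# Returns 3 when visudo is absent so callers can tell "skipped" from "failed".
sudoers_syntax_status() {
  command -v visudo >/dev/null 2>&1 || return 3
  visudo -c -f "$1" >/dev/null 2>&1
}

describe_status() {
  case $1 in
    0) echo "ok: passwordless sudo to ALL" ;;
    1) echo "warn: sudo rule present but password required" ;;
    2) echo "fail: no sudo rule for this account" ;;
    *) echo "unknown status $1" ;;
  esac
}

# --- Demo on a constructed sample drop-in (not a file from any real host) ---
sample=$(mktemp)
cat >"$sample" <<'EOF'
# Constructed sample: what a drop-in for the scan account might look like
Defaults:qualys_scan !requiretty
qualys_scan ALL=(ALL) \
    NOPASSWD: ALL
%admin ALL=(ALL) ALL
EOF

for who in qualys_scan %admin nosuchuser; do
  rc=0; sudoers_rule_status "$sample" "$who" || rc=$?
  printf '%-12s %s\n' "$who" "$(describe_status "$rc")"
done
rm -f "$sample"
```

Run it against the real drop-in with `sudoers_rule_status /private/etc/sudoers.d/qualys_scan qualys_scan` once the file is deployed; a status of 1 is the case the original poster describes, where the account exists but the sudo configuration does not match what the authentication record expects.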
You could also look at the option of deploying the Qualys Cloud Agent for Mac. This is much simpler and needs little or no management.
I'd love to. Unfortunately the CA w/VM isn't a part of the Consultant offering.
Thanks Red Beard. I like the domain keys approach for express. I'll probably stick to SSH when we do assessments for our clients.
Should I add anything extra in the Option Profile to scan Macs, for authenticated or non-authenticated scans? A TCP port or something? At the moment I believe I don't see any DNS Hostname, NetBIOS Name or OS for Macs in the scanned Asset Group.
Nothing specific needs to be added to scan Mac devices. The scanning engine is intelligent enough to detect the target as a Mac device and fire the audits that are applicable to Macs.
If you'd like scans to be authenticated, enable authentication within the option profile: Scans > Option Profiles > Scan > Authentication > Enable Unix
Also, make sure you've created the required authentication records: Scans > Authentication > New > Unix Record.
Is it possible from the client side to set up local machine settings that do not allow Qualys scans to be performed?
I would think you could restrict it to a certain extent. If the host has a local firewall/host IDS, it could certainly block scan traffic.
However, there are going to be some ports that will be open and the scanner could perform some audits on them.
How can I have an authentication record for macOS users when I am required to use a Unix Authentication Record and provide IPs? Macs are laptops that receive DHCP addresses. Putting an agent on the host is not an option.
You could put in a range that reflects the DHCP scope.