Charles Hill

Cisco IOS Limited Privilege Account

Discussion created by Charles Hill on Mar 7, 2017
Latest reply on Feb 27, 2018 by David Riddell

I've tried to follow the practice of least privilege and created a restricted account in IOS (15.2 and XE) for Qualys to use for PC scanning. The documentation shows that Qualys uses three commands to perform a PC scan on a Cisco device: show version, show logging, and show running-config.

I created a Privilege Level 2 account with a unique password and assigned the commands show logging and show running-config to Level 2. The other command, show version, is already a Level 1 command so didn't need reassigning.

The problem is that, to get the information it needs, Qualys needs the show running-config command with the implied view full option that comes naturally with Level 15 (enable) access. Unfortunately, if you assign the show running-config command to a lower privilege level you have to explicitly give the full show running-config view full command to see the data you need – it isn’t implied.

If we could configure Qualys to use the show running-config view full command, then it wouldn't need the ENABLE password and thus be restricted to proper least privilege instead of having unlimited Level 15 access.

Is anyone else interested in this or do you have other ways of not using the ENABLE password for Cisco PC scanning?

Charles Hill
Conference of State Bank Supervisors
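The Level 2 setup the post describes, written out as an added IOS configuration example (constructed for this page, not the poster's or Qualys' own configuration; the account name and password placeholder are assumptions). It places the limited assignment beside the explicit view full assignment the post says is required, plus the commands used to verify the result from the scanner's session.

```cisco
! Constructed example: dedicated scanning account at privilege level 2
! (account name and password placeholder are assumptions, not from the post)
username qualys-scan privilege 2 secret REPLACE-WITH-UNIQUE-PASSWORD
!
! show version is already a Level 1 command, so it needs no reassignment.
! Move the other two commands the scanner needs down to Level 2:
privilege exec level 2 show logging
privilege exec level 2 show running-config
!
! Assigning only "show running-config" to Level 2 does NOT imply the full view
! the way it does at Level 15; the full view must be granted explicitly:
privilege exec level 2 show running-config view full
!
! Verification from a session logged in as the Level 2 account
! (expected: privilege level 2, and the full-view output is returned
! without ever entering the enable password):
! Router> show privilege
! Router> show running-config view full
```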