Configure Unix records to allow our service to authenticate to your Unix hosts at scan time. Now you can configure a single authentication record that supports better integration with third party vaults, and let you define a variety of private keys and root delegation tools.
For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article:
Authentication Technologies Matrix
|
A few things to consider... |
|
What credentials should I use?What credentials should I use? This depends on the type of scanning you plan to do. If you're going to run vulnerability scans only, the account you provide must be able to execute certain commands. If you're going to run compliance scans, superuser (root) privileges are needed in order to evaluate all compliance checks. Learn more |
|
Where can I find a list of commands?Where can I find a list of commands? The article *NIX Authenticated Scan Process and Commands describes the types of commands run, and gives you an idea of the breadth and scope of the commands executed. It includes a list of commands that a Qualys service account might run during a scan. Not every command is run every time, and *nix distributions differ. This list is neither comprehensive nor actively maintained. |
|
Help me with the record settings |
|||||||||||||||
|
How do I get started?How do I get started? - Go to Scans > Authentication. - Create a Unix record for the host. Go to New >Operating Systems > Unix. |
|||||||||||||||
|
What do I enter for Login Credentials?What do I enter for Login Credentials? You must provide a user name and password to be used for login. There's an option to get the password from a vault that's configured in your account. Skip Password - Select this option if your login account does not have a password. Clear Text Password - Select this option if your password should be transmitted in clear text when connecting to services which do not support strong password encryption. Learn more For target hosts that only support SSH1, only the user name and password are used for authentication. Provide a target type while creating or updating the Unix (SSH2) authentication record. With this field, you can define the non-shell based target types in the SSH2 authentication record. Targets with a standard Unix shell will continue to be auto-detected. The target type is set to "Auto (default)" in this case. Newly supported target types will be added to the Target Type menu. |
|||||||||||||||
|
Using Kerberos authenticationUsing Kerberos authentication Kerberos is a network authentication protocol designed to provide secure and encrypted authentication for your systems and services. You can specify Kerberos authentication details and perform authenticated scans on Unix systems that have Kerberos (GSSAPI) enabled. Turn on the Use Kerberos toggle and specify the following details for realm discovery and authentication:
|
|||||||||||||||
|
Using Private Keys / CertificatesUsing Private Keys / Certificates You can use multiple private keys and/or certificates for authentication. Any combination of private keys (RSA, DSA, ECDSA, ED25519) and certificates (OpenSSH, X.509). Private key authentication is supported for SSH2 only. All of the private keys can either be unencrypted or encrypted with a passphrase. Tip - If you have multiple private keys/certificates you can sort the order in your record. We'll use the private keys/certificates in the order listed. Options to get key info from vault: - Get private key from vault you've configured. - Get private key passphrase from vault you've configured. Looking for more help? |
|||||||||||||||
|
The user account must be added to all target hosts along with the public key, which will be appended to the “.ssh/authorized_keys2” file in the user’s home directory. Important - Our service must have full access to the target hosts during scanning. It is possible that manually added options in “.ssh/authorized_keys2” files (like no-pty) lockout our service and in this case security tests cannot be performed. Troubleshooting tipsIf you are looking into the reason why a scan did not return expected results, it is recommended that you remove the additional, manually added options from the scanning account’s public key in the “.ssh/authorized_keys2” files and scan the target hosts again to confirm whether our service can authenticate to hosts and perform scanning. |
|||||||||||||||
|
In previous releases the RSA/DSA key fields in the UI allowed you to enter a key and certificate in the same input field. We've separated these elements in the UI starting with release 8.9. Did you create Unix records with private keys and certificates prior to release 8.9? If yes these will now show up in their respective fields separately. |
|||||||||||||||
|
Using Root Delegation toolsUsing Root Delegation tools You can use multiple root delegation tools for authentication: Sudo, Pimsu and PowerBroker. There's an option to get password for root delegation from a vault you've configured. Tip - If you have multiple tools you can arrange the tools in a particular order in the authentication record. We'll attempt each root delegation method in sequence, depending on the order configured. By enabling root delegation you can provide a lower-privileged user account in the record and still perform scan tests with the elevated privileges of the superuser (root). For compliance scans, root level privileges are required. For vulnerability scans, root level privileges are not required. If you do not want to use root level privileges for vulnerability scans, then edit your vulnerability scan option profile and select the scan option Attempt least privilege for Unix (skip root delegation in Unix record). Learn more |
|||||||||||||||
|
Which IPs should I add to my record?Which IPs should I add to my record? Select the Unix hosts (IPs) to authenticate to. The IPs you include in this record cannot also be included in a Cisco or Checkpoint Firewall record. |
|||||||||||||||
|
Do you have tag support enabled?Do you have tag support enabled? If your subscription has Tag Support for Authentication Records enabled, then you'll see additional options for specifying hosts using asset tags. Choose an asset type and then provide IPs or tags to the record. Your asset type options are: IPs/Ranges, IP Range in Tag Rule and Asset Tags. Asset Type: IPs/Ranges - Use this option to add IP addresses/ranges to the record. Enter the IP addresses/ranges in the field provided. Asset Type: IP Range in Tag Rule - Use this option to add tags that have IP address ranges defined in the tag rule. All IP addresses defined in the tag rule will be associated with the record, including IPs that don’t already have the tag assigned. Click Add Tag to pick tags to include or exclude. Note that only tags with the dynamic tag rule “IP Address in Range(s)” will be available in the tag selector. Asset Type: Asset Tags - Use this option to add tags to the record for the assets you want included. IP addresses with the selected tags already assigned will be associated with the record. Click Add Tag to pick tags to include or exclude. |
|||||||||||||||
|
Policy Compliance optionsPolicy Compliance options Our security service needs to find login services in order to successfully authenticate to Unix hosts and perform compliance assessment. By default, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on well-known ports for the hosts you will be scanning, then you must define a custom ports list. Note: The actual ports scanned also depends on the Ports setting in the compliance option profile used at scan time. Tell me more about scanned portsTell me more about scanned ports If Standard Scan is selected in the compliance profile, then these ports will be scanned: the standard ports list (about 1900 ports) provided by the service, including ports 22, 23 and 513, plus the custom ports specified in the authentication record. If Targeted Scan is selected in the compliance profile, then these ports will be scanned: the custom ports specified in the authentication record only (no other ports). Refer to the table below:
|
|||||||||||||||
|
Tell me about Agentless TrackingTell me about Agentless Tracking Select the option "Enable agentless tracking" to track the hosts in this record by host ID. During the scanning process, the service assigns a unique host ID to each target host. Learn more Don't see this option? The Agentless Tracking feature must first be accepted at the subscription level by the Manager primary contact. This feature is not available to Express Lite users. |
|||||||||||||||
|
TACACS server supportTACACS server support Password based authentication to a TACACS server is supported. This server follows the SSH user authentication specification. |
|||||||||||||||
|
Important Notes for Unit ManagersImportant Notes for Unit Managers When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager. |
|||||||||||||||
|
Use RSA keys stored in CyberArk AIM vault to scan Unix hosts |
