This depends on whether you'll be running vulnerability scans, compliance scans or both.
The account you provide must be able to perform certain commands like 1) execute “uname” to detect the platform for packages, 2) read /etc/redhat-release and execute “rpm” (if the target is running Red Hat), and 3) read /etc/debian_version and execute “dpkg” (if the target is running Debian). There are many more commands that must be performed.
The following article describes the types of commands run, and gives you an idea of the breadth and scope of the commands executed. It includes a list of commands that a Qualys service account might run during a scan. Not every command is run every time, and *nix distributions differ. This list is neither comprehensive nor actively maintained.
*NIX Authenticated Scan Process and Commands
In order to evaluate all compliance checks you must provide an account with superuser (root) privileges. The compliance scan confirms that full UID=0 access has been granted even if the initial SSH access has been granted to a non-root user. Without full UID=0 access, the scan will not proceed. Note also the account must be configured with the “sh” or “bash” shell.
We support use of sudo, dzdo, or PowerBroker root delegation for systems where remote root login has been disabled for the system to be scanned. However, you cannot use a restricted Unix/Linux account by delegating specific root level commands to the account specified in the sudoers file or equivalent. A non-root account can be used to establish the initial SSH connection but that account must be able to execute a “sudo su –“ command (or equivalent) so that account can gain root level (UID=0) access for the compliance scan to proceed.