    So you want to build a Security Program? Part 1 - Vulnerability Scanning

IT Discussion
72 Posts 13 Posters 8.2k Views
stacksofplates @IRJ

      @irj said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

      @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

      So @IRJ I wasn't sure where else to put this. Do you give root access to your vulnerability scanners? Just a conversation I've been having with some people here.

Unfortunately they need root to scan according to Tenable's documentation. You can set a specific login window for that account to correlate with your scan. That way it isn't abused anywhere besides during the scan window. Not really 100% secure, but it's better than leaving it wide open.

Ya we do SCAP with the Red Hat SCAP tool. We don't control the Nessus box so we weren't going to give up root access, and they are essentially just checking patch levels.

      What I don't get is why they need root access. If there is a vulnerability, it has to be able to be seen/leveraged from an unprivileged account. Sure you can see vulnerabilities when you log in as root, because you are the vulnerability. I think it's kind of pointless.

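The scan-window idea IRJ describes in the quoted reply above, worked as an added example that is not part of any post in this thread and is not Tenable's guidance: a POSIX shell script that opens and closes a login window for a scanner account so the credential only works while a scan is scheduled. The account name nessus-scan is an assumption, as is that the scanner logs in over SSH with a key. The one thing the example adds beyond the post is how the window gets closed: locking the password does not stop key-based SSH logins on a PAM-enabled sshd, so it uses account expiry instead.

```shell
#!/bin/sh
# Added example, not from the thread or from Tenable: open and close a login
# window for a scanner account so its credentials only work while a scan is
# scheduled. Assumes the account is "nessus-scan" (hypothetical) and that it
# logs in over SSH with a key.
#
# Why account expiry rather than "usermod -L" / "passwd -l": locking only
# prefixes the password hash with "!". With UsePAM yes, sshd leaves the
# locked-password check to PAM, and pam_unix's account stage does not reject
# a "!"-locked hash, so public-key logins keep working. An expired account is
# refused by pam_unix, and by sshd's own check when PAM is not in use.

SCAN_USER="${SCAN_USER:-nessus-scan}"
EXPIRED="1970-01-02"   # any past date disables the account immediately

# With DRY_RUN set, print the privileged commands instead of running them.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

open_window() {
    run chage -E -1 "$SCAN_USER"      # -E -1 removes the expiry date
}

close_window() {
    run chage -E "$EXPIRED" "$SCAN_USER"
    run pkill -KILL -u "$SCAN_USER"   # a session started in the window must not outlive it
    return 0                          # pkill exits 1 when nothing was running
}

# window_contains NOW START SECONDS: true when NOW is in [START, START+SECONDS)
window_contains() {
    [ "$1" -ge "$2" ] && [ "$1" -lt "$(($2 + $3))" ]
}

# window_action open|close START_EPOCH SECONDS
# "open" is refused outside the scheduled window, so a cron job that fires
# late (host was down, clock was wrong) cannot enable the account at an
# unplanned time. "close" is always allowed.
window_action() {
    case "$1" in
        open)
            if window_contains "$(date +%s)" "$2" "$3"; then
                open_window
            else
                printf 'refusing to open %s: outside the scheduled window\n' "$SCAN_USER" >&2
                return 1
            fi ;;
        close) close_window ;;
        *) printf 'usage: %s open|close START_EPOCH SECONDS\n' "$0" >&2; return 2 ;;
    esac
}

case "${1:-}" in
    open|close) window_action "$1" "${2:-0}" "${3:-0}" ;;
esac
```

Schedule the close first (a missed close is the dangerous failure), for example two cron entries bracketing the scan, and have the scan job itself call `open` right before the scanner connects. `chage -l nessus-scan` shows the current state. The window only limits when the credential is usable, not what it can do once logged in; that part is sudoers' job.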
IRJ @stacksofplates

@stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

        Ya we do SCAP with the RedHat SCAP tool. We don't control the Nessus box so we weren't going to give up root access, and they are essentially just checking patch levels.

        What I don't get is why they need root access. If there is a vulnerability, it has to be able to be seen/leveraged from an unprivileged account. Sure you can see vulnerabilities when you log in as root, because you are the vulnerability. I think it's kind of pointless.

        You can do an external uncredentialed scan against a box and only see a few vulnerabilities. It doesn't mean the box only has those vulnerabilities. A skilled hacker could try common exploits against the box and possibly breach it. Another possibility is they are using their own scripts against the box instead of what you'd see with an out of the box scanner.

stacksofplates @IRJ

@irj said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

          You can do an external uncredentialed scan against a box and only see a few vulnerabilities. It doesn't mean the box only has those vulnerabilities. A skilled hacker could try common exploits against the box and possibly breach it. Another possibility is they are using their own scripts against the box instead of what you'd see with an out of the box scanner.

          We do credentialed but not privileged. I just don't trust another team to have root access to our stuff. Admins don't even have permission to log into the servers. It's all forced through Tower. Root access is disabled on both console logins and SSH and I get real time notifications for events. To me, I think I'd be going backwards if I gave them root access. If I owned the Nessus box it would be 100% different, but since it's a different team I don't trust it.

stacksofplates

            I don't have permission to change things on their Nessus system. So I think it's more important that they don't have permissions on mine. If we had to do something, I would craft a sudoers file for them vs just give them root/sudo for everything.

dafyre @stacksofplates

              @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

              I don't have permission to change things on their Nessus system. So I think it's more important that they don't have permissions on mine. If we had to do something, I would craft a sudoers file for them vs just give them root/sudo for everything.

              If they're doing real pen testing, they don't need root access to stuff. Hack the box and tell me how you got in!

stacksofplates @dafyre

@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                If they're doing real pen testing, they don't need root access to stuff. Hack the box and tell me how you got in!

                Right.

IRJ @dafyre

@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                  If they're doing real pen testing, they don't need root access to stuff. Hack the box and tell me how you got in!

                  Vulnerability Scanning and pen testing are not the same. Not all attack surfaces are covered during pen tests and pen testing is much more labor intensive for less information.

dafyre @IRJ

@irj said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                    Vulnerability Scanning and pen testing are not the same. Not all attack surfaces are covered during pen tests and pen testing is much more labor intensive for less information.

                    I guess I don't see why you would do either without it being blind. I guess it's not a far cry to assume that hackers could get root on your box if they find a vulnerable application.

stacksofplates @dafyre

@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                      I guess I don't see why you would do either without it being blind. I guess it's not a far cry to assume that hackers could get root on your box if they find a vulnerable application.

                      I can see the merit to a credentialed scan because of insider threats. It will show packages are up to date, file perms that should be set, etc. However I don't see the merit to a plain root access scan. I would at the very least craft sudo perms for the Nessus user.

stacksofplates @stacksofplates
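The "craft a sudoers file for them instead of root/sudo for everything" point stacksofplates makes twice above, worked as an added example that is not part of any post in this thread and is not Tenable's guidance: a POSIX shell script that renders a least-privilege sudoers drop-in for a scanner account and lints sudoers text for grants wider than a scan needs. The account name nessus-scan, the /etc/sudoers.d path and the command allowlist are assumptions for illustration; the real allowlist comes from your scanner's documentation for the checks you actually enable.

```shell
#!/bin/sh
# Added example, not from the thread or from Tenable: render a least-privilege
# sudoers drop-in for a credentialed scanner account and lint sudoers text for
# grants that are wider than a scan needs.
# Assumptions: the scan account is "nessus-scan" (hypothetical) and the command
# allowlist below is illustrative; take the real list from your scanner's docs.

SCAN_USER="${SCAN_USER:-nessus-scan}"

# Allowlist, one command per line, absolute paths, arguments fixed.
# sudoers matches listed arguments exactly, so "find ... -exec" cannot be
# appended to the find entry and rpm cannot be given other flags.
scan_allowlist() {
    cat <<'EOF'
/usr/bin/rpm -qa
/usr/bin/dpkg -l
/usr/bin/find / -perm -4000 -type f
/usr/sbin/ss -tulpn
EOF
}

render_sudoers() {
    printf '# Least-privilege sudo grant for the vulnerability scanner account.\n'
    printf 'Defaults:%s !requiretty\n' "$SCAN_USER"   # the scanner runs non-interactively
    printf 'Cmnd_Alias SCAN_CMDS = '
    scan_allowlist | awk 'NR > 1 { printf ", " } { printf "%s", $0 } END { print "" }'
    printf '%s ALL=(root) NOPASSWD: SCAN_CMDS\n' "$SCAN_USER"
}

# Read sudoers text on stdin, print findings, return 1 if any were printed.
# Assumes one specification per line (no backslash continuations).
lint_sudoers() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*|User_Alias*|Host_Alias*|Runas_Alias*) continue ;;
        esac
        # Keep the command list only: drop everything up to '=', the (runas)
        # part and tags such as NOPASSWD:.
        cmds=$(printf '%s\n' "$line" | sed -E -e 's/^[^=]*=//' -e 's/\([^)]*\)//' \
            -e 's/(NO)?(PASSWD|SETENV|EXEC|LOG_INPUT|LOG_OUTPUT):/ /g')
        hits=$(printf '%s\n' "$cmds" | tr ',' '\n' | awk -v line="$line" '
            { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
            $0 == "" { next }
            $0 == "ALL" { print "blanket ALL grant: " line; next }
            $1 ~ /^[A-Z][A-Z0-9_]*$/ { next }   # Cmnd_Alias reference, checked on its own line
            $1 !~ /^\// { print "relative command path: " $0; next }
            $0 ~ /[*?]/ { print "wildcard in command: " $0; next }
            { n = split($1, p, "/"); base = p[n] }
            NF == 1 && base == "find" { print "find with free arguments allows -exec: " $0; next }
            base ~ /^(sh|bash|dash|ksh|zsh|su|sudo|vi|vim|nano|less|more|perl|python[0-9.]*)$/ {
                print "shell-escape capable command: " $0 }
        ')
        if [ -n "$hits" ]; then printf '%s\n' "$hits"; findings=1; fi
    done
    return "$findings"
}

# Write the drop-in only after both checks pass: visudo -cf checks syntax,
# lint_sudoers checks scope. Needs root.
install_sudoers() {
    tmp=$(mktemp) || return 1
    render_sudoers > "$tmp"
    if lint_sudoers < "$tmp" && visudo -cf "$tmp"; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$SCAN_USER"
    else
        printf 'not installed: drop-in failed validation\n' >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}

case "${1:-}" in
    render)  render_sudoers ;;
    install) install_sudoers ;;
esac
```

`sh scan_sudoers.sh render` prints the fragment; `install` as root validates it and places it. Afterwards `sudo -l -U nessus-scan` shows exactly what the scanner can run as root; anything beyond SCAN_CMDS means a grant came from somewhere else. Note the account still needs its own read access for the credentialed-but-unprivileged checks (package lists, most of /etc); the sudo grant only covers what genuinely requires root.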

@stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                        I can see the merit to a credentialed scan because of insider threats. It will show packages are up to date, file perms that should be set, etc. However I don't see the merit to a plain root access scan. I would at the very least craft sudo perms for the Nessus user.

Edit: initially wrote "can't see the merit". Meant to say "can".

2 / 4