Unix authentication records contain Unix authentication credentials and the target hosts that those credentials apply to. Using these credentials, the scanning engine is able to log into Unix systems that support the SSH protocol (SSH1 and SSH2) and gain access to information that would otherwise not be available.
You must supply a user name to be used by the scanning engine to log into target hosts. Optionally, you may also supply an RSA and/or DSA private key. When authenticating to target hosts that support SSH2, authentication is attempted in the following order: 1) RSA key, 2) DSA key and 3) user name and password. For target hosts that only support SSH1, only the supplied user name and password are used for authentication. For user account requirements and detailed instructions for generating an SSH key pair, see Unix Authentication Setup.
When the compliance module is enabled, users with compliance privileges can launch compliance scans to identify whether hosts are compliant with user-defined policies. Successful authentication is required for compliance scans. For compliance scans, the user account provided for authentication must have superuser (root) privileges (or lower privileges if root delegation is enabled). If root privileges are not provided or if authentication to hosts fails, then compliance analysis cannot be performed on the hosts.
The privilege to create authentication records is granted to all Managers automatically. Managers may grant Unit Managers the privilege to create authentication records for hosts in their business unit. This option is set when creating or editing a Unit Manager's account.
Important: For vulnerability scans, root-level access is optional; when it is provided, the service can perform a more in-depth security analysis. For compliance scans, root-level access is required.
1. Select Authentication Records from the left menu, under Tools.
2. Go to New > Unix Record.
3. In the Title field, enter a descriptive name for this record.
4. Enter user credentials for the Unix user account to be used. Your options are:
• Basic Authentication. Enter the user name and password for the Unix user account. For key authentication, supply an RSA and/or DSA private key. See Unix Login Credentials.
• Authentication Vault. Select this option if the password for the Unix user account is stored in a third-party authentication vault. See Authentication Vault Login Credentials.
5. (Optional) In the Policy Compliance section, identify custom ports to scan for authentication and compliance assessment. By default, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). If the services (SSH, telnet, rlogin) are not running on these well-known ports on the hosts you will be scanning, you must define a custom ports list. See Policy Compliance for details.
6. On the IPs tab, select all hosts that the scanning engine should log into with the specified credentials. If key authentication is used, each of the target hosts must contain the corresponding public key or authentication will fail. Each IP address may be included in one Unix record or in one Cisco IOS record. The same IP may not be in both a Unix record and a Cisco IOS record.
7. In the Comments section, enter notes about the account, credentials or hosts.
8. Click Save.
After creating a Unix record, you must enable this feature in your scan options for vulnerability scans. Create or edit an option profile and select the Unix option under Authentication on the Scan tab. Then apply that profile to vulnerability scan tasks.
Note that Unix authentication is automatically enabled in compliance profiles for compliance scan tasks.
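Before saving a record that uses key authentication, a practitioner will usually want to confirm the two conditions steps 5 and 6 depend on: that the scanning account can log into each target host with the record's private key on the configured port, and, for compliance scans, that the account has root or a root-delegation path. The pre-flight script below is an added example, not Qualys code; the account name `scanacct`, the key path, the `PORTS` variable and the hosts file are placeholders for values taken from your own record.

```sh
#!/bin/sh
# Pre-flight check for the hosts in a Unix authentication record (added example,
# not part of the product). Assumes an OpenSSH client on the operator workstation;
# SCAN_USER, KEY_FILE and PORTS are placeholders for the values in the record.
set -u

SCAN_USER="${SCAN_USER:-scanacct}"            # placeholder: account named in the record
KEY_FILE="${KEY_FILE:-$HOME/.ssh/scan_rsa}"   # placeholder: RSA/DSA private key in the record

# Turn the record's port list ("22, 23,513") into a space-separated list.
# A custom list is only needed when SSH is not listening on 22 (step 5).
normalize_ports() {
    printf '%s' "$1" | tr ',' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Key login must succeed non-interactively. BatchMode disables the password
# fallback, so a failure here means the public key is not installed for the
# account on that host, or the host is unreachable on that port (step 6).
key_login_ok() {  # host port
    ssh -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=accept-new \
        -i "$KEY_FILE" -p "$2" "$SCAN_USER@$1" true 2>/dev/null
}

# Compliance scans require root, or root delegation (sudo without a prompt).
root_ok() {  # host port
    ssh -o BatchMode=yes -o ConnectTimeout=5 -i "$KEY_FILE" -p "$2" \
        "$SCAN_USER@$1" 'test "$(id -u)" -eq 0 || sudo -n true' 2>/dev/null
}

# One-word verdict per host/port so the result can be acted on or scripted.
classify_host() {  # host port
    if ! key_login_ok "$1" "$2"; then echo "NO_KEY_OR_UNREACHABLE"; return; fi
    if root_ok "$1" "$2"; then echo "OK_ROOT"; else echo "OK_NO_ROOT"; fi
}

# Reads one host per line from the file given as $1 and prints a verdict for
# every host/port pair in the record's port list.
main() {
    ports=$(normalize_ports "${PORTS:-22}")
    while read -r host; do
        [ -n "$host" ] || continue
        for p in $ports; do
            printf '%s:%s %s\n' "$host" "$p" "$(classify_host "$host" "$p")"
        done
    done < "$1"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Hosts reported as NO_KEY_OR_UNREACHABLE will fail authentication in the scan; OK_NO_ROOT hosts will authenticate for vulnerability scans but cannot be assessed by compliance scans until root or root delegation is arranged.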