Using a root delegation tool, a system administrator may give certain users the ability to run commands as root. The service supports these root delegation tools: Sudo and PowerBroker. When a root delegation tool is enabled in a Unix authentication record and properly configured on target hosts, the scanning engine can log in to target hosts using a lower-privileged user account (password entered in the Unix authentication record) and perform scan tests with the elevated privileges of the superuser (root).
Important: For vulnerability scans, root-level access is optional; when it is provided, the service can perform a more in-depth security analysis. For compliance scans, root-level access is required.
How it works: When Sudo is properly configured and selected as the root delegation tool in the Unix record, the scanning engine 1) authenticates to target hosts using the login credentials provided in the record (user name and password, RSA key or DSA key), 2) executes the command "sudo su -" to obtain root authority, and 3) performs commands with root authority to complete the scan.
Sudo is not a standard part of all Unix distributions. If it is not included in the default installation for your Unix distribution, you can download it from http://www.sudo.ws.
The configuration file /etc/sudoers must be properly configured to allow the user account provided in the Unix authentication record to execute commands with root access on the hosts to be scanned. Grant that user permission to run /bin/su in the sudoers file, because /bin/su is the command the scanning engine runs through Sudo to gain elevated privileges. One method for setting this up in your sudoers file is to create a command alias for the /bin/su command and then grant the privilege to run this command to the user account.
In the following example, "scanuser" is the account user name you supply in the Unix authentication record:
# Cmnd alias specification
Cmnd_Alias SU=/bin/su
# User privilege specification
root ALL=(ALL) ALL
scanuser ALL=SU
If you configure the sudoers file without the NOPASSWD option, meaning that a password is required to run Sudo, then you must include the password in the Unix authentication record in order for authentication with root access to be successful.
If you configure the sudoers file with the NOPASSWD option, meaning that a password is not required to run Sudo, then a password is not required in the Unix authentication record. You must still provide valid credentials for the initial authentication.
Please refer to your sudoers documentation for information regarding proper configuration.
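The following script is an added example, not part of the original documentation or the vendor's own tooling. It parses the small subset of sudoers syntax used above (Cmnd_Alias lines and single-line user specifications), checks whether a given scan account is allowed to run /bin/su through Sudo, and reports whether the NOPASSWD tag is present, which is exactly what determines whether a password must be entered in the Unix authentication record. The two sudoers fragments embedded in it are constructed samples: the first is the fragment from this page, the second is the same grant with NOPASSWD added.

```python
import re

# Constructed sample input: the fragment shown on this page, which requires a
# password for sudo, and a NOPASSWD variant of the same grant for comparison.
SUDOERS_PASSWD = """\
# Cmnd alias specification
Cmnd_Alias SU=/bin/su
# User privilege specification
root ALL=(ALL) ALL
scanuser ALL=SU
"""

SUDOERS_NOPASSWD = """\
Cmnd_Alias SU=/bin/su
root ALL=(ALL) ALL
scanuser ALL=(ALL) NOPASSWD: SU
"""

# Tags that may precede the command list in a user specification.
TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV")
_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:" + "|".join(TAGS) + r"):\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (command aliases, user specs) from a sudoers fragment.

    Only the subset of the sudoers grammar needed for this check is handled:
    Cmnd_Alias lines and one-line user specifications. Other directives
    (Defaults, Host_Alias, ...) are skipped rather than parsed.
    """
    aliases = {}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith(("Defaults", "Host_Alias", "User_Alias", "Runas_Alias")):
            continue
        if line.startswith("Cmnd_Alias"):
            _, body = line.split(None, 1)
            name, cmds = body.split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = _SPEC.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        specs.append((m.group("user"), m.group("host"), tags, cmds))
    return aliases, specs


def _expand(cmds, aliases):
    """Replace Cmnd_Alias names in a command list with the commands they name."""
    out = []
    for c in cmds:
        out.extend(aliases.get(c, [c]))
    return out


def check_scan_user(text, user, su_path="/bin/su"):
    """Report whether `user` may run su via sudo and whether sudo will prompt.

    sudo_prompts_for_password is True when the grant lacks NOPASSWD, which is
    the case where the password must be present in the Unix authentication
    record for root-level scanning to succeed.
    """
    aliases, specs = parse_sudoers(text)
    su_allowed = False
    nopasswd = False
    for spec_user, _host, tags, cmds in specs:
        if spec_user != user:
            continue
        for cmd in _expand(cmds, aliases):
            # "ALL" covers every command; otherwise match the su binary itself
            # or a rule that names it with arguments.
            if cmd == "ALL" or cmd == su_path or cmd.startswith(su_path + " "):
                su_allowed = True
                nopasswd = nopasswd or "NOPASSWD" in tags
    return {
        "su_allowed": su_allowed,
        "nopasswd": nopasswd,
        "sudo_prompts_for_password": su_allowed and not nopasswd,
    }


if __name__ == "__main__":
    for label, text in (("page sample", SUDOERS_PASSWD),
                        ("NOPASSWD variant", SUDOERS_NOPASSWD)):
        print(label, check_scan_user(text, "scanuser"))
```

Run it against the real file with `check_scan_user(open("/etc/sudoers").read(), "scanuser")` on a host you administer; a result of su_allowed False means the scan will authenticate but never reach root, and sudo_prompts_for_password True means the Unix authentication record must carry the account's password. Note that this parser only reads the main file; if your grants live under /etc/sudoers.d, pass that fragment instead, and rely on `visudo -c` for syntax validation of the complete configuration.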
How it works: When PowerBroker is properly configured and selected as the root delegation tool in the Unix record applied to a scan, the scanning engine 1) authenticates to target hosts using the login credentials provided in the record (user name and password, RSA key or DSA key), 2) executes the command "pbrun su -" to obtain root authority, and 3) performs commands with root authority to complete the scan.
BeyondTrust PowerBroker version 6.0 is required.
PowerBroker supports multiple Unix/Linux platforms. The following platforms have been verified for successful PowerBroker integration with our security service: Red Hat Enterprise Linux v3, v4, and v5.x; SUSE Linux Enterprise Server 9, 10, and 11; HP-UX 11i v1, v2, and v3; IBM AIX v5.x and 6.x; Sun Solaris 8, 9, and 10; VMware ESX 3.x and 4.x; Mac OS X 10.x.
The PowerBroker environment must be properly configured to allow the user account provided in the Unix authentication record to execute commands with root access on the hosts to be scanned. Please refer to your PowerBroker documentation for further information regarding proper configuration.
For successful integration of your PowerBroker environment with our security service, edit the pb.conf file settings for your policy. See PowerBroker Integration for more information, including sample settings.