To get to this page: Select Authentication Records from the left menu. Go to New > Unix Record (or click Edit for the Unix record you want to change).

New/Edit Unix Record

Each Unix authentication record contains Unix authentication credentials and a list of hosts that those credentials apply to. You must supply a user name to be used by the scanning engine to log into target hosts. You may also supply an RSA and/or DSA private key; the key must be PEM-encoded. The corresponding public key must be appended to the ".ssh/authorized_keys2" file in the user's home directory on every target host in the record.

When authenticating to target hosts that support SSH2, authentication is attempted in the following order: 1) RSA key, 2) DSA key and 3) password. For target hosts that only support SSH1, only the supplied user name and password are used for authentication.

When the compliance module is enabled, users with compliance privileges can launch compliance scans to determine whether hosts are compliant with user-defined policies. Successful authentication is required for compliance scans. For compliance scans, the user account provided for authentication must have superuser (root) privileges (or lower privileges if root delegation is enabled). If root privileges are not provided or if authentication to hosts fails, then compliance analysis cannot be performed on the hosts.

For user account requirements and detailed instructions for generating an SSH key pair, read Unix Authentication Setup.
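The two key-authentication requirements above (a PEM-encoded private key in the record, and the matching public key in ~/.ssh/authorized_keys2 on every target host) are the usual reasons key authentication fails. The following shell script is an added example, not part of this help page or of the service, that checks a key file for the PEM container, generates a key pair in that format, installs the public key with the permissions sshd requires, and confirms that the key alone opens a session. The file names scan_key / scan_key.pub and the user@host target are assumptions.

```shell
# Added example (not the service's own code): pre-flight checks for a Unix
# record that uses SSH key authentication.  File names and hosts are assumed.

# key_kind FILE
# Prints the container format of a private key file: rsa-pem, dsa-pem,
# openssh, or unknown.  "openssh" is the OpenSSH-native format that recent
# ssh-keygen versions write by default; it is not PEM, so it cannot be used
# in the record and must be regenerated with "ssh-keygen -m PEM".
key_kind() {
    header=$(head -n 1 "$1" 2>/dev/null || true)   # missing file -> empty header
    case "$header" in
        "-----BEGIN RSA PRIVATE KEY-----")     echo rsa-pem ;;
        "-----BEGIN DSA PRIVATE KEY-----")     echo dsa-pem ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        *)                                     echo unknown ;;
    esac
}

# key_is_pem FILE
# Succeeds only for a PEM-encoded RSA or DSA private key (what the record accepts).
key_is_pem() {
    case "$(key_kind "$1")" in
        rsa-pem|dsa-pem) return 0 ;;
        *)               return 1 ;;
    esac
}

# generate_scan_key FILE
# Creates an unencrypted, PEM-encoded RSA key pair (FILE and FILE.pub).
# "-m PEM" forces the PEM container; "-N ''" leaves the key unencrypted so
# the scanning engine can use it without a passphrase.
generate_scan_key() {
    ssh-keygen -q -t rsa -b 3072 -m PEM -N '' -f "$1"
}

# install_scan_key USER@HOST PUBKEY
# Appends PUBKEY to ~/.ssh/authorized_keys2 on the target.  umask 077 and the
# chmod keep the directory and file free of group/world write access, which
# sshd's StrictModes setting otherwise rejects.
install_scan_key() {
    ssh "$1" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys2; chmod 600 ~/.ssh/authorized_keys2' < "$2"
}

# verify_key_login USER@HOST PRIVKEY
# Confirms the key alone opens a session: BatchMode refuses every prompt and
# PasswordAuthentication=no rules out a silent fallback to the password.
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -i "$2" "$1" true
}

# Demonstration (skipped where ssh-keygen is not installed):
if command -v ssh-keygen >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    if generate_scan_key "$tmp/scan_key"; then
        echo "generated key format: $(key_kind "$tmp/scan_key")"   # rsa-pem
    else
        echo "key generation failed"
    fi
    rm -rf "$tmp"
fi
```

Run key_is_pem against the key file before pasting it into the record, then install_scan_key and verify_key_login against each assigned host (for example: install_scan_key scanuser@10.0.0.5 scan_key.pub; verify_key_login scanuser@10.0.0.5 scan_key). A verify_key_login failure on a host means that host will show an authentication failure in scan results even though the record is saved correctly.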

Important Notes:

For vulnerability scans, root level access is optional; when it is provided, the service can perform a more in-depth security analysis. For compliance scans, root level access is required.

When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to view. Any changes the Unit Manager makes to the record settings apply to all hosts defined in the record, whether or not those hosts belong to the Unit Manager's business unit. The record may contain additional IPs that are not visible to the Unit Manager.



Record Title

Title. Enter a unique, descriptive title for this record. The record title will be referenced in scan results when authentication fails so you can go back and verify the authentication credentials. The title may contain a maximum of 255 characters.



Login Credentials

Enter user credentials to be used for authentication. Refer to Unix Authentication Setup to understand the requirements for Unix authenticated scanning to be successful. Your options are:

Basic Authentication. Enter the user name and password for the Unix user account. For key authentication, supply an RSA and/or DSA private key. See Unix Login Credentials.

Authentication Vault. Select this option if the password for the Unix user account is stored in a third party authentication vault. See Authentication Vault Login Credentials.



IPs

Select all target hosts that the scanning engine should log into with the specified credentials. If key authentication is used, each of the target hosts must contain the corresponding public key or authentication will fail. Each IP address may be included in one Unix record or in one Cisco IOS record. The same IP may not be in both a Cisco IOS record and a Unix record.

Available IPs. A list of IPs in your account that are not currently part of another Unix record or Cisco IOS record. From this list, select the IPs you want to include, and click Add. Click Add All to add all available IPs to this record.

Assigned IPs. This is a list of IP addresses and ranges added to this record. To remove an IP from the record, select it and click Remove. To remove all IPs from the record, click Remove All.

Expand. Select an IP range and click the Expand button to view a complete list of all IPs within the range. This allows you to select individual IPs from inside a range (instead of selecting the entire range).

Manually. Select to manually add or remove IP addresses. A pop-up will appear where you can type or paste in a list of IPs. Then click Add to add the IPs to the record or click Remove to remove the IPs from the record.

Asset Group. Select to copy IPs from an asset group to this record. A pop-up will appear prompting you to select the asset group you want to copy IPs from. Select the asset group and click Add.



Policy Compliance

(Applicable to policy compliance scans only.)

The scanning engine needs to find login services in order to successfully authenticate to Unix hosts and perform compliance assessment. By default, these well known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on these well known ports for the hosts you will be scanning, then you must define a custom ports list.

Well Known Ports. The service scans services (SSH, telnet, rlogin) on well known ports (22, 23, 513 respectively).

Custom Ports. The service scans a custom list of ports. Select this option if services (SSH, telnet, rlogin) are not running on well known ports (22, 23, 513 respectively). Multiple ports must be comma separated. Note: The actual ports scanned also depend on the Ports setting in the compliance option profile.

If Standard Scan is selected in the compliance profile, then these ports will be scanned: the standard ports list (about 1900 ports) provided by the service, including ports 22, 23 and 513, plus the custom ports specified in the authentication record.

If Targeted Scan is selected in the compliance profile, then these ports will be scanned: the custom ports specified in the authentication record only (no other ports).

See the table below to better understand which ports are scanned based on your settings.

Compliance profile    Authentication record    Ports scanned
Standard Scan         Well Known Ports         ~1900 ports (includes ports 22, 23, 513)
Standard Scan         Custom Ports             ~1900 ports + custom ports in record
Targeted Scan         Well Known Ports         Ports 22, 23 and 513 only
Targeted Scan         Custom Ports             Custom ports in record only



Comments

Enter important notes about the authentication credentials or target hosts.



Additional Options

Save. Click to save the record and return to the authentication records list.

Cancel. Click to return to the authentication records list without saving your changes.