VMware Cloud Community
vincentfeaster
Contributor

Tenable Credentialed Scanning

We are trying to scan VCENTER 7 VCSA with SSH. We are only able to get a credentialed scan with the "root" account. The operator, Admin, and Super Admin accounts return credentialed yes but insufficient privilege or elevation required. Tried adding the account to the wheel and root groups. Also tried granting the account all the permissions and roles via the web console. Changed permissions for the entire "/" file system to 777. We were not able to find a way to create a backup or emergency root account so we would not have to use the root account. We don't want to use a compliance audit file, just a straight vulnerability scan. We were able to use the VCENTER SOAP API with VCENTER 6 but it does not appear to work with the VCSA 7 appliance. Does it need to be configured with VCSA 7?

Thanks

0 Kudos
5 Replies
John_Nicholas
Contributor

I managed to get this working. However, and I cannot stress this enough, I dispute the validity of the "vulnerabilities" returned. Our group that does the scanning where I work expects mitigation of "vulnerabilities" found, and you simply cannot patch individual vulnerabilities without risking breaking your VCenter Appliance installation irrevocably. For instance, I was expected to update the underlying Photon OS, Apache libraries etc. This is not an option as far as I'm concerned. That being said, here is how I managed to get "credentialed Nessus scanning" to work on VCenter Server Appliance:

1) Log on to the appliance as "root" at the bash prompt
2) Create the "scanner" account (name it what you want):
   useradd scanner
3) Make the scanner account an admin account:
   usermod -aG sudo "scanner"
4) visudo - match the "root" settings in /etc/sudoers
5) Change the default shell for the "scanner" account:
   chsh -s /bin/bash "scanner"
6) From /home/scanner:
   chmod -R 777 /home/scanner

0 Kudos
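An added example, not taken from any post in this thread, that carries the steps above out as a script with the checks an administrator would want: it creates the account idempotently, grants sudo through a drop-in under /etc/sudoers.d that is syntax-checked with visudo -cf instead of hand-editing /etc/sudoers, and leaves the home directory's permissions alone (the scanner does not need a world-writable home). The group name (wheel rather than the post's sudo), the drop-in path, and the NOPASSWD entry are assumptions; compare them against the sudoers configuration your appliance actually ships with.

```shell
#!/bin/sh
# Added example (not from the thread): provision a dedicated Nessus scanning
# account on a VCSA / Photon OS host. Run as root on the appliance.

SCANNER_USER="${SCANNER_USER:-scanner}"
SUDO_GROUP="${SUDO_GROUP:-wheel}"          # assumption: Photon OS grants sudo via wheel; the post used "sudo"
SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"  # assumption: the appliance includes this directory

# Accept only names that are safe to interpolate into sudoers and useradd.
validate_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Build the sudoers entry for the account. NOPASSWD is used because the
# scanner runs sudo non-interactively; narrow the command list if policy allows.
sudoers_line() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# Create the account idempotently and install the sudoers drop-in.
provision_scanner() {
    user="$1"
    validate_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }

    # Only create the user if it does not exist yet; -m creates the home directory.
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    usermod -aG "$SUDO_GROUP" "$user"
    chsh -s /bin/bash "$user"

    # Write the candidate entry to a temp file and let visudo parse it before
    # it is installed; a bad line in sudoers.d can lock everyone out of sudo.
    tmp="$(mktemp)"
    sudoers_line "$user" > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$SUDOERS_DIR/90-$user"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "sudoers syntax check failed, nothing installed" >&2
        return 1
    fi
    echo "account ready; set a password or authorized key: passwd $user"
}

# Quick audit after provisioning: group membership and effective sudo rights.
verify_scanner() {
    id "$1" && sudo -l -U "$1"
}
```

Run `provision_scanner scanner` as root, then `verify_scanner scanner` to confirm the group membership and the sudo rule before pointing the scanner at the host; the Nessus credential still has to be configured to elevate with sudo for the account to be usable.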
pmichelli
Hot Shot

I just want to say I feel your pain. We too have Tenable and a sec team that only cares about the score. A lot of our bundled apps cannot have, as you say, Apache patched until the vendor releases an update bundle. It's always easy to tell someone to patch when you're not the one who has to deal with it when it breaks. I didn't even know we could scan vCenter with Tenable. I just keep telling my sec team I can't install agents on it so they can't scan it.

0 Kudos
KineOfNew
Contributor

John

Can you advise how to get the Nessus Credential Scan to say Yes? We are using the VMWARE vCENTER SOAP API but the credential scan is still coming back "NO".

0 Kudos
RickyHarding1
Contributor

Hi,

I am a massive Tenable.sc user and a few years back I put together a 'how to guide' for scanning vCenters/ESXi hosts.

It's available on the Tenable Forums here:  https://community.tenable.com/s/feed/0D5f200006YeBqjCAF

I hope you find that helpful.

ta, Ricky

0 Kudos
likeahoss
Enthusiast

I found a fix on a blog post. It's very close, if not the same as @John_Nicholas'.

https://blog.securestrux.com/guide-creating-a-tenable-nessus-scanning-account-for-vcsa

0 Kudos