I have recently started work in application security at a mid-sized firm, having transitioned away from 5+ years in security consulting (pentesting, etc.). One of the biggest challenges I see here from the start is that security scanners and other tools use root/Administrator access, since that is what vendors had told them to use, most likely because of the ease of configuration. I really don't like this idea. For instance, Nexpose and Nessus are both configured to use root and Administrator.
My question: what are the best practices in terms of governing access to these privileged accounts? My initial thought is to have a type of password-vault system that solely knows the passwords to the system. Then, a user can "check out" the root/Administrator password as needed. For Nessus in particular, only a few commands are run as root, so I think it would make sense just to create a standard user and add it to the sudoers file while only allowing those specific commands.
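One way to put the restricted-sudoers idea into practice, and to spot the "everything as root" grants it replaces, as an added example that is not part of the original question: a constructed sudoers sample with a vendor-style blanket grant next to a least-privilege grant, plus a small audit function that flags entries granting `ALL` or a shell. The account name `nessus-scan` and the `SCAN_CMDS` paths are assumptions; the real paths are the few binaries the vendor documents for credentialed scans.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the scan account is named
# "nessus-scan" and the SCAN_CMDS paths are placeholders to be replaced with the exact
# binaries the vendor documents for credentialed scans.

# Constructed sample: a vendor quick-start style grant next to a least-privilege one.
sample_sudoers() {
    cat <<'EOF'
# weak: the scanner account can run anything as root with no password
scanner ALL=(ALL) NOPASSWD: ALL
# weak: granting a shell is root with one extra step
ops ALL=(root) /bin/bash
# least privilege: one alias naming the few commands the scanner really needs
Cmnd_Alias SCAN_CMDS = /usr/bin/scan-helper-a, /usr/bin/scan-helper-b
nessus-scan ALL=(root) NOPASSWD: SCAN_CMDS
EOF
}

# Report user specs that grant every command (ALL) or a program that is itself a shell.
# Aliases are not expanded here; on a live host, `sudo -l -U <user>` shows the resolved grant.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }                                   # comments, blank lines
        /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)      # drop "user host=" -> "(runas) TAG: cmds"
            sub(/\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
            gsub(/[A-Z]+:[ \t]*/, "", spec)     # drop tags such as NOPASSWD:
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (cmds[i] == "ALL")
                    print "BROAD: " $0
                else if (cmds[i] ~ /(^|\/)(sh|bash|dash|zsh|su)([ \t]|$)/)
                    print "SHELL-ESCAPE: " $0
            }
        }' "$1"
}

# Run stand-alone: write the sample to a temp file, audit it, print the findings.
main() {
    tmp=$(mktemp)
    sample_sudoers > "$tmp"
    audit_sudoers "$tmp"
    rm -f "$tmp"
}

main "$@"
```

Running it reports the `scanner` and `ops` lines and stays silent on `nessus-scan`; the same function can be pointed at `/etc/sudoers` and the files under `/etc/sudoers.d` on the scanned hosts.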