How do I secure a privileged account that requires access to multiple systems?


I have a user account with a few privileges that is used to run security scans. What is the best practice to secure the systems when a scan is not running? My thought was to have the accounts be disabled with a random password, and that if I need to run a scan, I initiate a change request or some such, and an administrator enables the account, generates a random password for me, and at the end of my testing disables the account and resets the password.

Is there a better solution? I don't like the idea of an account with the same password on multiple systems.

Clarification: This is for a Linux environment that does not use LDAP/Kerberos/any other method of credential management.

We primarily use RHEL, though there are some Solaris systems as well.

appsecguy

Posted 2014-08-04T20:41:06.277

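The enable/disable workflow described in the question, as an added example that is not part of the original post: a bash helper for a RHEL-style host with local accounts only. The account name scanacct, the DRY_RUN switch and the function names are assumptions; it relies on GNU date and shadow-utils (usermod, chage, chpasswd).

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumptions: SCAN_USER is a
# hypothetical local account, GNU date and shadow-utils are present, and
# DRY_RUN=1 prints the privileged commands instead of running them.
set -eu
SCAN_USER="${SCAN_USER:-scanacct}"   # hypothetical account name
DRY_RUN="${DRY_RUN:-0}"

# Execute a privileged command, or print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# 24 alphanumeric characters from the kernel CSPRNG: a fresh value per
# scan window, so no two hosts (or windows) share a long-lived password.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Open a scan window: new random password, unlock, and an expiry date so
# the window closes even if nobody remembers to lock the account again.
# Prints the password once. Usage: open_scan_window <days-until-expiry>
open_scan_window() {
  local days="${1:-1}" pw expiry
  pw="$(gen_password)"
  expiry="$(date -d "+${days} days" +%Y-%m-%d)"
  run usermod -U "$SCAN_USER"
  run chage -E "$expiry" "$SCAN_USER"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: chpasswd %s\n' "$SCAN_USER"
  else
    # chpasswd reads user:password on stdin, keeping the secret out of argv
    printf '%s:%s\n' "$SCAN_USER" "$pw" | chpasswd
  fi
  printf '%s\n' "$pw"
}

# Close the window. usermod -L only disables password logins; an expiry
# date in the past also blocks SSH-key logins through the PAM account
# check. Finally kill any session the scanner left behind.
close_scan_window() {
  run usermod -L "$SCAN_USER"
  run chage -E "$(date -d yesterday +%Y-%m-%d)" "$SCAN_USER"
  run pkill -KILL -u "$SCAN_USER" || true
}
```

Run open_scan_window from the change-request step and close_scan_window when the scan ends; the expiry date is the safety net if the close step is forgotten.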

It would help if you can provide more details like what kind of systems are you accessing, what kind of accounts, is there an LDAP involved for all the systems you are accessing, etc. – Marcelo – 2014-08-04T20:48:54.800

What OS and version please? Helps to frame any potential answer to your problem. – mdpc – 2014-08-04T21:57:31.123

Typically RHEL. – appsecguy – 2014-08-07T23:26:43.923

Any thoughts on how to work with this? I don't like the idea of scanning tools like Nexpose or Nessus having full sudo access – appsecguy – 2014-08-11T19:44:08.717

No answers