Is it acceptable to have a privileged account with a shared password on multiple systems?


I have a scanning tool, Nexpose, that requires a user account to have sudo privileges. Our Linux systems at this point do not use Kerberos, LDAP, or anything centralized. Most of these systems run RHEL 5 or Solaris 10.

Is it considered acceptable to do the following:

  • Create a privileged account on each system with a shared password
  • Disable the account
  • Require a sysadmin to enable the account on each relevant system prior to initiating scan
  • Require a sysadmin to disable the account after scanning

appsecguy

Posted 2014-08-15T19:10:27.097

Reputation: 119

If this is a service account, why not modify your sudo config so that it can use sudo without a password for the specific tools it needs to run? How does Nexpose remotely access the systems? SSH? If so, then set up key-based authentication for that. Anyway, in short, you should need a shared password for this. You should be able to set up password-less authentication for this service. – Zoredache – 2014-08-15T19:41:12.543
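As an added example (not code from the original question or from either comment), the POSIX shell script below sketches what the lock/unlock workflow in the question looks like when combined with the comment's suggestion: no shared password at all, a per-host SSH key restricted to the scanner's address, and a sudoers fragment that grants NOPASSWD only for the commands the scan needs. The account name nexscan, the scanner address 192.0.2.10, the sample key text, the sudo command list and the constructed shadow lines are all assumptions; the page does not say which commands Nexpose runs. The script also carries the caveat a practitioner wants: on Linux, usermod -L locks only the password, and with sshd's default UsePAM yes that lock does not by itself stop a public-key login, so the disable step also expires the account with chage -E 0.

```shell
#!/bin/sh
# Added example, not code from the original question or comments.
# Assumptions (not stated on the page): the scan account is called "nexscan",
# the Nexpose scanner connects from 192.0.2.10, and the commands the scan
# needs under sudo are the ones passed to render_sudoers below.

SCAN_USER=nexscan
SCANNER_IP=192.0.2.10

# Sudoers fragment: NOPASSWD only for the listed commands, for this one user.
# The command list is an assumption; use the commands your scan actually needs.
render_sudoers() {
    user=$1
    shift
    cmds=$(printf '%s, ' "$@")
    cmds=${cmds%, }
    printf 'Cmnd_Alias SCAN_CMDS = %s\n' "$cmds"
    printf '%s ALL=(root) NOPASSWD: SCAN_CMDS\n' "$user"
}

# authorized_keys entry: key usable only from the scanner's address, with
# no forwarding and no pty, so the key is good for scanning and little else.
render_authorized_key() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# Is a shadow line locked? RHEL's usermod -L prefixes the hash with "!",
# Solaris 10's passwd -l writes "*LK*"; a bare "*" means no valid password.
shadow_locked() {
    pw=$(printf '%s' "$1" | cut -d: -f2)
    case "$pw" in
        '!'* | '*LK*'* | '*') return 0 ;;
        *) return 1 ;;
    esac
}

# What the sysadmin runs after and before a scan. On Linux, usermod -L locks
# only the password; with sshd's default UsePAM yes, a key-based login is not
# necessarily stopped by that lock, so the account is also expired (chage -E 0)
# and the expiry removed again (chage -E -1) when re-enabling.
disable_cmds() {
    case "$1" in
        linux)   printf 'usermod -L %s && chage -E 0 %s\n' "$2" "$2" ;;
        solaris) printf 'passwd -l %s\n' "$2" ;;
        *)       return 1 ;;
    esac
}

enable_cmds() {
    case "$1" in
        linux)   printf 'usermod -U %s && chage -E -1 %s\n' "$2" "$2" ;;
        solaris) printf 'passwd -u %s\n' "$2" ;;
        *)       return 1 ;;
    esac
}

# Stand-alone demo with constructed sample data.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0EXAMPLEKEYDATA nexpose@scanner'
render_sudoers "$SCAN_USER" /bin/cat /sbin/dmidecode /usr/bin/find
render_authorized_key "$SCANNER_IP" "$SAMPLE_KEY"
for os in linux solaris; do
    echo "disable ($os): $(disable_cmds "$os" "$SCAN_USER")"
    echo "enable  ($os): $(enable_cmds "$os" "$SCAN_USER")"
done
# Constructed shadow lines: locked RHEL hash, locked Solaris hash, unlocked.
for line in 'nexscan:!$1$saltsalt$hashhashhash:16297:0:99999:7:::' \
            'nexscan:*LK*$1$saltsalt$hashhashhash:16297::::::' \
            'nexscan:$1$saltsalt$hashhashhash:16297:0:99999:7:::'; do
    if shadow_locked "$line"; then echo "locked:   $line"; else echo "unlocked: $line"; fi
done
```

Paste the rendered sudoers fragment in through visudo (or into a drop-in directory if your sudo build supports #includedir), and check a fragment file first with `visudo -c -f FILE`. The account never gets a password, so there is nothing shared to rotate; what the sysadmin toggles per host is only the lock and expiry, and each host's authorized_keys entry can be removed independently if the scanner's key is ever compromised.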

This question might belong on Security.SE. – G-Man Says 'Reinstate Monica' – 2014-08-15T20:18:18.363

No answers