Linux Least Privilege Scanning

08/04/2022
By Esben Dochy

Pro Tips with Esben #19

Similar to last week, we’re exploring how to scan agentless with the least amount of privileges possible. This time we’re taking a look at Linux.

When scanning with Lansweeper, admin privileges are often required to retrieve every detail from the operating system. The exact requirements are always listed in the official scanning requirements knowledgebase article, but the permissions can be trimmed further if you are willing to spend the extra time, or are forced to by strict security policies.

Our IT team has documented how you can scan Linux/Unix systems with an account that holds only specific permissions. They tested this on Lansweeper 9.3 (so not with the new Linux scanning update introduced in 9.4) on openSUSE, CentOS, Red Hat Enterprise Linux, Ubuntu, Debian, Fedora, Manjaro, AIX, and OpenSolaris.

As with Windows scanning last time, I would personally recommend testing everything first; it is always possible something was missed. Additionally, since this isn't the recommended way of scanning, our support team will always refer you to our official documentation, and new Linux/Unix scanning features will likely not work without adjustments.

Linux Permission Configuration

As mentioned above, changes might be required if you use Lansweeper 9.4 or higher. I have added notes to the configuration steps that will help you adjust the commands for the newer Linux scanning implemented in version 9.4.

Configuration for Local Users

  1. Open a terminal emulator on the Linux device
  2. Create a local group that will contain all scanning accounts
    sudo groupadd scanning_accounts
  3. Add the scanning account to the group
    sudo usermod -a -G scanning_accounts <Account Name>
  4. Give the scanning group sudo permissions to dmidecode, lspci, ifconfig and lshw by adding the following line with the “sudo visudo” command:
    echo "%scanning_accounts ALL=(root) /sbin/dmidecode, /sbin/lspci, /sbin/ifconfig, /sbin/lshw" | sudo EDITOR='tee -a' visudo

    Notes:
    In Lansweeper 9.4, “ifconfig” got replaced by “ip”
    Users and groups are scanned using the following commands: cat /etc/passwd and cat /etc/group
  5. Make sure SSH runs at system startup on port 22
  6. Check that there are no firewall rules in place which block SSH access to these accounts

Configuration for Domain Users

  1. Create a scanning user in your domain
  2. Create a domain group for the scanning accounts
  3. Add the scanning user to the newly created domain group
  4. Give the scanning group sudo permissions to dmidecode, lspci, ifconfig and lshw by adding the following line with the “sudo visudo” command:
    echo "%<DomainGroupUPN> ALL=(root) /sbin/dmidecode, /sbin/lspci, /sbin/ifconfig, /sbin/lshw" | sudo EDITOR='tee -a' visudo

    Notes:
    In Lansweeper 9.4, “ifconfig” got replaced by “ip”
    Users and groups are scanned using the following commands: cat /etc/passwd and cat /etc/group
  5. Make sure SSH runs at system startup on port 22
  6. Check that there are no firewall rules in place which block SSH access to these accounts
  7. Ensure that the domain accounts can authenticate (PAM with SSSD/Winbind)
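As an added example (not Lansweeper's or the author's own code), the following POSIX sh helper builds the sudoers line from step 4 of either procedure above for the 9.3 or the 9.4 tool list, checks that the line still grants only the listed commands, and installs it as a validated drop-in under /etc/sudoers.d instead of appending to /etc/sudoers. It assumes the host's sudo includes /etc/sudoers.d (the default on the distributions listed) and that the tools live in the directory you pass (the article uses /sbin).

```sh
#!/bin/sh
# Added helper, not Lansweeper's tooling. Builds the scanning group's sudoers
# rule, lints it for least privilege, syntax-checks it with visudo and installs
# it as a drop-in file. Assumption: the host's sudo reads /etc/sudoers.d.

# Tools the article grants for 9.3; Lansweeper 9.4 replaced ifconfig with ip.
TOOLS_93="dmidecode lspci ifconfig lshw"
TOOLS_94="dmidecode lspci ip lshw"

# build_rule GROUP BINDIR TOOL...  ->  "%GROUP ALL=(root) BINDIR/t1, BINDIR/t2, ..."
# sudoers requires absolute command paths; BINDIR is where the tools live here.
build_rule() {
    group=$1; bindir=$2; shift 2
    cmds=""
    for t in "$@"; do
        cmds="${cmds:+$cmds, }$bindir/$t"
    done
    printf '%%%s ALL=(root) %s\n' "$group" "$cmds"
}

# lint_rule RULE: succeed only if the rule runs as root only, grants no
# blanket ALL, has no NOPASSWD, and lists every command by absolute path.
lint_rule() {
    rule=$1
    case "$rule" in
        *NOPASSWD*|*"ALL=(root) ALL"*|*"(ALL"*) return 1 ;;
    esac
    cmds=${rule#*"ALL=(root) "}
    [ "$cmds" != "$rule" ] || return 1        # no "(root)" run-as spec at all
    # one command per line; read strips the space that follows each comma
    printf '%s\n' "$cmds" | tr ',' '\n' | {
        while read -r c; do
            case "$c" in /*) ;; *) exit 1 ;; esac
        done
    } || return 1
}

# install_rule RULE NAME: lint and validate in a temp file, then install as
# /etc/sudoers.d/NAME with the 0440 mode sudo expects.
install_rule() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" >"$tmp"
    if lint_rule "$1" && visudo -cf "$tmp" >/dev/null; then
        sudo install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$2"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

After installing, `sudo -l -U <Account Name>` on the host should list exactly the four commands and nothing else.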

Next time we’ll dive into Apple Macs with the last part of Least Privilege Scanning!