Pro Tips with Esben #19
Similar to last week, we’re exploring how to scan agentless with the least amount of privileges possible. This time we’re taking a look at Linux.
When scanning with Lansweeper, admin privileges are often required to be able to scan all the details from the operating system. The specific requirements for scanning are always listed in the official requirements knowledge base article, but the required permissions can be limited a bit more if you’re willing to spend the extra time or are forced to due to strict security policies.
Our IT team has documented how you can scan Linux/Unix systems by granting the scanning account only specific permissions. They tested this on Lansweeper 9.3 (so not with the new Linux scanning update done in 9.4) on OpenSUSE, CentOS, Red Hat Enterprise Linux, Ubuntu, Debian, Fedora, Manjaro, AIX, and OpenSolaris.
Similar to last time with Windows scanning, I would personally recommend testing everything first; it’s always possible something was missed. Additionally, since this isn’t the recommended way of scanning, our support team will always refer you to our official documentation. It is also likely that new Linux/Unix scanning features won’t work without adjustments.
Linux Permission Configuration
As mentioned above, changes might be required for people using Lansweeper 9.4 or higher. I already added some notes in the configuration steps that will help you adjust the commands for the newer Linux scanning implemented in version 9.4.
Configuration for Local Users
- Open a terminal emulator on the Linux device
- Create a local group that will contain all scanning accounts
sudo groupadd scanning_accounts
- Add the scanning account to the group
sudo usermod -a -G scanning_accounts <Account Name>
- Give the scanning group sudo permissions to dmidecode, lspci, ifconfig and lshw by adding the following line with the “sudo visudo” command:
echo "%scanning_accounts ALL=(root) /sbin/dmidecode, /sbin/lspci, /sbin/ifconfig, /sbin/lshw" | sudo EDITOR='tee -a' visudo
Notes:
In Lansweeper 9.4, “ifconfig” got replaced by “ip”
Users and groups are scanned using the following commands: cat /etc/passwd and cat /etc/group
- Make sure SSH runs at system startup on port 22
- Check that there are no firewall rules in place which block SSH access to these accounts
Configuration for Domain Users
- Create a scanning user in your domain
- Create a domain group for the scanning accounts
- Add the scanning user to the newly created domain group
- Give the scanning group sudo permissions to dmidecode, lspci, ifconfig and lshw by adding the following line with the “sudo visudo” command:
echo "%<DomainGroupUPN> ALL=(root) /sbin/dmidecode, /sbin/lspci, /sbin/ifconfig, /sbin/lshw" | sudo EDITOR='tee -a' visudo
Notes:
In Lansweeper 9.4, “ifconfig” got replaced by “ip”
Users and groups are scanned using the following commands: cat /etc/passwd and cat /etc/group
- Make sure SSH runs at system startup on port 22
- Check that there are no firewall rules in place which block SSH access to these accounts
- Ensure that the domain accounts can authenticate (PAM with SSSD/Winbind)
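Both procedures above end with the same sudoers rule. As an added example (not from the post or from Lansweeper), the following POSIX shell script builds that rule for a given group, places it in a /etc/sudoers.d drop-in instead of appending to /etc/sudoers, and syntax-checks it with visudo before it takes effect. The /sbin/ip path for the 9.4 replacement of ifconfig, the drop-in file name and the "legacy"/"ip" mode names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Lansweeper's own code. Assumptions not stated in the post:
# binaries live under /sbin (merged-/usr distros symlink /sbin to /usr/sbin) and
# the Lansweeper 9.4 replacement for ifconfig is /sbin/ip.

# Print the sudoers rule for GROUP (a local group such as scanning_accounts or
# the domain group from the post). MODE is "legacy" (Lansweeper 9.3 and earlier,
# ifconfig) or "ip" (9.4 and later, where ifconfig was replaced by ip).
scan_sudoers_rule() {
    group=$1
    mode=${2:-legacy}
    case $mode in
        legacy) net=/sbin/ifconfig ;;
        ip)     net=/sbin/ip ;;
        *)      echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Members of the group may run only these four binaries, only as root.
    printf '%%%s ALL=(root) /sbin/dmidecode, /sbin/lspci, %s, /sbin/lshw\n' \
        "$group" "$net"
}

# Write the rule to FILE (normally /etc/sudoers.d/lansweeper_scan) with the
# 0440 mode sudo expects for drop-ins; sudo skips a drop-in whose mode or
# owner is wrong, so the rule would silently not apply.
write_scan_sudoers() {
    group=$1; file=$2; mode=${3:-legacy}
    ( umask 077; scan_sudoers_rule "$group" "$mode" > "$file" ) || return 1
    chmod 0440 "$file"
}

# Syntax-check FILE before relying on it: a sudoers syntax error makes sudo
# refuse to run for every account on the host. Returns non-zero on error.
check_scan_sudoers() {
    file=$1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$file"
    else
        echo "visudo not found; run 'visudo -c -f $file' on the target" >&2
        return 1
    fi
}

# Usage on the Linux device, as root:
#   groupadd scanning_accounts
#   usermod -a -G scanning_accounts <Account Name>
#   write_scan_sudoers scanning_accounts /etc/sudoers.d/lansweeper_scan ip
#   check_scan_sudoers /etc/sudoers.d/lansweeper_scan
#   sudo -l -U <Account Name>   # confirm only the four commands are listed
```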
Next time we’ll dive into Apple Macs with the last part of Least Privilege Scanning!