The Alert Logic® Scan Engine lets you supply credentials in the Alert Logic console for authenticated patch scanning of host scan targets. A credentialed scan gives the operating system (OS) administrator much greater visibility of vulnerabilities in the OS and its installed applications than a network-only vulnerability assessment scan, which can only infer them from what the host exposes over the network.
Credentialed scans can be used throughout the patch management life cycle of the hosts in the customer infrastructure. The scan authenticates to the host, enumerates the operating system, installed patches and applications, and then reports any vulnerabilities associated with missing patches or applications that need updating. Credentialed scans do not execute on hosts with agent-based scanning enabled. Alert Logic highly recommends credentialed scans wherever agent-based scanning is disabled, to ensure maximum visibility of vulnerabilities.
This article covers the technical benefits and requirements of credentialed scanning. For how to perform credentialed scans in the Alert Logic console, see our Authenticated Scanning documentation.
Considerations with Microsoft and Linux
Review the following information for additional understanding of Microsoft and Linux functionality as it relates to credentialed scanning.
Microsoft Superseding Patches
The Alert Logic Scan Engine takes Microsoft superseding patches into account. However, Microsoft has recently adopted a model in which installing the monthly patches may not remediate all of the vulnerabilities they address: further action may be required by the administrator, such as installing prerequisite or standalone patches and/or applying manual registry entries. Because of this change, Alert Logic highly recommends that administrators review all Microsoft security advisories and supporting documentation before installing patches.
Note: Alert Logic does not support Microsoft Preview Patches.
Linux Backporting
Linux vendors backport security fixes into the application version shipped by their package manager rather than upgrading to a new upstream release. As a result, the version advertised in the application's network banner or header does not increase to a known non-vulnerable upstream version even though the fix is installed. This causes false positives when a network-only vulnerability assessment scan relies on service version detection and Common Platform Enumeration (CPE) matching. A credentialed scan can read the package version actually installed on the target host, which reduces the false positives in the scan results.
For further details regarding Linux backporting, see the Red Hat documentation.
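The following added example (not code from Alert Logic or from this article) contrasts the two views the section describes. The network-only view compares the advertised banner version against the first upstream release that contains a fix; the credentialed view reads the package changelog, in the style of `rpm -q --changelog <package>`, and checks whether the distribution recorded a backport. The banner, changelog and CVE identifiers (in the reserved 0000 year) are constructed for the example and refer to no real host or vulnerability.

```python
import re

# Constructed sample data, not output from any real host or scanner.
# What a network-only scan sees: the service banner with the vendor's package version.
BANNER = "SSH-2.0-OpenSSH_7.4"

# What a credentialed scan can read on the host: the package changelog, in the style
# of `rpm -q --changelog openssh` (RHEL/CentOS). The CVE identifiers are placeholders
# in the reserved 0000 year and do not refer to real vulnerabilities.
CHANGELOG = """\
* Tue Mar 03 2020 Example Packager <packager@example.invalid> - 7.4p1-21
- Backport fix for CVE-0000-0001
- Resolves: rhbz#0000001
* Mon Jan 06 2020 Example Packager <packager@example.invalid> - 7.4p1-20
- Rebuilt for updated dependencies
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Turn the last dotted number in text into a comparable tuple of ints.

    The last one is used because an SSH banner carries the protocol version
    ("2.0") before the software version ("7.4")."""
    versions = VERSION_RE.findall(text)
    if not versions:
        raise ValueError("no dotted version in %r" % text)
    return tuple(int(part) for part in versions[-1].split("."))


def network_view_flags(banner, fixed_in_upstream):
    """Network-only logic: flag the host if the advertised version is below the
    first upstream release that contains the fix."""
    return parse_version(banner) < parse_version(fixed_in_upstream)


def cves_fixed_in_changelog(changelog_text):
    """Credentialed logic: collect every CVE the package changelog says it addressed."""
    return set(CVE_RE.findall(changelog_text))


def assess(banner, changelog_text, cve, fixed_in_upstream):
    """Combine the two views and explain the outcome."""
    if not network_view_flags(banner, fixed_in_upstream):
        return "not affected: advertised version already at or above the upstream fix"
    if cve in cves_fixed_in_changelog(changelog_text):
        return "false positive: fix for %s was backported by the distribution" % cve
    return "vulnerable: version below upstream fix and no backport recorded for %s" % cve


if __name__ == "__main__":
    print(assess(BANNER, CHANGELOG, "CVE-0000-0001", "7.5"))
    print(assess(BANNER, CHANGELOG, "CVE-0000-0002", "7.5"))
```

On a real RHEL or CentOS host the changelog comes from `rpm -q --changelog <package>`; on Debian and Ubuntu it is in `/usr/share/doc/<package>/changelog.Debian.gz`. The scan engine does the equivalent comparison for you once it can log in; the point of the example is that the banner alone cannot distinguish the backported case from the vulnerable one.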
Credential Storage
Credentials that customers enter are stored encrypted under a 2048-bit RSA key and are decrypted only when the Alert Logic Scan Engine starts the scan. At no point are these credentials exposed to Alert Logic personnel.
Environment and Product Requirements
For credentialed scanning to be conducted in your environment, the following requirements are mandatory. Any deviation from them can produce inconsistent results.
Microsoft Windows
Product | Cloud Defender, Cloud Insight, Managed Detection & Response
Credentials | Local or domain administrator account (a domain administrator account is best practice for auditing purposes)
Credential Input | Cloud Defender: Domain, Username, Password. Cloud Insight and Managed Detection & Response: Username (entered as Domain\Username), Password
Network Access | RPC (135/TCP), NetBIOS (139/TCP, 137/UDP), SMB/CIFS (445/TCP, 445/UDP), WMI dynamic RPC range (49152-65535/TCP)
Services | Enable the Windows Management Instrumentation (WMI) and Remote Registry services
Note: The scanning account holds administrative rights on every host it audits, so use a dedicated account for scanning rather than a shared administrator login. For more information regarding WMI port requirements, refer to the following Microsoft article.
Linux
Product | Cloud Defender, Cloud Insight, Managed Detection & Response
Credentials | Standard user (no root or sudo required)
Network Access | SSH (22/TCP)
Product | Cloud Insight, Managed Detection & Response
Credentials | Standard user and SSH key (2048-bit RSA, PEM format)
Network Access | SSH (22/TCP)
Note: For hardened Linux instances, root-level credentials are required.
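The key requirement above (2048-bit RSA, PEM format) is easy to get wrong because current OpenSSH writes its own native format by default. The checker below is an added example, not Alert Logic code; it assumes that "PEM format" means the traditional PKCS#1 `-----BEGIN RSA PRIVATE KEY-----` file that `ssh-keygen -m PEM` produces, and it reads only the version and modulus from the DER body, so it works on a real unencrypted key. The `constructed_pem` helper builds a structurally minimal stand-in (version plus a modulus of the requested size, nothing else) purely to exercise the checker; it is not a usable key.

```python
import base64

TRADITIONAL_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
TRADITIONAL_FOOTER = "-----END RSA PRIVATE KEY-----"


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def check_scan_key(pem_text, required_bits=2048):
    """Return (ok, detail) for a private key a user intends to upload for scanning.

    ok is True only for an unencrypted traditional PEM (PKCS#1) RSA key whose
    modulus is exactly required_bits long (assumption: the article's "PEM format").
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines:
        return False, "empty input"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return False, "OpenSSH native format; regenerate or convert with ssh-keygen -m PEM"
    if lines[0] != TRADITIONAL_HEADER or lines[-1] != TRADITIONAL_FOOTER:
        return False, "not a traditional PEM RSA key (expected %s)" % TRADITIONAL_HEADER
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines):
        return False, "passphrase-protected PEM; cannot read the modulus without the passphrase"
    body = "".join(ln for ln in lines[1:-1] if ":" not in ln)   # skip any header lines
    try:
        der = base64.b64decode(body, validate=True)
        tag, seq, _ = _der_tlv(der, 0)
        if tag != 0x30:
            return False, "DER body is not a SEQUENCE"
        tag, version, pos = _der_tlv(seq, 0)      # RSAPrivateKey.version
        if tag != 0x02 or version != b"\x00":
            return False, "unexpected RSAPrivateKey version"
        tag, modulus, _ = _der_tlv(seq, pos)      # RSAPrivateKey.modulus (n)
        if tag != 0x02:
            return False, "modulus is not an INTEGER"
    except (ValueError, IndexError) as exc:
        return False, "malformed key: %s" % exc
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits != required_bits:
        return False, "RSA modulus is %d bits, expected %d" % (bits, required_bits)
    return True, "traditional PEM RSA key, %d-bit modulus" % bits


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    return b"\x02" + _der_len(len(value)) + value


def constructed_pem(modulus_bits):
    """Build a constructed PEM blob whose DER body carries only a version and a
    modulus of modulus_bits bits. Used to exercise the checker; not a usable key."""
    # Leading 0x00 keeps the INTEGER positive; 0x80 then zeros sets the top bit.
    n = b"\x00" + b"\x80" + b"\x00" * (modulus_bits // 8 - 1)
    seq_body = _der_int(b"\x00") + _der_int(n)
    der = b"\x30" + _der_len(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([TRADITIONAL_HEADER] + lines + [TRADITIONAL_FOOTER]) + "\n"


if __name__ == "__main__":
    print(check_scan_key(constructed_pem(2048)))
    print(check_scan_key(constructed_pem(4096)))
```

To produce a key that passes, run `ssh-keygen -t rsa -b 2048 -m PEM -f scan_key`; the `-m PEM` switch matters because OpenSSH 7.8 and later write the native `OPENSSH PRIVATE KEY` format by default. An existing key can be rewritten in place with `ssh-keygen -p -m PEM -f scan_key`.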
Simple Network Management Protocol (SNMP)
Product | Cloud Defender
Credentials | Community names
Product | Cloud Insight, Managed Detection & Response
Credentials | Username and community string
Supported Operating Systems
Microsoft
- Windows 2003
- Windows 7
- Windows 8 / 8.1
- Windows 10
- Server 2008 / 2008 R2
- Server 2012 / 2012 R2
- Server 2016
- Server 2019
Linux
- Amazon Linux 1 and 2
- CentOS 4, 5, 6, 7, and 8
- Debian 7, 8, and 9
- Oracle Linux 5, 6, and 7
- SUSE 10, 11, and 12
- Red Hat Enterprise Linux 4, 5, 6, 7, and 8
- Ubuntu 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, and 19
- Solaris 10
- Juniper Junos OS
Note: For operating system versions that have reached end of life, Alert Logic does not add detection for new vulnerabilities after the end-of-life date. The OS vendor no longer reports new vulnerabilities or provides patches for those versions, so the only remediation is to upgrade the OS.
Complex Passwords
Alert Logic supports complex passwords; however, some special characters have special meaning to command line interfaces and cause difficulty. Beyond letters, limit the characters in the password to:
- Numbers (0-9)
- Periods (.)
- Colons (:)
- Semicolons (;)
- Percentages (%)
- Spaces ( )
Alert Logic supports password lengths of up to 64 characters.
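A small pre-check that applies these rules before a scanning password is entered in the console, as an added example that is not part of this article. It assumes that ASCII letters and digits are always acceptable (the list above names only the special characters) and treats any other character as one to avoid; it reports every offending character rather than stopping at the first.

```python
ALLOWED_SPECIALS = ".:;% "     # from the article: period, colon, semicolon, percent, space
MAX_LENGTH = 64                # from the article: supported password length


def check_scan_password(password):
    """Return a list of problems with a candidate scanning password; empty means OK.

    Assumption: ASCII letters and digits are always acceptable; anything that is
    neither alphanumeric ASCII nor in ALLOWED_SPECIALS is reported.
    """
    problems = []
    if len(password) > MAX_LENGTH:
        problems.append("length %d exceeds the %d-character limit" % (len(password), MAX_LENGTH))
    disallowed = sorted({c for c in password
                         if not (ord(c) < 128 and c.isalnum()) and c not in ALLOWED_SPECIALS})
    if disallowed:
        problems.append("characters to avoid: " + " ".join(repr(c) for c in disallowed))
    return problems


if __name__ == "__main__":
    for candidate in ("Scan.Account:2020;ok%", "P@ss$word!", "a" * 65):
        print(repr(candidate), check_scan_password(candidate) or "OK")
```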
Informational Exposures for Patch Scanning
Within the scan results in the Alert Logic console, several informational exposures relate to authenticated patch scanning; they are described below. Alert Logic recommends that you do not mark these exposures Inactive (Cloud Defender) or Disposed (Cloud Insight and Managed Detection & Response), because they show whether credentialed scanning actually ran against each host.
No Credentials Provided for Authenticated Scanning: Exposure ID 127346
Reported when a host exposes the ports required for a credentialed scan but no credentials have been applied to it in the Alert Logic console.
No Ports Available: Exposure ID 128343
Reported when credentials have been applied in the Alert Logic console but the required ports are not open.
Local Checks Error: Exposure ID 16205
Reported when credentials have been applied in the Alert Logic console and the required ports are open, but authentication failed during the scan. Further details of the failure are given in the scan result in the Alert Logic console.
Authentication Successful: Exposure ID 127345
Reported when all requirements have been met and authentication succeeded during the scan.