Best Way to Allow 3rd Party Software Permissions to Scan RHEL systems

I'm dealing with some 3rd party software vendors who need to allow their software the ability to either traverse or ls on directories owned by Root.

I'm surprised that they don't have a much more secure way of doing this or they don't have a solution for me and that I have to figure it out.

I thought one way would be to put them in the Root group, however I don't think this is secure. And I don't want to change default permissions on files and directories to allow their software to work.

I'm just wondering what others have done to get this to work.

thanks

Responses

Hi Christopher, what about ACLs? Might be an option ;-)

We use ACLs when we get into that situation. Sometimes standard permissions just aren't enough.

I've not used ACLs here in our production environment. Only when studying for the RHCSA.

Do you have an example that you could provide for a learning opportunity?

thanks

Chris, you'd likely have to run ACLs against the entire system or whatever would be scanned by a vulnerability scanner (I recommend against that though, more in a moment...).

However, for the sake of just giving ACL information, an ACL in principle goes as follows (link 1 & link 2):

# grant one system account full access to a single file
setfacl -m u:nameofsystemaccount:rwx /project/somefile

# alternatively, maybe you want to allow a group to access a subdirectory with ACLs, if this were warranted
# (the find command is wrapped in $(...) so setfacl receives every path it returns; the original used backticks)
setfacl -m g:nameofthegroup:rwx $(find /var/www/html/pub/kickstarts/thosepeople)
# the last example, with a follow-up of setting a group sticky-bit perhaps for directories, if it is sensible

I'd stridently recommend against setting ACLs on everything you intend to scan with vulnerability scanning software. I've never seen ACLs used to enable vulnerability scans to work for all systems anywhere, for any form of software or method, in my history with any customer I know of, for either UNIX or Linux, at any time (in the context of enabling vulnerability scans, to be clear).

Now I've seen customers who have scanning software with a service account and the service account could be set up for either /bin/su - upon login (within the specialized software, vendors differ on setup/configuration) for scanning or perhaps sudo rights, used against hundreds & hundreds or more systems.

Kind Regards,

-RJ
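An added example, not from RJ's post or anyone else's in this thread: a small POSIX sh helper that grants a scanner's service account read-and-traverse ACLs on one tree (rX rather than rwx, plus a default ACL so files created later inherit it), reports what the account effectively gets once the mask is applied, and removes the entries again. The account name and path are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the thread): grant a scanner's service account
# read-only traversal of a root-owned tree with POSIX ACLs, then verify
# the result. The account and path names are placeholders.

# grant_scan_acl ACCOUNT PATH
#   r = read files and list directories
#   X = execute (traverse) only on directories and files that are already
#       executable, so plain files do not become executable for the account
grant_scan_acl() {
  # Access ACL on everything that exists now ...
  setfacl -R -m "u:$1:rX" "$2" || return 1
  # ... plus a default ACL on each directory so files created later inherit it.
  find "$2" -type d -exec setfacl -d -m "u:$1:rX" '{}' + || return 1
}

# revoke_scan_acl ACCOUNT PATH: remove both the access and the default entries again
revoke_scan_acl() {
  setfacl -R -x "u:$1" "$2" || return 1
  find "$2" -type d -exec setfacl -d -x "u:$1" '{}' + || return 1
}

# acl_entry ACCOUNT PATH: print the permissions the account really gets on PATH,
# e.g. "r-x" or "r--". An entry can be wider than the mask (the mask comes from
# the file's group bits); getfacl then appends "#effective:..." and that is
# what counts, so prefer it over the raw entry.
acl_entry() {
  uid=$(id -u "$1" 2>/dev/null || echo "$1")    # numeric form for getfacl -n
  getfacl -n --omit-header "$2" 2>/dev/null | awk -F: -v u="$uid" '
    $1 == "user" && $2 == u {
      if (index($0, "#effective:")) { split($0, a, "#effective:"); print a[2] }
      else print $3
      exit
    }'
}
```

Check the output of acl_entry on a directory, an existing file and a newly created file before handing the account to the vendor; the newly created file is where the mask usually surprises people.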

I was in the same boat with facls, learned them for my RHCSA but never used them till about a year ago. There are lots of web sites with tutorials on them. Here's a good web site to go through:

http://bencane.com/2012/05/27/acl-using-access-control-lists-on-linux/
