vCenter

  • 1.  Tenable Credentialed Scanning

    Posted Feb 22, 2022 01:15 AM

    We are trying to scan vCenter 7 VCSA with SSH. We are only able to get a credentialed scan with the "root" account. The Operator, Admin, and Super Admin accounts return credentialed "yes" but insufficient privilege or elevation required. Tried adding the account to the wheel and root groups. Also tried granting the account all the permissions and roles via the web console. Changed permissions for the entire "/" file system to 777. We were not able to find a way to create a backup or emergency root account so we would not have to use the root account. We don't want to use a compliance audit file, just a straight vulnerability scan. We were able to use the vCenter SOAP API with vCenter 6 but it does not appear to work with the VCSA 7 appliance. Does it need to be configured with VCSA 7?

    Thanks



  • 2.  RE: Tenable Credentialed Scanning

    Posted Jun 14, 2022 11:42 AM

    I managed to get this working. However, and I cannot stress this enough, I dispute the validity of the "vulnerabilities" returned. Our group that does the scanning where I work expects mitigation of "vulnerabilities" found, and you simply cannot patch individual vulnerabilities without risking breaking your vCenter Appliance installation irrevocably. For instance, I was expected to update the underlying Photon OS, Apache libraries, etc. This is not an option as far as I'm concerned. That being said, here is how I managed to get "credentialed Nessus scanning" to work on vCenter Server Appliance:

    1) Log on to the appliance as "root" at the bash prompt.
    2) Create the "scanner" account (name it whatever you want):
       useradd scanner
    3) Make the scanner account an admin account:
       usermod -aG sudo scanner
    4) Run visudo and match the "root" settings in /etc/sudoers.
    5) Change the default shell for the "scanner" account:
       chsh -s /bin/bash scanner
    6) On /home/scanner:
       chmod -R 777 /home/scanner
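    A pre-flight check for the account created in the steps above, added here as an example (not code from the thread): it reads copies of passwd, group and sudoers and reports whether the account has an interactive shell, an admin group and an ALL=(ALL) sudoers rule, the three things those steps set up. The file layout and the sample entries are constructed assumptions.

```shell
# Added example, not from the thread. check_scanner_account reads the
# passwd/group/sudoers files given as arguments, so it can be run offline
# against copies pulled from the appliance; make_sample_files writes
# constructed sample data for a stand-alone run.
# check_scanner_account USER PASSWD GROUP SUDOERS -> 0 only if all checks pass
check_scanner_account() {
    user=$1; passwd=$2; group=$3; sudoers=$4; rc=0
    # step 5 of the post: the account needs an interactive login shell
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ -z "$shell" ]; then
        echo "FAIL: $user not found in $passwd"; return 1
    fi
    case "$shell" in
        /bin/bash|/bin/sh) echo "ok:   login shell is $shell" ;;
        *) echo "FAIL: login shell is $shell"; rc=1 ;;
    esac
    # step 3: membership in the sudo (or wheel) group
    grp=$(awk -F: -v u="$user" \
        '($1 == "sudo" || $1 == "wheel") && $4 ~ ("(^|,)" u "(,|$)") { print $1 }' "$group")
    if [ -n "$grp" ]; then echo "ok:   member of $grp"
    else echo "FAIL: not in sudo or wheel group"; rc=1; fi
    # step 4: an ALL=(ALL) sudoers rule for the user or its admin group
    if grep -Eq "^(${user}|%(sudo|wheel))[[:space:]]+ALL=\(ALL(:ALL)?\)" "$sudoers"
    then echo "ok:   sudoers rule present"
    else echo "FAIL: no ALL=(ALL) rule for $user"; rc=1; fi
    return "$rc"
}
# make_sample_files DIR: constructed data; "scanner" is set up as in the
# post, "operator" has a shell but no admin group or sudoers rule.
make_sample_files() {
    cat >"$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
scanner:x:1001:1001::/home/scanner:/bin/bash
operator:x:1002:1002::/home/operator:/bin/bash
EOF
    cat >"$1/group" <<'EOF'
root:x:0:
wheel:x:27:root
sudo:x:1001:scanner
EOF
    cat >"$1/sudoers" <<'EOF'
root ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
EOF
}
```

    Run it as `d=$(mktemp -d); make_sample_files "$d"; check_scanner_account scanner "$d/passwd" "$d/group" "$d/sudoers"` to see the three checks pass for the constructed account.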



  • 3.  RE: Tenable Credentialed Scanning

    Posted Jun 15, 2022 07:55 PM

    I just want to say I feel your pain. We too have Tenable and a sec team that only cares about the score. A lot of our bundled apps cannot have, as you say, Apache patched until the vendor releases an update bundle. It's always easy to tell someone to patch when you're not the one who has to deal with it when it breaks. I didn't even know we could scan vCenter with Tenable. I just keep telling my sec team I can't install agents on it so they can't scan it.



  • 4.  RE: Tenable Credentialed Scanning

    Posted Sep 22, 2022 01:18 AM

    John

    Can you advise how to get the Nessus credentialed scan to say "Yes"? We are using the VMware vCenter SOAP API but the credentialed scan is still coming back "NO".



  • 5.  RE: Tenable Credentialed Scanning

    Posted Jan 27, 2023 04:39 PM

    Hi,

    I am a massive Tenable.sc user and a few years back I put together a 'how to guide' for scanning vCenters/ESXi hosts.

    It's available on the Tenable Forums here:  https://community.tenable.com/s/feed/0D5f200006YeBqjCAF

    I hope you find that helpful.

    ta, Ricky



  • 6.  RE: Tenable Credentialed Scanning

    Posted Oct 25, 2023 09:40 PM

    I found a fix on a blog post. It's very close, if not the same as '.

    https://blog.securestrux.com/guide-creating-a-tenable-nessus-scanning-account-for-vcsa