Why does Tenable/Nessus require full level 15 access for Cisco devices? It doesn't need it.

It is a long battle between vulnerability scanner vendors and network engineers over allowing level 15 privileged access from the scanner. Since full-privilege scan credentials are common in Windows / Linux environments, the vendor often asks for it casually. Well, just providing level 15 access would be the easiest way to end the argument.

The Tenable/Nessus scanner does NOT require full level 15 access. However, the vendor always asks for full access and control. There are two methods of vulnerability and compliance scanning: online and offline. Of course, offline gives you more work to do, so most security teams prefer to have online scanning capability.

From the network administrator's point of view, giving full level 15 access is not common and is not decided lightly.

What if we know which Cisco commands Tenable/Nessus actually requires?

Here is the list of the commands you are looking for. I got the list from the Tenable official website.

https://discussions.tenable.com/docs/DOC-1263

Once you open it, you will see the whole list of Cisco commands. Careful: they put all the commands for Cisco routers, switches and ASA together in a single spreadsheet.

So now we know which commands Nessus uses for vulnerability and compliance scanning.

If you have a Cisco ACS (TACACS+) server, it is easy to control the permitted commands with a dedicated user account for the Nessus scanner.

If you don't have a Cisco ACS server, try the following way to achieve the goal.

username NESSUS privilege 3 password Abcd12345

aaa new-model
aaa authentication login default local
aaa authorization exec default local

username NESSUS privilege 7 secret Abcd12345

privilege exec all level 7 show
privilege exec all level 7 show running-config
file privilege 7

The new credential will allow all "show ..." commands, but no write memory.

One catch with this method is that "show running-config" has to be replaced with "show running-config view full" in order to view the entire running configuration: at a privilege level below 15, plain "show running-config" only displays the parts of the configuration that level is allowed to configure.

This is a problem, since Tenable / SecurityCenter will execute the "show running-config" command rather than this special (hidden) command.

Again, ACS 5.x is handy for permitting and prohibiting specific Cisco commands.

Here is a second round to address the issue. Yes, the solution below is not best practice, but it is a temporary workaround until you get a Cisco ACS or ISE solution. Lowering each top-level configure keyword to level 7 makes those sections visible in the filtered "show running-config" output that Nessus actually runs.

aaa new-model
aaa authentication login default local
aaa authorization exec default local

username NESSUS privilege 7 secret Abcd12345

privilege exec all level 7 show
privilege exec all level 7 show running-config

privilege configure all level 7 scheduler
privilege configure all level 7 line
privilege configure all level 7 privilege
privilege configure all level 7 vstack
privilege configure all level 7 ephone
privilege configure all level 7 ephone-dn
privilege configure all level 7 ephone-template
privilege configure all level 7 telephony-service
privilege configure all level 7 sip-ua
privilege configure all level 7 dial-peer
privilege configure all level 7 dspfarm
privilege configure all level 7 sccp
privilege configure all level 7 mgcp
privilege configure all level 7 ccm-manager
privilege configure all level 7 voice-port
privilege configure all level 7 control-plane
privilege configure all level 7 tftp-server
privilege configure all level 7 snmp
privilege configure all level 7 snmp-server
privilege configure all level 7 route-map
privilege configure all level 7 vc-group
privilege configure all level 7 mac-address-table
privilege configure all level 7 access-list
privilege configure all level 7 interface
privilege configure all level 7 vc-class
privilege configure all level 7 gw-accounting
privilege configure all level 7 policy-map
privilege configure all level 7 class-map
privilege configure all level 7 controller
privilege configure all level 7 username
privilege configure all level 7 vtp
privilege configure all level 7 archive
privilege configure all level 7 crypto
privilege configure all level 7 vxml
privilege configure all level 7 voice
privilege configure all level 7 virtual-template
privilege configure all level 7 isdn
privilege configure all level 7 vpdn
privilege configure all level 7 multilink
privilege configure all level 7 virtual-profile
privilege configure all level 7 vlan
privilege configure all level 7 ntp
privilege configure all level 7 ip
privilege configure all level 7 dot11
privilege configure all level 7 network-clock-select
privilege configure all level 7 network-clock-participate
privilege configure all level 7 clock
privilege configure all level 7 aaa
privilege configure all level 7 enable
privilege configure all level 7 logging
privilege configure all level 7 vrf
privilege configure all level 7 boot
privilege configure all level 7 hostname
privilege configure all level 7 service
privilege configure all level 7 parser
privilege configure all level 7 version
privilege configure all level 7 no

file privilege 7
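The workaround above lists the configure keywords by hand. As an added example (not from the post), this Python script derives them from a device's own running-config and emits the same shape of configuration; SAMPLE_RUNNING_CONFIG is a constructed sample, and the account name, level and secret placeholder are assumptions.

```python
# Added example: build the privilege-7 workaround from the device's own running-config.
# Constructed sample running-config (RFC 5737 addresses), not a real device.
SAMPLE_RUNNING_CONFIG = """\
version 15.2
no ip domain-lookup
aaa new-model
aaa authentication login default local
username NESSUS privilege 7 secret 5 $1$PLACEHOLDER
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.0.2.254
snmp-server community public RO
line vty 0 4
 login authentication default
end
"""


def top_level_keywords(config: str) -> list[str]:
    """Distinct first words of unindented config lines, in first-seen order.
    Indented lines belong to a parent mode (covered by the parent's keyword);
    '!' separators and the closing 'end' are not commands."""
    seen: list[str] = []
    for line in config.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("!"):
            continue
        keyword = line.split()[0]
        if keyword != "end" and keyword not in seen:
            seen.append(keyword)
    return seen


def privilege_config(config: str, level: int = 7, user: str = "NESSUS") -> list[str]:
    """Local AAA, the scanner account, read-only exec rights, and one
    'privilege configure' line per top-level keyword, so that the filtered
    'show running-config' at that level shows the whole configuration."""
    lines = [
        "aaa new-model",
        "aaa authentication login default local",
        "aaa authorization exec default local",
        f"username {user} privilege {level} secret <SET-A-STRONG-SECRET>",
        f"privilege exec all level {level} show",
        f"privilege exec all level {level} show running-config",
    ]
    lines += [f"privilege configure all level {level} {kw}"
              for kw in top_level_keywords(config)]
    lines.append(f"file privilege {level}")
    return lines
```

Feed it the output of "show running-config view full" taken by an administrator, then paste the result; rerun it whenever new top-level sections are added to the device.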

I hope it is informative for you.

https://learningnetwork.cisco.com/docs/DOC-15878
