Configure credentialed scanning for Linux systems

You can provide credentials to a Managed Risk Scanner to allow the scanner to scan your environment with elevated permissions.

Note: To configure credentialed scanning in the Risk Dashboard, see Configure credentialed scanning for Linux systems in the Risk Dashboard.

On Linux, credentialed scans use SSH on port 22 to authenticate using a username and either a password or SSH keys.

Note:
  • If you rotate your credentials, you must reset them on the scanner as well.
  • To minimize security risks, Arctic Wolf recommends that you use these credentials for scanning only. Do not provide more permissions to these credentials or use them with systems other than the scanner.

These resources are required:

  • An account with root access.
  • If you authenticate with an SSH key — A key that is:
    • Private.
    • Owned by the user account that the credentialed scans use.
    • Of the Ed25519, ECDSA, RSA, or DSA key type.
      Note: Ed25519 is generally considered more secure, but not all hosts support Ed25519.
    • In either PEM or OpenSSH format.
  • If you authenticate using a username — A valid username, which can contain these characters:
    • Any alphanumeric character
    • -
    • _
    • @
    • .
    • \

These actions are required:

  • Make sure that the scanner can sign in to scan targets without access policy restrictions on the targets.
  • Make sure the sshd daemon is running on the scan targets to authenticate SSH sign-in attempts from the scanner.
  • Make sure that scan targets have these sshd_config default settings:
    • MaxSessions: 10
    • MaxAuthTries: 6
    • PubkeyAuthentication yes
  • Install the locate or mlocate tool on the scan target. These commands reduce calls to the command used to search for files. As a result, they improve search performance and reduce resource usage on the target system.
  • If you authenticate with an SSH key, run this command to generate an SSH key pair:
    ssh-keygen -t <key_type>
    Where:
    • key_type is the type of SSH key you want to create. For example, ed25519.
    Note: If you experience issues, confirm that the keys can be properly used to authenticate across the network before you submit a ticket to your Concierge Security® Team (CST).
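One way to confirm the sshd settings listed above on a scan target, as an added example (not Arctic Wolf code): the function reads the output of `sshd -T`, which prints the effective configuration as lowercase keyword/value lines. The function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Arctic Wolf code. Reads `sshd -T` output on stdin and
# compares it with the three sshd_config values this page lists. Because
# `sshd -T` prints the effective configuration, overrides from included
# files are caught as well.
check_sshd_settings() {
    awk '
        BEGIN { n = split("maxsessions=10 maxauthtries=6 pubkeyauthentication=yes", req, " ") }
        { got[tolower($1)] = tolower($2) }      # remember every keyword seen
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                split(req[i], kv, "=")
                if (!(kv[1] in got)) {
                    printf "MISSING  %s (expected %s)\n", kv[1], kv[2]; bad = 1
                } else if (got[kv[1]] != kv[2]) {
                    printf "MISMATCH %s %s (expected %s)\n", kv[1], got[kv[1]], kv[2]; bad = 1
                } else {
                    printf "OK       %s %s\n", kv[1], kv[2]
                }
            }
            exit bad    # 0 only when all three settings match
        }'
}

# Constructed samples of `sshd -T` output, trimmed to a few keywords.
SAMPLE_DEFAULT='port 22
maxauthtries 6
maxsessions 10
pubkeyauthentication yes
passwordauthentication yes'

SAMPLE_MODIFIED='port 22
maxauthtries 3
maxsessions 10
pubkeyauthentication no'

printf '%s\n' "$SAMPLE_DEFAULT"  | check_sshd_settings
printf '%s\n' "$SAMPLE_MODIFIED" | check_sshd_settings || echo "target differs from the listed values"

# On a real scan target, as root:
#   sshd -T | check_sshd_settings
# If sshd_config contains Match blocks, evaluate it for the scan connection
# (placeholders in angle brackets):
#   sshd -T -C user=<scan_user>,host=<scanner_host>,addr=<scanner_ip> | check_sshd_settings
```
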
  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Scanners.
  3. Find the scanner to view, and then click View Scanner.
  4. Click the Credentialed Scanning tab.
  5. Do one of these options:
    • If you are adding new scan credentials — Click Create New Scan Credentials.
    • If you are updating existing scan credentials — Next to the existing credentials, click Edit.
  6. Configure these settings:
    • Name — Enter a name for the credential.
      Note: This name cannot be the same as another credential.
    • Description — (Optional) Enter a description for the credential.
    • Add Targets — Enter the IP addresses of the target hosts in a comma-separated list.
      Tip: This field accepts these formats:
      • To specify a range of IP addresses, use a dash (-). For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.
      • To specify a CIDR block, use this format: X.X.X.X/Y. For example, 10.0.0.0/24.
      Note: These IP addresses cannot overlap with the targets of another scan credential.
  7. In the Type list, select the type of credential and fill out the fields that appear:
    • Username/Password — Enter the Username and Password.
    • Username/SSH Key — Enter the Username and SSH Key. You can also optionally enter a Passphrase.
  8. Do one of these actions:
    • To create new scan credentials — Click Create Credentialed Scanning.
    • To update existing scan credentials — Beside the existing credentials, click Update Credentialed Scanning.