
How to Use eEye Retina On Red Hat/UNIX/Linux Systems by Rebecca Wynn

You can use eEye Retina to audit Red Hat/UNIX/Linux systems. This article explains how to set it up.

When auditing Red Hat/UNIX/Linux systems, Retina attempts to access the target system remotely using Secure Shell (SSH). The credential used by Retina must be allowed to log in over SSH. The SSH server can use version 1 or version 2 of the SSH protocol, and the authentication method must be password based.

When configuring Retina to audit UNIX/Linux systems, a credential that is allowed to log in using SSH should be added to the Retina credential manager. Usually, a credential is added as DOMAIN\username, the typical format for win32 or win64 systems. For UNIX/Linux systems, you do not need to add the domain part of the credential. For example:

Win64 credential: MYDOMAIN\Administrator
Win32 credential: MYDOMAIN\Administrator
UNIX credential: Administrator
Linux credential: root

When creating a scan job in Retina, you can select the stored credentials, so a job can carry both a win32 or win64 credential and a UNIX/Linux credential. When the target system is scanned, the stored credentials are tried in turn until one is found that allows access or all of them have been refused.

There are some settings in the SSHD daemon configuration that must be considered. Retina only performs password authentication, so the PasswordAuthentication option in the SSHD config file must be set to yes.

To use the root account for access, you must also allow this in the SSHD configuration by setting PermitRootLogin to yes. The Protocol can be 1, 2, or both.

The hosts.allow and hosts.deny files should be configured to control access from remote systems.

eEye also recommends disabling ‘Reverse DNS Lookup’ in the SSH configuration. This setting in SSH (on the target) can slow down Retina’s scanning performance. With ‘Reverse DNS Lookup’ disabled on the SSH target, the target will not perform a DNS lookup for each SSH connection.
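The following added example (not eEye's code) reads an sshd_config and reports the settings the article says a Retina scan depends on. It assumes OpenSSH's parsing rules (keywords are case-insensitive and the first occurrence of a keyword wins), treats everything after the first Match block as conditional rather than global, and uses UseDNS as the OpenSSH keyword behind what the article calls ‘Reverse DNS Lookup’; the sample configuration is constructed.

```python
# Added example, not eEye's or OpenSSH's code: check an sshd_config for
# the settings Retina's SSH audits depend on. Assumes OpenSSH rules:
# keywords are case-insensitive, the FIRST occurrence wins, and lines
# after the first "Match" block are conditional, not global settings.

SAMPLE_SSHD_CONFIG = """\
# constructed sample, not taken from a real host
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UseDNS yes
# sshd ignores the next line: the first occurrence above wins
PasswordAuthentication yes
Match User scanner
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section only."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":                     # rest of file is conditional
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)       # keep the first value seen
    return effective

def retina_readiness(config, root_credential=False):
    """Return a list of (keyword, message) findings; empty means ready."""
    findings = []
    pw = config.get("passwordauthentication")
    if pw is None:
        findings.append(("PasswordAuthentication", "not set; default depends on OpenSSH version, set it explicitly"))
    elif pw.lower() != "yes":
        findings.append(("PasswordAuthentication", "Retina only uses password authentication; scan login will fail"))
    root = config.get("permitrootlogin", "").lower()
    if root_credential and root != "yes":
        findings.append(("PermitRootLogin", "root credential configured but remote root login is not permitted"))
    elif not root_credential and root == "yes":
        findings.append(("PermitRootLogin", "remote root login allowed; the article advises a non-root scan account"))
    if config.get("usedns", "").lower() == "yes":
        findings.append(("UseDNS", "reverse DNS lookup on each connection slows scanning; set to no"))
    return findings
```

Run it against the real file with `retina_readiness(parse_sshd_config(open("/etc/ssh/sshd_config").read()))`; `sshd -T` on the target prints the daemon's own view of the effective values if you want to cross-check.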

Most major UNIX/Linux vendors use a version of OpenSSH. The settings referenced above are typical of OpenSSH implementations; specific versions of UNIX could vary to some degree. The important point is that Retina has no knowledge of, or preference for, one implementation over another.

You do not need root access. It is generally bad practice to allow root access from anywhere except the console itself, and allowing root to connect remotely by any means is not recommended.

When scanning remote systems, Retina attempts to find identifiers for known vulnerabilities through several methods. One common method is to review the package database to determine which patches are installed. Depending on the UNIX/Linux system itself, the package database may not allow a non-privileged user to access it. If this occurs, you may need to add the user that Retina will use to some specific groups. SUDO support is also available.

How to Enable SUDO Support for Retina

In order to provide more flexibility for scanning Unix/Linux targets, Retina additionally supports environments that implement the SUDO security framework. SUDO support in Retina is disabled by default and is configured through registry entries. To enable SUDO, perform the following:

1.) Use the Windows Registry Editor (Start > Run > regedit) to view the following registry key, and add the following value to this key, or modify it if the value already exists:

For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\eEye\Retina\5.0\Settings\AuditRemote

For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\Retina\5.0\Settings\AuditRemote

Value: EnableSUDO
Value Type: REG_DWORD
Value Data: 0x0 (Hex) – Default (SUDO off)

2.) Set the EnableSUDO data to 1

Value: EnableSUDO
Value Type: REG_DWORD
Value Data: 0x1 (Hex) – SUDO on

Note

When scanning a UNIX system, look for the specific audit below in the results; it indicates that the SSH connection was NOT established during the scan. If you find this audit in the results, stop and investigate why SSH was not established, and then re-scan. If you use any Audit Group other than All Audits, ensure that this audit is included in the Audit Group before scanning.

Audit ID and Name: 2264 – SSH Local Access not available.

Additional Reference: http://www.eeye.com/Files/Community/Retina-Best-Practices.pdf


ABOUT THE AUTHOR

Rebecca Wynn, DHL, MBA, CCISO, CISSP, CRISC, LPT, CWNA, CIWSA, CIWSP, MCP, MCTS SQL Server 2005, GSEC, CCSK, ITILv3, NSA/CNSS NSTISSI 4011-4016 is a Lead/Senior Principal Security Engineer with NCI Information Systems, Inc. She has been on the Editorial Advisory Board for Hakin9 Practical Protection IT Security Magazine since 2008 and is a Privacy by Design Ambassador under Ann Cavoukian, Ph.D., the Information & Privacy Commissioner for Ontario, Canada (www.privacybydesign.ca).

The article comes from BSD Mag Vol. 09 No. 08 (72)
