Agentless monitoring of Linux systems works by giving Cyberwatch an account that it uses to connect to the asset over SSH. SSH supports several kinds of credentials (password, keys) for that account.
For example, you can create a password-based account with the following commands:

```shell
sudo useradd --create-home --shell '/bin/bash' --comment 'CyberWatch SAS' 'cyberwatch'
sudo passwd cyberwatch # You will have to type the desired password after this command
```

Details: these commands create an account named “cyberwatch” and let you choose its password.
On a Linux asset dedicated to key generation, generate a 4096-bit RSA key with the command:

```shell
ssh-keygen -t rsa -b 4096
```

By default, this key is saved in `~/.ssh/id_rsa` (private key) and `~/.ssh/id_rsa.pub` (public key).
N.B. SSH keys with a passphrase are not supported.
On the targeted Linux asset, create a ‘cyberwatch’ user with the command:

```shell
sudo useradd --create-home --shell '/bin/bash' --comment 'CyberWatch SAS' 'cyberwatch'
```

From the Linux asset dedicated to key generation, transfer the public key generated at step 1 to the targeted Linux asset. This can be done with the command:

```shell
cat ~/.ssh/id_rsa.pub | ssh [user]@[host] 'sudo tee -a /home/cyberwatch/.ssh/authorized_keys'
```

Replace [user] and [host] by the actual parameters of the targeted asset.
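The steps above leave a few details to the operator: the `tee -a` pipe fails if `~/.ssh` does not exist yet for the cyberwatch user, the directory and `authorized_keys` file should be private to that user, and running the pipe twice appends the key twice. The following script is an added example (not Cyberwatch's own tooling) that installs the public key with those points handled: it validates the key line, creates the directory and file with restrictive permissions, skips the append when the same key is already present, and optionally sets the owner. The function name `install_monitoring_key` and its parameters (public key file, home directory, optional owner) are assumptions of this example; run it as root on the targeted asset, for instance through the same `ssh` pipe.

```shell
#!/bin/sh
# Added example, not part of the Cyberwatch documentation.
# install_monitoring_key PUBKEY_FILE HOME_DIR [OWNER]
#   PUBKEY_FILE  file holding one OpenSSH public key line (e.g. ~/.ssh/id_rsa.pub)
#   HOME_DIR     home directory of the monitoring user (e.g. /home/cyberwatch)
#   OWNER        optional user to own the created files (e.g. cyberwatch);
#                only meaningful when the script runs as root
install_monitoring_key() {
    pubkey_file=$1
    home_dir=$2
    owner=$3
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept exactly one key line (authorized_keys is line-oriented).
    [ "$(wc -l < "$pubkey_file")" -le 1 ] || { echo "expected a single key line in $pubkey_file" >&2; return 1; }
    key_line=$(head -n 1 "$pubkey_file")
    key_type=${key_line%% *}
    # Only known OpenSSH key types are accepted; anything else is a malformed
    # or unsupported key, so refuse it rather than writing junk into the file.
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $key_type" >&2; return 1 ;;
    esac

    # sshd ignores keys whose directory or file is readable/writable by others.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Idempotent append: compare on key type and base64 blob (fields 1 and 2)
    # so that a different trailing comment does not produce a duplicate entry.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if awk -v blob="$key_blob" '($1 " " $2) == blob {found=1} END {exit !found}' "$auth_file"; then
        echo "key already present in $auth_file"
    else
        printf '%s\n' "$key_line" >> "$auth_file"
        echo "key installed in $auth_file"
    fi

    # Hand the files to the monitoring user when an owner was given.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$ssh_dir"
    fi
}

# Run as a script: install_key.sh ~/.ssh/id_rsa.pub /home/cyberwatch cyberwatch
if [ "$#" -ge 2 ]; then
    install_monitoring_key "$1" "$2" "$3"
fi
```

The key comparison deliberately ignores the comment field, because the same key re-exported with a different comment is still the same credential and a second line for it only clutters the file.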
For some operations, such as deploying security fixes, performing certain types of scans or executing some Compliance scripts, sudoers rights are required to run relevant commands on the asset.
N.B. Providing these rights is not strictly required, as Cyberwatch is still able to perform its vulnerabilities scans without having specific rights on the monitored assets.
Described below is one of the ways you can set up these rights on your assets so that Cyberwatch is able to perform these operations.
On the targeted asset, over SSH, edit the /etc/sudoers file and add the following lines at the end of the file:

```text
# cyberwatch privileges
cyberwatch ALL=(ALL) NOPASSWD:ALL
Defaults:cyberwatch !requiretty
```

Details: this edits the /etc/sudoers file and configures the rights of the “cyberwatch” user so that it can use sudo without requiring a TTY.
Details regarding minimal sudoers rights needed to deploy patches and perform all scans on Linux systems
Linux systems provide ways to limit sudoers rights to some specific commands. This can be useful if you want to allow Cyberwatch to perform some specific operations such as patch deployment, but is not going to be sufficient for Compliance scans as it is not possible to establish the complete list of all commands that require sudoers rights.
A way to restrict the sudoers rights of the user monitoring a Linux asset is to limit its rights to the following commands:

- `id`
- `apt-get` / `yum` / `pacman`
- `shutdown`
- `ss`
- `dmidecode`

Here is a short description of why you may want to allow these commands:

- `id` is the first command run by Cyberwatch when monitoring an asset; it helps determine whether or not Cyberwatch has sudoers rights on the asset;
- `apt-get` / `yum` / `pacman` are typical package manager commands; depending on the type of system monitored, these are used if you ask Cyberwatch to deploy patches on your assets;
- `shutdown` is used if you wish to perform reboots on your assets directly from Cyberwatch;
- `ss` is used for port scans; allowing it to run with sudoers rights lets Cyberwatch get the processes that own the ports;
- `dmidecode` is used to retrieve the BIOS metadata; the command requires sudoers rights to be run.
For an asset using apt, an example configuration for the /etc/sudoers file could be:

```text
# cyberwatch privileges
Cmnd_Alias CBW = /usr/bin/id, /usr/bin/apt-get, /sbin/shutdown, /usr/bin/ss, /usr/sbin/dmidecode
cyberwatch-agent ALL=(ALL) NOPASSWD:SETENV: CBW
Defaults:cyberwatch-agent !requiretty
```
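Two things commonly go wrong when the restricted configuration above is rolled out by hand: a command path that does not match where the binary actually lives on that distribution (for instance `shutdown` under `/sbin` versus `/usr/sbin`), which silently grants nothing, and a typo in the sudoers syntax, which can lock sudo for every user on the host. The script below is an added example (not Cyberwatch's own tooling) that resolves the allow-listed command names to absolute paths on the asset, picks whichever of `apt-get`, `yum` or `pacman` is installed, renders the same `Cmnd_Alias` layout as the page's configuration, and only installs the result as a drop-in after `visudo -c` accepts it. The function names, the drop-in path `/etc/sudoers.d/cyberwatch` and the user name passed in are assumptions of this example; `NOPASSWD:SETENV:` is kept from the page's configuration.

```shell
#!/bin/sh
# Added example, not part of the Cyberwatch documentation.

# pkg_manager_path: print the absolute path of the first installed package
# manager among those the page lists; fail if none is present.
pkg_manager_path() {
    for name in apt-get yum pacman; do
        path=$(command -v -- "$name" 2>/dev/null) && { printf '%s\n' "$path"; return 0; }
    done
    echo "no supported package manager found" >&2
    return 1
}

# resolve_cmds NAME...: print one absolute path per line for each command
# name, failing on the first name that cannot be found in PATH. sudoers
# matches on the literal path, so resolving on the asset itself avoids
# hard-coding /sbin versus /usr/sbin guesses.
resolve_cmds() {
    for name in "$@"; do
        path=$(command -v -- "$name" 2>/dev/null) || { echo "command not found: $name" >&2; return 1; }
        printf '%s\n' "$path"
    done
}

# render_sudoers USER PATH...: print a sudoers fragment allowing USER to run
# exactly the given absolute paths. Relative paths are refused because a
# Cmnd_Alias entry must be absolute.
render_sudoers() {
    user=$1; shift
    list=""
    for cmd in "$@"; do
        case "$cmd" in
            /*) ;;
            *) echo "not an absolute path: $cmd" >&2; return 1 ;;
        esac
        list="${list:+$list, }$cmd"
    done
    printf '# cyberwatch privileges (restricted)\n'
    printf 'Cmnd_Alias CBW = %s\n' "$list"
    printf '%s ALL=(ALL) NOPASSWD:SETENV: CBW\n' "$user"
    printf 'Defaults:%s !requiretty\n' "$user"
}

# install_sudoers_dropin TARGET: read a fragment on stdin, syntax-check it
# with visudo, and only then move it into place with mode 0440.
# Must run as root. A fragment that fails the check is discarded, so a bad
# edit never reaches the sudoers directory.
install_sudoers_dropin() {
    target=$1
    tmp=$(mktemp)
    cat > "$tmp"
    chmod 0440 "$tmp"
    if ! visudo -c -f "$tmp" >/dev/null; then
        rm -f "$tmp"
        echo "sudoers syntax check failed, nothing installed" >&2
        return 1
    fi
    mv "$tmp" "$target"
    echo "installed $target"
}

# Run as a script: restrict_sudo.sh cyberwatch
# (assumed usage; the drop-in path below is this example's choice)
if [ "$#" -eq 1 ]; then
    pm=$(pkg_manager_path) || exit 1
    # shellcheck disable=SC2046  # one path per line, no spaces expected
    render_sudoers "$1" $(resolve_cmds id shutdown ss dmidecode) "$pm" \
        | install_sudoers_dropin /etc/sudoers.d/cyberwatch
fi
```

Using a file under `/etc/sudoers.d` rather than appending to `/etc/sudoers` keeps the monitoring account's grant separate from the rest of the policy, so it can be reviewed or removed on its own; the `visudo -c -f` step is what turns a typo into a failed deployment instead of a broken host.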