Technical information on agentless connections for Linux systems

To monitor Linux systems with agentless connections, provide Cyberwatch with an account that it uses to connect to the asset over SSH. SSH supports several kinds of credentials (password, keys) for authenticating that account.

Create an SSH account with login/password authentication

For example, you can use the following command:

sudo useradd --create-home --shell '/bin/bash' --comment 'CyberWatch SAS' 'cyberwatch'
sudo passwd cyberwatch # You will have to type the desired password after this command

Details: this command creates an account named “cyberwatch” and lets you choose its password.

Create an SSH account with public/private key authentication

Generating the SSH key

On a Linux asset dedicated to key generation, generate a 4096-bit RSA key with the command:

ssh-keygen -t rsa -b 4096

By default, this key will be saved in ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).

SSH keys protected by a passphrase are not supported.

Creating the user and setting up its key

On the targeted Linux asset, create a ‘cyberwatch’ user with the command:

sudo useradd --create-home --shell '/bin/bash' --comment 'CyberWatch SAS' 'cyberwatch'

From the Linux asset dedicated to key generation, transfer the public key generated in the previous step to the targeted Linux asset. This can be done with the commands:

ssh [user]@[host] 'sudo install -d -m 700 -o cyberwatch -g cyberwatch /home/cyberwatch/.ssh' # useradd does not create ~/.ssh
cat ~/.ssh/id_rsa.pub | ssh [user]@[host] 'sudo tee -a /home/cyberwatch/.ssh/authorized_keys >/dev/null && sudo chown cyberwatch:cyberwatch /home/cyberwatch/.ssh/authorized_keys && sudo chmod 600 /home/cyberwatch/.ssh/authorized_keys'

Replace [user] and [host] with the actual parameters of the targeted asset; [user] must be an account allowed to use sudo on that asset.
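The asset-side part of the steps above (creating ~/.ssh and authorized_keys with the permissions sshd accepts, and appending the key only once) as a small script. This is an added example, not code from the Cyberwatch documentation; it assumes the account already exists and that the public key file has already been copied to the asset (the path /tmp/id_rsa.pub in the usage comment is an assumption). The self-check uses a constructed, non-functional public key and runs in a temporary directory, so it needs no root.

```shell
#!/bin/sh
# Added example (not part of the Cyberwatch documentation).
set -eu

# Constructed sample public key (not a real key), used by self_check below.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB constructed@example'

# install_authorized_key HOME_DIR PUBKEY_FILE [OWNER]
#   Creates HOME_DIR/.ssh (mode 0700) and appends the key found in
#   PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys (mode 0600) unless the
#   key is already present. OWNER defaults to the current user so the
#   function can be exercised without root; on the asset pass "cyberwatch".
install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    owner=${3:-$(id -un)}
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only a single OpenSSH public key line (RSA as documented
    # above; ed25519 accepted as well), never a private key by mistake.
    if ! grep -Eq '^(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/=]+' "$pubkey_file"; then
        echo "not an OpenSSH public key: $pubkey_file" >&2
        return 1
    fi
    pubkey=$(head -n 1 "$pubkey_file")

    # sshd (StrictModes, the default) ignores keys in group- or
    # world-writable directories or files, so set the modes explicitly.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    chown -R "$owner" "$ssh_dir"

    # Idempotent: re-running the script does not duplicate the key.
    if grep -Fqx "$pubkey" "$auth_keys"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_keys"
}

# key_count AUTH_KEYS_FILE: number of key lines in the file.
key_count() {
    grep -c '' "$1"
}

# self_check: run the function twice in a temporary directory and verify
# one key line and a 0700 .ssh directory result. Returns 0 on success.
self_check() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUBKEY" > "$tmp/key.pub"
    install_authorized_key "$tmp/home" "$tmp/key.pub"
    install_authorized_key "$tmp/home" "$tmp/key.pub"   # second run is a no-op
    count=$(key_count "$tmp/home/.ssh/authorized_keys")
    mode=$(ls -ld "$tmp/home/.ssh" | cut -c1-10)
    rm -rf "$tmp"
    [ "$count" = 1 ] && [ "$mode" = drwx------ ]
}

# Usage on the asset, as root, with the key copied to /tmp/id_rsa.pub (assumed path):
#   install_authorized_key /home/cyberwatch /tmp/id_rsa.pub cyberwatch
```

The function is safe to re-run from configuration management: it normalises the modes every time and only appends the key when it is not already in the file.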

Optional - Grant the sudoers rights WITHOUT TTY to Cyberwatch

For some operations, such as deploying security fixes, performing certain types of scans or executing some Compliance scripts, sudoers rights are required to run relevant commands on the asset.

Providing these rights is not strictly required, as Cyberwatch is still able to perform its vulnerability scans without having specific rights on the monitored assets.

Described below is one of the ways you can set up these rights on your assets so that Cyberwatch is able to perform these operations.

On the targeted asset, with SSH, use the following command:

sudo visudo

Add at the end of the file the following lines:

# cyberwatch privileges
cyberwatch ALL=(ALL) NOPASSWD:ALL
Defaults:cyberwatch !requiretty

Details: this command edits the /etc/sudoers file and configures the rights of the “cyberwatch” user so that it can use sudo for any command, without a password and without requiring a TTY.

Details regarding minimal sudoers rights needed to deploy patches and perform all scans on Linux systems

Linux systems provide ways to limit sudoers rights to specific commands. This can be useful if you want to allow Cyberwatch to perform some specific operations such as patch deployment, but it is not sufficient for Compliance scans, as it is not possible to establish the complete list of all commands that require sudoers rights.

A way to restrict the sudoers rights of the user monitoring a Linux asset is to limit them to the following commands:

id
apt-get/yum/pacman
shutdown
ss
dmidecode
docker

Here is a short description of why you may want to allow these commands:

  • id is the first command run by Cyberwatch when monitoring an asset; it helps determine whether or not Cyberwatch has sudoers rights on the asset;
  • apt-get/yum/pacman are typical package manager commands; depending on the type of system monitored, one of them is used when you ask Cyberwatch to deploy patches on your assets;
  • shutdown is used if you wish to perform reboots on your assets directly from Cyberwatch;
  • ss is used for port scans; allowing Cyberwatch to run it with sudoers rights lets it retrieve the processes that own the ports;
  • dmidecode is used to retrieve the BIOS metadata; the command requires sudoers rights to run;
  • docker is needed to perform a vulnerability scan on all Docker images found.

For an asset using apt, an example configuration for the file /etc/sudoers could be (note that a Cmnd_Alias entry only matches the exact absolute path, so adapt the paths to where the binaries live on your distribution):

# cyberwatch privileges
Cmnd_Alias CBW = /usr/bin/id, /usr/bin/apt-get, /sbin/shutdown, /usr/bin/ss, /usr/sbin/dmidecode, /usr/bin/docker
cyberwatch-agent ALL=(ALL) NOPASSWD:SETENV: CBW
Defaults:cyberwatch-agent !requiretty
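Because the Cmnd_Alias above only matches the exact absolute paths, and the same binary lives in different places on different distributions (ss and shutdown in particular), the following added example builds the restricted sudoers fragment from command names, resolving each to its real path on the asset, and syntax-checks the result with visudo before it is installed. This is example code, not part of the Cyberwatch documentation; the alias name CBW, the NOPASSWD:SETENV tags and the !requiretty default are taken from the example above, and the /etc/sudoers.d/cyberwatch destination in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not part of the Cyberwatch documentation).
set -eu

# resolve_cmd NAME: print the absolute path of NAME, searching PATH first
# and then the sbin directories that an unprivileged PATH usually omits.
resolve_cmd() {
    p=$(command -v "$1" 2>/dev/null || true)
    case "$p" in
        /*) printf '%s\n' "$p"; return 0 ;;
    esac
    for d in /usr/sbin /sbin /usr/local/sbin; do
        if [ -x "$d/$1" ]; then
            printf '%s\n' "$d/$1"
            return 0
        fi
    done
    echo "command not found on this asset: $1" >&2
    return 1
}

# cmnd_alias ALIAS NAME...: print one Cmnd_Alias line with every NAME
# resolved to its absolute path; fails if any command is missing, so a
# typo or an uninstalled package manager is caught before sudoers is written.
cmnd_alias() {
    alias_name=$1
    shift
    list=""
    for name in "$@"; do
        path=$(resolve_cmd "$name") || return 1
        list="${list:+$list, }$path"
    done
    printf 'Cmnd_Alias %s = %s\n' "$alias_name" "$list"
}

# sudoers_fragment USER NAME...: the full fragment for USER, restricted to
# the listed commands, password-less and without a TTY (as in the example above).
sudoers_fragment() {
    user=$1
    shift
    printf '# %s privileges\n' "$user"
    cmnd_alias CBW "$@" || return 1
    printf '%s ALL=(ALL) NOPASSWD:SETENV: CBW\n' "$user"
    printf 'Defaults:%s !requiretty\n' "$user"
}

# check_sudoers FILE: syntax-check FILE with visudo before it goes live.
# A fragment with a syntax error in /etc/sudoers.d would otherwise break sudo.
check_sudoers() {
    visudo -cf "$1"
}

# Usage on a Debian/Ubuntu asset (apt-get), run as root; the destination
# /etc/sudoers.d/cyberwatch is an assumption:
#   sudoers_fragment cyberwatch id apt-get shutdown ss dmidecode docker > /tmp/cyberwatch.sudoers \
#       && check_sudoers /tmp/cyberwatch.sudoers \
#       && install -m 440 /tmp/cyberwatch.sudoers /etc/sudoers.d/cyberwatch
```

Generating the fragment on the asset itself, rather than copying a fixed file, is what keeps the alias and the binaries in step: a Cmnd_Alias pointing at /usr/bin/ss on a system where ss is /bin/ss silently grants nothing, and the port scan then runs unprivileged.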