Privilege level for Cisco NX-OS

For authenticated scanning of Cisco NX-OS devices you'll need to provide a user account with privilege level 15 (recommended), or an account with a lower privilege level provided that account has been configured so that it can execute all of the commands required for scanning these devices.

Important - Granting additional command access to a user account with a lower privilege level can expose sensitive configuration. Assign the privilege level appropriate to your business needs and your organization's security policies.

For compliance scanning - this high level of privileges is required for the scan to be successful.

For vulnerability scanning - this high level of privileges is required for configuration based checks only. The configuration QID for Cisco NX-OS is QID 45243 "Cisco NX-OS Device Configurations Detected".

Commands required for scanning

show running-config all
show logging info | include '(Logging console|Logging loopback|Logging monitor|Logging linecard)'
show logging server
show logging level
show clock
show version
show running-config | include '(clock timezone|clock summer-time)'
show logging onboard status
show checkpoint summary

Note - Depending on the device configuration, some of the commands listed above may return no output. This is acceptable for every command except "show version" and "show running-config all": the compliance scan will fail if either of those commands returns no output.

Scan user account requirements

The user account you provide for authentication must have access to run the commands mentioned above in the Commands required for scanning section.

There are three ways to configure the scan user account to allow it to run the required commands:

1) Add the highest user role (network-admin or priv-15 or equivalent) to your scan user

2) Modify existing roles with special rules

3) Create a custom role and add custom rules

Choose the method for configuring the scan user account that's best for your environment. Each method is described in more detail below.

Add the highest user role to the scan user account

Use this command to create a user with network-admin privileges:

username user-id [password password] [expire date] [role role-name]

nxos-device(config)# username john password ******** role network-admin

Modify existing roles with special rules

Use these commands to add a permit rule to an existing role (priv-3 in this example):

nxos-device(config)# role name priv-3

nxos-device(config-role)# rule 12 permit command show crypto key mypubkey rsa

Create a custom role and add custom rules

Use these commands to create a custom role and add permit rules to it:

nxos-device(config)# role name temp

nxos-device(config-role)# rule 12 permit command show version

nxos-device(config-role)# rule 13 permit command show running-config all

Verify the scan user role privileges

Use the following command to verify that the scan user role has the privilege to run the required commands.

nxos-device# show role name temp

Role: temp
  Description: new role
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  13      permit  command                         show running-config all
  12      permit  command                         show version
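The following script is an added example and is not Qualys or Cisco code. It serves both the "Create a custom role and add custom rules" procedure and the "Verify the scan user role privileges" section: it generates the NX-OS role configuration that covers the full command list from the "Commands required for scanning" section, and it checks a captured "show role name" output against that same list. It assumes the rule semantics Cisco documents for NX-OS roles (rules are evaluated from the highest rule number down, the first matching rule decides, "*" is a wildcard in a command string) and additionally assumes that the output filter after "|" is not part of the command a rule is matched against; verify both against your platform's documentation. The role name "qualys-scan" and the sample "show role name" output are constructed.

```python
# Added example (not Qualys or Cisco code). Assumed NX-OS rule semantics:
# highest rule number is evaluated first, the first match decides, "*" is a
# wildcard, and the "| include ..." filter is not part of the matched command.
# Role name "qualys-scan" and the sample outputs below are constructed.
import re
from typing import List, Tuple

# The command list from the page, with the pipe filters the scanner sends.
REQUIRED_COMMANDS = [
    "show running-config all",
    "show logging info | include '(Logging console|Logging loopback|Logging monitor|Logging linecard)'",
    "show logging server",
    "show logging level",
    "show clock",
    "show version",
    "show running-config | include '(clock timezone|clock summer-time)'",
    "show logging onboard status",
    "show checkpoint summary",
]

Rule = Tuple[int, str, str]  # (rule number, "permit" or "deny", command pattern)


def base_command(cmd: str) -> str:
    """Strip an output filter ("| include ...") so only the command is matched."""
    return cmd.split("|", 1)[0].strip()


def role_config(role: str, commands: List[str], first_rule: int = 10) -> List[str]:
    """Return NX-OS config lines creating `role` with one permit rule per distinct command."""
    bases: List[str] = []
    for cmd in commands:
        base = base_command(cmd)
        if base not in bases:
            bases.append(base)
    lines = [f"role name {role}"]
    for offset, base in enumerate(bases):
        lines.append(f"  rule {first_rule + offset} permit command {base}")
    return lines


# One row of the rule table printed by "show role name <role>" (Scope is empty
# for command rules, so only number, permission, type and entity are captured).
_RULE_LINE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+command\s+(.+?)\s*$")


def parse_rules(show_role_output: str) -> List[Rule]:
    """Extract the command rules from captured "show role name" output."""
    rules: List[Rule] = []
    for line in show_role_output.splitlines():
        m = _RULE_LINE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def rule_matches(pattern: str, command: str) -> bool:
    """Match a rule's command string against a command; "*" matches any text."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, command) is not None


def permitted(rules: List[Rule], command: str) -> bool:
    """Highest-numbered matching rule decides; a command no rule matches is denied."""
    for _num, perm, pattern in sorted(rules, reverse=True):
        if rule_matches(pattern, command):
            return perm == "permit"
    return False


def missing_commands(show_role_output: str, commands: List[str]) -> List[str]:
    """Return the required commands that the captured role does not permit."""
    rules = parse_rules(show_role_output)
    return [cmd for cmd in commands if not permitted(rules, base_command(cmd))]


# Constructed sample output: the two-rule role from the page, and a wildcard
# role where a higher-numbered deny overrides the wildcard for one command.
SHOW_ROLE_TEMP = """\
Role: temp
  Description: new role
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  13      permit  command                         show running-config all
  12      permit  command                         show version
"""

SHOW_ROLE_WILDCARD = """\
Role: scan-wild
  Rule    Perm    Type        Scope               Entity
  21      deny    command                         show running-config all
  20      permit  command                         show *
"""

if __name__ == "__main__":
    print("\n".join(role_config("qualys-scan", REQUIRED_COMMANDS)))
    for name, output in (("temp", SHOW_ROLE_TEMP), ("scan-wild", SHOW_ROLE_WILDCARD)):
        for cmd in missing_commands(output, REQUIRED_COMMANDS):
            print(f"role {name} does not permit: {cmd}")
```

Run against the page's own "temp" role, the check reports every required command except "show version" and "show running-config all", which is the gap a compliance scan would hit; the wildcard sample shows why the deny rule with the higher number must be inspected even when a broad permit exists. Generating one explicit rule per command, as role_config does, keeps the role limited to the scan's needs rather than granting "show *".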