Using Sudo for root delegation

You can choose the Sudo root delegation tool when configuring a Unix authentication record. Just configure the file /etc/sudoers to allow the user account provided in the Unix authentication record to execute commands with root access on the hosts to be scanned.

What credentials should I use?

This depends on the type of scanning you plan to do. We recommend you review what credentials are needed for scanning.

How does root delegation work?

When Sudo is properly configured within a Unix record, Unix authentication to hosts in the record works like this: 1) we'll authenticate to the hosts using the login credentials provided in the record (user name and password, RSA key or DSA key), 2) we'll execute the command "sudo su -" to obtain root authority, and 3) we'll perform commands with root authority and complete the scan.

Do I need to get Sudo?

Sudo may already be installed on your Unix system since it is included in many distributions by default. Sudo is not a standard part of all Unix distributions, so you may need to install it. You can download it from http://www.sudo.ws.

How do I configure the "sudoers" file?

Add /bin/su to the sudoers file to allow the user to execute /bin/su in order to gain elevated privileges. One method for setting this up in your sudoers file is to create a command alias for the /bin/su command and then grant the privilege to run this command to the user account.

In the example below, "scanuser" is the account user name you supply in the Unix authentication record:

    # Cmnd alias specification
    Cmnd_Alias SU=/bin/su

    # User privilege specification
    root ALL=(ALL) ALL
    scanuser ALL=SU

Using the NOPASSWD option

Note: We recommend that you use the NOPASSWD option (in your sudoers file) to avoid unnecessary exposure of the password. Even if the NOPASSWD option is enabled, you must still provide valid login credentials in the Unix authentication record for the initial authentication.

Keep in mind that if the NOPASSWD option is not enabled (in your sudoers file), you must include the password in the login credentials section of the Unix authentication record.
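
To check a host's sudoers entry before scanning, the following added example (not part of the original page or the vendor's tooling) parses a subset of sudoers syntax and reports whether the scan account can run /bin/su and whether sudo will prompt for a password. The function name audit_scan_account, its return keys and the sample file are assumptions made for illustration; the sample is the page's example with the standard NOPASSWD tag added.

```python
import re

# Constructed sample: the page's sudoers example with the NOPASSWD tag added.
SAMPLE_SUDOERS = """\
# Cmnd alias specification
Cmnd_Alias SU=/bin/su
# User privilege specification
root ALL=(ALL) ALL
scanuser ALL=NOPASSWD: SU
"""

def audit_scan_account(sudoers_text, user, su_path="/bin/su"):
    """Summarize what `user` may run via sudo and whether sudo asks for a password.

    Covers a subset of sudoers syntax only: comments, line continuations,
    Cmnd_Alias, and 'user host = [(runas)] [TAG:] cmd, ...' entries.
    User/Host aliases, %group entries and include directives are not resolved.
    """
    aliases, allowed = {}, {}  # allowed maps command -> True if NOPASSWD applies
    for raw in sudoers_text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
            continue
        spec = re.match(r"(\S+)\s+\S+\s*=\s*(.+)", line)
        if not spec or spec.group(1) != user:
            continue
        nopasswd = False  # sudo's default: prompt for the user's password
        for item in re.sub(r"^\([^)]*\)\s*", "", spec.group(2)).split(","):
            tag = re.match(r"\s*(NOPASSWD|PASSWD):\s*(.+)", item)
            if tag:  # a tag stays in effect for the rest of the entry
                nopasswd, item = tag.group(1) == "NOPASSWD", tag.group(2)
            for cmd in aliases.get(item.strip(), [item.strip()]):
                allowed[cmd] = nopasswd
    su = allowed.get(su_path, allowed.get("ALL"))
    return {
        "can_su": su is not None,
        "sudo_needs_password": su is not None and not su,
        "other_commands": sorted(c for c in allowed if c != su_path),
    }

if __name__ == "__main__":
    print(audit_scan_account(SAMPLE_SUDOERS, "scanuser"))
```

A non-empty other_commands list means the account is granted more than /bin/su; sudo_needs_password set to True means the password must be included in the Unix authentication record.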

Still have questions?

Please refer to your sudoers documentation for information on proper configuration.