To scan Linux® operating systems by using secure public key authentication, you must configure your IBM® QRadar® console or managed host and the asset that you want to scan. When authentication is configured, you can do authenticated scanning by specifying a Linux operating system user name and not specifying a password. QRadar supports both rsa and dsa for SSH key generation.
Before you begin
You must install a public and private key on a QVM scanner, and install the public key on the scan target.
A QVM scanner is automatically installed on a QVM processor host, and might also be installed on other managed hosts.
The user account on the scan target must have a login shell and must be capable of running the commands that are required for a patch scan on the target. For more information, see Enabling permissions for Linux or UNIX patch scans.
This procedure describes how to configure a single public/private key pair and transfer them to a QVM scanner and scan target.
Procedure
- Using SSH, log in to the QRadar console as the root user.
- Generate a public key pair by typing the following command:
su -m -c 'ssh-keygen -t <key_type>' qvmuser
Note: <key_type> is either dsa or rsa.
- Accept the default file by pressing Enter.
- Accept the default (empty) passphrase by pressing Enter.
- Press Enter again to confirm.
- Copy the public and private keys to all managed hosts on which a QVM scanner is installed.
cd /home/qvmuser/.ssh
rsync -ogp id_<key_type> id_<key_type>.pub <IP address>:/home/qvmuser/.ssh
- Replace <key_type> with dsa or rsa.
- Replace <IP address> with the IP address of the scanner and enter the root password when prompted.
Note: The QVM processor includes a scanner. If the processor is not running on the QRadar console, you must also transfer the keys to the QVM processor.
- Copy the public key to the scan target by typing the following command:
cd /home/qvmuser/.ssh
ssh-copy-id -i id_<key_type>.pub <user>@<IP address>
- <key_type> – dsa or rsa.
- <IP address> – the IP address of the scan target.
- <user> – the user on the scan target.
- Type the user password for the scan target.
- Check that the qvmuser account on the QVM scanner can SSH to the scan target without a password by typing the following command:
su -m -c 'ssh -o StrictHostKeyChecking=no <user>@<IP address> ls' qvmuser
- <IP address> – the IP address of the scan target.
- <user> – the user on the scan target.
A list of the files in the user's home directory on the scan target is displayed.
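The procedure above, wrapped as an added example script (this is not IBM's code; the host addresses, user name and temporary key files it uses are constructed placeholders): it validates the key type, checks that the key pair in the scanner's .ssh directory exists with private-key permissions that sshd will accept, and builds the rsync, ssh-copy-id and verification commands from the same parameters the steps use. The home directory /home/qvmuser and the qvmuser account are taken from the procedure.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation. Helper functions that
# wrap the QVM key-distribution procedure and check its preconditions.
# Assumptions: scanner account "qvmuser" with home /home/qvmuser (as in the
# procedure); all IP addresses and user names passed in are placeholders.

# Return 0 if the key type is one the procedure accepts (dsa or rsa).
validate_key_type() {
    case "$1" in
        dsa|rsa) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Check that id_<key_type> and id_<key_type>.pub exist in the given directory
# and that the private key is readable only by its owner. sshd rejects a
# group- or world-readable private key, and on the scanner such a key would
# be a credential exposed to every local account. Returns 0 when in order.
key_pair_ok() {
    dir="$1"; key_type="$2"
    validate_key_type "$key_type" || return 1
    priv="$dir/id_$key_type"; pub="$dir/id_$key_type.pub"
    [ -f "$priv" ] && [ -f "$pub" ] || return 1
    case "$(perm_of "$priv")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the rsync command from the procedure for one scanner host.
scanner_copy_cmd() {
    key_type="$1"; scanner_ip="$2"
    printf "rsync -ogp id_%s id_%s.pub %s:/home/qvmuser/.ssh\n" \
        "$key_type" "$key_type" "$scanner_ip"
}

# Build the ssh-copy-id command for the scan target.
target_copy_cmd() {
    key_type="$1"; user="$2"; target_ip="$3"
    printf "ssh-copy-id -i id_%s.pub %s@%s\n" "$key_type" "$user" "$target_ip"
}

# Build the non-interactive verification command. BatchMode=yes makes ssh
# fail instead of prompting when key authentication does not work, so the
# check cannot silently fall back to a password prompt.
verify_cmd() {
    user="$1"; target_ip="$2"
    printf "su -m -c 'ssh -o BatchMode=yes -o StrictHostKeyChecking=no %s@%s ls' qvmuser\n" \
        "$user" "$target_ip"
}

# Demonstration with constructed placeholder values (documentation addresses).
scanner_copy_cmd rsa 192.0.2.10
target_copy_cmd rsa scanuser 192.0.2.20
verify_cmd scanuser 192.0.2.20
```

Two points worth knowing before running the real commands: current OpenSSH releases disable DSA host and user keys by default (and the newest remove them entirely), so rsa is the practical choice on modern scan targets; and StrictHostKeyChecking=no, as used in the procedure's check, accepts whatever host key the target presents, so the first connection should be made from a network you trust, after which the key recorded in /home/qvmuser/.ssh/known_hosts is what protects later scans.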
What to do next
Create a scan profile in QRadar Vulnerability Manager with the user name of the user on the scan target, without specifying a password, and run a patch scan.