I already searched the forum and read through parts of the documentation, but I couldn’t find a clear answer, so I thought I’d ask here.
We are currently running authenticated scans with Greenbone / OpenVAS. For testing purposes we tried both root-authenticated scans via SSH and scans using a regular user account via SSH. So far we haven’t noticed any difference in the scan results.
That raised the following question for us:
Are there specific tests or NVTs that actually require root privileges to run properly, or is it generally sufficient to run authenticated scans with a normal SSH user?
If there are no additional checks that require root privileges, it wouldn’t really make much sense to run the scans using a root SSH account.
There are no vulnerability tests that only run when root (or other user) privilege escalation is enabled. The impact on scan results depends heavily on how your Linux OS has been configured. If some commands or files are only accessible to root, then the test results will differ. If you have fairly wide-open permissions such as most default installations, then the results may be few or even none.
For package version check tests (such as Linux security advisories), every user typically has access to listing the installed packages, so this will report all package-level checks accurately.
$ /usr/sbin/dmidecode
# dmidecode 3.6
/sys/firmware/dmi/tables/smbios_entry_point: Permission denied
Scanning /dev/mem for entry point.
Can't read memory from /dev/mem
This would be one of these cases where either root access or any other solution on the target system is required as otherwise e.g. BIOS and Hardware Information Detection (Linux/Unix SSH Login) (OID: 1.3.6.1.4.1.25623.1.0.800163) can gather less info from the target system.
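To see on a given target where a non-root scan account would come up short, the readability check below can be run as that SSH user. It is an added example, not code from this thread or from Greenbone; the two DMI paths are taken from the dmidecode output above, while `/etc/shadow` and `/etc/sudoers` are assumed examples of root-only files, not a list of what the NVTs actually read.

```shell
#!/bin/sh
# Added example: run as the SSH scan user on the target system.
# Function names and the default path list are this example's own.

# classify_path PATH -> prints OK, DENIED or MISSING for the current user.
# Note: a path below a directory the user cannot traverse shows as MISSING.
classify_path() {
    if [ ! -e "$1" ]; then
        echo MISSING
    elif [ -r "$1" ]; then
        echo OK
    else
        echo DENIED
    fi
}

# audit_paths PATH... -> one "STATUS path" line per argument.
# Exit status is 1 if at least one path exists but is unreadable.
audit_paths() {
    rc=0
    for p in "$@"; do
        s=$(classify_path "$p")
        printf '%-8s %s\n' "$s" "$p"
        if [ "$s" = DENIED ]; then
            rc=1
        fi
    done
    return "$rc"
}

# First two paths: from the dmidecode session in the thread.
# Last two: assumed examples of files that are usually root-only.
if ! audit_paths \
    /sys/firmware/dmi/tables/smbios_entry_point \
    /dev/mem \
    /etc/shadow \
    /etc/sudoers
then
    echo "user $(id -un): some paths need root or another grant" >&2
fi
```

Any path reported as DENIED is a place where a check relying on it will gather less information under this account than under root.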